2 net_packet.c -- Handles in- and outgoing VPN packets
3 Copyright (C) 1998-2005 Ivo Timmermans,
4 2000-2011 Guus Sliepen <guus@tinc-vpn.org>
5 2010 Timothy Redaelli <timothy@redaelli.eu>
6 2010 Brandon Black <blblack@gmail.com>
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 2 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License along
19 with this program; if not, write to the Free Software Foundation, Inc.,
20 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
25 #include <openssl/rand.h>
26 #include <openssl/err.h>
27 #include <openssl/evp.h>
28 #include <openssl/pem.h>
29 #include <openssl/hmac.h>
41 #include "connection.h"
/* Scratch memory for the LZO compressors, sized for whichever of the two
 * algorithms used below (lzo1x_1 / lzo1x_999) needs more working space. */
58 static char lzo_wrkmem[LZO1X_999_MEM_COMPRESS > LZO1X_1_MEM_COMPRESS ? LZO1X_999_MEM_COMPRESS : LZO1X_1_MEM_COMPRESS];
/* Forward declaration: send_mtu_probe() and mtu_probe_h() call this before
 * its definition further down. */
61 static void send_udppacket(node_t *, vpn_packet_t *);
/* Size in bytes of the per-node late[] replay bitmap; one bit per sequence
 * number, so the window covers replaywin * 8 sequence numbers
 * (see the sequence-number check in receive_udppacket()). */
63 unsigned replaywin = 16;
/* When set, each MTU probe batch gets an extra probe that is broadcast on the
 * local network (see send_mtu_probe()). */
64 bool localdiscovery = false;
/* Upper bound on received_seqno; receive_udppacket() compares against it.
 * The action taken when it is exceeded is not visible in this listing. */
66 #define MAX_SEQNO 1073741824
68 /* mtuprobes == 1..30: initial discovery, send bursts with 1 second interval
69 mtuprobes == 31: sleep pinginterval seconds
70 mtuprobes == 32: send 1 burst, sleep pingtimeout seconds
71 mtuprobes == 33: no response from other side, restart PMTU discovery process
73 Probes are sent in batches of three, with random sizes between the lower and
74 upper boundaries for the MTU thus far discovered.
76 In case local discovery is enabled, a fourth packet is added to each batch,
77 which will be broadcast to the local network.
/* Drive path-MTU discovery towards node n, following the mtuprobes state
 * machine described in the comment above. Runs as a timer event and re-arms
 * itself at the end. Several lines of the original function are not shown in
 * this listing; only the visible behaviour is documented. */
80 void send_mtu_probe(node_t *n) {
/* Probes only make sense once the node is reachable and we hold a valid key. */
88 if(!n->status.reachable || !n->status.validkey) {
89 ifdebug(TRAFFIC) logger(LOG_INFO, "Trying to send MTU probe to unreachable or rekeying node %s (%s)", n->name, n->hostname);
/* State 33: the other side never answered; restart discovery after pinginterval. */
94 if(n->mtuprobes > 32) {
97 timeout = pinginterval;
101 ifdebug(TRAFFIC) logger(LOG_INFO, "%s (%s) did not respond to UDP ping, restarting PMTU discovery", n->name, n->hostname);
/* Ten or more probes sent while still in discovery and no reply has ever
 * set minmtu. */
107 if(n->mtuprobes >= 10 && n->mtuprobes < 32 && !n->minmtu) {
108 ifdebug(TRAFFIC) logger(LOG_INFO, "No response to MTU probes from %s (%s)", n->name, n->hostname);
/* Converge: after 30 probes, or earlier once the bounds meet, pin the MTU
 * to the lower bound. */
112 if(n->mtuprobes == 30 || (n->mtuprobes < 30 && n->minmtu >= n->maxmtu)) {
113 if(n->minmtu > n->maxmtu)
114 n->minmtu = n->maxmtu;
116 n->maxmtu = n->minmtu;
118 ifdebug(TRAFFIC) logger(LOG_INFO, "Fixing MTU of %s (%s) to %d after %d probes", n->name, n->hostname, n->mtu, n->mtuprobes);
/* States 31 and 32: idle between bursts; the wait length differs per state. */
122 if(n->mtuprobes == 31) {
123 timeout = pinginterval;
125 } else if(n->mtuprobes == 32) {
126 timeout = pingtimeout;
/* One burst: three probes, plus a fourth local-broadcast probe when
 * localdiscovery is enabled. */
129 for(i = 0; i < 3 + localdiscovery; i++) {
/* Nothing left to probe once the bounds have met (what happens here is
 * elided from the listing). */
130 if(n->maxmtu <= n->minmtu)
/* rand() only chooses a probe size between the bounds; no cryptographic
 * quality is needed for that. */
133 len = n->minmtu + 1 + rand() % (n->maxmtu - n->minmtu);
/* The first 14 bytes are zeroed: the receiver recognises a probe by
 * data[12] and data[13] both being zero (see receive_udppacket()). */
138 memset(packet.data, 0, 14);
/* The remainder is filler that the receiver never interprets, so a
 * possibly non-cryptographic PRNG output is acceptable here. */
139 RAND_pseudo_bytes(packet.data + 14, len - 14);
/* priority -1 is the overloaded "local broadcast" marker that
 * send_udppacket() honours for the fourth probe. */
141 packet.priority = i < 3 ? 0 : -1;
143 ifdebug(TRAFFIC) logger(LOG_INFO, "Sending MTU probe length %d to %s (%s)", len, n->name, n->hostname);
145 send_udppacket(n, &packet);
/* Re-arm the timer so the next burst fires after `timeout` seconds. */
149 n->mtuevent = new_event();
150 n->mtuevent->handler = (event_handler_t)send_mtu_probe;
151 n->mtuevent->data = n;
152 n->mtuevent->time = now + timeout;
153 event_add(n->mtuevent);
/* Handle an MTU probe received from node n. receive_udppacket() only calls
 * this after the MAC check and decryption have succeeded, so echoing the
 * packet back only ever reaches the authenticated peer. `len` is the length
 * the caller computed before decompression. */
156 void mtu_probe_h(node_t *n, vpn_packet_t *packet, length_t len) {
157 ifdebug(TRAFFIC) logger(LOG_INFO, "Got MTU probe length %d from %s (%s)", packet->len, n->name, n->hostname);
/* data[0] == 0 marks a probe that still wants an answer; the elided code
 * between these lines presumably marks it as a reply before echoing —
 * confirm in the full source. */
159 if(!packet->data[0]) {
161 send_udppacket(n, packet);
/* Otherwise it is an echo of one of our own probes; the state > 30 handling
 * that follows is not visible here. */
163 if(n->mtuprobes > 30) {
/* Compress `len` bytes from source into dest, which must have MAXSIZE bytes
 * of capacity. `level` selects the codec: 10 -> LZO1X-1, 1..9 -> zlib at that
 * level, anything above 10 -> LZO1X-999; the first branch (condition elided,
 * presumably level 0) is a plain copy. The return statements are not shown;
 * the `< 0` tests at the call sites suggest a negative value on failure —
 * confirm against the full source. */
177 static length_t compress_packet(uint8_t *dest, const uint8_t *source, length_t len, int level) {
179 memcpy(dest, source, len);
181 } else if(level == 10) {
/* lzolen is the output capacity on entry; the library overwrites it with the
 * compressed size. */
183 lzo_uint lzolen = MAXSIZE;
184 lzo1x_1_compress(source, len, dest, &lzolen, lzo_wrkmem);
189 } else if(level < 10) {
191 unsigned long destlen = MAXSIZE;
192 if(compress2(dest, &destlen, source, len, level) == Z_OK)
/* Remaining levels: the slower, higher-ratio LZO1X-999 compressor. */
199 lzo_uint lzolen = MAXSIZE;
200 lzo1x_999_compress(source, len, dest, &lzolen, lzo_wrkmem);
/* Inverse of compress_packet(): inflate `len` bytes from source into dest
 * (MAXSIZE capacity). level > 9 selects LZO, anything else zlib; the first
 * branch (condition elided) is a plain copy. The input is data received from
 * the network, so the bounds-checked lzo1x_decompress_safe() is used rather
 * than the unchecked decompressor, and both codecs are told the real output
 * capacity. The return statements are not shown. NOTE(review): the callers
 * test the result with `< 0`; if length_t is an unsigned typedef that test
 * can never be true and a failure would be treated as success — confirm the
 * typedef and the elided error return. */
210 static length_t uncompress_packet(uint8_t *dest, const uint8_t *source, length_t len, int level) {
212 memcpy(dest, source, len);
214 } else if(level > 9) {
216 lzo_uint lzolen = MAXSIZE;
/* NULL working memory is fine for decompression; lzolen caps the output. */
217 if(lzo1x_decompress_safe(source, len, dest, &lzolen, NULL) == LZO_E_OK)
225 unsigned long destlen = MAXSIZE;
226 if(uncompress(dest, &destlen, source, len) == Z_OK)
/* Common delivery point for fully verified, decrypted and decompressed
 * packets from node n, reached from both the UDP and the TCP receive paths.
 * Only the debug log line is visible here; the hand-off itself is elided. */
238 static void receive_packet(node_t *n, vpn_packet_t *packet) {
239 ifdebug(TRAFFIC) logger(LOG_DEBUG, "Received packet of %d bytes from %s (%s)",
240 packet->len, n->name, n->hostname);
/* Check, without modifying the packet, whether inpkt carries a valid HMAC
 * under n's inbound key. try_harder() uses this to identify the sender of a
 * UDP packet that arrived from an unknown address. Returns false when n has
 * no inbound MAC configured or the packet is too short to hold seqno + MAC. */
245 static bool try_mac(const node_t *n, const vpn_packet_t *inpkt) {
246 unsigned char hmac[EVP_MAX_MD_SIZE];
/* The length check comes first, so the `inpkt->len - n->inmaclength`
 * below cannot underflow. */
248 if(!n->indigest || !n->inmaclength || !n->inkey || inpkt->len < sizeof inpkt->seqno + n->inmaclength)
/* The MAC covers seqno plus ciphertext; the received MAC is the trailing
 * inmaclength bytes of the packet. */
251 HMAC(n->indigest, n->inkey, n->inkeylength, (unsigned char *) &inpkt->seqno, inpkt->len - n->inmaclength, (unsigned char *)hmac, NULL);
/* NOTE(review): memcmp() is not constant-time; a fixed-time comparison such
 * as OpenSSL's CRYPTO_memcmp() would avoid leaking how many MAC bytes matched. */
253 return !memcmp(hmac, (char *) &inpkt->seqno + inpkt->len - n->inmaclength, n->inmaclength);
/* Process a UDP packet that has been attributed to node n: length check,
 * MAC verification, decryption, replay-window check, optional decompression,
 * then hand-off to mtu_probe_h() or receive_packet(). The MAC is verified
 * before anything is decrypted, so unauthenticated bytes never reach the
 * cipher or the decompressor. Many lines of the original function are not
 * shown in this listing. */
256 static void receive_udppacket(node_t *n, vpn_packet_t *inpkt) {
/* Two scratch packets used alternately for each transformation stage;
 * nextpkt (declared in an elided line) indexes into pkt[]. */
257 vpn_packet_t pkt1, pkt2;
258 vpn_packet_t *pkt[] = { &pkt1, &pkt2, &pkt1, &pkt2 };
260 vpn_packet_t *outpkt = pkt[0];
262 unsigned char hmac[EVP_MAX_MD_SIZE];
/* Condition elided; presumably guarded by !n->status.validkey. */
266 ifdebug(TRAFFIC) logger(LOG_DEBUG, "Got packet from %s (%s) but he hasn't got our key yet",
267 n->name, n->hostname);
271 /* Check packet length */
/* Must hold at least the sequence number and the MAC, otherwise the
 * subtractions below would underflow. */
273 if(inpkt->len < sizeof(inpkt->seqno) + n->inmaclength) {
274 ifdebug(TRAFFIC) logger(LOG_DEBUG, "Got too short packet from %s (%s)",
275 n->name, n->hostname);
279 /* Check the message authentication code */
281 if(n->indigest && n->inmaclength) {
/* Strip the MAC from the length first, so the HMAC is computed over
 * seqno + ciphertext only. */
282 inpkt->len -= n->inmaclength;
283 HMAC(n->indigest, n->inkey, n->inkeylength,
284 (unsigned char *) &inpkt->seqno, inpkt->len, (unsigned char *)hmac, NULL);
/* NOTE(review): memcmp() is not constant-time; OpenSSL's CRYPTO_memcmp()
 * would compare the MAC without a timing side channel. */
286 if(memcmp(hmac, (char *) &inpkt->seqno + inpkt->len, n->inmaclength)) {
287 ifdebug(TRAFFIC) logger(LOG_DEBUG, "Got unauthenticated packet from %s (%s)",
288 n->name, n->hostname);
293 /* Decrypt the packet */
/* Decrypt seqno + payload into the next scratch buffer; the key and IV come
 * from n->inctx as set up elsewhere (NULL arguments reuse them). */
296 outpkt = pkt[nextpkt++];
298 if(!EVP_DecryptInit_ex(&n->inctx, NULL, NULL, NULL, NULL)
299 || !EVP_DecryptUpdate(&n->inctx, (unsigned char *) &outpkt->seqno, &outlen,
300 (unsigned char *) &inpkt->seqno, inpkt->len)
301 || !EVP_DecryptFinal_ex(&n->inctx, (unsigned char *) &outpkt->seqno + outlen, &outpad)) {
302 ifdebug(TRAFFIC) logger(LOG_DEBUG, "Error decrypting packet from %s (%s): %s",
303 n->name, n->hostname, ERR_error_string(ERR_get_error(), NULL));
307 outpkt->len = outlen + outpad;
311 /* Check the sequence number */
/* From here on len counts only the payload; seqno is converted to host order. */
313 inpkt->len -= sizeof(inpkt->seqno);
314 inpkt->seqno = ntohl(inpkt->seqno);
/* Replay window: replaywin bytes of bitmap, one bit per sequence number.
 * A bit set in late[] means "expected but not yet seen". */
317 if(inpkt->seqno != n->received_seqno + 1) {
/* Far ahead of the window: drop, but only for the first replaywin/4
 * occurrences (counted in n->farfuture); after that the jump is accepted
 * and the bitmap is reset. Where farfuture is reset is not visible here. */
318 if(inpkt->seqno >= n->received_seqno + replaywin * 8) {
319 if(n->farfuture++ < replaywin >> 2) {
320 logger(LOG_WARNING, "Packet from %s (%s) is %d seqs in the future, dropped (%u)",
321 n->name, n->hostname, inpkt->seqno - n->received_seqno - 1, n->farfuture);
324 logger(LOG_WARNING, "Lost %d packets from %s (%s)",
325 inpkt->seqno - n->received_seqno - 1, n->name, n->hostname);
326 memset(n->late, 0, replaywin);
/* At or behind the highest seen: reject if it is older than the window or
 * its "not yet seen" bit is already clear (a replay). */
327 } else if (inpkt->seqno <= n->received_seqno) {
328 if((n->received_seqno >= replaywin * 8 && inpkt->seqno <= n->received_seqno - replaywin * 8) || !(n->late[(inpkt->seqno / 8) % replaywin] & (1 << inpkt->seqno % 8))) {
329 logger(LOG_WARNING, "Got late or replayed packet from %s (%s), seqno %d, last received %d",
330 n->name, n->hostname, inpkt->seqno, n->received_seqno);
/* A small forward jump: mark every skipped sequence number as outstanding. */
334 for(i = n->received_seqno + 1; i < inpkt->seqno; i++)
335 n->late[(i / 8) % replaywin] |= 1 << i % 8;
/* This sequence number has now been seen; clear its bit. */
340 n->late[(inpkt->seqno / 8) % replaywin] &= ~(1 << inpkt->seqno % 8);
343 if(inpkt->seqno > n->received_seqno)
344 n->received_seqno = inpkt->seqno;
/* The action taken past MAX_SEQNO is elided from this listing. */
346 if(n->received_seqno > MAX_SEQNO)
349 /* Decompress the packet */
/* origlen is what mtu_probe_h() gets as the on-the-wire payload length. */
351 length_t origlen = inpkt->len;
353 if(n->incompression) {
354 outpkt = pkt[nextpkt++];
/* NOTE(review): if length_t is unsigned, this `< 0` test never fires and a
 * failed decompression would be treated as success — confirm the typedef. */
356 if((outpkt->len = uncompress_packet(outpkt->data, inpkt->data, inpkt->len, n->incompression)) < 0) {
357 ifdebug(TRAFFIC) logger(LOG_ERR, "Error while uncompressing packet from %s (%s)",
358 n->name, n->hostname);
/* Presumably an allowance for the size change compression introduces in
 * probe packets — the rationale is not visible here. */
364 origlen -= MTU/64 + 20;
/* Bytes 12 and 13 both zero identify an MTU probe (see send_mtu_probe());
 * everything else is an ordinary VPN packet. */
369 if(!inpkt->data[12] && !inpkt->data[13])
370 mtu_probe_h(n, inpkt, origlen);
372 receive_packet(n, inpkt);
/* Deliver a VPN packet that arrived over the meta connection c. No MAC or
 * decryption happens here; whatever protects the TCP stream is outside this
 * function. NOTE(review): there is no visible check that `len` fits in
 * outpkt.data before the memcpy below — it may be enforced by the caller,
 * confirm. */
375 void receive_tcppacket(connection_t *c, const char *buffer, int len) {
/* Condition and body partially elided; OPTION_TCPONLY peers get special
 * treatment here. */
379 if(c->options & OPTION_TCPONLY)
/* priority -1 keeps any forwarding of this packet on TCP (see send_packet()). */
382 outpkt.priority = -1;
383 memcpy(outpkt.data, buffer, len);
385 receive_packet(c->node, &outpkt);
/* Send origpkt to node n over UDP: optional compression, sequence number,
 * encryption, MAC, socket selection, optional TOS, sendto(). Falls back to
 * TCP when no key is known yet or when PMTU discovery says the packet is
 * too large. Many lines of the original function are not shown here. */
388 static void send_udppacket(node_t *n, vpn_packet_t *origpkt) {
/* Two scratch packets used alternately per transformation stage; nextpkt
 * (declared in an elided line) indexes into pkt[]. inpkt starts as the
 * caller's packet, so origpkt itself is modified along the way. */
389 vpn_packet_t pkt1, pkt2;
390 vpn_packet_t *pkt[] = { &pkt1, &pkt2, &pkt1, &pkt2 };
391 vpn_packet_t *inpkt = origpkt;
393 vpn_packet_t *outpkt;
/* Remembers the TOS value last applied to the socket, so setsockopt() is
 * only issued when it changes. */
396 #if defined(SOL_IP) && defined(IP_TOS)
397 static int priority = 0;
401 if(!n->status.reachable) {
402 ifdebug(TRAFFIC) logger(LOG_INFO, "Trying to send UDP packet to unreachable node %s (%s)", n->name, n->hostname);
406 /* Make sure we have a valid key */
/* Without a key the packet cannot be encrypted, so it goes over TCP to the
 * next hop; a key request is issued at most once every 10 seconds. */
408 if(!n->status.validkey) {
409 ifdebug(TRAFFIC) logger(LOG_INFO,
410 "No valid key known yet for %s (%s), forwarding via TCP",
411 n->name, n->hostname);
413 if(n->last_req_key + 10 <= now) {
415 n->last_req_key = now;
418 send_tcppacket(n->nexthop->connection, origpkt);
/* PMTU: a non-probe packet (data[12] | data[13] nonzero) larger than the
 * known minimum MTU is forwarded through the next hop, or TCP when n is
 * its own next hop, instead of being sent directly. */
423 if(n->options & OPTION_PMTU_DISCOVERY && inpkt->len > n->minmtu && (inpkt->data[12] | inpkt->data[13])) {
424 ifdebug(TRAFFIC) logger(LOG_INFO,
425 "Packet for %s (%s) larger than minimum MTU, forwarding via %s",
426 n->name, n->hostname, n != n->nexthop ? n->nexthop->name : "TCP");
429 send_packet(n->nexthop, origpkt);
431 send_tcppacket(n->nexthop->connection, origpkt);
/* Saved because inpkt may alias origpkt and its len/priority are changed
 * below; len is restored at the end. */
436 origlen = inpkt->len;
437 origpriority = inpkt->priority;
439 /* Compress the packet */
441 if(n->outcompression) {
442 outpkt = pkt[nextpkt++];
/* NOTE(review): if length_t is unsigned this `< 0` test cannot fire —
 * confirm the typedef and compress_packet()'s error return. */
444 if((outpkt->len = compress_packet(outpkt->data, inpkt->data, inpkt->len, n->outcompression)) < 0) {
445 ifdebug(TRAFFIC) logger(LOG_ERR, "Error while compressing packet to %s (%s)",
446 n->name, n->hostname);
453 /* Add sequence number */
/* Pre-increment: the first packet after a key change carries seqno 1;
 * stored in network byte order and counted into the length. */
455 inpkt->seqno = htonl(++(n->sent_seqno));
456 inpkt->len += sizeof(inpkt->seqno);
458 /* Encrypt the packet */
/* Key and IV come from n->outctx as configured elsewhere (NULL arguments
 * reuse them). NOTE(review): how the IV evolves between packets is not
 * visible here; for CBC-style ciphers an IV reused across packets would be
 * a confidentiality concern — confirm the context setup. */
461 outpkt = pkt[nextpkt++];
463 if(!EVP_EncryptInit_ex(&n->outctx, NULL, NULL, NULL, NULL)
464 || !EVP_EncryptUpdate(&n->outctx, (unsigned char *) &outpkt->seqno, &outlen,
465 (unsigned char *) &inpkt->seqno, inpkt->len)
466 || !EVP_EncryptFinal_ex(&n->outctx, (unsigned char *) &outpkt->seqno + outlen, &outpad)) {
467 ifdebug(TRAFFIC) logger(LOG_ERR, "Error while encrypting packet to %s (%s): %s",
468 n->name, n->hostname, ERR_error_string(ERR_get_error(), NULL));
472 outpkt->len = outlen + outpad;
476 /* Add the message authentication code */
/* Encrypt-then-MAC: the HMAC is computed over seqno + ciphertext and written
 * in place directly after it, then counted into the length. */
478 if(n->outdigest && n->outmaclength) {
479 HMAC(n->outdigest, n->outkey, n->outkeylength, (unsigned char *) &inpkt->seqno,
480 inpkt->len, (unsigned char *) &inpkt->seqno + inpkt->len, NULL);
481 inpkt->len += n->outmaclength;
484 /* Determine which socket we have to use */
/* If the cached socket's address family does not match the node's address,
 * search the listen sockets for one that does. */
486 if(n->address.sa.sa_family != listen_socket[n->sock].sa.sa.sa_family) {
487 for(int sock = 0; sock < listen_sockets; sock++) {
488 if(n->address.sa.sa_family == listen_socket[sock].sa.sa.sa_family) {
495 /* Send the packet */
501 /* Overloaded use of priority field: -1 means local broadcast */
/* Local-discovery probe: send to the IPv4 limited broadcast address
 * (s_addr = -1 is 255.255.255.255) on the port of the edge we learned n from. */
503 if(origpriority == -1 && n->prevedge) {
504 struct sockaddr_in in;
505 in.sin_family = AF_INET;
506 in.sin_addr.s_addr = -1;
507 in.sin_port = n->prevedge->address.in.sin_port;
/* The `∈` here is a rendering artifact of `&in;` in this listing; the
 * original line reads `sa = (struct sockaddr *)&in;`. */
508 sa = (struct sockaddr *)∈
/* Otherwise the node's known UDP address is the destination. */
512 if(origpriority == -1)
515 sa = &(n->address.sa);
516 sl = SALEN(n->address.sa);
/* Propagate the packet's priority as the IP TOS byte on IPv4 sockets,
 * only when it differs from the value applied last time. */
520 #if defined(SOL_IP) && defined(IP_TOS)
521 if(priorityinheritance && origpriority != priority
522 && listen_socket[n->sock].sa.sa.sa_family == AF_INET) {
523 priority = origpriority;
524 ifdebug(TRAFFIC) logger(LOG_DEBUG, "Setting outgoing packet priority to %d", priority);
525 if(setsockopt(listen_socket[n->sock].udp, SOL_IP, IP_TOS, &priority, sizeof(priority))) /* SO_PRIORITY doesn't seem to work */
526 logger(LOG_ERR, "System call `%s' failed: %s", "setsockopt", strerror(errno));
/* A would-block error is silently ignored. A "message too large" error
 * feeds back into PMTU discovery by lowering maxmtu and mtu below the
 * offending length; anything else is logged. */
530 if(sendto(listen_socket[sock].udp, (char *) &inpkt->seqno, inpkt->len, 0, sa, sl) < 0 && !sockwouldblock(sockerrno)) {
531 if(sockmsgsize(sockerrno)) {
532 if(n->maxmtu >= origlen)
533 n->maxmtu = origlen - 1;
534 if(n->mtu >= origlen)
535 n->mtu = origlen - 1;
537 logger(LOG_ERR, "Error sending packet to %s (%s): %s", n->name, n->hostname, sockstrerror(sockerrno));
/* Undo the length changes made to the caller's packet above. */
541 origpkt->len = origlen;
545 send a packet to the given vpn ip.
/* Send packet to node n, choosing between local delivery, the meta (TCP)
 * connection and direct UDP. Parts of the function are elided here. */
547 void send_packet(const node_t *n, vpn_packet_t *packet) {
/* Condition elided; presumably the n == myself case: stamp our own MAC
 * address and hand the frame to the local device. */
552 memcpy(packet->data, mymac.x, ETH_ALEN);
553 devops.write(packet);
557 ifdebug(TRAFFIC) logger(LOG_ERR, "Sending packet of %d bytes to %s (%s)",
558 packet->len, n->name, n->hostname);
560 if(!n->status.reachable) {
561 ifdebug(TRAFFIC) logger(LOG_INFO, "Node %s (%s) is not reachable",
562 n->name, n->hostname);
/* Local-broadcast packets (priority -1), or nodes whose "via" is ourselves,
 * go to the next hop; everything else to the node's via. */
566 via = (packet->priority == -1 || n->via == myself) ? n->nexthop : n->via;
569 ifdebug(TRAFFIC) logger(LOG_INFO, "Sending packet to %s via %s (%s)",
570 n->name, via->name, n->via->hostname);
/* TCP when either side insists on it or for priority -1 packets; a failed
 * TCP send tears the connection down. Otherwise UDP. */
572 if(packet->priority == -1 || ((myself->options | via->options) & OPTION_TCPONLY)) {
573 if(!send_tcppacket(via->connection, packet))
574 terminate_connection(via->connection, true);
576 send_udppacket(via, packet);
579 /* Broadcast a packet using the minimum spanning tree */
/* Flood packet along the minimum spanning tree: deliver it locally, then to
 * every active MST neighbour except the one it arrived from. Lines are
 * elided between the loop header and its body. */
581 void broadcast_packet(const node_t *from, vpn_packet_t *packet) {
585 ifdebug(TRAFFIC) logger(LOG_INFO, "Broadcasting packet of %d bytes from %s (%s)",
586 packet->len, from->name, from->hostname);
/* Local delivery first. */
589 send_packet(myself, packet);
591 // In TunnelServer mode, do not forward broadcast packets.
592 // The MST might not be valid and create loops.
597 for(node = connection_tree->head; node; node = node->next) {
/* Only active MST edges, and never back towards the sender's next hop. */
600 if(c->status.active && c->status.mst && c != from->nexthop->connection)
601 send_packet(c->node, packet);
/* Identify the sender of a UDP packet from an address that no node is known
 * by: walk the edge list, and for each edge whose address matches ignoring
 * the port, test the packet's MAC against that edge's remote node. Because
 * every unknown-source packet would otherwise cost one HMAC per candidate,
 * last_hard_try limits this to once per second (the early-return body at
 * the `== now` check is elided). The return paths are not shown here. */
605 static node_t *try_harder(const sockaddr_t *from, const vpn_packet_t *pkt) {
610 static time_t last_hard_try = 0;
612 for(node = edge_weight_tree->head; node; node = node->next) {
/* Port is ignored so a peer behind NAT/port-changing middlebox still matches. */
618 if(sockaddrcmp_noport(from, &e->address)) {
619 if(last_hard_try == now)
/* try_mac() leaves the packet untouched; the full check runs later in
 * receive_udppacket(). */
624 if(!try_mac(e->to, pkt))
/* Read one datagram from listen socket `sock`, attribute it to a node and
 * hand it to receive_udppacket(). Lines are elided throughout; in
 * particular the error test on the recvfrom() result and the not-found
 * branch are only partly visible. */
638 void handle_incoming_vpn_data(int sock) {
642 socklen_t fromlen = sizeof(from);
/* The datagram lands at &pkt.seqno so seqno, payload and MAC are contiguous;
 * MAXSIZE bounds the read. NOTE(review): recvfrom() returns a signed value
 * while pkt.len is a length_t; the elided check that precedes the
 * sockwouldblock() test presumably catches the -1 case — confirm. */
645 pkt.len = recvfrom(listen_socket[sock].udp, (char *) &pkt.seqno, MAXSIZE, 0, &from.sa, &fromlen);
648 if(!sockwouldblock(sockerrno))
649 logger(LOG_ERR, "Receiving packet failed: %s", sockstrerror(sockerrno));
653 sockaddrunmap(&from); /* Some braindead IPv6 implementations do stupid things. */
/* Fast path: a node already known by this UDP address. Otherwise fall back
 * to the rate-limited MAC search in try_harder(); on success the node's
 * UDP address is updated so later packets take the fast path. */
655 n = lookup_node_udp(&from);
658 n = try_harder(&from, &pkt);
660 update_node_udp(n, &from);
/* Unattributable packets are only logged at PROTOCOL debug level; the
 * return that follows is elided. */
661 else ifdebug(PROTOCOL) {
662 hostname = sockaddr2hostname(&from);
663 logger(LOG_WARNING, "Received UDP packet from unknown source %s", hostname);
673 receive_udppacket(n, &pkt);