2 net_packet.c -- Handles in- and outgoing VPN packets
3 Copyright (C) 1998-2005 Ivo Timmermans,
4 2000-2012 Guus Sliepen <guus@tinc-vpn.org>
5 2010 Timothy Redaelli <timothy@redaelli.eu>
6 2010 Brandon Black <blblack@gmail.com>
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 2 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License along
19 with this program; if not, write to the Free Software Foundation, Inc.,
20 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
25 #include <openssl/rand.h>
26 #include <openssl/err.h>
27 #include <openssl/evp.h>
28 #include <openssl/pem.h>
29 #include <openssl/hmac.h>
39 #include "splay_tree.h"
42 #include "connection.h"
59 static char lzo_wrkmem[LZO1X_999_MEM_COMPRESS > LZO1X_1_MEM_COMPRESS ? LZO1X_999_MEM_COMPRESS : LZO1X_1_MEM_COMPRESS];
62 static void send_udppacket(node_t *, vpn_packet_t *);
64 unsigned replaywin = 16;
65 bool localdiscovery = false;
67 #define MAX_SEQNO 1073741824
69 /* mtuprobes == 1..30: initial discovery, send bursts with 1 second interval
70 mtuprobes == 31: sleep pinginterval seconds
71 mtuprobes == 32: send 1 burst, sleep pingtimeout second
72 mtuprobes == 33: no response from other side, restart PMTU discovery process
74 Probes are sent in batches of three, with random sizes between the lower and
75 upper boundaries for the MTU thus far discovered.
77 In case local discovery is enabled, a fourth packet is added to each batch,
78 which will be broadcast to the local network.
81 static void send_mtu_probe_handler(int fd, short events, void *data) {
89 if(!n->status.reachable || !n->status.validkey) {
90 logger(DEBUG_TRAFFIC, LOG_INFO, "Trying to send MTU probe to unreachable or rekeying node %s (%s)", n->name, n->hostname);
95 if(n->mtuprobes > 32) {
98 timeout = pinginterval;
102 logger(DEBUG_TRAFFIC, LOG_INFO, "%s (%s) did not respond to UDP ping, restarting PMTU discovery", n->name, n->hostname);
108 if(n->mtuprobes >= 10 && n->mtuprobes < 32 && !n->minmtu) {
109 logger(DEBUG_TRAFFIC, LOG_INFO, "No response to MTU probes from %s (%s)", n->name, n->hostname);
113 if(n->mtuprobes == 30 || (n->mtuprobes < 30 && n->minmtu >= n->maxmtu)) {
114 if(n->minmtu > n->maxmtu)
115 n->minmtu = n->maxmtu;
117 n->maxmtu = n->minmtu;
119 logger(DEBUG_TRAFFIC, LOG_INFO, "Fixing MTU of %s (%s) to %d after %d probes", n->name, n->hostname, n->mtu, n->mtuprobes);
123 if(n->mtuprobes == 31) {
124 timeout = pinginterval;
126 } else if(n->mtuprobes == 32) {
127 timeout = pingtimeout;
130 for(i = 0; i < 3 + localdiscovery; i++) {
131 if(n->maxmtu <= n->minmtu)
134 len = n->minmtu + 1 + rand() % (n->maxmtu - n->minmtu);
139 memset(packet.data, 0, 14);
140 randomize(packet.data + 14, len - 14);
142 if(i >= 3 && n->mtuprobes <= 10)
143 packet.priority = -1;
147 logger(DEBUG_TRAFFIC, LOG_INFO, "Sending MTU probe length %d to %s (%s)", len, n->name, n->hostname);
149 send_udppacket(n, &packet);
153 event_add(&n->mtuevent, &(struct timeval){timeout, 0});
156 void send_mtu_probe(node_t *n) {
157 if(!timeout_initialized(&n->mtuevent))
158 timeout_set(&n->mtuevent, send_mtu_probe_handler, n);
159 send_mtu_probe_handler(0, 0, n);
162 static void mtu_probe_h(node_t *n, vpn_packet_t *packet, length_t len) {
163 logger(DEBUG_TRAFFIC, LOG_INFO, "Got MTU probe length %d from %s (%s)", packet->len, n->name, n->hostname);
165 if(!packet->data[0]) {
167 send_udppacket(n, packet);
169 if(n->mtuprobes > 30) {
183 static length_t compress_packet(uint8_t *dest, const uint8_t *source, length_t len, int level) {
185 memcpy(dest, source, len);
187 } else if(level == 10) {
189 lzo_uint lzolen = MAXSIZE;
190 lzo1x_1_compress(source, len, dest, &lzolen, lzo_wrkmem);
195 } else if(level < 10) {
197 unsigned long destlen = MAXSIZE;
198 if(compress2(dest, &destlen, source, len, level) == Z_OK)
205 lzo_uint lzolen = MAXSIZE;
206 lzo1x_999_compress(source, len, dest, &lzolen, lzo_wrkmem);
216 static length_t uncompress_packet(uint8_t *dest, const uint8_t *source, length_t len, int level) {
218 memcpy(dest, source, len);
220 } else if(level > 9) {
222 lzo_uint lzolen = MAXSIZE;
223 if(lzo1x_decompress_safe(source, len, dest, &lzolen, NULL) == LZO_E_OK)
231 unsigned long destlen = MAXSIZE;
232 if(uncompress(dest, &destlen, source, len) == Z_OK)
244 static void receive_packet(node_t *n, vpn_packet_t *packet) {
245 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Received packet of %d bytes from %s (%s)",
246 packet->len, n->name, n->hostname);
249 n->in_bytes += packet->len;
254 static bool try_mac(node_t *n, const vpn_packet_t *inpkt) {
256 return sptps_verify_datagram(&n->sptps, (char *)&inpkt->seqno, inpkt->len);
258 if(!digest_active(&n->indigest) || inpkt->len < sizeof inpkt->seqno + digest_length(&n->indigest))
261 return digest_verify(&n->indigest, &inpkt->seqno, inpkt->len - n->indigest.maclength, (const char *)&inpkt->seqno + inpkt->len - n->indigest.maclength);
264 static void receive_udppacket(node_t *n, vpn_packet_t *inpkt) {
265 vpn_packet_t pkt1, pkt2;
266 vpn_packet_t *pkt[] = { &pkt1, &pkt2, &pkt1, &pkt2 };
268 vpn_packet_t *outpkt = pkt[0];
271 if(n->status.sptps) {
272 sptps_receive_data(&n->sptps, (char *)&inpkt->seqno, inpkt->len);
276 if(!cipher_active(&n->incipher)) {
277 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got packet from %s (%s) but he hasn't got our key yet",
278 n->name, n->hostname);
282 /* Check packet length */
284 if(inpkt->len < sizeof inpkt->seqno + digest_length(&n->indigest)) {
285 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got too short packet from %s (%s)",
286 n->name, n->hostname);
290 /* Check the message authentication code */
292 if(digest_active(&n->indigest)) {
293 inpkt->len -= n->indigest.maclength;
294 if(!digest_verify(&n->indigest, &inpkt->seqno, inpkt->len, (const char *)&inpkt->seqno + inpkt->len)) {
295 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got unauthenticated packet from %s (%s)", n->name, n->hostname);
299 /* Decrypt the packet */
301 if(cipher_active(&n->incipher)) {
302 outpkt = pkt[nextpkt++];
305 if(!cipher_decrypt(&n->incipher, &inpkt->seqno, inpkt->len, &outpkt->seqno, &outlen, true)) {
306 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Error decrypting packet from %s (%s)", n->name, n->hostname);
310 outpkt->len = outlen;
314 /* Check the sequence number */
316 inpkt->len -= sizeof inpkt->seqno;
317 inpkt->seqno = ntohl(inpkt->seqno);
320 if(inpkt->seqno != n->received_seqno + 1) {
321 if(inpkt->seqno >= n->received_seqno + replaywin * 8) {
322 if(n->farfuture++ < replaywin >> 2) {
323 logger(DEBUG_ALWAYS, LOG_WARNING, "Packet from %s (%s) is %d seqs in the future, dropped (%u)",
324 n->name, n->hostname, inpkt->seqno - n->received_seqno - 1, n->farfuture);
327 logger(DEBUG_ALWAYS, LOG_WARNING, "Lost %d packets from %s (%s)",
328 inpkt->seqno - n->received_seqno - 1, n->name, n->hostname);
329 memset(n->late, 0, replaywin);
330 } else if (inpkt->seqno <= n->received_seqno) {
331 if((n->received_seqno >= replaywin * 8 && inpkt->seqno <= n->received_seqno - replaywin * 8) || !(n->late[(inpkt->seqno / 8) % replaywin] & (1 << inpkt->seqno % 8))) {
332 logger(DEBUG_ALWAYS, LOG_WARNING, "Got late or replayed packet from %s (%s), seqno %d, last received %d",
333 n->name, n->hostname, inpkt->seqno, n->received_seqno);
337 for(int i = n->received_seqno + 1; i < inpkt->seqno; i++)
338 n->late[(i / 8) % replaywin] |= 1 << i % 8;
343 n->late[(inpkt->seqno / 8) % replaywin] &= ~(1 << inpkt->seqno % 8);
346 if(inpkt->seqno > n->received_seqno)
347 n->received_seqno = inpkt->seqno;
349 if(n->received_seqno > MAX_SEQNO)
352 /* Decompress the packet */
354 length_t origlen = inpkt->len;
356 if(n->incompression) {
357 outpkt = pkt[nextpkt++];
359 if((outpkt->len = uncompress_packet(outpkt->data, inpkt->data, inpkt->len, n->incompression)) < 0) {
360 logger(DEBUG_TRAFFIC, LOG_ERR, "Error while uncompressing packet from %s (%s)",
361 n->name, n->hostname);
367 origlen -= MTU/64 + 20;
372 if(!inpkt->data[12] && !inpkt->data[13])
373 mtu_probe_h(n, inpkt, origlen);
375 receive_packet(n, inpkt);
378 void receive_tcppacket(connection_t *c, const char *buffer, int len) {
382 if(c->options & OPTION_TCPONLY)
385 outpkt.priority = -1;
386 memcpy(outpkt.data, buffer, len);
388 receive_packet(c->node, &outpkt);
391 static void send_sptps_packet(node_t *n, vpn_packet_t *origpkt) {
392 if(!n->status.validkey) {
393 logger(DEBUG_TRAFFIC, LOG_INFO, "No valid key known yet for %s (%s)", n->name, n->hostname);
394 if(!n->status.waitingforkey)
396 else if(n->last_req_key + 10 < time(NULL)) {
397 sptps_stop(&n->sptps);
398 n->status.waitingforkey = false;
406 if(!(origpkt->data[12] | origpkt->data[13])) {
407 sptps_send_record(&n->sptps, PKT_PROBE, (char *)origpkt->data, origpkt->len);
411 if(routing_mode == RMODE_ROUTER)
416 if(origpkt->len < offset)
421 if(n->outcompression) {
422 int len = compress_packet(outpkt.data + offset, origpkt->data + offset, origpkt->len - offset, n->outcompression);
424 logger(DEBUG_TRAFFIC, LOG_ERR, "Error while compressing packet to %s (%s)", n->name, n->hostname);
425 } else if(len < origpkt->len - offset) {
426 outpkt.len = len + offset;
428 type |= PKT_COMPRESSED;
432 sptps_send_record(&n->sptps, type, (char *)origpkt->data + offset, origpkt->len - offset);
436 static void send_udppacket(node_t *n, vpn_packet_t *origpkt) {
437 vpn_packet_t pkt1, pkt2;
438 vpn_packet_t *pkt[] = { &pkt1, &pkt2, &pkt1, &pkt2 };
439 vpn_packet_t *inpkt = origpkt;
441 vpn_packet_t *outpkt;
442 int origlen = origpkt->len;
444 #if defined(SOL_IP) && defined(IP_TOS)
445 static int priority = 0;
447 int origpriority = origpkt->priority;
449 if(!n->status.reachable) {
450 logger(DEBUG_TRAFFIC, LOG_INFO, "Trying to send UDP packet to unreachable node %s (%s)", n->name, n->hostname);
455 return send_sptps_packet(n, origpkt);
457 /* Make sure we have a valid key */
459 if(!n->status.validkey) {
460 time_t now = time(NULL);
462 logger(DEBUG_TRAFFIC, LOG_INFO,
463 "No valid key known yet for %s (%s), forwarding via TCP",
464 n->name, n->hostname);
466 if(n->last_req_key + 10 <= now) {
468 n->last_req_key = now;
471 send_tcppacket(n->nexthop->connection, origpkt);
476 if(n->options & OPTION_PMTU_DISCOVERY && inpkt->len > n->minmtu && (inpkt->data[12] | inpkt->data[13])) {
477 logger(DEBUG_TRAFFIC, LOG_INFO,
478 "Packet for %s (%s) larger than minimum MTU, forwarding via %s",
479 n->name, n->hostname, n != n->nexthop ? n->nexthop->name : "TCP");
482 send_packet(n->nexthop, origpkt);
484 send_tcppacket(n->nexthop->connection, origpkt);
489 /* Compress the packet */
491 if(n->outcompression) {
492 outpkt = pkt[nextpkt++];
494 if((outpkt->len = compress_packet(outpkt->data, inpkt->data, inpkt->len, n->outcompression)) < 0) {
495 logger(DEBUG_TRAFFIC, LOG_ERR, "Error while compressing packet to %s (%s)",
496 n->name, n->hostname);
503 /* Add sequence number */
505 inpkt->seqno = htonl(++(n->sent_seqno));
506 inpkt->len += sizeof inpkt->seqno;
508 /* Encrypt the packet */
510 if(cipher_active(&n->outcipher)) {
511 outpkt = pkt[nextpkt++];
514 if(!cipher_encrypt(&n->outcipher, &inpkt->seqno, inpkt->len, &outpkt->seqno, &outlen, true)) {
515 logger(DEBUG_TRAFFIC, LOG_ERR, "Error while encrypting packet to %s (%s)", n->name, n->hostname);
519 outpkt->len = outlen;
523 /* Add the message authentication code */
525 if(digest_active(&n->outdigest)) {
526 digest_create(&n->outdigest, &inpkt->seqno, inpkt->len, (char *)&inpkt->seqno + inpkt->len);
527 inpkt->len += digest_length(&n->outdigest);
530 /* Determine which socket we have to use */
532 if(n->address.sa.sa_family != listen_socket[n->sock].sa.sa.sa_family) {
533 for(int sock = 0; sock < listen_sockets; sock++) {
534 if(n->address.sa.sa_family == listen_socket[sock].sa.sa.sa_family) {
541 /* Send the packet */
547 /* Overloaded use of priority field: -1 means local broadcast */
549 if(origpriority == -1 && n->prevedge) {
550 struct sockaddr_in in;
551 in.sin_family = AF_INET;
552 in.sin_addr.s_addr = -1;
553 in.sin_port = n->prevedge->address.in.sin_port;
554 sa = (struct sockaddr *)∈
558 if(origpriority == -1)
561 sa = &(n->address.sa);
562 sl = SALEN(n->address.sa);
566 #if defined(SOL_IP) && defined(IP_TOS)
567 if(priorityinheritance && origpriority != priority
568 && listen_socket[n->sock].sa.sa.sa_family == AF_INET) {
569 priority = origpriority;
570 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Setting outgoing packet priority to %d", priority);
571 if(setsockopt(listen_socket[n->sock].udp, SOL_IP, IP_TOS, &priority, sizeof(priority))) /* SO_PRIORITY doesn't seem to work */
572 logger(DEBUG_ALWAYS, LOG_ERR, "System call `%s' failed: %s", "setsockopt", strerror(errno));
576 if(sendto(listen_socket[sock].udp, (char *) &inpkt->seqno, inpkt->len, 0, sa, sl) < 0 && !sockwouldblock(sockerrno)) {
577 if(sockmsgsize(sockerrno)) {
578 if(n->maxmtu >= origlen)
579 n->maxmtu = origlen - 1;
580 if(n->mtu >= origlen)
581 n->mtu = origlen - 1;
583 logger(DEBUG_TRAFFIC, LOG_WARNING, "Error sending packet to %s (%s): %s", n->name, n->hostname, sockstrerror(sockerrno));
587 origpkt->len = origlen;
590 bool send_sptps_data(void *handle, uint8_t type, const char *data, size_t len) {
593 if(type >= SPTPS_HANDSHAKE || ((myself->options | to->options) & OPTION_TCPONLY)) {
594 char buf[len * 4 / 3 + 5];
595 b64encode(data, buf, len);
596 if(!to->status.validkey)
597 return send_request(to->nexthop->connection, "%d %s %s %s -1 -1 -1 %d", ANS_KEY, myself->name, to->name, buf, myself->incompression);
599 return send_request(to->nexthop->connection, "%d %s %s %d %s", REQ_KEY, myself->name, to->name, REQ_SPTPS, buf);
602 /* Send the packet */
608 sa = &(to->address.sa);
609 sl = SALEN(to->address.sa);
612 if(sendto(listen_socket[sock].udp, data, len, 0, sa, sl) < 0 && !sockwouldblock(sockerrno)) {
613 if(sockmsgsize(sockerrno)) {
614 if(to->maxmtu >= len)
615 to->maxmtu = len - 1;
619 logger(DEBUG_TRAFFIC, LOG_WARNING, "Error sending UDP SPTPS packet to %s (%s): %s", to->name, to->hostname, sockstrerror(sockerrno));
627 bool receive_sptps_record(void *handle, uint8_t type, const char *data, uint16_t len) {
628 node_t *from = handle;
630 if(type == SPTPS_HANDSHAKE) {
631 from->status.validkey = true;
632 from->status.waitingforkey = false;
633 logger(DEBUG_META, LOG_INFO, "SPTPS key exchange with %s (%s) succesful", from->name, from->hostname);
638 logger(DEBUG_ALWAYS, LOG_ERR, "Packet from %s (%s) larger than maximum supported size (%d > %d)", from->name, from->hostname, len, MTU);
644 if(type == PKT_PROBE) {
646 memcpy(inpkt.data, data, len);
647 mtu_probe_h(from, &inpkt, len);
651 if(type & ~(PKT_COMPRESSED | PKT_MAC)) {
652 logger(DEBUG_ALWAYS, LOG_ERR, "Unexpected SPTPS record type %d len %d from %s (%s)", type, len, from->name, from->hostname);
656 /* Check if we have the headers we need */
657 if(routing_mode != RMODE_ROUTER && !(type & PKT_MAC)) {
658 logger(DEBUG_TRAFFIC, LOG_ERR, "Received packet from %s (%s) without MAC header (maybe Mode is not set correctly)", from->name, from->hostname);
660 } else if(routing_mode == RMODE_ROUTER && (type & PKT_MAC)) {
661 logger(DEBUG_TRAFFIC, LOG_WARNING, "Received packet from %s (%s) with MAC header (maybe Mode is not set correctly)", from->name, from->hostname);
664 int offset = (type & PKT_MAC) ? 0 : 14;
665 if(type & PKT_COMPRESSED) {
666 len = uncompress_packet(inpkt.data + offset, (const uint8_t *)data, len, from->incompression);
670 inpkt.len = len + offset;
672 if(inpkt.len > MAXSIZE)
675 memcpy(inpkt.data + offset, data, len);
676 inpkt.len = len + offset;
679 /* Generate the Ethernet packet type if necessary */
681 switch(inpkt.data[14] >> 4) {
683 inpkt.data[12] = 0x08;
684 inpkt.data[13] = 0x00;
687 inpkt.data[12] = 0x86;
688 inpkt.data[13] = 0xDD;
691 logger(DEBUG_TRAFFIC, LOG_ERR,
692 "Unknown IP version %d while reading packet from %s (%s)",
693 inpkt.data[14] >> 4, from->name, from->hostname);
698 receive_packet(from, &inpkt);
703 send a packet to the given vpn ip.
705 void send_packet(node_t *n, vpn_packet_t *packet) {
710 memcpy(packet->data, mymac.x, ETH_ALEN);
712 n->out_bytes += packet->len;
713 devops.write(packet);
717 logger(DEBUG_TRAFFIC, LOG_ERR, "Sending packet of %d bytes to %s (%s)",
718 packet->len, n->name, n->hostname);
720 if(!n->status.reachable) {
721 logger(DEBUG_TRAFFIC, LOG_INFO, "Node %s (%s) is not reachable",
722 n->name, n->hostname);
727 n->out_bytes += packet->len;
729 if(n->status.sptps) {
730 send_sptps_packet(n, packet);
734 via = (packet->priority == -1 || n->via == myself) ? n->nexthop : n->via;
737 logger(DEBUG_TRAFFIC, LOG_INFO, "Sending packet to %s via %s (%s)",
738 n->name, via->name, n->via->hostname);
740 if(packet->priority == -1 || ((myself->options | via->options) & OPTION_TCPONLY)) {
741 if(!send_tcppacket(via->connection, packet))
742 terminate_connection(via->connection, true);
744 send_udppacket(via, packet);
747 /* Broadcast a packet using the minimum spanning tree */
749 void broadcast_packet(const node_t *from, vpn_packet_t *packet) {
754 // Always give ourself a copy of the packet.
756 send_packet(myself, packet);
758 // In TunnelServer mode, do not forward broadcast packets.
759 // The MST might not be valid and create loops.
760 if(tunnelserver || broadcast_mode == BMODE_NONE)
763 logger(DEBUG_TRAFFIC, LOG_INFO, "Broadcasting packet of %d bytes from %s (%s)",
764 packet->len, from->name, from->hostname);
766 switch(broadcast_mode) {
767 // In MST mode, broadcast packets travel via the Minimum Spanning Tree.
768 // This guarantees all nodes receive the broadcast packet, and
769 // usually distributes the sending of broadcast packets over all nodes.
771 for(node = connection_tree->head; node; node = node->next) {
774 if(c->status.active && c->status.mst && c != from->nexthop->connection)
775 send_packet(c->node, packet);
779 // In direct mode, we send copies to each node we know of.
780 // However, this only reaches nodes that can be reached in a single hop.
781 // We don't have enough information to forward broadcast packets in this case.
786 for(node = node_tree->head; node; node = node->next) {
789 if(n->status.reachable && ((n->via == myself && n->nexthop == n) || n->via == n))
790 send_packet(n, packet);
799 static node_t *try_harder(const sockaddr_t *from, const vpn_packet_t *pkt) {
804 static time_t last_hard_try = 0;
805 time_t now = time(NULL);
807 for(node = edge_weight_tree->head; node; node = node->next) {
810 if(!e->to->status.reachable || e->to == myself)
813 if(sockaddrcmp_noport(from, &e->address)) {
814 if(last_hard_try == now)
819 if(!try_mac(e->to, pkt))
833 void handle_incoming_vpn_data(int sock, short events, void *data) {
836 sockaddr_t from = {{0}};
837 socklen_t fromlen = sizeof from;
841 len = recvfrom(sock, (char *) &pkt.seqno, MAXSIZE, 0, &from.sa, &fromlen);
843 if(len <= 0 || len > MAXSIZE) {
844 if(!sockwouldblock(sockerrno))
845 logger(DEBUG_ALWAYS, LOG_ERR, "Receiving packet failed: %s", sockstrerror(sockerrno));
851 sockaddrunmap(&from); /* Some braindead IPv6 implementations do stupid things. */
853 n = lookup_node_udp(&from);
856 n = try_harder(&from, &pkt);
858 update_node_udp(n, &from);
859 else if(debug_level >= DEBUG_PROTOCOL) {
860 hostname = sockaddr2hostname(&from);
861 logger(DEBUG_PROTOCOL, LOG_WARNING, "Received UDP packet from unknown source %s", hostname);
869 n->sock = (intptr_t)data;
871 receive_udppacket(n, &pkt);
874 void handle_device_data(int sock, short events, void *data) {
879 if(devops.read(&packet)) {
880 myself->in_packets++;
881 myself->in_bytes += packet.len;
882 route(myself, &packet);