2 net_packet.c -- Handles in- and outgoing VPN packets
3 Copyright (C) 1998-2005 Ivo Timmermans,
4 2000-2012 Guus Sliepen <guus@tinc-vpn.org>
5 2010 Timothy Redaelli <timothy@redaelli.eu>
6 2010 Brandon Black <blblack@gmail.com>
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 2 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License along
19 with this program; if not, write to the Free Software Foundation, Inc.,
20 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
25 #include <openssl/rand.h>
26 #include <openssl/err.h>
27 #include <openssl/evp.h>
28 #include <openssl/pem.h>
29 #include <openssl/hmac.h>
41 #include "connection.h"
58 static char lzo_wrkmem[LZO1X_999_MEM_COMPRESS > LZO1X_1_MEM_COMPRESS ? LZO1X_999_MEM_COMPRESS : LZO1X_1_MEM_COMPRESS];
61 static void send_udppacket(node_t *, vpn_packet_t *);
63 unsigned replaywin = 16;
64 bool localdiscovery = false;
66 #define MAX_SEQNO 1073741824
68 /* mtuprobes == 1..30: initial discovery, send bursts with 1 second interval
69 mtuprobes == 31: sleep pinginterval seconds
70 mtuprobes == 32: send 1 burst, sleep pingtimeout second
71 mtuprobes == 33: no response from other side, restart PMTU discovery process
73 Probes are sent in batches of three, with random sizes between the lower and
74 upper boundaries for the MTU thus far discovered.
76 In case local discovery is enabled, a fourth packet is added to each batch,
77 which will be broadcast to the local network.
80 static void send_mtu_probe_handler(int fd, short events, void *data) {
86 if(!n->status.reachable || !n->status.validkey) {
87 logger(DEBUG_TRAFFIC, LOG_INFO, "Trying to send MTU probe to unreachable or rekeying node %s (%s)", n->name, n->hostname);
92 if(n->mtuprobes > 32) {
95 timeout = pinginterval;
99 logger(DEBUG_TRAFFIC, LOG_INFO, "%s (%s) did not respond to UDP ping, restarting PMTU discovery", n->name, n->hostname);
105 if(n->mtuprobes >= 10 && n->mtuprobes < 32 && !n->minmtu) {
106 logger(DEBUG_TRAFFIC, LOG_INFO, "No response to MTU probes from %s (%s)", n->name, n->hostname);
110 if(n->mtuprobes == 30 || (n->mtuprobes < 30 && n->minmtu >= n->maxmtu)) {
111 if(n->minmtu > n->maxmtu)
112 n->minmtu = n->maxmtu;
114 n->maxmtu = n->minmtu;
116 logger(DEBUG_TRAFFIC, LOG_INFO, "Fixing MTU of %s (%s) to %d after %d probes", n->name, n->hostname, n->mtu, n->mtuprobes);
120 if(n->mtuprobes == 31) {
121 timeout = pinginterval;
123 } else if(n->mtuprobes == 32) {
124 timeout = pingtimeout;
127 for(int i = 0; i < 3 + localdiscovery; i++) {
130 if(n->maxmtu <= n->minmtu)
133 len = n->minmtu + 1 + rand() % (n->maxmtu - n->minmtu);
139 memset(packet.data, 0, 14);
140 randomize(packet.data + 14, len - 14);
142 if(i >= 3 && n->mtuprobes <= 10)
143 packet.priority = -1;
147 logger(DEBUG_TRAFFIC, LOG_INFO, "Sending MTU probe length %d to %s (%s)", len, n->name, n->hostname);
149 send_udppacket(n, &packet);
153 event_add(&n->mtuevent, &(struct timeval){timeout, 0});
156 void send_mtu_probe(node_t *n) {
157 if(!timeout_initialized(&n->mtuevent))
158 timeout_set(&n->mtuevent, send_mtu_probe_handler, n);
159 send_mtu_probe_handler(0, 0, n);
162 static void mtu_probe_h(node_t *n, vpn_packet_t *packet, length_t len) {
163 logger(DEBUG_TRAFFIC, LOG_INFO, "Got MTU probe length %d from %s (%s)", packet->len, n->name, n->hostname);
165 if(!packet->data[0]) {
167 send_udppacket(n, packet);
169 if(n->mtuprobes > 30) {
183 static length_t compress_packet(uint8_t *dest, const uint8_t *source, length_t len, int level) {
185 memcpy(dest, source, len);
187 } else if(level == 10) {
189 lzo_uint lzolen = MAXSIZE;
190 lzo1x_1_compress(source, len, dest, &lzolen, lzo_wrkmem);
195 } else if(level < 10) {
197 unsigned long destlen = MAXSIZE;
198 if(compress2(dest, &destlen, source, len, level) == Z_OK)
205 lzo_uint lzolen = MAXSIZE;
206 lzo1x_999_compress(source, len, dest, &lzolen, lzo_wrkmem);
216 static length_t uncompress_packet(uint8_t *dest, const uint8_t *source, length_t len, int level) {
218 memcpy(dest, source, len);
220 } else if(level > 9) {
222 lzo_uint lzolen = MAXSIZE;
223 if(lzo1x_decompress_safe(source, len, dest, &lzolen, NULL) == LZO_E_OK)
231 unsigned long destlen = MAXSIZE;
232 if(uncompress(dest, &destlen, source, len) == Z_OK)
244 static void receive_packet(node_t *n, vpn_packet_t *packet) {
245 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Received packet of %d bytes from %s (%s)",
246 packet->len, n->name, n->hostname);
249 n->in_bytes += packet->len;
254 static bool try_mac(node_t *n, const vpn_packet_t *inpkt) {
256 return sptps_verify_datagram(&n->sptps, (char *)&inpkt->seqno, inpkt->len);
258 if(!digest_active(&n->indigest) || inpkt->len < sizeof inpkt->seqno + digest_length(&n->indigest))
261 return digest_verify(&n->indigest, &inpkt->seqno, inpkt->len - n->indigest.maclength, (const char *)&inpkt->seqno + inpkt->len - n->indigest.maclength);
264 static void receive_udppacket(node_t *n, vpn_packet_t *inpkt) {
265 vpn_packet_t pkt1, pkt2;
266 vpn_packet_t *pkt[] = { &pkt1, &pkt2, &pkt1, &pkt2 };
268 vpn_packet_t *outpkt = pkt[0];
271 if(n->status.sptps) {
272 sptps_receive_data(&n->sptps, (char *)&inpkt->seqno, inpkt->len);
276 if(!cipher_active(&n->incipher)) {
277 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got packet from %s (%s) but he hasn't got our key yet",
278 n->name, n->hostname);
282 /* Check packet length */
284 if(inpkt->len < sizeof inpkt->seqno + digest_length(&n->indigest)) {
285 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got too short packet from %s (%s)",
286 n->name, n->hostname);
290 /* Check the message authentication code */
292 if(digest_active(&n->indigest)) {
293 inpkt->len -= n->indigest.maclength;
294 if(!digest_verify(&n->indigest, &inpkt->seqno, inpkt->len, (const char *)&inpkt->seqno + inpkt->len)) {
295 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got unauthenticated packet from %s (%s)", n->name, n->hostname);
299 /* Decrypt the packet */
301 if(cipher_active(&n->incipher)) {
302 outpkt = pkt[nextpkt++];
305 if(!cipher_decrypt(&n->incipher, &inpkt->seqno, inpkt->len, &outpkt->seqno, &outlen, true)) {
306 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Error decrypting packet from %s (%s)", n->name, n->hostname);
310 outpkt->len = outlen;
314 /* Check the sequence number */
316 inpkt->len -= sizeof inpkt->seqno;
317 inpkt->seqno = ntohl(inpkt->seqno);
320 if(inpkt->seqno != n->received_seqno + 1) {
321 if(inpkt->seqno >= n->received_seqno + replaywin * 8) {
322 if(n->farfuture++ < replaywin >> 2) {
323 logger(DEBUG_ALWAYS, LOG_WARNING, "Packet from %s (%s) is %d seqs in the future, dropped (%u)",
324 n->name, n->hostname, inpkt->seqno - n->received_seqno - 1, n->farfuture);
327 logger(DEBUG_ALWAYS, LOG_WARNING, "Lost %d packets from %s (%s)",
328 inpkt->seqno - n->received_seqno - 1, n->name, n->hostname);
329 memset(n->late, 0, replaywin);
330 } else if (inpkt->seqno <= n->received_seqno) {
331 if((n->received_seqno >= replaywin * 8 && inpkt->seqno <= n->received_seqno - replaywin * 8) || !(n->late[(inpkt->seqno / 8) % replaywin] & (1 << inpkt->seqno % 8))) {
332 logger(DEBUG_ALWAYS, LOG_WARNING, "Got late or replayed packet from %s (%s), seqno %d, last received %d",
333 n->name, n->hostname, inpkt->seqno, n->received_seqno);
337 for(int i = n->received_seqno + 1; i < inpkt->seqno; i++)
338 n->late[(i / 8) % replaywin] |= 1 << i % 8;
343 n->late[(inpkt->seqno / 8) % replaywin] &= ~(1 << inpkt->seqno % 8);
346 if(inpkt->seqno > n->received_seqno)
347 n->received_seqno = inpkt->seqno;
349 if(n->received_seqno > MAX_SEQNO)
352 /* Decompress the packet */
354 length_t origlen = inpkt->len;
356 if(n->incompression) {
357 outpkt = pkt[nextpkt++];
359 if((outpkt->len = uncompress_packet(outpkt->data, inpkt->data, inpkt->len, n->incompression)) < 0) {
360 logger(DEBUG_TRAFFIC, LOG_ERR, "Error while uncompressing packet from %s (%s)",
361 n->name, n->hostname);
367 origlen -= MTU/64 + 20;
372 if(!inpkt->data[12] && !inpkt->data[13])
373 mtu_probe_h(n, inpkt, origlen);
375 receive_packet(n, inpkt);
378 void receive_tcppacket(connection_t *c, const char *buffer, int len) {
382 if(c->options & OPTION_TCPONLY)
385 outpkt.priority = -1;
386 memcpy(outpkt.data, buffer, len);
388 receive_packet(c->node, &outpkt);
391 static void send_sptps_packet(node_t *n, vpn_packet_t *origpkt) {
392 if(!n->status.validkey) {
393 logger(DEBUG_TRAFFIC, LOG_INFO, "No valid key known yet for %s (%s)", n->name, n->hostname);
394 if(!n->status.waitingforkey)
396 else if(n->last_req_key + 10 < time(NULL)) {
397 sptps_stop(&n->sptps);
398 n->status.waitingforkey = false;
407 if(!(origpkt->data[12] | origpkt->data[13])) {
408 sptps_send_record(&n->sptps, PKT_PROBE, (char *)origpkt->data, origpkt->len);
412 if(routing_mode == RMODE_ROUTER)
417 if(origpkt->len < offset)
422 if(n->outcompression) {
423 int len = compress_packet(outpkt.data + offset, origpkt->data + offset, origpkt->len - offset, n->outcompression);
425 logger(DEBUG_TRAFFIC, LOG_ERR, "Error while compressing packet to %s (%s)", n->name, n->hostname);
426 } else if(len < origpkt->len - offset) {
427 outpkt.len = len + offset;
429 type |= PKT_COMPRESSED;
433 sptps_send_record(&n->sptps, type, (char *)origpkt->data + offset, origpkt->len - offset);
437 static void send_udppacket(node_t *n, vpn_packet_t *origpkt) {
438 vpn_packet_t pkt1, pkt2;
439 vpn_packet_t *pkt[] = { &pkt1, &pkt2, &pkt1, &pkt2 };
440 vpn_packet_t *inpkt = origpkt;
442 vpn_packet_t *outpkt;
443 int origlen = origpkt->len;
445 #if defined(SOL_IP) && defined(IP_TOS)
446 static int priority = 0;
448 int origpriority = origpkt->priority;
450 if(!n->status.reachable) {
451 logger(DEBUG_TRAFFIC, LOG_INFO, "Trying to send UDP packet to unreachable node %s (%s)", n->name, n->hostname);
456 return send_sptps_packet(n, origpkt);
458 /* Make sure we have a valid key */
460 if(!n->status.validkey) {
461 time_t now = time(NULL);
463 logger(DEBUG_TRAFFIC, LOG_INFO,
464 "No valid key known yet for %s (%s), forwarding via TCP",
465 n->name, n->hostname);
467 if(n->last_req_key + 10 <= now) {
469 n->last_req_key = now;
472 send_tcppacket(n->nexthop->connection, origpkt);
477 if(n->options & OPTION_PMTU_DISCOVERY && inpkt->len > n->minmtu && (inpkt->data[12] | inpkt->data[13])) {
478 logger(DEBUG_TRAFFIC, LOG_INFO,
479 "Packet for %s (%s) larger than minimum MTU, forwarding via %s",
480 n->name, n->hostname, n != n->nexthop ? n->nexthop->name : "TCP");
483 send_packet(n->nexthop, origpkt);
485 send_tcppacket(n->nexthop->connection, origpkt);
490 /* Compress the packet */
492 if(n->outcompression) {
493 outpkt = pkt[nextpkt++];
495 if((outpkt->len = compress_packet(outpkt->data, inpkt->data, inpkt->len, n->outcompression)) < 0) {
496 logger(DEBUG_TRAFFIC, LOG_ERR, "Error while compressing packet to %s (%s)",
497 n->name, n->hostname);
504 /* Add sequence number */
506 inpkt->seqno = htonl(++(n->sent_seqno));
507 inpkt->len += sizeof inpkt->seqno;
509 /* Encrypt the packet */
511 if(cipher_active(&n->outcipher)) {
512 outpkt = pkt[nextpkt++];
515 if(!cipher_encrypt(&n->outcipher, &inpkt->seqno, inpkt->len, &outpkt->seqno, &outlen, true)) {
516 logger(DEBUG_TRAFFIC, LOG_ERR, "Error while encrypting packet to %s (%s)", n->name, n->hostname);
520 outpkt->len = outlen;
524 /* Add the message authentication code */
526 if(digest_active(&n->outdigest)) {
527 digest_create(&n->outdigest, &inpkt->seqno, inpkt->len, (char *)&inpkt->seqno + inpkt->len);
528 inpkt->len += digest_length(&n->outdigest);
531 /* Determine which socket we have to use */
533 if(n->address.sa.sa_family != listen_socket[n->sock].sa.sa.sa_family) {
534 for(int sock = 0; sock < listen_sockets; sock++) {
535 if(n->address.sa.sa_family == listen_socket[sock].sa.sa.sa_family) {
542 /* Send the packet */
548 /* Overloaded use of priority field: -1 means local broadcast */
550 if(origpriority == -1 && n->prevedge) {
551 struct sockaddr_in in;
552 in.sin_family = AF_INET;
553 in.sin_addr.s_addr = -1;
554 in.sin_port = n->prevedge->address.in.sin_port;
555 sa = (struct sockaddr *)∈
559 if(origpriority == -1)
562 sa = &(n->address.sa);
563 sl = SALEN(n->address.sa);
567 #if defined(SOL_IP) && defined(IP_TOS)
568 if(priorityinheritance && origpriority != priority
569 && listen_socket[n->sock].sa.sa.sa_family == AF_INET) {
570 priority = origpriority;
571 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Setting outgoing packet priority to %d", priority);
572 if(setsockopt(listen_socket[n->sock].udp, SOL_IP, IP_TOS, &priority, sizeof(priority))) /* SO_PRIORITY doesn't seem to work */
573 logger(DEBUG_ALWAYS, LOG_ERR, "System call `%s' failed: %s", "setsockopt", strerror(errno));
577 if(sendto(listen_socket[sock].udp, (char *) &inpkt->seqno, inpkt->len, 0, sa, sl) < 0 && !sockwouldblock(sockerrno)) {
578 if(sockmsgsize(sockerrno)) {
579 if(n->maxmtu >= origlen)
580 n->maxmtu = origlen - 1;
581 if(n->mtu >= origlen)
582 n->mtu = origlen - 1;
584 logger(DEBUG_TRAFFIC, LOG_WARNING, "Error sending packet to %s (%s): %s", n->name, n->hostname, sockstrerror(sockerrno));
588 origpkt->len = origlen;
591 bool send_sptps_data(void *handle, uint8_t type, const char *data, size_t len) {
594 if(type >= SPTPS_HANDSHAKE
595 || ((myself->options | to->options) & OPTION_TCPONLY)
596 || (type != PKT_PROBE && len > to->minmtu)) {
597 char buf[len * 4 / 3 + 5];
598 b64encode(data, buf, len);
599 if(!to->status.validkey)
600 return send_request(to->nexthop->connection, "%d %s %s %s -1 -1 -1 %d", ANS_KEY, myself->name, to->name, buf, myself->incompression);
602 return send_request(to->nexthop->connection, "%d %s %s %d %s", REQ_KEY, myself->name, to->name, type >= SPTPS_HANDSHAKE ? REQ_SPTPS : REQ_PACKET, buf);
605 /* Send the packet */
611 sa = &(to->address.sa);
612 sl = SALEN(to->address.sa);
615 if(sendto(listen_socket[sock].udp, data, len, 0, sa, sl) < 0 && !sockwouldblock(sockerrno)) {
616 if(sockmsgsize(sockerrno)) {
617 if(to->maxmtu >= len)
618 to->maxmtu = len - 1;
622 logger(DEBUG_TRAFFIC, LOG_WARNING, "Error sending UDP SPTPS packet to %s (%s): %s", to->name, to->hostname, sockstrerror(sockerrno));
630 bool receive_sptps_record(void *handle, uint8_t type, const char *data, uint16_t len) {
631 node_t *from = handle;
633 if(type == SPTPS_HANDSHAKE) {
634 from->status.validkey = true;
635 from->status.waitingforkey = false;
636 logger(DEBUG_META, LOG_INFO, "SPTPS key exchange with %s (%s) succesful", from->name, from->hostname);
641 logger(DEBUG_ALWAYS, LOG_ERR, "Packet from %s (%s) larger than maximum supported size (%d > %d)", from->name, from->hostname, len, MTU);
647 if(type == PKT_PROBE) {
649 memcpy(inpkt.data, data, len);
650 mtu_probe_h(from, &inpkt, len);
654 if(type & ~(PKT_COMPRESSED | PKT_MAC)) {
655 logger(DEBUG_ALWAYS, LOG_ERR, "Unexpected SPTPS record type %d len %d from %s (%s)", type, len, from->name, from->hostname);
659 /* Check if we have the headers we need */
660 if(routing_mode != RMODE_ROUTER && !(type & PKT_MAC)) {
661 logger(DEBUG_TRAFFIC, LOG_ERR, "Received packet from %s (%s) without MAC header (maybe Mode is not set correctly)", from->name, from->hostname);
663 } else if(routing_mode == RMODE_ROUTER && (type & PKT_MAC)) {
664 logger(DEBUG_TRAFFIC, LOG_WARNING, "Received packet from %s (%s) with MAC header (maybe Mode is not set correctly)", from->name, from->hostname);
667 int offset = (type & PKT_MAC) ? 0 : 14;
668 if(type & PKT_COMPRESSED) {
669 len = uncompress_packet(inpkt.data + offset, (const uint8_t *)data, len, from->incompression);
673 inpkt.len = len + offset;
675 if(inpkt.len > MAXSIZE)
678 memcpy(inpkt.data + offset, data, len);
679 inpkt.len = len + offset;
682 /* Generate the Ethernet packet type if necessary */
684 switch(inpkt.data[14] >> 4) {
686 inpkt.data[12] = 0x08;
687 inpkt.data[13] = 0x00;
690 inpkt.data[12] = 0x86;
691 inpkt.data[13] = 0xDD;
694 logger(DEBUG_TRAFFIC, LOG_ERR,
695 "Unknown IP version %d while reading packet from %s (%s)",
696 inpkt.data[14] >> 4, from->name, from->hostname);
701 receive_packet(from, &inpkt);
706 send a packet to the given vpn ip.
708 void send_packet(node_t *n, vpn_packet_t *packet) {
713 memcpy(packet->data, mymac.x, ETH_ALEN);
715 n->out_bytes += packet->len;
716 devops.write(packet);
720 logger(DEBUG_TRAFFIC, LOG_ERR, "Sending packet of %d bytes to %s (%s)",
721 packet->len, n->name, n->hostname);
723 if(!n->status.reachable) {
724 logger(DEBUG_TRAFFIC, LOG_INFO, "Node %s (%s) is not reachable",
725 n->name, n->hostname);
730 n->out_bytes += packet->len;
732 if(n->status.sptps) {
733 send_sptps_packet(n, packet);
737 via = (packet->priority == -1 || n->via == myself) ? n->nexthop : n->via;
740 logger(DEBUG_TRAFFIC, LOG_INFO, "Sending packet to %s via %s (%s)",
741 n->name, via->name, n->via->hostname);
743 if(packet->priority == -1 || ((myself->options | via->options) & OPTION_TCPONLY)) {
744 if(!send_tcppacket(via->connection, packet))
745 terminate_connection(via->connection, true);
747 send_udppacket(via, packet);
750 /* Broadcast a packet using the minimum spanning tree */
752 void broadcast_packet(const node_t *from, vpn_packet_t *packet) {
753 // Always give ourself a copy of the packet.
755 send_packet(myself, packet);
757 // In TunnelServer mode, do not forward broadcast packets.
758 // The MST might not be valid and create loops.
759 if(tunnelserver || broadcast_mode == BMODE_NONE)
762 logger(DEBUG_TRAFFIC, LOG_INFO, "Broadcasting packet of %d bytes from %s (%s)",
763 packet->len, from->name, from->hostname);
765 switch(broadcast_mode) {
766 // In MST mode, broadcast packets travel via the Minimum Spanning Tree.
767 // This guarantees all nodes receive the broadcast packet, and
768 // usually distributes the sending of broadcast packets over all nodes.
770 for list_each(connection_t, c, connection_list)
771 if(c->status.active && c->status.mst && c != from->nexthop->connection)
772 send_packet(c->node, packet);
775 // In direct mode, we send copies to each node we know of.
776 // However, this only reaches nodes that can be reached in a single hop.
777 // We don't have enough information to forward broadcast packets in this case.
782 for splay_each(node_t, n, node_tree)
783 if(n->status.reachable && ((n->via == myself && n->nexthop == n) || n->via == n))
784 send_packet(n, packet);
792 static node_t *try_harder(const sockaddr_t *from, const vpn_packet_t *pkt) {
795 static time_t last_hard_try = 0;
796 time_t now = time(NULL);
798 for splay_each(edge_t, e, edge_weight_tree) {
799 if(!e->to->status.reachable || e->to == myself)
802 if(sockaddrcmp_noport(from, &e->address)) {
803 if(last_hard_try == now)
808 if(!try_mac(e->to, pkt))
822 void handle_incoming_vpn_data(int sock, short events, void *data) {
825 sockaddr_t from = {{0}};
826 socklen_t fromlen = sizeof from;
830 len = recvfrom(sock, (char *) &pkt.seqno, MAXSIZE, 0, &from.sa, &fromlen);
832 if(len <= 0 || len > MAXSIZE) {
833 if(!sockwouldblock(sockerrno))
834 logger(DEBUG_ALWAYS, LOG_ERR, "Receiving packet failed: %s", sockstrerror(sockerrno));
840 sockaddrunmap(&from); /* Some braindead IPv6 implementations do stupid things. */
842 n = lookup_node_udp(&from);
845 n = try_harder(&from, &pkt);
847 update_node_udp(n, &from);
848 else if(debug_level >= DEBUG_PROTOCOL) {
849 hostname = sockaddr2hostname(&from);
850 logger(DEBUG_PROTOCOL, LOG_WARNING, "Received UDP packet from unknown source %s", hostname);
858 n->sock = (intptr_t)data;
860 receive_udppacket(n, &pkt);
863 void handle_device_data(int sock, short events, void *data) {
868 if(devops.read(&packet)) {
869 myself->in_packets++;
870 myself->in_bytes += packet.len;
871 route(myself, &packet);