2 net_packet.c -- Handles in- and outgoing VPN packets
3 Copyright (C) 1998-2005 Ivo Timmermans,
4 2000-2014 Guus Sliepen <guus@tinc-vpn.org>
5 2010 Timothy Redaelli <timothy@redaelli.eu>
6 2010 Brandon Black <blblack@gmail.com>
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 2 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License along
19 with this program; if not, write to the Free Software Foundation, Inc.,
20 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
25 #include <openssl/rand.h>
26 #include <openssl/err.h>
27 #include <openssl/evp.h>
28 #include <openssl/pem.h>
29 #include <openssl/hmac.h>
41 #include "connection.h"
58 static char lzo_wrkmem[LZO1X_999_MEM_COMPRESS > LZO1X_1_MEM_COMPRESS ? LZO1X_999_MEM_COMPRESS : LZO1X_1_MEM_COMPRESS];
61 static void send_udppacket(node_t *, vpn_packet_t *);
63 unsigned replaywin = 16;
64 bool localdiscovery = false;
66 #define MAX_SEQNO 1073741824
68 /* mtuprobes == 1..30: initial discovery, send bursts with 1 second interval
69 mtuprobes == 31: sleep pinginterval seconds
70 mtuprobes == 32: send 1 burst, sleep pingtimeout second
71 mtuprobes == 33: no response from other side, restart PMTU discovery process
73 Probes are sent in batches of at least three, with random sizes between the
74 lower and upper boundaries for the MTU thus far discovered.
76 After the initial discovery, a fourth packet is added to each batch with a
77 size larger than the currently known PMTU, to test if the PMTU has increased.
79 In case local discovery is enabled, another packet is added to each batch,
80 which will be broadcast to the local network.
84 void send_mtu_probe(node_t *n) {
92 if(!n->status.reachable || !n->status.validkey) {
93 ifdebug(TRAFFIC) logger(LOG_INFO, "Trying to send MTU probe to unreachable or rekeying node %s (%s)", n->name, n->hostname);
98 if(n->mtuprobes > 32) {
101 timeout = pinginterval;
105 ifdebug(TRAFFIC) logger(LOG_INFO, "%s (%s) did not respond to UDP ping, restarting PMTU discovery", n->name, n->hostname);
111 if(n->mtuprobes >= 10 && n->mtuprobes < 32 && !n->minmtu) {
112 ifdebug(TRAFFIC) logger(LOG_INFO, "No response to MTU probes from %s (%s)", n->name, n->hostname);
116 if(n->mtuprobes == 30 || (n->mtuprobes < 30 && n->minmtu >= n->maxmtu)) {
117 if(n->minmtu > n->maxmtu)
118 n->minmtu = n->maxmtu;
120 n->maxmtu = n->minmtu;
122 ifdebug(TRAFFIC) logger(LOG_INFO, "Fixing MTU of %s (%s) to %d after %d probes", n->name, n->hostname, n->mtu, n->mtuprobes);
126 if(n->mtuprobes == 31) {
127 timeout = pinginterval;
129 } else if(n->mtuprobes == 32) {
130 timeout = pingtimeout;
133 for(i = 0; i < 4 + localdiscovery; i++) {
135 if(n->mtuprobes < 30 || n->maxmtu + 8 >= MTU)
138 } else if(n->maxmtu <= n->minmtu) {
141 len = n->minmtu + 1 + rand() % (n->maxmtu - n->minmtu);
147 memset(packet.data, 0, 14);
148 RAND_pseudo_bytes(packet.data + 14, len - 14);
150 if(i >= 4 && n->mtuprobes <= 10)
151 packet.priority = -1;
155 ifdebug(TRAFFIC) logger(LOG_INFO, "Sending MTU probe length %d to %s (%s)", len, n->name, n->hostname);
157 send_udppacket(n, &packet);
161 n->mtuevent = new_event();
162 n->mtuevent->handler = (event_handler_t)send_mtu_probe;
163 n->mtuevent->data = n;
164 n->mtuevent->time = now + timeout;
165 event_add(n->mtuevent);
168 void mtu_probe_h(node_t *n, vpn_packet_t *packet, length_t len) {
169 ifdebug(TRAFFIC) logger(LOG_INFO, "Got MTU probe length %d from %s (%s)", packet->len, n->name, n->hostname);
171 if(!packet->data[0]) {
173 send_udppacket(n, packet);
175 if(n->mtuprobes > 30) {
176 if (len == n->maxmtu + 8) {
177 ifdebug(TRAFFIC) logger(LOG_INFO, "Increase in PMTU to %s (%s) detected, restarting PMTU discovery", n->name, n->hostname);
196 static length_t compress_packet(uint8_t *dest, const uint8_t *source, length_t len, int level) {
198 memcpy(dest, source, len);
200 } else if(level == 10) {
202 lzo_uint lzolen = MAXSIZE;
203 lzo1x_1_compress(source, len, dest, &lzolen, lzo_wrkmem);
208 } else if(level < 10) {
210 unsigned long destlen = MAXSIZE;
211 if(compress2(dest, &destlen, source, len, level) == Z_OK)
218 lzo_uint lzolen = MAXSIZE;
219 lzo1x_999_compress(source, len, dest, &lzolen, lzo_wrkmem);
229 static length_t uncompress_packet(uint8_t *dest, const uint8_t *source, length_t len, int level) {
231 memcpy(dest, source, len);
233 } else if(level > 9) {
235 lzo_uint lzolen = MAXSIZE;
236 if(lzo1x_decompress_safe(source, len, dest, &lzolen, NULL) == LZO_E_OK)
244 unsigned long destlen = MAXSIZE;
245 if(uncompress(dest, &destlen, source, len) == Z_OK)
257 static void receive_packet(node_t *n, vpn_packet_t *packet) {
258 ifdebug(TRAFFIC) logger(LOG_DEBUG, "Received packet of %d bytes from %s (%s)",
259 packet->len, n->name, n->hostname);
264 static bool try_mac(const node_t *n, const vpn_packet_t *inpkt) {
265 unsigned char hmac[EVP_MAX_MD_SIZE];
267 if(!n->indigest || !n->inmaclength || !n->inkey || inpkt->len < sizeof inpkt->seqno + n->inmaclength)
270 HMAC(n->indigest, n->inkey, n->inkeylength, (unsigned char *) &inpkt->seqno, inpkt->len - n->inmaclength, (unsigned char *)hmac, NULL);
272 return !memcmp_constant_time(hmac, (char *) &inpkt->seqno + inpkt->len - n->inmaclength, n->inmaclength);
275 static void receive_udppacket(node_t *n, vpn_packet_t *inpkt) {
276 vpn_packet_t pkt1, pkt2;
277 vpn_packet_t *pkt[] = { &pkt1, &pkt2, &pkt1, &pkt2 };
279 vpn_packet_t *outpkt = pkt[0];
281 unsigned char hmac[EVP_MAX_MD_SIZE];
285 ifdebug(TRAFFIC) logger(LOG_DEBUG, "Got packet from %s (%s) but he hasn't got our key yet",
286 n->name, n->hostname);
290 /* Check packet length */
292 if(inpkt->len < sizeof(inpkt->seqno) + n->inmaclength) {
293 ifdebug(TRAFFIC) logger(LOG_DEBUG, "Got too short packet from %s (%s)",
294 n->name, n->hostname);
298 /* Check the message authentication code */
300 if(n->indigest && n->inmaclength) {
301 inpkt->len -= n->inmaclength;
302 HMAC(n->indigest, n->inkey, n->inkeylength,
303 (unsigned char *) &inpkt->seqno, inpkt->len, (unsigned char *)hmac, NULL);
305 if(memcmp_constant_time(hmac, (char *) &inpkt->seqno + inpkt->len, n->inmaclength)) {
306 ifdebug(TRAFFIC) logger(LOG_DEBUG, "Got unauthenticated packet from %s (%s)",
307 n->name, n->hostname);
312 /* Decrypt the packet */
315 outpkt = pkt[nextpkt++];
317 if(!EVP_DecryptInit_ex(&n->inctx, NULL, NULL, NULL, NULL)
318 || !EVP_DecryptUpdate(&n->inctx, (unsigned char *) &outpkt->seqno, &outlen,
319 (unsigned char *) &inpkt->seqno, inpkt->len)
320 || !EVP_DecryptFinal_ex(&n->inctx, (unsigned char *) &outpkt->seqno + outlen, &outpad)) {
321 ifdebug(TRAFFIC) logger(LOG_DEBUG, "Error decrypting packet from %s (%s): %s",
322 n->name, n->hostname, ERR_error_string(ERR_get_error(), NULL));
326 outpkt->len = outlen + outpad;
330 /* Check the sequence number */
332 inpkt->len -= sizeof(inpkt->seqno);
333 inpkt->seqno = ntohl(inpkt->seqno);
336 if(inpkt->seqno != n->received_seqno + 1) {
337 if(inpkt->seqno >= n->received_seqno + replaywin * 8) {
338 if(n->farfuture++ < replaywin >> 2) {
339 logger(LOG_WARNING, "Packet from %s (%s) is %d seqs in the future, dropped (%u)",
340 n->name, n->hostname, inpkt->seqno - n->received_seqno - 1, n->farfuture);
343 logger(LOG_WARNING, "Lost %d packets from %s (%s)",
344 inpkt->seqno - n->received_seqno - 1, n->name, n->hostname);
345 memset(n->late, 0, replaywin);
346 } else if (inpkt->seqno <= n->received_seqno) {
347 if((n->received_seqno >= replaywin * 8 && inpkt->seqno <= n->received_seqno - replaywin * 8) || !(n->late[(inpkt->seqno / 8) % replaywin] & (1 << inpkt->seqno % 8))) {
348 logger(LOG_WARNING, "Got late or replayed packet from %s (%s), seqno %d, last received %d",
349 n->name, n->hostname, inpkt->seqno, n->received_seqno);
353 for(i = n->received_seqno + 1; i < inpkt->seqno; i++)
354 n->late[(i / 8) % replaywin] |= 1 << i % 8;
359 n->late[(inpkt->seqno / 8) % replaywin] &= ~(1 << inpkt->seqno % 8);
362 if(inpkt->seqno > n->received_seqno)
363 n->received_seqno = inpkt->seqno;
365 if(n->received_seqno > MAX_SEQNO)
368 /* Decompress the packet */
370 length_t origlen = inpkt->len;
372 if(n->incompression) {
373 outpkt = pkt[nextpkt++];
375 if((outpkt->len = uncompress_packet(outpkt->data, inpkt->data, inpkt->len, n->incompression)) < 0) {
376 ifdebug(TRAFFIC) logger(LOG_ERR, "Error while uncompressing packet from %s (%s)",
377 n->name, n->hostname);
383 origlen -= MTU/64 + 20;
388 if(!inpkt->data[12] && !inpkt->data[13])
389 mtu_probe_h(n, inpkt, origlen);
391 receive_packet(n, inpkt);
394 void receive_tcppacket(connection_t *c, const char *buffer, int len) {
397 if(len > sizeof outpkt.data)
401 if(c->options & OPTION_TCPONLY)
404 outpkt.priority = -1;
405 memcpy(outpkt.data, buffer, len);
407 receive_packet(c->node, &outpkt);
410 static void send_udppacket(node_t *n, vpn_packet_t *origpkt) {
411 vpn_packet_t pkt1, pkt2;
412 vpn_packet_t *pkt[] = { &pkt1, &pkt2, &pkt1, &pkt2 };
413 vpn_packet_t *inpkt = origpkt;
415 vpn_packet_t *outpkt;
418 #if defined(SOL_IP) && defined(IP_TOS)
419 static int priority = 0;
423 if(!n->status.reachable) {
424 ifdebug(TRAFFIC) logger(LOG_INFO, "Trying to send UDP packet to unreachable node %s (%s)", n->name, n->hostname);
428 /* Make sure we have a valid key */
430 if(!n->status.validkey) {
431 ifdebug(TRAFFIC) logger(LOG_INFO,
432 "No valid key known yet for %s (%s), forwarding via TCP",
433 n->name, n->hostname);
435 if(n->last_req_key + 10 <= now) {
437 n->last_req_key = now;
440 send_tcppacket(n->nexthop->connection, origpkt);
445 if(n->options & OPTION_PMTU_DISCOVERY && inpkt->len > n->minmtu && (inpkt->data[12] | inpkt->data[13])) {
446 ifdebug(TRAFFIC) logger(LOG_INFO,
447 "Packet for %s (%s) larger than minimum MTU, forwarding via %s",
448 n->name, n->hostname, n != n->nexthop ? n->nexthop->name : "TCP");
451 send_packet(n->nexthop, origpkt);
453 send_tcppacket(n->nexthop->connection, origpkt);
458 origlen = inpkt->len;
459 origpriority = inpkt->priority;
461 /* Compress the packet */
463 if(n->outcompression) {
464 outpkt = pkt[nextpkt++];
466 if((outpkt->len = compress_packet(outpkt->data, inpkt->data, inpkt->len, n->outcompression)) < 0) {
467 ifdebug(TRAFFIC) logger(LOG_ERR, "Error while compressing packet to %s (%s)",
468 n->name, n->hostname);
475 /* Add sequence number */
477 inpkt->seqno = htonl(++(n->sent_seqno));
478 inpkt->len += sizeof(inpkt->seqno);
480 /* Encrypt the packet */
483 outpkt = pkt[nextpkt++];
485 if(!EVP_EncryptInit_ex(&n->outctx, NULL, NULL, NULL, NULL)
486 || !EVP_EncryptUpdate(&n->outctx, (unsigned char *) &outpkt->seqno, &outlen,
487 (unsigned char *) &inpkt->seqno, inpkt->len)
488 || !EVP_EncryptFinal_ex(&n->outctx, (unsigned char *) &outpkt->seqno + outlen, &outpad)) {
489 ifdebug(TRAFFIC) logger(LOG_ERR, "Error while encrypting packet to %s (%s): %s",
490 n->name, n->hostname, ERR_error_string(ERR_get_error(), NULL));
494 outpkt->len = outlen + outpad;
498 /* Add the message authentication code */
500 if(n->outdigest && n->outmaclength) {
501 HMAC(n->outdigest, n->outkey, n->outkeylength, (unsigned char *) &inpkt->seqno,
502 inpkt->len, (unsigned char *) &inpkt->seqno + inpkt->len, NULL);
503 inpkt->len += n->outmaclength;
506 /* Determine which socket we have to use */
508 if(n->address.sa.sa_family != listen_socket[n->sock].sa.sa.sa_family) {
509 for(int sock = 0; sock < listen_sockets; sock++) {
510 if(n->address.sa.sa_family == listen_socket[sock].sa.sa.sa_family) {
517 /* Send the packet */
522 sockaddr_t broadcast;
524 /* Overloaded use of priority field: -1 means local broadcast */
526 if(origpriority == -1 && n->prevedge) {
527 sock = rand() % listen_sockets;
528 memset(&broadcast, 0, sizeof broadcast);
529 if(listen_socket[sock].sa.sa.sa_family == AF_INET6) {
530 broadcast.in6.sin6_family = AF_INET6;
531 broadcast.in6.sin6_addr.s6_addr[0x0] = 0xff;
532 broadcast.in6.sin6_addr.s6_addr[0x1] = 0x02;
533 broadcast.in6.sin6_addr.s6_addr[0xf] = 0x01;
534 broadcast.in6.sin6_port = n->prevedge->address.in.sin_port;
535 broadcast.in6.sin6_scope_id = listen_socket[sock].sa.in6.sin6_scope_id;
537 broadcast.in.sin_family = AF_INET;
538 broadcast.in.sin_addr.s_addr = -1;
539 broadcast.in.sin_port = n->prevedge->address.in.sin_port;
542 sl = SALEN(broadcast.sa);
544 if(origpriority == -1)
547 sa = &(n->address.sa);
548 sl = SALEN(n->address.sa);
552 #if defined(SOL_IP) && defined(IP_TOS)
553 if(priorityinheritance && origpriority != priority
554 && listen_socket[n->sock].sa.sa.sa_family == AF_INET) {
555 priority = origpriority;
556 ifdebug(TRAFFIC) logger(LOG_DEBUG, "Setting outgoing packet priority to %d", priority);
557 if(setsockopt(listen_socket[n->sock].udp, SOL_IP, IP_TOS, &priority, sizeof(priority))) /* SO_PRIORITY doesn't seem to work */
558 logger(LOG_ERR, "System call `%s' failed: %s", "setsockopt", strerror(errno));
562 if(sendto(listen_socket[sock].udp, (char *) &inpkt->seqno, inpkt->len, 0, sa, sl) < 0 && !sockwouldblock(sockerrno)) {
563 if(sockmsgsize(sockerrno)) {
564 if(n->maxmtu >= origlen)
565 n->maxmtu = origlen - 1;
566 if(n->mtu >= origlen)
567 n->mtu = origlen - 1;
569 ifdebug(TRAFFIC) logger(LOG_WARNING, "Error sending packet to %s (%s): %s", n->name, n->hostname, sockstrerror(sockerrno));
573 origpkt->len = origlen;
577 send a packet to the given vpn ip.
579 void send_packet(const node_t *n, vpn_packet_t *packet) {
584 memcpy(packet->data, mymac.x, ETH_ALEN);
585 devops.write(packet);
589 ifdebug(TRAFFIC) logger(LOG_ERR, "Sending packet of %d bytes to %s (%s)",
590 packet->len, n->name, n->hostname);
592 if(!n->status.reachable) {
593 ifdebug(TRAFFIC) logger(LOG_INFO, "Node %s (%s) is not reachable",
594 n->name, n->hostname);
598 via = (packet->priority == -1 || n->via == myself) ? n->nexthop : n->via;
601 ifdebug(TRAFFIC) logger(LOG_INFO, "Sending packet to %s via %s (%s)",
602 n->name, via->name, n->via->hostname);
604 if(packet->priority == -1 || ((myself->options | via->options) & OPTION_TCPONLY)) {
605 if(!send_tcppacket(via->connection, packet))
606 terminate_connection(via->connection, true);
608 send_udppacket(via, packet);
611 /* Broadcast a packet using the minimum spanning tree */
613 void broadcast_packet(const node_t *from, vpn_packet_t *packet) {
618 // Always give ourself a copy of the packet.
620 send_packet(myself, packet);
622 // In TunnelServer mode, do not forward broadcast packets.
623 // The MST might not be valid and create loops.
624 if(tunnelserver || broadcast_mode == BMODE_NONE)
627 ifdebug(TRAFFIC) logger(LOG_INFO, "Broadcasting packet of %d bytes from %s (%s)",
628 packet->len, from->name, from->hostname);
630 switch(broadcast_mode) {
631 // In MST mode, broadcast packets travel via the Minimum Spanning Tree.
632 // This guarantees all nodes receive the broadcast packet, and
633 // usually distributes the sending of broadcast packets over all nodes.
635 for(node = connection_tree->head; node; node = node->next) {
638 if(c->status.active && c->status.mst && c != from->nexthop->connection)
639 send_packet(c->node, packet);
643 // In direct mode, we send copies to each node we know of.
644 // However, this only reaches nodes that can be reached in a single hop.
645 // We don't have enough information to forward broadcast packets in this case.
650 for(node = node_udp_tree->head; node; node = node->next) {
653 if(n->status.reachable && n != myself && ((n->via == myself && n->nexthop == n) || n->via == n))
654 send_packet(n, packet);
663 static node_t *try_harder(const sockaddr_t *from, const vpn_packet_t *pkt) {
667 static time_t last_hard_try = 0;
669 for(node = edge_weight_tree->head; node; node = node->next) {
675 if(last_hard_try == now && sockaddrcmp_noport(from, &e->address))
678 if(!try_mac(e->to, pkt))
689 void handle_incoming_vpn_data(int sock) {
693 socklen_t fromlen = sizeof(from);
696 pkt.len = recvfrom(listen_socket[sock].udp, (char *) &pkt.seqno, MAXSIZE, 0, &from.sa, &fromlen);
699 if(!sockwouldblock(sockerrno))
700 logger(LOG_ERR, "Receiving packet failed: %s", sockstrerror(sockerrno));
704 sockaddrunmap(&from); /* Some braindead IPv6 implementations do stupid things. */
706 n = lookup_node_udp(&from);
709 n = try_harder(&from, &pkt);
711 update_node_udp(n, &from);
712 else ifdebug(PROTOCOL) {
713 hostname = sockaddr2hostname(&from);
714 logger(LOG_WARNING, "Received UDP packet from unknown source %s", hostname);
724 receive_udppacket(n, &pkt);