2 net_packet.c -- Handles in- and outgoing VPN packets
3 Copyright (C) 1998-2002 Ivo Timmermans <itimmermans@bigfoot.com>,
4 2000-2002 Guus Sliepen <guus@sliepen.warande.net>
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 2 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program; if not, write to the Free Software
18 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
20 $Id: net_packet.c,v 1.4 2002/04/28 12:46:26 zarq Exp $
28 #include <netinet/in.h>
30 #include <netinet/ip.h>
31 #include <netinet/tcp.h>
38 #include <sys/types.h>
40 #include <sys/ioctl.h>
41 /* SunOS really wants sys/socket.h BEFORE net/if.h,
42 and FreeBSD wants these lines below the rest. */
43 #include <arpa/inet.h>
44 #include <sys/socket.h>
47 #include <openssl/rand.h>
48 #include <openssl/evp.h>
49 #include <openssl/pem.h>
50 #include <openssl/hmac.h>
52 #ifndef HAVE_RAND_PSEUDO_BYTES
53 #define RAND_pseudo_bytes RAND_bytes
64 #include "connection.h"
83 #define MAX_SEQNO 1073741824
87 void receive_udppacket(node_t *n, vpn_packet_t *inpkt)
89 vpn_packet_t pkt1, pkt2;
90 vpn_packet_t *pkt[] = {&pkt1, &pkt2, &pkt1, &pkt2};
92 vpn_packet_t *outpkt = pkt[0];
94 long int complen = MTU + 12;
98 char hmac[EVP_MAX_MD_SIZE];
105 /* Check the message authentication code */
107 if(myself->digest && myself->maclength)
109 inpkt->len -= myself->maclength;
111 HMAC(myself->digest, myself->key, myself->keylength, (char *)&inpkt->seqno, inpkt->len, hmac, NULL);
114 hmac = xmalloc(gcry_md_get_algo_dlen(0)); /* myself->digest type */
115 gcry_md_hash_buffer(0, hmac, (char *)&inpkt->seqno, inpkt->len);
118 if(memcmp(hmac, (char *)&inpkt->seqno + inpkt->len, myself->maclength))
120 if(debug_lvl >= DEBUG_TRAFFIC)
121 syslog(LOG_DEBUG, _("Got unauthenticated packet from %s (%s)"), n->name, n->hostname);
126 /* Decrypt the packet */
130 outpkt = pkt[nextpkt++];
133 EVP_DecryptInit(&ctx, myself->cipher, myself->key, myself->key + myself->cipher->key_len);
134 EVP_DecryptUpdate(&ctx, (char *)&outpkt->seqno, &outlen, (char *)&inpkt->seqno, inpkt->len);
135 EVP_DecryptFinal(&ctx, (char *)&outpkt->seqno + outlen, &outpad);
141 outpkt->len = outlen + outpad;
145 /* Check the sequence number */
147 inpkt->len -= sizeof(inpkt->seqno);
148 inpkt->seqno = ntohl(inpkt->seqno);
150 if(inpkt->seqno <= n->received_seqno)
152 if(debug_lvl >= DEBUG_TRAFFIC)
153 syslog(LOG_DEBUG, _("Got late or replayed packet from %s (%s), seqno %d"), n->name, n->hostname, inpkt->seqno);
157 n->received_seqno = inpkt->seqno;
159 if(n->received_seqno > MAX_SEQNO)
162 /* Decompress the packet */
164 if(myself->compression)
166 outpkt = pkt[nextpkt++];
168 if(uncompress(outpkt->data, &complen, inpkt->data, inpkt->len) != Z_OK)
170 syslog(LOG_ERR, _("Error while uncompressing packet from %s (%s)"), n->name, n->hostname);
174 outpkt->len = complen;
178 receive_packet(n, inpkt);
182 void receive_tcppacket(connection_t *c, char *buffer, int len)
187 memcpy(outpkt.data, buffer, len);
189 receive_packet(c->node, &outpkt);
193 void receive_packet(node_t *n, vpn_packet_t *packet)
196 if(debug_lvl >= DEBUG_TRAFFIC)
197 syslog(LOG_DEBUG, _("Received packet of %d bytes from %s (%s)"), packet->len, n->name, n->hostname);
199 route_incoming(n, packet);
203 void send_udppacket(node_t *n, vpn_packet_t *inpkt)
205 vpn_packet_t pkt1, pkt2;
206 vpn_packet_t *pkt[] = {&pkt1, &pkt2, &pkt1, &pkt2};
208 vpn_packet_t *outpkt;
211 long int complen = MTU + 12;
213 static int priority = 0;
222 /* Make sure we have a valid key */
224 if(!n->status.validkey)
226 if(debug_lvl >= DEBUG_TRAFFIC)
227 syslog(LOG_INFO, _("No valid key known yet for %s (%s), queueing packet"),
228 n->name, n->hostname);
230 /* Since packet is on the stack of handle_tap_input(),
231 we have to make a copy of it first. */
233 copy = xmalloc(sizeof(vpn_packet_t));
234 memcpy(copy, inpkt, sizeof(vpn_packet_t));
236 list_insert_tail(n->queue, copy);
238 if(n->queue->count > MAXQUEUELENGTH)
239 list_delete_head(n->queue);
241 if(!n->status.waitingforkey)
242 send_req_key(n->nexthop->connection, myself, n);
244 n->status.waitingforkey = 1;
249 origlen = inpkt->len;
250 origpriority = inpkt->priority;
252 /* Compress the packet */
256 outpkt = pkt[nextpkt++];
258 if(compress2(outpkt->data, &complen, inpkt->data, inpkt->len, n->compression) != Z_OK)
260 syslog(LOG_ERR, _("Error while compressing packet to %s (%s)"), n->name, n->hostname);
264 outpkt->len = complen;
268 /* Add sequence number */
270 inpkt->seqno = htonl(++(n->sent_seqno));
271 inpkt->len += sizeof(inpkt->seqno);
273 /* Encrypt the packet */
277 outpkt = pkt[nextpkt++];
280 EVP_EncryptInit(&ctx, n->cipher, n->key, n->key + n->cipher->key_len);
281 EVP_EncryptUpdate(&ctx, (char *)&outpkt->seqno, &outlen, (char *)&inpkt->seqno, inpkt->len);
282 EVP_EncryptFinal(&ctx, (char *)&outpkt->seqno + outlen, &outpad);
285 gcry_cipher_ctl(n->cipher, GCRYCTL_SET_IV, n->key + n->keylength, n->keylength);
286 gcry_cipher_ctl(n->cipher, GCRYCTL_SET_KEY, n->key, n->keylength);
288 gcry_cipher_encrypt(n->cipher, (char *)&outpkt->seqno, outlen, (char *)&inpkt->seqno, inpkt->len);
292 outpkt->len = outlen + outpad;
296 /* Add the message authentication code */
298 if(n->digest && n->maclength)
301 HMAC(n->digest, n->key, n->keylength, (char *)&inpkt->seqno, inpkt->len, (char *)&inpkt->seqno + inpkt->len, &outlen);
305 outlen = gcry_md_get_algo_dlen(0);
306 hmac = xmalloc(outlen); /* myself->digest type */
307 gcry_md_ctl(n->digest, GCRYCTL_SET_KEY, n->key, n->keylength);
308 gcry_md_hash_buffer(0, hmac, (char *)&inpkt->seqno, inpkt->len);
309 memcpy((char *)&inpkt->seqno, hmac, outlen);
312 inpkt->len += n->maclength;
315 /* Determine which socket we have to use */
317 for(sock = 0; sock < listen_sockets; sock++)
318 if(n->address.sa.sa_family == listen_socket[sock].sa.sa.sa_family)
321 if(sock >= listen_sockets)
322 sock = 0; /* If none is available, just use the first and hope for the best. */
324 /* Send the packet */
326 #if defined(SOL_IP) && defined(IP_TOS)
327 if(priorityinheritance && origpriority != priority && listen_socket[sock].sa.sa.sa_family == AF_INET)
329 priority = origpriority;
330 if(debug_lvl >= DEBUG_TRAFFIC)
331 syslog(LOG_DEBUG, _("Setting outgoing packet priority to %d"), priority);
332 if(setsockopt(sock, SOL_IP, IP_TOS, &priority, sizeof(priority))) /* SO_PRIORITY doesn't seem to work */
333 syslog(LOG_ERR, _("System call `%s' failed: %s"), "setsockopt", strerror(errno));
337 if((sendto(listen_socket[sock].udp, (char *)&inpkt->seqno, inpkt->len, 0, &(n->address.sa), SALEN(n->address.sa))) < 0)
339 syslog(LOG_ERR, _("Error sending packet to %s (%s): %s"),
340 n->name, n->hostname, strerror(errno));
344 inpkt->len = origlen;
349 send a packet to the given vpn ip.
351 void send_packet(node_t *n, vpn_packet_t *packet)
355 if(debug_lvl >= DEBUG_TRAFFIC)
356 syslog(LOG_ERR, _("Sending packet of %d bytes to %s (%s)"),
357 packet->len, n->name, n->hostname);
361 if(debug_lvl >= DEBUG_TRAFFIC)
363 syslog(LOG_NOTICE, _("Packet is looping back to us!"));
369 if(!n->status.reachable)
371 if(debug_lvl >= DEBUG_TRAFFIC)
372 syslog(LOG_INFO, _("Node %s (%s) is not reachable"),
373 n->name, n->hostname);
377 via = (n->via == myself)?n->nexthop:n->via;
379 if(via != n && debug_lvl >= DEBUG_TRAFFIC)
380 syslog(LOG_ERR, _("Sending packet to %s via %s (%s)"),
381 n->name, via->name, n->via->hostname);
383 if((myself->options | via->options) & OPTION_TCPONLY)
385 if(send_tcppacket(via->connection, packet))
386 terminate_connection(via->connection, 1);
389 send_udppacket(via, packet);
392 /* Broadcast a packet using the minimum spanning tree */
394 void broadcast_packet(node_t *from, vpn_packet_t *packet)
399 if(debug_lvl >= DEBUG_TRAFFIC)
400 syslog(LOG_INFO, _("Broadcasting packet of %d bytes from %s (%s)"),
401 packet->len, from->name, from->hostname);
403 for(node = connection_tree->head; node; node = node->next)
405 c = (connection_t *)node->data;
406 if(c->status.active && c->status.mst && c != from->nexthop->connection)
407 send_packet(c->node, packet);
412 void flush_queue(node_t *n)
414 list_node_t *node, *next;
416 if(debug_lvl >= DEBUG_TRAFFIC)
417 syslog(LOG_INFO, _("Flushing queue for %s (%s)"), n->name, n->hostname);
419 for(node = n->queue->head; node; node = next)
422 send_udppacket(n, (vpn_packet_t *)node->data);
423 list_delete_node(n->queue, node);
428 void handle_incoming_vpn_data(int sock)
431 int x, l = sizeof(x);
434 socklen_t fromlen = sizeof(from);
437 if(getsockopt(sock, SOL_SOCKET, SO_ERROR, &x, &l) < 0)
439 syslog(LOG_ERR, _("This is a bug: %s:%d: %d:%s"),
440 __FILE__, __LINE__, sock, strerror(errno));
446 syslog(LOG_ERR, _("Incoming data socket error: %s"), strerror(x));
450 if((pkt.len = recvfrom(sock, (char *)&pkt.seqno, MAXSIZE, 0, &from.sa, &fromlen)) <= 0)
452 syslog(LOG_ERR, _("Receiving packet failed: %s"), strerror(errno));
456 sockaddrunmap(&from); /* Some braindead IPv6 implementations do stupid things. */
458 n = lookup_node_udp(&from);
462 hostname = sockaddr2hostname(&from);
463 syslog(LOG_WARNING, _("Received UDP packet from unknown source %s"), hostname);
469 n->connection->last_ping_time = now;
471 receive_udppacket(n, &pkt);