2 net_packet.c -- Handles in- and outgoing VPN packets
3 Copyright (C) 1998-2002 Ivo Timmermans <ivo@o2w.nl>,
4 2000-2002 Guus Sliepen <guus@sliepen.eu.org>
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 2 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program; if not, write to the Free Software
18 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
20 $Id: net_packet.c,v 1.1.2.30 2003/05/07 11:21:58 guus Exp $
28 #include <netinet/in.h>
34 #include <sys/types.h>
37 #include <sys/ioctl.h>
38 /* SunOS really wants sys/socket.h BEFORE net/if.h,
39 and FreeBSD wants these lines below the rest. */
40 #include <arpa/inet.h>
41 #include <sys/socket.h>
43 #ifdef HAVE_NETINET_IN_SYSTM_H
44 #include <netinet/in_systm.h>
46 #ifdef HAVE_NETINET_IP_H
47 #include <netinet/ip.h>
49 #ifdef HAVE_NETINET_TCP_H
50 #include <netinet/tcp.h>
53 #include <openssl/rand.h>
54 #include <openssl/evp.h>
55 #include <openssl/pem.h>
56 #include <openssl/hmac.h>
67 #include "connection.h"
84 EVP_CIPHER_CTX packet_ctx;
85 char lzo_wrkmem[LZO1X_999_MEM_COMPRESS > LZO1X_1_MEM_COMPRESS ? LZO1X_999_MEM_COMPRESS : LZO1X_1_MEM_COMPRESS];
88 #define MAX_SEQNO 1073741824
90 length_t compress_packet(uint8_t *dest, const uint8_t *source, length_t len, int level)
93 lzo_uint lzolen = MAXSIZE;
94 lzo1x_1_compress(source, len, dest, &lzolen, lzo_wrkmem);
96 } else if(level < 10) {
97 unsigned long destlen = MAXSIZE;
98 if(compress2(dest, &destlen, source, len, level) == Z_OK)
103 lzo_uint lzolen = MAXSIZE;
104 lzo1x_999_compress(source, len, dest, &lzolen, lzo_wrkmem);
111 length_t uncompress_packet(uint8_t *dest, const uint8_t *source, length_t len, int level)
114 lzo_uint lzolen = MAXSIZE;
115 if(lzo1x_decompress_safe(source, len, dest, &lzolen, NULL) == LZO_E_OK)
120 unsigned long destlen = MAXSIZE;
121 if(uncompress(dest, &destlen, source, len) == Z_OK)
132 void receive_udppacket(node_t *n, vpn_packet_t *inpkt)
134 vpn_packet_t pkt1, pkt2;
135 vpn_packet_t *pkt[] = { &pkt1, &pkt2, &pkt1, &pkt2 };
137 vpn_packet_t *outpkt = pkt[0];
139 char hmac[EVP_MAX_MD_SIZE];
144 /* Check the message authentication code */
146 if(myself->digest && myself->maclength) {
147 inpkt->len -= myself->maclength;
148 HMAC(myself->digest, myself->key, myself->keylength,
149 (char *) &inpkt->seqno, inpkt->len, hmac, NULL);
151 if(memcmp(hmac, (char *) &inpkt->seqno + inpkt->len, myself->maclength)) {
152 if(debug_lvl >= DEBUG_TRAFFIC)
153 syslog(LOG_DEBUG, _("Got unauthenticated packet from %s (%s)"),
154 n->name, n->hostname);
159 /* Decrypt the packet */
162 outpkt = pkt[nextpkt++];
164 // EVP_DecryptInit_ex(&packet_ctx, myself->cipher, NULL, myself->key,
165 // myself->key + myself->cipher->key_len);
166 EVP_DecryptInit_ex(&packet_ctx, NULL, NULL, NULL, NULL);
167 EVP_DecryptUpdate(&packet_ctx, (char *) &outpkt->seqno, &outlen,
168 (char *) &inpkt->seqno, inpkt->len);
169 EVP_DecryptFinal_ex(&packet_ctx, (char *) &outpkt->seqno + outlen, &outpad);
171 outpkt->len = outlen + outpad;
175 /* Check the sequence number */
177 inpkt->len -= sizeof(inpkt->seqno);
178 inpkt->seqno = ntohl(inpkt->seqno);
180 if(inpkt->seqno != n->received_seqno + 1) {
181 if(inpkt->seqno >= n->received_seqno + sizeof(n->late) * 8) {
182 if(debug_lvl >= DEBUG_TRAFFIC)
183 syslog(LOG_WARNING, _("Lost %d packets from %s (%s)"),
184 inpkt->seqno - n->received_seqno - 1, n->name, n->hostname);
186 memset(n->late, 0, sizeof(n->late));
187 } else if (inpkt->seqno <= n->received_seqno) {
188 if(inpkt->seqno <= n->received_seqno - sizeof(n->late) * 8 || !(n->late[(inpkt->seqno / 8) % sizeof(n->late)] & (1 << inpkt->seqno % 8))) {
189 syslog(LOG_WARNING, _("Got late or replayed packet from %s (%s), seqno %d, last received %d"),
190 n->name, n->hostname, inpkt->seqno, n->received_seqno);
192 for(i = n->received_seqno + 1; i < inpkt->seqno; i++)
193 n->late[(inpkt->seqno / 8) % sizeof(n->late)] |= 1 << i % 8;
197 n->received_seqno = inpkt->seqno;
198 n->late[(n->received_seqno / 8) % sizeof(n->late)] &= ~(1 << n->received_seqno % 8);
200 if(n->received_seqno > MAX_SEQNO)
203 /* Decompress the packet */
205 if(myself->compression) {
206 outpkt = pkt[nextpkt++];
208 if((outpkt->len = uncompress_packet(outpkt->data, inpkt->data, inpkt->len, myself->compression)) < 0) {
209 syslog(LOG_ERR, _("Error while uncompressing packet from %s (%s)"),
210 n->name, n->hostname);
217 receive_packet(n, inpkt);
220 void receive_tcppacket(connection_t *c, char *buffer, int len)
227 memcpy(outpkt.data, buffer, len);
229 receive_packet(c->node, &outpkt);
232 void receive_packet(node_t *n, vpn_packet_t *packet)
236 if(debug_lvl >= DEBUG_TRAFFIC)
237 syslog(LOG_DEBUG, _("Received packet of %d bytes from %s (%s)"),
238 packet->len, n->name, n->hostname);
240 route_incoming(n, packet);
243 void send_udppacket(node_t *n, vpn_packet_t *inpkt)
245 vpn_packet_t pkt1, pkt2;
246 vpn_packet_t *pkt[] = { &pkt1, &pkt2, &pkt1, &pkt2 };
248 vpn_packet_t *outpkt;
252 static int priority = 0;
258 /* Make sure we have a valid key */
260 if(!n->status.validkey) {
261 if(debug_lvl >= DEBUG_TRAFFIC)
263 _("No valid key known yet for %s (%s), queueing packet"),
264 n->name, n->hostname);
266 /* Since packet is on the stack of handle_tap_input(), we have to make a copy of it first. */
268 copy = xmalloc(sizeof(vpn_packet_t));
269 memcpy(copy, inpkt, sizeof(vpn_packet_t));
271 list_insert_tail(n->queue, copy);
273 if(n->queue->count > MAXQUEUELENGTH)
274 list_delete_head(n->queue);
276 if(!n->status.waitingforkey)
277 send_req_key(n->nexthop->connection, myself, n);
279 n->status.waitingforkey = 1;
284 origlen = inpkt->len;
285 origpriority = inpkt->priority;
287 /* Compress the packet */
290 outpkt = pkt[nextpkt++];
292 if((outpkt->len = compress_packet(outpkt->data, inpkt->data, inpkt->len, n->compression)) < 0) {
293 syslog(LOG_ERR, _("Error while compressing packet to %s (%s)"),
294 n->name, n->hostname);
301 /* Add sequence number */
303 inpkt->seqno = htonl(++(n->sent_seqno));
304 inpkt->len += sizeof(inpkt->seqno);
306 /* Encrypt the packet */
309 outpkt = pkt[nextpkt++];
311 // EVP_EncryptInit_ex(&packet_ctx, n->cipher, NULL, n->key, n->key + n->cipher->key_len);
312 EVP_EncryptInit_ex(&n->packet_ctx, NULL, NULL, NULL, NULL);
313 EVP_EncryptUpdate(&n->packet_ctx, (char *) &outpkt->seqno, &outlen,
314 (char *) &inpkt->seqno, inpkt->len);
315 EVP_EncryptFinal_ex(&n->packet_ctx, (char *) &outpkt->seqno + outlen, &outpad);
317 outpkt->len = outlen + outpad;
321 /* Add the message authentication code */
323 if(n->digest && n->maclength) {
324 HMAC(n->digest, n->key, n->keylength, (char *) &inpkt->seqno,
325 inpkt->len, (char *) &inpkt->seqno + inpkt->len, &outlen);
326 inpkt->len += n->maclength;
329 /* Determine which socket we have to use */
331 for(sock = 0; sock < listen_sockets; sock++)
332 if(n->address.sa.sa_family == listen_socket[sock].sa.sa.sa_family)
335 if(sock >= listen_sockets)
336 sock = 0; /* If none is available, just use the first and hope for the best. */
338 /* Send the packet */
340 #if defined(SOL_IP) && defined(IP_TOS)
341 if(priorityinheritance && origpriority != priority
342 && listen_socket[sock].sa.sa.sa_family == AF_INET) {
343 priority = origpriority;
344 if(debug_lvl >= DEBUG_TRAFFIC)
345 syslog(LOG_DEBUG, _("Setting outgoing packet priority to %d"),
347 if(setsockopt(listen_socket[sock].udp, SOL_IP, IP_TOS, &priority, sizeof(priority))) /* SO_PRIORITY doesn't seem to work */
348 syslog(LOG_ERR, _("System call `%s' failed: %s"), "setsockopt",
353 if((sendto(listen_socket[sock].udp, (char *) &inpkt->seqno, inpkt->len, 0, &(n->address.sa), SALEN(n->address.sa))) < 0) {
354 syslog(LOG_ERR, _("Error sending packet to %s (%s): %s"), n->name,
355 n->hostname, strerror(errno));
359 inpkt->len = origlen;
363 send a packet to the given vpn ip.
365 void send_packet(node_t *n, vpn_packet_t *packet)
371 if(debug_lvl >= DEBUG_TRAFFIC)
372 syslog(LOG_ERR, _("Sending packet of %d bytes to %s (%s)"),
373 packet->len, n->name, n->hostname);
376 if(debug_lvl >= DEBUG_TRAFFIC)
377 syslog(LOG_NOTICE, _("Packet is looping back to us!"));
382 if(!n->status.reachable) {
383 if(debug_lvl >= DEBUG_TRAFFIC)
384 syslog(LOG_INFO, _("Node %s (%s) is not reachable"),
385 n->name, n->hostname);
390 via = (n->via == myself) ? n->nexthop : n->via;
392 if(via != n && debug_lvl >= DEBUG_TRAFFIC)
393 syslog(LOG_ERR, _("Sending packet to %s via %s (%s)"),
394 n->name, via->name, n->via->hostname);
396 if((myself->options | via->options) & OPTION_TCPONLY) {
397 if(send_tcppacket(via->connection, packet))
398 terminate_connection(via->connection, 1);
400 send_udppacket(via, packet);
403 /* Broadcast a packet using the minimum spanning tree */
405 void broadcast_packet(node_t *from, vpn_packet_t *packet)
412 if(debug_lvl >= DEBUG_TRAFFIC)
413 syslog(LOG_INFO, _("Broadcasting packet of %d bytes from %s (%s)"),
414 packet->len, from->name, from->hostname);
416 for(node = connection_tree->head; node; node = node->next) {
417 c = (connection_t *) node->data;
419 if(c->status.active && c->status.mst && c != from->nexthop->connection)
420 send_packet(c->node, packet);
424 void flush_queue(node_t *n)
426 list_node_t *node, *next;
430 if(debug_lvl >= DEBUG_TRAFFIC)
431 syslog(LOG_INFO, _("Flushing queue for %s (%s)"), n->name, n->hostname);
433 for(node = n->queue->head; node; node = next) {
435 send_udppacket(n, (vpn_packet_t *) node->data);
436 list_delete_node(n->queue, node);
440 void handle_incoming_vpn_data(int sock)
443 int x, l = sizeof(x);
446 socklen_t fromlen = sizeof(from);
451 if(getsockopt(sock, SOL_SOCKET, SO_ERROR, &x, &l) < 0) {
452 syslog(LOG_ERR, _("This is a bug: %s:%d: %d:%s"),
453 __FILE__, __LINE__, sock, strerror(errno));
459 syslog(LOG_ERR, _("Incoming data socket error: %s"), strerror(x));
463 pkt.len = recvfrom(sock, (char *) &pkt.seqno, MAXSIZE, 0, &from.sa, &fromlen);
466 syslog(LOG_ERR, _("Receiving packet failed: %s"), strerror(errno));
470 sockaddrunmap(&from); /* Some braindead IPv6 implementations do stupid things. */
472 n = lookup_node_udp(&from);
475 hostname = sockaddr2hostname(&from);
476 syslog(LOG_WARNING, _("Received UDP packet from unknown source %s"),
483 n->connection->last_ping_time = now;
485 receive_udppacket(n, &pkt);