/*
net_packet.c -- Handles in- and outgoing VPN packets
- Copyright (C) 1998-2003 Ivo Timmermans <ivo@o2w.nl>,
- 2000-2003 Guus Sliepen <guus@sliepen.eu.org>
+ Copyright (C) 1998-2005 Ivo Timmermans,
+ 2000-2009 Guus Sliepen <guus@tinc-vpn.org>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
- $Id: net_packet.c,v 1.1.2.49 2003/12/27 16:32:52 guus Exp $
+ $Id$
*/
#include "system.h"
#include <openssl/hmac.h>
#include <zlib.h>
-#include <lzo1x.h>
+#include LZO1X_H
#include "avl_tree.h"
#include "conf.h"
int keylifetime = 0;
int keyexpires = 0;
-bool strictsource = true;
EVP_CIPHER_CTX packet_ctx;
static char lzo_wrkmem[LZO1X_999_MEM_COMPRESS > LZO1X_1_MEM_COMPRESS ? LZO1X_999_MEM_COMPRESS : LZO1X_1_MEM_COMPRESS];
memset(packet.data, 0, 14);
RAND_pseudo_bytes(packet.data + 14, len - 14);
packet.len = len;
+ packet.priority = 0;
ifdebug(TRAFFIC) logger(LOG_INFO, _("Sending MTU probe length %d to %s (%s)"), len, n->name, n->hostname);
send_udppacket(n, &packet);
}
- n->mtuevent = xmalloc(sizeof(*n->mtuevent));
+ n->mtuevent = new_event();
n->mtuevent->handler = (event_handler_t)send_mtu_probe;
n->mtuevent->data = n;
n->mtuevent->time = now + 1;
route(n, packet);
}
-static bool authenticate_udppacket(node_t *n, vpn_packet_t *inpkt) {
- char hmac[EVP_MAX_MD_SIZE];
+static bool try_mac(const node_t *n, const vpn_packet_t *inpkt)
+{
+ unsigned char hmac[EVP_MAX_MD_SIZE];
- if(inpkt->len < sizeof(inpkt->seqno) + (myself->digest ? myself->maclength : 0))
+ if(!n->indigest || !n->inmaclength || !n->inkey || inpkt->len < sizeof inpkt->seqno + n->inmaclength)
return false;
- /* Check the message authentication code */
-
- if(myself->digest && myself->maclength) {
- HMAC(myself->digest, myself->key, myself->keylength,
- (char *) &inpkt->seqno, inpkt->len - myself->maclength, hmac, NULL);
+ HMAC(n->indigest, n->inkey, n->inkeylength, (unsigned char *) &inpkt->seqno, inpkt->len - n->inmaclength, (unsigned char *)hmac, NULL);
- if(memcmp(hmac, (char *) &inpkt->seqno + inpkt->len - myself->maclength, myself->maclength))
- return false;
- }
-
- return true;
+ return !memcmp(hmac, (char *) &inpkt->seqno + inpkt->len - n->inmaclength, n->inmaclength);
}
static void receive_udppacket(node_t *n, vpn_packet_t *inpkt)
int nextpkt = 0;
vpn_packet_t *outpkt = pkt[0];
int outlen, outpad;
+ unsigned char hmac[EVP_MAX_MD_SIZE];
int i;
cp();
- if(!authenticate_udppacket(n, inpkt)) {
- ifdebug(TRAFFIC) logger(LOG_DEBUG, _("Got unauthenticated packet from %s (%s)"),
- n->name, n->hostname);
+ if(!n->inkey) {
+ ifdebug(TRAFFIC) logger(LOG_DEBUG, _("Got packet from %s (%s) but he hasn't got our key yet"),
+ n->name, n->hostname);
return;
}
- inpkt->len -= myself->digest ? myself->maclength : 0;
+ /* Check packet length */
+
+ if(inpkt->len < sizeof(inpkt->seqno) + n->inmaclength) {
+ ifdebug(TRAFFIC) logger(LOG_DEBUG, _("Got too short packet from %s (%s)"),
+ n->name, n->hostname);
+ return;
+ }
+
+ /* Check the message authentication code */
+
+ if(n->indigest && n->inmaclength) {
+ inpkt->len -= n->inmaclength;
+ HMAC(n->indigest, n->inkey, n->inkeylength,
+ (unsigned char *) &inpkt->seqno, inpkt->len, (unsigned char *)hmac, NULL);
+
+ if(memcmp(hmac, (char *) &inpkt->seqno + inpkt->len, n->inmaclength)) {
+ ifdebug(TRAFFIC) logger(LOG_DEBUG, _("Got unauthenticated packet from %s (%s)"),
+ n->name, n->hostname);
+ return;
+ }
+ }
/* Decrypt the packet */
- if(myself->cipher) {
+ if(n->incipher) {
outpkt = pkt[nextpkt++];
- if(!EVP_DecryptInit_ex(&packet_ctx, NULL, NULL, NULL, NULL)
- || !EVP_DecryptUpdate(&packet_ctx, (char *) &outpkt->seqno, &outlen,
- (char *) &inpkt->seqno, inpkt->len)
- || !EVP_DecryptFinal_ex(&packet_ctx, (char *) &outpkt->seqno + outlen, &outpad)) {
+ if(!EVP_DecryptInit_ex(&n->inctx, NULL, NULL, NULL, NULL)
+ || !EVP_DecryptUpdate(&n->inctx, (unsigned char *) &outpkt->seqno, &outlen,
+ (unsigned char *) &inpkt->seqno, inpkt->len)
+ || !EVP_DecryptFinal_ex(&n->inctx, (unsigned char *) &outpkt->seqno + outlen, &outpad)) {
ifdebug(TRAFFIC) logger(LOG_DEBUG, _("Error decrypting packet from %s (%s): %s"),
n->name, n->hostname, ERR_error_string(ERR_get_error(), NULL));
return;
memset(n->late, 0, sizeof(n->late));
} else if (inpkt->seqno <= n->received_seqno) {
- if(inpkt->seqno <= n->received_seqno - sizeof(n->late) * 8 || !(n->late[(inpkt->seqno / 8) % sizeof(n->late)] & (1 << inpkt->seqno % 8))) {
+ if((n->received_seqno >= sizeof(n->late) * 8 && inpkt->seqno <= n->received_seqno - sizeof(n->late) * 8) || !(n->late[(inpkt->seqno / 8) % sizeof(n->late)] & (1 << inpkt->seqno % 8))) {
logger(LOG_WARNING, _("Got late or replayed packet from %s (%s), seqno %d, last received %d"),
n->name, n->hostname, inpkt->seqno, n->received_seqno);
- } else
- for(i = n->received_seqno + 1; i < inpkt->seqno; i++)
- n->late[(inpkt->seqno / 8) % sizeof(n->late)] |= 1 << i % 8;
+ return;
+ }
+ } else {
+ for(i = n->received_seqno + 1; i < inpkt->seqno; i++)
+ n->late[(i / 8) % sizeof(n->late)] |= 1 << i % 8;
}
}
- n->received_seqno = inpkt->seqno;
- n->late[(n->received_seqno / 8) % sizeof(n->late)] &= ~(1 << n->received_seqno % 8);
+ n->late[(inpkt->seqno / 8) % sizeof(n->late)] &= ~(1 << inpkt->seqno % 8);
+
+ if(inpkt->seqno > n->received_seqno)
+ n->received_seqno = inpkt->seqno;
if(n->received_seqno > MAX_SEQNO)
keyexpires = 0;
/* Decompress the packet */
- if(myself->compression) {
+ if(n->incompression) {
outpkt = pkt[nextpkt++];
- if((outpkt->len = uncompress_packet(outpkt->data, inpkt->data, inpkt->len, myself->compression)) < 0) {
+ if((outpkt->len = uncompress_packet(outpkt->data, inpkt->data, inpkt->len, n->incompression)) < 0) {
ifdebug(TRAFFIC) logger(LOG_ERR, _("Error while uncompressing packet from %s (%s)"),
n->name, n->hostname);
return;
inpkt = outpkt;
}
+ inpkt->priority = 0;
+
if(n->connection)
n->connection->last_ping_time = now;
cp();
outpkt.len = len;
+ if(c->options & OPTION_TCPONLY)
+ outpkt.priority = 0;
+ else
+ outpkt.priority = -1;
memcpy(outpkt.data, buffer, len);
receive_packet(c->node, &outpkt);
}
-static void send_udppacket(node_t *n, vpn_packet_t *inpkt)
+static void send_udppacket(node_t *n, vpn_packet_t *origpkt)
{
vpn_packet_t pkt1, pkt2;
vpn_packet_t *pkt[] = { &pkt1, &pkt2, &pkt1, &pkt2 };
+ vpn_packet_t *inpkt = origpkt;
int nextpkt = 0;
vpn_packet_t *outpkt;
int origlen;
int outlen, outpad;
- vpn_packet_t *copy;
static int priority = 0;
int origpriority;
int sock;
if(!n->status.validkey) {
ifdebug(TRAFFIC) logger(LOG_INFO,
- _("No valid key known yet for %s (%s), queueing packet"),
+ _("No valid key known yet for %s (%s), forwarding via TCP"),
n->name, n->hostname);
- /* Since packet is on the stack of handle_tap_input(), we have to make a copy of it first. */
+ if(!n->status.waitingforkey)
+ send_req_key(n);
- *(copy = xmalloc(sizeof(*copy))) = *inpkt;
+ n->status.waitingforkey = true;
- list_insert_tail(n->queue, copy);
+ send_tcppacket(n->nexthop->connection, origpkt);
- if(n->queue->count > MAXQUEUELENGTH)
- list_delete_head(n->queue);
+ return;
+ }
- if(!n->status.waitingforkey)
- send_req_key(n->nexthop->connection, myself, n);
+ if(!n->minmtu && (inpkt->data[12] | inpkt->data[13])) {
+ ifdebug(TRAFFIC) logger(LOG_INFO,
+ _("No minimum MTU established yet for %s (%s), forwarding via TCP"),
+ n->name, n->hostname);
- n->status.waitingforkey = true;
+ send_tcppacket(n->nexthop->connection, origpkt);
return;
}
/* Compress the packet */
- if(n->compression) {
+ if(n->outcompression) {
outpkt = pkt[nextpkt++];
- if((outpkt->len = compress_packet(outpkt->data, inpkt->data, inpkt->len, n->compression)) < 0) {
+ if((outpkt->len = compress_packet(outpkt->data, inpkt->data, inpkt->len, n->outcompression)) < 0) {
ifdebug(TRAFFIC) logger(LOG_ERR, _("Error while compressing packet to %s (%s)"),
n->name, n->hostname);
return;
/* Encrypt the packet */
- if(n->cipher) {
+ if(n->outcipher) {
outpkt = pkt[nextpkt++];
- if(!EVP_EncryptInit_ex(&n->packet_ctx, NULL, NULL, NULL, NULL)
- || !EVP_EncryptUpdate(&n->packet_ctx, (char *) &outpkt->seqno, &outlen,
- (char *) &inpkt->seqno, inpkt->len)
- || !EVP_EncryptFinal_ex(&n->packet_ctx, (char *) &outpkt->seqno + outlen, &outpad)) {
+ if(!EVP_EncryptInit_ex(&n->outctx, NULL, NULL, NULL, NULL)
+ || !EVP_EncryptUpdate(&n->outctx, (unsigned char *) &outpkt->seqno, &outlen,
+ (unsigned char *) &inpkt->seqno, inpkt->len)
+ || !EVP_EncryptFinal_ex(&n->outctx, (unsigned char *) &outpkt->seqno + outlen, &outpad)) {
ifdebug(TRAFFIC) logger(LOG_ERR, _("Error while encrypting packet to %s (%s): %s"),
n->name, n->hostname, ERR_error_string(ERR_get_error(), NULL));
goto end;
/* Add the message authentication code */
- if(n->digest && n->maclength) {
- HMAC(n->digest, n->key, n->keylength, (char *) &inpkt->seqno,
- inpkt->len, (char *) &inpkt->seqno + inpkt->len, &outlen);
- inpkt->len += n->maclength;
+ if(n->outdigest && n->outmaclength) {
+ HMAC(n->outdigest, n->outkey, n->outkeylength, (unsigned char *) &inpkt->seqno,
+ inpkt->len, (unsigned char *) &inpkt->seqno + inpkt->len, NULL);
+ inpkt->len += n->outmaclength;
}
/* Determine which socket we have to use */
}
end:
- inpkt->len = origlen;
+ origpkt->len = origlen;
}
/*
return;
}
- via = (n->via == myself) ? n->nexthop : n->via;
+ via = (packet->priority == -1 || n->via == myself) ? n->nexthop : n->via;
if(via != n)
- ifdebug(TRAFFIC) logger(LOG_ERR, _("Sending packet to %s via %s (%s)"),
+ ifdebug(TRAFFIC) logger(LOG_INFO, _("Sending packet to %s via %s (%s)"),
n->name, via->name, n->via->hostname);
- if((myself->options | via->options) & OPTION_TCPONLY) {
+ if(packet->priority == -1 || ((myself->options | via->options) & OPTION_TCPONLY)) {
if(!send_tcppacket(via->connection, packet))
terminate_connection(via->connection, true);
} else
ifdebug(TRAFFIC) logger(LOG_INFO, _("Broadcasting packet of %d bytes from %s (%s)"),
packet->len, from->name, from->hostname);
+ if(from != myself)
+ send_packet(myself, packet);
+
for(node = connection_tree->head; node; node = node->next) {
c = node->data;
}
}
-void flush_queue(node_t *n)
-{
- list_node_t *node, *next;
+static node_t *try_harder(const sockaddr_t *from, const vpn_packet_t *pkt) {
+ avl_node_t *node;
+ edge_t *e;
+ node_t *n = NULL;
- cp();
+ for(node = edge_weight_tree->head; node; node = node->next) {
+ e = node->data;
+
+ if(sockaddrcmp_noport(from, &e->address))
+ continue;
+
+ if(!n)
+ n = e->to;
- ifdebug(TRAFFIC) logger(LOG_INFO, _("Flushing queue for %s (%s)"), n->name, n->hostname);
+ if(!try_mac(e->to, pkt))
+ continue;
- for(node = n->queue->head; node; node = next) {
- next = node->next;
- send_udppacket(n, node->data);
- list_delete_node(n->queue, node);
+ n = e->to;
+ break;
}
+
+ return n;
}
void handle_incoming_vpn_data(int sock)
sockaddr_t from;
socklen_t fromlen = sizeof(from);
node_t *n;
- static time_t lasttime = 0;
cp();
n = lookup_node_udp(&from);
- if(!n && !strictsource && myself->digest && myself->maclength && lasttime != now) {
- avl_node_t *node;
-
- lasttime = now;
-
- for(node = node_tree->head; node; node = node->next) {
- n = node->data;
-
- if(authenticate_udppacket(n, &pkt)) {
- update_node_address(n, &from);
- logger(LOG_DEBUG, _("Updated address of node %s to %s"), n->name, n->hostname);
- break;
- }
- }
- }
-
if(!n) {
- hostname = sockaddr2hostname(&from);
- logger(LOG_WARNING, _("Received UDP packet from unknown source %s"), hostname);
- free(hostname);
- return;
+ n = try_harder(&from, &pkt);
+ if(n)
+ update_node_udp(n, &from);
+ else {
+ hostname = sockaddr2hostname(&from);
+ logger(LOG_WARNING, _("Received UDP packet from unknown source %s"), hostname);
+ free(hostname);
+ return;
+ }
}
receive_udppacket(n, &pkt);