2 net_packet.c -- Handles in- and outgoing VPN packets
3 Copyright (C) 1998-2005 Ivo Timmermans,
4 2000-2012 Guus Sliepen <guus@tinc-vpn.org>
5 2010 Timothy Redaelli <timothy@redaelli.eu>
6 2010 Brandon Black <blblack@gmail.com>
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 2 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License along
19 with this program; if not, write to the Free Software Foundation, Inc.,
20 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
25 #include <openssl/rand.h>
26 #include <openssl/err.h>
27 #include <openssl/evp.h>
28 #include <openssl/pem.h>
29 #include <openssl/hmac.h>
39 #include "splay_tree.h"
42 #include "connection.h"
59 static char lzo_wrkmem[LZO1X_999_MEM_COMPRESS > LZO1X_1_MEM_COMPRESS ? LZO1X_999_MEM_COMPRESS : LZO1X_1_MEM_COMPRESS];
62 static void send_udppacket(node_t *, vpn_packet_t *);
64 unsigned replaywin = 16;
65 bool localdiscovery = false;
67 #define MAX_SEQNO 1073741824
69 /* mtuprobes == 1..30: initial discovery, send bursts with 1 second interval
70 mtuprobes == 31: sleep pinginterval seconds
71 mtuprobes == 32: send 1 burst, sleep pingtimeout second
72 mtuprobes == 33: no response from other side, restart PMTU discovery process
74 Probes are sent in batches of three, with random sizes between the lower and
75 upper boundaries for the MTU thus far discovered.
77 In case local discovery is enabled, a fourth packet is added to each batch,
78 which will be broadcast to the local network.
81 static void send_mtu_probe_handler(int fd, short events, void *data) {
89 if(!n->status.reachable || !n->status.validkey) {
90 logger(DEBUG_TRAFFIC, LOG_INFO, "Trying to send MTU probe to unreachable or rekeying node %s (%s)", n->name, n->hostname);
95 if(n->mtuprobes > 32) {
98 timeout = pinginterval;
102 logger(DEBUG_TRAFFIC, LOG_INFO, "%s (%s) did not respond to UDP ping, restarting PMTU discovery", n->name, n->hostname);
108 if(n->mtuprobes >= 10 && n->mtuprobes < 32 && !n->minmtu) {
109 logger(DEBUG_TRAFFIC, LOG_INFO, "No response to MTU probes from %s (%s)", n->name, n->hostname);
113 if(n->mtuprobes == 30 || (n->mtuprobes < 30 && n->minmtu >= n->maxmtu)) {
114 if(n->minmtu > n->maxmtu)
115 n->minmtu = n->maxmtu;
117 n->maxmtu = n->minmtu;
119 logger(DEBUG_TRAFFIC, LOG_INFO, "Fixing MTU of %s (%s) to %d after %d probes", n->name, n->hostname, n->mtu, n->mtuprobes);
123 if(n->mtuprobes == 31) {
124 timeout = pinginterval;
126 } else if(n->mtuprobes == 32) {
127 timeout = pingtimeout;
130 for(i = 0; i < 3 + localdiscovery; i++) {
131 if(n->maxmtu <= n->minmtu)
134 len = n->minmtu + 1 + rand() % (n->maxmtu - n->minmtu);
139 memset(packet.data, 0, 14);
140 randomize(packet.data + 14, len - 14);
142 if(i >= 3 && n->mtuprobes <= 10)
143 packet.priority = -1;
147 logger(DEBUG_TRAFFIC, LOG_INFO, "Sending MTU probe length %d to %s (%s)", len, n->name, n->hostname);
149 send_udppacket(n, &packet);
153 event_add(&n->mtuevent, &(struct timeval){timeout, 0});
156 void send_mtu_probe(node_t *n) {
157 if(!timeout_initialized(&n->mtuevent))
158 timeout_set(&n->mtuevent, send_mtu_probe_handler, n);
159 send_mtu_probe_handler(0, 0, n);
162 static void mtu_probe_h(node_t *n, vpn_packet_t *packet, length_t len) {
163 logger(DEBUG_TRAFFIC, LOG_INFO, "Got MTU probe length %d from %s (%s)", packet->len, n->name, n->hostname);
165 if(!packet->data[0]) {
167 send_udppacket(n, packet);
169 if(n->mtuprobes > 30) {
183 static length_t compress_packet(uint8_t *dest, const uint8_t *source, length_t len, int level) {
185 memcpy(dest, source, len);
187 } else if(level == 10) {
189 lzo_uint lzolen = MAXSIZE;
190 lzo1x_1_compress(source, len, dest, &lzolen, lzo_wrkmem);
195 } else if(level < 10) {
197 unsigned long destlen = MAXSIZE;
198 if(compress2(dest, &destlen, source, len, level) == Z_OK)
205 lzo_uint lzolen = MAXSIZE;
206 lzo1x_999_compress(source, len, dest, &lzolen, lzo_wrkmem);
216 static length_t uncompress_packet(uint8_t *dest, const uint8_t *source, length_t len, int level) {
218 memcpy(dest, source, len);
220 } else if(level > 9) {
222 lzo_uint lzolen = MAXSIZE;
223 if(lzo1x_decompress_safe(source, len, dest, &lzolen, NULL) == LZO_E_OK)
231 unsigned long destlen = MAXSIZE;
232 if(uncompress(dest, &destlen, source, len) == Z_OK)
244 static void receive_packet(node_t *n, vpn_packet_t *packet) {
245 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Received packet of %d bytes from %s (%s)",
246 packet->len, n->name, n->hostname);
249 n->in_bytes += packet->len;
254 static bool try_mac(node_t *n, const vpn_packet_t *inpkt) {
255 if(!digest_active(&n->indigest) || inpkt->len < sizeof inpkt->seqno + digest_length(&n->indigest))
258 return digest_verify(&n->indigest, &inpkt->seqno, inpkt->len - n->indigest.maclength, (const char *)&inpkt->seqno + inpkt->len - n->indigest.maclength);
261 static void receive_udppacket(node_t *n, vpn_packet_t *inpkt) {
262 vpn_packet_t pkt1, pkt2;
263 vpn_packet_t *pkt[] = { &pkt1, &pkt2, &pkt1, &pkt2 };
265 vpn_packet_t *outpkt = pkt[0];
268 if(!cipher_active(&n->incipher)) {
269 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got packet from %s (%s) but he hasn't got our key yet",
270 n->name, n->hostname);
274 /* Check packet length */
276 if(inpkt->len < sizeof inpkt->seqno + digest_length(&n->indigest)) {
277 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got too short packet from %s (%s)",
278 n->name, n->hostname);
282 /* Check the message authentication code */
284 if(digest_active(&n->indigest)) {
285 inpkt->len -= n->indigest.maclength;
286 if(!digest_verify(&n->indigest, &inpkt->seqno, inpkt->len, (const char *)&inpkt->seqno + inpkt->len)) {
287 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got unauthenticated packet from %s (%s)", n->name, n->hostname);
291 /* Decrypt the packet */
293 if(cipher_active(&n->incipher)) {
294 outpkt = pkt[nextpkt++];
297 if(!cipher_decrypt(&n->incipher, &inpkt->seqno, inpkt->len, &outpkt->seqno, &outlen, true)) {
298 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Error decrypting packet from %s (%s)", n->name, n->hostname);
302 outpkt->len = outlen;
306 /* Check the sequence number */
308 inpkt->len -= sizeof inpkt->seqno;
309 inpkt->seqno = ntohl(inpkt->seqno);
312 if(inpkt->seqno != n->received_seqno + 1) {
313 if(inpkt->seqno >= n->received_seqno + replaywin * 8) {
314 if(n->farfuture++ < replaywin >> 2) {
315 logger(DEBUG_ALWAYS, LOG_WARNING, "Packet from %s (%s) is %d seqs in the future, dropped (%u)",
316 n->name, n->hostname, inpkt->seqno - n->received_seqno - 1, n->farfuture);
319 logger(DEBUG_ALWAYS, LOG_WARNING, "Lost %d packets from %s (%s)",
320 inpkt->seqno - n->received_seqno - 1, n->name, n->hostname);
321 memset(n->late, 0, replaywin);
322 } else if (inpkt->seqno <= n->received_seqno) {
323 if((n->received_seqno >= replaywin * 8 && inpkt->seqno <= n->received_seqno - replaywin * 8) || !(n->late[(inpkt->seqno / 8) % replaywin] & (1 << inpkt->seqno % 8))) {
324 logger(DEBUG_ALWAYS, LOG_WARNING, "Got late or replayed packet from %s (%s), seqno %d, last received %d",
325 n->name, n->hostname, inpkt->seqno, n->received_seqno);
329 for(int i = n->received_seqno + 1; i < inpkt->seqno; i++)
330 n->late[(i / 8) % replaywin] |= 1 << i % 8;
335 n->late[(inpkt->seqno / 8) % replaywin] &= ~(1 << inpkt->seqno % 8);
338 if(inpkt->seqno > n->received_seqno)
339 n->received_seqno = inpkt->seqno;
341 if(n->received_seqno > MAX_SEQNO)
344 /* Decompress the packet */
346 length_t origlen = inpkt->len;
348 if(n->incompression) {
349 outpkt = pkt[nextpkt++];
351 if((outpkt->len = uncompress_packet(outpkt->data, inpkt->data, inpkt->len, n->incompression)) < 0) {
352 logger(DEBUG_TRAFFIC, LOG_ERR, "Error while uncompressing packet from %s (%s)",
353 n->name, n->hostname);
359 origlen -= MTU/64 + 20;
364 if(!inpkt->data[12] && !inpkt->data[13])
365 mtu_probe_h(n, inpkt, origlen);
367 receive_packet(n, inpkt);
370 void receive_tcppacket(connection_t *c, const char *buffer, int len) {
374 if(c->options & OPTION_TCPONLY)
377 outpkt.priority = -1;
378 memcpy(outpkt.data, buffer, len);
380 receive_packet(c->node, &outpkt);
383 static void send_udppacket(node_t *n, vpn_packet_t *origpkt) {
384 vpn_packet_t pkt1, pkt2;
385 vpn_packet_t *pkt[] = { &pkt1, &pkt2, &pkt1, &pkt2 };
386 vpn_packet_t *inpkt = origpkt;
388 vpn_packet_t *outpkt;
389 int origlen = origpkt->len;
391 #if defined(SOL_IP) && defined(IP_TOS)
392 static int priority = 0;
393 int origpriority = origpkt->priority;
396 if(!n->status.reachable) {
397 logger(DEBUG_TRAFFIC, LOG_INFO, "Trying to send UDP packet to unreachable node %s (%s)", n->name, n->hostname);
401 /* Make sure we have a valid key */
403 if(!n->status.validkey) {
404 time_t now = time(NULL);
406 logger(DEBUG_TRAFFIC, LOG_INFO,
407 "No valid key known yet for %s (%s), forwarding via TCP",
408 n->name, n->hostname);
410 if(n->last_req_key + 10 <= now) {
412 n->last_req_key = now;
415 send_tcppacket(n->nexthop->connection, origpkt);
420 if(n->options & OPTION_PMTU_DISCOVERY && inpkt->len > n->minmtu && (inpkt->data[12] | inpkt->data[13])) {
421 logger(DEBUG_TRAFFIC, LOG_INFO,
422 "Packet for %s (%s) larger than minimum MTU, forwarding via %s",
423 n->name, n->hostname, n != n->nexthop ? n->nexthop->name : "TCP");
426 send_packet(n->nexthop, origpkt);
428 send_tcppacket(n->nexthop->connection, origpkt);
433 /* Compress the packet */
435 if(n->outcompression) {
436 outpkt = pkt[nextpkt++];
438 if((outpkt->len = compress_packet(outpkt->data, inpkt->data, inpkt->len, n->outcompression)) < 0) {
439 logger(DEBUG_TRAFFIC, LOG_ERR, "Error while compressing packet to %s (%s)",
440 n->name, n->hostname);
447 /* Add sequence number */
449 inpkt->seqno = htonl(++(n->sent_seqno));
450 inpkt->len += sizeof inpkt->seqno;
452 /* Encrypt the packet */
454 if(cipher_active(&n->outcipher)) {
455 outpkt = pkt[nextpkt++];
458 if(!cipher_encrypt(&n->outcipher, &inpkt->seqno, inpkt->len, &outpkt->seqno, &outlen, true)) {
459 logger(DEBUG_TRAFFIC, LOG_ERR, "Error while encrypting packet to %s (%s)", n->name, n->hostname);
463 outpkt->len = outlen;
467 /* Add the message authentication code */
469 if(digest_active(&n->outdigest)) {
470 digest_create(&n->outdigest, &inpkt->seqno, inpkt->len, (char *)&inpkt->seqno + inpkt->len);
471 inpkt->len += digest_length(&n->outdigest);
474 /* Determine which socket we have to use */
476 if(n->address.sa.sa_family != listen_socket[n->sock].sa.sa.sa_family) {
477 for(int sock = 0; sock < listen_sockets; sock++) {
478 if(n->address.sa.sa_family == listen_socket[sock].sa.sa.sa_family) {
485 /* Send the packet */
491 /* Overloaded use of priority field: -1 means local broadcast */
493 if(origpriority == -1 && n->prevedge) {
494 struct sockaddr_in in;
495 in.sin_family = AF_INET;
496 in.sin_addr.s_addr = -1;
497 in.sin_port = n->prevedge->address.in.sin_port;
498 sa = (struct sockaddr *)∈
502 if(origpriority == -1)
505 sa = &(n->address.sa);
506 sl = SALEN(n->address.sa);
510 #if defined(SOL_IP) && defined(IP_TOS)
511 if(priorityinheritance && origpriority != priority
512 && listen_socket[n->sock].sa.sa.sa_family == AF_INET) {
513 priority = origpriority;
514 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Setting outgoing packet priority to %d", priority);
515 if(setsockopt(listen_socket[n->sock].udp, SOL_IP, IP_TOS, &priority, sizeof(priority))) /* SO_PRIORITY doesn't seem to work */
516 logger(DEBUG_ALWAYS, LOG_ERR, "System call `%s' failed: %s", "setsockopt", strerror(errno));
520 if(sendto(listen_socket[sock].udp, (char *) &inpkt->seqno, inpkt->len, 0, sa, sl) < 0 && !sockwouldblock(sockerrno)) {
521 if(sockmsgsize(sockerrno)) {
522 if(n->maxmtu >= origlen)
523 n->maxmtu = origlen - 1;
524 if(n->mtu >= origlen)
525 n->mtu = origlen - 1;
527 logger(DEBUG_TRAFFIC, LOG_WARNING, "Error sending packet to %s (%s): %s", n->name, n->hostname, sockstrerror(sockerrno));
531 origpkt->len = origlen;
535 send a packet to the given vpn ip.
537 void send_packet(node_t *n, vpn_packet_t *packet) {
542 memcpy(packet->data, mymac.x, ETH_ALEN);
544 n->out_bytes += packet->len;
545 devops.write(packet);
549 logger(DEBUG_TRAFFIC, LOG_ERR, "Sending packet of %d bytes to %s (%s)",
550 packet->len, n->name, n->hostname);
552 if(!n->status.reachable) {
553 logger(DEBUG_TRAFFIC, LOG_INFO, "Node %s (%s) is not reachable",
554 n->name, n->hostname);
559 n->out_bytes += packet->len;
561 via = (packet->priority == -1 || n->via == myself) ? n->nexthop : n->via;
564 logger(DEBUG_TRAFFIC, LOG_INFO, "Sending packet to %s via %s (%s)",
565 n->name, via->name, n->via->hostname);
567 if(packet->priority == -1 || ((myself->options | via->options) & OPTION_TCPONLY)) {
568 if(!send_tcppacket(via->connection, packet))
569 terminate_connection(via->connection, true);
571 send_udppacket(via, packet);
574 /* Broadcast a packet using the minimum spanning tree */
576 void broadcast_packet(const node_t *from, vpn_packet_t *packet) {
581 // Always give ourself a copy of the packet.
583 send_packet(myself, packet);
585 // In TunnelServer mode, do not forward broadcast packets.
586 // The MST might not be valid and create loops.
587 if(tunnelserver || broadcast_mode == BMODE_NONE)
590 logger(DEBUG_TRAFFIC, LOG_INFO, "Broadcasting packet of %d bytes from %s (%s)",
591 packet->len, from->name, from->hostname);
593 switch(broadcast_mode) {
594 // In MST mode, broadcast packets travel via the Minimum Spanning Tree.
595 // This guarantees all nodes receive the broadcast packet, and
596 // usually distributes the sending of broadcast packets over all nodes.
598 for(node = connection_tree->head; node; node = node->next) {
601 if(c->status.active && c->status.mst && c != from->nexthop->connection)
602 send_packet(c->node, packet);
606 // In direct mode, we send copies to each node we know of.
607 // However, this only reaches nodes that can be reached in a single hop.
608 // We don't have enough information to forward broadcast packets in this case.
613 for(node = node_udp_tree->head; node; node = node->next) {
616 if(n->status.reachable && ((n->via == myself && n->nexthop == n) || n->via == n))
617 send_packet(n, packet);
626 static node_t *try_harder(const sockaddr_t *from, const vpn_packet_t *pkt) {
631 static time_t last_hard_try = 0;
632 time_t now = time(NULL);
634 for(node = edge_weight_tree->head; node; node = node->next) {
640 if(sockaddrcmp_noport(from, &e->address)) {
641 if(last_hard_try == now)
646 if(!try_mac(e->to, pkt))
660 void handle_incoming_vpn_data(int sock, short events, void *data) {
664 socklen_t fromlen = sizeof from;
668 len = recvfrom(sock, (char *) &pkt.seqno, MAXSIZE, 0, &from.sa, &fromlen);
670 if(len <= 0 || len > MAXSIZE) {
671 if(!sockwouldblock(sockerrno))
672 logger(DEBUG_ALWAYS, LOG_ERR, "Receiving packet failed: %s", sockstrerror(sockerrno));
678 sockaddrunmap(&from); /* Some braindead IPv6 implementations do stupid things. */
680 n = lookup_node_udp(&from);
683 n = try_harder(&from, &pkt);
685 update_node_udp(n, &from);
686 else if(debug_level >= DEBUG_PROTOCOL) {
687 hostname = sockaddr2hostname(&from);
688 logger(DEBUG_PROTOCOL, LOG_WARNING, "Received UDP packet from unknown source %s", hostname);
696 n->sock = (intptr_t)data;
698 receive_udppacket(n, &pkt);
701 void handle_device_data(int sock, short events, void *data) {
706 if(devops.read(&packet)) {
707 myself->in_packets++;
708 myself->in_bytes += packet.len;
709 route(myself, &packet);
projects / meshlink / blob