2 net_packet.c -- Handles in- and outgoing VPN packets
3 Copyright (C) 1998-2005 Ivo Timmermans,
4 2000-2012 Guus Sliepen <guus@tinc-vpn.org>
5 2010 Timothy Redaelli <timothy@redaelli.eu>
6 2010 Brandon Black <blblack@gmail.com>
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 2 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License along
19 with this program; if not, write to the Free Software Foundation, Inc.,
20 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
25 #include <openssl/rand.h>
26 #include <openssl/err.h>
27 #include <openssl/evp.h>
28 #include <openssl/pem.h>
29 #include <openssl/hmac.h>
39 #include "splay_tree.h"
42 #include "connection.h"
59 static char lzo_wrkmem[LZO1X_999_MEM_COMPRESS > LZO1X_1_MEM_COMPRESS ? LZO1X_999_MEM_COMPRESS : LZO1X_1_MEM_COMPRESS];
62 static void send_udppacket(node_t *, vpn_packet_t *);
64 unsigned replaywin = 16;
65 bool localdiscovery = false;
67 #define MAX_SEQNO 1073741824
69 /* mtuprobes == 1..30: initial discovery, send bursts with 1 second interval
70 mtuprobes == 31: sleep pinginterval seconds
71 mtuprobes == 32: send 1 burst, sleep pingtimeout second
72 mtuprobes == 33: no response from other side, restart PMTU discovery process
74 Probes are sent in batches of three, with random sizes between the lower and
75 upper boundaries for the MTU thus far discovered.
77 In case local discovery is enabled, a fourth packet is added to each batch,
78 which will be broadcast to the local network.
81 static void send_mtu_probe_handler(int fd, short events, void *data) {
89 if(!n->status.reachable || !n->status.validkey) {
90 logger(DEBUG_TRAFFIC, LOG_INFO, "Trying to send MTU probe to unreachable or rekeying node %s (%s)", n->name, n->hostname);
95 if(n->mtuprobes > 32) {
98 timeout = pinginterval;
102 logger(DEBUG_TRAFFIC, LOG_INFO, "%s (%s) did not respond to UDP ping, restarting PMTU discovery", n->name, n->hostname);
108 if(n->mtuprobes >= 10 && n->mtuprobes < 32 && !n->minmtu) {
109 logger(DEBUG_TRAFFIC, LOG_INFO, "No response to MTU probes from %s (%s)", n->name, n->hostname);
113 if(n->mtuprobes == 30 || (n->mtuprobes < 30 && n->minmtu >= n->maxmtu)) {
114 if(n->minmtu > n->maxmtu)
115 n->minmtu = n->maxmtu;
117 n->maxmtu = n->minmtu;
119 logger(DEBUG_TRAFFIC, LOG_INFO, "Fixing MTU of %s (%s) to %d after %d probes", n->name, n->hostname, n->mtu, n->mtuprobes);
123 if(n->mtuprobes == 31) {
124 timeout = pinginterval;
126 } else if(n->mtuprobes == 32) {
127 timeout = pingtimeout;
130 for(i = 0; i < 3 + localdiscovery; i++) {
131 if(n->maxmtu <= n->minmtu)
134 len = n->minmtu + 1 + rand() % (n->maxmtu - n->minmtu);
139 memset(packet.data, 0, 14);
140 randomize(packet.data + 14, len - 14);
142 if(i >= 3 && n->mtuprobes <= 10)
143 packet.priority = -1;
147 logger(DEBUG_TRAFFIC, LOG_INFO, "Sending MTU probe length %d to %s (%s)", len, n->name, n->hostname);
149 send_udppacket(n, &packet);
153 event_add(&n->mtuevent, &(struct timeval){timeout, 0});
156 void send_mtu_probe(node_t *n) {
157 if(!timeout_initialized(&n->mtuevent))
158 timeout_set(&n->mtuevent, send_mtu_probe_handler, n);
159 send_mtu_probe_handler(0, 0, n);
162 static void mtu_probe_h(node_t *n, vpn_packet_t *packet, length_t len) {
163 logger(DEBUG_TRAFFIC, LOG_INFO, "Got MTU probe length %d from %s (%s)", packet->len, n->name, n->hostname);
165 if(!packet->data[0]) {
167 send_udppacket(n, packet);
169 if(n->mtuprobes > 30) {
183 static length_t compress_packet(uint8_t *dest, const uint8_t *source, length_t len, int level) {
185 memcpy(dest, source, len);
187 } else if(level == 10) {
189 lzo_uint lzolen = MAXSIZE;
190 lzo1x_1_compress(source, len, dest, &lzolen, lzo_wrkmem);
195 } else if(level < 10) {
197 unsigned long destlen = MAXSIZE;
198 if(compress2(dest, &destlen, source, len, level) == Z_OK)
205 lzo_uint lzolen = MAXSIZE;
206 lzo1x_999_compress(source, len, dest, &lzolen, lzo_wrkmem);
216 static length_t uncompress_packet(uint8_t *dest, const uint8_t *source, length_t len, int level) {
218 memcpy(dest, source, len);
220 } else if(level > 9) {
222 lzo_uint lzolen = MAXSIZE;
223 if(lzo1x_decompress_safe(source, len, dest, &lzolen, NULL) == LZO_E_OK)
231 unsigned long destlen = MAXSIZE;
232 if(uncompress(dest, &destlen, source, len) == Z_OK)
244 static void receive_packet(node_t *n, vpn_packet_t *packet) {
245 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Received packet of %d bytes from %s (%s)",
246 packet->len, n->name, n->hostname);
249 n->in_bytes += packet->len;
254 static bool try_mac(node_t *n, const vpn_packet_t *inpkt) {
256 return sptps_verify_datagram(&n->sptps, (char *)&inpkt->seqno, inpkt->len);
258 if(!digest_active(&n->indigest) || inpkt->len < sizeof inpkt->seqno + digest_length(&n->indigest))
261 return digest_verify(&n->indigest, &inpkt->seqno, inpkt->len - n->indigest.maclength, (const char *)&inpkt->seqno + inpkt->len - n->indigest.maclength);
264 static void receive_udppacket(node_t *n, vpn_packet_t *inpkt) {
265 vpn_packet_t pkt1, pkt2;
266 vpn_packet_t *pkt[] = { &pkt1, &pkt2, &pkt1, &pkt2 };
268 vpn_packet_t *outpkt = pkt[0];
271 if(n->status.sptps) {
272 sptps_receive_data(&n->sptps, (char *)&inpkt->seqno, inpkt->len);
276 if(!cipher_active(&n->incipher)) {
277 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got packet from %s (%s) but he hasn't got our key yet",
278 n->name, n->hostname);
282 /* Check packet length */
284 if(inpkt->len < sizeof inpkt->seqno + digest_length(&n->indigest)) {
285 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got too short packet from %s (%s)",
286 n->name, n->hostname);
290 /* Check the message authentication code */
292 if(digest_active(&n->indigest)) {
293 inpkt->len -= n->indigest.maclength;
294 if(!digest_verify(&n->indigest, &inpkt->seqno, inpkt->len, (const char *)&inpkt->seqno + inpkt->len)) {
295 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got unauthenticated packet from %s (%s)", n->name, n->hostname);
299 /* Decrypt the packet */
301 if(cipher_active(&n->incipher)) {
302 outpkt = pkt[nextpkt++];
305 if(!cipher_decrypt(&n->incipher, &inpkt->seqno, inpkt->len, &outpkt->seqno, &outlen, true)) {
306 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Error decrypting packet from %s (%s)", n->name, n->hostname);
310 outpkt->len = outlen;
314 /* Check the sequence number */
316 inpkt->len -= sizeof inpkt->seqno;
317 inpkt->seqno = ntohl(inpkt->seqno);
320 if(inpkt->seqno != n->received_seqno + 1) {
321 if(inpkt->seqno >= n->received_seqno + replaywin * 8) {
322 if(n->farfuture++ < replaywin >> 2) {
323 logger(DEBUG_ALWAYS, LOG_WARNING, "Packet from %s (%s) is %d seqs in the future, dropped (%u)",
324 n->name, n->hostname, inpkt->seqno - n->received_seqno - 1, n->farfuture);
327 logger(DEBUG_ALWAYS, LOG_WARNING, "Lost %d packets from %s (%s)",
328 inpkt->seqno - n->received_seqno - 1, n->name, n->hostname);
329 memset(n->late, 0, replaywin);
330 } else if (inpkt->seqno <= n->received_seqno) {
331 if((n->received_seqno >= replaywin * 8 && inpkt->seqno <= n->received_seqno - replaywin * 8) || !(n->late[(inpkt->seqno / 8) % replaywin] & (1 << inpkt->seqno % 8))) {
332 logger(DEBUG_ALWAYS, LOG_WARNING, "Got late or replayed packet from %s (%s), seqno %d, last received %d",
333 n->name, n->hostname, inpkt->seqno, n->received_seqno);
337 for(int i = n->received_seqno + 1; i < inpkt->seqno; i++)
338 n->late[(i / 8) % replaywin] |= 1 << i % 8;
343 n->late[(inpkt->seqno / 8) % replaywin] &= ~(1 << inpkt->seqno % 8);
346 if(inpkt->seqno > n->received_seqno)
347 n->received_seqno = inpkt->seqno;
349 if(n->received_seqno > MAX_SEQNO)
352 /* Decompress the packet */
354 length_t origlen = inpkt->len;
356 if(n->incompression) {
357 outpkt = pkt[nextpkt++];
359 if((outpkt->len = uncompress_packet(outpkt->data, inpkt->data, inpkt->len, n->incompression)) < 0) {
360 logger(DEBUG_TRAFFIC, LOG_ERR, "Error while uncompressing packet from %s (%s)",
361 n->name, n->hostname);
367 origlen -= MTU/64 + 20;
372 if(!inpkt->data[12] && !inpkt->data[13])
373 mtu_probe_h(n, inpkt, origlen);
375 receive_packet(n, inpkt);
378 void receive_tcppacket(connection_t *c, const char *buffer, int len) {
382 if(c->options & OPTION_TCPONLY)
385 outpkt.priority = -1;
386 memcpy(outpkt.data, buffer, len);
388 receive_packet(c->node, &outpkt);
391 static void send_sptps_packet(node_t *n, vpn_packet_t *origpkt) {
392 if(n->status.sptps) {
396 if(!(origpkt->data[12] | origpkt->data[13])) {
397 sptps_send_record(&n->sptps, PKT_PROBE, (char *)origpkt->data, origpkt->len);
401 if(routing_mode == RMODE_ROUTER)
406 if(origpkt->len < offset)
411 if(n->outcompression) {
412 int len = compress_packet(outpkt.data + offset, origpkt->data + offset, origpkt->len - offset, n->outcompression);
414 logger(DEBUG_TRAFFIC, LOG_ERR, "Error while compressing packet to %s (%s)", n->name, n->hostname);
415 } else if(len < origpkt->len - offset) {
416 outpkt.len = len + offset;
418 type |= PKT_COMPRESSED;
422 sptps_send_record(&n->sptps, type, (char *)origpkt->data + offset, origpkt->len - offset);
427 static void send_udppacket(node_t *n, vpn_packet_t *origpkt) {
428 vpn_packet_t pkt1, pkt2;
429 vpn_packet_t *pkt[] = { &pkt1, &pkt2, &pkt1, &pkt2 };
430 vpn_packet_t *inpkt = origpkt;
432 vpn_packet_t *outpkt;
433 int origlen = origpkt->len;
435 #if defined(SOL_IP) && defined(IP_TOS)
436 static int priority = 0;
438 int origpriority = origpkt->priority;
440 if(!n->status.reachable) {
441 logger(DEBUG_TRAFFIC, LOG_INFO, "Trying to send UDP packet to unreachable node %s (%s)", n->name, n->hostname);
446 return send_sptps_packet(n, origpkt);
448 /* Make sure we have a valid key */
450 if(!n->status.validkey) {
451 time_t now = time(NULL);
453 logger(DEBUG_TRAFFIC, LOG_INFO,
454 "No valid key known yet for %s (%s), forwarding via TCP",
455 n->name, n->hostname);
457 if(n->last_req_key + 10 <= now) {
459 n->last_req_key = now;
462 send_tcppacket(n->nexthop->connection, origpkt);
467 if(n->options & OPTION_PMTU_DISCOVERY && inpkt->len > n->minmtu && (inpkt->data[12] | inpkt->data[13])) {
468 logger(DEBUG_TRAFFIC, LOG_INFO,
469 "Packet for %s (%s) larger than minimum MTU, forwarding via %s",
470 n->name, n->hostname, n != n->nexthop ? n->nexthop->name : "TCP");
473 send_packet(n->nexthop, origpkt);
475 send_tcppacket(n->nexthop->connection, origpkt);
480 /* Compress the packet */
482 if(n->outcompression) {
483 outpkt = pkt[nextpkt++];
485 if((outpkt->len = compress_packet(outpkt->data, inpkt->data, inpkt->len, n->outcompression)) < 0) {
486 logger(DEBUG_TRAFFIC, LOG_ERR, "Error while compressing packet to %s (%s)",
487 n->name, n->hostname);
494 /* Add sequence number */
496 inpkt->seqno = htonl(++(n->sent_seqno));
497 inpkt->len += sizeof inpkt->seqno;
499 /* Encrypt the packet */
501 if(cipher_active(&n->outcipher)) {
502 outpkt = pkt[nextpkt++];
505 if(!cipher_encrypt(&n->outcipher, &inpkt->seqno, inpkt->len, &outpkt->seqno, &outlen, true)) {
506 logger(DEBUG_TRAFFIC, LOG_ERR, "Error while encrypting packet to %s (%s)", n->name, n->hostname);
510 outpkt->len = outlen;
514 /* Add the message authentication code */
516 if(digest_active(&n->outdigest)) {
517 digest_create(&n->outdigest, &inpkt->seqno, inpkt->len, (char *)&inpkt->seqno + inpkt->len);
518 inpkt->len += digest_length(&n->outdigest);
521 /* Determine which socket we have to use */
523 if(n->address.sa.sa_family != listen_socket[n->sock].sa.sa.sa_family) {
524 for(int sock = 0; sock < listen_sockets; sock++) {
525 if(n->address.sa.sa_family == listen_socket[sock].sa.sa.sa_family) {
532 /* Send the packet */
538 /* Overloaded use of priority field: -1 means local broadcast */
540 if(origpriority == -1 && n->prevedge) {
541 struct sockaddr_in in;
542 in.sin_family = AF_INET;
543 in.sin_addr.s_addr = -1;
544 in.sin_port = n->prevedge->address.in.sin_port;
545 sa = (struct sockaddr *)∈
549 if(origpriority == -1)
552 sa = &(n->address.sa);
553 sl = SALEN(n->address.sa);
557 #if defined(SOL_IP) && defined(IP_TOS)
558 if(priorityinheritance && origpriority != priority
559 && listen_socket[n->sock].sa.sa.sa_family == AF_INET) {
560 priority = origpriority;
561 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Setting outgoing packet priority to %d", priority);
562 if(setsockopt(listen_socket[n->sock].udp, SOL_IP, IP_TOS, &priority, sizeof(priority))) /* SO_PRIORITY doesn't seem to work */
563 logger(DEBUG_ALWAYS, LOG_ERR, "System call `%s' failed: %s", "setsockopt", strerror(errno));
567 if(sendto(listen_socket[sock].udp, (char *) &inpkt->seqno, inpkt->len, 0, sa, sl) < 0 && !sockwouldblock(sockerrno)) {
568 if(sockmsgsize(sockerrno)) {
569 if(n->maxmtu >= origlen)
570 n->maxmtu = origlen - 1;
571 if(n->mtu >= origlen)
572 n->mtu = origlen - 1;
574 logger(DEBUG_TRAFFIC, LOG_WARNING, "Error sending packet to %s (%s): %s", n->name, n->hostname, sockstrerror(sockerrno));
578 origpkt->len = origlen;
581 bool send_sptps_data(void *handle, uint8_t type, const char *data, size_t len) {
584 if(type >= SPTPS_HANDSHAKE || ((myself->options | to->options) & OPTION_TCPONLY)) {
585 char buf[len * 4 / 3 + 5];
586 b64encode(data, buf, len);
587 if(!to->status.validkey)
588 return send_request(to->nexthop->connection, "%d %s %s %s -1 -1 -1 %d", ANS_KEY, myself->name, to->name, buf, myself->incompression);
590 return send_request(to->nexthop->connection, "%d %s %s %d %s", REQ_KEY, myself->name, to->name, REQ_SPTPS, buf);
593 /* Send the packet */
599 sa = &(to->address.sa);
600 sl = SALEN(to->address.sa);
603 if(sendto(listen_socket[sock].udp, data, len, 0, sa, sl) < 0 && !sockwouldblock(sockerrno)) {
604 if(sockmsgsize(sockerrno)) {
605 if(to->maxmtu >= len)
606 to->maxmtu = len - 1;
610 logger(DEBUG_TRAFFIC, LOG_WARNING, "Error sending UDP SPTPS packet to %s (%s): %s", to->name, to->hostname, sockstrerror(sockerrno));
618 bool receive_sptps_record(void *handle, uint8_t type, const char *data, uint16_t len) {
619 node_t *from = handle;
621 if(type == SPTPS_HANDSHAKE) {
622 from->status.validkey = true;
623 logger(DEBUG_META, LOG_INFO, "SPTPS key exchange with %s (%s) succesful", from->name, from->hostname);
628 logger(DEBUG_ALWAYS, LOG_ERR, "Packet from %s (%s) larger than maximum supported size (%d > %d)", from->name, from->hostname, len, MTU);
634 if(type == PKT_PROBE) {
636 memcpy(inpkt.data, data, len);
637 mtu_probe_h(from, &inpkt, len);
641 if(type & ~(PKT_COMPRESSED | PKT_MAC)) {
642 logger(DEBUG_ALWAYS, LOG_ERR, "Unexpected SPTPS record type %d len %d from %s (%s)", type, len, from->name, from->hostname);
646 /* Check if we have the headers we need */
647 if(routing_mode != RMODE_ROUTER && !(type & PKT_MAC)) {
648 logger(DEBUG_TRAFFIC, LOG_ERR, "Received packet from %s (%s) without MAC header (maybe Mode is not set correctly)", from->name, from->hostname);
650 } else if(routing_mode == RMODE_ROUTER && (type & PKT_MAC)) {
651 logger(DEBUG_TRAFFIC, LOG_WARNING, "Received packet from %s (%s) with MAC header (maybe Mode is not set correctly)", from->name, from->hostname);
654 int offset = (type & PKT_MAC) ? 0 : 14;
655 if(type & PKT_COMPRESSED) {
656 len = uncompress_packet(inpkt.data + offset, (const uint8_t *)data, len, from->incompression);
660 inpkt.len = len + offset;
662 if(inpkt.len > MAXSIZE)
665 memcpy(inpkt.data + offset, data, len);
666 inpkt.len = len + offset;
669 /* Generate the Ethernet packet type if necessary */
671 switch(inpkt.data[14] >> 4) {
673 inpkt.data[12] = 0x08;
674 inpkt.data[13] = 0x00;
677 inpkt.data[12] = 0x86;
678 inpkt.data[13] = 0xDD;
681 logger(DEBUG_TRAFFIC, LOG_ERR,
682 "Unknown IP version %d while reading packet from %s (%s)",
683 inpkt.data[14] >> 4, from->name, from->hostname);
688 receive_packet(from, &inpkt);
693 send a packet to the given vpn ip.
695 void send_packet(node_t *n, vpn_packet_t *packet) {
700 memcpy(packet->data, mymac.x, ETH_ALEN);
702 n->out_bytes += packet->len;
703 devops.write(packet);
707 logger(DEBUG_TRAFFIC, LOG_ERR, "Sending packet of %d bytes to %s (%s)",
708 packet->len, n->name, n->hostname);
710 if(!n->status.reachable) {
711 logger(DEBUG_TRAFFIC, LOG_INFO, "Node %s (%s) is not reachable",
712 n->name, n->hostname);
717 n->out_bytes += packet->len;
719 if(n->status.sptps) {
720 send_sptps_packet(n, packet);
724 via = (packet->priority == -1 || n->via == myself) ? n->nexthop : n->via;
727 logger(DEBUG_TRAFFIC, LOG_INFO, "Sending packet to %s via %s (%s)",
728 n->name, via->name, n->via->hostname);
730 if(packet->priority == -1 || ((myself->options | via->options) & OPTION_TCPONLY)) {
731 if(!send_tcppacket(via->connection, packet))
732 terminate_connection(via->connection, true);
734 send_udppacket(via, packet);
737 /* Broadcast a packet using the minimum spanning tree */
739 void broadcast_packet(const node_t *from, vpn_packet_t *packet) {
744 // Always give ourself a copy of the packet.
746 send_packet(myself, packet);
748 // In TunnelServer mode, do not forward broadcast packets.
749 // The MST might not be valid and create loops.
750 if(tunnelserver || broadcast_mode == BMODE_NONE)
753 logger(DEBUG_TRAFFIC, LOG_INFO, "Broadcasting packet of %d bytes from %s (%s)",
754 packet->len, from->name, from->hostname);
756 switch(broadcast_mode) {
757 // In MST mode, broadcast packets travel via the Minimum Spanning Tree.
758 // This guarantees all nodes receive the broadcast packet, and
759 // usually distributes the sending of broadcast packets over all nodes.
761 for(node = connection_tree->head; node; node = node->next) {
764 if(c->status.active && c->status.mst && c != from->nexthop->connection)
765 send_packet(c->node, packet);
769 // In direct mode, we send copies to each node we know of.
770 // However, this only reaches nodes that can be reached in a single hop.
771 // We don't have enough information to forward broadcast packets in this case.
776 for(node = node_tree->head; node; node = node->next) {
779 if(n->status.reachable && ((n->via == myself && n->nexthop == n) || n->via == n))
780 send_packet(n, packet);
789 static node_t *try_harder(const sockaddr_t *from, const vpn_packet_t *pkt) {
794 static time_t last_hard_try = 0;
795 time_t now = time(NULL);
797 for(node = edge_weight_tree->head; node; node = node->next) {
800 if(!e->to->status.reachable || e->to == myself)
803 if(sockaddrcmp_noport(from, &e->address)) {
804 if(last_hard_try == now)
809 if(!try_mac(e->to, pkt))
823 void handle_incoming_vpn_data(int sock, short events, void *data) {
826 sockaddr_t from = {{0}};
827 socklen_t fromlen = sizeof from;
831 len = recvfrom(sock, (char *) &pkt.seqno, MAXSIZE, 0, &from.sa, &fromlen);
833 if(len <= 0 || len > MAXSIZE) {
834 if(!sockwouldblock(sockerrno))
835 logger(DEBUG_ALWAYS, LOG_ERR, "Receiving packet failed: %s", sockstrerror(sockerrno));
841 sockaddrunmap(&from); /* Some braindead IPv6 implementations do stupid things. */
843 n = lookup_node_udp(&from);
846 n = try_harder(&from, &pkt);
848 update_node_udp(n, &from);
849 else if(debug_level >= DEBUG_PROTOCOL) {
850 hostname = sockaddr2hostname(&from);
851 logger(DEBUG_PROTOCOL, LOG_WARNING, "Received UDP packet from unknown source %s", hostname);
859 n->sock = (intptr_t)data;
861 receive_udppacket(n, &pkt);
864 void handle_device_data(int sock, short events, void *data) {
869 if(devops.read(&packet)) {
870 myself->in_packets++;
871 myself->in_bytes += packet.len;
872 route(myself, &packet);
projects / meshlink / blob