/*
net_packet.c -- Handles in- and outgoing VPN packets
- Copyright (C) 1998-2005 Ivo Timmermans,
- 2000-2012 Guus Sliepen <guus@tinc-vpn.org>
- 2010 Timothy Redaelli <timothy@redaelli.eu>
- 2010 Brandon Black <blblack@gmail.com>
+ Copyright (C) 2014 Guus Sliepen <guus@meshlink.io>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
#include "system.h"
-#include <openssl/rand.h>
-#include <openssl/err.h>
-#include <openssl/evp.h>
-#include <openssl/pem.h>
-#include <openssl/hmac.h>
-
#ifdef HAVE_ZLIB
#include <zlib.h>
#endif
-#ifdef HAVE_LZO
-#include LZO1X_H
-#endif
-
#include "cipher.h"
#include "conf.h"
#include "connection.h"
#include "crypto.h"
#include "digest.h"
-#include "device.h"
-#include "ethernet.h"
#include "graph.h"
#include "logger.h"
#include "net.h"
#include "netutl.h"
#include "protocol.h"
-#include "process.h"
#include "route.h"
#include "utils.h"
#include "xalloc.h"
int keylifetime = 0;
-#ifdef HAVE_LZO
-static char lzo_wrkmem[LZO1X_999_MEM_COMPRESS > LZO1X_1_MEM_COMPRESS ? LZO1X_999_MEM_COMPRESS : LZO1X_1_MEM_COMPRESS];
-#endif
static void send_udppacket(node_t *, vpn_packet_t *);
unsigned replaywin = 16;
bool localdiscovery = false;
+sockaddr_t localdiscovery_address;
#define MAX_SEQNO 1073741824
mtuprobes == 32: send 1 burst, sleep pingtimeout second
mtuprobes == 33: no response from other side, restart PMTU discovery process
- Probes are sent in batches of three, with random sizes between the lower and
- upper boundaries for the MTU thus far discovered.
+ Probes are sent in batches of at least three, with random sizes between the
+ lower and upper boundaries for the MTU thus far discovered.
+
+ After the initial discovery, a fourth packet is added to each batch with a
+ size larger than the currently known PMTU, to test if the PMTU has increased.
- In case local discovery is enabled, a fourth packet is added to each batch,
+ In case local discovery is enabled, another packet is added to each batch,
which will be broadcast to the local network.
+
*/
static void send_mtu_probe_handler(void *data) {
timeout = pingtimeout;
}
- for(int i = 0; i < 3 + localdiscovery; i++) {
+ for(int i = 0; i < 4 + localdiscovery; i++) {
int len;
- if(n->maxmtu <= n->minmtu)
+ if(i == 0) {
+ if(n->mtuprobes < 30 || n->maxmtu + 8 >= MTU)
+ continue;
+ len = n->maxmtu + 8;
+ } else if(n->maxmtu <= n->minmtu) {
len = n->maxmtu;
- else
+ } else {
len = n->minmtu + 1 + rand() % (n->maxmtu - n->minmtu);
+ }
if(len < 64)
len = 64;
memset(packet.data, 0, 14);
randomize(packet.data + 14, len - 14);
packet.len = len;
- if(i >= 3 && n->mtuprobes <= 10)
- packet.priority = -1;
- else
- packet.priority = 0;
+ packet.priority = 0;
+ n->status.broadcast = i >= 4 && n->mtuprobes <= 10 && n->prevedge;
logger(DEBUG_TRAFFIC, LOG_INFO, "Sending MTU probe length %d to %s (%s)", len, n->name, n->hostname);
send_udppacket(n, &packet);
}
+ n->status.broadcast = false;
n->probe_counter = 0;
gettimeofday(&n->probe_time, NULL);
/* If we haven't established the PMTU yet, restart the discovery process. */
if(n->mtuprobes > 30) {
+ if (len == n->maxmtu + 8) {
+ logger(DEBUG_TRAFFIC, LOG_INFO, "Increase in PMTU to %s (%s) detected, restarting PMTU discovery", n->name, n->hostname);
+ n->maxmtu = MTU;
+ n->mtuprobes = 10;
+ return;
+ }
+
if(n->minmtu)
n->mtuprobes = 30;
else
struct timeval now, diff;
gettimeofday(&now, NULL);
timersub(&now, &n->probe_time, &diff);
+
n->probe_counter++;
if(n->probe_counter == 1) {
memcpy(dest, source, len);
return len;
} else if(level == 10) {
-#ifdef HAVE_LZO
- lzo_uint lzolen = MAXSIZE;
- lzo1x_1_compress(source, len, dest, &lzolen, lzo_wrkmem);
- return lzolen;
-#else
return -1;
-#endif
} else if(level < 10) {
#ifdef HAVE_ZLIB
unsigned long destlen = MAXSIZE;
#endif
return -1;
} else {
-#ifdef HAVE_LZO
- lzo_uint lzolen = MAXSIZE;
- lzo1x_999_compress(source, len, dest, &lzolen, lzo_wrkmem);
- return lzolen;
-#else
return -1;
-#endif
}
return -1;
memcpy(dest, source, len);
return len;
} else if(level > 9) {
-#ifdef HAVE_LZO
- lzo_uint lzolen = MAXSIZE;
- if(lzo1x_decompress_safe(source, len, dest, &lzolen, NULL) == LZO_E_OK)
- return lzolen;
- else
-#endif
return -1;
}
#ifdef HAVE_ZLIB
if(n->status.sptps)
return sptps_verify_datagram(&n->sptps, (char *)&inpkt->seqno, inpkt->len);
- if(!digest_active(&n->indigest) || inpkt->len < sizeof inpkt->seqno + digest_length(&n->indigest))
+ if(!digest_active(n->indigest) || inpkt->len < sizeof inpkt->seqno + digest_length(n->indigest))
return false;
- return digest_verify(&n->indigest, &inpkt->seqno, inpkt->len - n->indigest.maclength, (const char *)&inpkt->seqno + inpkt->len - n->indigest.maclength);
+ return digest_verify(n->indigest, &inpkt->seqno, inpkt->len - digest_length(n->indigest), (const char *)&inpkt->seqno + inpkt->len - digest_length(n->indigest));
}
static void receive_udppacket(node_t *n, vpn_packet_t *inpkt) {
size_t outlen;
if(n->status.sptps) {
+ if(!n->sptps.state) {
+ if(!n->status.waitingforkey) {
+ logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got packet from %s (%s) but we haven't exchanged keys yet", n->name, n->hostname);
+ send_req_key(n);
+ } else {
+ logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got packet from %s (%s) but he hasn't got our key yet", n->name, n->hostname);
+ }
+ return;
+ }
sptps_receive_data(&n->sptps, (char *)&inpkt->seqno, inpkt->len);
return;
}
- if(!cipher_active(&n->incipher)) {
- logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got packet from %s (%s) but he hasn't got our key yet",
- n->name, n->hostname);
+ if(!cipher_active(n->incipher)) {
+ logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got packet from %s (%s) but he hasn't got our key yet", n->name, n->hostname);
return;
}
/* Check packet length */
- if(inpkt->len < sizeof inpkt->seqno + digest_length(&n->indigest)) {
+ if(inpkt->len < sizeof inpkt->seqno + digest_length(n->indigest)) {
logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got too short packet from %s (%s)",
n->name, n->hostname);
return;
/* Check the message authentication code */
- if(digest_active(&n->indigest)) {
- inpkt->len -= n->indigest.maclength;
- if(!digest_verify(&n->indigest, &inpkt->seqno, inpkt->len, (const char *)&inpkt->seqno + inpkt->len)) {
+ if(digest_active(n->indigest)) {
+ inpkt->len -= digest_length(n->indigest);
+ if(!digest_verify(n->indigest, &inpkt->seqno, inpkt->len, (const char *)&inpkt->seqno + inpkt->len)) {
logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got unauthenticated packet from %s (%s)", n->name, n->hostname);
return;
}
}
/* Decrypt the packet */
- if(cipher_active(&n->incipher)) {
+ if(cipher_active(n->incipher)) {
outpkt = pkt[nextpkt++];
outlen = MAXSIZE;
- if(!cipher_decrypt(&n->incipher, &inpkt->seqno, inpkt->len, &outpkt->seqno, &outlen, true)) {
+ if(!cipher_decrypt(n->incipher, &inpkt->seqno, inpkt->len, &outpkt->seqno, &outlen, true)) {
logger(DEBUG_TRAFFIC, LOG_DEBUG, "Error decrypting packet from %s (%s)", n->name, n->hostname);
return;
}
if(replaywin) {
if(inpkt->seqno != n->received_seqno + 1) {
if(inpkt->seqno >= n->received_seqno + replaywin * 8) {
- if(n->farfuture++ < replaywin >> 2) {
- logger(DEBUG_ALWAYS, LOG_WARNING, "Packet from %s (%s) is %d seqs in the future, dropped (%u)",
- n->name, n->hostname, inpkt->seqno - n->received_seqno - 1, n->farfuture);
- return;
- }
logger(DEBUG_ALWAYS, LOG_WARNING, "Lost %d packets from %s (%s)",
inpkt->seqno - n->received_seqno - 1, n->name, n->hostname);
memset(n->late, 0, replaywin);
}
}
- n->farfuture = 0;
n->late[(inpkt->seqno / 8) % replaywin] &= ~(1 << inpkt->seqno % 8);
}
void receive_tcppacket(connection_t *c, const char *buffer, int len) {
vpn_packet_t outpkt;
+ if(len > sizeof outpkt.data)
+ return;
+
outpkt.len = len;
if(c->options & OPTION_TCPONLY)
outpkt.priority = 0;
logger(DEBUG_TRAFFIC, LOG_INFO, "No valid key known yet for %s (%s)", n->name, n->hostname);
if(!n->status.waitingforkey)
send_req_key(n);
- else if(n->last_req_key + 10 < time(NULL)) {
+ else if(n->last_req_key + 10 < now.tv_sec) {
logger(DEBUG_ALWAYS, LOG_DEBUG, "No key from %s after 10 seconds, restarting SPTPS", n->name);
sptps_stop(&n->sptps);
n->status.waitingforkey = false;
*sock = rand() % listen_sockets;
if(listen_socket[*sock].sa.sa.sa_family == AF_INET6) {
- broadcast_ipv6.in6.sin6_port = n->prevedge->address.in.sin_port;
- broadcast_ipv6.in6.sin6_scope_id = listen_socket[*sock].sa.in6.sin6_scope_id;
- *sa = &broadcast_ipv6;
+ if(localdiscovery_address.sa.sa_family == AF_INET6) {
+ localdiscovery_address.in6.sin6_port = n->prevedge->address.in.sin_port;
+ *sa = &localdiscovery_address;
+ } else {
+ broadcast_ipv6.in6.sin6_port = n->prevedge->address.in.sin_port;
+ broadcast_ipv6.in6.sin6_scope_id = listen_socket[*sock].sa.in6.sin6_scope_id;
+ *sa = &broadcast_ipv6;
+ }
} else {
- broadcast_ipv4.in.sin_port = n->prevedge->address.in.sin_port;
- *sa = &broadcast_ipv4;
+ if(localdiscovery_address.sa.sa_family == AF_INET) {
+ localdiscovery_address.in.sin_port = n->prevedge->address.in.sin_port;
+ *sa = &localdiscovery_address;
+ } else {
+ broadcast_ipv4.in.sin_port = n->prevedge->address.in.sin_port;
+ *sa = &broadcast_ipv4;
+ }
}
}
/* Encrypt the packet */
- if(cipher_active(&n->outcipher)) {
+ if(cipher_active(n->outcipher)) {
outpkt = pkt[nextpkt++];
outlen = MAXSIZE;
- if(!cipher_encrypt(&n->outcipher, &inpkt->seqno, inpkt->len, &outpkt->seqno, &outlen, true)) {
+ if(!cipher_encrypt(n->outcipher, &inpkt->seqno, inpkt->len, &outpkt->seqno, &outlen, true)) {
logger(DEBUG_TRAFFIC, LOG_ERR, "Error while encrypting packet to %s (%s)", n->name, n->hostname);
goto end;
}
/* Add the message authentication code */
- if(digest_active(&n->outdigest)) {
- digest_create(&n->outdigest, &inpkt->seqno, inpkt->len, (char *)&inpkt->seqno + inpkt->len);
- inpkt->len += digest_length(&n->outdigest);
+ if(digest_active(n->outdigest)) {
+ if(!digest_create(n->outdigest, &inpkt->seqno, inpkt->len, (char *)&inpkt->seqno + inpkt->len)) {
+ logger(DEBUG_TRAFFIC, LOG_ERR, "Error while encrypting packet to %s (%s)", n->name, n->hostname);
+ goto end;
+ }
+
+ inpkt->len += digest_length(n->outdigest);
}
/* Send the packet */
const sockaddr_t *sa;
int sock;
- /* Overloaded use of priority field: -1 means local broadcast */
-
- if(origpriority == -1 && n->prevedge)
+ if(n->status.broadcast)
choose_broadcast_address(n, &sa, &sock);
else
choose_udp_address(n, &sa, &sock);
b64encode(data, buf, len);
/* If no valid key is known yet, send the packets using ANS_KEY requests,
to ensure we get to learn the reflexive UDP address. */
- if(!to->status.validkey)
- return send_request(to->nexthop->connection, "%d %s %s %s -1 -1 -1 %d", ANS_KEY, myself->name, to->name, buf, myself->incompression);
- else
+ if(!to->status.validkey) {
+ to->incompression = myself->incompression;
+ return send_request(to->nexthop->connection, "%d %s %s %s -1 -1 -1 %d", ANS_KEY, myself->name, to->name, buf, to->incompression);
+ } else {
return send_request(to->nexthop->connection, "%d %s %s %d %s", REQ_KEY, myself->name, to->name, REQ_SPTPS, buf);
+ }
}
/* Otherwise, send the packet via UDP */
const sockaddr_t *sa;
int sock;
- choose_udp_address(to, &sa, &sock);
+ if(to->status.broadcast)
+ choose_broadcast_address(to, &sa, &sock);
+ else
+ choose_udp_address(to, &sa, &sock);
if(sendto(listen_socket[sock].udp.fd, data, len, 0, &sa->sa, SALEN(sa->sa)) < 0 && !sockwouldblock(sockerrno)) {
if(sockmsgsize(sockerrno)) {
node_t *via;
if(n == myself) {
- if(overwrite_mac)
- memcpy(packet->data, mymac.x, ETH_ALEN);
n->out_packets++;
n->out_bytes += packet->len;
- devops.write(packet);
+ // TODO: send to application
return;
}
if(from != myself)
send_packet(myself, packet);
- // In TunnelServer mode, do not forward broadcast packets.
- // The MST might not be valid and create loops.
- if(tunnelserver || broadcast_mode == BMODE_NONE)
- return;
-
logger(DEBUG_TRAFFIC, LOG_INFO, "Broadcasting packet of %d bytes from %s (%s)",
packet->len, from->name, from->hostname);
break;
for splay_each(node_t, n, node_tree)
- if(n->status.reachable && ((n->via == myself && n->nexthop == n) || n->via == n))
+ if(n->status.reachable && n != myself && ((n->via == myself && n->nexthop == n) || n->via == n))
send_packet(n, packet);
break;
receive_udppacket(n, &pkt);
}
-
-void handle_device_data(void *data, int flags) {
- vpn_packet_t packet;
-
- packet.priority = 0;
-
- if(devops.read(&packet)) {
- myself->in_packets++;
- myself->in_bytes += packet.len;
- route(myself, &packet);
- }
-}