2 net_packet.c -- Handles in- and outgoing VPN packets
3 Copyright (C) 1998-2005 Ivo Timmermans,
4 2000-2006 Guus Sliepen <guus@tinc-vpn.org>
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 2 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program; if not, write to the Free Software
18 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
25 #include <openssl/rand.h>
26 #include <openssl/err.h>
27 #include <openssl/evp.h>
28 #include <openssl/pem.h>
29 #include <openssl/hmac.h>
34 #include "splay_tree.h"
36 #include "connection.h"
51 #define EMSGSIZE WSAEMSGSIZE
55 EVP_CIPHER_CTX packet_ctx;
56 static char lzo_wrkmem[LZO1X_999_MEM_COMPRESS > LZO1X_1_MEM_COMPRESS ? LZO1X_999_MEM_COMPRESS : LZO1X_1_MEM_COMPRESS];
58 static void send_udppacket(node_t *, vpn_packet_t *);
60 #define MAX_SEQNO 1073741824
62 static void send_mtu_probe_handler(int fd, short events, void *data) {
71 if(n->mtuprobes >= 10 && !n->minmtu) {
72 ifdebug(TRAFFIC) logger(LOG_INFO, _("No response to MTU probes from %s (%s)"), n->name, n->hostname);
76 for(i = 0; i < 3; i++) {
77 if(n->mtuprobes >= 30 || n->minmtu >= n->maxmtu) {
79 ifdebug(TRAFFIC) logger(LOG_INFO, _("Fixing MTU of %s (%s) to %d after %d probes"), n->name, n->hostname, n->mtu, n->mtuprobes);
83 len = n->minmtu + 1 + random() % (n->maxmtu - n->minmtu);
87 memset(packet.data, 0, 14);
88 RAND_pseudo_bytes(packet.data + 14, len - 14);
91 ifdebug(TRAFFIC) logger(LOG_INFO, _("Sending MTU probe length %d to %s (%s)"), len, n->name, n->hostname);
93 send_udppacket(n, &packet);
96 event_add(&n->mtuevent, &(struct timeval){1, 0});
99 void send_mtu_probe(node_t *n) {
100 if(!timeout_initialized(&n->mtuevent))
101 timeout_set(&n->mtuevent, send_mtu_probe_handler, n);
102 send_mtu_probe_handler(0, 0, n);
105 void mtu_probe_h(node_t *n, vpn_packet_t *packet) {
106 ifdebug(TRAFFIC) logger(LOG_INFO, _("Got MTU probe length %d from %s (%s)"), packet->len, n->name, n->hostname);
108 if(!packet->data[0]) {
110 send_packet(n, packet);
112 if(n->minmtu < packet->len)
113 n->minmtu = packet->len;
117 static length_t compress_packet(uint8_t *dest, const uint8_t *source, length_t len, int level) {
119 lzo_uint lzolen = MAXSIZE;
120 lzo1x_1_compress(source, len, dest, &lzolen, lzo_wrkmem);
122 } else if(level < 10) {
123 unsigned long destlen = MAXSIZE;
124 if(compress2(dest, &destlen, source, len, level) == Z_OK)
129 lzo_uint lzolen = MAXSIZE;
130 lzo1x_999_compress(source, len, dest, &lzolen, lzo_wrkmem);
137 static length_t uncompress_packet(uint8_t *dest, const uint8_t *source, length_t len, int level) {
139 lzo_uint lzolen = MAXSIZE;
140 if(lzo1x_decompress_safe(source, len, dest, &lzolen, NULL) == LZO_E_OK)
145 unsigned long destlen = MAXSIZE;
146 if(uncompress(dest, &destlen, source, len) == Z_OK)
157 static void receive_packet(node_t *n, vpn_packet_t *packet) {
160 ifdebug(TRAFFIC) logger(LOG_DEBUG, _("Received packet of %d bytes from %s (%s)"),
161 packet->len, n->name, n->hostname);
166 static void receive_udppacket(node_t *n, vpn_packet_t *inpkt) {
167 vpn_packet_t pkt1, pkt2;
168 vpn_packet_t *pkt[] = { &pkt1, &pkt2, &pkt1, &pkt2 };
170 vpn_packet_t *outpkt = pkt[0];
172 unsigned char hmac[EVP_MAX_MD_SIZE];
177 /* Check packet length */
179 if(inpkt->len < sizeof(inpkt->seqno) + myself->maclength) {
180 ifdebug(TRAFFIC) logger(LOG_DEBUG, _("Got too short packet from %s (%s)"),
181 n->name, n->hostname);
185 /* Check the message authentication code */
187 if(myself->digest && myself->maclength) {
188 inpkt->len -= myself->maclength;
189 HMAC(myself->digest, myself->key, myself->keylength,
190 (unsigned char *) &inpkt->seqno, inpkt->len, (unsigned char *)hmac, NULL);
192 if(memcmp(hmac, (char *) &inpkt->seqno + inpkt->len, myself->maclength)) {
193 ifdebug(TRAFFIC) logger(LOG_DEBUG, _("Got unauthenticated packet from %s (%s)"),
194 n->name, n->hostname);
199 /* Decrypt the packet */
202 outpkt = pkt[nextpkt++];
204 if(!EVP_DecryptInit_ex(&packet_ctx, NULL, NULL, NULL, NULL)
205 || !EVP_DecryptUpdate(&packet_ctx, (unsigned char *) &outpkt->seqno, &outlen,
206 (unsigned char *) &inpkt->seqno, inpkt->len)
207 || !EVP_DecryptFinal_ex(&packet_ctx, (unsigned char *) &outpkt->seqno + outlen, &outpad)) {
208 ifdebug(TRAFFIC) logger(LOG_DEBUG, _("Error decrypting packet from %s (%s): %s"),
209 n->name, n->hostname, ERR_error_string(ERR_get_error(), NULL));
213 outpkt->len = outlen + outpad;
217 /* Check the sequence number */
219 inpkt->len -= sizeof(inpkt->seqno);
220 inpkt->seqno = ntohl(inpkt->seqno);
222 if(inpkt->seqno != n->received_seqno + 1) {
223 if(inpkt->seqno >= n->received_seqno + sizeof(n->late) * 8) {
224 logger(LOG_WARNING, _("Lost %d packets from %s (%s)"),
225 inpkt->seqno - n->received_seqno - 1, n->name, n->hostname);
227 memset(n->late, 0, sizeof(n->late));
228 } else if (inpkt->seqno <= n->received_seqno) {
229 if((n->received_seqno >= sizeof(n->late) * 8 && inpkt->seqno <= n->received_seqno - sizeof(n->late) * 8) || !(n->late[(inpkt->seqno / 8) % sizeof(n->late)] & (1 << inpkt->seqno % 8))) {
230 logger(LOG_WARNING, _("Got late or replayed packet from %s (%s), seqno %d, last received %d"),
231 n->name, n->hostname, inpkt->seqno, n->received_seqno);
235 for(i = n->received_seqno + 1; i < inpkt->seqno; i++)
236 n->late[(i / 8) % sizeof(n->late)] |= 1 << i % 8;
240 n->late[(inpkt->seqno / 8) % sizeof(n->late)] &= ~(1 << inpkt->seqno % 8);
242 if(inpkt->seqno > n->received_seqno)
243 n->received_seqno = inpkt->seqno;
245 if(n->received_seqno > MAX_SEQNO)
248 /* Decompress the packet */
250 if(myself->compression) {
251 outpkt = pkt[nextpkt++];
253 if((outpkt->len = uncompress_packet(outpkt->data, inpkt->data, inpkt->len, myself->compression)) < 0) {
254 ifdebug(TRAFFIC) logger(LOG_ERR, _("Error while uncompressing packet from %s (%s)"),
255 n->name, n->hostname);
262 if(!inpkt->data[12] && !inpkt->data[13])
263 mtu_probe_h(n, inpkt);
265 receive_packet(n, inpkt);
268 void receive_tcppacket(connection_t *c, char *buffer, int len) {
274 memcpy(outpkt.data, buffer, len);
276 receive_packet(c->node, &outpkt);
279 static void send_udppacket(node_t *n, vpn_packet_t *origpkt) {
280 vpn_packet_t pkt1, pkt2;
281 vpn_packet_t *pkt[] = { &pkt1, &pkt2, &pkt1, &pkt2 };
282 vpn_packet_t *inpkt = origpkt;
284 vpn_packet_t *outpkt;
288 static int priority = 0;
294 /* Make sure we have a valid key */
296 if(!n->status.validkey) {
297 ifdebug(TRAFFIC) logger(LOG_INFO,
298 _("No valid key known yet for %s (%s), queueing packet"),
299 n->name, n->hostname);
301 /* Since packet is on the stack of handle_tap_input(), we have to make a copy of it first. */
303 *(copy = xmalloc(sizeof(*copy))) = *inpkt;
305 list_insert_tail(n->queue, copy);
307 if(n->queue->count > MAXQUEUELENGTH)
308 list_delete_head(n->queue);
310 if(!n->status.waitingforkey)
311 send_req_key(n->nexthop->connection, myself, n);
313 n->status.waitingforkey = true;
318 origlen = inpkt->len;
319 origpriority = inpkt->priority;
321 /* Compress the packet */
324 outpkt = pkt[nextpkt++];
326 if((outpkt->len = compress_packet(outpkt->data, inpkt->data, inpkt->len, n->compression)) < 0) {
327 ifdebug(TRAFFIC) logger(LOG_ERR, _("Error while compressing packet to %s (%s)"),
328 n->name, n->hostname);
335 /* Add sequence number */
337 inpkt->seqno = htonl(++(n->sent_seqno));
338 inpkt->len += sizeof(inpkt->seqno);
340 /* Encrypt the packet */
343 outpkt = pkt[nextpkt++];
345 if(!EVP_EncryptInit_ex(&n->packet_ctx, NULL, NULL, NULL, NULL)
346 || !EVP_EncryptUpdate(&n->packet_ctx, (unsigned char *) &outpkt->seqno, &outlen,
347 (unsigned char *) &inpkt->seqno, inpkt->len)
348 || !EVP_EncryptFinal_ex(&n->packet_ctx, (unsigned char *) &outpkt->seqno + outlen, &outpad)) {
349 ifdebug(TRAFFIC) logger(LOG_ERR, _("Error while encrypting packet to %s (%s): %s"),
350 n->name, n->hostname, ERR_error_string(ERR_get_error(), NULL));
354 outpkt->len = outlen + outpad;
358 /* Add the message authentication code */
360 if(n->digest && n->maclength) {
361 HMAC(n->digest, n->key, n->keylength, (unsigned char *) &inpkt->seqno,
362 inpkt->len, (unsigned char *) &inpkt->seqno + inpkt->len, NULL);
363 inpkt->len += n->maclength;
366 /* Determine which socket we have to use */
368 for(sock = 0; sock < listen_sockets; sock++)
369 if(n->address.sa.sa_family == listen_socket[sock].sa.sa.sa_family)
372 if(sock >= listen_sockets)
373 sock = 0; /* If none is available, just use the first and hope for the best. */
375 /* Send the packet */
377 #if defined(SOL_IP) && defined(IP_TOS)
378 if(priorityinheritance && origpriority != priority
379 && listen_socket[sock].sa.sa.sa_family == AF_INET) {
380 priority = origpriority;
381 ifdebug(TRAFFIC) logger(LOG_DEBUG, _("Setting outgoing packet priority to %d"), priority);
382 if(setsockopt(listen_socket[sock].udp, SOL_IP, IP_TOS, &priority, sizeof(priority))) /* SO_PRIORITY doesn't seem to work */
383 logger(LOG_ERR, _("System call `%s' failed: %s"), "setsockopt", strerror(errno));
387 if((sendto(listen_socket[sock].udp, (char *) &inpkt->seqno, inpkt->len, 0, &(n->address.sa), SALEN(n->address.sa))) < 0) {
388 if(errno == EMSGSIZE) {
389 if(n->maxmtu >= origlen)
390 n->maxmtu = origlen - 1;
391 if(n->mtu >= origlen)
392 n->mtu = origlen - 1;
394 logger(LOG_ERR, _("Error sending packet to %s (%s): %s"), n->name, n->hostname, strerror(errno));
398 origpkt->len = origlen;
402 send a packet to the given vpn ip.
404 void send_packet(const node_t *n, vpn_packet_t *packet) {
411 memcpy(packet->data, mymac.x, ETH_ALEN);
412 write_packet(packet);
416 ifdebug(TRAFFIC) logger(LOG_ERR, _("Sending packet of %d bytes to %s (%s)"),
417 packet->len, n->name, n->hostname);
419 if(!n->status.reachable) {
420 ifdebug(TRAFFIC) logger(LOG_INFO, _("Node %s (%s) is not reachable"),
421 n->name, n->hostname);
425 via = (n->via == myself) ? n->nexthop : n->via;
428 ifdebug(TRAFFIC) logger(LOG_ERR, _("Sending packet to %s via %s (%s)"),
429 n->name, via->name, n->via->hostname);
431 if((myself->options | via->options) & OPTION_TCPONLY) {
432 if(!send_tcppacket(via->connection, packet))
433 terminate_connection(via->connection, true);
435 send_udppacket(via, packet);
438 /* Broadcast a packet using the minimum spanning tree */
440 void broadcast_packet(const node_t *from, vpn_packet_t *packet) {
446 ifdebug(TRAFFIC) logger(LOG_INFO, _("Broadcasting packet of %d bytes from %s (%s)"),
447 packet->len, from->name, from->hostname);
450 send_packet(myself, packet);
452 for(node = connection_tree->head; node; node = node->next) {
455 if(c->status.active && c->status.mst && c != from->nexthop->connection)
456 send_packet(c->node, packet);
460 void flush_queue(node_t *n) {
461 list_node_t *node, *next;
465 ifdebug(TRAFFIC) logger(LOG_INFO, _("Flushing queue for %s (%s)"), n->name, n->hostname);
467 for(node = n->queue->head; node; node = next) {
469 send_udppacket(n, node->data);
470 list_delete_node(n->queue, node);
474 void handle_incoming_vpn_data(int sock, short events, void *data) {
478 socklen_t fromlen = sizeof(from);
483 pkt.len = recvfrom(sock, (char *) &pkt.seqno, MAXSIZE, 0, &from.sa, &fromlen);
486 logger(LOG_ERR, _("Receiving packet failed: %s"), strerror(errno));
490 sockaddrunmap(&from); /* Some braindead IPv6 implementations do stupid things. */
492 n = lookup_node_udp(&from);
495 hostname = sockaddr2hostname(&from);
496 logger(LOG_WARNING, _("Received UDP packet from unknown source %s"),
502 receive_udppacket(n, &pkt);
505 void handle_device_data(int sock, short events, void *data) {
508 if(read_packet(&packet))
509 route(myself, &packet);