Merge branch 'master' into 1.1
[oweals/tinc.git] / src / net_packet.c
index 44ab55d42c8a550f1fddad9a36c88aec0c813377..b444bc9310277605e4bec46108f25bd578eeba0f 100644 (file)
 #include LZO1X_H
 #endif
 
-#include "avl_tree.h"
+#include "splay_tree.h"
+#include "cipher.h"
 #include "conf.h"
 #include "connection.h"
+#include "crypto.h"
+#include "digest.h"
 #include "device.h"
 #include "ethernet.h"
-#include "event.h"
 #include "graph.h"
 #include "list.h"
 #include "logger.h"
@@ -67,13 +69,13 @@ static void send_udppacket(node_t *, vpn_packet_t *);
 // mtuprobes ==    32: send 1 burst, sleep pingtimeout second
 // mtuprobes ==    33: no response from other side, restart PMTU discovery process
 
-void send_mtu_probe(node_t *n) {
+static void send_mtu_probe_handler(int fd, short events, void *data) {
+       node_t *n = data;
        vpn_packet_t packet;
        int len, i;
        int timeout = 1;
        
        n->mtuprobes++;
-       n->mtuevent = NULL;
 
        if(!n->status.reachable || !n->status.validkey) {
                ifdebug(TRAFFIC) logger(LOG_INFO, "Trying to send MTU probe to unreachable or rekeying node %s (%s)", n->name, n->hostname);
@@ -121,7 +123,7 @@ void send_mtu_probe(node_t *n) {
                        len = 64;
                
                memset(packet.data, 0, 14);
-               RAND_pseudo_bytes(packet.data + 14, len - 14);
+               randomize(packet.data + 14, len - 14);
                packet.len = len;
                packet.priority = 0;
 
@@ -131,11 +133,13 @@ void send_mtu_probe(node_t *n) {
        }
 
 end:
-       n->mtuevent = new_event();
-       n->mtuevent->handler = (event_handler_t)send_mtu_probe;
-       n->mtuevent->data = n;
-       n->mtuevent->time = now + timeout;
-       event_add(n->mtuevent);
+       event_add(&n->mtuevent, &(struct timeval){timeout, 0});
+}
+
+void send_mtu_probe(node_t *n) {
+       if(!timeout_initialized(&n->mtuevent))
+               timeout_set(&n->mtuevent, send_mtu_probe_handler, n);
+       send_mtu_probe_handler(0, 0, n);
 }
 
 void mtu_probe_h(node_t *n, vpn_packet_t *packet, length_t len) {
@@ -222,15 +226,11 @@ static void receive_packet(node_t *n, vpn_packet_t *packet) {
        route(n, packet);
 }
 
-static bool try_mac(const node_t *n, const vpn_packet_t *inpkt) {
-       unsigned char hmac[EVP_MAX_MD_SIZE];
-
-       if(!n->indigest || !n->inmaclength || !n->inkey || inpkt->len < sizeof inpkt->seqno + n->inmaclength)
+static bool try_mac(node_t *n, const vpn_packet_t *inpkt) {
+       if(!digest_active(&n->indigest) || inpkt->len < sizeof inpkt->seqno + digest_length(&n->indigest))
                return false;
 
-       HMAC(n->indigest, n->inkey, n->inkeylength, (unsigned char *) &inpkt->seqno, inpkt->len - n->inmaclength, (unsigned char *)hmac, NULL);
-
-       return !memcmp(hmac, (char *) &inpkt->seqno + inpkt->len - n->inmaclength, n->inmaclength);
+       return digest_verify(&n->indigest, &inpkt->seqno, inpkt->len - n->indigest.maclength, (const char *)&inpkt->seqno + inpkt->len - n->indigest.maclength);
 }
 
 static void receive_udppacket(node_t *n, vpn_packet_t *inpkt) {
@@ -238,11 +238,10 @@ static void receive_udppacket(node_t *n, vpn_packet_t *inpkt) {
        vpn_packet_t *pkt[] = { &pkt1, &pkt2, &pkt1, &pkt2 };
        int nextpkt = 0;
        vpn_packet_t *outpkt = pkt[0];
-       int outlen, outpad;
-       unsigned char hmac[EVP_MAX_MD_SIZE];
+       size_t outlen;
        int i;
 
-       if(!n->inkey) {
+       if(!cipher_active(&n->incipher)) {
                ifdebug(TRAFFIC) logger(LOG_DEBUG, "Got packet from %s (%s) but he hasn't got our key yet",
                                        n->name, n->hostname);
                return;
@@ -250,7 +249,7 @@ static void receive_udppacket(node_t *n, vpn_packet_t *inpkt) {
 
        /* Check packet length */
 
-       if(inpkt->len < sizeof(inpkt->seqno) + n->inmaclength) {
+       if(inpkt->len < sizeof inpkt->seqno + digest_length(&n->indigest)) {
                ifdebug(TRAFFIC) logger(LOG_DEBUG, "Got too short packet from %s (%s)",
                                        n->name, n->hostname);
                return;
@@ -258,66 +257,58 @@ static void receive_udppacket(node_t *n, vpn_packet_t *inpkt) {
 
        /* Check the message authentication code */
 
-       if(n->indigest && n->inmaclength) {
-               inpkt->len -= n->inmaclength;
-               HMAC(n->indigest, n->inkey, n->inkeylength,
-                        (unsigned char *) &inpkt->seqno, inpkt->len, (unsigned char *)hmac, NULL);
-
-               if(memcmp(hmac, (char *) &inpkt->seqno + inpkt->len, n->inmaclength)) {
-                       ifdebug(TRAFFIC) logger(LOG_DEBUG, "Got unauthenticated packet from %s (%s)",
-                                          n->name, n->hostname);
+       if(digest_active(&n->indigest)) {
+               inpkt->len -= n->indigest.maclength;
+               if(!digest_verify(&n->indigest, &inpkt->seqno, inpkt->len, (const char *)&inpkt->seqno + inpkt->len)) {
+                       ifdebug(TRAFFIC) logger(LOG_DEBUG, "Got unauthenticated packet from %s (%s)", n->name, n->hostname);
                        return;
                }
        }
-
        /* Decrypt the packet */
 
-       if(n->incipher) {
+       if(cipher_active(&n->incipher)) {
                outpkt = pkt[nextpkt++];
+               outlen = MAXSIZE;
 
-               if(!EVP_DecryptInit_ex(&n->inctx, NULL, NULL, NULL, NULL)
-                               || !EVP_DecryptUpdate(&n->inctx, (unsigned char *) &outpkt->seqno, &outlen,
-                                       (unsigned char *) &inpkt->seqno, inpkt->len)
-                               || !EVP_DecryptFinal_ex(&n->inctx, (unsigned char *) &outpkt->seqno + outlen, &outpad)) {
-                       ifdebug(TRAFFIC) logger(LOG_DEBUG, "Error decrypting packet from %s (%s): %s",
-                                               n->name, n->hostname, ERR_error_string(ERR_get_error(), NULL));
+               if(!cipher_decrypt(&n->incipher, &inpkt->seqno, inpkt->len, &outpkt->seqno, &outlen, true)) {
+                       ifdebug(TRAFFIC) logger(LOG_DEBUG, "Error decrypting packet from %s (%s)", n->name, n->hostname);
                        return;
                }
                
-               outpkt->len = outlen + outpad;
+               outpkt->len = outlen;
                inpkt = outpkt;
        }
 
        /* Check the sequence number */
 
-       inpkt->len -= sizeof(inpkt->seqno);
+       inpkt->len -= sizeof inpkt->seqno;
        inpkt->seqno = ntohl(inpkt->seqno);
 
        if(inpkt->seqno != n->received_seqno + 1) {
-               if(inpkt->seqno >= n->received_seqno + sizeof(n->late) * 8) {
+               if(inpkt->seqno >= n->received_seqno + sizeof n->late * 8) {
                        logger(LOG_WARNING, "Lost %d packets from %s (%s)",
                                           inpkt->seqno - n->received_seqno - 1, n->name, n->hostname);
                        
-                       memset(n->late, 0, sizeof(n->late));
+                       memset(n->late, 0, sizeof n->late);
                } else if (inpkt->seqno <= n->received_seqno) {
-                       if((n->received_seqno >= sizeof(n->late) * 8 && inpkt->seqno <= n->received_seqno - sizeof(n->late) * 8) || !(n->late[(inpkt->seqno / 8) % sizeof(n->late)] & (1 << inpkt->seqno % 8))) {
+                       if((n->received_seqno >= sizeof n->late * 8 && inpkt->seqno <= n->received_seqno - sizeof n->late * 8) || !(n->late[(inpkt->seqno / 8) % sizeof n->late] & (1 << inpkt->seqno % 8))) {
                                logger(LOG_WARNING, "Got late or replayed packet from %s (%s), seqno %d, last received %d",
                                           n->name, n->hostname, inpkt->seqno, n->received_seqno);
                                return;
                        }
                } else {
                        for(i = n->received_seqno + 1; i < inpkt->seqno; i++)
-                               n->late[(i / 8) % sizeof(n->late)] |= 1 << i % 8;
+                               n->late[(i / 8) % sizeof n->late] |= 1 << i % 8;
                }
        }
        
-       n->late[(inpkt->seqno / 8) % sizeof(n->late)] &= ~(1 << inpkt->seqno % 8);
+       n->late[(inpkt->seqno / 8) % sizeof n->late] &= ~(1 << inpkt->seqno % 8);
 
        if(inpkt->seqno > n->received_seqno)
                n->received_seqno = inpkt->seqno;
                        
        if(n->received_seqno > MAX_SEQNO)
-               keyexpires = 0;
+               regenerate_key();
 
        /* Decompress the packet */
 
@@ -365,7 +356,7 @@ static void send_udppacket(node_t *n, vpn_packet_t *origpkt) {
        int nextpkt = 0;
        vpn_packet_t *outpkt;
        int origlen;
-       int outlen, outpad;
+       size_t outlen;
 #if defined(SOL_IP) && defined(IP_TOS)
        static int priority = 0;
 #endif
@@ -380,6 +371,8 @@ static void send_udppacket(node_t *n, vpn_packet_t *origpkt) {
        /* Make sure we have a valid key */
 
        if(!n->status.validkey) {
+               time_t now = time(NULL);
+
                ifdebug(TRAFFIC) logger(LOG_INFO,
                                   "No valid key known yet for %s (%s), forwarding via TCP",
                                   n->name, n->hostname);
@@ -427,32 +420,28 @@ static void send_udppacket(node_t *n, vpn_packet_t *origpkt) {
        /* Add sequence number */
 
        inpkt->seqno = htonl(++(n->sent_seqno));
-       inpkt->len += sizeof(inpkt->seqno);
+       inpkt->len += sizeof inpkt->seqno;
 
        /* Encrypt the packet */
 
-       if(n->outcipher) {
+       if(cipher_active(&n->outcipher)) {
                outpkt = pkt[nextpkt++];
+               outlen = MAXSIZE;
 
-               if(!EVP_EncryptInit_ex(&n->outctx, NULL, NULL, NULL, NULL)
-                               || !EVP_EncryptUpdate(&n->outctx, (unsigned char *) &outpkt->seqno, &outlen,
-                                       (unsigned char *) &inpkt->seqno, inpkt->len)
-                               || !EVP_EncryptFinal_ex(&n->outctx, (unsigned char *) &outpkt->seqno + outlen, &outpad)) {
-                       ifdebug(TRAFFIC) logger(LOG_ERR, "Error while encrypting packet to %s (%s): %s",
-                                               n->name, n->hostname, ERR_error_string(ERR_get_error(), NULL));
+               if(!cipher_encrypt(&n->outcipher, &inpkt->seqno, inpkt->len, &outpkt->seqno, &outlen, true)) {
+                       ifdebug(TRAFFIC) logger(LOG_ERR, "Error while encrypting packet to %s (%s)", n->name, n->hostname);
                        goto end;
                }
 
-               outpkt->len = outlen + outpad;
+               outpkt->len = outlen;
                inpkt = outpkt;
        }
 
        /* Add the message authentication code */
 
-       if(n->outdigest && n->outmaclength) {
-               HMAC(n->outdigest, n->outkey, n->outkeylength, (unsigned char *) &inpkt->seqno,
-                        inpkt->len, (unsigned char *) &inpkt->seqno + inpkt->len, NULL);
-               inpkt->len += n->outmaclength;
+       if(digest_active(&n->outdigest)) {
+               digest_create(&n->outdigest, &inpkt->seqno, inpkt->len, (char *)&inpkt->seqno + inpkt->len);
+               inpkt->len += digest_length(&n->outdigest);
        }
 
        /* Determine which socket we have to use */
@@ -471,7 +460,7 @@ static void send_udppacket(node_t *n, vpn_packet_t *origpkt) {
           && listen_socket[sock].sa.sa.sa_family == AF_INET) {
                priority = origpriority;
                ifdebug(TRAFFIC) logger(LOG_DEBUG, "Setting outgoing packet priority to %d", priority);
-               if(setsockopt(listen_socket[sock].udp, SOL_IP, IP_TOS, &priority, sizeof(priority)))    /* SO_PRIORITY doesn't seem to work */
+               if(setsockopt(listen_socket[sock].udp, SOL_IP, IP_TOS, &priority, sizeof priority))     /* SO_PRIORITY doesn't seem to work */
                        logger(LOG_ERR, "System call `%s' failed: %s", "setsockopt", strerror(errno));
        }
 #endif
@@ -528,7 +517,7 @@ void send_packet(const node_t *n, vpn_packet_t *packet) {
 /* Broadcast a packet using the minimum spanning tree */
 
 void broadcast_packet(const node_t *from, vpn_packet_t *packet) {
-       avl_node_t *node;
+       splay_node_t *node;
        connection_t *c;
 
        ifdebug(TRAFFIC) logger(LOG_INFO, "Broadcasting packet of %d bytes from %s (%s)",
@@ -552,48 +541,49 @@ void broadcast_packet(const node_t *from, vpn_packet_t *packet) {
 }
 
 static node_t *try_harder(const sockaddr_t *from, const vpn_packet_t *pkt) {
-       avl_node_t *node;
-       edge_t *e;
-       node_t *n = NULL;
+       splay_node_t *node;
+       node_t *n, *found = NULL;
        static time_t last_hard_try = 0;
+       time_t now = time(NULL);
 
-       for(node = edge_weight_tree->head; node; node = node->next) {
-               e = node->data;
-
-               if(sockaddrcmp_noport(from, &e->address)) {
-                       if(last_hard_try == now)
-                               continue;
-                       last_hard_try = now;
-               }
+       if(last_hard_try == now)
+               return NULL;
+       else
+               last_hard_try = now;
 
-               if(!n)
-                       n = e->to;
+       for(node = node_tree->head; node; node = node->next) {
+               n = node->data;
 
-               if(!try_mac(e->to, pkt))
+               if(n == myself || !n->status.reachable || !digest_active(&n->indigest))
                        continue;
 
-               n = e->to;
-               break;
+               if(try_mac(n, pkt)) {
+                       found = n;
+                       break;
+               }
        }
 
-       return n;
+       return found;
 }
 
-void handle_incoming_vpn_data(int sock) {
+void handle_incoming_vpn_data(int sock, short events, void *data) {
        vpn_packet_t pkt;
        char *hostname;
        sockaddr_t from;
-       socklen_t fromlen = sizeof(from);
+       socklen_t fromlen = sizeof from;
        node_t *n;
+       int len;
 
-       pkt.len = recvfrom(sock, (char *) &pkt.seqno, MAXSIZE, 0, &from.sa, &fromlen);
+       len = recvfrom(sock, (char *) &pkt.seqno, MAXSIZE, 0, &from.sa, &fromlen);
 
-       if(pkt.len < 0) {
+       if(len <= 0 || len > MAXSIZE) {
                if(!sockwouldblock(sockerrno))
                        logger(LOG_ERR, "Receiving packet failed: %s", sockstrerror(sockerrno));
                return;
        }
 
+       pkt.len = len;
+
        sockaddrunmap(&from);           /* Some braindead IPv6 implementations do stupid things. */
 
        n = lookup_node_udp(&from);
@@ -614,3 +604,10 @@ void handle_incoming_vpn_data(int sock) {
 
        receive_udppacket(n, &pkt);
 }
+
+void handle_device_data(int sock, short events, void *data) {
+       vpn_packet_t packet;
+
+       if(read_packet(&packet))
+               route(myself, &packet);
+}