X-Git-Url: https://git.librecmc.org/?p=oweals%2Ftinc.git;a=blobdiff_plain;f=src%2Fnet_packet.c;h=31c44771967a2d62f35da6c34eade0f4411cfc9d;hp=c159efb3fc8e7723ec94bc8b7388627aa339ea72;hb=de029ce46056e02908b5390da9b71a6a59133f26;hpb=67df7fb7e1c9eefe4bbc920fdc68b595ef28abd9 diff --git a/src/net_packet.c b/src/net_packet.c index c159efb..31c4477 100644 --- a/src/net_packet.c +++ b/src/net_packet.c @@ -1,7 +1,7 @@ /* net_packet.c -- Handles in- and outgoing VPN packets Copyright (C) 1998-2005 Ivo Timmermans, - 2000-2006 Guus Sliepen + 2000-2009 Guus Sliepen This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -54,7 +54,6 @@ int keylifetime = 0; int keyexpires = 0; -EVP_CIPHER_CTX packet_ctx; static char lzo_wrkmem[LZO1X_999_MEM_COMPRESS > LZO1X_1_MEM_COMPRESS ? LZO1X_999_MEM_COMPRESS : LZO1X_1_MEM_COMPRESS]; static void send_udppacket(node_t *, vpn_packet_t *); @@ -71,6 +70,11 @@ void send_mtu_probe(node_t *n) n->mtuprobes++; n->mtuevent = NULL; + if(!n->status.reachable) { + logger(LOG_DEBUG, _("Trying to send MTU probe to unreachable node %s (%s)"), n->name, n->hostname); + return; + } + if(n->mtuprobes >= 10 && !n->minmtu) { ifdebug(TRAFFIC) logger(LOG_INFO, _("No response to MTU probes from %s (%s)"), n->name, n->hostname); return; @@ -104,15 +108,15 @@ void send_mtu_probe(node_t *n) event_add(n->mtuevent); } -void mtu_probe_h(node_t *n, vpn_packet_t *packet) { +void mtu_probe_h(node_t *n, vpn_packet_t *packet, length_t len) { ifdebug(TRAFFIC) logger(LOG_INFO, _("Got MTU probe length %d from %s (%s)"), packet->len, n->name, n->hostname); if(!packet->data[0]) { packet->data[0] = 1; send_packet(n, packet); } else { - if(n->minmtu < packet->len) - n->minmtu = packet->len; + if(n->minmtu < len) + n->minmtu = len; } } @@ -168,6 +172,18 @@ static void receive_packet(node_t *n, vpn_packet_t *packet) route(n, packet); } +static bool try_mac(const node_t *n, const vpn_packet_t *inpkt) +{ + unsigned char hmac[EVP_MAX_MD_SIZE]; + + if(!n->indigest || !n->inmaclength || !n->inkey || inpkt->len < sizeof inpkt->seqno + n->inmaclength) + return false; + + HMAC(n->indigest, n->inkey, n->inkeylength, (unsigned char *) &inpkt->seqno, inpkt->len - n->inmaclength, (unsigned char *)hmac, NULL); + + return !memcmp(hmac, (char *) &inpkt->seqno + inpkt->len - n->inmaclength, n->inmaclength); +} + static void receive_udppacket(node_t *n, vpn_packet_t *inpkt) { vpn_packet_t pkt1, pkt2; @@ -180,9 +196,15 @@ static void receive_udppacket(node_t *n, vpn_packet_t *inpkt) cp(); + if(!n->inkey) { + ifdebug(TRAFFIC) logger(LOG_DEBUG, _("Got packet from %s (%s) but he hasn't got our key yet"), + n->name, n->hostname); + return; + } + /* Check packet length */ - if(inpkt->len < sizeof(inpkt->seqno) + myself->maclength) { + if(inpkt->len < sizeof(inpkt->seqno) + n->inmaclength) { ifdebug(TRAFFIC) logger(LOG_DEBUG, _("Got too short packet from %s (%s)"), n->name, n->hostname); return; @@ -190,12 +212,12 @@ static void receive_udppacket(node_t *n, vpn_packet_t *inpkt) /* Check the message authentication code */ - if(myself->digest && myself->maclength) { - inpkt->len -= myself->maclength; - HMAC(myself->digest, myself->key, myself->keylength, + if(n->indigest && n->inmaclength) { + inpkt->len -= n->inmaclength; + HMAC(n->indigest, n->inkey, n->inkeylength, (unsigned char *) &inpkt->seqno, inpkt->len, (unsigned char *)hmac, NULL); - if(memcmp(hmac, (char *) &inpkt->seqno + inpkt->len, myself->maclength)) { + if(memcmp(hmac, (char *) &inpkt->seqno + inpkt->len, n->inmaclength)) { ifdebug(TRAFFIC) logger(LOG_DEBUG, _("Got unauthenticated packet from %s (%s)"), n->name, n->hostname); return; @@ -204,13 +226,13 @@ static void receive_udppacket(node_t *n, vpn_packet_t *inpkt) /* Decrypt the packet */ - if(myself->cipher) { + if(n->incipher) { outpkt = pkt[nextpkt++]; - if(!EVP_DecryptInit_ex(&packet_ctx, NULL, NULL, NULL, NULL) - || !EVP_DecryptUpdate(&packet_ctx, (unsigned char *) &outpkt->seqno, &outlen, + if(!EVP_DecryptInit_ex(&n->inctx, NULL, NULL, NULL, NULL) + || !EVP_DecryptUpdate(&n->inctx, (unsigned char *) &outpkt->seqno, &outlen, (unsigned char *) &inpkt->seqno, inpkt->len) - || !EVP_DecryptFinal_ex(&packet_ctx, (unsigned char *) &outpkt->seqno + outlen, &outpad)) { + || !EVP_DecryptFinal_ex(&n->inctx, (unsigned char *) &outpkt->seqno + outlen, &outpad)) { ifdebug(TRAFFIC) logger(LOG_DEBUG, _("Error decrypting packet from %s (%s): %s"), n->name, n->hostname, ERR_error_string(ERR_get_error(), NULL)); return; @@ -253,16 +275,20 @@ static void receive_udppacket(node_t *n, vpn_packet_t *inpkt) /* Decompress the packet */ - if(myself->compression) { + length_t origlen = inpkt->len; + + if(n->incompression) { outpkt = pkt[nextpkt++]; - if((outpkt->len = uncompress_packet(outpkt->data, inpkt->data, inpkt->len, myself->compression)) < 0) { + if((outpkt->len = uncompress_packet(outpkt->data, inpkt->data, inpkt->len, n->incompression)) < 0) { ifdebug(TRAFFIC) logger(LOG_ERR, _("Error while uncompressing packet from %s (%s)"), n->name, n->hostname); return; } inpkt = outpkt; + + origlen -= MTU/64 + 20; } inpkt->priority = 0; @@ -271,7 +297,7 @@ static void receive_udppacket(node_t *n, vpn_packet_t *inpkt) n->connection->last_ping_time = now; if(!inpkt->data[12] && !inpkt->data[13]) - mtu_probe_h(n, inpkt); + mtu_probe_h(n, inpkt, origlen); else receive_packet(n, inpkt); } @@ -307,6 +333,11 @@ static void send_udppacket(node_t *n, vpn_packet_t *origpkt) cp(); + if(!n->status.reachable) { + ifdebug(TRAFFIC) logger(LOG_INFO, _("Trying to send UDP packet to unreachable node %s (%s)"), n->name, n->hostname); + return; + } + /* Make sure we have a valid key */ if(!n->status.validkey) { @@ -315,7 +346,7 @@ static void send_udppacket(node_t *n, vpn_packet_t *origpkt) n->name, n->hostname); if(!n->status.waitingforkey) - send_req_key(n->nexthop->connection, myself, n); + send_req_key(n); n->status.waitingforkey = true; @@ -324,12 +355,14 @@ static void send_udppacket(node_t *n, vpn_packet_t *origpkt) return; } - if(!n->minmtu && (inpkt->data[12] | inpkt->data[13])) { + if(n->options & OPTION_PMTU_DISCOVERY && !n->minmtu && (inpkt->data[12] | inpkt->data[13])) { ifdebug(TRAFFIC) logger(LOG_INFO, _("No minimum MTU established yet for %s (%s), forwarding via TCP"), n->name, n->hostname); send_tcppacket(n->nexthop->connection, origpkt); + + return; } origlen = inpkt->len; @@ -337,10 +370,10 @@ static void send_udppacket(node_t *n, vpn_packet_t *origpkt) /* Compress the packet */ - if(n->compression) { + if(n->outcompression) { outpkt = pkt[nextpkt++]; - if((outpkt->len = compress_packet(outpkt->data, inpkt->data, inpkt->len, n->compression)) < 0) { + if((outpkt->len = compress_packet(outpkt->data, inpkt->data, inpkt->len, n->outcompression)) < 0) { ifdebug(TRAFFIC) logger(LOG_ERR, _("Error while compressing packet to %s (%s)"), n->name, n->hostname); return; @@ -356,13 +389,13 @@ static void send_udppacket(node_t *n, vpn_packet_t *origpkt) /* Encrypt the packet */ - if(n->cipher) { + if(n->outcipher) { outpkt = pkt[nextpkt++]; - if(!EVP_EncryptInit_ex(&n->packet_ctx, NULL, NULL, NULL, NULL) - || !EVP_EncryptUpdate(&n->packet_ctx, (unsigned char *) &outpkt->seqno, &outlen, + if(!EVP_EncryptInit_ex(&n->outctx, NULL, NULL, NULL, NULL) + || !EVP_EncryptUpdate(&n->outctx, (unsigned char *) &outpkt->seqno, &outlen, (unsigned char *) &inpkt->seqno, inpkt->len) - || !EVP_EncryptFinal_ex(&n->packet_ctx, (unsigned char *) &outpkt->seqno + outlen, &outpad)) { + || !EVP_EncryptFinal_ex(&n->outctx, (unsigned char *) &outpkt->seqno + outlen, &outpad)) { ifdebug(TRAFFIC) logger(LOG_ERR, _("Error while encrypting packet to %s (%s): %s"), n->name, n->hostname, ERR_error_string(ERR_get_error(), NULL)); goto end; @@ -374,10 +407,10 @@ static void send_udppacket(node_t *n, vpn_packet_t *origpkt) /* Add the message authentication code */ - if(n->digest && n->maclength) { - HMAC(n->digest, n->key, n->keylength, (unsigned char *) &inpkt->seqno, + if(n->outdigest && n->outmaclength) { + HMAC(n->outdigest, n->outkey, n->outkeylength, (unsigned char *) &inpkt->seqno, inpkt->len, (unsigned char *) &inpkt->seqno + inpkt->len, NULL); - inpkt->len += n->maclength; + inpkt->len += n->outmaclength; } /* Determine which socket we have to use */ @@ -465,9 +498,15 @@ void broadcast_packet(const node_t *from, vpn_packet_t *packet) ifdebug(TRAFFIC) logger(LOG_INFO, _("Broadcasting packet of %d bytes from %s (%s)"), packet->len, from->name, from->hostname); - if(from != myself) + if(from != myself) { send_packet(myself, packet); + // In TunnelServer mode, do not forward broadcast packets. + // The MST might not be valid and create loops. + if(tunnelserver) + return; + } + for(node = connection_tree->head; node; node = node->next) { c = node->data; @@ -476,6 +515,30 @@ void broadcast_packet(const node_t *from, vpn_packet_t *packet) } } +static node_t *try_harder(const sockaddr_t *from, const vpn_packet_t *pkt) { + avl_node_t *node; + edge_t *e; + node_t *n = NULL; + + for(node = edge_weight_tree->head; node; node = node->next) { + e = node->data; + + if(sockaddrcmp_noport(from, &e->address)) + continue; + + if(!n) + n = e->to; + + if(!try_mac(e->to, pkt)) + continue; + + n = e->to; + break; + } + + return n; +} + void handle_incoming_vpn_data(int sock) { vpn_packet_t pkt; @@ -489,7 +552,8 @@ void handle_incoming_vpn_data(int sock) pkt.len = recvfrom(sock, (char *) &pkt.seqno, MAXSIZE, 0, &from.sa, &fromlen); if(pkt.len < 0) { - logger(LOG_ERR, _("Receiving packet failed: %s"), strerror(errno)); + if(errno != EAGAIN && errno != EINTR) + logger(LOG_ERR, _("Receiving packet failed: %s"), strerror(errno)); return; } @@ -498,11 +562,17 @@ void handle_incoming_vpn_data(int sock) n = lookup_node_udp(&from); if(!n) { - hostname = sockaddr2hostname(&from); - logger(LOG_WARNING, _("Received UDP packet from unknown source %s"), - hostname); - free(hostname); - return; + n = try_harder(&from, &pkt); + if(n) + update_node_udp(n, &from); + else ifdebug(PROTOCOL) { + hostname = sockaddr2hostname(&from); + logger(LOG_WARNING, _("Received UDP packet from unknown source %s"), hostname); + free(hostname); + return; + } + else + return; } receive_udppacket(n, &pkt);