X-Git-Url: https://git.librecmc.org/?p=oweals%2Ftinc.git;a=blobdiff_plain;f=src%2Fnet_packet.c;h=e67857cc4865b6c60d2d52ee6c36a47d44dbf011;hp=4b3496d38ea3572155c5c52c976aa15fb7b64205;hb=042a6c139e1bf798511db3986a3d4a47e638e731;hpb=ae5249610954af17c68c547bb1b45ad286ad647e diff --git a/src/net_packet.c b/src/net_packet.c index 4b3496d..e67857c 100644 --- a/src/net_packet.c +++ b/src/net_packet.c @@ -1,7 +1,7 @@ /* net_packet.c -- Handles in- and outgoing VPN packets Copyright (C) 1998-2005 Ivo Timmermans, - 2000-2011 Guus Sliepen + 2000-2014 Guus Sliepen 2010 Timothy Redaelli 2010 Brandon Black @@ -70,11 +70,15 @@ bool localdiscovery = false; mtuprobes == 32: send 1 burst, sleep pingtimeout second mtuprobes == 33: no response from other side, restart PMTU discovery process - Probes are sent in batches of three, with random sizes between the lower and - upper boundaries for the MTU thus far discovered. + Probes are sent in batches of at least three, with random sizes between the + lower and upper boundaries for the MTU thus far discovered. - In case local discovery is enabled, a fourth packet is added to each batch, + After the initial discovery, a fourth packet is added to each batch with a + size larger than the currently known PMTU, to test if the PMTU has increased. + + In case local discovery is enabled, another packet is added to each batch, which will be broadcast to the local network. + */ void send_mtu_probe(node_t *n) { @@ -126,11 +130,16 @@ void send_mtu_probe(node_t *n) { timeout = pingtimeout; } - for(i = 0; i < 3 + localdiscovery; i++) { - if(n->maxmtu <= n->minmtu) + for(i = 0; i < 4 + localdiscovery; i++) { + if(i == 0) { + if(n->mtuprobes < 30 || n->maxmtu + 8 >= MTU) + continue; + len = n->maxmtu + 8; + } else if(n->maxmtu <= n->minmtu) { len = n->maxmtu; - else + } else { len = n->minmtu + 1 + rand() % (n->maxmtu - n->minmtu); + } if(len < 64) len = 64; @@ -138,7 +147,7 @@ void send_mtu_probe(node_t *n) { memset(packet.data, 0, 14); RAND_pseudo_bytes(packet.data + 14, len - 14); packet.len = len; - if(i >= 3 && n->mtuprobes <= 10) + if(i >= 4 && n->mtuprobes <= 10) packet.priority = -1; else packet.priority = 0; @@ -164,6 +173,13 @@ void mtu_probe_h(node_t *n, vpn_packet_t *packet, length_t len) { send_udppacket(n, packet); } else { if(n->mtuprobes > 30) { + if (len == n->maxmtu + 8) { + ifdebug(TRAFFIC) logger(LOG_INFO, "Increase in PMTU to %s (%s) detected, restarting PMTU discovery", n->name, n->hostname); + n->maxmtu = MTU; + n->mtuprobes = 10; + return; + } + if(n->minmtu) n->mtuprobes = 30; else @@ -253,7 +269,7 @@ static bool try_mac(const node_t *n, const vpn_packet_t *inpkt) { HMAC(n->indigest, n->inkey, n->inkeylength, (unsigned char *) &inpkt->seqno, inpkt->len - n->inmaclength, (unsigned char *)hmac, NULL); - return !memcmp(hmac, (char *) &inpkt->seqno + inpkt->len - n->inmaclength, n->inmaclength); + return !memcmp_constant_time(hmac, (char *) &inpkt->seqno + inpkt->len - n->inmaclength, n->inmaclength); } static void receive_udppacket(node_t *n, vpn_packet_t *inpkt) { @@ -286,7 +302,7 @@ static void receive_udppacket(node_t *n, vpn_packet_t *inpkt) { HMAC(n->indigest, n->inkey, n->inkeylength, (unsigned char *) &inpkt->seqno, inpkt->len, (unsigned char *)hmac, NULL); - if(memcmp(hmac, (char *) &inpkt->seqno + inpkt->len, n->inmaclength)) { + if(memcmp_constant_time(hmac, (char *) &inpkt->seqno + inpkt->len, n->inmaclength)) { ifdebug(TRAFFIC) logger(LOG_DEBUG, "Got unauthenticated packet from %s (%s)", n->name, n->hostname); return; @@ -378,6 +394,9 @@ static void receive_udppacket(node_t *n, vpn_packet_t *inpkt) { void receive_tcppacket(connection_t *c, const char *buffer, int len) { vpn_packet_t outpkt; + if(len > sizeof outpkt.data) + return; + outpkt.len = len; if(c->options & OPTION_TCPONLY) outpkt.priority = 0; @@ -396,9 +415,6 @@ static void send_udppacket(node_t *n, vpn_packet_t *origpkt) { vpn_packet_t *outpkt; int origlen; int outlen, outpad; -#if defined(SOL_IP) && defined(IP_TOS) - static int priority = 0; -#endif int origpriority; if(!n->status.reachable) { @@ -500,17 +516,27 @@ static void send_udppacket(node_t *n, vpn_packet_t *origpkt) { struct sockaddr *sa; socklen_t sl; int sock; + sockaddr_t broadcast; /* Overloaded use of priority field: -1 means local broadcast */ if(origpriority == -1 && n->prevedge) { - struct sockaddr_in in; - in.sin_family = AF_INET; - in.sin_addr.s_addr = -1; - in.sin_port = n->prevedge->address.in.sin_port; - sa = (struct sockaddr *)∈ - sl = sizeof in; - sock = 0; + sock = rand() % listen_sockets; + memset(&broadcast, 0, sizeof broadcast); + if(listen_socket[sock].sa.sa.sa_family == AF_INET6) { + broadcast.in6.sin6_family = AF_INET6; + broadcast.in6.sin6_addr.s6_addr[0x0] = 0xff; + broadcast.in6.sin6_addr.s6_addr[0x1] = 0x02; + broadcast.in6.sin6_addr.s6_addr[0xf] = 0x01; + broadcast.in6.sin6_port = n->prevedge->address.in.sin_port; + broadcast.in6.sin6_scope_id = listen_socket[sock].sa.in6.sin6_scope_id; + } else { + broadcast.in.sin_family = AF_INET; + broadcast.in.sin_addr.s_addr = -1; + broadcast.in.sin_port = n->prevedge->address.in.sin_port; + } + sa = &broadcast.sa; + sl = SALEN(broadcast.sa); } else { if(origpriority == -1) origpriority = 0; @@ -520,15 +546,27 @@ static void send_udppacket(node_t *n, vpn_packet_t *origpkt) { sock = n->sock; } + if(priorityinheritance && origpriority != listen_socket[n->sock].priority) { + listen_socket[n->sock].priority = origpriority; + switch(listen_socket[n->sock].sa.sa.sa_family) { #if defined(SOL_IP) && defined(IP_TOS) - if(priorityinheritance && origpriority != priority - && listen_socket[n->sock].sa.sa.sa_family == AF_INET) { - priority = origpriority; - ifdebug(TRAFFIC) logger(LOG_DEBUG, "Setting outgoing packet priority to %d", priority); - if(setsockopt(listen_socket[n->sock].udp, SOL_IP, IP_TOS, &priority, sizeof(priority))) /* SO_PRIORITY doesn't seem to work */ - logger(LOG_ERR, "System call `%s' failed: %s", "setsockopt", strerror(errno)); - } + case AF_INET: + ifdebug(TRAFFIC) logger(LOG_DEBUG, "Setting IPv4 outgoing packet priority to %d", origpriority); + if(setsockopt(listen_socket[n->sock].udp, SOL_IP, IP_TOS, &origpriority, sizeof(origpriority))) /* SO_PRIORITY doesn't seem to work */ + logger(LOG_ERR, "System call `%s' failed: %s", "setsockopt", strerror(errno)); + break; #endif +#if defined(IPPROTO_IPV6) && defined(IPV6_TCLASS) + case AF_INET6: + ifdebug(TRAFFIC) logger(LOG_DEBUG, "Setting IPv6 outgoing packet priority to %d", origpriority); + if(setsockopt(listen_socket[n->sock].udp, IPPROTO_IPV6, IPV6_TCLASS, &origpriority, sizeof(origpriority))) + logger(LOG_ERR, "System call `%s' failed: %s", "setsockopt", strerror(errno)); + break; +#endif + default: + break; + } + } if(sendto(listen_socket[sock].udp, (char *) &inpkt->seqno, inpkt->len, 0, sa, sl) < 0 && !sockwouldblock(sockerrno)) { if(sockmsgsize(sockerrno)) { @@ -537,7 +575,7 @@ static void send_udppacket(node_t *n, vpn_packet_t *origpkt) { if(n->mtu >= origlen) n->mtu = origlen - 1; } else - logger(LOG_ERR, "Error sending packet to %s (%s): %s", n->name, n->hostname, sockstrerror(sockerrno)); + ifdebug(TRAFFIC) logger(LOG_WARNING, "Error sending packet to %s (%s): %s", n->name, n->hostname, sockstrerror(sockerrno)); } end: @@ -584,24 +622,50 @@ void send_packet(const node_t *n, vpn_packet_t *packet) { void broadcast_packet(const node_t *from, vpn_packet_t *packet) { avl_node_t *node; connection_t *c; + node_t *n; + + // Always give ourself a copy of the packet. + if(from != myself) + send_packet(myself, packet); + + // In TunnelServer mode, do not forward broadcast packets. + // The MST might not be valid and create loops. + if(tunnelserver || broadcast_mode == BMODE_NONE) + return; ifdebug(TRAFFIC) logger(LOG_INFO, "Broadcasting packet of %d bytes from %s (%s)", packet->len, from->name, from->hostname); - if(from != myself) { - send_packet(myself, packet); + switch(broadcast_mode) { + // In MST mode, broadcast packets travel via the Minimum Spanning Tree. + // This guarantees all nodes receive the broadcast packet, and + // usually distributes the sending of broadcast packets over all nodes. + case BMODE_MST: + for(node = connection_tree->head; node; node = node->next) { + c = node->data; - // In TunnelServer mode, do not forward broadcast packets. - // The MST might not be valid and create loops. - if(tunnelserver) - return; - } + if(c->status.active && c->status.mst && c != from->nexthop->connection) + send_packet(c->node, packet); + } + break; - for(node = connection_tree->head; node; node = node->next) { - c = node->data; + // In direct mode, we send copies to each node we know of. + // However, this only reaches nodes that can be reached in a single hop. + // We don't have enough information to forward broadcast packets in this case. + case BMODE_DIRECT: + if(from != myself) + break; + + for(node = node_udp_tree->head; node; node = node->next) { + n = node->data; + + if(n->status.reachable && n != myself && ((n->via == myself && n->nexthop == n) || n->via == n)) + send_packet(n, packet); + } + break; - if(c->status.active && c->status.mst && c != from->nexthop->connection) - send_packet(c->node, packet); + default: + break; } } @@ -609,7 +673,6 @@ static node_t *try_harder(const sockaddr_t *from, const vpn_packet_t *pkt) { avl_node_t *node; edge_t *e; node_t *n = NULL; - bool hard = false; static time_t last_hard_try = 0; for(node = edge_weight_tree->head; node; node = node->next) { @@ -618,11 +681,8 @@ static node_t *try_harder(const sockaddr_t *from, const vpn_packet_t *pkt) { if(e->to == myself) continue; - if(sockaddrcmp_noport(from, &e->address)) { - if(last_hard_try == now) - continue; - hard = true; - } + if(last_hard_try == now && sockaddrcmp_noport(from, &e->address)) + continue; if(!try_mac(e->to, pkt)) continue; @@ -631,9 +691,6 @@ static node_t *try_harder(const sockaddr_t *from, const vpn_packet_t *pkt) { break; } - if(hard) - last_hard_try = now; - last_hard_try = now; return n; }