/*
net_packet.c -- Handles in- and outgoing VPN packets
Copyright (C) 1998-2005 Ivo Timmermans,
- 2000-2006 Guus Sliepen <guus@tinc-vpn.org>
+ 2000-2009 Guus Sliepen <guus@tinc-vpn.org>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
#include "system.h"
-#include <openssl/rand.h>
-#include <openssl/err.h>
-#include <openssl/evp.h>
-#include <openssl/pem.h>
-#include <openssl/hmac.h>
-
#include <zlib.h>
#include LZO1X_H
#include "splay_tree.h"
+#include "cipher.h"
#include "conf.h"
#include "connection.h"
+#include "crypto.h"
+#include "digest.h"
#include "device.h"
#include "ethernet.h"
#include "graph.h"
#endif
int keylifetime = 0;
-EVP_CIPHER_CTX packet_ctx;
static char lzo_wrkmem[LZO1X_999_MEM_COMPRESS > LZO1X_1_MEM_COMPRESS ? LZO1X_999_MEM_COMPRESS : LZO1X_1_MEM_COMPRESS];
static void send_udppacket(node_t *, vpn_packet_t *);
len = 64;
memset(packet.data, 0, 14);
- RAND_pseudo_bytes(packet.data + 14, len - 14);
+ randomize(packet.data + 14, len - 14);
packet.len = len;
+ packet.priority = 0;
ifdebug(TRAFFIC) logger(LOG_INFO, _("Sending MTU probe length %d to %s (%s)"), len, n->name, n->hostname);
vpn_packet_t *pkt[] = { &pkt1, &pkt2, &pkt1, &pkt2 };
int nextpkt = 0;
vpn_packet_t *outpkt = pkt[0];
- int outlen, outpad;
- unsigned char hmac[EVP_MAX_MD_SIZE];
+ size_t outlen;
int i;
cp();
/* Check packet length */
- if(inpkt->len < sizeof(inpkt->seqno) + myself->maclength) {
+ if(inpkt->len < sizeof inpkt->seqno + digest_length(&myself->digest)) {
ifdebug(TRAFFIC) logger(LOG_DEBUG, _("Got too short packet from %s (%s)"),
n->name, n->hostname);
return;
/* Check the message authentication code */
- if(myself->digest && myself->maclength) {
- inpkt->len -= myself->maclength;
- HMAC(myself->digest, myself->key, myself->keylength,
- (unsigned char *) &inpkt->seqno, inpkt->len, (unsigned char *)hmac, NULL);
-
- if(memcmp(hmac, (char *) &inpkt->seqno + inpkt->len, myself->maclength)) {
- ifdebug(TRAFFIC) logger(LOG_DEBUG, _("Got unauthenticated packet from %s (%s)"),
- n->name, n->hostname);
- return;
- }
+ if(digest_active(&myself->digest) && !digest_verify(&myself->digest, &inpkt->seqno, inpkt->len, &inpkt->seqno + inpkt->len)) {
+ ifdebug(TRAFFIC) logger(LOG_DEBUG, _("Got unauthenticated packet from %s (%s)"), n->name, n->hostname);
+ return;
}
/* Decrypt the packet */
- if(myself->cipher) {
+ if(cipher_active(&myself->cipher)) {
outpkt = pkt[nextpkt++];
+ outlen = MAXSIZE;
- if(!EVP_DecryptInit_ex(&packet_ctx, NULL, NULL, NULL, NULL)
- || !EVP_DecryptUpdate(&packet_ctx, (unsigned char *) &outpkt->seqno, &outlen,
- (unsigned char *) &inpkt->seqno, inpkt->len)
- || !EVP_DecryptFinal_ex(&packet_ctx, (unsigned char *) &outpkt->seqno + outlen, &outpad)) {
- ifdebug(TRAFFIC) logger(LOG_DEBUG, _("Error decrypting packet from %s (%s): %s"),
- n->name, n->hostname, ERR_error_string(ERR_get_error(), NULL));
+ if(!cipher_decrypt(&myself->cipher, &inpkt->seqno, inpkt->len, &outpkt->seqno, &outlen, true)) {
+ ifdebug(TRAFFIC) logger(LOG_DEBUG, _("Error decrypting packet from %s (%s)"), n->name, n->hostname);
return;
}
- outpkt->len = outlen + outpad;
+ outpkt->len = outlen;
inpkt = outpkt;
}
/* Check the sequence number */
- inpkt->len -= sizeof(inpkt->seqno);
+ inpkt->len -= sizeof inpkt->seqno;
inpkt->seqno = ntohl(inpkt->seqno);
if(inpkt->seqno != n->received_seqno + 1) {
- if(inpkt->seqno >= n->received_seqno + sizeof(n->late) * 8) {
+ if(inpkt->seqno >= n->received_seqno + sizeof n->late * 8) {
logger(LOG_WARNING, _("Lost %d packets from %s (%s)"),
inpkt->seqno - n->received_seqno - 1, n->name, n->hostname);
- memset(n->late, 0, sizeof(n->late));
+ memset(n->late, 0, sizeof n->late);
} else if (inpkt->seqno <= n->received_seqno) {
- if((n->received_seqno >= sizeof(n->late) * 8 && inpkt->seqno <= n->received_seqno - sizeof(n->late) * 8) || !(n->late[(inpkt->seqno / 8) % sizeof(n->late)] & (1 << inpkt->seqno % 8))) {
+ if((n->received_seqno >= sizeof n->late * 8 && inpkt->seqno <= n->received_seqno - sizeof n->late * 8) || !(n->late[(inpkt->seqno / 8) % sizeof n->late] & (1 << inpkt->seqno % 8))) {
logger(LOG_WARNING, _("Got late or replayed packet from %s (%s), seqno %d, last received %d"),
n->name, n->hostname, inpkt->seqno, n->received_seqno);
return;
}
} else {
for(i = n->received_seqno + 1; i < inpkt->seqno; i++)
- n->late[(i / 8) % sizeof(n->late)] |= 1 << i % 8;
+ n->late[(i / 8) % sizeof n->late] |= 1 << i % 8;
}
}
- n->late[(inpkt->seqno / 8) % sizeof(n->late)] &= ~(1 << inpkt->seqno % 8);
+ n->late[(inpkt->seqno / 8) % sizeof n->late] &= ~(1 << inpkt->seqno % 8);
if(inpkt->seqno > n->received_seqno)
n->received_seqno = inpkt->seqno;
inpkt = outpkt;
}
+ inpkt->priority = 0;
+
if(!inpkt->data[12] && !inpkt->data[13])
mtu_probe_h(n, inpkt);
else
cp();
outpkt.len = len;
+ if(c->options & OPTION_TCPONLY)
+ outpkt.priority = 0;
+ else
+ outpkt.priority = -1;
memcpy(outpkt.data, buffer, len);
receive_packet(c->node, &outpkt);
int nextpkt = 0;
vpn_packet_t *outpkt;
int origlen;
- int outlen, outpad;
- vpn_packet_t *copy;
+ size_t outlen;
static int priority = 0;
int origpriority;
int sock;
if(!n->status.validkey) {
ifdebug(TRAFFIC) logger(LOG_INFO,
- _("No valid key known yet for %s (%s), queueing packet"),
+ _("No valid key known yet for %s (%s), forwarding via TCP"),
n->name, n->hostname);
- /* Since packet is on the stack of handle_tap_input(), we have to make a copy of it first. */
-
- *(copy = xmalloc(sizeof(*copy))) = *inpkt;
-
- list_insert_tail(n->queue, copy);
-
- if(n->queue->count > MAXQUEUELENGTH)
- list_delete_head(n->queue);
-
if(!n->status.waitingforkey)
send_req_key(n->nexthop->connection, myself, n);
n->status.waitingforkey = true;
+ send_tcppacket(n->nexthop->connection, origpkt);
+
return;
}
+ if(!n->minmtu && (inpkt->data[12] | inpkt->data[13])) {
+ ifdebug(TRAFFIC) logger(LOG_INFO,
+ _("No minimum MTU established yet for %s (%s), forwarding via TCP"),
+ n->name, n->hostname);
+
+ send_tcppacket(n->nexthop->connection, origpkt);
+ }
+
origlen = inpkt->len;
origpriority = inpkt->priority;
/* Add sequence number */
inpkt->seqno = htonl(++(n->sent_seqno));
- inpkt->len += sizeof(inpkt->seqno);
+ inpkt->len += sizeof inpkt->seqno;
/* Encrypt the packet */
- if(n->cipher) {
+ if(cipher_active(&n->cipher)) {
outpkt = pkt[nextpkt++];
+ outlen = MAXSIZE;
- if(!EVP_EncryptInit_ex(&n->packet_ctx, NULL, NULL, NULL, NULL)
- || !EVP_EncryptUpdate(&n->packet_ctx, (unsigned char *) &outpkt->seqno, &outlen,
- (unsigned char *) &inpkt->seqno, inpkt->len)
- || !EVP_EncryptFinal_ex(&n->packet_ctx, (unsigned char *) &outpkt->seqno + outlen, &outpad)) {
- ifdebug(TRAFFIC) logger(LOG_ERR, _("Error while encrypting packet to %s (%s): %s"),
- n->name, n->hostname, ERR_error_string(ERR_get_error(), NULL));
+ if(!cipher_encrypt(&n->cipher, &inpkt->seqno, inpkt->len, &outpkt->seqno, &outlen, true)) {
+ ifdebug(TRAFFIC) logger(LOG_ERR, _("Error while encrypting packet to %s (%s)"), n->name, n->hostname);
goto end;
}
- outpkt->len = outlen + outpad;
+ outpkt->len = outlen;
inpkt = outpkt;
}
/* Add the message authentication code */
- if(n->digest && n->maclength) {
- HMAC(n->digest, n->key, n->keylength, (unsigned char *) &inpkt->seqno,
- inpkt->len, (unsigned char *) &inpkt->seqno + inpkt->len, NULL);
- inpkt->len += n->maclength;
+ if(digest_active(&n->digest)) {
+ digest_create(&n->digest, &inpkt->seqno, inpkt->len, &inpkt->seqno + inpkt->len);
+ inpkt->len += digest_length(&n->digest);
}
/* Determine which socket we have to use */
&& listen_socket[sock].sa.sa.sa_family == AF_INET) {
priority = origpriority;
ifdebug(TRAFFIC) logger(LOG_DEBUG, _("Setting outgoing packet priority to %d"), priority);
- if(setsockopt(listen_socket[sock].udp, SOL_IP, IP_TOS, &priority, sizeof(priority))) /* SO_PRIORITY doesn't seem to work */
+ if(setsockopt(listen_socket[sock].udp, SOL_IP, IP_TOS, &priority, sizeof priority)) /* SO_PRIORITY doesn't seem to work */
logger(LOG_ERR, _("System call `%s' failed: %s"), "setsockopt", strerror(errno));
}
#endif
return;
}
- via = (n->via == myself) ? n->nexthop : n->via;
+ via = (packet->priority == -1 || n->via == myself) ? n->nexthop : n->via;
if(via != n)
- ifdebug(TRAFFIC) logger(LOG_ERR, _("Sending packet to %s via %s (%s)"),
+ ifdebug(TRAFFIC) logger(LOG_INFO, _("Sending packet to %s via %s (%s)"),
n->name, via->name, n->via->hostname);
- if((myself->options | via->options) & OPTION_TCPONLY) {
+ if(packet->priority == -1 || ((myself->options | via->options) & OPTION_TCPONLY)) {
if(!send_tcppacket(via->connection, packet))
terminate_connection(via->connection, true);
} else
}
}
-void flush_queue(node_t *n) {
- list_node_t *node, *next;
-
- cp();
-
- ifdebug(TRAFFIC) logger(LOG_INFO, _("Flushing queue for %s (%s)"), n->name, n->hostname);
-
- for(node = n->queue->head; node; node = next) {
- next = node->next;
- send_udppacket(n, node->data);
- list_delete_node(n->queue, node);
- }
-}
-
-void handle_incoming_vpn_data(int sock, short events, void *data) {
+void handle_incoming_vpn_data(int sock, short events, void *data)
+{
vpn_packet_t pkt;
char *hostname;
sockaddr_t from;
- socklen_t fromlen = sizeof(from);
+ socklen_t fromlen = sizeof from;
node_t *n;
cp();