X-Git-Url: https://www.tinc-vpn.org/git/browse?a=blobdiff_plain;f=src%2Fnet_packet.c;h=4bbb2d6f16e560bd5911addf946b8ca379d713fc;hb=b811e980e3a2a301c019459b91df2252468fd572;hp=c0be8c4de2f074538041c03d89639025403e0927;hpb=eef25266cb862b5e2c24450d158d99e3cb43e511;p=tinc

diff --git a/src/net_packet.c b/src/net_packet.c
index c0be8c4d..4bbb2d6f 100644
--- a/src/net_packet.c
+++ b/src/net_packet.c
@@ -1,7 +1,7 @@
 /*
     net_packet.c -- Handles in- and outgoing VPN packets
     Copyright (C) 1998-2005 Ivo Timmermans,
-                  2000-2012 Guus Sliepen <guus@tinc-vpn.org>
+                  2000-2013 Guus Sliepen <guus@tinc-vpn.org>
                   2010      Timothy Redaelli <timothy@redaelli.eu>
                   2010      Brandon Black <blblack@gmail.com>
 
@@ -22,12 +22,6 @@
 
 #include "system.h"
 
-#include <openssl/rand.h>
-#include <openssl/err.h>
-#include <openssl/evp.h>
-#include <openssl/pem.h>
-#include <openssl/hmac.h>
-
 #ifdef HAVE_ZLIB
 #include <zlib.h>
 #endif
@@ -62,6 +56,7 @@ static void send_udppacket(node_t *, vpn_packet_t *);
 
 unsigned replaywin = 16;
 bool localdiscovery = false;
+sockaddr_t localdiscovery_address;
 
 #define MAX_SEQNO 1073741824
 
@@ -70,11 +65,15 @@ bool localdiscovery = false;
    mtuprobes ==    32: send 1 burst, sleep pingtimeout second
    mtuprobes ==    33: no response from other side, restart PMTU discovery process
 
-   Probes are sent in batches of three, with random sizes between the lower and
-   upper boundaries for the MTU thus far discovered.
+   Probes are sent in batches of at least three, with random sizes between the
+   lower and upper boundaries for the MTU thus far discovered.
+
+   After the initial discovery, a fourth packet is added to each batch with a
+   size larger than the currently known PMTU, to test if the PMTU has increased.
 
-   In case local discovery is enabled, a fourth packet is added to each batch,
+   In case local discovery is enabled, another packet is added to each batch,
    which will be broadcast to the local network.
+
 */
 
 static void send_mtu_probe_handler(void *data) {
@@ -125,13 +124,18 @@ static void send_mtu_probe_handler(void *data) {
 		timeout = pingtimeout;
 	}
 
-	for(int i = 0; i < 3 + localdiscovery; i++) {
+	for(int i = 0; i < 4 + localdiscovery; i++) {
 		int len;
 
-		if(n->maxmtu <= n->minmtu)
+		if(i == 0) {
+			if(n->mtuprobes < 30 || n->maxmtu + 8 >= MTU)
+				continue;
+			len = n->maxmtu + 8;
+		} else if(n->maxmtu <= n->minmtu) {
 			len = n->maxmtu;
-		else
+		} else {
 			len = n->minmtu + 1 + rand() % (n->maxmtu - n->minmtu);
+		}
 
 		if(len < 64)
 			len = 64;
@@ -140,7 +144,7 @@ static void send_mtu_probe_handler(void *data) {
 		memset(packet.data, 0, 14);
 		randomize(packet.data + 14, len - 14);
 		packet.len = len;
-		if(i >= 3 && n->mtuprobes <= 10)
+		if(i >= 4 && n->mtuprobes <= 10)
 			packet.priority = -1;
 		else
 			packet.priority = 0;
@@ -150,6 +154,21 @@ static void send_mtu_probe_handler(void *data) {
 		send_udppacket(n, &packet);
 	}
 
+	n->probe_counter = 0;
+	gettimeofday(&n->probe_time, NULL);
+
+	/* Calculate the packet loss of incoming traffic by comparing the rate of
+	   packets received to the rate with which the sequence number has increased.
+	 */
+
+	if(n->received > n->prev_received)
+		n->packetloss = 1.0 - (n->received - n->prev_received) / (float)(n->received_seqno - n->prev_received_seqno);
+	else
+		n->packetloss = n->received_seqno <= n->prev_received_seqno;
+
+	n->prev_received_seqno = n->received_seqno;
+	n->prev_received = n->received;
+
 end:
 	timeout_set(&n->mtutimeout, &(struct timeval){timeout, rand() % 100000});
 }
@@ -184,6 +203,13 @@ static void mtu_probe_h(node_t *n, vpn_packet_t *packet, length_t len) {
 		/* If we haven't established the PMTU yet, restart the discovery process. */
 
 		if(n->mtuprobes > 30) {
+			if (len == n->maxmtu + 8) {
+				logger(DEBUG_TRAFFIC, LOG_INFO, "Increase in PMTU to %s (%s) detected, restarting PMTU discovery", n->name, n->hostname);
+				n->maxmtu = MTU;
+				n->mtuprobes = 10;
+				return;
+			}
+
 			if(n->minmtu)
 				n->mtuprobes = 30;
 			else
@@ -196,6 +222,25 @@ static void mtu_probe_h(node_t *n, vpn_packet_t *packet, length_t len) {
 			len = n->maxmtu;
 		if(n->minmtu < len)
 			n->minmtu = len;
+
+		/* Calculate RTT and bandwidth.
+		   The RTT is the time between the MTU probe burst was sent and the first
+		   reply is received. The bandwidth is measured using the time between the
+		   arrival of the first and third probe reply.
+		 */
+
+		struct timeval now, diff;
+		gettimeofday(&now, NULL);
+		timersub(&now, &n->probe_time, &diff);
+		n->probe_counter++;
+
+		if(n->probe_counter == 1) {
+			n->rtt = diff.tv_sec + diff.tv_usec * 1e-6;
+			n->probe_time = now;
+		} else if(n->probe_counter == 3) {
+			n->bandwidth = 2.0 * len / (diff.tv_sec + diff.tv_usec * 1e-6);
+			logger(DEBUG_TRAFFIC, LOG_DEBUG, "%s (%s) RTT %.2f ms, burst bandwidth %.3f Mbit/s, rx packet loss %.2f %%", n->name, n->hostname, n->rtt * 1e3, n->bandwidth * 8e-6, n->packetloss * 1e2);
+		}
 	}
 }
 
@@ -274,10 +319,10 @@ static bool try_mac(node_t *n, const vpn_packet_t *inpkt) {
 	if(n->status.sptps)
 		return sptps_verify_datagram(&n->sptps, (char *)&inpkt->seqno, inpkt->len);
 
-	if(!digest_active(&n->indigest) || inpkt->len < sizeof inpkt->seqno + digest_length(&n->indigest))
+	if(!digest_active(n->indigest) || inpkt->len < sizeof inpkt->seqno + digest_length(n->indigest))
 		return false;
 
-	return digest_verify(&n->indigest, &inpkt->seqno, inpkt->len - n->indigest.maclength, (const char *)&inpkt->seqno + inpkt->len - n->indigest.maclength);
+	return digest_verify(n->indigest, &inpkt->seqno, inpkt->len - digest_length(n->indigest), (const char *)&inpkt->seqno + inpkt->len - digest_length(n->indigest));
 }
 
 static void receive_udppacket(node_t *n, vpn_packet_t *inpkt) {
@@ -288,19 +333,27 @@ static void receive_udppacket(node_t *n, vpn_packet_t *inpkt) {
 	size_t outlen;
 
 	if(n->status.sptps) {
+		if(!n->sptps.state) {
+			if(!n->status.waitingforkey) {
+				logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got packet from %s (%s) but we haven't exchanged keys yet", n->name, n->hostname);
+				send_req_key(n);
+			} else {
+				logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got packet from %s (%s) but he hasn't got our key yet", n->name, n->hostname);
+			}
+			return;
+		}
 		sptps_receive_data(&n->sptps, (char *)&inpkt->seqno, inpkt->len);
 		return;
 	}
 
-	if(!cipher_active(&n->incipher)) {
-		logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got packet from %s (%s) but he hasn't got our key yet",
-					n->name, n->hostname);
+	if(!cipher_active(n->incipher)) {
+		logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got packet from %s (%s) but he hasn't got our key yet", n->name, n->hostname);
 		return;
 	}
 
 	/* Check packet length */
 
-	if(inpkt->len < sizeof inpkt->seqno + digest_length(&n->indigest)) {
+	if(inpkt->len < sizeof inpkt->seqno + digest_length(n->indigest)) {
 		logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got too short packet from %s (%s)",
 					n->name, n->hostname);
 		return;
@@ -308,20 +361,20 @@ static void receive_udppacket(node_t *n, vpn_packet_t *inpkt) {
 
 	/* Check the message authentication code */
 
-	if(digest_active(&n->indigest)) {
-		inpkt->len -= n->indigest.maclength;
-		if(!digest_verify(&n->indigest, &inpkt->seqno, inpkt->len, (const char *)&inpkt->seqno + inpkt->len)) {
+	if(digest_active(n->indigest)) {
+		inpkt->len -= digest_length(n->indigest);
+		if(!digest_verify(n->indigest, &inpkt->seqno, inpkt->len, (const char *)&inpkt->seqno + inpkt->len)) {
 			logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got unauthenticated packet from %s (%s)", n->name, n->hostname);
 			return;
 		}
 	}
 	/* Decrypt the packet */
 
-	if(cipher_active(&n->incipher)) {
+	if(cipher_active(n->incipher)) {
 		outpkt = pkt[nextpkt++];
 		outlen = MAXSIZE;
 
-		if(!cipher_decrypt(&n->incipher, &inpkt->seqno, inpkt->len, &outpkt->seqno, &outlen, true)) {
+		if(!cipher_decrypt(n->incipher, &inpkt->seqno, inpkt->len, &outpkt->seqno, &outlen, true)) {
 			logger(DEBUG_TRAFFIC, LOG_DEBUG, "Error decrypting packet from %s (%s)", n->name, n->hostname);
 			return;
 		}
@@ -399,6 +452,9 @@ static void receive_udppacket(node_t *n, vpn_packet_t *inpkt) {
 void receive_tcppacket(connection_t *c, const char *buffer, int len) {
 	vpn_packet_t outpkt;
 
+	if(len > sizeof outpkt.data)
+		return;
+
 	outpkt.len = len;
 	if(c->options & OPTION_TCPONLY)
 		outpkt.priority = 0;
@@ -414,7 +470,7 @@ static void send_sptps_packet(node_t *n, vpn_packet_t *origpkt) {
 		logger(DEBUG_TRAFFIC, LOG_INFO, "No valid key known yet for %s (%s)", n->name, n->hostname);
 		if(!n->status.waitingforkey)
 			send_req_key(n);
-		else if(n->last_req_key + 10 < time(NULL)) {
+		else if(n->last_req_key + 10 < now.tv_sec) {
 			logger(DEBUG_ALWAYS, LOG_DEBUG, "No key from %s after 10 seconds, restarting SPTPS", n->name);
 			sptps_stop(&n->sptps);
 			n->status.waitingforkey = false;
@@ -525,12 +581,22 @@ static void choose_broadcast_address(const node_t *n, const sockaddr_t **sa, int
 	*sock = rand() % listen_sockets;
 
 	if(listen_socket[*sock].sa.sa.sa_family == AF_INET6) {
-		broadcast_ipv6.in6.sin6_port = n->prevedge->address.in.sin_port;
-		broadcast_ipv6.in6.sin6_scope_id = listen_socket[*sock].sa.in6.sin6_scope_id;
-		*sa = &broadcast_ipv6;
+		if(localdiscovery_address.sa.sa_family == AF_INET6) {
+			localdiscovery_address.in6.sin6_port = n->prevedge->address.in.sin_port;
+			*sa = &localdiscovery_address;
+		} else {
+			broadcast_ipv6.in6.sin6_port = n->prevedge->address.in.sin_port;
+			broadcast_ipv6.in6.sin6_scope_id = listen_socket[*sock].sa.in6.sin6_scope_id;
+			*sa = &broadcast_ipv6;
+		}
 	} else {
-		broadcast_ipv4.in.sin_port = n->prevedge->address.in.sin_port;
-		*sa = &broadcast_ipv4;
+		if(localdiscovery_address.sa.sa_family == AF_INET) {
+			localdiscovery_address.in.sin_port = n->prevedge->address.in.sin_port;
+			*sa = &localdiscovery_address;
+		} else {
+			broadcast_ipv4.in.sin_port = n->prevedge->address.in.sin_port;
+			*sa = &broadcast_ipv4;
+		}
 	}
 }
 
@@ -606,11 +672,11 @@ static void send_udppacket(node_t *n, vpn_packet_t *origpkt) {
 
 	/* Encrypt the packet */
 
-	if(cipher_active(&n->outcipher)) {
+	if(cipher_active(n->outcipher)) {
 		outpkt = pkt[nextpkt++];
 		outlen = MAXSIZE;
 
-		if(!cipher_encrypt(&n->outcipher, &inpkt->seqno, inpkt->len, &outpkt->seqno, &outlen, true)) {
+		if(!cipher_encrypt(n->outcipher, &inpkt->seqno, inpkt->len, &outpkt->seqno, &outlen, true)) {
 			logger(DEBUG_TRAFFIC, LOG_ERR, "Error while encrypting packet to %s (%s)", n->name, n->hostname);
 			goto end;
 		}
@@ -621,9 +687,13 @@ static void send_udppacket(node_t *n, vpn_packet_t *origpkt) {
 
 	/* Add the message authentication code */
 
-	if(digest_active(&n->outdigest)) {
-		digest_create(&n->outdigest, &inpkt->seqno, inpkt->len, (char *)&inpkt->seqno + inpkt->len);
-		inpkt->len += digest_length(&n->outdigest);
+	if(digest_active(n->outdigest)) {
+		if(!digest_create(n->outdigest, &inpkt->seqno, inpkt->len, (char *)&inpkt->seqno + inpkt->len)) {
+			logger(DEBUG_TRAFFIC, LOG_ERR, "Error while encrypting packet to %s (%s)", n->name, n->hostname);
+			goto end;
+		}
+
+		inpkt->len += digest_length(n->outdigest);
 	}
 
 	/* Send the packet */