X-Git-Url: https://www.tinc-vpn.org/git/browse?p=tinc;a=blobdiff_plain;f=src%2Fnet_packet.c;h=544bbde775024a951d85525571406ca6ce0657c6;hp=ae5a8402a7af159ad3873b877854c2b286a0c485;hb=78fc59e994c764d072bf0045177f690a378d1308;hpb=56aad1bb486675ff9aba31418708cc179eea0381 diff --git a/src/net_packet.c b/src/net_packet.c index ae5a8402..544bbde7 100644 --- a/src/net_packet.c +++ b/src/net_packet.c @@ -1,7 +1,7 @@ /* net_packet.c -- Handles in- and outgoing VPN packets - Copyright (C) 1998-2003 Ivo Timmermans , - 2000-2003 Guus Sliepen + Copyright (C) 1998-2005 Ivo Timmermans, + 2000-2009 Guus Sliepen This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -17,7 +17,7 @@ along with this program; if not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. - $Id: net_packet.c,v 1.1.2.49 2003/12/27 16:32:52 guus Exp $ + $Id$ */ #include "system.h" @@ -29,7 +29,7 @@ #include #include -#include +#include LZO1X_H #include "avl_tree.h" #include "conf.h" @@ -54,7 +54,6 @@ int keylifetime = 0; int keyexpires = 0; -bool strictsource = true; EVP_CIPHER_CTX packet_ctx; static char lzo_wrkmem[LZO1X_999_MEM_COMPRESS > LZO1X_1_MEM_COMPRESS ? LZO1X_999_MEM_COMPRESS : LZO1X_1_MEM_COMPRESS]; @@ -91,13 +90,14 @@ void send_mtu_probe(node_t *n) memset(packet.data, 0, 14); RAND_pseudo_bytes(packet.data + 14, len - 14); packet.len = len; + packet.priority = 0; ifdebug(TRAFFIC) logger(LOG_INFO, _("Sending MTU probe length %d to %s (%s)"), len, n->name, n->hostname); send_udppacket(n, &packet); } - n->mtuevent = xmalloc(sizeof(*n->mtuevent)); + n->mtuevent = new_event(); n->mtuevent->handler = (event_handler_t)send_mtu_probe; n->mtuevent->data = n; n->mtuevent->time = now + 1; @@ -168,25 +168,6 @@ static void receive_packet(node_t *n, vpn_packet_t *packet) route(n, packet); } -static bool authenticate_udppacket(node_t *n, vpn_packet_t *inpkt) { - char hmac[EVP_MAX_MD_SIZE]; - - if(inpkt->len < sizeof(inpkt->seqno) + (myself->digest ? myself->maclength : 0)) - return false; - - /* Check the message authentication code */ - - if(myself->digest && myself->maclength) { - HMAC(myself->digest, myself->key, myself->keylength, - (char *) &inpkt->seqno, inpkt->len - myself->maclength, hmac, NULL); - - if(memcmp(hmac, (char *) &inpkt->seqno + inpkt->len - myself->maclength, myself->maclength)) - return false; - } - - return true; -} - static void receive_udppacket(node_t *n, vpn_packet_t *inpkt) { vpn_packet_t pkt1, pkt2; @@ -194,17 +175,32 @@ static void receive_udppacket(node_t *n, vpn_packet_t *inpkt) int nextpkt = 0; vpn_packet_t *outpkt = pkt[0]; int outlen, outpad; + unsigned char hmac[EVP_MAX_MD_SIZE]; int i; cp(); - if(!authenticate_udppacket(n, inpkt)) { - ifdebug(TRAFFIC) logger(LOG_DEBUG, _("Got unauthenticated packet from %s (%s)"), - n->name, n->hostname); + /* Check packet length */ + + if(inpkt->len < sizeof(inpkt->seqno) + myself->maclength) { + ifdebug(TRAFFIC) logger(LOG_DEBUG, _("Got too short packet from %s (%s)"), + n->name, n->hostname); return; } - inpkt->len -= myself->digest ? myself->maclength : 0; + /* Check the message authentication code */ + + if(myself->digest && myself->maclength) { + inpkt->len -= myself->maclength; + HMAC(myself->digest, myself->key, myself->keylength, + (unsigned char *) &inpkt->seqno, inpkt->len, (unsigned char *)hmac, NULL); + + if(memcmp(hmac, (char *) &inpkt->seqno + inpkt->len, myself->maclength)) { + ifdebug(TRAFFIC) logger(LOG_DEBUG, _("Got unauthenticated packet from %s (%s)"), + n->name, n->hostname); + return; + } + } /* Decrypt the packet */ @@ -212,9 +208,9 @@ static void receive_udppacket(node_t *n, vpn_packet_t *inpkt) outpkt = pkt[nextpkt++]; if(!EVP_DecryptInit_ex(&packet_ctx, NULL, NULL, NULL, NULL) - || !EVP_DecryptUpdate(&packet_ctx, (char *) &outpkt->seqno, &outlen, - (char *) &inpkt->seqno, inpkt->len) - || !EVP_DecryptFinal_ex(&packet_ctx, (char *) &outpkt->seqno + outlen, &outpad)) { + || !EVP_DecryptUpdate(&packet_ctx, (unsigned char *) &outpkt->seqno, &outlen, + (unsigned char *) &inpkt->seqno, inpkt->len) + || !EVP_DecryptFinal_ex(&packet_ctx, (unsigned char *) &outpkt->seqno + outlen, &outpad)) { ifdebug(TRAFFIC) logger(LOG_DEBUG, _("Error decrypting packet from %s (%s): %s"), n->name, n->hostname, ERR_error_string(ERR_get_error(), NULL)); return; @@ -236,17 +232,21 @@ static void receive_udppacket(node_t *n, vpn_packet_t *inpkt) memset(n->late, 0, sizeof(n->late)); } else if (inpkt->seqno <= n->received_seqno) { - if(inpkt->seqno <= n->received_seqno - sizeof(n->late) * 8 || !(n->late[(inpkt->seqno / 8) % sizeof(n->late)] & (1 << inpkt->seqno % 8))) { + if((n->received_seqno >= sizeof(n->late) * 8 && inpkt->seqno <= n->received_seqno - sizeof(n->late) * 8) || !(n->late[(inpkt->seqno / 8) % sizeof(n->late)] & (1 << inpkt->seqno % 8))) { logger(LOG_WARNING, _("Got late or replayed packet from %s (%s), seqno %d, last received %d"), n->name, n->hostname, inpkt->seqno, n->received_seqno); - } else - for(i = n->received_seqno + 1; i < inpkt->seqno; i++) - n->late[(inpkt->seqno / 8) % sizeof(n->late)] |= 1 << i % 8; + return; + } + } else { + for(i = n->received_seqno + 1; i < inpkt->seqno; i++) + n->late[(i / 8) % sizeof(n->late)] |= 1 << i % 8; } } - n->received_seqno = inpkt->seqno; - n->late[(n->received_seqno / 8) % sizeof(n->late)] &= ~(1 << n->received_seqno % 8); + n->late[(inpkt->seqno / 8) % sizeof(n->late)] &= ~(1 << inpkt->seqno % 8); + + if(inpkt->seqno > n->received_seqno) + n->received_seqno = inpkt->seqno; if(n->received_seqno > MAX_SEQNO) keyexpires = 0; @@ -265,6 +265,8 @@ static void receive_udppacket(node_t *n, vpn_packet_t *inpkt) inpkt = outpkt; } + inpkt->priority = 0; + if(n->connection) n->connection->last_ping_time = now; @@ -281,20 +283,24 @@ void receive_tcppacket(connection_t *c, char *buffer, int len) cp(); outpkt.len = len; + if(c->options & OPTION_TCPONLY) + outpkt.priority = 0; + else + outpkt.priority = -1; memcpy(outpkt.data, buffer, len); receive_packet(c->node, &outpkt); } -static void send_udppacket(node_t *n, vpn_packet_t *inpkt) +static void send_udppacket(node_t *n, vpn_packet_t *origpkt) { vpn_packet_t pkt1, pkt2; vpn_packet_t *pkt[] = { &pkt1, &pkt2, &pkt1, &pkt2 }; + vpn_packet_t *inpkt = origpkt; int nextpkt = 0; vpn_packet_t *outpkt; int origlen; int outlen, outpad; - vpn_packet_t *copy; static int priority = 0; int origpriority; int sock; @@ -305,26 +311,27 @@ static void send_udppacket(node_t *n, vpn_packet_t *inpkt) if(!n->status.validkey) { ifdebug(TRAFFIC) logger(LOG_INFO, - _("No valid key known yet for %s (%s), queueing packet"), + _("No valid key known yet for %s (%s), forwarding via TCP"), n->name, n->hostname); - /* Since packet is on the stack of handle_tap_input(), we have to make a copy of it first. */ - - *(copy = xmalloc(sizeof(*copy))) = *inpkt; - - list_insert_tail(n->queue, copy); - - if(n->queue->count > MAXQUEUELENGTH) - list_delete_head(n->queue); - if(!n->status.waitingforkey) send_req_key(n->nexthop->connection, myself, n); n->status.waitingforkey = true; + send_tcppacket(n->nexthop->connection, origpkt); + return; } + if(!n->minmtu && (inpkt->data[12] | inpkt->data[13])) { + ifdebug(TRAFFIC) logger(LOG_INFO, + _("No minimum MTU established yet for %s (%s), forwarding via TCP"), + n->name, n->hostname); + + send_tcppacket(n->nexthop->connection, origpkt); + } + origlen = inpkt->len; origpriority = inpkt->priority; @@ -353,9 +360,9 @@ static void send_udppacket(node_t *n, vpn_packet_t *inpkt) outpkt = pkt[nextpkt++]; if(!EVP_EncryptInit_ex(&n->packet_ctx, NULL, NULL, NULL, NULL) - || !EVP_EncryptUpdate(&n->packet_ctx, (char *) &outpkt->seqno, &outlen, - (char *) &inpkt->seqno, inpkt->len) - || !EVP_EncryptFinal_ex(&n->packet_ctx, (char *) &outpkt->seqno + outlen, &outpad)) { + || !EVP_EncryptUpdate(&n->packet_ctx, (unsigned char *) &outpkt->seqno, &outlen, + (unsigned char *) &inpkt->seqno, inpkt->len) + || !EVP_EncryptFinal_ex(&n->packet_ctx, (unsigned char *) &outpkt->seqno + outlen, &outpad)) { ifdebug(TRAFFIC) logger(LOG_ERR, _("Error while encrypting packet to %s (%s): %s"), n->name, n->hostname, ERR_error_string(ERR_get_error(), NULL)); goto end; @@ -368,8 +375,8 @@ static void send_udppacket(node_t *n, vpn_packet_t *inpkt) /* Add the message authentication code */ if(n->digest && n->maclength) { - HMAC(n->digest, n->key, n->keylength, (char *) &inpkt->seqno, - inpkt->len, (char *) &inpkt->seqno + inpkt->len, &outlen); + HMAC(n->digest, n->key, n->keylength, (unsigned char *) &inpkt->seqno, + inpkt->len, (unsigned char *) &inpkt->seqno + inpkt->len, NULL); inpkt->len += n->maclength; } @@ -405,7 +412,7 @@ static void send_udppacket(node_t *n, vpn_packet_t *inpkt) } end: - inpkt->len = origlen; + origpkt->len = origlen; } /* @@ -433,13 +440,13 @@ void send_packet(const node_t *n, vpn_packet_t *packet) return; } - via = (n->via == myself) ? n->nexthop : n->via; + via = (packet->priority == -1 || n->via == myself) ? n->nexthop : n->via; if(via != n) - ifdebug(TRAFFIC) logger(LOG_ERR, _("Sending packet to %s via %s (%s)"), + ifdebug(TRAFFIC) logger(LOG_INFO, _("Sending packet to %s via %s (%s)"), n->name, via->name, n->via->hostname); - if((myself->options | via->options) & OPTION_TCPONLY) { + if(packet->priority == -1 || ((myself->options | via->options) & OPTION_TCPONLY)) { if(!send_tcppacket(via->connection, packet)) terminate_connection(via->connection, true); } else @@ -458,6 +465,9 @@ void broadcast_packet(const node_t *from, vpn_packet_t *packet) ifdebug(TRAFFIC) logger(LOG_INFO, _("Broadcasting packet of %d bytes from %s (%s)"), packet->len, from->name, from->hostname); + if(from != myself) + send_packet(myself, packet); + for(node = connection_tree->head; node; node = node->next) { c = node->data; @@ -466,21 +476,6 @@ void broadcast_packet(const node_t *from, vpn_packet_t *packet) } } -void flush_queue(node_t *n) -{ - list_node_t *node, *next; - - cp(); - - ifdebug(TRAFFIC) logger(LOG_INFO, _("Flushing queue for %s (%s)"), n->name, n->hostname); - - for(node = n->queue->head; node; node = next) { - next = node->next; - send_udppacket(n, node->data); - list_delete_node(n->queue, node); - } -} - void handle_incoming_vpn_data(int sock) { vpn_packet_t pkt; @@ -488,7 +483,6 @@ void handle_incoming_vpn_data(int sock) sockaddr_t from; socklen_t fromlen = sizeof(from); node_t *n; - static time_t lasttime = 0; cp(); @@ -503,25 +497,10 @@ void handle_incoming_vpn_data(int sock) n = lookup_node_udp(&from); - if(!n && !strictsource && myself->digest && myself->maclength && lasttime != now) { - avl_node_t *node; - - lasttime = now; - - for(node = node_tree->head; node; node = node->next) { - n = node->data; - - if(authenticate_udppacket(n, &pkt)) { - update_node_address(n, &from); - logger(LOG_DEBUG, _("Updated address of node %s to %s"), n->name, n->hostname); - break; - } - } - } - if(!n) { hostname = sockaddr2hostname(&from); - logger(LOG_WARNING, _("Received UDP packet from unknown source %s"), hostname); + logger(LOG_WARNING, _("Received UDP packet from unknown source %s"), + hostname); free(hostname); return; }