X-Git-Url: https://www.tinc-vpn.org/git/browse?p=tinc;a=blobdiff_plain;f=src%2Fnet_packet.c;h=ae5a8402a7af159ad3873b877854c2b286a0c485;hp=d2e9aa816c846a589fa575d1bf996a238b8b0623;hb=56aad1bb486675ff9aba31418708cc179eea0381;hpb=9bab08e972ae0ca4b904a659d9aed46aaa9b5dd5 diff --git a/src/net_packet.c b/src/net_packet.c index d2e9aa81..ae5a8402 100644 --- a/src/net_packet.c +++ b/src/net_packet.c @@ -17,7 +17,7 @@ along with this program; if not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. - $Id: net_packet.c,v 1.1.2.46 2003/12/20 21:09:33 guus Exp $ + $Id: net_packet.c,v 1.1.2.49 2003/12/27 16:32:52 guus Exp $ */ #include "system.h" @@ -35,6 +35,7 @@ #include "conf.h" #include "connection.h" #include "device.h" +#include "ethernet.h" #include "event.h" #include "graph.h" #include "list.h" @@ -47,8 +48,13 @@ #include "utils.h" #include "xalloc.h" +#ifdef WSAEMSGSIZE +#define EMSGSIZE WSAEMSGSIZE +#endif + int keylifetime = 0; int keyexpires = 0; +bool strictsource = true; EVP_CIPHER_CTX packet_ctx; static char lzo_wrkmem[LZO1X_999_MEM_COMPRESS > LZO1X_1_MEM_COMPRESS ? LZO1X_999_MEM_COMPRESS : LZO1X_1_MEM_COMPRESS]; @@ -64,20 +70,21 @@ void send_mtu_probe(node_t *n) cp(); n->mtuprobes++; + n->mtuevent = NULL; - if(n->mtuprobes >= 10 && !n->probedmtu) { + if(n->mtuprobes >= 10 && !n->minmtu) { ifdebug(TRAFFIC) logger(LOG_INFO, _("No response to MTU probes from %s (%s)"), n->name, n->hostname); return; } for(i = 0; i < 3; i++) { - if(n->mtuprobes >= 30 || n->probedmtu >= n->mtu) { - n->mtu = n->probedmtu; + if(n->mtuprobes >= 30 || n->minmtu >= n->maxmtu) { + n->mtu = n->minmtu; ifdebug(TRAFFIC) logger(LOG_INFO, _("Fixing MTU of %s (%s) to %d after %d probes"), n->name, n->hostname, n->mtu, n->mtuprobes); return; } - len = n->probedmtu + 1 + random() % (n->mtu - n->probedmtu); + len = n->minmtu + 1 + random() % (n->maxmtu - n->minmtu); if(len < 64) len = 64; @@ -104,8 +111,8 @@ void mtu_probe_h(node_t *n, vpn_packet_t *packet) { packet->data[0] = 1; send_packet(n, packet); } else { - if(n->probedmtu < packet->len) - n->probedmtu = packet->len; + if(n->minmtu < packet->len) + n->minmtu = packet->len; } } @@ -161,6 +168,25 @@ static void receive_packet(node_t *n, vpn_packet_t *packet) route(n, packet); } +static bool authenticate_udppacket(node_t *n, vpn_packet_t *inpkt) { + char hmac[EVP_MAX_MD_SIZE]; + + if(inpkt->len < sizeof(inpkt->seqno) + (myself->digest ? myself->maclength : 0)) + return false; + + /* Check the message authentication code */ + + if(myself->digest && myself->maclength) { + HMAC(myself->digest, myself->key, myself->keylength, + (char *) &inpkt->seqno, inpkt->len - myself->maclength, hmac, NULL); + + if(memcmp(hmac, (char *) &inpkt->seqno + inpkt->len - myself->maclength, myself->maclength)) + return false; + } + + return true; +} + static void receive_udppacket(node_t *n, vpn_packet_t *inpkt) { vpn_packet_t pkt1, pkt2; @@ -168,32 +194,17 @@ static void receive_udppacket(node_t *n, vpn_packet_t *inpkt) int nextpkt = 0; vpn_packet_t *outpkt = pkt[0]; int outlen, outpad; - char hmac[EVP_MAX_MD_SIZE]; int i; cp(); - /* Check packet length */ - - if(inpkt->len < sizeof(inpkt->seqno) + myself->maclength) { - ifdebug(TRAFFIC) logger(LOG_DEBUG, _("Got too short packet from %s (%s)"), - n->name, n->hostname); + if(!authenticate_udppacket(n, inpkt)) { + ifdebug(TRAFFIC) logger(LOG_DEBUG, _("Got unauthenticated packet from %s (%s)"), + n->name, n->hostname); return; } - /* Check the message authentication code */ - - if(myself->digest && myself->maclength) { - inpkt->len -= myself->maclength; - HMAC(myself->digest, myself->key, myself->keylength, - (char *) &inpkt->seqno, inpkt->len, hmac, NULL); - - if(memcmp(hmac, (char *) &inpkt->seqno + inpkt->len, myself->maclength)) { - ifdebug(TRAFFIC) logger(LOG_DEBUG, _("Got unauthenticated packet from %s (%s)"), - n->name, n->hostname); - return; - } - } + inpkt->len -= myself->digest ? myself->maclength : 0; /* Decrypt the packet */ @@ -347,7 +358,7 @@ static void send_udppacket(node_t *n, vpn_packet_t *inpkt) || !EVP_EncryptFinal_ex(&n->packet_ctx, (char *) &outpkt->seqno + outlen, &outpad)) { ifdebug(TRAFFIC) logger(LOG_ERR, _("Error while encrypting packet to %s (%s): %s"), n->name, n->hostname, ERR_error_string(ERR_get_error(), NULL)); - return; + goto end; } outpkt->len = outlen + outpad; @@ -384,14 +395,16 @@ static void send_udppacket(node_t *n, vpn_packet_t *inpkt) #endif if((sendto(listen_socket[sock].udp, (char *) &inpkt->seqno, inpkt->len, 0, &(n->address.sa), SALEN(n->address.sa))) < 0) { - logger(LOG_ERR, _("Error sending packet to %s (%s): %s"), n->name, n->hostname, strerror(errno)); if(errno == EMSGSIZE) { + if(n->maxmtu >= origlen) + n->maxmtu = origlen - 1; if(n->mtu >= origlen) n->mtu = origlen - 1; - } - return; + } else + logger(LOG_ERR, _("Error sending packet to %s (%s): %s"), n->name, n->hostname, strerror(errno)); } +end: inpkt->len = origlen; } @@ -405,6 +418,8 @@ void send_packet(const node_t *n, vpn_packet_t *packet) cp(); if(n == myself) { + if(overwrite_mac) + memcpy(packet->data, mymac.x, ETH_ALEN); write_packet(packet); return; } @@ -473,6 +488,7 @@ void handle_incoming_vpn_data(int sock) sockaddr_t from; socklen_t fromlen = sizeof(from); node_t *n; + static time_t lasttime = 0; cp(); @@ -487,10 +503,25 @@ void handle_incoming_vpn_data(int sock) n = lookup_node_udp(&from); + if(!n && !strictsource && myself->digest && myself->maclength && lasttime != now) { + avl_node_t *node; + + lasttime = now; + + for(node = node_tree->head; node; node = node->next) { + n = node->data; + + if(authenticate_udppacket(n, &pkt)) { + update_node_address(n, &from); + logger(LOG_DEBUG, _("Updated address of node %s to %s"), n->name, n->hostname); + break; + } + } + } + if(!n) { hostname = sockaddr2hostname(&from); - logger(LOG_WARNING, _("Received UDP packet from unknown source %s"), - hostname); + logger(LOG_WARNING, _("Received UDP packet from unknown source %s"), hostname); free(hostname); return; }