2000-03-26 00:33:07 +00:00
|
|
|
/*
|
2002-02-10 21:57:54 +00:00
|
|
|
protocol.c -- handle the meta-protocol, basic functions
|
2006-04-26 13:52:58 +00:00
|
|
|
Copyright (C) 1999-2005 Ivo Timmermans,
|
2013-08-13 18:38:57 +00:00
|
|
|
2000-2013 Guus Sliepen <guus@tinc-vpn.org>
|
2000-03-26 00:33:07 +00:00
|
|
|
|
|
|
|
|
This program is free software; you can redistribute it and/or modify
|
|
|
|
|
it under the terms of the GNU General Public License as published by
|
|
|
|
|
the Free Software Foundation; either version 2 of the License, or
|
|
|
|
|
(at your option) any later version.
|
|
|
|
|
|
|
|
|
|
This program is distributed in the hope that it will be useful,
|
|
|
|
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
|
GNU General Public License for more details.
|
|
|
|
|
|
2009-09-24 22:01:00 +00:00
|
|
|
You should have received a copy of the GNU General Public License along
|
|
|
|
|
with this program; if not, write to the Free Software Foundation, Inc.,
|
|
|
|
|
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
2000-03-26 00:33:07 +00:00
|
|
|
*/
|
|
|
|
|
|
2003-07-17 15:06:27 +00:00
|
|
|
#include "system.h"
|
2000-11-15 01:06:13 +00:00
|
|
|
|
2000-03-26 00:33:07 +00:00
|
|
|
#include "conf.h"
|
2000-11-20 19:12:17 +00:00
|
|
|
#include "connection.h"
|
2003-07-06 22:11:37 +00:00
|
|
|
#include "logger.h"
|
2003-07-17 15:06:27 +00:00
|
|
|
#include "meta.h"
|
|
|
|
|
#include "protocol.h"
|
|
|
|
|
#include "utils.h"
|
|
|
|
|
#include "xalloc.h"
|
2000-05-29 21:01:26 +00:00
|
|
|
|
2003-11-17 15:30:18 +00:00
|
|
|
bool tunnelserver = false;
|
2010-03-01 23:18:44 +00:00
|
|
|
bool strictsubnets = false;
|
2013-05-10 19:11:45 +00:00
|
|
|
bool experimental = true;
|
2003-11-17 15:30:18 +00:00
|
|
|
|
2003-07-06 23:16:29 +00:00
|
|
|
/* Jumptable for the request handlers */
|
|
|
|
|
|
2012-05-08 14:44:15 +00:00
|
|
|
static bool (*request_handlers[])(connection_t *, const char *) = {
|
2003-07-06 23:16:29 +00:00
|
|
|
id_h, metakey_h, challenge_h, chal_reply_h, ack_h,
|
|
|
|
|
status_h, error_h, termreq_h,
|
|
|
|
|
ping_h, pong_h,
|
|
|
|
|
add_subnet_h, del_subnet_h,
|
|
|
|
|
add_edge_h, del_edge_h,
|
2009-11-07 22:43:25 +00:00
|
|
|
key_changed_h, req_key_h, ans_key_h, tcppacket_h, control_h,
|
Introduce raw TCP SPTPS packet transport.
Currently, SPTPS packets are transported over TCP metaconnections using
extended REQ_KEY requests, in order for the packets to pass through
tinc-1.0 nodes unaltered. Unfortunately, this method presents two
significant downsides:
- An already encrypted SPTPS packet is decrypted and then encrypted
again every time it passes through a node, since it is transported
over the SPTPS channels of the metaconnections. This
double-encryption is unnecessary and wastes CPU cycles.
- More importantly, the only way to transport binary data over
standard metaconnection messages such as REQ_KEY is to encode it
in base64, which has a 33% encoding overhead. This wastes 25% of the
network bandwidth.
This commit introduces a new protocol message, SPTPS_PACKET, which can
be used to transport SPTPS packets over a TCP metaconnection in an
efficient way. The new message is appropriately protected through a
minor protocol version increment, and extended REQ_KEY messages are
still used with nodes that do not support the new message, as well as
for the intial handshake packets, for which efficiency is not a concern.
The way SPTPS_PACKET works is very similar to how the traditional PACKET
message works: after the SPTPS_PACKET message, the raw binary packet is
sent directly over the metaconnection. There is one important
difference, however: in the case of SPTPS_PACKET, the packet is sent
directly over the TCP stream completely bypassing the SPTPS channel of
the metaconnection itself for maximum efficiency. This is secure because
the SPTPS packet that is being sent is already encrypted with an
end-to-end key.
2015-05-10 18:00:03 +00:00
|
|
|
NULL, NULL, /* Not "real" requests (yet) */
|
|
|
|
|
sptps_tcppacket_h,
|
Add MTU_INFO protocol message.
In this commit, nodes use MTU_INFO messages to provide MTU information.
The issue this code is meant to address is the non-trivial problem of
finding the proper MTU when UDP SPTPS relays are involved. Currently,
tinc has no idea what the MTU looks like beyond the first relay, and
will arbitrarily use the first relay's MTU as the limit. This will fail
miserably if the MTU decreases after the first relay, forcing relays to
fall back to TCP. More generally, one should keep in mind that relay
paths can be arbitrarily complex, resulting in packets taking "epic
journeys" through the graph, switching back and forth between UDP (with
variable MTUs) and TCP multiple times along the path.
A solution that was considered consists in sending standard MTU probes
through the relays. This is inefficient (if there are 3 nodes on one
side of relay and 3 nodes on the other side, we end up with 3*3=9 MTU
discoveries taking place at the same time, while technically only
3+3=6 are needed) and would involve eyebrow-raising behaviors such as
probes being sent over TCP.
This commit implements an alternative solution, which consists in
the packet receiver sending MTU_INFO messages to the packet sender.
The message contains an MTU value which is set to maximum when the
message is originally sent. The message gets altered as it travels
through the metagraph, such that when the message arrives to the
destination, the MTU value contained in the message can be used to
send packets while making sure no relays will be forced to fall back to
TCP to deliver them.
The operating principles behind such a protocol message are similar to
how the UDP_INFO message works, but there is a key difference that
prevents us from simply reusing the same message: the UDP_INFO message
only cares about relay-to-relay links (i.e. it is sent between static
relays and the information it contains only makes sense between two
adjacent static relays), while the MTU_INFO cares about the end-to-end
MTU, including the entire relay path. Therefore, UDP_INFO messages stop
when they encounter static relays, while MTU_INFO messages don't stop
until they get to the original packet sender.
Note that, technically, the MTU that is obtained through this mechanism
can be slightly pessimistic, because it can be lowered by an
intermediate node that is not being used as a relay. Since nodes have no
way of knowing whether they'll be used as dynamic relays or not (and
have no say in the matter), this is not a trivial problem. That said,
this is highly unlikely to result in noticeable issues in realistic
scenarios.
2015-03-08 18:54:50 +00:00
|
|
|
udp_info_h, mtu_info_h,
|
2003-07-06 23:16:29 +00:00
|
|
|
};
|
|
|
|
|
|
|
|
|
|
/* Request names */
|
|
|
|
|
|
|
|
|
|
static char (*request_name[]) = {
|
|
|
|
|
"ID", "METAKEY", "CHALLENGE", "CHAL_REPLY", "ACK",
|
|
|
|
|
"STATUS", "ERROR", "TERMREQ",
|
|
|
|
|
"PING", "PONG",
|
|
|
|
|
"ADD_SUBNET", "DEL_SUBNET",
|
2009-11-07 22:43:25 +00:00
|
|
|
"ADD_EDGE", "DEL_EDGE", "KEY_CHANGED", "REQ_KEY", "ANS_KEY", "PACKET", "CONTROL",
|
2015-05-10 17:05:19 +00:00
|
|
|
"REQ_PUBKEY", "ANS_PUBKEY", "SPTPS_PACKET", "UDP_INFO", "MTU_INFO",
|
2003-07-06 23:16:29 +00:00
|
|
|
};
|
|
|
|
|
|
2007-05-18 10:05:26 +00:00
|
|
|
static splay_tree_t *past_request_tree;
|
2002-03-21 23:11:53 +00:00
|
|
|
|
2000-12-05 08:59:30 +00:00
|
|
|
/* Generic request routines - takes care of logging and error
|
|
|
|
|
detection as well */
|
2000-05-01 18:07:12 +00:00
|
|
|
|
2007-05-18 10:00:00 +00:00
|
|
|
bool send_request(connection_t *c, const char *format, ...) {
|
2002-09-09 21:25:28 +00:00
|
|
|
va_list args;
|
2007-05-19 22:23:02 +00:00
|
|
|
char request[MAXBUFSIZE];
|
|
|
|
|
int len;
|
2002-09-09 21:25:28 +00:00
|
|
|
|
2009-09-08 16:18:36 +00:00
|
|
|
/* Use vsnprintf instead of vxasprintf: faster, no memory
|
2002-09-09 21:25:28 +00:00
|
|
|
fragmentation, cleanup is automatic, and there is a limit on the
|
|
|
|
|
input buffer anyway */
|
|
|
|
|
|
|
|
|
|
va_start(args, format);
|
2007-05-19 22:23:02 +00:00
|
|
|
len = vsnprintf(request, MAXBUFSIZE, format, args);
|
2002-09-09 21:25:28 +00:00
|
|
|
va_end(args);
|
|
|
|
|
|
|
|
|
|
if(len < 0 || len > MAXBUFSIZE - 1) {
|
2012-02-26 17:37:36 +00:00
|
|
|
logger(DEBUG_ALWAYS, LOG_ERR, "Output buffer overflow while sending request to %s (%s)",
|
2002-09-09 21:25:28 +00:00
|
|
|
c->name, c->hostname);
|
2003-07-22 20:55:21 +00:00
|
|
|
return false;
|
2002-09-09 21:25:28 +00:00
|
|
|
}
|
|
|
|
|
|
2012-02-26 17:37:36 +00:00
|
|
|
logger(DEBUG_META, LOG_DEBUG, "Sending %s to %s (%s): %s", request_name[atoi(request)], c->name, c->hostname, request);
|
2002-09-09 21:25:28 +00:00
|
|
|
|
2007-05-19 22:23:02 +00:00
|
|
|
request[len++] = '\n';
|
2002-09-09 21:25:28 +00:00
|
|
|
|
2012-02-20 16:12:48 +00:00
|
|
|
if(c == everyone) {
|
2007-05-19 22:23:02 +00:00
|
|
|
broadcast_meta(NULL, request, len);
|
2003-07-22 20:55:21 +00:00
|
|
|
return true;
|
|
|
|
|
} else
|
2007-05-19 22:23:02 +00:00
|
|
|
return send_meta(c, request, len);
|
2002-09-04 16:26:45 +00:00
|
|
|
}
|
|
|
|
|
|
2012-05-08 14:44:15 +00:00
|
|
|
void forward_request(connection_t *from, const char *request) {
|
2012-02-26 17:37:36 +00:00
|
|
|
logger(DEBUG_META, LOG_DEBUG, "Forwarding %s from %s (%s): %s", request_name[atoi(request)], from->name, from->hostname, request);
|
2002-09-09 21:25:28 +00:00
|
|
|
|
2012-05-08 14:44:15 +00:00
|
|
|
// Create a temporary newline-terminated copy of the request
|
2007-05-19 22:23:02 +00:00
|
|
|
int len = strlen(request);
|
2012-05-08 14:44:15 +00:00
|
|
|
char tmp[len + 1];
|
|
|
|
|
memcpy(tmp, request, len);
|
|
|
|
|
tmp[len] = '\n';
|
2012-05-13 20:16:42 +00:00
|
|
|
broadcast_meta(from, tmp, sizeof tmp);
|
2000-09-22 16:20:07 +00:00
|
|
|
}
|
|
|
|
|
|
2012-05-08 14:44:15 +00:00
|
|
|
bool receive_request(connection_t *c, const char *request) {
|
2013-02-07 13:22:28 +00:00
|
|
|
if(c->outgoing && proxytype == PROXY_HTTP && c->allow_request == ID) {
|
2012-06-26 11:24:20 +00:00
|
|
|
if(!request[0] || request[0] == '\r')
|
2012-04-18 21:19:40 +00:00
|
|
|
return true;
|
2012-06-26 11:24:20 +00:00
|
|
|
if(!strncasecmp(request, "HTTP/1.1 ", 9)) {
|
|
|
|
|
if(!strncmp(request + 9, "200", 3)) {
|
|
|
|
|
logger(DEBUG_CONNECTIONS, LOG_DEBUG, "Proxy request granted");
|
2012-04-18 21:19:40 +00:00
|
|
|
return true;
|
|
|
|
|
} else {
|
2012-06-26 11:24:20 +00:00
|
|
|
logger(DEBUG_ALWAYS, LOG_DEBUG, "Proxy request rejected: %s", request + 9);
|
2012-04-18 21:19:40 +00:00
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2007-05-19 22:23:02 +00:00
|
|
|
int reqno = atoi(request);
|
2002-09-09 21:25:28 +00:00
|
|
|
|
2007-05-19 22:23:02 +00:00
|
|
|
if(reqno || *request == '0') {
|
|
|
|
|
if((reqno < 0) || (reqno >= LAST) || !request_handlers[reqno]) {
|
2012-02-26 17:37:36 +00:00
|
|
|
logger(DEBUG_META, LOG_DEBUG, "Unknown request from %s (%s): %s", c->name, c->hostname, request);
|
2003-07-22 20:55:21 +00:00
|
|
|
return false;
|
2002-09-09 21:25:28 +00:00
|
|
|
} else {
|
2012-02-26 17:37:36 +00:00
|
|
|
logger(DEBUG_META, LOG_DEBUG, "Got %s from %s (%s): %s", request_name[reqno], c->name, c->hostname, request);
|
2002-09-09 21:25:28 +00:00
|
|
|
}
|
|
|
|
|
|
2007-05-19 22:23:02 +00:00
|
|
|
if((c->allow_request != ALL) && (c->allow_request != reqno)) {
|
2012-02-26 17:37:36 +00:00
|
|
|
logger(DEBUG_ALWAYS, LOG_ERR, "Unauthorized request from %s (%s)", c->name, c->hostname);
|
2003-07-22 20:55:21 +00:00
|
|
|
return false;
|
2002-09-09 21:25:28 +00:00
|
|
|
}
|
|
|
|
|
|
2007-05-19 22:23:02 +00:00
|
|
|
if(!request_handlers[reqno](c, request)) {
|
2002-09-09 21:25:28 +00:00
|
|
|
/* Something went wrong. Probably scriptkiddies. Terminate. */
|
2003-07-22 20:55:21 +00:00
|
|
|
|
2015-04-24 21:51:29 +00:00
|
|
|
if(reqno != TERMREQ)
|
2015-04-24 21:43:58 +00:00
|
|
|
logger(DEBUG_ALWAYS, LOG_ERR, "Error while processing %s from %s (%s)", request_name[reqno], c->name, c->hostname);
|
2003-07-22 20:55:21 +00:00
|
|
|
return false;
|
2002-09-09 21:25:28 +00:00
|
|
|
}
|
|
|
|
|
} else {
|
2012-02-26 17:37:36 +00:00
|
|
|
logger(DEBUG_ALWAYS, LOG_ERR, "Bogus data received from %s (%s)", c->name, c->hostname);
|
2003-07-22 20:55:21 +00:00
|
|
|
return false;
|
2000-09-26 14:06:11 +00:00
|
|
|
}
|
2000-10-29 00:02:20 +00:00
|
|
|
|
2003-07-22 20:55:21 +00:00
|
|
|
return true;
|
2000-09-10 15:18:03 +00:00
|
|
|
}
|
|
|
|
|
|
2007-05-18 10:00:00 +00:00
|
|
|
static int past_request_compare(const past_request_t *a, const past_request_t *b) {
|
2002-09-09 21:25:28 +00:00
|
|
|
return strcmp(a->request, b->request);
|
2002-03-21 23:11:53 +00:00
|
|
|
}
|
|
|
|
|
|
2007-05-18 10:00:00 +00:00
|
|
|
static void free_past_request(past_request_t *r) {
|
2002-09-09 21:25:28 +00:00
|
|
|
if(r->request)
|
2012-05-08 14:44:15 +00:00
|
|
|
free((char *)r->request);
|
2002-09-09 21:25:28 +00:00
|
|
|
|
|
|
|
|
free(r);
|
2002-03-23 20:12:29 +00:00
|
|
|
}
|
|
|
|
|
|
2012-11-29 11:28:23 +00:00
|
|
|
static timeout_t past_request_timeout;
|
|
|
|
|
|
|
|
|
|
static void age_past_requests(void *data) {
|
|
|
|
|
int left = 0, deleted = 0;
|
|
|
|
|
|
|
|
|
|
for splay_each(past_request_t, p, past_request_tree) {
|
|
|
|
|
if(p->firstseen + pinginterval <= now.tv_sec)
|
|
|
|
|
splay_delete_node(past_request_tree, node), deleted++;
|
|
|
|
|
else
|
|
|
|
|
left++;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if(left || deleted)
|
|
|
|
|
logger(DEBUG_SCARY_THINGS, LOG_DEBUG, "Aging past requests: deleted %d, left %d", deleted, left);
|
|
|
|
|
|
|
|
|
|
if(left)
|
|
|
|
|
timeout_set(&past_request_timeout, &(struct timeval){10, rand() % 100000});
|
|
|
|
|
}
|
2002-03-21 23:11:53 +00:00
|
|
|
|
2012-05-08 14:44:15 +00:00
|
|
|
bool seen_request(const char *request) {
|
2015-06-30 16:09:07 +00:00
|
|
|
past_request_t *new, p = {NULL};
|
2002-09-09 21:25:28 +00:00
|
|
|
|
2003-07-30 11:50:45 +00:00
|
|
|
p.request = request;
|
|
|
|
|
|
2007-05-18 10:05:26 +00:00
|
|
|
if(splay_search(past_request_tree, &p)) {
|
2012-02-26 17:37:36 +00:00
|
|
|
logger(DEBUG_SCARY_THINGS, LOG_DEBUG, "Already seen request");
|
2003-07-22 20:55:21 +00:00
|
|
|
return true;
|
2002-09-09 21:25:28 +00:00
|
|
|
} else {
|
2008-12-11 15:56:18 +00:00
|
|
|
new = xmalloc(sizeof *new);
|
2002-09-09 21:25:28 +00:00
|
|
|
new->request = xstrdup(request);
|
2013-03-08 13:11:15 +00:00
|
|
|
new->firstseen = now.tv_sec;
|
2007-05-18 10:05:26 +00:00
|
|
|
splay_insert(past_request_tree, new);
|
2012-11-29 11:28:23 +00:00
|
|
|
timeout_add(&past_request_timeout, age_past_requests, NULL, &(struct timeval){10, rand() % 100000});
|
2003-07-22 20:55:21 +00:00
|
|
|
return false;
|
2002-09-09 21:25:28 +00:00
|
|
|
}
|
2002-03-21 23:11:53 +00:00
|
|
|
}
|
|
|
|
|
|
2007-05-18 10:00:00 +00:00
|
|
|
void init_requests(void) {
|
2007-05-18 10:05:26 +00:00
|
|
|
past_request_tree = splay_alloc_tree((splay_compare_t) past_request_compare, (splay_action_t) free_past_request);
|
2007-05-17 23:14:42 +00:00
|
|
|
}
|
|
|
|
|
|
2007-05-18 10:00:00 +00:00
|
|
|
void exit_requests(void) {
|
2007-05-18 10:05:26 +00:00
|
|
|
splay_delete_tree(past_request_tree);
|
2007-05-17 23:14:42 +00:00
|
|
|
|
2012-11-29 11:28:23 +00:00
|
|
|
timeout_del(&past_request_timeout);
|
2002-03-21 23:11:53 +00:00
|
|
|
}
|
