--- gvpe/src/vpn_dns.C 2005/03/07 01:31:26 1.24 +++ gvpe/src/vpn_dns.C 2011/02/08 23:11:36 1.49 @@ -1,24 +1,38 @@ /* vpn_dns.C -- handle the dns tunnel part of the protocol. - Copyright (C) 2003-2005 Marc Lehmann + Copyright (C) 2003-2008 Marc Lehmann This file is part of GVPE. - GVPE is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with gvpe; if not, write to the Free Software - Foundation, Inc. 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + GVPE is free software; you can redistribute it and/or modify it + under the terms of the GNU General Public License as published by the + Free Software Foundation; either version 3 of the License, or (at your + option) any later version. + + This program is distributed in the hope that it will be useful, but + WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General + Public License for more details. + + You should have received a copy of the GNU General Public License along + with this program; if not, see . + + Additional permission under GNU GPL version 3 section 7 + + If you modify this Program, or any covered work, by linking or + combining it with the OpenSSL project's OpenSSL library (or a modified + version of that library), containing parts covered by the terms of the + OpenSSL or SSLeay licenses, the licensors of this Program grant you + additional permission to convey the resulting work. Corresponding + Source for a non-source form of such a combination shall include the + source code for the parts of OpenSSL used as well as that of the + covered work. */ +// TODO: EDNS0 option to increase dns mtu? +// TODO: re-write dns packet parsing/creation using a safe mem-buffer +// to ensure no buffer overflows or similar problems. + #include "config.h" #if ENABLE_DNS @@ -40,29 +54,27 @@ #include +#include /* bug in libgmp: gmp.h relies on cstdio being included */ #include #include "netcompat.h" #include "vpn.h" -#define MIN_POLL_INTERVAL .02 // how often to poll minimally when the server has data -#define MAX_POLL_INTERVAL 6. // how often to poll minimally when the server has no data +#define MAX_POLL_INTERVAL 5. // how often to poll minimally when the server has no data #define ACTIVITY_INTERVAL 5. #define INITIAL_TIMEOUT 0.1 // retry timeouts -#define INITIAL_SYN_TIMEOUT 10. // retry timeout for initial syn +#define INITIAL_SYN_TIMEOUT 2. // retry timeout for initial syn -#define MIN_SEND_INTERVAL 0.01 // wait at least this time between sending requests -#define MAX_SEND_INTERVAL 0.5 // optimistic? +#define MAX_SEND_INTERVAL 2. // optimistic? -#define MAX_OUTSTANDING 10 // max. outstanding requests #define MAX_WINDOW 1000 // max. for MAX_OUTSTANDING, and backlog -#define MAX_BACKLOG (100*1024) // size of gvpe protocol backlog (bytes), must be > MAXSIZE +#define MAX_BACKLOG (64*1024) // size of gvpe protocol backlog (bytes), must be > MAXSIZE -#define MAX_DOMAIN_SIZE 220 // 255 is legal limit, but bind doesn't compress well +#define MAX_DOMAIN_SIZE 240 // 255 is legal limit, but bind doesn't compress well // 240 leaves about 4 bytes of server reply data -// every two request bytes less give room for one reply byte +// every request byte less give room for two reply bytes #define SEQNO_MASK 0x3fff #define SEQNO_EQ(a,b) ( 0 == ( ((a) ^ (b)) & SEQNO_MASK) ) @@ -73,6 +85,7 @@ #define RR_TYPE_A 1 #define RR_TYPE_NULL 10 #define RR_TYPE_TXT 16 +#define RR_TYPE_AAAA 28 #define RR_TYPE_ANY 255 #define RR_CLASS_IN 1 @@ -157,12 +170,14 @@ } } -unsigned int basecoder::encode_len (unsigned int len) +unsigned int +basecoder::encode_len (unsigned int len) { return enc_len [len]; } -unsigned int basecoder::decode_len (unsigned int len) +unsigned int +basecoder::decode_len (unsigned int len) { while (len && !dec_len [len]) --len; @@ -170,7 +185,8 @@ return dec_len [len]; } -unsigned int basecoder::encode (char *dst, u8 *src, unsigned int len) +unsigned int +basecoder::encode (char *dst, u8 *src, unsigned int len) { if (!len || len > MAX_DEC_LEN) return 0; @@ -199,7 +215,8 @@ return elen; } -unsigned int basecoder::decode (u8 *dst, char *src, unsigned int len) +unsigned int +basecoder::decode (u8 *dst, char *src, unsigned int len) { if (!len || len > MAX_ENC_LEN) return 0; @@ -268,7 +285,8 @@ #define HDRSIZE 6 -inline void encode_header (char *data, int clientid, int seqno, int retry = 0) +inline void +encode_header (char *data, int clientid, int seqno, int retry = 0) { seqno &= SEQNO_MASK; @@ -283,7 +301,8 @@ cdc26.encode (data, hdr, 3); } -inline void decode_header (char *data, int &clientid, int &seqno) +inline void +decode_header (char *data, int &clientid, int &seqno) { u8 hdr[3]; @@ -326,7 +345,8 @@ delete data; } -void byte_stream::remove (int count) +void +byte_stream::remove (int count) { if (count > fill) assert (count <= fill); @@ -334,7 +354,8 @@ memmove (data, data + count, fill -= count); } -bool byte_stream::put (u8 *data, unsigned int datalen) +bool +byte_stream::put (u8 *data, unsigned int datalen) { if (maxsize - fill < datalen) return false; @@ -344,7 +365,8 @@ return true; } -bool byte_stream::put (vpn_packet *pkt) +bool +byte_stream::put (vpn_packet *pkt) { if (maxsize - fill < pkt->len + 2) return false; @@ -425,7 +447,8 @@ u8 req_cdc; u8 rep_cdc; - u8 r2, r3, r4; + u8 delay; // time in 0.01s units that the server may delay replying packets + u8 r3, r4; u8 r5, r6, r7, r8; @@ -435,7 +458,8 @@ int dns_cfg::next_uid; -void dns_cfg::reset (int clientid) +void +dns_cfg::reset (int clientid) { id1 = 'G'; id2 = 'V'; @@ -450,16 +474,20 @@ seq_cdc = 26; req_cdc = 62; rep_cdc = 0; - max_size = ntohs (MAX_PKT_SIZE); - client = ntohs (clientid); + max_size = htons (MAX_PKT_SIZE); + client = htons (clientid); uid = next_uid++; + delay = 0; - r2 = r3 = r4 = 0; + r3 = r4 = 0; r4 = r5 = r6 = r7 = 0; } -bool dns_cfg::valid () +bool +dns_cfg::valid () { + // although the protocol itself allows for some configurability, + // only the following encoding/decoding settings are implemented. return id1 == 'G' && id2 == 'V' && id3 == 'P' @@ -467,8 +495,7 @@ && seq_cdc == 26 && req_cdc == 62 && rep_cdc == 0 - && version == 1 - && max_size == ntohs (MAX_PKT_SIZE); + && version == 1; } struct dns_packet : net_packet @@ -482,7 +509,8 @@ int decode_label (char *data, int size, int &offs); }; -int dns_packet::decode_label (char *data, int size, int &offs) +int +dns_packet::decode_label (char *data, int size, int &offs) { char *orig = data; @@ -518,10 +546,11 @@ ///////////////////////////////////////////////////////////////////////////// -static u16 dns_id = 0; // TODO: should be per-vpn - -static u16 next_id () +static +u16 next_id () { + static u16 dns_id = 0; // TODO: should be per-vpn + if (!dns_id) dns_id = time (0); @@ -549,15 +578,15 @@ tstamp last_received; tstamp last_sent; - double last_latency; + double min_latency; double poll_interval, send_interval; vector rcvpq; - byte_stream rcvdq; int rcvseq; + byte_stream rcvdq; int rcvseq; int repseq; byte_stream snddq; int sndseq; - void time_cb (time_watcher &w); time_watcher tw; + inline void time_cb (ev::timer &w, int revents); ev::timer tw; void receive_rep (dns_rcv *r); dns_connection (connection *c); @@ -586,7 +615,7 @@ timeout = 0; retry = 0; seqno = 0; - sent = NOW; + sent = ev_now (); stdhdr = false; pkt = new dns_packet; @@ -599,7 +628,8 @@ delete pkt; } -static void append_domain (dns_packet &pkt, int &offs, const char *domain) +static void +append_domain (dns_packet &pkt, int &offs, const char *domain) { // add tunnel domain for (;;) @@ -622,12 +652,13 @@ } } -void dns_snd::gen_stream_req (int seqno, byte_stream &stream) +void +dns_snd::gen_stream_req (int seqno, byte_stream &stream) { stdhdr = true; this->seqno = seqno; - timeout = NOW + INITIAL_TIMEOUT; + timeout = ev_now () + INITIAL_TIMEOUT; pkt->flags = htons (DEFAULT_CLIENT_FLAGS); pkt->qdcount = htons (1); @@ -670,9 +701,10 @@ pkt->len = offs; } -void dns_snd::gen_syn_req () +void +dns_snd::gen_syn_req () { - timeout = NOW + INITIAL_SYN_TIMEOUT; + timeout = ev_now () + INITIAL_SYN_TIMEOUT; pkt->flags = htons (DEFAULT_CLIENT_FLAGS); pkt->qdcount = htons (1); @@ -721,19 +753,20 @@ dns_connection::dns_connection (connection *c) : c (c) , rcvdq (MAX_BACKLOG * 2) -, snddq (MAX_BACKLOG * 2) -, tw (this, &dns_connection::time_cb) +, snddq (MAX_BACKLOG) { + tw.set (this); + vpn = c->vpn; established = false; - rcvseq = sndseq = 0; + rcvseq = repseq = sndseq = 0; last_sent = last_received = 0; - poll_interval = MIN_POLL_INTERVAL; + poll_interval = 0.5; // starting here send_interval = 0.5; // starting rate - last_latency = INITIAL_TIMEOUT; + min_latency = INITIAL_TIMEOUT; } dns_connection::~dns_connection () @@ -744,18 +777,20 @@ delete *i; } -void dns_connection::receive_rep (dns_rcv *r) +void +dns_connection::receive_rep (dns_rcv *r) { if (r->datalen) { - last_received = NOW; - tw.trigger (); + last_received = ev_now (); + tw (); poll_interval = send_interval; } else { poll_interval *= 1.5; + if (poll_interval > MAX_POLL_INTERVAL) poll_interval = MAX_POLL_INTERVAL; } @@ -768,6 +803,7 @@ for (vector::iterator i = rcvpq.end (); i-- != rcvpq.begin (); ) if (SEQNO_EQ (rcvseq, (*i)->seqno)) { + //printf ("seqno eq %x %x\n", rcvseq, (*i)->seqno);//D // enter the packet into our input stream r = *i; @@ -775,6 +811,7 @@ for (vector::iterator j = rcvpq.begin (); j != rcvpq.end (); ++j) if (SEQNO_EQ ((*j)->seqno, rcvseq - MAX_WINDOW)) { + //printf ("seqno RR %x %x\n", (*j)->seqno, rcvseq - MAX_WINDOW);//D delete *j; rcvpq.erase (j); break; @@ -791,7 +828,7 @@ while (vpn_packet *pkt = rcvdq.get ()) { sockinfo si; - si.host = 0x01010101; si.port = htons (c->conf->id); si.prot = PROT_DNSv4; + si.host = htonl (c->conf->id); si.port = 0; si.prot = PROT_DNSv4; vpn->recv_vpn_packet (pkt, si); @@ -855,7 +892,6 @@ connection *c = conns [client - 1]; dns_connection *dns = c->dns; dns_rcv *rcv; - bool in_seq; if (dns) { @@ -876,8 +912,6 @@ goto duplicate_request; } - in_seq = dns->rcvseq == seqno; - // new packet, queue rcv = new dns_rcv (seqno, data, datalen); dns->receive_rep (rcv); @@ -894,31 +928,38 @@ int rdlen_offs = offs += 2; - int dlen = (dns ? ntohs (dns->cfg.max_size) : MAX_PKT_SIZE) - offs; - // bind doesn't compress well, so reduce further by one label length - dlen -= qlen; - if (dns) { + int dlen = ntohs (dns->cfg.max_size) - offs; + + // bind doesn't compress well, so reduce further by one label length + dlen -= qlen; + // only put data into in-order sequence packets, if // we receive out-of-order packets we generate empty // replies - while (dlen > 1 && !dns->snddq.empty () && in_seq) + //printf ("%d - %d & %x (=%d) < %d\n", seqno, dns->repseq, SEQNO_MASK, (seqno - dns->repseq) & SEQNO_MASK, MAX_WINDOW);//D + if (((seqno - dns->repseq) & SEQNO_MASK) <= MAX_WINDOW) { - int txtlen = dlen <= 255 ? dlen - 1 : 255; + dns->repseq = seqno; - if (txtlen > dns->snddq.size ()) - txtlen = dns->snddq.size (); + while (dlen > 1 && !dns->snddq.empty ()) + { + int txtlen = dlen <= 255 ? dlen - 1 : 255; + + if (txtlen > dns->snddq.size ()) + txtlen = dns->snddq.size (); + + pkt[offs++] = txtlen; + memcpy (pkt.at (offs), dns->snddq.begin (), txtlen); + offs += txtlen; + dns->snddq.remove (txtlen); - pkt[offs++] = txtlen; - memcpy (pkt.at (offs), dns->snddq.begin (), txtlen); - offs += txtlen; - dns->snddq.remove (txtlen); - - dlen -= txtlen + 1; + dlen -= txtlen + 1; + } } - // avoid empty TXT rdata + // avoid completely empty TXT rdata if (offs == rdlen_offs) pkt[offs++] = 0; @@ -1008,6 +1049,7 @@ connection *c = dns->c; int seqno = (*i)->seqno; u8 data[MAXSIZE], *datap = data; + //printf ("rcv pkt %x\n", seqno);//D if ((*i)->retry) { @@ -1017,19 +1059,21 @@ } else { -#if 1 +#if 0 dns->send_interval *= 0.999; #endif - if (dns->send_interval < MIN_SEND_INTERVAL) - dns->send_interval = MIN_SEND_INTERVAL; - // the latency surely puts an upper bound on // the minimum send interval - double latency = NOW - (*i)->sent; - dns->last_latency = latency; + double latency = ev_now () - (*i)->sent; + + if (latency < dns->min_latency) + dns->min_latency = latency; + + if (dns->send_interval > dns->min_latency * conf.dns_overlap_factor) + dns->send_interval = dns->min_latency * conf.dns_overlap_factor; - if (dns->send_interval > latency) - dns->send_interval = latency; + if (dns->send_interval < conf.dns_send_interval) + dns->send_interval = conf.dns_send_interval; } delete *i; @@ -1144,9 +1188,9 @@ } void -vpn::dnsv4_ev (io_watcher &w, short revents) +vpn::dnsv4_ev (ev::io &w, int revents) { - if (revents & EVENT_READ) + if (revents & EV_READ) { dns_packet *pkt = new dns_packet; struct sockaddr_in sa; @@ -1172,7 +1216,7 @@ bool vpn::send_dnsv4_packet (vpn_packet *pkt, const sockinfo &si, int tos) { - int client = ntohs (si.port); + int client = ntohl (si.host); assert (0 < client && client <= conns.size ()); @@ -1181,11 +1225,10 @@ if (!c->dns) c->dns = new dns_connection (c); - if (!c->dns->snddq.put (pkt)) - return false; - - c->dns->tw.trigger (); + if (c->dns->snddq.put (pkt)) + c->dns->tw (); + // always return true even if the buffer overflows return true; } @@ -1198,14 +1241,14 @@ #define NEXT(w) do { if (next > (w)) next = w; } while (0) void -dns_connection::time_cb (time_watcher &w) +dns_connection::time_cb (ev::timer &w, int revents) { // servers have to be polled if (THISNODE->dns_port) return; // check for timeouts and (re)transmit - tstamp next = NOW + poll_interval; + tstamp next = ev::now () + poll_interval; dns_snd *send = 0; for (vector::iterator i = vpn->dns_sndpq.begin (); @@ -1214,85 +1257,86 @@ { dns_snd *r = *i; - if (r->timeout <= NOW) + if (r->timeout <= ev_now ()) { if (!send) { send = r; r->retry++; - r->timeout = NOW + (r->retry * last_latency * 8.); + r->timeout = ev_now () + (r->retry * min_latency * conf.dns_timeout_factor); + //printf ("RETRY %x (%d, %f)\n", r->seqno, r->retry, r->timeout - ev_now ());//D // the following code changes the query section a bit, forcing // the forwarder to generate a new request if (r->stdhdr) - { - //printf ("reencoded header for ID %d retry %d:%d:%d\n", htons (r->pkt->id), THISNODE->id, r->seqno, r->retry);printf ("reencoded header for ID %d retry %d:%d:%d\n", htons (r->pkt->id), THISNODE->id, r->seqno, r->retry); - //encode_header ((char *)r->pkt->at (6 * 2 + 1), THISNODE->id, r->seqno, r->retry); - } + encode_header ((char *)r->pkt->at (6 * 2 + 1), THISNODE->id, r->seqno, r->retry); } } else NEXT (r->timeout); } - if (last_sent + send_interval <= NOW) + if (!send) { - if (!send) - { - // generate a new packet, if wise + // generate a new packet, if wise - if (!established) + if (!established) + { + if (vpn->dns_sndpq.empty ()) { - if (vpn->dns_sndpq.empty ()) - { - send = new dns_snd (this); + send = new dns_snd (this); - cfg.reset (THISNODE->id); - send->gen_syn_req (); - } + cfg.reset (THISNODE->id); + send->gen_syn_req (); } - else if (vpn->dns_sndpq.size () < MAX_OUTSTANDING - && !SEQNO_EQ (rcvseq, sndseq - (MAX_WINDOW - 1))) + } + else if (vpn->dns_sndpq.size () < conf.dns_max_outstanding + && !SEQNO_EQ (rcvseq, sndseq - (MAX_WINDOW - 1))) + { + if (last_sent + send_interval <= ev_now ()) { //printf ("sending data request etc.\n"); //D - if (!snddq.empty ()) + if (!snddq.empty () || last_received + 1. > ev_now ()) { poll_interval = send_interval; - NEXT (NOW + send_interval); + NEXT (ev_now () + send_interval); } send = new dns_snd (this); send->gen_stream_req (sndseq, snddq); - send->timeout = NOW + last_latency * 8.; + send->timeout = ev_now () + min_latency * conf.dns_timeout_factor; + //printf ("SEND %x (%f)\n", send->seqno, send->timeout - ev_now (), min_latency, conf.dns_timeout_factor);//D sndseq = (sndseq + 1) & SEQNO_MASK; } - - if (send) - vpn->dns_sndpq.push_back (send); + else + NEXT (last_sent + send_interval); } if (send) - { - last_sent = NOW; - sendto (vpn->dnsv4_fd, - send->pkt->at (0), send->pkt->len, 0, - vpn->dns_forwarder.sav4 (), vpn->dns_forwarder.salenv4 ()); - } + vpn->dns_sndpq.push_back (send); } - else - NEXT (last_sent + send_interval); - slog (L_NOISE, "DNS: pi %f si %f N %f (%d:%d)", - poll_interval, send_interval, next - NOW, - vpn->dns_sndpq.size (), snddq.size ()); + if (send) + { + last_sent = ev_now (); + sendto (vpn->dnsv4_fd, + send->pkt->at (0), send->pkt->len, 0, + vpn->dns_forwarder.sav4 (), vpn->dns_forwarder.salenv4 ()); + } - // TODO: no idea when this happens, but when next < NOW, we have a problem - if (next < NOW + 0.0001) - next = NOW + 0.1; + slog (L_NOISE, "DNS: pi %f si %f N %f (%d:%d %d)", + poll_interval, send_interval, next - ev_now (), + vpn->dns_sndpq.size (), snddq.size (), + rcvpq.size ()); + + // TODO: no idea when this happens, but when next < ev_now (), we have a problem + // doesn't seem to happen anymore + if (next < ev_now () + 0.001) + next = ev_now () + 0.1; - w.start (next); + w.start (next - ev_now ()); } #endif