26e4907140556c49025c24750cfd0113a71b1e9f
[tinc] / net_packet.c
1 /*
2     net_packet.c -- Handles in- and outgoing VPN packets
3     Copyright (C) 1998-2005 Ivo Timmermans,
4                   2000-2013 Guus Sliepen <guus@tinc-vpn.org>
5                   2010      Timothy Redaelli <timothy@redaelli.eu>
6                   2010      Brandon Black <blblack@gmail.com>
7
8     This program is free software; you can redistribute it and/or modify
9     it under the terms of the GNU General Public License as published by
10     the Free Software Foundation; either version 2 of the License, or
11     (at your option) any later version.
12
13     This program is distributed in the hope that it will be useful,
14     but WITHOUT ANY WARRANTY; without even the implied warranty of
15     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
16     GNU General Public License for more details.
17
18     You should have received a copy of the GNU General Public License along
19     with this program; if not, write to the Free Software Foundation, Inc.,
20     51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
21 */
22
23 #include "system.h"
24
25 #ifdef HAVE_ZLIB
26 #include <zlib.h>
27 #endif
28
29 #ifdef HAVE_LZO
30 #include LZO1X_H
31 #endif
32
33 #include "cipher.h"
34 #include "conf.h"
35 #include "connection.h"
36 #include "crypto.h"
37 #include "digest.h"
38 #include "device.h"
39 #include "ethernet.h"
40 #include "graph.h"
41 #include "logger.h"
42 #include "net.h"
43 #include "netutl.h"
44 #include "protocol.h"
45 #include "process.h"
46 #include "route.h"
47 #include "utils.h"
48 #include "xalloc.h"
49
50 int keylifetime = 0;
51 #ifdef HAVE_LZO
52 static char lzo_wrkmem[LZO1X_999_MEM_COMPRESS > LZO1X_1_MEM_COMPRESS ? LZO1X_999_MEM_COMPRESS : LZO1X_1_MEM_COMPRESS];
53 #endif
54
55 static void send_udppacket(node_t *, vpn_packet_t *);
56
57 unsigned replaywin = 16;
58 bool localdiscovery = false;
59
60 #define MAX_SEQNO 1073741824
61
62 /* mtuprobes == 1..30: initial discovery, send bursts with 1 second interval
63    mtuprobes ==    31: sleep pinginterval seconds
64    mtuprobes ==    32: send 1 burst, sleep pingtimeout second
65    mtuprobes ==    33: no response from other side, restart PMTU discovery process
66
67    Probes are sent in batches of at least three, with random sizes between the
68    lower and upper boundaries for the MTU thus far discovered.
69
70    After the initial discovery, a fourth packet is added to each batch with a
71    size larger than the currently known PMTU, to test if the PMTU has increased.
72
73    In case local discovery is enabled, another packet is added to each batch,
74    which will be broadcast to the local network.
75
76 */
77
78 static void send_mtu_probe_handler(void *data) {
79         node_t *n = data;
80         int timeout = 1;
81
82         n->mtuprobes++;
83
84         if(!n->status.reachable || !n->status.validkey) {
85                 logger(DEBUG_TRAFFIC, LOG_INFO, "Trying to send MTU probe to unreachable or rekeying node %s (%s)", n->name, n->hostname);
86                 n->mtuprobes = 0;
87                 return;
88         }
89
90         if(n->mtuprobes > 32) {
91                 if(!n->minmtu) {
92                         n->mtuprobes = 31;
93                         timeout = pinginterval;
94                         goto end;
95                 }
96
97                 logger(DEBUG_TRAFFIC, LOG_INFO, "%s (%s) did not respond to UDP ping, restarting PMTU discovery", n->name, n->hostname);
98                 n->status.udp_confirmed = false;
99                 n->mtuprobes = 1;
100                 n->minmtu = 0;
101                 n->maxmtu = MTU;
102         }
103
104         if(n->mtuprobes >= 10 && n->mtuprobes < 32 && !n->minmtu) {
105                 logger(DEBUG_TRAFFIC, LOG_INFO, "No response to MTU probes from %s (%s)", n->name, n->hostname);
106                 n->mtuprobes = 31;
107         }
108
109         if(n->mtuprobes == 30 || (n->mtuprobes < 30 && n->minmtu >= n->maxmtu)) {
110                 if(n->minmtu > n->maxmtu)
111                         n->minmtu = n->maxmtu;
112                 else
113                         n->maxmtu = n->minmtu;
114                 n->mtu = n->minmtu;
115                 logger(DEBUG_TRAFFIC, LOG_INFO, "Fixing MTU of %s (%s) to %d after %d probes", n->name, n->hostname, n->mtu, n->mtuprobes);
116                 n->mtuprobes = 31;
117         }
118
119         if(n->mtuprobes == 31) {
120                 timeout = pinginterval;
121                 goto end;
122         } else if(n->mtuprobes == 32) {
123                 timeout = pingtimeout;
124         }
125
126         for(int i = 0; i < 4 + localdiscovery; i++) {
127                 int len;
128
129                 if(i == 0) {
130                         if(n->mtuprobes < 30 || n->maxmtu + 8 >= MTU)
131                                 continue;
132                         len = n->maxmtu + 8;
133                 } else if(n->maxmtu <= n->minmtu) {
134                         len = n->maxmtu;
135                 } else {
136                         len = n->minmtu + 1 + rand() % (n->maxmtu - n->minmtu);
137                 }
138
139                 if(len < 64)
140                         len = 64;
141
142                 vpn_packet_t packet;
143                 memset(packet.data, 0, 14);
144                 randomize(packet.data + 14, len - 14);
145                 packet.len = len;
146                 if(i >= 4 && n->mtuprobes <= 10)
147                         packet.priority = -1;
148                 else
149                         packet.priority = 0;
150
151                 logger(DEBUG_TRAFFIC, LOG_INFO, "Sending MTU probe length %d to %s (%s)", len, n->name, n->hostname);
152
153                 send_udppacket(n, &packet);
154         }
155
156         n->probe_counter = 0;
157         gettimeofday(&n->probe_time, NULL);
158
159         /* Calculate the packet loss of incoming traffic by comparing the rate of
160            packets received to the rate with which the sequence number has increased.
161          */
162
163         if(n->received > n->prev_received)
164                 n->packetloss = 1.0 - (n->received - n->prev_received) / (float)(n->received_seqno - n->prev_received_seqno);
165         else
166                 n->packetloss = n->received_seqno <= n->prev_received_seqno;
167
168         n->prev_received_seqno = n->received_seqno;
169         n->prev_received = n->received;
170
171 end:
172         timeout_set(&n->mtutimeout, &(struct timeval){timeout, rand() % 100000});
173 }
174
175 void send_mtu_probe(node_t *n) {
176         timeout_add(&n->mtutimeout, send_mtu_probe_handler, n, &(struct timeval){1, 0});
177         send_mtu_probe_handler(n);
178 }
179
180 static void mtu_probe_h(node_t *n, vpn_packet_t *packet, length_t len) {
181         logger(DEBUG_TRAFFIC, LOG_INFO, "Got MTU probe length %d from %s (%s)", packet->len, n->name, n->hostname);
182
183         if(!packet->data[0]) {
184                 /* It's a probe request, send back a reply */
185
186                 packet->data[0] = 1;
187
188                 /* Temporarily set udp_confirmed, so that the reply is sent
189                    back exactly the way it came in. */
190
191                 bool udp_confirmed = n->status.udp_confirmed;
192                 n->status.udp_confirmed = true;
193                 send_udppacket(n, packet);
194                 n->status.udp_confirmed = udp_confirmed;
195         } else {
196                 /* It's a valid reply: now we know bidirectional communication
197                    is possible using the address and socket that the reply
198                    packet used. */
199
200                 n->status.udp_confirmed = true;
201
202                 /* If we haven't established the PMTU yet, restart the discovery process. */
203
204                 if(n->mtuprobes > 30) {
205                         if (len == n->maxmtu + 8) {
206                                 logger(DEBUG_TRAFFIC, LOG_INFO, "Increase in PMTU to %s (%s) detected, restarting PMTU discovery", n->name, n->hostname);
207                                 n->maxmtu = MTU;
208                                 n->mtuprobes = 10;
209                                 return;
210                         }
211
212                         if(n->minmtu)
213                                 n->mtuprobes = 30;
214                         else
215                                 n->mtuprobes = 1;
216                 }
217
218                 /* If applicable, raise the minimum supported MTU */
219
220                 if(len > n->maxmtu)
221                         len = n->maxmtu;
222                 if(n->minmtu < len)
223                         n->minmtu = len;
224
225                 /* Calculate RTT and bandwidth.
226                    The RTT is the time between the MTU probe burst was sent and the first
227                    reply is received. The bandwidth is measured using the time between the
228                    arrival of the first and third probe reply.
229                  */
230
231                 struct timeval now, diff;
232                 gettimeofday(&now, NULL);
233                 timersub(&now, &n->probe_time, &diff);
234                 n->probe_counter++;
235
236                 if(n->probe_counter == 1) {
237                         n->rtt = diff.tv_sec + diff.tv_usec * 1e-6;
238                         n->probe_time = now;
239                 } else if(n->probe_counter == 3) {
240                         n->bandwidth = 2.0 * len / (diff.tv_sec + diff.tv_usec * 1e-6);
241                         logger(DEBUG_TRAFFIC, LOG_DEBUG, "%s (%s) RTT %.2f ms, burst bandwidth %.3f Mbit/s, rx packet loss %.2f %%", n->name, n->hostname, n->rtt * 1e3, n->bandwidth * 8e-6, n->packetloss * 1e2);
242                 }
243         }
244 }
245
246 static length_t compress_packet(uint8_t *dest, const uint8_t *source, length_t len, int level) {
247         if(level == 0) {
248                 memcpy(dest, source, len);
249                 return len;
250         } else if(level == 10) {
251 #ifdef HAVE_LZO
252                 lzo_uint lzolen = MAXSIZE;
253                 lzo1x_1_compress(source, len, dest, &lzolen, lzo_wrkmem);
254                 return lzolen;
255 #else
256                 return -1;
257 #endif
258         } else if(level < 10) {
259 #ifdef HAVE_ZLIB
260                 unsigned long destlen = MAXSIZE;
261                 if(compress2(dest, &destlen, source, len, level) == Z_OK)
262                         return destlen;
263                 else
264 #endif
265                         return -1;
266         } else {
267 #ifdef HAVE_LZO
268                 lzo_uint lzolen = MAXSIZE;
269                 lzo1x_999_compress(source, len, dest, &lzolen, lzo_wrkmem);
270                 return lzolen;
271 #else
272                 return -1;
273 #endif
274         }
275
276         return -1;
277 }
278
279 static length_t uncompress_packet(uint8_t *dest, const uint8_t *source, length_t len, int level) {
280         if(level == 0) {
281                 memcpy(dest, source, len);
282                 return len;
283         } else if(level > 9) {
284 #ifdef HAVE_LZO
285                 lzo_uint lzolen = MAXSIZE;
286                 if(lzo1x_decompress_safe(source, len, dest, &lzolen, NULL) == LZO_E_OK)
287                         return lzolen;
288                 else
289 #endif
290                         return -1;
291         }
292 #ifdef HAVE_ZLIB
293         else {
294                 unsigned long destlen = MAXSIZE;
295                 if(uncompress(dest, &destlen, source, len) == Z_OK)
296                         return destlen;
297                 else
298                         return -1;
299         }
300 #endif
301
302         return -1;
303 }
304
305 /* VPN packet I/O */
306
307 static void receive_packet(node_t *n, vpn_packet_t *packet) {
308         logger(DEBUG_TRAFFIC, LOG_DEBUG, "Received packet of %d bytes from %s (%s)",
309                            packet->len, n->name, n->hostname);
310
311         n->in_packets++;
312         n->in_bytes += packet->len;
313
314         route(n, packet);
315 }
316
317 static bool try_mac(node_t *n, const vpn_packet_t *inpkt) {
318         if(n->status.sptps)
319                 return sptps_verify_datagram(&n->sptps, (char *)&inpkt->seqno, inpkt->len);
320
321         if(!digest_active(n->indigest) || inpkt->len < sizeof inpkt->seqno + digest_length(n->indigest))
322                 return false;
323
324         return digest_verify(n->indigest, &inpkt->seqno, inpkt->len - digest_length(n->indigest), (const char *)&inpkt->seqno + inpkt->len - digest_length(n->indigest));
325 }
326
327 static void receive_udppacket(node_t *n, vpn_packet_t *inpkt) {
328         vpn_packet_t pkt1, pkt2;
329         vpn_packet_t *pkt[] = { &pkt1, &pkt2, &pkt1, &pkt2 };
330         int nextpkt = 0;
331         vpn_packet_t *outpkt = pkt[0];
332         size_t outlen;
333
334         if(n->status.sptps) {
335                 if(!n->sptps.state) {
336                         if(!n->status.waitingforkey) {
337                                 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got packet from %s (%s) but we haven't exchanged keys yet", n->name, n->hostname);
338                                 send_req_key(n);
339                         } else {
340                                 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got packet from %s (%s) but he hasn't got our key yet", n->name, n->hostname);
341                         }
342                         return;
343                 }
344                 sptps_receive_data(&n->sptps, (char *)&inpkt->seqno, inpkt->len);
345                 return;
346         }
347
348         if(!cipher_active(n->incipher)) {
349                 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got packet from %s (%s) but he hasn't got our key yet", n->name, n->hostname);
350                 return;
351         }
352
353         /* Check packet length */
354
355         if(inpkt->len < sizeof inpkt->seqno + digest_length(n->indigest)) {
356                 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got too short packet from %s (%s)",
357                                         n->name, n->hostname);
358                 return;
359         }
360
361         /* Check the message authentication code */
362
363         if(digest_active(n->indigest)) {
364                 inpkt->len -= digest_length(n->indigest);
365                 if(!digest_verify(n->indigest, &inpkt->seqno, inpkt->len, (const char *)&inpkt->seqno + inpkt->len)) {
366                         logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got unauthenticated packet from %s (%s)", n->name, n->hostname);
367                         return;
368                 }
369         }
370         /* Decrypt the packet */
371
372         if(cipher_active(n->incipher)) {
373                 outpkt = pkt[nextpkt++];
374                 outlen = MAXSIZE;
375
376                 if(!cipher_decrypt(n->incipher, &inpkt->seqno, inpkt->len, &outpkt->seqno, &outlen, true)) {
377                         logger(DEBUG_TRAFFIC, LOG_DEBUG, "Error decrypting packet from %s (%s)", n->name, n->hostname);
378                         return;
379                 }
380
381                 outpkt->len = outlen;
382                 inpkt = outpkt;
383         }
384
385         /* Check the sequence number */
386
387         inpkt->len -= sizeof inpkt->seqno;
388         inpkt->seqno = ntohl(inpkt->seqno);
389
390         if(replaywin) {
391                 if(inpkt->seqno != n->received_seqno + 1) {
392                         if(inpkt->seqno >= n->received_seqno + replaywin * 8) {
393                                 if(n->farfuture++ < replaywin >> 2) {
394                                         logger(DEBUG_ALWAYS, LOG_WARNING, "Packet from %s (%s) is %d seqs in the future, dropped (%u)",
395                                                 n->name, n->hostname, inpkt->seqno - n->received_seqno - 1, n->farfuture);
396                                         return;
397                                 }
398                                 logger(DEBUG_ALWAYS, LOG_WARNING, "Lost %d packets from %s (%s)",
399                                                 inpkt->seqno - n->received_seqno - 1, n->name, n->hostname);
400                                 memset(n->late, 0, replaywin);
401                         } else if (inpkt->seqno <= n->received_seqno) {
402                                 if((n->received_seqno >= replaywin * 8 && inpkt->seqno <= n->received_seqno - replaywin * 8) || !(n->late[(inpkt->seqno / 8) % replaywin] & (1 << inpkt->seqno % 8))) {
403                                         logger(DEBUG_ALWAYS, LOG_WARNING, "Got late or replayed packet from %s (%s), seqno %d, last received %d",
404                                                 n->name, n->hostname, inpkt->seqno, n->received_seqno);
405                                         return;
406                                 }
407                         } else {
408                                 for(int i = n->received_seqno + 1; i < inpkt->seqno; i++)
409                                         n->late[(i / 8) % replaywin] |= 1 << i % 8;
410                         }
411                 }
412
413                 n->farfuture = 0;
414                 n->late[(inpkt->seqno / 8) % replaywin] &= ~(1 << inpkt->seqno % 8);
415         }
416
417         if(inpkt->seqno > n->received_seqno)
418                 n->received_seqno = inpkt->seqno;
419
420         n->received++;
421
422         if(n->received_seqno > MAX_SEQNO)
423                 regenerate_key();
424
425         /* Decompress the packet */
426
427         length_t origlen = inpkt->len;
428
429         if(n->incompression) {
430                 outpkt = pkt[nextpkt++];
431
432                 if((outpkt->len = uncompress_packet(outpkt->data, inpkt->data, inpkt->len, n->incompression)) < 0) {
433                         logger(DEBUG_TRAFFIC, LOG_ERR, "Error while uncompressing packet from %s (%s)",
434                                                  n->name, n->hostname);
435                         return;
436                 }
437
438                 inpkt = outpkt;
439
440                 origlen -= MTU/64 + 20;
441         }
442
443         inpkt->priority = 0;
444
445         if(!inpkt->data[12] && !inpkt->data[13])
446                 mtu_probe_h(n, inpkt, origlen);
447         else
448                 receive_packet(n, inpkt);
449 }
450
451 void receive_tcppacket(connection_t *c, const char *buffer, int len) {
452         vpn_packet_t outpkt;
453
454         if(len > sizeof outpkt.data)
455                 return;
456
457         outpkt.len = len;
458         if(c->options & OPTION_TCPONLY)
459                 outpkt.priority = 0;
460         else
461                 outpkt.priority = -1;
462         memcpy(outpkt.data, buffer, len);
463
464         receive_packet(c->node, &outpkt);
465 }
466
467 static void send_sptps_packet(node_t *n, vpn_packet_t *origpkt) {
468         if(!n->status.validkey) {
469                 logger(DEBUG_TRAFFIC, LOG_INFO, "No valid key known yet for %s (%s)", n->name, n->hostname);
470                 if(!n->status.waitingforkey)
471                         send_req_key(n);
472                 else if(n->last_req_key + 10 < now.tv_sec) {
473                         logger(DEBUG_ALWAYS, LOG_DEBUG, "No key from %s after 10 seconds, restarting SPTPS", n->name);
474                         sptps_stop(&n->sptps);
475                         n->status.waitingforkey = false;
476                         send_req_key(n);
477                 }
478                 return;
479         }
480
481         uint8_t type = 0;
482         int offset = 0;
483
484         if(!(origpkt->data[12] | origpkt->data[13])) {
485                 sptps_send_record(&n->sptps, PKT_PROBE, (char *)origpkt->data, origpkt->len);
486                 return;
487         }
488
489         if(routing_mode == RMODE_ROUTER)
490                 offset = 14;
491         else
492                 type = PKT_MAC;
493
494         if(origpkt->len < offset)
495                 return;
496
497         vpn_packet_t outpkt;
498
499         if(n->outcompression) {
500                 int len = compress_packet(outpkt.data + offset, origpkt->data + offset, origpkt->len - offset, n->outcompression);
501                 if(len < 0) {
502                         logger(DEBUG_TRAFFIC, LOG_ERR, "Error while compressing packet to %s (%s)", n->name, n->hostname);
503                 } else if(len < origpkt->len - offset) {
504                         outpkt.len = len + offset;
505                         origpkt = &outpkt;
506                         type |= PKT_COMPRESSED;
507                 }
508         }
509
510         sptps_send_record(&n->sptps, type, (char *)origpkt->data + offset, origpkt->len - offset);
511         return;
512 }
513
514 static void choose_udp_address(const node_t *n, const sockaddr_t **sa, int *sock) {
515         /* Latest guess */
516         *sa = &n->address;
517         *sock = n->sock;
518
519         /* If the UDP address is confirmed, use it. */
520         if(n->status.udp_confirmed)
521                 return;
522
523         /* Send every third packet to n->address; that could be set
524            to the node's reflexive UDP address discovered during key
525            exchange. */
526
527         static int x = 0;
528         if(++x >= 3) {
529                 x = 0;
530                 return;
531         }
532
533         /* Otherwise, address are found in edges to this node.
534            So we pick a random edge and a random socket. */
535
536         int i = 0;
537         int j = rand() % n->edge_tree->count;
538         edge_t *candidate = NULL;
539
540         for splay_each(edge_t, e, n->edge_tree) {
541                 if(i++ == j) {
542                         candidate = e->reverse;
543                         break;
544                 }
545         }
546
547         if(candidate) {
548                 *sa = &candidate->address;
549                 *sock = rand() % listen_sockets;
550         }
551
552         /* Make sure we have a suitable socket for the chosen address */
553         if(listen_socket[*sock].sa.sa.sa_family != (*sa)->sa.sa_family) {
554                 for(int i = 0; i < listen_sockets; i++) {
555                         if(listen_socket[i].sa.sa.sa_family == (*sa)->sa.sa_family) {
556                                 *sock = i;
557                                 break;
558                         }
559                 }
560         }
561 }
562
563 static void choose_broadcast_address(const node_t *n, const sockaddr_t **sa, int *sock) {
564         static sockaddr_t broadcast_ipv4 = {
565                 .in = {
566                         .sin_family = AF_INET,
567                         .sin_addr.s_addr = -1,
568                 }
569         };
570
571         static sockaddr_t broadcast_ipv6 = {
572                 .in6 = {
573                         .sin6_family = AF_INET6,
574                         .sin6_addr.s6_addr[0x0] = 0xff,
575                         .sin6_addr.s6_addr[0x1] = 0x02,
576                         .sin6_addr.s6_addr[0xf] = 0x01,
577                 }
578         };
579
580         *sock = rand() % listen_sockets;
581
582         if(listen_socket[*sock].sa.sa.sa_family == AF_INET6) {
583                 broadcast_ipv6.in6.sin6_port = n->prevedge->address.in.sin_port;
584                 broadcast_ipv6.in6.sin6_scope_id = listen_socket[*sock].sa.in6.sin6_scope_id;
585                 *sa = &broadcast_ipv6;
586         } else {
587                 broadcast_ipv4.in.sin_port = n->prevedge->address.in.sin_port;
588                 *sa = &broadcast_ipv4;
589         }
590 }
591
592 static void send_udppacket(node_t *n, vpn_packet_t *origpkt) {
593         vpn_packet_t pkt1, pkt2;
594         vpn_packet_t *pkt[] = { &pkt1, &pkt2, &pkt1, &pkt2 };
595         vpn_packet_t *inpkt = origpkt;
596         int nextpkt = 0;
597         vpn_packet_t *outpkt;
598         int origlen = origpkt->len;
599         size_t outlen;
600 #if defined(SOL_IP) && defined(IP_TOS)
601         static int priority = 0;
602 #endif
603         int origpriority = origpkt->priority;
604
605         if(!n->status.reachable) {
606                 logger(DEBUG_TRAFFIC, LOG_INFO, "Trying to send UDP packet to unreachable node %s (%s)", n->name, n->hostname);
607                 return;
608         }
609
610         if(n->status.sptps)
611                 return send_sptps_packet(n, origpkt);
612
613         /* Make sure we have a valid key */
614
615         if(!n->status.validkey) {
616                 logger(DEBUG_TRAFFIC, LOG_INFO,
617                                    "No valid key known yet for %s (%s), forwarding via TCP",
618                                    n->name, n->hostname);
619
620                 if(n->last_req_key + 10 <= now.tv_sec) {
621                         send_req_key(n);
622                         n->last_req_key = now.tv_sec;
623                 }
624
625                 send_tcppacket(n->nexthop->connection, origpkt);
626
627                 return;
628         }
629
630         if(n->options & OPTION_PMTU_DISCOVERY && inpkt->len > n->minmtu && (inpkt->data[12] | inpkt->data[13])) {
631                 logger(DEBUG_TRAFFIC, LOG_INFO,
632                                 "Packet for %s (%s) larger than minimum MTU, forwarding via %s",
633                                 n->name, n->hostname, n != n->nexthop ? n->nexthop->name : "TCP");
634
635                 if(n != n->nexthop)
636                         send_packet(n->nexthop, origpkt);
637                 else
638                         send_tcppacket(n->nexthop->connection, origpkt);
639
640                 return;
641         }
642
643         /* Compress the packet */
644
645         if(n->outcompression) {
646                 outpkt = pkt[nextpkt++];
647
648                 if((outpkt->len = compress_packet(outpkt->data, inpkt->data, inpkt->len, n->outcompression)) < 0) {
649                         logger(DEBUG_TRAFFIC, LOG_ERR, "Error while compressing packet to %s (%s)",
650                                    n->name, n->hostname);
651                         return;
652                 }
653
654                 inpkt = outpkt;
655         }
656
657         /* Add sequence number */
658
659         inpkt->seqno = htonl(++(n->sent_seqno));
660         inpkt->len += sizeof inpkt->seqno;
661
662         /* Encrypt the packet */
663
664         if(cipher_active(n->outcipher)) {
665                 outpkt = pkt[nextpkt++];
666                 outlen = MAXSIZE;
667
668                 if(!cipher_encrypt(n->outcipher, &inpkt->seqno, inpkt->len, &outpkt->seqno, &outlen, true)) {
669                         logger(DEBUG_TRAFFIC, LOG_ERR, "Error while encrypting packet to %s (%s)", n->name, n->hostname);
670                         goto end;
671                 }
672
673                 outpkt->len = outlen;
674                 inpkt = outpkt;
675         }
676
677         /* Add the message authentication code */
678
679         if(digest_active(n->outdigest)) {
680                 if(!digest_create(n->outdigest, &inpkt->seqno, inpkt->len, (char *)&inpkt->seqno + inpkt->len)) {
681                         logger(DEBUG_TRAFFIC, LOG_ERR, "Error while encrypting packet to %s (%s)", n->name, n->hostname);
682                         goto end;
683                 }
684
685                 inpkt->len += digest_length(n->outdigest);
686         }
687
688         /* Send the packet */
689
690         const sockaddr_t *sa;
691         int sock;
692
693         /* Overloaded use of priority field: -1 means local broadcast */
694
695         if(origpriority == -1 && n->prevedge)
696                 choose_broadcast_address(n, &sa, &sock);
697         else
698                 choose_udp_address(n, &sa, &sock);
699
700 #if defined(SOL_IP) && defined(IP_TOS)
701         if(priorityinheritance && origpriority != priority
702            && listen_socket[n->sock].sa.sa.sa_family == AF_INET) {
703                 priority = origpriority;
704                 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Setting outgoing packet priority to %d", priority);
705                 if(setsockopt(listen_socket[n->sock].udp.fd, SOL_IP, IP_TOS, &priority, sizeof(priority))) /* SO_PRIORITY doesn't seem to work */
706                         logger(DEBUG_ALWAYS, LOG_ERR, "System call `%s' failed: %s", "setsockopt", strerror(errno));
707         }
708 #endif
709
710         if(sendto(listen_socket[sock].udp.fd, (char *) &inpkt->seqno, inpkt->len, 0, &sa->sa, SALEN(sa->sa)) < 0 && !sockwouldblock(sockerrno)) {
711                 if(sockmsgsize(sockerrno)) {
712                         if(n->maxmtu >= origlen)
713                                 n->maxmtu = origlen - 1;
714                         if(n->mtu >= origlen)
715                                 n->mtu = origlen - 1;
716                 } else
717                         logger(DEBUG_TRAFFIC, LOG_WARNING, "Error sending packet to %s (%s): %s", n->name, n->hostname, sockstrerror(sockerrno));
718         }
719
720 end:
721         origpkt->len = origlen;
722 }
723
724 bool send_sptps_data(void *handle, uint8_t type, const char *data, size_t len) {
725         node_t *to = handle;
726
727         /* Send it via TCP if it is a handshake packet, TCPOnly is in use, or this packet is larger than the MTU. */
728
729         if(type >= SPTPS_HANDSHAKE || ((myself->options | to->options) & OPTION_TCPONLY) || (type != PKT_PROBE && len > to->minmtu)) {
730                 char buf[len * 4 / 3 + 5];
731                 b64encode(data, buf, len);
732                 /* If no valid key is known yet, send the packets using ANS_KEY requests,
733                    to ensure we get to learn the reflexive UDP address. */
734                 if(!to->status.validkey)
735                         return send_request(to->nexthop->connection, "%d %s %s %s -1 -1 -1 %d", ANS_KEY, myself->name, to->name, buf, myself->incompression);
736                 else
737                         return send_request(to->nexthop->connection, "%d %s %s %d %s", REQ_KEY, myself->name, to->name, REQ_SPTPS, buf);
738         }
739
740         /* Otherwise, send the packet via UDP */
741
742         const sockaddr_t *sa;
743         int sock;
744
745         choose_udp_address(to, &sa, &sock);
746
747         if(sendto(listen_socket[sock].udp.fd, data, len, 0, &sa->sa, SALEN(sa->sa)) < 0 && !sockwouldblock(sockerrno)) {
748                 if(sockmsgsize(sockerrno)) {
749                         if(to->maxmtu >= len)
750                                 to->maxmtu = len - 1;
751                         if(to->mtu >= len)
752                                 to->mtu = len - 1;
753                 } else {
754                         logger(DEBUG_TRAFFIC, LOG_WARNING, "Error sending UDP SPTPS packet to %s (%s): %s", to->name, to->hostname, sockstrerror(sockerrno));
755                         return false;
756                 }
757         }
758
759         return true;
760 }
761
762 bool receive_sptps_record(void *handle, uint8_t type, const char *data, uint16_t len) {
763         node_t *from = handle;
764
765         if(type == SPTPS_HANDSHAKE) {
766                 if(!from->status.validkey) {
767                         from->status.validkey = true;
768                         from->status.waitingforkey = false;
769                         logger(DEBUG_META, LOG_INFO, "SPTPS key exchange with %s (%s) succesful", from->name, from->hostname);
770                 }
771                 return true;
772         }
773
774         if(len > MTU) {
775                 logger(DEBUG_ALWAYS, LOG_ERR, "Packet from %s (%s) larger than maximum supported size (%d > %d)", from->name, from->hostname, len, MTU);
776                 return false;
777         }
778
779         vpn_packet_t inpkt;
780
781         if(type == PKT_PROBE) {
782                 inpkt.len = len;
783                 memcpy(inpkt.data, data, len);
784                 mtu_probe_h(from, &inpkt, len);
785                 return true;
786         }
787
788         if(type & ~(PKT_COMPRESSED | PKT_MAC)) {
789                 logger(DEBUG_ALWAYS, LOG_ERR, "Unexpected SPTPS record type %d len %d from %s (%s)", type, len, from->name, from->hostname);
790                 return false;
791         }
792
793         /* Check if we have the headers we need */
794         if(routing_mode != RMODE_ROUTER && !(type & PKT_MAC)) {
795                 logger(DEBUG_TRAFFIC, LOG_ERR, "Received packet from %s (%s) without MAC header (maybe Mode is not set correctly)", from->name, from->hostname);
796                 return false;
797         } else if(routing_mode == RMODE_ROUTER && (type & PKT_MAC)) {
798                 logger(DEBUG_TRAFFIC, LOG_WARNING, "Received packet from %s (%s) with MAC header (maybe Mode is not set correctly)", from->name, from->hostname);
799         }
800
801         int offset = (type & PKT_MAC) ? 0 : 14;
802         if(type & PKT_COMPRESSED) {
803                 length_t ulen = uncompress_packet(inpkt.data + offset, (const uint8_t *)data, len, from->incompression);
804                 if(ulen < 0) {
805                         return false;
806                 } else {
807                         inpkt.len = ulen + offset;
808                 }
809                 if(inpkt.len > MAXSIZE)
810                         abort();
811         } else {
812                 memcpy(inpkt.data + offset, data, len);
813                 inpkt.len = len + offset;
814         }
815
816         /* Generate the Ethernet packet type if necessary */
817         if(offset) {
818                 switch(inpkt.data[14] >> 4) {
819                         case 4:
820                                 inpkt.data[12] = 0x08;
821                                 inpkt.data[13] = 0x00;
822                                 break;
823                         case 6:
824                                 inpkt.data[12] = 0x86;
825                                 inpkt.data[13] = 0xDD;
826                                 break;
827                         default:
828                                 logger(DEBUG_TRAFFIC, LOG_ERR,
829                                                    "Unknown IP version %d while reading packet from %s (%s)",
830                                                    inpkt.data[14] >> 4, from->name, from->hostname);
831                                 return false;
832                 }
833         }
834
835         receive_packet(from, &inpkt);
836         return true;
837 }
838
839 /*
840   send a packet to the given vpn ip.
841 */
842 void send_packet(node_t *n, vpn_packet_t *packet) {
843         node_t *via;
844
845         if(n == myself) {
846                 if(overwrite_mac)
847                          memcpy(packet->data, mymac.x, ETH_ALEN);
848                 n->out_packets++;
849                 n->out_bytes += packet->len;
850                 devops.write(packet);
851                 return;
852         }
853
854         logger(DEBUG_TRAFFIC, LOG_ERR, "Sending packet of %d bytes to %s (%s)",
855                            packet->len, n->name, n->hostname);
856
857         if(!n->status.reachable) {
858                 logger(DEBUG_TRAFFIC, LOG_INFO, "Node %s (%s) is not reachable",
859                                    n->name, n->hostname);
860                 return;
861         }
862
863         n->out_packets++;
864         n->out_bytes += packet->len;
865
866         if(n->status.sptps) {
867                 send_sptps_packet(n, packet);
868                 return;
869         }
870
871         via = (packet->priority == -1 || n->via == myself) ? n->nexthop : n->via;
872
873         if(via != n)
874                 logger(DEBUG_TRAFFIC, LOG_INFO, "Sending packet to %s via %s (%s)",
875                            n->name, via->name, n->via->hostname);
876
877         if(packet->priority == -1 || ((myself->options | via->options) & OPTION_TCPONLY)) {
878                 if(!send_tcppacket(via->connection, packet))
879                         terminate_connection(via->connection, true);
880         } else
881                 send_udppacket(via, packet);
882 }
883
884 /* Broadcast a packet using the minimum spanning tree */
885
886 void broadcast_packet(const node_t *from, vpn_packet_t *packet) {
887         // Always give ourself a copy of the packet.
888         if(from != myself)
889                 send_packet(myself, packet);
890
891         // In TunnelServer mode, do not forward broadcast packets.
892         // The MST might not be valid and create loops.
893         if(tunnelserver || broadcast_mode == BMODE_NONE)
894                 return;
895
896         logger(DEBUG_TRAFFIC, LOG_INFO, "Broadcasting packet of %d bytes from %s (%s)",
897                            packet->len, from->name, from->hostname);
898
899         switch(broadcast_mode) {
900                 // In MST mode, broadcast packets travel via the Minimum Spanning Tree.
901                 // This guarantees all nodes receive the broadcast packet, and
902                 // usually distributes the sending of broadcast packets over all nodes.
903                 case BMODE_MST:
904                         for list_each(connection_t, c, connection_list)
905                                 if(c->status.active && c->status.mst && c != from->nexthop->connection)
906                                         send_packet(c->node, packet);
907                         break;
908
909                 // In direct mode, we send copies to each node we know of.
910                 // However, this only reaches nodes that can be reached in a single hop.
911                 // We don't have enough information to forward broadcast packets in this case.
912                 case BMODE_DIRECT:
913                         if(from != myself)
914                                 break;
915
916                         for splay_each(node_t, n, node_tree)
917                                 if(n->status.reachable && ((n->via == myself && n->nexthop == n) || n->via == n))
918                                         send_packet(n, packet);
919                         break;
920
921                 default:
922                         break;
923         }
924 }
925
926 static node_t *try_harder(const sockaddr_t *from, const vpn_packet_t *pkt) {
927         node_t *n = NULL;
928         bool hard = false;
929         static time_t last_hard_try = 0;
930
931         for splay_each(edge_t, e, edge_weight_tree) {
932                 if(!e->to->status.reachable || e->to == myself)
933                         continue;
934
935                 if(sockaddrcmp_noport(from, &e->address)) {
936                         if(last_hard_try == now.tv_sec)
937                                 continue;
938                         hard = true;
939                 }
940
941                 if(!try_mac(e->to, pkt))
942                         continue;
943
944                 n = e->to;
945                 break;
946         }
947
948         if(hard)
949                 last_hard_try = now.tv_sec;
950
951         last_hard_try = now.tv_sec;
952         return n;
953 }
954
955 void handle_incoming_vpn_data(void *data, int flags) {
956         listen_socket_t *ls = data;
957         vpn_packet_t pkt;
958         char *hostname;
959         sockaddr_t from = {{0}};
960         socklen_t fromlen = sizeof from;
961         node_t *n;
962         int len;
963
964         len = recvfrom(ls->udp.fd, (char *) &pkt.seqno, MAXSIZE, 0, &from.sa, &fromlen);
965
966         if(len <= 0 || len > MAXSIZE) {
967                 if(!sockwouldblock(sockerrno))
968                         logger(DEBUG_ALWAYS, LOG_ERR, "Receiving packet failed: %s", sockstrerror(sockerrno));
969                 return;
970         }
971
972         pkt.len = len;
973
974         sockaddrunmap(&from); /* Some braindead IPv6 implementations do stupid things. */
975
976         n = lookup_node_udp(&from);
977
978         if(!n) {
979                 n = try_harder(&from, &pkt);
980                 if(n)
981                         update_node_udp(n, &from);
982                 else if(debug_level >= DEBUG_PROTOCOL) {
983                         hostname = sockaddr2hostname(&from);
984                         logger(DEBUG_PROTOCOL, LOG_WARNING, "Received UDP packet from unknown source %s", hostname);
985                         free(hostname);
986                         return;
987                 }
988                 else
989                         return;
990         }
991
992         n->sock = ls - listen_socket;
993
994         receive_udppacket(n, &pkt);
995 }
996
997 void handle_device_data(void *data, int flags) {
998         vpn_packet_t packet;
999
1000         packet.priority = 0;
1001
1002         if(devops.read(&packet)) {
1003                 myself->in_packets++;
1004                 myself->in_bytes += packet.len;
1005                 route(myself, &packet);
1006         }
1007 }