-void send_udppacket(node_t *n, vpn_packet_t *inpkt)
-{
- vpn_packet_t pkt1, pkt2;
- vpn_packet_t *pkt[] = {&pkt1, &pkt2, &pkt1, &pkt2};
- int nextpkt = 0;
- vpn_packet_t *outpkt;
- int origlen;
- int outlen, outpad;
- long int complen = MTU + 12;
- EVP_CIPHER_CTX ctx;
- vpn_packet_t *copy;
-cp
- if(!n->status.validkey)
- {
- if(debug_lvl >= DEBUG_TRAFFIC)
- syslog(LOG_INFO, _("No valid key known yet for %s (%s), queueing packet"),
- n->name, n->hostname);
-
- /* Since packet is on the stack of handle_tap_input(),
- we have to make a copy of it first. */
-
- copy = xmalloc(sizeof(vpn_packet_t));
- memcpy(copy, inpkt, sizeof(vpn_packet_t));
-
- list_insert_tail(n->queue, copy);
-
- if(!n->status.waitingforkey)
- send_req_key(n->nexthop->connection, myself, n);
-
- return;
- }
-
- origlen = inpkt->len;
-
- /* Compress the packet */
-
- if(n->compression)
- {
- outpkt = pkt[nextpkt++];
-
- if(compress2(outpkt->data, &complen, inpkt->data, inpkt->len, n->compression) != Z_OK)
- {
- syslog(LOG_ERR, _("Error while compressing packet to %s (%s)"), n->name, n->hostname);
- return;
- }
-
- outpkt->len = complen;
- inpkt = outpkt;
- }
-
- /* Add sequence number */
-
- inpkt->seqno = htonl(++(n->sent_seqno));
- inpkt->len += sizeof(inpkt->seqno);
-
- /* Encrypt the packet */
-
- if(n->cipher)
- {
- outpkt = pkt[nextpkt++];
-
- EVP_EncryptInit(&ctx, n->cipher, n->key, n->key + n->cipher->key_len);
- EVP_EncryptUpdate(&ctx, (char *)&outpkt->seqno, &outlen, (char *)&inpkt->seqno, inpkt->len);
- EVP_EncryptFinal(&ctx, (char *)&outpkt->seqno + outlen, &outpad);
-
- outpkt->len = outlen + outpad;
- inpkt = outpkt;
- }
-
- /* Add the message authentication code */
-
- if(n->digest && n->maclength)
- {
- HMAC(n->digest, n->key, n->keylength, (char *)&inpkt->seqno, inpkt->len, (char *)&inpkt->seqno + inpkt->len, &outlen);
- inpkt->len += n->maclength;
- }
-
- /* Send the packet */
-
- if((sendto(udp_socket, (char *)&inpkt->seqno, inpkt->len, 0, &(n->address.sa), SALEN(n->address.sa))) < 0)
- {
- syslog(LOG_ERR, _("Error sending packet to %s (%s): %s"),
- n->name, n->hostname, strerror(errno));
- return;
- }
-
- inpkt->len = origlen;
-cp
+static void choose_broadcast_address(const node_t *n, const sockaddr_t **sa, int *sock) {
+ static sockaddr_t broadcast_ipv4 = {
+ .in = {
+ .sin_family = AF_INET,
+ .sin_addr.s_addr = -1,
+ }
+ };
+
+ static sockaddr_t broadcast_ipv6 = {
+ .in6 = {
+ .sin6_family = AF_INET6,
+ .sin6_addr.s6_addr[0x0] = 0xff,
+ .sin6_addr.s6_addr[0x1] = 0x02,
+ .sin6_addr.s6_addr[0xf] = 0x01,
+ }
+ };
+
+ *sock = rand() % listen_sockets;
+
+ if(listen_socket[*sock].sa.sa.sa_family == AF_INET6) {
+ if(localdiscovery_address.sa.sa_family == AF_INET6) {
+ localdiscovery_address.in6.sin6_port = n->prevedge->address.in.sin_port;
+ *sa = &localdiscovery_address;
+ } else {
+ broadcast_ipv6.in6.sin6_port = n->prevedge->address.in.sin_port;
+ broadcast_ipv6.in6.sin6_scope_id = listen_socket[*sock].sa.in6.sin6_scope_id;
+ *sa = &broadcast_ipv6;
+ }
+ } else {
+ if(localdiscovery_address.sa.sa_family == AF_INET) {
+ localdiscovery_address.in.sin_port = n->prevedge->address.in.sin_port;
+ *sa = &localdiscovery_address;
+ } else {
+ broadcast_ipv4.in.sin_port = n->prevedge->address.in.sin_port;
+ *sa = &broadcast_ipv4;
+ }
+ }
+}
+
+static void send_udppacket(node_t *n, vpn_packet_t *origpkt) {
+ vpn_packet_t pkt1, pkt2;
+ vpn_packet_t *pkt[] = { &pkt1, &pkt2, &pkt1, &pkt2 };
+ vpn_packet_t *inpkt = origpkt;
+ int nextpkt = 0;
+ vpn_packet_t *outpkt;
+ int origlen = origpkt->len;
+ size_t outlen;
+#if defined(SOL_IP) && defined(IP_TOS)
+ static int priority = 0;
+#endif
+ int origpriority = origpkt->priority;
+
+ if(!n->status.reachable) {
+ logger(DEBUG_TRAFFIC, LOG_INFO, "Trying to send UDP packet to unreachable node %s (%s)", n->name, n->hostname);
+ return;
+ }
+
+ if(n->status.sptps)
+ return send_sptps_packet(n, origpkt);
+
+ /* Make sure we have a valid key */
+
+ if(!n->status.validkey) {
+ logger(DEBUG_TRAFFIC, LOG_INFO,
+ "No valid key known yet for %s (%s), forwarding via TCP",
+ n->name, n->hostname);
+
+ if(n->last_req_key + 10 <= now.tv_sec) {
+ send_req_key(n);
+ n->last_req_key = now.tv_sec;
+ }
+
+ send_tcppacket(n->nexthop->connection, origpkt);
+
+ return;
+ }
+
+ if(n->options & OPTION_PMTU_DISCOVERY && inpkt->len > n->minmtu && (inpkt->data[12] | inpkt->data[13])) {
+ logger(DEBUG_TRAFFIC, LOG_INFO,
+ "Packet for %s (%s) larger than minimum MTU, forwarding via %s",
+ n->name, n->hostname, n != n->nexthop ? n->nexthop->name : "TCP");
+
+ if(n != n->nexthop)
+ send_packet(n->nexthop, origpkt);
+ else
+ send_tcppacket(n->nexthop->connection, origpkt);
+
+ return;
+ }
+
+ /* Compress the packet */
+
+ if(n->outcompression) {
+ outpkt = pkt[nextpkt++];
+
+ if((outpkt->len = compress_packet(outpkt->data, inpkt->data, inpkt->len, n->outcompression)) < 0) {
+ logger(DEBUG_TRAFFIC, LOG_ERR, "Error while compressing packet to %s (%s)",
+ n->name, n->hostname);
+ return;
+ }
+
+ inpkt = outpkt;
+ }
+
+ /* Add sequence number */
+
+ inpkt->seqno = htonl(++(n->sent_seqno));
+ inpkt->len += sizeof inpkt->seqno;
+
+ /* Encrypt the packet */
+
+ if(cipher_active(n->outcipher)) {
+ outpkt = pkt[nextpkt++];
+ outlen = MAXSIZE;
+
+ if(!cipher_encrypt(n->outcipher, &inpkt->seqno, inpkt->len, &outpkt->seqno, &outlen, true)) {
+ logger(DEBUG_TRAFFIC, LOG_ERR, "Error while encrypting packet to %s (%s)", n->name, n->hostname);
+ goto end;
+ }
+
+ outpkt->len = outlen;
+ inpkt = outpkt;
+ }
+
+ /* Add the message authentication code */
+
+ if(digest_active(n->outdigest)) {
+ if(!digest_create(n->outdigest, &inpkt->seqno, inpkt->len, (char *)&inpkt->seqno + inpkt->len)) {
+ logger(DEBUG_TRAFFIC, LOG_ERR, "Error while encrypting packet to %s (%s)", n->name, n->hostname);
+ goto end;
+ }
+
+ inpkt->len += digest_length(n->outdigest);
+ }
+
+ /* Send the packet */
+
+ const sockaddr_t *sa;
+ int sock;
+
+ /* Overloaded use of priority field: -1 means local broadcast */
+
+ if(origpriority == -1 && n->prevedge)
+ choose_broadcast_address(n, &sa, &sock);
+ else
+ choose_udp_address(n, &sa, &sock);
+
+#if defined(SOL_IP) && defined(IP_TOS)
+ if(priorityinheritance && origpriority != priority
+ && listen_socket[n->sock].sa.sa.sa_family == AF_INET) {
+ priority = origpriority;
+ logger(DEBUG_TRAFFIC, LOG_DEBUG, "Setting outgoing packet priority to %d", priority);
+ if(setsockopt(listen_socket[n->sock].udp.fd, SOL_IP, IP_TOS, &priority, sizeof(priority))) /* SO_PRIORITY doesn't seem to work */
+ logger(DEBUG_ALWAYS, LOG_ERR, "System call `%s' failed: %s", "setsockopt", strerror(errno));
+ }
+#endif
+
+ if(sendto(listen_socket[sock].udp.fd, (char *) &inpkt->seqno, inpkt->len, 0, &sa->sa, SALEN(sa->sa)) < 0 && !sockwouldblock(sockerrno)) {
+ if(sockmsgsize(sockerrno)) {
+ if(n->maxmtu >= origlen)
+ n->maxmtu = origlen - 1;
+ if(n->mtu >= origlen)
+ n->mtu = origlen - 1;
+ } else
+ logger(DEBUG_TRAFFIC, LOG_WARNING, "Error sending packet to %s (%s): %s", n->name, n->hostname, sockstrerror(sockerrno));
+ }
+
+end:
+ origpkt->len = origlen;
+}
+
+bool send_sptps_data(void *handle, uint8_t type, const char *data, size_t len) {
+ node_t *to = handle;
+
+ /* Send it via TCP if it is a handshake packet, TCPOnly is in use, or this packet is larger than the MTU. */
+
+ if(type >= SPTPS_HANDSHAKE || ((myself->options | to->options) & OPTION_TCPONLY) || (type != PKT_PROBE && len > to->minmtu)) {
+ char buf[len * 4 / 3 + 5];
+ b64encode(data, buf, len);
+ /* If no valid key is known yet, send the packets using ANS_KEY requests,
+ to ensure we get to learn the reflexive UDP address. */
+ if(!to->status.validkey) {
+ to->incompression = myself->incompression;
+ return send_request(to->nexthop->connection, "%d %s %s %s -1 -1 -1 %d", ANS_KEY, myself->name, to->name, buf, to->incompression);
+ } else {
+ return send_request(to->nexthop->connection, "%d %s %s %d %s", REQ_KEY, myself->name, to->name, REQ_SPTPS, buf);
+ }
+ }
+
+ /* Otherwise, send the packet via UDP */
+
+ const sockaddr_t *sa;
+ int sock;
+
+ choose_udp_address(to, &sa, &sock);
+
+ if(sendto(listen_socket[sock].udp.fd, data, len, 0, &sa->sa, SALEN(sa->sa)) < 0 && !sockwouldblock(sockerrno)) {
+ if(sockmsgsize(sockerrno)) {
+ if(to->maxmtu >= len)
+ to->maxmtu = len - 1;
+ if(to->mtu >= len)
+ to->mtu = len - 1;
+ } else {
+ logger(DEBUG_TRAFFIC, LOG_WARNING, "Error sending UDP SPTPS packet to %s (%s): %s", to->name, to->hostname, sockstrerror(sockerrno));
+ return false;
+ }
+ }
+
+ return true;
+}
+
+bool receive_sptps_record(void *handle, uint8_t type, const char *data, uint16_t len) {
+ node_t *from = handle;
+
+ if(type == SPTPS_HANDSHAKE) {
+ if(!from->status.validkey) {
+ from->status.validkey = true;
+ from->status.waitingforkey = false;
+ logger(DEBUG_META, LOG_INFO, "SPTPS key exchange with %s (%s) succesful", from->name, from->hostname);
+ }
+ return true;
+ }
+
+ if(len > MTU) {
+ logger(DEBUG_ALWAYS, LOG_ERR, "Packet from %s (%s) larger than maximum supported size (%d > %d)", from->name, from->hostname, len, MTU);
+ return false;
+ }
+
+ vpn_packet_t inpkt;
+
+ if(type == PKT_PROBE) {
+ inpkt.len = len;
+ memcpy(inpkt.data, data, len);
+ mtu_probe_h(from, &inpkt, len);
+ return true;
+ }
+
+ if(type & ~(PKT_COMPRESSED | PKT_MAC)) {
+ logger(DEBUG_ALWAYS, LOG_ERR, "Unexpected SPTPS record type %d len %d from %s (%s)", type, len, from->name, from->hostname);
+ return false;
+ }
+
+ /* Check if we have the headers we need */
+ if(routing_mode != RMODE_ROUTER && !(type & PKT_MAC)) {
+ logger(DEBUG_TRAFFIC, LOG_ERR, "Received packet from %s (%s) without MAC header (maybe Mode is not set correctly)", from->name, from->hostname);
+ return false;
+ } else if(routing_mode == RMODE_ROUTER && (type & PKT_MAC)) {
+ logger(DEBUG_TRAFFIC, LOG_WARNING, "Received packet from %s (%s) with MAC header (maybe Mode is not set correctly)", from->name, from->hostname);
+ }
+
+ int offset = (type & PKT_MAC) ? 0 : 14;
+ if(type & PKT_COMPRESSED) {
+ length_t ulen = uncompress_packet(inpkt.data + offset, (const uint8_t *)data, len, from->incompression);
+ if(ulen < 0) {
+ return false;
+ } else {
+ inpkt.len = ulen + offset;
+ }
+ if(inpkt.len > MAXSIZE)
+ abort();
+ } else {
+ memcpy(inpkt.data + offset, data, len);
+ inpkt.len = len + offset;
+ }
+
+ /* Generate the Ethernet packet type if necessary */
+ if(offset) {
+ switch(inpkt.data[14] >> 4) {
+ case 4:
+ inpkt.data[12] = 0x08;
+ inpkt.data[13] = 0x00;
+ break;
+ case 6:
+ inpkt.data[12] = 0x86;
+ inpkt.data[13] = 0xDD;
+ break;
+ default:
+ logger(DEBUG_TRAFFIC, LOG_ERR,
+ "Unknown IP version %d while reading packet from %s (%s)",
+ inpkt.data[14] >> 4, from->name, from->hostname);
+ return false;
+ }
+ }
+
+ receive_packet(from, &inpkt);
+ return true;