-void receive_udppacket(node_t *n, vpn_packet_t *inpkt)
-{
- vpn_packet_t pkt1, pkt2;
- vpn_packet_t *pkt[] = {&pkt1, &pkt2, &pkt1, &pkt2};
- int nextpkt = 0;
- vpn_packet_t *outpkt = pkt[0];
- int outlen, outpad;
- long int complen = MTU + 12;
- EVP_CIPHER_CTX ctx;
- char hmac[EVP_MAX_MD_SIZE];
-cp
- /* Check the message authentication code */
-
- if(myself->digest && myself->maclength)
- {
- inpkt->len -= myself->maclength;
- HMAC(myself->digest, myself->key, myself->keylength, (char *)&inpkt->seqno, inpkt->len, hmac, NULL);
- if(memcmp(hmac, (char *)&inpkt->seqno + inpkt->len, myself->maclength))
- {
- syslog(LOG_DEBUG, _("Got unauthenticated packet from %s (%s)"), n->name, n->hostname);
- return;
- }
- }
-
- /* Decrypt the packet */
-
- if(myself->cipher)
- {
- outpkt = pkt[nextpkt++];
-
- EVP_DecryptInit(&ctx, myself->cipher, myself->key, myself->key + myself->cipher->key_len);
- EVP_DecryptUpdate(&ctx, (char *)&outpkt->seqno, &outlen, (char *)&inpkt->seqno, inpkt->len);
- EVP_DecryptFinal(&ctx, (char *)&outpkt->seqno + outlen, &outpad);
-
- outpkt->len = outlen + outpad;
- inpkt = outpkt;
- }
-
- /* Check the sequence number */
-
- inpkt->len -= sizeof(inpkt->seqno);
- inpkt->seqno = ntohl(inpkt->seqno);
-
- if(inpkt->seqno <= n->received_seqno)
- {
- syslog(LOG_DEBUG, _("Got late or replayed packet from %s (%s), seqno %d"), n->name, n->hostname, inpkt->seqno);
- return;
- }
-
- n->received_seqno = inpkt->seqno;
-
- if(n->received_seqno > MAX_SEQNO)
- keyexpires = 0;
-
- /* Decompress the packet */
-
- if(myself->compression)
- {
- outpkt = pkt[nextpkt++];
-
- if(uncompress(outpkt->data, &complen, inpkt->data, inpkt->len) != Z_OK)
- {
- syslog(LOG_ERR, _("Error while uncompressing packet from %s (%s)"), n->name, n->hostname);
- return;
- }
-
- outpkt->len = complen;
- inpkt = outpkt;
- }
-
- receive_packet(n, inpkt);
-cp
+static void receive_packet(node_t *n, vpn_packet_t *packet) {
+ logger(DEBUG_TRAFFIC, LOG_DEBUG, "Received packet of %d bytes from %s (%s)",
+ packet->len, n->name, n->hostname);
+
+ n->in_packets++;
+ n->in_bytes += packet->len;
+
+ route(n, packet);
+}
+
+static bool try_mac(node_t *n, const vpn_packet_t *inpkt) {
+ if(n->status.sptps)
+ return sptps_verify_datagram(&n->sptps, DATA(inpkt), inpkt->len);
+
+ if(!digest_active(n->indigest) || inpkt->len < sizeof(seqno_t) + digest_length(n->indigest))
+ return false;
+
+ return digest_verify(n->indigest, SEQNO(inpkt), inpkt->len - digest_length(n->indigest), DATA(inpkt) + inpkt->len - digest_length(n->indigest));
+}
+
+static bool receive_udppacket(node_t *n, vpn_packet_t *inpkt) {
+ vpn_packet_t pkt1, pkt2;
+ vpn_packet_t *pkt[] = { &pkt1, &pkt2, &pkt1, &pkt2 };
+ int nextpkt = 0;
+ size_t outlen;
+ pkt1.offset = DEFAULT_PACKET_OFFSET;
+ pkt2.offset = DEFAULT_PACKET_OFFSET;
+
+ if(n->status.sptps) {
+ if(!n->sptps.state) {
+ if(!n->status.waitingforkey) {
+ logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got packet from %s (%s) but we haven't exchanged keys yet", n->name, n->hostname);
+ send_req_key(n);
+ } else {
+ logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got packet from %s (%s) but he hasn't got our key yet", n->name, n->hostname);
+ }
+ return false;
+ }
+ inpkt->offset += 2 * sizeof(node_id_t);
+ if(!sptps_receive_data(&n->sptps, DATA(inpkt), inpkt->len - 2 * sizeof(node_id_t))) {
+ logger(DEBUG_TRAFFIC, LOG_ERR, "Got bad packet from %s (%s)", n->name, n->hostname);
+ return false;
+ }
+ return true;
+ }
+
+ if(!n->status.validkey) {
+ logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got packet from %s (%s) but he hasn't got our key yet", n->name, n->hostname);
+ return false;
+ }
+
+ /* Check packet length */
+
+ if(inpkt->len < sizeof(seqno_t) + digest_length(n->indigest)) {
+ logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got too short packet from %s (%s)",
+ n->name, n->hostname);
+ return false;
+ }
+
+ /* It's a legacy UDP packet, the data starts after the seqno */
+
+ inpkt->offset += sizeof(seqno_t);
+
+ /* Check the message authentication code */
+
+ if(digest_active(n->indigest)) {
+ inpkt->len -= digest_length(n->indigest);
+ if(!digest_verify(n->indigest, SEQNO(inpkt), inpkt->len, SEQNO(inpkt) + inpkt->len)) {
+ logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got unauthenticated packet from %s (%s)", n->name, n->hostname);
+ return false;
+ }
+ }
+ /* Decrypt the packet */
+
+ if(cipher_active(n->incipher)) {
+ vpn_packet_t *outpkt = pkt[nextpkt++];
+ outlen = MAXSIZE;
+
+ if(!cipher_decrypt(n->incipher, SEQNO(inpkt), inpkt->len, SEQNO(outpkt), &outlen, true)) {
+ logger(DEBUG_TRAFFIC, LOG_DEBUG, "Error decrypting packet from %s (%s)", n->name, n->hostname);
+ return false;
+ }
+
+ outpkt->len = outlen;
+ inpkt = outpkt;
+ }
+
+ /* Check the sequence number */
+
+ seqno_t seqno;
+ memcpy(&seqno, SEQNO(inpkt), sizeof seqno);
+ seqno = ntohl(seqno);
+ inpkt->len -= sizeof seqno;
+
+ if(replaywin) {
+ if(seqno != n->received_seqno + 1) {
+ if(seqno >= n->received_seqno + replaywin * 8) {
+ if(n->farfuture++ < replaywin >> 2) {
+ logger(DEBUG_ALWAYS, LOG_WARNING, "Packet from %s (%s) is %d seqs in the future, dropped (%u)",
+ n->name, n->hostname, seqno - n->received_seqno - 1, n->farfuture);
+ return false;
+ }
+ logger(DEBUG_ALWAYS, LOG_WARNING, "Lost %d packets from %s (%s)",
+ seqno - n->received_seqno - 1, n->name, n->hostname);
+ memset(n->late, 0, replaywin);
+ } else if (seqno <= n->received_seqno) {
+ if((n->received_seqno >= replaywin * 8 && seqno <= n->received_seqno - replaywin * 8) || !(n->late[(seqno / 8) % replaywin] & (1 << seqno % 8))) {
+ logger(DEBUG_ALWAYS, LOG_WARNING, "Got late or replayed packet from %s (%s), seqno %d, last received %d",
+ n->name, n->hostname, seqno, n->received_seqno);
+ return false;
+ }
+ } else {
+ for(int i = n->received_seqno + 1; i < seqno; i++)
+ n->late[(i / 8) % replaywin] |= 1 << i % 8;
+ }
+ }
+
+ n->farfuture = 0;
+ n->late[(seqno / 8) % replaywin] &= ~(1 << seqno % 8);
+ }
+
+ if(seqno > n->received_seqno)
+ n->received_seqno = seqno;
+
+ n->received++;
+
+ if(n->received_seqno > MAX_SEQNO)
+ regenerate_key();
+
+ /* Decompress the packet */
+
+ length_t origlen = inpkt->len;
+
+ if(n->incompression) {
+ vpn_packet_t *outpkt = pkt[nextpkt++];
+
+ if((outpkt->len = uncompress_packet(DATA(outpkt), DATA(inpkt), inpkt->len, n->incompression)) < 0) {
+ logger(DEBUG_TRAFFIC, LOG_ERR, "Error while uncompressing packet from %s (%s)",
+ n->name, n->hostname);
+ return false;
+ }
+
+ inpkt = outpkt;
+
+ origlen -= MTU/64 + 20;
+ }
+
+ inpkt->priority = 0;
+
+ if(!DATA(inpkt)[12] && !DATA(inpkt)[13])
+ mtu_probe_h(n, inpkt, origlen);
+ else
+ receive_packet(n, inpkt);
+ return true;
+}
+
+void receive_tcppacket(connection_t *c, const char *buffer, int len) {
+ vpn_packet_t outpkt;
+ outpkt.offset = DEFAULT_PACKET_OFFSET;
+
+ if(len > sizeof outpkt.data - outpkt.offset)
+ return;
+
+ outpkt.len = len;
+ if(c->options & OPTION_TCPONLY)
+ outpkt.priority = 0;
+ else
+ outpkt.priority = -1;
+ memcpy(DATA(&outpkt), buffer, len);
+
+ receive_packet(c->node, &outpkt);
+}
+
+static bool try_sptps(node_t *n) {
+ if(n->status.validkey)
+ return true;
+
+ /* If n is a TCP-only neighbor, we'll only use "cleartext" PACKET
+ messages anyway, so there's no need for SPTPS at all. */
+ if(n->connection && ((myself->options | n->options) & OPTION_TCPONLY))
+ return false;
+
+ logger(DEBUG_TRAFFIC, LOG_INFO, "No valid key known yet for %s (%s)", n->name, n->hostname);
+
+ if(!n->status.waitingforkey)
+ send_req_key(n);
+ else if(n->last_req_key + 10 < now.tv_sec) {
+ logger(DEBUG_ALWAYS, LOG_DEBUG, "No key from %s after 10 seconds, restarting SPTPS", n->name);
+ sptps_stop(&n->sptps);
+ n->status.waitingforkey = false;
+ send_req_key(n);
+ }
+
+ return false;
+}
+
+static void send_sptps_packet(node_t *n, vpn_packet_t *origpkt) {
+ /* Note: condition order is as intended - even if we have a direct
+ metaconnection, we want to try SPTPS anyway as it's the only way to
+ get UDP going */
+ if(!try_sptps(n) && !n->connection)
+ return;
+
+ uint8_t type = 0;
+ int offset = 0;
+
+ if(!(DATA(origpkt)[12] | DATA(origpkt)[13])) {
+ sptps_send_record(&n->sptps, PKT_PROBE, (char *)DATA(origpkt), origpkt->len);
+ return;
+ }
+
+ if(routing_mode == RMODE_ROUTER)
+ offset = 14;
+ else
+ type = PKT_MAC;
+
+ if(origpkt->len < offset)
+ return;
+
+ vpn_packet_t outpkt;
+
+ if(n->outcompression) {
+ outpkt.offset = 0;
+ int len = compress_packet(DATA(&outpkt) + offset, DATA(origpkt) + offset, origpkt->len - offset, n->outcompression);
+ if(len < 0) {
+ logger(DEBUG_TRAFFIC, LOG_ERR, "Error while compressing packet to %s (%s)", n->name, n->hostname);
+ } else if(len < origpkt->len - offset) {
+ outpkt.len = len + offset;
+ origpkt = &outpkt;
+ type |= PKT_COMPRESSED;
+ }
+ }
+
+ /* If we have a direct metaconnection to n, and we can't use UDP, then
+ don't bother with SPTPS and just use a "plaintext" PACKET message.
+ We don't really care about end-to-end security since we're not
+ sending the message through any intermediate nodes. */
+ if(n->connection && origpkt->len > n->minmtu)
+ send_tcppacket(n->connection, origpkt);
+ else
+ sptps_send_record(&n->sptps, type, DATA(origpkt) + offset, origpkt->len - offset);
+ return;
+}
+
+static void adapt_socket(const sockaddr_t *sa, int *sock) {
+ /* Make sure we have a suitable socket for the chosen address */
+ if(listen_socket[*sock].sa.sa.sa_family != sa->sa.sa_family) {
+ for(int i = 0; i < listen_sockets; i++) {
+ if(listen_socket[i].sa.sa.sa_family == sa->sa.sa_family) {
+ *sock = i;
+ break;
+ }
+ }
+ }
+}
+
+static void choose_udp_address(const node_t *n, const sockaddr_t **sa, int *sock) {
+ /* Latest guess */
+ *sa = &n->address;
+ *sock = n->sock;
+
+ /* If the UDP address is confirmed, use it. */
+ if(n->status.udp_confirmed)
+ return;
+
+ /* Send every third packet to n->address; that could be set
+ to the node's reflexive UDP address discovered during key
+ exchange. */
+
+ static int x = 0;
+ if(++x >= 3) {
+ x = 0;
+ return;
+ }
+
+ /* Otherwise, address are found in edges to this node.
+ So we pick a random edge and a random socket. */
+
+ int i = 0;
+ int j = rand() % n->edge_tree->count;
+ edge_t *candidate = NULL;
+
+ for splay_each(edge_t, e, n->edge_tree) {
+ if(i++ == j) {
+ candidate = e->reverse;
+ break;
+ }
+ }
+
+ if(candidate) {
+ *sa = &candidate->address;
+ *sock = rand() % listen_sockets;
+ }
+
+ adapt_socket(*sa, sock);
+}
+
+static void choose_local_address(const node_t *n, const sockaddr_t **sa, int *sock) {
+ *sa = NULL;
+
+ /* Pick one of the edges from this node at random, then use its local address. */
+
+ int i = 0;
+ int j = rand() % n->edge_tree->count;
+ edge_t *candidate = NULL;
+
+ for splay_each(edge_t, e, n->edge_tree) {
+ if(i++ == j) {
+ candidate = e;
+ break;
+ }
+ }
+
+ if (candidate && candidate->local_address.sa.sa_family) {
+ *sa = &candidate->local_address;
+ *sock = rand() % listen_sockets;
+ adapt_socket(*sa, sock);
+ }