/*
net_packet.c -- Handles in- and outgoing VPN packets
Copyright (C) 1998-2005 Ivo Timmermans,
- 2000-2012 Guus Sliepen <guus@tinc-vpn.org>
+ 2000-2013 Guus Sliepen <guus@tinc-vpn.org>
2010 Timothy Redaelli <timothy@redaelli.eu>
2010 Brandon Black <blblack@gmail.com>
#include "system.h"
-#include <openssl/rand.h>
-#include <openssl/err.h>
-#include <openssl/evp.h>
-#include <openssl/pem.h>
-#include <openssl/hmac.h>
-
#ifdef HAVE_ZLIB
#include <zlib.h>
#endif
#include LZO1X_H
#endif
-#include "splay_tree.h"
#include "cipher.h"
#include "conf.h"
#include "connection.h"
#include "net.h"
#include "netutl.h"
#include "protocol.h"
-#include "process.h"
#include "route.h"
#include "utils.h"
#include "xalloc.h"
static void send_udppacket(node_t *, vpn_packet_t *);
unsigned replaywin = 16;
-bool localdiscovery = false;
+bool localdiscovery = true;
#define MAX_SEQNO 1073741824
mtuprobes == 32: send 1 burst, sleep pingtimeout second
mtuprobes == 33: no response from other side, restart PMTU discovery process
- Probes are sent in batches of three, with random sizes between the lower and
- upper boundaries for the MTU thus far discovered.
+ Probes are sent in batches of at least three, with random sizes between the
+ lower and upper boundaries for the MTU thus far discovered.
+
+ After the initial discovery, a fourth packet is added to each batch with a
+ size larger than the currently known PMTU, to test if the PMTU has increased.
- In case local discovery is enabled, a fourth packet is added to each batch,
+ In case local discovery is enabled, another packet is added to each batch,
which will be broadcast to the local network.
+
*/
-static void send_mtu_probe_handler(int fd, short events, void *data) {
+static void send_mtu_probe_handler(void *data) {
node_t *n = data;
- vpn_packet_t packet;
- int len, i;
int timeout = 1;
-
+
n->mtuprobes++;
if(!n->status.reachable || !n->status.validkey) {
}
logger(DEBUG_TRAFFIC, LOG_INFO, "%s (%s) did not respond to UDP ping, restarting PMTU discovery", n->name, n->hostname);
+ n->status.udp_confirmed = false;
n->mtuprobes = 1;
n->minmtu = 0;
n->maxmtu = MTU;
timeout = pingtimeout;
}
- for(i = 0; i < 3 + localdiscovery; i++) {
- if(n->maxmtu <= n->minmtu)
+ for(int i = 0; i < 4 + localdiscovery; i++) {
+ int len;
+
+ if(i == 0) {
+ if(n->mtuprobes < 30 || n->maxmtu + 8 >= MTU)
+ continue;
+ len = n->maxmtu + 8;
+ } else if(n->maxmtu <= n->minmtu) {
len = n->maxmtu;
- else
+ } else {
len = n->minmtu + 1 + rand() % (n->maxmtu - n->minmtu);
+ }
if(len < 64)
len = 64;
-
+
+ vpn_packet_t packet;
memset(packet.data, 0, 14);
randomize(packet.data + 14, len - 14);
packet.len = len;
- if(i >= 3 && n->mtuprobes <= 10)
- packet.priority = -1;
- else
- packet.priority = 0;
+ packet.priority = 0;
+ n->status.send_locally = i >= 4 && n->mtuprobes <= 10 && n->prevedge;
logger(DEBUG_TRAFFIC, LOG_INFO, "Sending MTU probe length %d to %s (%s)", len, n->name, n->hostname);
send_udppacket(n, &packet);
}
+ n->status.send_locally = false;
+ n->probe_counter = 0;
+ gettimeofday(&n->probe_time, NULL);
+
+ /* Calculate the packet loss of incoming traffic by comparing the rate of
+ packets received to the rate with which the sequence number has increased.
+ */
+
+ if(n->received > n->prev_received)
+ n->packetloss = 1.0 - (n->received - n->prev_received) / (float)(n->received_seqno - n->prev_received_seqno);
+ else
+ n->packetloss = n->received_seqno <= n->prev_received_seqno;
+
+ n->prev_received_seqno = n->received_seqno;
+ n->prev_received = n->received;
+
end:
- event_add(&n->mtuevent, &(struct timeval){timeout, 0});
+ timeout_set(&n->mtutimeout, &(struct timeval){timeout, rand() % 100000});
}
void send_mtu_probe(node_t *n) {
- if(!timeout_initialized(&n->mtuevent))
- timeout_set(&n->mtuevent, send_mtu_probe_handler, n);
- send_mtu_probe_handler(0, 0, n);
+ timeout_add(&n->mtutimeout, send_mtu_probe_handler, n, &(struct timeval){1, 0});
+ send_mtu_probe_handler(n);
}
static void mtu_probe_h(node_t *n, vpn_packet_t *packet, length_t len) {
- logger(DEBUG_TRAFFIC, LOG_INFO, "Got MTU probe length %d from %s (%s)", packet->len, n->name, n->hostname);
-
if(!packet->data[0]) {
- packet->data[0] = 1;
+ logger(DEBUG_TRAFFIC, LOG_INFO, "Got MTU probe request %d from %s (%s)", packet->len, n->name, n->hostname);
+
+ /* It's a probe request, send back a reply */
+
+ /* Type 2 probe replies were introduced in protocol 17.3 */
+ if ((n->options >> 24) >= 3) {
+ uint8_t* data = packet->data;
+ *data++ = 2;
+ uint16_t len16 = htons(len); memcpy(data, &len16, 2); data += 2;
+ struct timeval now;
+ gettimeofday(&now, NULL);
+ uint32_t sec = htonl(now.tv_sec); memcpy(data, &sec, 4); data += 4;
+ uint32_t usec = htonl(now.tv_usec); memcpy(data, &usec, 4); data += 4;
+ packet->len = data - packet->data;
+ } else {
+ /* Legacy protocol: n won't understand type 2 probe replies. */
+ packet->data[0] = 1;
+ }
+
+ /* Temporarily set udp_confirmed, so that the reply is sent
+ back exactly the way it came in. */
+
+ bool udp_confirmed = n->status.udp_confirmed;
+ n->status.udp_confirmed = true;
send_udppacket(n, packet);
+ n->status.udp_confirmed = udp_confirmed;
} else {
+ length_t probelen = len;
+ if (packet->data[0] == 2) {
+ if (len < 3)
+ logger(DEBUG_TRAFFIC, LOG_WARNING, "Received invalid (too short) MTU probe reply from %s (%s)", n->name, n->hostname);
+ else {
+ uint16_t probelen16; memcpy(&probelen16, packet->data + 1, 2); probelen = ntohs(probelen16);
+ }
+ }
+ logger(DEBUG_TRAFFIC, LOG_INFO, "Got type %d MTU probe reply %d from %s (%s)", packet->data[0], probelen, n->name, n->hostname);
+
+ /* It's a valid reply: now we know bidirectional communication
+ is possible using the address and socket that the reply
+ packet used. */
+
+ n->status.udp_confirmed = true;
+
+ /* If we haven't established the PMTU yet, restart the discovery process. */
+
if(n->mtuprobes > 30) {
+ if (probelen == n->maxmtu + 8) {
+ logger(DEBUG_TRAFFIC, LOG_INFO, "Increase in PMTU to %s (%s) detected, restarting PMTU discovery", n->name, n->hostname);
+ n->maxmtu = MTU;
+ n->mtuprobes = 10;
+ return;
+ }
+
if(n->minmtu)
n->mtuprobes = 30;
else
n->mtuprobes = 1;
}
- if(len > n->maxmtu)
- len = n->maxmtu;
- if(n->minmtu < len)
- n->minmtu = len;
+ /* If applicable, raise the minimum supported MTU */
+
+ if(probelen > n->maxmtu)
+ probelen = n->maxmtu;
+ if(n->minmtu < probelen)
+ n->minmtu = probelen;
+
+ /* Calculate RTT and bandwidth.
+ The RTT is the time between the MTU probe burst was sent and the first
+ reply is received. The bandwidth is measured using the time between the
+ arrival of the first and third probe reply (or type 2 probe requests).
+ */
+
+ struct timeval now, diff;
+ gettimeofday(&now, NULL);
+ timersub(&now, &n->probe_time, &diff);
+
+ struct timeval probe_timestamp = now;
+ if (packet->data[0] == 2 && packet->len >= 11) {
+ uint32_t sec; memcpy(&sec, packet->data + 3, 4);
+ uint32_t usec; memcpy(&usec, packet->data + 7, 4);
+ probe_timestamp.tv_sec = ntohl(sec);
+ probe_timestamp.tv_usec = ntohl(usec);
+ }
+
+ n->probe_counter++;
+
+ if(n->probe_counter == 1) {
+ n->rtt = diff.tv_sec + diff.tv_usec * 1e-6;
+ n->probe_time = probe_timestamp;
+ } else if(n->probe_counter == 3) {
+ struct timeval probe_timestamp_diff;
+ timersub(&probe_timestamp, &n->probe_time, &probe_timestamp_diff);
+ n->bandwidth = 2.0 * probelen / (probe_timestamp_diff.tv_sec + probe_timestamp_diff.tv_usec * 1e-6);
+ logger(DEBUG_TRAFFIC, LOG_DEBUG, "%s (%s) RTT %.2f ms, burst bandwidth %.3f Mbit/s, rx packet loss %.2f %%", n->name, n->hostname, n->rtt * 1e3, n->bandwidth * 8e-6, n->packetloss * 1e2);
+ }
}
}
return -1;
#endif
}
-
+
return -1;
}
static bool try_mac(node_t *n, const vpn_packet_t *inpkt) {
if(n->status.sptps)
- return sptps_verify_datagram(&n->sptps, (char *)inpkt->data - 4, inpkt->len);
+ return sptps_verify_datagram(&n->sptps, (char *)&inpkt->seqno, inpkt->len);
- if(!digest_active(&n->indigest) || inpkt->len < sizeof inpkt->seqno + digest_length(&n->indigest))
+ if(!digest_active(n->indigest) || inpkt->len < sizeof inpkt->seqno + digest_length(n->indigest))
return false;
- return digest_verify(&n->indigest, &inpkt->seqno, inpkt->len - n->indigest.maclength, (const char *)&inpkt->seqno + inpkt->len - n->indigest.maclength);
+ return digest_verify(n->indigest, &inpkt->seqno, inpkt->len - digest_length(n->indigest), (const char *)&inpkt->seqno + inpkt->len - digest_length(n->indigest));
}
-static void receive_udppacket(node_t *n, vpn_packet_t *inpkt) {
+static bool receive_udppacket(node_t *n, vpn_packet_t *inpkt) {
vpn_packet_t pkt1, pkt2;
vpn_packet_t *pkt[] = { &pkt1, &pkt2, &pkt1, &pkt2 };
int nextpkt = 0;
- vpn_packet_t *outpkt = pkt[0];
size_t outlen;
if(n->status.sptps) {
- sptps_receive_data(&n->sptps, (char *)inpkt->data - 4, inpkt->len);
- return;
+ if(!n->sptps.state) {
+ if(!n->status.waitingforkey) {
+ logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got packet from %s (%s) but we haven't exchanged keys yet", n->name, n->hostname);
+ send_req_key(n);
+ } else {
+ logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got packet from %s (%s) but he hasn't got our key yet", n->name, n->hostname);
+ }
+ return false;
+ }
+ return sptps_receive_data(&n->sptps, (char *)&inpkt->seqno, inpkt->len);
}
- if(!cipher_active(&n->incipher)) {
- logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got packet from %s (%s) but he hasn't got our key yet",
- n->name, n->hostname);
- return;
+ if(!n->status.validkey) {
+ logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got packet from %s (%s) but he hasn't got our key yet", n->name, n->hostname);
+ return false;
}
/* Check packet length */
- if(inpkt->len < sizeof inpkt->seqno + digest_length(&n->indigest)) {
+ if(inpkt->len < sizeof inpkt->seqno + digest_length(n->indigest)) {
logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got too short packet from %s (%s)",
n->name, n->hostname);
- return;
+ return false;
}
/* Check the message authentication code */
- if(digest_active(&n->indigest)) {
- inpkt->len -= n->indigest.maclength;
- if(!digest_verify(&n->indigest, &inpkt->seqno, inpkt->len, (const char *)&inpkt->seqno + inpkt->len)) {
+ if(digest_active(n->indigest)) {
+ inpkt->len -= digest_length(n->indigest);
+ if(!digest_verify(n->indigest, &inpkt->seqno, inpkt->len, (const char *)&inpkt->seqno + inpkt->len)) {
logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got unauthenticated packet from %s (%s)", n->name, n->hostname);
- return;
+ return false;
}
}
/* Decrypt the packet */
- if(cipher_active(&n->incipher)) {
- outpkt = pkt[nextpkt++];
+ if(cipher_active(n->incipher)) {
+ vpn_packet_t *outpkt = pkt[nextpkt++];
outlen = MAXSIZE;
- if(!cipher_decrypt(&n->incipher, &inpkt->seqno, inpkt->len, &outpkt->seqno, &outlen, true)) {
+ if(!cipher_decrypt(n->incipher, &inpkt->seqno, inpkt->len, &outpkt->seqno, &outlen, true)) {
logger(DEBUG_TRAFFIC, LOG_DEBUG, "Error decrypting packet from %s (%s)", n->name, n->hostname);
- return;
+ return false;
}
-
+
outpkt->len = outlen;
inpkt = outpkt;
}
/* Check the sequence number */
inpkt->len -= sizeof inpkt->seqno;
- inpkt->seqno = ntohl(inpkt->seqno);
+ uint32_t seqno;
+ memcpy(&seqno, inpkt->seqno, sizeof seqno);
+ seqno = ntohl(seqno);
if(replaywin) {
- if(inpkt->seqno != n->received_seqno + 1) {
- if(inpkt->seqno >= n->received_seqno + replaywin * 8) {
+ if(seqno != n->received_seqno + 1) {
+ if(seqno >= n->received_seqno + replaywin * 8) {
if(n->farfuture++ < replaywin >> 2) {
logger(DEBUG_ALWAYS, LOG_WARNING, "Packet from %s (%s) is %d seqs in the future, dropped (%u)",
- n->name, n->hostname, inpkt->seqno - n->received_seqno - 1, n->farfuture);
- return;
+ n->name, n->hostname, seqno - n->received_seqno - 1, n->farfuture);
+ return false;
}
logger(DEBUG_ALWAYS, LOG_WARNING, "Lost %d packets from %s (%s)",
- inpkt->seqno - n->received_seqno - 1, n->name, n->hostname);
+ seqno - n->received_seqno - 1, n->name, n->hostname);
memset(n->late, 0, replaywin);
- } else if (inpkt->seqno <= n->received_seqno) {
- if((n->received_seqno >= replaywin * 8 && inpkt->seqno <= n->received_seqno - replaywin * 8) || !(n->late[(inpkt->seqno / 8) % replaywin] & (1 << inpkt->seqno % 8))) {
+ } else if (seqno <= n->received_seqno) {
+ if((n->received_seqno >= replaywin * 8 && seqno <= n->received_seqno - replaywin * 8) || !(n->late[(seqno / 8) % replaywin] & (1 << seqno % 8))) {
logger(DEBUG_ALWAYS, LOG_WARNING, "Got late or replayed packet from %s (%s), seqno %d, last received %d",
- n->name, n->hostname, inpkt->seqno, n->received_seqno);
- return;
+ n->name, n->hostname, seqno, n->received_seqno);
+ return false;
}
} else {
- for(int i = n->received_seqno + 1; i < inpkt->seqno; i++)
+ for(int i = n->received_seqno + 1; i < seqno; i++)
n->late[(i / 8) % replaywin] |= 1 << i % 8;
}
}
n->farfuture = 0;
- n->late[(inpkt->seqno / 8) % replaywin] &= ~(1 << inpkt->seqno % 8);
+ n->late[(seqno / 8) % replaywin] &= ~(1 << seqno % 8);
}
- if(inpkt->seqno > n->received_seqno)
- n->received_seqno = inpkt->seqno;
-
+ if(seqno > n->received_seqno)
+ n->received_seqno = seqno;
+
+ n->received++;
+
if(n->received_seqno > MAX_SEQNO)
regenerate_key();
length_t origlen = inpkt->len;
if(n->incompression) {
- outpkt = pkt[nextpkt++];
+ vpn_packet_t *outpkt = pkt[nextpkt++];
if((outpkt->len = uncompress_packet(outpkt->data, inpkt->data, inpkt->len, n->incompression)) < 0) {
logger(DEBUG_TRAFFIC, LOG_ERR, "Error while uncompressing packet from %s (%s)",
- n->name, n->hostname);
- return;
+ n->name, n->hostname);
+ return false;
}
inpkt = outpkt;
mtu_probe_h(n, inpkt, origlen);
else
receive_packet(n, inpkt);
+ return true;
}
void receive_tcppacket(connection_t *c, const char *buffer, int len) {
vpn_packet_t outpkt;
+ if(len > sizeof outpkt.data)
+ return;
+
outpkt.len = len;
if(c->options & OPTION_TCPONLY)
outpkt.priority = 0;
receive_packet(c->node, &outpkt);
}
+static bool try_sptps(node_t *n) {
+ if(n->status.validkey)
+ return true;
+
+ logger(DEBUG_TRAFFIC, LOG_INFO, "No valid key known yet for %s (%s)", n->name, n->hostname);
+
+ if(!n->status.waitingforkey)
+ send_req_key(n);
+ else if(n->last_req_key + 10 < now.tv_sec) {
+ logger(DEBUG_ALWAYS, LOG_DEBUG, "No key from %s after 10 seconds, restarting SPTPS", n->name);
+ sptps_stop(&n->sptps);
+ n->status.waitingforkey = false;
+ send_req_key(n);
+ }
+
+ return false;
+}
+
+static void send_sptps_packet(node_t *n, vpn_packet_t *origpkt) {
+ if (!try_sptps(n))
+ return;
+
+ uint8_t type = 0;
+ int offset = 0;
+
+ if(!(origpkt->data[12] | origpkt->data[13])) {
+ sptps_send_record(&n->sptps, PKT_PROBE, (char *)origpkt->data, origpkt->len);
+ return;
+ }
+
+ if(routing_mode == RMODE_ROUTER)
+ offset = 14;
+ else
+ type = PKT_MAC;
+
+ if(origpkt->len < offset)
+ return;
+
+ vpn_packet_t outpkt;
+
+ if(n->outcompression) {
+ int len = compress_packet(outpkt.data + offset, origpkt->data + offset, origpkt->len - offset, n->outcompression);
+ if(len < 0) {
+ logger(DEBUG_TRAFFIC, LOG_ERR, "Error while compressing packet to %s (%s)", n->name, n->hostname);
+ } else if(len < origpkt->len - offset) {
+ outpkt.len = len + offset;
+ origpkt = &outpkt;
+ type |= PKT_COMPRESSED;
+ }
+ }
+
+ sptps_send_record(&n->sptps, type, (char *)origpkt->data + offset, origpkt->len - offset);
+ return;
+}
+
+static void adapt_socket(const sockaddr_t *sa, int *sock) {
+ /* Make sure we have a suitable socket for the chosen address */
+ if(listen_socket[*sock].sa.sa.sa_family != sa->sa.sa_family) {
+ for(int i = 0; i < listen_sockets; i++) {
+ if(listen_socket[i].sa.sa.sa_family == sa->sa.sa_family) {
+ *sock = i;
+ break;
+ }
+ }
+ }
+}
+
+static void choose_udp_address(const node_t *n, const sockaddr_t **sa, int *sock) {
+ /* Latest guess */
+ *sa = &n->address;
+ *sock = n->sock;
+
+ /* If the UDP address is confirmed, use it. */
+ if(n->status.udp_confirmed)
+ return;
+
+ /* Send every third packet to n->address; that could be set
+ to the node's reflexive UDP address discovered during key
+ exchange. */
+
+ static int x = 0;
+ if(++x >= 3) {
+ x = 0;
+ return;
+ }
+
+ /* Otherwise, address are found in edges to this node.
+ So we pick a random edge and a random socket. */
+
+ int i = 0;
+ int j = rand() % n->edge_tree->count;
+ edge_t *candidate = NULL;
+
+ for splay_each(edge_t, e, n->edge_tree) {
+ if(i++ == j) {
+ candidate = e->reverse;
+ break;
+ }
+ }
+
+ if(candidate) {
+ *sa = &candidate->address;
+ *sock = rand() % listen_sockets;
+ }
+
+ adapt_socket(*sa, sock);
+}
+
+static void choose_local_address(const node_t *n, const sockaddr_t **sa, int *sock) {
+ *sa = NULL;
+
+ /* Pick one of the edges from this node at random, then use its local address. */
+
+ int i = 0;
+ int j = rand() % n->edge_tree->count;
+ edge_t *candidate = NULL;
+
+ for splay_each(edge_t, e, n->edge_tree) {
+ if(i++ == j) {
+ candidate = e;
+ break;
+ }
+ }
+
+ if (candidate && candidate->local_address.sa.sa_family) {
+ *sa = &candidate->local_address;
+ *sock = rand() % listen_sockets;
+ adapt_socket(*sa, sock);
+ }
+}
+
static void send_udppacket(node_t *n, vpn_packet_t *origpkt) {
vpn_packet_t pkt1, pkt2;
vpn_packet_t *pkt[] = { &pkt1, &pkt2, &pkt1, &pkt2 };
size_t outlen;
#if defined(SOL_IP) && defined(IP_TOS)
static int priority = 0;
-#endif
int origpriority = origpkt->priority;
+#endif
if(!n->status.reachable) {
logger(DEBUG_TRAFFIC, LOG_INFO, "Trying to send UDP packet to unreachable node %s (%s)", n->name, n->hostname);
return;
}
+ if(n->status.sptps)
+ return send_sptps_packet(n, origpkt);
+
/* Make sure we have a valid key */
if(!n->status.validkey) {
- time_t now = time(NULL);
-
logger(DEBUG_TRAFFIC, LOG_INFO,
"No valid key known yet for %s (%s), forwarding via TCP",
n->name, n->hostname);
- if(n->last_req_key + 10 <= now) {
+ if(n->last_req_key + 10 <= now.tv_sec) {
send_req_key(n);
- n->last_req_key = now;
+ n->last_req_key = now.tv_sec;
}
send_tcppacket(n->nexthop->connection, origpkt);
return;
}
- if(n->status.sptps) {
- uint8_t type = 0;
- if(!(inpkt->data[12] | inpkt->data[13]))
- type = PKT_PROBE;
- sptps_send_record(&n->sptps, type, (char *)inpkt->data, inpkt->len);
- return;
- }
-
/* Compress the packet */
if(n->outcompression) {
/* Add sequence number */
- inpkt->seqno = htonl(++(n->sent_seqno));
+ uint32_t seqno = htonl(++(n->sent_seqno));
+ memcpy(inpkt->seqno, &seqno, sizeof inpkt->seqno);
inpkt->len += sizeof inpkt->seqno;
/* Encrypt the packet */
- if(cipher_active(&n->outcipher)) {
+ if(cipher_active(n->outcipher)) {
outpkt = pkt[nextpkt++];
outlen = MAXSIZE;
- if(!cipher_encrypt(&n->outcipher, &inpkt->seqno, inpkt->len, &outpkt->seqno, &outlen, true)) {
+ if(!cipher_encrypt(n->outcipher, inpkt->seqno, inpkt->len, outpkt->seqno, &outlen, true)) {
logger(DEBUG_TRAFFIC, LOG_ERR, "Error while encrypting packet to %s (%s)", n->name, n->hostname);
goto end;
}
/* Add the message authentication code */
- if(digest_active(&n->outdigest)) {
- digest_create(&n->outdigest, &inpkt->seqno, inpkt->len, (char *)&inpkt->seqno + inpkt->len);
- inpkt->len += digest_length(&n->outdigest);
- }
-
- /* Determine which socket we have to use */
-
- if(n->address.sa.sa_family != listen_socket[n->sock].sa.sa.sa_family) {
- for(int sock = 0; sock < listen_sockets; sock++) {
- if(n->address.sa.sa_family == listen_socket[sock].sa.sa.sa_family) {
- n->sock = sock;
- break;
- }
+ if(digest_active(n->outdigest)) {
+ if(!digest_create(n->outdigest, inpkt->seqno, inpkt->len, inpkt->seqno + inpkt->len)) {
+ logger(DEBUG_TRAFFIC, LOG_ERR, "Error while encrypting packet to %s (%s)", n->name, n->hostname);
+ goto end;
}
+
+ inpkt->len += digest_length(n->outdigest);
}
/* Send the packet */
- struct sockaddr *sa;
- socklen_t sl;
+ const sockaddr_t *sa = NULL;
int sock;
- /* Overloaded use of priority field: -1 means local broadcast */
-
- if(origpriority == -1 && n->prevedge) {
- struct sockaddr_in in;
- in.sin_family = AF_INET;
- in.sin_addr.s_addr = -1;
- in.sin_port = n->prevedge->address.in.sin_port;
- sa = (struct sockaddr *)∈
- sl = sizeof in;
- sock = 0;
- } else {
- if(origpriority == -1)
- origpriority = 0;
-
- sa = &(n->address.sa);
- sl = SALEN(n->address.sa);
- sock = n->sock;
- }
+ if(n->status.send_locally)
+ choose_local_address(n, &sa, &sock);
+ if(!sa)
+ choose_udp_address(n, &sa, &sock);
#if defined(SOL_IP) && defined(IP_TOS)
if(priorityinheritance && origpriority != priority
&& listen_socket[n->sock].sa.sa.sa_family == AF_INET) {
priority = origpriority;
logger(DEBUG_TRAFFIC, LOG_DEBUG, "Setting outgoing packet priority to %d", priority);
- if(setsockopt(listen_socket[n->sock].udp, SOL_IP, IP_TOS, &priority, sizeof(priority))) /* SO_PRIORITY doesn't seem to work */
- logger(DEBUG_ALWAYS, LOG_ERR, "System call `%s' failed: %s", "setsockopt", strerror(errno));
+ if(setsockopt(listen_socket[n->sock].udp.fd, SOL_IP, IP_TOS, &priority, sizeof(priority))) /* SO_PRIORITY doesn't seem to work */
+ logger(DEBUG_ALWAYS, LOG_ERR, "System call `%s' failed: %s", "setsockopt", sockstrerror(sockerrno));
}
#endif
- if(sendto(listen_socket[sock].udp, (char *) &inpkt->seqno, inpkt->len, 0, sa, sl) < 0 && !sockwouldblock(sockerrno)) {
+ if(sendto(listen_socket[sock].udp.fd, inpkt->seqno, inpkt->len, 0, &sa->sa, SALEN(sa->sa)) < 0 && !sockwouldblock(sockerrno)) {
if(sockmsgsize(sockerrno)) {
if(n->maxmtu >= origlen)
n->maxmtu = origlen - 1;
origpkt->len = origlen;
}
-bool send_sptps_data(void *handle, uint8_t type, const char *data, size_t len) {
- node_t *to = handle;
+static bool send_sptps_data_priv(node_t *to, node_t *from, int type, const void *data, size_t len) {
+ node_t *relay = (to->via != myself && (type == PKT_PROBE || (len - SPTPS_DATAGRAM_OVERHEAD) <= to->via->minmtu)) ? to->via : to->nexthop;
+ bool direct = from == myself && to == relay;
+ bool relay_supported = (relay->options >> 24) >= 4;
+ bool tcponly = (myself->options | relay->options) & OPTION_TCPONLY;
- if(type >= SPTPS_HANDSHAKE) {
+ /* We don't really need the relay's key, but we need to establish a UDP tunnel with it and discover its MTU. */
+ if (!direct && relay_supported && !tcponly)
+ try_sptps(relay);
+
+ /* Send it via TCP if it is a handshake packet, TCPOnly is in use, this is a relay packet that the other node cannot understand, or this packet is larger than the MTU.
+ TODO: When relaying, the original sender does not know the end-to-end PMTU (it only knows the PMTU of the first hop).
+ This can lead to scenarios where large packets are sent over UDP to relay, but then relay has no choice but fall back to TCP. */
+
+ if(type == SPTPS_HANDSHAKE || tcponly || (!direct && !relay_supported) || (type != PKT_PROBE && (len - SPTPS_DATAGRAM_OVERHEAD) > relay->minmtu)) {
char buf[len * 4 / 3 + 5];
b64encode(data, buf, len);
- if(!to->status.validkey)
- return send_request(to->nexthop->connection, "%d %s %s %s -1 -1 -1 -1", ANS_KEY, myself->name, to->name, buf);
- else
- return send_request(to->nexthop->connection, "%d %s %s %d %s", REQ_KEY, myself->name, to->name, REQ_SPTPS, buf);
+ /* If no valid key is known yet, send the packets using ANS_KEY requests,
+ to ensure we get to learn the reflexive UDP address. */
+ if(from == myself && !to->status.validkey) {
+ to->incompression = myself->incompression;
+ return send_request(to->nexthop->connection, "%d %s %s %s -1 -1 -1 %d", ANS_KEY, from->name, to->name, buf, to->incompression);
+ } else {
+ return send_request(to->nexthop->connection, "%d %s %s %d %s", REQ_KEY, from->name, to->name, REQ_SPTPS, buf);
+ }
}
- /* Send the packet */
-
- struct sockaddr *sa;
- socklen_t sl;
- int sock;
+ size_t overhead = 0;
+ if(relay_supported) overhead += sizeof to->id + sizeof from->id;
+ char buf[len + overhead]; char* buf_ptr = buf;
+ if(relay_supported) {
+ if(direct) {
+ /* Inform the recipient that this packet was sent directly. */
+ node_id_t nullid = {};
+ memcpy(buf_ptr, &nullid, sizeof nullid); buf_ptr += sizeof nullid;
+ } else {
+ memcpy(buf_ptr, &to->id, sizeof to->id); buf_ptr += sizeof to->id;
+ }
+ memcpy(buf_ptr, &from->id, sizeof from->id); buf_ptr += sizeof from->id;
- sa = &(to->address.sa);
- sl = SALEN(to->address.sa);
- sock = to->sock;
+ }
+ /* TODO: if this copy turns out to be a performance concern, change sptps_send_record() to add some "pre-padding" to the buffer and use that instead */
+ memcpy(buf_ptr, data, len); buf_ptr += len;
- if(sendto(listen_socket[sock].udp, data, len, 0, sa, sl) < 0 && !sockwouldblock(sockerrno)) {
+ const sockaddr_t *sa = NULL;
+ int sock;
+ if(relay->status.send_locally)
+ choose_local_address(relay, &sa, &sock);
+ if(!sa)
+ choose_udp_address(relay, &sa, &sock);
+ logger(DEBUG_TRAFFIC, LOG_INFO, "Sending packet from %s (%s) to %s (%s) via %s (%s)", from->name, from->hostname, to->name, to->hostname, relay->name, relay->hostname);
+ if(sendto(listen_socket[sock].udp.fd, buf, buf_ptr - buf, 0, &sa->sa, SALEN(sa->sa)) < 0 && !sockwouldblock(sockerrno)) {
if(sockmsgsize(sockerrno)) {
- if(to->maxmtu >= len)
- to->maxmtu = len - 1;
- if(to->mtu >= len)
- to->mtu = len - 1;
+ // Compensate for SPTPS overhead
+ len -= SPTPS_DATAGRAM_OVERHEAD;
+ if(relay->maxmtu >= len)
+ relay->maxmtu = len - 1;
+ if(relay->mtu >= len)
+ relay->mtu = len - 1;
} else {
- logger(DEBUG_TRAFFIC, LOG_WARNING, "Error sending UDP SPTPS packet to %s (%s): %s", to->name, to->hostname, sockstrerror(sockerrno));
+ logger(DEBUG_TRAFFIC, LOG_WARNING, "Error sending UDP SPTPS packet to %s (%s): %s", relay->name, relay->hostname, sockstrerror(sockerrno));
return false;
}
}
return true;
}
+bool send_sptps_data(void *handle, uint8_t type, const char *data, size_t len) {
+ return send_sptps_data_priv(handle, myself, type, data, len);
+}
+
bool receive_sptps_record(void *handle, uint8_t type, const char *data, uint16_t len) {
node_t *from = handle;
if(type == SPTPS_HANDSHAKE) {
- from->status.validkey = true;
- logger(DEBUG_META, LOG_INFO, "SPTPS key exchange with %s (%s) succesful", from->name, from->hostname);
+ if(!from->status.validkey) {
+ from->status.validkey = true;
+ from->status.waitingforkey = false;
+ logger(DEBUG_META, LOG_INFO, "SPTPS key exchange with %s (%s) succesful", from->name, from->hostname);
+ }
return true;
}
}
vpn_packet_t inpkt;
- inpkt.len = len;
- memcpy(inpkt.data, data, len);
if(type == PKT_PROBE) {
+ inpkt.len = len;
+ memcpy(inpkt.data, data, len);
mtu_probe_h(from, &inpkt, len);
return true;
-
}
- if(type != 0) {
+
+ if(type & ~(PKT_COMPRESSED | PKT_MAC)) {
logger(DEBUG_ALWAYS, LOG_ERR, "Unexpected SPTPS record type %d len %d from %s (%s)", type, len, from->name, from->hostname);
return false;
}
+ /* Check if we have the headers we need */
+ if(routing_mode != RMODE_ROUTER && !(type & PKT_MAC)) {
+ logger(DEBUG_TRAFFIC, LOG_ERR, "Received packet from %s (%s) without MAC header (maybe Mode is not set correctly)", from->name, from->hostname);
+ return false;
+ } else if(routing_mode == RMODE_ROUTER && (type & PKT_MAC)) {
+ logger(DEBUG_TRAFFIC, LOG_WARNING, "Received packet from %s (%s) with MAC header (maybe Mode is not set correctly)", from->name, from->hostname);
+ }
+
+ int offset = (type & PKT_MAC) ? 0 : 14;
+ if(type & PKT_COMPRESSED) {
+ length_t ulen = uncompress_packet(inpkt.data + offset, (const uint8_t *)data, len, from->incompression);
+ if(ulen < 0) {
+ return false;
+ } else {
+ inpkt.len = ulen + offset;
+ }
+ if(inpkt.len > MAXSIZE)
+ abort();
+ } else {
+ memcpy(inpkt.data + offset, data, len);
+ inpkt.len = len + offset;
+ }
+
+ /* Generate the Ethernet packet type if necessary */
+ if(offset) {
+ switch(inpkt.data[14] >> 4) {
+ case 4:
+ inpkt.data[12] = 0x08;
+ inpkt.data[13] = 0x00;
+ break;
+ case 6:
+ inpkt.data[12] = 0x86;
+ inpkt.data[13] = 0xDD;
+ break;
+ default:
+ logger(DEBUG_TRAFFIC, LOG_ERR,
+ "Unknown IP version %d while reading packet from %s (%s)",
+ inpkt.data[14] >> 4, from->name, from->hostname);
+ return false;
+ }
+ }
+
receive_packet(from, &inpkt);
return true;
}
n->out_packets++;
n->out_bytes += packet->len;
+ if(n->status.sptps) {
+ send_sptps_packet(n, packet);
+ return;
+ }
+
via = (packet->priority == -1 || n->via == myself) ? n->nexthop : n->via;
if(via != n)
/* Broadcast a packet using the minimum spanning tree */
void broadcast_packet(const node_t *from, vpn_packet_t *packet) {
- splay_node_t *node;
- connection_t *c;
- node_t *n;
-
// Always give ourself a copy of the packet.
if(from != myself)
send_packet(myself, packet);
// In TunnelServer mode, do not forward broadcast packets.
- // The MST might not be valid and create loops.
+ // The MST might not be valid and create loops.
if(tunnelserver || broadcast_mode == BMODE_NONE)
return;
// This guarantees all nodes receive the broadcast packet, and
// usually distributes the sending of broadcast packets over all nodes.
case BMODE_MST:
- for(node = connection_tree->head; node; node = node->next) {
- c = node->data;
-
- if(c->status.active && c->status.mst && c != from->nexthop->connection)
+ for list_each(connection_t, c, connection_list)
+ if(c->edge && c->status.mst && c != from->nexthop->connection)
send_packet(c->node, packet);
- }
break;
// In direct mode, we send copies to each node we know of.
- // However, this only reaches nodes that can be reached in a single hop.
+ // However, this only reaches nodes that can be reached in a single hop.
// We don't have enough information to forward broadcast packets in this case.
case BMODE_DIRECT:
if(from != myself)
break;
- for(node = node_udp_tree->head; node; node = node->next) {
- n = node->data;
-
- if(n->status.reachable && ((n->via == myself && n->nexthop == n) || n->via == n))
+ for splay_each(node_t, n, node_tree)
+ if(n->status.reachable && n != myself && ((n->via == myself && n->nexthop == n) || n->via == n))
send_packet(n, packet);
- }
break;
default:
}
static node_t *try_harder(const sockaddr_t *from, const vpn_packet_t *pkt) {
- splay_node_t *node;
- edge_t *e;
node_t *n = NULL;
bool hard = false;
static time_t last_hard_try = 0;
- time_t now = time(NULL);
- for(node = edge_weight_tree->head; node; node = node->next) {
- e = node->data;
-
- if(e->to == myself)
+ for splay_each(edge_t, e, edge_weight_tree) {
+ if(!e->to->status.reachable || e->to == myself)
continue;
if(sockaddrcmp_noport(from, &e->address)) {
- if(last_hard_try == now)
+ if(last_hard_try == now.tv_sec)
continue;
hard = true;
}
}
if(hard)
- last_hard_try = now;
+ last_hard_try = now.tv_sec;
- last_hard_try = now;
+ last_hard_try = now.tv_sec;
return n;
}
-void handle_incoming_vpn_data(int sock, short events, void *data) {
+void handle_incoming_vpn_data(void *data, int flags) {
+ listen_socket_t *ls = data;
vpn_packet_t pkt;
char *hostname;
- sockaddr_t from;
+ sockaddr_t from = {{0}};
socklen_t fromlen = sizeof from;
- node_t *n;
+ node_t *n = NULL;
+ node_t *to = myself;
int len;
- len = recvfrom(sock, (char *) &pkt.seqno, MAXSIZE, 0, &from.sa, &fromlen);
+ len = recvfrom(ls->udp.fd, &pkt.dstid, MAXSIZE, 0, &from.sa, &fromlen);
if(len <= 0 || len > MAXSIZE) {
if(!sockwouldblock(sockerrno))
pkt.len = len;
- sockaddrunmap(&from); /* Some braindead IPv6 implementations do stupid things. */
+ sockaddrunmap(&from); /* Some braindead IPv6 implementations do stupid things. */
+
+ bool direct = false;
+ if(len >= sizeof pkt.dstid + sizeof pkt.srcid) {
+ n = lookup_node_id(&pkt.srcid);
+ if(n) {
+ node_id_t nullid = {};
+ if(memcmp(&pkt.dstid, &nullid, sizeof nullid) == 0) {
+ /* A zero dstid is used to indicate a direct, non-relayed packet. */
+ direct = true;
+ } else {
+ to = lookup_node_id(&pkt.dstid);
+ if(!to) {
+ logger(DEBUG_PROTOCOL, LOG_WARNING, "Received UDP packet presumably sent by %s (%s) but with unknown destination ID", n->name, n->hostname);
+ return;
+ }
+ }
+ pkt.len -= sizeof pkt.dstid + sizeof pkt.srcid;
+ }
+ }
+
+ if(to != myself) {
+ /* We are being asked to relay this packet. */
+
+ /* Don't allow random strangers to relay through us. Note that we check for *any* known address since we are not necessarily the first relay. */
+ if (!lookup_node_udp(&from)) {
+ logger(DEBUG_PROTOCOL, LOG_WARNING, "Refusing to relay packet from (presumably) %s (%s) to (presumably) %s (%s) because the packet comes from an unknown address", n->name, n->hostname, to->name, to->hostname);
+ return;
+ }
- n = lookup_node_udp(&from);
+ send_sptps_data_priv(to, n, 0, pkt.seqno, pkt.len);
+ return;
+ }
if(!n) {
+ /* Most likely an old-style packet without node IDs. */
+ direct = true;
+ memmove(pkt.seqno, &pkt.dstid, sizeof pkt - offsetof(vpn_packet_t, seqno));
+ n = lookup_node_udp(&from);
+ }
+
+ if(!n)
n = try_harder(&from, &pkt);
- if(n)
- update_node_udp(n, &from);
- else if(debug_level >= DEBUG_PROTOCOL) {
+
+ if(!n) {
+ if(debug_level >= DEBUG_PROTOCOL) {
hostname = sockaddr2hostname(&from);
logger(DEBUG_PROTOCOL, LOG_WARNING, "Received UDP packet from unknown source %s", hostname);
free(hostname);
- return;
}
- else
- return;
+ return;
}
- n->sock = (intptr_t)data;
+ if(!receive_udppacket(n, &pkt))
+ return;
- receive_udppacket(n, &pkt);
+ n->sock = ls - listen_socket;
+ if(direct && sockaddrcmp(&from, &n->address))
+ update_node_udp(n, &from);
}
-void handle_device_data(int sock, short events, void *data) {
+void handle_device_data(void *data, int flags) {
vpn_packet_t packet;
packet.priority = 0;