X-Git-Url: https://tinc-vpn.org/git/browse?a=blobdiff_plain;f=src%2Fnet_packet.c;h=27a6542c22a959f1a0e75eb131fa8c89956c7f2b;hb=8e43a2fc744559956640d3eb9a7a26a945d94fde;hp=16f8e5ede93305251051a8ed725307597f9a637a;hpb=7b76b7ac35b49b8a94ad91c432886a0a54e144d1;p=tinc

diff --git a/src/net_packet.c b/src/net_packet.c
index 16f8e5ed..27a6542c 100644
--- a/src/net_packet.c
+++ b/src/net_packet.c
@@ -64,10 +64,10 @@ static char lzo_wrkmem[LZO1X_999_MEM_COMPRESS > LZO1X_1_MEM_COMPRESS ? LZO1X_999
 
 static void send_udppacket(node_t *, vpn_packet_t *);
 
-unsigned replaywin = 16;
+unsigned replaywin = 32;
 bool localdiscovery = true;
 bool udp_discovery = true;
-int udp_discovery_keepalive_interval = 9;
+int udp_discovery_keepalive_interval = 10;
 int udp_discovery_interval = 2;
 int udp_discovery_timeout = 30;
 
@@ -103,24 +103,22 @@ static void udp_probe_timeout_handler(void *data) {
 
 static void send_udp_probe_reply(node_t *n, vpn_packet_t *packet, length_t len) {
 	if(!n->status.sptps && !n->status.validkey) {
-		// But not if we don't have his key.
-		logger(DEBUG_TRAFFIC, LOG_INFO, "Got UDP probe request from %s (%s) but we don't have his key yet", n->name, n->hostname);
+		logger(DEBUG_TRAFFIC, LOG_INFO, "Trying to send UDP probe reply to %s (%s) but we don't have his key yet", n->name, n->hostname);
 		return;
 	}
 
-	logger(DEBUG_TRAFFIC, LOG_INFO, "Got UDP probe request %d from %s (%s)", packet->len, n->name, n->hostname);
-
 	/* Type 2 probe replies were introduced in protocol 17.3 */
 	if ((n->options >> 24) >= 3) {
-		uint8_t *data = DATA(packet);
-		*data++ = 2;
-		uint16_t len16 = htons(MAX(len, n->maxrecentlen));
-		n->maxrecentlen = 0;
-		memcpy(data, &len16, 2);
+		DATA(packet)[0] = 2;
+		uint16_t len16 = htons(len);
+		memcpy(DATA(packet) + 1, &len16, 2);
 		packet->len = MIN_PROBE_SIZE;
+		logger(DEBUG_TRAFFIC, LOG_INFO, "Sending type 2 probe reply length %u to %s (%s)", len, n->name, n->hostname);
+
 	} else {
 		/* Legacy protocol: n won't understand type 2 probe replies. */
 		DATA(packet)[0] = 1;
+		logger(DEBUG_TRAFFIC, LOG_INFO, "Sending type 1 probe reply length %u to %s (%s)", len, n->name, n->hostname);
 	}
 
 	/* Temporarily set udp_confirmed, so that the reply is sent
@@ -134,7 +132,7 @@ static void send_udp_probe_reply(node_t *n, vpn_packet_t *packet, length_t len)
 
 static void udp_probe_h(node_t *n, vpn_packet_t *packet, length_t len) {
 	if(!DATA(packet)[0]) {
-		/* It's a probe request, send back a reply */
+		logger(DEBUG_TRAFFIC, LOG_INFO, "Got UDP probe request %d from %s (%s)", packet->len, n->name, n->hostname);
 		return send_udp_probe_reply(n, packet, len);
 	}
 
@@ -152,6 +150,9 @@ static void udp_probe_h(node_t *n, vpn_packet_t *packet, length_t len) {
 	   packet used. */
 	n->status.udp_confirmed = true;
 
+	// Reset the UDP ping timer.
+	n->udp_ping_sent = now;
+
 	if(udp_discovery) {
 		timeout_del(&n->udp_ping_timeout);
 		timeout_add(&n->udp_ping_timeout, &udp_probe_timeout_handler, n, &(struct timeval){udp_discovery_timeout, 0});
@@ -256,7 +257,7 @@ static bool try_mac(node_t *n, const vpn_packet_t *inpkt) {
 #ifdef DISABLE_LEGACY
 	return false;
 #else
-	if(!digest_active(n->indigest) || inpkt->len < sizeof(seqno_t) + digest_length(n->indigest))
+	if(!n->status.validkey_in || !digest_active(n->indigest) || inpkt->len < sizeof(seqno_t) + digest_length(n->indigest))
 		return false;
 
 	return digest_verify(n->indigest, SEQNO(inpkt), inpkt->len - digest_length(n->indigest), DATA(inpkt) + inpkt->len - digest_length(n->indigest));
@@ -282,7 +283,11 @@ static bool receive_udppacket(node_t *n, vpn_packet_t *inpkt) {
 			return false;
 		}
 		inpkt->offset += 2 * sizeof(node_id_t);
-		if(!sptps_receive_data(&n->sptps, DATA(inpkt), inpkt->len - 2 * sizeof(node_id_t))) {
+		n->status.udppacket = true;
+		bool result = sptps_receive_data(&n->sptps, DATA(inpkt), inpkt->len - 2 * sizeof(node_id_t));
+		n->status.udppacket = false;
+
+		if(!result) {
 			logger(DEBUG_TRAFFIC, LOG_ERR, "Got bad packet from %s (%s)", n->name, n->hostname);
 			return false;
 		}
@@ -682,9 +687,7 @@ static bool send_sptps_data_priv(node_t *to, node_t *from, int type, const void
 	bool relay_supported = (relay->options >> 24) >= 4;
 	bool tcponly = (myself->options | relay->options) & OPTION_TCPONLY;
 
-	/* Send it via TCP if it is a handshake packet, TCPOnly is in use, this is a relay packet that the other node cannot understand, or this packet is larger than the MTU.
-	   TODO: When relaying, the original sender does not know the end-to-end PMTU (it only knows the PMTU of the first hop).
-	         This can lead to scenarios where large packets are sent over UDP to relay, but then relay has no choice but fall back to TCP. */
+	/* Send it via TCP if it is a handshake packet, TCPOnly is in use, this is a relay packet that the other node cannot understand, or this packet is larger than the MTU. */
 
 	if(type == SPTPS_HANDSHAKE || tcponly || (!direct && !relay_supported) || (type != PKT_PROBE && (len - SPTPS_DATAGRAM_OVERHEAD) > relay->minmtu)) {
 		char buf[len * 4 / 3 + 5];
@@ -766,8 +769,14 @@ bool receive_sptps_record(void *handle, uint8_t type, const void *data, uint16_t
 	inpkt.offset = DEFAULT_PACKET_OFFSET;
 
 	if(type == PKT_PROBE) {
+		if(!from->status.udppacket) {
+			logger(DEBUG_ALWAYS, LOG_ERR, "Got SPTPS PROBE packet from %s (%s) via TCP", from->name, from->hostname);
+			return false;
+		}
 		inpkt.len = len;
 		memcpy(DATA(&inpkt), data, len);
+		if(inpkt.len > from->maxrecentlen)
+			from->maxrecentlen = inpkt.len;
 		udp_probe_h(from, &inpkt, len);
 		return true;
 	}
@@ -819,6 +828,9 @@ bool receive_sptps_record(void *handle, uint8_t type, const void *data, uint16_t
 		}
 	}
 
+	if(from->status.udppacket && inpkt.len > from->maxrecentlen)
+		from->maxrecentlen = inpkt.len;
+
 	receive_packet(from, &inpkt);
 	return true;
 }
@@ -863,6 +875,28 @@ static void try_udp(node_t* n) {
 	if(!udp_discovery)
 		return;
 
+	/* Send gratuitous probe replies to 1.1 nodes. */
+
+	if((n->options >> 24) >= 3 && n->status.udp_confirmed) {
+		struct timeval ping_tx_elapsed;
+		timersub(&now, &n->udp_reply_sent, &ping_tx_elapsed);
+
+		if(ping_tx_elapsed.tv_sec >= udp_discovery_keepalive_interval - 1) {
+			n->udp_reply_sent = now;
+			if(n->maxrecentlen) {
+				vpn_packet_t pkt;
+				pkt.len = n->maxrecentlen;
+				pkt.offset = DEFAULT_PACKET_OFFSET;
+				memset(DATA(&pkt), 0, 14);
+				randomize(DATA(&pkt) + 14, MIN_PROBE_SIZE - 14);
+				send_udp_probe_reply(n, &pkt, pkt.len);
+				n->maxrecentlen = 0;
+			}
+		}
+	}
+
+	/* Probe request */
+
 	struct timeval ping_tx_elapsed;
 	timersub(&now, &n->udp_ping_sent, &ping_tx_elapsed);
 
@@ -922,6 +956,7 @@ static length_t choose_initial_maxmtu(node_t *n) {
 		mtu -= SPTPS_DATAGRAM_OVERHEAD;
 		if((n->options >> 24) >= 4)
 			mtu -= sizeof(node_id_t) + sizeof(node_id_t);
+#ifndef DISABLE_LEGACY
 	} else {
 		mtu -= digest_length(n->outdigest);
 
@@ -941,6 +976,7 @@ static length_t choose_initial_maxmtu(node_t *n) {
 		}
 
 		mtu -= 4; // seqno
+#endif
 	}
 
 	if (mtu < 512) {
@@ -1087,23 +1123,31 @@ static void try_tx_sptps(node_t *n, bool mtu) {
 
 	try_sptps(n);
 
-	/* Do we need to relay packets? */
+	/* Do we need to statically relay packets? */
 
 	node_t *via = (n->via == myself) ? n->nexthop : n->via;
 
-	/* If the relay doesn't support SPTPS, everything goes via TCP anyway. */
+	/* If the static relay doesn't support SPTPS, everything goes via TCP anyway. */
 
 	if((via->options >> 24) < 4)
 		return;
 
-	/* If we do have a relay, try everything with that one instead. */
+	/* If we do have a static relay, try everything with that one instead. */
 
 	if(via != n)
 		return try_tx_sptps(via, mtu);
 
+	/* Otherwise, try to establish UDP connectivity. */
+
 	try_udp(n);
 	if(mtu)
 		try_mtu(n);
+
+	/* If we don't have UDP connectivity (yet), we need to use a dynamic relay (nexthop)
+	   while we try to establish direct connectivity. */
+
+	if(!n->status.udp_confirmed && n != n->nexthop && (n->nexthop->options >> 24) >= 4)
+		try_tx_sptps(n->nexthop, mtu);
 }
 
 static void try_tx_legacy(node_t *n, bool mtu) {
@@ -1227,33 +1271,52 @@ void broadcast_packet(const node_t *from, vpn_packet_t *packet) {
 	}
 }
 
+/* We got a packet from some IP address, but we don't know who sent it.  Try to
+   verify the message authentication code against all active session keys.
+   Since this is actually an expensive operation, we only do a full check once
+   a minute, the rest of the time we only check against nodes for which we know
+   an IP address that matches the one from the packet.  */
+
 static node_t *try_harder(const sockaddr_t *from, const vpn_packet_t *pkt) {
-	node_t *n = NULL;
+	node_t *match = NULL;
 	bool hard = false;
 	static time_t last_hard_try = 0;
 
-	for splay_each(edge_t, e, edge_weight_tree) {
-		if(!e->to->status.reachable || e->to == myself)
+	for splay_each(node_t, n, node_tree) {
+		if(!n->status.reachable || n == myself)
+			continue;
+
+		if((n->status.sptps && !n->sptps.instate) || !n->status.validkey_in)
 			continue;
 
-		if(sockaddrcmp_noport(from, &e->address)) {
+		bool soft = false;
+
+		for splay_each(edge_t, e, n->edge_tree) {
+			if(!e->reverse)
+				continue;
+			if(!sockaddrcmp_noport(from, &e->reverse->address)) {
+				soft = true;
+				break;
+			}
+		}
+
+		if(!soft) {
 			if(last_hard_try == now.tv_sec)
 				continue;
 			hard = true;
 		}
 
-		if(!try_mac(e->to, pkt))
+		if(!try_mac(n, pkt))
 			continue;
 
-		n = e->to;
+		match = n;
 		break;
 	}
 
 	if(hard)
 		last_hard_try = now.tv_sec;
 
-	last_hard_try = now.tv_sec;
-	return n;
+	return match;
 }
 
 void handle_incoming_vpn_data(void *data, int flags) {
@@ -1283,6 +1346,9 @@ void handle_incoming_vpn_data(void *data, int flags) {
 
 	node_t *n = lookup_node_udp(&addr);
 
+	if(n && !n->status.udp_confirmed)
+		n = NULL; // Don't believe it if we don't have confirmation yet.
+
 	if(!n) {
 		// It might be from a 1.1 node, which might have a source ID in the packet.
 		pkt.offset = 2 * sizeof(node_id_t);
@@ -1326,8 +1392,20 @@ skip_harder:
 			return;
 		}
 
+		/* The packet is supposed to come from the originator or its static relay
+		   (i.e. with no dynamic relays in between).
+		   If it did not, "help" the static relay by sending it UDP info.
+		   Note that we only do this if we're the destination or the static relay;
+		   otherwise every hop would initiate its own UDP info message, resulting in elevated chatter. */
+
+		if(n != from->via && to->via == myself)
+			send_udp_info(myself, from);
+
+		/* If we're not the final recipient, relay the packet. */
+
 		if(to != myself) {
-			send_sptps_data_priv(to, n, 0, DATA(&pkt), pkt.len - 2 * sizeof(node_id_t));
+			send_sptps_data_priv(to, from, 0, DATA(&pkt), pkt.len - 2 * sizeof(node_id_t));
+			try_tx_sptps(to, true);
 			return;
 		}
 	} else {
@@ -1342,6 +1420,12 @@ skip_harder:
 	n->sock = ls - listen_socket;
 	if(direct && sockaddrcmp(&addr, &n->address))
 		update_node_udp(n, &addr);
+
+	/* If the packet went through a relay, help the sender find the appropriate MTU
+	   through the relay path. */
+
+	if(!direct)
+		send_mtu_info(myself, n, MTU);
 }
 
 void handle_device_data(void *data, int flags) {