X-Git-Url: https://tinc-vpn.org/git/browse?a=blobdiff_plain;f=src%2Fnet_packet.c;h=99063ac25a245ff922993b8ae28c0d0a29319255;hb=eb7a0db18ea71a44999d6a37b4b179dac0ed9bc7;hp=37535c17c0cc355821fb6786d89f4bbcfe75cccf;hpb=0e653260478005eb7c824a9a1a3df04f39938cd6;p=tinc diff --git a/src/net_packet.c b/src/net_packet.c index 37535c17..99063ac2 100644 --- a/src/net_packet.c +++ b/src/net_packet.c @@ -97,10 +97,16 @@ static void udp_probe_timeout_handler(void *data) { static void udp_probe_h(node_t *n, vpn_packet_t *packet, length_t len) { if(!DATA(packet)[0]) { - logger(DEBUG_TRAFFIC, LOG_INFO, "Got UDP probe request %d from %s (%s)", packet->len, n->name, n->hostname); - /* It's a probe request, send back a reply */ + if(!n->status.sptps && !n->status.validkey) { + // But not if we don't have his key. + logger(DEBUG_TRAFFIC, LOG_INFO, "Got UDP probe request from %s (%s) but we don't have his key yet", n->name, n->hostname); + return; + } + + logger(DEBUG_TRAFFIC, LOG_INFO, "Got UDP probe request %d from %s (%s)", packet->len, n->name, n->hostname); + /* Type 2 probe replies were introduced in protocol 17.3 */ if ((n->options >> 24) >= 3) { uint8_t *data = DATA(packet); @@ -110,7 +116,7 @@ static void udp_probe_h(node_t *n, vpn_packet_t *packet, length_t len) { gettimeofday(&now, NULL); uint32_t sec = htonl(now.tv_sec); memcpy(data, &sec, 4); data += 4; uint32_t usec = htonl(now.tv_usec); memcpy(data, &usec, 4); data += 4; - packet->len -= 10; + packet->len = 14; // Minimum size for any probe packet. } else { /* Legacy protocol: n won't understand type 2 probe replies. */ DATA(packet)[0] = 1; @@ -929,6 +935,25 @@ static length_t choose_initial_maxmtu(node_t *n) { mtu -= SPTPS_DATAGRAM_OVERHEAD; if((n->options >> 24) >= 4) mtu -= sizeof(node_id_t) + sizeof(node_id_t); + } else { + mtu -= digest_length(n->outdigest); + + /* Now it's tricky. We use CBC mode, so the length of the + encrypted payload must be a multiple of the blocksize. The + sequence number is also part of the encrypted payload, so we + must account for it after correcting for the blocksize. + Furthermore, the padding in the last block must be at least + 1 byte. */ + + length_t blocksize = cipher_blocksize(n->outcipher); + + if(blocksize > 1) { + mtu /= blocksize; + mtu *= blocksize; + mtu--; + } + + mtu -= 4; // seqno } if (mtu < 512) { @@ -1062,7 +1087,7 @@ static void try_mtu(node_t *n) { idle. */ -static void try_tx_sptps(node_t *n) { +static void try_tx_sptps(node_t *n, bool mtu) { /* If n is a TCP-only neighbor, we'll only use "cleartext" PACKET messages anyway, so there's no need for SPTPS at all. */ @@ -1085,13 +1110,19 @@ static void try_tx_sptps(node_t *n) { /* If we do have a relay, try everything with that one instead. */ if(via != n) - return try_tx_sptps(via); + return try_tx_sptps(via, mtu); try_udp(n); - try_mtu(n); + if(mtu) + try_mtu(n); } -static void try_tx_legacy(node_t *n) { +static void try_tx_legacy(node_t *n, bool mtu) { + /* Does he have our key? If not, send one. */ + + if(!n->status.validkey_in) + send_ans_key(n); + /* Check if we already have a key, or request one. */ if(!n->status.validkey) { @@ -1103,7 +1134,15 @@ static void try_tx_legacy(node_t *n) { } try_udp(n); - try_mtu(n); + if(mtu) + try_mtu(n); +} + +void try_tx(node_t *n, bool mtu) { + if(n->status.sptps) + try_tx_sptps(n, mtu); + else + try_tx_legacy(n, mtu); } void send_packet(node_t *n, vpn_packet_t *packet) { @@ -1136,7 +1175,7 @@ void send_packet(node_t *n, vpn_packet_t *packet) { if(n->status.sptps) { send_sptps_packet(n, packet); - try_tx_sptps(n); + try_tx_sptps(n, true); return; } @@ -1156,7 +1195,7 @@ void send_packet(node_t *n, vpn_packet_t *packet) { } send_udppacket(via, packet); - try_tx_legacy(via); + try_tx_legacy(via, true); } void broadcast_packet(const node_t *from, vpn_packet_t *packet) {