X-Git-Url: https://tinc-vpn.org/git/browse?a=blobdiff_plain;f=src%2Fnet_packet.c;h=f219287a07d7534028d1c83c8e7cb0a50d7215c4;hb=c26bb47af130d48d003afd29af4d7ea6ad0538c5;hp=1cd03d29fcd66c834e3a38f9c1760c5cf5340a63;hpb=07108117ceddaff0654f9def703e717c002f3e2d;p=tinc

diff --git a/src/net_packet.c b/src/net_packet.c
index 1cd03d29..f219287a 100644
--- a/src/net_packet.c
+++ b/src/net_packet.c
@@ -110,7 +110,7 @@ static void udp_probe_h(node_t *n, vpn_packet_t *packet, length_t len) {
 			gettimeofday(&now, NULL);
 			uint32_t sec = htonl(now.tv_sec); memcpy(data, &sec, 4); data += 4;
 			uint32_t usec = htonl(now.tv_usec); memcpy(data, &usec, 4); data += 4;
-			packet->len -= 10;
+			packet->len = 14; // Minimum size for any probe packet.
 		} else {
 			/* Legacy protocol: n won't understand type 2 probe replies. */
 			DATA(packet)[0] = 1;
@@ -302,7 +302,7 @@ static bool receive_udppacket(node_t *n, vpn_packet_t *inpkt) {
 #ifdef DISABLE_LEGACY
 	return false;
 #else
-	if(!n->status.validkey) {
+	if(!n->status.validkey_in) {
 		logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got packet from %s (%s) but he hasn't got our key yet", n->name, n->hostname);
 		return false;
 	}
@@ -870,8 +870,6 @@ static void try_udp(node_t* n) {
 	if(!udp_discovery)
 		return;
 
-	struct timeval now;
-	gettimeofday(&now, NULL);
 	struct timeval ping_tx_elapsed;
 	timersub(&now, &n->udp_ping_sent, &ping_tx_elapsed);
 
@@ -931,6 +929,25 @@ static length_t choose_initial_maxmtu(node_t *n) {
 		mtu -= SPTPS_DATAGRAM_OVERHEAD;
 		if((n->options >> 24) >= 4)
 			mtu -= sizeof(node_id_t) + sizeof(node_id_t);
+	} else {
+		mtu -= digest_length(n->outdigest);
+
+		/* Now it's tricky. We use CBC mode, so the length of the
+		   encrypted payload must be a multiple of the blocksize. The
+		   sequence number is also part of the encrypted payload, so we
+		   must account for it after correcting for the blocksize.
+		   Furthermore, the padding in the last block must be at least
+		   1 byte. */
+
+		length_t blocksize = cipher_blocksize(n->outcipher);
+
+		if(blocksize > 1) {
+			mtu /= blocksize;
+			mtu *= blocksize;
+			mtu--;
+		}
+
+		mtu -= 4; // seqno
 	}
 
 	if (mtu < 512) {
@@ -950,9 +967,12 @@ static length_t choose_initial_maxmtu(node_t *n) {
 #endif
 }
 
-// This function tries to determines the MTU of a node.
-// By calling this function repeatedly, n->minmtu will be progressively increased, and at some point, n->mtu will be fixed to n->minmtu.
-// If the MTU is already fixed, this function checks if it can be increased.
+/* This function tries to determines the MTU of a node.
+   By calling this function repeatedly, n->minmtu will be progressively
+   increased, and at some point, n->mtu will be fixed to n->minmtu.  If the MTU
+   is already fixed, this function checks if it can be increased.
+*/
+
 static void try_mtu(node_t *n) {
 	if(!(n->options & OPTION_PMTU_DISCOVERY))
 		return;
@@ -968,8 +988,6 @@ static void try_mtu(node_t *n) {
 	   mtuprobes ==    20: fix MTU, and go to -1
 	   mtuprobes ==    -1: send one >maxmtu probe every pingtimeout */
 
-	struct timeval now;
-	gettimeofday(&now, NULL);
 	struct timeval elapsed;
 	timersub(&now, &n->probe_sent_time, &elapsed);
 	if(n->mtuprobes >= 0) {
@@ -982,7 +1000,6 @@ static void try_mtu(node_t *n) {
 
 	try_fix_mtu(n);
 
-	int timeout;
 	if(n->mtuprobes < 0) {
 		/* After the initial discovery, we only send one >maxmtu probe
 		   to detect PMTU increases. */
@@ -1051,44 +1068,65 @@ static void try_mtu(node_t *n) {
 	n->prev_received = n->received;
 }
 
-// This function tries to establish a tunnel to a node (or its relay) so that packets can be sent (e.g. get SPTPS keys).
-// If a tunnel is already established, it tries to improve it (e.g. by trying to establish a UDP tunnel instead of TCP).
-// This function makes no guarantees - it is up to the caller to check the node's state to figure out if TCP and/or UDP is usable.
-// By calling this function repeatedly, the tunnel is gradually improved until we hit the wall imposed by the underlying network environment.
-// It is recommended to call this function every time a packet is sent (or intended to be sent) to a node,
-// so that the tunnel keeps improving as packets flow, and then gracefully downgrades itself as it goes idle.
-static void try_tx(node_t *n) {
+/* These functions try to establish a tunnel to a node (or its relay) so that
+   packets can be sent (e.g. exchange keys).
+   If a tunnel is already established, it tries to improve it (e.g. by trying
+   to establish a UDP tunnel instead of TCP).  This function makes no
+   guarantees - it is up to the caller to check the node's state to figure out
+   if TCP and/or UDP is usable.  By calling this function repeatedly, the
+   tunnel is gradually improved until we hit the wall imposed by the underlying
+   network environment.  It is recommended to call this function every time a
+   packet is sent (or intended to be sent) to a node, so that the tunnel keeps
+   improving as packets flow, and then gracefully downgrades itself as it goes
+   idle.
+*/
+
+static void try_tx_sptps(node_t *n) {
 	/* If n is a TCP-only neighbor, we'll only use "cleartext" PACKET
-	   messages anyway, so there's no need for SPTPS at all. Otherwise, get the keys. */
-	if(n->status.sptps && !(n->connection && ((myself->options | n->options) & OPTION_TCPONLY))) {
-		try_sptps(n);
-		if (!n->status.validkey)
-			return;
-	}
+	   messages anyway, so there's no need for SPTPS at all. */
+
+	if(n->connection && ((myself->options | n->options) & OPTION_TCPONLY))
+		return;
+
+	/* Otherwise, try to do SPTPS authentication with n if necessary. */
+
+	try_sptps(n);
+
+	/* Do we need to relay packets? */
 
 	node_t *via = (n->via == myself) ? n->nexthop : n->via;
-	
-	if((myself->options | via->options) & OPTION_TCPONLY)
+
+	/* If the relay doesn't support SPTPS, everything goes via TCP anyway. */
+
+	if((via->options >> 24) < 4)
 		return;
 
-	if(!n->status.sptps && !via->status.validkey && via->last_req_key + 10 <= now.tv_sec) {
-		send_req_key(via);
-		via->last_req_key = now.tv_sec;
-	} else if(via == n || !n->status.sptps || (via->options >> 24) >= 4) {
-		try_udp(via);
-		try_mtu(via);
+	/* If we do have a relay, try everything with that one instead. */
+
+	if(via != n)
+		return try_tx_sptps(via);
+
+	try_udp(n);
+	try_mtu(n);
+}
+
+static void try_tx_legacy(node_t *n) {
+	/* Check if we already have a key, or request one. */
+
+	if(!n->status.validkey) {
+		if(n->last_req_key + 10 <= now.tv_sec) {
+			send_req_key(n);
+			n->last_req_key = now.tv_sec;
+		}
+		return;
 	}
 
-	/* If we don't know how to reach "via" yet, then try to reach it through a relay. */
-	if(n->status.sptps && !via->status.udp_confirmed && via->nexthop != via && (via->nexthop->options >> 24) >= 4)
-		try_tx(via->nexthop);
+	try_udp(n);
+	try_mtu(n);
 }
 
-/*
-  send a packet to the given vpn ip.
-*/
 void send_packet(node_t *n, vpn_packet_t *packet) {
-	node_t *via;
+	// If it's for myself, write it to the tun/tap device.
 
 	if(n == myself) {
 		if(overwrite_mac)
@@ -1099,44 +1137,47 @@ void send_packet(node_t *n, vpn_packet_t *packet) {
 		return;
 	}
 
-	logger(DEBUG_TRAFFIC, LOG_ERR, "Sending packet of %d bytes to %s (%s)",
-			   packet->len, n->name, n->hostname);
+	logger(DEBUG_TRAFFIC, LOG_ERR, "Sending packet of %d bytes to %s (%s)", packet->len, n->name, n->hostname);
+
+	// If the node is not reachable, drop it.
 
 	if(!n->status.reachable) {
-		logger(DEBUG_TRAFFIC, LOG_INFO, "Node %s (%s) is not reachable",
-				   n->name, n->hostname);
+		logger(DEBUG_TRAFFIC, LOG_INFO, "Node %s (%s) is not reachable", n->name, n->hostname);
 		return;
 	}
 
+	// Keep track of packet statistics.
+
 	n->out_packets++;
 	n->out_bytes += packet->len;
 
+	// Check if it should be sent as an SPTPS packet.
+
 	if(n->status.sptps) {
 		send_sptps_packet(n, packet);
-		goto end;
+		try_tx_sptps(n);
+		return;
 	}
 
-	via = (packet->priority == -1 || n->via == myself) ? n->nexthop : n->via;
+	// Determine which node to actually send it to.
+
+	node_t *via = (packet->priority == -1 || n->via == myself) ? n->nexthop : n->via;
 
 	if(via != n)
-		logger(DEBUG_TRAFFIC, LOG_INFO, "Sending packet to %s via %s (%s)",
-			   n->name, via->name, n->via->hostname);
+		logger(DEBUG_TRAFFIC, LOG_INFO, "Sending packet to %s via %s (%s)", n->name, via->name, n->via->hostname);
+
+	// Try to send via UDP, unless TCP is forced.
 
 	if(packet->priority == -1 || ((myself->options | via->options) & OPTION_TCPONLY)) {
 		if(!send_tcppacket(via->connection, packet))
 			terminate_connection(via->connection, true);
-	} else
-		send_udppacket(via, packet);
+		return;
+	}
 
-end:
-	/* Try to improve the tunnel.
-	   Note that we do this *after* we send the packet because sending actual packets take priority
-	   with regard to the send buffer space and latency. */
-	try_tx(n);
+	send_udppacket(via, packet);
+	try_tx_legacy(via);
 }
 
-/* Broadcast a packet using the minimum spanning tree */
-
 void broadcast_packet(const node_t *from, vpn_packet_t *packet) {
 	// Always give ourself a copy of the packet.
 	if(from != myself)