2 net_packet.c -- Handles in- and outgoing VPN packets
3 Copyright (C) 1998-2005 Ivo Timmermans,
4 2000-2014 Guus Sliepen <guus@tinc-vpn.org>
5 2010 Timothy Redaelli <timothy@redaelli.eu>
6 2010 Brandon Black <blblack@gmail.com>
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 2 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License along
19 with this program; if not, write to the Free Software Foundation, Inc.,
20 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
35 #include "connection.h"
50 #define MAX(a, b) ((a) > (b) ? (a) : (b))
55 static char lzo_wrkmem[LZO1X_999_MEM_COMPRESS > LZO1X_1_MEM_COMPRESS ? LZO1X_999_MEM_COMPRESS : LZO1X_1_MEM_COMPRESS];
58 static void send_udppacket(node_t *, vpn_packet_t *);
60 unsigned replaywin = 16;
61 bool localdiscovery = true;
63 #define MAX_SEQNO 1073741824
65 static void send_mtu_probe_packet(node_t *n, int len) {
67 packet.offset = DEFAULT_PACKET_OFFSET;
68 memset(DATA(&packet), 0, 14);
69 randomize(DATA(&packet) + 14, len - 14);
73 logger(DEBUG_TRAFFIC, LOG_INFO, "Sending MTU probe length %d to %s (%s)", len, n->name, n->hostname);
75 send_udppacket(n, &packet);
78 static void send_mtu_probe_handler(void *data) {
81 if(!n->status.reachable || !n->status.validkey) {
82 logger(DEBUG_TRAFFIC, LOG_INFO, "Trying to send MTU probe to unreachable or rekeying node %s (%s)", n->name, n->hostname);
87 /* mtuprobes == 1..30: initial discovery, send bursts with 1 second interval
88 mtuprobes == 31: sleep pinginterval seconds
89 mtuprobes == 32: send 1 burst, sleep pingtimeout second
90 mtuprobes == 33: no response from other side, restart PMTU discovery process */
95 if(n->mtuprobes > 32) {
98 timeout = pinginterval;
102 logger(DEBUG_TRAFFIC, LOG_INFO, "%s (%s) did not respond to UDP ping, restarting PMTU discovery", n->name, n->hostname);
103 n->status.udp_confirmed = false;
109 if(n->mtuprobes >= 10 && n->mtuprobes < 32 && !n->minmtu) {
110 logger(DEBUG_TRAFFIC, LOG_INFO, "No response to MTU probes from %s (%s)", n->name, n->hostname);
114 if(n->mtuprobes == 30 || (n->mtuprobes < 30 && n->minmtu >= n->maxmtu)) {
115 if(n->minmtu > n->maxmtu)
116 n->minmtu = n->maxmtu;
118 n->maxmtu = n->minmtu;
120 logger(DEBUG_TRAFFIC, LOG_INFO, "Fixing MTU of %s (%s) to %d after %d probes", n->name, n->hostname, n->mtu, n->mtuprobes);
124 if(n->mtuprobes == 31) {
125 timeout = pinginterval;
127 } else if(n->mtuprobes == 32) {
128 timeout = pingtimeout;
131 /* After the initial discovery, a fourth packet is added to each batch with a
132 size larger than the currently known PMTU, to test if the PMTU has increased. */
133 if (n->mtuprobes >= 30 && n->maxmtu + 8 < MTU)
134 send_mtu_probe_packet(n, n->maxmtu + 8);
136 /* Probes are sent in batches of three, with random sizes between the
137 lower and upper boundaries for the MTU thus far discovered. */
138 for (int i = 0; i < 3; i++) {
140 if(n->minmtu < n->maxmtu)
141 len = n->minmtu + 1 + rand() % (n->maxmtu - n->minmtu);
143 send_mtu_probe_packet(n, MAX(len, 64));
146 /* In case local discovery is enabled, another packet is added to each batch,
147 which will be broadcast to the local network. */
148 if(localdiscovery && n->mtuprobes <= 10 && n->prevedge) {
149 n->status.send_locally = true;
150 send_mtu_probe_packet(n, 16);
151 n->status.send_locally = false;
154 n->probe_counter = 0;
155 gettimeofday(&n->probe_time, NULL);
157 /* Calculate the packet loss of incoming traffic by comparing the rate of
158 packets received to the rate with which the sequence number has increased.
161 if(n->received > n->prev_received)
162 n->packetloss = 1.0 - (n->received - n->prev_received) / (float)(n->received_seqno - n->prev_received_seqno);
164 n->packetloss = n->received_seqno <= n->prev_received_seqno;
166 n->prev_received_seqno = n->received_seqno;
167 n->prev_received = n->received;
170 timeout_set(&n->mtutimeout, &(struct timeval){timeout, rand() % 100000});
173 void send_mtu_probe(node_t *n) {
174 timeout_add(&n->mtutimeout, send_mtu_probe_handler, n, &(struct timeval){1, 0});
175 send_mtu_probe_handler(n);
178 static void mtu_probe_h(node_t *n, vpn_packet_t *packet, length_t len) {
179 if(!DATA(packet)[0]) {
180 logger(DEBUG_TRAFFIC, LOG_INFO, "Got MTU probe request %d from %s (%s)", packet->len, n->name, n->hostname);
182 /* It's a probe request, send back a reply */
184 /* Type 2 probe replies were introduced in protocol 17.3 */
185 if ((n->options >> 24) >= 3) {
186 uint8_t *data = DATA(packet);
188 uint16_t len16 = htons(len); memcpy(data, &len16, 2); data += 2;
190 gettimeofday(&now, NULL);
191 uint32_t sec = htonl(now.tv_sec); memcpy(data, &sec, 4); data += 4;
192 uint32_t usec = htonl(now.tv_usec); memcpy(data, &usec, 4); data += 4;
195 /* Legacy protocol: n won't understand type 2 probe replies. */
199 /* Temporarily set udp_confirmed, so that the reply is sent
200 back exactly the way it came in. */
202 bool udp_confirmed = n->status.udp_confirmed;
203 n->status.udp_confirmed = true;
204 send_udppacket(n, packet);
205 n->status.udp_confirmed = udp_confirmed;
207 length_t probelen = len;
208 if (DATA(packet)[0] == 2) {
210 logger(DEBUG_TRAFFIC, LOG_WARNING, "Received invalid (too short) MTU probe reply from %s (%s)", n->name, n->hostname);
212 uint16_t probelen16; memcpy(&probelen16, DATA(packet) + 1, 2); probelen = ntohs(probelen16);
215 logger(DEBUG_TRAFFIC, LOG_INFO, "Got type %d MTU probe reply %d from %s (%s)", DATA(packet)[0], probelen, n->name, n->hostname);
217 /* It's a valid reply: now we know bidirectional communication
218 is possible using the address and socket that the reply
221 n->status.udp_confirmed = true;
223 /* If we haven't established the PMTU yet, restart the discovery process. */
225 if(n->mtuprobes > 30) {
226 if (probelen == n->maxmtu + 8) {
227 logger(DEBUG_TRAFFIC, LOG_INFO, "Increase in PMTU to %s (%s) detected, restarting PMTU discovery", n->name, n->hostname);
239 /* If applicable, raise the minimum supported MTU */
241 if(probelen > n->maxmtu)
242 probelen = n->maxmtu;
243 if(n->minmtu < probelen)
244 n->minmtu = probelen;
246 /* Calculate RTT and bandwidth.
247 The RTT is the time between the MTU probe burst was sent and the first
248 reply is received. The bandwidth is measured using the time between the
249 arrival of the first and third probe reply (or type 2 probe requests).
252 struct timeval now, diff;
253 gettimeofday(&now, NULL);
254 timersub(&now, &n->probe_time, &diff);
256 struct timeval probe_timestamp = now;
257 if (DATA(packet)[0] == 2 && packet->len >= 11) {
258 uint32_t sec; memcpy(&sec, DATA(packet) + 3, 4);
259 uint32_t usec; memcpy(&usec, DATA(packet) + 7, 4);
260 probe_timestamp.tv_sec = ntohl(sec);
261 probe_timestamp.tv_usec = ntohl(usec);
266 if(n->probe_counter == 1) {
267 n->rtt = diff.tv_sec + diff.tv_usec * 1e-6;
268 n->probe_time = probe_timestamp;
269 } else if(n->probe_counter == 3) {
270 struct timeval probe_timestamp_diff;
271 timersub(&probe_timestamp, &n->probe_time, &probe_timestamp_diff);
272 n->bandwidth = 2.0 * probelen / (probe_timestamp_diff.tv_sec + probe_timestamp_diff.tv_usec * 1e-6);
273 logger(DEBUG_TRAFFIC, LOG_DEBUG, "%s (%s) RTT %.2f ms, burst bandwidth %.3f Mbit/s, rx packet loss %.2f %%", n->name, n->hostname, n->rtt * 1e3, n->bandwidth * 8e-6, n->packetloss * 1e2);
278 static length_t compress_packet(uint8_t *dest, const uint8_t *source, length_t len, int level) {
280 memcpy(dest, source, len);
282 } else if(level == 10) {
284 lzo_uint lzolen = MAXSIZE;
285 lzo1x_1_compress(source, len, dest, &lzolen, lzo_wrkmem);
290 } else if(level < 10) {
292 unsigned long destlen = MAXSIZE;
293 if(compress2(dest, &destlen, source, len, level) == Z_OK)
300 lzo_uint lzolen = MAXSIZE;
301 lzo1x_999_compress(source, len, dest, &lzolen, lzo_wrkmem);
311 static length_t uncompress_packet(uint8_t *dest, const uint8_t *source, length_t len, int level) {
313 memcpy(dest, source, len);
315 } else if(level > 9) {
317 lzo_uint lzolen = MAXSIZE;
318 if(lzo1x_decompress_safe(source, len, dest, &lzolen, NULL) == LZO_E_OK)
326 unsigned long destlen = MAXSIZE;
327 if(uncompress(dest, &destlen, source, len) == Z_OK)
339 static void receive_packet(node_t *n, vpn_packet_t *packet) {
340 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Received packet of %d bytes from %s (%s)",
341 packet->len, n->name, n->hostname);
344 n->in_bytes += packet->len;
349 static bool try_mac(node_t *n, const vpn_packet_t *inpkt) {
351 return sptps_verify_datagram(&n->sptps, DATA(inpkt), inpkt->len);
353 #ifdef DISABLE_LEGACY
356 if(!digest_active(n->indigest) || inpkt->len < sizeof(seqno_t) + digest_length(n->indigest))
359 return digest_verify(n->indigest, SEQNO(inpkt), inpkt->len - digest_length(n->indigest), DATA(inpkt) + inpkt->len - digest_length(n->indigest));
363 static bool receive_udppacket(node_t *n, vpn_packet_t *inpkt) {
364 vpn_packet_t pkt1, pkt2;
365 vpn_packet_t *pkt[] = { &pkt1, &pkt2, &pkt1, &pkt2 };
368 pkt1.offset = DEFAULT_PACKET_OFFSET;
369 pkt2.offset = DEFAULT_PACKET_OFFSET;
371 if(n->status.sptps) {
372 if(!n->sptps.state) {
373 if(!n->status.waitingforkey) {
374 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got packet from %s (%s) but we haven't exchanged keys yet", n->name, n->hostname);
377 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got packet from %s (%s) but he hasn't got our key yet", n->name, n->hostname);
381 inpkt->offset += 2 * sizeof(node_id_t);
382 if(!sptps_receive_data(&n->sptps, DATA(inpkt), inpkt->len - 2 * sizeof(node_id_t))) {
383 logger(DEBUG_TRAFFIC, LOG_ERR, "Got bad packet from %s (%s)", n->name, n->hostname);
389 #ifdef DISABLE_LEGACY
392 if(!n->status.validkey) {
393 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got packet from %s (%s) but he hasn't got our key yet", n->name, n->hostname);
397 /* Check packet length */
399 if(inpkt->len < sizeof(seqno_t) + digest_length(n->indigest)) {
400 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got too short packet from %s (%s)",
401 n->name, n->hostname);
405 /* It's a legacy UDP packet, the data starts after the seqno */
407 inpkt->offset += sizeof(seqno_t);
409 /* Check the message authentication code */
411 if(digest_active(n->indigest)) {
412 inpkt->len -= digest_length(n->indigest);
413 if(!digest_verify(n->indigest, SEQNO(inpkt), inpkt->len, SEQNO(inpkt) + inpkt->len)) {
414 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got unauthenticated packet from %s (%s)", n->name, n->hostname);
418 /* Decrypt the packet */
420 if(cipher_active(n->incipher)) {
421 vpn_packet_t *outpkt = pkt[nextpkt++];
424 if(!cipher_decrypt(n->incipher, SEQNO(inpkt), inpkt->len, SEQNO(outpkt), &outlen, true)) {
425 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Error decrypting packet from %s (%s)", n->name, n->hostname);
429 outpkt->len = outlen;
433 /* Check the sequence number */
436 memcpy(&seqno, SEQNO(inpkt), sizeof seqno);
437 seqno = ntohl(seqno);
438 inpkt->len -= sizeof seqno;
441 if(seqno != n->received_seqno + 1) {
442 if(seqno >= n->received_seqno + replaywin * 8) {
443 if(n->farfuture++ < replaywin >> 2) {
444 logger(DEBUG_ALWAYS, LOG_WARNING, "Packet from %s (%s) is %d seqs in the future, dropped (%u)",
445 n->name, n->hostname, seqno - n->received_seqno - 1, n->farfuture);
448 logger(DEBUG_ALWAYS, LOG_WARNING, "Lost %d packets from %s (%s)",
449 seqno - n->received_seqno - 1, n->name, n->hostname);
450 memset(n->late, 0, replaywin);
451 } else if (seqno <= n->received_seqno) {
452 if((n->received_seqno >= replaywin * 8 && seqno <= n->received_seqno - replaywin * 8) || !(n->late[(seqno / 8) % replaywin] & (1 << seqno % 8))) {
453 logger(DEBUG_ALWAYS, LOG_WARNING, "Got late or replayed packet from %s (%s), seqno %d, last received %d",
454 n->name, n->hostname, seqno, n->received_seqno);
458 for(int i = n->received_seqno + 1; i < seqno; i++)
459 n->late[(i / 8) % replaywin] |= 1 << i % 8;
464 n->late[(seqno / 8) % replaywin] &= ~(1 << seqno % 8);
467 if(seqno > n->received_seqno)
468 n->received_seqno = seqno;
472 if(n->received_seqno > MAX_SEQNO)
475 /* Decompress the packet */
477 length_t origlen = inpkt->len;
479 if(n->incompression) {
480 vpn_packet_t *outpkt = pkt[nextpkt++];
482 if((outpkt->len = uncompress_packet(DATA(outpkt), DATA(inpkt), inpkt->len, n->incompression)) < 0) {
483 logger(DEBUG_TRAFFIC, LOG_ERR, "Error while uncompressing packet from %s (%s)",
484 n->name, n->hostname);
490 origlen -= MTU/64 + 20;
495 if(!DATA(inpkt)[12] && !DATA(inpkt)[13])
496 mtu_probe_h(n, inpkt, origlen);
498 receive_packet(n, inpkt);
503 void receive_tcppacket(connection_t *c, const char *buffer, int len) {
505 outpkt.offset = DEFAULT_PACKET_OFFSET;
507 if(len > sizeof outpkt.data - outpkt.offset)
511 if(c->options & OPTION_TCPONLY)
514 outpkt.priority = -1;
515 memcpy(DATA(&outpkt), buffer, len);
517 receive_packet(c->node, &outpkt);
520 static void send_sptps_packet(node_t *n, vpn_packet_t *origpkt) {
521 if(!n->status.validkey && !n->connection)
527 if(!(DATA(origpkt)[12] | DATA(origpkt)[13])) {
528 sptps_send_record(&n->sptps, PKT_PROBE, (char *)DATA(origpkt), origpkt->len);
532 if(routing_mode == RMODE_ROUTER)
537 if(origpkt->len < offset)
542 if(n->outcompression) {
544 int len = compress_packet(DATA(&outpkt) + offset, DATA(origpkt) + offset, origpkt->len - offset, n->outcompression);
546 logger(DEBUG_TRAFFIC, LOG_ERR, "Error while compressing packet to %s (%s)", n->name, n->hostname);
547 } else if(len < origpkt->len - offset) {
548 outpkt.len = len + offset;
550 type |= PKT_COMPRESSED;
554 /* If we have a direct metaconnection to n, and we can't use UDP, then
555 don't bother with SPTPS and just use a "plaintext" PACKET message.
556 We don't really care about end-to-end security since we're not
557 sending the message through any intermediate nodes. */
558 if(n->connection && origpkt->len > n->minmtu)
559 send_tcppacket(n->connection, origpkt);
561 sptps_send_record(&n->sptps, type, DATA(origpkt) + offset, origpkt->len - offset);
565 static void adapt_socket(const sockaddr_t *sa, int *sock) {
566 /* Make sure we have a suitable socket for the chosen address */
567 if(listen_socket[*sock].sa.sa.sa_family != sa->sa.sa_family) {
568 for(int i = 0; i < listen_sockets; i++) {
569 if(listen_socket[i].sa.sa.sa_family == sa->sa.sa_family) {
577 static void choose_udp_address(const node_t *n, const sockaddr_t **sa, int *sock) {
582 /* If the UDP address is confirmed, use it. */
583 if(n->status.udp_confirmed)
586 /* Send every third packet to n->address; that could be set
587 to the node's reflexive UDP address discovered during key
596 /* Otherwise, address are found in edges to this node.
597 So we pick a random edge and a random socket. */
600 int j = rand() % n->edge_tree->count;
601 edge_t *candidate = NULL;
603 for splay_each(edge_t, e, n->edge_tree) {
605 candidate = e->reverse;
611 *sa = &candidate->address;
612 *sock = rand() % listen_sockets;
615 adapt_socket(*sa, sock);
618 static void choose_local_address(const node_t *n, const sockaddr_t **sa, int *sock) {
621 /* Pick one of the edges from this node at random, then use its local address. */
624 int j = rand() % n->edge_tree->count;
625 edge_t *candidate = NULL;
627 for splay_each(edge_t, e, n->edge_tree) {
634 if (candidate && candidate->local_address.sa.sa_family) {
635 *sa = &candidate->local_address;
636 *sock = rand() % listen_sockets;
637 adapt_socket(*sa, sock);
641 static void send_udppacket(node_t *n, vpn_packet_t *origpkt) {
642 vpn_packet_t pkt1, pkt2;
643 vpn_packet_t *pkt[] = { &pkt1, &pkt2, &pkt1, &pkt2 };
644 vpn_packet_t *inpkt = origpkt;
646 vpn_packet_t *outpkt;
647 int origlen = origpkt->len;
649 #if defined(SOL_IP) && defined(IP_TOS)
650 static int priority = 0;
651 int origpriority = origpkt->priority;
654 pkt1.offset = DEFAULT_PACKET_OFFSET;
655 pkt2.offset = DEFAULT_PACKET_OFFSET;
657 if(!n->status.reachable) {
658 logger(DEBUG_TRAFFIC, LOG_INFO, "Trying to send UDP packet to unreachable node %s (%s)", n->name, n->hostname);
663 return send_sptps_packet(n, origpkt);
665 #ifdef DISABLE_LEGACY
668 /* Make sure we have a valid key */
670 if(!n->status.validkey) {
671 logger(DEBUG_TRAFFIC, LOG_INFO,
672 "No valid key known yet for %s (%s), forwarding via TCP",
673 n->name, n->hostname);
674 send_tcppacket(n->nexthop->connection, origpkt);
678 if(n->options & OPTION_PMTU_DISCOVERY && inpkt->len > n->minmtu && (DATA(inpkt)[12] | DATA(inpkt)[13])) {
679 logger(DEBUG_TRAFFIC, LOG_INFO,
680 "Packet for %s (%s) larger than minimum MTU, forwarding via %s",
681 n->name, n->hostname, n != n->nexthop ? n->nexthop->name : "TCP");
684 send_packet(n->nexthop, origpkt);
686 send_tcppacket(n->nexthop->connection, origpkt);
691 /* Compress the packet */
693 if(n->outcompression) {
694 outpkt = pkt[nextpkt++];
696 if((outpkt->len = compress_packet(DATA(outpkt), DATA(inpkt), inpkt->len, n->outcompression)) < 0) {
697 logger(DEBUG_TRAFFIC, LOG_ERR, "Error while compressing packet to %s (%s)",
698 n->name, n->hostname);
705 /* Add sequence number */
707 seqno_t seqno = htonl(++(n->sent_seqno));
708 memcpy(SEQNO(inpkt), &seqno, sizeof seqno);
709 inpkt->len += sizeof seqno;
711 /* Encrypt the packet */
713 if(cipher_active(n->outcipher)) {
714 outpkt = pkt[nextpkt++];
717 if(!cipher_encrypt(n->outcipher, SEQNO(inpkt), inpkt->len, SEQNO(outpkt), &outlen, true)) {
718 logger(DEBUG_TRAFFIC, LOG_ERR, "Error while encrypting packet to %s (%s)", n->name, n->hostname);
722 outpkt->len = outlen;
726 /* Add the message authentication code */
728 if(digest_active(n->outdigest)) {
729 if(!digest_create(n->outdigest, SEQNO(inpkt), inpkt->len, SEQNO(inpkt) + inpkt->len)) {
730 logger(DEBUG_TRAFFIC, LOG_ERR, "Error while encrypting packet to %s (%s)", n->name, n->hostname);
734 inpkt->len += digest_length(n->outdigest);
737 /* Send the packet */
739 const sockaddr_t *sa = NULL;
742 if(n->status.send_locally)
743 choose_local_address(n, &sa, &sock);
745 choose_udp_address(n, &sa, &sock);
747 #if defined(SOL_IP) && defined(IP_TOS)
748 if(priorityinheritance && origpriority != priority
749 && listen_socket[n->sock].sa.sa.sa_family == AF_INET) {
750 priority = origpriority;
751 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Setting outgoing packet priority to %d", priority);
752 if(setsockopt(listen_socket[n->sock].udp.fd, SOL_IP, IP_TOS, &priority, sizeof(priority))) /* SO_PRIORITY doesn't seem to work */
753 logger(DEBUG_ALWAYS, LOG_ERR, "System call `%s' failed: %s", "setsockopt", sockstrerror(sockerrno));
757 if(sendto(listen_socket[sock].udp.fd, SEQNO(inpkt), inpkt->len, 0, &sa->sa, SALEN(sa->sa)) < 0 && !sockwouldblock(sockerrno)) {
758 if(sockmsgsize(sockerrno)) {
759 if(n->maxmtu >= origlen)
760 n->maxmtu = origlen - 1;
761 if(n->mtu >= origlen)
762 n->mtu = origlen - 1;
764 logger(DEBUG_TRAFFIC, LOG_WARNING, "Error sending packet to %s (%s): %s", n->name, n->hostname, sockstrerror(sockerrno));
768 origpkt->len = origlen;
772 static bool send_sptps_data_priv(node_t *to, node_t *from, int type, const void *data, size_t len) {
773 node_t *relay = (to->via != myself && (type == PKT_PROBE || (len - SPTPS_DATAGRAM_OVERHEAD) <= to->via->minmtu)) ? to->via : to->nexthop;
774 bool direct = from == myself && to == relay;
775 bool relay_supported = (relay->options >> 24) >= 4;
776 bool tcponly = (myself->options | relay->options) & OPTION_TCPONLY;
778 /* Send it via TCP if it is a handshake packet, TCPOnly is in use, this is a relay packet that the other node cannot understand, or this packet is larger than the MTU.
779 TODO: When relaying, the original sender does not know the end-to-end PMTU (it only knows the PMTU of the first hop).
780 This can lead to scenarios where large packets are sent over UDP to relay, but then relay has no choice but fall back to TCP. */
782 if(type == SPTPS_HANDSHAKE || tcponly || (!direct && !relay_supported) || (type != PKT_PROBE && (len - SPTPS_DATAGRAM_OVERHEAD) > relay->minmtu)) {
783 char buf[len * 4 / 3 + 5];
784 b64encode(data, buf, len);
785 /* If no valid key is known yet, send the packets using ANS_KEY requests,
786 to ensure we get to learn the reflexive UDP address. */
787 if(from == myself && !to->status.validkey) {
788 to->incompression = myself->incompression;
789 return send_request(to->nexthop->connection, "%d %s %s %s -1 -1 -1 %d", ANS_KEY, from->name, to->name, buf, to->incompression);
791 return send_request(to->nexthop->connection, "%d %s %s %d %s", REQ_KEY, from->name, to->name, REQ_SPTPS, buf);
796 if(relay_supported) overhead += sizeof to->id + sizeof from->id;
797 char buf[len + overhead]; char* buf_ptr = buf;
798 if(relay_supported) {
800 /* Inform the recipient that this packet was sent directly. */
801 node_id_t nullid = {};
802 memcpy(buf_ptr, &nullid, sizeof nullid); buf_ptr += sizeof nullid;
804 memcpy(buf_ptr, &to->id, sizeof to->id); buf_ptr += sizeof to->id;
806 memcpy(buf_ptr, &from->id, sizeof from->id); buf_ptr += sizeof from->id;
809 /* TODO: if this copy turns out to be a performance concern, change sptps_send_record() to add some "pre-padding" to the buffer and use that instead */
810 memcpy(buf_ptr, data, len); buf_ptr += len;
812 const sockaddr_t *sa = NULL;
814 if(relay->status.send_locally)
815 choose_local_address(relay, &sa, &sock);
817 choose_udp_address(relay, &sa, &sock);
818 logger(DEBUG_TRAFFIC, LOG_INFO, "Sending packet from %s (%s) to %s (%s) via %s (%s)", from->name, from->hostname, to->name, to->hostname, relay->name, relay->hostname);
819 if(sendto(listen_socket[sock].udp.fd, buf, buf_ptr - buf, 0, &sa->sa, SALEN(sa->sa)) < 0 && !sockwouldblock(sockerrno)) {
820 if(sockmsgsize(sockerrno)) {
821 // Compensate for SPTPS overhead
822 len -= SPTPS_DATAGRAM_OVERHEAD;
823 if(relay->maxmtu >= len)
824 relay->maxmtu = len - 1;
825 if(relay->mtu >= len)
826 relay->mtu = len - 1;
828 logger(DEBUG_TRAFFIC, LOG_WARNING, "Error sending UDP SPTPS packet to %s (%s): %s", relay->name, relay->hostname, sockstrerror(sockerrno));
836 bool send_sptps_data(void *handle, uint8_t type, const void *data, size_t len) {
837 return send_sptps_data_priv(handle, myself, type, data, len);
840 bool receive_sptps_record(void *handle, uint8_t type, const void *data, uint16_t len) {
841 node_t *from = handle;
843 if(type == SPTPS_HANDSHAKE) {
844 if(!from->status.validkey) {
845 from->status.validkey = true;
846 from->status.waitingforkey = false;
847 logger(DEBUG_META, LOG_INFO, "SPTPS key exchange with %s (%s) succesful", from->name, from->hostname);
853 logger(DEBUG_ALWAYS, LOG_ERR, "Packet from %s (%s) larger than maximum supported size (%d > %d)", from->name, from->hostname, len, MTU);
858 inpkt.offset = DEFAULT_PACKET_OFFSET;
860 if(type == PKT_PROBE) {
862 memcpy(DATA(&inpkt), data, len);
863 mtu_probe_h(from, &inpkt, len);
867 if(type & ~(PKT_COMPRESSED | PKT_MAC)) {
868 logger(DEBUG_ALWAYS, LOG_ERR, "Unexpected SPTPS record type %d len %d from %s (%s)", type, len, from->name, from->hostname);
872 /* Check if we have the headers we need */
873 if(routing_mode != RMODE_ROUTER && !(type & PKT_MAC)) {
874 logger(DEBUG_TRAFFIC, LOG_ERR, "Received packet from %s (%s) without MAC header (maybe Mode is not set correctly)", from->name, from->hostname);
876 } else if(routing_mode == RMODE_ROUTER && (type & PKT_MAC)) {
877 logger(DEBUG_TRAFFIC, LOG_WARNING, "Received packet from %s (%s) with MAC header (maybe Mode is not set correctly)", from->name, from->hostname);
880 int offset = (type & PKT_MAC) ? 0 : 14;
881 if(type & PKT_COMPRESSED) {
882 length_t ulen = uncompress_packet(DATA(&inpkt) + offset, (const uint8_t *)data, len, from->incompression);
886 inpkt.len = ulen + offset;
888 if(inpkt.len > MAXSIZE)
891 memcpy(DATA(&inpkt) + offset, data, len);
892 inpkt.len = len + offset;
895 /* Generate the Ethernet packet type if necessary */
897 switch(DATA(&inpkt)[14] >> 4) {
899 DATA(&inpkt)[12] = 0x08;
900 DATA(&inpkt)[13] = 0x00;
903 DATA(&inpkt)[12] = 0x86;
904 DATA(&inpkt)[13] = 0xDD;
907 logger(DEBUG_TRAFFIC, LOG_ERR,
908 "Unknown IP version %d while reading packet from %s (%s)",
909 DATA(&inpkt)[14] >> 4, from->name, from->hostname);
914 receive_packet(from, &inpkt);
918 // This function tries to get SPTPS keys, if they aren't already known.
919 // This function makes no guarantees - it is up to the caller to check the node's state to figure out if the keys are available.
920 static void try_sptps(node_t *n) {
921 if(n->status.validkey)
924 logger(DEBUG_TRAFFIC, LOG_INFO, "No valid key known yet for %s (%s)", n->name, n->hostname);
926 if(!n->status.waitingforkey)
928 else if(n->last_req_key + 10 < now.tv_sec) {
929 logger(DEBUG_ALWAYS, LOG_DEBUG, "No key from %s after 10 seconds, restarting SPTPS", n->name);
930 sptps_stop(&n->sptps);
931 n->status.waitingforkey = false;
938 // This function tries to establish a tunnel to a node (or its relay) so that packets can be sent (e.g. get SPTPS keys).
939 // If a tunnel is already established, it tries to improve it (e.g. by trying to establish a UDP tunnel instead of TCP).
940 // This function makes no guarantees - it is up to the caller to check the node's state to figure out if TCP and/or UDP is usable.
941 // By calling this function repeatedly, the tunnel is gradually improved until we hit the wall imposed by the underlying network environment.
942 // It is recommended to call this function every time a packet is sent (or intended to be sent) to a node,
943 // so that the tunnel keeps improving as packets flow, and then gracefully downgrades itself as it goes idle.
944 static void try_tx(node_t *n) {
945 /* If n is a TCP-only neighbor, we'll only use "cleartext" PACKET
946 messages anyway, so there's no need for SPTPS at all. Otherwise, get the keys. */
947 if(n->status.sptps && !(n->connection && ((myself->options | n->options) & OPTION_TCPONLY))) {
949 if (!n->status.validkey)
953 node_t *via = (n->via == myself) ? n->nexthop : n->via;
955 if((myself->options | via->options) & OPTION_TCPONLY)
958 if(!n->status.sptps && !via->status.validkey && via->last_req_key + 10 <= now.tv_sec) {
960 via->last_req_key = now.tv_sec;
963 /* If we don't know how to reach "via" yet, then try to reach it through a relay. */
964 if(n->status.sptps && !via->status.udp_confirmed && via->nexthop != via && (via->nexthop->options >> 24) >= 4)
965 try_tx(via->nexthop);
969 send a packet to the given vpn ip.
971 void send_packet(node_t *n, vpn_packet_t *packet) {
976 memcpy(DATA(packet), mymac.x, ETH_ALEN);
978 n->out_bytes += packet->len;
979 devops.write(packet);
983 logger(DEBUG_TRAFFIC, LOG_ERR, "Sending packet of %d bytes to %s (%s)",
984 packet->len, n->name, n->hostname);
986 if(!n->status.reachable) {
987 logger(DEBUG_TRAFFIC, LOG_INFO, "Node %s (%s) is not reachable",
988 n->name, n->hostname);
993 n->out_bytes += packet->len;
995 if(n->status.sptps) {
996 send_sptps_packet(n, packet);
1000 via = (packet->priority == -1 || n->via == myself) ? n->nexthop : n->via;
1003 logger(DEBUG_TRAFFIC, LOG_INFO, "Sending packet to %s via %s (%s)",
1004 n->name, via->name, n->via->hostname);
1006 if(packet->priority == -1 || ((myself->options | via->options) & OPTION_TCPONLY)) {
1007 if(!send_tcppacket(via->connection, packet))
1008 terminate_connection(via->connection, true);
1010 send_udppacket(via, packet);
1013 /* Try to improve the tunnel.
1014 Note that we do this *after* we send the packet because sending actual packets take priority
1015 with regard to the send buffer space and latency. */
1019 /* Broadcast a packet using the minimum spanning tree */
1021 void broadcast_packet(const node_t *from, vpn_packet_t *packet) {
1022 // Always give ourself a copy of the packet.
1024 send_packet(myself, packet);
1026 // In TunnelServer mode, do not forward broadcast packets.
1027 // The MST might not be valid and create loops.
1028 if(tunnelserver || broadcast_mode == BMODE_NONE)
1031 logger(DEBUG_TRAFFIC, LOG_INFO, "Broadcasting packet of %d bytes from %s (%s)",
1032 packet->len, from->name, from->hostname);
1034 switch(broadcast_mode) {
1035 // In MST mode, broadcast packets travel via the Minimum Spanning Tree.
1036 // This guarantees all nodes receive the broadcast packet, and
1037 // usually distributes the sending of broadcast packets over all nodes.
1039 for list_each(connection_t, c, connection_list)
1040 if(c->edge && c->status.mst && c != from->nexthop->connection)
1041 send_packet(c->node, packet);
1044 // In direct mode, we send copies to each node we know of.
1045 // However, this only reaches nodes that can be reached in a single hop.
1046 // We don't have enough information to forward broadcast packets in this case.
1051 for splay_each(node_t, n, node_tree)
1052 if(n->status.reachable && n != myself && ((n->via == myself && n->nexthop == n) || n->via == n))
1053 send_packet(n, packet);
1061 static node_t *try_harder(const sockaddr_t *from, const vpn_packet_t *pkt) {
1064 static time_t last_hard_try = 0;
1066 for splay_each(edge_t, e, edge_weight_tree) {
1067 if(!e->to->status.reachable || e->to == myself)
1070 if(sockaddrcmp_noport(from, &e->address)) {
1071 if(last_hard_try == now.tv_sec)
1076 if(!try_mac(e->to, pkt))
1084 last_hard_try = now.tv_sec;
1086 last_hard_try = now.tv_sec;
1090 void handle_incoming_vpn_data(void *data, int flags) {
1091 listen_socket_t *ls = data;
1094 node_id_t nullid = {};
1095 sockaddr_t addr = {};
1096 socklen_t addrlen = sizeof addr;
1098 bool direct = false;
1101 int len = recvfrom(ls->udp.fd, DATA(&pkt), MAXSIZE, 0, &addr.sa, &addrlen);
1103 if(len <= 0 || len > MAXSIZE) {
1104 if(!sockwouldblock(sockerrno))
1105 logger(DEBUG_ALWAYS, LOG_ERR, "Receiving packet failed: %s", sockstrerror(sockerrno));
1111 sockaddrunmap(&addr); /* Some braindead IPv6 implementations do stupid things. */
1113 // Try to figure out who sent this packet.
1115 node_t *n = lookup_node_udp(&addr);
1118 // It might be from a 1.1 node, which might have a source ID in the packet.
1119 pkt.offset = 2 * sizeof(node_id_t);
1120 from = lookup_node_id(SRCID(&pkt));
1121 if(from && !memcmp(DSTID(&pkt), &nullid, sizeof nullid) && from->status.sptps) {
1122 if(sptps_verify_datagram(&from->sptps, DATA(&pkt), pkt.len - 2 * sizeof(node_id_t)))
1131 n = try_harder(&addr, &pkt);
1136 if(debug_level >= DEBUG_PROTOCOL) {
1137 hostname = sockaddr2hostname(&addr);
1138 logger(DEBUG_PROTOCOL, LOG_WARNING, "Received UDP packet from unknown source %s", hostname);
1144 if(n->status.sptps) {
1145 pkt.offset = 2 * sizeof(node_id_t);
1147 if(!memcmp(DSTID(&pkt), &nullid, sizeof nullid)) {
1152 from = lookup_node_id(SRCID(&pkt));
1153 to = lookup_node_id(DSTID(&pkt));
1156 logger(DEBUG_PROTOCOL, LOG_WARNING, "Received UDP packet from %s (%s) with unknown source and/or destination ID", n->name, n->hostname);
1161 send_sptps_data_priv(to, n, 0, DATA(&pkt), pkt.len - 2 * sizeof(node_id_t));
1170 if(!receive_udppacket(from, &pkt))
1173 n->sock = ls - listen_socket;
1174 if(direct && sockaddrcmp(&addr, &n->address))
1175 update_node_udp(n, &addr);
1178 void handle_device_data(void *data, int flags) {
1179 vpn_packet_t packet;
1180 packet.offset = DEFAULT_PACKET_OFFSET;
1181 packet.priority = 0;
1183 if(devops.read(&packet)) {
1184 myself->in_packets++;
1185 myself->in_bytes += packet.len;
1186 route(myself, &packet);
projects / tinc / blob