2 net_packet.c -- Handles in- and outgoing VPN packets
3 Copyright (C) 1998-2005 Ivo Timmermans,
4 2000-2014 Guus Sliepen <guus@tinc-vpn.org>
5 2010 Timothy Redaelli <timothy@redaelli.eu>
6 2010 Brandon Black <blblack@gmail.com>
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 2 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License along
19 with this program; if not, write to the Free Software Foundation, Inc.,
20 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
35 #include "connection.h"
50 #define MAX(a, b) ((a) > (b) ? (a) : (b))
55 static char lzo_wrkmem[LZO1X_999_MEM_COMPRESS > LZO1X_1_MEM_COMPRESS ? LZO1X_999_MEM_COMPRESS : LZO1X_1_MEM_COMPRESS];
58 static void send_udppacket(node_t *, vpn_packet_t *);
60 unsigned replaywin = 16;
61 bool localdiscovery = true;
62 bool udp_discovery = true;
63 int udp_discovery_interval = 9;
64 int udp_discovery_timeout = 30;
66 #define MAX_SEQNO 1073741824
68 static void send_udp_probe_packet(node_t *n, int len) {
70 packet.offset = DEFAULT_PACKET_OFFSET;
71 memset(DATA(&packet), 0, 14);
72 randomize(DATA(&packet) + 14, len - 14);
76 logger(DEBUG_TRAFFIC, LOG_INFO, "Sending UDP probe length %d to %s (%s)", len, n->name, n->hostname);
78 send_udppacket(n, &packet);
81 static void send_mtu_probe_handler(void *data) {
84 if(!n->status.reachable || !n->status.validkey) {
85 logger(DEBUG_TRAFFIC, LOG_INFO, "Trying to send MTU probe to unreachable or rekeying node %s (%s)", n->name, n->hostname);
90 /* mtuprobes == 0..29: initial discovery, send bursts with 1 second interval, mtuprobes++
91 mtuprobes == 30: fix MTU, and go to 31
92 mtuprobes == 31: send one >maxmtu probe every pingtimeout */
94 if(n->mtuprobes == 30 || (n->mtuprobes < 30 && n->minmtu >= n->maxmtu)) {
95 if(n->minmtu > n->maxmtu)
96 n->minmtu = n->maxmtu;
98 n->maxmtu = n->minmtu;
100 logger(DEBUG_TRAFFIC, LOG_INFO, "Fixing MTU of %s (%s) to %d after %d probes", n->name, n->hostname, n->mtu, n->mtuprobes);
105 if(n->mtuprobes == 31) {
106 /* After the initial discovery, we only send one >maxmtu probe
107 to detect PMTU increases. */
108 if(n->maxmtu + 8 < MTU)
109 send_udp_probe_packet(n, n->maxmtu + 8);
110 timeout = pingtimeout;
112 /* Probes are sent in batches of three, with random sizes between the
113 lower and upper boundaries for the MTU thus far discovered. */
114 for (int i = 0; i < 3; i++) {
116 if(n->minmtu < n->maxmtu)
117 len = n->minmtu + 1 + rand() % (n->maxmtu - n->minmtu);
119 send_udp_probe_packet(n, MAX(len, 64));
125 n->probe_counter = 0;
126 gettimeofday(&n->probe_time, NULL);
128 /* Calculate the packet loss of incoming traffic by comparing the rate of
129 packets received to the rate with which the sequence number has increased.
130 TODO: this is unrelated to PMTU discovery - it should be moved elsewhere.
133 if(n->received > n->prev_received)
134 n->packetloss = 1.0 - (n->received - n->prev_received) / (float)(n->received_seqno - n->prev_received_seqno);
136 n->packetloss = n->received_seqno <= n->prev_received_seqno;
138 n->prev_received_seqno = n->received_seqno;
139 n->prev_received = n->received;
141 timeout_set(&n->mtutimeout, &(struct timeval){timeout, rand() % 100000});
144 void send_mtu_probe(node_t *n) {
145 timeout_add(&n->mtutimeout, send_mtu_probe_handler, n, &(struct timeval){1, 0});
146 send_mtu_probe_handler(n);
149 static void udp_probe_timeout_handler(void *data) {
151 if(!n->status.udp_confirmed)
154 logger(DEBUG_TRAFFIC, LOG_INFO, "Too much time has elapsed since last UDP ping response from %s (%s), stopping UDP communication", n->name, n->hostname);
155 n->status.udp_confirmed = false;
161 static void udp_probe_h(node_t *n, vpn_packet_t *packet, length_t len) {
162 if(!DATA(packet)[0]) {
163 logger(DEBUG_TRAFFIC, LOG_INFO, "Got UDP probe request %d from %s (%s)", packet->len, n->name, n->hostname);
165 /* It's a probe request, send back a reply */
167 /* Type 2 probe replies were introduced in protocol 17.3 */
168 if ((n->options >> 24) >= 3) {
169 uint8_t *data = DATA(packet);
171 uint16_t len16 = htons(len); memcpy(data, &len16, 2); data += 2;
173 gettimeofday(&now, NULL);
174 uint32_t sec = htonl(now.tv_sec); memcpy(data, &sec, 4); data += 4;
175 uint32_t usec = htonl(now.tv_usec); memcpy(data, &usec, 4); data += 4;
178 /* Legacy protocol: n won't understand type 2 probe replies. */
182 /* Temporarily set udp_confirmed, so that the reply is sent
183 back exactly the way it came in. */
185 bool udp_confirmed = n->status.udp_confirmed;
186 n->status.udp_confirmed = true;
187 send_udppacket(n, packet);
188 n->status.udp_confirmed = udp_confirmed;
190 length_t probelen = len;
191 if (DATA(packet)[0] == 2) {
193 logger(DEBUG_TRAFFIC, LOG_WARNING, "Received invalid (too short) UDP probe reply from %s (%s)", n->name, n->hostname);
195 uint16_t probelen16; memcpy(&probelen16, DATA(packet) + 1, 2); probelen = ntohs(probelen16);
198 logger(DEBUG_TRAFFIC, LOG_INFO, "Got type %d UDP probe reply %d from %s (%s)", DATA(packet)[0], probelen, n->name, n->hostname);
200 /* It's a valid reply: now we know bidirectional communication
201 is possible using the address and socket that the reply
203 n->status.udp_confirmed = true;
206 timeout_del(&n->udp_ping_timeout);
207 timeout_add(&n->udp_ping_timeout, &udp_probe_timeout_handler, n, &(struct timeval){udp_discovery_timeout, 0});
210 if(probelen >= n->maxmtu + 8) {
211 logger(DEBUG_TRAFFIC, LOG_INFO, "Increase in PMTU to %s (%s) detected, restarting PMTU discovery", n->name, n->hostname);
217 /* If applicable, raise the minimum supported MTU */
219 if(probelen > n->maxmtu)
220 probelen = n->maxmtu;
221 if(n->minmtu < probelen)
222 n->minmtu = probelen;
224 /* Calculate RTT and bandwidth.
225 The RTT is the time between the MTU probe burst was sent and the first
226 reply is received. The bandwidth is measured using the time between the
227 arrival of the first and third probe reply (or type 2 probe requests).
230 struct timeval now, diff;
231 gettimeofday(&now, NULL);
232 timersub(&now, &n->probe_time, &diff);
234 struct timeval probe_timestamp = now;
235 if (DATA(packet)[0] == 2 && packet->len >= 11) {
236 uint32_t sec; memcpy(&sec, DATA(packet) + 3, 4);
237 uint32_t usec; memcpy(&usec, DATA(packet) + 7, 4);
238 probe_timestamp.tv_sec = ntohl(sec);
239 probe_timestamp.tv_usec = ntohl(usec);
244 if(n->probe_counter == 1) {
245 n->rtt = diff.tv_sec + diff.tv_usec * 1e-6;
246 n->probe_time = probe_timestamp;
247 } else if(n->probe_counter == 3) {
248 /* TODO: this will never fire after initial MTU discovery. */
249 struct timeval probe_timestamp_diff;
250 timersub(&probe_timestamp, &n->probe_time, &probe_timestamp_diff);
251 n->bandwidth = 2.0 * probelen / (probe_timestamp_diff.tv_sec + probe_timestamp_diff.tv_usec * 1e-6);
252 logger(DEBUG_TRAFFIC, LOG_DEBUG, "%s (%s) RTT %.2f ms, burst bandwidth %.3f Mbit/s, rx packet loss %.2f %%", n->name, n->hostname, n->rtt * 1e3, n->bandwidth * 8e-6, n->packetloss * 1e2);
257 static length_t compress_packet(uint8_t *dest, const uint8_t *source, length_t len, int level) {
259 memcpy(dest, source, len);
261 } else if(level == 10) {
263 lzo_uint lzolen = MAXSIZE;
264 lzo1x_1_compress(source, len, dest, &lzolen, lzo_wrkmem);
269 } else if(level < 10) {
271 unsigned long destlen = MAXSIZE;
272 if(compress2(dest, &destlen, source, len, level) == Z_OK)
279 lzo_uint lzolen = MAXSIZE;
280 lzo1x_999_compress(source, len, dest, &lzolen, lzo_wrkmem);
290 static length_t uncompress_packet(uint8_t *dest, const uint8_t *source, length_t len, int level) {
292 memcpy(dest, source, len);
294 } else if(level > 9) {
296 lzo_uint lzolen = MAXSIZE;
297 if(lzo1x_decompress_safe(source, len, dest, &lzolen, NULL) == LZO_E_OK)
305 unsigned long destlen = MAXSIZE;
306 if(uncompress(dest, &destlen, source, len) == Z_OK)
318 static void receive_packet(node_t *n, vpn_packet_t *packet) {
319 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Received packet of %d bytes from %s (%s)",
320 packet->len, n->name, n->hostname);
323 n->in_bytes += packet->len;
328 static bool try_mac(node_t *n, const vpn_packet_t *inpkt) {
330 return sptps_verify_datagram(&n->sptps, DATA(inpkt), inpkt->len);
332 #ifdef DISABLE_LEGACY
335 if(!digest_active(n->indigest) || inpkt->len < sizeof(seqno_t) + digest_length(n->indigest))
338 return digest_verify(n->indigest, SEQNO(inpkt), inpkt->len - digest_length(n->indigest), DATA(inpkt) + inpkt->len - digest_length(n->indigest));
342 static bool receive_udppacket(node_t *n, vpn_packet_t *inpkt) {
343 vpn_packet_t pkt1, pkt2;
344 vpn_packet_t *pkt[] = { &pkt1, &pkt2, &pkt1, &pkt2 };
347 pkt1.offset = DEFAULT_PACKET_OFFSET;
348 pkt2.offset = DEFAULT_PACKET_OFFSET;
350 if(n->status.sptps) {
351 if(!n->sptps.state) {
352 if(!n->status.waitingforkey) {
353 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got packet from %s (%s) but we haven't exchanged keys yet", n->name, n->hostname);
356 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got packet from %s (%s) but he hasn't got our key yet", n->name, n->hostname);
360 inpkt->offset += 2 * sizeof(node_id_t);
361 if(!sptps_receive_data(&n->sptps, DATA(inpkt), inpkt->len - 2 * sizeof(node_id_t))) {
362 logger(DEBUG_TRAFFIC, LOG_ERR, "Got bad packet from %s (%s)", n->name, n->hostname);
368 #ifdef DISABLE_LEGACY
371 if(!n->status.validkey) {
372 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got packet from %s (%s) but he hasn't got our key yet", n->name, n->hostname);
376 /* Check packet length */
378 if(inpkt->len < sizeof(seqno_t) + digest_length(n->indigest)) {
379 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got too short packet from %s (%s)",
380 n->name, n->hostname);
384 /* It's a legacy UDP packet, the data starts after the seqno */
386 inpkt->offset += sizeof(seqno_t);
388 /* Check the message authentication code */
390 if(digest_active(n->indigest)) {
391 inpkt->len -= digest_length(n->indigest);
392 if(!digest_verify(n->indigest, SEQNO(inpkt), inpkt->len, SEQNO(inpkt) + inpkt->len)) {
393 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got unauthenticated packet from %s (%s)", n->name, n->hostname);
397 /* Decrypt the packet */
399 if(cipher_active(n->incipher)) {
400 vpn_packet_t *outpkt = pkt[nextpkt++];
403 if(!cipher_decrypt(n->incipher, SEQNO(inpkt), inpkt->len, SEQNO(outpkt), &outlen, true)) {
404 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Error decrypting packet from %s (%s)", n->name, n->hostname);
408 outpkt->len = outlen;
412 /* Check the sequence number */
415 memcpy(&seqno, SEQNO(inpkt), sizeof seqno);
416 seqno = ntohl(seqno);
417 inpkt->len -= sizeof seqno;
420 if(seqno != n->received_seqno + 1) {
421 if(seqno >= n->received_seqno + replaywin * 8) {
422 if(n->farfuture++ < replaywin >> 2) {
423 logger(DEBUG_ALWAYS, LOG_WARNING, "Packet from %s (%s) is %d seqs in the future, dropped (%u)",
424 n->name, n->hostname, seqno - n->received_seqno - 1, n->farfuture);
427 logger(DEBUG_ALWAYS, LOG_WARNING, "Lost %d packets from %s (%s)",
428 seqno - n->received_seqno - 1, n->name, n->hostname);
429 memset(n->late, 0, replaywin);
430 } else if (seqno <= n->received_seqno) {
431 if((n->received_seqno >= replaywin * 8 && seqno <= n->received_seqno - replaywin * 8) || !(n->late[(seqno / 8) % replaywin] & (1 << seqno % 8))) {
432 logger(DEBUG_ALWAYS, LOG_WARNING, "Got late or replayed packet from %s (%s), seqno %d, last received %d",
433 n->name, n->hostname, seqno, n->received_seqno);
437 for(int i = n->received_seqno + 1; i < seqno; i++)
438 n->late[(i / 8) % replaywin] |= 1 << i % 8;
443 n->late[(seqno / 8) % replaywin] &= ~(1 << seqno % 8);
446 if(seqno > n->received_seqno)
447 n->received_seqno = seqno;
451 if(n->received_seqno > MAX_SEQNO)
454 /* Decompress the packet */
456 length_t origlen = inpkt->len;
458 if(n->incompression) {
459 vpn_packet_t *outpkt = pkt[nextpkt++];
461 if((outpkt->len = uncompress_packet(DATA(outpkt), DATA(inpkt), inpkt->len, n->incompression)) < 0) {
462 logger(DEBUG_TRAFFIC, LOG_ERR, "Error while uncompressing packet from %s (%s)",
463 n->name, n->hostname);
469 origlen -= MTU/64 + 20;
474 if(!DATA(inpkt)[12] && !DATA(inpkt)[13])
475 udp_probe_h(n, inpkt, origlen);
477 receive_packet(n, inpkt);
482 void receive_tcppacket(connection_t *c, const char *buffer, int len) {
484 outpkt.offset = DEFAULT_PACKET_OFFSET;
486 if(len > sizeof outpkt.data - outpkt.offset)
490 if(c->options & OPTION_TCPONLY)
493 outpkt.priority = -1;
494 memcpy(DATA(&outpkt), buffer, len);
496 receive_packet(c->node, &outpkt);
499 static void send_sptps_packet(node_t *n, vpn_packet_t *origpkt) {
500 if(!n->status.validkey && !n->connection)
506 if(!(DATA(origpkt)[12] | DATA(origpkt)[13])) {
507 sptps_send_record(&n->sptps, PKT_PROBE, (char *)DATA(origpkt), origpkt->len);
511 if(routing_mode == RMODE_ROUTER)
516 if(origpkt->len < offset)
521 if(n->outcompression) {
523 int len = compress_packet(DATA(&outpkt) + offset, DATA(origpkt) + offset, origpkt->len - offset, n->outcompression);
525 logger(DEBUG_TRAFFIC, LOG_ERR, "Error while compressing packet to %s (%s)", n->name, n->hostname);
526 } else if(len < origpkt->len - offset) {
527 outpkt.len = len + offset;
529 type |= PKT_COMPRESSED;
533 /* If we have a direct metaconnection to n, and we can't use UDP, then
534 don't bother with SPTPS and just use a "plaintext" PACKET message.
535 We don't really care about end-to-end security since we're not
536 sending the message through any intermediate nodes. */
537 if(n->connection && origpkt->len > n->minmtu)
538 send_tcppacket(n->connection, origpkt);
540 sptps_send_record(&n->sptps, type, DATA(origpkt) + offset, origpkt->len - offset);
544 static void adapt_socket(const sockaddr_t *sa, int *sock) {
545 /* Make sure we have a suitable socket for the chosen address */
546 if(listen_socket[*sock].sa.sa.sa_family != sa->sa.sa_family) {
547 for(int i = 0; i < listen_sockets; i++) {
548 if(listen_socket[i].sa.sa.sa_family == sa->sa.sa_family) {
556 static void choose_udp_address(const node_t *n, const sockaddr_t **sa, int *sock) {
561 /* If the UDP address is confirmed, use it. */
562 if(n->status.udp_confirmed)
565 /* Send every third packet to n->address; that could be set
566 to the node's reflexive UDP address discovered during key
575 /* Otherwise, address are found in edges to this node.
576 So we pick a random edge and a random socket. */
579 int j = rand() % n->edge_tree->count;
580 edge_t *candidate = NULL;
582 for splay_each(edge_t, e, n->edge_tree) {
584 candidate = e->reverse;
590 *sa = &candidate->address;
591 *sock = rand() % listen_sockets;
594 adapt_socket(*sa, sock);
597 static void choose_local_address(const node_t *n, const sockaddr_t **sa, int *sock) {
600 /* Pick one of the edges from this node at random, then use its local address. */
603 int j = rand() % n->edge_tree->count;
604 edge_t *candidate = NULL;
606 for splay_each(edge_t, e, n->edge_tree) {
613 if (candidate && candidate->local_address.sa.sa_family) {
614 *sa = &candidate->local_address;
615 *sock = rand() % listen_sockets;
616 adapt_socket(*sa, sock);
620 static void send_udppacket(node_t *n, vpn_packet_t *origpkt) {
621 vpn_packet_t pkt1, pkt2;
622 vpn_packet_t *pkt[] = { &pkt1, &pkt2, &pkt1, &pkt2 };
623 vpn_packet_t *inpkt = origpkt;
625 vpn_packet_t *outpkt;
626 int origlen = origpkt->len;
628 #if defined(SOL_IP) && defined(IP_TOS)
629 static int priority = 0;
630 int origpriority = origpkt->priority;
633 pkt1.offset = DEFAULT_PACKET_OFFSET;
634 pkt2.offset = DEFAULT_PACKET_OFFSET;
636 if(!n->status.reachable) {
637 logger(DEBUG_TRAFFIC, LOG_INFO, "Trying to send UDP packet to unreachable node %s (%s)", n->name, n->hostname);
642 return send_sptps_packet(n, origpkt);
644 #ifdef DISABLE_LEGACY
647 /* Make sure we have a valid key */
649 if(!n->status.validkey) {
650 logger(DEBUG_TRAFFIC, LOG_INFO,
651 "No valid key known yet for %s (%s), forwarding via TCP",
652 n->name, n->hostname);
653 send_tcppacket(n->nexthop->connection, origpkt);
657 if(n->options & OPTION_PMTU_DISCOVERY && inpkt->len > n->minmtu && (DATA(inpkt)[12] | DATA(inpkt)[13])) {
658 logger(DEBUG_TRAFFIC, LOG_INFO,
659 "Packet for %s (%s) larger than minimum MTU, forwarding via %s",
660 n->name, n->hostname, n != n->nexthop ? n->nexthop->name : "TCP");
663 send_packet(n->nexthop, origpkt);
665 send_tcppacket(n->nexthop->connection, origpkt);
670 /* Compress the packet */
672 if(n->outcompression) {
673 outpkt = pkt[nextpkt++];
675 if((outpkt->len = compress_packet(DATA(outpkt), DATA(inpkt), inpkt->len, n->outcompression)) < 0) {
676 logger(DEBUG_TRAFFIC, LOG_ERR, "Error while compressing packet to %s (%s)",
677 n->name, n->hostname);
684 /* Add sequence number */
686 seqno_t seqno = htonl(++(n->sent_seqno));
687 memcpy(SEQNO(inpkt), &seqno, sizeof seqno);
688 inpkt->len += sizeof seqno;
690 /* Encrypt the packet */
692 if(cipher_active(n->outcipher)) {
693 outpkt = pkt[nextpkt++];
696 if(!cipher_encrypt(n->outcipher, SEQNO(inpkt), inpkt->len, SEQNO(outpkt), &outlen, true)) {
697 logger(DEBUG_TRAFFIC, LOG_ERR, "Error while encrypting packet to %s (%s)", n->name, n->hostname);
701 outpkt->len = outlen;
705 /* Add the message authentication code */
707 if(digest_active(n->outdigest)) {
708 if(!digest_create(n->outdigest, SEQNO(inpkt), inpkt->len, SEQNO(inpkt) + inpkt->len)) {
709 logger(DEBUG_TRAFFIC, LOG_ERR, "Error while encrypting packet to %s (%s)", n->name, n->hostname);
713 inpkt->len += digest_length(n->outdigest);
716 /* Send the packet */
718 const sockaddr_t *sa = NULL;
721 if(n->status.send_locally)
722 choose_local_address(n, &sa, &sock);
724 choose_udp_address(n, &sa, &sock);
726 #if defined(SOL_IP) && defined(IP_TOS)
727 if(priorityinheritance && origpriority != priority
728 && listen_socket[n->sock].sa.sa.sa_family == AF_INET) {
729 priority = origpriority;
730 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Setting outgoing packet priority to %d", priority);
731 if(setsockopt(listen_socket[n->sock].udp.fd, SOL_IP, IP_TOS, &priority, sizeof(priority))) /* SO_PRIORITY doesn't seem to work */
732 logger(DEBUG_ALWAYS, LOG_ERR, "System call `%s' failed: %s", "setsockopt", sockstrerror(sockerrno));
736 if(sendto(listen_socket[sock].udp.fd, SEQNO(inpkt), inpkt->len, 0, &sa->sa, SALEN(sa->sa)) < 0 && !sockwouldblock(sockerrno)) {
737 if(sockmsgsize(sockerrno)) {
738 if(n->maxmtu >= origlen)
739 n->maxmtu = origlen - 1;
740 if(n->mtu >= origlen)
741 n->mtu = origlen - 1;
743 logger(DEBUG_TRAFFIC, LOG_WARNING, "Error sending packet to %s (%s): %s", n->name, n->hostname, sockstrerror(sockerrno));
747 origpkt->len = origlen;
751 static bool send_sptps_data_priv(node_t *to, node_t *from, int type, const void *data, size_t len) {
752 node_t *relay = (to->via != myself && (type == PKT_PROBE || (len - SPTPS_DATAGRAM_OVERHEAD) <= to->via->minmtu)) ? to->via : to->nexthop;
753 bool direct = from == myself && to == relay;
754 bool relay_supported = (relay->options >> 24) >= 4;
755 bool tcponly = (myself->options | relay->options) & OPTION_TCPONLY;
757 /* Send it via TCP if it is a handshake packet, TCPOnly is in use, this is a relay packet that the other node cannot understand, or this packet is larger than the MTU.
758 TODO: When relaying, the original sender does not know the end-to-end PMTU (it only knows the PMTU of the first hop).
759 This can lead to scenarios where large packets are sent over UDP to relay, but then relay has no choice but fall back to TCP. */
761 if(type == SPTPS_HANDSHAKE || tcponly || (!direct && !relay_supported) || (type != PKT_PROBE && (len - SPTPS_DATAGRAM_OVERHEAD) > relay->minmtu)) {
762 char buf[len * 4 / 3 + 5];
763 b64encode(data, buf, len);
764 /* If no valid key is known yet, send the packets using ANS_KEY requests,
765 to ensure we get to learn the reflexive UDP address. */
766 if(from == myself && !to->status.validkey) {
767 to->incompression = myself->incompression;
768 return send_request(to->nexthop->connection, "%d %s %s %s -1 -1 -1 %d", ANS_KEY, from->name, to->name, buf, to->incompression);
770 return send_request(to->nexthop->connection, "%d %s %s %d %s", REQ_KEY, from->name, to->name, REQ_SPTPS, buf);
775 if(relay_supported) overhead += sizeof to->id + sizeof from->id;
776 char buf[len + overhead]; char* buf_ptr = buf;
777 if(relay_supported) {
779 /* Inform the recipient that this packet was sent directly. */
780 node_id_t nullid = {};
781 memcpy(buf_ptr, &nullid, sizeof nullid); buf_ptr += sizeof nullid;
783 memcpy(buf_ptr, &to->id, sizeof to->id); buf_ptr += sizeof to->id;
785 memcpy(buf_ptr, &from->id, sizeof from->id); buf_ptr += sizeof from->id;
788 /* TODO: if this copy turns out to be a performance concern, change sptps_send_record() to add some "pre-padding" to the buffer and use that instead */
789 memcpy(buf_ptr, data, len); buf_ptr += len;
791 const sockaddr_t *sa = NULL;
793 if(relay->status.send_locally)
794 choose_local_address(relay, &sa, &sock);
796 choose_udp_address(relay, &sa, &sock);
797 logger(DEBUG_TRAFFIC, LOG_INFO, "Sending packet from %s (%s) to %s (%s) via %s (%s)", from->name, from->hostname, to->name, to->hostname, relay->name, relay->hostname);
798 if(sendto(listen_socket[sock].udp.fd, buf, buf_ptr - buf, 0, &sa->sa, SALEN(sa->sa)) < 0 && !sockwouldblock(sockerrno)) {
799 if(sockmsgsize(sockerrno)) {
800 // Compensate for SPTPS overhead
801 len -= SPTPS_DATAGRAM_OVERHEAD;
802 if(relay->maxmtu >= len)
803 relay->maxmtu = len - 1;
804 if(relay->mtu >= len)
805 relay->mtu = len - 1;
807 logger(DEBUG_TRAFFIC, LOG_WARNING, "Error sending UDP SPTPS packet to %s (%s): %s", relay->name, relay->hostname, sockstrerror(sockerrno));
815 bool send_sptps_data(void *handle, uint8_t type, const void *data, size_t len) {
816 return send_sptps_data_priv(handle, myself, type, data, len);
819 bool receive_sptps_record(void *handle, uint8_t type, const void *data, uint16_t len) {
820 node_t *from = handle;
822 if(type == SPTPS_HANDSHAKE) {
823 if(!from->status.validkey) {
824 from->status.validkey = true;
825 from->status.waitingforkey = false;
826 logger(DEBUG_META, LOG_INFO, "SPTPS key exchange with %s (%s) succesful", from->name, from->hostname);
832 logger(DEBUG_ALWAYS, LOG_ERR, "Packet from %s (%s) larger than maximum supported size (%d > %d)", from->name, from->hostname, len, MTU);
837 inpkt.offset = DEFAULT_PACKET_OFFSET;
839 if(type == PKT_PROBE) {
841 memcpy(DATA(&inpkt), data, len);
842 udp_probe_h(from, &inpkt, len);
846 if(type & ~(PKT_COMPRESSED | PKT_MAC)) {
847 logger(DEBUG_ALWAYS, LOG_ERR, "Unexpected SPTPS record type %d len %d from %s (%s)", type, len, from->name, from->hostname);
851 /* Check if we have the headers we need */
852 if(routing_mode != RMODE_ROUTER && !(type & PKT_MAC)) {
853 logger(DEBUG_TRAFFIC, LOG_ERR, "Received packet from %s (%s) without MAC header (maybe Mode is not set correctly)", from->name, from->hostname);
855 } else if(routing_mode == RMODE_ROUTER && (type & PKT_MAC)) {
856 logger(DEBUG_TRAFFIC, LOG_WARNING, "Received packet from %s (%s) with MAC header (maybe Mode is not set correctly)", from->name, from->hostname);
859 int offset = (type & PKT_MAC) ? 0 : 14;
860 if(type & PKT_COMPRESSED) {
861 length_t ulen = uncompress_packet(DATA(&inpkt) + offset, (const uint8_t *)data, len, from->incompression);
865 inpkt.len = ulen + offset;
867 if(inpkt.len > MAXSIZE)
870 memcpy(DATA(&inpkt) + offset, data, len);
871 inpkt.len = len + offset;
874 /* Generate the Ethernet packet type if necessary */
876 switch(DATA(&inpkt)[14] >> 4) {
878 DATA(&inpkt)[12] = 0x08;
879 DATA(&inpkt)[13] = 0x00;
882 DATA(&inpkt)[12] = 0x86;
883 DATA(&inpkt)[13] = 0xDD;
886 logger(DEBUG_TRAFFIC, LOG_ERR,
887 "Unknown IP version %d while reading packet from %s (%s)",
888 DATA(&inpkt)[14] >> 4, from->name, from->hostname);
893 receive_packet(from, &inpkt);
897 // This function tries to get SPTPS keys, if they aren't already known.
898 // This function makes no guarantees - it is up to the caller to check the node's state to figure out if the keys are available.
899 static void try_sptps(node_t *n) {
900 if(n->status.validkey)
903 logger(DEBUG_TRAFFIC, LOG_INFO, "No valid key known yet for %s (%s)", n->name, n->hostname);
905 if(!n->status.waitingforkey)
907 else if(n->last_req_key + 10 < now.tv_sec) {
908 logger(DEBUG_ALWAYS, LOG_DEBUG, "No key from %s after 10 seconds, restarting SPTPS", n->name);
909 sptps_stop(&n->sptps);
910 n->status.waitingforkey = false;
917 // This function tries to establish a UDP tunnel to a node so that packets can be sent.
918 // If a tunnel is already established, it makes sure it stays up.
919 // This function makes no guarantees - it is up to the caller to check the node's state to figure out if UDP is usable.
920 static void try_udp(node_t* n) {
925 gettimeofday(&now, NULL);
926 struct timeval ping_tx_elapsed;
927 timersub(&now, &n->udp_ping_sent, &ping_tx_elapsed);
929 if(ping_tx_elapsed.tv_sec >= udp_discovery_interval) {
930 send_udp_probe_packet(n, MAX(n->minmtu, 16));
931 n->udp_ping_sent = now;
933 if(localdiscovery && !n->status.udp_confirmed && n->prevedge) {
934 n->status.send_locally = true;
935 send_udp_probe_packet(n, 16);
936 n->status.send_locally = false;
941 // This function tries to establish a tunnel to a node (or its relay) so that packets can be sent (e.g. get SPTPS keys).
942 // If a tunnel is already established, it tries to improve it (e.g. by trying to establish a UDP tunnel instead of TCP).
943 // This function makes no guarantees - it is up to the caller to check the node's state to figure out if TCP and/or UDP is usable.
944 // By calling this function repeatedly, the tunnel is gradually improved until we hit the wall imposed by the underlying network environment.
945 // It is recommended to call this function every time a packet is sent (or intended to be sent) to a node,
946 // so that the tunnel keeps improving as packets flow, and then gracefully downgrades itself as it goes idle.
947 static void try_tx(node_t *n) {
948 /* If n is a TCP-only neighbor, we'll only use "cleartext" PACKET
949 messages anyway, so there's no need for SPTPS at all. Otherwise, get the keys. */
950 if(n->status.sptps && !(n->connection && ((myself->options | n->options) & OPTION_TCPONLY))) {
952 if (!n->status.validkey)
956 node_t *via = (n->via == myself) ? n->nexthop : n->via;
958 if((myself->options | via->options) & OPTION_TCPONLY)
961 if(!n->status.sptps && !via->status.validkey && via->last_req_key + 10 <= now.tv_sec) {
963 via->last_req_key = now.tv_sec;
964 } else if(via == n || !n->status.sptps || (via->options >> 24) >= 4)
967 /* If we don't know how to reach "via" yet, then try to reach it through a relay. */
968 if(n->status.sptps && !via->status.udp_confirmed && via->nexthop != via && (via->nexthop->options >> 24) >= 4)
969 try_tx(via->nexthop);
973 send a packet to the given vpn ip.
975 void send_packet(node_t *n, vpn_packet_t *packet) {
980 memcpy(DATA(packet), mymac.x, ETH_ALEN);
982 n->out_bytes += packet->len;
983 devops.write(packet);
987 logger(DEBUG_TRAFFIC, LOG_ERR, "Sending packet of %d bytes to %s (%s)",
988 packet->len, n->name, n->hostname);
990 if(!n->status.reachable) {
991 logger(DEBUG_TRAFFIC, LOG_INFO, "Node %s (%s) is not reachable",
992 n->name, n->hostname);
997 n->out_bytes += packet->len;
999 if(n->status.sptps) {
1000 send_sptps_packet(n, packet);
1004 via = (packet->priority == -1 || n->via == myself) ? n->nexthop : n->via;
1007 logger(DEBUG_TRAFFIC, LOG_INFO, "Sending packet to %s via %s (%s)",
1008 n->name, via->name, n->via->hostname);
1010 if(packet->priority == -1 || ((myself->options | via->options) & OPTION_TCPONLY)) {
1011 if(!send_tcppacket(via->connection, packet))
1012 terminate_connection(via->connection, true);
1014 send_udppacket(via, packet);
1017 /* Try to improve the tunnel.
1018 Note that we do this *after* we send the packet because sending actual packets take priority
1019 with regard to the send buffer space and latency. */
1023 /* Broadcast a packet using the minimum spanning tree */
1025 void broadcast_packet(const node_t *from, vpn_packet_t *packet) {
1026 // Always give ourself a copy of the packet.
1028 send_packet(myself, packet);
1030 // In TunnelServer mode, do not forward broadcast packets.
1031 // The MST might not be valid and create loops.
1032 if(tunnelserver || broadcast_mode == BMODE_NONE)
1035 logger(DEBUG_TRAFFIC, LOG_INFO, "Broadcasting packet of %d bytes from %s (%s)",
1036 packet->len, from->name, from->hostname);
1038 switch(broadcast_mode) {
1039 // In MST mode, broadcast packets travel via the Minimum Spanning Tree.
1040 // This guarantees all nodes receive the broadcast packet, and
1041 // usually distributes the sending of broadcast packets over all nodes.
1043 for list_each(connection_t, c, connection_list)
1044 if(c->edge && c->status.mst && c != from->nexthop->connection)
1045 send_packet(c->node, packet);
1048 // In direct mode, we send copies to each node we know of.
1049 // However, this only reaches nodes that can be reached in a single hop.
1050 // We don't have enough information to forward broadcast packets in this case.
1055 for splay_each(node_t, n, node_tree)
1056 if(n->status.reachable && n != myself && ((n->via == myself && n->nexthop == n) || n->via == n))
1057 send_packet(n, packet);
1065 static node_t *try_harder(const sockaddr_t *from, const vpn_packet_t *pkt) {
1068 static time_t last_hard_try = 0;
1070 for splay_each(edge_t, e, edge_weight_tree) {
1071 if(!e->to->status.reachable || e->to == myself)
1074 if(sockaddrcmp_noport(from, &e->address)) {
1075 if(last_hard_try == now.tv_sec)
1080 if(!try_mac(e->to, pkt))
1088 last_hard_try = now.tv_sec;
1090 last_hard_try = now.tv_sec;
1094 void handle_incoming_vpn_data(void *data, int flags) {
1095 listen_socket_t *ls = data;
1098 node_id_t nullid = {};
1099 sockaddr_t addr = {};
1100 socklen_t addrlen = sizeof addr;
1102 bool direct = false;
1105 int len = recvfrom(ls->udp.fd, DATA(&pkt), MAXSIZE, 0, &addr.sa, &addrlen);
1107 if(len <= 0 || len > MAXSIZE) {
1108 if(!sockwouldblock(sockerrno))
1109 logger(DEBUG_ALWAYS, LOG_ERR, "Receiving packet failed: %s", sockstrerror(sockerrno));
1115 sockaddrunmap(&addr); /* Some braindead IPv6 implementations do stupid things. */
1117 // Try to figure out who sent this packet.
1119 node_t *n = lookup_node_udp(&addr);
1122 // It might be from a 1.1 node, which might have a source ID in the packet.
1123 pkt.offset = 2 * sizeof(node_id_t);
1124 from = lookup_node_id(SRCID(&pkt));
1125 if(from && !memcmp(DSTID(&pkt), &nullid, sizeof nullid) && from->status.sptps) {
1126 if(sptps_verify_datagram(&from->sptps, DATA(&pkt), pkt.len - 2 * sizeof(node_id_t)))
1135 n = try_harder(&addr, &pkt);
1140 if(debug_level >= DEBUG_PROTOCOL) {
1141 hostname = sockaddr2hostname(&addr);
1142 logger(DEBUG_PROTOCOL, LOG_WARNING, "Received UDP packet from unknown source %s", hostname);
1148 if(n->status.sptps) {
1149 pkt.offset = 2 * sizeof(node_id_t);
1151 if(!memcmp(DSTID(&pkt), &nullid, sizeof nullid)) {
1156 from = lookup_node_id(SRCID(&pkt));
1157 to = lookup_node_id(DSTID(&pkt));
1160 logger(DEBUG_PROTOCOL, LOG_WARNING, "Received UDP packet from %s (%s) with unknown source and/or destination ID", n->name, n->hostname);
1165 send_sptps_data_priv(to, n, 0, DATA(&pkt), pkt.len - 2 * sizeof(node_id_t));
1174 if(!receive_udppacket(from, &pkt))
1177 n->sock = ls - listen_socket;
1178 if(direct && sockaddrcmp(&addr, &n->address))
1179 update_node_udp(n, &addr);
1182 void handle_device_data(void *data, int flags) {
1183 vpn_packet_t packet;
1184 packet.offset = DEFAULT_PACKET_OFFSET;
1185 packet.priority = 0;
1187 if(devops.read(&packet)) {
1188 myself->in_packets++;
1189 myself->in_bytes += packet.len;
1190 route(myself, &packet);