static void send_udppacket(node_t *, vpn_packet_t *);
-unsigned replaywin = 16;
+unsigned replaywin = 32;
bool localdiscovery = true;
bool udp_discovery = true;
int udp_discovery_keepalive_interval = 10;
#ifdef DISABLE_LEGACY
return false;
#else
- if(!digest_active(n->indigest) || inpkt->len < sizeof(seqno_t) + digest_length(n->indigest))
+ if(!n->status.validkey_in || !digest_active(n->indigest) || inpkt->len < sizeof(seqno_t) + digest_length(n->indigest))
return false;
return digest_verify(n->indigest, SEQNO(inpkt), inpkt->len - digest_length(n->indigest), DATA(inpkt) + inpkt->len - digest_length(n->indigest));
bool relay_supported = (relay->options >> 24) >= 4;
bool tcponly = (myself->options | relay->options) & OPTION_TCPONLY;
- /* Send it via TCP if it is a handshake packet, TCPOnly is in use, this is a relay packet that the other node cannot understand, or this packet is larger than the MTU.
- TODO: When relaying, the original sender does not know the end-to-end PMTU (it only knows the PMTU of the first hop).
- This can lead to scenarios where large packets are sent over UDP to relay, but then relay has no choice but fall back to TCP. */
+ /* Send it via TCP if it is a handshake packet, TCPOnly is in use, this is a relay packet that the other node cannot understand, or this packet is larger than the MTU. */
if(type == SPTPS_HANDSHAKE || tcponly || (!direct && !relay_supported) || (type != PKT_PROBE && (len - SPTPS_DATAGRAM_OVERHEAD) > relay->minmtu)) {
char buf[len * 4 / 3 + 5];
mtu -= SPTPS_DATAGRAM_OVERHEAD;
if((n->options >> 24) >= 4)
mtu -= sizeof(node_id_t) + sizeof(node_id_t);
+#ifndef DISABLE_LEGACY
} else {
mtu -= digest_length(n->outdigest);
}
mtu -= 4; // seqno
+#endif
}
if (mtu < 512) {
try_sptps(n);
- /* Do we need to relay packets? */
+ /* Do we need to statically relay packets? */
node_t *via = (n->via == myself) ? n->nexthop : n->via;
- /* If the relay doesn't support SPTPS, everything goes via TCP anyway. */
+ /* If the static relay doesn't support SPTPS, everything goes via TCP anyway. */
if((via->options >> 24) < 4)
return;
- /* If we do have a relay, try everything with that one instead. */
+ /* If we do have a static relay, try everything with that one instead. */
if(via != n)
return try_tx_sptps(via, mtu);
+ /* Otherwise, try to establish UDP connectivity. */
+
try_udp(n);
if(mtu)
try_mtu(n);
+
+ /* If we don't have UDP connectivity (yet), we need to use a dynamic relay (nexthop)
+ while we try to establish direct connectivity. */
+
+ if(!n->status.udp_confirmed && n != n->nexthop && (n->nexthop->options >> 24) >= 4)
+ try_tx_sptps(n->nexthop, mtu);
}
static void try_tx_legacy(node_t *n, bool mtu) {
}
}
+/* We got a packet from some IP address, but we don't know who sent it. Try to
+ verify the message authentication code against all active session keys.
+ Since this is actually an expensive operation, we only do a full check once
+ a minute, the rest of the time we only check against nodes for which we know
+ an IP address that matches the one from the packet. */
+
static node_t *try_harder(const sockaddr_t *from, const vpn_packet_t *pkt) {
- node_t *n = NULL;
+ node_t *match = NULL;
bool hard = false;
static time_t last_hard_try = 0;
- for splay_each(edge_t, e, edge_weight_tree) {
- if(!e->to->status.reachable || e->to == myself)
+ for splay_each(node_t, n, node_tree) {
+ if(!n->status.reachable || n == myself)
continue;
- if(sockaddrcmp_noport(from, &e->address)) {
+ if((n->status.sptps && !n->sptps.instate) || !n->status.validkey_in)
+ continue;
+
+ bool soft = false;
+
+ for splay_each(edge_t, e, n->edge_tree) {
+ if(!e->reverse)
+ continue;
+ if(!sockaddrcmp_noport(from, &e->reverse->address)) {
+ soft = true;
+ break;
+ }
+ }
+
+ if(!soft) {
if(last_hard_try == now.tv_sec)
continue;
hard = true;
}
- if(!try_mac(e->to, pkt))
+ if(!try_mac(n, pkt))
continue;
- n = e->to;
+ match = n;
break;
}
if(hard)
last_hard_try = now.tv_sec;
- last_hard_try = now.tv_sec;
- return n;
+ return match;
}
void handle_incoming_vpn_data(void *data, int flags) {
node_t *n = lookup_node_udp(&addr);
+ if(n && !n->status.udp_confirmed)
+ n = NULL; // Don't believe it if we don't have confirmation yet.
+
if(!n) {
// It might be from a 1.1 node, which might have a source ID in the packet.
pkt.offset = 2 * sizeof(node_id_t);
return;
}
+ /* The packet is supposed to come from the originator or its static relay
+ (i.e. with no dynamic relays in between).
+ If it did not, "help" the static relay by sending it UDP info.
+ Note that we only do this if we're the destination or the static relay;
+ otherwise every hop would initiate its own UDP info message, resulting in elevated chatter. */
+
+ if(n != from->via && to->via == myself)
+ send_udp_info(myself, from);
+
+ /* If we're not the final recipient, relay the packet. */
+
if(to != myself) {
send_sptps_data_priv(to, n, 0, DATA(&pkt), pkt.len - 2 * sizeof(node_id_t));
+ try_tx_sptps(n, true);
return;
}
} else {
n->sock = ls - listen_socket;
if(direct && sockaddrcmp(&addr, &n->address))
update_node_udp(n, &addr);
+
+ /* If the packet went through a relay, help the sender find the appropriate MTU
+ through the relay path. */
+
+ if(!direct)
+ send_mtu_info(myself, n, MTU);
}
void handle_device_data(void *data, int flags) {