X-Git-Url: https://www.tinc-vpn.org/git/browse?a=blobdiff_plain;f=src%2Fnet_packet.c;h=c07dd1add4ff315a578aaef595af470af28ee560;hb=cfe9285adf391ab66faeb5def811fe08e47a221a;hp=16dac43f2ab66ef971034eaac52383de6c89005f;hpb=6b92ac505d2cd5c7e390d49bf1f0b399ef9f8327;p=tinc
diff --git a/src/net_packet.c b/src/net_packet.c
index 16dac43f..c07dd1ad 100644
--- a/src/net_packet.c
+++ b/src/net_packet.c
@@ -351,10 +351,14 @@ static bool try_mac(node_t *n, const vpn_packet_t *inpkt) {
 	if(n->status.sptps)
 		return sptps_verify_datagram(&n->sptps, DATA(inpkt), inpkt->len);
 
+#ifdef DISABLE_LEGACY
+	return false;
+#else
 	if(!digest_active(n->indigest) || inpkt->len < sizeof(seqno_t) + digest_length(n->indigest))
 		return false;
 
 	return digest_verify(n->indigest, SEQNO(inpkt), inpkt->len - digest_length(n->indigest), DATA(inpkt) + inpkt->len - digest_length(n->indigest));
+#endif
 }
 
 static bool receive_udppacket(node_t *n, vpn_packet_t *inpkt) {
@@ -383,6 +387,9 @@ static bool receive_udppacket(node_t *n, vpn_packet_t *inpkt) {
 		return true;
 	}
 
+#ifdef DISABLE_LEGACY
+	return false;
+#else
 	if(!n->status.validkey) {
 		logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got packet from %s (%s) but he hasn't got our key yet", n->name, n->hostname);
 		return false;
@@ -491,6 +498,7 @@ static bool receive_udppacket(node_t *n, vpn_packet_t *inpkt) {
 	else
 		receive_packet(n, inpkt);
 	return true;
+#endif
 }
 
 void receive_tcppacket(connection_t *c, const char *buffer, int len) {
@@ -514,6 +522,11 @@ static bool try_sptps(node_t *n) {
 	if(n->status.validkey)
 		return true;
 
+	/* If n is a TCP-only neighbor, we'll only use "cleartext" PACKET
+	   messages anyway, so there's no need for SPTPS at all. */
+	if(n->connection && ((myself->options | n->options) & OPTION_TCPONLY))
+		return false;
+
 	logger(DEBUG_TRAFFIC, LOG_INFO, "No valid key known yet for %s (%s)", n->name, n->hostname);
 
 	if(!n->status.waitingforkey)
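Review bot: The TCP-only early return added to try_sptps fires before the `No valid key known yet` log and before the key request that follows it, so for such a neighbour `validkey` stays false for good and nothing in the traffic log says why the SPTPS path is being skipped; a `logger(DEBUG_TRAFFIC, LOG_DEBUG, "Not using SPTPS for TCP-only neighbour %s (%s)", n->name, n->hostname);` next to the return would keep that branch as traceable as the one below it. The comment's "cleartext" also overstates what is given up: the PACKET message is carried inside the metaconnection, which has its own encryption layer, so what is lost is end-to-end SPTPS protection rather than confidentiality on the wire, and the comment should say so. try_sptps continues past the end of the hunk.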
@@ -529,7 +542,10 @@ static bool try_sptps(node_t *n) {
 }
 
 static void send_sptps_packet(node_t *n, vpn_packet_t *origpkt) {
-	if (!try_sptps(n))
+	/* Note: condition order is as intended - even if we have a direct
+	   metaconnection, we want to try SPTPS anyway as it's the only way to
+	   get UDP going */
+	if(!try_sptps(n) && !n->connection)
 		return;
 
 	uint8_t type = 0;
@@ -562,7 +578,14 @@ static void send_sptps_packet(node_t *n, vpn_packet_t *origpkt) {
 		}
 	}
 
-	sptps_send_record(&n->sptps, type, DATA(origpkt) + offset, origpkt->len - offset);
+	/* If we have a direct metaconnection to n, and we can't use UDP, then
+	   don't bother with SPTPS and just use a "plaintext" PACKET message.
+	   We don't really care about end-to-end security since we're not
+	   sending the message through any intermediate nodes. */
+	if(n->connection && origpkt->len > n->minmtu)
+		send_tcppacket(n->connection, origpkt);
+	else
+		sptps_send_record(&n->sptps, type, DATA(origpkt) + offset, origpkt->len - offset);
 	return;
 }
 
@@ -666,6 +689,9 @@ static void send_udppacket(node_t *n, vpn_packet_t *origpkt) {
 	if(n->status.sptps)
 		return send_sptps_packet(n, origpkt);
 
+#ifdef DISABLE_LEGACY
+	return;
+#else
 	/* Make sure we have a valid key */
 
 	if(!n->status.validkey) {
@@ -774,6 +800,7 @@ static void send_udppacket(node_t *n, vpn_packet_t *origpkt) {
 
 end:
 	origpkt->len = origlen;
+#endif
 }
 
 static bool send_sptps_data_priv(node_t *to, node_t *from, int type, const void *data, size_t len) {
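Review bot: The relaxed guard `if(!try_sptps(n) && !n->connection)` lets send_sptps_packet go on without a valid SPTPS key whenever a metaconnection exists, but the TCP fallback in the next hunk (`@@ -562,7 +578,14 @@`) only wraps the final sptps_send_record call and still takes the SPTPS branch whenever `origpkt->len <= n->minmtu`; any sptps_send_record calls in the part of the function between the two hunks, which this page does not show, are not covered at all. Keeping unkeyed packets off the SPTPS path therefore depends on `n->minmtu` being 0 for every node without a key, which nothing in these hunks establishes. A condition that states the intent directly, `if(n->connection && (!n->status.validkey || origpkt->len > n->minmtu))`, removes that dependency for the final send; the same check (or an early `send_tcppacket(n->connection, origpkt); return;` right after the guard when `!n->status.validkey`) is needed wherever else the function sends through SPTPS. send_sptps_packet starts in this hunk and its body continues outside it.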