Make datagram SPTPS key exchange more robust.

Similar to old style key exchange requests, keep track of whether a key
exchange is already in progress and how long it took. If no key is known yet
or if key exchange takes too long, (re)start a new key exchange.

diff --git a/src/graph.c b/src/graph.c
index 98eb469b447087884c52ec21e052192bee30c082..621dd9be3ae0246e316a7b96760a1d29fb5adb25 100644 (file)
--- a/src/graph.c
+++ b/src/graph.c
@@ -234,6 +234,10 @@ static void check_reachability(void) {
                        /* TODO: only clear status.validkey if node is unreachable? */
 
                        n->status.validkey = false;
+                       if(n->status.sptps) {
+                               sptps_stop(&n->sptps);
+                               n->status.waitingforkey = false;
+                       }
                        n->last_req_key = 0;
 
                        n->maxmtu = MTU;

diff --git a/src/net_packet.c b/src/net_packet.c
index abfb55c411435af0e07d56ab021d9c7c01bbb742..371632fa3c57c18ff7c204754a41463555acff65 100644 (file)
--- a/src/net_packet.c
+++ b/src/net_packet.c
@@ -389,39 +389,48 @@ void receive_tcppacket(connection_t *c, const char *buffer, int len) {
 }
 
 static void send_sptps_packet(node_t *n, vpn_packet_t *origpkt) {
-       if(n->status.sptps) {
-               uint8_t type = 0;
-               int offset = 0;
-
-               if(!(origpkt->data[12] | origpkt->data[13])) {
-                       sptps_send_record(&n->sptps, PKT_PROBE, (char *)origpkt->data, origpkt->len);
-                       return;
+       if(!n->status.validkey) {
+               logger(DEBUG_TRAFFIC, LOG_INFO, "No valid key known yet for %s (%s)", n->name, n->hostname);
+               if(!n->status.waitingforkey)
+                       send_req_key(n);
+               else if(n->last_req_key + 10 < time(NULL)) {
+                       sptps_stop(&n->sptps);
+                       n->status.waitingforkey = false;
+                       send_req_key(n);
                }
+       }
 
-               if(routing_mode == RMODE_ROUTER)
-                       offset = 14;
-               else
-                       type = PKT_MAC;
+       uint8_t type = 0;
+       int offset = 0;
 
-               if(origpkt->len < offset)
-                       return;
-
-               vpn_packet_t outpkt;
+       if(!(origpkt->data[12] | origpkt->data[13])) {
+               sptps_send_record(&n->sptps, PKT_PROBE, (char *)origpkt->data, origpkt->len);
+               return;
+       }
 
-               if(n->outcompression) {
-                       int len = compress_packet(outpkt.data + offset, origpkt->data + offset, origpkt->len - offset, n->outcompression);
-                       if(len < 0) {
-                               logger(DEBUG_TRAFFIC, LOG_ERR, "Error while compressing packet to %s (%s)", n->name, n->hostname);
-                       } else if(len < origpkt->len - offset) {
-                               outpkt.len = len + offset;
-                               origpkt = &outpkt;
-                               type |= PKT_COMPRESSED;
-                       }
-               }
+       if(routing_mode == RMODE_ROUTER)
+               offset = 14;
+       else
+               type = PKT_MAC;
 
-               sptps_send_record(&n->sptps, type, (char *)origpkt->data + offset, origpkt->len - offset);
+       if(origpkt->len < offset)
                return;
+
+       vpn_packet_t outpkt;
+
+       if(n->outcompression) {
+               int len = compress_packet(outpkt.data + offset, origpkt->data + offset, origpkt->len - offset, n->outcompression);
+               if(len < 0) {
+                       logger(DEBUG_TRAFFIC, LOG_ERR, "Error while compressing packet to %s (%s)", n->name, n->hostname);
+               } else if(len < origpkt->len - offset) {
+                       outpkt.len = len + offset;
+                       origpkt = &outpkt;
+                       type |= PKT_COMPRESSED;
+               }
        }
+
+       sptps_send_record(&n->sptps, type, (char *)origpkt->data + offset, origpkt->len - offset);
+       return;
 }
 
 static void send_udppacket(node_t *n, vpn_packet_t *origpkt) {
@@ -620,6 +629,7 @@ bool receive_sptps_record(void *handle, uint8_t type, const char *data, uint16_t
 
        if(type == SPTPS_HANDSHAKE) {
                from->status.validkey = true;
+               from->status.waitingforkey = false;
                logger(DEBUG_META, LOG_INFO, "SPTPS key exchange with %s (%s) succesful", from->name, from->hostname);
                return true;
        }

diff --git a/src/node.h b/src/node.h
index dad926ccae30e1bc88e0c3e6f238d0f169e39b49..d6d07d423cf37e349fd26b1229466f55e1d41d67 100644 (file)
--- a/src/node.h
+++ b/src/node.h
@@ -30,7 +30,7 @@
 typedef struct node_status_t {
        unsigned int unused_active:1;           /* 1 if active (not used for nodes) */
        unsigned int validkey:1;                /* 1 if we currently have a valid key for him */
-       unsigned int unused_waitingforkey:1;    /* 1 if we already sent out a request */
+       unsigned int waitingforkey:1;           /* 1 if we already sent out a request */
        unsigned int visited:1;                 /* 1 if this node has been visited by one of the graph algorithms */
        unsigned int reachable:1;               /* 1 if this node is reachable in the graph */
        unsigned int indirect:1;                /* 1 if this node is not directly reachable by us */

diff --git a/src/protocol_key.c b/src/protocol_key.c
index 802f7ca68d5f2707fb6eaed2ce47990d810d3a60..3e8d29adfc4df0883dd224b23bab896951671b6c 100644 (file)
--- a/src/protocol_key.c
+++ b/src/protocol_key.c
@@ -116,6 +116,8 @@ bool send_req_key(node_t *to) {
                snprintf(label, sizeof label, "tinc UDP key expansion %s %s", myself->name, to->name);
                sptps_stop(&to->sptps);
                to->status.validkey = false;
+               to->status.waitingforkey = true;
+               to->last_req_key = time(NULL);
                to->incompression = myself->incompression;
                return sptps_start(&to->sptps, to, true, true, myself->connection->ecdsa, to->ecdsa, label, sizeof label, send_initial_sptps_data, receive_sptps_record); 
        }
@@ -172,6 +174,8 @@ static bool req_key_ext_h(connection_t *c, const char *request, node_t *from, in
                        snprintf(label, sizeof label, "tinc UDP key expansion %s %s", from->name, myself->name);
                        sptps_stop(&from->sptps);
                        from->status.validkey = false;
+                       from->status.waitingforkey = true;
+                       from->last_req_key = time(NULL);
                        sptps_start(&from->sptps, from, false, true, myself->connection->ecdsa, from->ecdsa, label, sizeof label, send_sptps_data, receive_sptps_record); 
                        sptps_receive_data(&from->sptps, buf, len);
                        return true;