ffi-tox 0.1.1 → 0.1.3

data/ProjectTox-Core/toxcore/network.h

@@ -0,0 +1,367 @@
+/* network.h
+ *
+ * Datatypes, functions and includes for the core networking.
+ *
+ *  Copyright (C) 2013 Tox project All Rights Reserved.
+ *
+ *  This file is part of Tox.
+ *
+ *  Tox is free software: you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation, either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  Tox is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with Tox.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+#ifndef NETWORK_H
+#define NETWORK_H
+
+#ifdef PLAN9
+#include <u.h> //Plan 9 requires this is imported first
+#include <libc.h>
+#endif
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <stdint.h>
+#include <string.h>
+#include <time.h>
+
+#if defined(_WIN32) || defined(__WIN32__) || defined (WIN32) /* Put win32 includes here */
+#ifndef WINVER
+//Windows XP
+#define WINVER 0x0501
+#endif
+#include <winsock2.h>
+#include <windows.h>
+#include <ws2tcpip.h>
+
+#ifndef IPV6_V6ONLY
+#define IPV6_V6ONLY 27
+#endif
+
+typedef unsigned int sock_t;
+/* sa_family_t is the sockaddr_in / sockaddr_in6 family field */
+typedef short sa_family_t;
+
+#ifndef EWOULDBLOCK
+#define EWOULDBLOCK WSAEWOULDBLOCK
+#endif
+
+#else // Linux includes
+
+#include <fcntl.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <errno.h>
+#include <sys/time.h>
+#include <sys/types.h>
+#include <netdb.h>
+#include <unistd.h>
+
+typedef int sock_t;
+
+#endif
+
+#if defined(__AIX__)
+#   define _XOPEN_SOURCE 1
+#endif
+
+#if defined(__sun__)
+#define __EXTENSIONS__ 1 // SunOS!
+#if defined(__SunOS5_6__) || defined(__SunOS5_7__) || defined(__SunOS5_8__) || defined(__SunOS5_9__) || defined(__SunOS5_10__)
+//Nothing needed
+#else
+#define __MAKECONTEXT_V2_SOURCE 1
+#endif
+#endif
+
+#ifndef IPV6_ADD_MEMBERSHIP
+#ifdef  IPV6_JOIN_GROUP
+#define IPV6_ADD_MEMBERSHIP IPV6_JOIN_GROUP
+#define IPV6_DROP_MEMBERSHIP IPV6_LEAVE_GROUP
+#endif
+#endif
+
+#define MAX_UDP_PACKET_SIZE 2048
+
+#define NET_PACKET_PING_REQUEST    0   /* Ping request packet ID. */
+#define NET_PACKET_PING_RESPONSE   1   /* Ping response packet ID. */
+#define NET_PACKET_GET_NODES       2   /* Get nodes request packet ID. */
+#define NET_PACKET_SEND_NODES      3   /* Send nodes response packet ID for IPv4 addresses. */
+#define NET_PACKET_SEND_NODES_IPV6 4   /* Send nodes response packet ID for other addresses. */
+#define NET_PACKET_COOKIE_REQUEST  24  /* Cookie request packet */
+#define NET_PACKET_COOKIE_RESPONSE 25  /* Cookie response packet */
+#define NET_PACKET_CRYPTO_HS       26  /* Crypto handshake packet */
+#define NET_PACKET_CRYPTO_DATA     27  /* Crypto data packet */
+#define NET_PACKET_CRYPTO          32  /* Encrypted data packet ID. */
+#define NET_PACKET_LAN_DISCOVERY   33  /* LAN discovery packet ID. */
+#define NET_PACKET_GROUP_CHATS     48  /* Group chats packet ID. */
+
+/* See:  docs/Prevent_Tracking.txt and onion.{c, h} */
+#define NET_PACKET_ONION_SEND_INITIAL 128
+#define NET_PACKET_ONION_SEND_1 129
+#define NET_PACKET_ONION_SEND_2 130
+
+#define NET_PACKET_ANNOUNCE_REQUEST 131
+#define NET_PACKET_ANNOUNCE_RESPONSE 132
+#define NET_PACKET_ONION_DATA_REQUEST 133
+#define NET_PACKET_ONION_DATA_RESPONSE 134
+
+#define NET_PACKET_ONION_RECV_3 140
+#define NET_PACKET_ONION_RECV_2 141
+#define NET_PACKET_ONION_RECV_1 142
+
+/* Only used for bootstrap nodes */
+#define BOOTSTRAP_INFO_PACKET_ID 240
+
+
+#define TOX_PORTRANGE_FROM 33445
+#define TOX_PORTRANGE_TO   33545
+#define TOX_PORT_DEFAULT   TOX_PORTRANGE_FROM
+
+/* TCP related */
+#define TCP_ONION_FAMILY (AF_INET6 + 1)
+#define TCP_INET (AF_INET6 + 2)
+#define TCP_INET6 (AF_INET6 + 3)
+#define TCP_FAMILY (AF_INET6 + 4)
+
+typedef union __attribute__ ((__packed__))
+{
+    uint8_t uint8[4];
+    uint16_t uint16[2];
+    uint32_t uint32;
+    struct in_addr in_addr;
+}
+IP4;
+
+typedef union __attribute__ ((__packed__))
+{
+    uint8_t uint8[16];
+    uint16_t uint16[8];
+    uint32_t uint32[4];
+    uint64_t uint64[2];
+    struct in6_addr in6_addr;
+}
+IP6;
+
+typedef struct __attribute__ ((__packed__))
+{
+    uint8_t family;
+    union {
+        IP4 ip4;
+        IP6 ip6;
+    };
+}
+IP;
+
+typedef struct __attribute__ ((__packed__)) __attribute__((gcc_struct))
+{
+    IP ip;
+    uint16_t port;
+}
+IP_Port;
+
+/* Does the IP6 struct a contain an IPv4 address in an IPv6 one? */
+#define IPV6_IPV4_IN_V6(a) ((a.uint64[0] == 0) && (a.uint32[2] == htonl (0xffff)))
+
+#define SIZE_IP4 4
+#define SIZE_IP6 16
+#define SIZE_IP (1 + SIZE_IP6)
+#define SIZE_PORT 2
+#define SIZE_IPPORT (SIZE_IP + SIZE_PORT)
+
+#define TOX_ENABLE_IPV6_DEFAULT 1
+
+/* ip_ntoa
+ *   converts ip into a string
+ *   uses a static buffer, so mustn't used multiple times in the same output
+ */
+const char *ip_ntoa(const IP *ip);
+
+/*
+ * addr_parse_ip
+ *  directly parses the input into an IP structure
+ *  tries IPv4 first, then IPv6
+ *
+ * input
+ *  address: dotted notation (IPv4: quad, IPv6: 16) or colon notation (IPv6)
+ *
+ * output
+ *  IP: family and the value is set on success
+ *
+ * returns 1 on success, 0 on failure
+ */
+int addr_parse_ip(const char *address, IP *to);
+
+/* ip_equal
+ *  compares two IPAny structures
+ *  unset means unequal
+ *
+ * returns 0 when not equal or when uninitialized
+ */
+int ip_equal(const IP *a, const IP *b);
+
+/* ipport_equal
+ *  compares two IPAny_Port structures
+ *  unset means unequal
+ *
+ * returns 0 when not equal or when uninitialized
+ */
+int ipport_equal(const IP_Port *a, const IP_Port *b);
+
+/* nulls out ip */
+void ip_reset(IP *ip);
+/* nulls out ip, sets family according to flag */
+void ip_init(IP *ip, uint8_t ipv6enabled);
+/* checks if ip is valid */
+int ip_isset(const IP *ip);
+/* checks if ip is valid */
+int ipport_isset(const IP_Port *ipport);
+/* copies an ip structure */
+void ip_copy(IP *target, const IP *source);
+/* copies an ip_port structure */
+void ipport_copy(IP_Port *target, const IP_Port *source);
+
+
+/* packs IP into data, writes SIZE_IP bytes to data */
+void ip_pack(uint8_t *data, const IP *source);
+/* unpacks IP from data, reads SIZE_IP bytes from data */
+void ip_unpack(IP *target, const uint8_t *data);
+/* packs IP_Port into data, writes SIZE_IPPORT bytes to data */
+void ipport_pack(uint8_t *data, const IP_Port *source);
+/* unpacks IP_Port from data, reads SIZE_IPPORT bytes to data */
+void ipport_unpack(IP_Port *target, const uint8_t *data);
+
+/*
+ * addr_resolve():
+ *  uses getaddrinfo to resolve an address into an IP address
+ *  uses the first IPv4/IPv6 addresses returned by getaddrinfo
+ *
+ * input
+ *  address: a hostname (or something parseable to an IP address)
+ *  to: to.family MUST be initialized, either set to a specific IP version
+ *     (AF_INET/AF_INET6) or to the unspecified AF_UNSPEC (= 0), if both
+ *     IP versions are acceptable
+ *  extra can be NULL and is only set in special circumstances, see returns
+ *
+ * returns in *to a valid IPAny (v4/v6),
+ *     prefers v6 if ip.family was AF_UNSPEC and both available
+ * returns in *extra an IPv4 address, if family was AF_UNSPEC and *to is AF_INET6
+ * returns 0 on failure
+ */
+int addr_resolve(const char *address, IP *to, IP *extra);
+
+/*
+ * addr_resolve_or_parse_ip
+ *  resolves string into an IP address
+ *
+ *  address: a hostname (or something parseable to an IP address)
+ *  to: to.family MUST be initialized, either set to a specific IP version
+ *     (AF_INET/AF_INET6) or to the unspecified AF_UNSPEC (= 0), if both
+ *     IP versions are acceptable
+ *  extra can be NULL and is only set in special circumstances, see returns
+ *
+ *  returns in *tro a matching address (IPv6 or IPv4)
+ *  returns in *extra, if not NULL, an IPv4 address, if to->family was AF_UNSPEC
+ *  returns 1 on success
+ *  returns 0 on failure
+ */
+int addr_resolve_or_parse_ip(const char *address, IP *to, IP *extra);
+
+/* Function to receive data, ip and port of sender is put into ip_port.
+ * Packet data is put into data.
+ * Packet length is put into length.
+ */
+typedef int (*packet_handler_callback)(void *object, IP_Port ip_port, const uint8_t *data, uint32_t len);
+
+typedef struct {
+    packet_handler_callback function;
+    void *object;
+} Packet_Handles;
+
+typedef struct {
+    Packet_Handles packethandlers[256];
+
+    sa_family_t family;
+    uint16_t port;
+    /* Our UDP socket. */
+    sock_t sock;
+} Networking_Core;
+
+/* Run this before creating sockets.
+ *
+ * return 0 on success
+ * return -1 on failure
+ */
+int networking_at_startup(void);
+
+/* Check if socket is valid.
+ *
+ * return 1 if valid
+ * return 0 if not valid
+ */
+int sock_valid(sock_t sock);
+
+/* Close the socket.
+ */
+void kill_sock(sock_t sock);
+
+/* Set socket as nonblocking
+ *
+ * return 1 on success
+ * return 0 on failure
+ */
+int set_socket_nonblock(sock_t sock);
+
+/* Set socket to not emit SIGPIPE
+ *
+ * return 1 on success
+ * return 0 on failure
+ */
+int set_socket_nosigpipe(sock_t sock);
+
+/* Set socket to dual (IPv4 + IPv6 socket)
+ *
+ * return 1 on success
+ * return 0 on failure
+ */
+int set_socket_dualstack(sock_t sock);
+
+/* return current monotonic time in milliseconds (ms). */
+uint64_t current_time_monotonic(void);
+
+/* Basic network functions: */
+
+/* Function to send packet(data) of length length to ip_port. */
+int sendpacket(Networking_Core *net, IP_Port ip_port, const uint8_t *data, uint32_t length);
+
+/* Function to call when packet beginning with byte is received. */
+void networking_registerhandler(Networking_Core *net, uint8_t byte, packet_handler_callback cb, void *object);
+
+/* Call this several times a second. */
+void networking_poll(Networking_Core *net);
+
+/* Initialize networking.
+ * bind to ip and port.
+ * ip must be in network order EX: 127.0.0.1 = (7F000001).
+ * port is in host byte order (this means don't worry about it).
+ *
+ *  return 0 if no problems.
+ *  return -1 if there were problems.
+ */
+Networking_Core *new_networking(IP ip, uint16_t port);
+
+/* Function to cleanup networking stuff (doesn't do much right now). */
+void kill_networking(Networking_Core *net);
+
+#endif

data/ProjectTox-Core/toxcore/onion.c

@@ -0,0 +1,540 @@
+/*
+* onion.c -- Implementation of the onion part of docs/Prevent_Tracking.txt
+*
+*  Copyright (C) 2013 Tox project All Rights Reserved.
+*
+*  This file is part of Tox.
+*
+*  Tox is free software: you can redistribute it and/or modify
+*  it under the terms of the GNU General Public License as published by
+*  the Free Software Foundation, either version 3 of the License, or
+*  (at your option) any later version.
+*
+*  Tox is distributed in the hope that it will be useful,
+*  but WITHOUT ANY WARRANTY; without even the implied warranty of
+*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+*  GNU General Public License for more details.
+*
+*  You should have received a copy of the GNU General Public License
+*  along with Tox.  If not, see <http://www.gnu.org/licenses/>.
+*
+*/
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#include "onion.h"
+#include "util.h"
+
+#define RETURN_1 ONION_RETURN_1
+#define RETURN_2 ONION_RETURN_2
+#define RETURN_3 ONION_RETURN_3
+
+#define SEND_BASE ONION_SEND_BASE
+#define SEND_3 ONION_SEND_3
+#define SEND_2 ONION_SEND_2
+#define SEND_1 ONION_SEND_1
+
+/* Change symmetric keys every hour to make paths expire eventually. */
+#define KEY_REFRESH_INTERVAL (60 * 60)
+static void change_symmetric_key(Onion *onion)
+{
+    if (is_timeout(onion->timestamp, KEY_REFRESH_INTERVAL)) {
+        new_symmetric_key(onion->secret_symmetric_key);
+        onion->timestamp = unix_time();
+    }
+}
+
+/* Create a new onion path.
+ *
+ * Create a new onion path out of nodes (nodes is a list of 3 nodes)
+ *
+ * new_path must be an empty memory location of atleast Onion_Path size.
+ *
+ * return -1 on failure.
+ * return 0 on success.
+ */
+int create_onion_path(const DHT *dht, Onion_Path *new_path, const Node_format *nodes)
+{
+    if (!new_path || !nodes)
+        return -1;
+
+    encrypt_precompute(nodes[0].client_id, dht->self_secret_key, new_path->shared_key1);
+    memcpy(new_path->public_key1, dht->self_public_key, crypto_box_PUBLICKEYBYTES);
+
+    uint8_t random_public_key[crypto_box_PUBLICKEYBYTES];
+    uint8_t random_secret_key[crypto_box_SECRETKEYBYTES];
+
+    crypto_box_keypair(random_public_key, random_secret_key);
+    encrypt_precompute(nodes[1].client_id, random_secret_key, new_path->shared_key2);
+    memcpy(new_path->public_key2, random_public_key, crypto_box_PUBLICKEYBYTES);
+
+    crypto_box_keypair(random_public_key, random_secret_key);
+    encrypt_precompute(nodes[2].client_id, random_secret_key, new_path->shared_key3);
+    memcpy(new_path->public_key3, random_public_key, crypto_box_PUBLICKEYBYTES);
+
+    new_path->ip_port1 = nodes[0].ip_port;
+    new_path->ip_port2 = nodes[1].ip_port;
+    new_path->ip_port3 = nodes[2].ip_port;
+
+    /* to_net_family(&new_path->ip_port1.ip); */
+    to_net_family(&new_path->ip_port2.ip);
+    to_net_family(&new_path->ip_port3.ip);
+
+    return 0;
+}
+
+/* Create a onion packet.
+ *
+ * Use Onion_Path path to create packet for data of length to dest.
+ * Maximum length of data is ONION_MAX_DATA_SIZE.
+ * packet should be at least ONION_MAX_PACKET_SIZE big.
+ *
+ * return -1 on failure.
+ * return length of created packet on success.
+ */
+int create_onion_packet(uint8_t *packet, uint16_t max_packet_length, const Onion_Path *path, IP_Port dest,
+                        const uint8_t *data, uint32_t length)
+{
+    if (1 + length + SEND_1 > max_packet_length || length == 0)
+        return -1;
+
+    to_net_family(&dest.ip);
+    uint8_t step1[SIZE_IPPORT + length];
+
+
+    ipport_pack(step1, &dest);
+    memcpy(step1 + SIZE_IPPORT, data, length);
+
+    uint8_t nonce[crypto_box_NONCEBYTES];
+    random_nonce(nonce);
+
+    uint8_t step2[SIZE_IPPORT + SEND_BASE + length];
+    ipport_pack(step2, &path->ip_port3);
+    memcpy(step2 + SIZE_IPPORT, path->public_key3, crypto_box_PUBLICKEYBYTES);
+
+    int len = encrypt_data_symmetric(path->shared_key3, nonce, step1, sizeof(step1),
+                                     step2 + SIZE_IPPORT + crypto_box_PUBLICKEYBYTES);
+
+    if ((uint32_t)len != SIZE_IPPORT + length + crypto_box_MACBYTES)
+        return -1;
+
+    uint8_t step3[SIZE_IPPORT + SEND_BASE * 2 + length];
+    ipport_pack(step3, &path->ip_port2);
+    memcpy(step3 + SIZE_IPPORT, path->public_key2, crypto_box_PUBLICKEYBYTES);
+    len = encrypt_data_symmetric(path->shared_key2, nonce, step2, sizeof(step2),
+                                 step3 + SIZE_IPPORT + crypto_box_PUBLICKEYBYTES);
+
+    if ((uint32_t)len != SIZE_IPPORT + SEND_BASE + length + crypto_box_MACBYTES)
+        return -1;
+
+    packet[0] = NET_PACKET_ONION_SEND_INITIAL;
+    memcpy(packet + 1, nonce, crypto_box_NONCEBYTES);
+    memcpy(packet + 1 + crypto_box_NONCEBYTES, path->public_key1, crypto_box_PUBLICKEYBYTES);
+
+    len = encrypt_data_symmetric(path->shared_key1, nonce, step3, sizeof(step3),
+                                 packet + 1 + crypto_box_NONCEBYTES + crypto_box_PUBLICKEYBYTES);
+
+    if ((uint32_t)len != SIZE_IPPORT + SEND_BASE * 2 + length + crypto_box_MACBYTES)
+        return -1;
+
+    return 1 + crypto_box_NONCEBYTES + crypto_box_PUBLICKEYBYTES + len;
+}
+
+/* Create a onion packet to be sent over tcp.
+ *
+ * Use Onion_Path path to create packet for data of length to dest.
+ * Maximum length of data is ONION_MAX_DATA_SIZE.
+ * packet should be at least ONION_MAX_PACKET_SIZE big.
+ *
+ * return -1 on failure.
+ * return length of created packet on success.
+ */
+int create_onion_packet_tcp(uint8_t *packet, uint16_t max_packet_length, const Onion_Path *path, IP_Port dest,
+                            const uint8_t *data, uint32_t length)
+{
+    if (crypto_box_NONCEBYTES + SIZE_IPPORT + SEND_BASE * 2 + length > max_packet_length || length == 0)
+        return -1;
+
+    to_net_family(&dest.ip);
+    uint8_t step1[SIZE_IPPORT + length];
+
+
+    ipport_pack(step1, &dest);
+    memcpy(step1 + SIZE_IPPORT, data, length);
+
+    uint8_t nonce[crypto_box_NONCEBYTES];
+    random_nonce(nonce);
+
+    uint8_t step2[SIZE_IPPORT + SEND_BASE + length];
+    ipport_pack(step2, &path->ip_port3);
+    memcpy(step2 + SIZE_IPPORT, path->public_key3, crypto_box_PUBLICKEYBYTES);
+
+    int len = encrypt_data_symmetric(path->shared_key3, nonce, step1, sizeof(step1),
+                                     step2 + SIZE_IPPORT + crypto_box_PUBLICKEYBYTES);
+
+    if ((uint32_t)len != SIZE_IPPORT + length + crypto_box_MACBYTES)
+        return -1;
+
+    ipport_pack(packet + crypto_box_NONCEBYTES, &path->ip_port2);
+    memcpy(packet + crypto_box_NONCEBYTES + SIZE_IPPORT, path->public_key2, crypto_box_PUBLICKEYBYTES);
+    len = encrypt_data_symmetric(path->shared_key2, nonce, step2, sizeof(step2),
+                                 packet + crypto_box_NONCEBYTES + SIZE_IPPORT + crypto_box_PUBLICKEYBYTES);
+
+    if ((uint32_t)len != SIZE_IPPORT + SEND_BASE + length + crypto_box_MACBYTES)
+        return -1;
+
+    memcpy(packet, nonce, crypto_box_NONCEBYTES);
+
+    return crypto_box_NONCEBYTES + SIZE_IPPORT + crypto_box_PUBLICKEYBYTES + len;
+}
+
+/* Create and send a onion packet.
+ *
+ * Use Onion_Path path to send data of length to dest.
+ * Maximum length of data is ONION_MAX_DATA_SIZE.
+ *
+ * return -1 on failure.
+ * return 0 on success.
+ */
+int send_onion_packet(Networking_Core *net, const Onion_Path *path, IP_Port dest, const uint8_t *data, uint32_t length)
+{
+    uint8_t packet[ONION_MAX_PACKET_SIZE];
+    int len = create_onion_packet(packet, sizeof(packet), path, dest, data, length);
+
+    if (len == -1)
+        return -1;
+
+    if (sendpacket(net, path->ip_port1, packet, len) != len)
+        return -1;
+
+    return 0;
+}
+
+/* Create and send a onion response sent initially to dest with.
+ * Maximum length of data is ONION_RESPONSE_MAX_DATA_SIZE.
+ *
+ * return -1 on failure.
+ * return 0 on success.
+ */
+int send_onion_response(Networking_Core *net, IP_Port dest, const uint8_t *data, uint32_t length, const uint8_t *ret)
+{
+    if (length > ONION_RESPONSE_MAX_DATA_SIZE || length == 0)
+        return -1;
+
+    uint8_t packet[1 + RETURN_3 + length];
+    packet[0] = NET_PACKET_ONION_RECV_3;
+    memcpy(packet + 1, ret, RETURN_3);
+    memcpy(packet + 1 + RETURN_3, data, length);
+
+    if ((uint32_t)sendpacket(net, dest, packet, sizeof(packet)) != sizeof(packet))
+        return -1;
+
+    return 0;
+}
+
+static int handle_send_initial(void *object, IP_Port source, const uint8_t *packet, uint32_t length)
+{
+    Onion *onion = object;
+
+    if (length > ONION_MAX_PACKET_SIZE)
+        return 1;
+
+    if (length <= 1 + SEND_1)
+        return 1;
+
+    change_symmetric_key(onion);
+
+    uint8_t plain[ONION_MAX_PACKET_SIZE];
+    uint8_t shared_key[crypto_box_BEFORENMBYTES];
+    get_shared_key(&onion->shared_keys_1, shared_key, onion->dht->self_secret_key, packet + 1 + crypto_box_NONCEBYTES);
+    int len = decrypt_data_symmetric(shared_key, packet + 1, packet + 1 + crypto_box_NONCEBYTES + crypto_box_PUBLICKEYBYTES,
+                                     length - (1 + crypto_box_NONCEBYTES + crypto_box_PUBLICKEYBYTES), plain);
+
+    if ((uint32_t)len != length - (1 + crypto_box_NONCEBYTES + crypto_box_PUBLICKEYBYTES + crypto_box_MACBYTES))
+        return 1;
+
+    return onion_send_1(onion, plain, len, source, packet + 1);
+}
+
+int onion_send_1(const Onion *onion, const uint8_t *plain, uint32_t len, IP_Port source, const uint8_t *nonce)
+{
+    if (len > ONION_MAX_PACKET_SIZE + SIZE_IPPORT - (1 + crypto_box_NONCEBYTES + ONION_RETURN_1))
+        return 1;
+
+    if (len <= SIZE_IPPORT + SEND_BASE * 2)
+        return 1;
+
+    IP_Port send_to;
+    ipport_unpack(&send_to, plain);
+    to_host_family(&send_to.ip);
+
+    uint8_t ip_port[SIZE_IPPORT];
+    ipport_pack(ip_port, &source);
+
+    uint8_t data[ONION_MAX_PACKET_SIZE];
+    data[0] = NET_PACKET_ONION_SEND_1;
+    memcpy(data + 1, nonce, crypto_box_NONCEBYTES);
+    memcpy(data + 1 + crypto_box_NONCEBYTES, plain + SIZE_IPPORT, len - SIZE_IPPORT);
+    uint32_t data_len = 1 + crypto_box_NONCEBYTES + (len - SIZE_IPPORT);
+    uint8_t *ret_part = data + data_len;
+    new_nonce(ret_part);
+    len = encrypt_data_symmetric(onion->secret_symmetric_key, ret_part, ip_port, SIZE_IPPORT,
+                                 ret_part + crypto_box_NONCEBYTES);
+
+    if (len != SIZE_IPPORT + crypto_box_MACBYTES)
+        return 1;
+
+    data_len += crypto_box_NONCEBYTES + len;
+
+    if ((uint32_t)sendpacket(onion->net, send_to, data, data_len) != data_len)
+        return 1;
+
+    return 0;
+}
+
+static int handle_send_1(void *object, IP_Port source, const uint8_t *packet, uint32_t length)
+{
+    Onion *onion = object;
+
+    if (length > ONION_MAX_PACKET_SIZE)
+        return 1;
+
+    if (length <= 1 + SEND_2)
+        return 1;
+
+    change_symmetric_key(onion);
+
+    uint8_t plain[ONION_MAX_PACKET_SIZE];
+    uint8_t shared_key[crypto_box_BEFORENMBYTES];
+    get_shared_key(&onion->shared_keys_2, shared_key, onion->dht->self_secret_key, packet + 1 + crypto_box_NONCEBYTES);
+    int len = decrypt_data_symmetric(shared_key, packet + 1, packet + 1 + crypto_box_NONCEBYTES + crypto_box_PUBLICKEYBYTES,
+                                     length - (1 + crypto_box_NONCEBYTES + crypto_box_PUBLICKEYBYTES + RETURN_1), plain);
+
+    if ((uint32_t)len != length - (1 + crypto_box_NONCEBYTES + crypto_box_PUBLICKEYBYTES + RETURN_1 + crypto_box_MACBYTES))
+        return 1;
+
+    IP_Port send_to;
+    ipport_unpack(&send_to, plain);
+    to_host_family(&send_to.ip);
+
+    uint8_t data[ONION_MAX_PACKET_SIZE];
+    data[0] = NET_PACKET_ONION_SEND_2;
+    memcpy(data + 1, packet + 1, crypto_box_NONCEBYTES);
+    memcpy(data + 1 + crypto_box_NONCEBYTES, plain + SIZE_IPPORT, len - SIZE_IPPORT);
+    uint32_t data_len = 1 + crypto_box_NONCEBYTES + (len - SIZE_IPPORT);
+    uint8_t *ret_part = data + data_len;
+    new_nonce(ret_part);
+    uint8_t ret_data[RETURN_1 + SIZE_IPPORT];
+    ipport_pack(ret_data, &source);
+    memcpy(ret_data + SIZE_IPPORT, packet + (length - RETURN_1), RETURN_1);
+    len = encrypt_data_symmetric(onion->secret_symmetric_key, ret_part, ret_data, sizeof(ret_data),
+                                 ret_part + crypto_box_NONCEBYTES);
+
+    if (len != RETURN_2 - crypto_box_NONCEBYTES)
+        return 1;
+
+    data_len += crypto_box_NONCEBYTES + len;
+
+    if ((uint32_t)sendpacket(onion->net, send_to, data, data_len) != data_len)
+        return 1;
+
+    return 0;
+}
+
+static int handle_send_2(void *object, IP_Port source, const uint8_t *packet, uint32_t length)
+{
+    Onion *onion = object;
+
+    if (length > ONION_MAX_PACKET_SIZE)
+        return 1;
+
+    if (length <= 1 + SEND_3)
+        return 1;
+
+    change_symmetric_key(onion);
+
+    uint8_t plain[ONION_MAX_PACKET_SIZE];
+    uint8_t shared_key[crypto_box_BEFORENMBYTES];
+    get_shared_key(&onion->shared_keys_3, shared_key, onion->dht->self_secret_key, packet + 1 + crypto_box_NONCEBYTES);
+    int len = decrypt_data_symmetric(shared_key, packet + 1, packet + 1 + crypto_box_NONCEBYTES + crypto_box_PUBLICKEYBYTES,
+                                     length - (1 + crypto_box_NONCEBYTES + crypto_box_PUBLICKEYBYTES + RETURN_2), plain);
+
+    if ((uint32_t)len != length - (1 + crypto_box_NONCEBYTES + crypto_box_PUBLICKEYBYTES + RETURN_2 + crypto_box_MACBYTES))
+        return 1;
+
+    IP_Port send_to;
+    ipport_unpack(&send_to, plain);
+    to_host_family(&send_to.ip);
+
+    uint8_t data[ONION_MAX_PACKET_SIZE];
+    memcpy(data, plain + SIZE_IPPORT, len - SIZE_IPPORT);
+    uint32_t data_len = (len - SIZE_IPPORT);
+    uint8_t *ret_part = data + (len - SIZE_IPPORT);
+    new_nonce(ret_part);
+    uint8_t ret_data[RETURN_2 + SIZE_IPPORT];
+    ipport_pack(ret_data, &source);
+    memcpy(ret_data + SIZE_IPPORT, packet + (length - RETURN_2), RETURN_2);
+    len = encrypt_data_symmetric(onion->secret_symmetric_key, ret_part, ret_data, sizeof(ret_data),
+                                 ret_part + crypto_box_NONCEBYTES);
+
+    if (len != RETURN_3 - crypto_box_NONCEBYTES)
+        return 1;
+
+    data_len += RETURN_3;
+
+    if ((uint32_t)sendpacket(onion->net, send_to, data, data_len) != data_len)
+        return 1;
+
+    return 0;
+}
+
+
+static int handle_recv_3(void *object, IP_Port source, const uint8_t *packet, uint32_t length)
+{
+    Onion *onion = object;
+
+    if (length > ONION_MAX_PACKET_SIZE)
+        return 1;
+
+    if (length <= 1 + RETURN_3)
+        return 1;
+
+    change_symmetric_key(onion);
+
+    uint8_t plain[SIZE_IPPORT + RETURN_2];
+    int len = decrypt_data_symmetric(onion->secret_symmetric_key, packet + 1, packet + 1 + crypto_box_NONCEBYTES,
+                                     SIZE_IPPORT + RETURN_2 + crypto_box_MACBYTES, plain);
+
+    if ((uint32_t)len != sizeof(plain))
+        return 1;
+
+    IP_Port send_to;
+    ipport_unpack(&send_to, plain);
+
+    uint8_t data[ONION_MAX_PACKET_SIZE];
+    data[0] = NET_PACKET_ONION_RECV_2;
+    memcpy(data + 1, plain + SIZE_IPPORT, RETURN_2);
+    memcpy(data + 1 + RETURN_2, packet + 1 + RETURN_3, length - (1 + RETURN_3));
+    uint32_t data_len = 1 + RETURN_2 + (length - (1 + RETURN_3));
+
+    if ((uint32_t)sendpacket(onion->net, send_to, data, data_len) != data_len)
+        return 1;
+
+    return 0;
+}
+
+static int handle_recv_2(void *object, IP_Port source, const uint8_t *packet, uint32_t length)
+{
+    Onion *onion = object;
+
+    if (length > ONION_MAX_PACKET_SIZE)
+        return 1;
+
+    if (length <= 1 + RETURN_2)
+        return 1;
+
+    change_symmetric_key(onion);
+
+    uint8_t plain[SIZE_IPPORT + RETURN_1];
+    int len = decrypt_data_symmetric(onion->secret_symmetric_key, packet + 1, packet + 1 + crypto_box_NONCEBYTES,
+                                     SIZE_IPPORT + RETURN_1 + crypto_box_MACBYTES, plain);
+
+    if ((uint32_t)len != sizeof(plain))
+        return 1;
+
+    IP_Port send_to;
+    ipport_unpack(&send_to, plain);
+
+    uint8_t data[ONION_MAX_PACKET_SIZE];
+    data[0] = NET_PACKET_ONION_RECV_1;
+    memcpy(data + 1, plain + SIZE_IPPORT, RETURN_1);
+    memcpy(data + 1 + RETURN_1, packet + 1 + RETURN_2, length - (1 + RETURN_2));
+    uint32_t data_len = 1 + RETURN_1 + (length - (1 + RETURN_2));
+
+    if ((uint32_t)sendpacket(onion->net, send_to, data, data_len) != data_len)
+        return 1;
+
+    return 0;
+}
+
+static int handle_recv_1(void *object, IP_Port source, const uint8_t *packet, uint32_t length)
+{
+    Onion *onion = object;
+
+    if (length > ONION_MAX_PACKET_SIZE)
+        return 1;
+
+    if (length <= 1 + RETURN_1)
+        return 1;
+
+    change_symmetric_key(onion);
+
+    uint8_t plain[SIZE_IPPORT];
+    int len = decrypt_data_symmetric(onion->secret_symmetric_key, packet + 1, packet + 1 + crypto_box_NONCEBYTES,
+                                     SIZE_IPPORT + crypto_box_MACBYTES, plain);
+
+    if ((uint32_t)len != SIZE_IPPORT)
+        return 1;
+
+    IP_Port send_to;
+    ipport_unpack(&send_to, plain);
+
+    uint32_t data_len = length - (1 + RETURN_1);
+
+    if (onion->recv_1_function && send_to.ip.family != AF_INET && send_to.ip.family != AF_INET6)
+        return onion->recv_1_function(onion->callback_object, send_to, packet + (1 + RETURN_1), data_len);
+
+    if ((uint32_t)sendpacket(onion->net, send_to, packet + (1 + RETURN_1), data_len) != data_len)
+        return 1;
+
+    return 0;
+}
+
+void set_callback_handle_recv_1(Onion *onion, int (*function)(void *, IP_Port, const uint8_t *, uint16_t), void *object)
+{
+    onion->recv_1_function = function;
+    onion->callback_object = object;
+}
+
+Onion *new_onion(DHT *dht)
+{
+    if (dht == NULL)
+        return NULL;
+
+    Onion *onion = calloc(1, sizeof(Onion));
+
+    if (onion == NULL)
+        return NULL;
+
+    onion->dht = dht;
+    onion->net = dht->net;
+    new_symmetric_key(onion->secret_symmetric_key);
+    onion->timestamp = unix_time();
+
+    networking_registerhandler(onion->net, NET_PACKET_ONION_SEND_INITIAL, &handle_send_initial, onion);
+    networking_registerhandler(onion->net, NET_PACKET_ONION_SEND_1, &handle_send_1, onion);
+    networking_registerhandler(onion->net, NET_PACKET_ONION_SEND_2, &handle_send_2, onion);
+
+    networking_registerhandler(onion->net, NET_PACKET_ONION_RECV_3, &handle_recv_3, onion);
+    networking_registerhandler(onion->net, NET_PACKET_ONION_RECV_2, &handle_recv_2, onion);
+    networking_registerhandler(onion->net, NET_PACKET_ONION_RECV_1, &handle_recv_1, onion);
+
+    return onion;
+}
+
+void kill_onion(Onion *onion)
+{
+    if (onion == NULL)
+        return;
+
+    networking_registerhandler(onion->net, NET_PACKET_ONION_SEND_INITIAL, NULL, NULL);
+    networking_registerhandler(onion->net, NET_PACKET_ONION_SEND_1, NULL, NULL);
+    networking_registerhandler(onion->net, NET_PACKET_ONION_SEND_2, NULL, NULL);
+
+    networking_registerhandler(onion->net, NET_PACKET_ONION_RECV_3, NULL, NULL);
+    networking_registerhandler(onion->net, NET_PACKET_ONION_RECV_2, NULL, NULL);
+    networking_registerhandler(onion->net, NET_PACKET_ONION_RECV_1, NULL, NULL);
+
+    free(onion);
+}