diff options
author | Alberto Gonzalez Iniesta <agi@inittab.org> | 2012-11-05 16:28:09 +0100 |
---|---|---|
committer | Alberto Gonzalez Iniesta <agi@inittab.org> | 2012-11-05 16:28:09 +0100 |
commit | 8dd0350e1607aa30f7a043c8d5ec7a7eeb874115 (patch) | |
tree | 566d0620eb693320cb121dfd93a5675fa704a30b /forward.c | |
parent | 349cfa7acb95abe865209a28e417ec74b56f9bba (diff) |
Imported Upstream version 2.3_rc1
Diffstat (limited to 'forward.c')
-rw-r--r-- | forward.c | 1531 |
1 files changed, 0 insertions, 1531 deletions
diff --git a/forward.c b/forward.c deleted file mode 100644 index 87d05cc..0000000 --- a/forward.c +++ /dev/null @@ -1,1531 +0,0 @@ -/* - * OpenVPN -- An application to securely tunnel IP networks - * over a single TCP/UDP port, with support for SSL/TLS-based - * session authentication and key exchange, - * packet encryption, packet authentication, and - * packet compression. - * - * Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net> - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program (see the file COPYING included with this - * distribution); if not, write to the Free Software Foundation, Inc., - * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA - */ - -#include "syshead.h" - -#include "forward.h" -#include "init.h" -#include "push.h" -#include "gremlin.h" -#include "mss.h" -#include "event.h" -#include "ps.h" -#include "dhcp.h" -#include "common.h" - -#include "memdbg.h" - -#include "forward-inline.h" -#include "occ-inline.h" -#include "ping-inline.h" - -counter_type link_read_bytes_global; /* GLOBAL */ -counter_type link_write_bytes_global; /* GLOBAL */ - -/* show event wait debugging info */ - -#ifdef ENABLE_DEBUG - -const char * -wait_status_string (struct context *c, struct gc_arena *gc) -{ - struct buffer out = alloc_buf_gc (64, gc); - buf_printf (&out, "I/O WAIT %s|%s|%s|%s %s", - tun_stat (c->c1.tuntap, EVENT_READ, gc), - tun_stat (c->c1.tuntap, EVENT_WRITE, gc), - socket_stat (c->c2.link_socket, EVENT_READ, gc), - socket_stat (c->c2.link_socket, EVENT_WRITE, gc), - tv_string (&c->c2.timeval, gc)); - return BSTR (&out); -} - -void -show_wait_status (struct context *c) -{ - struct gc_arena gc = gc_new (); - dmsg (D_EVENT_WAIT, "%s", wait_status_string (c, &gc)); - gc_free (&gc); -} - -#endif - -/* - * In TLS mode, let TLS level respond to any control-channel - * packets which were received, or prepare any packets for - * transmission. - * - * tmp_int is purely an optimization that allows us to call - * tls_multi_process less frequently when there's not much - * traffic on the control-channel. - * - */ -#if defined(USE_CRYPTO) && defined(USE_SSL) -void -check_tls_dowork (struct context *c) -{ - interval_t wakeup = BIG_TIMEOUT; - - if (interval_test (&c->c2.tmp_int)) - { - const int tmp_status = tls_multi_process - (c->c2.tls_multi, &c->c2.to_link, &c->c2.to_link_addr, - get_link_socket_info (c), &wakeup); - if (tmp_status == TLSMP_ACTIVE) - { - update_time (); - interval_action (&c->c2.tmp_int); - } - else if (tmp_status == TLSMP_KILL) - { - c->sig->signal_received = SIGTERM; - c->sig->signal_text = "auth-control-exit"; - } - - interval_future_trigger (&c->c2.tmp_int, wakeup); - } - - interval_schedule_wakeup (&c->c2.tmp_int, &wakeup); - - if (wakeup) - context_reschedule_sec (c, wakeup); -} -#endif - -#if defined(USE_CRYPTO) && defined(USE_SSL) - -void -check_tls_errors_co (struct context *c) -{ - msg (D_STREAM_ERRORS, "Fatal TLS error (check_tls_errors_co), restarting"); - c->sig->signal_received = c->c2.tls_exit_signal; /* SOFT-SIGUSR1 -- TLS error */ - c->sig->signal_text = "tls-error"; -} - -void -check_tls_errors_nco (struct context *c) -{ - c->sig->signal_received = c->c2.tls_exit_signal; /* SOFT-SIGUSR1 -- TLS error */ - c->sig->signal_text = "tls-error"; -} - -#endif - -#if P2MP - -/* - * Handle incoming configuration - * messages on the control channel. - */ -void -check_incoming_control_channel_dowork (struct context *c) -{ - const int len = tls_test_payload_len (c->c2.tls_multi); - if (len) - { - struct gc_arena gc = gc_new (); - struct buffer buf = alloc_buf_gc (len, &gc); - if (tls_rec_payload (c->c2.tls_multi, &buf)) - { - /* force null termination of message */ - buf_null_terminate (&buf); - - /* enforce character class restrictions */ - string_mod (BSTR (&buf), CC_PRINT, CC_CRLF, 0); - - if (buf_string_match_head_str (&buf, "AUTH_FAILED")) - receive_auth_failed (c, &buf); - else if (buf_string_match_head_str (&buf, "PUSH_")) - incoming_push_message (c, &buf); - else if (buf_string_match_head_str (&buf, "RESTART")) - server_pushed_restart (c, &buf); - else - msg (D_PUSH_ERRORS, "WARNING: Received unknown control message: %s", BSTR (&buf)); - } - else - { - msg (D_PUSH_ERRORS, "WARNING: Receive control message failed"); - } - - gc_free (&gc); - } -} - -/* - * Periodically resend PUSH_REQUEST until PUSH message received - */ -void -check_push_request_dowork (struct context *c) -{ - send_push_request (c); - - /* if no response to first push_request, retry at 5 second intervals */ - event_timeout_modify_wakeup (&c->c2.push_request_interval, 5); -} - -#endif /* P2MP */ - -/* - * Things that need to happen immediately after connection initiation should go here. - */ -void -check_connection_established_dowork (struct context *c) -{ - if (event_timeout_trigger (&c->c2.wait_for_connect, &c->c2.timeval, ETT_DEFAULT)) - { - if (CONNECTION_ESTABLISHED (c)) - { -#if P2MP - /* if --pull was specified, send a push request to server */ - if (c->c2.tls_multi && c->options.pull) - { -#ifdef ENABLE_MANAGEMENT - if (management) - { - management_set_state (management, - OPENVPN_STATE_GET_CONFIG, - NULL, - 0, - 0); - } -#endif - /* send push request in 1 sec */ - event_timeout_init (&c->c2.push_request_interval, 1, now); - reset_coarse_timers (c); - } - else -#endif - { - do_up (c, false, 0); - } - - event_timeout_clear (&c->c2.wait_for_connect); - } - } -} - -/* - * Send a string to remote over the TLS control channel. - * Used for push/pull messages, passing username/password, - * etc. - */ -bool -send_control_channel_string (struct context *c, const char *str, int msglevel) -{ -#if defined(USE_CRYPTO) && defined(USE_SSL) - - if (c->c2.tls_multi) { - bool stat; - - /* buffered cleartext write onto TLS control channel */ - stat = tls_send_payload (c->c2.tls_multi, (uint8_t*) str, strlen (str) + 1); - - /* reschedule tls_multi_process */ - interval_action (&c->c2.tmp_int); - context_immediate_reschedule (c); /* ZERO-TIMEOUT */ - - msg (msglevel, "SENT CONTROL [%s]: '%s' (status=%d)", - tls_common_name (c->c2.tls_multi, false), - str, - (int) stat); - - return stat; - } -#endif - return true; -} - -/* - * Add routes. - */ - -static void -check_add_routes_action (struct context *c, const bool errors) -{ - do_route (&c->options, c->c1.route_list, c->c1.tuntap, c->plugins, c->c2.es); - update_time (); - event_timeout_clear (&c->c2.route_wakeup); - event_timeout_clear (&c->c2.route_wakeup_expire); - initialization_sequence_completed (c, errors ? ISC_ERRORS : 0); /* client/p2p --route-delay was defined */ -} - -void -check_add_routes_dowork (struct context *c) -{ - if (test_routes (c->c1.route_list, c->c1.tuntap)) - { - check_add_routes_action (c, false); - } - else if (event_timeout_trigger (&c->c2.route_wakeup_expire, &c->c2.timeval, ETT_DEFAULT)) - { - check_add_routes_action (c, true); - } - else - { - msg (D_ROUTE, "Route: Waiting for TUN/TAP interface to come up..."); - if (c->c1.tuntap) - { - if (!tun_standby (c->c1.tuntap)) - { - c->sig->signal_received = SIGHUP; - c->sig->signal_text = "ip-fail"; - c->persist.restart_sleep_seconds = 10; -#ifdef WIN32 - show_routes (M_INFO|M_NOPREFIX); - show_adapters (M_INFO|M_NOPREFIX); -#endif - } - } - update_time (); - if (c->c2.route_wakeup.n != 1) - event_timeout_init (&c->c2.route_wakeup, 1, now); - event_timeout_reset (&c->c2.ping_rec_interval); - } -} - -/* - * Should we exit due to inactivity timeout? - */ -void -check_inactivity_timeout_dowork (struct context *c) -{ - msg (M_INFO, "Inactivity timeout (--inactive), exiting"); - c->sig->signal_received = SIGTERM; - c->sig->signal_text = "inactive"; -} - -#if P2MP - -void -check_server_poll_timeout_dowork (struct context *c) -{ - event_timeout_reset (&c->c2.server_poll_interval); - if (!tls_initial_packet_received (c->c2.tls_multi)) - { - msg (M_INFO, "Server poll timeout, restarting"); - c->sig->signal_received = SIGUSR1; - c->sig->signal_text = "server_poll"; - c->persist.restart_sleep_seconds = -1; - } -} - -/* - * Schedule a signal n_seconds from now. - */ -void -schedule_exit (struct context *c, const int n_seconds, const int signal) -{ - tls_set_single_session (c->c2.tls_multi); - update_time (); - reset_coarse_timers (c); - event_timeout_init (&c->c2.scheduled_exit, n_seconds, now); - c->c2.scheduled_exit_signal = signal; - msg (D_SCHED_EXIT, "Delayed exit in %d seconds", n_seconds); -} - -/* - * Scheduled exit? - */ -void -check_scheduled_exit_dowork (struct context *c) -{ - c->sig->signal_received = c->c2.scheduled_exit_signal; - c->sig->signal_text = "delayed-exit"; -} - -#endif - -/* - * Should we write timer-triggered status file. - */ -void -check_status_file_dowork (struct context *c) -{ - if (c->c1.status_output) - print_status (c, c->c1.status_output); -} - -#ifdef ENABLE_FRAGMENT -/* - * Should we deliver a datagram fragment to remote? - */ -void -check_fragment_dowork (struct context *c) -{ - struct link_socket_info *lsi = get_link_socket_info (c); - - /* OS MTU Hint? */ - if (lsi->mtu_changed && c->c2.ipv4_tun) - { - frame_adjust_path_mtu (&c->c2.frame_fragment, c->c2.link_socket->mtu, - c->options.ce.proto); - lsi->mtu_changed = false; - } - - if (fragment_outgoing_defined (c->c2.fragment)) - { - if (!c->c2.to_link.len) - { - /* encrypt a fragment for output to TCP/UDP port */ - ASSERT (fragment_ready_to_send (c->c2.fragment, &c->c2.buf, &c->c2.frame_fragment)); - encrypt_sign (c, false); - } - } - - fragment_housekeeping (c->c2.fragment, &c->c2.frame_fragment, &c->c2.timeval); -} -#endif - -/* - * Buffer reallocation, for use with null encryption. - */ -static inline void -buffer_turnover (const uint8_t *orig_buf, struct buffer *dest_stub, struct buffer *src_stub, struct buffer *storage) -{ - if (orig_buf == src_stub->data && src_stub->data != storage->data) - { - buf_assign (storage, src_stub); - *dest_stub = *storage; - } - else - { - *dest_stub = *src_stub; - } -} - -/* - * Compress, fragment, encrypt and HMAC-sign an outgoing packet. - * Input: c->c2.buf - * Output: c->c2.to_link - */ -void -encrypt_sign (struct context *c, bool comp_frag) -{ - struct context_buffers *b = c->c2.buffers; - const uint8_t *orig_buf = c->c2.buf.data; - -#if P2MP_SERVER - /* - * Drop non-TLS outgoing packet if client-connect script/plugin - * has not yet succeeded. - */ - if (c->c2.context_auth != CAS_SUCCEEDED) - c->c2.buf.len = 0; -#endif - - if (comp_frag) - { -#ifdef USE_LZO - /* Compress the packet. */ - if (lzo_defined (&c->c2.lzo_compwork)) - lzo_compress (&c->c2.buf, b->lzo_compress_buf, &c->c2.lzo_compwork, &c->c2.frame); -#endif -#ifdef ENABLE_FRAGMENT - if (c->c2.fragment) - fragment_outgoing (c->c2.fragment, &c->c2.buf, &c->c2.frame_fragment); -#endif - } - -#ifdef USE_CRYPTO -#ifdef USE_SSL - /* - * If TLS mode, get the key we will use to encrypt - * the packet. - */ - if (c->c2.tls_multi) - { - tls_pre_encrypt (c->c2.tls_multi, &c->c2.buf, &c->c2.crypto_options); - } -#endif - - /* - * Encrypt the packet and write an optional - * HMAC signature. - */ - openvpn_encrypt (&c->c2.buf, b->encrypt_buf, &c->c2.crypto_options, &c->c2.frame); -#endif - /* - * Get the address we will be sending the packet to. - */ - link_socket_get_outgoing_addr (&c->c2.buf, get_link_socket_info (c), - &c->c2.to_link_addr); -#ifdef USE_CRYPTO -#ifdef USE_SSL - /* - * In TLS mode, prepend the appropriate one-byte opcode - * to the packet which identifies it as a data channel - * packet and gives the low-permutation version of - * the key-id to the recipient so it knows which - * decrypt key to use. - */ - if (c->c2.tls_multi) - { - tls_post_encrypt (c->c2.tls_multi, &c->c2.buf); - } -#endif -#endif - - /* if null encryption, copy result to read_tun_buf */ - buffer_turnover (orig_buf, &c->c2.to_link, &c->c2.buf, &b->read_tun_buf); -} - -/* - * Coarse timers work to 1 second resolution. - */ -static void -process_coarse_timers (struct context *c) -{ -#ifdef USE_CRYPTO - /* flush current packet-id to file once per 60 - seconds if --replay-persist was specified */ - check_packet_id_persist_flush (c); -#endif - - /* should we update status file? */ - check_status_file (c); - - /* process connection establishment items */ - check_connection_established (c); - -#if P2MP - /* see if we should send a push_request in response to --pull */ - check_push_request (c); -#endif - -#ifdef PLUGIN_PF - pf_check_reload (c); -#endif - - /* process --route options */ - check_add_routes (c); - - /* possibly exit due to --inactive */ - check_inactivity_timeout (c); - if (c->sig->signal_received) - return; - - /* restart if ping not received */ - check_ping_restart (c); - if (c->sig->signal_received) - return; - -#if P2MP - check_server_poll_timeout (c); - if (c->sig->signal_received) - return; - - check_scheduled_exit (c); - if (c->sig->signal_received) - return; -#endif - -#ifdef ENABLE_OCC - /* Should we send an OCC_REQUEST message? */ - check_send_occ_req (c); - - /* Should we send an MTU load test? */ - check_send_occ_load_test (c); - - /* Should we send an OCC_EXIT message to remote? */ - if (c->c2.explicit_exit_notification_time_wait) - process_explicit_exit_notification_timer_wakeup (c); -#endif - - /* Should we ping the remote? */ - check_ping_send (c); -} - -static void -check_coarse_timers_dowork (struct context *c) -{ - const struct timeval save = c->c2.timeval; - c->c2.timeval.tv_sec = BIG_TIMEOUT; - c->c2.timeval.tv_usec = 0; - process_coarse_timers (c); - c->c2.coarse_timer_wakeup = now + c->c2.timeval.tv_sec; - - dmsg (D_INTERVAL, "TIMER: coarse timer wakeup %d seconds", (int) c->c2.timeval.tv_sec); - - /* Is the coarse timeout NOT the earliest one? */ - if (c->c2.timeval.tv_sec > save.tv_sec) - c->c2.timeval = save; -} - -static inline void -check_coarse_timers (struct context *c) -{ - const time_t local_now = now; - if (local_now >= c->c2.coarse_timer_wakeup) - check_coarse_timers_dowork (c); - else - context_reschedule_sec (c, c->c2.coarse_timer_wakeup - local_now); -} - -static void -check_timeout_random_component_dowork (struct context *c) -{ - const int update_interval = 10; /* seconds */ - c->c2.update_timeout_random_component = now + update_interval; - c->c2.timeout_random_component.tv_usec = (time_t) get_random () & 0x0003FFFF; - c->c2.timeout_random_component.tv_sec = 0; - - dmsg (D_INTERVAL, "RANDOM USEC=%d", (int) c->c2.timeout_random_component.tv_usec); -} - -static inline void -check_timeout_random_component (struct context *c) -{ - if (now >= c->c2.update_timeout_random_component) - check_timeout_random_component_dowork (c); - if (c->c2.timeval.tv_sec >= 1) - tv_add (&c->c2.timeval, &c->c2.timeout_random_component); -} - -#ifdef ENABLE_SOCKS - -/* - * Handle addition and removal of the 10-byte Socks5 header - * in UDP packets. - */ - -static inline void -socks_postprocess_incoming_link (struct context *c) -{ - if (c->c2.link_socket->socks_proxy && c->c2.link_socket->info.proto == PROTO_UDPv4) - socks_process_incoming_udp (&c->c2.buf, &c->c2.from); -} - -static inline void -socks_preprocess_outgoing_link (struct context *c, - struct link_socket_actual **to_addr, - int *size_delta) -{ - if (c->c2.link_socket->socks_proxy && c->c2.link_socket->info.proto == PROTO_UDPv4) - { - *size_delta += socks_process_outgoing_udp (&c->c2.to_link, c->c2.to_link_addr); - *to_addr = &c->c2.link_socket->socks_relay; - } -} - -/* undo effect of socks_preprocess_outgoing_link */ -static inline void -link_socket_write_post_size_adjust (int *size, - int size_delta, - struct buffer *buf) -{ - if (size_delta > 0 && *size > size_delta) - { - *size -= size_delta; - if (!buf_advance (buf, size_delta)) - *size = 0; - } -} -#endif - -/* - * Output: c->c2.buf - */ - -void -read_incoming_link (struct context *c) -{ - /* - * Set up for recvfrom call to read datagram - * sent to our TCP/UDP port. - */ - int status; - - /*ASSERT (!c->c2.to_tun.len);*/ - - perf_push (PERF_READ_IN_LINK); - - c->c2.buf = c->c2.buffers->read_link_buf; - ASSERT (buf_init (&c->c2.buf, FRAME_HEADROOM_ADJ (&c->c2.frame, FRAME_HEADROOM_MARKER_READ_LINK))); - - status = link_socket_read (c->c2.link_socket, - &c->c2.buf, - MAX_RW_SIZE_LINK (&c->c2.frame), - &c->c2.from); - - if (socket_connection_reset (c->c2.link_socket, status)) - { -#if PORT_SHARE - if (port_share && socket_foreign_protocol_detected (c->c2.link_socket)) - { - const struct buffer *fbuf = socket_foreign_protocol_head (c->c2.link_socket); - const int sd = socket_foreign_protocol_sd (c->c2.link_socket); - port_share_redirect (port_share, fbuf, sd); - c->sig->signal_received = SIGTERM; - c->sig->signal_text = "port-share-redirect"; - } - else -#endif - { - /* received a disconnect from a connection-oriented protocol */ - if (c->options.inetd) - { - c->sig->signal_received = SIGTERM; - c->sig->signal_text = "connection-reset-inetd"; - msg (D_STREAM_ERRORS, "Connection reset, inetd/xinetd exit [%d]", status); - } - else - { -#ifdef ENABLE_OCC - if (event_timeout_defined(&c->c2.explicit_exit_notification_interval)) - { - msg (D_STREAM_ERRORS, "Connection reset during exit notification period, ignoring [%d]", status); - openvpn_sleep(1); - } - else -#endif - { - c->sig->signal_received = SIGUSR1; /* SOFT-SIGUSR1 -- TCP connection reset */ - c->sig->signal_text = "connection-reset"; - msg (D_STREAM_ERRORS, "Connection reset, restarting [%d]", status); - } - } - } - perf_pop (); - return; - } - - /* check recvfrom status */ - check_status (status, "read", c->c2.link_socket, NULL); - -#ifdef ENABLE_SOCKS - /* Remove socks header if applicable */ - socks_postprocess_incoming_link (c); -#endif - - perf_pop (); -} - -/* - * Input: c->c2.buf - * Output: c->c2.to_tun - */ - -void -process_incoming_link (struct context *c) -{ - struct gc_arena gc = gc_new (); - bool decrypt_status; - struct link_socket_info *lsi = get_link_socket_info (c); - const uint8_t *orig_buf = c->c2.buf.data; - - perf_push (PERF_PROC_IN_LINK); - - if (c->c2.buf.len > 0) - { - c->c2.link_read_bytes += c->c2.buf.len; - link_read_bytes_global += c->c2.buf.len; - c->c2.original_recv_size = c->c2.buf.len; -#ifdef ENABLE_MANAGEMENT - if (management) - { - management_bytes_in (management, c->c2.buf.len); -#ifdef MANAGEMENT_DEF_AUTH - management_bytes_server (management, &c->c2.link_read_bytes, &c->c2.link_write_bytes, &c->c2.mda_context); -#endif - } -#endif - } - else - c->c2.original_recv_size = 0; - -#ifdef ENABLE_DEBUG - /* take action to corrupt packet if we are in gremlin test mode */ - if (c->options.gremlin) { - if (!ask_gremlin (c->options.gremlin)) - c->c2.buf.len = 0; - corrupt_gremlin (&c->c2.buf, c->options.gremlin); - } -#endif - - /* log incoming packet */ -#ifdef LOG_RW - if (c->c2.log_rw && c->c2.buf.len > 0) - fprintf (stderr, "R"); -#endif - msg (D_LINK_RW, "%s READ [%d] from %s: %s", - proto2ascii (lsi->proto, true), - BLEN (&c->c2.buf), - print_link_socket_actual (&c->c2.from, &gc), - PROTO_DUMP (&c->c2.buf, &gc)); - - /* - * Good, non-zero length packet received. - * Commence multi-stage processing of packet, - * such as authenticate, decrypt, decompress. - * If any stage fails, it sets buf.len to 0 or -1, - * telling downstream stages to ignore the packet. - */ - if (c->c2.buf.len > 0) - { - if (!link_socket_verify_incoming_addr (&c->c2.buf, lsi, &c->c2.from)) - link_socket_bad_incoming_addr (&c->c2.buf, lsi, &c->c2.from); - -#ifdef USE_CRYPTO -#ifdef USE_SSL - if (c->c2.tls_multi) - { - /* - * If tls_pre_decrypt returns true, it means the incoming - * packet was a good TLS control channel packet. If so, TLS code - * will deal with the packet and set buf.len to 0 so downstream - * stages ignore it. - * - * If the packet is a data channel packet, tls_pre_decrypt - * will load crypto_options with the correct encryption key - * and return false. - */ - if (tls_pre_decrypt (c->c2.tls_multi, &c->c2.from, &c->c2.buf, &c->c2.crypto_options)) - { - interval_action (&c->c2.tmp_int); - - /* reset packet received timer if TLS packet */ - if (c->options.ping_rec_timeout) - event_timeout_reset (&c->c2.ping_rec_interval); - } - } -#if P2MP_SERVER - /* - * Drop non-TLS packet if client-connect script/plugin has not - * yet succeeded. - */ - if (c->c2.context_auth != CAS_SUCCEEDED) - c->c2.buf.len = 0; -#endif -#endif /* USE_SSL */ - - /* authenticate and decrypt the incoming packet */ - decrypt_status = openvpn_decrypt (&c->c2.buf, c->c2.buffers->decrypt_buf, &c->c2.crypto_options, &c->c2.frame); - - if (!decrypt_status && link_socket_connection_oriented (c->c2.link_socket)) - { - /* decryption errors are fatal in TCP mode */ - c->sig->signal_received = SIGUSR1; /* SOFT-SIGUSR1 -- decryption error in TCP mode */ - c->sig->signal_text = "decryption-error"; - msg (D_STREAM_ERRORS, "Fatal decryption error (process_incoming_link), restarting"); - goto done; - } - -#endif /* USE_CRYPTO */ - -#ifdef ENABLE_FRAGMENT - if (c->c2.fragment) - fragment_incoming (c->c2.fragment, &c->c2.buf, &c->c2.frame_fragment); -#endif - -#ifdef USE_LZO - /* decompress the incoming packet */ - if (lzo_defined (&c->c2.lzo_compwork)) - lzo_decompress (&c->c2.buf, c->c2.buffers->lzo_decompress_buf, &c->c2.lzo_compwork, &c->c2.frame); -#endif - -#ifdef PACKET_TRUNCATION_CHECK - /* if (c->c2.buf.len > 1) --c->c2.buf.len; */ - ipv4_packet_size_verify (BPTR (&c->c2.buf), - BLEN (&c->c2.buf), - TUNNEL_TYPE (c->c1.tuntap), - "POST_DECRYPT", - &c->c2.n_trunc_post_decrypt); -#endif - - /* - * Set our "official" outgoing address, since - * if buf.len is non-zero, we know the packet - * authenticated. In TLS mode we do nothing - * because TLS mode takes care of source address - * authentication. - * - * Also, update the persisted version of our packet-id. - */ - if (!TLS_MODE (c)) - link_socket_set_outgoing_addr (&c->c2.buf, lsi, &c->c2.from, NULL, c->c2.es); - - /* reset packet received timer */ - if (c->options.ping_rec_timeout && c->c2.buf.len > 0) - event_timeout_reset (&c->c2.ping_rec_interval); - - /* increment authenticated receive byte count */ - if (c->c2.buf.len > 0) - { - c->c2.link_read_bytes_auth += c->c2.buf.len; - c->c2.max_recv_size_local = max_int (c->c2.original_recv_size, c->c2.max_recv_size_local); - } - - /* Did we just receive an openvpn ping packet? */ - if (is_ping_msg (&c->c2.buf)) - { - dmsg (D_PING, "RECEIVED PING PACKET"); - c->c2.buf.len = 0; /* drop packet */ - } - -#ifdef ENABLE_OCC - /* Did we just receive an OCC packet? */ - if (is_occ_msg (&c->c2.buf)) - process_received_occ_msg (c); -#endif - - buffer_turnover (orig_buf, &c->c2.to_tun, &c->c2.buf, &c->c2.buffers->read_link_buf); - - /* to_tun defined + unopened tuntap can cause deadlock */ - if (!tuntap_defined (c->c1.tuntap)) - c->c2.to_tun.len = 0; - } - else - { - buf_reset (&c->c2.to_tun); - } - done: - perf_pop (); - gc_free (&gc); -} - -/* - * Output: c->c2.buf - */ - -void -read_incoming_tun (struct context *c) -{ - /* - * Setup for read() call on TUN/TAP device. - */ - /*ASSERT (!c->c2.to_link.len);*/ - - perf_push (PERF_READ_IN_TUN); - - c->c2.buf = c->c2.buffers->read_tun_buf; -#ifdef TUN_PASS_BUFFER - read_tun_buffered (c->c1.tuntap, &c->c2.buf, MAX_RW_SIZE_TUN (&c->c2.frame)); -#else - ASSERT (buf_init (&c->c2.buf, FRAME_HEADROOM (&c->c2.frame))); - ASSERT (buf_safe (&c->c2.buf, MAX_RW_SIZE_TUN (&c->c2.frame))); - c->c2.buf.len = read_tun (c->c1.tuntap, BPTR (&c->c2.buf), MAX_RW_SIZE_TUN (&c->c2.frame)); -#endif - -#ifdef PACKET_TRUNCATION_CHECK - ipv4_packet_size_verify (BPTR (&c->c2.buf), - BLEN (&c->c2.buf), - TUNNEL_TYPE (c->c1.tuntap), - "READ_TUN", - &c->c2.n_trunc_tun_read); -#endif - - /* Was TUN/TAP interface stopped? */ - if (tuntap_stop (c->c2.buf.len)) - { - c->sig->signal_received = SIGTERM; - c->sig->signal_text = "tun-stop"; - msg (M_INFO, "TUN/TAP interface has been stopped, exiting"); - perf_pop (); - return; - } - - /* Check the status return from read() */ - check_status (c->c2.buf.len, "read from TUN/TAP", NULL, c->c1.tuntap); - - perf_pop (); -} - -/* - * Input: c->c2.buf - * Output: c->c2.to_link - */ - -void -process_incoming_tun (struct context *c) -{ - struct gc_arena gc = gc_new (); - - perf_push (PERF_PROC_IN_TUN); - - if (c->c2.buf.len > 0) - c->c2.tun_read_bytes += c->c2.buf.len; - -#ifdef LOG_RW - if (c->c2.log_rw && c->c2.buf.len > 0) - fprintf (stderr, "r"); -#endif - - /* Show packet content */ - dmsg (D_TUN_RW, "TUN READ [%d]", BLEN (&c->c2.buf)); - - if (c->c2.buf.len > 0) - { - /* - * The --passtos and --mssfix options require - * us to examine the IPv4 header. - */ - process_ipv4_header (c, PIPV4_PASSTOS|PIPV4_MSSFIX, &c->c2.buf); - -#ifdef PACKET_TRUNCATION_CHECK - /* if (c->c2.buf.len > 1) --c->c2.buf.len; */ - ipv4_packet_size_verify (BPTR (&c->c2.buf), - BLEN (&c->c2.buf), - TUNNEL_TYPE (c->c1.tuntap), - "PRE_ENCRYPT", - &c->c2.n_trunc_pre_encrypt); -#endif - - encrypt_sign (c, true); - } - else - { - buf_reset (&c->c2.to_link); - } - perf_pop (); - gc_free (&gc); -} - -void -process_ipv4_header (struct context *c, unsigned int flags, struct buffer *buf) -{ - if (!c->options.mssfix) - flags &= ~PIPV4_MSSFIX; -#if PASSTOS_CAPABILITY - if (!c->options.passtos) - flags &= ~PIPV4_PASSTOS; -#endif - if (!c->options.route_gateway_via_dhcp || !route_list_default_gateway_needed (c->c1.route_list)) - flags &= ~PIPV4_EXTRACT_DHCP_ROUTER; - - if (buf->len > 0) - { - /* - * The --passtos and --mssfix options require - * us to examine the IPv4 header. - */ -#if PASSTOS_CAPABILITY - if (flags & (PIPV4_PASSTOS|PIPV4_MSSFIX)) -#else - if (flags & PIPV4_MSSFIX) -#endif - { - struct buffer ipbuf = *buf; - if (is_ipv4 (TUNNEL_TYPE (c->c1.tuntap), &ipbuf)) - { -#if PASSTOS_CAPABILITY - /* extract TOS from IP header */ - if (flags & PIPV4_PASSTOS) - link_socket_extract_tos (c->c2.link_socket, &ipbuf); -#endif - - /* possibly alter the TCP MSS */ - if (flags & PIPV4_MSSFIX) - mss_fixup (&ipbuf, MTU_TO_MSS (TUN_MTU_SIZE_DYNAMIC (&c->c2.frame))); - - /* possibly extract a DHCP router message */ - if (flags & PIPV4_EXTRACT_DHCP_ROUTER) - { - const in_addr_t dhcp_router = dhcp_extract_router_msg (&ipbuf); - if (dhcp_router) - route_list_add_default_gateway (c->c1.route_list, c->c2.es, dhcp_router); - } - } - } - } -} - -/* - * Input: c->c2.to_link - */ - -void -process_outgoing_link (struct context *c) -{ - struct gc_arena gc = gc_new (); - - perf_push (PERF_PROC_OUT_LINK); - - if (c->c2.to_link.len > 0 && c->c2.to_link.len <= EXPANDED_SIZE (&c->c2.frame)) - { - /* - * Setup for call to send/sendto which will send - * packet to remote over the TCP/UDP port. - */ - int size = 0; - ASSERT (link_socket_actual_defined (c->c2.to_link_addr)); - -#ifdef ENABLE_DEBUG - /* In gremlin-test mode, we may choose to drop this packet */ - if (!c->options.gremlin || ask_gremlin (c->options.gremlin)) -#endif - { - /* - * Let the traffic shaper know how many bytes - * we wrote. - */ -#ifdef HAVE_GETTIMEOFDAY - if (c->options.shaper) - shaper_wrote_bytes (&c->c2.shaper, BLEN (&c->c2.to_link) - + datagram_overhead (c->options.ce.proto)); -#endif - /* - * Let the pinger know that we sent a packet. - */ - if (c->options.ping_send_timeout) - event_timeout_reset (&c->c2.ping_send_interval); - -#if PASSTOS_CAPABILITY - /* Set TOS */ - link_socket_set_tos (c->c2.link_socket); -#endif - - /* Log packet send */ -#ifdef LOG_RW - if (c->c2.log_rw) - fprintf (stderr, "W"); -#endif - msg (D_LINK_RW, "%s WRITE [%d] to %s: %s", - proto2ascii (c->c2.link_socket->info.proto, true), - BLEN (&c->c2.to_link), - print_link_socket_actual (c->c2.to_link_addr, &gc), - PROTO_DUMP (&c->c2.to_link, &gc)); - - /* Packet send complexified by possible Socks5 usage */ - { - struct link_socket_actual *to_addr = c->c2.to_link_addr; -#ifdef ENABLE_SOCKS - int size_delta = 0; -#endif - -#ifdef ENABLE_SOCKS - /* If Socks5 over UDP, prepend header */ - socks_preprocess_outgoing_link (c, &to_addr, &size_delta); -#endif - /* Send packet */ - size = link_socket_write (c->c2.link_socket, - &c->c2.to_link, - to_addr); - -#ifdef ENABLE_SOCKS - /* Undo effect of prepend */ - link_socket_write_post_size_adjust (&size, size_delta, &c->c2.to_link); -#endif - } - - if (size > 0) - { - c->c2.max_send_size_local = max_int (size, c->c2.max_send_size_local); - c->c2.link_write_bytes += size; - link_write_bytes_global += size; -#ifdef ENABLE_MANAGEMENT - if (management) - { - management_bytes_out (management, size); -#ifdef MANAGEMENT_DEF_AUTH - management_bytes_server (management, &c->c2.link_read_bytes, &c->c2.link_write_bytes, &c->c2.mda_context); -#endif - } -#endif - } - } - - /* Check return status */ - check_status (size, "write", c->c2.link_socket, NULL); - - if (size > 0) - { - /* Did we write a different size packet than we intended? */ - if (size != BLEN (&c->c2.to_link)) - msg (D_LINK_ERRORS, - "TCP/UDP packet was truncated/expanded on write to %s (tried=%d,actual=%d)", - print_link_socket_actual (c->c2.to_link_addr, &gc), - BLEN (&c->c2.to_link), - size); - } - - /* if not a ping/control message, indicate activity regarding --inactive parameter */ - if (c->c2.buf.len > 0 ) - register_activity (c, size); - } - else - { - if (c->c2.to_link.len > 0) - msg (D_LINK_ERRORS, "TCP/UDP packet too large on write to %s (tried=%d,max=%d)", - print_link_socket_actual (c->c2.to_link_addr, &gc), - c->c2.to_link.len, - EXPANDED_SIZE (&c->c2.frame)); - } - - buf_reset (&c->c2.to_link); - - perf_pop (); - gc_free (&gc); -} - -/* - * Input: c->c2.to_tun - */ - -void -process_outgoing_tun (struct context *c) -{ - struct gc_arena gc = gc_new (); - - /* - * Set up for write() call to TUN/TAP - * device. - */ - if (c->c2.to_tun.len <= 0) - return; - - perf_push (PERF_PROC_OUT_TUN); - - /* - * The --mssfix option requires - * us to examine the IPv4 header. - */ - process_ipv4_header (c, PIPV4_MSSFIX|PIPV4_EXTRACT_DHCP_ROUTER|PIPV4_OUTGOING, &c->c2.to_tun); - - if (c->c2.to_tun.len <= MAX_RW_SIZE_TUN (&c->c2.frame)) - { - /* - * Write to TUN/TAP device. - */ - int size; - -#ifdef LOG_RW - if (c->c2.log_rw) - fprintf (stderr, "w"); -#endif - dmsg (D_TUN_RW, "TUN WRITE [%d]", BLEN (&c->c2.to_tun)); - -#ifdef PACKET_TRUNCATION_CHECK - ipv4_packet_size_verify (BPTR (&c->c2.to_tun), - BLEN (&c->c2.to_tun), - TUNNEL_TYPE (c->c1.tuntap), - "WRITE_TUN", - &c->c2.n_trunc_tun_write); -#endif - -#ifdef TUN_PASS_BUFFER - size = write_tun_buffered (c->c1.tuntap, &c->c2.to_tun); -#else - size = write_tun (c->c1.tuntap, BPTR (&c->c2.to_tun), BLEN (&c->c2.to_tun)); -#endif - - if (size > 0) - c->c2.tun_write_bytes += size; - check_status (size, "write to TUN/TAP", NULL, c->c1.tuntap); - - /* check written packet size */ - if (size > 0) - { - /* Did we write a different size packet than we intended? */ - if (size != BLEN (&c->c2.to_tun)) - msg (D_LINK_ERRORS, - "TUN/TAP packet was destructively fragmented on write to %s (tried=%d,actual=%d)", - c->c1.tuntap->actual_name, - BLEN (&c->c2.to_tun), - size); - - /* indicate activity regarding --inactive parameter */ - register_activity (c, size); - } - } - else - { - /* - * This should never happen, probably indicates some kind - * of MTU mismatch. - */ - msg (D_LINK_ERRORS, "tun packet too large on write (tried=%d,max=%d)", - c->c2.to_tun.len, - MAX_RW_SIZE_TUN (&c->c2.frame)); - } - - buf_reset (&c->c2.to_tun); - - perf_pop (); - gc_free (&gc); -} - -void -pre_select (struct context *c) -{ - /* make sure current time (now) is updated on function entry */ - - /* - * Start with an effectively infinite timeout, then let it - * reduce to a timeout that reflects the component which - * needs the earliest service. - */ - c->c2.timeval.tv_sec = BIG_TIMEOUT; - c->c2.timeval.tv_usec = 0; - -#if defined(WIN32) - if (check_debug_level (D_TAP_WIN32_DEBUG)) - { - c->c2.timeval.tv_sec = 1; - if (tuntap_defined (c->c1.tuntap)) - tun_show_debug (c->c1.tuntap); - } -#endif - - /* check coarse timers? */ - check_coarse_timers (c); - if (c->sig->signal_received) - return; - - /* Does TLS need service? */ - check_tls (c); - - /* In certain cases, TLS errors will require a restart */ - check_tls_errors (c); - if (c->sig->signal_received) - return; - - /* check for incoming configuration info on the control channel */ - check_incoming_control_channel (c); - -#ifdef ENABLE_OCC - /* Should we send an OCC message? */ - check_send_occ_msg (c); -#endif - -#ifdef ENABLE_FRAGMENT - /* Should we deliver a datagram fragment to remote? */ - check_fragment (c); -#endif - - /* Update random component of timeout */ - check_timeout_random_component (c); -} - -/* - * Wait for I/O events. Used for both TCP & UDP sockets - * in point-to-point mode and for UDP sockets in - * point-to-multipoint mode. - */ - -void -io_wait_dowork (struct context *c, const unsigned int flags) -{ - unsigned int socket = 0; - unsigned int tuntap = 0; - struct event_set_return esr[4]; - - /* These shifts all depend on EVENT_READ and EVENT_WRITE */ - static int socket_shift = 0; /* depends on SOCKET_READ and SOCKET_WRITE */ - static int tun_shift = 2; /* depends on TUN_READ and TUN_WRITE */ - static int err_shift = 4; /* depends on ES_ERROR */ -#ifdef ENABLE_MANAGEMENT - static int management_shift = 6; /* depends on MANAGEMENT_READ and MANAGEMENT_WRITE */ -#endif - - /* - * Decide what kind of events we want to wait for. - */ - event_reset (c->c2.event_set); - - /* - * On win32 we use the keyboard or an event object as a source - * of asynchronous signals. - */ - if (flags & IOW_WAIT_SIGNAL) - wait_signal (c->c2.event_set, (void*)&err_shift); - - /* - * If outgoing data (for TCP/UDP port) pending, wait for ready-to-send - * status from TCP/UDP port. Otherwise, wait for incoming data on - * TUN/TAP device. - */ - if (flags & IOW_TO_LINK) - { - if (flags & IOW_SHAPER) - { - /* - * If sending this packet would put us over our traffic shaping - * quota, don't send -- instead compute the delay we must wait - * until it will be OK to send the packet. - */ -#ifdef HAVE_GETTIMEOFDAY - int delay = 0; - - /* set traffic shaping delay in microseconds */ - if (c->options.shaper) - delay = max_int (delay, shaper_delay (&c->c2.shaper)); - - if (delay < 1000) - { - socket |= EVENT_WRITE; - } - else - { - shaper_soonest_event (&c->c2.timeval, delay); - } -#else /* HAVE_GETTIMEOFDAY */ - socket |= EVENT_WRITE; -#endif /* HAVE_GETTIMEOFDAY */ - } - else - { - socket |= EVENT_WRITE; - } - } - else if (!((flags & IOW_FRAG) && TO_LINK_FRAG (c))) - { - if (flags & IOW_READ_TUN) - tuntap |= EVENT_READ; - } - - /* - * If outgoing data (for TUN/TAP device) pending, wait for ready-to-send status - * from device. Otherwise, wait for incoming data on TCP/UDP port. - */ - if (flags & IOW_TO_TUN) - { - tuntap |= EVENT_WRITE; - } - else - { - if (flags & IOW_READ_LINK) - socket |= EVENT_READ; - } - - /* - * outgoing bcast buffer waiting to be sent? - */ - if (flags & IOW_MBUF) - socket |= EVENT_WRITE; - - /* - * Force wait on TUN input, even if also waiting on TCP/UDP output - */ - if (flags & IOW_READ_TUN_FORCE) - tuntap |= EVENT_READ; - - /* - * Configure event wait based on socket, tuntap flags. - */ - socket_set (c->c2.link_socket, c->c2.event_set, socket, (void*)&socket_shift, NULL); - tun_set (c->c1.tuntap, c->c2.event_set, tuntap, (void*)&tun_shift, NULL); - -#ifdef ENABLE_MANAGEMENT - if (management) - management_socket_set (management, c->c2.event_set, (void*)&management_shift, NULL); -#endif - - /* - * Possible scenarios: - * (1) tcp/udp port has data available to read - * (2) tcp/udp port is ready to accept more data to write - * (3) tun dev has data available to read - * (4) tun dev is ready to accept more data to write - * (5) we received a signal (handler sets signal_received) - * (6) timeout (tv) expired - */ - - c->c2.event_set_status = ES_ERROR; - - if (!c->sig->signal_received) - { - if (!(flags & IOW_CHECK_RESIDUAL) || !socket_read_residual (c->c2.link_socket)) - { - int status; - -#ifdef ENABLE_DEBUG - if (check_debug_level (D_EVENT_WAIT)) - show_wait_status (c); -#endif - - /* - * Wait for something to happen. - */ - status = event_wait (c->c2.event_set, &c->c2.timeval, esr, SIZE(esr)); - - check_status (status, "event_wait", NULL, NULL); - - if (status > 0) - { - int i; - c->c2.event_set_status = 0; - for (i = 0; i < status; ++i) - { - const struct event_set_return *e = &esr[i]; - c->c2.event_set_status |= ((e->rwflags & 3) << *((int*)e->arg)); - } - } - else if (status == 0) - { - c->c2.event_set_status = ES_TIMEOUT; - } - } - else - { - c->c2.event_set_status = SOCKET_READ; - } - } - - /* 'now' should always be a reasonably up-to-date timestamp */ - update_time (); - - /* set signal_received if a signal was received */ - if (c->c2.event_set_status & ES_ERROR) - get_signal (&c->sig->signal_received); - - dmsg (D_EVENT_WAIT, "I/O WAIT status=0x%04x", c->c2.event_set_status); -} - -void -process_io (struct context *c) -{ - const unsigned int status = c->c2.event_set_status; - -#ifdef ENABLE_MANAGEMENT - if (status & (MANAGEMENT_READ|MANAGEMENT_WRITE)) - { - ASSERT (management); - management_io (management); - } -#endif - - /* TCP/UDP port ready to accept write */ - if (status & SOCKET_WRITE) - { - process_outgoing_link (c); - } - /* TUN device ready to accept write */ - else if (status & TUN_WRITE) - { - process_outgoing_tun (c); - } - /* Incoming data on TCP/UDP port */ - else if (status & SOCKET_READ) - { - read_incoming_link (c); - if (!IS_SIG (c)) - process_incoming_link (c); - } - /* Incoming data on TUN device */ - else if (status & TUN_READ) - { - read_incoming_tun (c); - if (!IS_SIG (c)) - process_incoming_tun (c); - } -} |