diff options
Diffstat (limited to 'src/openvpn')
120 files changed, 14225 insertions, 8539 deletions
diff --git a/src/openvpn/Makefile.am b/src/openvpn/Makefile.am index 6d02fea..4c18449 100644 --- a/src/openvpn/Makefile.am +++ b/src/openvpn/Makefile.am @@ -18,7 +18,7 @@ EXTRA_DIST = \ openvpn.vcxproj \ openvpn.vcxproj.filters -INCLUDES = \ +AM_CPPFLAGS = \ -I$(top_srcdir)/include \ -I$(top_srcdir)/src/compat @@ -26,6 +26,7 @@ AM_CFLAGS = \ $(TAP_CFLAGS) \ $(OPTIONAL_CRYPTO_CFLAGS) \ $(OPTIONAL_LZO_CFLAGS) \ + $(OPTIONAL_LZ4_CFLAGS) \ $(OPTIONAL_PKCS11_HELPER_CFLAGS) if WIN32 # we want unicode entry point but not the macro @@ -35,15 +36,18 @@ endif sbin_PROGRAMS = openvpn openvpn_SOURCES = \ + argv.c argv.h \ base64.c base64.h \ basic.h \ buffer.c buffer.h \ circ_list.h \ clinat.c clinat.h \ common.h \ + comp.c comp.h compstub.c \ + comp-lz4.c comp-lz4.h \ crypto.c crypto.h crypto_backend.h \ crypto_openssl.c crypto_openssl.h \ - crypto_polarssl.c crypto_polarssl.h \ + crypto_mbedtls.c crypto_mbedtls.h \ dhcp.c dhcp.h \ errlevel.h \ error.c error.h \ @@ -65,7 +69,7 @@ openvpn_SOURCES = \ memdbg.h \ misc.c misc.h \ platform.c platform.h \ - console.c console.h \ + console.c console.h console_builtin.c console_systemd.c \ mroute.c mroute.h \ mss.c mss.h \ mstats.c mstats.h \ @@ -77,7 +81,7 @@ openvpn_SOURCES = \ occ.c occ.h occ-inline.h \ pkcs11.c pkcs11.h pkcs11_backend.h \ pkcs11_openssl.c \ - pkcs11_polarssl.c \ + pkcs11_mbedtls.c \ openvpn.c openvpn.h \ options.c options.h \ otime.c otime.h \ @@ -102,26 +106,28 @@ openvpn_SOURCES = \ socks.c socks.h \ ssl.c ssl.h ssl_backend.h \ ssl_openssl.c ssl_openssl.h \ - ssl_polarssl.c ssl_polarssl.h \ + ssl_mbedtls.c ssl_mbedtls.h \ ssl_common.h \ ssl_verify.c ssl_verify.h ssl_verify_backend.h \ ssl_verify_openssl.c ssl_verify_openssl.h \ - ssl_verify_polarssl.c ssl_verify_polarssl.h \ + ssl_verify_mbedtls.c ssl_verify_mbedtls.h \ status.c status.h \ syshead.h \ + tls_crypt.c tls_crypt.h \ tun.c tun.h \ - win32.h win32_wfp.h win32.c \ + win32.h win32.c \ cryptoapi.h cryptoapi.c openvpn_LDADD = \ $(top_builddir)/src/compat/libcompat.la \ $(SOCKETS_LIBS) \ $(OPTIONAL_LZO_LIBS) \ + $(OPTIONAL_LZ4_LIBS) \ $(OPTIONAL_PKCS11_HELPER_LIBS) \ $(OPTIONAL_CRYPTO_LIBS) \ $(OPTIONAL_SELINUX_LIBS) \ $(OPTIONAL_SYSTEMD_LIBS) \ $(OPTIONAL_DL_LIBS) if WIN32 -openvpn_SOURCES += openvpn_win32_resources.rc -openvpn_LDADD += -lgdi32 -lws2_32 -lwininet -lcrypt32 -liphlpapi -lrpcrt4 -lwinmm +openvpn_SOURCES += openvpn_win32_resources.rc block_dns.c block_dns.h +openvpn_LDADD += -lgdi32 -lws2_32 -lwininet -lcrypt32 -liphlpapi -lwinmm -lfwpuclnt -lrpcrt4 endif diff --git a/src/openvpn/Makefile.in b/src/openvpn/Makefile.in index 3691c96..ff15d6d 100644 --- a/src/openvpn/Makefile.in +++ b/src/openvpn/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.15 from Makefile.am. +# Makefile.in generated by automake 1.13.4 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2014 Free Software Foundation, Inc. +# Copyright (C) 1994-2013 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -37,17 +37,7 @@ # Required to build Windows resource file VPATH = @srcdir@ -am__is_gnu_make = { \ - if test -z '$(MAKELEVEL)'; then \ - false; \ - elif test -n '$(MAKE_HOST)'; then \ - true; \ - elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ - true; \ - else \ - false; \ - fi; \ -} +am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -110,11 +100,13 @@ PRE_UNINSTALL = : POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ +DIST_COMMON = $(top_srcdir)/build/ltrc.inc $(srcdir)/Makefile.in \ + $(srcdir)/Makefile.am $(top_srcdir)/depcomp # we want unicode entry point but not the macro @WIN32_TRUE@am__append_1 = -municode -UUNICODE sbin_PROGRAMS = openvpn$(EXEEXT) -@WIN32_TRUE@am__append_2 = openvpn_win32_resources.rc -@WIN32_TRUE@am__append_3 = -lgdi32 -lws2_32 -lwininet -lcrypt32 -liphlpapi -lrpcrt4 -lwinmm +@WIN32_TRUE@am__append_2 = openvpn_win32_resources.rc block_dns.c block_dns.h +@WIN32_TRUE@am__append_3 = -lgdi32 -lws2_32 -lwininet -lcrypt32 -liphlpapi -lwinmm -lfwpuclnt -lrpcrt4 subdir = src/openvpn ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/ax_emptyarray.m4 \ @@ -126,63 +118,68 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/ax_emptyarray.m4 \ $(top_srcdir)/compat.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) -DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d -CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_HEADER = $(top_builddir)/config.h \ + $(top_builddir)/include/openvpn-plugin.h CONFIG_CLEAN_FILES = CONFIG_CLEAN_VPATH_FILES = am__installdirs = "$(DESTDIR)$(sbindir)" PROGRAMS = $(sbin_PROGRAMS) -am__openvpn_SOURCES_DIST = base64.c base64.h basic.h buffer.c buffer.h \ - circ_list.h clinat.c clinat.h common.h crypto.c crypto.h \ - crypto_backend.h crypto_openssl.c crypto_openssl.h \ - crypto_polarssl.c crypto_polarssl.h dhcp.c dhcp.h errlevel.h \ +am__openvpn_SOURCES_DIST = argv.c argv.h base64.c base64.h basic.h \ + buffer.c buffer.h circ_list.h clinat.c clinat.h common.h \ + comp.c comp.h compstub.c comp-lz4.c comp-lz4.h crypto.c \ + crypto.h crypto_backend.h crypto_openssl.c crypto_openssl.h \ + crypto_mbedtls.c crypto_mbedtls.h dhcp.c dhcp.h errlevel.h \ error.c error.h event.c event.h fdmisc.c fdmisc.h forward.c \ forward.h forward-inline.h fragment.c fragment.h gremlin.c \ gremlin.h helper.c helper.h httpdigest.c httpdigest.h lladdr.c \ lladdr.h init.c init.h integer.h interval.c interval.h list.c \ list.h lzo.c lzo.h manage.c manage.h mbuf.c mbuf.h memdbg.h \ misc.c misc.h platform.c platform.h console.c console.h \ - mroute.c mroute.h mss.c mss.h mstats.c mstats.h mtcp.c mtcp.h \ - mtu.c mtu.h mudp.c mudp.h multi.c multi.h ntlm.c ntlm.h occ.c \ - occ.h occ-inline.h pkcs11.c pkcs11.h pkcs11_backend.h \ - pkcs11_openssl.c pkcs11_polarssl.c openvpn.c openvpn.h \ - options.c options.h otime.c otime.h packet_id.c packet_id.h \ - perf.c perf.h pf.c pf.h pf-inline.h ping.c ping.h \ - ping-inline.h plugin.c plugin.h pool.c pool.h proto.c proto.h \ - proxy.c proxy.h ps.c ps.h push.c push.h pushlist.h reliable.c \ - reliable.h route.c route.h schedule.c schedule.h session_id.c \ - session_id.h shaper.c shaper.h sig.c sig.h socket.c socket.h \ - socks.c socks.h ssl.c ssl.h ssl_backend.h ssl_openssl.c \ - ssl_openssl.h ssl_polarssl.c ssl_polarssl.h ssl_common.h \ - ssl_verify.c ssl_verify.h ssl_verify_backend.h \ - ssl_verify_openssl.c ssl_verify_openssl.h \ - ssl_verify_polarssl.c ssl_verify_polarssl.h status.c status.h \ - syshead.h tun.c tun.h win32.h win32_wfp.h win32.c cryptoapi.h \ - cryptoapi.c openvpn_win32_resources.rc -@WIN32_TRUE@am__objects_1 = openvpn_win32_resources.$(OBJEXT) -am_openvpn_OBJECTS = base64.$(OBJEXT) buffer.$(OBJEXT) \ - clinat.$(OBJEXT) crypto.$(OBJEXT) crypto_openssl.$(OBJEXT) \ - crypto_polarssl.$(OBJEXT) dhcp.$(OBJEXT) error.$(OBJEXT) \ + console_builtin.c console_systemd.c mroute.c mroute.h mss.c \ + mss.h mstats.c mstats.h mtcp.c mtcp.h mtu.c mtu.h mudp.c \ + mudp.h multi.c multi.h ntlm.c ntlm.h occ.c occ.h occ-inline.h \ + pkcs11.c pkcs11.h pkcs11_backend.h pkcs11_openssl.c \ + pkcs11_mbedtls.c openvpn.c openvpn.h options.c options.h \ + otime.c otime.h packet_id.c packet_id.h perf.c perf.h pf.c \ + pf.h pf-inline.h ping.c ping.h ping-inline.h plugin.c plugin.h \ + pool.c pool.h proto.c proto.h proxy.c proxy.h ps.c ps.h push.c \ + push.h pushlist.h reliable.c reliable.h route.c route.h \ + schedule.c schedule.h session_id.c session_id.h shaper.c \ + shaper.h sig.c sig.h socket.c socket.h socks.c socks.h ssl.c \ + ssl.h ssl_backend.h ssl_openssl.c ssl_openssl.h ssl_mbedtls.c \ + ssl_mbedtls.h ssl_common.h ssl_verify.c ssl_verify.h \ + ssl_verify_backend.h ssl_verify_openssl.c ssl_verify_openssl.h \ + ssl_verify_mbedtls.c ssl_verify_mbedtls.h status.c status.h \ + syshead.h tls_crypt.c tls_crypt.h tun.c tun.h win32.h win32.c \ + cryptoapi.h cryptoapi.c openvpn_win32_resources.rc block_dns.c \ + block_dns.h +@WIN32_TRUE@am__objects_1 = openvpn_win32_resources.$(OBJEXT) \ +@WIN32_TRUE@ block_dns.$(OBJEXT) +am_openvpn_OBJECTS = argv.$(OBJEXT) base64.$(OBJEXT) buffer.$(OBJEXT) \ + clinat.$(OBJEXT) comp.$(OBJEXT) compstub.$(OBJEXT) \ + comp-lz4.$(OBJEXT) crypto.$(OBJEXT) crypto_openssl.$(OBJEXT) \ + crypto_mbedtls.$(OBJEXT) dhcp.$(OBJEXT) error.$(OBJEXT) \ event.$(OBJEXT) fdmisc.$(OBJEXT) forward.$(OBJEXT) \ fragment.$(OBJEXT) gremlin.$(OBJEXT) helper.$(OBJEXT) \ httpdigest.$(OBJEXT) lladdr.$(OBJEXT) init.$(OBJEXT) \ interval.$(OBJEXT) list.$(OBJEXT) lzo.$(OBJEXT) \ manage.$(OBJEXT) mbuf.$(OBJEXT) misc.$(OBJEXT) \ - platform.$(OBJEXT) console.$(OBJEXT) mroute.$(OBJEXT) \ - mss.$(OBJEXT) mstats.$(OBJEXT) mtcp.$(OBJEXT) mtu.$(OBJEXT) \ - mudp.$(OBJEXT) multi.$(OBJEXT) ntlm.$(OBJEXT) occ.$(OBJEXT) \ - pkcs11.$(OBJEXT) pkcs11_openssl.$(OBJEXT) \ - pkcs11_polarssl.$(OBJEXT) openvpn.$(OBJEXT) options.$(OBJEXT) \ - otime.$(OBJEXT) packet_id.$(OBJEXT) perf.$(OBJEXT) \ - pf.$(OBJEXT) ping.$(OBJEXT) plugin.$(OBJEXT) pool.$(OBJEXT) \ - proto.$(OBJEXT) proxy.$(OBJEXT) ps.$(OBJEXT) push.$(OBJEXT) \ - reliable.$(OBJEXT) route.$(OBJEXT) schedule.$(OBJEXT) \ - session_id.$(OBJEXT) shaper.$(OBJEXT) sig.$(OBJEXT) \ - socket.$(OBJEXT) socks.$(OBJEXT) ssl.$(OBJEXT) \ - ssl_openssl.$(OBJEXT) ssl_polarssl.$(OBJEXT) \ - ssl_verify.$(OBJEXT) ssl_verify_openssl.$(OBJEXT) \ - ssl_verify_polarssl.$(OBJEXT) status.$(OBJEXT) tun.$(OBJEXT) \ + platform.$(OBJEXT) console.$(OBJEXT) console_builtin.$(OBJEXT) \ + console_systemd.$(OBJEXT) mroute.$(OBJEXT) mss.$(OBJEXT) \ + mstats.$(OBJEXT) mtcp.$(OBJEXT) mtu.$(OBJEXT) mudp.$(OBJEXT) \ + multi.$(OBJEXT) ntlm.$(OBJEXT) occ.$(OBJEXT) pkcs11.$(OBJEXT) \ + pkcs11_openssl.$(OBJEXT) pkcs11_mbedtls.$(OBJEXT) \ + openvpn.$(OBJEXT) options.$(OBJEXT) otime.$(OBJEXT) \ + packet_id.$(OBJEXT) perf.$(OBJEXT) pf.$(OBJEXT) ping.$(OBJEXT) \ + plugin.$(OBJEXT) pool.$(OBJEXT) proto.$(OBJEXT) \ + proxy.$(OBJEXT) ps.$(OBJEXT) push.$(OBJEXT) reliable.$(OBJEXT) \ + route.$(OBJEXT) schedule.$(OBJEXT) session_id.$(OBJEXT) \ + shaper.$(OBJEXT) sig.$(OBJEXT) socket.$(OBJEXT) \ + socks.$(OBJEXT) ssl.$(OBJEXT) ssl_openssl.$(OBJEXT) \ + ssl_mbedtls.$(OBJEXT) ssl_verify.$(OBJEXT) \ + ssl_verify_openssl.$(OBJEXT) ssl_verify_mbedtls.$(OBJEXT) \ + status.$(OBJEXT) tls_crypt.$(OBJEXT) tun.$(OBJEXT) \ win32.$(OBJEXT) cryptoapi.$(OBJEXT) $(am__objects_1) openvpn_OBJECTS = $(am_openvpn_OBJECTS) am__DEPENDENCIES_1 = @@ -190,7 +187,8 @@ openvpn_DEPENDENCIES = $(top_builddir)/src/compat/libcompat.la \ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ - $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) + $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ + $(am__DEPENDENCIES_1) AM_V_lt = $(am__v_lt_@AM_V@) am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) am__v_lt_0 = --silent @@ -207,7 +205,7 @@ AM_V_at = $(am__v_at_@AM_V@) am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) am__v_at_0 = @ am__v_at_1 = -DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) +DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) -I$(top_builddir)/include depcomp = $(SHELL) $(top_srcdir)/depcomp am__depfiles_maybe = depfiles am__mv = mv -f @@ -255,8 +253,6 @@ am__define_uniq_tagged_files = \ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags -am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/build/ltrc.inc \ - $(top_srcdir)/depcomp DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ @@ -270,6 +266,7 @@ AWK = @AWK@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ +CMAKE = @CMAKE@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ CYGPATH_W = @CYGPATH_W@ @@ -304,25 +301,31 @@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ -LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ +LZ4_CFLAGS = @LZ4_CFLAGS@ +LZ4_LIBS = @LZ4_LIBS@ LZO_CFLAGS = @LZO_CFLAGS@ LZO_LIBS = @LZO_LIBS@ MAKEINFO = @MAKEINFO@ MAN2HTML = @MAN2HTML@ MANIFEST_TOOL = @MANIFEST_TOOL@ +MBEDTLS_CFLAGS = @MBEDTLS_CFLAGS@ +MBEDTLS_LIBS = @MBEDTLS_LIBS@ MKDIR_P = @MKDIR_P@ NETSTAT = @NETSTAT@ NM = @NM@ NMEDIT = @NMEDIT@ OBJDUMP = @OBJDUMP@ OBJEXT = @OBJEXT@ -OPENSSL_CRYPTO_CFLAGS = @OPENSSL_CRYPTO_CFLAGS@ -OPENSSL_CRYPTO_LIBS = @OPENSSL_CRYPTO_LIBS@ -OPENSSL_SSL_CFLAGS = @OPENSSL_SSL_CFLAGS@ -OPENSSL_SSL_LIBS = @OPENSSL_SSL_LIBS@ +OPENSSL_CFLAGS = @OPENSSL_CFLAGS@ +OPENSSL_LIBS = @OPENSSL_LIBS@ +OPENVPN_VERSION_MAJOR = @OPENVPN_VERSION_MAJOR@ +OPENVPN_VERSION_MINOR = @OPENVPN_VERSION_MINOR@ +OPENVPN_VERSION_PATCH = @OPENVPN_VERSION_PATCH@ OPTIONAL_CRYPTO_CFLAGS = @OPTIONAL_CRYPTO_CFLAGS@ OPTIONAL_CRYPTO_LIBS = @OPTIONAL_CRYPTO_LIBS@ OPTIONAL_DL_LIBS = @OPTIONAL_DL_LIBS@ +OPTIONAL_LZ4_CFLAGS = @OPTIONAL_LZ4_CFLAGS@ +OPTIONAL_LZ4_LIBS = @OPTIONAL_LZ4_LIBS@ OPTIONAL_LZO_CFLAGS = @OPTIONAL_LZO_CFLAGS@ OPTIONAL_LZO_LIBS = @OPTIONAL_LZO_LIBS@ OPTIONAL_PKCS11_HELPER_CFLAGS = @OPTIONAL_PKCS11_HELPER_CFLAGS@ @@ -348,8 +351,6 @@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_AUTH_PAM_CFLAGS = @PLUGIN_AUTH_PAM_CFLAGS@ PLUGIN_AUTH_PAM_LIBS = @PLUGIN_AUTH_PAM_LIBS@ -POLARSSL_CFLAGS = @POLARSSL_CFLAGS@ -POLARSSL_LIBS = @POLARSSL_LIBS@ RANLIB = @RANLIB@ RC = @RC@ ROUTE = @ROUTE@ @@ -364,6 +365,11 @@ TAP_CFLAGS = @TAP_CFLAGS@ TAP_WIN_COMPONENT_ID = @TAP_WIN_COMPONENT_ID@ TAP_WIN_MIN_MAJOR = @TAP_WIN_MIN_MAJOR@ TAP_WIN_MIN_MINOR = @TAP_WIN_MIN_MINOR@ +TEST_CFLAGS = @TEST_CFLAGS@ +TEST_LDFLAGS = @TEST_LDFLAGS@ +VENDOR_BUILD_ROOT = @VENDOR_BUILD_ROOT@ +VENDOR_DIST_ROOT = @VENDOR_DIST_ROOT@ +VENDOR_SRC_ROOT = @VENDOR_SRC_ROOT@ VERSION = @VERSION@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ @@ -432,42 +438,43 @@ EXTRA_DIST = \ openvpn.vcxproj \ openvpn.vcxproj.filters -INCLUDES = \ +AM_CPPFLAGS = \ -I$(top_srcdir)/include \ -I$(top_srcdir)/src/compat AM_CFLAGS = $(TAP_CFLAGS) $(OPTIONAL_CRYPTO_CFLAGS) \ - $(OPTIONAL_LZO_CFLAGS) $(OPTIONAL_PKCS11_HELPER_CFLAGS) \ - $(am__append_1) -openvpn_SOURCES = base64.c base64.h basic.h buffer.c buffer.h \ - circ_list.h clinat.c clinat.h common.h crypto.c crypto.h \ + $(OPTIONAL_LZO_CFLAGS) $(OPTIONAL_LZ4_CFLAGS) \ + $(OPTIONAL_PKCS11_HELPER_CFLAGS) $(am__append_1) +openvpn_SOURCES = argv.c argv.h base64.c base64.h basic.h buffer.c \ + buffer.h circ_list.h clinat.c clinat.h common.h comp.c comp.h \ + compstub.c comp-lz4.c comp-lz4.h crypto.c crypto.h \ crypto_backend.h crypto_openssl.c crypto_openssl.h \ - crypto_polarssl.c crypto_polarssl.h dhcp.c dhcp.h errlevel.h \ + crypto_mbedtls.c crypto_mbedtls.h dhcp.c dhcp.h errlevel.h \ error.c error.h event.c event.h fdmisc.c fdmisc.h forward.c \ forward.h forward-inline.h fragment.c fragment.h gremlin.c \ gremlin.h helper.c helper.h httpdigest.c httpdigest.h lladdr.c \ lladdr.h init.c init.h integer.h interval.c interval.h list.c \ list.h lzo.c lzo.h manage.c manage.h mbuf.c mbuf.h memdbg.h \ misc.c misc.h platform.c platform.h console.c console.h \ - mroute.c mroute.h mss.c mss.h mstats.c mstats.h mtcp.c mtcp.h \ - mtu.c mtu.h mudp.c mudp.h multi.c multi.h ntlm.c ntlm.h occ.c \ - occ.h occ-inline.h pkcs11.c pkcs11.h pkcs11_backend.h \ - pkcs11_openssl.c pkcs11_polarssl.c openvpn.c openvpn.h \ - options.c options.h otime.c otime.h packet_id.c packet_id.h \ - perf.c perf.h pf.c pf.h pf-inline.h ping.c ping.h \ - ping-inline.h plugin.c plugin.h pool.c pool.h proto.c proto.h \ - proxy.c proxy.h ps.c ps.h push.c push.h pushlist.h reliable.c \ - reliable.h route.c route.h schedule.c schedule.h session_id.c \ - session_id.h shaper.c shaper.h sig.c sig.h socket.c socket.h \ - socks.c socks.h ssl.c ssl.h ssl_backend.h ssl_openssl.c \ - ssl_openssl.h ssl_polarssl.c ssl_polarssl.h ssl_common.h \ - ssl_verify.c ssl_verify.h ssl_verify_backend.h \ - ssl_verify_openssl.c ssl_verify_openssl.h \ - ssl_verify_polarssl.c ssl_verify_polarssl.h status.c status.h \ - syshead.h tun.c tun.h win32.h win32_wfp.h win32.c cryptoapi.h \ - cryptoapi.c $(am__append_2) + console_builtin.c console_systemd.c mroute.c mroute.h mss.c \ + mss.h mstats.c mstats.h mtcp.c mtcp.h mtu.c mtu.h mudp.c \ + mudp.h multi.c multi.h ntlm.c ntlm.h occ.c occ.h occ-inline.h \ + pkcs11.c pkcs11.h pkcs11_backend.h pkcs11_openssl.c \ + pkcs11_mbedtls.c openvpn.c openvpn.h options.c options.h \ + otime.c otime.h packet_id.c packet_id.h perf.c perf.h pf.c \ + pf.h pf-inline.h ping.c ping.h ping-inline.h plugin.c plugin.h \ + pool.c pool.h proto.c proto.h proxy.c proxy.h ps.c ps.h push.c \ + push.h pushlist.h reliable.c reliable.h route.c route.h \ + schedule.c schedule.h session_id.c session_id.h shaper.c \ + shaper.h sig.c sig.h socket.c socket.h socks.c socks.h ssl.c \ + ssl.h ssl_backend.h ssl_openssl.c ssl_openssl.h ssl_mbedtls.c \ + ssl_mbedtls.h ssl_common.h ssl_verify.c ssl_verify.h \ + ssl_verify_backend.h ssl_verify_openssl.c ssl_verify_openssl.h \ + ssl_verify_mbedtls.c ssl_verify_mbedtls.h status.c status.h \ + syshead.h tls_crypt.c tls_crypt.h tun.c tun.h win32.h win32.c \ + cryptoapi.h cryptoapi.c $(am__append_2) openvpn_LDADD = $(top_builddir)/src/compat/libcompat.la \ - $(SOCKETS_LIBS) $(OPTIONAL_LZO_LIBS) \ + $(SOCKETS_LIBS) $(OPTIONAL_LZO_LIBS) $(OPTIONAL_LZ4_LIBS) \ $(OPTIONAL_PKCS11_HELPER_LIBS) $(OPTIONAL_CRYPTO_LIBS) \ $(OPTIONAL_SELINUX_LIBS) $(OPTIONAL_SYSTEMD_LIBS) \ $(OPTIONAL_DL_LIBS) $(am__append_3) @@ -487,6 +494,7 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(top_srcdir)/build/ltrc.inc $(am_ echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign src/openvpn/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --foreign src/openvpn/Makefile +.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ @@ -495,7 +503,7 @@ Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ esac; -$(top_srcdir)/build/ltrc.inc $(am__empty): +$(top_srcdir)/build/ltrc.inc: $(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh @@ -565,13 +573,20 @@ mostlyclean-compile: distclean-compile: -rm -f *.tab.c +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/argv.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/base64.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/block_dns.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/buffer.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/clinat.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/comp-lz4.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/comp.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/compstub.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/console.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/console_builtin.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/console_systemd.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/crypto.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/crypto_mbedtls.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/crypto_openssl.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/crypto_polarssl.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/cryptoapi.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/dhcp.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/error.Po@am__quote@ @@ -607,8 +622,8 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pf.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ping.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkcs11.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkcs11_mbedtls.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkcs11_openssl.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkcs11_polarssl.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/platform.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/plugin.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pool.Po@am__quote@ @@ -625,12 +640,13 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/socket.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/socks.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ssl.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ssl_mbedtls.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ssl_openssl.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ssl_polarssl.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ssl_verify.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ssl_verify_mbedtls.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ssl_verify_openssl.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ssl_verify_polarssl.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/status.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tls_crypt.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tun.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/win32.Po@am__quote@ @@ -639,14 +655,14 @@ distclean-compile: @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $< +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c $< .c.obj: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'` .c.lo: @am__fastdepCC_TRUE@ $(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @@ -868,8 +884,6 @@ uninstall-am: uninstall-sbinPROGRAMS mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ tags tags-am uninstall uninstall-am uninstall-sbinPROGRAMS -.PRECIOUS: Makefile - .rc.lo: $(LTRCCOMPILE) -i "$<" -o "$@" diff --git a/src/openvpn/argv.c b/src/openvpn/argv.c new file mode 100644 index 0000000..596e59c --- /dev/null +++ b/src/openvpn/argv.c @@ -0,0 +1,315 @@ +/* + * OpenVPN -- An application to securely tunnel IP networks + * over a single TCP/UDP port, with support for SSL/TLS-based + * session authentication and key exchange, + * packet encryption, packet authentication, and + * packet compression. + * + * Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net> + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + * + * + * A printf-like function (that only recognizes a subset of standard printf + * format operators) that prints arguments to an argv list instead + * of a standard string. This is used to build up argv arrays for passing + * to execve. + */ + +#ifdef HAVE_CONFIG_H +#include "config.h" +#elif defined(_MSC_VER) +#include "config-msvc.h" +#endif + +#include "syshead.h" + +#include "argv.h" +#include "options.h" + +static void +argv_init (struct argv *a) +{ + a->capacity = 0; + a->argc = 0; + a->argv = NULL; +} + +struct argv +argv_new (void) +{ + struct argv ret; + argv_init (&ret); + return ret; +} + +void +argv_reset (struct argv *a) +{ + size_t i; + for (i = 0; i < a->argc; ++i) + free (a->argv[i]); + free (a->argv); + argv_init (a); +} + +static void +argv_extend (struct argv *a, const size_t newcap) +{ + if (newcap > a->capacity) + { + char **newargv; + size_t i; + ALLOC_ARRAY_CLEAR (newargv, char *, newcap); + for (i = 0; i < a->argc; ++i) + newargv[i] = a->argv[i]; + free (a->argv); + a->argv = newargv; + a->capacity = newcap; + } +} + +static void +argv_grow (struct argv *a, const size_t add) +{ + const size_t newargc = a->argc + add + 1; + ASSERT (newargc > a->argc); + argv_extend (a, adjust_power_of_2 (newargc)); +} + +static void +argv_append (struct argv *a, char *str) /* str must have been malloced or be NULL */ +{ + argv_grow (a, 1); + a->argv[a->argc++] = str; +} + +static struct argv +argv_clone (const struct argv *a, const size_t headroom) +{ + struct argv r; + size_t i; + + argv_init (&r); + for (i = 0; i < headroom; ++i) + argv_append (&r, NULL); + if (a) + { + for (i = 0; i < a->argc; ++i) + argv_append (&r, string_alloc (a->argv[i], NULL)); + } + return r; +} + +struct argv +argv_insert_head (const struct argv *a, const char *head) +{ + struct argv r; + r = argv_clone (a, 1); + r.argv[0] = string_alloc (head, NULL); + return r; +} + +static char * +argv_term (const char **f) +{ + const char *p = *f; + const char *term = NULL; + size_t termlen = 0; + + if (*p == '\0') + return NULL; + + while (true) + { + const int c = *p; + if (c == '\0') + break; + if (term) + { + if (!isspace (c)) + ++termlen; + else + break; + } + else + { + if (!isspace (c)) + { + term = p; + termlen = 1; + } + } + ++p; + } + *f = p; + + if (term) + { + char *ret; + ASSERT (termlen > 0); + ret = malloc (termlen + 1); + check_malloc_return (ret); + memcpy (ret, term, termlen); + ret[termlen] = '\0'; + return ret; + } + else + return NULL; +} + +const char * +argv_str (const struct argv *a, struct gc_arena *gc, const unsigned int flags) +{ + if (a->argv) + return print_argv ((const char **)a->argv, gc, flags); + else + return ""; +} + +void +argv_msg (const int msglev, const struct argv *a) +{ + struct gc_arena gc = gc_new (); + msg (msglev, "%s", argv_str (a, &gc, 0)); + gc_free (&gc); +} + +void +argv_msg_prefix (const int msglev, const struct argv *a, const char *prefix) +{ + struct gc_arena gc = gc_new (); + msg (msglev, "%s: %s", prefix, argv_str (a, &gc, 0)); + gc_free (&gc); +} + +static void +argv_printf_arglist (struct argv *a, const char *format, va_list arglist) +{ + char *term; + const char *f = format; + + argv_extend (a, 1); /* ensure trailing NULL */ + + while ((term = argv_term (&f)) != NULL) + { + if (term[0] == '%') + { + if (!strcmp (term, "%s")) + { + char *s = va_arg (arglist, char *); + if (!s) + s = ""; + argv_append (a, string_alloc (s, NULL)); + } + else if (!strcmp (term, "%d")) + { + char numstr[64]; + openvpn_snprintf (numstr, sizeof (numstr), "%d", va_arg (arglist, int)); + argv_append (a, string_alloc (numstr, NULL)); + } + else if (!strcmp (term, "%u")) + { + char numstr[64]; + openvpn_snprintf (numstr, sizeof (numstr), "%u", va_arg (arglist, unsigned int)); + argv_append (a, string_alloc (numstr, NULL)); + } + else if (!strcmp (term, "%s/%d")) + { + char numstr[64]; + char *s = va_arg (arglist, char *); + + if (!s) + s = ""; + + openvpn_snprintf (numstr, sizeof (numstr), "%d", va_arg (arglist, int)); + + { + const size_t len = strlen(s) + strlen(numstr) + 2; + char *combined = (char *) malloc (len); + check_malloc_return (combined); + + strcpy (combined, s); + strcat (combined, "/"); + strcat (combined, numstr); + argv_append (a, combined); + } + } + else if (!strcmp (term, "%s%sc")) + { + char *s1 = va_arg (arglist, char *); + char *s2 = va_arg (arglist, char *); + char *combined; + + if (!s1) s1 = ""; + if (!s2) s2 = ""; + combined = (char *) malloc (strlen(s1) + strlen(s2) + 1); + check_malloc_return (combined); + strcpy (combined, s1); + strcat (combined, s2); + argv_append (a, combined); + } + else + ASSERT (0); + free (term); + } + else + { + argv_append (a, term); + } + } +} + +void +argv_printf (struct argv *a, const char *format, ...) +{ + va_list arglist; + argv_reset (a); + va_start (arglist, format); + argv_printf_arglist (a, format, arglist); + va_end (arglist); + } + +void +argv_printf_cat (struct argv *a, const char *format, ...) +{ + va_list arglist; + va_start (arglist, format); + argv_printf_arglist (a, format, arglist); + va_end (arglist); +} + +void +argv_parse_cmd (struct argv *a, const char *s) +{ + int nparms; + char *parms[MAX_PARMS + 1]; + struct gc_arena gc = gc_new (); + + argv_reset (a); + argv_extend (a, 1); /* ensure trailing NULL */ + + nparms = parse_line (s, parms, MAX_PARMS, "SCRIPT-ARGV", 0, D_ARGV_PARSE_CMD, &gc); + if (nparms) + { + int i; + for (i = 0; i < nparms; ++i) + argv_append (a, string_alloc (parms[i], NULL)); + } + else + argv_append (a, string_alloc (s, NULL)); + + gc_free (&gc); +} diff --git a/src/openvpn/argv.h b/src/openvpn/argv.h new file mode 100644 index 0000000..9aee641 --- /dev/null +++ b/src/openvpn/argv.h @@ -0,0 +1,70 @@ +/* + * OpenVPN -- An application to securely tunnel IP networks + * over a single TCP/UDP port, with support for SSL/TLS-based + * session authentication and key exchange, + * packet encryption, packet authentication, and + * packet compression. + * + * Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net> + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + * + * + * A printf-like function (that only recognizes a subset of standard printf + * format operators) that prints arguments to an argv list instead + * of a standard string. This is used to build up argv arrays for passing + * to execve. + */ + +#ifndef ARGV_H +#define ARGV_H + +#include "buffer.h" + +struct argv { + size_t capacity; + size_t argc; + char **argv; +}; + +struct argv argv_new (void); +void argv_reset (struct argv *a); +const char *argv_str (const struct argv *a, struct gc_arena *gc, const unsigned int flags); +struct argv argv_insert_head (const struct argv *a, const char *head); +void argv_msg (const int msglev, const struct argv *a); +void argv_msg_prefix (const int msglev, const struct argv *a, const char *prefix); +void argv_parse_cmd (struct argv *a, const char *s); + +void argv_printf (struct argv *a, const char *format, ...) +#ifdef __GNUC__ +#if __USE_MINGW_ANSI_STDIO + __attribute__ ((format (gnu_printf, 2, 3))) +#else + __attribute__ ((format (__printf__, 2, 3))) +#endif +#endif + ; + +void argv_printf_cat (struct argv *a, const char *format, ...) +#ifdef __GNUC__ +#if __USE_MINGW_ANSI_STDIO + __attribute__ ((format (gnu_printf, 2, 3))) +#else + __attribute__ ((format (__printf__, 2, 3))) +#endif +#endif + ; + +#endif diff --git a/src/openvpn/base64.c b/src/openvpn/base64.c index 7dccec2..258b258 100644 --- a/src/openvpn/base64.c +++ b/src/openvpn/base64.c @@ -39,8 +39,6 @@ #include "syshead.h" -#if defined(ENABLE_HTTP_PROXY) || defined(ENABLE_PKCS11) || defined(ENABLE_CLIENT_CR) || defined(MANAGMENT_EXTERNAL_KEY) - #include "base64.h" #include "memdbg.h" @@ -163,7 +161,3 @@ openvpn_base64_decode(const char *str, void *data, int size) } return q - (unsigned char *) data; } - -#else -static void dummy(void) {} -#endif /* ENABLE_HTTP_PROXY, ENABLE_PKCS11, ENABLE_CLIENT_CR */ diff --git a/src/openvpn/base64.h b/src/openvpn/base64.h index 28a9677..92a195a 100644 --- a/src/openvpn/base64.h +++ b/src/openvpn/base64.h @@ -34,11 +34,7 @@ #ifndef _BASE64_H_ #define _BASE64_H_ -#if defined(ENABLE_HTTP_PROXY) || defined(ENABLE_PKCS11) || defined(ENABLE_CLIENT_CR) || defined(MANAGMENT_EXTERNAL_KEY) - int openvpn_base64_encode(const void *data, int size, char **str); int openvpn_base64_decode(const char *str, void *data, int size); #endif - -#endif diff --git a/src/openvpn/block_dns.c b/src/openvpn/block_dns.c new file mode 100644 index 0000000..cb3ce88 --- /dev/null +++ b/src/openvpn/block_dns.c @@ -0,0 +1,332 @@ +/* + * OpenVPN -- An application to securely tunnel IP networks + * over a single TCP/UDP port, with support for SSL/TLS-based + * session authentication and key exchange, + * packet encryption, packet authentication, and + * packet compression. + * + * Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net> + * 2015-2016 <iam@valdikss.org.ru> + * 2016 Selva Nair <selva.nair@gmail.com> + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + */ + +#ifdef HAVE_CONFIG_H +#include "config.h" +#elif defined(_MSC_VER) +#include "config-msvc.h" +#endif +#ifdef HAVE_CONFIG_VERSION_H +#include "config-version.h" +#endif + +#include "syshead.h" + +#ifdef _WIN32 + +#include <fwpmu.h> +#include <initguid.h> +#include <fwpmtypes.h> +#include <winsock2.h> +#include <ws2ipdef.h> +#include <iphlpapi.h> +#include "block_dns.h" + +/* + * WFP-related defines and GUIDs not in mingw32 + */ + +#ifndef FWPM_SESSION_FLAG_DYNAMIC +#define FWPM_SESSION_FLAG_DYNAMIC 0x00000001 +#endif + +// c38d57d1-05a7-4c33-904f-7fbceee60e82 +DEFINE_GUID( + FWPM_LAYER_ALE_AUTH_CONNECT_V4, + 0xc38d57d1, + 0x05a7, + 0x4c33, + 0x90, 0x4f, 0x7f, 0xbc, 0xee, 0xe6, 0x0e, 0x82 +); + +// 4a72393b-319f-44bc-84c3-ba54dcb3b6b4 +DEFINE_GUID( + FWPM_LAYER_ALE_AUTH_CONNECT_V6, + 0x4a72393b, + 0x319f, + 0x44bc, + 0x84, 0xc3, 0xba, 0x54, 0xdc, 0xb3, 0xb6, 0xb4 +); + +// d78e1e87-8644-4ea5-9437-d809ecefc971 +DEFINE_GUID( + FWPM_CONDITION_ALE_APP_ID, + 0xd78e1e87, + 0x8644, + 0x4ea5, + 0x94, 0x37, 0xd8, 0x09, 0xec, 0xef, 0xc9, 0x71 +); + +// c35a604d-d22b-4e1a-91b4-68f674ee674b +DEFINE_GUID( + FWPM_CONDITION_IP_REMOTE_PORT, + 0xc35a604d, + 0xd22b, + 0x4e1a, + 0x91, 0xb4, 0x68, 0xf6, 0x74, 0xee, 0x67, 0x4b +); + +// 4cd62a49-59c3-4969-b7f3-bda5d32890a4 +DEFINE_GUID( + FWPM_CONDITION_IP_LOCAL_INTERFACE, + 0x4cd62a49, + 0x59c3, + 0x4969, + 0xb7, 0xf3, 0xbd, 0xa5, 0xd3, 0x28, 0x90, 0xa4 +); + +/* UUID of WFP sublayer used by all instances of openvpn + 2f660d7e-6a37-11e6-a181-001e8c6e04a2 */ +DEFINE_GUID( + OPENVPN_BLOCK_OUTSIDE_DNS_SUBLAYER, + 0x2f660d7e, + 0x6a37, + 0x11e6, + 0xa1, 0x81, 0x00, 0x1e, 0x8c, 0x6e, 0x04, 0xa2 +); + +static WCHAR *FIREWALL_NAME = L"OpenVPN"; + +/* + * Default msg handler does nothing + */ +static inline void +default_msg_handler (DWORD err, const char *msg) +{ + return; +} + +#define CHECK_ERROR(err, msg) \ + if (err) { msg_handler (err, msg); goto out; } + +/* + * Add a persistent sublayer with specified uuid. + */ +static DWORD +add_sublayer (GUID uuid) +{ + FWPM_SESSION0 session; + HANDLE engine = NULL; + DWORD err = 0; + FWPM_SUBLAYER0 sublayer; + + memset (&session, 0, sizeof(session)); + memset (&sublayer, 0, sizeof(sublayer)); + + err = FwpmEngineOpen0 (NULL, RPC_C_AUTHN_WINNT, NULL, &session, &engine); + if (err != ERROR_SUCCESS) + goto out; + + sublayer.subLayerKey = uuid; + sublayer.displayData.name = FIREWALL_NAME; + sublayer.displayData.description = FIREWALL_NAME; + sublayer.flags = 0; + sublayer.weight = 0x100; + + /* Add sublayer to the session */ + err = FwpmSubLayerAdd0 (engine, &sublayer, NULL); + +out: + if (engine) + FwpmEngineClose0 (engine); + return err; +} + +/* + * Block outgoing port 53 traffic except for + * (i) adapter with the specified index + * OR + * (ii) processes with the specified executable path + * The firewall filters added here are automatically removed when the process exits or + * on calling delete_block_dns_filters(). + * Arguments: + * engine_handle : On successful return contains the handle for a newly opened fwp session + * in which the filters are added. + * May be closed by passing to delete_block_dns_filters to remove the filters. + * index : The index of adapter for which traffic is permitted. + * exe_path : Path of executable for which traffic is permitted. + * msg_handler : An optional callback function for error reporting. + * Returns 0 on success, a non-zero status code of the last failed action on failure. + */ + +DWORD +add_block_dns_filters (HANDLE *engine_handle, + int index, + const WCHAR *exe_path, + block_dns_msg_handler_t msg_handler + ) +{ + FWPM_SESSION0 session = {0}; + FWPM_SUBLAYER0 *sublayer_ptr = NULL; + NET_LUID tapluid; + UINT64 filterid; + FWP_BYTE_BLOB *openvpnblob = NULL; + FWPM_FILTER0 Filter = {0}; + FWPM_FILTER_CONDITION0 Condition[2] = {0}; + DWORD err = 0; + + if (!msg_handler) + msg_handler = default_msg_handler; + + /* Add temporary filters which don't survive reboots or crashes. */ + session.flags = FWPM_SESSION_FLAG_DYNAMIC; + + *engine_handle = NULL; + + err = FwpmEngineOpen0 (NULL, RPC_C_AUTHN_WINNT, NULL, &session, engine_handle); + CHECK_ERROR (err, "FwpEngineOpen: open fwp session failed"); + msg_handler (0, "Block_DNS: WFP engine opened"); + + /* Check sublayer exists and add one if it does not. */ + if (FwpmSubLayerGetByKey0 (*engine_handle, &OPENVPN_BLOCK_OUTSIDE_DNS_SUBLAYER, &sublayer_ptr) + == ERROR_SUCCESS) + { + msg_handler (0, "Block_DNS: Using existing sublayer"); + FwpmFreeMemory0 ((void **)&sublayer_ptr); + } + else + { /* Add a new sublayer -- as another process may add it in the meantime, + do not treat "already exists" as an error */ + err = add_sublayer (OPENVPN_BLOCK_OUTSIDE_DNS_SUBLAYER); + + if (err == FWP_E_ALREADY_EXISTS || err == ERROR_SUCCESS) + msg_handler (0, "Block_DNS: Added a persistent sublayer with pre-defined UUID"); + else + CHECK_ERROR (err, "add_sublayer: failed to add persistent sublayer"); + } + + err = ConvertInterfaceIndexToLuid (index, &tapluid); + CHECK_ERROR (err, "Convert interface index to luid failed"); + + err = FwpmGetAppIdFromFileName0 (exe_path, &openvpnblob); + CHECK_ERROR (err, "Get byte blob for openvpn executable name failed"); + + /* Prepare filter. */ + Filter.subLayerKey = OPENVPN_BLOCK_OUTSIDE_DNS_SUBLAYER; + Filter.displayData.name = FIREWALL_NAME; + Filter.weight.type = FWP_UINT8; + Filter.weight.uint8 = 0xF; + Filter.filterCondition = Condition; + Filter.numFilterConditions = 2; + + /* First filter. Permit IPv4 DNS queries from OpenVPN itself. */ + Filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V4; + Filter.action.type = FWP_ACTION_PERMIT; + + Condition[0].fieldKey = FWPM_CONDITION_IP_REMOTE_PORT; + Condition[0].matchType = FWP_MATCH_EQUAL; + Condition[0].conditionValue.type = FWP_UINT16; + Condition[0].conditionValue.uint16 = 53; + + Condition[1].fieldKey = FWPM_CONDITION_ALE_APP_ID; + Condition[1].matchType = FWP_MATCH_EQUAL; + Condition[1].conditionValue.type = FWP_BYTE_BLOB_TYPE; + Condition[1].conditionValue.byteBlob = openvpnblob; + + err = FwpmFilterAdd0(*engine_handle, &Filter, NULL, &filterid); + CHECK_ERROR (err, "Add filter to permit IPv4 port 53 traffic from OpenVPN failed"); + + /* Second filter. Permit IPv6 DNS queries from OpenVPN itself. */ + Filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V6; + + err = FwpmFilterAdd0(*engine_handle, &Filter, NULL, &filterid); + CHECK_ERROR (err, "Add filter to permit IPv6 port 53 traffic from OpenVPN failed"); + + msg_handler (0, "Block_DNS: Added permit filters for exe_path"); + + /* Third filter. Block all IPv4 DNS queries. */ + Filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V4; + Filter.action.type = FWP_ACTION_BLOCK; + Filter.weight.type = FWP_EMPTY; + Filter.numFilterConditions = 1; + + err = FwpmFilterAdd0(*engine_handle, &Filter, NULL, &filterid); + CHECK_ERROR (err, "Add filter to block IPv4 DNS traffic failed"); + + /* Forth filter. Block all IPv6 DNS queries. */ + Filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V6; + + err = FwpmFilterAdd0(*engine_handle, &Filter, NULL, &filterid); + CHECK_ERROR (err, "Add filter to block IPv6 DNS traffic failed"); + + msg_handler (0, "Block_DNS: Added block filters for all interfaces"); + + /* Fifth filter. Permit IPv4 DNS queries from TAP. + * Use a non-zero weight so that the permit filters get higher priority + * over the block filter added with automatic weighting */ + + Filter.weight.type = FWP_UINT8; + Filter.weight.uint8 = 0xE; + Filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V4; + Filter.action.type = FWP_ACTION_PERMIT; + Filter.numFilterConditions = 2; + + Condition[1].fieldKey = FWPM_CONDITION_IP_LOCAL_INTERFACE; + Condition[1].matchType = FWP_MATCH_EQUAL; + Condition[1].conditionValue.type = FWP_UINT64; + Condition[1].conditionValue.uint64 = &tapluid.Value; + + err = FwpmFilterAdd0(*engine_handle, &Filter, NULL, &filterid); + CHECK_ERROR (err, "Add filter to permit IPv4 DNS traffic through TAP failed"); + + /* Sixth filter. Permit IPv6 DNS queries from TAP. + * Use same weight as IPv4 filter */ + Filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V6; + + err = FwpmFilterAdd0(*engine_handle, &Filter, NULL, &filterid); + CHECK_ERROR (err, "Add filter to permit IPv6 DNS traffic through TAP failed"); + + msg_handler (0, "Block_DNS: Added permit filters for TAP interface"); + +out: + + if (openvpnblob) + FwpmFreeMemory0 ((void **)&openvpnblob); + + if (err && *engine_handle) + { + FwpmEngineClose0 (*engine_handle); + *engine_handle = NULL; + } + + return err; +} + +DWORD +delete_block_dns_filters (HANDLE engine_handle) +{ + DWORD err = 0; + /* + * For dynamic sessions closing the engine removes all filters added in the session + */ + if (engine_handle) + { + err = FwpmEngineClose0(engine_handle); + } + return err; +} + +#endif diff --git a/src/openvpn/block_dns.h b/src/openvpn/block_dns.h new file mode 100644 index 0000000..f8b6d4f --- /dev/null +++ b/src/openvpn/block_dns.h @@ -0,0 +1,40 @@ +/* + * OpenVPN -- An application to securely tunnel IP networks + * over a single TCP/UDP port, with support for SSL/TLS-based + * session authentication and key exchange, + * packet encryption, packet authentication, and + * packet compression. + * + * Copyright (C) 2016 Selva Nair <selva.nair@gmail.com> + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + */ + +#ifdef _WIN32 + +#ifndef OPENVPN_BLOCK_DNS_H +#define OPENVPN_BLOCK_DNS_H + +typedef void (*block_dns_msg_handler_t) (DWORD err, const char *msg); + +DWORD +delete_block_dns_filters (HANDLE engine); + +DWORD +add_block_dns_filters (HANDLE *engine, int iface_index, const WCHAR *exe_path, + block_dns_msg_handler_t msg_handler_callback); + +#endif +#endif diff --git a/src/openvpn/buffer.c b/src/openvpn/buffer.c index fb3b52d..52c6ab9 100644 --- a/src/openvpn/buffer.c +++ b/src/openvpn/buffer.c @@ -254,7 +254,7 @@ buf_puts(struct buffer *buf, const char *str) * * Return false on overflow. * - * This function is duplicated into service-win32/openvpnserv.c + * This functionality is duplicated in src/openvpnserv/common.c * Any modifications here should be done to the other place as well. */ @@ -372,6 +372,44 @@ x_gc_free (struct gc_arena *a) } /* + * Functions to handle special objects in gc_entries + */ + +void +x_gc_freespecial (struct gc_arena *a) +{ + struct gc_entry_special *e; + e = a->list_special; + a->list_special = NULL; + + while (e != NULL) + { + struct gc_entry_special *next = e->next; + e->free_fnc (e->addr); + free(e); + e = next; + } +} + +void gc_addspecial (void *addr, void (free_function)(void*), struct gc_arena *a) +{ + ASSERT(a); + struct gc_entry_special *e; +#ifdef DMALLOC + e = (struct gc_entry_special *) openvpn_dmalloc (file, line, sizeof (struct gc_entry_special)); +#else + e = (struct gc_entry_special *) malloc (sizeof (struct gc_entry_special)); +#endif + check_malloc_return (e); + e->free_fnc = free_function; + e->addr = addr; + + e->next = a->list_special; + a->list_special = e; +} + + +/* * Transfer src arena to dest, resetting src to an empty arena. */ void @@ -397,18 +435,21 @@ gc_transfer (struct gc_arena *dest, struct gc_arena *src) char * format_hex_ex (const uint8_t *data, int size, int maxoutput, - int space_break, const char* separator, + unsigned int space_break_flags, const char* separator, struct gc_arena *gc) { struct buffer out = alloc_buf_gc (maxoutput ? maxoutput : - ((size * 2) + (size / space_break) * (int) strlen (separator) + 2), + ((size * 2) + (size / (space_break_flags & FHE_SPACE_BREAK_MASK)) * (int) strlen (separator) + 2), gc); int i; for (i = 0; i < size; ++i) { - if (separator && i && !(i % space_break)) + if (separator && i && !(i % (space_break_flags & FHE_SPACE_BREAK_MASK))) buf_printf (&out, "%s", separator); - buf_printf (&out, "%02x", data[i]); + if (space_break_flags & FHE_CAPS) + buf_printf (&out, "%02X", data[i]); + else + buf_printf (&out, "%02x", data[i]); } buf_catrunc (&out, "[more...]"); return (char *)out.data; @@ -938,9 +979,6 @@ valign4 (const struct buffer *buf, const char *file, const int line) /* * struct buffer_list */ - -#ifdef ENABLE_BUFFER_LIST - struct buffer_list * buffer_list_new (const int max_size) { @@ -1031,8 +1069,10 @@ buffer_list_peek (struct buffer_list *ol) } void -buffer_list_aggregate (struct buffer_list *bl, const size_t max) +buffer_list_aggregate_separator (struct buffer_list *bl, const size_t max, const char *sep) { + int sep_len = strlen(sep); + if (bl->head) { struct buffer_entry *more = bl->head; @@ -1040,7 +1080,7 @@ buffer_list_aggregate (struct buffer_list *bl, const size_t max) int count = 0; for (count = 0; more && size <= max; ++count) { - size += BLEN(&more->buf); + size += BLEN(&more->buf) + sep_len; more = more->next; } @@ -1057,6 +1097,7 @@ buffer_list_aggregate (struct buffer_list *bl, const size_t max) { struct buffer_entry *next = e->next; buf_copy (&f->buf, &e->buf); + buf_write(&f->buf, sep, sep_len); free_buf (&e->buf); free (e); e = next; @@ -1070,6 +1111,12 @@ buffer_list_aggregate (struct buffer_list *bl, const size_t max) } void +buffer_list_aggregate (struct buffer_list *bl, const size_t max) +{ + buffer_list_aggregate_separator(bl, max, ""); +} + +void buffer_list_pop (struct buffer_list *ol) { if (ol && ol->head) @@ -1116,5 +1163,3 @@ buffer_list_file (const char *fn, int max_line_len) } return bl; } - -#endif diff --git a/src/openvpn/buffer.h b/src/openvpn/buffer.h index 58f0601..8070439 100644 --- a/src/openvpn/buffer.h +++ b/src/openvpn/buffer.h @@ -91,6 +91,18 @@ struct gc_entry * linked list. */ }; +/** + * Gargabe collection entry for a specially allocated structure that needs + * a custom free function to be freed like struct addrinfo + * + */ +struct gc_entry_special +{ + struct gc_entry_special *next; + void (*free_fnc)(void*); + void *addr; +}; + /** * Garbage collection arena used to keep track of dynamically allocated @@ -106,6 +118,7 @@ struct gc_arena { struct gc_entry *list; /**< First element of the linked list of * \c gc_entry structures. */ + struct gc_entry_special *list_special; }; @@ -163,6 +176,9 @@ struct buffer string_alloc_buf (const char *str, struct gc_arena *gc); #endif +void gc_addspecial (void *addr, void (*free_function)(void*), struct gc_arena *a); + + #ifdef BUF_INIT_TRACKING #define buf_init(buf, offset) buf_init_debug (buf, offset, __FILE__, __LINE__) bool buf_init_debug (struct buffer *buf, int offset, const char *file, int line); @@ -172,6 +188,11 @@ bool buf_init_debug (struct buffer *buf, int offset, const char *file, int line) /* inline functions */ +inline static void +gc_freeaddrinfo_callback (void *addr) +{ + freeaddrinfo((struct addrinfo*) addr); +} static inline bool buf_defined (const struct buffer *buf) @@ -382,9 +403,11 @@ bool buf_parse (struct buffer *buf, const int delim, char *line, const int size) /* * Hex dump -- Output a binary buffer to a hex string and return it. */ +#define FHE_SPACE_BREAK_MASK 0xFF /* space_break parameter in lower 8 bits */ +#define FHE_CAPS 0x100 /* output hex in caps */ char * format_hex_ex (const uint8_t *data, int size, int maxoutput, - int space_break, const char* separator, + unsigned int space_break_flags, const char* separator, struct gc_arena *gc); static inline char * @@ -781,6 +804,7 @@ void character_class_debug (void); void gc_transfer (struct gc_arena *dest, struct gc_arena *src); void x_gc_free (struct gc_arena *a); +void x_gc_freespecial (struct gc_arena *a); static inline bool gc_defined (struct gc_arena *a) @@ -792,6 +816,7 @@ static inline void gc_init (struct gc_arena *a) { a->list = NULL; + a->list_special = NULL; } static inline void @@ -804,7 +829,7 @@ static inline struct gc_arena gc_new (void) { struct gc_arena ret; - ret.list = NULL; + gc_init (&ret); return ret; } @@ -813,6 +838,8 @@ gc_free (struct gc_arena *a) { if (a->list) x_gc_free (a); + if (a->list_special) + x_gc_freespecial(a); } static inline void @@ -882,9 +909,6 @@ check_malloc_return (const void *p) /* * Manage lists of buffers */ - -#ifdef ENABLE_BUFFER_LIST - struct buffer_entry { struct buffer buf; @@ -912,9 +936,7 @@ void buffer_list_advance (struct buffer_list *ol, int n); void buffer_list_pop (struct buffer_list *ol); void buffer_list_aggregate (struct buffer_list *bl, const size_t max); +void buffer_list_aggregate_separator (struct buffer_list *bl, const size_t max, const char *sep); struct buffer_list *buffer_list_file (const char *fn, int max_line_len); - -#endif - #endif /* BUFFER_H */ diff --git a/src/openvpn/clinat.c b/src/openvpn/clinat.c index af75fc9..ddefe12 100644 --- a/src/openvpn/clinat.c +++ b/src/openvpn/clinat.c @@ -30,8 +30,6 @@ #include "syshead.h" -#if defined(ENABLE_CLIENT_NAT) - #include "clinat.h" #include "proto.h" #include "socket.h" @@ -265,5 +263,3 @@ client_nat_transform (const struct client_nat_option_list *list, } } } - -#endif diff --git a/src/openvpn/clinat.h b/src/openvpn/clinat.h index d55a727..a5779e1 100644 --- a/src/openvpn/clinat.h +++ b/src/openvpn/clinat.h @@ -22,7 +22,7 @@ * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ -#if !defined(CLINAT_H) && defined(ENABLE_CLIENT_NAT) +#if !defined(CLINAT_H) #define CLINAT_H #include "buffer.h" diff --git a/src/openvpn/common.h b/src/openvpn/common.h index 2f85bec..1134101 100644 --- a/src/openvpn/common.h +++ b/src/openvpn/common.h @@ -30,7 +30,7 @@ */ #ifdef USE_64_BIT_COUNTERS typedef unsigned long long int counter_type; -# ifdef WIN32 +# ifdef _WIN32 # define counter_format "%I64u" # else # define counter_format "%llu" diff --git a/src/openvpn/comp-lz4.c b/src/openvpn/comp-lz4.c new file mode 100644 index 0000000..395f3d2 --- /dev/null +++ b/src/openvpn/comp-lz4.c @@ -0,0 +1,307 @@ +/* + * OpenVPN -- An application to securely tunnel IP networks + * over a single UDP port, with support for SSL/TLS-based + * session authentication and key exchange, + * packet encryption, packet authentication, and + * packet compression. + * + * Copyright (C) 2002-2012 OpenVPN Technologies, Inc. <sales@openvpn.net> + * Copyright (C) 2013 Gert Doering <gert@greenie.muc.de> + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + */ + +#ifdef HAVE_CONFIG_H +#include "config.h" +#elif defined(_MSC_VER) +#include "config-msvc.h" +#endif + +#include "syshead.h" + +#if defined(ENABLE_LZ4) + +#if defined(NEED_COMPAT_LZ4) +#include "compat-lz4.h" +#else +#include "lz4.h" +#endif + +#include "comp.h" +#include "error.h" + +#include "memdbg.h" + +static void +lz4_compress_init (struct compress_context *compctx) +{ + msg (D_INIT_MEDIUM, "LZ4 compression initializing"); + ASSERT(compctx->flags & COMP_F_SWAP); +} + +static void +lz4v2_compress_init (struct compress_context *compctx) +{ + msg (D_INIT_MEDIUM, "LZ4v2 compression initializing"); +} + +static void +lz4_compress_uninit (struct compress_context *compctx) +{ +} + +static bool +do_lz4_compress (struct buffer *buf, + struct buffer *work, + struct compress_context *compctx, + const struct frame* frame) +{ + /* + * In order to attempt compression, length must be at least COMPRESS_THRESHOLD. + */ + if (buf->len >= COMPRESS_THRESHOLD) + { + const size_t ps = PAYLOAD_SIZE (frame); + int zlen_max = ps + COMP_EXTRA_BUFFER (ps); + int zlen; + + ASSERT (buf_init (work, FRAME_HEADROOM (frame))); + ASSERT (buf_safe (work, zlen_max)); + + if (buf->len > ps) + { + dmsg (D_COMP_ERRORS, "LZ4 compression buffer overflow"); + buf->len = 0; + return false; + } + + zlen = LZ4_compress_limitedOutput((const char *)BPTR(buf), (char *)BPTR(work), BLEN(buf), zlen_max ); + + if (zlen <= 0) + { + dmsg (D_COMP_ERRORS, "LZ4 compression error"); + buf->len = 0; + return false; + } + + ASSERT (buf_safe (work, zlen)); + work->len = zlen; + + + dmsg (D_COMP, "LZ4 compress %d -> %d", buf->len, work->len); + compctx->pre_compress += buf->len; + compctx->post_compress += work->len; + return true; + } + return false; +} + + +static void +lz4_compress (struct buffer *buf, struct buffer work, + struct compress_context *compctx, + const struct frame* frame) +{ + bool compressed; + if (buf->len <= 0) + return; + + compressed = do_lz4_compress(buf, &work, compctx, frame); + + /* On error do_lz4_compress sets buf len to zero, just return */ + if (buf->len == 0) + return; + + /* did compression save us anything? */ + { + uint8_t comp_head_byte = NO_COMPRESS_BYTE_SWAP; + if (compressed && work.len < buf->len) + { + *buf = work; + comp_head_byte = LZ4_COMPRESS_BYTE; + } + + { + uint8_t *head = BPTR (buf); + uint8_t *tail = BEND (buf); + ASSERT (buf_safe (buf, 1)); + ++buf->len; + + /* move head byte of payload to tail */ + *tail = *head; + *head = comp_head_byte; + } + } +} + + +static void +lz4v2_compress (struct buffer *buf, struct buffer work, + struct compress_context *compctx, + const struct frame* frame) +{ + bool compressed; + if (buf->len <= 0) + return; + + compressed = do_lz4_compress(buf, &work, compctx, frame); + + /* On Error just return */ + if (buf->len == 0) + return; + + /* did compression save us anything? Include 2 byte compression header + in calculation */ + if (compressed && work.len + 2 < buf->len) + { + ASSERT(buf_prepend(&work, 2)); + uint8_t *head = BPTR (&work); + head[0] = COMP_ALGV2_INDICATOR_BYTE; + head[1] = COMP_ALGV2_LZ4_BYTE; + *buf = work; + } + else + { + compv2_escape_data_ifneeded(buf); + } +} + +void +do_lz4_decompress(size_t zlen_max, + struct buffer *work, + struct buffer *buf, + struct compress_context *compctx) +{ + int uncomp_len; + ASSERT (buf_safe (work, zlen_max)); + uncomp_len = LZ4_decompress_safe((const char *)BPTR(buf), (char *)BPTR(work), (size_t)BLEN(buf), zlen_max); + if (uncomp_len <= 0) + { + dmsg (D_COMP_ERRORS, "LZ4 decompression error: %d", uncomp_len); + buf->len = 0; + return; + } + + ASSERT (buf_safe (work, uncomp_len)); + work->len = uncomp_len; + + dmsg (D_COMP, "LZ4 decompress %d -> %d", buf->len, work->len); + compctx->pre_decompress += buf->len; + compctx->post_decompress += work->len; + + *buf = *work; +} + +static void +lz4_decompress (struct buffer *buf, struct buffer work, + struct compress_context *compctx, + const struct frame* frame) +{ + size_t zlen_max = EXPANDED_SIZE (frame); + uint8_t c; /* flag indicating whether or not our peer compressed */ + + if (buf->len <= 0) + return; + + ASSERT (buf_init (&work, FRAME_HEADROOM (frame))); + + /* do unframing/swap (assumes buf->len > 0) */ + { + uint8_t *head = BPTR (buf); + c = *head; + --buf->len; + *head = *BEND (buf); + } + + if (c == LZ4_COMPRESS_BYTE) /* packet was compressed */ + { + do_lz4_decompress(zlen_max, &work, buf, compctx); + } + else if (c == NO_COMPRESS_BYTE_SWAP) /* packet was not compressed */ + { + ; + } + else + { + dmsg (D_COMP_ERRORS, "Bad LZ4 decompression header byte: %d", c); + buf->len = 0; + } +} + +static void +lz4v2_decompress (struct buffer *buf, struct buffer work, + struct compress_context *compctx, + const struct frame* frame) +{ + size_t zlen_max = EXPANDED_SIZE (frame); + uint8_t c; /* flag indicating whether or not our peer compressed */ + + if (buf->len <= 0) + return; + + ASSERT (buf_init (&work, FRAME_HEADROOM (frame))); + + /* do unframing/swap (assumes buf->len > 0) */ + uint8_t *head = BPTR (buf); + c = *head; + + /* Not compressed */ + if (c != COMP_ALGV2_INDICATOR_BYTE) { + return; + } + + /* Packet to short to make sense */ + if (buf->len <= 1) + { + buf->len=0; + return; + } + + c = head[1]; + if (c == COMP_ALGV2_LZ4_BYTE) /* packet was compressed */ + { + buf_advance(buf,2); + do_lz4_decompress(zlen_max, &work, buf, compctx); + } + else if (c == COMP_ALGV2_UNCOMPRESSED_BYTE) + { + buf_advance(buf,2); + } + else + { + dmsg (D_COMP_ERRORS, "Bad LZ4v2 decompression header byte: %d", c); + buf->len = 0; + } +} + +const struct compress_alg lz4_alg = { + "lz4", + lz4_compress_init, + lz4_compress_uninit, + lz4_compress, + lz4_decompress +}; + +const struct compress_alg lz4v2_alg = { + "lz4v2", + lz4v2_compress_init, + lz4_compress_uninit, + lz4v2_compress, + lz4v2_decompress +}; + +#else +static void dummy(void) {} +#endif /* ENABLE_LZ4 */ diff --git a/src/openvpn/comp-lz4.h b/src/openvpn/comp-lz4.h new file mode 100644 index 0000000..7774ca5 --- /dev/null +++ b/src/openvpn/comp-lz4.h @@ -0,0 +1,42 @@ +/* + * OpenVPN -- An application to securely tunnel IP networks + * over a single UDP port, with support for SSL/TLS-based + * session authentication and key exchange, + * packet encryption, packet authentication, and + * packet compression. + * + * Copyright (C) 2002-2012 OpenVPN Technologies, Inc. <sales@openvpn.net> + * Copyright (C) 2013 Gert Doering <gert@greenie.muc.de> + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + */ + +#ifndef OPENVPN_COMP_LZ4_H +#define OPENVPN_COMP_LZ4_H + +#if defined(ENABLE_LZ4) + +#include "buffer.h" + +extern const struct compress_alg lz4_alg; +extern const struct compress_alg lz4v2_alg; + +struct lz4_workspace +{ + int dummy; +}; + +#endif /* ENABLE_LZ4 */ +#endif diff --git a/src/openvpn/comp.c b/src/openvpn/comp.c new file mode 100644 index 0000000..499fef9 --- /dev/null +++ b/src/openvpn/comp.c @@ -0,0 +1,167 @@ +/* + * OpenVPN -- An application to securely tunnel IP networks + * over a single UDP port, with support for SSL/TLS-based + * session authentication and key exchange, + * packet encryption, packet authentication, and + * packet compression. + * + * Copyright (C) 2002-2012 OpenVPN Technologies, Inc. <sales@openvpn.net> + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + */ + +#ifdef HAVE_CONFIG_H +#include "config.h" +#elif defined(_MSC_VER) +#include "config-msvc.h" +#endif + +#include "syshead.h" + +#ifdef USE_COMP + +#include "comp.h" +#include "error.h" +#include "otime.h" + +#include "memdbg.h" + +struct compress_context * +comp_init(const struct compress_options *opt) +{ + struct compress_context *compctx = NULL; + switch (opt->alg) + { + case COMP_ALG_STUB: + ALLOC_OBJ_CLEAR (compctx, struct compress_context); + compctx->flags = opt->flags; + compctx->alg = comp_stub_alg; + break; + case COMP_ALGV2_UNCOMPRESSED: + ALLOC_OBJ_CLEAR (compctx, struct compress_context); + compctx->flags = opt->flags; + compctx->alg = compv2_stub_alg; + break; +#ifdef ENABLE_LZO + case COMP_ALG_LZO: + ALLOC_OBJ_CLEAR (compctx, struct compress_context); + compctx->flags = opt->flags; + compctx->alg = lzo_alg; + break; +#endif +#ifdef ENABLE_LZ4 + case COMP_ALG_LZ4: + ALLOC_OBJ_CLEAR (compctx, struct compress_context); + compctx->flags = opt->flags; + compctx->alg = lz4_alg; + break; + case COMP_ALGV2_LZ4: + ALLOC_OBJ_CLEAR (compctx, struct compress_context); + compctx->flags = opt->flags; + compctx->alg = lz4v2_alg; + break; +#endif + } + if (compctx) + (*compctx->alg.compress_init)(compctx); + + return compctx; +} + +/* In the v2 compression schemes, an uncompressed packet has + * has no opcode in front, unless the first byte is 0x50. In this + * case the packet needs to be escaped */ +void +compv2_escape_data_ifneeded (struct buffer *buf) +{ + uint8_t *head = BPTR (buf); + if (head[0] != COMP_ALGV2_INDICATOR_BYTE) + return; + + /* Header is 0x50 */ + ASSERT(buf_prepend(buf, 2)); + + head = BPTR (buf); + head[0] = COMP_ALGV2_INDICATOR_BYTE; + head[1] = COMP_ALGV2_UNCOMPRESSED; +} + + +void +comp_uninit(struct compress_context *compctx) +{ + if (compctx) + { + (*compctx->alg.compress_uninit)(compctx); + free(compctx); + } +} + +void +comp_add_to_extra_frame(struct frame *frame) +{ + /* Leave room for our one-byte compressed/didn't-compress prefix byte. */ + frame_add_to_extra_frame (frame, COMP_PREFIX_LEN); +} + +void +comp_add_to_extra_buffer(struct frame *frame) +{ + /* Leave room for compression buffer to expand in worst case scenario + where data is totally uncompressible */ + frame_add_to_extra_buffer (frame, COMP_EXTRA_BUFFER (EXPANDED_SIZE(frame))); +} + +void +comp_print_stats (const struct compress_context *compctx, struct status_output *so) +{ + if (compctx) + { + status_printf (so, "pre-compress bytes," counter_format, compctx->pre_compress); + status_printf (so, "post-compress bytes," counter_format, compctx->post_compress); + status_printf (so, "pre-decompress bytes," counter_format, compctx->pre_decompress); + status_printf (so, "post-decompress bytes," counter_format, compctx->post_decompress); + } +} + +/* + * Tell our peer which compression algorithms we support. + */ +void +comp_generate_peer_info_string(const struct compress_options *opt, struct buffer *out) +{ + if (opt) + { + bool lzo_avail = false; + if (!(opt->flags & COMP_F_ADVERTISE_STUBS_ONLY)) + { +#if defined(ENABLE_LZ4) + buf_printf (out, "IV_LZ4=1\n"); + buf_printf (out, "IV_LZ4v2=1\n"); +#endif +#if defined(ENABLE_LZO) + buf_printf (out, "IV_LZO=1\n"); + lzo_avail = true; +#endif + } + if (!lzo_avail) + buf_printf (out, "IV_LZO_STUB=1\n"); + buf_printf (out, "IV_COMP_STUB=1\n"); + buf_printf (out, "IV_COMP_STUBv2=1\n"); + buf_printf (out, "IV_TCPNL=1\n"); + } +} + +#endif /* USE_COMP */ diff --git a/src/openvpn/comp.h b/src/openvpn/comp.h new file mode 100644 index 0000000..9ed9532 --- /dev/null +++ b/src/openvpn/comp.h @@ -0,0 +1,198 @@ +/* + * OpenVPN -- An application to securely tunnel IP networks + * over a single UDP port, with support for SSL/TLS-based + * session authentication and key exchange, + * packet encryption, packet authentication, and + * packet compression. + * + * Copyright (C) 2002-2012 OpenVPN Technologies, Inc. <sales@openvpn.net> + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + */ + +/* + * Generic compression support. Currently we support + * LZO 2 and LZ4. + */ +#ifndef OPENVPN_COMP_H +#define OPENVPN_COMP_H + +#ifdef USE_COMP + +#include "buffer.h" +#include "mtu.h" +#include "common.h" +#include "status.h" + +/* algorithms */ +#define COMP_ALG_UNDEF 0 +#define COMP_ALG_STUB 1 /* support compression command byte and framing without actual compression */ +#define COMP_ALG_LZO 2 /* LZO algorithm */ +#define COMP_ALG_SNAPPY 3 /* Snappy algorithm (no longer supported) */ +#define COMP_ALG_LZ4 4 /* LZ4 algorithm */ + + +/* algorithm v2 */ +#define COMP_ALGV2_UNCOMPRESSED 10 +#define COMP_ALGV2_LZ4 11 +/* +#define COMP_ALGV2_LZO 12 +#define COMP_ALGV2_SNAPPY 13 +*/ + +/* Compression flags */ +#define COMP_F_ADAPTIVE (1<<0) /* COMP_ALG_LZO only */ +#define COMP_F_ASYM (1<<1) /* only downlink is compressed, not uplink */ +#define COMP_F_SWAP (1<<2) /* initial command byte is swapped with last byte in buffer to preserve payload alignment */ +#define COMP_F_ADVERTISE_STUBS_ONLY (1<<3) /* tell server that we only support compression stubs */ + + +/* + * Length of prepended prefix on compressed packets + */ +#define COMP_PREFIX_LEN 1 + +/* + * Prefix bytes + */ + +/* V1 on wire codes */ +/* Initial command byte to tell our peer if we compressed */ +#define LZO_COMPRESS_BYTE 0x66 +#define LZ4_COMPRESS_BYTE 0x69 +#define NO_COMPRESS_BYTE 0xFA +#define NO_COMPRESS_BYTE_SWAP 0xFB /* to maintain payload alignment, replace this byte with last byte of packet */ + +/* V2 on wire code */ +#define COMP_ALGV2_INDICATOR_BYTE 0x50 +#define COMP_ALGV2_UNCOMPRESSED_BYTE 0 +#define COMP_ALGV2_LZ4_BYTE 1 +#define COMP_ALGV2_LZO_BYTE 2 +#define COMP_ALGV2_SNAPPY_BYTE 3 + +/* + * Compress worst case size expansion (for any algorithm) + * + * LZO: len + len/8 + 128 + 3 + * Snappy: len + len/6 + 32 + * LZ4: len + len/255 + 16 (LZ4_COMPRESSBOUND(len)) + */ +#define COMP_EXTRA_BUFFER(len) ((len)/6 + 128 + 3 + COMP_PREFIX_LEN) + +/* + * Don't try to compress any packet smaller than this. + */ +#define COMPRESS_THRESHOLD 100 + +/* Forward declaration of compression context */ +struct compress_context; + +/* + * Virtual methods and other static info for each compression algorithm + */ +struct compress_alg +{ + const char *name; + void (*compress_init)(struct compress_context *compctx); + void (*compress_uninit)(struct compress_context *compctx); + void (*compress)(struct buffer *buf, struct buffer work, + struct compress_context *compctx, + const struct frame* frame); + + void (*decompress)(struct buffer *buf, struct buffer work, + struct compress_context *compctx, + const struct frame* frame); +}; + +/* + * Headers for each compression implementation + */ +#ifdef ENABLE_LZO +#include "lzo.h" +#endif + +#ifdef ENABLE_LZ4 +#include "comp-lz4.h" +#endif + +/* + * Information that basically identifies a compression + * algorithm and related flags. + */ +struct compress_options +{ + int alg; + unsigned int flags; +}; + +/* + * Workspace union of all supported compression algorithms + */ +union compress_workspace_union +{ +#ifdef ENABLE_LZO + struct lzo_compress_workspace lzo; +#endif +#ifdef ENABLE_LZ4 + struct lz4_workspace lz4; +#endif +}; + +/* + * Context for active compression session + */ +struct compress_context +{ + unsigned int flags; + struct compress_alg alg; + union compress_workspace_union wu; + + /* statistics */ + counter_type pre_decompress; + counter_type post_decompress; + counter_type pre_compress; + counter_type post_compress; +}; + +extern const struct compress_alg comp_stub_alg; +extern const struct compress_alg compv2_stub_alg; + +struct compress_context *comp_init(const struct compress_options *opt); + +void comp_uninit(struct compress_context *compctx); + +void comp_add_to_extra_frame(struct frame *frame); +void comp_add_to_extra_buffer(struct frame *frame); + +void comp_print_stats (const struct compress_context *compctx, struct status_output *so); + +void comp_generate_peer_info_string(const struct compress_options *opt, struct buffer *out); + +void compv2_escape_data_ifneeded (struct buffer *buf); + +static inline bool +comp_enabled(const struct compress_options *info) +{ + return info->alg != COMP_ALG_UNDEF; +} + +static inline bool +comp_unswapped_prefix(const struct compress_options *info) +{ + return !(info->flags & COMP_F_SWAP); +} + +#endif /* USE_COMP */ +#endif diff --git a/src/openvpn/compstub.c b/src/openvpn/compstub.c new file mode 100644 index 0000000..9c6aad2 --- /dev/null +++ b/src/openvpn/compstub.c @@ -0,0 +1,169 @@ +/* + * OpenVPN -- An application to securely tunnel IP networks + * over a single UDP port, with support for SSL/TLS-based + * session authentication and key exchange, + * packet encryption, packet authentication, and + * packet compression. + * + * Copyright (C) 2002-2012 OpenVPN Technologies, Inc. <sales@openvpn.net> + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + */ + +#ifdef HAVE_CONFIG_H +#include "config.h" +#elif defined(_MSC_VER) +#include "config-msvc.h" +#endif + +#include "syshead.h" + +#if defined(USE_COMP) + +#include "comp.h" +#include "error.h" +#include "otime.h" + +#include "memdbg.h" + +static void +stub_compress_init (struct compress_context *compctx) +{ +} + +static void +stub_compress_uninit (struct compress_context *compctx) +{ +} + +static void +stub_compress (struct buffer *buf, struct buffer work, + struct compress_context *compctx, + const struct frame* frame) +{ + if (buf->len <= 0) + return; + if (compctx->flags & COMP_F_SWAP) + { + uint8_t *head = BPTR (buf); + uint8_t *tail = BEND (buf); + ASSERT (buf_safe (buf, 1)); + ++buf->len; + + /* move head byte of payload to tail */ + *tail = *head; + *head = NO_COMPRESS_BYTE_SWAP; + } + else + { + uint8_t *header = buf_prepend (buf, 1); + *header = NO_COMPRESS_BYTE; + } +} + +static void +stub_decompress (struct buffer *buf, struct buffer work, + struct compress_context *compctx, + const struct frame* frame) +{ + uint8_t c; + if (buf->len <= 0) + return; + if (compctx->flags & COMP_F_SWAP) + { + uint8_t *head = BPTR (buf); + c = *head; + --buf->len; + *head = *BEND (buf); + if (c != NO_COMPRESS_BYTE_SWAP) + { + dmsg (D_COMP_ERRORS, "Bad compression stub (swap) decompression header byte: %d", c); + buf->len = 0; + } + } + else + { + c = *BPTR (buf); + ASSERT (buf_advance (buf, 1)); + if (c != NO_COMPRESS_BYTE) + { + dmsg (D_COMP_ERRORS, "Bad compression stub decompression header byte: %d", c); + buf->len = 0; + } + } +} + + +static void +stubv2_compress (struct buffer *buf, struct buffer work, + struct compress_context *compctx, + const struct frame* frame) +{ + if (buf->len <= 0) + return; + + compv2_escape_data_ifneeded (buf); +} + +static void +stubv2_decompress (struct buffer *buf, struct buffer work, + struct compress_context *compctx, + const struct frame* frame) +{ + if (buf->len <= 0) + return; + + uint8_t *head = BPTR (buf); + + /* no compression or packet to short*/ + if (head[0] != COMP_ALGV2_INDICATOR_BYTE) + return; + + /* compression header (0x50) is present */ + buf_advance(buf, 1); + + /* Packet buffer too short (only 1 byte) */ + if (buf->len <= 0) + return; + + head = BPTR (buf); + buf_advance(buf, 1); + + if (head[0] != COMP_ALGV2_UNCOMPRESSED_BYTE) { + dmsg (D_COMP_ERRORS, "Bad compression stubv2 decompression header byte: %d", *head); + buf->len = 0; + return; + } +} + +const struct compress_alg compv2_stub_alg = { + "stubv2", + stub_compress_init, + stub_compress_uninit, + stubv2_compress, + stubv2_decompress +}; + +const struct compress_alg comp_stub_alg = { + "stub", + stub_compress_init, + stub_compress_uninit, + stub_compress, + stub_decompress +}; + +#else +static void dummy(void) {} +#endif /* USE_STUB */ diff --git a/src/openvpn/console.c b/src/openvpn/console.c index 86331a1..c3bb7c3 100644 --- a/src/openvpn/console.c +++ b/src/openvpn/console.c @@ -6,6 +6,8 @@ * packet compression. * * Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net> + * Copyright (C) 2014-2015 David Sommerseth <davids@redhat.com> + * Copyright (C) 2016 David Sommerseth <davids@openvpn.net> * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 @@ -38,219 +40,43 @@ #include <systemd/sd-daemon.h> #endif -#ifdef WIN32 -#include "win32.h" +struct _query_user query_user[QUERY_USER_NUMSLOTS]; /* GLOBAL */ -/* - * Get input from console. - * - * Return false on input error, or if service - * exit event is signaled. - */ - -static bool -get_console_input_win32 (const char *prompt, const bool echo, char *input, const int capacity) -{ - HANDLE in = INVALID_HANDLE_VALUE; - HANDLE err = INVALID_HANDLE_VALUE; - DWORD len = 0; - - ASSERT (prompt); - ASSERT (input); - ASSERT (capacity > 0); - - input[0] = '\0'; - - in = GetStdHandle (STD_INPUT_HANDLE); - err = get_orig_stderr (); - - if (in != INVALID_HANDLE_VALUE - && err != INVALID_HANDLE_VALUE - && !win32_service_interrupt (&win32_signal) - && WriteFile (err, prompt, strlen (prompt), &len, NULL)) - { - bool is_console = (GetFileType (in) == FILE_TYPE_CHAR); - DWORD flags_save = 0; - int status = 0; - WCHAR *winput; - - if (is_console) - { - if (GetConsoleMode (in, &flags_save)) - { - DWORD flags = ENABLE_LINE_INPUT | ENABLE_PROCESSED_INPUT; - if (echo) - flags |= ENABLE_ECHO_INPUT; - SetConsoleMode (in, flags); - } - else - is_console = 0; - } - - if (is_console) - { - winput = malloc (capacity * sizeof (WCHAR)); - if (winput == NULL) - return false; - - status = ReadConsoleW (in, winput, capacity, &len, NULL); - WideCharToMultiByte (CP_UTF8, 0, winput, len, input, capacity, NULL, NULL); - free (winput); - } - else - status = ReadFile (in, input, capacity, &len, NULL); - - string_null_terminate (input, (int)len, capacity); - chomp (input); - - if (!echo) - WriteFile (err, "\r\n", 2, &len, NULL); - if (is_console) - SetConsoleMode (in, flags_save); - if (status && !win32_service_interrupt (&win32_signal)) - return true; - } - - return false; -} - -#endif - -#ifdef HAVE_GETPASS - -static FILE * -open_tty (const bool write) -{ - FILE *ret; - ret = fopen ("/dev/tty", write ? "w" : "r"); - if (!ret) - ret = write ? stderr : stdin; - return ret; -} - -static void -close_tty (FILE *fp) -{ - if (fp != stderr && fp != stdin) - fclose (fp); -} - -#endif -#ifdef ENABLE_SYSTEMD - -/* - * is systemd running - */ - -static bool -check_systemd_running () +void query_user_clear() { - struct stat c; - - /* We simply test whether the systemd cgroup hierarchy is - * mounted, as well as the systemd-ask-password executable - * being available */ + int i; - return (sd_booted() > 0) - && (stat(SYSTEMD_ASK_PASSWORD_PATH, &c) == 0); - -} - -static bool -get_console_input_systemd (const char *prompt, const bool echo, char *input, const int capacity) -{ - int std_out; - bool ret = false; - struct argv argv; - - argv_init (&argv); - argv_printf (&argv, SYSTEMD_ASK_PASSWORD_PATH); - argv_printf_cat (&argv, "%s", prompt); - - if ((std_out = openvpn_popen (&argv, NULL)) < 0) { - return false; - } - - memset (input, 0, capacity); - if (read (std_out, input, capacity-1) > 0) - { - chomp (input); - ret = true; + for( i = 0; i < QUERY_USER_NUMSLOTS; i++ ) { + CLEAR(query_user[i]); } - close (std_out); - - argv_reset (&argv); - - return ret; } -#endif - -/* - * Get input from console - */ -bool -get_console_input (const char *prompt, const bool echo, char *input, const int capacity) +void query_user_add(char *prompt, size_t prompt_len, + char *resp, size_t resp_len, + bool echo) { - bool ret = false; - ASSERT (prompt); - ASSERT (input); - ASSERT (capacity > 0); - input[0] = '\0'; - -#ifdef ENABLE_SYSTEMD - if (check_systemd_running ()) - return get_console_input_systemd (prompt, echo, input, capacity); -#endif + int i; -#if defined(WIN32) - return get_console_input_win32 (prompt, echo, input, capacity); -#elif defined(HAVE_GETPASS) + /* Ensure input is sane. All these must be present otherwise it is + * a programming error. + */ + ASSERT( prompt_len > 0 && prompt != NULL && resp_len > 0 && resp != NULL ); - /* did we --daemon'ize before asking for passwords? - * (in which case neither stdin or stderr are connected to a tty and - * /dev/tty can not be open()ed anymore) - */ - if ( !isatty(0) && !isatty(2) ) - { - int fd = open( "/dev/tty", O_RDWR ); - if ( fd < 0 ) - { msg(M_FATAL, "neither stdin nor stderr are a tty device and you have neither a controlling tty nor systemd - can't ask for '%s'. If you used --daemon, you need to use --askpass to make passphrase-protected keys work, and you can not use --auth-nocache.", prompt ); } - close(fd); - } - - if (echo) - { - FILE *fp; - - fp = open_tty (true); - fprintf (fp, "%s", prompt); - fflush (fp); - close_tty (fp); - - fp = open_tty (false); - if (fgets (input, capacity, fp) != NULL) - { - chomp (input); - ret = true; + /* Seek to the last unused slot */ + for (i = 0; i < QUERY_USER_NUMSLOTS; i++) { + if( query_user[i].prompt == NULL ) { + break; } - close_tty (fp); } - else - { - char *gp = getpass (prompt); - if (gp) - { - strncpynt (input, gp, capacity); - memset (gp, 0, strlen (gp)); - ret = true; - } - } -#else - msg (M_FATAL, "Sorry, but I can't get console input on this OS (%s)", prompt); -#endif - return ret; + ASSERT( i < QUERY_USER_NUMSLOTS ); /* Unlikely, but we want to panic if it happens */ + + /* Save the information needed for the user interaction */ + query_user[i].prompt = prompt; + query_user[i].prompt_len = prompt_len; + query_user[i].response = resp; + query_user[i].response_len = resp_len; + query_user[i].echo = echo; } diff --git a/src/openvpn/console.h b/src/openvpn/console.h index 268f3fe..ec32cf6 100644 --- a/src/openvpn/console.h +++ b/src/openvpn/console.h @@ -6,6 +6,8 @@ * packet compression. * * Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net> + * Copyright (C) 2014-2015 David Sommerseth <davids@redhat.com> + * Copyright (C) 2016 David Sommerseth <davids@openvpn.net> * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 @@ -27,7 +29,90 @@ #include "basic.h" -bool -get_console_input (const char *prompt, const bool echo, char *input, const int capacity); +/** + * Configuration setup for declaring what kind of information to ask a user for + */ +struct _query_user { + char *prompt; /**< Prompt to present to the user */ + size_t prompt_len; /**< Lenght of the prompt string */ + char *response; /**< The user's response */ + size_t response_len; /**< Lenght the of the user reposone */ + bool echo; /**< True: The user should see what is being typed, otherwise mask it */ +}; + +#define QUERY_USER_NUMSLOTS 10 +extern struct _query_user query_user[]; /**< Global variable, declared in console.c */ + +/** + * Wipes all data put into all of the query_user structs + * + */ +void query_user_clear (); + + +/** + * Adds an item to ask the user for + * + * @param prompt Prompt to display to the user + * @param prompt_len Length of the prompt string + * @param resp String containing the user response + * @param resp_len Lenght of the response string + * @param echo Should the user input be echoed to the user? If False, input will be masked + * + */ +void query_user_add (char *prompt, size_t prompt_len, + char *resp, size_t resp_len, + bool echo); + + +/** + * Executes a configured setup, using the built-in method for querying the user. + * This method uses the console/TTY directly. + * + * @param setup Pointer to the setup defining what to ask the user + * + * @return True if executing all the defined steps completed successfully + */ +bool query_user_exec_builtin (); + + +#if defined(ENABLE_SYSTEMD) +/** + * Executes a configured setup, using the compiled method for querying the user + * + * @param setup Pointer to the setup defining what to ask the user + * + * @return True if executing all the defined steps completed successfully + */ +bool query_user_exec (); + +#else /* ENABLE_SYSTEMD not defined*/ +/** + * Wrapper function enabling query_user_exec() if no alternative methods have + * been enabled + * + */ +static bool query_user_exec () +{ + return query_user_exec_builtin(); +} +#endif /* defined(ENABLE_SYSTEMD) */ + + +/** + * A plain "make Gert happy" wrapper. Same arguments as @query_user_add + * + * FIXME/TODO: Remove this when refactoring the complete user query process + * to be called at start-up initialization of OpenVPN. + * + */ +static inline bool query_user_SINGLE (char *prompt, size_t prompt_len, + char *resp, size_t resp_len, + bool echo) +{ + query_user_clear(); + query_user_add(prompt, prompt_len, resp, resp_len, echo); + return query_user_exec(); +} #endif diff --git a/src/openvpn/console_builtin.c b/src/openvpn/console_builtin.c new file mode 100644 index 0000000..6b0211d --- /dev/null +++ b/src/openvpn/console_builtin.c @@ -0,0 +1,261 @@ +/* + * OpenVPN -- An application to securely tunnel IP networks + * over a single UDP port, with support for SSL/TLS-based + * session authentication and key exchange, + * packet encryption, packet authentication, and + * packet compression. + * + * Copyright (C) 2002-2016 OpenVPN Technologies, Inc. <sales@openvpn.net> + * Copyright (C) 2014-2015 David Sommerseth <davids@redhat.com> + * Copyright (C) 2016 David Sommerseth <davids@openvpn.net> + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + */ + +/* + * These functions covers handing user input/output using the default consoles + * + */ + +#ifdef HAVE_CONFIG_H +#include "config.h" +#elif defined(_MSC_VER) +#include "config-msvc.h" +#endif + +#include "syshead.h" +#include "console.h" +#include "error.h" +#include "buffer.h" +#include "misc.h" + +#ifdef _WIN32 + +#include "win32.h" + +/** + * Get input from a Windows console. + * + * @param prompt Prompt to display to the user + * @param echo Should the user input be displayed in the console + * @param input Pointer to the buffer the user input will be saved + * @param capacity Size of the buffer for the user input + * + * @return Return false on input error, or if service + * exit event is signaled. + */ +static bool get_console_input_win32 (const char *prompt, const bool echo, char *input, const int capacity) +{ + HANDLE in = INVALID_HANDLE_VALUE; + HANDLE err = INVALID_HANDLE_VALUE; + DWORD len = 0; + + ASSERT (prompt); + ASSERT (input); + ASSERT (capacity > 0); + + input[0] = '\0'; + + in = GetStdHandle (STD_INPUT_HANDLE); + err = get_orig_stderr (); + + if (in != INVALID_HANDLE_VALUE + && err != INVALID_HANDLE_VALUE + && !win32_service_interrupt (&win32_signal) + && WriteFile (err, prompt, strlen (prompt), &len, NULL)) + { + bool is_console = (GetFileType (in) == FILE_TYPE_CHAR); + DWORD flags_save = 0; + int status = 0; + WCHAR *winput; + + if (is_console) + { + if (GetConsoleMode (in, &flags_save)) + { + DWORD flags = ENABLE_LINE_INPUT | ENABLE_PROCESSED_INPUT; + if (echo) + flags |= ENABLE_ECHO_INPUT; + SetConsoleMode (in, flags); + } else + is_console = 0; + } + + if (is_console) + { + winput = malloc (capacity * sizeof (WCHAR)); + if (winput == NULL) + return false; + + status = ReadConsoleW (in, winput, capacity, &len, NULL); + WideCharToMultiByte (CP_UTF8, 0, winput, len, input, capacity, NULL, NULL); + free (winput); + } else + status = ReadFile (in, input, capacity, &len, NULL); + + string_null_terminate (input, (int)len, capacity); + chomp (input); + + if (!echo) + WriteFile (err, "\r\n", 2, &len, NULL); + if (is_console) + SetConsoleMode (in, flags_save); + if (status && !win32_service_interrupt (&win32_signal)) + return true; + } + + return false; +} + +#endif /* _WIN32 */ + + +#ifdef HAVE_GETPASS + +/** + * Open the current console TTY for read/write operations + * + * @params write If true, the user wants to write to the console + * otherwise read from the console + * + * @returns Returns a FILE pointer to either the TTY in read or write mode + * or stdin/stderr, depending on the write flag + * + */ +static FILE * open_tty (const bool write) +{ + FILE *ret; + ret = fopen ("/dev/tty", write ? "w" : "r"); + if (!ret) + ret = write ? stderr : stdin; + return ret; +} + +/** + * Closes the TTY FILE pointer, but only if it is not a stdin/stderr FILE object. + * + * @params fp FILE pointer to close + * + */ +static void close_tty (FILE *fp) +{ + if (fp != stderr && fp != stdin) + fclose (fp); +} + +#endif /* HAVE_GETPASS */ + + +/** + * Core function for getting input from console + * + * @params prompt The prompt to present to the user + * @params echo Should the user see what is being typed + * @params input Pointer to the buffer used to save the user input + * @params capacity Size of the input buffer + * + * @returns Returns True if user input was gathered + */ +static bool get_console_input (const char *prompt, const bool echo, char *input, const int capacity) +{ + bool ret = false; + ASSERT (prompt); + ASSERT (input); + ASSERT (capacity > 0); + input[0] = '\0'; + +#if defined(_WIN32) + return get_console_input_win32 (prompt, echo, input, capacity); +#elif defined(HAVE_GETPASS) + + /* did we --daemon'ize before asking for passwords? + * (in which case neither stdin or stderr are connected to a tty and + * /dev/tty can not be open()ed anymore) + */ + if ( !isatty(0) && !isatty(2) ) + { + int fd = open( "/dev/tty", O_RDWR ); + if ( fd < 0 ) + { + msg(M_FATAL, "neither stdin nor stderr are a tty device and you have neither a " + "controlling tty nor systemd - can't ask for '%s'. If you used --daemon, " + "you need to use --askpass to make passphrase-protected keys work, and you " + "can not use --auth-nocache.", prompt ); + } + close(fd); + } + + if (echo) + { + FILE *fp; + + fp = open_tty (true); + fprintf (fp, "%s", prompt); + fflush (fp); + close_tty (fp); + + fp = open_tty (false); + if (fgets (input, capacity, fp) != NULL) + { + chomp (input); + ret = true; + } + close_tty (fp); + } else { + char *gp = getpass (prompt); + if (gp) + { + strncpynt (input, gp, capacity); + memset (gp, 0, strlen (gp)); + ret = true; + } + } +#else + msg (M_FATAL, "Sorry, but I can't get console input on this OS (%s)", prompt); +#endif + return ret; +} + + +/** + * @copydoc query_user_exec() + * + * Default method for querying user using default stdin/stdout on a console. + * This needs to be available as a backup interface for the alternative + * implementations in case they cannot query through their implementation + * specific methods. + * + * If no alternative implementation is declared, a wrapper in console.h will ensure + * query_user_exec() will call this function instead. + * + */ +bool query_user_exec_builtin() +{ + bool ret = true; /* Presume everything goes okay */ + int i; + + /* Loop through configured query_user slots */ + for (i = 0; i < QUERY_USER_NUMSLOTS && query_user[i].response != NULL; i++) + { + if (!get_console_input(query_user[i].prompt, query_user[i].echo, + query_user[i].response, query_user[i].response_len) ) + { + /* Force the final result state to failed on failure */ + ret = false; + } + } + + return ret; +} diff --git a/src/openvpn/console_systemd.c b/src/openvpn/console_systemd.c new file mode 100644 index 0000000..8a953c9 --- /dev/null +++ b/src/openvpn/console_systemd.c @@ -0,0 +1,122 @@ +/* + * OpenVPN -- An application to securely tunnel IP networks + * over a single UDP port, with support for SSL/TLS-based + * session authentication and key exchange, + * packet encryption, packet authentication, and + * packet compression. + * + * Copyright (C) 2014-2015 David Sommerseth <davids@redhat.com> + * Copyright (C) 2016 David Sommerseth <dazo@privateinternetaccess.com> + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + */ + +/** + * @file Alternative method to query for user input, using systemd + * + */ + +#include "config.h" + +#ifdef ENABLE_SYSTEMD +#include "syshead.h" +#include "console.h" +#include "misc.h" + +#include <systemd/sd-daemon.h> + +/* + * is systemd running + */ + +static bool +check_systemd_running () +{ + struct stat c; + + /* We simply test whether the systemd cgroup hierarchy is + * mounted, as well as the systemd-ask-password executable + * being available */ + + return (sd_booted() > 0) + && (stat(SYSTEMD_ASK_PASSWORD_PATH, &c) == 0); + +} + +static bool +get_console_input_systemd (const char *prompt, const bool echo, char *input, const int capacity) +{ + int std_out; + bool ret = false; + struct argv argv = argv_new (); + + argv_printf (&argv, SYSTEMD_ASK_PASSWORD_PATH); +#ifdef SYSTEMD_NEWER_THAN_216 + /* the --echo support arrived in upstream systemd 217 */ + if( echo ) + { + argv_printf_cat(&argv, "--echo"); + } +#endif + argv_printf_cat (&argv, "--icon network-vpn"); + argv_printf_cat (&argv, "%s", prompt); + + if ((std_out = openvpn_popen (&argv, NULL)) < 0) { + return false; + } + memset (input, 0, capacity); + if (read (std_out, input, capacity-1) != 0) + { + chomp (input); + ret = true; + } + close (std_out); + + argv_reset (&argv); + + return ret; +} + +/** + * Systemd aware implementation of query_user_exec(). If systemd is not running + * it will fall back to use query_user_exec_builtin() instead. + * + */ +bool query_user_exec() +{ + bool ret = true; /* Presume everything goes okay */ + int i; + + /* If systemd is not available, use the default built-in mechanism */ + if (!check_systemd_running()) + { + return query_user_exec_builtin(); + } + + /* Loop through the complete query setup and when needed, collect the information */ + for (i = 0; i < QUERY_USER_NUMSLOTS && query_user[i].response != NULL; i++) + { + if (!get_console_input_systemd(query_user[i].prompt, query_user[i].echo, + query_user[i].response, query_user[i].response_len) ) + { + /* Force the final result state to failed on failure */ + ret = false; + } + } + + return ret; +} + +#endif /* ENABLE_SYSTEMD */ diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c index 400bf11..05622ce 100644 --- a/src/openvpn/crypto.c +++ b/src/openvpn/crypto.c @@ -6,7 +6,7 @@ * packet compression. * * Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net> - * Copyright (C) 2010 Fox Crypto B.V. <openvpn@fox-it.com> + * Copyright (C) 2010-2016 Fox Crypto B.V. <openvpn@fox-it.com> * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 @@ -35,7 +35,8 @@ #include "crypto.h" #include "error.h" -#include "misc.h" +#include "integer.h" +#include "platform.h" #include "memdbg.h" @@ -62,38 +63,114 @@ * happen unless the frame parameters are wrong. */ -#define CRYPT_ERROR(format) \ - do { msg (D_CRYPT_ERRORS, "%s: " format, error_prefix); goto error_exit; } while (false) +static void +openvpn_encrypt_aead (struct buffer *buf, struct buffer work, + struct crypto_options *opt) { +#ifdef HAVE_AEAD_CIPHER_MODES + struct gc_arena gc; + int outlen = 0; + const struct key_ctx *ctx = &opt->key_ctx_bi.encrypt; + uint8_t *mac_out = NULL; + const cipher_kt_t *cipher_kt = cipher_ctx_get_cipher_kt (ctx->cipher); + const int mac_len = cipher_kt_tag_size (cipher_kt); + + /* IV, packet-ID and implicit IV required for this mode. */ + ASSERT (ctx->cipher); + ASSERT (cipher_kt_mode_aead (cipher_kt)); + ASSERT (opt->flags & CO_USE_IV); + ASSERT (packet_id_initialized(&opt->packet_id)); -/** - * As memcmp(), but constant-time. - * Returns 0 when data is equal, non-zero otherwise. - */ -static int -memcmp_constant_time (const void *a, const void *b, size_t size) { - const uint8_t * a1 = a; - const uint8_t * b1 = b; - int ret = 0; - size_t i; - - for (i = 0; i < size; i++) { - ret |= *a1++ ^ *b1++; + gc_init (&gc); + + /* Prepare IV */ + { + struct buffer iv_buffer; + struct packet_id_net pin; + uint8_t iv[OPENVPN_MAX_IV_LENGTH]; + const int iv_len = cipher_ctx_iv_length (ctx->cipher); + + ASSERT (iv_len >= OPENVPN_AEAD_MIN_IV_LEN && iv_len <= OPENVPN_MAX_IV_LENGTH); + + memset(iv, 0, sizeof(iv)); + buf_set_write (&iv_buffer, iv, iv_len); + + /* IV starts with packet id to make the IV unique for packet */ + packet_id_alloc_outgoing (&opt->packet_id.send, &pin, false); + ASSERT (packet_id_write (&pin, &iv_buffer, false, false)); + + /* Remainder of IV consists of implicit part (unique per session) */ + ASSERT (buf_write (&iv_buffer, ctx->implicit_iv, ctx->implicit_iv_len)); + ASSERT (iv_buffer.len == iv_len); + + /* Write explicit part of IV to work buffer */ + ASSERT (buf_write(&work, iv, iv_len - ctx->implicit_iv_len)); + dmsg (D_PACKET_CONTENT, "ENCRYPT IV: %s", format_hex (iv, iv_len, 0, &gc)); + + /* Init cipher_ctx with IV. key & keylen are already initialized */ + ASSERT (cipher_ctx_reset(ctx->cipher, iv)); } - return ret; + /* Reserve space for authentication tag */ + mac_out = buf_write_alloc (&work, mac_len); + ASSERT (mac_out); + + dmsg (D_PACKET_CONTENT, "ENCRYPT FROM: %s", format_hex (BPTR (buf), BLEN (buf), 80, &gc)); + + /* Buffer overflow check */ + if (!buf_safe (&work, buf->len + cipher_ctx_block_size(ctx->cipher))) + { + msg (D_CRYPT_ERRORS, + "ENCRYPT: buffer size error, bc=%d bo=%d bl=%d wc=%d wo=%d wl=%d", + buf->capacity, buf->offset, buf->len, work.capacity, work.offset, + work.len); + goto err; + } + + /* For AEAD ciphers, authenticate Additional Data, including opcode */ + ASSERT (cipher_ctx_update_ad (ctx->cipher, BPTR (&work), BLEN (&work) - mac_len)); + dmsg (D_PACKET_CONTENT, "ENCRYPT AD: %s", + format_hex (BPTR (&work), BLEN (&work) - mac_len, 0, &gc)); + + /* Encrypt packet ID, payload */ + ASSERT (cipher_ctx_update (ctx->cipher, BEND (&work), &outlen, BPTR (buf), BLEN (buf))); + ASSERT (buf_inc_len (&work, outlen)); + + /* Flush the encryption buffer */ + ASSERT (cipher_ctx_final (ctx->cipher, BEND (&work), &outlen)); + ASSERT (buf_inc_len (&work, outlen)); + + /* Write authentication tag */ + ASSERT (cipher_ctx_get_tag (ctx->cipher, mac_out, mac_len)); + + *buf = work; + + dmsg (D_PACKET_CONTENT, "ENCRYPT TO: %s", format_hex (BPTR (buf), BLEN (buf), 80, &gc)); + + gc_free (&gc); + return; + +err: + crypto_clear_error(); + buf->len = 0; + gc_free (&gc); + return; +#else /* HAVE_AEAD_CIPHER_MODES */ + ASSERT (0); +#endif } -void -openvpn_encrypt (struct buffer *buf, struct buffer work, - const struct crypto_options *opt, - const struct frame* frame) +static void +openvpn_encrypt_v1 (struct buffer *buf, struct buffer work, + struct crypto_options *opt) { struct gc_arena gc; gc_init (&gc); - if (buf->len > 0 && opt->key_ctx_bi) + if (buf->len > 0 && opt) { - struct key_ctx *ctx = &opt->key_ctx_bi->encrypt; + const struct key_ctx *ctx = &opt->key_ctx_bi.encrypt; + uint8_t *mac_out = NULL; + const uint8_t *hmac_start = NULL; /* Do Encrypt from buf -> work */ if (ctx->cipher) @@ -103,6 +180,14 @@ openvpn_encrypt (struct buffer *buf, struct buffer work, const cipher_kt_t *cipher_kt = cipher_ctx_get_cipher_kt (ctx->cipher); int outlen; + /* Reserve space for HMAC */ + if (ctx->hmac) + { + mac_out = buf_write_alloc (&work, hmac_ctx_size(ctx->hmac)); + ASSERT (mac_out); + hmac_start = BEND(&work); + } + if (cipher_kt_mode_cbc(cipher_kt)) { CLEAR (iv_buf); @@ -111,11 +196,11 @@ openvpn_encrypt (struct buffer *buf, struct buffer work, if (opt->flags & CO_USE_IV) prng_bytes (iv_buf, iv_size); - /* Put packet ID in plaintext buffer or IV, depending on cipher mode */ - if (opt->packet_id) + /* Put packet ID in plaintext buffer */ + if (packet_id_initialized(&opt->packet_id)) { struct packet_id_net pin; - packet_id_alloc_outgoing (&opt->packet_id->send, &pin, BOOL_CAST (opt->flags & CO_PACKET_ID_LONG_FORM)); + packet_id_alloc_outgoing (&opt->packet_id.send, &pin, BOOL_CAST (opt->flags & CO_PACKET_ID_LONG_FORM)); ASSERT (packet_id_write (&pin, buf, BOOL_CAST (opt->flags & CO_PACKET_ID_LONG_FORM), true)); } } @@ -124,10 +209,11 @@ openvpn_encrypt (struct buffer *buf, struct buffer work, struct packet_id_net pin; struct buffer b; - ASSERT (opt->flags & CO_USE_IV); /* IV and packet-ID required */ - ASSERT (opt->packet_id); /* for this mode. */ + /* IV and packet-ID required for this mode. */ + ASSERT (opt->flags & CO_USE_IV); + ASSERT (packet_id_initialized(&opt->packet_id)); - packet_id_alloc_outgoing (&opt->packet_id->send, &pin, true); + packet_id_alloc_outgoing (&opt->packet_id.send, &pin, true); memset (iv_buf, 0, iv_size); buf_set_write (&b, iv_buf, iv_size); ASSERT (packet_id_write (&pin, &b, true, false)); @@ -137,12 +223,12 @@ openvpn_encrypt (struct buffer *buf, struct buffer work, ASSERT (0); } - /* initialize work buffer with FRAME_HEADROOM bytes of prepend capacity */ - ASSERT (buf_init (&work, FRAME_HEADROOM (frame))); - /* set the IV pseudo-randomly */ if (opt->flags & CO_USE_IV) - dmsg (D_PACKET_CONTENT, "ENCRYPT IV: %s", format_hex (iv_buf, iv_size, 0, &gc)); + { + ASSERT (buf_write(&work, iv_buf, iv_size)); + dmsg (D_PACKET_CONTENT, "ENCRYPT IV: %s", format_hex (iv_buf, iv_size, 0, &gc)); + } dmsg (D_PACKET_CONTENT, "ENCRYPT FROM: %s", format_hex (BPTR (buf), BLEN (buf), 80, &gc)); @@ -165,52 +251,50 @@ openvpn_encrypt (struct buffer *buf, struct buffer work, } /* Encrypt packet ID, payload */ - ASSERT (cipher_ctx_update (ctx->cipher, BPTR (&work), &outlen, BPTR (buf), BLEN (buf))); + ASSERT (cipher_ctx_update (ctx->cipher, BEND (&work), &outlen, BPTR (buf), BLEN (buf))); ASSERT (buf_inc_len(&work, outlen)); /* Flush the encryption buffer */ - ASSERT (cipher_ctx_final(ctx->cipher, BPTR (&work) + outlen, &outlen)); + ASSERT (cipher_ctx_final(ctx->cipher, BEND (&work), &outlen)); ASSERT (buf_inc_len(&work, outlen)); /* For all CBC mode ciphers, check the last block is complete */ ASSERT (cipher_kt_mode (cipher_kt) != OPENVPN_MODE_CBC || outlen == iv_size); - - /* prepend the IV to the ciphertext */ - if (opt->flags & CO_USE_IV) - { - uint8_t *output = buf_prepend (&work, iv_size); - ASSERT (output); - memcpy (output, iv_buf, iv_size); - } - - dmsg (D_PACKET_CONTENT, "ENCRYPT TO: %s", - format_hex (BPTR (&work), BLEN (&work), 80, &gc)); } else /* No Encryption */ { - if (opt->packet_id) + if (packet_id_initialized(&opt->packet_id)) { struct packet_id_net pin; - packet_id_alloc_outgoing (&opt->packet_id->send, &pin, BOOL_CAST (opt->flags & CO_PACKET_ID_LONG_FORM)); + packet_id_alloc_outgoing (&opt->packet_id.send, &pin, BOOL_CAST (opt->flags & CO_PACKET_ID_LONG_FORM)); ASSERT (packet_id_write (&pin, buf, BOOL_CAST (opt->flags & CO_PACKET_ID_LONG_FORM), true)); } + if (ctx->hmac) + { + hmac_start = BPTR(buf); + ASSERT (mac_out = buf_prepend (buf, hmac_ctx_size(ctx->hmac))); + } + if (BLEN(&work)) { + buf_write_prepend(buf, BPTR(&work), BLEN(&work)); + } work = *buf; } /* HMAC the ciphertext (or plaintext if !cipher) */ if (ctx->hmac) { - uint8_t *output = NULL; - hmac_ctx_reset (ctx->hmac); - hmac_ctx_update (ctx->hmac, BPTR(&work), BLEN(&work)); - output = buf_prepend (&work, hmac_ctx_size(ctx->hmac)); - ASSERT (output); - hmac_ctx_final (ctx->hmac, output); + hmac_ctx_update (ctx->hmac, hmac_start, BEND(&work) - hmac_start); + hmac_ctx_final (ctx->hmac, mac_out); + dmsg (D_PACKET_CONTENT, "ENCRYPT HMAC: %s", + format_hex (mac_out, hmac_ctx_size(ctx->hmac), 80, &gc)); } *buf = work; + + dmsg (D_PACKET_CONTENT, "ENCRYPT TO: %s", + format_hex (BPTR (&work), BLEN (&work), 80, &gc)); } gc_free (&gc); @@ -223,6 +307,47 @@ err: return; } +void +openvpn_encrypt (struct buffer *buf, struct buffer work, + struct crypto_options *opt) +{ + if (buf->len > 0 && opt) + { + const cipher_kt_t *cipher_kt = + cipher_ctx_get_cipher_kt(opt->key_ctx_bi.encrypt.cipher); + + if (cipher_kt_mode_aead (cipher_kt)) + openvpn_encrypt_aead(buf, work, opt); + else + openvpn_encrypt_v1(buf, work, opt); + } +} + +bool crypto_check_replay(struct crypto_options *opt, + const struct packet_id_net *pin, const char *error_prefix, + struct gc_arena *gc) { + bool ret = false; + packet_id_reap_test (&opt->packet_id.rec); + if (packet_id_test (&opt->packet_id.rec, pin)) + { + packet_id_add (&opt->packet_id.rec, pin); + if (opt->pid_persist && (opt->flags & CO_PACKET_ID_LONG_FORM)) + packet_id_persist_save_obj (opt->pid_persist, &opt->packet_id); + ret = true; + } + else + { + if (!(opt->flags & CO_MUTE_REPLAY_WARNINGS)) + { + msg (D_REPLAY_ERRORS, "%s: bad packet ID (may be a replay): %s -- " + "see the man page entry for --no-replay and --replay-window for " + "more info or silence this warning with --mute-replay-warnings", + error_prefix, packet_id_net_print (pin, true, gc)); + } + } + return ret; +} + /* * If (opt->flags & CO_USE_IV) is not NULL, we will read an IV from the packet. * @@ -231,21 +356,169 @@ err: * On success, buf is set to point to plaintext, true * is returned. */ -bool -openvpn_decrypt (struct buffer *buf, struct buffer work, - const struct crypto_options *opt, - const struct frame* frame) +static bool +openvpn_decrypt_aead (struct buffer *buf, struct buffer work, + struct crypto_options *opt, const struct frame* frame, + const uint8_t *ad_start) +{ +#ifdef HAVE_AEAD_CIPHER_MODES + static const char error_prefix[] = "AEAD Decrypt error"; + struct packet_id_net pin = { 0 }; + const struct key_ctx *ctx = &opt->key_ctx_bi.decrypt; + const cipher_kt_t *cipher_kt = cipher_ctx_get_cipher_kt (ctx->cipher); + uint8_t *tag_ptr = NULL; + int tag_size = 0; + int outlen; + struct gc_arena gc; + + gc_init (&gc); + + ASSERT (opt); + ASSERT (frame); + ASSERT (buf->len > 0); + ASSERT (ctx->cipher); + ASSERT (cipher_kt_mode_aead (cipher_kt)); + + dmsg (D_PACKET_CONTENT, "DECRYPT FROM: %s", + format_hex (BPTR (buf), BLEN (buf), 80, &gc)); + + ASSERT (ad_start >= buf->data && ad_start <= BPTR (buf)); + + ASSERT (buf_init (&work, FRAME_HEADROOM_ADJ (frame, FRAME_HEADROOM_MARKER_DECRYPT))); + + /* IV and Packet ID required for this mode */ + ASSERT (packet_id_initialized (&opt->packet_id)); + ASSERT (opt->flags & CO_USE_IV); + + /* Combine IV from explicit part from packet and implicit part from context */ + { + uint8_t iv[OPENVPN_MAX_IV_LENGTH] = { 0 }; + const int iv_len = cipher_ctx_iv_length (ctx->cipher); + const size_t packet_iv_len = iv_len - ctx->implicit_iv_len; + + ASSERT (ctx->implicit_iv_len <= iv_len); + if (buf->len + ctx->implicit_iv_len < iv_len) + CRYPT_ERROR ("missing IV info"); + + memcpy (iv, BPTR(buf), packet_iv_len); + memcpy (iv + packet_iv_len, ctx->implicit_iv, ctx->implicit_iv_len); + + dmsg (D_PACKET_CONTENT, "DECRYPT IV: %s", format_hex (iv, iv_len, 0, &gc)); + + /* Load IV, ctx->cipher was already initialized with key & keylen */ + if (!cipher_ctx_reset (ctx->cipher, iv)) + { + CRYPT_ERROR ("cipher init failed"); + } + } + + /* Read packet ID from packet */ + if (!packet_id_read (&pin, buf, false)) + { + CRYPT_ERROR ("error reading packet-id"); + } + + /* keep the tag value to feed in later */ + tag_size = cipher_kt_tag_size(cipher_kt); + if (buf->len < tag_size) + { + CRYPT_ERROR ("missing tag"); + } + tag_ptr = BPTR(buf); + ASSERT (buf_advance (buf, tag_size)); + dmsg (D_PACKET_CONTENT, "DECRYPT MAC: %s", format_hex (tag_ptr, tag_size, 0, &gc)); +#if defined(ENABLE_CRYPTO_OPENSSL) && OPENSSL_VERSION_NUMBER < 0x10001040L + /* OpenSSL <= 1.0.1c bug requires set tag before processing ciphertext */ + if (!EVP_CIPHER_CTX_ctrl (ctx->cipher, EVP_CTRL_GCM_SET_TAG, tag_size, tag_ptr)) + { + CRYPT_ERROR ("setting tag failed"); + } +#endif + + if (buf->len < 1) + { + CRYPT_ERROR ("missing payload"); + } + + dmsg (D_PACKET_CONTENT, "DECRYPT FROM: %s", format_hex (BPTR(buf), BLEN(buf), 0, &gc)); + + /* Buffer overflow check (should never fail) */ + if (!buf_safe (&work, buf->len + cipher_ctx_block_size(ctx->cipher))) + { + CRYPT_ERROR ("potential buffer overflow"); + } + + { + /* feed in tag and the authenticated data */ + const int ad_size = BPTR (buf) - ad_start - tag_size; + ASSERT (cipher_ctx_update_ad (ctx->cipher, ad_start, ad_size)); + dmsg (D_PACKET_CONTENT, "DECRYPT AD: %s", + format_hex (BPTR (buf) - ad_size - tag_size, ad_size, 0, &gc)); + } + + /* Decrypt and authenticate packet */ + if (!cipher_ctx_update (ctx->cipher, BPTR (&work), &outlen, BPTR (buf), + BLEN (buf))) + { + CRYPT_ERROR ("cipher update failed"); + } + ASSERT (buf_inc_len (&work, outlen)); + if (!cipher_ctx_final_check_tag (ctx->cipher, BPTR (&work) + outlen, + &outlen, tag_ptr, tag_size)) + { + CRYPT_ERROR ("cipher final failed"); + } + ASSERT (buf_inc_len (&work, outlen)); + + dmsg (D_PACKET_CONTENT, "DECRYPT TO: %s", + format_hex (BPTR (&work), BLEN (&work), 80, &gc)); + + if (!crypto_check_replay (opt, &pin, error_prefix, &gc)) + { + goto error_exit; + } + + *buf = work; + + gc_free (&gc); + return true; + + error_exit: + crypto_clear_error(); + buf->len = 0; + gc_free (&gc); + return false; +#else /* HAVE_AEAD_CIPHER_MODES */ + ASSERT (0); + return false; +#endif +} + +/* + * If (opt->flags & CO_USE_IV) is not NULL, we will read an IV from the packet. + * + * Set buf->len to 0 and return false on decrypt error. + * + * On success, buf is set to point to plaintext, true + * is returned. + */ +static bool +openvpn_decrypt_v1 (struct buffer *buf, struct buffer work, + struct crypto_options *opt, const struct frame* frame) { static const char error_prefix[] = "Authenticate/Decrypt packet error"; struct gc_arena gc; gc_init (&gc); - if (buf->len > 0 && opt->key_ctx_bi) + if (buf->len > 0 && opt) { - struct key_ctx *ctx = &opt->key_ctx_bi->decrypt; + const struct key_ctx *ctx = &opt->key_ctx_bi.decrypt; struct packet_id_net pin; bool have_pin = false; + dmsg (D_PACKET_CONTENT, "DECRYPT FROM: %s", + format_hex (BPTR (buf), BLEN (buf), 80, &gc)); + /* Verify the HMAC */ if (ctx->hmac) { @@ -325,7 +598,7 @@ openvpn_decrypt (struct buffer *buf, struct buffer work, { if (cipher_kt_mode_cbc(cipher_kt)) { - if (opt->packet_id) + if (packet_id_initialized(&opt->packet_id)) { if (!packet_id_read (&pin, &work, BOOL_CAST (opt->flags & CO_PACKET_ID_LONG_FORM))) CRYPT_ERROR ("error reading CBC packet-id"); @@ -336,8 +609,9 @@ openvpn_decrypt (struct buffer *buf, struct buffer work, { struct buffer b; - ASSERT (opt->flags & CO_USE_IV); /* IV and packet-ID required */ - ASSERT (opt->packet_id); /* for this mode. */ + /* IV and packet-ID required for this mode. */ + ASSERT (opt->flags & CO_USE_IV); + ASSERT (packet_id_initialized(&opt->packet_id)); buf_set_read (&b, iv_buf, iv_size); if (!packet_id_read (&pin, &b, true)) @@ -353,7 +627,7 @@ openvpn_decrypt (struct buffer *buf, struct buffer work, else { work = *buf; - if (opt->packet_id) + if (packet_id_initialized(&opt->packet_id)) { if (!packet_id_read (&pin, &work, BOOL_CAST (opt->flags & CO_PACKET_ID_LONG_FORM))) CRYPT_ERROR ("error reading packet-id"); @@ -361,22 +635,9 @@ openvpn_decrypt (struct buffer *buf, struct buffer work, } } - if (have_pin) + if (have_pin && !crypto_check_replay(opt, &pin, error_prefix, &gc)) { - packet_id_reap_test (&opt->packet_id->rec); - if (packet_id_test (&opt->packet_id->rec, &pin)) - { - packet_id_add (&opt->packet_id->rec, &pin); - if (opt->pid_persist && (opt->flags & CO_PACKET_ID_LONG_FORM)) - packet_id_persist_save_obj (opt->pid_persist, opt->packet_id); - } - else - { - if (!(opt->flags & CO_MUTE_REPLAY_WARNINGS)) - msg (D_REPLAY_ERRORS, "%s: bad packet ID (may be a replay): %s -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings", - error_prefix, packet_id_net_print (&pin, true, &gc)); - goto error_exit; - } + goto error_exit; } *buf = work; } @@ -391,14 +652,36 @@ openvpn_decrypt (struct buffer *buf, struct buffer work, return false; } -/* - * How many bytes will we add to frame buffer for a given - * set of crypto options? - */ + +bool +openvpn_decrypt (struct buffer *buf, struct buffer work, + struct crypto_options *opt, const struct frame* frame, + const uint8_t *ad_start) +{ + bool ret = false; + + if (buf->len > 0 && opt) + { + const struct key_ctx *ctx = &opt->key_ctx_bi.decrypt; + if (cipher_kt_mode_aead (cipher_ctx_get_cipher_kt (ctx->cipher))) + { + ret = openvpn_decrypt_aead (buf, work, opt, frame, ad_start); + } + else + { + ret = openvpn_decrypt_v1 (buf, work, opt, frame); + } + } + else + { + ret = true; + } + return ret; +} + void crypto_adjust_frame_parameters(struct frame *frame, const struct key_type* kt, - bool cipher_defined, bool use_iv, bool packet_id, bool packet_id_long_form) @@ -408,11 +691,14 @@ crypto_adjust_frame_parameters(struct frame *frame, if (packet_id) crypto_overhead += packet_id_size (packet_id_long_form); - if (cipher_defined) + if (kt->cipher) { if (use_iv) crypto_overhead += cipher_kt_iv_size (kt->cipher); + if (cipher_kt_mode_aead (kt->cipher)) + crypto_overhead += cipher_kt_tag_size (kt->cipher); + /* extra block required by cipher_ctx_update() */ crypto_overhead += cipher_kt_block_size (kt->cipher); } @@ -421,8 +707,16 @@ crypto_adjust_frame_parameters(struct frame *frame, frame_add_to_extra_frame (frame, crypto_overhead); - msg(D_MTU_DEBUG, "%s: Adjusting frame parameters for crypto by %zu bytes", - __func__, crypto_overhead); + msg(D_MTU_DEBUG, "%s: Adjusting frame parameters for crypto by %u bytes", + __func__, (unsigned int) crypto_overhead); +} + +size_t +crypto_max_overhead(void) +{ + return packet_id_size(true) + OPENVPN_MAX_IV_LENGTH + + OPENVPN_MAX_CIPHER_BLOCK_SIZE + + max_int (OPENVPN_MAX_HMAC_SIZE, OPENVPN_AEAD_TAG_LENGTH); } /* @@ -430,39 +724,55 @@ crypto_adjust_frame_parameters(struct frame *frame, */ void init_key_type (struct key_type *kt, const char *ciphername, - bool ciphername_defined, const char *authname, - bool authname_defined, int keysize, - bool cfb_ofb_allowed, bool warn) + const char *authname, int keysize, bool tls_mode, bool warn) { + bool aead_cipher = false; + + ASSERT(ciphername); + ASSERT(authname); + CLEAR (*kt); - if (ciphername && ciphername_defined) + if (strcmp (ciphername, "none") != 0) { kt->cipher = cipher_kt_get (translate_cipher_name_from_openvpn(ciphername)); + if (!kt->cipher) + { + msg (M_FATAL, "Cipher %s not supported", ciphername); + } + kt->cipher_length = cipher_kt_key_size (kt->cipher); if (keysize > 0 && keysize <= MAX_CIPHER_KEY_LENGTH) kt->cipher_length = keysize; /* check legal cipher mode */ - { - if (!(cipher_kt_mode_cbc(kt->cipher) + aead_cipher = cipher_kt_mode_aead(kt->cipher); + if (!(cipher_kt_mode_cbc(kt->cipher) + || (tls_mode && aead_cipher) #ifdef ENABLE_OFB_CFB_MODE - || (cfb_ofb_allowed && cipher_kt_mode_ofb_cfb(kt->cipher)) + || (tls_mode && cipher_kt_mode_ofb_cfb(kt->cipher)) #endif - )) - msg (M_FATAL, "Cipher '%s' mode not supported", ciphername); - } + )) + msg (M_FATAL, "Cipher '%s' mode not supported", ciphername); + + if (OPENVPN_MAX_CIPHER_BLOCK_SIZE < cipher_kt_block_size(kt->cipher)) + msg (M_FATAL, "Cipher '%s' not allowed: block size too big.", ciphername); } else { if (warn) msg (M_WARN, "******* WARNING *******: null cipher specified, no encryption will be used"); } - if (authname && authname_defined) + if (strcmp (authname, "none") != 0) { - kt->digest = md_kt_get (authname); - kt->hmac_length = md_kt_size (kt->digest); + if (!aead_cipher) { /* Ignore auth for AEAD ciphers */ + kt->digest = md_kt_get (authname); + kt->hmac_length = md_kt_size (kt->digest); + + if (OPENVPN_MAX_HMAC_SIZE < kt->hmac_length) + msg (M_FATAL, "HMAC '%s' not allowed: digest size too big.", authname); + } } - else + else if (!aead_cipher) { if (warn) msg (M_WARN, "******* WARNING *******: null MAC specified, no authentication will be used"); @@ -486,15 +796,21 @@ init_key_ctx (struct key_ctx *ctx, struct key *key, msg (D_HANDSHAKE, "%s: Cipher '%s' initialized with %d bit key", prefix, - cipher_kt_name(kt->cipher), + translate_cipher_name_to_openvpn(cipher_kt_name(kt->cipher)), kt->cipher_length *8); dmsg (D_SHOW_KEYS, "%s: CIPHER KEY: %s", prefix, format_hex (key->cipher, kt->cipher_length, 0, &gc)); dmsg (D_CRYPTO_DEBUG, "%s: CIPHER block_size=%d iv_size=%d", - prefix, - cipher_kt_block_size(kt->cipher), - cipher_kt_iv_size(kt->cipher)); + prefix, cipher_kt_block_size(kt->cipher), + cipher_kt_iv_size(kt->cipher)); + if (cipher_kt_block_size(kt->cipher) < 128/8) + { + msg (M_WARN, "WARNING: INSECURE cipher with block size less than 128" + " bit (%d bit). This allows attacks like SWEET32. Mitigate by " + "using a --cipher with a larger block size (e.g. AES-256-CBC).", + cipher_kt_block_size(kt->cipher)*8); + } } if (kt->digest && kt->hmac_length > 0) { @@ -532,6 +848,7 @@ free_key_ctx (struct key_ctx *ctx) free(ctx->hmac); ctx->hmac = NULL; } + ctx->implicit_iv_len = 0; } void @@ -541,7 +858,6 @@ free_key_ctx_bi (struct key_ctx_bi *ctx) free_key_ctx(&ctx->decrypt); } - static bool key_is_zero (struct key *key, const struct key_type *kt) { @@ -621,8 +937,10 @@ check_replay_iv_consistency (const struct key_type *kt, bool packet_id, bool use { ASSERT(kt); - if (cipher_kt_mode_ofb_cfb(kt->cipher) && !(packet_id && use_iv)) - msg (M_FATAL, "--no-replay or --no-iv cannot be used with a CFB or OFB mode cipher"); + if (!(packet_id && use_iv) && (cipher_kt_mode_ofb_cfb(kt->cipher) || + cipher_kt_mode_aead(kt->cipher))) + msg (M_FATAL, "--no-replay or --no-iv cannot be used with a CFB, OFB or " + "AEAD mode cipher"); } /* @@ -688,7 +1006,7 @@ key2_print (const struct key2* k, } void -test_crypto (const struct crypto_options *co, struct frame* frame) +test_crypto (struct crypto_options *co, struct frame* frame) { int i, j; struct gc_arena gc = gc_new (); @@ -697,10 +1015,35 @@ test_crypto (const struct crypto_options *co, struct frame* frame) struct buffer encrypt_workspace = alloc_buf_gc (BUF_SIZE (frame), &gc); struct buffer decrypt_workspace = alloc_buf_gc (BUF_SIZE (frame), &gc); struct buffer buf = clear_buf(); + void *buf_p; /* init work */ ASSERT (buf_init (&work, FRAME_HEADROOM (frame))); +#ifdef HAVE_AEAD_CIPHER_MODES + /* init implicit IV */ + { + const cipher_kt_t *cipher = + cipher_ctx_get_cipher_kt(co->key_ctx_bi.encrypt.cipher); + + if (cipher_kt_mode_aead(cipher)) + { + size_t impl_iv_len = cipher_kt_iv_size(cipher) - sizeof(packet_id_type); + ASSERT (cipher_kt_iv_size(cipher) <= OPENVPN_MAX_IV_LENGTH); + ASSERT (cipher_kt_iv_size(cipher) >= OPENVPN_AEAD_MIN_IV_LEN); + + /* Generate dummy implicit IV */ + ASSERT (rand_bytes(co->key_ctx_bi.encrypt.implicit_iv, + OPENVPN_MAX_IV_LENGTH)); + co->key_ctx_bi.encrypt.implicit_iv_len = impl_iv_len; + + memcpy(co->key_ctx_bi.decrypt.implicit_iv, + co->key_ctx_bi.encrypt.implicit_iv, OPENVPN_MAX_IV_LENGTH); + co->key_ctx_bi.decrypt.implicit_iv_len = impl_iv_len; + } + } +#endif + msg (M_INFO, "Entering " PACKAGE_NAME " crypto self-test mode."); for (i = 1; i <= TUN_MTU_SIZE (frame); ++i) { @@ -718,13 +1061,18 @@ test_crypto (const struct crypto_options *co, struct frame* frame) /* copy source to input buf */ buf = work; - memcpy (buf_write_alloc (&buf, BLEN (&src)), BPTR (&src), BLEN (&src)); + buf_p = buf_write_alloc (&buf, BLEN (&src)); + ASSERT(buf_p); + memcpy (buf_p, BPTR (&src), BLEN (&src)); + + /* initialize work buffer with FRAME_HEADROOM bytes of prepend capacity */ + ASSERT (buf_init (&encrypt_workspace, FRAME_HEADROOM (frame))); /* encrypt */ - openvpn_encrypt (&buf, encrypt_workspace, co, frame); + openvpn_encrypt (&buf, encrypt_workspace, co); /* decrypt */ - openvpn_decrypt (&buf, decrypt_workspace, co, frame); + openvpn_decrypt (&buf, decrypt_workspace, co, frame, BPTR (&buf)); /* compare */ if (buf.len != src.len) @@ -741,90 +1089,47 @@ test_crypto (const struct crypto_options *co, struct frame* frame) gc_free (&gc); } -#ifdef ENABLE_SSL - void -get_tls_handshake_key (const struct key_type *key_type, - struct key_ctx_bi *ctx, - const char *passphrase_file, - const int key_direction, - const unsigned int flags) +crypto_read_openvpn_key (const struct key_type *key_type, + struct key_ctx_bi *ctx, const char *key_file, const char *key_inline, + const int key_direction, const char *key_name, const char *opt_name) { - if (passphrase_file && key_type->hmac_length) - { - struct key2 key2; - struct key_type kt = *key_type; - struct key_direction_state kds; - - /* for control channel we are only authenticating, not encrypting */ - kt.cipher_length = 0; - kt.cipher = NULL; - - if (flags & GHK_INLINE) - { - /* key was specified inline, key text is in passphrase_file */ - read_key_file (&key2, passphrase_file, RKF_INLINE|RKF_MUST_SUCCEED); - - /* succeeded? */ - if (key2.n == 2) - msg (M_INFO, "Control Channel Authentication: tls-auth using INLINE static key file"); - else - msg (M_FATAL, "INLINE tls-auth file lacks the requisite 2 keys"); - } - else - { - /* first try to parse as an OpenVPN static key file */ - read_key_file (&key2, passphrase_file, 0); - - /* succeeded? */ - if (key2.n == 2) - { - msg (M_INFO, - "Control Channel Authentication: using '%s' as a " PACKAGE_NAME " static key file", - passphrase_file); - } - else - { - int hash_size; - - CLEAR (key2); - - /* failed, now try to get hash from a freeform file */ - hash_size = read_passphrase_hash (passphrase_file, - kt.digest, - key2.keys[0].hmac, - MAX_HMAC_KEY_LENGTH); - ASSERT (hash_size == kt.hmac_length); + struct key2 key2; + struct key_direction_state kds; + char log_prefix[128] = { 0 }; - /* suceeded */ - key2.n = 1; + if (key_inline) + { + read_key_file (&key2, key_inline, RKF_MUST_SUCCEED|RKF_INLINE); + } + else + { + read_key_file (&key2, key_file, RKF_MUST_SUCCEED); + } - msg (M_INFO, - "Control Channel Authentication: using '%s' as a free-form passphrase file", - passphrase_file); - msg (M_WARN, "DEPRECATED OPTION: Using freeform files for tls-auth is deprecated and is not supported in OpenVPN 2.4 or newer versions"); - } - } - /* handle key direction */ + if (key2.n != 2) + { + msg (M_ERR, "File '%s' does not have OpenVPN Static Key format. Using " + "free-form passphrase file is not supported anymore.", key_file); + } - key_direction_state_init (&kds, key_direction); - must_have_n_keys (passphrase_file, "tls-auth", &key2, kds.need_keys); + /* check for and fix highly unlikely key problems */ + verify_fix_key2 (&key2, key_type, key_file); - /* initialize hmac key in both directions */ + /* handle key direction */ + key_direction_state_init (&kds, key_direction); + must_have_n_keys (key_file, opt_name, &key2, kds.need_keys); - init_key_ctx (&ctx->encrypt, &key2.keys[kds.out_key], &kt, OPENVPN_OP_ENCRYPT, - "Outgoing Control Channel Authentication"); - init_key_ctx (&ctx->decrypt, &key2.keys[kds.in_key], &kt, OPENVPN_OP_DECRYPT, - "Incoming Control Channel Authentication"); + /* initialize key in both directions */ + openvpn_snprintf (log_prefix, sizeof (log_prefix), "Outgoing %s", key_name); + init_key_ctx (&ctx->encrypt, &key2.keys[kds.out_key], key_type, + OPENVPN_OP_ENCRYPT, log_prefix); + openvpn_snprintf (log_prefix, sizeof (log_prefix), "Incoming %s", key_name); + init_key_ctx (&ctx->decrypt, &key2.keys[kds.in_key], key_type, + OPENVPN_OP_DECRYPT, log_prefix); - CLEAR (key2); - } - else - { - CLEAR (*ctx); - } + CLEAR (key2); } -#endif /* header and footer for static key file */ static const char static_key_head[] = "-----BEGIN OpenVPN Static key V1-----"; @@ -1002,9 +1307,6 @@ read_key_file (struct key2 *key2, const char *file, const unsigned int flags) if (!(flags & RKF_INLINE)) buf_clear (&in); - if (key2->n) - warn_if_group_others_accessible (error_filename); - #if 0 /* DEBUGGING */ { @@ -1028,55 +1330,6 @@ read_key_file (struct key2 *key2, const char *file, const unsigned int flags) gc_free (&gc); } -int -read_passphrase_hash (const char *passphrase_file, - const md_kt_t *digest, - uint8_t *output, - int len) -{ - unsigned int outlen = 0; - md_ctx_t md; - - ASSERT (len >= md_kt_size(digest)); - memset (output, 0, len); - - md_ctx_init(&md, digest); - - /* read passphrase file */ - { - const int min_passphrase_size = 8; - uint8_t buf[64]; - int total_size = 0; - int fd = platform_open (passphrase_file, O_RDONLY, 0); - - if (fd == -1) - msg (M_ERR, "Cannot open passphrase file: '%s'", passphrase_file); - - for (;;) - { - int size = read (fd, buf, sizeof (buf)); - if (size == 0) - break; - if (size == -1) - msg (M_ERR, "Read error on passphrase file: '%s'", - passphrase_file); - md_ctx_update(&md, buf, size); - total_size += size; - } - close (fd); - - warn_if_group_others_accessible (passphrase_file); - - if (total_size < min_passphrase_size) - msg (M_FATAL, - "Passphrase file '%s' is too small (must have at least %d characters)", - passphrase_file, min_passphrase_size); - } - md_ctx_final(&md, output); - md_ctx_cleanup(&md); - return md_kt_size(digest); -} - /* * Write key to file, return number of random bits * written. @@ -1367,7 +1620,6 @@ prng_bytes (uint8_t *output, int len) const int md_size = md_kt_size (nonce_md); while (len > 0) { - unsigned int outlen = 0; const int blen = min_int (len, md_size); md_full(nonce_md, nonce_data, md_size + nonce_secret_len, nonce_data); memcpy (output, nonce_data, blen); @@ -1397,79 +1649,42 @@ get_random() return l; } -#ifndef ENABLE_SSL +static const cipher_name_pair * +get_cipher_name_pair(const char *cipher_name) { + const cipher_name_pair *pair; + size_t i = 0; -void -init_ssl_lib (void) -{ - crypto_init_lib (); -} + /* Search for a cipher name translation */ + for (; i < cipher_name_translation_table_count; i++) + { + pair = &cipher_name_translation_table[i]; + if (0 == strcmp (cipher_name, pair->openvpn_name) || + 0 == strcmp (cipher_name, pair->lib_name)) + return pair; + } -void -free_ssl_lib (void) -{ - crypto_uninit_lib (); - prng_uninit(); + /* Nothing found, return null */ + return NULL; } -#endif /* ENABLE_SSL */ - -/* - * md5 functions - */ - const char * -md5sum (uint8_t *buf, int len, int n_print_chars, struct gc_arena *gc) -{ - uint8_t digest[MD5_DIGEST_LENGTH]; - const md_kt_t *md5_kt = md_kt_get("MD5"); - - md_full(md5_kt, buf, len, digest); - - return format_hex (digest, MD5_DIGEST_LENGTH, n_print_chars, gc); -} - -void -md5_state_init (struct md5_state *s) -{ - const md_kt_t *md5_kt = md_kt_get("MD5"); - - md_ctx_init(&s->ctx, md5_kt); -} +translate_cipher_name_from_openvpn (const char *cipher_name) { + const cipher_name_pair *pair = get_cipher_name_pair(cipher_name); -void -md5_state_update (struct md5_state *s, void *data, size_t len) -{ - md_ctx_update(&s->ctx, data, len); -} + if (NULL == pair) + return cipher_name; -void -md5_state_final (struct md5_state *s, struct md5_digest *out) -{ - md_ctx_final(&s->ctx, out->digest); - md_ctx_cleanup(&s->ctx); + return pair->lib_name; } -void -md5_digest_clear (struct md5_digest *digest) -{ - CLEAR (*digest); -} +const char * +translate_cipher_name_to_openvpn (const char *cipher_name) { + const cipher_name_pair *pair = get_cipher_name_pair(cipher_name); -bool -md5_digest_defined (const struct md5_digest *digest) -{ - int i; - for (i = 0; i < MD5_DIGEST_LENGTH; ++i) - if (digest->digest[i]) - return true; - return false; -} + if (NULL == pair) + return cipher_name; -bool -md5_digest_equal (const struct md5_digest *d1, const struct md5_digest *d2) -{ - return memcmp(d1->digest, d2->digest, MD5_DIGEST_LENGTH) == 0; + return pair->openvpn_name; } #endif /* ENABLE_CRYPTO */ diff --git a/src/openvpn/crypto.h b/src/openvpn/crypto.h index e489827..ff90745 100644 --- a/src/openvpn/crypto.h +++ b/src/openvpn/crypto.h @@ -86,6 +86,30 @@ * <tt> [ HMAC ] [ - IV - ] [ * packet payload * ] </tt> * * @par + * <b>GCM data channel crypto format</b> \n + * GCM modes are only supported in TLS mode. In these modes, the IV consists of + * the 32-bit packet counter followed by data from the HMAC key. The HMAC key + * can be used as IV, since in GCM and CCM modes the HMAC key is not used for + * the HMAC. The packet counter may not roll over within a single TLS sessions. + * This results in a unique IV for each packet, as required by GCM. + * + * @par + * The HMAC key data is pre-shared during the connection setup, and thus can be + * omitted in on-the-wire packets, saving 8 bytes per packet (for GCM and CCM). + * + * @par + * In GCM mode, P_DATA_V2 headers (the opcode and peer-id) are also + * authenticated as Additional Data. + * + * @par + * <i>GCM IV format:</i> \n + * <tt> [ - packet ID - ] [ - HMAC key data - ] </tt>\n + * <i>P_DATA_V1 GCM data channel crypto format:</i> \n + * <tt> [ opcode ] [ - packet ID - ] [ TAG ] [ * packet payload * ] </tt> + * <i>P_DATA_V2 GCM data channel crypto format:</i> \n + * <tt> [ - opcode/peer-id - ] [ - packet ID - ] [ TAG ] [ * packet payload * ] </tt> + * + * @par * <b>No-crypto data channel format</b> \n * In no-crypto mode (\c \-\-cipher \c none is specified), both TLS-mode and * static key mode are supported. No encryption will be performed on the packet, @@ -108,6 +132,11 @@ #include "packet_id.h" #include "mtu.h" +/** Wrapper struct to pass around MD5 digests */ +struct md5_digest { + uint8_t digest[MD5_DIGEST_LENGTH]; +}; + /* * Defines a key type and key length for both cipher and HMAC. */ @@ -133,13 +162,16 @@ struct key /** - * Container for one set of OpenSSL cipher and/or HMAC contexts. + * Container for one set of cipher and/or HMAC contexts. * @ingroup control_processor */ struct key_ctx { cipher_ctx_t *cipher; /**< Generic cipher %context. */ - hmac_ctx_t *hmac; /**< Generic HMAC %context. */ + hmac_ctx_t *hmac; /**< Generic HMAC %context. */ + uint8_t implicit_iv[OPENVPN_MAX_IV_LENGTH]; + /**< The implicit part of the IV */ + size_t implicit_iv_len; /**< The length of implicit_iv */ }; #define KEY_DIRECTION_BIDIRECTIONAL 0 /* same keys for both directions */ @@ -190,10 +222,11 @@ struct key_direction_state */ struct key_ctx_bi { - struct key_ctx encrypt; /**< OpenSSL cipher and/or HMAC contexts - * for sending direction. */ - struct key_ctx decrypt; /**< OpenSSL cipher and/or HMAC contexts - * for receiving direction. */ + struct key_ctx encrypt; /**< Cipher and/or HMAC contexts for sending + * direction. */ + struct key_ctx decrypt; /**< cipher and/or HMAC contexts for + * receiving direction. */ + bool initialized; }; /** @@ -202,11 +235,11 @@ struct key_ctx_bi */ struct crypto_options { - struct key_ctx_bi *key_ctx_bi; + struct key_ctx_bi key_ctx_bi; /**< OpenSSL cipher and HMAC contexts for * both sending and receiving * directions. */ - struct packet_id *packet_id; /**< Current packet ID state for both + struct packet_id packet_id; /**< Current packet ID state for both * sending and receiving directions. */ struct packet_id_persist *pid_persist; /**< Persistent packet ID state for @@ -233,6 +266,15 @@ struct crypto_options * security operation functions. */ }; +#define CRYPT_ERROR(format) \ + do { msg (D_CRYPT_ERRORS, "%s: " format, error_prefix); goto error_exit; } while (false) + +/** + * Minimal IV length for AEAD mode ciphers (in bytes): + * 4-byte packet id + 8 bytes implicit IV. + */ +#define OPENVPN_AEAD_MIN_IV_LEN (sizeof (packet_id_type) + 8) + #define RKF_MUST_SUCCEED (1<<0) #define RKF_INLINE (1<<1) void read_key_file (struct key2 *key2, const char *file, const unsigned int flags); @@ -257,9 +299,20 @@ bool write_key (const struct key *key, const struct key_type *kt, int read_key (struct key *key, const struct key_type *kt, struct buffer *buf); +/** + * Initialize a key_type structure with. + * + * @param kt The struct key_type to initialize + * @param ciphername The name of the cipher to use + * @param authname The name of the HMAC digest to use + * @param keysize The length of the cipher key to use, in bytes. Only valid + * for ciphers that support variable length keys. + * @param tls_mode Specifies wether we are running in TLS mode, which allows + * more ciphers than static key mode. + * @param warn Print warnings when null cipher / auth is used. + */ void init_key_type (struct key_type *kt, const char *ciphername, - bool ciphername_defined, const char *authname, bool authname_defined, - int keysize, bool cfb_ofb_allowed, bool warn); + const char *authname, int keysize, bool tls_mode, bool warn); /* * Key context functions @@ -296,18 +349,16 @@ void free_key_ctx_bi (struct key_ctx_bi *ctx); * * @param buf - The %buffer containing the packet on which to * perform security operations. - * @param work - A working %buffer. + * @param work - An initialized working %buffer. * @param opt - The security parameter state for this VPN tunnel. - * @param frame - The packet geometry parameters for this VPN - * tunnel. + * * @return This function returns void.\n On return, the \a buf argument * will point to the resulting %buffer. This %buffer will either * contain the processed packet ready for sending, or be empty if an * error occurred. */ void openvpn_encrypt (struct buffer *buf, struct buffer work, - const struct crypto_options *opt, - const struct frame* frame); + struct crypto_options *opt); /** @@ -333,6 +384,8 @@ void openvpn_encrypt (struct buffer *buf, struct buffer work, * @param opt - The security parameter state for this VPN tunnel. * @param frame - The packet geometry parameters for this VPN * tunnel. + * @param ad_start - A pointer into buf, indicating from where to start + * authenticating additional data (AEAD mode only). * * @return * @li True, if the packet was authenticated and decrypted successfully. @@ -342,18 +395,35 @@ void openvpn_encrypt (struct buffer *buf, struct buffer work, * an error occurred. */ bool openvpn_decrypt (struct buffer *buf, struct buffer work, - const struct crypto_options *opt, - const struct frame* frame); + struct crypto_options *opt, const struct frame* frame, + const uint8_t *ad_start); /** @} name Functions for performing security operations on data channel packets */ +/** + * Check packet ID for replay, and perform replay administration. + * + * @param opt Crypto options for this packet, contains replay state. + * @param pin Packet ID read from packet. + * @param error_prefix Prefix to use when printing error messages. + * @param gc Garbage collector to use. + * + * @return true if packet ID is validated to be not a replay, false otherwise. + */ +bool crypto_check_replay(struct crypto_options *opt, + const struct packet_id_net *pin, const char *error_prefix, + struct gc_arena *gc); + + +/** Calculate crypto overhead and adjust frame to account for that */ void crypto_adjust_frame_parameters(struct frame *frame, const struct key_type* kt, - bool cipher_defined, bool use_iv, bool packet_id, bool packet_id_long_form); +/** Return the worst-case OpenVPN crypto overhead (in bytes) */ +size_t crypto_max_overhead(void); /* Minimum length of the nonce used by the PRNG */ #define NONCE_SECRET_LEN_MIN 16 @@ -392,7 +462,7 @@ void prng_bytes (uint8_t *output, int len); void prng_uninit (); -void test_crypto (const struct crypto_options *co, struct frame* f); +void test_crypto (struct crypto_options *co, struct frame* f); /* key direction functions */ @@ -413,45 +483,31 @@ void key2_print (const struct key2* k, const char* prefix0, const char* prefix1); -#ifdef ENABLE_SSL - -#define GHK_INLINE (1<<0) -void get_tls_handshake_key (const struct key_type *key_type, - struct key_ctx_bi *ctx, - const char *passphrase_file, - const int key_direction, - const unsigned int flags); - -#else - -void init_ssl_lib (void); -void free_ssl_lib (void); - -#endif /* ENABLE_SSL */ +void crypto_read_openvpn_key (const struct key_type *key_type, + struct key_ctx_bi *ctx, const char *key_file, const char *key_inline, + const int key_direction, const char *key_name, const char *opt_name); /* - * md5 functions + * Inline functions */ -struct md5_state { - md_ctx_t ctx; -}; - -struct md5_digest { - uint8_t digest [MD5_DIGEST_LENGTH]; -}; - -const char *md5sum(uint8_t *buf, int len, int n_print_chars, struct gc_arena *gc); -void md5_state_init (struct md5_state *s); -void md5_state_update (struct md5_state *s, void *data, size_t len); -void md5_state_final (struct md5_state *s, struct md5_digest *out); -void md5_digest_clear (struct md5_digest *digest); -bool md5_digest_defined (const struct md5_digest *digest); -bool md5_digest_equal (const struct md5_digest *d1, const struct md5_digest *d2); - -/* - * Inline functions +/** + * As memcmp(), but constant-time. + * Returns 0 when data is equal, non-zero otherwise. */ +static inline int +memcmp_constant_time (const void *a, const void *b, size_t size) { + const uint8_t * a1 = a; + const uint8_t * b1 = b; + int ret = 0; + size_t i; + + for (i = 0; i < size; i++) { + ret |= *a1++ ^ *b1++; + } + + return ret; +} static inline bool key_ctx_bi_defined(const struct key_ctx_bi* key) diff --git a/src/openvpn/crypto_backend.h b/src/openvpn/crypto_backend.h index 4c1ce9f..bf7d78c 100644 --- a/src/openvpn/crypto_backend.h +++ b/src/openvpn/crypto_backend.h @@ -33,11 +33,29 @@ #ifdef ENABLE_CRYPTO_OPENSSL #include "crypto_openssl.h" #endif -#ifdef ENABLE_CRYPTO_POLARSSL -#include "crypto_polarssl.h" +#ifdef ENABLE_CRYPTO_MBEDTLS +#include "crypto_mbedtls.h" #endif #include "basic.h" +/* TLS uses a tag of 128 bytes, let's do the same for OpenVPN */ +#define OPENVPN_AEAD_TAG_LENGTH 16 + +/* Maximum cipher block size (bytes) */ +#define OPENVPN_MAX_CIPHER_BLOCK_SIZE 32 + +/* Maximum HMAC digest size (bytes) */ +#define OPENVPN_MAX_HMAC_SIZE 64 + +/** Struct used in cipher name translation table */ +typedef struct { + const char *openvpn_name; /**< Cipher name used by OpenVPN */ + const char *lib_name; /**< Cipher name used by crypto library */ +} cipher_name_pair; + +/** Cipher name translation table */ +extern const cipher_name_pair cipher_name_translation_table[]; +extern const size_t cipher_name_translation_table_count; /* * This routine should have additional OpenSSL crypto library initialisations @@ -177,7 +195,8 @@ void cipher_des_encrypt_ecb (const unsigned char key[DES_KEY_LENGTH], * \c AES-128-CBC). * * @return A statically allocated structure containing parameters - * for the given cipher. + * for the given cipher, or NULL if no matching parameters + * were found. */ const cipher_kt_t * cipher_kt_get (const char *ciphername); @@ -221,6 +240,16 @@ int cipher_kt_iv_size (const cipher_kt_t *cipher_kt); int cipher_kt_block_size (const cipher_kt_t *cipher_kt); /** + * Returns the MAC tag size of the cipher, in bytes. + * + * @param ctx Static cipher parameters. + * + * @return Tag size in bytes, or 0 if the tag size could not be + * determined. + */ +int cipher_kt_tag_size (const cipher_kt_t *cipher_kt); + +/** * Returns the mode that the cipher runs in. * * @param cipher_kt Static cipher parameters. May not be NULL. @@ -248,6 +277,15 @@ bool cipher_kt_mode_cbc(const cipher_kt_t *cipher); */ bool cipher_kt_mode_ofb_cfb(const cipher_kt_t *cipher); +/** + * Check if the supplied cipher is a supported AEAD mode cipher. + * + * @param cipher Static cipher parameters. + * + * @return true iff the cipher is a AEAD mode cipher. + */ +bool cipher_kt_mode_aead(const cipher_kt_t *cipher); + /** * @@ -263,7 +301,7 @@ bool cipher_kt_mode_ofb_cfb(const cipher_kt_t *cipher); * @param key_len Length of the key, in bytes * @param kt Static cipher parameters to use * @param enc Whether to encrypt or decrypt (either - * \c POLARSSL_OP_ENCRYPT or \c POLARSSL_OP_DECRYPT). + * \c MBEDTLS_OP_ENCRYPT or \c MBEDTLS_OP_DECRYPT). */ void cipher_ctx_init (cipher_ctx_t *ctx, uint8_t *key, int key_len, const cipher_kt_t *kt, int enc); @@ -287,6 +325,15 @@ void cipher_ctx_cleanup (cipher_ctx_t *ctx); int cipher_ctx_iv_length (const cipher_ctx_t *ctx); /** + * Gets the computed message authenticated code (MAC) tag for this cipher. + * + * @param ctx The cipher's context + * @param tag The buffer to write computed tag in. + * @param tag_size The tag buffer size, in bytes. + */ +int cipher_ctx_get_tag (cipher_ctx_t *ctx, uint8_t* tag, int tag_len); + +/** * Returns the block size of the cipher, in bytes. * * @param ctx The cipher's context @@ -308,12 +355,12 @@ int cipher_ctx_mode (const cipher_ctx_t *ctx); /** * Returns the static cipher parameters for this context. * - * @param ctx Cipher's context. May not be NULL. + * @param ctx Cipher's context. * - * @return Static cipher parameters for the supplied context. + * @return Static cipher parameters for the supplied context, or + * NULL if unable to determine cipher parameters. */ -const cipher_kt_t *cipher_ctx_get_cipher_kt (const cipher_ctx_t *ctx) - __attribute__((nonnull)); +const cipher_kt_t *cipher_ctx_get_cipher_kt (const cipher_ctx_t *ctx); /** * Resets the given cipher context, setting the IV to the specified value. @@ -327,6 +374,18 @@ const cipher_kt_t *cipher_ctx_get_cipher_kt (const cipher_ctx_t *ctx) int cipher_ctx_reset (cipher_ctx_t *ctx, uint8_t *iv_buf); /** + * Updates the given cipher context, providing additional data (AD) for + * authenticated encryption with additional data (AEAD) cipher modes. + * + * @param ctx Cipher's context. May not be NULL. + * @param src Source buffer + * @param src_len Length of the source buffer, in bytes + * + * @return \c 0 on failure, \c 1 on success. + */ +int cipher_ctx_update_ad (cipher_ctx_t *ctx, const uint8_t *src, int src_len); + +/** * Updates the given cipher context, encrypting data in the source buffer, and * placing any complete blocks in the destination buffer. * @@ -358,6 +417,23 @@ int cipher_ctx_update (cipher_ctx_t *ctx, uint8_t *dst, int *dst_len, */ int cipher_ctx_final (cipher_ctx_t *ctx, uint8_t *dst, int *dst_len); +/** + * Like \c cipher_ctx_final, but check the computed authentication tag against + * the supplied (expected) tag. This function reports failure when the tags + * don't match. + * + * @param ctx Cipher's context. May not be NULL. + * @param dst Destination buffer. + * @param dst_len Length of the destination buffer, in bytes. + * @param tag The expected authentication tag. + * @param tag_len The length of tag, in bytes. + * + * @return \c 0 on failure, \c 1 on success. + */ +int cipher_ctx_final_check_tag (cipher_ctx_t *ctx, uint8_t *dst, int *dst_len, + uint8_t *tag, size_t tag_len); + + /* * * Generic message digest information functions @@ -525,4 +601,24 @@ void hmac_ctx_update (hmac_ctx_t *ctx, const uint8_t *src, int src_len); */ void hmac_ctx_final (hmac_ctx_t *ctx, uint8_t *dst); +/** + * Translate an OpenVPN cipher name to a crypto library cipher name. + * + * @param cipher_name An OpenVPN cipher name + * + * @return The corresponding crypto library cipher name, or NULL + * if no matching cipher name was found. + */ +const char * translate_cipher_name_from_openvpn (const char *cipher_name); + +/** + * Translate a crypto library cipher name to an OpenVPN cipher name. + * + * @param cipher_name A crypto library cipher name + * + * @return The corresponding OpenVPN cipher name, or NULL if no + * matching cipher name was found. + */ +const char * translate_cipher_name_to_openvpn (const char *cipher_name); + #endif /* CRYPTO_BACKEND_H_ */ diff --git a/src/openvpn/crypto_mbedtls.c b/src/openvpn/crypto_mbedtls.c new file mode 100644 index 0000000..6ad5924 --- /dev/null +++ b/src/openvpn/crypto_mbedtls.c @@ -0,0 +1,785 @@ +/* + * OpenVPN -- An application to securely tunnel IP networks + * over a single TCP/UDP port, with support for SSL/TLS-based + * session authentication and key exchange, + * packet encryption, packet authentication, and + * packet compression. + * + * Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net> + * Copyright (C) 2010 Fox Crypto B.V. <openvpn@fox-it.com> + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + */ + +/** + * @file Data Channel Cryptography mbed TLS-specific backend interface + */ + +#ifdef HAVE_CONFIG_H +#include "config.h" +#elif defined(_MSC_VER) +#include "config-msvc.h" +#endif + +#include "syshead.h" + +#if defined(ENABLE_CRYPTO) && defined(ENABLE_CRYPTO_MBEDTLS) + +#include "errlevel.h" +#include "basic.h" +#include "buffer.h" +#include "integer.h" +#include "crypto_backend.h" +#include "otime.h" +#include "misc.h" + +#include <mbedtls/des.h> +#include <mbedtls/error.h> +#include <mbedtls/md5.h> +#include <mbedtls/cipher.h> +#include <mbedtls/havege.h> + +#include <mbedtls/entropy.h> + + +/* + * + * Hardware engine support. Allows loading/unloading of engines. + * + */ + +void +crypto_init_lib_engine (const char *engine_name) +{ + msg (M_WARN, "Note: mbed TLS hardware crypto engine functionality is not " + "available"); +} + +/* + * + * Functions related to the core crypto library + * + */ + +void +crypto_init_lib (void) +{ +} + +void +crypto_uninit_lib (void) +{ +} + +void +crypto_clear_error (void) +{ +} + +bool mbed_log_err(unsigned int flags, int errval, const char *prefix) +{ + if (0 != errval) + { + char errstr[256]; + mbedtls_strerror(errval, errstr, sizeof(errstr)); + + if (NULL == prefix) prefix = "mbed TLS error"; + msg (flags, "%s: %s", prefix, errstr); + } + + return 0 == errval; +} + +bool mbed_log_func_line(unsigned int flags, int errval, const char *func, + int line) +{ + char prefix[256]; + + if (!openvpn_snprintf(prefix, sizeof(prefix), "%s:%d", func, line)) + return mbed_log_err(flags, errval, func); + + return mbed_log_err(flags, errval, prefix); +} + + +#ifdef DMALLOC +void +crypto_init_dmalloc (void) +{ + msg (M_ERR, "Error: dmalloc support is not available for mbed TLS."); +} +#endif /* DMALLOC */ + +const cipher_name_pair cipher_name_translation_table[] = { + { "BF-CBC", "BLOWFISH-CBC" }, + { "BF-CFB", "BLOWFISH-CFB64" }, + { "CAMELLIA-128-CFB", "CAMELLIA-128-CFB128" }, + { "CAMELLIA-192-CFB", "CAMELLIA-192-CFB128" }, + { "CAMELLIA-256-CFB", "CAMELLIA-256-CFB128" } +}; +const size_t cipher_name_translation_table_count = + sizeof (cipher_name_translation_table) / sizeof (*cipher_name_translation_table); + +static void print_cipher(const cipher_kt_t *info) +{ + if (info && (cipher_kt_mode_cbc(info) +#ifdef HAVE_AEAD_CIPHER_MODES + || cipher_kt_mode_aead(info) +#endif + )) + { + const char *ssl_only = cipher_kt_mode_cbc(info) ? + "" : ", TLS client/server mode only"; + const char *var_key_size = info->flags & MBEDTLS_CIPHER_VARIABLE_KEY_LEN ? + " by default" : ""; + + printf ("%s (%d bit key%s, %d bit block%s)\n", + cipher_kt_name(info), cipher_kt_key_size(info) * 8, var_key_size, + cipher_kt_block_size(info) * 8, ssl_only); + } +} + +void +show_available_ciphers () +{ + const int *ciphers = mbedtls_cipher_list(); + +#ifndef ENABLE_SMALL + printf ("The following ciphers and cipher modes are available for use\n" + "with " PACKAGE_NAME ". Each cipher shown below may be used as a\n" + "parameter to the --cipher option. Using a CBC or GCM mode is\n" + "recommended. In static key mode only CBC mode is allowed.\n\n"); +#endif + + while (*ciphers != 0) + { + const cipher_kt_t *info = mbedtls_cipher_info_from_type(*ciphers); + if (info && cipher_kt_block_size(info) >= 128/8) + { + print_cipher(info); + } + ciphers++; + } + + printf ("\nThe following ciphers have a block size of less than 128 bits, \n" + "and are therefore deprecated. Do not use unless you have to.\n\n"); + ciphers = mbedtls_cipher_list(); + while (*ciphers != 0) + { + const cipher_kt_t *info = mbedtls_cipher_info_from_type(*ciphers); + if (info && cipher_kt_block_size(info) < 128/8) + { + print_cipher(info); + } + ciphers++; + } + printf ("\n"); +} + +void +show_available_digests () +{ + const int *digests = mbedtls_md_list(); + +#ifndef ENABLE_SMALL + printf ("The following message digests are available for use with\n" + PACKAGE_NAME ". A message digest is used in conjunction with\n" + "the HMAC function, to authenticate received packets.\n" + "You can specify a message digest as parameter to\n" + "the --auth option.\n\n"); +#endif + + while (*digests != 0) + { + const mbedtls_md_info_t *info = mbedtls_md_info_from_type(*digests); + + if (info) + printf ("%s %d bit default key\n", mbedtls_md_get_name(info), + mbedtls_md_get_size(info) * 8); + digests++; + } + printf ("\n"); +} + +void +show_available_engines () +{ + printf ("Sorry, mbed TLS hardware crypto engine functionality is not " + "available\n"); +} + +/* + * + * Random number functions, used in cases where we want + * reasonably strong cryptographic random number generation + * without depleting our entropy pool. Used for random + * IV values and a number of other miscellaneous tasks. + * + */ + +/* + * Initialise the given ctr_drbg context, using a personalisation string and an + * entropy gathering function. + */ +mbedtls_ctr_drbg_context * rand_ctx_get() +{ + static mbedtls_entropy_context ec = {0}; + static mbedtls_ctr_drbg_context cd_ctx = {0}; + static bool rand_initialised = false; + + if (!rand_initialised) + { + struct gc_arena gc = gc_new(); + struct buffer pers_string = alloc_buf_gc(100, &gc); + + /* + * Personalisation string, should be as unique as possible (see NIST + * 800-90 section 8.7.1). We have very little information at this stage. + * Include Program Name, memory address of the context and PID. + */ + buf_printf(&pers_string, "OpenVPN %0u %p %s", platform_getpid(), &cd_ctx, time_string(0, 0, 0, &gc)); + + /* Initialise mbed TLS RNG, and built-in entropy sources */ + mbedtls_entropy_init(&ec); + + mbedtls_ctr_drbg_init(&cd_ctx); + if (!mbed_ok(mbedtls_ctr_drbg_seed(&cd_ctx, mbedtls_entropy_func, &ec, + BPTR(&pers_string), BLEN(&pers_string)))) + msg (M_FATAL, "Failed to initialize random generator"); + + gc_free(&gc); + rand_initialised = true; + } + + return &cd_ctx; +} + +#ifdef ENABLE_PREDICTION_RESISTANCE +void rand_ctx_enable_prediction_resistance() +{ + mbedtls_ctr_drbg_context *cd_ctx = rand_ctx_get(); + + mbedtls_ctr_drbg_set_prediction_resistance(cd_ctx, 1); +} +#endif /* ENABLE_PREDICTION_RESISTANCE */ + +int +rand_bytes (uint8_t *output, int len) +{ + mbedtls_ctr_drbg_context *rng_ctx = rand_ctx_get(); + + while (len > 0) + { + const size_t blen = min_int (len, MBEDTLS_CTR_DRBG_MAX_REQUEST); + if (0 != mbedtls_ctr_drbg_random(rng_ctx, output, blen)) + return 0; + + output += blen; + len -= blen; + } + + return 1; +} + +/* + * + * Key functions, allow manipulation of keys. + * + */ + + +int +key_des_num_cblocks (const mbedtls_cipher_info_t *kt) +{ + int ret = 0; + if (kt->type == MBEDTLS_CIPHER_DES_CBC) + ret = 1; + if (kt->type == MBEDTLS_CIPHER_DES_EDE_CBC) + ret = 2; + if (kt->type == MBEDTLS_CIPHER_DES_EDE3_CBC) + ret = 3; + + dmsg (D_CRYPTO_DEBUG, "CRYPTO INFO: n_DES_cblocks=%d", ret); + return ret; +} + +bool +key_des_check (uint8_t *key, int key_len, int ndc) +{ + int i; + struct buffer b; + + buf_set_read (&b, key, key_len); + + for (i = 0; i < ndc; ++i) + { + unsigned char *key = buf_read_alloc(&b, MBEDTLS_DES_KEY_SIZE); + if (!key) + { + msg (D_CRYPT_ERRORS, "CRYPTO INFO: check_key_DES: insufficient key material"); + goto err; + } + if (0 != mbedtls_des_key_check_weak(key)) + { + msg (D_CRYPT_ERRORS, "CRYPTO INFO: check_key_DES: weak key detected"); + goto err; + } + if (0 != mbedtls_des_key_check_key_parity(key)) + { + msg (D_CRYPT_ERRORS, "CRYPTO INFO: check_key_DES: bad parity detected"); + goto err; + } + } + return true; + + err: + return false; +} + +void +key_des_fixup (uint8_t *key, int key_len, int ndc) +{ + int i; + struct buffer b; + + buf_set_read (&b, key, key_len); + for (i = 0; i < ndc; ++i) + { + unsigned char *key = buf_read_alloc(&b, MBEDTLS_DES_KEY_SIZE); + if (!key) + { + msg (D_CRYPT_ERRORS, "CRYPTO INFO: fixup_key_DES: insufficient key material"); + return; + } + mbedtls_des_key_set_parity(key); + } +} + +/* + * + * Generic cipher key type functions + * + */ + + +const mbedtls_cipher_info_t * +cipher_kt_get (const char *ciphername) +{ + const mbedtls_cipher_info_t *cipher = NULL; + + ASSERT (ciphername); + + cipher = mbedtls_cipher_info_from_string(ciphername); + + if (NULL == cipher) + { + msg (D_LOW, "Cipher algorithm '%s' not found", ciphername); + return NULL; + } + + if (cipher->key_bitlen/8 > MAX_CIPHER_KEY_LENGTH) + { + msg (D_LOW, "Cipher algorithm '%s' uses a default key size (%d bytes) " + "which is larger than " PACKAGE_NAME "'s current maximum key size " + "(%d bytes)", ciphername, cipher->key_bitlen/8, MAX_CIPHER_KEY_LENGTH); + return NULL; + } + + return cipher; +} + +const char * +cipher_kt_name (const mbedtls_cipher_info_t *cipher_kt) +{ + if (NULL == cipher_kt) + return "[null-cipher]"; + + return translate_cipher_name_to_openvpn(cipher_kt->name); +} + +int +cipher_kt_key_size (const mbedtls_cipher_info_t *cipher_kt) +{ + if (NULL == cipher_kt) + return 0; + + return cipher_kt->key_bitlen/8; +} + +int +cipher_kt_iv_size (const mbedtls_cipher_info_t *cipher_kt) +{ + if (NULL == cipher_kt) + return 0; + return cipher_kt->iv_size; +} + +int +cipher_kt_block_size (const mbedtls_cipher_info_t *cipher_kt) +{ + if (NULL == cipher_kt) + return 0; + return cipher_kt->block_size; +} + +int +cipher_kt_tag_size (const mbedtls_cipher_info_t *cipher_kt) +{ +#ifdef HAVE_AEAD_CIPHER_MODES + if (cipher_kt && cipher_kt_mode_aead(cipher_kt)) + return OPENVPN_AEAD_TAG_LENGTH; +#endif + return 0; +} + +int +cipher_kt_mode (const mbedtls_cipher_info_t *cipher_kt) +{ + ASSERT(NULL != cipher_kt); + return cipher_kt->mode; +} + +bool +cipher_kt_mode_cbc(const cipher_kt_t *cipher) +{ + return cipher && cipher_kt_mode(cipher) == OPENVPN_MODE_CBC; +} + +bool +cipher_kt_mode_ofb_cfb(const cipher_kt_t *cipher) +{ + return cipher && (cipher_kt_mode(cipher) == OPENVPN_MODE_OFB || + cipher_kt_mode(cipher) == OPENVPN_MODE_CFB); +} + +bool +cipher_kt_mode_aead(const cipher_kt_t *cipher) +{ + return cipher && cipher_kt_mode(cipher) == OPENVPN_MODE_GCM; +} + + +/* + * + * Generic cipher context functions + * + */ + + +void +cipher_ctx_init (mbedtls_cipher_context_t *ctx, uint8_t *key, int key_len, + const mbedtls_cipher_info_t *kt, const mbedtls_operation_t operation) +{ + ASSERT(NULL != kt && NULL != ctx); + + CLEAR (*ctx); + + if (!mbed_ok(mbedtls_cipher_setup(ctx, kt))) + msg (M_FATAL, "mbed TLS cipher context init #1"); + + if (!mbed_ok(mbedtls_cipher_setkey(ctx, key, key_len*8, operation))) + msg (M_FATAL, "mbed TLS cipher set key"); + + /* make sure we used a big enough key */ + ASSERT (ctx->key_bitlen <= key_len*8); +} + +void cipher_ctx_cleanup (mbedtls_cipher_context_t *ctx) +{ + mbedtls_cipher_free(ctx); +} + +int cipher_ctx_iv_length (const mbedtls_cipher_context_t *ctx) +{ + return mbedtls_cipher_get_iv_size(ctx); +} + +int cipher_ctx_get_tag (cipher_ctx_t *ctx, uint8_t* tag, int tag_len) +{ +#ifdef HAVE_AEAD_CIPHER_MODES + if (tag_len > SIZE_MAX) + return 0; + + if (!mbed_ok (mbedtls_cipher_write_tag (ctx, (unsigned char *) tag, tag_len))) + return 0; + + return 1; +#else + ASSERT(0); +#endif /* HAVE_AEAD_CIPHER_MODES */ +} + +int cipher_ctx_block_size(const mbedtls_cipher_context_t *ctx) +{ + return mbedtls_cipher_get_block_size(ctx); +} + +int cipher_ctx_mode (const mbedtls_cipher_context_t *ctx) +{ + ASSERT(NULL != ctx); + + return cipher_kt_mode(ctx->cipher_info); +} + +const cipher_kt_t * +cipher_ctx_get_cipher_kt (const cipher_ctx_t *ctx) +{ + return ctx ? ctx->cipher_info : NULL; +} + +int cipher_ctx_reset (mbedtls_cipher_context_t *ctx, uint8_t *iv_buf) +{ + if (!mbed_ok(mbedtls_cipher_reset(ctx))) + return 0; + + if (!mbed_ok(mbedtls_cipher_set_iv(ctx, iv_buf, ctx->cipher_info->iv_size))) + return 0; + + return 1; +} + +int cipher_ctx_update_ad (cipher_ctx_t *ctx, const uint8_t *src, int src_len) +{ +#ifdef HAVE_AEAD_CIPHER_MODES + if (src_len > SIZE_MAX) + return 0; + + if (!mbed_ok (mbedtls_cipher_update_ad (ctx, src, src_len))) + return 0; + + return 1; +#else + ASSERT(0); +#endif /* HAVE_AEAD_CIPHER_MODES */ +} + +int cipher_ctx_update (mbedtls_cipher_context_t *ctx, uint8_t *dst, + int *dst_len, uint8_t *src, int src_len) +{ + size_t s_dst_len = *dst_len; + + if (!mbed_ok(mbedtls_cipher_update(ctx, src, (size_t) src_len, dst, + &s_dst_len))) + return 0; + + *dst_len = s_dst_len; + + return 1; +} + +int cipher_ctx_final (mbedtls_cipher_context_t *ctx, uint8_t *dst, int *dst_len) +{ + size_t s_dst_len = *dst_len; + + if (!mbed_ok(mbedtls_cipher_finish(ctx, dst, &s_dst_len))) + return 0; + + *dst_len = s_dst_len; + + return 1; +} + +int cipher_ctx_final_check_tag (mbedtls_cipher_context_t *ctx, uint8_t *dst, + int *dst_len, uint8_t *tag, size_t tag_len) +{ +#ifdef HAVE_AEAD_CIPHER_MODES + size_t olen = 0; + + if (MBEDTLS_DECRYPT != ctx->operation) + return 0; + + if (tag_len > SIZE_MAX) + return 0; + + if (!mbed_ok (mbedtls_cipher_finish (ctx, dst, &olen))) + { + msg (D_CRYPT_ERRORS, "%s: cipher_ctx_final() failed", __func__); + return 0; + } + + if (olen > INT_MAX) + return 0; + *dst_len = olen; + + if (!mbed_ok (mbedtls_cipher_check_tag (ctx, (const unsigned char *) tag, + tag_len))) + return 0; + + return 1; +#else + ASSERT(0); +#endif /* HAVE_AEAD_CIPHER_MODES */ +} + +void +cipher_des_encrypt_ecb (const unsigned char key[DES_KEY_LENGTH], + unsigned char *src, + unsigned char *dst) +{ + mbedtls_des_context ctx; + + ASSERT (mbed_ok(mbedtls_des_setkey_enc(&ctx, key))); + ASSERT (mbed_ok(mbedtls_des_crypt_ecb(&ctx, src, dst))); +} + + + +/* + * + * Generic message digest information functions + * + */ + + +const mbedtls_md_info_t * +md_kt_get (const char *digest) +{ + const mbedtls_md_info_t *md = NULL; + ASSERT (digest); + + md = mbedtls_md_info_from_string(digest); + if (!md) + msg (M_FATAL, "Message hash algorithm '%s' not found", digest); + if (mbedtls_md_get_size(md) > MAX_HMAC_KEY_LENGTH) + msg (M_FATAL, "Message hash algorithm '%s' uses a default hash size (%d bytes) which is larger than " PACKAGE_NAME "'s current maximum hash size (%d bytes)", + digest, + mbedtls_md_get_size(md), + MAX_HMAC_KEY_LENGTH); + return md; +} + +const char * +md_kt_name (const mbedtls_md_info_t *kt) +{ + if (NULL == kt) + return "[null-digest]"; + return mbedtls_md_get_name (kt); +} + +int +md_kt_size (const mbedtls_md_info_t *kt) +{ + if (NULL == kt) + return 0; + return mbedtls_md_get_size(kt); +} + +/* + * + * Generic message digest functions + * + */ + +int +md_full (const md_kt_t *kt, const uint8_t *src, int src_len, uint8_t *dst) +{ + return 0 == mbedtls_md(kt, src, src_len, dst); +} + + +void +md_ctx_init (mbedtls_md_context_t *ctx, const mbedtls_md_info_t *kt) +{ + ASSERT(NULL != ctx && NULL != kt); + + mbedtls_md_init(ctx); + ASSERT(0 == mbedtls_md_setup(ctx, kt, 0)); + ASSERT(0 == mbedtls_md_starts(ctx)); +} + +void +md_ctx_cleanup(mbedtls_md_context_t *ctx) +{ +} + +int +md_ctx_size (const mbedtls_md_context_t *ctx) +{ + if (NULL == ctx) + return 0; + return mbedtls_md_get_size(ctx->md_info); +} + +void +md_ctx_update (mbedtls_md_context_t *ctx, const uint8_t *src, int src_len) +{ + ASSERT(0 == mbedtls_md_update(ctx, src, src_len)); +} + +void +md_ctx_final (mbedtls_md_context_t *ctx, uint8_t *dst) +{ + ASSERT(0 == mbedtls_md_finish(ctx, dst)); + mbedtls_md_free(ctx); +} + + +/* + * + * Generic HMAC functions + * + */ + + +/* + * TODO: re-enable dmsg for crypto debug + */ +void +hmac_ctx_init (mbedtls_md_context_t *ctx, const uint8_t *key, int key_len, + const mbedtls_md_info_t *kt) +{ + ASSERT(NULL != kt && NULL != ctx); + + mbedtls_md_init(ctx); + ASSERT(0 == mbedtls_md_setup(ctx, kt, 1)); + ASSERT(0 == mbedtls_md_hmac_starts(ctx, key, key_len)); + + /* make sure we used a big enough key */ + ASSERT (mbedtls_md_get_size(kt) <= key_len); +} + +void +hmac_ctx_cleanup(mbedtls_md_context_t *ctx) +{ + mbedtls_md_free(ctx); +} + +int +hmac_ctx_size (const mbedtls_md_context_t *ctx) +{ + if (NULL == ctx) + return 0; + return mbedtls_md_get_size(ctx->md_info); +} + +void +hmac_ctx_reset (mbedtls_md_context_t *ctx) +{ + ASSERT(0 == mbedtls_md_hmac_reset(ctx)); +} + +void +hmac_ctx_update (mbedtls_md_context_t *ctx, const uint8_t *src, int src_len) +{ + ASSERT(0 == mbedtls_md_hmac_update(ctx, src, src_len)); +} + +void +hmac_ctx_final (mbedtls_md_context_t *ctx, uint8_t *dst) +{ + ASSERT(0 == mbedtls_md_hmac_finish(ctx, dst)); +} + +#endif /* ENABLE_CRYPTO && ENABLE_CRYPTO_MBEDTLS */ diff --git a/src/openvpn/crypto_polarssl.h b/src/openvpn/crypto_mbedtls.h index 12b5146..574a63f 100644 --- a/src/openvpn/crypto_polarssl.h +++ b/src/openvpn/crypto_mbedtls.h @@ -24,48 +24,51 @@ */ /** - * @file Data Channel Cryptography PolarSSL-specific backend interface + * @file Data Channel Cryptography mbed TLS-specific backend interface */ -#ifndef CRYPTO_POLARSSL_H_ -#define CRYPTO_POLARSSL_H_ +#ifndef CRYPTO_MBEDTLS_H_ +#define CRYPTO_MBEDTLS_H_ -#include <polarssl/cipher.h> -#include <polarssl/md.h> -#include <polarssl/ctr_drbg.h> +#include <mbedtls/cipher.h> +#include <mbedtls/md.h> +#include <mbedtls/ctr_drbg.h> /** Generic cipher key type %context. */ -typedef cipher_info_t cipher_kt_t; +typedef mbedtls_cipher_info_t cipher_kt_t; /** Generic message digest key type %context. */ -typedef md_info_t md_kt_t; +typedef mbedtls_md_info_t md_kt_t; /** Generic cipher %context. */ -typedef cipher_context_t cipher_ctx_t; +typedef mbedtls_cipher_context_t cipher_ctx_t; /** Generic message digest %context. */ -typedef md_context_t md_ctx_t; +typedef mbedtls_md_context_t md_ctx_t; /** Generic HMAC %context. */ -typedef md_context_t hmac_ctx_t; +typedef mbedtls_md_context_t hmac_ctx_t; /** Maximum length of an IV */ -#define OPENVPN_MAX_IV_LENGTH POLARSSL_MAX_IV_LENGTH +#define OPENVPN_MAX_IV_LENGTH MBEDTLS_MAX_IV_LENGTH /** Cipher is in CBC mode */ -#define OPENVPN_MODE_CBC POLARSSL_MODE_CBC +#define OPENVPN_MODE_CBC MBEDTLS_MODE_CBC /** Cipher is in OFB mode */ -#define OPENVPN_MODE_OFB POLARSSL_MODE_OFB +#define OPENVPN_MODE_OFB MBEDTLS_MODE_OFB /** Cipher is in CFB mode */ -#define OPENVPN_MODE_CFB POLARSSL_MODE_CFB +#define OPENVPN_MODE_CFB MBEDTLS_MODE_CFB + +/** Cipher is in GCM mode */ +#define OPENVPN_MODE_GCM MBEDTLS_MODE_GCM /** Cipher should encrypt */ -#define OPENVPN_OP_ENCRYPT POLARSSL_ENCRYPT +#define OPENVPN_OP_ENCRYPT MBEDTLS_ENCRYPT /** Cipher should decrypt */ -#define OPENVPN_OP_DECRYPT POLARSSL_DECRYPT +#define OPENVPN_OP_DECRYPT MBEDTLS_DECRYPT #define MD4_DIGEST_LENGTH 16 #define MD5_DIGEST_LENGTH 16 @@ -73,16 +76,16 @@ typedef md_context_t hmac_ctx_t; #define DES_KEY_LENGTH 8 /** - * Returns a singleton instance of the PolarSSL random number generator. + * Returns a singleton instance of the mbed TLS random number generator. * - * For PolarSSL 1.1+, this is the CTR_DRBG random number generator. If it + * For PolarSSL/mbed TLS 1.1+, this is the CTR_DRBG random number generator. If it * hasn't been initialised yet, the RNG will be initialised using the default * entropy sources. Aside from the default platform entropy sources, an * additional entropy source, the HAVEGE random number generator will also be * added. During initialisation, a personalisation string will be added based * on the time, the PID, and a pointer to the random context. */ -ctr_drbg_context * rand_ctx_get(); +mbedtls_ctr_drbg_context *rand_ctx_get(); #ifdef ENABLE_PREDICTION_RESISTANCE /** @@ -92,34 +95,34 @@ void rand_ctx_enable_prediction_resistance(); #endif /** - * Log the supplied PolarSSL error, prefixed by supplied prefix. + * Log the supplied mbed TLS error, prefixed by supplied prefix. * * @param flags Flags to indicate error type and priority. - * @param errval PolarSSL error code to convert to error message. - * @param prefix Prefix to PolarSSL error message. + * @param errval mbed TLS error code to convert to error message. + * @param prefix Prefix to mbed TLS error message. * * @returns true if no errors are detected, false otherwise. */ -bool polar_log_err(unsigned int flags, int errval, const char *prefix); +bool mbed_log_err(unsigned int flags, int errval, const char *prefix); /** - * Log the supplied PolarSSL error, prefixed by function name and line number. + * Log the supplied mbed TLS error, prefixed by function name and line number. * * @param flags Flags to indicate error type and priority. - * @param errval PolarSSL error code to convert to error message. + * @param errval mbed TLS error code to convert to error message. * @param func Function name where error was reported. * @param line Line number where error was reported. * * @returns true if no errors are detected, false otherwise. */ -bool polar_log_func_line(unsigned int flags, int errval, const char *func, +bool mbed_log_func_line(unsigned int flags, int errval, const char *func, int line); -/** Wraps polar_log_func_line() to prevent function calls for non-errors */ -static inline bool polar_log_func_line_lite(unsigned int flags, int errval, +/** Wraps mbed_log_func_line() to prevent function calls for non-errors */ +static inline bool mbed_log_func_line_lite(unsigned int flags, int errval, const char *func, int line) { if (errval) { - return polar_log_func_line (flags, errval, func, line); + return mbed_log_func_line (flags, errval, func, line); } return true; } @@ -127,17 +130,17 @@ static inline bool polar_log_func_line_lite(unsigned int flags, int errval, /** * Check errval and log on error. * - * Convenience wrapper to put around polarssl library calls, e.g. - * if (!polar_ok(polarssl_func())) return 0; + * Convenience wrapper to put around mbed TLS library calls, e.g. + * if (!mbed_ok (mbedtls_ssl_func())) return 0; * or - * ASSERT (polar_ok(polarssl_func())); + * ASSERT (mbed_ok (mbedtls_ssl_func())); * - * @param errval PolarSSL error code to convert to error message. + * @param errval mbed TLS error code to convert to error message. * * @returns true if no errors are detected, false otherwise. */ -#define polar_ok(errval) \ - polar_log_func_line_lite (D_CRYPT_ERRORS, errval, __func__, __LINE__) +#define mbed_ok(errval) \ + mbed_log_func_line_lite(D_CRYPT_ERRORS, errval, __func__, __LINE__) -#endif /* CRYPTO_POLARSSL_H_ */ +#endif /* CRYPTO_MBEDTLS_H_ */ diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c index c147245..1ea06bb 100644 --- a/src/openvpn/crypto_openssl.c +++ b/src/openvpn/crypto_openssl.c @@ -42,9 +42,12 @@ #include "integer.h" #include "crypto.h" #include "crypto_backend.h" -#include <openssl/objects.h> -#include <openssl/evp.h> + #include <openssl/des.h> +#include <openssl/err.h> +#include <openssl/evp.h> +#include <openssl/objects.h> +#include <openssl/ssl.h> /* * Check for key size creepage. @@ -58,41 +61,6 @@ #warning Some OpenSSL HMAC message digests now support key lengths greater than MAX_HMAC_KEY_LENGTH -- consider increasing MAX_HMAC_KEY_LENGTH #endif -/* - * - * Workarounds for incompatibilites between OpenSSL libraries. - * Right now we accept OpenSSL libraries from 0.9.5 to 0.9.7. - * - */ - -#if SSLEAY_VERSION_NUMBER < 0x00907000L - -/* Workaround: EVP_CIPHER_mode is defined wrong in OpenSSL 0.9.6 but is fixed in 0.9.7 */ -#undef EVP_CIPHER_mode -#define EVP_CIPHER_mode(e) (((e)->flags) & EVP_CIPH_MODE) - -#define DES_cblock des_cblock -#define DES_is_weak_key des_is_weak_key -#define DES_check_key_parity des_check_key_parity -#define DES_set_odd_parity des_set_odd_parity - -#define HMAC_CTX_init(ctx) CLEAR (*ctx) -#define HMAC_Init_ex(ctx,sec,len,md,impl) HMAC_Init(ctx, sec, len, md) -#define HMAC_CTX_cleanup(ctx) HMAC_cleanup(ctx) -#define EVP_MD_CTX_cleanup(md) CLEAR (*md) - -#define INFO_CALLBACK_SSL_CONST - -#endif - -#ifndef EVP_CIPHER_name -#define EVP_CIPHER_name(e) OBJ_nid2sn(EVP_CIPHER_nid(e)) -#endif - -#ifndef EVP_MD_name -#define EVP_MD_name(e) OBJ_nid2sn(EVP_MD_type(e)) -#endif - #if HAVE_OPENSSL_ENGINE #include <openssl/engine.h> @@ -179,14 +147,6 @@ crypto_init_lib_engine (const char *engine_name) void crypto_init_lib (void) { -#ifndef ENABLE_SSL - /* If SSL is enabled init is taken care of in ssl_openssl.c */ -#ifndef ENABLE_SMALL - ERR_load_crypto_strings (); -#endif - OpenSSL_add_all_algorithms (); -#endif - /* * If you build the OpenSSL library and OpenVPN with * CRYPTO_MDEBUG, you will get a listing of OpenSSL @@ -201,14 +161,6 @@ crypto_init_lib (void) void crypto_uninit_lib (void) { -#ifndef ENABLE_SSL - /* If SSL is enabled cleanup is taken care of in ssl_openssl.c */ - EVP_cleanup (); -#ifndef ENABLE_SMALL - ERR_free_strings (); -#endif -#endif - #ifdef CRYPTO_MDEBUG FILE* fp = fopen ("sdlog", "w"); ASSERT (fp); @@ -237,9 +189,21 @@ crypto_print_openssl_errors(const unsigned int flags) { size_t err = 0; while ((err = ERR_get_error ())) - msg (flags, "OpenSSL: %s", ERR_error_string (err, NULL)); + { + /* Be more clear about frequently occurring "no shared cipher" error */ + if (err == ERR_PACK(ERR_LIB_SSL,SSL_F_SSL3_GET_CLIENT_HELLO, + SSL_R_NO_SHARED_CIPHER)) + { + msg (D_CRYPT_ERRORS, "TLS error: The server has no TLS ciphersuites " + "in common with the client. Your --tls-cipher setting might be " + "too restrictive."); + } + + msg (flags, "OpenSSL: %s", ERR_error_string (err, NULL)); + } } + /* * * OpenSSL memory debugging. If dmalloc debugging is enabled, tell @@ -276,55 +240,97 @@ crypto_init_dmalloc (void) } #endif /* DMALLOC */ -const char * -translate_cipher_name_from_openvpn (const char *cipher_name) { - // OpenSSL doesn't require any translation - return cipher_name; +const cipher_name_pair cipher_name_translation_table[] = { + { "AES-128-GCM", "id-aes128-GCM" }, + { "AES-192-GCM", "id-aes192-GCM" }, + { "AES-256-GCM", "id-aes256-GCM" }, +}; +const size_t cipher_name_translation_table_count = + sizeof (cipher_name_translation_table) / sizeof (*cipher_name_translation_table); + + +static int +cipher_name_cmp(const void *a, const void *b) +{ + const EVP_CIPHER * const *cipher_a = a; + const EVP_CIPHER * const *cipher_b = b; + + const char *cipher_name_a = + translate_cipher_name_to_openvpn(EVP_CIPHER_name(*cipher_a)); + const char *cipher_name_b = + translate_cipher_name_to_openvpn(EVP_CIPHER_name(*cipher_b)); + + return strcmp(cipher_name_a, cipher_name_b); } -const char * -translate_cipher_name_to_openvpn (const char *cipher_name) { - // OpenSSL doesn't require any translation - return cipher_name; +static void +print_cipher(const EVP_CIPHER *cipher) +{ + const char *var_key_size = + (EVP_CIPHER_flags (cipher) & EVP_CIPH_VARIABLE_LENGTH) ? + " by default" : ""; + const char *ssl_only = cipher_kt_mode_cbc(cipher) ? + "" : ", TLS client/server mode only"; + + printf ("%s (%d bit key%s, %d bit block%s)\n", + translate_cipher_name_to_openvpn (EVP_CIPHER_name (cipher)), + EVP_CIPHER_key_length (cipher) * 8, var_key_size, + cipher_kt_block_size (cipher) * 8, ssl_only); } void show_available_ciphers () { int nid; + size_t i; + /* If we ever exceed this, we must be more selective */ + const size_t cipher_list_len = 1000; + const EVP_CIPHER *cipher_list[cipher_list_len]; + size_t num_ciphers = 0; #ifndef ENABLE_SMALL - printf ("The following ciphers and cipher modes are available\n" - "for use with " PACKAGE_NAME ". Each cipher shown below may be\n" - "used as a parameter to the --cipher option. The default\n" - "key size is shown as well as whether or not it can be\n" - "changed with the --keysize directive. Using a CBC mode\n" - "is recommended. In static key mode only CBC mode is allowed.\n\n"); + printf ("The following ciphers and cipher modes are available for use\n" + "with " PACKAGE_NAME ". Each cipher shown below may be use as a\n" + "parameter to the --cipher option. The default key size is\n" + "shown as well as whether or not it can be changed with the\n" + "--keysize directive. Using a CBC or GCM mode is recommended.\n" + "In static key mode only CBC mode is allowed.\n\n"); #endif - for (nid = 0; nid < 10000; ++nid) /* is there a better way to get the size of the nid list? */ + for (nid = 0; nid < 10000; ++nid) { - const EVP_CIPHER *cipher = EVP_get_cipherbynid (nid); - if (cipher) - { - if (cipher_kt_mode_cbc(cipher) + const EVP_CIPHER *cipher = EVP_get_cipherbynid(nid); + if (cipher && (cipher_kt_mode_cbc(cipher) #ifdef ENABLE_OFB_CFB_MODE || cipher_kt_mode_ofb_cfb(cipher) #endif - ) - { - const char *var_key_size = - (EVP_CIPHER_flags (cipher) & EVP_CIPH_VARIABLE_LENGTH) ? - "variable" : "fixed"; - const char *ssl_only = cipher_kt_mode_ofb_cfb(cipher) ? - " (TLS client/server mode)" : ""; - - printf ("%s %d bit default key (%s)%s\n", OBJ_nid2sn (nid), - EVP_CIPHER_key_length (cipher) * 8, var_key_size, - ssl_only); - } +#ifdef HAVE_AEAD_CIPHER_MODES + || cipher_kt_mode_aead(cipher) +#endif + )) + { + cipher_list[num_ciphers++] = cipher; + } + if (num_ciphers == cipher_list_len) + { + msg (M_WARN, "WARNING: Too many ciphers, not showing all"); + break; } } + + qsort (cipher_list, num_ciphers, sizeof(*cipher_list), cipher_name_cmp); + + for (i = 0; i < num_ciphers; i++) { + if (cipher_kt_block_size(cipher_list[i]) >= 128/8) + print_cipher(cipher_list[i]); + } + + printf ("\nThe following ciphers have a block size of less than 128 bits, \n" + "and are therefore deprecated. Do not use unless you have to.\n\n"); + for (i = 0; i < num_ciphers; i++) { + if (cipher_kt_block_size(cipher_list[i]) < 128/8) + print_cipher(cipher_list[i]); + } printf ("\n"); } @@ -498,13 +504,20 @@ cipher_kt_get (const char *ciphername) cipher = EVP_get_cipherbyname (ciphername); if (NULL == cipher) - crypto_msg (M_FATAL, "Cipher algorithm '%s' not found", ciphername); + { + crypto_msg (D_LOW, "Cipher algorithm '%s' not found", ciphername); + return NULL; + } + if (EVP_CIPHER_key_length (cipher) > MAX_CIPHER_KEY_LENGTH) - msg (M_FATAL, "Cipher algorithm '%s' uses a default key size (%d bytes) which is larger than " PACKAGE_NAME "'s current maximum key size (%d bytes)", - ciphername, - EVP_CIPHER_key_length (cipher), - MAX_CIPHER_KEY_LENGTH); + { + msg (D_LOW, "Cipher algorithm '%s' uses a default key size (%d bytes) " + "which is larger than " PACKAGE_NAME "'s current maximum key size " + "(%d bytes)", ciphername, EVP_CIPHER_key_length (cipher), + MAX_CIPHER_KEY_LENGTH); + return NULL; + } return cipher; } @@ -530,9 +543,46 @@ cipher_kt_iv_size (const EVP_CIPHER *cipher_kt) } int -cipher_kt_block_size (const EVP_CIPHER *cipher_kt) +cipher_kt_block_size (const EVP_CIPHER *cipher) { + /* OpenSSL reports OFB/CFB/GCM cipher block sizes as '1 byte'. To work + * around that, try to replace the mode with 'CBC' and return the block size + * reported for that cipher, if possible. If that doesn't work, just return + * the value reported by OpenSSL. + */ + char *name = NULL; + char *mode_str = NULL; + const char *orig_name = NULL; + const EVP_CIPHER *cbc_cipher = NULL; + + int block_size = EVP_CIPHER_block_size(cipher); + + orig_name = cipher_kt_name(cipher); + if (!orig_name) + goto cleanup; + + name = string_alloc(translate_cipher_name_to_openvpn(orig_name), NULL); + mode_str = strrchr (name, '-'); + if (!mode_str || strlen(mode_str) < 4) + goto cleanup; + + strcpy (mode_str, "-CBC"); + + cbc_cipher = EVP_get_cipherbyname(translate_cipher_name_from_openvpn(name)); + if (cbc_cipher) + block_size = EVP_CIPHER_block_size(cbc_cipher); + +cleanup: + free (name); + return block_size; +} + +int +cipher_kt_tag_size (const EVP_CIPHER *cipher_kt) { - return EVP_CIPHER_block_size (cipher_kt); + if (cipher_kt_mode_aead(cipher_kt)) + return OPENVPN_AEAD_TAG_LENGTH; + else + return 0; } int @@ -565,6 +615,16 @@ cipher_kt_mode_ofb_cfb(const cipher_kt_t *cipher) ; } +bool +cipher_kt_mode_aead(const cipher_kt_t *cipher) +{ +#ifdef HAVE_AEAD_CIPHER_MODES + return cipher && (cipher_kt_mode(cipher) == OPENVPN_MODE_GCM); +#else + return false; +#endif +} + /* * * Generic cipher context functions @@ -606,6 +666,15 @@ cipher_ctx_iv_length (const EVP_CIPHER_CTX *ctx) return EVP_CIPHER_CTX_iv_length (ctx); } +int cipher_ctx_get_tag (EVP_CIPHER_CTX *ctx, uint8_t *tag_buf, int tag_size) +{ +#ifdef HAVE_AEAD_CIPHER_MODES + return EVP_CIPHER_CTX_ctrl (ctx, EVP_CTRL_GCM_GET_TAG, tag_size, tag_buf); +#else + ASSERT (0); +#endif +} + int cipher_ctx_block_size(const EVP_CIPHER_CTX *ctx) { @@ -621,7 +690,7 @@ cipher_ctx_mode (const EVP_CIPHER_CTX *ctx) const cipher_kt_t * cipher_ctx_get_cipher_kt (const cipher_ctx_t *ctx) { - return EVP_CIPHER_CTX_cipher(ctx); + return ctx ? EVP_CIPHER_CTX_cipher(ctx) : NULL; } @@ -632,6 +701,19 @@ cipher_ctx_reset (EVP_CIPHER_CTX *ctx, uint8_t *iv_buf) } int +cipher_ctx_update_ad (EVP_CIPHER_CTX *ctx, const uint8_t *src, int src_len) +{ +#ifdef HAVE_AEAD_CIPHER_MODES + int len; + if (!EVP_CipherUpdate (ctx, NULL, &len, src, src_len)) + crypto_msg(M_FATAL, "%s: EVP_CipherUpdate() failed", __func__); + return 1; +#else + ASSERT (0); +#endif +} + +int cipher_ctx_update (EVP_CIPHER_CTX *ctx, uint8_t *dst, int *dst_len, uint8_t *src, int src_len) { @@ -646,6 +728,20 @@ cipher_ctx_final (EVP_CIPHER_CTX *ctx, uint8_t *dst, int *dst_len) return EVP_CipherFinal (ctx, dst, dst_len); } +int +cipher_ctx_final_check_tag (EVP_CIPHER_CTX *ctx, uint8_t *dst, int *dst_len, + uint8_t *tag, size_t tag_len) +{ +#ifdef HAVE_AEAD_CIPHER_MODES + ASSERT (tag_len < SIZE_MAX); + if (!EVP_CIPHER_CTX_ctrl (ctx, EVP_CTRL_GCM_SET_TAG, tag_len, tag)) + return 0; + + return cipher_ctx_final (ctx, dst, dst_len); +#else + ASSERT (0); +#endif +} void cipher_des_encrypt_ecb (const unsigned char key[DES_KEY_LENGTH], diff --git a/src/openvpn/crypto_openssl.h b/src/openvpn/crypto_openssl.h index 42c7e9a..f157041 100644 --- a/src/openvpn/crypto_openssl.h +++ b/src/openvpn/crypto_openssl.h @@ -61,6 +61,13 @@ typedef HMAC_CTX hmac_ctx_t; /** Cipher is in CFB mode */ #define OPENVPN_MODE_CFB EVP_CIPH_CFB_MODE +#ifdef HAVE_AEAD_CIPHER_MODES + +/** Cipher is in GCM mode */ +#define OPENVPN_MODE_GCM EVP_CIPH_GCM_MODE + +#endif /* HAVE_AEAD_CIPHER_MODES */ + /** Cipher should encrypt */ #define OPENVPN_OP_ENCRYPT 1 diff --git a/src/openvpn/crypto_polarssl.c b/src/openvpn/crypto_polarssl.c deleted file mode 100644 index 92fdb78..0000000 --- a/src/openvpn/crypto_polarssl.c +++ /dev/null @@ -1,712 +0,0 @@ -/* - * OpenVPN -- An application to securely tunnel IP networks - * over a single TCP/UDP port, with support for SSL/TLS-based - * session authentication and key exchange, - * packet encryption, packet authentication, and - * packet compression. - * - * Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net> - * Copyright (C) 2010 Fox Crypto B.V. <openvpn@fox-it.com> - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program (see the file COPYING included with this - * distribution); if not, write to the Free Software Foundation, Inc., - * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA - */ - -/** - * @file Data Channel Cryptography PolarSSL-specific backend interface - */ - -#ifdef HAVE_CONFIG_H -#include "config.h" -#elif defined(_MSC_VER) -#include "config-msvc.h" -#endif - -#include "syshead.h" - -#if defined(ENABLE_CRYPTO) && defined(ENABLE_CRYPTO_POLARSSL) - -#include "errlevel.h" -#include "basic.h" -#include "buffer.h" -#include "integer.h" -#include "crypto_backend.h" -#include "otime.h" -#include "misc.h" - -#include <polarssl/des.h> -#include <polarssl/error.h> -#include <polarssl/md5.h> -#include <polarssl/cipher.h> -#include <polarssl/havege.h> - -#include <polarssl/entropy.h> - -/* - * - * Hardware engine support. Allows loading/unloading of engines. - * - */ - -void -crypto_init_lib_engine (const char *engine_name) -{ - msg (M_WARN, "Note: PolarSSL hardware crypto engine functionality is not " - "available"); -} - -/* - * - * Functions related to the core crypto library - * - */ - -void -crypto_init_lib (void) -{ -} - -void -crypto_uninit_lib (void) -{ -} - -void -crypto_clear_error (void) -{ -} - -bool polar_log_err(unsigned int flags, int errval, const char *prefix) -{ - if (0 != errval) - { - char errstr[256]; - polarssl_strerror(errval, errstr, sizeof(errstr)); - - if (NULL == prefix) prefix = "PolarSSL error"; - msg (flags, "%s: %s", prefix, errstr); - } - - return 0 == errval; -} - -bool polar_log_func_line(unsigned int flags, int errval, const char *func, - int line) -{ - char prefix[256]; - - if (!openvpn_snprintf(prefix, sizeof(prefix), "%s:%d", func, line)) - return polar_log_err(flags, errval, func); - - return polar_log_err(flags, errval, prefix); -} - - -#ifdef DMALLOC -void -crypto_init_dmalloc (void) -{ - msg (M_ERR, "Error: dmalloc support is not available for PolarSSL."); -} -#endif /* DMALLOC */ - -typedef struct { const char * openvpn_name; const char * polarssl_name; } cipher_name_pair; -cipher_name_pair cipher_name_translation_table[] = { - { "BF-CBC", "BLOWFISH-CBC" }, - { "BF-CFB", "BLOWFISH-CFB64" }, - { "CAMELLIA-128-CFB", "CAMELLIA-128-CFB128" }, - { "CAMELLIA-192-CFB", "CAMELLIA-192-CFB128" }, - { "CAMELLIA-256-CFB", "CAMELLIA-256-CFB128" } -}; - -const cipher_name_pair * -get_cipher_name_pair(const char *cipher_name) { - cipher_name_pair *pair; - size_t i = 0; - - /* Search for a cipher name translation */ - for (; i < sizeof (cipher_name_translation_table) / sizeof (*cipher_name_translation_table); i++) - { - pair = &cipher_name_translation_table[i]; - if (0 == strcmp (cipher_name, pair->openvpn_name) || - 0 == strcmp (cipher_name, pair->polarssl_name)) - return pair; - } - - /* Nothing found, return null */ - return NULL; -} - -const char * -translate_cipher_name_from_openvpn (const char *cipher_name) { - const cipher_name_pair *pair = get_cipher_name_pair(cipher_name); - - if (NULL == pair) - return cipher_name; - - return pair->polarssl_name; -} - -const char * -translate_cipher_name_to_openvpn (const char *cipher_name) { - const cipher_name_pair *pair = get_cipher_name_pair(cipher_name); - - if (NULL == pair) - return cipher_name; - - return pair->openvpn_name; -} - -void -show_available_ciphers () -{ - const int *ciphers = cipher_list(); - -#ifndef ENABLE_SMALL - printf ("The following ciphers and cipher modes are available\n" - "for use with " PACKAGE_NAME ". Each cipher shown below may be\n" - "used as a parameter to the --cipher option. The default\n" - "key size is shown as well as whether or not it can be\n" - "changed with the --keysize directive. Using a CBC mode\n" - "is recommended.\n\n"); -#endif - - while (*ciphers != 0) - { - const cipher_info_t *info = cipher_info_from_type(*ciphers); - - if (info && info->mode == POLARSSL_MODE_CBC) - printf ("%s %d bit default key\n", - cipher_kt_name(info), cipher_kt_key_size(info) * 8); - - ciphers++; - } - printf ("\n"); -} - -void -show_available_digests () -{ - const int *digests = md_list(); - -#ifndef ENABLE_SMALL - printf ("The following message digests are available for use with\n" - PACKAGE_NAME ". A message digest is used in conjunction with\n" - "the HMAC function, to authenticate received packets.\n" - "You can specify a message digest as parameter to\n" - "the --auth option.\n\n"); -#endif - - while (*digests != 0) - { - const md_info_t *info = md_info_from_type(*digests); - - if (info) - printf ("%s %d bit default key\n", - info->name, info->size * 8); - digests++; - } - printf ("\n"); -} - -void -show_available_engines () -{ - printf ("Sorry, PolarSSL hardware crypto engine functionality is not " - "available\n"); -} - -/* - * - * Random number functions, used in cases where we want - * reasonably strong cryptographic random number generation - * without depleting our entropy pool. Used for random - * IV values and a number of other miscellaneous tasks. - * - */ - -/* - * Initialise the given ctr_drbg context, using a personalisation string and an - * entropy gathering function. - */ -ctr_drbg_context * rand_ctx_get() -{ - static entropy_context ec = {0}; - static ctr_drbg_context cd_ctx = {0}; - static bool rand_initialised = false; - - if (!rand_initialised) - { - struct gc_arena gc = gc_new(); - struct buffer pers_string = alloc_buf_gc(100, &gc); - - /* - * Personalisation string, should be as unique as possible (see NIST - * 800-90 section 8.7.1). We have very little information at this stage. - * Include Program Name, memory address of the context and PID. - */ - buf_printf(&pers_string, "OpenVPN %0u %p %s", platform_getpid(), &cd_ctx, time_string(0, 0, 0, &gc)); - - /* Initialise PolarSSL RNG, and built-in entropy sources */ - entropy_init(&ec); - - if (!polar_ok(ctr_drbg_init(&cd_ctx, entropy_func, &ec, - BPTR(&pers_string), BLEN(&pers_string)))) - msg (M_FATAL, "Failed to initialize random generator"); - - gc_free(&gc); - rand_initialised = true; - } - - return &cd_ctx; -} - -#ifdef ENABLE_PREDICTION_RESISTANCE -void rand_ctx_enable_prediction_resistance() -{ - ctr_drbg_context *cd_ctx = rand_ctx_get(); - - ctr_drbg_set_prediction_resistance(cd_ctx, 1); -} -#endif /* ENABLE_PREDICTION_RESISTANCE */ - -int -rand_bytes (uint8_t *output, int len) -{ - ctr_drbg_context *rng_ctx = rand_ctx_get(); - - while (len > 0) - { - const size_t blen = min_int (len, CTR_DRBG_MAX_REQUEST); - if (0 != ctr_drbg_random(rng_ctx, output, blen)) - return 0; - - output += blen; - len -= blen; - } - - return 1; -} - -/* - * - * Key functions, allow manipulation of keys. - * - */ - - -int -key_des_num_cblocks (const cipher_info_t *kt) -{ - int ret = 0; - if (kt->type == POLARSSL_CIPHER_DES_CBC) - ret = 1; - if (kt->type == POLARSSL_CIPHER_DES_EDE_CBC) - ret = 2; - if (kt->type == POLARSSL_CIPHER_DES_EDE3_CBC) - ret = 3; - - dmsg (D_CRYPTO_DEBUG, "CRYPTO INFO: n_DES_cblocks=%d", ret); - return ret; -} - -bool -key_des_check (uint8_t *key, int key_len, int ndc) -{ - int i; - struct buffer b; - - buf_set_read (&b, key, key_len); - - for (i = 0; i < ndc; ++i) - { - unsigned char *key = buf_read_alloc(&b, DES_KEY_SIZE); - if (!key) - { - msg (D_CRYPT_ERRORS, "CRYPTO INFO: check_key_DES: insufficient key material"); - goto err; - } - if (0 != des_key_check_weak(key)) - { - msg (D_CRYPT_ERRORS, "CRYPTO INFO: check_key_DES: weak key detected"); - goto err; - } - if (0 != des_key_check_key_parity(key)) - { - msg (D_CRYPT_ERRORS, "CRYPTO INFO: check_key_DES: bad parity detected"); - goto err; - } - } - return true; - - err: - return false; -} - -void -key_des_fixup (uint8_t *key, int key_len, int ndc) -{ - int i; - struct buffer b; - - buf_set_read (&b, key, key_len); - for (i = 0; i < ndc; ++i) - { - unsigned char *key = buf_read_alloc(&b, DES_KEY_SIZE); - if (!key) - { - msg (D_CRYPT_ERRORS, "CRYPTO INFO: fixup_key_DES: insufficient key material"); - return; - } - des_key_set_parity(key); - } -} - -/* - * - * Generic cipher key type functions - * - */ - - -const cipher_info_t * -cipher_kt_get (const char *ciphername) -{ - const cipher_info_t *cipher = NULL; - - ASSERT (ciphername); - - cipher = cipher_info_from_string(ciphername); - - if (NULL == cipher) - msg (M_FATAL, "Cipher algorithm '%s' not found", ciphername); - - if (cipher->key_length/8 > MAX_CIPHER_KEY_LENGTH) - msg (M_FATAL, "Cipher algorithm '%s' uses a default key size (%d bytes) which is larger than " PACKAGE_NAME "'s current maximum key size (%d bytes)", - ciphername, - cipher->key_length/8, - MAX_CIPHER_KEY_LENGTH); - - return cipher; -} - -const char * -cipher_kt_name (const cipher_info_t *cipher_kt) -{ - if (NULL == cipher_kt) - return "[null-cipher]"; - - return translate_cipher_name_to_openvpn(cipher_kt->name); -} - -int -cipher_kt_key_size (const cipher_info_t *cipher_kt) -{ - if (NULL == cipher_kt) - return 0; - if (POLARSSL_CIPHER_ID_BLOWFISH == cipher_kt->base->cipher) - return 128/8; /* Override PolarSSL 32 bit default key size with sane 128 bit default */ - - return cipher_kt->key_length/8; -} - -int -cipher_kt_iv_size (const cipher_info_t *cipher_kt) -{ - if (NULL == cipher_kt) - return 0; - return cipher_kt->iv_size; -} - -int -cipher_kt_block_size (const cipher_info_t *cipher_kt) -{ - if (NULL == cipher_kt) - return 0; - return cipher_kt->block_size; -} - -int -cipher_kt_mode (const cipher_info_t *cipher_kt) -{ - ASSERT(NULL != cipher_kt); - return cipher_kt->mode; -} - -bool -cipher_kt_mode_cbc(const cipher_kt_t *cipher) -{ - return cipher && cipher_kt_mode(cipher) == OPENVPN_MODE_CBC; -} - -bool -cipher_kt_mode_ofb_cfb(const cipher_kt_t *cipher) -{ - return cipher && (cipher_kt_mode(cipher) == OPENVPN_MODE_OFB || - cipher_kt_mode(cipher) == OPENVPN_MODE_CFB); -} - - -/* - * - * Generic cipher context functions - * - */ - - -void -cipher_ctx_init (cipher_context_t *ctx, uint8_t *key, int key_len, - const cipher_info_t *kt, int enc) -{ - ASSERT(NULL != kt && NULL != ctx); - - CLEAR (*ctx); - - if (!polar_ok(cipher_init_ctx(ctx, kt))) - msg (M_FATAL, "PolarSSL cipher context init #1"); - - if (!polar_ok(cipher_setkey(ctx, key, key_len*8, enc))) - msg (M_FATAL, "PolarSSL cipher set key"); - - /* make sure we used a big enough key */ - ASSERT (ctx->key_length <= key_len*8); -} - -void cipher_ctx_cleanup (cipher_context_t *ctx) -{ - cipher_free(ctx); -} - -int cipher_ctx_iv_length (const cipher_context_t *ctx) -{ - return cipher_get_iv_size(ctx); -} - -int cipher_ctx_block_size(const cipher_context_t *ctx) -{ - return cipher_get_block_size(ctx); -} - -int cipher_ctx_mode (const cipher_context_t *ctx) -{ - ASSERT(NULL != ctx); - - return cipher_kt_mode(ctx->cipher_info); -} - -const cipher_kt_t * -cipher_ctx_get_cipher_kt (const cipher_ctx_t *ctx) -{ - ASSERT(NULL != ctx); - - return ctx->cipher_info; -} - -int cipher_ctx_reset (cipher_context_t *ctx, uint8_t *iv_buf) -{ - if (!polar_ok(cipher_reset(ctx))) - return 0; - - if (!polar_ok(cipher_set_iv(ctx, iv_buf, ctx->cipher_info->iv_size))) - return 0; - - return 1; -} - -int cipher_ctx_update (cipher_context_t *ctx, uint8_t *dst, int *dst_len, - uint8_t *src, int src_len) -{ - size_t s_dst_len = *dst_len; - - if (!polar_ok(cipher_update(ctx, src, (size_t)src_len, dst, &s_dst_len))) - return 0; - - *dst_len = s_dst_len; - - return 1; -} - -int cipher_ctx_final (cipher_context_t *ctx, uint8_t *dst, int *dst_len) -{ - size_t s_dst_len = *dst_len; - - if (!polar_ok(cipher_finish(ctx, dst, &s_dst_len))) - return 0; - - *dst_len = s_dst_len; - - return 1; -} - -void -cipher_des_encrypt_ecb (const unsigned char key[DES_KEY_LENGTH], - unsigned char *src, - unsigned char *dst) -{ - des_context ctx; - - ASSERT (polar_ok(des_setkey_enc(&ctx, key))); - ASSERT (polar_ok(des_crypt_ecb(&ctx, src, dst))); -} - - - -/* - * - * Generic message digest information functions - * - */ - - -const md_info_t * -md_kt_get (const char *digest) -{ - const md_info_t *md = NULL; - ASSERT (digest); - - md = md_info_from_string(digest); - if (!md) - msg (M_FATAL, "Message hash algorithm '%s' not found", digest); - if (md->size > MAX_HMAC_KEY_LENGTH) - msg (M_FATAL, "Message hash algorithm '%s' uses a default hash size (%d bytes) which is larger than " PACKAGE_NAME "'s current maximum hash size (%d bytes)", - digest, - md->size, - MAX_HMAC_KEY_LENGTH); - return md; -} - -const char * -md_kt_name (const md_info_t *kt) -{ - if (NULL == kt) - return "[null-digest]"; - return md_get_name (kt); -} - -int -md_kt_size (const md_info_t *kt) -{ - if (NULL == kt) - return 0; - return md_get_size(kt); -} - -/* - * - * Generic message digest functions - * - */ - -int -md_full (const md_kt_t *kt, const uint8_t *src, int src_len, uint8_t *dst) -{ - return 0 == md(kt, src, src_len, dst); -} - - -void -md_ctx_init (md_context_t *ctx, const md_info_t *kt) -{ - ASSERT(NULL != ctx && NULL != kt); - - CLEAR(*ctx); - - ASSERT(0 == md_init_ctx(ctx, kt)); - ASSERT(0 == md_starts(ctx)); -} - -void -md_ctx_cleanup(md_context_t *ctx) -{ -} - -int -md_ctx_size (const md_context_t *ctx) -{ - if (NULL == ctx) - return 0; - return md_get_size(ctx->md_info); -} - -void -md_ctx_update (md_context_t *ctx, const uint8_t *src, int src_len) -{ - ASSERT(0 == md_update(ctx, src, src_len)); -} - -void -md_ctx_final (md_context_t *ctx, uint8_t *dst) -{ - ASSERT(0 == md_finish(ctx, dst)); - md_free(ctx); -} - - -/* - * - * Generic HMAC functions - * - */ - - -/* - * TODO: re-enable dmsg for crypto debug - */ -void -hmac_ctx_init (md_context_t *ctx, const uint8_t *key, int key_len, const md_info_t *kt) -{ - ASSERT(NULL != kt && NULL != ctx); - - CLEAR(*ctx); - - ASSERT(0 == md_init_ctx(ctx, kt)); - ASSERT(0 == md_hmac_starts(ctx, key, key_len)); - - /* make sure we used a big enough key */ - ASSERT (md_get_size(kt) <= key_len); -} - -void -hmac_ctx_cleanup(md_context_t *ctx) -{ - md_free(ctx); -} - -int -hmac_ctx_size (const md_context_t *ctx) -{ - if (NULL == ctx) - return 0; - return md_get_size(ctx->md_info); -} - -void -hmac_ctx_reset (md_context_t *ctx) -{ - ASSERT(0 == md_hmac_reset(ctx)); -} - -void -hmac_ctx_update (md_context_t *ctx, const uint8_t *src, int src_len) -{ - ASSERT(0 == md_hmac_update(ctx, src, src_len)); -} - -void -hmac_ctx_final (md_context_t *ctx, uint8_t *dst) -{ - ASSERT(0 == md_hmac_finish(ctx, dst)); -} - -#endif /* ENABLE_CRYPTO && ENABLE_CRYPTO_POLARSSL */ diff --git a/src/openvpn/cryptoapi.c b/src/openvpn/cryptoapi.c index 853c07b..e107bd3 100644 --- a/src/openvpn/cryptoapi.c +++ b/src/openvpn/cryptoapi.c @@ -465,4 +465,4 @@ int SSL_CTX_use_CryptoAPI_certificate(SSL_CTX *ssl_ctx, const char *cert_prop) #ifdef _MSC_VER /* Dummy function needed to avoid empty file compiler warning in Microsoft VC */ static void dummy (void) {} #endif -#endif /* WIN32 */ +#endif /* _WIN32 */ diff --git a/src/openvpn/errlevel.h b/src/openvpn/errlevel.h index 3ee4ebc..9d56eb4 100644 --- a/src/openvpn/errlevel.h +++ b/src/openvpn/errlevel.h @@ -105,7 +105,6 @@ #define D_X509_ATTR LOGLEV(4, 59, 0) /* show x509-track attributes on connection */ #define D_INIT_MEDIUM LOGLEV(4, 60, 0) /* show medium frequency init messages */ #define D_MTU_INFO LOGLEV(4, 61, 0) /* show terse MTU info */ -#define D_SHOW_OCC_HASH LOGLEV(4, 62, 0) /* show MD5 hash of option compatibility string */ #define D_PID_DEBUG_LOW LOGLEV(4, 63, 0) /* show low-freq packet-id debugging info */ #define D_PID_DEBUG_MEDIUM LOGLEV(4, 64, 0) /* show medium-freq packet-id debugging info */ @@ -143,11 +142,12 @@ #define D_PS_PROXY_DEBUG LOGLEV(7, 70, M_DEBUG) /* port share proxy debug */ #define D_AUTO_USERID LOGLEV(7, 70, M_DEBUG) /* AUTO_USERID debugging */ #define D_TLS_KEYSELECT LOGLEV(7, 70, M_DEBUG) /* show information on key selection for data channel */ -#define D_ARGV_PARSE_CMD LOGLEV(7, 70, M_DEBUG) /* show parse_line() errors in argv_printf %sc */ +#define D_ARGV_PARSE_CMD LOGLEV(7, 70, M_DEBUG) /* show parse_line() errors in argv_parse_cmd */ #define D_CRYPTO_DEBUG LOGLEV(7, 70, M_DEBUG) /* show detailed info from crypto.c routines */ #define D_PID_DEBUG LOGLEV(7, 70, M_DEBUG) /* show packet-id debugging info */ #define D_PF_DROPPED_BCAST LOGLEV(7, 71, M_DEBUG) /* packet filter dropped a broadcast packet */ #define D_PF_DEBUG LOGLEV(7, 72, M_DEBUG) /* packet filter debugging, must also define PF_DEBUG in pf.h */ +#define D_PUSH_DEBUG LOGLEV(7, 73, M_DEBUG) /* show push/pull debugging info */ #define D_HANDSHAKE_VERBOSE LOGLEV(8, 70, M_DEBUG) /* show detailed description of each handshake */ #define D_TLS_DEBUG_MED LOGLEV(8, 70, M_DEBUG) /* limited info from tls_session routines */ diff --git a/src/openvpn/error.c b/src/openvpn/error.c index 6ccdeae..425bc30 100644 --- a/src/openvpn/error.c +++ b/src/openvpn/error.c @@ -75,6 +75,10 @@ static bool std_redir; /* GLOBAL */ /* Should messages be written to the syslog? */ static bool use_syslog; /* GLOBAL */ +/* Should stdout/stderr be be parsable and always be prefixed with time + * and message flags */ +static bool machine_readable_output; /* GLOBAL */ + /* Should timestamps be included on messages to stdout/stderr? */ static bool suppress_timestamps; /* GLOBAL */ @@ -148,10 +152,17 @@ set_suppress_timestamps (bool suppressed) } void +set_machine_readable_output (bool parsable) +{ + machine_readable_output = parsable; +} + +void error_reset () { use_syslog = std_redir = false; suppress_timestamps = false; + machine_readable_output = false; x_debug_level = 1; mute_cutoff = 0; mute_count = 0; @@ -301,7 +312,22 @@ void x_msg_va (const unsigned int flags, const char *format, va_list arglist) FILE *fp = msg_fp(flags); const bool show_usec = check_debug_level (DEBUG_LEVEL_USEC_TIME); - if ((flags & M_NOPREFIX) || suppress_timestamps) + if (machine_readable_output) + { + struct timeval tv; + gettimeofday (&tv, NULL); + + fprintf (fp, "%lu.%06lu %x %s%s%s%s", + tv.tv_sec, + (unsigned long)tv.tv_usec, + flags, + prefix, + prefix_sep, + m1, + "\n"); + + } + else if ((flags & M_NOPREFIX) || suppress_timestamps) { fprintf (fp, "%s%s%s%s", prefix, @@ -427,7 +453,7 @@ close_syslog () #endif } -#ifdef WIN32 +#ifdef _WIN32 static HANDLE orig_stderr; @@ -445,7 +471,7 @@ get_orig_stderr (void) void redirect_stdout_stderr (const char *file, bool append) { -#if defined(WIN32) +#if defined(_WIN32) if (!std_redir) { struct gc_arena gc = gc_new (); @@ -577,7 +603,7 @@ x_check_status (int status, const char *extended_msg = NULL; msg (x_cs_verbose_level, "%s %s returned %d", - sock ? proto2ascii (sock->info.proto, true) : "", + sock ? proto2ascii (sock->info.proto, sock->info.af, true) : "", description, status); @@ -596,7 +622,7 @@ x_check_status (int status, sock->info.mtu_changed = true; } } -#elif defined(WIN32) +#elif defined(_WIN32) /* get possible driver error from TAP-Windows driver */ extended_msg = tap_win_getinfo (tt, &gc); #endif @@ -605,14 +631,14 @@ x_check_status (int status, if (extended_msg) msg (x_cs_info_level, "%s %s [%s]: %s (code=%d)", description, - sock ? proto2ascii (sock->info.proto, true) : "", + sock ? proto2ascii (sock->info.proto, sock->info.af, true) : "", extended_msg, strerror_ts (my_errno, &gc), my_errno); else msg (x_cs_info_level, "%s %s: %s (code=%d)", description, - sock ? proto2ascii (sock->info.proto, true) : "", + sock ? proto2ascii (sock->info.proto, sock->info.af, true) : "", strerror_ts (my_errno, &gc), my_errno); @@ -651,7 +677,7 @@ openvpn_exit (const int status) tun_abort(); -#ifdef WIN32 +#ifdef _WIN32 uninit_win32 (); #endif @@ -711,7 +737,7 @@ crash (void) } #endif -#ifdef WIN32 +#ifdef _WIN32 const char * strerror_win32 (DWORD errnum, struct gc_arena *gc) diff --git a/src/openvpn/error.h b/src/openvpn/error.h index 4024e5e..f43bc38 100644 --- a/src/openvpn/error.h +++ b/src/openvpn/error.h @@ -27,6 +27,11 @@ #include "basic.h" +#include <errno.h> +#include <stdbool.h> + +#include <assert.h> + /* #define ABORT_ON_ERROR */ #ifdef ENABLE_PKCS11 @@ -66,7 +71,7 @@ struct gc_arena; /* String and Error functions */ -#ifdef WIN32 +#ifdef _WIN32 # define openvpn_errno() GetLastError() # define openvpn_strerror(e, gc) strerror_win32(e, gc) const char *strerror_win32 (DWORD errnum, struct gc_arena *gc); @@ -138,12 +143,6 @@ extern int x_msg_line_num; /** Check muting filter */ bool dont_mute (unsigned int flags); -/** Return true if flags represent an enabled, not muted log level */ -static inline bool msg_test (unsigned int flags) -{ - return ((flags & M_DEBUG_LEVEL) <= x_debug_level) && dont_mute (flags); -} - /* Macro to ensure (and teach static analysis tools) we exit on fatal errors */ #define EXIT_FATAL(flags) do { if ((flags) & M_FATAL) _exit(1); } while (false) @@ -197,6 +196,8 @@ void error_reset (void); void errors_to_stderr (void); void set_suppress_timestamps (bool suppressed); +void set_machine_readable_output (bool parsable); + #define SDL_CONSTRAIN (1<<0) bool set_debug_level (const int level, const unsigned int flags); @@ -223,6 +224,14 @@ FILE *msg_fp(const unsigned int flags); void assert_failed (const char *filename, int line, const char *condition) __attribute__((__noreturn__)); +/* Poor-man's static_assert() for when not supplied by assert.h, taken from + * Linux's sys/cdefs.h under GPLv2 */ +#ifndef static_assert +#define static_assert(expr, diagnostic) \ + extern int (*__OpenVPN_static_assert_function (void)) \ + [!!sizeof (struct { int __error_if_negative: (expr) ? 2 : -1; })] +#endif + #ifdef ENABLE_DEBUG void crash (void); /* force a segfault (debugging only) */ #endif @@ -235,6 +244,12 @@ check_debug_level (unsigned int level) return (level & M_DEBUG_LEVEL) <= x_debug_level; } +/** Return true if flags represent an enabled, not muted log level */ +static inline bool msg_test (unsigned int flags) +{ + return check_debug_level (flags) && dont_mute (flags); +} + /* Call if we forked */ void msg_forked (void); @@ -246,7 +261,7 @@ void close_syslog (); /* log file output */ void redirect_stdout_stderr (const char *file, bool append); -#ifdef WIN32 +#ifdef _WIN32 /* get original stderr handle, even if redirected by --log/--log-append */ HANDLE get_orig_stderr (void); #endif @@ -341,7 +356,7 @@ static inline bool ignore_sys_error (const int err) { /* I/O operation pending */ -#ifdef WIN32 +#ifdef _WIN32 if (err == WSAEWOULDBLOCK || err == WSAEINVAL) return true; #else diff --git a/src/openvpn/event.c b/src/openvpn/event.c index c642691..409ad13 100644 --- a/src/openvpn/event.c +++ b/src/openvpn/event.c @@ -49,7 +49,7 @@ /* * All non-windows OSes are assumed to have select() */ -#ifdef WIN32 +#ifdef _WIN32 #define SELECT 0 #else #define SELECT 1 @@ -74,7 +74,7 @@ tv_to_ms_timeout (const struct timeval *tv) return max_int (tv->tv_sec * 1000 + (tv->tv_usec + 500) / 1000, 1); } -#ifdef WIN32 +#ifdef _WIN32 struct we_set { @@ -462,7 +462,7 @@ we_init (int *maxevents, unsigned int flags) return (struct event_set *) wes; } -#endif /* WIN32 */ +#endif /* _WIN32 */ #if EPOLL @@ -1007,7 +1007,7 @@ static struct event_set * event_set_init_simple (int *maxevents, unsigned int flags) { struct event_set *ret = NULL; -#ifdef WIN32 +#ifdef _WIN32 ret = we_init (maxevents, flags); #elif POLL && SELECT #if 0 /* Define to 1 if EVENT_METHOD_US_TIMEOUT should cause select to be favored over poll */ diff --git a/src/openvpn/event.h b/src/openvpn/event.h index bd29fdc..565343d 100644 --- a/src/openvpn/event.h +++ b/src/openvpn/event.h @@ -42,7 +42,7 @@ #define EVENT_METHOD_US_TIMEOUT (1<<0) #define EVENT_METHOD_FAST (1<<1) -#ifdef WIN32 +#ifdef _WIN32 typedef const struct rw_handle *event_t; @@ -137,7 +137,7 @@ event_set_return_init (struct event_set_return *esr) esr->arg = NULL; } -#ifdef WIN32 +#ifdef _WIN32 static inline void wait_signal (struct event_set *es, void *arg) diff --git a/src/openvpn/fdmisc.c b/src/openvpn/fdmisc.c index 7fe449c..ce01319 100644 --- a/src/openvpn/fdmisc.c +++ b/src/openvpn/fdmisc.c @@ -39,7 +39,7 @@ bool set_nonblock_action (int fd) { -#ifdef WIN32 +#ifdef _WIN32 u_long arg = 1; if (ioctlsocket (fd, FIONBIO, &arg)) return false; @@ -54,7 +54,7 @@ set_nonblock_action (int fd) bool set_cloexec_action (int fd) { -#ifndef WIN32 +#ifndef _WIN32 if (fcntl (fd, F_SETFD, FD_CLOEXEC) < 0) return false; #endif diff --git a/src/openvpn/fdmisc.h b/src/openvpn/fdmisc.h index 13d6552..d34db9b 100644 --- a/src/openvpn/fdmisc.h +++ b/src/openvpn/fdmisc.h @@ -37,7 +37,7 @@ void set_cloexec (int fd); static inline void openvpn_fd_set(int fd, fd_set *setp) { -#ifndef WIN32 /* The Windows FD_SET() implementation does not overflow */ +#ifndef _WIN32 /* The Windows FD_SET() implementation does not overflow */ ASSERT (fd >= 0 && fd < FD_SETSIZE); #endif FD_SET (fd, setp); diff --git a/src/openvpn/forward-inline.h b/src/openvpn/forward-inline.h index 5853ce2..5d4e308 100644 --- a/src/openvpn/forward-inline.h +++ b/src/openvpn/forward-inline.h @@ -35,7 +35,7 @@ static inline void check_tls (struct context *c) { -#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL) +#if defined(ENABLE_CRYPTO) void check_tls_dowork (struct context *c); if (c->c2.tls_multi) check_tls_dowork (c); @@ -49,7 +49,7 @@ check_tls (struct context *c) static inline void check_tls_errors (struct context *c) { -#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL) +#if defined(ENABLE_CRYPTO) void check_tls_errors_co (struct context *c); void check_tls_errors_nco (struct context *c); if (c->c2.tls_multi && c->c2.tls_exit_signal) @@ -125,7 +125,7 @@ check_server_poll_timeout (struct context *c) { void check_server_poll_timeout_dowork (struct context *c); - if (c->options.server_poll_timeout + if (c->options.ce.connect_timeout && event_timeout_trigger (&c->c2.server_poll_interval, &c->c2.timeval, ETT_DEFAULT)) check_server_poll_timeout_dowork (c); } diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c index d55fa3b..b50a2e0 100644 --- a/src/openvpn/forward.c +++ b/src/openvpn/forward.c @@ -39,6 +39,7 @@ #include "ps.h" #include "dhcp.h" #include "common.h" +#include "ssl_verify.h" #include "memdbg.h" @@ -87,7 +88,7 @@ show_wait_status (struct context *c) * traffic on the control-channel. * */ -#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL) +#ifdef ENABLE_CRYPTO void check_tls_dowork (struct context *c) { @@ -116,9 +117,6 @@ check_tls_dowork (struct context *c) if (wakeup) context_reschedule_sec (c, wakeup); } -#endif - -#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL) void check_tls_errors_co (struct context *c) @@ -132,8 +130,7 @@ check_tls_errors_nco (struct context *c) { register_signal (c, c->c2.tls_exit_signal, "tls-error"); /* SOFT-SIGUSR1 -- TLS error */ } - -#endif +#endif /* ENABLE_CRYPTO */ #if P2MP @@ -211,12 +208,14 @@ check_connection_established_dowork (struct context *c) management_set_state (management, OPENVPN_STATE_GET_CONFIG, NULL, - 0, - 0); + NULL, + NULL, + NULL, + NULL); } #endif - /* send push request in 1 sec */ - event_timeout_init (&c->c2.push_request_interval, 1, now); + /* fire up push request right away (already 1s delayed) */ + event_timeout_init (&c->c2.push_request_interval, 0, now); reset_coarse_timers (c); } else @@ -238,7 +237,7 @@ check_connection_established_dowork (struct context *c) bool send_control_channel_string (struct context *c, const char *str, int msglevel) { -#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL) +#ifdef ENABLE_CRYPTO if (c->c2.tls_multi) { struct gc_arena gc = gc_new (); bool stat; @@ -263,7 +262,7 @@ send_control_channel_string (struct context *c, const char *str, int msglevel) gc_free (&gc); return stat; } -#endif +#endif /* ENABLE_CRYPTO */ return true; } @@ -302,7 +301,7 @@ check_add_routes_dowork (struct context *c) { register_signal (c, SIGHUP, "ip-fail"); c->persist.restart_sleep_seconds = 10; -#ifdef WIN32 +#ifdef _WIN32 show_routes (M_INFO|M_NOPREFIX); show_adapters (M_INFO|M_NOPREFIX); #endif @@ -325,6 +324,13 @@ check_inactivity_timeout_dowork (struct context *c) register_signal (c, SIGTERM, "inactive"); } +int +get_server_poll_remaining_time (struct event_timeout* server_poll_timeout) +{ + update_time(); + int remaining = event_timeout_remaining(server_poll_timeout); + return max_int (0, remaining); +} #if P2MP void @@ -385,7 +391,7 @@ check_fragment_dowork (struct context *c) struct link_socket_info *lsi = get_link_socket_info (c); /* OS MTU Hint? */ - if (lsi->mtu_changed && c->c2.ipv4_tun) + if (lsi->mtu_changed) { frame_adjust_path_mtu (&c->c2.frame_fragment, c->c2.link_socket->mtu, c->options.ce.proto); @@ -433,6 +439,7 @@ encrypt_sign (struct context *c, bool comp_frag) { struct context_buffers *b = c->c2.buffers; const uint8_t *orig_buf = c->c2.buf.data; + struct crypto_options *co = NULL; #if P2MP_SERVER /* @@ -445,10 +452,10 @@ encrypt_sign (struct context *c, bool comp_frag) if (comp_frag) { -#ifdef ENABLE_LZO +#ifdef USE_COMP /* Compress the packet. */ - if (lzo_defined (&c->c2.lzo_compwork)) - lzo_compress (&c->c2.buf, b->lzo_compress_buf, &c->c2.lzo_compwork, &c->c2.frame); + if (c->c2.comp_context) + (*c->c2.comp_context->alg.compress)(&c->c2.buf, b->compress_buf, c->c2.comp_context, &c->c2.frame); #endif #ifdef ENABLE_FRAGMENT if (c->c2.fragment) @@ -457,43 +464,41 @@ encrypt_sign (struct context *c, bool comp_frag) } #ifdef ENABLE_CRYPTO -#ifdef ENABLE_SSL - /* - * If TLS mode, get the key we will use to encrypt - * the packet. - */ + /* initialize work buffer with FRAME_HEADROOM bytes of prepend capacity */ + ASSERT (buf_init (&b->encrypt_buf, FRAME_HEADROOM (&c->c2.frame))); + if (c->c2.tls_multi) { - tls_pre_encrypt (c->c2.tls_multi, &c->c2.buf, &c->c2.crypto_options); + /* Get the key we will use to encrypt the packet. */ + tls_pre_encrypt (c->c2.tls_multi, &c->c2.buf, &co); + /* If using P_DATA_V2, prepend the 1-byte opcode and 3-byte peer-id to the + * packet before openvpn_encrypt(), so we can authenticate the opcode too. + */ + if (c->c2.buf.len > 0 && !c->c2.tls_multi->opt.server && c->c2.tls_multi->use_peer_id) + tls_prepend_opcode_v2 (c->c2.tls_multi, &b->encrypt_buf); + } + else + { + co = &c->c2.crypto_options; } -#endif - /* - * Encrypt the packet and write an optional - * HMAC signature. - */ - openvpn_encrypt (&c->c2.buf, b->encrypt_buf, &c->c2.crypto_options, &c->c2.frame); + /* Encrypt and authenticate the packet */ + openvpn_encrypt (&c->c2.buf, b->encrypt_buf, co); + + /* Do packet administration */ + if (c->c2.tls_multi) + { + if (c->c2.buf.len > 0 && (c->c2.tls_multi->opt.server || !c->c2.tls_multi->use_peer_id)) + tls_prepend_opcode_v1(c->c2.tls_multi, &c->c2.buf); + tls_post_encrypt (c->c2.tls_multi, &c->c2.buf); + } #endif + /* * Get the address we will be sending the packet to. */ link_socket_get_outgoing_addr (&c->c2.buf, get_link_socket_info (c), &c->c2.to_link_addr); -#ifdef ENABLE_CRYPTO -#ifdef ENABLE_SSL - /* - * In TLS mode, prepend the appropriate one-byte opcode - * to the packet which identifies it as a data channel - * packet and gives the low-permutation version of - * the key-id to the recipient so it knows which - * decrypt key to use. - */ - if (c->c2.tls_multi) - { - tls_post_encrypt (c->c2.tls_multi, &c->c2.buf); - } -#endif -#endif /* if null encryption, copy result to read_tun_buf */ buffer_turnover (orig_buf, &c->c2.to_link, &c->c2.buf, &b->read_tun_buf); @@ -540,13 +545,16 @@ process_coarse_timers (struct context *c) return; #if P2MP - check_server_poll_timeout (c); - if (c->sig->signal_received) - return; + if (c->c2.tls_multi) + { + check_server_poll_timeout (c); + if (c->sig->signal_received) + return; - check_scheduled_exit (c); - if (c->sig->signal_received) - return; + check_scheduled_exit (c); + if (c->sig->signal_received) + return; + } #endif #ifdef ENABLE_OCC @@ -611,8 +619,6 @@ check_timeout_random_component (struct context *c) tv_add (&c->c2.timeval, &c->c2.timeout_random_component); } -#ifdef ENABLE_SOCKS - /* * Handle addition and removal of the 10-byte Socks5 header * in UDP packets. @@ -621,7 +627,7 @@ check_timeout_random_component (struct context *c) static inline void socks_postprocess_incoming_link (struct context *c) { - if (c->c2.link_socket->socks_proxy && c->c2.link_socket->info.proto == PROTO_UDPv4) + if (c->c2.link_socket->socks_proxy && c->c2.link_socket->info.proto == PROTO_UDP) socks_process_incoming_udp (&c->c2.buf, &c->c2.from); } @@ -630,7 +636,7 @@ socks_preprocess_outgoing_link (struct context *c, struct link_socket_actual **to_addr, int *size_delta) { - if (c->c2.link_socket->socks_proxy && c->c2.link_socket->info.proto == PROTO_UDPv4) + if (c->c2.link_socket->socks_proxy && c->c2.link_socket->info.proto == PROTO_UDP) { *size_delta += socks_process_outgoing_udp (&c->c2.to_link, c->c2.to_link_addr); *to_addr = &c->c2.link_socket->socks_relay; @@ -650,7 +656,6 @@ link_socket_write_post_size_adjust (int *size, *size = 0; } } -#endif /* * Output: c->c2.buf @@ -674,7 +679,6 @@ read_incoming_link (struct context *c) status = link_socket_read (c->c2.link_socket, &c->c2.buf, - MAX_RW_SIZE_LINK (&c->c2.frame), &c->c2.from); if (socket_connection_reset (c->c2.link_socket, status)) @@ -719,28 +723,17 @@ read_incoming_link (struct context *c) /* check recvfrom status */ check_status (status, "read", c->c2.link_socket, NULL); -#ifdef ENABLE_SOCKS /* Remove socks header if applicable */ socks_postprocess_incoming_link (c); -#endif perf_pop (); } -/* - * Input: c->c2.buf - * Output: c->c2.to_tun - */ - -void -process_incoming_link (struct context *c) +bool +process_incoming_link_part1 (struct context *c, struct link_socket_info *lsi, bool floated) { struct gc_arena gc = gc_new (); - bool decrypt_status; - struct link_socket_info *lsi = get_link_socket_info (c); - const uint8_t *orig_buf = c->c2.buf.data; - - perf_push (PERF_PROC_IN_LINK); + bool decrypt_status = false; if (c->c2.buf.len > 0) { @@ -779,7 +772,7 @@ process_incoming_link (struct context *c) fprintf (stderr, "R"); #endif msg (D_LINK_RW, "%s READ [%d] from %s: %s", - proto2ascii (lsi->proto, true), + proto2ascii (lsi->proto, lsi->af, true), BLEN (&c->c2.buf), print_link_socket_actual (&c->c2.from, &gc), PROTO_DUMP (&c->c2.buf, &gc)); @@ -793,11 +786,12 @@ process_incoming_link (struct context *c) */ if (c->c2.buf.len > 0) { + struct crypto_options *co = NULL; + const uint8_t *ad_start = NULL; if (!link_socket_verify_incoming_addr (&c->c2.buf, lsi, &c->c2.from)) link_socket_bad_incoming_addr (&c->c2.buf, lsi, &c->c2.from); #ifdef ENABLE_CRYPTO -#ifdef ENABLE_SSL if (c->c2.tls_multi) { /* @@ -810,7 +804,8 @@ process_incoming_link (struct context *c) * will load crypto_options with the correct encryption key * and return false. */ - if (tls_pre_decrypt (c->c2.tls_multi, &c->c2.from, &c->c2.buf, &c->c2.crypto_options)) + if (tls_pre_decrypt (c->c2.tls_multi, &c->c2.from, &c->c2.buf, &co, + floated, &ad_start)) { interval_action (&c->c2.tmp_int); @@ -819,6 +814,10 @@ process_incoming_link (struct context *c) event_timeout_reset (&c->c2.ping_rec_interval); } } + else + { + co = &c->c2.crypto_options; + } #if P2MP_SERVER /* * Drop non-TLS packet if client-connect script/plugin has not @@ -827,30 +826,44 @@ process_incoming_link (struct context *c) if (c->c2.context_auth != CAS_SUCCEEDED) c->c2.buf.len = 0; #endif -#endif /* ENABLE_SSL */ /* authenticate and decrypt the incoming packet */ - decrypt_status = openvpn_decrypt (&c->c2.buf, c->c2.buffers->decrypt_buf, &c->c2.crypto_options, &c->c2.frame); + decrypt_status = openvpn_decrypt (&c->c2.buf, c->c2.buffers->decrypt_buf, + co, &c->c2.frame, ad_start); if (!decrypt_status && link_socket_connection_oriented (c->c2.link_socket)) { /* decryption errors are fatal in TCP mode */ register_signal (c, SIGUSR1, "decryption-error"); /* SOFT-SIGUSR1 -- decryption error in TCP mode */ msg (D_STREAM_ERRORS, "Fatal decryption error (process_incoming_link), restarting"); - goto done; } - +#else /* ENABLE_CRYPTO */ + decrypt_status = true; #endif /* ENABLE_CRYPTO */ + } + else + { + buf_reset (&c->c2.to_tun); + } + gc_free (&gc); + + return decrypt_status; +} +void +process_incoming_link_part2 (struct context *c, struct link_socket_info *lsi, const uint8_t *orig_buf) +{ + if (c->c2.buf.len > 0) + { #ifdef ENABLE_FRAGMENT if (c->c2.fragment) fragment_incoming (c->c2.fragment, &c->c2.buf, &c->c2.frame_fragment); #endif -#ifdef ENABLE_LZO +#ifdef USE_COMP /* decompress the incoming packet */ - if (lzo_defined (&c->c2.lzo_compwork)) - lzo_decompress (&c->c2.buf, c->c2.buffers->lzo_decompress_buf, &c->c2.lzo_compwork, &c->c2.frame); + if (c->c2.comp_context) + (*c->c2.comp_context->alg.decompress)(&c->c2.buf, c->c2.buffers->decompress_buf, c->c2.comp_context, &c->c2.frame); #endif #ifdef PACKET_TRUNCATION_CHECK @@ -908,9 +921,20 @@ process_incoming_link (struct context *c) { buf_reset (&c->c2.to_tun); } - done: +} + +void +process_incoming_link (struct context *c) +{ + perf_push (PERF_PROC_IN_LINK); + + struct link_socket_info *lsi = get_link_socket_info (c); + const uint8_t *orig_buf = c->c2.buf.data; + + process_incoming_link_part1(c, lsi, false); + process_incoming_link_part2(c, lsi, orig_buf); + perf_pop (); - gc_free (&gc); } /* @@ -969,6 +993,76 @@ read_incoming_tun (struct context *c) perf_pop (); } +/** + * Drops UDP packets which OS decided to route via tun. + * + * On Windows and OS X when netwotk adapter is disabled or + * disconnected, platform starts to use tun as external interface. + * When packet is sent to tun, it comes to openvpn, encapsulated + * and sent to routing table, which sends it again to tun. + */ +static void +drop_if_recursive_routing (struct context *c, struct buffer *buf) +{ + bool drop = false; + struct openvpn_sockaddr tun_sa; + int ip_hdr_offset = 0; + + if (c->c2.to_link_addr == NULL) /* no remote addr known */ + return; + + tun_sa = c->c2.to_link_addr->dest; + + int proto_ver = get_tun_ip_ver (TUNNEL_TYPE (c->c1.tuntap), &c->c2.buf, &ip_hdr_offset); + + if (proto_ver == 4) + { + const struct openvpn_iphdr *pip; + + /* make sure we got whole IP header */ + if (BLEN (buf) < ((int) sizeof (struct openvpn_iphdr) + ip_hdr_offset)) + return; + + /* skip ipv4 packets for ipv6 tun */ + if (tun_sa.addr.sa.sa_family != AF_INET) + return; + + pip = (struct openvpn_iphdr *) (BPTR (buf) + ip_hdr_offset); + + /* drop packets with same dest addr as gateway */ + if (tun_sa.addr.in4.sin_addr.s_addr == pip->daddr) + drop = true; + } + else if (proto_ver == 6) + { + const struct openvpn_ipv6hdr *pip6; + + /* make sure we got whole IPv6 header */ + if (BLEN (buf) < ((int) sizeof (struct openvpn_ipv6hdr) + ip_hdr_offset)) + return; + + /* skip ipv6 packets for ipv4 tun */ + if (tun_sa.addr.sa.sa_family != AF_INET6) + return; + + /* drop packets with same dest addr as gateway */ + pip6 = (struct openvpn_ipv6hdr *) (BPTR (buf) + ip_hdr_offset); + if (IN6_ARE_ADDR_EQUAL(&tun_sa.addr.in6.sin6_addr, &pip6->daddr)) + drop = true; + } + + if (drop) + { + struct gc_arena gc = gc_new (); + + c->c2.buf.len = 0; + + msg(D_LOW, "Recursive routing detected, drop tun packet to %s", + print_link_socket_actual(c->c2.to_link_addr, &gc)); + gc_free (&gc); + } +} + /* * Input: c->c2.buf * Output: c->c2.to_link @@ -994,6 +1088,8 @@ process_incoming_tun (struct context *c) if (c->c2.buf.len > 0) { + if ((c->options.mode == MODE_POINT_TO_POINT) && (!c->options.allow_recursive_routing)) + drop_if_recursive_routing (c, &c->c2.buf); /* * The --passtos and --mssfix options require * us to examine the IP header (IPv4 or IPv6). @@ -1028,6 +1124,8 @@ process_ip_header (struct context *c, unsigned int flags, struct buffer *buf) if (!c->options.passtos) flags &= ~PIPV4_PASSTOS; #endif + if (!c->options.client_nat) + flags &= ~PIPV4_CLIENT_NAT; if (!c->options.route_gateway_via_dhcp) flags &= ~PIPV4_EXTRACT_DHCP_ROUTER; @@ -1037,11 +1135,13 @@ process_ip_header (struct context *c, unsigned int flags, struct buffer *buf) * The --passtos and --mssfix options require * us to examine the IPv4 header. */ + + if (flags & (PIP_MSSFIX #if PASSTOS_CAPABILITY - if (flags & (PIPV4_PASSTOS|PIP_MSSFIX)) -#else - if (flags & PIP_MSSFIX) + | PIPV4_PASSTOS #endif + | PIPV4_CLIENT_NAT + )) { struct buffer ipbuf = *buf; if (is_ipv4 (TUNNEL_TYPE (c->c1.tuntap), &ipbuf)) @@ -1056,14 +1156,12 @@ process_ip_header (struct context *c, unsigned int flags, struct buffer *buf) if (flags & PIP_MSSFIX) mss_fixup_ipv4 (&ipbuf, MTU_TO_MSS (TUN_MTU_SIZE_DYNAMIC (&c->c2.frame))); -#ifdef ENABLE_CLIENT_NAT /* possibly do NAT on packet */ if ((flags & PIPV4_CLIENT_NAT) && c->options.client_nat) { const int direction = (flags & PIPV4_OUTGOING) ? CN_INCOMING : CN_OUTGOING; client_nat_transform (c->options.client_nat, &ipbuf, direction); } -#endif /* possibly extract a DHCP router message */ if (flags & PIPV4_EXTRACT_DHCP_ROUTER) { @@ -1090,6 +1188,7 @@ void process_outgoing_link (struct context *c) { struct gc_arena gc = gc_new (); + int error_code = 0; perf_push (PERF_PROC_OUT_LINK); @@ -1133,7 +1232,7 @@ process_outgoing_link (struct context *c) fprintf (stderr, "W"); #endif msg (D_LINK_RW, "%s WRITE [%d] to %s: %s", - proto2ascii (c->c2.link_socket->info.proto, true), + proto2ascii (c->c2.link_socket->info.proto, c->c2.link_socket->info.af, true), BLEN (&c->c2.to_link), print_link_socket_actual (c->c2.to_link_addr, &gc), PROTO_DUMP (&c->c2.to_link, &gc)); @@ -1141,23 +1240,18 @@ process_outgoing_link (struct context *c) /* Packet send complexified by possible Socks5 usage */ { struct link_socket_actual *to_addr = c->c2.to_link_addr; -#ifdef ENABLE_SOCKS int size_delta = 0; -#endif -#ifdef ENABLE_SOCKS /* If Socks5 over UDP, prepend header */ socks_preprocess_outgoing_link (c, &to_addr, &size_delta); -#endif + /* Send packet */ size = link_socket_write (c->c2.link_socket, &c->c2.to_link, to_addr); -#ifdef ENABLE_SOCKS /* Undo effect of prepend */ link_socket_write_post_size_adjust (&size, size_delta, &c->c2.to_link); -#endif } if (size > 0) @@ -1182,6 +1276,7 @@ process_outgoing_link (struct context *c) } /* Check return status */ + error_code = openvpn_errno(); check_status (size, "write", c->c2.link_socket, NULL); if (size > 0) @@ -1198,6 +1293,17 @@ process_outgoing_link (struct context *c) /* if not a ping/control message, indicate activity regarding --inactive parameter */ if (c->c2.buf.len > 0 ) register_activity (c, size); + + +#ifdef ENABLE_CRYPTO + /* for unreachable network and "connecting" state switch to the next host */ + if (size < 0 && ENETUNREACH == error_code && c->c2.tls_multi && + !tls_initial_packet_received (c->c2.tls_multi) && c->options.mode == MODE_POINT_TO_POINT) + { + msg (M_INFO, "Network unreachable, restarting"); + register_signal (c, SIGUSR1, "network-unreachable"); + } +#endif } else { @@ -1314,7 +1420,7 @@ pre_select (struct context *c) c->c2.timeval.tv_sec = BIG_TIMEOUT; c->c2.timeval.tv_usec = 0; -#if defined(WIN32) +#if defined(_WIN32) if (check_debug_level (D_TAP_WIN_DEBUG)) { c->c2.timeval.tv_sec = 1; @@ -1373,6 +1479,9 @@ io_wait_dowork (struct context *c, const unsigned int flags) #ifdef ENABLE_MANAGEMENT static int management_shift = 6; /* depends on MANAGEMENT_READ and MANAGEMENT_WRITE */ #endif +#ifdef ENABLE_ASYNC_PUSH + static int file_shift = 8; /* listening inotify events */ +#endif /* * Decide what kind of events we want to wait for. @@ -1467,6 +1576,11 @@ io_wait_dowork (struct context *c, const unsigned int flags) management_socket_set (management, c->c2.event_set, (void*)&management_shift, NULL); #endif +#ifdef ENABLE_ASYNC_PUSH + /* arm inotify watcher */ + event_ctl (c->c2.event_set, c->c2.inotify_fd, EVENT_READ, (void*)&file_shift); +#endif + /* * Possible scenarios: * (1) tcp/udp port has data available to read diff --git a/src/openvpn/forward.h b/src/openvpn/forward.h index 1830a00..0856aa7 100644 --- a/src/openvpn/forward.h +++ b/src/openvpn/forward.h @@ -103,7 +103,7 @@ void show_wait_status (struct context *c); * once for each remaining fragment with this parameter set to false. */ void encrypt_sign (struct context *c, bool comp_frag); - +int get_server_poll_remaining_time (struct event_timeout* server_poll_timeout); /**********************************************************************/ /** @@ -127,12 +127,11 @@ void encrypt_sign (struct context *c, bool comp_frag); */ void read_incoming_link (struct context *c); - /** - * Process a packet read from the external network interface. + * Starts processing a packet read from the external network interface. * @ingroup external_multiplexer * - * This function controls the processing of a data channel packet which + * This function starts the processing of a data channel packet which * has come out of a VPN tunnel. It's high-level structure is as follows: * - Verify that a nonzero length packet has been received from a valid * source address for the given context \a c. @@ -146,6 +145,25 @@ void read_incoming_link (struct context *c); * - Call \c openvpn_decrypt() of the \link data_crypto Data Channel * Crypto module\endlink to authenticate and decrypt the packet using * the security parameters loaded by \c tls_pre_decrypt() above. + * + * @param c - The context structure of the VPN tunnel associated with the + * packet. + * @param lsi - link_socket_info obtained from context before processing. + * @param floated - Flag indicates that peer has floated. + * + * @return true if packet is authenticated, false otherwise. + */ +bool process_incoming_link_part1 (struct context *c, struct link_socket_info *lsi, bool floated); + +/** + * Continues processing a packet read from the external network interface. + * @ingroup external_multiplexer + * + * This function continues the processing of a data channel packet which + * has come out of a VPN tunnel. It must be called after + * \c process_incoming_link_part1() function. + * + * It's high-level structure is as follows: * - Call \c fragment_incoming() of the \link fragmentation Data Channel * Fragmentation module\endlink to reassemble the packet if it's * fragmented. @@ -158,9 +176,11 @@ void read_incoming_link (struct context *c); * * @param c - The context structure of the VPN tunnel associated with the * packet. + * @param lsi - link_socket_info obtained from context before processing. + * @param orig_buf - Pointer to a buffer data. + * */ -void process_incoming_link (struct context *c); - +void process_incoming_link_part2 (struct context *c, struct link_socket_info *lsi, const uint8_t *orig_buf); /** * Write a packet to the external network interface. diff --git a/src/openvpn/helper.c b/src/openvpn/helper.c index 62f88ec..229523d 100644 --- a/src/openvpn/helper.c +++ b/src/openvpn/helper.c @@ -200,8 +200,6 @@ helper_client_server (struct options *o) add_in6_addr( o->server_network_ipv6, 0x1000 ); o->ifconfig_ipv6_pool_netbits = o->server_netbits_ipv6; - o->tun_ipv6 = true; - push_option( o, "tun-ipv6", M_USAGE ); } diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 2148777..470dc89 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -43,6 +43,9 @@ #include "lladdr.h" #include "ping.h" #include "mstats.h" +#include "ssl_verify.h" +#include "tls_crypt.h" +#include "forward-inline.h" #include "memdbg.h" @@ -125,42 +128,25 @@ management_callback_proxy_cmd (void *arg, const char **p) ret = true; else if (p[2] && p[3]) { - const int port = atoi(p[3]); - if (!legal_ipv4_port (port)) - { - msg (M_WARN, "Bad proxy port number: %s", p[3]); - return false; - } - if (streq (p[1], "HTTP")) { -#ifndef ENABLE_HTTP_PROXY - msg (M_WARN, "HTTP proxy support is not available"); -#else struct http_proxy_options *ho; - if (ce->proto != PROTO_TCPv4 && ce->proto != PROTO_TCPv4_CLIENT && - ce->proto != PROTO_TCPv6 && ce->proto != PROTO_TCPv6_CLIENT) + if (ce->proto != PROTO_TCP && ce->proto != PROTO_TCP_CLIENT ) { msg (M_WARN, "HTTP proxy support only works for TCP based connections"); return false; } ho = init_http_proxy_options_once (&ce->http_proxy_options, gc); ho->server = string_alloc (p[2], gc); - ho->port = port; - ho->retry = true; + ho->port = string_alloc (p[3], gc); ho->auth_retry = (p[4] && streq (p[4], "nct") ? PAR_NCT : PAR_ALL); ret = true; -#endif } else if (streq (p[1], "SOCKS")) { -#ifndef ENABLE_SOCKS - msg (M_WARN, "SOCKS proxy support is not available"); -#else ce->socks_proxy_server = string_alloc (p[2], gc); - ce->socks_proxy_port = port; + ce->socks_proxy_port = p[3]; ret = true; -#endif } } else @@ -227,8 +213,7 @@ management_callback_remote_cmd (void *arg, const char **p) } else if (!strcmp(p[1], "MOD") && p[2] && p[3]) { - const int port = atoi(p[3]); - if (strlen(p[2]) < RH_HOST_LEN && legal_ipv4_port(port)) + if (strlen(p[2]) < RH_HOST_LEN && strlen(p[3]) < RH_PORT_LEN) { struct remote_host_store *rhs = c->options.rh_store; if (!rhs) @@ -237,8 +222,10 @@ management_callback_remote_cmd (void *arg, const char **p) c->options.rh_store = rhs; } strncpynt(rhs->host, p[2], RH_HOST_LEN); + strncpynt(rhs->port, p[3], RH_PORT_LEN); + ce->remote = rhs->host; - ce->remote_port = port; + ce->remote_port = rhs->port; flags = CE_MAN_QUERY_REMOTE_MOD; ret = true; } @@ -253,7 +240,7 @@ management_callback_remote_cmd (void *arg, const char **p) } static bool -ce_management_query_remote (struct context *c, const char *remote_ip_hint) +ce_management_query_remote (struct context *c) { struct gc_arena gc = gc_new (); volatile struct connection_entry *ce = &c->options.ce; @@ -262,7 +249,7 @@ ce_management_query_remote (struct context *c, const char *remote_ip_hint) if (management) { struct buffer out = alloc_buf_gc (256, &gc); - buf_printf (&out, ">REMOTE:%s,%d,%s", np(ce->remote), ce->remote_port, proto2ascii(ce->proto, false)); + buf_printf (&out, ">REMOTE:%s,%s,%s", np(ce->remote), ce->remote_port, proto2ascii(ce->proto, ce->af, false)); management_notify_generic(management, BSTR (&out)); ce->flags &= ~(CE_MAN_QUERY_REMOTE_MASK<<CE_MAN_QUERY_REMOTE_SHIFT); ce->flags |= (CE_MAN_QUERY_REMOTE_QUERY<<CE_MAN_QUERY_REMOTE_SHIFT); @@ -278,8 +265,6 @@ ce_management_query_remote (struct context *c, const char *remote_ip_hint) } { const int flags = ((ce->flags>>CE_MAN_QUERY_REMOTE_SHIFT) & CE_MAN_QUERY_REMOTE_MASK); - if (flags == CE_MAN_QUERY_REMOTE_ACCEPT && remote_ip_hint) - ce->remote = remote_ip_hint; ret = (flags != CE_MAN_QUERY_REMOTE_SKIP); } gc_free (&gc); @@ -294,95 +279,129 @@ static void init_connection_list (struct context *c) { struct connection_list *l = c->options.connection_list; - if (l) + + l->current = -1; + if (c->options.remote_random) { - l->current = -1; - if (c->options.remote_random) - { - int i; - for (i = 0; i < l->len; ++i) - { - const int j = get_random () % l->len; - if (i != j) - { - struct connection_entry *tmp; - tmp = l->array[i]; - l->array[i] = l->array[j]; - l->array[j] = tmp; - } - } - } + int i; + for (i = 0; i < l->len; ++i) + { + const int j = get_random () % l->len; + if (i != j) + { + struct connection_entry *tmp; + tmp = l->array[i]; + l->array[i] = l->array[j]; + l->array[j] = tmp; + } + } } } /* + * Clear the remote address list + */ +static void clear_remote_addrlist (struct link_socket_addr *lsa, bool free) +{ + if (lsa->remote_list && free) + freeaddrinfo(lsa->remote_list); + lsa->remote_list = NULL; + lsa->current_remote = NULL; +} + +/* * Increment to next connection entry */ static void next_connection_entry (struct context *c) { struct connection_list *l = c->options.connection_list; - if (l) - { - bool ce_defined; - struct connection_entry *ce; - int n_cycles = 0; - - do { - const char *remote_ip_hint = NULL; - bool newcycle = false; + bool ce_defined; + struct connection_entry *ce; + int n_cycles = 0; - ce_defined = true; - if (l->no_advance && l->current >= 0) - { - l->no_advance = false; - } - else - { - if (++l->current >= l->len) + do { + ce_defined = true; + if (c->options.no_advance && l->current >= 0) + { + c->options.no_advance = false; + } + else + { + /* Check if there is another resolved address to try for + * the current connection */ + if (c->c1.link_socket_addr.current_remote && + c->c1.link_socket_addr.current_remote->ai_next) + { + c->c1.link_socket_addr.current_remote = + c->c1.link_socket_addr.current_remote->ai_next; + } + else + { + /* FIXME (schwabe) fix the persist-remote-ip option for real, + * this is broken probably ever since connection lists and multiple + * remote existed + */ + if (!c->options.persist_remote_ip) { - l->current = 0; - ++l->n_cycles; - if (++n_cycles >= 2) - msg (M_FATAL, "No usable connection profiles are present"); + /* close_instance should have cleared the addrinfo objects */ + ASSERT (c->c1.link_socket_addr.current_remote == NULL); + ASSERT (c->c1.link_socket_addr.remote_list == NULL); } + else + c->c1.link_socket_addr.current_remote = + c->c1.link_socket_addr.remote_list; - if (l->current == 0) - newcycle = true; - } + /* + * Increase the number of connection attempts + * If this is connect-retry-max * size(l) + * OpenVPN will quit + */ - ce = l->array[l->current]; + c->options.unsuccessful_attempts++; - if (c->options.remote_ip_hint && !l->n_cycles) - remote_ip_hint = c->options.remote_ip_hint; + if (++l->current >= l->len) + { - if (ce->flags & CE_DISABLED) - ce_defined = false; + l->current = 0; + if (++n_cycles >= 2) + msg (M_FATAL, "No usable connection profiles are present"); + } + } + } + + ce = l->array[l->current]; - c->options.ce = *ce; + if (ce->flags & CE_DISABLED) + ce_defined = false; + + c->options.ce = *ce; #ifdef ENABLE_MANAGEMENT - if (ce_defined && management && management_query_remote_enabled(management)) - { - /* allow management interface to override connection entry details */ - ce_defined = ce_management_query_remote(c, remote_ip_hint); - if (IS_SIG (c)) - break; - } - else + if (ce_defined && management && management_query_remote_enabled(management)) + { + /* allow management interface to override connection entry details */ + ce_defined = ce_management_query_remote(c); + if (IS_SIG (c)) + break; + } + else #endif - if (remote_ip_hint) - c->options.ce.remote = remote_ip_hint; #ifdef ENABLE_MANAGEMENT - if (ce_defined && management && management_query_proxy_enabled (management)) - { - ce_defined = ce_management_query_proxy (c); - if (IS_SIG (c)) - break; - } + if (ce_defined && management && management_query_proxy_enabled (management)) + { + ce_defined = ce_management_query_proxy (c); + if (IS_SIG (c)) + break; + } #endif - } while (!ce_defined); - } + } while (!ce_defined); + + /* Check if this connection attempt would bring us over the limit */ + if (c->options.connect_retry_max > 0 && + c->options.unsuccessful_attempts > (l->len * c->options.connect_retry_max)) + msg(M_FATAL, "All connections have been connect-retry-max (%d) times unsuccessful, exiting", + c->options.connect_retry_max); update_options_ce_post (&c->options); } @@ -392,7 +411,7 @@ next_connection_entry (struct context *c) void init_query_passwords (const struct context *c) { -#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL) +#ifdef ENABLE_CRYPTO /* Certificate password input */ if (c->options.key_pass_file) pem_password_setup (c->options.key_pass_file); @@ -415,47 +434,30 @@ init_query_passwords (const struct context *c) * Initialize/Uninitialize HTTP or SOCKS proxy */ -#ifdef GENERAL_PROXY_SUPPORT - -static int -proxy_scope (struct context *c) -{ - return connection_list_defined (&c->options) ? 2 : 1; -} - static void uninit_proxy_dowork (struct context *c) { -#ifdef ENABLE_HTTP_PROXY if (c->c1.http_proxy_owned && c->c1.http_proxy) { http_proxy_close (c->c1.http_proxy); c->c1.http_proxy = NULL; c->c1.http_proxy_owned = false; } -#endif -#ifdef ENABLE_SOCKS if (c->c1.socks_proxy_owned && c->c1.socks_proxy) { socks_proxy_close (c->c1.socks_proxy); c->c1.socks_proxy = NULL; c->c1.socks_proxy_owned = false; } -#endif } static void init_proxy_dowork (struct context *c) { -#ifdef ENABLE_HTTP_PROXY bool did_http = false; -#else - const bool did_http = false; -#endif uninit_proxy_dowork (c); -#ifdef ENABLE_HTTP_PROXY if (c->options.ce.http_proxy_options) { /* Possible HTTP proxy user/pass input */ @@ -466,51 +468,31 @@ init_proxy_dowork (struct context *c) c->c1.http_proxy_owned = true; } } -#endif -#ifdef ENABLE_SOCKS - if (!did_http && c->options.ce.socks_proxy_server) + if (!did_http && c->options.ce.socks_proxy_server) { c->c1.socks_proxy = socks_proxy_new (c->options.ce.socks_proxy_server, c->options.ce.socks_proxy_port, - c->options.ce.socks_proxy_authfile, - c->options.ce.socks_proxy_retry); + c->options.ce.socks_proxy_authfile); if (c->c1.socks_proxy) { c->c1.socks_proxy_owned = true; } } -#endif } static void -init_proxy (struct context *c, const int scope) +init_proxy (struct context *c) { - if (scope == proxy_scope (c)) - init_proxy_dowork (c); + init_proxy_dowork (c); } static void uninit_proxy (struct context *c) { - if (c->sig->signal_received != SIGUSR1 || proxy_scope (c) == 2) - uninit_proxy_dowork (c); -} - -#else - -static inline void -init_proxy (struct context *c, const int scope) -{ -} - -static inline void -uninit_proxy (struct context *c) -{ + uninit_proxy_dowork (c); } -#endif - void context_init_1 (struct context *c) { @@ -544,8 +526,6 @@ context_init_1 (struct context *c) } #endif - /* initialize HTTP or SOCKS proxy object at scope level 1 */ - init_proxy (c, 1); } void @@ -598,7 +578,7 @@ init_static (void) error_reset (); /* initialize error.c */ reset_check_status (); /* initialize status check code in socket.c */ -#ifdef WIN32 +#ifdef _WIN32 init_win32 (); #endif @@ -659,8 +639,10 @@ init_static (void) #ifdef TEST_GET_DEFAULT_GATEWAY { struct route_gateway_info rgi; + struct route_ipv6_gateway_info rgi6; get_default_gateway(&rgi); - print_default_gateway(M_INFO, &rgi); + get_default_gateway_ipv6(&rgi6, NULL); + print_default_gateway(M_INFO, &rgi, &rgi6); return false; } #endif @@ -810,7 +792,7 @@ uninit_static (void) close_port_share (); #endif -#if defined(MEASURE_TLS_HANDSHAKE_STATS) && defined(ENABLE_CRYPTO) && defined(ENABLE_SSL) +#if defined(MEASURE_TLS_HANDSHAKE_STATS) && defined(ENABLE_CRYPTO) show_tls_performance_stats (); #endif } @@ -853,10 +835,7 @@ print_openssl_info (const struct options *options) */ #ifdef ENABLE_CRYPTO if (options->show_ciphers || options->show_digests || options->show_engines -#ifdef ENABLE_SSL - || options->show_tls_ciphers -#endif - ) + || options->show_tls_ciphers || options->show_curves) { if (options->show_ciphers) show_available_ciphers (); @@ -864,10 +843,10 @@ print_openssl_info (const struct options *options) show_available_digests (); if (options->show_engines) show_available_engines (); -#ifdef ENABLE_SSL if (options->show_tls_ciphers) show_available_tls_ciphers (options->cipher_list); -#endif + if (options->show_curves) + show_available_curves(); return true; } #endif @@ -916,10 +895,8 @@ do_persist_tuntap (const struct options *options) || options->ifconfig_remote_netmask #ifdef ENABLE_CRYPTO || options->shared_secret_file -#ifdef ENABLE_SSL || options->tls_server || options->tls_client #endif -#endif ) msg (M_FATAL|M_OPTERR, "options --mktun or --rmtun should only be used together with --dev"); @@ -1036,7 +1013,7 @@ const char * format_common_name (struct context *c, struct gc_arena *gc) { struct buffer out = alloc_buf_gc (256, gc); -#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL) +#ifdef ENABLE_CRYPTO if (c->c2.tls_multi) { buf_printf (&out, "[%s] ", tls_common_name (c->c2.tls_multi, false)); @@ -1048,7 +1025,7 @@ format_common_name (struct context *c, struct gc_arena *gc) void pre_setup (const struct options *options) { -#ifdef WIN32 +#ifdef _WIN32 if (options->exit_event_name) { win32_signal_open (&win32_signal, @@ -1080,6 +1057,19 @@ reset_coarse_timers (struct context *c) } /* + * Initialise the server poll timeout timer + * This timer is used in the http/socks proxy setup so it needs to be setup + * before + */ +static void +do_init_server_poll_timeout (struct context *c) +{ + update_time (); + if (c->options.ce.connect_timeout) + event_timeout_init (&c->c2.server_poll_interval, c->options.ce.connect_timeout, now); +} + +/* * Initialize timers */ static void @@ -1100,11 +1090,6 @@ do_init_timers (struct context *c, bool deferred) if (c->options.ping_rec_timeout) event_timeout_init (&c->c2.ping_rec_interval, c->options.ping_rec_timeout, now); -#if P2MP - if (c->options.server_poll_timeout) - event_timeout_init (&c->c2.server_poll_interval, c->options.server_poll_timeout, now); -#endif - if (!deferred) { /* initialize connection establishment timer */ @@ -1126,9 +1111,7 @@ do_init_timers (struct context *c, bool deferred) #ifdef ENABLE_CRYPTO if (c->options.packet_id_file) event_timeout_init (&c->c2.packet_id_persist_interval, 60, now); -#endif -#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL) /* initialize tmp_int optimization that limits the number of times we call tls_multi_process in the main event loop */ interval_init (&c->c2.tmp_int, TLS_MULTI_HORIZON, TLS_MULTI_REFRESH); @@ -1161,9 +1144,9 @@ static void do_alloc_route_list (struct context *c) { if (!c->c1.route_list) - c->c1.route_list = new_route_list (c->options.max_routes, &c->gc); + ALLOC_OBJ_CLEAR_GC (c->c1.route_list, struct route_list, &c->gc); if (c->options.routes_ipv6 && !c->c1.route_ipv6_list) - c->c1.route_ipv6_list = new_route_ipv6_list (c->options.max_routes, &c->gc); + ALLOC_OBJ_CLEAR_GC (c->c1.route_ipv6_list, struct route_ipv6_list, &c->gc); } @@ -1175,7 +1158,6 @@ static void do_init_route_list (const struct options *options, struct route_list *route_list, const struct link_socket_info *link_socket_info, - bool fatal, struct env_set *es) { const char *gw = NULL; @@ -1189,18 +1171,13 @@ do_init_route_list (const struct options *options, if (options->route_default_metric) metric = options->route_default_metric; - if (!init_route_list (route_list, + if (init_route_list (route_list, options->routes, gw, metric, link_socket_current_remote (link_socket_info), es)) { - if (fatal) - openvpn_exit (OPENVPN_EXIT_STATUS_ERROR); /* exit point */ - } - else - { /* copy routes to environment */ setenv_routes (es, route_list); } @@ -1209,11 +1186,10 @@ do_init_route_list (const struct options *options, static void do_init_route_ipv6_list (const struct options *options, struct route_ipv6_list *route_ipv6_list, - bool fatal, + const struct link_socket_info *link_socket_info, struct env_set *es) { const char *gw = NULL; - int dev = dev_type_enum (options->dev, options->dev_type); int metric = -1; /* no metric set */ gw = options->ifconfig_ipv6_remote; /* default GW = remote end */ @@ -1225,17 +1201,28 @@ do_init_route_ipv6_list (const struct options *options, if (options->route_default_metric) metric = options->route_default_metric; - if (!init_route_ipv6_list (route_ipv6_list, + /* redirect (IPv6) gateway to VPN? if yes, add a few more specifics + */ + if ( options->routes_ipv6->flags & RG_REROUTE_GW ) + { + char *opt_list[] = { "::/3", "2000::/4", "3000::/4", "fc00::/7", NULL }; + int i; + + for (i=0; opt_list[i]; i++) + { + add_route_ipv6_to_option_list( options->routes_ipv6, + string_alloc (opt_list[i], options->routes_ipv6->gc), + NULL, NULL ); + } + } + + if (init_route_ipv6_list (route_ipv6_list, options->routes_ipv6, gw, metric, + link_socket_current_remote_ipv6 (link_socket_info), es)) { - if (fatal) - openvpn_exit (OPENVPN_EXIT_STATUS_ERROR); /* exit point */ - } - else - { /* copy routes to environment */ setenv_routes_ipv6 (es, route_ipv6_list); } @@ -1250,13 +1237,16 @@ initialization_sequence_completed (struct context *c, const unsigned int flags) { static const char message[] = "Initialization Sequence Completed"; + /* Reset the unsuccessful connection counter on complete initialisation */ + c->options.unsuccessful_attempts=0; + /* If we delayed UID/GID downgrade or chroot, do it now */ do_uid_gid_chroot (c, true); /* Test if errors */ if (flags & ISC_ERRORS) { -#ifdef WIN32 +#ifdef _WIN32 show_routes (M_INFO|M_NOPREFIX); show_adapters (M_INFO|M_NOPREFIX); msg (M_INFO, "%s With Errors ( see http://openvpn.net/faq.html#dhcpclientserv )", message); @@ -1267,11 +1257,11 @@ initialization_sequence_completed (struct context *c, const unsigned int flags) else msg (M_INFO, "%s", message); - /* Flag connection_list that we initialized */ - if ((flags & (ISC_ERRORS|ISC_SERVER)) == 0 && connection_list_defined (&c->options)) - connection_list_set_no_advance (&c->options); + /* Flag that we initialized */ + if ((flags & (ISC_ERRORS|ISC_SERVER)) == 0) + c->options.no_advance=true; -#ifdef WIN32 +#ifdef _WIN32 fork_register_dns_action (c->c1.tuntap); #endif @@ -1279,26 +1269,52 @@ initialization_sequence_completed (struct context *c, const unsigned int flags) /* Tell management interface that we initialized */ if (management) { - in_addr_t tun_local = 0; - in_addr_t tun_remote = 0; /* FKS */ + in_addr_t *tun_local = NULL; + struct in6_addr *tun_local6 = NULL; + struct openvpn_sockaddr local, remote; + struct link_socket_actual *actual; + socklen_t sa_len = sizeof(local); const char *detail = "SUCCESS"; - if (c->c1.tuntap) - tun_local = c->c1.tuntap->local; - /* TODO(jjo): for ipv6 this will convert some 32bits in the ipv6 addr - * to a meaningless ipv4 address. - * In any case, is somewhat inconsistent to send local tunnel - * addr with remote _endpoint_ addr (?) - */ - tun_remote = htonl (c->c1.link_socket_addr.actual.dest.addr.in4.sin_addr.s_addr); if (flags & ISC_ERRORS) - detail = "ERROR"; + detail = "ERROR"; + + CLEAR (local); + actual = &get_link_socket_info(c)->lsa->actual; + remote = actual->dest; + getsockname(c->c2.link_socket->sd, &local.addr.sa, &sa_len); +#if ENABLE_IP_PKTINFO + if (!addr_defined(&local)) + { + switch (local.addr.sa.sa_family) + { + case AF_INET: +#if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST) + local.addr.in4.sin_addr = actual->pi.in4.ipi_spec_dst; +#else + local.addr.in4.sin_addr = actual->pi.in4; +#endif + break; + case AF_INET6: + local.addr.in6.sin6_addr = actual->pi.in6.ipi6_addr; + break; + } + } +#endif + + if (c->c1.tuntap) + { + tun_local = &c->c1.tuntap->local; + tun_local6 = &c->c1.tuntap->local_ipv6; + } management_set_state (management, OPENVPN_STATE_CONNECTED, detail, tun_local, - tun_remote); + tun_local6, + &local, + &remote); if (tun_local) - management_post_tunnel_open (management, tun_local); + management_post_tunnel_open (management, *tun_local); } #endif } @@ -1335,12 +1351,12 @@ do_route (const struct options *options, { struct argv argv = argv_new (); setenv_str (es, "script_type", "route-up"); - argv_printf (&argv, "%sc", options->route_script); + argv_parse_cmd (&argv, options->route_script); openvpn_run_script (&argv, es, 0, "--route-up"); argv_reset (&argv); } -#ifdef WIN32 +#ifdef _WIN32 if (options->show_net_up) { show_routes (M_INFO|M_NOPREFIX); @@ -1355,21 +1371,6 @@ do_route (const struct options *options, } /* - * Save current pulled options string in the c1 context store, so we can - * compare against it after possible future restarts. - */ -#if P2MP -static void -save_pulled_options_digest (struct context *c, const struct md5_digest *newdigest) -{ - if (newdigest) - c->c1.pulled_options_digest_save = *newdigest; - else - md5_digest_clear (&c->c1.pulled_options_digest_save); -} -#endif - -/* * initialize tun/tap device object */ static void @@ -1383,14 +1384,11 @@ do_init_tun (struct context *c) c->options.ifconfig_ipv6_local, c->options.ifconfig_ipv6_netbits, c->options.ifconfig_ipv6_remote, - addr_host (&c->c1.link_socket_addr.local), - addr_host (&c->c1.link_socket_addr.remote), + c->c1.link_socket_addr.bind_local, + c->c1.link_socket_addr.remote_list, !c->options.ifconfig_nowarn, c->c2.es); - /* flag tunnel for IPv6 config if --tun-ipv6 is set */ - c->c1.tuntap->ipv6 = c->options.tun_ipv6; - init_tun_post (c->c1.tuntap, &c->c2.frame, &c->options.tuntap_options); @@ -1408,22 +1406,39 @@ do_open_tun (struct context *c) struct gc_arena gc = gc_new (); bool ret = false; - c->c2.ipv4_tun = (!c->options.tun_ipv6 - && is_dev_type (c->options.dev, c->options.dev_type, "tun")); - +#ifndef TARGET_ANDROID if (!c->c1.tuntap) { +#endif + +#ifdef TARGET_ANDROID + /* If we emulate persist-tun on android we still have to open a new tun and + * then close the old */ + int oldtunfd=-1; + if (c->c1.tuntap) + oldtunfd = c->c1.tuntap->fd; +#endif + /* initialize (but do not open) tun/tap object */ do_init_tun (c); +#ifdef _WIN32 + /* store (hide) interactive service handle in tuntap_options */ + c->c1.tuntap->options.msg_channel = c->options.msg_channel; + msg (D_ROUTE, "interactive service msg_channel=%u", (unsigned int) c->options.msg_channel); +#endif + /* allocate route list structure */ do_alloc_route_list (c); /* parse and resolve the route option list */ - if (c->options.routes && c->c1.route_list && c->c2.link_socket) - do_init_route_list (&c->options, c->c1.route_list, &c->c2.link_socket->info, false, c->c2.es); - if (c->options.routes_ipv6 && c->c1.route_ipv6_list ) - do_init_route_ipv6_list (&c->options, c->c1.route_ipv6_list, false, c->c2.es); + ASSERT(c->c2.link_socket); + if (c->options.routes && c->c1.route_list) + do_init_route_list (&c->options, c->c1.route_list, + &c->c2.link_socket->info, c->c2.es); + if (c->options.routes_ipv6 && c->c1.route_ipv6_list) + do_init_route_ipv6_list (&c->options, c->c1.route_ipv6_list, + &c->c2.link_socket->info, c->c2.es); /* do ifconfig */ if (!c->options.ifconfig_noexec @@ -1438,6 +1453,16 @@ do_open_tun (struct context *c) do_ifconfig (c->c1.tuntap, guess, TUN_MTU_SIZE (&c->c2.frame), c->c2.es); } + /* possibly add routes */ + if (route_order() == ROUTE_BEFORE_TUN) { + /* Ignore route_delay, would cause ROUTE_BEFORE_TUN to be ignored */ + do_route (&c->options, c->c1.route_list, c->c1.route_ipv6_list, + c->c1.tuntap, c->plugins, c->c2.es); + } +#ifdef TARGET_ANDROID + /* Store the old fd inside the fd so open_tun can use it */ + c->c1.tuntap->fd = oldtunfd; +#endif /* open the tun device */ open_tun (c->options.dev, c->options.dev_type, c->options.dev_node, c->c1.tuntap); @@ -1458,7 +1483,7 @@ do_open_tun (struct context *c) c->plugins, OPENVPN_PLUGIN_UP, c->c1.tuntap->actual_name, -#ifdef WIN32 +#ifdef _WIN32 c->c1.tuntap->adapter_index, #endif dev_type_string (c->options.dev, c->options.dev_type), @@ -1471,17 +1496,17 @@ do_open_tun (struct context *c) "up", c->c2.es); -#ifdef WIN32 +#if defined(_WIN32) if (c->options.block_outside_dns) { dmsg (D_LOW, "Blocking outside DNS"); - if (!win_wfp_block_dns(c->c1.tuntap->adapter_index)) + if (!win_wfp_block_dns(c->c1.tuntap->adapter_index, c->options.msg_channel)) msg (M_FATAL, "Blocking DNS failed!"); } #endif /* possibly add routes */ - if (!c->options.route_delay_defined) + if ((route_order() == ROUTE_AFTER_TUN) && (!c->options.route_delay_defined)) do_route (&c->options, c->c1.route_list, c->c1.route_ipv6_list, c->c1.tuntap, c->plugins, c->c2.es); @@ -1495,6 +1520,7 @@ do_open_tun (struct context *c) ret = true; static_context = c; +#ifndef TARGET_ANDROID } else { @@ -1510,7 +1536,7 @@ do_open_tun (struct context *c) c->plugins, OPENVPN_PLUGIN_UP, c->c1.tuntap->actual_name, -#ifdef WIN32 +#ifdef _WIN32 c->c1.tuntap->adapter_index, #endif dev_type_string (c->options.dev, c->options.dev_type), @@ -1522,7 +1548,17 @@ do_open_tun (struct context *c) NULL, "up", c->c2.es); +#if defined(_WIN32) + if (c->options.block_outside_dns) + { + dmsg (D_LOW, "Blocking outside DNS"); + if (!win_wfp_block_dns(c->c1.tuntap->adapter_index, c->options.msg_channel)) + msg (M_FATAL, "Blocking DNS failed!"); + } +#endif + } +#endif gc_free (&gc); return ret; } @@ -1539,7 +1575,7 @@ do_close_tun_simple (struct context *c) c->c1.tuntap = NULL; c->c1.tuntap_owned = false; #if P2MP - save_pulled_options_digest (c, NULL); /* delete C1-saved pulled_options_digest */ + CLEAR (c->c1.pulled_options_digest_save); #endif } @@ -1550,7 +1586,7 @@ do_close_tun (struct context *c, bool force) if (c->c1.tuntap && c->c1.tuntap_owned) { const char *tuntap_actual = string_alloc (c->c1.tuntap->actual_name, &gc); -#ifdef WIN32 +#ifdef _WIN32 DWORD adapter_index = c->c1.tuntap->adapter_index; #endif const in_addr_t local = c->c1.tuntap->local; @@ -1571,12 +1607,12 @@ do_close_tun (struct context *c, bool force) /* delete any routes we added */ if (c->c1.route_list || c->c1.route_ipv6_list ) - { + { run_up_down (c->options.route_predown_script, c->plugins, OPENVPN_PLUGIN_ROUTE_PREDOWN, tuntap_actual, -#ifdef WIN32 +#ifdef _WIN32 adapter_index, #endif NULL, @@ -1604,7 +1640,7 @@ do_close_tun (struct context *c, bool force) c->plugins, OPENVPN_PLUGIN_DOWN, tuntap_actual, -#ifdef WIN32 +#ifdef _WIN32 adapter_index, #endif NULL, @@ -1618,10 +1654,10 @@ do_close_tun (struct context *c, bool force) "down", c->c2.es); -#ifdef WIN32 +#if defined(_WIN32) if (c->options.block_outside_dns) { - if (!win_wfp_uninit()) + if (!win_wfp_uninit(c->options.msg_channel)) msg (M_FATAL, "Uninitialising WFP failed!"); } #endif @@ -1638,7 +1674,7 @@ do_close_tun (struct context *c, bool force) c->plugins, OPENVPN_PLUGIN_DOWN, tuntap_actual, -#ifdef WIN32 +#ifdef _WIN32 adapter_index, #endif NULL, @@ -1651,6 +1687,15 @@ do_close_tun (struct context *c, bool force) c->sig->signal_text), "down", c->c2.es); + +#if defined(_WIN32) + if (c->options.block_outside_dns) + { + if (!win_wfp_uninit(c->options.msg_channel)) + msg (M_FATAL, "Uninitialising WFP failed!"); + } +#endif + } } gc_free (&gc); @@ -1671,7 +1716,22 @@ tun_abort() * Handle delayed tun/tap interface bringup due to --up-delay or --pull */ -void +#if P2MP +/** + * Helper for do_up(). Take two option hashes and return true if they are not + * equal, or either one is all-zeroes. + */ +static bool +options_hash_changed_or_zero(const struct md5_digest *a, + const struct md5_digest *b) +{ + const struct md5_digest zero = {{0}}; + return memcmp (a, b, sizeof(struct md5_digest)) || + !memcmp (a, &zero, sizeof(struct md5_digest)); +} +#endif /* P2MP */ + +bool do_up (struct context *c, bool pulled_options, unsigned int option_types_found) { if (!c->c2.do_up_ran) @@ -1679,7 +1739,13 @@ do_up (struct context *c, bool pulled_options, unsigned int option_types_found) reset_coarse_timers (c); if (pulled_options && option_types_found) - do_deferred_options (c, option_types_found); + { + if (!do_deferred_options (c, option_types_found)) + { + msg (D_PUSH_ERRORS, "ERROR: Failed to apply push options"); + return false; + } + } /* if --up-delay specified, open tun, do ifconfig, and run up script now */ if (c->options.up_delay || PULL_DEFINED (&c->options)) @@ -1695,8 +1761,8 @@ do_up (struct context *c, bool pulled_options, unsigned int option_types_found) if (!c->c2.did_open_tun && PULL_DEFINED (&c->options) && c->c1.tuntap - && (!md5_digest_defined (&c->c1.pulled_options_digest_save) || !md5_digest_defined (&c->c2.pulled_options_digest) - || !md5_digest_equal (&c->c1.pulled_options_digest_save, &c->c2.pulled_options_digest))) + && options_hash_changed_or_zero (&c->c1.pulled_options_digest_save, + &c->c2.pulled_options_digest)) { /* if so, close tun, delete routes, then reinitialize tun and add routes */ msg (M_INFO, "NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device."); @@ -1711,11 +1777,11 @@ do_up (struct context *c, bool pulled_options, unsigned int option_types_found) if (c->c2.did_open_tun) { #if P2MP - save_pulled_options_digest (c, &c->c2.pulled_options_digest); + c->c1.pulled_options_digest_save = c->c2.pulled_options_digest; #endif /* if --route-delay was specified, start timer */ - if (c->options.route_delay_defined) + if ((route_order() == ROUTE_AFTER_TUN) && c->options.route_delay_defined) { event_timeout_init (&c->c2.route_wakeup, c->options.route_delay, now); event_timeout_init (&c->c2.route_wakeup_expire, c->options.route_delay + c->options.route_delay_window, now); @@ -1734,6 +1800,7 @@ do_up (struct context *c, bool pulled_options, unsigned int option_types_found) c->c2.do_up_ran = true; } + return true; } /* @@ -1761,13 +1828,18 @@ pull_permission_mask (const struct context *c) if (!c->options.route_nopull) flags |= (OPT_P_ROUTE | OPT_P_IPWIN32); +#ifdef ENABLE_CRYPTO + if (c->options.ncp_enabled) + flags |= OPT_P_NCP; +#endif + return flags; } /* * Handle non-tun-related pulled options. */ -void +bool do_deferred_options (struct context *c, const unsigned int found) { if (found & OPT_P_MESSAGES) @@ -1794,14 +1866,12 @@ do_deferred_options (struct context *c, const unsigned int found) } #endif -#ifdef ENABLE_LZO +#ifdef USE_COMP if (found & OPT_P_COMP) { - if (lzo_defined (&c->c2.lzo_compwork)) - { - msg (D_PUSH, "OPTIONS IMPORT: LZO parms modified"); - lzo_modify_flags (&c->c2.lzo_compwork, c->options.lzo); - } + msg (D_PUSH, "OPTIONS IMPORT: compression parms modified"); + comp_uninit (c->c2.comp_context); + c->c2.comp_context = comp_init (&c->options.comp); } #endif @@ -1836,7 +1906,7 @@ do_deferred_options (struct context *c, const unsigned int found) if (found & OPT_P_SETENV) msg (D_PUSH, "OPTIONS IMPORT: environment modified"); -#ifdef ENABLE_SSL +#ifdef ENABLE_CRYPTO if (found & OPT_P_PEER_ID) { msg (D_PUSH, "OPTIONS IMPORT: peer-id set"); @@ -1856,20 +1926,37 @@ do_deferred_options (struct context *c, const unsigned int found) " MTU problems", TUN_MTU_SIZE(&c->c2.frame) ); } } + + /* process (potentially pushed) crypto options */ + if (c->options.pull) + { + struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE]; + if (found & OPT_P_NCP) + msg (D_PUSH, "OPTIONS IMPORT: data channel crypto options modified"); + /* Do not regenerate keys if server sends an extra push request */ + if (!session->key[KS_PRIMARY].crypto_options.key_ctx_bi.initialized && + !tls_session_update_crypto_params(session, &c->options, &c->c2.frame)) + { + msg (D_TLS_ERRORS, "OPTIONS ERROR: failed to import crypto options"); + return false; + } + } #endif + return true; } /* - * Possible hold on initialization + * Possible hold on initialization, holdtime is the + * time OpenVPN would wait without management */ static bool -do_hold (void) +do_hold (int holdtime) { #ifdef ENABLE_MANAGEMENT if (management) { /* block until management hold is released */ - if (management_hold (management)) + if (management_hold (management, holdtime)) return true; } #endif @@ -1882,31 +1969,16 @@ do_hold (void) static void socket_restart_pause (struct context *c) { - bool proxy = false; int sec = 2; - -#ifdef ENABLE_HTTP_PROXY - if (c->options.ce.http_proxy_options) - proxy = true; -#endif -#ifdef ENABLE_SOCKS - if (c->options.ce.socks_proxy_server) - proxy = true; -#endif + int backoff = 0; switch (c->options.ce.proto) { - case PROTO_UDPv4: - case PROTO_UDPv6: - if (proxy) - sec = c->options.ce.connect_retry_seconds; - break; - case PROTO_TCPv4_SERVER: - case PROTO_TCPv6_SERVER: + case PROTO_TCP_SERVER: sec = 1; break; - case PROTO_TCPv4_CLIENT: - case PROTO_TCPv6_CLIENT: + case PROTO_UDP: + case PROTO_TCP_CLIENT: sec = c->options.ce.connect_retry_seconds; break; } @@ -1919,13 +1991,22 @@ socket_restart_pause (struct context *c) #if P2MP if (auth_retry_get () == AR_NOINTERACT) sec = 10; - -#if 0 /* not really needed because of c->persist.restart_sleep_seconds */ - if (c->options.server_poll_timeout && sec > 1) - sec = 1; -#endif #endif + /* Slow down reconnection after 5 retries per remote -- for tcp only in client mode */ + if (c->options.ce.proto != PROTO_TCP_SERVER) + { + backoff = (c->options.unsuccessful_attempts / c->options.connection_list->len) - 4; + if (backoff > 0) + { + /* sec is less than 2^16; we can left shift it by up to 15 bits without overflow */ + sec = max_int (sec, 1) << min_int (backoff, 15); + } + + if (sec > c->options.ce.connect_retry_seconds_max) + sec = c->options.ce.connect_retry_seconds_max; + } + if (c->persist.restart_sleep_seconds > 0 && c->persist.restart_sleep_seconds > sec) sec = c->persist.restart_sleep_seconds; else if (c->persist.restart_sleep_seconds == -1) @@ -1933,8 +2014,10 @@ socket_restart_pause (struct context *c) c->persist.restart_sleep_seconds = 0; /* do managment hold on context restart, i.e. second, third, fourth, etc. initialization */ - if (do_hold ()) + if (do_hold (sec)) + { sec = 0; + } if (sec) { @@ -1952,7 +2035,7 @@ do_startup_pause (struct context *c) if (!c->first_time) socket_restart_pause (c); else - do_hold (); /* do management hold on first context initialization */ + do_hold (0); /* do management hold on first context initialization */ } /* @@ -1977,6 +2060,7 @@ frame_finalize_options (struct context *c, const struct options *o) |FRAME_HEADROOM_MARKER_READ_STREAM); } + frame_add_to_extra_buffer (&c->c2.frame, PAYLOAD_ALIGN); frame_finalize (&c->c2.frame, o->ce.link_mtu_defined, o->ce.link_mtu, @@ -1992,13 +2076,11 @@ key_schedule_free (struct key_schedule *ks, bool free_ssl_ctx) { #ifdef ENABLE_CRYPTO free_key_ctx_bi (&ks->static_key); -#ifdef ENABLE_SSL if (tls_ctx_initialised(&ks->ssl_ctx) && free_ssl_ctx) { tls_ctx_free (&ks->ssl_ctx); - free_key_ctx_bi (&ks->tls_auth_key); + free_key_ctx_bi (&ks->tls_wrap_key); } -#endif /* ENABLE_SSL */ #endif /* ENABLE_CRYPTO */ CLEAR (*ks); } @@ -2018,14 +2100,6 @@ init_crypto_pre (struct context *c, const unsigned int flags) packet_id_persist_load (&c->c1.pid_persist, c->options.packet_id_file); } - /* Initialize crypto options */ - - if (c->options.use_iv) - c->c2.crypto_options.flags |= CO_USE_IV; - - if (c->options.mute_replay_warnings) - c->c2.crypto_options.flags |= CO_MUTE_REPLAY_WARNINGS; - #ifdef ENABLE_PREDICTION_RESISTANCE if (c->options.use_prediction_resistance) rand_ctx_enable_prediction_resistance(); @@ -2044,60 +2118,38 @@ do_init_crypto_static (struct context *c, const unsigned int flags) init_crypto_pre (c, flags); + /* Initialize flags */ + if (c->options.use_iv) + c->c2.crypto_options.flags |= CO_USE_IV; + + if (c->options.mute_replay_warnings) + c->c2.crypto_options.flags |= CO_MUTE_REPLAY_WARNINGS; + /* Initialize packet ID tracking */ if (options->replay) { - packet_id_init (&c->c2.packet_id, - link_socket_proto_connection_oriented (options->ce.proto), + packet_id_init (&c->c2.crypto_options.packet_id, options->replay_window, options->replay_time, "STATIC", 0); - c->c2.crypto_options.packet_id = &c->c2.packet_id; c->c2.crypto_options.pid_persist = &c->c1.pid_persist; c->c2.crypto_options.flags |= CO_PACKET_ID_LONG_FORM; packet_id_persist_load_obj (&c->c1.pid_persist, - c->c2.crypto_options.packet_id); + &c->c2.crypto_options.packet_id); } if (!key_ctx_bi_defined (&c->c1.ks.static_key)) { - struct key2 key2; - struct key_direction_state kds; - /* Get cipher & hash algorithms */ - init_key_type (&c->c1.ks.key_type, options->ciphername, - options->ciphername_defined, options->authname, - options->authname_defined, options->keysize, - options->test_crypto, true); + init_key_type (&c->c1.ks.key_type, options->ciphername, options->authname, + options->keysize, options->test_crypto, true); /* Read cipher and hmac keys from shared secret file */ - { - unsigned int rkf_flags = RKF_MUST_SUCCEED; - const char *rkf_file = options->shared_secret_file; - - if (options->shared_secret_file_inline) - { - rkf_file = options->shared_secret_file_inline; - rkf_flags |= RKF_INLINE; - } - read_key_file (&key2, rkf_file, rkf_flags); - } - - /* Check for and fix highly unlikely key problems */ - verify_fix_key2 (&key2, &c->c1.ks.key_type, - options->shared_secret_file); - - /* Initialize OpenSSL key objects */ - key_direction_state_init (&kds, options->key_direction); - must_have_n_keys (options->shared_secret_file, "secret", &key2, - kds.need_keys); - init_key_ctx (&c->c1.ks.static_key.encrypt, &key2.keys[kds.out_key], - &c->c1.ks.key_type, OPENVPN_OP_ENCRYPT, "Static Encrypt"); - init_key_ctx (&c->c1.ks.static_key.decrypt, &key2.keys[kds.in_key], - &c->c1.ks.key_type, OPENVPN_OP_DECRYPT, "Static Decrypt"); - - /* Erase the temporary copy of key */ - CLEAR (key2); + crypto_read_openvpn_key (&c->c1.ks.key_type, &c->c1.ks.static_key, + options->shared_secret_file, + options->shared_secret_file_inline, + options->key_direction, "Static Key Encryption", + "secret"); } else { @@ -2105,12 +2157,11 @@ do_init_crypto_static (struct context *c, const unsigned int flags) } /* Get key schedule */ - c->c2.crypto_options.key_ctx_bi = &c->c1.ks.static_key; + c->c2.crypto_options.key_ctx_bi = c->c1.ks.static_key; /* Compute MTU parameters */ crypto_adjust_frame_parameters (&c->c2.frame, &c->c1.ks.key_type, - options->ciphername_defined, options->use_iv, options->replay, true); /* Sanity check on IV, sequence number, and cipher mode options */ @@ -2118,8 +2169,6 @@ do_init_crypto_static (struct context *c, const unsigned int flags) options->use_iv); } -#ifdef ENABLE_SSL - /* * Initialize the persistent component of OpenVPN's TLS mode, * which is preserved across SIGUSR1 resets. @@ -2160,9 +2209,8 @@ do_init_crypto_tls_c1 (struct context *c) } /* Get cipher & hash algorithms */ - init_key_type (&c->c1.ks.key_type, options->ciphername, - options->ciphername_defined, options->authname, - options->authname_defined, options->keysize, true, true); + init_key_type (&c->c1.ks.key_type, options->ciphername, options->authname, + options->keysize, true, true); /* Initialize PRNG with config-specified digest */ prng_init (options->prng_hash, options->prng_nonce_secret_len); @@ -2170,21 +2218,36 @@ do_init_crypto_tls_c1 (struct context *c) /* TLS handshake authentication (--tls-auth) */ if (options->tls_auth_file) { - unsigned int flags = 0; - const char *file = options->tls_auth_file; - - if (options->tls_auth_file_inline) + /* Initialize key_type for tls-auth with auth only */ + CLEAR (c->c1.ks.tls_auth_key_type); + if (!streq (options->authname, "none")) { - flags |= GHK_INLINE; - file = options->tls_auth_file_inline; + c->c1.ks.tls_auth_key_type.digest = md_kt_get (options->authname); + c->c1.ks.tls_auth_key_type.hmac_length = + md_kt_size (c->c1.ks.tls_auth_key_type.digest); } - get_tls_handshake_key (&c->c1.ks.key_type, - &c->c1.ks.tls_auth_key, - file, - options->key_direction, - flags); + else + { + msg (M_FATAL, "ERROR: tls-auth enabled, but no valid --auth " + "algorithm specified ('%s')", options->authname); + } + + crypto_read_openvpn_key (&c->c1.ks.tls_auth_key_type, + &c->c1.ks.tls_wrap_key, options->tls_auth_file, + options->tls_auth_file_inline, options->key_direction, + "Control Channel Authentication", "tls-auth"); } + /* TLS handshake encryption+authentication (--tls-crypt) */ + if (options->tls_crypt_file) { + tls_crypt_init_key (&c->c1.ks.tls_wrap_key, options->tls_crypt_file, + options->tls_crypt_inline, options->tls_server); + } + + c->c1.ciphername = options->ciphername; + c->c1.authname = options->authname; + c->c1.keysize = options->keysize; + #if 0 /* was: #if ENABLE_INLINE_FILES -- Note that enabling this code will break restarts */ if (options->priv_key_file_inline) { @@ -2196,6 +2259,11 @@ do_init_crypto_tls_c1 (struct context *c) else { msg (D_INIT_MEDIUM, "Re-using SSL/TLS context"); + + /* Restore pre-NCP cipher options */ + c->options.ciphername = c->c1.ciphername; + c->options.authname = c->c1.authname; + c->options.keysize = c->c1.keysize; } } @@ -2226,17 +2294,28 @@ do_init_crypto_tls (struct context *c, const unsigned int flags) /* In short form, unique datagram identifier is 32 bits, in long form 64 bits */ packet_id_long_form = cipher_kt_mode_ofb_cfb (c->c1.ks.key_type.cipher); - /* Compute MTU parameters */ - crypto_adjust_frame_parameters (&c->c2.frame, - &c->c1.ks.key_type, - options->ciphername_defined, - options->use_iv, - options->replay, packet_id_long_form); + /* Compute MTU parameters (postpone if we push/pull options) */ + if (c->options.pull || c->options.mode == MODE_SERVER) + { + /* Account for worst-case crypto overhead before allocating buffers */ + frame_add_to_extra_frame (&c->c2.frame, crypto_max_overhead()); + } + else + { + crypto_adjust_frame_parameters(&c->c2.frame, &c->c1.ks.key_type, + options->use_iv, options->replay, packet_id_long_form); + } tls_adjust_frame_parameters (&c->c2.frame); /* Set all command-line TLS-related options */ CLEAR (to); + if (options->use_iv) + to.crypto_flags |= CO_USE_IV; + + if (options->mute_replay_warnings) + to.crypto_flags |= CO_MUTE_REPLAY_WARNINGS; + to.crypto_flags_and = ~(CO_PACKET_ID_LONG_FORM); if (packet_id_long_form) to.crypto_flags_or = CO_PACKET_ID_LONG_FORM; @@ -2249,6 +2328,9 @@ do_init_crypto_tls (struct context *c, const unsigned int flags) to.replay_window = options->replay_window; to.replay_time = options->replay_time; to.tcp_mode = link_socket_proto_connection_oriented (options->ce.proto); + to.config_ciphername = c->c1.ciphername; + to.config_authname = c->c1.authname; + to.ncp_enabled = options->ncp_enabled; to.transition_window = options->transition_window; to.handshake_window = options->handshake_window; to.packet_timeout = options->tls_timeout; @@ -2256,6 +2338,8 @@ do_init_crypto_tls (struct context *c, const unsigned int flags) to.renegotiate_packets = options->renegotiate_packets; to.renegotiate_seconds = options->renegotiate_seconds; to.single_session = options->single_session; + to.mode = options->mode; + to.pull = options->pull; #ifdef ENABLE_PUSH_PEER_INFO if (options->push_peer_info) /* all there is */ to.push_peer_info_detail = 2; @@ -2267,7 +2351,7 @@ do_init_crypto_tls (struct context *c, const unsigned int flags) /* should we not xmit any packets until we get an initial response from client? */ - if (to.server && options->ce.proto == PROTO_TCPv4_SERVER) + if (to.server && options->ce.proto == PROTO_TCP_SERVER) to.xmit_hold = true; #ifdef ENABLE_OCC @@ -2279,6 +2363,7 @@ do_init_crypto_tls (struct context *c, const unsigned int flags) to.verify_x509_type = (options->verify_x509_type & 0xff); to.verify_x509_name = options->verify_x509_name; to.crl_file = options->crl_file; + to.crl_file_inline = options->crl_file_inline; to.ssl_flags = options->ssl_flags; to.ns_cert_type = options->ns_cert_type; memmove (to.remote_cert_ku, options->remote_cert_ku, sizeof (to.remote_cert_ku)); @@ -2308,11 +2393,11 @@ do_init_crypto_tls (struct context *c, const unsigned int flags) if (options->ccd_exclusive) to.client_config_dir_exclusive = options->client_config_dir; to.auth_user_pass_file = options->auth_user_pass_file; + to.auth_token_generate = options->auth_token_generate; + to.auth_token_lifetime = options->auth_token_lifetime; #endif -#ifdef ENABLE_X509_TRACK to.x509_track = options->x509_track; -#endif #if P2MP #ifdef ENABLE_CLIENT_CR @@ -2320,15 +2405,46 @@ do_init_crypto_tls (struct context *c, const unsigned int flags) #endif #endif +#ifdef USE_COMP + to.comp_options = options->comp; +#endif + +#if defined(ENABLE_CRYPTO_OPENSSL) && OPENSSL_VERSION_NUMBER >= 0x10001000 + if (options->keying_material_exporter_label) + { + to.ekm_size = options->keying_material_exporter_length; + if (to.ekm_size < 16 || to.ekm_size > 4095) + to.ekm_size = 0; + + to.ekm_label = options->keying_material_exporter_label; + to.ekm_label_size = strlen(to.ekm_label); + } + else + { + to.ekm_size = 0; + } +#endif + /* TLS handshake authentication (--tls-auth) */ if (options->tls_auth_file) { - to.tls_auth_key = c->c1.ks.tls_auth_key; - to.tls_auth.pid_persist = &c->c1.pid_persist; - to.tls_auth.flags |= CO_PACKET_ID_LONG_FORM; + to.tls_wrap.mode = TLS_WRAP_AUTH; + to.tls_wrap.opt.key_ctx_bi = c->c1.ks.tls_wrap_key; + to.tls_wrap.opt.pid_persist = &c->c1.pid_persist; + to.tls_wrap.opt.flags |= CO_PACKET_ID_LONG_FORM; crypto_adjust_frame_parameters (&to.frame, - &c->c1.ks.key_type, - false, false, true, true); + &c->c1.ks.tls_auth_key_type, + false, true, true); + } + + /* TLS handshake encryption (--tls-crypt) */ + if (options->tls_crypt_file) + { + to.tls_wrap.mode = TLS_WRAP_CRYPT; + to.tls_wrap.opt.key_ctx_bi = c->c1.ks.tls_wrap_key; + to.tls_wrap.opt.pid_persist = &c->c1.pid_persist; + to.tls_wrap.opt.flags |= CO_PACKET_ID_LONG_FORM; + tls_crypt_adjust_frame_parameters (&to.frame); } /* If we are running over TCP, allow for @@ -2364,10 +2480,6 @@ do_init_finalize_tls_frame (struct context *c) } } -#endif /* ENABLE_SSL */ -#endif /* ENABLE_CRYPTO */ - -#ifdef ENABLE_CRYPTO /* * No encryption or authentication. */ @@ -2386,54 +2498,70 @@ do_init_crypto (struct context *c, const unsigned int flags) #ifdef ENABLE_CRYPTO if (c->options.shared_secret_file) do_init_crypto_static (c, flags); -#ifdef ENABLE_SSL else if (c->options.tls_server || c->options.tls_client) do_init_crypto_tls (c, flags); -#endif else /* no encryption or authentication. */ do_init_crypto_none (c); #else /* ENABLE_CRYPTO */ msg (M_WARN, "******* WARNING *******: " PACKAGE_NAME - " built without OpenSSL -- encryption and authentication features disabled -- all data will be tunnelled as cleartext"); + " built without crypto library -- encryption and authentication features disabled -- all data will be tunnelled as cleartext"); #endif /* ENABLE_CRYPTO */ } static void do_init_frame (struct context *c) { -#ifdef ENABLE_LZO +#ifdef USE_COMP /* - * Initialize LZO compression library. + * modify frame parameters if compression is enabled */ - if (c->options.lzo & LZO_SELECTED) + if (comp_enabled(&c->options.comp)) { - lzo_adjust_frame_parameters (&c->c2.frame); + comp_add_to_extra_frame (&c->c2.frame); +#if !defined(ENABLE_LZ4) /* - * LZO usage affects buffer alignment. + * Compression usage affects buffer alignment when non-swapped algs + * such as LZO is used. + * Newer algs like LZ4 and comp-stub with COMP_F_SWAP don't need + * any special alignment because of the control-byte swap approach. + * LZO alignment (on the other hand) is problematic because + * the presence of the control byte means that either the output of + * decryption must be written to an unaligned buffer, or the input + * to compression (or packet dispatch if packet is uncompressed) + * must be read from an unaligned buffer. + * This code tries to align the input to compression (or packet + * dispatch if packet is uncompressed) at the cost of requiring + * decryption output to be written to an unaligned buffer, so + * it's more of a tradeoff than an optimal solution and we don't + * include it when we are doing a modern build with LZ4. + * Strictly speaking, on the server it would be better to execute + * this code for every connection after we decide the compression + * method, but currently the frame code doesn't appear to be + * flexible enough for this, since the frame is already established + * before it is known which compression options will be pushed. */ - if (CIPHER_ENABLED (c)) + if (comp_unswapped_prefix (&c->options.comp) && CIPHER_ENABLED (c)) { - frame_add_to_align_adjust (&c->c2.frame, LZO_PREFIX_LEN); + frame_add_to_align_adjust (&c->c2.frame, COMP_PREFIX_LEN); frame_or_align_flags (&c->c2.frame, FRAME_HEADROOM_MARKER_FRAGMENT |FRAME_HEADROOM_MARKER_DECRYPT); } +#endif #ifdef ENABLE_FRAGMENT - lzo_adjust_frame_parameters (&c->c2.frame_fragment_omit); /* omit LZO frame delta from final frame_fragment */ + comp_add_to_extra_frame (&c->c2.frame_fragment_omit); /* omit compression frame delta from final frame_fragment */ #endif } -#endif /* ENABLE_LZO */ +#endif /* USE_COMP */ -#ifdef ENABLE_SOCKS /* * Adjust frame size for UDP Socks support. */ if (c->options.ce.socks_proxy_server) socks_adjust_frame_parameters (&c->c2.frame, c->options.ce.proto); -#endif /* * Adjust frame size based on the --tun-mtu-extra parameter. @@ -2454,16 +2582,27 @@ do_init_frame (struct context *c) */ frame_finalize_options (c, NULL); +#ifdef USE_COMP + /* + * Modify frame parameters if compression is compiled in. + * Should be called after frame_finalize_options. + */ + comp_add_to_extra_buffer (&c->c2.frame); +#ifdef ENABLE_FRAGMENT + comp_add_to_extra_buffer (&c->c2.frame_fragment_omit); /* omit compression frame delta from final frame_fragment */ +#endif +#endif /* USE_COMP */ + /* packets with peer-id (P_DATA_V2) need 3 extra bytes in frame (on client) * and need link_mtu+3 bytes on socket reception (on server). * - * accomodate receive path in f->extra_link - * send path in f->extra_buffer (+leave room for alignment) + * accomodate receive path in f->extra_link, which has the side effect of + * also increasing send buffers (BUF_SIZE() macro), which need to be + * allocated big enough before receiving peer-id option from server. * * f->extra_frame is adjusted when peer-id option is push-received */ frame_add_to_extra_link(&c->c2.frame, 3); - frame_add_to_extra_buffer(&c->c2.frame, 8); #ifdef ENABLE_FRAGMENT /* @@ -2546,7 +2685,6 @@ do_option_warnings (struct context *c) if (!o->use_iv) msg (M_WARN, "WARNING: You have disabled Crypto IVs (--no-iv) which may make " PACKAGE_NAME " less secure"); -#ifdef ENABLE_SSL if (o->tls_server) warn_on_use_of_common_subnets (); if (o->tls_client @@ -2556,12 +2694,6 @@ do_option_warnings (struct context *c) && !o->remote_cert_eku) msg (M_WARN, "WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info."); #endif -#endif - -#ifndef CONNECT_NONBLOCK - if (o->ce.connect_timeout_defined) - msg (M_WARN, "NOTE: --connect-timeout option is not supported on this OS"); -#endif /* If a script is used, print appropiate warnings */ if (o->user_script_used) @@ -2578,7 +2710,7 @@ do_option_warnings (struct context *c) static void do_init_frame_tls (struct context *c) { -#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL) +#ifdef ENABLE_CRYPTO do_init_finalize_tls_frame (c); #endif } @@ -2600,9 +2732,9 @@ init_context_buffers (const struct frame *frame) b->decrypt_buf = alloc_buf (BUF_SIZE (frame)); #endif -#ifdef ENABLE_LZO - b->lzo_compress_buf = alloc_buf (BUF_SIZE (frame)); - b->lzo_decompress_buf = alloc_buf (BUF_SIZE (frame)); +#ifdef USE_COMP + b->compress_buf = alloc_buf (BUF_SIZE (frame)); + b->decompress_buf = alloc_buf (BUF_SIZE (frame)); #endif return b; @@ -2617,9 +2749,9 @@ free_context_buffers (struct context_buffers *b) free_buf (&b->read_tun_buf); free_buf (&b->aux_buf); -#ifdef ENABLE_LZO - free_buf (&b->lzo_compress_buf); - free_buf (&b->lzo_decompress_buf); +#ifdef USE_COMP + free_buf (&b->compress_buf); + free_buf (&b->decompress_buf); #endif #ifdef ENABLE_CRYPTO @@ -2658,19 +2790,6 @@ do_init_fragment (struct context *c) #endif /* - * Set the --mssfix option. - */ -static void -do_init_mssfix (struct context *c) -{ - if (c->options.ce.mssfix) - { - frame_set_mtu_dynamic (&c->c2.frame, - c->options.ce.mssfix, SET_MTU_UPPER_BOUND); - } -} - -/* * Allocate our socket object. */ static void @@ -2695,20 +2814,18 @@ do_init_socket_1 (struct context *c, const int mode) #endif link_socket_init_phase1 (c->c2.link_socket, - connection_list_defined (&c->options), c->options.ce.local, c->options.ce.local_port, c->options.ce.remote, c->options.ce.remote_port, + c->c1.dns_cache, c->options.ce.proto, + c->options.ce.af, + c->options.ce.bind_ipv6_only, mode, c->c2.accept_from, -#ifdef ENABLE_HTTP_PROXY c->c1.http_proxy, -#endif -#ifdef ENABLE_SOCKS c->c1.socks_proxy, -#endif #ifdef ENABLE_DEBUG c->options.gremlin, #endif @@ -2719,13 +2836,11 @@ do_init_socket_1 (struct context *c, const int mode) c->options.ipchange, c->plugins, c->options.resolve_retry_seconds, - c->options.ce.connect_retry_seconds, - c->options.ce.connect_timeout, - c->options.ce.connect_retry_max, c->options.ce.mtu_discover_type, c->options.rcvbuf, c->options.sndbuf, c->options.mark, + &c->c2.server_poll_interval, sockflags); } @@ -2736,7 +2851,7 @@ static void do_init_socket_2 (struct context *c) { link_socket_init_phase2 (c->c2.link_socket, &c->c2.frame, - &c->sig->signal_received); + c->sig); } /* @@ -2767,22 +2882,14 @@ do_compute_occ_strings (struct context *c) c->c2.options_string_remote = options_string (&c->options, &c->c2.frame, c->c1.tuntap, true, &gc); - msg (D_SHOW_OCC, "Local Options String: '%s'", c->c2.options_string_local); - msg (D_SHOW_OCC, "Expected Remote Options String: '%s'", - c->c2.options_string_remote); + msg (D_SHOW_OCC, "Local Options String (VER=%s): '%s'", + options_string_version (c->c2.options_string_local, &gc), + c->c2.options_string_local); + msg (D_SHOW_OCC, "Expected Remote Options String (VER=%s): '%s'", + options_string_version (c->c2.options_string_remote, &gc), + c->c2.options_string_remote); #ifdef ENABLE_CRYPTO - msg (D_SHOW_OCC_HASH, "Local Options hash (VER=%s): '%s'", - options_string_version (c->c2.options_string_local, &gc), - md5sum ((uint8_t*)c->c2.options_string_local, - strlen (c->c2.options_string_local), 9, &gc)); - msg (D_SHOW_OCC_HASH, "Expected Remote Options hash (VER=%s): '%s'", - options_string_version (c->c2.options_string_remote, &gc), - md5sum ((uint8_t*)c->c2.options_string_remote, - strlen (c->c2.options_string_remote), 9, &gc)); -#endif - -#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL) if (c->c2.tls_multi) tls_multi_init_set_options (c->c2.tls_multi, c->c2.options_string_local, @@ -2859,7 +2966,7 @@ do_close_free_buf (struct context *c) static void do_close_tls (struct context *c) { -#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL) +#ifdef ENABLE_CRYPTO if (c->c2.tls_multi) { tls_multi_free (c->c2.tls_multi, true); @@ -2899,14 +3006,31 @@ do_close_link_socket (struct context *c) c->c2.link_socket = NULL; } - if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_remote_ip)) - { - CLEAR (c->c1.link_socket_addr.remote); + + /* Preserve the resolved list of remote if the user request to or if we want + * reconnect to the same host again or there are still addresses that need + * to be tried */ + if (!(c->sig->signal_received == SIGUSR1 && + ( (c->options.persist_remote_ip) + || + ( c->sig->source != SIG_SOURCE_HARD && + ((c->c1.link_socket_addr.current_remote && c->c1.link_socket_addr.current_remote->ai_next) + || c->options.no_advance)) + ))) + { + clear_remote_addrlist(&c->c1.link_socket_addr, !c->options.resolve_in_advance); + } + + /* Clear the remote actual address when persist_remote_ip is not in use */ + if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_remote_ip)) CLEAR (c->c1.link_socket_addr.actual); - } - if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_local_ip)) - CLEAR (c->c1.link_socket_addr.local); + if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_local_ip)) { + if (c->c1.link_socket_addr.bind_local && !c->options.resolve_in_advance) + freeaddrinfo(c->c1.link_socket_addr.bind_local); + + c->c1.link_socket_addr.bind_local=NULL; + } } /* @@ -2916,7 +3040,7 @@ static void do_close_packet_id (struct context *c) { #ifdef ENABLE_CRYPTO - packet_id_free (&c->c2.packet_id); + packet_id_free (&c->c2.crypto_options.packet_id); packet_id_persist_save (&c->c1.pid_persist); if (!(c->sig->signal_received == SIGUSR1)) packet_id_persist_close (&c->c1.pid_persist); @@ -3070,7 +3194,7 @@ do_setup_fast_io (struct context *c) { if (c->options.fast_io) { -#ifdef WIN32 +#ifdef _WIN32 msg (M_INFO, "NOTE: --fast-io is disabled since we are running on Windows"); #else if (!proto_is_udp(c->options.ce.proto)) @@ -3093,7 +3217,7 @@ do_setup_fast_io (struct context *c) static void do_signal_on_tls_errors (struct context *c) { -#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL) +#ifdef ENABLE_CRYPTO if (c->options.tls_exit) c->c2.tls_exit_signal = SIGTERM; else @@ -3183,7 +3307,7 @@ management_callback_status_p2p (void *arg, const int version, struct status_outp void management_show_net_callback (void *arg, const int msglevel) { -#ifdef WIN32 +#ifdef _WIN32 show_routes (msglevel); show_adapters (msglevel); msg (msglevel, "END"); @@ -3192,6 +3316,37 @@ management_show_net_callback (void *arg, const int msglevel) #endif } +#ifdef TARGET_ANDROID +int +management_callback_network_change (void *arg, bool samenetwork) +{ + /* Check if the client should translate the network change to a SIGUSR1 to + reestablish the connection or just reprotect the socket + + At the moment just assume that, for all settings that use pull (not + --static) and are not using peer-id reestablishing the connection is + required (unless the network is the same) + + The function returns -1 on invalid fd and -2 if the socket cannot be + reused. On the -2 return value the man_network_change function triggers + a SIGUSR1 to force a reconnect. + */ + + int socketfd=-1; + struct context *c = (struct context *) arg; + if (!c->c2.link_socket) + return -1; + if (c->c2.link_socket->sd == SOCKET_UNDEFINED) + return -1; + + socketfd = c->c2.link_socket->sd; + if (!c->options.pull || c->c2.tls_multi->use_peer_id || samenetwork) + return socketfd; + else + return -2; +} +#endif + #endif void @@ -3207,6 +3362,9 @@ init_management_callback_p2p (struct context *c) cb.show_net = management_show_net_callback; cb.proxy_cmd = management_callback_proxy_cmd; cb.remote_cmd = management_callback_remote_cmd; +#ifdef TARGET_ANDROID + cb.network_change = management_callback_network_change; +#endif management_set_callback (management, &cb); } #endif @@ -3248,12 +3406,14 @@ open_management (struct context *c) management_set_state (management, OPENVPN_STATE_CONNECTING, NULL, - (in_addr_t)0, - (in_addr_t)0); + NULL, + NULL, + NULL, + NULL); } /* initial management hold, called early, before first context initialization */ - do_hold (); + do_hold (0); if (IS_SIG (c)) { msg (M_WARN, "Signal received from management interface, exiting"); @@ -3326,10 +3486,14 @@ init_instance (struct context *c, const struct env_set *env, const unsigned int /* init garbage collection level */ gc_init (&c->c2.gc); + /* inherit environmental variables */ + if (env) + do_inherit_env (c, env); + /* signals caught here will abort */ c->sig->signal_received = 0; c->sig->signal_text = NULL; - c->sig->hard = false; + c->sig->source = SIG_SOURCE_SOFT; if (c->mode == CM_P2P) init_management_callback_p2p (c); @@ -3342,14 +3506,20 @@ init_instance (struct context *c, const struct env_set *env, const unsigned int goto sig; } + if (c->options.resolve_in_advance) + { + do_preresolve (c); + if (IS_SIG (c)) + goto sig; + } + /* map in current connection entry */ next_connection_entry (c); /* link_socket_mode allows CM_CHILD_TCP instances to inherit acceptable fds from a top-level parent */ - if (c->options.ce.proto == PROTO_TCPv4_SERVER - || c->options.ce.proto == PROTO_TCPv6_SERVER) + if (c->options.ce.proto == PROTO_TCP_SERVER) { if (c->mode == CM_TOP) link_socket_mode = LS_MODE_TCP_LISTEN; @@ -3378,10 +3548,6 @@ init_instance (struct context *c, const struct env_set *env, const unsigned int if (c->mode == CM_P2P || c->mode == CM_TOP) do_option_warnings (c); - /* inherit environmental variables */ - if (env) - do_inherit_env (c, env); - #ifdef ENABLE_PLUGIN /* initialize plugins */ if (c->mode == CM_P2P || c->mode == CM_TOP) @@ -3416,7 +3582,7 @@ init_instance (struct context *c, const struct env_set *env, const unsigned int do_event_set_init (c, false); /* initialize HTTP or SOCKS proxy object at scope level 2 */ - init_proxy (c, 2); + init_proxy (c); /* allocate our socket object */ if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP) @@ -3442,10 +3608,10 @@ init_instance (struct context *c, const struct env_set *env, const unsigned int goto sig; } -#ifdef ENABLE_LZO - /* initialize LZO compression library. */ - if ((options->lzo & LZO_SELECTED) && (c->mode == CM_P2P || child)) - lzo_compress_init (&c->c2.lzo_compwork, options->lzo); +#ifdef USE_COMP + /* initialize compression library. */ + if (comp_enabled(&options->comp) && (c->mode == CM_P2P || child)) + c->c2.comp_context = comp_init (&options->comp); #endif /* initialize MTU variables */ @@ -3465,7 +3631,7 @@ init_instance (struct context *c, const struct env_set *env, const unsigned int #endif /* initialize dynamic MTU variable */ - do_init_mssfix (c); + frame_init_mssfix (&c->c2.frame, &c->options); /* bind the TCP/UDP socket */ if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP) @@ -3498,16 +3664,19 @@ init_instance (struct context *c, const struct env_set *env, const unsigned int open_plugins (c, false, OPENVPN_PLUGIN_INIT_POST_DAEMON); #endif + /* initialise connect timeout timer */ + do_init_server_poll_timeout(c); + + /* finalize the TCP/UDP socket */ + if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP) + do_init_socket_2 (c); + /* * Actually do UID/GID downgrade, and chroot, if requested. * May be delayed by --client, --pull, or --up-delay. */ do_uid_gid_chroot (c, c->c2.did_open_tun); - /* finalize the TCP/UDP socket */ - if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP) - do_init_socket_2 (c); - /* initialize timers */ if (c->mode == CM_P2P || child) do_init_timers (c, false); @@ -3559,9 +3728,12 @@ close_instance (struct context *c) /* if xinetd/inetd mode, don't allow restart */ do_close_check_if_restart_permitted (c); -#ifdef ENABLE_LZO - if (lzo_defined (&c->c2.lzo_compwork)) - lzo_compress_uninit (&c->c2.lzo_compwork); +#ifdef USE_COMP + if (c->c2.comp_context) + { + comp_uninit (c->c2.comp_context); + c->c2.comp_context = NULL; + } #endif /* free buffers */ @@ -3636,11 +3808,14 @@ inherit_context_child (struct context *dest, #ifdef ENABLE_CRYPTO dest->c1.ks.key_type = src->c1.ks.key_type; -#ifdef ENABLE_SSL /* inherit SSL context */ dest->c1.ks.ssl_ctx = src->c1.ks.ssl_ctx; - dest->c1.ks.tls_auth_key = src->c1.ks.tls_auth_key; -#endif + dest->c1.ks.tls_wrap_key = src->c1.ks.tls_wrap_key; + dest->c1.ks.tls_auth_key_type = src->c1.ks.tls_auth_key_type; + /* inherit pre-NCP ciphers */ + dest->c1.ciphername = src->c1.ciphername; + dest->c1.authname = src->c1.authname; + dest->c1.keysize = src->c1.keysize; #endif /* options */ @@ -3713,7 +3888,7 @@ inherit_context_top (struct context *dest, /* detach plugins */ dest->plugins_owned = false; -#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL) +#ifdef ENABLE_CRYPTO dest->c2.tls_multi = NULL; #endif @@ -3733,6 +3908,10 @@ inherit_context_top (struct context *dest, dest->c2.event_set = NULL; if (proto_is_dgram(src->options.ce.proto)) do_event_set_init (dest, false); + +#ifdef USE_COMP + dest->c2.comp_context = NULL; +#endif } void @@ -3747,8 +3926,11 @@ close_context (struct context *c, int sig, unsigned int flags) if (c->sig->signal_received == SIGUSR1) { if ((flags & CC_USR1_TO_HUP) - || (c->sig->hard && (flags & CC_HARD_USR1_TO_HUP))) - c->sig->signal_received = SIGHUP; + || (c->sig->source == SIG_SOURCE_HARD && (flags & CC_HARD_USR1_TO_HUP))) + { + c->sig->signal_received = SIGHUP; + c->sig->signal_text = "close_context usr1 to hup"; + } } if (!(flags & CC_NO_CLOSE)) @@ -3773,6 +3955,7 @@ test_crypto_thread (void *arg) ASSERT (options->test_crypto); init_verb_mute (c, IVM_LEVEL_1); context_init_1 (c); + next_connection_entry(c); do_init_crypto_static (c, 0); frame_finalize_options (c, options); @@ -3780,13 +3963,13 @@ test_crypto_thread (void *arg) test_crypto (&c->c2.crypto_options, &c->c2.frame); key_schedule_free (&c->c1.ks, true); - packet_id_free (&c->c2.packet_id); + packet_id_free (&c->c2.crypto_options.packet_id); context_gc_free (c); return NULL; } -#endif +#endif /* ENABLE_CRYPTO */ bool do_test_crypto (const struct options *o) diff --git a/src/openvpn/init.h b/src/openvpn/init.h index a819bd2..524bc64 100644 --- a/src/openvpn/init.h +++ b/src/openvpn/init.h @@ -81,7 +81,7 @@ bool do_test_crypto (const struct options *o); void context_gc_free (struct context *c); -void do_up (struct context *c, +bool do_up (struct context *c, bool pulled_options, unsigned int option_types_found); @@ -91,7 +91,7 @@ const char *format_common_name (struct context *c, struct gc_arena *gc); void reset_coarse_timers (struct context *c); -void do_deferred_options (struct context *c, const unsigned int found); +bool do_deferred_options (struct context *c, const unsigned int found); void inherit_context_child (struct context *dest, const struct context *src); diff --git a/src/openvpn/interval.h b/src/openvpn/interval.h index 4814ec9..59eb1f6 100644 --- a/src/openvpn/interval.h +++ b/src/openvpn/interval.h @@ -186,6 +186,15 @@ event_timeout_modify_wakeup (struct event_timeout* et, interval_t n) } /* + * Will return the time left for a timeout, this function does not check + * if the timeout is actually valid + */ +static inline interval_t event_timeout_remaining (struct event_timeout* et) +{ + return (int) et->last + et->n - now; +} + +/* * This is the principal function for testing and triggering recurring * timers and will return true on a timer signal event. * If et_const_retry == ETT_DEFAULT and a signal occurs, diff --git a/src/openvpn/lzo.c b/src/openvpn/lzo.c index 195b819..25a839b 100644 --- a/src/openvpn/lzo.c +++ b/src/openvpn/lzo.c @@ -34,15 +34,14 @@ #include "syshead.h" -#ifdef ENABLE_LZO +#if defined(ENABLE_LZO) -#include "lzo.h" +#include "comp.h" #include "error.h" #include "otime.h" #include "memdbg.h" -#ifndef ENABLE_LZO_STUB /** * Perform adaptive compression housekeeping. * @@ -97,101 +96,69 @@ lzo_adaptive_compress_data (struct lzo_adaptive_compress *ac, int n_total, int n ac->n_comp += n_comp; } -#endif /* ENABLE_LZO_STUB */ - -void lzo_adjust_frame_parameters (struct frame *frame) -{ - /* Leave room for our one-byte compressed/didn't-compress prefix byte. */ - frame_add_to_extra_frame (frame, LZO_PREFIX_LEN); - - /* Leave room for compression buffer to expand in worst case scenario - where data is totally uncompressible */ - frame_add_to_extra_buffer (frame, LZO_EXTRA_BUFFER (EXPANDED_SIZE(frame))); -} - -void -lzo_compress_init (struct lzo_compress_workspace *lzowork, unsigned int flags) +static void +lzo_compress_init (struct compress_context *compctx) { - CLEAR (*lzowork); - - lzowork->flags = flags; -#ifndef ENABLE_LZO_STUB - lzowork->wmem_size = LZO_WORKSPACE; - + msg (D_INIT_MEDIUM, "LZO compression initializing"); + ASSERT(!(compctx->flags & COMP_F_SWAP)); + compctx->wu.lzo.wmem_size = LZO_WORKSPACE; if (lzo_init () != LZO_E_OK) msg (M_FATAL, "Cannot initialize LZO compression library"); - lzowork->wmem = (lzo_voidp) lzo_malloc (lzowork->wmem_size); - check_malloc_return (lzowork->wmem); - msg (D_INIT_MEDIUM, "LZO compression initialized"); -#else - msg (D_INIT_MEDIUM, "LZO stub compression initialized"); -#endif - lzowork->defined = true; + compctx->wu.lzo.wmem = (lzo_voidp) lzo_malloc (compctx->wu.lzo.wmem_size); + check_malloc_return (compctx->wu.lzo.wmem); } -void -lzo_compress_uninit (struct lzo_compress_workspace *lzowork) +static void +lzo_compress_uninit (struct compress_context *compctx) { - if (lzowork) - { - ASSERT (lzowork->defined); -#ifndef ENABLE_LZO_STUB - lzo_free (lzowork->wmem); - lzowork->wmem = NULL; -#endif - lzowork->defined = false; - } + lzo_free (compctx->wu.lzo.wmem); + compctx->wu.lzo.wmem = NULL; } static inline bool -lzo_compression_enabled (struct lzo_compress_workspace *lzowork) +lzo_compression_enabled (struct compress_context *compctx) { -#ifndef ENABLE_LZO_STUB - if ((lzowork->flags & (LZO_SELECTED|LZO_ON)) == (LZO_SELECTED|LZO_ON)) + if (compctx->flags & COMP_F_ASYM) + return false; + else { - if (lzowork->flags & LZO_ADAPTIVE) - return lzo_adaptive_compress_test (&lzowork->ac); + if (compctx->flags & COMP_F_ADAPTIVE) + return lzo_adaptive_compress_test (&compctx->wu.lzo.ac); else return true; } -#endif - return false; } -void +static void lzo_compress (struct buffer *buf, struct buffer work, - struct lzo_compress_workspace *lzowork, + struct compress_context *compctx, const struct frame* frame) { -#ifndef ENABLE_LZO_STUB lzo_uint zlen = 0; int err; bool compressed = false; -#endif - - ASSERT (lzowork->defined); if (buf->len <= 0) return; -#ifndef ENABLE_LZO_STUB /* * In order to attempt compression, length must be at least COMPRESS_THRESHOLD, * and our adaptive level must give the OK. */ - if (buf->len >= COMPRESS_THRESHOLD && lzo_compression_enabled (lzowork)) + if (buf->len >= COMPRESS_THRESHOLD && lzo_compression_enabled (compctx)) { + const size_t ps = PAYLOAD_SIZE (frame); ASSERT (buf_init (&work, FRAME_HEADROOM (frame))); - ASSERT (buf_safe (&work, LZO_EXTRA_BUFFER (PAYLOAD_SIZE (frame)))); + ASSERT (buf_safe (&work, ps + COMP_EXTRA_BUFFER (ps))); - if (!(buf->len <= PAYLOAD_SIZE (frame))) + if (buf->len > ps) { dmsg (D_COMP_ERRORS, "LZO compression buffer overflow"); buf->len = 0; return; } - err = LZO_COMPRESS (BPTR (buf), BLEN (buf), BPTR (&work), &zlen, lzowork->wmem); + err = LZO_COMPRESS (BPTR (buf), BLEN (buf), BPTR (&work), &zlen, compctx->wu.lzo.wmem); if (err != LZO_E_OK) { dmsg (D_COMP_ERRORS, "LZO compression error: %d", err); @@ -203,43 +170,38 @@ lzo_compress (struct buffer *buf, struct buffer work, work.len = zlen; compressed = true; - dmsg (D_COMP, "compress %d -> %d", buf->len, work.len); - lzowork->pre_compress += buf->len; - lzowork->post_compress += work.len; + dmsg (D_COMP, "LZO compress %d -> %d", buf->len, work.len); + compctx->pre_compress += buf->len; + compctx->post_compress += work.len; /* tell adaptive level about our success or lack thereof in getting any size reduction */ - if (lzowork->flags & LZO_ADAPTIVE) - lzo_adaptive_compress_data (&lzowork->ac, buf->len, work.len); + if (compctx->flags & COMP_F_ADAPTIVE) + lzo_adaptive_compress_data (&compctx->wu.lzo.ac, buf->len, work.len); } /* did compression save us anything ? */ if (compressed && work.len < buf->len) { uint8_t *header = buf_prepend (&work, 1); - *header = YES_COMPRESS; + *header = LZO_COMPRESS_BYTE; *buf = work; } else -#endif { uint8_t *header = buf_prepend (buf, 1); - *header = NO_COMPRESS; + *header = NO_COMPRESS_BYTE; } } -void +static void lzo_decompress (struct buffer *buf, struct buffer work, - struct lzo_compress_workspace *lzowork, + struct compress_context *compctx, const struct frame* frame) { -#ifndef ENABLE_LZO_STUB lzo_uint zlen = EXPANDED_SIZE (frame); int err; -#endif uint8_t c; /* flag indicating whether or not our peer compressed */ - ASSERT (lzowork->defined); - if (buf->len <= 0) return; @@ -248,12 +210,11 @@ lzo_decompress (struct buffer *buf, struct buffer work, c = *BPTR (buf); ASSERT (buf_advance (buf, 1)); - if (c == YES_COMPRESS) /* packet was compressed */ + if (c == LZO_COMPRESS_BYTE) /* packet was compressed */ { -#ifndef ENABLE_LZO_STUB ASSERT (buf_safe (&work, zlen)); err = LZO_DECOMPRESS (BPTR (buf), BLEN (buf), BPTR (&work), &zlen, - lzowork->wmem); + compctx->wu.lzo.wmem); if (err != LZO_E_OK) { dmsg (D_COMP_ERRORS, "LZO decompression error: %d", err); @@ -264,18 +225,13 @@ lzo_decompress (struct buffer *buf, struct buffer work, ASSERT (buf_safe (&work, zlen)); work.len = zlen; - dmsg (D_COMP, "decompress %d -> %d", buf->len, work.len); - lzowork->pre_decompress += buf->len; - lzowork->post_decompress += work.len; + dmsg (D_COMP, "LZO decompress %d -> %d", buf->len, work.len); + compctx->pre_decompress += buf->len; + compctx->post_decompress += work.len; *buf = work; -#else - dmsg (D_COMP_ERRORS, "LZO decompression error: LZO capability not compiled"); - buf->len = 0; - return; -#endif } - else if (c == NO_COMPRESS) /* packet was not compressed */ + else if (c == NO_COMPRESS_BYTE) /* packet was not compressed */ { ; } @@ -286,24 +242,13 @@ lzo_decompress (struct buffer *buf, struct buffer work, } } -void -lzo_modify_flags (struct lzo_compress_workspace *lzowork, unsigned int flags) -{ - ASSERT (lzowork->defined); - lzowork->flags = flags; -} - -void lzo_print_stats (const struct lzo_compress_workspace *lzo_compwork, struct status_output *so) -{ - ASSERT (lzo_compwork->defined); - -#ifndef ENABLE_LZO_STUB - status_printf (so, "pre-compress bytes," counter_format, lzo_compwork->pre_compress); - status_printf (so, "post-compress bytes," counter_format, lzo_compwork->post_compress); - status_printf (so, "pre-decompress bytes," counter_format, lzo_compwork->pre_decompress); - status_printf (so, "post-decompress bytes," counter_format, lzo_compwork->post_decompress); -#endif -} +const struct compress_alg lzo_alg = { + "lzo", + lzo_compress_init, + lzo_compress_uninit, + lzo_compress, + lzo_decompress +}; #else static void dummy(void) {} diff --git a/src/openvpn/lzo.h b/src/openvpn/lzo.h index 472204d..f33e587 100644 --- a/src/openvpn/lzo.h +++ b/src/openvpn/lzo.h @@ -32,14 +32,13 @@ */ -#ifdef ENABLE_LZO +#if defined(ENABLE_LZO) /** * @addtogroup compression * @{ */ -#ifndef ENABLE_LZO_STUB #if defined(HAVE_LZO_LZOUTIL_H) #include "lzo/lzoutil.h" #elif defined(HAVE_LZOUTIL_H) @@ -50,28 +49,16 @@ #elif defined(HAVE_LZO1X_H) #include "lzo1x.h" #endif -#endif #include "buffer.h" #include "mtu.h" #include "common.h" #include "status.h" -/**************************************************************************/ -/** @name Bit-flags which control data channel packet compression *//******/ -/** @{ */ -#define LZO_SELECTED (1<<0) /**< Bit-flag indicating that compression - * of data channel packets is enabled. */ -#define LZO_ON (1<<1) /**< Bit-flag indicating that compression - * of data channel packets is active. */ -#define LZO_ADAPTIVE (1<<2) /**< Bit-flag indicating that adaptive - * compression of data channel packets - * has been selected. */ -/** @} name Bit-flags which control data channel packet compression *//****/ +extern const struct compress_alg lzo_alg; /**************************************************************************/ /** @name LZO library interface defines *//** @{ *//***********************/ -#ifndef ENABLE_LZO_STUB #define LZO_COMPRESS lzo1x_1_15_compress /**< LZO library compression function. * @@ -93,36 +80,11 @@ * verify the integrity of incoming * packets, you might want to consider * using the non-safe version. */ -#endif /* ENABLE_LZO_STUB */ /** @} name LZO library interface *//**************************************/ /**************************************************************************/ -/** @name Miscellaneous compression defines *//** @{ *//*******************/ -#define LZO_EXTRA_BUFFER(len) ((len)/8 + 128 + 3) - /**< LZO 2.0 worst-case size expansion. */ -#ifndef ENABLE_LZO_STUB -#define COMPRESS_THRESHOLD 100 /**< Minimum packet size to attempt - * compression. */ -#endif /* ENABLE_LZO_STUB */ -/** @} name Miscellaneous compression defines *//**************************/ - - -/**************************************************************************/ -/** @name Compression header defines *//** @{ *//**************************/ -#define LZO_PREFIX_LEN 1 /**< Length in bytes of prepended - * compression header. */ -#define YES_COMPRESS 0x66 /**< Single-byte compression header - * indicating this packet has been - * compressed. */ -#define NO_COMPRESS 0xFA /**< Single-byte compression header - * indicating this packet has not been - * compressed. */ -/** @} name Compression header defines *//*********************************/ - -/**************************************************************************/ /** @name Adaptive compression defines *//** @{ *//************************/ -#ifndef ENABLE_LZO_STUB #define AC_SAMP_SEC 2 /**< Number of seconds in a sample period. */ #define AC_MIN_BYTES 1000 /**< Minimum number of bytes a sample * period must contain for it to be @@ -132,11 +94,8 @@ * turned off. */ #define AC_OFF_SEC 60 /**< Seconds to wait after compression has * been turned off before retesting. */ -#endif /* ENABLE_LZO_STUB */ /** @} name Adaptive compression defines *//*******************************/ -#ifndef ENABLE_LZO_STUB - /** * Adaptive compression state. */ @@ -147,8 +106,6 @@ struct lzo_adaptive_compress { int n_comp; }; -#endif /* ENABLE_LZO_STUB */ - /** * State for the compression and decompression routines. @@ -162,186 +119,13 @@ struct lzo_adaptive_compress { */ struct lzo_compress_workspace { - bool defined; - unsigned int flags; -#ifndef ENABLE_LZO_STUB lzo_voidp wmem; int wmem_size; struct lzo_adaptive_compress ac; - - /* statistics */ - counter_type pre_decompress; - counter_type post_decompress; - counter_type pre_compress; - counter_type post_compress; -#endif }; - -/**************************************************************************/ -/** @name Functions for initialization and cleanup *//** @{ *//************/ - -/** - * Adjust %frame parameters for data channel payload compression. - * - * Data channel packet compression requires a single-byte header to - * indicate whether a packet has been compressed or not. The packet - * handling buffers must also allow for worst-case payload compression - * where the compressed content size is actually larger than the original - * content size. This function adjusts the parameters of a given frame - * structure to include the header and allow for worst-case compression - * expansion. - * - * @param frame - The frame structure to adjust. - */ -void lzo_adjust_frame_parameters(struct frame *frame); - -/** - * Initialize a compression workspace structure. - * - * This function initializes the given workspace structure \a lzowork. - * This includes allocating a work buffer for internal use and setting its - * flags to the given value of \a flags. - * - * This function also initializes the lzo library. - * - * @param lzowork - A pointer to the workspace structure to - * initialize. - * @param flags - The initial flags to set in the workspace - * structure. - */ -void lzo_compress_init (struct lzo_compress_workspace *lzowork, unsigned int flags); - -/** - * Cleanup a compression workspace structure. - * - * This function cleans up the given workspace structure \a lzowork. This - * includes freeing the structure's internal work buffer. - * - * @param lzowork - A pointer to the workspace structure to clean up. - */ -void lzo_compress_uninit (struct lzo_compress_workspace *lzowork); - -/** - * Set a workspace structure's flags. - * - * @param lzowork - The workspace structure of which to modify the - * flags. - * @param flags - The new value to assign to the workspace - * structure's flags. - */ -void lzo_modify_flags (struct lzo_compress_workspace *lzowork, unsigned int flags); - -/** @} name Functions for initialization and cleanup *//*******************/ - - -/**************************************************************************/ -/** @name Function for packets to be sent to a remote OpenVPN peer *//*****/ -/** @{ */ - -/** - * Process an outgoing packet according to a VPN tunnel's settings. - * @ingroup compression - * - * This function processes the packet contained in \a buf. Its behavior - * depends on the settings contained within \a lzowork. If compression is - * enabled and active, this function compresses the packet. After - * compression, the size of the uncompressed and compressed packets are - * compared, and the smallest is used. - * - * This function prepends a one-byte header indicating whether the packet - * was or was not compressed, so as to let the peer know how to handle the - * packet. - * - * If an error occurs during processing, an error message is logged and - * the length of \a buf is set to zero. - * - * @param buf - A pointer to the buffer containing the outgoing - * packet. This pointer will be modified to point - * to the processed packet on return. - * @param work - A preallocated working buffer. - * @param lzowork - The compression workspace structure associated - * with this VPN tunnel. - * @param frame - The frame parameters of this tunnel. - * - * @return Void.\n On return, \a buf will point to a buffer containing - * the processed, possibly compressed, packet data with a compression - * header prepended. - */ -void lzo_compress (struct buffer *buf, struct buffer work, - struct lzo_compress_workspace *lzowork, - const struct frame* frame); - -/** @} name Function for packets to be sent to a remote OpenVPN peer *//***/ - - -/**************************************************************************/ -/** @name Function for packets received from a remote OpenVPN peer *//*****/ -/** @{ */ - -/** - * Inspect an incoming packet and decompress if it is compressed. - * - * This function inspects the incoming packet contained in \a buf. If its - * one-byte compression header indicates that it was compressed (i.e. \c - * YES_COMPRESS), then it will be decompressed. If its header indicates - * that it was not compressed (i.e. \c NO_COMPRESS), then the buffer is - * not modified except for removing the compression header. - * - * If an error occurs during processing, for example if the compression - * header has a value other than \c YES_COMPRESS or \c NO_COMPRESS, then - * the error is logged and the length of \a buf is set to zero. - * - * @param buf - A pointer to the buffer containing the incoming - * packet. This pointer will be modified to point - * to the processed packet on return. - * @param work - A preallocated working buffer. - * @param lzowork - The compression workspace structure associated - * with this VPN tunnel. - * @param frame - The frame parameters of this tunnel. - * - * @return Void.\n On return, \a buf will point to a buffer containing - * the uncompressed packet data and the one-byte compression header - * will have been removed. - */ -void lzo_decompress (struct buffer *buf, struct buffer work, - struct lzo_compress_workspace *lzowork, - const struct frame* frame); - -/** @} name Function for packets received from a remote OpenVPN peer *//***/ - - -/**************************************************************************/ -/** @name Utility functions *//** @{ *//***********************************/ - -/** - * Print statistics on compression and decompression performance. - * - * @param lzo_compwork - The workspace structure from which to get the - * statistics. - * @param so - The status output structure to which to write the - * statistics. - */ -void lzo_print_stats (const struct lzo_compress_workspace *lzo_compwork, struct status_output *so); - -/** - * Check whether compression is enabled for a workspace structure. - * - * @param lzowork - The workspace structure to check. - * - * @return true if compression is enabled; false otherwise. - */ -static inline bool -lzo_defined (const struct lzo_compress_workspace *lzowork) -{ - return lzowork->defined; -} - -/** @} name Utility functions *//******************************************/ - - /** @} addtogroup compression */ -#endif /* ENABLE_LZO */ +#endif /* ENABLE_LZO && USE_COMP */ #endif diff --git a/src/openvpn/manage.c b/src/openvpn/manage.c index 0a4542a..77a8006 100644 --- a/src/openvpn/manage.c +++ b/src/openvpn/manage.c @@ -113,6 +113,8 @@ man_help () #ifdef MANAGMENT_EXTERNAL_KEY msg (M_CLIENT, "rsa-sig : Enter an RSA signature in response to >RSA_SIGN challenge"); msg (M_CLIENT, " Enter signature base64 on subsequent lines followed by END"); + msg (M_CLIENT, "certificate : Enter a client certificate in response to >NEED-CERT challenge"); + msg (M_CLIENT, " Enter certificate base64 on subsequent lines followed by END"); #endif msg (M_CLIENT, "signal s : Send signal s to daemon,"); msg (M_CLIENT, " s = SIGHUP|SIGTERM|SIGUSR1|SIGUSR2."); @@ -268,7 +270,7 @@ man_delete_unix_socket (struct management *man) static void man_close_socket (struct management *man, const socket_descriptor_t sd) { -#ifndef WIN32 +#ifndef _WIN32 /* * Windows doesn't need this because the ne32 event is permanently * enabled at struct management scope. @@ -701,7 +703,7 @@ man_query_need_str (struct management *man, const char *type, const char *action static void man_forget_passwords (struct management *man) { -#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL) +#ifdef ENABLE_CRYPTO ssl_purge_auth (false); msg (M_CLIENT, "SUCCESS: Passwords were forgotten"); #endif @@ -868,6 +870,12 @@ in_extra_dispatch (struct management *man) man->connection.ext_key_input = man->connection.in_extra; man->connection.in_extra = NULL; return; + case IEC_CERTIFICATE: + man->connection.ext_cert_state = EKS_READY; + buffer_list_free (man->connection.ext_cert_input); + man->connection.ext_cert_input = man->connection.in_extra; + man->connection.in_extra = NULL; + return; #endif } in_extra_reset (&man->connection, IER_RESET); @@ -1030,6 +1038,20 @@ man_rsa_sig (struct management *man) msg (M_CLIENT, "ERROR: The rsa-sig command is not currently available"); } +static void +man_certificate (struct management *man) +{ + struct man_connection *mc = &man->connection; + if (mc->ext_cert_state == EKS_SOLICIT) + { + mc->ext_cert_state = EKS_INPUT; + mc->in_extra_cmd = IEC_CERTIFICATE; + in_extra_reset (mc, IER_NEW); + } + else + msg (M_CLIENT, "ERROR: The certificate command is not currently available"); +} + #endif static void @@ -1105,6 +1127,27 @@ man_remote (struct management *man, const char **p) } } +#ifdef TARGET_ANDROID +static void +man_network_change (struct management *man, bool samenetwork) +{ + /* Called to signal the OpenVPN that the network configuration has changed and + the client should either float or reconnect. + + The code is currently only used by ics-openvpn + */ + if (man->persist.callback.network_change) + { + int fd = (*man->persist.callback.network_change) + (man->persist.callback.arg, samenetwork); + man->connection.fdtosend = fd; + msg (M_CLIENT, "PROTECTFD: fd '%d' sent to be protected", fd); + if (fd == -2) + man_signal (man, "SIGUSR1"); + } +} +#endif + static void man_dispatch_command (struct management *man, struct status_output *so, const char **p, const int nparms) { @@ -1148,6 +1191,16 @@ man_dispatch_command (struct management *man, struct status_output *so, const ch if (man_need (man, p, 1, 0)) man_signal (man, p[1]); } +#ifdef TARGET_ANDROID + else if (streq (p[0], "network-change")) + { + bool samenetwork = false; + if (p[1] && streq(p[1], "samenetwork")) + samenetwork = true; + + man_network_change(man, samenetwork); + } +#endif else if (streq (p[0], "load-stats")) { man_load_stats (man); @@ -1311,6 +1364,10 @@ man_dispatch_command (struct management *man, struct status_output *so, const ch { man_rsa_sig (man); } + else if (streq (p[0], "certificate")) + { + man_certificate (man); + } #endif #ifdef ENABLE_PKCS11 else if (streq (p[0], "pkcs11-id-count")) @@ -1356,7 +1413,7 @@ man_dispatch_command (struct management *man, struct status_output *so, const ch gc_free (&gc); } -#ifdef WIN32 +#ifdef _WIN32 static void man_start_ne32 (struct management *man) @@ -1446,7 +1503,7 @@ man_new_connection_post (struct management *man, const char *description) man_connection_settings_reset (man); -#ifdef WIN32 +#ifdef _WIN32 man_start_ne32 (man); #endif @@ -1461,7 +1518,7 @@ man_new_connection_post (struct management *man, const char *description) #endif msg (D_MANAGEMENT, "MANAGEMENT: %s %s", description, - print_sockaddr (&man->settings.local, &gc)); + print_sockaddr (man->settings.local->ai_addr, &gc)); buffer_list_reset (man->connection.out); @@ -1533,7 +1590,7 @@ man_accept (struct management *man) if (socket_defined (man->connection.sd_top)) { -#ifdef WIN32 +#ifdef _WIN32 man_stop_ne32 (man); #endif } @@ -1568,8 +1625,9 @@ man_listen (struct management *man) else #endif { - man->connection.sd_top = create_socket_tcp (AF_INET); - socket_bind (man->connection.sd_top, &man->settings.local, "MANAGEMENT"); + man->connection.sd_top = create_socket_tcp (man->settings.local); + socket_bind (man->connection.sd_top, man->settings.local, + man->settings.local->ai_family, "MANAGEMENT", false); } /* @@ -1593,10 +1651,10 @@ man_listen (struct management *man) else #endif msg (D_MANAGEMENT, "MANAGEMENT: TCP Socket listening on %s", - print_sockaddr (&man->settings.local, &gc)); + print_sockaddr (man->settings.local->ai_addr, &gc)); } -#ifdef WIN32 +#ifdef _WIN32 man_start_ne32 (man); #endif @@ -1634,9 +1692,9 @@ man_connect (struct management *man) else #endif { - man->connection.sd_cli = create_socket_tcp (AF_INET); + man->connection.sd_cli = create_socket_tcp (man->settings.local); status = openvpn_connect (man->connection.sd_cli, - &man->settings.local, + man->settings.local->ai_addr, 5, &signal_received); } @@ -1661,7 +1719,7 @@ man_connect (struct management *man) #endif msg (D_LINK_ERRORS, "MANAGEMENT: connect to %s failed: %s", - print_sockaddr (&man->settings.local, &gc), + print_sockaddr (man->settings.local->ai_addr, &gc), strerror_ts (status, &gc)); throw_signal_soft (SIGTERM, "management-connect-failed"); goto done; @@ -1679,7 +1737,7 @@ man_reset_client_socket (struct management *man, const bool exiting) { if (socket_defined (man->connection.sd_cli)) { -#ifdef WIN32 +#ifdef _WIN32 man_stop_ne32 (man); #endif man_close_socket (man, man->connection.sd_cli); @@ -1694,7 +1752,7 @@ man_reset_client_socket (struct management *man, const bool exiting) } if (!exiting) { -#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL) +#ifdef ENABLE_CRYPTO if (man->settings.flags & MF_FORGET_DISCONNECT) ssl_purge_auth (false); #endif @@ -1779,6 +1837,120 @@ man_io_error (struct management *man, const char *prefix) return false; } +#ifdef TARGET_ANDROID +static ssize_t man_send_with_fd (int fd, void *ptr, size_t nbytes, int flags, int sendfd) +{ + struct msghdr msg; + struct iovec iov[1]; + + union { + struct cmsghdr cm; + char control[CMSG_SPACE(sizeof(int))]; + } control_un; + struct cmsghdr *cmptr; + + msg.msg_control = control_un.control; + msg.msg_controllen = sizeof(control_un.control); + + cmptr = CMSG_FIRSTHDR(&msg); + cmptr->cmsg_len = CMSG_LEN(sizeof(int)); + cmptr->cmsg_level = SOL_SOCKET; + cmptr->cmsg_type = SCM_RIGHTS; + *((int *) CMSG_DATA(cmptr)) = sendfd; + + msg.msg_name = NULL; + msg.msg_namelen = 0; + + iov[0].iov_base = ptr; + iov[0].iov_len = nbytes; + msg.msg_iov = iov; + msg.msg_iovlen = 1; + + return (sendmsg(fd, &msg, flags)); +} + +static ssize_t man_recv_with_fd (int fd, void *ptr, size_t nbytes, int flags, int *recvfd) +{ + struct msghdr msghdr; + struct iovec iov[1]; + ssize_t n; + + union { + struct cmsghdr cm; + char control[CMSG_SPACE(sizeof (int))]; + } control_un; + struct cmsghdr *cmptr; + + msghdr.msg_control = control_un.control; + msghdr.msg_controllen = sizeof(control_un.control); + + msghdr.msg_name = NULL; + msghdr.msg_namelen = 0; + + iov[0].iov_base = ptr; + iov[0].iov_len = nbytes; + msghdr.msg_iov = iov; + msghdr.msg_iovlen = 1; + + if ( (n = recvmsg(fd, &msghdr, flags)) <= 0) + return (n); + + if ( (cmptr = CMSG_FIRSTHDR(&msghdr)) != NULL && + cmptr->cmsg_len == CMSG_LEN(sizeof(int))) { + if (cmptr->cmsg_level != SOL_SOCKET) + msg (M_ERR, "control level != SOL_SOCKET"); + if (cmptr->cmsg_type != SCM_RIGHTS) + msg (M_ERR, "control type != SCM_RIGHTS"); + *recvfd = *((int *) CMSG_DATA(cmptr)); + } else + *recvfd = -1; /* descriptor was not passed */ + + return (n); +} + +/* + * The android control method will instruct the GUI part of openvpn to do + * the route/ifconfig/open tun command. See doc/android.txt for details. + */ +bool management_android_control (struct management *man, const char *command, const char *msg) +{ + struct user_pass up; + CLEAR(up); + strncpy (up.username, msg, sizeof(up.username)-1); + + management_query_user_pass(management, &up , command, GET_USER_PASS_NEED_OK,(void*) 0); + return strcmp ("ok", up.password)==0; +} + +/* + * In Android 4.4 it is not possible to open a new tun device and then close the + * old tun device without breaking the whole VPNService stack until the device + * is rebooted. This management method ask the UI what method should be taken to + * ensure the optimal solution for the situation + */ +int managment_android_persisttun_action (struct management *man) +{ + struct user_pass up; + CLEAR(up); + strcpy(up.username,"tunmethod"); + management_query_user_pass(management, &up , "PERSIST_TUN_ACTION", + GET_USER_PASS_NEED_OK,(void*) 0); + if (!strcmp("NOACTION", up.password)) + return ANDROID_KEEP_OLD_TUN; + else if (!strcmp ("OPEN_AFTER_CLOSE", up.password)) + return ANDROID_OPEN_AFTER_CLOSE; + else if (!strcmp ("OPEN_BEFORE_CLOSE", up.password)) + return ANDROID_OPEN_BEFORE_CLOSE; + else + msg (M_ERR, "Got unrecognised '%s' from management for PERSIST_TUN_ACTION query", up.password); + + ASSERT(0); + return ANDROID_OPEN_AFTER_CLOSE; +} + + +#endif + static int man_read (struct management *man) { @@ -1788,7 +1960,15 @@ man_read (struct management *man) unsigned char buf[256]; int len = 0; +#ifdef TARGET_ANDROID + int fd; + len = man_recv_with_fd (man->connection.sd_cli, buf, sizeof (buf), MSG_NOSIGNAL, &fd); + if(fd >= 0) + man->connection.lastfdreceived = fd; +#else len = recv (man->connection.sd_cli, buf, sizeof (buf), MSG_NOSIGNAL); +#endif + if (len == 0) { man_reset_client_socket (man, false); @@ -1865,6 +2045,13 @@ man_write (struct management *man) if (buf && BLEN (buf)) { const int len = min_int (size_hint, BLEN (buf)); +#ifdef TARGET_ANDROID + if (man->connection.fdtosend > 0) + { + sent = man_send_with_fd (man->connection.sd_cli, BPTR (buf), len, MSG_NOSIGNAL,man->connection.fdtosend); + man->connection.fdtosend = -1; + } else +#endif sent = send (man->connection.sd_cli, BPTR (buf), len, MSG_NOSIGNAL); if (sent >= 0) { @@ -1957,7 +2144,7 @@ man_persist_close (struct man_persist *mp) static void man_settings_init (struct man_settings *ms, const char *addr, - const int port, + const char *port, const char *pass_file, const char *client_user, const char *client_group, @@ -2010,12 +2197,6 @@ man_settings_init (struct man_settings *ms, else #endif { - /* - * Initialize socket address - */ - ms->local.addr.in4.sin_family = AF_INET; - ms->local.addr.in4.sin_addr.s_addr = 0; - ms->local.addr.in4.sin_port = htons (port); /* * Run management over tunnel, or @@ -2027,8 +2208,15 @@ man_settings_init (struct man_settings *ms, } else { - ms->local.addr.in4.sin_addr.s_addr = getaddr - (GETADDR_RESOLVE|GETADDR_WARN_ON_SIGNAL|GETADDR_FATAL, addr, 0, NULL, NULL); + int status; + int resolve_flags = GETADDR_RESOLVE|GETADDR_WARN_ON_SIGNAL|GETADDR_FATAL; + + if (! (flags & MF_CONNECT_AS_CLIENT)) + resolve_flags |= GETADDR_PASSIVE; + + status = openvpn_getaddrinfo (resolve_flags, addr, port, 0, + NULL, AF_UNSPEC, &ms->local); + ASSERT(status==0); } } @@ -2054,6 +2242,8 @@ man_settings_init (struct man_settings *ms, static void man_settings_close (struct man_settings *ms) { + if (ms->local) + freeaddrinfo(ms->local); free (ms->write_peer_info_file); CLEAR (*ms); } @@ -2064,7 +2254,7 @@ man_connection_init (struct management *man) { if (man->connection.state == MS_INITIAL) { -#ifdef WIN32 +#ifdef _WIN32 /* * This object is a sort of TCP/IP helper * for Windows. @@ -2105,7 +2295,7 @@ man_connection_close (struct management *man) if (mc->es) event_free (mc->es); -#ifdef WIN32 +#ifdef _WIN32 net_event_win32_close (&mc->ne32); #endif if (socket_defined (mc->sd_top)) @@ -2147,7 +2337,7 @@ management_init (void) bool management_open (struct management *man, const char *addr, - const int port, + const char *port, const char *pass_file, const char *client_user, const char *client_group, @@ -2232,8 +2422,10 @@ void management_set_state (struct management *man, const int state, const char *detail, - const in_addr_t tun_local_ip, - const in_addr_t tun_remote_ip) + const in_addr_t *tun_local_ip, + const struct in6_addr *tun_local_ip6, + const struct openvpn_sockaddr *local, + const struct openvpn_sockaddr *remote) { if (man->persist.state && (!(man->settings.flags & MF_SERVER) || state < OPENVPN_STATE_CLIENT_BASE)) { @@ -2246,9 +2438,15 @@ management_set_state (struct management *man, e.timestamp = now; e.u.state = state; e.string = detail; - e.local_ip = tun_local_ip; - e.remote_ip = tun_remote_ip; - + if (tun_local_ip) + e.local_ip = *tun_local_ip; + if (tun_local_ip6) + e.local_ip6 = *tun_local_ip6; + if (local) + e.local_sock = *local; + if (remote) + e.remote_sock = *remote; + log_history_add (man->persist.state, &e); if (man->connection.state_realtime) @@ -2361,33 +2559,6 @@ management_notify_generic (struct management *man, const char *str) #ifdef MANAGEMENT_DEF_AUTH -static bool -validate_peer_info_line(const char *line) -{ - uint8_t c; - int state = 0; - while ((c=*line++)) - { - switch (state) - { - case 0: - case 1: - if (c == '=' && state == 1) - state = 2; - else if (isalnum(c) || c == '_') - state = 1; - else - return false; - case 2: - if (isprint(c)) - ; - else - return false; - } - } - return (state == 2); -} - static void man_output_peer_info_env (struct management *man, struct man_def_auth_context *mdac) { @@ -2426,7 +2597,8 @@ management_notify_client_needing_auth (struct management *management, mode = "REAUTH"; msg (M_CLIENT, ">CLIENT:%s,%lu,%u", mode, mdac->cid, mda_key_id); man_output_extra_env (management, "CLIENT"); - man_output_peer_info_env(management, mdac); + if (management->connection.env_filter_level>0) + man_output_peer_info_env(management, mdac); man_output_env (es, true, management->connection.env_filter_level, "CLIENT"); mdac->flags |= DAF_INITIAL_AUTH; } @@ -2513,7 +2685,13 @@ management_post_tunnel_open (struct management *man, const in_addr_t tun_local_i && man->connection.state == MS_INITIAL) { /* listen on our local TUN/TAP IP address */ - man->settings.local.addr.in4.sin_addr.s_addr = htonl (tun_local_ip); + struct in_addr ia; + int ret; + + ia.s_addr = htonl(tun_local_ip); + ret = openvpn_getaddrinfo(GETADDR_PASSIVE, inet_ntoa(ia), NULL, 0, NULL, + AF_INET, &man->settings.local); + ASSERT (ret==0); man_connection_init (man); } @@ -2553,7 +2731,7 @@ man_persist_state (unsigned int *persistent, const int n) return true; } -#ifdef WIN32 +#ifdef _WIN32 void management_socket_set (struct management *man, @@ -2845,7 +3023,8 @@ management_event_loop_n_seconds (struct management *man, int sec) man_check_for_signals (&signal_received); if (signal_received) return; - } while (expire); + update_time(); + } while (expire && expire > now); /* revert state */ man->persist.standalone_disabled = standalone_disabled_save; @@ -2984,15 +3163,14 @@ management_query_user_pass (struct management *man, #ifdef MANAGMENT_EXTERNAL_KEY -char * /* returns allocated base64 signature */ -management_query_rsa_sig (struct management *man, - const char *b64_data) +int +management_query_multiline (struct management *man, + const char *b64_data, const char *prompt, const char *cmd, int *state, struct buffer_list **input) { struct gc_arena gc = gc_new (); - char *ret = NULL; + int ret = 0; volatile int signal_received = 0; struct buffer alert_msg = clear_buf(); - struct buffer *buf; const bool standalone_disabled_save = man->persist.standalone_disabled; struct man_connection *mc = &man->connection; @@ -3001,10 +3179,15 @@ management_query_rsa_sig (struct management *man, man->persist.standalone_disabled = false; /* This is so M_CLIENT messages will be correctly passed through msg() */ man->persist.special_state_msg = NULL; - mc->ext_key_state = EKS_SOLICIT; + *state = EKS_SOLICIT; - alert_msg = alloc_buf_gc (strlen(b64_data)+64, &gc); - buf_printf (&alert_msg, ">RSA_SIGN:%s", b64_data); + if (b64_data) { + alert_msg = alloc_buf_gc (strlen(b64_data)+strlen(prompt)+3, &gc); + buf_printf (&alert_msg, ">%s:%s", prompt, b64_data); + } else { + alert_msg = alloc_buf_gc (strlen(prompt)+3, &gc); + buf_printf (&alert_msg, ">%s", prompt); + } man_wait_for_client_connection (man, &signal_received, 0, MWCC_OTHER_WAIT); @@ -3022,40 +3205,107 @@ management_query_rsa_sig (struct management *man, man_check_for_signals (&signal_received); if (signal_received) goto done; - } while (mc->ext_key_state != EKS_READY); + } while (*state != EKS_READY); - if (buffer_list_defined(mc->ext_key_input)) - { - buffer_list_aggregate (mc->ext_key_input, 2048); - buf = buffer_list_peek (mc->ext_key_input); - if (buf && BLEN(buf) > 0) - { - ret = (char *) malloc(BLEN(buf)+1); - check_malloc_return(ret); - memcpy(ret, buf->data, BLEN(buf)); - ret[BLEN(buf)] = '\0'; - } - } + ret = 1; } done: - if (mc->ext_key_state == EKS_READY && ret) - msg (M_CLIENT, "SUCCESS: rsa-sig command succeeded"); - else if (mc->ext_key_state == EKS_INPUT || mc->ext_key_state == EKS_READY) - msg (M_CLIENT, "ERROR: rsa-sig command failed"); + if (*state == EKS_READY && ret) + msg (M_CLIENT, "SUCCESS: %s command succeeded", cmd); + else if (*state == EKS_INPUT || *state == EKS_READY) + msg (M_CLIENT, "ERROR: %s command failed", cmd); /* revert state */ man->persist.standalone_disabled = standalone_disabled_save; man->persist.special_state_msg = NULL; in_extra_reset (mc, IER_RESET); - mc->ext_key_state = EKS_UNDEF; - buffer_list_free (mc->ext_key_input); - mc->ext_key_input = NULL; + *state = EKS_UNDEF; gc_free (&gc); return ret; } +char * /* returns allocated base64 signature */ +management_query_multiline_flatten_newline (struct management *man, + const char *b64_data, const char *prompt, const char *cmd, int *state, struct buffer_list **input) +{ + int ok; + char *result = NULL; + struct buffer *buf; + + ok = management_query_multiline(man, b64_data, prompt, cmd, state, input); + if (ok && buffer_list_defined(*input)) + { + buffer_list_aggregate_separator (*input, 10000, "\n"); + buf = buffer_list_peek (*input); + if (buf && BLEN(buf) > 0) + { + result = (char *) malloc(BLEN(buf)+1); + check_malloc_return(result); + memcpy(result, buf->data, BLEN(buf)); + result[BLEN(buf)] = '\0'; + } + } + + buffer_list_free (*input); + *input = NULL; + + return result; +} + +char * /* returns allocated base64 signature */ +management_query_multiline_flatten (struct management *man, + const char *b64_data, const char *prompt, const char *cmd, int *state, struct buffer_list **input) +{ + int ok; + char *result = NULL; + struct buffer *buf; + + ok = management_query_multiline(man, b64_data, prompt, cmd, state, input); + if (ok && buffer_list_defined(*input)) + { + buffer_list_aggregate (*input, 2048); + buf = buffer_list_peek (*input); + if (buf && BLEN(buf) > 0) + { + result = (char *) malloc(BLEN(buf)+1); + check_malloc_return(result); + memcpy(result, buf->data, BLEN(buf)); + result[BLEN(buf)] = '\0'; + } + } + + buffer_list_free (*input); + *input = NULL; + + return result; +} + +char * /* returns allocated base64 signature */ +management_query_rsa_sig (struct management *man, + const char *b64_data) +{ + return management_query_multiline_flatten(man, b64_data, "RSA_SIGN", "rsa-sign", + &man->connection.ext_key_state, &man->connection.ext_key_input); +} + + +char* management_query_cert (struct management *man, const char *cert_name) +{ + const char prompt_1[] = "NEED-CERTIFICATE:"; + struct buffer buf_prompt = alloc_buf(strlen(cert_name) + 20); + buf_write(&buf_prompt, prompt_1, strlen(prompt_1)); + buf_write(&buf_prompt, cert_name, strlen(cert_name)+1); // +1 for \0 + + char *result; + result = management_query_multiline_flatten_newline(management, + NULL, (char*)buf_bptr(&buf_prompt), "certificate", + &man->connection.ext_cert_state, &man->connection.ext_cert_input); + free_buf(&buf_prompt); + return result; +} + #endif /* @@ -3082,12 +3332,13 @@ management_should_daemonize (struct management *man) * Return true if the caller should not sleep for an additional time interval. */ bool -management_hold (struct management *man) +management_hold (struct management *man, int holdtime) { if (management_would_hold (man)) { volatile int signal_received = 0; const bool standalone_disabled_save = man->persist.standalone_disabled; + struct gc_arena gc = gc_new (); man->persist.standalone_disabled = false; /* This is so M_CLIENT messages will be correctly passed through msg() */ man->persist.special_state_msg = NULL; @@ -3097,7 +3348,9 @@ management_hold (struct management *man) if (!signal_received) { - man->persist.special_state_msg = ">HOLD:Waiting for hold release"; + struct buffer out = alloc_buf_gc (128, &gc); + buf_printf (&out, ">HOLD:Waiting for hold release:%d", holdtime); + man->persist.special_state_msg = BSTR (&out); msg (M_CLIENT, "%s", man->persist.special_state_msg); /* run command processing event loop until we get our username/password */ @@ -3116,6 +3369,7 @@ management_hold (struct management *man) man->persist.special_state_msg = NULL; man->settings.mansig &= ~MANSIG_IGNORE_USR1_HUP; + gc_free (&gc); return true; } return false; @@ -3218,7 +3472,14 @@ log_entry_print (const struct log_entry *e, unsigned int flags, struct gc_arena if (flags & LOG_PRINT_LOCAL_IP) buf_printf (&out, ",%s", print_in_addr_t (e->local_ip, IA_EMPTY_IF_UNDEF, gc)); if (flags & LOG_PRINT_REMOTE_IP) - buf_printf (&out, ",%s", print_in_addr_t (e->remote_ip, IA_EMPTY_IF_UNDEF, gc)); + { + buf_printf (&out, ",%s", (!addr_defined (&e->remote_sock) ? "," : + print_sockaddr_ex (&e->remote_sock.addr.sa, ",", PS_DONT_SHOW_FAMILY|PS_SHOW_PORT, gc))); + buf_printf (&out, ",%s", (!addr_defined (&e->local_sock) ? "," : + print_sockaddr_ex (&e->local_sock.addr.sa, ",", PS_DONT_SHOW_FAMILY|PS_SHOW_PORT, gc))); + } + if (flags & LOG_PRINT_LOCAL_IP && !IN6_IS_ADDR_UNSPECIFIED(&e->local_ip6)) + buf_printf (&out, ",%s", print_in6_addr (e->local_ip6, IA_EMPTY_IF_UNDEF, gc)); if (flags & LOG_ECHO_TO_LOG) msg (D_MANAGEMENT, "MANAGEMENT: %s", BSTR (&out)); if (flags & LOG_PRINT_CRLF) diff --git a/src/openvpn/manage.h b/src/openvpn/manage.h index 28da69f..3ffced0 100644 --- a/src/openvpn/manage.h +++ b/src/openvpn/manage.h @@ -88,7 +88,9 @@ struct log_entry time_t timestamp; const char *string; in_addr_t local_ip; - in_addr_t remote_ip; + struct in6_addr local_ip6; + struct openvpn_sockaddr local_sock; + struct openvpn_sockaddr remote_sock; union log_entry_union u; }; @@ -173,6 +175,9 @@ struct management_callback #endif bool (*proxy_cmd) (void *arg, const char **p); bool (*remote_cmd) (void *arg, const char **p); +#ifdef TARGET_ANDROID + int (*network_change) (void *arg, bool samenetwork); +#endif }; /* @@ -212,7 +217,7 @@ struct man_persist { struct man_settings { bool defined; unsigned int flags; /* MF_x flags */ - struct openvpn_sockaddr local; + struct addrinfo* local; #if UNIX_SOCK_SUPPORT struct sockaddr_un local_unix; #endif @@ -252,7 +257,7 @@ struct man_connection { socket_descriptor_t sd_cli; struct openvpn_sockaddr remote; -#ifdef WIN32 +#ifdef _WIN32 struct net_event_win32 ne32; #endif @@ -268,6 +273,7 @@ struct man_connection { # define IEC_CLIENT_AUTH 1 # define IEC_CLIENT_PF 2 # define IEC_RSA_SIGN 3 +# define IEC_CERTIFICATE 4 int in_extra_cmd; struct buffer_list *in_extra; #ifdef MANAGEMENT_DEF_AUTH @@ -281,6 +287,8 @@ struct man_connection { # define EKS_READY 3 int ext_key_state; struct buffer_list *ext_key_input; + int ext_cert_state; + struct buffer_list *ext_cert_input; #endif #endif struct event_set *es; @@ -299,6 +307,10 @@ struct man_connection { #ifdef MANAGMENT_EXTERNAL_KEY struct buffer_list *rsa_sig; #endif +#ifdef TARGET_ANDROID + int fdtosend; + int lastfdreceived; +#endif }; struct management @@ -334,10 +346,11 @@ struct management *management_init (void); #define MF_UP_DOWN (1<<10) #define MF_QUERY_REMOTE (1<<11) #define MF_QUERY_PROXY (1<<12) +#define MF_EXTERNAL_CERT (1<<13) bool management_open (struct management *man, const char *addr, - const int port, + const char *port, const char *pass_file, const char *client_user, const char *client_group, @@ -372,9 +385,18 @@ bool management_query_user_pass (struct management *man, const unsigned int flags, const char *static_challenge); +#ifdef TARGET_ANDROID +bool management_android_control (struct management *man, const char *command, const char *msg); + +#define ANDROID_KEEP_OLD_TUN 1 +#define ANDROID_OPEN_AFTER_CLOSE 2 +#define ANDROID_OPEN_BEFORE_CLOSE 3 +int managment_android_persisttun_action (struct management *man); +#endif + bool management_should_daemonize (struct management *man); bool management_would_hold (struct management *man); -bool management_hold (struct management *man); +bool management_hold (struct management *man, int holdtime); void management_event_loop_n_seconds (struct management *man, int sec); @@ -407,6 +429,7 @@ void management_learn_addr (struct management *management, #ifdef MANAGMENT_EXTERNAL_KEY char *management_query_rsa_sig (struct management *man, const char *b64_data); +char* management_query_cert (struct management *man, const char *cert_name); #endif @@ -475,8 +498,10 @@ management_enable_def_auth (const struct management *man) void management_set_state (struct management *man, const int state, const char *detail, - const in_addr_t tun_local_ip, - const in_addr_t tun_remote_ip); + const in_addr_t *tun_local_ip, + const struct in6_addr *tun_local_ip6, + const struct openvpn_sockaddr *local_addr, + const struct openvpn_sockaddr *remote_addr); /* * The management object keeps track of OpenVPN --echo diff --git a/src/openvpn/misc.c b/src/openvpn/misc.c index 48ca0d5..56d43e0 100644 --- a/src/openvpn/misc.c +++ b/src/openvpn/misc.c @@ -6,6 +6,8 @@ * packet compression. * * Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net> + * Copyright (C) 2014-2015 David Sommerseth <davids@redhat.com> + * Copyright (C) 2016 David Sommerseth <davids@openvpn.net> * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 @@ -62,7 +64,7 @@ run_up_down (const char *command, const struct plugin_list *plugins, int plugin_type, const char *arg, -#ifdef WIN32 +#ifdef _WIN32 DWORD adapter_index, #endif const char *dev_type, @@ -85,7 +87,7 @@ run_up_down (const char *command, setenv_str (es, "dev", arg); if (dev_type) setenv_str (es, "dev_type", dev_type); -#ifdef WIN32 +#ifdef _WIN32 setenv_int (es, "dev_idx", adapter_index); #endif @@ -118,13 +120,9 @@ run_up_down (const char *command, struct argv argv = argv_new (); ASSERT (arg); setenv_str (es, "script_type", script_type); - argv_printf (&argv, - "%sc %s %d %d %s %s %s", - command, - arg, - tun_mtu, link_mtu, - ifconfig_local, ifconfig_remote, - context); + argv_parse_cmd (&argv, command); + argv_printf_cat (&argv, "%s %d %d %s %s %s", arg, tun_mtu, link_mtu, + ifconfig_local, ifconfig_remote, context); argv_msg (M_INFO, &argv); openvpn_run_script (&argv, es, S_FATAL, "--up/--down"); argv_reset (&argv); @@ -192,38 +190,13 @@ save_inetd_socket_descriptor (void) } /* - * Warn if a given file is group/others accessible. - */ -void -warn_if_group_others_accessible (const char* filename) -{ -#ifndef WIN32 -#ifdef HAVE_STAT - if (strcmp (filename, INLINE_FILE_TAG)) - { - struct stat st; - if (stat (filename, &st)) - { - msg (M_WARN | M_ERRNO, "WARNING: cannot stat file '%s'", filename); - } - else - { - if (st.st_mode & (S_IRWXG|S_IRWXO)) - msg (M_WARN, "WARNING: file '%s' is group or others accessible", filename); - } - } -#endif -#endif -} - -/* * Print an error message based on the status code returned by system(). */ const char * system_error_message (int stat, struct gc_arena *gc) { struct buffer out = alloc_buf_gc (256, gc); -#ifdef WIN32 +#ifdef _WIN32 if (stat == -1) buf_printf (&out, "external program did not execute -- "); buf_printf (&out, "returned error code %d", stat); @@ -279,7 +252,7 @@ openvpn_execve_allowed (const unsigned int flags) } -#ifndef WIN32 +#ifndef _WIN32 /* * Run execve() inside a fork(). Designed to replicate the semantics of system() but * in a safer way that doesn't require the invocation of a shell or the risks @@ -362,27 +335,29 @@ openvpn_popen (const struct argv *a, const struct env_set *es) pid = fork (); if (pid == (pid_t)0) /* child side */ { - close (pipe_stdout[0]); + close (pipe_stdout[0]); /* Close read end */ dup2 (pipe_stdout[1],1); execve (cmd, argv, envp); exit (127); } - else if (pid < (pid_t)0) /* fork failed */ - { - msg (M_ERR, "openvpn_popen: unable to fork"); - } - else /* parent side */ + else if (pid > (pid_t)0) /* parent side */ { int status = 0; + close (pipe_stdout[1]); /* Close write end */ waitpid(pid, &status, 0); ret = pipe_stdout[0]; + } + else /* fork failed */ + { + close (pipe_stdout[0]); close (pipe_stdout[1]); + msg (M_ERR, "openvpn_popen: unable to fork %s", cmd); } } else { - msg (M_WARN, "openvpn_popen: unable to create stdout pipe"); - ret = -1; + msg (M_WARN, "openvpn_popen: unable to create stdout pipe for %s", cmd); + ret = -1; } } else if (!warn_shown && (script_security < SSEC_SCRIPTS)) @@ -611,6 +586,16 @@ env_set_add (struct env_set *es, const char *str) env_set_add_nolock (es, str); } +const char* +env_set_get (const struct env_set *es, const char *name) +{ + const struct env_item *item = es->list; + while (item && !env_string_equal(item->string, name)) { + item = item->next; + } + return item ? item->string : NULL; +} + void env_set_print (int msglevel, const struct env_set *es) { @@ -701,14 +686,6 @@ env_set_remove_from_environment (const struct env_set *es) } } -#ifdef HAVE_PUTENV - -/* companion functions to putenv */ - -static struct env_item *global_env = NULL; /* GLOBAL */ - -#endif - /* add/modify/delete environmental strings */ void @@ -753,6 +730,28 @@ setenv_str_safe (struct env_set *es, const char *name, const char *value) msg (M_WARN, "setenv_str_safe: name overflow"); } +void setenv_str_incr(struct env_set *es, const char *name, const char *value) +{ + unsigned int counter = 1; + const size_t tmpname_len = strlen(name) + 5; /* 3 digits counter max */ + char *tmpname = gc_malloc(tmpname_len, true, NULL); + strcpy(tmpname, name); + while (NULL != env_set_get(es, tmpname) && counter < 1000) + { + ASSERT (openvpn_snprintf (tmpname, tmpname_len, "%s_%u", name, counter)); + counter++; + } + if (counter < 1000) + { + setenv_str (es, tmpname, value); + } + else + { + msg (D_TLS_DEBUG_MED, "Too many same-name env variables, ignoring: %s", name); + } + free (tmpname); +} + void setenv_del (struct env_set *es, const char *name) { @@ -830,32 +829,6 @@ setenv_str_i (struct env_set *es, const char *name, const char *value, const int gc_free (&gc); } -/* - * taken from busybox networking/ifupdown.c - */ -unsigned int -count_bits(unsigned int a) -{ - unsigned int result; - result = (a & 0x55) + ((a >> 1) & 0x55); - result = (result & 0x33) + ((result >> 2) & 0x33); - return((result & 0x0F) + ((result >> 4) & 0x0F)); -} - -int -count_netmask_bits(const char *dotted_quad) -{ - unsigned int result, a, b, c, d; - /* Found a netmask... Check if it is dotted quad */ - if (sscanf(dotted_quad, "%u.%u.%u.%u", &a, &b, &c, &d) != 4) - return -1; - result = count_bits(a); - result += count_bits(b); - result += count_bits(c); - result += count_bits(d); - return ((int)result); -} - /* return true if filename can be opened for read */ bool test_file (const char *filename) @@ -977,7 +950,7 @@ hostname_randomize(const char *hostname, struct gc_arena *gc) const char * gen_path (const char *directory, const char *filename, struct gc_arena *gc) { -#if WIN32 +#ifdef _WIN32 const int CC_PATH_RESERVED = CC_LESS_THAN|CC_GREATER_THAN|CC_COLON| CC_DOUBLE_QUOTE|CC_SLASH|CC_BACKSLASH|CC_PIPE|CC_QUESTION_MARK|CC_ASTERISK; #else @@ -988,7 +961,7 @@ gen_path (const char *directory, const char *filename, struct gc_arena *gc) if (safe_filename && strcmp (safe_filename, ".") && strcmp (safe_filename, "..") -#ifdef WIN32 +#ifdef _WIN32 && win_safe_filename (safe_filename) #endif ) @@ -1016,7 +989,7 @@ absolute_pathname (const char *pathname) if (pathname) { const int c = pathname[0]; -#ifdef WIN32 +#ifdef _WIN32 return c == '\\' || (isalpha(c) && pathname[1] == ':' && pathname[2] == '\\'); #else return c == '/'; @@ -1085,13 +1058,23 @@ get_user_pass_cr (struct user_pass *up, struct buffer user_prompt = alloc_buf_gc (128, &gc); buf_printf (&user_prompt, "NEED-OK|%s|%s:", prefix, up->username); - - if (!get_console_input (BSTR (&user_prompt), true, up->password, USER_PASS_LEN)) - msg (M_FATAL, "ERROR: could not read %s ok-confirmation from stdin", prefix); + if (!query_user_SINGLE (BSTR(&user_prompt), BLEN(&user_prompt), + up->password, USER_PASS_LEN, false)) + { + msg (M_FATAL, "ERROR: could not read %s ok-confirmation from stdin", prefix); + } if (!strlen (up->password)) strcpy (up->password, "ok"); } + else if (flags & GET_USER_PASS_INLINE_CREDS) + { + struct buffer buf; + buf_set_read (&buf, (uint8_t*) auth_file, strlen (auth_file) + 1); + if (!(flags & GET_USER_PASS_PASSWORD_ONLY)) + buf_parse (&buf, '\n', up->username, USER_PASS_LEN); + buf_parse (&buf, '\n', up->password, USER_PASS_LEN); + } /* * Read from auth file unless this is a dynamic challenge request. */ @@ -1103,8 +1086,6 @@ get_user_pass_cr (struct user_pass *up, FILE *fp; char password_buf[USER_PASS_LEN] = { '\0' }; - warn_if_group_others_accessible (auth_file); - fp = platform_fopen (auth_file, "r"); if (!fp) msg (M_ERR, "Error opening '%s' auth file: %s", prefix, auth_file); @@ -1155,13 +1136,17 @@ get_user_pass_cr (struct user_pass *up, if (ac) { char *response = (char *) gc_malloc (USER_PASS_LEN, false, &gc); - struct buffer packed_resp; + struct buffer packed_resp, challenge; + challenge = alloc_buf_gc (14+strlen(ac->challenge_text), &gc); + buf_printf (&challenge, "CHALLENGE: %s", ac->challenge_text); buf_set_write (&packed_resp, (uint8_t*)up->password, USER_PASS_LEN); - msg (M_INFO|M_NOPREFIX, "CHALLENGE: %s", ac->challenge_text); - if (!get_console_input (ac->challenge_text, BOOL_CAST(ac->flags&CR_ECHO), - response, USER_PASS_LEN)) - msg (M_FATAL, "ERROR: could not read challenge response from stdin"); + + if (!query_user_SINGLE (BSTR(&challenge), BLEN(&challenge), + response, USER_PASS_LEN, BOOL_CAST(ac->flags&CR_ECHO))) + { + msg (M_FATAL, "ERROR: could not read challenge response from stdin"); + } strncpynt (up->username, ac->user, USER_PASS_LEN); buf_printf (&packed_resp, "CRV1::%s::%s", ac->state_id, response); } @@ -1176,32 +1161,49 @@ get_user_pass_cr (struct user_pass *up, struct buffer user_prompt = alloc_buf_gc (128, &gc); struct buffer pass_prompt = alloc_buf_gc (128, &gc); + query_user_clear (); buf_printf (&user_prompt, "Enter %s Username:", prefix); buf_printf (&pass_prompt, "Enter %s Password:", prefix); if (username_from_stdin && !(flags & GET_USER_PASS_PASSWORD_ONLY)) { - if (!get_console_input (BSTR (&user_prompt), true, up->username, USER_PASS_LEN)) - msg (M_FATAL, "ERROR: could not read %s username from stdin", prefix); + query_user_add (BSTR(&user_prompt), BLEN(&user_prompt), + up->username, USER_PASS_LEN, true); + } + + if (password_from_stdin) + { + query_user_add (BSTR(&pass_prompt), BLEN(&pass_prompt), + up->password, USER_PASS_LEN, false); + } + + if( !query_user_exec () ) + { + msg(M_FATAL, "ERROR: Failed retrieving username or password"); + } + + if (!(flags & GET_USER_PASS_PASSWORD_ONLY)) + { if (strlen (up->username) == 0) msg (M_FATAL, "ERROR: %s username is empty", prefix); } - if (password_from_stdin && !get_console_input (BSTR (&pass_prompt), false, up->password, USER_PASS_LEN)) - msg (M_FATAL, "ERROR: could not not read %s password from stdin", prefix); - #ifdef ENABLE_CLIENT_CR if (auth_challenge && (flags & GET_USER_PASS_STATIC_CHALLENGE) && response_from_stdin) { char *response = (char *) gc_malloc (USER_PASS_LEN, false, &gc); - struct buffer packed_resp; + struct buffer packed_resp, challenge; char *pw64=NULL, *resp64=NULL; - msg (M_INFO|M_NOPREFIX, "CHALLENGE: %s", auth_challenge); + challenge = alloc_buf_gc (14+strlen(auth_challenge), &gc); + buf_printf (&challenge, "CHALLENGE: %s", auth_challenge); - if (!get_console_input (auth_challenge, BOOL_CAST(flags & GET_USER_PASS_STATIC_CHALLENGE_ECHO), - response, USER_PASS_LEN)) - msg (M_FATAL, "ERROR: could not read static challenge response from stdin"); + if (!query_user_SINGLE (BSTR(&challenge), BLEN(&challenge), + response, USER_PASS_LEN, + BOOL_CAST(flags & GET_USER_PASS_STATIC_CHALLENGE_ECHO))) + { + msg (M_FATAL, "ERROR: could not retrieve static challenge response"); + } if (openvpn_base64_encode(up->password, strlen(up->password), &pw64) == -1 || openvpn_base64_encode(response, strlen(response), &resp64) == -1) msg (M_FATAL, "ERROR: could not base64-encode password/static_response"); @@ -1555,465 +1557,6 @@ adjust_power_of_2 (size_t u) } /* - * A printf-like function (that only recognizes a subset of standard printf - * format operators) that prints arguments to an argv list instead - * of a standard string. This is used to build up argv arrays for passing - * to execve. - */ - -void -argv_init (struct argv *a) -{ - a->capacity = 0; - a->argc = 0; - a->argv = NULL; - a->system_str = NULL; -} - -struct argv -argv_new (void) -{ - struct argv ret; - argv_init (&ret); - return ret; -} - -void -argv_reset (struct argv *a) -{ - size_t i; - for (i = 0; i < a->argc; ++i) - free (a->argv[i]); - free (a->argv); - free (a->system_str); - argv_init (a); -} - -static void -argv_extend (struct argv *a, const size_t newcap) -{ - if (newcap > a->capacity) - { - char **newargv; - size_t i; - ALLOC_ARRAY_CLEAR (newargv, char *, newcap); - for (i = 0; i < a->argc; ++i) - newargv[i] = a->argv[i]; - free (a->argv); - a->argv = newargv; - a->capacity = newcap; - } -} - -static void -argv_grow (struct argv *a, const size_t add) -{ - const size_t newargc = a->argc + add + 1; - ASSERT (newargc > a->argc); - argv_extend (a, adjust_power_of_2 (newargc)); -} - -static void -argv_append (struct argv *a, char *str) /* str must have been malloced or be NULL */ -{ - argv_grow (a, 1); - a->argv[a->argc++] = str; -} - -static void -argv_system_str_append (struct argv *a, const char *str, const bool enquote) -{ - if (str) - { - char *newstr; - - /* compute length of new system_str */ - size_t l = strlen (str) + 1; /* space for new string plus trailing '\0' */ - if (a->system_str) - l += strlen (a->system_str) + 1; /* space for existing string + space (" ") separator */ - if (enquote) - l += 2; /* space for two quotes */ - - /* build new system_str */ - newstr = (char *) malloc (l); - newstr[0] = '\0'; - check_malloc_return (newstr); - if (a->system_str) - { - strcpy (newstr, a->system_str); - strcat (newstr, " "); - } - if (enquote) - strcat (newstr, "\""); - strcat (newstr, str); - if (enquote) - strcat (newstr, "\""); - free (a->system_str); - a->system_str = newstr; - } -} - -static char * -argv_extract_cmd_name (const char *path) -{ - char *ret = NULL; - if (path) - { - char *path_cp = string_alloc(path, NULL); /* POSIX basename() implementaions may modify its arguments */ - const char *bn = basename (path_cp); - if (bn) - { - char *dot = NULL; - ret = string_alloc (bn, NULL); - dot = strrchr (ret, '.'); - if (dot) - *dot = '\0'; - free(path_cp); - if (ret[0] == '\0') - { - free(ret); - ret = NULL; - } - } - } - return ret; -} - -const char * -argv_system_str (const struct argv *a) -{ - return a->system_str; -} - -struct argv -argv_clone (const struct argv *a, const size_t headroom) -{ - struct argv r; - size_t i; - - argv_init (&r); - for (i = 0; i < headroom; ++i) - argv_append (&r, NULL); - if (a) - { - for (i = 0; i < a->argc; ++i) - argv_append (&r, string_alloc (a->argv[i], NULL)); - r.system_str = string_alloc (a->system_str, NULL); - } - return r; -} - -struct argv -argv_insert_head (const struct argv *a, const char *head) -{ - struct argv r; - char *s; - - r = argv_clone (a, 1); - r.argv[0] = string_alloc (head, NULL); - s = r.system_str; - r.system_str = string_alloc (head, NULL); - if (s) - { - argv_system_str_append (&r, s, false); - free (s); - } - return r; -} - -char * -argv_term (const char **f) -{ - const char *p = *f; - const char *term = NULL; - size_t termlen = 0; - - if (*p == '\0') - return NULL; - - while (true) - { - const int c = *p; - if (c == '\0') - break; - if (term) - { - if (!isspace (c)) - ++termlen; - else - break; - } - else - { - if (!isspace (c)) - { - term = p; - termlen = 1; - } - } - ++p; - } - *f = p; - - if (term) - { - char *ret; - ASSERT (termlen > 0); - ret = malloc (termlen + 1); - check_malloc_return (ret); - memcpy (ret, term, termlen); - ret[termlen] = '\0'; - return ret; - } - else - return NULL; -} - -const char * -argv_str (const struct argv *a, struct gc_arena *gc, const unsigned int flags) -{ - if (a->argv) - return print_argv ((const char **)a->argv, gc, flags); - else - return ""; -} - -void -argv_msg (const int msglev, const struct argv *a) -{ - struct gc_arena gc = gc_new (); - msg (msglev, "%s", argv_str (a, &gc, 0)); - gc_free (&gc); -} - -void -argv_msg_prefix (const int msglev, const struct argv *a, const char *prefix) -{ - struct gc_arena gc = gc_new (); - msg (msglev, "%s: %s", prefix, argv_str (a, &gc, 0)); - gc_free (&gc); -} - -void -argv_printf (struct argv *a, const char *format, ...) -{ - va_list arglist; - va_start (arglist, format); - argv_printf_arglist (a, format, 0, arglist); - va_end (arglist); - } - -void -argv_printf_cat (struct argv *a, const char *format, ...) -{ - va_list arglist; - va_start (arglist, format); - argv_printf_arglist (a, format, APA_CAT, arglist); - va_end (arglist); -} - -void -argv_printf_arglist (struct argv *a, const char *format, const unsigned int flags, va_list arglist) -{ - struct gc_arena gc = gc_new (); - char *term; - const char *f = format; - - if (!(flags & APA_CAT)) - argv_reset (a); - argv_extend (a, 1); /* ensure trailing NULL */ - - while ((term = argv_term (&f)) != NULL) - { - if (term[0] == '%') - { - if (!strcmp (term, "%s")) - { - char *s = va_arg (arglist, char *); - if (!s) - s = ""; - argv_append (a, string_alloc (s, NULL)); - argv_system_str_append (a, s, true); - } - else if (!strcmp (term, "%sc")) - { - char *s = va_arg (arglist, char *); - if (s) - { - int nparms; - char *parms[MAX_PARMS+1]; - int i; - - nparms = parse_line (s, parms, MAX_PARMS, "SCRIPT-ARGV", 0, D_ARGV_PARSE_CMD, &gc); - if (nparms) - { - for (i = 0; i < nparms; ++i) - argv_append (a, string_alloc (parms[i], NULL)); - } - else - argv_append (a, string_alloc (s, NULL)); - - argv_system_str_append (a, s, false); - } - else - { - argv_append (a, string_alloc ("", NULL)); - argv_system_str_append (a, "echo", false); - } - } - else if (!strcmp (term, "%d")) - { - char numstr[64]; - openvpn_snprintf (numstr, sizeof (numstr), "%d", va_arg (arglist, int)); - argv_append (a, string_alloc (numstr, NULL)); - argv_system_str_append (a, numstr, false); - } - else if (!strcmp (term, "%u")) - { - char numstr[64]; - openvpn_snprintf (numstr, sizeof (numstr), "%u", va_arg (arglist, unsigned int)); - argv_append (a, string_alloc (numstr, NULL)); - argv_system_str_append (a, numstr, false); - } - else if (!strcmp (term, "%s/%d")) - { - char numstr[64]; - char *s = va_arg (arglist, char *); - - if (!s) - s = ""; - - openvpn_snprintf (numstr, sizeof (numstr), "%d", va_arg (arglist, int)); - - { - const size_t len = strlen(s) + strlen(numstr) + 2; - char *combined = (char *) malloc (len); - check_malloc_return (combined); - - strcpy (combined, s); - strcat (combined, "/"); - strcat (combined, numstr); - argv_append (a, combined); - argv_system_str_append (a, combined, false); - } - } - else if (!strcmp (term, "%s%sc")) - { - char *s1 = va_arg (arglist, char *); - char *s2 = va_arg (arglist, char *); - char *combined; - char *cmd_name; - - if (!s1) s1 = ""; - if (!s2) s2 = ""; - combined = (char *) malloc (strlen(s1) + strlen(s2) + 1); - check_malloc_return (combined); - strcpy (combined, s1); - strcat (combined, s2); - argv_append (a, combined); - - cmd_name = argv_extract_cmd_name (combined); - if (cmd_name) - { - argv_system_str_append (a, cmd_name, false); - free (cmd_name); - } - } - else - ASSERT (0); - free (term); - } - else - { - argv_append (a, term); - argv_system_str_append (a, term, false); - } - } - gc_free (&gc); -} - -#ifdef ARGV_TEST -void -argv_test (void) -{ - struct gc_arena gc = gc_new (); - const char *s; - - struct argv a; - - argv_init (&a); - argv_printf (&a, "%sc foo bar %s", "c:\\\\src\\\\test\\\\jyargs.exe", "foo bar"); - argv_msg_prefix (M_INFO, &a, "ARGV"); - msg (M_INFO, "ARGV-S: %s", argv_system_str(&a)); - /*openvpn_execve_check (&a, NULL, 0, "command failed");*/ - - argv_printf (&a, "%sc %s %s", "c:\\\\src\\\\test files\\\\batargs.bat", "foo", "bar"); - argv_msg_prefix (M_INFO, &a, "ARGV"); - msg (M_INFO, "ARGV-S: %s", argv_system_str(&a)); - /*openvpn_execve_check (&a, NULL, 0, "command failed");*/ - - argv_printf (&a, "%s%sc foo bar %s %s/%d %d %u", "/foo", "/bar.exe", "one two", "1.2.3.4", 24, -69, 96); - argv_msg_prefix (M_INFO, &a, "ARGV"); - msg (M_INFO, "ARGV-S: %s", argv_system_str(&a)); - /*openvpn_execve_check (&a, NULL, 0, "command failed");*/ - - argv_printf (&a, "this is a %s test of int %d unsigned %u", "FOO", -69, 42); - s = argv_str (&a, &gc, PA_BRACKET); - printf ("PF: %s\n", s); - printf ("PF-S: %s\n", argv_system_str(&a)); - - { - struct argv b = argv_insert_head (&a, "MARK"); - s = argv_str (&b, &gc, PA_BRACKET); - printf ("PF: %s\n", s); - printf ("PF-S: %s\n", argv_system_str(&b)); - argv_reset (&b); - } - - argv_printf (&a, "%sc foo bar %d", "\"multi term\" command following \\\"spaces", 99); - s = argv_str (&a, &gc, PA_BRACKET); - printf ("PF: %s\n", s); - printf ("PF-S: %s\n", argv_system_str(&a)); - argv_reset (&a); - - s = argv_str (&a, &gc, PA_BRACKET); - printf ("PF: %s\n", s); - printf ("PF-S: %s\n", argv_system_str(&a)); - argv_reset (&a); - - argv_printf (&a, "foo bar %d", 99); - argv_printf_cat (&a, "bar %d foo %sc", 42, "nonesuch"); - argv_printf_cat (&a, "cool %s %d u %s/%d end", "frood", 4, "hello", 7); - s = argv_str (&a, &gc, PA_BRACKET); - printf ("PF: %s\n", s); - printf ("PF-S: %s\n", argv_system_str(&a)); - argv_reset (&a); - -#if 0 - { - char line[512]; - while (fgets (line, sizeof(line), stdin) != NULL) - { - char *term; - const char *f = line; - int i = 0; - - while ((term = argv_term (&f)) != NULL) - { - printf ("[%d] '%s'\n", i, term); - ++i; - free (term); - } - } - } -#endif - - argv_reset (&a); - gc_free (&gc); -} -#endif - -/* * Remove security-sensitive strings from control message * so that they will not be output to log file. */ @@ -2040,6 +1583,15 @@ sanitize_control_message(const char *src, struct gc_arena *gc) skip = 4; redact = true; } + else if (!check_debug_level(D_SHOW_KEYS) + && (c == 'a' && !strncmp(src, "auth-token ", 11))) + { + /* Unless --verb is 7 or higher (D_SHOW_KEYS), hide + * the auth-token value coming in the src string + */ + skip = 10; + redact = true; + } if (c == ',') /* end of redacted item? */ { @@ -2084,3 +1636,59 @@ compat_flag (unsigned int flag) return (compat_flags & (flag >> 1)); } + +#if P2MP_SERVER + +/* helper to parse peer_info received from multi client, validate + * (this is untrusted data) and put into environment + */ +bool +validate_peer_info_line(char *line) +{ + uint8_t c; + int state = 0; + while (*line) + { + c = *line; + switch (state) + { + case 0: + case 1: + if (c == '=' && state == 1) + state = 2; + else if (isalnum(c) || c == '_') + state = 1; + else + return false; + case 2: + /* after the '=', replace non-printable or shell meta with '_' */ + if (!isprint(c) || isspace(c) || + c == '$' || c == '(' || c == '`' ) + *line = '_'; + } + line++; + } + return (state == 2); +} + +void +output_peer_info_env (struct env_set *es, const char * peer_info) +{ + char line[256]; + struct buffer buf; + buf_set_read (&buf, (const uint8_t *) peer_info, strlen(peer_info)); + while (buf_parse (&buf, '\n', line, sizeof (line))) + { + chomp (line); + if (validate_peer_info_line(line) && + (strncmp(line, "IV_", 3) == 0 || strncmp(line, "UV_", 3) == 0) ) + { + msg (M_INFO, "peer info: %s", line); + env_set_add(es, line); + } + else + msg (M_WARN, "validation failed on peer_info line received from client"); + } +} + +#endif /* P2MP_SERVER */ diff --git a/src/openvpn/misc.h b/src/openvpn/misc.h index c1942b6..b8bbaa7 100644 --- a/src/openvpn/misc.h +++ b/src/openvpn/misc.h @@ -25,6 +25,7 @@ #ifndef MISC_H #define MISC_H +#include "argv.h" #include "basic.h" #include "common.h" #include "integer.h" @@ -37,14 +38,6 @@ /* forward declarations */ struct plugin_list; -/* used by argv_x functions */ -struct argv { - size_t capacity; - size_t argc; - char **argv; - char *system_str; -}; - /* * Handle environmental variable lists */ @@ -63,7 +56,7 @@ void run_up_down (const char *command, const struct plugin_list *plugins, int plugin_type, const char *arg, -#ifdef WIN32 +#ifdef _WIN32 DWORD adapter_index, #endif const char *dev_type, @@ -78,9 +71,6 @@ void run_up_down (const char *command, void write_pid (const char *filename); -/* check file protections */ -void warn_if_group_others_accessible(const char* filename); - /* system flags */ #define S_SCRIPT (1<<0) #define S_FATAL (1<<1) @@ -136,6 +126,12 @@ void setenv_str (struct env_set *es, const char *name, const char *value); void setenv_str_safe (struct env_set *es, const char *name, const char *value); void setenv_del (struct env_set *es, const char *name); +/** + * Store the supplied name value pair in the env_set. If the variable with the + * supplied name already exists, append _N to the name, starting at N=1. + */ +void setenv_str_incr(struct env_set *es, const char *name, const char *value); + void setenv_int_i (struct env_set *es, const char *name, const int value, const int i); void setenv_str_i (struct env_set *es, const char *name, const char *value, const int i); @@ -145,6 +141,7 @@ struct env_set *env_set_create (struct gc_arena *gc); void env_set_destroy (struct env_set *es); bool env_set_del (struct env_set *es, const char *str); void env_set_add (struct env_set *es, const char *str); +const char* env_set_get (const struct env_set *es, const char *name); void env_set_print (int msglevel, const struct env_set *es); @@ -162,10 +159,6 @@ const char **make_env_array (const struct env_set *es, const char **make_arg_array (const char *first, const char *parms, struct gc_arena *gc); const char **make_extended_arg_array (char **p, struct gc_arena *gc); -/* convert netmasks for iproute2 */ -int count_netmask_bits(const char *); -unsigned int count_bits(unsigned int ); - /* an analogue to the random() function, but use OpenSSL functions if available */ #ifdef ENABLE_CRYPTO long int get_random(void); @@ -253,6 +246,8 @@ struct static_challenge_info {}; #define GET_USER_PASS_STATIC_CHALLENGE (1<<8) /* SCRV1 protocol -- static challenge */ #define GET_USER_PASS_STATIC_CHALLENGE_ECHO (1<<9) /* SCRV1 protocol -- echo response */ +#define GET_USER_PASS_INLINE_CREDS (1<<10) /* indicates that auth_file is actually inline creds */ + bool get_user_pass_cr (struct user_pass *up, const char *auth_file, const char *prefix, @@ -320,49 +315,17 @@ extern int script_security; /* GLOBAL */ /* return the next largest power of 2 */ size_t adjust_power_of_2 (size_t u); -/* - * A printf-like function (that only recognizes a subset of standard printf - * format operators) that prints arguments to an argv list instead - * of a standard string. This is used to build up argv arrays for passing - * to execve. - */ -void argv_init (struct argv *a); -struct argv argv_new (void); -void argv_reset (struct argv *a); -char *argv_term (const char **f); -const char *argv_str (const struct argv *a, struct gc_arena *gc, const unsigned int flags); -struct argv argv_insert_head (const struct argv *a, const char *head); -void argv_msg (const int msglev, const struct argv *a); -void argv_msg_prefix (const int msglev, const struct argv *a, const char *prefix); -const char *argv_system_str (const struct argv *a); - -#define APA_CAT (1<<0) /* concatentate onto existing struct argv list */ -void argv_printf_arglist (struct argv *a, const char *format, const unsigned int flags, va_list arglist); - -void argv_printf (struct argv *a, const char *format, ...) -#ifdef __GNUC__ -#if __USE_MINGW_ANSI_STDIO - __attribute__ ((format (gnu_printf, 2, 3))) -#else - __attribute__ ((format (__printf__, 2, 3))) -#endif -#endif - ; - -void argv_printf_cat (struct argv *a, const char *format, ...) -#ifdef __GNUC__ -#if __USE_MINGW_ANSI_STDIO - __attribute__ ((format (gnu_printf, 2, 3))) -#else - __attribute__ ((format (__printf__, 2, 3))) -#endif -#endif - ; - #define COMPAT_FLAG_QUERY 0 /** compat_flags operator: Query for a flag */ #define COMPAT_FLAG_SET (1<<0) /** compat_flags operator: Set a compat flag */ #define COMPAT_NAMES (1<<1) /** compat flag: --compat-names set */ #define COMPAT_NO_NAME_REMAPPING (1<<2) /** compat flag: --compat-names without char remapping */ bool compat_flag (unsigned int flag); +#if P2MP_SERVER +/* helper to parse peer_info received from multi client, validate + * (this is untrusted data) and put into environment */ +bool validate_peer_info_line(char *line); +void output_peer_info_env (struct env_set *es, const char * peer_info); +#endif /* P2MP_SERVER */ + #endif diff --git a/src/openvpn/mroute.c b/src/openvpn/mroute.c index 850e336..c905af7 100644 --- a/src/openvpn/mroute.c +++ b/src/openvpn/mroute.c @@ -58,7 +58,8 @@ is_mac_mcast_addr (const uint8_t *mac) static inline bool is_mac_mcast_maddr (const struct mroute_addr *addr) { - return (addr->type & MR_ADDR_MASK) == MR_ADDR_ETHER && is_mac_mcast_addr (addr->addr); + return (addr->type & MR_ADDR_MASK) == MR_ADDR_ETHER && + is_mac_mcast_addr (addr->eth_addr); } /* @@ -73,7 +74,7 @@ mroute_learnable_address (const struct mroute_addr *addr) for (i = 0; i < addr->len; ++i) { - int b = addr->addr[i]; + int b = addr->raw_addr[i]; if (b != 0x00) not_all_zeros = true; if (b != 0xFF) @@ -90,7 +91,7 @@ mroute_get_in_addr_t (struct mroute_addr *ma, const in_addr_t src, unsigned int ma->type = MR_ADDR_IPV4 | mask; ma->netbits = 0; ma->len = 4; - *(in_addr_t*)ma->addr = src; + ma->v4.addr = src; } } @@ -102,7 +103,7 @@ mroute_get_in6_addr (struct mroute_addr *ma, const struct in6_addr src, unsigned ma->type = MR_ADDR_IPV6 | mask; ma->netbits = 0; ma->len = 16; - *(struct in6_addr *)ma->addr = src; + ma->v6.addr = src; } } @@ -226,14 +227,14 @@ mroute_extract_addr_ether (struct mroute_addr *src, src->type = MR_ADDR_ETHER; src->netbits = 0; src->len = 6; - memcpy (src->addr, eth->source, 6); + memcpy (src->eth_addr, eth->source, sizeof(dest->eth_addr)); } if (dest) { dest->type = MR_ADDR_ETHER; dest->netbits = 0; dest->len = 6; - memcpy (dest->addr, eth->dest, 6); + memcpy (dest->eth_addr, eth->dest, sizeof(dest->eth_addr)); /* ethernet broadcast/multicast packet? */ if (is_mac_mcast_addr (eth->dest)) @@ -281,15 +282,15 @@ bool mroute_extract_openvpn_sockaddr (struct mroute_addr *addr, addr->type = MR_ADDR_IPV4 | MR_WITH_PORT; addr->netbits = 0; addr->len = 6; - memcpy (addr->addr, &osaddr->addr.in4.sin_addr.s_addr, 4); - memcpy (addr->addr + 4, &osaddr->addr.in4.sin_port, 2); + addr->v4.addr = osaddr->addr.in4.sin_addr.s_addr; + addr->v4.port = osaddr->addr.in4.sin_port; } else { addr->type = MR_ADDR_IPV4; addr->netbits = 0; addr->len = 4; - memcpy (addr->addr, &osaddr->addr.in4.sin_addr.s_addr, 4); + addr->v4.addr = osaddr->addr.in4.sin_addr.s_addr; } return true; } @@ -299,15 +300,15 @@ bool mroute_extract_openvpn_sockaddr (struct mroute_addr *addr, addr->type = MR_ADDR_IPV6 | MR_WITH_PORT; addr->netbits = 0; addr->len = 18; - memcpy (addr->addr, &osaddr->addr.in6.sin6_addr, 16); - memcpy (addr->addr + 16, &osaddr->addr.in6.sin6_port, 2); + addr->v6.addr = osaddr->addr.in6.sin6_addr; + addr->v6.port = osaddr->addr.in6.sin6_port; } else { addr->type = MR_ADDR_IPV6; addr->netbits = 0; addr->len = 16; - memcpy (addr->addr, &osaddr->addr.in6.sin6_addr, 16); + addr->v6.addr = osaddr->addr.in6.sin6_addr; } return true; } @@ -326,23 +327,29 @@ bool mroute_extract_openvpn_sockaddr (struct mroute_addr *addr, void mroute_addr_mask_host_bits (struct mroute_addr *ma) { - in_addr_t addr = ntohl(*(in_addr_t*)ma->addr); if ((ma->type & MR_ADDR_MASK) == MR_ADDR_IPV4) { + in_addr_t addr = ntohl (ma->v4.addr); addr &= netbits_to_netmask (ma->netbits); - *(in_addr_t*)ma->addr = htonl (addr); + ma->v4.addr = htonl (addr); } else if ((ma->type & MR_ADDR_MASK) == MR_ADDR_IPV6) { - int byte = ma->len-1; /* rightmost byte in address */ + int byte = sizeof (ma->v6.addr) - 1; /* rightmost byte in address */ int bits_to_clear = 128 - ma->netbits; while( byte >= 0 && bits_to_clear > 0 ) { if ( bits_to_clear >= 8 ) - { ma->addr[byte--] = 0; bits_to_clear -= 8; } + { + ma->v6.addr.s6_addr[byte--] = 0; + bits_to_clear -= 8; + } else - { ma->addr[byte--] &= (IPV4_NETMASK_HOST << bits_to_clear); bits_to_clear = 0; } + { + ma->v6.addr.s6_addr[byte--] &= (IPV4_NETMASK_HOST << bits_to_clear); + bits_to_clear = 0; + } } ASSERT( bits_to_clear == 0 ); } @@ -390,44 +397,42 @@ mroute_addr_print_ex (const struct mroute_addr *ma, switch (maddr.type & MR_ADDR_MASK) { case MR_ADDR_ETHER: - buf_printf (&out, "%s", format_hex_ex (ma->addr, 6, 0, 1, ":", gc)); + buf_printf (&out, "%s", format_hex_ex (ma->eth_addr, + sizeof(ma->eth_addr), 0, 1, ":", gc)); break; case MR_ADDR_IPV4: { - struct buffer buf; - in_addr_t addr; - int port; - bool status; - buf_set_read (&buf, maddr.addr, maddr.len); - addr = buf_read_u32 (&buf, &status); - if (status) + if ((flags & MAPF_SHOW_ARP) && (maddr.type & MR_ARP)) + buf_printf (&out, "ARP/"); + buf_printf (&out, "%s", print_in_addr_t (ntohl (maddr.v4.addr), + (flags & MAPF_IA_EMPTY_IF_UNDEF) ? IA_EMPTY_IF_UNDEF : 0, gc)); + if (maddr.type & MR_WITH_NETBITS) { - if ((flags & MAPF_SHOW_ARP) && (maddr.type & MR_ARP)) - buf_printf (&out, "ARP/"); - buf_printf (&out, "%s", print_in_addr_t (addr, (flags & MAPF_IA_EMPTY_IF_UNDEF) ? IA_EMPTY_IF_UNDEF : 0, gc)); - if (maddr.type & MR_WITH_NETBITS) + if (flags & MAPF_SUBNET) { - if (flags & MAPF_SUBNET) - { - const in_addr_t netmask = netbits_to_netmask (maddr.netbits); - buf_printf (&out, "/%s", print_in_addr_t (netmask, 0, gc)); - } - else - buf_printf (&out, "/%d", maddr.netbits); + const in_addr_t netmask = netbits_to_netmask (maddr.netbits); + buf_printf (&out, "/%s", print_in_addr_t (netmask, 0, gc)); } + else + buf_printf (&out, "/%d", maddr.netbits); } if (maddr.type & MR_WITH_PORT) { - port = buf_read_u16 (&buf); - if (port >= 0) - buf_printf (&out, ":%d", port); + buf_printf (&out, ":%d", ntohs (maddr.v4.port)); } } break; case MR_ADDR_IPV6: { - buf_printf (&out, "%s", - print_in6_addr( *(struct in6_addr*)&maddr.addr, 0, gc)); + if ( IN6_IS_ADDR_V4MAPPED( &maddr.v6.addr ) ) + { + buf_printf (&out, "%s", print_in_addr_t (maddr.v4mappedv6.addr, + IA_NET_ORDER, gc)); + } + else + { + buf_printf (&out, "%s", print_in6_addr (maddr.v6.addr, 0, gc)); + } if (maddr.type & MR_WITH_NETBITS) { buf_printf (&out, "/%d", maddr.netbits); @@ -487,62 +492,28 @@ mroute_helper_regenerate (struct mroute_helper *mh) } void -mroute_helper_add_iroute (struct mroute_helper *mh, const struct iroute *ir) -{ - if (ir->netbits >= 0) - { - ASSERT (ir->netbits < MR_HELPER_NET_LEN); - ++mh->cache_generation; - ++mh->net_len_refcount[ir->netbits]; - if (mh->net_len_refcount[ir->netbits] == 1) - mroute_helper_regenerate (mh); - } -} - -void -mroute_helper_del_iroute (struct mroute_helper *mh, const struct iroute *ir) -{ - if (ir->netbits >= 0) - { - ASSERT (ir->netbits < MR_HELPER_NET_LEN); - ++mh->cache_generation; - --mh->net_len_refcount[ir->netbits]; - ASSERT (mh->net_len_refcount[ir->netbits] >= 0); - if (!mh->net_len_refcount[ir->netbits]) - mroute_helper_regenerate (mh); - } -} - -/* this is a bit inelegant, we really should have a helper to that - * is only passed the netbits value, and not the whole struct iroute * - * - thus one helper could do IPv4 and IPv6. For the sake of "not change - * code unrelated to IPv4" this is left for later cleanup, for now. - */ -void -mroute_helper_add_iroute6 (struct mroute_helper *mh, - const struct iroute_ipv6 *ir6) +mroute_helper_add_iroute46 (struct mroute_helper *mh, int netbits) { - if (ir6->netbits >= 0) + if (netbits >= 0) { - ASSERT (ir6->netbits < MR_HELPER_NET_LEN); + ASSERT (netbits < MR_HELPER_NET_LEN); ++mh->cache_generation; - ++mh->net_len_refcount[ir6->netbits]; - if (mh->net_len_refcount[ir6->netbits] == 1) + ++mh->net_len_refcount[netbits]; + if (mh->net_len_refcount[netbits] == 1) mroute_helper_regenerate (mh); } } void -mroute_helper_del_iroute6 (struct mroute_helper *mh, - const struct iroute_ipv6 *ir6) +mroute_helper_del_iroute46 (struct mroute_helper *mh, int netbits) { - if (ir6->netbits >= 0) + if (netbits >= 0) { - ASSERT (ir6->netbits < MR_HELPER_NET_LEN); + ASSERT (netbits < MR_HELPER_NET_LEN); ++mh->cache_generation; - --mh->net_len_refcount[ir6->netbits]; - ASSERT (mh->net_len_refcount[ir6->netbits] >= 0); - if (!mh->net_len_refcount[ir6->netbits]) + --mh->net_len_refcount[netbits]; + ASSERT (mh->net_len_refcount[netbits] >= 0); + if (!mh->net_len_refcount[netbits]) mroute_helper_regenerate (mh); } } diff --git a/src/openvpn/mroute.h b/src/openvpn/mroute.h index b72b5ff..8f7a064 100644 --- a/src/openvpn/mroute.h +++ b/src/openvpn/mroute.h @@ -31,6 +31,8 @@ #include "list.h" #include "route.h" +#include <stddef.h> + #define IP_MCAST_SUBNET_MASK ((in_addr_t)240<<24) #define IP_MCAST_NETWORK ((in_addr_t)224<<24) @@ -79,9 +81,45 @@ struct mroute_addr { uint8_t type; /* MR_ADDR/MR_WITH flags */ uint8_t netbits; /* number of bits in network part of address, valid if MR_WITH_NETBITS is set */ - uint8_t addr[MR_MAX_ADDR_LEN]; /* actual address */ + union { + uint8_t raw_addr[MR_MAX_ADDR_LEN]; /* actual address */ + uint8_t eth_addr[OPENVPN_ETH_ALEN]; + struct { + in_addr_t addr; /* _network order_ IPv4 address */ + in_port_t port; /* _network order_ TCP/UDP port */ + } v4; + struct { + struct in6_addr addr; + in_port_t port; /* _network order_ TCP/UDP port */ + } v6; + struct { + uint8_t prefix[12]; + in_addr_t addr; /* _network order_ IPv4 address */ + } v4mappedv6; + } +#ifndef HAVE_ANONYMOUS_UNION_SUPPORT +/* Wrappers to support compilers that do not grok anonymous unions */ + mroute_union +#define raw_addr mroute_union.raw_addr +#define eth_addr mroute_union.eth_addr +#define v4 mroute_union.v4 +#define v6 mroute_union.v6 +#define v4mappedv6 mroute_union.v4mappedv6 +#endif + ; }; +/* Double-check that struct packing works as expected */ +static_assert (offsetof(struct mroute_addr, v4.port) == + offsetof(struct mroute_addr, v4) + 4, + "Unexpected struct packing of v4"); +static_assert (offsetof(struct mroute_addr, v6.port) == + offsetof(struct mroute_addr, v6) + 16, + "Unexpected struct packing of v6"); +static_assert (offsetof(struct mroute_addr, v4mappedv6.addr) == + offsetof(struct mroute_addr, v4mappedv6) + 12, + "Unexpected struct packing of v4mappedv6"); + /* * Number of bits in an address. Should be raised for IPv6. */ @@ -125,10 +163,8 @@ void mroute_addr_mask_host_bits (struct mroute_addr *ma); struct mroute_helper *mroute_helper_init (int ageable_ttl_secs); void mroute_helper_free (struct mroute_helper *mh); -void mroute_helper_add_iroute (struct mroute_helper *mh, const struct iroute *ir); -void mroute_helper_del_iroute (struct mroute_helper *mh, const struct iroute *ir); -void mroute_helper_add_iroute6 (struct mroute_helper *mh, const struct iroute_ipv6 *ir6); -void mroute_helper_del_iroute6 (struct mroute_helper *mh, const struct iroute_ipv6 *ir6); +void mroute_helper_add_iroute46 (struct mroute_helper *mh, int netbits); +void mroute_helper_del_iroute46 (struct mroute_helper *mh, int netbits); /* * Given a raw packet in buf, return the src and dest @@ -169,7 +205,7 @@ mroute_addr_equal (const struct mroute_addr *a1, const struct mroute_addr *a2) return false; if (a1->len != a2->len) return false; - return memcmp (a1->addr, a2->addr, a1->len) == 0; + return memcmp (a1->raw_addr, a2->raw_addr, a1->len) == 0; } static inline const uint8_t * @@ -191,16 +227,17 @@ mroute_extract_in_addr_t (struct mroute_addr *dest, const in_addr_t src) dest->type = MR_ADDR_IPV4; dest->netbits = 0; dest->len = 4; - *(in_addr_t*)dest->addr = htonl (src); + dest->v4.addr = htonl (src); } static inline in_addr_t in_addr_t_from_mroute_addr (const struct mroute_addr *addr) { - if ((addr->type & MR_ADDR_MASK) == MR_ADDR_IPV4 && addr->netbits == 0 && addr->len == 4) - return ntohl(*(in_addr_t*)addr->addr); - else + if ((addr->type & MR_ADDR_MASK) == MR_ADDR_IPV4 && addr->netbits == 0 && addr->len == 4) { + return ntohl(addr->v4.addr); + } else { return 0; + } } static inline void diff --git a/src/openvpn/mtcp.c b/src/openvpn/mtcp.c index dc15f09..78e5ccd 100644 --- a/src/openvpn/mtcp.c +++ b/src/openvpn/mtcp.c @@ -37,6 +37,10 @@ #include "memdbg.h" +#ifdef HAVE_SYS_INOTIFY_H +#include <sys/inotify.h> +#endif + /* * TCP States */ @@ -62,6 +66,10 @@ # define MTCP_MANAGEMENT ((void*)4) #endif +#ifdef ENABLE_ASYNC_PUSH +#define MTCP_FILE_CLOSE_WRITE ((void*)5) +#endif + #define MTCP_N ((void*)16) /* upper bound on MTCP_x */ struct ta_iow_flags @@ -245,6 +253,12 @@ multi_tcp_wait (const struct context *c, if (management) management_socket_set (management, mtcp->es, MTCP_MANAGEMENT, &mtcp->management_persist_flags); #endif + +#ifdef ENABLE_ASYNC_PUSH + /* arm inotify watcher */ + event_ctl (mtcp->es, c->c2.inotify_fd, EVENT_READ, MTCP_FILE_CLOSE_WRITE); +#endif + status = event_wait (mtcp->es, &c->c2.timeval, mtcp->esr, mtcp->maxevents); update_time (); mtcp->n_esr = 0; @@ -636,6 +650,12 @@ multi_tcp_process_io (struct multi_context *m) { get_signal (&m->top.sig->signal_received); } +#ifdef ENABLE_ASYNC_PUSH + else if (e->arg == MTCP_FILE_CLOSE_WRITE) + { + multi_process_file_closed (m, MPP_PRE_SELECT | MPP_RECORD_TOUCH); + } +#endif } if (IS_SIG (&m->top)) break; @@ -676,7 +696,7 @@ tunnel_server_tcp (struct context *top) multi_init (&multi, top, true, MC_SINGLE_THREADED); /* initialize our cloned top object */ - multi_top_init (&multi, top, true); + multi_top_init (&multi, top); /* initialize management interface */ init_management_callback_multi (&multi); @@ -684,6 +704,14 @@ tunnel_server_tcp (struct context *top) /* finished with initialization */ initialization_sequence_completed (top, ISC_SERVER); /* --mode server --proto tcp-server */ +#ifdef ENABLE_ASYNC_PUSH + multi.top.c2.inotify_fd = inotify_init(); + if (multi.top.c2.inotify_fd < 0) + { + msg (D_MULTI_ERRORS, "MULTI: inotify_init error: %s", strerror(errno)); + } +#endif + /* per-packet event loop */ while (true) { @@ -712,6 +740,10 @@ tunnel_server_tcp (struct context *top) perf_pop (); } +#ifdef ENABLE_ASYNC_PUSH + close(top->c2.inotify_fd); +#endif + /* shut down management interface */ uninit_management_callback_multi (&multi); diff --git a/src/openvpn/mtu.c b/src/openvpn/mtu.c index 13f3f6c..8cbaa86 100644 --- a/src/openvpn/mtu.c +++ b/src/openvpn/mtu.c @@ -35,6 +35,7 @@ #include "error.h" #include "integer.h" #include "mtu.h" +#include "options.h" #include "memdbg.h" @@ -78,8 +79,6 @@ frame_finalize (struct frame *frame, } frame->link_mtu_dynamic = frame->link_mtu; - - frame->extra_buffer += PAYLOAD_ALIGN; } /* @@ -127,6 +126,15 @@ frame_subtract_extra (struct frame *frame, const struct frame *src) } void +frame_init_mssfix (struct frame *frame, const struct options *options) +{ + if (options->ce.mssfix) + { + frame_set_mtu_dynamic (frame, options->ce.mssfix, SET_MTU_UPPER_BOUND); + } +} + +void frame_print (const struct frame *frame, int level, const char *prefix) @@ -153,18 +161,32 @@ frame_print (const struct frame *frame, #define MTUDISC_NOT_SUPPORTED_MSG "--mtu-disc is not supported on this OS" void -set_mtu_discover_type (int sd, int mtu_type) +set_mtu_discover_type (int sd, int mtu_type, sa_family_t proto_af) { if (mtu_type >= 0) { -#if defined(HAVE_SETSOCKOPT) && defined(SOL_IP) && defined(IP_MTU_DISCOVER) - if (setsockopt - (sd, SOL_IP, IP_MTU_DISCOVER, &mtu_type, sizeof (mtu_type))) - msg (M_ERR, "Error setting IP_MTU_DISCOVER type=%d on TCP/UDP socket", - mtu_type); -#else - msg (M_FATAL, MTUDISC_NOT_SUPPORTED_MSG); + switch (proto_af) + { +#if defined(HAVE_SETSOCKOPT) && defined(IP_MTU_DISCOVER) + case AF_INET: + if (setsockopt + (sd, IPPROTO_IP, IP_MTU_DISCOVER, &mtu_type, sizeof (mtu_type))) + msg (M_ERR, "Error setting IP_MTU_DISCOVER type=%d on TCP/UDP socket", + mtu_type); + break; +#endif +#if defined(HAVE_SETSOCKOPT) && defined(IPV6_MTU_DISCOVER) + case AF_INET6: + if (setsockopt + (sd, IPPROTO_IPV6, IPV6_MTU_DISCOVER, &mtu_type, sizeof (mtu_type))) + msg (M_ERR, "Error setting IPV6_MTU_DISCOVER type=%d on TCP6/UDP6 socket", + mtu_type); + break; #endif + default: + msg (M_FATAL, MTUDISC_NOT_SUPPORTED_MSG); + break; + } } } @@ -288,7 +310,7 @@ void set_sock_extended_error_passing (int sd) { int on = 1; - if (setsockopt (sd, SOL_IP, IP_RECVERR, &on, sizeof (on))) + if (setsockopt (sd, SOL_IP, IP_RECVERR, (void *) &on, sizeof (on))) msg (M_WARN | M_ERRNO, "Note: enable extended error passing on TCP/UDP socket failed (IP_RECVERR)"); } diff --git a/src/openvpn/mtu.h b/src/openvpn/mtu.h index bccd681..0320545 100644 --- a/src/openvpn/mtu.h +++ b/src/openvpn/mtu.h @@ -135,6 +135,9 @@ struct frame { int align_adjust; }; +/* Forward declarations, to prevent includes */ +struct options; + /* Routines which read struct frame should use the macros below */ /* @@ -207,7 +210,7 @@ void frame_print (const struct frame *frame, int level, const char *prefix); -void set_mtu_discover_type (int sd, int mtu_type); +void set_mtu_discover_type (int sd, int mtu_type, sa_family_t proto_af); int translate_mtu_discover_type_name (const char *name); /* @@ -227,6 +230,9 @@ void alloc_buf_sock_tun (struct buffer *buf, const bool tuntap_buffer, const unsigned int align_mask); +/** Set the --mssfix option. */ +void frame_init_mssfix (struct frame *frame, const struct options *options); + /* * EXTENDED_SOCKET_ERROR_CAPABILITY functions -- print extra error info * on socket errors, such as PMTU size. As of 2003.05.11, only works diff --git a/src/openvpn/mudp.c b/src/openvpn/mudp.c index 3468dab..fec5e8d 100644 --- a/src/openvpn/mudp.c +++ b/src/openvpn/mudp.c @@ -33,10 +33,15 @@ #if P2MP_SERVER #include "multi.h" +#include <inttypes.h> #include "forward-inline.h" #include "memdbg.h" +#ifdef HAVE_SYS_INOTIFY_H +#include <sys/inotify.h> +#endif + /* * Get a client instance based on real address. If * the instance doesn't exist, create it while @@ -44,26 +49,54 @@ */ struct multi_instance * -multi_get_create_instance_udp (struct multi_context *m) +multi_get_create_instance_udp (struct multi_context *m, bool *floated) { struct gc_arena gc = gc_new (); struct mroute_addr real; struct multi_instance *mi = NULL; struct hash *hash = m->hash; - if (mroute_extract_openvpn_sockaddr (&real, &m->top.c2.from.dest, true)) + if (mroute_extract_openvpn_sockaddr (&real, &m->top.c2.from.dest, true) && + m->top.c2.buf.len > 0) { struct hash_element *he; const uint32_t hv = hash_value (hash, &real); struct hash_bucket *bucket = hash_bucket (hash, hv); - - he = hash_lookup_fast (hash, bucket, &real, hv); + uint8_t* ptr = BPTR(&m->top.c2.buf); + uint8_t op = ptr[0] >> P_OPCODE_SHIFT; + bool v2 = (op == P_DATA_V2) && (m->top.c2.buf.len >= (1 + 3)); + bool peer_id_disabled = false; - if (he) + /* make sure buffer has enough length to read opcode (1 byte) and peer-id (3 bytes) */ + if (v2) { - mi = (struct multi_instance *) he->value; + uint32_t peer_id = ntohl(*(uint32_t*)ptr) & 0xFFFFFF; + peer_id_disabled = (peer_id == MAX_PEER_ID); + + if (!peer_id_disabled && (peer_id < m->max_clients) && (m->instances[peer_id])) + { + mi = m->instances[peer_id]; + + *floated = !link_socket_actual_match(&mi->context.c2.from, &m->top.c2.from); + + if (*floated) + { + /* reset prefix, since here we are not sure peer is the one it claims to be */ + ungenerate_prefix(mi); + msg (D_MULTI_MEDIUM, "Float requested for peer %" PRIu32 " to %s", peer_id, + mroute_addr_print (&real, &gc)); + } + } } - else + if (!v2 || peer_id_disabled) + { + he = hash_lookup_fast (hash, bucket, &real, hv); + if (he) + { + mi = (struct multi_instance *) he->value; + } + } + if (!mi) { if (!m->top.c2.tls_auth_standalone || tls_pre_decrypt_lite (m->top.c2.tls_auth_standalone, &m->top.c2.from, &m->top.c2.buf)) @@ -73,8 +106,27 @@ multi_get_create_instance_udp (struct multi_context *m) mi = multi_create_instance (m, &real); if (mi) { + int i; + hash_add_fast (hash, bucket, &mi->real, hv, mi); mi->did_real_hash = true; + + /* max_clients must be less then max peer-id value */ + ASSERT(m->max_clients < MAX_PEER_ID); + + for (i = 0; i < m->max_clients; ++i) + { + if (!m->instances[i]) + { + mi->context.c2.tls_multi->peer_id = i; + m->instances[i] = mi; + break; + } + } + + /* should not really end up here, since multi_create_instance returns null + * if amount of clients exceeds max_clients */ + ASSERT(i < m->max_clients); } } else @@ -89,15 +141,8 @@ multi_get_create_instance_udp (struct multi_context *m) #ifdef ENABLE_DEBUG if (check_debug_level (D_MULTI_DEBUG)) { - const char *status; - - if (he && mi) - status = "[succeeded]"; - else if (!he && mi) - status = "[created]"; - else - status = "[failed]"; - + const char *status = mi ? "[ok]" : "[failed]"; + dmsg (D_MULTI_DEBUG, "GET INST BY REAL: %s %s", mroute_addr_print (&real, &gc), status); @@ -143,6 +188,10 @@ multi_process_io_udp (struct multi_context *m) strcat (buf, "TR/"); else if (status & TUN_WRITE) strcat (buf, "TW/"); +#ifdef ENABLE_ASYNC_PUSH + else if (status & FILE_CLOSED) + strcat (buf, "FC/"); +#endif printf ("IO %s\n", buf); #endif @@ -168,7 +217,6 @@ multi_process_io_udp (struct multi_context *m) else if (status & SOCKET_READ) { read_incoming_link (&m->top); - multi_release_io_lock (m); if (!IS_SIG (&m->top)) multi_process_incoming_link (m, NULL, mpp_flags); } @@ -176,10 +224,16 @@ multi_process_io_udp (struct multi_context *m) else if (status & TUN_READ) { read_incoming_tun (&m->top); - multi_release_io_lock (m); if (!IS_SIG (&m->top)) multi_process_incoming_tun (m, mpp_flags); } +#ifdef ENABLE_ASYNC_PUSH + /* INOTIFY callback */ + else if (status & FILE_CLOSED) + { + multi_process_file_closed(m, mpp_flags); + } +#endif } /* @@ -234,7 +288,7 @@ tunnel_server_udp_single_threaded (struct context *top) multi_init (&multi, top, false, MC_SINGLE_THREADED); /* initialize our cloned top object */ - multi_top_init (&multi, top, true); + multi_top_init (&multi, top); /* initialize management interface */ init_management_callback_multi (&multi); @@ -242,6 +296,14 @@ tunnel_server_udp_single_threaded (struct context *top) /* finished with initialization */ initialization_sequence_completed (top, ISC_SERVER); /* --mode server --proto udp */ +#ifdef ENABLE_ASYNC_PUSH + multi.top.c2.inotify_fd = inotify_init(); + if (multi.top.c2.inotify_fd < 0) + { + msg (D_MULTI_ERRORS, "MULTI: inotify_init error: %s", strerror(errno)); + } +#endif + /* per-packet event loop */ while (true) { @@ -270,6 +332,10 @@ tunnel_server_udp_single_threaded (struct context *top) perf_pop (); } +#ifdef ENABLE_ASYNC_PUSH + close(top->c2.inotify_fd); +#endif + /* shut down management interface */ uninit_management_callback_multi (&multi); diff --git a/src/openvpn/mudp.h b/src/openvpn/mudp.h index 97f961b..1f15d9d 100644 --- a/src/openvpn/mudp.h +++ b/src/openvpn/mudp.h @@ -65,7 +65,7 @@ void tunnel_server_udp (struct context *top); * packet's source address or if one was a newly created successfully. * NULL if one did not yet exist and a new one was not created. */ -struct multi_instance *multi_get_create_instance_udp (struct multi_context *m); +struct multi_instance *multi_get_create_instance_udp (struct multi_context *m, bool *floated); #endif #endif diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index 577c5d3..8f3d34e 100644 --- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c @@ -28,6 +28,11 @@ #include "config-msvc.h" #endif +#ifdef HAVE_SYS_INOTIFY_H +#include <sys/inotify.h> +#define INOTIFY_EVENT_BUFFER_SIZE 16384 +#endif + #include "syshead.h" #if P2MP_SERVER @@ -38,6 +43,8 @@ #include "otime.h" #include "gremlin.h" #include "mstats.h" +#include "ssl_verify.h" +#include <inttypes.h> #include "memdbg.h" @@ -119,10 +126,8 @@ learn_address_script (const struct multi_context *m, { struct argv argv = argv_new (); setenv_str (es, "script_type", "learn-address"); - argv_printf (&argv, "%sc %s %s", - m->top.options.learn_address_script, - op, - mroute_addr_print (addr, &gc)); + argv_parse_cmd (&argv, m->top.options.learn_address_script); + argv_printf_cat (&argv, "%s %s", op, mroute_addr_print (addr, &gc)); if (mi) argv_printf_cat (&argv, "%s", tls_common_name (mi->context.c2.tls_multi, false)); if (!openvpn_run_script (&argv, es, 0, "--learn-address")) @@ -241,6 +246,23 @@ cid_compare_function (const void *key1, const void *key2) #endif +#ifdef ENABLE_ASYNC_PUSH +static uint32_t +/* + * inotify watcher descriptors are used as hash value + */ +int_hash_function (const void *key, uint32_t iv) +{ + return (unsigned long)key; +} + +static bool +int_compare_function (const void *key1, const void *key2) +{ + return (unsigned long)key1 == (unsigned long)key2; +} +#endif + /* * Main initialization function, init multi_context object. */ @@ -302,6 +324,17 @@ multi_init (struct multi_context *m, struct context *t, bool tcp_mode, int threa cid_compare_function); #endif +#ifdef ENABLE_ASYNC_PUSH + /* + * Mapping between inotify watch descriptors and + * multi_instances. + */ + m->inotify_watchers = hash_init (t->options.real_hash_size, + get_random(), + int_hash_function, + int_compare_function); +#endif + /* * This is our scheduler, for time-based wakeup * events. @@ -372,6 +405,8 @@ multi_init (struct multi_context *m, struct context *t, bool tcp_mode, int threa */ m->max_clients = t->options.max_clients; + m->instances = calloc(m->max_clients, sizeof(struct multi_instance*)); + /* * Initialize multi-socket TCP I/O wait object */ @@ -392,6 +427,8 @@ multi_init (struct multi_context *m, struct context *t, bool tcp_mode, int threa t->options.stale_routes_check_interval, t->options.stale_routes_ageing_time); event_timeout_init (&m->stale_routes_check_et, t->options.stale_routes_check_interval, 0); } + + m->deferred_shutdown_signal.signal_received = 0; } const char * @@ -399,7 +436,7 @@ multi_instance_string (const struct multi_instance *mi, bool null, struct gc_are { if (mi) { - struct buffer out = alloc_buf_gc (256, gc); + struct buffer out = alloc_buf_gc (MULTI_PREFIX_MAX_LENGTH, gc); const char *cn = tls_common_name (mi->context.c2.tls_multi, true); if (cn) @@ -416,21 +453,27 @@ multi_instance_string (const struct multi_instance *mi, bool null, struct gc_are void generate_prefix (struct multi_instance *mi) { - mi->msg_prefix = multi_instance_string (mi, true, &mi->gc); + struct gc_arena gc = gc_new(); + const char *prefix = multi_instance_string (mi, true, &gc); + if (prefix) + strncpynt(mi->msg_prefix, prefix, sizeof(mi->msg_prefix)); + else + mi->msg_prefix[0] = '\0'; set_prefix (mi); + gc_free(&gc); } void ungenerate_prefix (struct multi_instance *mi) { - mi->msg_prefix = NULL; + mi->msg_prefix[0] = '\0'; set_prefix (mi); } static const char * mi_prefix (const struct multi_instance *mi) { - if (mi && mi->msg_prefix) + if (mi && mi->msg_prefix[0]) return mi->msg_prefix; else return "UNDEF_I"; @@ -450,10 +493,10 @@ multi_del_iroutes (struct multi_context *m, if (TUNNEL_TYPE (mi->context.c1.tuntap) == DEV_TYPE_TUN) { for (ir = mi->context.options.iroutes; ir != NULL; ir = ir->next) - mroute_helper_del_iroute (m->route_helper, ir); + mroute_helper_del_iroute46 (m->route_helper, ir->netbits); for ( ir6 = mi->context.options.iroutes_ipv6; ir6 != NULL; ir6 = ir6->next ) - mroute_helper_del_iroute6 (m->route_helper, ir6); + mroute_helper_del_iroute46 (m->route_helper, ir6->netbits); } } @@ -500,7 +543,7 @@ multi_client_disconnect_script (struct multi_context *m, { struct argv argv = argv_new (); setenv_str (mi->context.c2.es, "script_type", "client-disconnect"); - argv_printf (&argv, "%sc", mi->context.options.client_disconnect_script); + argv_parse_cmd (&argv, mi->context.options.client_disconnect_script); openvpn_run_script (&argv, mi->context.c2.es, 0, "--client-disconnect"); argv_reset (&argv); } @@ -552,6 +595,17 @@ multi_close_instance (struct multi_context *m, } #endif +#ifdef ENABLE_ASYNC_PUSH + if (mi->inotify_watch != -1) + { + hash_remove(m->inotify_watchers, (void*) (unsigned long)mi->inotify_watch); + mi->inotify_watch = -1; + } +#endif + + if (mi->context.c2.tls_multi->peer_id != MAX_PEER_ID) + m->instances[mi->context.c2.tls_multi->peer_id] = NULL; + schedule_remove_entry (m->schedule, (struct schedule_entry *) mi); ifconfig_pool_release (m->ifconfig_pool, mi->vaddr_handle, false); @@ -628,6 +682,13 @@ multi_uninit (struct multi_context *m) #endif m->hash = NULL; + free(m->instances); + +#ifdef ENABLE_ASYNC_PUSH + hash_free (m->inotify_watchers); + m->inotify_watchers = NULL; +#endif + schedule_free (m->schedule); mbuf_free (m->mbuf); ifconfig_pool_free (m->ifconfig_pool); @@ -704,6 +765,11 @@ multi_create_instance (struct multi_context *m, const struct mroute_addr *real) mi->context.c2.push_reply_deferred = true; +#ifdef ENABLE_ASYNC_PUSH + mi->context.c2.push_request_received = false; + mi->inotify_watch = -1; +#endif + if (!multi_process_post (m, mi, MPP_PRE_SELECT)) { msg (D_MULTI_ERRORS, "MULTI: signal occurred during client instance initialization"); @@ -807,8 +873,8 @@ multi_print_status (struct multi_context *m, struct status_output *so, const int */ status_printf (so, "TITLE%c%s", sep, title_string); status_printf (so, "TIME%c%s%c%u", sep, time_string (now, 0, false, &gc_top), sep, (unsigned int)now); - status_printf (so, "HEADER%cCLIENT_LIST%cCommon Name%cReal Address%cVirtual Address%cBytes Received%cBytes Sent%cConnected Since%cConnected Since (time_t)%cUsername", - sep, sep, sep, sep, sep, sep, sep, sep, sep); + status_printf (so, "HEADER%cCLIENT_LIST%cCommon Name%cReal Address%cVirtual Address%cVirtual IPv6 Address%cBytes Received%cBytes Sent%cConnected Since%cConnected Since (time_t)%cUsername%cClient ID%cPeer ID", + sep, sep, sep, sep, sep, sep, sep, sep, sep, sep, sep, sep); hash_iterator_init (m->hash, &hi); while ((he = hash_iterator_next (&hi))) { @@ -817,15 +883,28 @@ multi_print_status (struct multi_context *m, struct status_output *so, const int if (!mi->halt) { - status_printf (so, "CLIENT_LIST%c%s%c%s%c%s%c" counter_format "%c" counter_format "%c%s%c%u%c%s", + status_printf (so, "CLIENT_LIST%c%s%c%s%c%s%c%s%c" counter_format "%c" counter_format "%c%s%c%u%c%s%c" +#ifdef MANAGEMENT_DEF_AUTH + "%lu" +#else + "" +#endif + "%c%"PRIu32, sep, tls_common_name (mi->context.c2.tls_multi, false), sep, mroute_addr_print (&mi->real, &gc), sep, print_in_addr_t (mi->reporting_addr, IA_EMPTY_IF_UNDEF, &gc), + sep, print_in6_addr (mi->reporting_addr_ipv6, IA_EMPTY_IF_UNDEF, &gc), sep, mi->context.c2.link_read_bytes, sep, mi->context.c2.link_write_bytes, sep, time_string (mi->created, 0, false, &gc), sep, (unsigned int)mi->created, - sep, tls_username (mi->context.c2.tls_multi, false)); + sep, tls_username (mi->context.c2.tls_multi, false), +#ifdef MANAGEMENT_DEF_AUTH + sep, mi->context.c2.mda_context.cid, +#else + sep, +#endif + sep, mi->context.c2.tls_multi ? mi->context.c2.tls_multi->peer_id : UINT32_MAX); } gc_free (&gc); } @@ -896,6 +975,13 @@ multi_print_status (struct multi_context *m, struct status_output *so, const int status_flush (so); gc_free (&gc_top); } + +#ifdef ENABLE_ASYNC_PUSH + if (m->inotify_watchers) + { + msg (D_MULTI_DEBUG, "inotify watchers count: %d\n", hash_n_elements(m->inotify_watchers)); + } +#endif } /* @@ -1113,7 +1199,7 @@ multi_learn_in6_addr (struct multi_context *m, addr.len = 16; addr.type = MR_ADDR_IPV6; addr.netbits = 0; - memcpy( &addr.addr, &a6, sizeof(a6) ); + addr.v6.addr = a6; if (netbits >= 0) { @@ -1158,23 +1244,18 @@ multi_add_iroutes (struct multi_context *m, print_in_addr_t (ir->network, 0, &gc), multi_instance_string (mi, false, &gc)); - mroute_helper_add_iroute (m->route_helper, ir); + mroute_helper_add_iroute46 (m->route_helper, ir->netbits); multi_learn_in_addr_t (m, mi, ir->network, ir->netbits, false); } for ( ir6 = mi->context.options.iroutes_ipv6; ir6 != NULL; ir6 = ir6->next ) { - if (ir6->netbits >= 0) - msg (D_MULTI_LOW, "MULTI: internal route %s/%d -> %s", + msg (D_MULTI_LOW, "MULTI: internal route %s/%d -> %s", print_in6_addr (ir6->network, 0, &gc), ir6->netbits, multi_instance_string (mi, false, &gc)); - else - msg (D_MULTI_LOW, "MULTI: internal route %s -> %s", - print_in6_addr (ir6->network, 0, &gc), - multi_instance_string (mi, false, &gc)); - mroute_helper_add_iroute6 (m->route_helper, ir6); + mroute_helper_add_iroute46 (m->route_helper, ir6->netbits); multi_learn_in6_addr (m, mi, ir6->network, ir6->netbits, false); } @@ -1289,16 +1370,13 @@ multi_select_virtual_addr (struct multi_context *m, struct multi_instance *mi) mi->context.c2.push_ifconfig_defined = true; mi->context.c2.push_ifconfig_local = mi->context.options.push_ifconfig_local; mi->context.c2.push_ifconfig_remote_netmask = mi->context.options.push_ifconfig_remote_netmask; -#ifdef ENABLE_CLIENT_NAT mi->context.c2.push_ifconfig_local_alias = mi->context.options.push_ifconfig_local_alias; -#endif /* the current implementation does not allow "static IPv4, pool IPv6", * (see below) so issue a warning if that happens - don't break the * session, though, as we don't even know if this client WANTS IPv6 */ - if ( mi->context.c1.tuntap->ipv6 && - mi->context.options.ifconfig_ipv6_pool_defined && + if ( mi->context.options.ifconfig_ipv6_pool_defined && ! mi->context.options.push_ifconfig_ipv6_defined ) { msg( M_INFO, "MULTI_sva: WARNING: if --ifconfig-push is used for IPv4, automatic IPv6 assignment from --ifconfig-ipv6-pool does not work. Use --ifconfig-ipv6-push for IPv6 then." ); @@ -1351,10 +1429,10 @@ multi_select_virtual_addr (struct multi_context *m, struct multi_instance *mi) if ( mi->context.options.ifconfig_ipv6_pool_defined ) { mi->context.c2.push_ifconfig_ipv6_local = remote_ipv6; - mi->context.c2.push_ifconfig_ipv6_remote = + mi->context.c2.push_ifconfig_ipv6_remote = mi->context.c1.tuntap->local_ipv6; - mi->context.c2.push_ifconfig_ipv6_netbits = - mi->context.options.ifconfig_ipv6_pool_netbits; + mi->context.c2.push_ifconfig_ipv6_netbits = + mi->context.options.ifconfig_ipv6_netbits; mi->context.c2.push_ifconfig_ipv6_defined = true; } } @@ -1371,8 +1449,7 @@ multi_select_virtual_addr (struct multi_context *m, struct multi_instance *mi) * way round ("dynamic IPv4, static IPv6") or "both static" makes sense * -> and so it's implemented right now */ - if ( mi->context.c1.tuntap->ipv6 && - mi->context.options.push_ifconfig_ipv6_defined ) + if ( mi->context.options.push_ifconfig_ipv6_defined ) { mi->context.c2.push_ifconfig_ipv6_local = mi->context.options.push_ifconfig_ipv6_local; @@ -1430,7 +1507,7 @@ multi_set_virtual_addr_env (struct multi_context *m, struct multi_instance *mi) setenv_del (mi->context.c2.es, "ifconfig_pool_remote_ip6"); setenv_del (mi->context.c2.es, "ifconfig_pool_ip6_netbits"); - if (mi->context.c1.tuntap->ipv6 && mi->context.c2.push_ifconfig_ipv6_defined) + if (mi->context.c2.push_ifconfig_ipv6_defined) { setenv_in6_addr (mi->context.c2.es, "ifconfig_pool_remote", @@ -1755,9 +1832,8 @@ multi_connection_established (struct multi_context *m, struct multi_instance *mi goto script_failed; } - argv_printf (&argv, "%sc %s", - mi->context.options.client_connect_script, - dc_file); + argv_parse_cmd (&argv, mi->context.options.client_connect_script); + argv_printf_cat (&argv, "%s", dc_file); if (openvpn_run_script (&argv, mi->context.c2.es, 0, "--client-connect")) { @@ -1868,9 +1944,18 @@ multi_connection_established (struct multi_context *m, struct multi_instance *mi /* set our client's VPN endpoint for status reporting purposes */ mi->reporting_addr = mi->context.c2.push_ifconfig_local; + mi->reporting_addr_ipv6 = mi->context.c2.push_ifconfig_ipv6_local; /* set context-level authentication flag */ mi->context.c2.context_auth = CAS_SUCCEEDED; + +#ifdef ENABLE_ASYNC_PUSH + /* authentication complete, send push reply */ + if (mi->context.c2.push_request_received) + { + process_incoming_push_request(&mi->context); + } +#endif } else { @@ -1900,6 +1985,58 @@ multi_connection_established (struct multi_context *m, struct multi_instance *mi mi->context.c2.push_reply_deferred = false; } +#ifdef ENABLE_ASYNC_PUSH +/* + * Called when inotify event is fired, which happens when acf file is closed or deleted. + * Continues authentication and sends push_reply. + */ +void +multi_process_file_closed (struct multi_context *m, const unsigned int mpp_flags) +{ + char buffer[INOTIFY_EVENT_BUFFER_SIZE]; + size_t buffer_i = 0; + int r = read (m->top.c2.inotify_fd, buffer, INOTIFY_EVENT_BUFFER_SIZE); + + while (buffer_i < r) + { + /* parse inotify events */ + struct inotify_event *pevent = (struct inotify_event *) &buffer[buffer_i]; + size_t event_size = sizeof (struct inotify_event) + pevent->len; + buffer_i += event_size; + + msg(D_MULTI_DEBUG, "MULTI: modified fd %d, mask %d", pevent->wd, pevent->mask); + + struct multi_instance* mi = hash_lookup(m->inotify_watchers, (void*) (unsigned long) pevent->wd); + + if (pevent->mask & IN_CLOSE_WRITE) + { + if (mi) + { + /* continue authentication and send push_reply */ + multi_process_post (m, mi, mpp_flags); + } + else + { + msg(D_MULTI_ERRORS, "MULTI: multi_instance not found!"); + } + } + else if (pevent->mask & IN_IGNORED) + { + /* this event is _always_ fired when watch is removed or file is deleted */ + if (mi) + { + hash_remove(m->inotify_watchers, (void*) (unsigned long) pevent->wd); + mi->inotify_watch = -1; + } + } + else + { + msg(D_MULTI_ERRORS, "MULTI: unknown mask %d", pevent->mask); + } + } +} +#endif + /* * Add a mbuf buffer to a particular * instance. @@ -2060,19 +2197,50 @@ multi_process_post (struct multi_context *m, struct multi_instance *mi, const un if (!IS_SIG (&mi->context) && ((flags & MPP_PRE_SELECT) || ((flags & MPP_CONDITIONAL_PRE_SELECT) && !ANY_OUT (&mi->context)))) { +#if defined(ENABLE_ASYNC_PUSH) && defined(ENABLE_DEF_AUTH) + bool was_authenticated = false; + struct key_state *ks = NULL; + if (mi->context.c2.tls_multi) + { + ks = &mi->context.c2.tls_multi->session[TM_ACTIVE].key[KS_PRIMARY]; + was_authenticated = ks->authenticated; + } +#endif + /* figure timeouts and fetch possible outgoing to_link packets (such as ping or TLS control) */ pre_select (&mi->context); - if (!IS_SIG (&mi->context)) +#if defined(ENABLE_ASYNC_PUSH) && defined(ENABLE_DEF_AUTH) + if (ks && ks->auth_control_file && ks->auth_deferred && !was_authenticated) { - /* tell scheduler to wake us up at some point in the future */ - multi_schedule_context_wakeup(m, mi); + /* watch acf file */ + long watch_descriptor = inotify_add_watch(m->top.c2.inotify_fd, ks->auth_control_file, IN_CLOSE_WRITE | IN_ONESHOT); + if (watch_descriptor >= 0) + { + if (mi->inotify_watch != -1) + { + hash_remove(m->inotify_watchers, (void*) (unsigned long)mi->inotify_watch); + } + hash_add (m->inotify_watchers, (const uintptr_t*)watch_descriptor, mi, true); + mi->inotify_watch = watch_descriptor; + } + else + { + msg(M_NONFATAL, "MULTI: inotify_add_watch error: %s", strerror(errno)); + } + } +#endif + if (!IS_SIG (&mi->context)) + { /* connection is "established" when SSL/TLS key negotiation succeeds and (if specified) auth user/pass succeeds */ if (!mi->connection_established_flag && CONNECTION_ESTABLISHED (&mi->context)) multi_connection_established (m, mi); + + /* tell scheduler to wake us up at some point in the future */ + multi_schedule_context_wakeup(m, mi); } } @@ -2107,6 +2275,72 @@ multi_process_post (struct multi_context *m, struct multi_instance *mi, const un return ret; } +void multi_process_float (struct multi_context* m, struct multi_instance* mi) +{ + struct mroute_addr real; + struct hash *hash = m->hash; + struct gc_arena gc = gc_new (); + + if (!mroute_extract_openvpn_sockaddr (&real, &m->top.c2.from.dest, true)) + goto done; + + const uint32_t hv = hash_value (hash, &real); + struct hash_bucket *bucket = hash_bucket (hash, hv); + + /* make sure that we don't float to an address taken by another client */ + struct hash_element *he = hash_lookup_fast (hash, bucket, &real, hv); + if (he) + { + struct multi_instance *ex_mi = (struct multi_instance *) he->value; + + struct tls_multi *m1 = mi->context.c2.tls_multi; + struct tls_multi *m2 = ex_mi->context.c2.tls_multi; + + /* do not float if target address is taken by client with another cert */ + if (!cert_hash_compare(m1->locked_cert_hash_set, m2->locked_cert_hash_set)) + { + msg (D_MULTI_LOW, "Disallow float to an address taken by another client %s", + multi_instance_string (ex_mi, false, &gc)); + + mi->context.c2.buf.len = 0; + + goto done; + } + + msg (D_MULTI_MEDIUM, "closing instance %s", multi_instance_string (ex_mi, false, &gc)); + multi_close_instance(m, ex_mi, false); + } + + msg (D_MULTI_MEDIUM, "peer %" PRIu32 " (%s) floated from %s to %s", + mi->context.c2.tls_multi->peer_id, + tls_common_name (mi->context.c2.tls_multi, false), + mroute_addr_print (&mi->real, &gc), + print_link_socket_actual (&m->top.c2.from, &gc)); + + /* change external network address of the remote peer */ + mi->real = real; + generate_prefix (mi); + + mi->context.c2.from = m->top.c2.from; + mi->context.c2.to_link_addr = &mi->context.c2.from; + + /* inherit parent link_socket and link_socket_info */ + mi->context.c2.link_socket = m->top.c2.link_socket; + mi->context.c2.link_socket_info->lsa->actual = m->top.c2.from; + + tls_update_remote_addr (mi->context.c2.tls_multi, &mi->context.c2.from); + + ASSERT (hash_add (m->hash, &mi->real, mi, true)); + ASSERT (hash_add (m->iter, &mi->real, mi, true)); + +#ifdef MANAGEMENT_DEF_AUTH + ASSERT (hash_add (m->cid_hash, &mi->context.c2.mda_context.cid, mi, true)); +#endif + +done: + gc_free (&gc); +} + /* * Process packets in the TCP/UDP socket -> TUN/TAP interface direction, * i.e. client -> server direction. @@ -2121,6 +2355,7 @@ multi_process_incoming_link (struct multi_context *m, struct multi_instance *ins unsigned int mroute_flags; struct multi_instance *mi; bool ret = true; + bool floated = false; if (m->pending) return true; @@ -2130,7 +2365,7 @@ multi_process_incoming_link (struct multi_context *m, struct multi_instance *ins #ifdef MULTI_DEBUG_EVENT_LOOP printf ("TCP/UDP -> TUN [%d]\n", BLEN (&m->top.c2.buf)); #endif - multi_set_pending (m, multi_get_create_instance_udp (m)); + multi_set_pending (m, multi_get_create_instance_udp (m, &floated)); } else multi_set_pending (m, instance); @@ -2148,13 +2383,30 @@ multi_process_incoming_link (struct multi_context *m, struct multi_instance *ins c->c2.buf = m->top.c2.buf; /* transfer from-addr from top-level context buffer to instance */ - c->c2.from = m->top.c2.from; + if (!floated) + c->c2.from = m->top.c2.from; } if (BLEN (&c->c2.buf) > 0) { + struct link_socket_info *lsi; + const uint8_t *orig_buf; + /* decrypt in instance context */ - process_incoming_link (c); + + perf_push (PERF_PROC_IN_LINK); + lsi = get_link_socket_info (c); + orig_buf = c->c2.buf.data; + if (process_incoming_link_part1(c, lsi, floated)) + { + if (floated) + { + multi_process_float (m, m->pending); + } + + process_incoming_link_part2(c, lsi, orig_buf); + } + perf_pop (); if (TUNNEL_TYPE (m->top.c1.tuntap) == DEV_TYPE_TUN) { @@ -2176,7 +2428,7 @@ multi_process_incoming_link (struct multi_context *m, struct multi_instance *ins { /* IPv6 link-local address (fe80::xxx)? */ if ( (src.type & MR_ADDR_MASK) == MR_ADDR_IPV6 && - src.addr[0] == 0xfe && src.addr[1] == 0x80 ) + IN6_IS_ADDR_LINKLOCAL (&src.v6.addr) ) { /* do nothing, for now. TODO: add address learning */ } @@ -2478,10 +2730,18 @@ multi_process_timeout (struct multi_context *m, const unsigned int mpp_flags) /* instance marked for wakeup? */ if (m->earliest_wakeup) { - set_prefix (m->earliest_wakeup); - ret = multi_process_post (m, m->earliest_wakeup, mpp_flags); + if (m->earliest_wakeup == (struct multi_instance*)&m->deferred_shutdown_signal) + { + schedule_remove_entry(m->schedule, (struct schedule_entry*) &m->deferred_shutdown_signal); + throw_signal(m->deferred_shutdown_signal.signal_received); + } + else + { + set_prefix (m->earliest_wakeup); + ret = multi_process_post (m, m->earliest_wakeup, mpp_flags); + clear_prefix (); + } m->earliest_wakeup = NULL; - clear_prefix (); } return ret; } @@ -2591,12 +2851,10 @@ multi_process_per_second_timers_dowork (struct multi_context *m) } void -multi_top_init (struct multi_context *m, const struct context *top, const bool alloc_buffers) +multi_top_init (struct multi_context *m, const struct context *top) { inherit_context_top (&m->top, top); - m->top.c2.buffers = NULL; - if (alloc_buffers) - m->top.c2.buffers = init_context_buffers (&top->c2.frame); + m->top.c2.buffers = init_context_buffers (&top->c2.frame); } void @@ -2606,6 +2864,48 @@ multi_top_free (struct multi_context *m) free_context_buffers (m->top.c2.buffers); } +static bool +is_exit_restart(int sig) +{ + return (sig == SIGUSR1 || sig == SIGTERM || sig == SIGHUP || sig == SIGINT); +} + +static void +multi_push_restart_schedule_exit(struct multi_context *m, bool next_server) +{ + struct hash_iterator hi; + struct hash_element *he; + struct timeval tv; + + /* tell all clients to restart */ + hash_iterator_init (m->iter, &hi); + while ((he = hash_iterator_next (&hi))) + { + struct multi_instance *mi = (struct multi_instance *) he->value; + if (!mi->halt) + { + send_control_channel_string (&mi->context, next_server ? "RESTART,[N]" : "RESTART", D_PUSH); + multi_schedule_context_wakeup(m, mi); + } + } + hash_iterator_free (&hi); + + /* reschedule signal */ + ASSERT (!openvpn_gettimeofday (&m->deferred_shutdown_signal.wakeup, NULL)); + tv.tv_sec = 2; + tv.tv_usec = 0; + tv_add (&m->deferred_shutdown_signal.wakeup, &tv); + + m->deferred_shutdown_signal.signal_received = m->top.sig->signal_received; + + schedule_add_entry (m->schedule, + (struct schedule_entry *) &m->deferred_shutdown_signal, + &m->deferred_shutdown_signal.wakeup, + compute_wakeup_sigma (&m->deferred_shutdown_signal.wakeup)); + + m->top.sig->signal_received = 0; +} + /* * Return true if event loop should break, * false if it should continue. @@ -2621,6 +2921,14 @@ multi_process_signal (struct multi_context *m) m->top.sig->signal_received = 0; return false; } + else if (proto_is_dgram(m->top.options.ce.proto) && + is_exit_restart(m->top.sig->signal_received) && + (m->deferred_shutdown_signal.signal_received == 0) && + m->top.options.ce.explicit_exit_notification != 0) + { + multi_push_restart_schedule_exit(m, m->top.options.ce.explicit_exit_notification == 2); + return false; + } return true; } diff --git a/src/openvpn/multi.h b/src/openvpn/multi.h index 2bc0c8a..0d369f3 100644 --- a/src/openvpn/multi.h +++ b/src/openvpn/multi.h @@ -42,6 +42,8 @@ #include "mtcp.h" #include "perf.h" +#define MULTI_PREFIX_MAX_LENGTH 256 + /* * Walk (don't run) through the routing table, * deleting old entries, and possibly multi_instance @@ -55,6 +57,13 @@ struct multi_reap }; +struct deferred_signal_schedule_entry +{ + struct schedule_entry se; + int signal_received; + struct timeval wakeup; +}; + /** * Server-mode state structure for one single VPN tunnel. * @@ -80,7 +89,7 @@ struct multi_instance { struct mroute_addr real; /**< External network address of the * remote peer. */ ifconfig_pool_handle vaddr_handle; - const char *msg_prefix; + char msg_prefix[MULTI_PREFIX_MAX_LENGTH]; /* queued outgoing data in Server/TCP mode */ unsigned int tcp_rwflags; @@ -88,6 +97,7 @@ struct multi_instance { bool socket_set_called; in_addr_t reporting_addr; /* IP address shown in status listing */ + struct in6_addr reporting_addr_ipv6; /* IPv6 address in status listing */ bool did_open_context; bool did_real_hash; @@ -102,6 +112,10 @@ struct multi_instance { struct context context; /**< The context structure storing state * for this VPN tunnel. */ + +#ifdef ENABLE_ASYNC_PUSH + int inotify_watch; /* watch descriptor for acf */ +#endif }; @@ -124,6 +138,9 @@ struct multi_context { # define MC_WORK_THREAD (MC_MULTI_THREADED_WORKER|MC_MULTI_THREADED_SCHEDULER) int thread_mode; + struct multi_instance** instances; /**< Array of multi_instances. An instance can be + * accessed using peer-id as an index. */ + struct hash *hash; /**< VPN tunnel instances indexed by real * address of the remote peer. */ struct hash *vhash; /**< VPN tunnel instances indexed by @@ -166,6 +183,13 @@ struct multi_context { * Timer object for stale route check */ struct event_timeout stale_routes_check_et; + +#ifdef ENABLE_ASYNC_PUSH + /* mapping between inotify watch descriptors and multi_instances */ + struct hash *inotify_watchers; +#endif + + struct deferred_signal_schedule_entry deferred_shutdown_signal; }; /* @@ -209,7 +233,7 @@ const char *multi_instance_string (const struct multi_instance *mi, bool null, s void multi_init (struct multi_context *m, struct context *t, bool tcp_mode, int thread_mode); void multi_uninit (struct multi_context *m); -void multi_top_init (struct multi_context *m, const struct context *top, const bool alloc_buffers); +void multi_top_init (struct multi_context *m, const struct context *top); void multi_top_free (struct multi_context *m); struct multi_instance *multi_create_instance (struct multi_context *m, const struct mroute_addr *real); @@ -217,6 +241,16 @@ void multi_close_instance (struct multi_context *m, struct multi_instance *mi, b bool multi_process_timeout (struct multi_context *m, const unsigned int mpp_flags); +/** + * Handles peer floating. + * + * If peer is floated to a taken address, either drops packet + * (if peer that owns address has different CN) or disconnects + * existing peer. Updates multi_instance with new address, + * updates hashtables in multi_context. + */ +void multi_process_float (struct multi_context* m, struct multi_instance* mi); + #define MPP_PRE_SELECT (1<<0) #define MPP_CONDITIONAL_PRE_SELECT (1<<1) #define MPP_CLOSE_ON_SIGNAL (1<<2) @@ -311,6 +345,18 @@ void multi_close_instance_on_signal (struct multi_context *m, struct multi_insta void init_management_callback_multi (struct multi_context *m); void uninit_management_callback_multi (struct multi_context *m); + +#ifdef ENABLE_ASYNC_PUSH +/** + * Called when inotify event is fired, which happens when acf file is closed or deleted. + * Continues authentication and sends push_repl + * + * @param m multi_context + * @param mpp_flags + */ +void multi_process_file_closed (struct multi_context *m, const unsigned int mpp_flags); +#endif + /* * Return true if our output queue is not full */ @@ -418,6 +464,12 @@ multi_route_defined (const struct multi_context *m, } /* + * Takes prefix away from multi_instance. + */ +void +ungenerate_prefix (struct multi_instance *mi); + +/* * Set a msg() function prefix with our current client instance ID. */ @@ -425,10 +477,10 @@ static inline void set_prefix (struct multi_instance *mi) { #ifdef MULTI_DEBUG_EVENT_LOOP - if (mi->msg_prefix) + if (mi->msg_prefix[0]) printf ("[%s]\n", mi->msg_prefix); #endif - msg_set_prefix (mi->msg_prefix); + msg_set_prefix (mi->msg_prefix[0] ? mi->msg_prefix : NULL); } static inline void @@ -573,10 +625,5 @@ multi_set_pending (struct multi_context *m, struct multi_instance *mi) m->pending = mi; } -static inline void -multi_release_io_lock (struct multi_context *m) -{ -} - #endif /* P2MP_SERVER */ #endif /* MULTI_H */ diff --git a/src/openvpn/occ.c b/src/openvpn/occ.c index ff48706..d71381d 100644 --- a/src/openvpn/occ.c +++ b/src/openvpn/occ.c @@ -379,7 +379,7 @@ process_received_occ_msg (struct context *c) && c->c2.max_send_size_local > TUN_MTU_MIN && (c->c2.max_recv_size_remote < c->c2.max_send_size_local || c->c2.max_recv_size_local < c->c2.max_send_size_remote)) - msg (M_INFO, "NOTE: This connection is unable to accomodate a UDP packet size of %d. Consider using --fragment or --mssfix options as a workaround.", + msg (M_INFO, "NOTE: This connection is unable to accommodate a UDP packet size of %d. Consider using --fragment or --mssfix options as a workaround.", c->c2.max_send_size_local); } event_timeout_clear (&c->c2.occ_mtu_load_test_interval); diff --git a/src/openvpn/openvpn.c b/src/openvpn/openvpn.c index 823c3dd..5fb2fd9 100644 --- a/src/openvpn/openvpn.c +++ b/src/openvpn/openvpn.c @@ -138,7 +138,7 @@ openvpn_main (int argc, char *argv[]) return 1; #endif -#ifdef WIN32 +#ifdef _WIN32 SetConsoleOutputCP (CP_UTF8); #endif @@ -172,7 +172,7 @@ openvpn_main (int argc, char *argv[]) /* initialize environmental variable store */ c.es = env_set_create (NULL); -#ifdef WIN32 +#ifdef _WIN32 set_win_sys_path_via_env (c.es); #endif @@ -220,7 +220,7 @@ openvpn_main (int argc, char *argv[]) /* print version number */ msg (M_INFO, "%s", title_string); -#ifdef WIN32 +#ifdef _WIN32 show_windows_version(M_INFO); #endif show_library_versions(M_INFO); @@ -312,7 +312,7 @@ openvpn_main (int argc, char *argv[]) return 0; /* NOTREACHED */ } -#ifdef WIN32 +#ifdef _WIN32 int wmain (int argc, wchar_t *wargv[]) { char **argv; diff --git a/src/openvpn/openvpn.h b/src/openvpn/openvpn.h index 36c3100..fa5cc1d 100644 --- a/src/openvpn/openvpn.h +++ b/src/openvpn/openvpn.h @@ -31,7 +31,7 @@ #include "crypto.h" #include "ssl.h" #include "packet_id.h" -#include "lzo.h" +#include "comp.h" #include "tun.h" #include "interval.h" #include "status.h" @@ -62,14 +62,12 @@ struct key_schedule /* pre-shared static key, read from a file */ struct key_ctx_bi static_key; -#ifdef ENABLE_SSL /* our global SSL context */ struct tls_root_ctx ssl_ctx; - /* optional authentication HMAC key for TLS control channel */ - struct key_ctx_bi tls_auth_key; - -#endif /* ENABLE_SSL */ + /* optional TLS control channel wrapping */ + struct key_type tls_auth_key_type; + struct key_ctx_bi tls_wrap_key; #else /* ENABLE_CRYPTO */ int dummy; #endif /* ENABLE_CRYPTO */ @@ -104,10 +102,10 @@ struct context_buffers struct buffer decrypt_buf; #endif - /* workspace buffers for LZO compression */ -#ifdef ENABLE_LZO - struct buffer lzo_compress_buf; - struct buffer lzo_decompress_buf; + /* workspace buffers for compression */ +#ifdef USE_COMP + struct buffer compress_buf; + struct buffer decompress_buf; #endif /* @@ -165,6 +163,9 @@ struct context_1 /* tunnel session keys */ struct key_schedule ks; + /* preresolved and cached host names */ + struct cached_dns_entry *dns_cache; + /* persist crypto sequence number to/from file */ struct packet_id_persist pid_persist; @@ -184,17 +185,13 @@ struct context_1 struct status_output *status_output; bool status_output_owned; -#ifdef ENABLE_HTTP_PROXY /* HTTP proxy object */ struct http_proxy_info *http_proxy; bool http_proxy_owned; -#endif -#ifdef ENABLE_SOCKS /* SOCKS proxy object */ struct socks_proxy_info *socks_proxy; bool socks_proxy_owned; -#endif #if P2MP @@ -213,6 +210,10 @@ struct context_1 struct user_pass *auth_user_pass; /**< Username and password for * authentication. */ + + const char *ciphername; /**< Data channel cipher from config file */ + const char *authname; /**< Data channel auth from config file */ + int keysize; /**< Data channel keysize from config file */ #endif }; @@ -247,6 +248,9 @@ struct context_2 # define MANAGEMENT_READ (1<<6) # define MANAGEMENT_WRITE (1<<7) # endif +#ifdef ENABLE_ASYNC_PUSH +# define FILE_CLOSED (1<<8) +#endif unsigned int event_set_status; @@ -335,8 +339,6 @@ struct context_2 /* * TLS-mode crypto objects. */ -#ifdef ENABLE_SSL - struct tls_multi *tls_multi; /**< TLS state structure for this VPN * tunnel. */ @@ -357,23 +359,19 @@ struct context_2 /* throw this signal on TLS errors */ int tls_exit_signal; -#endif /* ENABLE_SSL */ - struct crypto_options crypto_options; /**< Security parameters and crypto state * used by the \link data_crypto Data * Channel Crypto module\endlink to * process data channel packet. */ - /* used to keep track of data channel packet sequence numbers */ - struct packet_id packet_id; struct event_timeout packet_id_persist_interval; #endif /* ENABLE_CRYPTO */ -#ifdef ENABLE_LZO - struct lzo_compress_workspace lzo_compwork; - /**< Compression workspace used by the +#ifdef USE_COMP + struct compress_context *comp_context; + /**< Compression context used by the * \link compression Data Channel * Compression module\endlink. */ #endif @@ -393,11 +391,6 @@ struct context_2 struct buffer to_tun; struct buffer to_link; - /* - * IPv4 TUN device? - */ - bool ipv4_tun; - /* should we print R|W|r|w to console on packet transfers? */ bool log_rw; @@ -423,6 +416,10 @@ struct context_2 time_t update_timeout_random_component; struct timeval timeout_random_component; + /* Timer for everything up to the first packet from the *OpenVPN* server + * socks, http proxy, and tcp packets do not count */ + struct event_timeout server_poll_interval; + /* indicates that the do_up_delay function has run */ bool do_up_ran; @@ -446,13 +443,14 @@ struct context_2 #if P2MP_SERVER /* --ifconfig endpoints to be pushed to client */ bool push_reply_deferred; +#ifdef ENABLE_ASYNC_PUSH + bool push_request_received; +#endif bool push_ifconfig_defined; time_t sent_push_reply_expiry; in_addr_t push_ifconfig_local; in_addr_t push_ifconfig_remote_netmask; -#ifdef ENABLE_CLIENT_NAT in_addr_t push_ifconfig_local_alias; -#endif bool push_ifconfig_ipv6_defined; struct in6_addr push_ifconfig_ipv6_local; @@ -474,11 +472,9 @@ struct context_2 /* hash of pulled options, so we can compare when options change */ bool pulled_options_md5_init_done; - struct md5_state pulled_options_state; + md_ctx_t pulled_options_state; struct md5_digest pulled_options_digest; - struct event_timeout server_poll_interval; - struct event_timeout scheduled_exit; int scheduled_exit_signal; #endif @@ -491,6 +487,10 @@ struct context_2 #ifdef MANAGEMENT_DEF_AUTH struct man_def_auth_context mda_context; #endif + +#ifdef ENABLE_ASYNC_PUSH + int inotify_fd; /* descriptor for monitoring file changes */ +#endif }; @@ -566,7 +566,7 @@ struct context * have been compiled in. */ -#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL) +#ifdef ENABLE_CRYPTO #define TLS_MODE(c) ((c)->c2.tls_multi != NULL) #define PROTO_DUMP_FLAGS (check_debug_level (D_LINK_RW_VERBOSE) ? (PD_SHOW_DATA|PD_VERBOSE) : 0) #define PROTO_DUMP(buf, gc) protocol_dump((buf), \ @@ -591,4 +591,7 @@ struct context #define CIPHER_ENABLED(c) (false) #endif +/* this represents "disabled peer-id" */ +#define MAX_PEER_ID 0xFFFFFF + #endif diff --git a/src/openvpn/openvpn.vcxproj b/src/openvpn/openvpn.vcxproj index d691500..8dfbea5 100644 --- a/src/openvpn/openvpn.vcxproj +++ b/src/openvpn/openvpn.vcxproj @@ -64,7 +64,7 @@ <AdditionalIncludeDirectories>$(SOURCEBASE);%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories> </ResourceCompile> <Link> - <AdditionalDependencies>libeay32.lib;ssleay32.lib;lzo2.lib;pkcs11-helper.dll.lib;gdi32.lib;ws2_32.lib;wininet.lib;crypt32.lib;iphlpapi.lib;winmm.lib;rpcrt4.lib;%(AdditionalDependencies)</AdditionalDependencies> + <AdditionalDependencies>libeay32.lib;ssleay32.lib;lzo2.lib;pkcs11-helper.dll.lib;gdi32.lib;ws2_32.lib;wininet.lib;crypt32.lib;iphlpapi.lib;winmm.lib;Fwpuclnt.lib;Rpcrt4.lib;%(AdditionalDependencies)</AdditionalDependencies> <AdditionalLibraryDirectories>$(OPENSSL_HOME)/lib;$(LZO_HOME)/lib;$(PKCS11H_HOME)/lib;%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories> <GenerateDebugInformation>true</GenerateDebugInformation> <SubSystem>Console</SubSystem> @@ -89,7 +89,7 @@ <AdditionalIncludeDirectories>$(SOURCEBASE);%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories> </ResourceCompile> <Link> - <AdditionalDependencies>libeay32.lib;ssleay32.lib;lzo2.lib;pkcs11-helper.dll.lib;gdi32.lib;ws2_32.lib;wininet.lib;crypt32.lib;iphlpapi.lib;winmm.lib;rpcrt4.lib;%(AdditionalDependencies)</AdditionalDependencies> + <AdditionalDependencies>libeay32.lib;ssleay32.lib;lzo2.lib;pkcs11-helper.dll.lib;gdi32.lib;ws2_32.lib;wininet.lib;crypt32.lib;iphlpapi.lib;winmm.lib;Fwpuclnt.lib;Rpcrt4.lib;%(AdditionalDependencies)</AdditionalDependencies> <AdditionalLibraryDirectories>$(OPENSSL_HOME)/lib;$(LZO_HOME)/lib;$(PKCS11H_HOME)/lib;%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories> <GenerateDebugInformation>true</GenerateDebugInformation> <SubSystem>Console</SubSystem> @@ -102,6 +102,9 @@ <ClCompile Include="base64.c" /> <ClCompile Include="buffer.c" /> <ClCompile Include="clinat.c" /> + <ClCompile Include="comp-lz4.c" /> + <ClCompile Include="comp.c" /> + <ClCompile Include="compstub.c" /> <ClCompile Include="console.c" /> <ClCompile Include="crypto.c" /> <ClCompile Include="crypto_openssl.c" /> @@ -171,6 +174,9 @@ <ClInclude Include="circ_list.h" /> <ClInclude Include="clinat.h" /> <ClInclude Include="common.h" /> + <ClInclude Include="comp-lz4.h" /> + <ClInclude Include="comp.h" /> + <ClInclude Include="compstub.h" /> <ClInclude Include="console.h" /> <ClInclude Include="crypto.h" /> <ClInclude Include="crypto_backend.h" /> @@ -262,4 +268,4 @@ <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" /> <ImportGroup Label="ExtensionTargets"> </ImportGroup> -</Project>
\ No newline at end of file +</Project> diff --git a/src/openvpn/openvpn.vcxproj.filters b/src/openvpn/openvpn.vcxproj.filters index dbed3cd..8b6a269 100644 --- a/src/openvpn/openvpn.vcxproj.filters +++ b/src/openvpn/openvpn.vcxproj.filters @@ -207,6 +207,15 @@ <ClCompile Include="win32.c"> <Filter>Source Files</Filter> </ClCompile> + <ClCompile Include="comp.c"> + <Filter>Source Files</Filter> + </ClCompile> + <ClCompile Include="compstub.c"> + <Filter>Source Files</Filter> + </ClCompile> + <ClCompile Include="comp-lz4.c"> + <Filter>Source Files</Filter> + </ClCompile> </ItemGroup> <ItemGroup> <ClInclude Include="base64.h"> @@ -227,6 +236,12 @@ <ClInclude Include="common.h"> <Filter>Header Files</Filter> </ClInclude> + <ClInclude Include="comp.h"> + <Filter>Header Files</Filter> + </ClInclude> + <ClInclude Include="comp-lz4.h"> + <Filter>Header Files</Filter> + </ClInclude> <ClInclude Include="console.h"> <Filter>Header Files</Filter> </ClInclude> @@ -449,9 +464,6 @@ <ClInclude Include="win32.h"> <Filter>Header Files</Filter> </ClInclude> - <ClInclude Include="win32_wfp.h"> - <Filter>Header Files</Filter> - </ClInclude> </ItemGroup> <ItemGroup> <ResourceCompile Include="openvpn_win32_resources.rc"> diff --git a/src/openvpn/options.c b/src/openvpn/options.c index a49a4fb..7f128c3 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -56,39 +56,38 @@ #include "helper.h" #include "manage.h" #include "forward.h" +#include "ssl_verify.h" +#include "platform.h" #include <ctype.h> #include "memdbg.h" const char title_string[] = PACKAGE_STRING +#ifdef CONFIGURE_GIT_REVISION + " [git:" CONFIGURE_GIT_REVISION CONFIGURE_GIT_FLAGS "]" +#endif " " TARGET_ALIAS #ifdef ENABLE_CRYPTO -#ifdef ENABLE_SSL -#if defined(ENABLE_CRYPTO_POLARSSL) - " [SSL (PolarSSL)]" +#if defined(ENABLE_CRYPTO_MBEDTLS) + " [SSL (mbed TLS)]" #elif defined(ENABLE_CRYPTO_OPENSSL) " [SSL (OpenSSL)]" #else " [SSL]" -#endif /* defined(ENABLE_CRYPTO_POLARSSL) */ -#else /* ! ENABLE_SSL */ -#if defined(ENABLE_CRYPTO_POLARSSL) - " [CRYPTO (PolarSSL)]" -#elif defined(ENABLE_CRYPTO_OPENSSL) - " [CRYPTO (OpenSSL)]" -#else - " [CRYPTO]" -#endif /* defined(ENABLE_CRYPTO_POLARSSL) */ -#endif /* ENABLE_SSL */ +#endif /* defined(ENABLE_CRYPTO_MBEDTLS) */ #endif /* ENABLE_CRYPTO */ +#ifdef USE_COMP #ifdef ENABLE_LZO -#ifdef ENABLE_LZO_STUB - " [LZO (STUB)]" -#else " [LZO]" #endif +#ifdef ENABLE_LZ4 + " [LZ4]" +#endif +#ifdef ENABLE_COMP_STUB + " [COMP_STUB]" #endif +#endif /* USE_COMP */ #if EPOLL " [EPOLL]" #endif @@ -99,9 +98,15 @@ const char title_string[] = " [PKCS11]" #endif #if ENABLE_IP_PKTINFO - " [MH]" +# if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST) + " [MH/PKTINFO]" +# elif defined(IP_RECVDSTADDR) + " [MH/RECVDA]" +# endif +#endif +#ifdef HAVE_AEAD_CIPHER_MODES + " [AEAD]" #endif - " [IPv6]" " built on " __DATE__ ; @@ -125,11 +130,11 @@ static const char usage_message[] = " p = udp (default), tcp-server, or tcp-client\n" "--proto-force p : only consider protocol p in list of connection profiles.\n" " p = udp6, tcp6-server, or tcp6-client (ipv6)\n" - "--connect-retry n : For --proto tcp-client, number of seconds to wait\n" - " between connection retries (default=%d).\n" - "--connect-timeout n : For --proto tcp-client, connection timeout (in seconds).\n" + "--connect-retry n [m] : For client, number of seconds to wait between\n" + " connection retries (default=%d). On repeated retries\n" + " the wait time is exponentially increased to a maximum of m\n" + " (default=%d).\n" "--connect-retry-max n : Maximum connection attempt retries, default infinite.\n" -#ifdef ENABLE_HTTP_PROXY "--http-proxy s p [up] [auth] : Connect to remote host\n" " through an HTTP proxy at address s and port p.\n" " If proxy authentication is required,\n" @@ -139,21 +144,16 @@ static const char usage_message[] = "--http-proxy s p 'auto[-nct]' : Like the above directive, but automatically\n" " determine auth method and query for username/password\n" " if needed. auto-nct disables weak proxy auth methods.\n" - "--http-proxy-retry : Retry indefinitely on HTTP proxy errors.\n" - "--http-proxy-timeout n : Proxy timeout in seconds, default=5.\n" "--http-proxy-option type [parm] : Set extended HTTP proxy options.\n" " Repeat to set multiple options.\n" " VERSION version (default=1.0)\n" " AGENT user-agent\n" -#endif -#ifdef ENABLE_SOCKS "--socks-proxy s [p] [up] : Connect to remote host through a Socks5 proxy at\n" " address s and port p (default port = 1080).\n" " If proxy authentication is required,\n" " up is a file containing username/password on 2 lines, or\n" " 'stdin' to prompt for console.\n" "--socks-proxy-retry : Retry indefinitely on Socks proxy errors.\n" -#endif "--resolv-retry n: If hostname resolve fails for --remote, retry\n" " resolve for n seconds before failing (disabled by default).\n" " Set n=\"infinite\" to retry indefinitely.\n" @@ -162,16 +162,12 @@ static const char usage_message[] = "--ipchange cmd : Run command cmd on remote ip address initial\n" " setting or change -- execute as: cmd ip-address port#\n" "--port port : TCP/UDP port # for both local and remote.\n" - "--lport port : TCP/UDP port # for local (default=%d). Implies --bind.\n" - "--rport port : TCP/UDP port # for remote (default=%d).\n" + "--lport port : TCP/UDP port # for local (default=%s). Implies --bind.\n" + "--rport port : TCP/UDP port # for remote (default=%s).\n" "--bind : Bind to local address and port. (This is the default unless\n" " --proto tcp-client" -#ifdef ENABLE_HTTP_PROXY " or --http-proxy" -#endif -#ifdef ENABLE_SOCKS " or --socks-proxy" -#endif " is used).\n" "--nobind : Do not bind to local address and port.\n" "--dev tunX|tapX : tun/tap device (X can be omitted for dynamic device.\n" @@ -182,7 +178,6 @@ static const char usage_message[] = " /dev/net/tun, /dev/tun, /dev/tap, etc.\n" "--lladdr hw : Set the link layer address of the tap device.\n" "--topology t : Set --dev tun topology: 'net30', 'p2p', or 'subnet'.\n" - "--tun-ipv6 : Build tun link capable of forwarding IPv6 traffic.\n" #ifdef ENABLE_IPROUTE "--iproute cmd : Use this command instead of default " IPROUTE_PATH ".\n" #endif @@ -207,9 +202,7 @@ static const char usage_message[] = "--route-ipv6 network/bits [gateway] [metric] :\n" " Add IPv6 route to routing table after connection\n" " is established. Multiple routes can be specified.\n" - " gateway default: taken from --route-ipv6-gateway or --ifconfig\n" - "--max-routes n : Specify the maximum number of routes that may be defined\n" - " or pulled from a server.\n" + " gateway default: taken from 'remote' in --ifconfig-ipv6\n" "--route-gateway gw|'dhcp' : Specify a default gateway for use with --route.\n" "--route-metric m : Specify a default metric for use with --route.\n" "--route-delay n [w] : Delay n seconds after connection initiation before\n" @@ -234,9 +227,7 @@ static const char usage_message[] = " Add 'bypass-dns' flag to similarly bypass tunnel for DNS.\n" "--redirect-private [flags]: Like --redirect-gateway, but omit actually changing\n" " the default gateway. Useful when pushing private subnets.\n" -#ifdef ENABLE_CLIENT_NAT "--client-nat snat|dnat network netmask alias : on client add 1-to-1 NAT rule.\n" -#endif #ifdef ENABLE_PUSH_PEER_INFO "--push-peer-info : (client only) push client info to server.\n" #endif @@ -335,6 +326,7 @@ static const char usage_message[] = "--log file : Output log to file which is created/truncated on open.\n" "--log-append file : Append log to file, or create file if nonexistent.\n" "--suppress-timestamps : Don't log timestamps to stdout/stderr.\n" + "--machine-readable-output : Always log timestamp, message flags to stdout/stderr.\n" "--writepid file : Write main process ID to file.\n" "--nice n : Change process priority (>0 = lower, <0 = higher).\n" "--echo [parms ...] : Echo parameters to log output.\n" @@ -359,12 +351,15 @@ static const char usage_message[] = #ifdef ENABLE_DEBUG "--gremlin mask : Special stress testing mode (for debugging only).\n" #endif -#ifdef ENABLE_LZO - "--comp-lzo : Use fast LZO compression -- may add up to 1 byte per\n" +#if defined(USE_COMP) + "--compress alg : Use compression algorithm alg\n" +#if defined(ENABLE_LZO) + "--comp-lzo : Use LZO compression -- may add up to 1 byte per\n" " packet for uncompressible data.\n" "--comp-noadapt : Don't use adaptive compression when --comp-lzo\n" " is specified.\n" #endif +#endif #ifdef ENABLE_MANAGEMENT "--management ip port [pass] : Enable a TCP server on ip:port to handle\n" " management functions. pass is a password file\n" @@ -442,6 +437,9 @@ static const char usage_message[] = " Only valid in a client-specific config file.\n" "--client-cert-not-required : Don't require client certificate, client\n" " will authenticate using username/password.\n" + "--verify-client-cert [none|optional|require] : perform no, optional or\n" + " mandatory client certificate verification.\n" + " Default is to require the client to supply a certificate.\n" "--username-as-common-name : For auth-user-pass authentication, use\n" " the authenticated username as the common name,\n" " rather than the common name from the client cert.\n" @@ -449,6 +447,11 @@ static const char usage_message[] = " run command cmd to verify. If method='via-env', pass\n" " user/pass via environment, if method='via-file', pass\n" " user/pass via temporary file.\n" + "--auth-gen-token [lifetime] Generate a random authentication token which is pushed\n" + " to each client, replacing the password. Usefull when\n" + " OTP based two-factor auth mechanisms are in use and\n" + " --reneg-* options are enabled. Optionally a lifetime in seconds\n" + " for generated tokens can be set.\n" "--opt-verify : Clients that connect with options that are incompatible\n" " with those of the server will be disconnected.\n" "--auth-user-pass-optional : Allow connections by clients that don't\n" @@ -476,6 +479,9 @@ static const char usage_message[] = "--stale-routes-check n [t] : Remove routes with a last activity timestamp\n" " older than n seconds. Run this check every t\n" " seconds (defaults to n).\n" + "--explicit-exit-notify [n] : In UDP server mode send [RESTART] command on exit/restart to connected\n" + " clients. n = 1 - reconnect to same server,\n" + " 2 - advance to next server, default=1.\n" #if PORT_SHARE "--port-share host port [dir] : When run in TCP mode, proxy incoming HTTPS\n" " sessions to a web server at host:port. dir specifies an\n" @@ -493,13 +499,20 @@ static const char usage_message[] = "--pull : Accept certain config file options from the peer as if they\n" " were part of the local config file. Must be specified\n" " when connecting to a '--mode server' remote host.\n" + "--pull-filter accept|ignore|reject t : Filter each option received from the\n" + " server if it starts with the text t. The action flag accept,\n" + " ignore or reject causes the option to be allowed, removed or\n" + " rejected with error. May be specified multiple times, and\n" + " each filter is applied in the order of appearance.\n" "--auth-retry t : How to handle auth failures. Set t to\n" " none (default), interact, or nointeract.\n" "--static-challenge t e : Enable static challenge/response protocol using\n" " challenge text t, with e indicating echo flag (0|1)\n" - "--server-poll-timeout n : when polling possible remote servers to connect to\n" + "--connect-timeout n : when polling possible remote servers to connect to\n" " in a round-robin fashion, spend no more than n seconds\n" " waiting for a response before trying the next server.\n" + "--allow-recursive-routing : When this option is set, OpenVPN will not drop\n" + " incoming tun packets with same destination as host.\n" #endif #ifdef ENABLE_OCC "--explicit-exit-notify [n] : On exit/restart, send exit signal to\n" @@ -522,13 +535,15 @@ static const char usage_message[] = "--cipher alg : Encrypt packets with cipher algorithm alg\n" " (default=%s).\n" " Set alg=none to disable encryption.\n" + "--ncp-ciphers list : List of ciphers that are allowed to be negotiated.\n" + "--ncp-disable : Disable cipher negotiation.\n" "--prng alg [nsl] : For PRNG, use digest algorithm alg, and\n" " nonce_secret_len=nsl. Set alg=none to disable PRNG.\n" #ifdef HAVE_EVP_CIPHER_CTX_SET_KEY_LENGTH "--keysize n : Size of cipher key in bits (optional).\n" " If unspecified, defaults to cipher-specific default.\n" #endif -#ifndef ENABLE_CRYPTO_POLARSSL +#ifndef ENABLE_CRYPTO_MBEDTLS "--engine [name] : Enable OpenSSL hardware crypto engine functionality.\n" #endif "--no-replay : Disable replay protection.\n" @@ -545,7 +560,6 @@ static const char usage_message[] = "--use-prediction-resistance: Enable prediction resistance on the random\n" " number generator.\n" #endif -#ifdef ENABLE_SSL "\n" "TLS Key Negotiation Options:\n" "(These options are meaningful only for TLS-mode)\n" @@ -555,15 +569,10 @@ static const char usage_message[] = " number, such as 1 (default), 2, etc.\n" "--ca file : Certificate authority file in .pem format containing\n" " root certificate.\n" -#ifndef ENABLE_CRYPTO_POLARSSL +#ifndef ENABLE_CRYPTO_MBEDTLS "--capath dir : A directory of trusted certificates (CAs" -#if OPENSSL_VERSION_NUMBER >= 0x00907000L " and CRLs).\n" -#else /* OPENSSL_VERSION_NUMBER >= 0x00907000L */ - ").\n" - " WARNING: no support of CRL available with this version.\n" -#endif /* OPENSSL_VERSION_NUMBER >= 0x00907000L */ -#endif /* ENABLE_CRYPTO_POLARSSL */ +#endif /* ENABLE_CRYPTO_MBEDTLS */ "--dh file : File containing Diffie Hellman parameters\n" " in .pem format (for --tls-server only).\n" " Use \"openssl dhparam -out dh1024.pem 1024\" to generate.\n" @@ -575,7 +584,7 @@ static const char usage_message[] = " will accept from the peer. If version is unrecognized and 'or-highest'\n" " is specified, require max TLS version supported by SSL implementation.\n" "--tls-version-max <version> : sets the maximum TLS version we will use.\n" -#ifndef ENABLE_CRYPTO_POLARSSL +#ifndef ENABLE_CRYPTO_MBEDTLS "--pkcs12 file : PKCS#12 file containing local private key, local certificate\n" " and optionally the root CA certificate.\n" #endif @@ -584,7 +593,7 @@ static const char usage_message[] = " Default is CN in the Subject field.\n" #endif "--verify-hash : Specify SHA1 fingerprint for level-1 cert.\n" -#ifdef WIN32 +#ifdef _WIN32 "--cryptoapicert select-string : Load the certificate and private key from the\n" " Windows Certificate System Store.\n" #endif @@ -602,10 +611,17 @@ static const char usage_message[] = "--single-session: Allow only one session (reset state on restart).\n" "--tls-exit : Exit on TLS negotiation failure.\n" "--tls-auth f [d]: Add an additional layer of authentication on top of the TLS\n" - " control channel to protect against DoS attacks.\n" - " f (required) is a shared-secret passphrase file.\n" + " control channel to protect against attacks on the TLS stack\n" + " and DoS attacks.\n" + " f (required) is a shared-secret key file.\n" " The optional d parameter controls key directionality,\n" " see --secret option for more info.\n" + "--tls-crypt key : Add an additional layer of authenticated encryption on top\n" + " of the TLS control channel to hide the TLS certificate,\n" + " provide basic post-quantum security and protect against\n" + " attacks on the TLS stack and DoS attacks.\n" + " key (required) provides the pre-shared key file.\n" + " see --secret option for more info.\n" "--askpass [file]: Get PEM password from controlling tty before we daemonize.\n" "--auth-nocache : Don't cache --askpass or --auth-user-pass passwords.\n" "--crl-verify crl ['dir']: Check peer certificate against a CRL.\n" @@ -622,11 +638,12 @@ static const char usage_message[] = " of verification.\n" "--ns-cert-type t: Require that peer certificate was signed with an explicit\n" " nsCertType designation t = 'client' | 'server'.\n" -#ifdef ENABLE_X509_TRACK "--x509-track x : Save peer X509 attribute x in environment for use by\n" " plugins and management interface.\n" +#if defined(ENABLE_CRYPTO_OPENSSL) && OPENSSL_VERSION_NUMBER >= 0x10001000 + "--keying-material-exporter label len : Save Exported Keying Material (RFC5705)\n" + " of len bytes (min. 16 bytes) using label in environment for use by plugins.\n" #endif -#if OPENSSL_VERSION_NUMBER >= 0x00907000L || ENABLE_CRYPTO_POLARSSL "--remote-cert-ku v ... : Require that the peer certificate was signed with\n" " explicit key usage, you can specify more than one value.\n" " value should be given in hex format.\n" @@ -636,8 +653,6 @@ static const char usage_message[] = "--remote-cert-tls t: Require that peer certificate was signed with explicit\n" " key usage and extended key usage based on RFC3280 TLS rules.\n" " t = 'client' | 'server'.\n" -#endif /* OPENSSL_VERSION_NUMBER || ENABLE_CRYPTO_POLARSSL */ -#endif /* ENABLE_SSL */ #ifdef ENABLE_PKCS11 "\n" "PKCS#11 Options:\n" @@ -662,10 +677,8 @@ static const char usage_message[] = "--show-ciphers : Show cipher algorithms to use with --cipher option.\n" "--show-digests : Show message digest algorithms to use with --auth option.\n" "--show-engines : Show hardware crypto accelerator engines (if available).\n" -#ifdef ENABLE_SSL "--show-tls : Show all TLS ciphers (TLS used only as a control channel).\n" -#endif -#ifdef WIN32 +#ifdef _WIN32 "\n" "Windows Specific:\n" "--win-sys path : Pathname of Windows system directory. Default is the pathname\n" @@ -715,7 +728,9 @@ static const char usage_message[] = " optional parameter controls the initial state of ex.\n" "--show-net-up : Show " PACKAGE_NAME "'s view of routing table and net adapter list\n" " after TAP adapter is up and routes have been added.\n" +#ifdef _WIN32 "--block-outside-dns : Block DNS on other network adapters to prevent DNS leaks\n" +#endif "Windows Standalone Options:\n" "\n" "--show-adapters : Show all TAP-Windows adapters.\n" @@ -775,10 +790,13 @@ init_options (struct options *o, const bool init_gc) } o->mode = MODE_POINT_TO_POINT; o->topology = TOP_NET30; - o->ce.proto = PROTO_UDPv4; + o->ce.proto = PROTO_UDP; + o->ce.af = AF_UNSPEC; + o->ce.bind_ipv6_only = false; o->ce.connect_retry_seconds = 5; - o->ce.connect_timeout = 10; - o->ce.connect_retry_max = 0; + o->ce.connect_retry_seconds_max = 300; + o->ce.connect_timeout = 120; + o->connect_retry_max = 0; o->ce.local_port = o->ce.remote_port = OPENVPN_PORT; o->verbosity = 1; o->status_file_update_freq = 60; @@ -789,8 +807,8 @@ init_options (struct options *o, const bool init_gc) o->ce.mtu_discover_type = -1; o->ce.mssfix = MSSFIX_DEFAULT; o->route_delay_window = 30; - o->max_routes = MAX_ROUTES_DEFAULT; o->resolve_retry_seconds = RESOLV_RETRY_INFINITE; + o->resolve_in_advance = false; o->proto_force = -1; #ifdef ENABLE_OCC o->occ = true; @@ -806,7 +824,7 @@ init_options (struct options *o, const bool init_gc) #ifdef TARGET_LINUX o->tuntap_options.txqueuelen = 100; #endif -#ifdef WIN32 +#ifdef _WIN32 #if 0 o->tuntap_options.ip_win32_type = IPW32_SET_ADAPTIVE; #else @@ -829,13 +847,16 @@ init_options (struct options *o, const bool init_gc) #endif #if P2MP o->scheduled_exit_interval = 5; - o->server_poll_timeout = 0; #endif #ifdef ENABLE_CRYPTO o->ciphername = "BF-CBC"; - o->ciphername_defined = true; +#ifdef HAVE_AEAD_CIPHER_MODES /* IV_NCP=2 requires GCM support */ + o->ncp_enabled = true; +#else + o->ncp_enabled = false; +#endif + o->ncp_ciphers = "AES-256-GCM:AES-128-GCM"; o->authname = "SHA1"; - o->authname_defined = true; o->prng_hash = "SHA1"; o->prng_nonce_secret_len = 16; o->replay = true; @@ -846,25 +867,27 @@ init_options (struct options *o, const bool init_gc) #ifdef ENABLE_PREDICTION_RESISTANCE o->use_prediction_resistance = false; #endif -#ifdef ENABLE_SSL o->key_method = 2; o->tls_timeout = 2; + o->renegotiate_bytes = -1; o->renegotiate_seconds = 3600; o->handshake_window = 60; o->transition_window = 3600; + o->ecdh_curve = NULL; #ifdef ENABLE_X509ALTUSERNAME o->x509_username_field = X509_USERNAME_FIELD_DEFAULT; #endif -#endif /* ENABLE_SSL */ #endif /* ENABLE_CRYPTO */ #ifdef ENABLE_PKCS11 o->pkcs11_pin_cache_period = -1; #endif /* ENABLE_PKCS11 */ -/* tmp is only used in P2MP server context */ +/* P2MP server context features */ #if P2MP_SERVER + o->auth_token_generate = false; + /* Set default --tmp-dir */ -#ifdef WIN32 +#ifdef _WIN32 /* On Windows, find temp dir via enviroment variables */ o->tmp_dir = win_get_tempdir(); #else @@ -873,8 +896,9 @@ init_options (struct options *o, const bool init_gc) if( !o->tmp_dir ) { o->tmp_dir = "/tmp"; } -#endif /* WIN32 */ +#endif /* _WIN32 */ #endif /* P2MP_SERVER */ + o->allow_recursive_routing = false; } void @@ -886,6 +910,37 @@ uninit_options (struct options *o) } } +struct pull_filter +{ +# define PUF_TYPE_UNDEF 0 /** undefined filter type */ +# define PUF_TYPE_ACCEPT 1 /** filter type to accept a matching option */ +# define PUF_TYPE_IGNORE 2 /** filter type to ignore a matching option */ +# define PUF_TYPE_REJECT 3 /** filter type to reject and trigger SIGUSR1 */ + int type; + int size; + char *pattern; + struct pull_filter *next; +}; + +struct pull_filter_list +{ + struct pull_filter *head; + struct pull_filter *tail; +}; + +static const char * +pull_filter_type_name (int type) +{ + if (type == PUF_TYPE_ACCEPT) + return "accept"; + if (type == PUF_TYPE_IGNORE) + return "ignore"; + if (type == PUF_TYPE_REJECT) + return "reject"; + else + return "???"; +} + #ifndef ENABLE_SMALL #define SHOW_PARM(name, value, format) msg(D_SHOW_PARMS, " " #name " = " format, (value)) @@ -902,26 +957,22 @@ setenv_connection_entry (struct env_set *es, const struct connection_entry *e, const int i) { - setenv_str_i (es, "proto", proto2ascii (e->proto, false), i); + setenv_str_i (es, "proto", proto2ascii (e->proto, e->af, false), i); setenv_str_i (es, "local", e->local, i); - setenv_int_i (es, "local_port", e->local_port, i); + setenv_str_i (es, "local_port", e->local_port, i); setenv_str_i (es, "remote", e->remote, i); - setenv_int_i (es, "remote_port", e->remote_port, i); + setenv_str_i (es, "remote_port", e->remote_port, i); -#ifdef ENABLE_HTTP_PROXY if (e->http_proxy_options) { setenv_str_i (es, "http_proxy_server", e->http_proxy_options->server, i); - setenv_int_i (es, "http_proxy_port", e->http_proxy_options->port, i); + setenv_str_i (es, "http_proxy_port", e->http_proxy_options->port, i); } -#endif -#ifdef ENABLE_SOCKS if (e->socks_proxy_server) { setenv_str_i (es, "socks_proxy_server", e->socks_proxy_server, i); - setenv_int_i (es, "socks_proxy_port", e->socks_proxy_port, i); + setenv_str_i (es, "socks_proxy_port", e->socks_proxy_port, i); } -#endif } void @@ -1064,7 +1115,7 @@ string_substitute (const char *src, int from, int to, struct gc_arena *gc) return ret; } -#ifdef ENABLE_SSL +#ifdef ENABLE_CRYPTO static uint8_t * parse_hash_fingerprint(const char *str, int nbytes, int msglevel, struct gc_arena *gc) { @@ -1098,7 +1149,7 @@ parse_hash_fingerprint(const char *str, int nbytes, int msglevel, struct gc_aren } #endif -#ifdef WIN32 +#ifdef _WIN32 #ifndef ENABLE_SMALL @@ -1141,7 +1192,9 @@ show_tuntap_options (const struct tuntap_options *o) } #endif +#endif +#if defined(_WIN32) || defined(TARGET_ANDROID) static void dhcp_option_address_parse (const char *name, const char *parm, in_addr_t *array, int *len, int msglevel) { @@ -1231,9 +1284,11 @@ show_p2mp_parms (const struct options *o) SHOW_INT (max_routes_per_client); SHOW_STR (auth_user_pass_verify_script); SHOW_BOOL (auth_user_pass_verify_script_via_file); + SHOW_BOOL (auth_token_generate); + SHOW_INT (auth_token_lifetime); #if PORT_SHARE SHOW_STR (port_share_host); - SHOW_INT (port_share_port); + SHOW_STR (port_share_port); #endif #endif /* P2MP_SERVER */ @@ -1298,19 +1353,27 @@ option_iroute_ipv6 (struct options *o, #endif /* P2MP_SERVER */ #endif /* P2MP */ -#if defined(ENABLE_HTTP_PROXY) && !defined(ENABLE_SMALL) +#ifndef ENABLE_SMALL static void show_http_proxy_options (const struct http_proxy_options *o) { + int i; msg (D_SHOW_PARMS, "BEGIN http_proxy"); SHOW_STR (server); - SHOW_INT (port); + SHOW_STR (port); SHOW_STR (auth_method_string); SHOW_STR (auth_file); - SHOW_BOOL (retry); - SHOW_INT (timeout); SHOW_STR (http_version); SHOW_STR (user_agent); + for (i=0; i < MAX_CUSTOM_HTTP_HEADER && o->custom_headers[i].name;i++) + { + if (o->custom_headers[i].content) + msg (D_SHOW_PARMS, " custom_header[%d] = %s: %s", i, + o->custom_headers[i].name, o->custom_headers[i].content); + else + msg (D_SHOW_PARMS, " custom_header[%d] = %s", i, + o->custom_headers[i].name); + } msg (D_SHOW_PARMS, "END http_proxy"); } #endif @@ -1320,9 +1383,7 @@ options_detach (struct options *o) { gc_detach (&o->gc); o->routes = NULL; -#ifdef ENABLE_CLIENT_NAT o->client_nat = NULL; -#endif #if P2MP_SERVER clone_push_list(o); #endif @@ -1332,50 +1393,43 @@ void rol_check_alloc (struct options *options) { if (!options->routes) - options->routes = new_route_option_list (options->max_routes, &options->gc); + options->routes = new_route_option_list (&options->gc); } void rol6_check_alloc (struct options *options) { if (!options->routes_ipv6) - options->routes_ipv6 = new_route_ipv6_option_list (options->max_routes, &options->gc); + options->routes_ipv6 = new_route_ipv6_option_list (&options->gc); } -#ifdef ENABLE_CLIENT_NAT static void cnol_check_alloc (struct options *options) { if (!options->client_nat) options->client_nat = new_client_nat_list (&options->gc); } -#endif #ifndef ENABLE_SMALL static void show_connection_entry (const struct connection_entry *o) { - msg (D_SHOW_PARMS, " proto = %s", proto2ascii (o->proto, false)); + msg (D_SHOW_PARMS, " proto = %s", proto2ascii (o->proto, o->af, false)); SHOW_STR (local); - SHOW_INT (local_port); + SHOW_STR (local_port); SHOW_STR (remote); - SHOW_INT (remote_port); + SHOW_STR (remote_port); SHOW_BOOL (remote_float); SHOW_BOOL (bind_defined); SHOW_BOOL (bind_local); + SHOW_BOOL (bind_ipv6_only); SHOW_INT (connect_retry_seconds); SHOW_INT (connect_timeout); - SHOW_INT (connect_retry_max); -#ifdef ENABLE_HTTP_PROXY if (o->http_proxy_options) show_http_proxy_options (o->http_proxy_options); -#endif -#ifdef ENABLE_SOCKS SHOW_STR (socks_proxy_server); - SHOW_INT (socks_proxy_port); - SHOW_BOOL (socks_proxy_retry); -#endif + SHOW_STR (socks_proxy_port); SHOW_INT (tun_mtu); SHOW_BOOL (tun_mtu_defined); SHOW_INT (link_mtu); @@ -1399,8 +1453,6 @@ show_connection_entry (const struct connection_entry *o) static void show_connection_entries (const struct options *o) { - msg (D_SHOW_PARMS, "Connection profiles [default]:"); - show_connection_entry (&o->ce); if (o->connection_list) { const struct connection_list *l = o->connection_list; @@ -1411,9 +1463,28 @@ show_connection_entries (const struct options *o) show_connection_entry (l->array[i]); } } + else + { + msg (D_SHOW_PARMS, "Connection profiles [default]:"); + show_connection_entry (&o->ce); + } msg (D_SHOW_PARMS, "Connection profiles END"); } +static void +show_pull_filter_list (const struct pull_filter_list *l) +{ + struct pull_filter *f; + if (!l) + return; + + msg (D_SHOW_PARMS, " Pull filters:"); + for (f = l->head; f; f = f->next) + { + msg (D_SHOW_PARMS, " %s \"%s\"", pull_filter_type_name(f->type), f->pattern); + } +} + #endif void @@ -1436,12 +1507,11 @@ show_settings (const struct options *o) SHOW_BOOL (show_digests); SHOW_BOOL (show_engines); SHOW_BOOL (genkey); -#ifdef ENABLE_SSL SHOW_STR (key_pass_file); SHOW_BOOL (show_tls_ciphers); #endif -#endif + SHOW_INT (connect_retry_max); show_connection_entries (o); SHOW_BOOL (remote_random); @@ -1452,7 +1522,6 @@ show_settings (const struct options *o) SHOW_STR (dev_node); SHOW_STR (lladdr); SHOW_INT (topology); - SHOW_BOOL (tun_ipv6); SHOW_STR (ifconfig_local); SHOW_STR (ifconfig_remote_netmask); SHOW_BOOL (ifconfig_noexec); @@ -1488,6 +1557,7 @@ show_settings (const struct options *o) #endif SHOW_INT (resolve_retry_seconds); + SHOW_BOOL (resolve_in_advance); SHOW_STR (username); SHOW_STR (groupname); @@ -1506,6 +1576,7 @@ show_settings (const struct options *o) SHOW_INT (inetd); SHOW_BOOL (log); SHOW_BOOL (suppress_timestamps); + SHOW_BOOL (machine_readable_output); SHOW_INT (nice); SHOW_INT (verbosity); SHOW_INT (mute); @@ -1528,8 +1599,9 @@ show_settings (const struct options *o) SHOW_BOOL (fast_io); -#ifdef ENABLE_LZO - SHOW_INT (lzo); +#ifdef USE_COMP + SHOW_INT (comp.alg); + SHOW_INT (comp.flags); #endif SHOW_STR (route_script); @@ -1541,19 +1613,18 @@ show_settings (const struct options *o) SHOW_BOOL (route_delay_defined); SHOW_BOOL (route_nopull); SHOW_BOOL (route_gateway_via_dhcp); - SHOW_INT (max_routes); SHOW_BOOL (allow_pull_fqdn); + show_pull_filter_list (o->pull_filter_list); + if (o->routes) print_route_options (o->routes, D_SHOW_PARMS); - -#ifdef ENABLE_CLIENT_NAT + if (o->client_nat) print_client_nat_list(o->client_nat, D_SHOW_PARMS); -#endif #ifdef ENABLE_MANAGEMENT SHOW_STR (management_addr); - SHOW_INT (management_port); + SHOW_STR (management_port); SHOW_STR (management_user_pass); SHOW_INT (management_log_history_cache); SHOW_INT (management_echo_buffer_size); @@ -1570,16 +1641,14 @@ show_settings (const struct options *o) #ifdef ENABLE_CRYPTO SHOW_STR (shared_secret_file); SHOW_INT (key_direction); - SHOW_BOOL (ciphername_defined); SHOW_STR (ciphername); - SHOW_BOOL (authname_defined); SHOW_STR (authname); SHOW_STR (prng_hash); SHOW_INT (prng_nonce_secret_len); SHOW_INT (keysize); -#ifndef ENABLE_CRYPTO_POLARSSL +#ifndef ENABLE_CRYPTO_MBEDTLS SHOW_BOOL (engine); -#endif /* ENABLE_CRYPTO_POLARSSL */ +#endif /* ENABLE_CRYPTO_MBEDTLS */ SHOW_BOOL (replay); SHOW_BOOL (mute_replay_warnings); SHOW_INT (replay_window); @@ -1591,13 +1660,17 @@ show_settings (const struct options *o) SHOW_BOOL (use_prediction_resistance); #endif -#ifdef ENABLE_SSL SHOW_BOOL (tls_server); SHOW_BOOL (tls_client); SHOW_INT (key_method); SHOW_STR (ca_file); SHOW_STR (ca_path); SHOW_STR (dh_file); +#ifdef MANAGMENT_EXTERNAL_KEY + if((o->management_flags & MF_EXTERNAL_CERT)) + SHOW_PARM ("cert_file","EXTERNAL_CERT","%s"); + else +#endif SHOW_STR (cert_file); SHOW_STR (extra_certs_file); @@ -1607,7 +1680,7 @@ show_settings (const struct options *o) else #endif SHOW_STR (priv_key_file); -#ifndef ENABLE_CRYPTO_POLARSSL +#ifndef ENABLE_CRYPTO_MBEDTLS SHOW_STR (pkcs12_file); #endif #ifdef ENABLE_CRYPTOAPI @@ -1644,8 +1717,8 @@ show_settings (const struct options *o) SHOW_BOOL (tls_exit); SHOW_STR (tls_auth_file); -#endif -#endif + SHOW_STR (tls_crypt_file); +#endif /* ENABLE_CRYPTO */ #ifdef ENABLE_PKCS11 { @@ -1677,7 +1750,7 @@ show_settings (const struct options *o) show_p2mp_parms (o); #endif -#ifdef WIN32 +#ifdef _WIN32 SHOW_BOOL (show_net_up); SHOW_INT (route_method); SHOW_BOOL (block_outside_dns); @@ -1691,7 +1764,7 @@ show_settings (const struct options *o) #undef SHOW_INT #undef SHOW_BOOL -#if HTTP_PROXY_OVERRIDE +#ifdef ENABLE_MANAGEMENT static struct http_proxy_options * parse_http_proxy_override (const char *server, @@ -1703,19 +1776,9 @@ parse_http_proxy_override (const char *server, if (server && port) { struct http_proxy_options *ho; - const int int_port = atoi(port); - - if (!legal_ipv4_port (int_port)) - { - msg (msglevel, "Bad http-proxy port number: %s", port); - return NULL; - } - ALLOC_OBJ_CLEAR_GC (ho, struct http_proxy_options, gc); ho->server = string_alloc(server, gc); - ho->port = int_port; - ho->retry = true; - ho->timeout = 5; + ho->port = port; if (flags && !strcmp(flags, "nct")) ho->auth_retry = PAR_NCT; else @@ -1732,32 +1795,31 @@ void options_postprocess_http_proxy_override (struct options *o) { const struct connection_list *l = o->connection_list; - if (l) + int i; + bool succeed = false; + for (i = 0; i < l->len; ++i) + { + struct connection_entry *ce = l->array[i]; + if (ce->proto == PROTO_TCP_CLIENT || ce->proto == PROTO_TCP) + { + ce->http_proxy_options = o->http_proxy_override; + succeed = true; + } + } + if (succeed) { - int i; - bool succeed = false; for (i = 0; i < l->len; ++i) - { - struct connection_entry *ce = l->array[i]; - if (ce->proto == PROTO_TCPv4_CLIENT || ce->proto == PROTO_TCPv4) - { - ce->http_proxy_options = o->http_proxy_override; - succeed = true; - } - } - if (succeed) - { - for (i = 0; i < l->len; ++i) - { - struct connection_entry *ce = l->array[i]; - if (ce->proto == PROTO_UDPv4) - { - ce->flags |= CE_DISABLED; - } - } - } - else - msg (M_WARN, "Note: option http-proxy-override ignored because no TCP-based connection profiles are defined"); + { + struct connection_entry *ce = l->array[i]; + if (ce->proto == PROTO_UDP) + { + ce->flags |= CE_DISABLED; + } + } + } + else + { + msg (M_WARN, "Note: option http-proxy-override ignored because no TCP-based connection profiles are defined"); } } @@ -1811,15 +1873,46 @@ alloc_remote_entry (struct options *options, const int msglevel) return e; } +static struct pull_filter_list * +alloc_pull_filter_list (struct options *o) +{ + if (!o->pull_filter_list) + ALLOC_OBJ_CLEAR_GC (o->pull_filter_list, struct pull_filter_list, &o->gc); + return o->pull_filter_list; +} + +static struct pull_filter * +alloc_pull_filter (struct options *o, const int msglevel) +{ + struct pull_filter_list *l = alloc_pull_filter_list (o); + struct pull_filter *f; + + ALLOC_OBJ_CLEAR_GC (f, struct pull_filter, &o->gc); + if (l->head) + { + ASSERT (l->tail); + l->tail->next = f; + } + else + { + ASSERT (!l->tail); + l->head = f; + } + l->tail = f; + return f; +} + void connection_entry_load_re (struct connection_entry *ce, const struct remote_entry *re) { if (re->remote) ce->remote = re->remote; - if (re->remote_port >= 0) + if (re->remote_port) ce->remote_port = re->remote_port; if (re->proto >= 0) ce->proto = re->proto; + if (re->af > 0) + ce->af = re->af; } static void @@ -1849,10 +1942,8 @@ options_postprocess_verify_ce (const struct options *options, const struct conne * If "proto tcp" is specified, make sure we know whether it is * tcp-client or tcp-server. */ - if (ce->proto == PROTO_TCPv4) + if (ce->proto == PROTO_TCP) msg (M_USAGE, "--proto tcp is ambiguous in this context. Please specify --proto tcp-server or --proto tcp-client"); - if (ce->proto == PROTO_TCPv6) - msg (M_USAGE, "--proto tcp6 is ambiguous in this context. Please specify --proto tcp6-server or --proto tcp6-client"); /* * Sanity check on daemon/inetd modes @@ -1864,14 +1955,14 @@ options_postprocess_verify_ce (const struct options *options, const struct conne if (options->inetd && (ce->local || ce->remote)) msg (M_USAGE, "--local or --remote cannot be used with --inetd"); - if (options->inetd && ce->proto == PROTO_TCPv4_CLIENT) + if (options->inetd && ce->proto == PROTO_TCP_CLIENT) msg (M_USAGE, "--proto tcp-client cannot be used with --inetd"); - if (options->inetd == INETD_NOWAIT && ce->proto != PROTO_TCPv4_SERVER) + if (options->inetd == INETD_NOWAIT && ce->proto != PROTO_TCP_SERVER) msg (M_USAGE, "--inetd nowait can only be used with --proto tcp-server"); if (options->inetd == INETD_NOWAIT -#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL) +#ifdef ENABLE_CRYPTO && !(options->tls_server || options->tls_client) #endif ) @@ -1885,20 +1976,6 @@ options_postprocess_verify_ce (const struct options *options, const struct conne msg (M_USAGE, "--lladdr can only be used in --dev tap mode"); /* - * Sanity check on TCP mode options - */ - - if (ce->connect_retry_defined && ce->proto != PROTO_TCPv4_CLIENT - && ce->proto != PROTO_TCPv6_CLIENT) - msg (M_USAGE, "--connect-retry doesn't make sense unless also used with " - "--proto tcp-client or tcp6-client"); - - if (ce->connect_timeout_defined && ce->proto != PROTO_TCPv4_CLIENT - && ce->proto != PROTO_TCPv6_CLIENT) - msg (M_USAGE, "--connect-timeout doesn't make sense unless also used with " - "--proto tcp-client or tcp6-client"); - - /* * Sanity check on MTU parameters */ if (options->ce.tun_mtu_defined && options->ce.link_mtu_defined) @@ -1920,7 +1997,7 @@ options_postprocess_verify_ce (const struct options *options, const struct conne if (proto_is_net(ce->proto) && string_defined_equal (ce->local, ce->remote) - && ce->local_port == ce->remote_port) + && string_defined_equal (ce->local_port, ce->remote_port)) msg (M_USAGE, "--remote and --local addresses are the same"); if (string_defined_equal (ce->remote, options->ifconfig_local) @@ -1965,7 +2042,7 @@ options_postprocess_verify_ce (const struct options *options, const struct conne * Windows-specific options. */ -#ifdef WIN32 +#ifdef _WIN32 if (dev == DEV_TYPE_TUN && !(pull || (options->ifconfig_local && options->ifconfig_remote_netmask))) msg (M_USAGE, "On Windows, --ifconfig is required when --dev tun is used"); @@ -1993,29 +2070,21 @@ options_postprocess_verify_ce (const struct options *options, const struct conne msg (M_USAGE, "--explicit-exit-notify can only be used with --proto udp"); #endif - if (!ce->remote && (ce->proto == PROTO_TCPv4_CLIENT - || ce->proto == PROTO_TCPv6_CLIENT)) + if (!ce->remote && ce->proto == PROTO_TCP_CLIENT) msg (M_USAGE, "--remote MUST be used in TCP Client mode"); -#ifdef ENABLE_HTTP_PROXY - if ((ce->http_proxy_options) && ce->proto != PROTO_TCPv4_CLIENT) + if ((ce->http_proxy_options) && ce->proto != PROTO_TCP_CLIENT) msg (M_USAGE, "--http-proxy MUST be used in TCP Client mode (i.e. --proto tcp-client)"); if ((ce->http_proxy_options) && !ce->http_proxy_options->server) msg (M_USAGE, "--http-proxy not specified but other http proxy options present"); -#endif -#if defined(ENABLE_HTTP_PROXY) && defined(ENABLE_SOCKS) if (ce->http_proxy_options && ce->socks_proxy_server) msg (M_USAGE, "--http-proxy can not be used together with --socks-proxy"); -#endif -#ifdef ENABLE_SOCKS - if (ce->socks_proxy_server && ce->proto == PROTO_TCPv4_SERVER) + if (ce->socks_proxy_server && ce->proto == PROTO_TCP_SERVER) msg (M_USAGE, "--socks-proxy can not be used in TCP Server mode"); -#endif - if ((ce->proto == PROTO_TCPv4_SERVER || ce->proto == PROTO_TCPv6_SERVER) - && connection_list_defined (options)) + if (ce->proto == PROTO_TCP_SERVER && (options->connection_list->len > 1)) msg (M_USAGE, "TCP server mode allows at most one --remote address"); #if P2MP_SERVER @@ -2029,13 +2098,14 @@ options_postprocess_verify_ce (const struct options *options, const struct conne msg (M_USAGE, "--mode server only works with --dev tun or --dev tap"); if (options->pull) msg (M_USAGE, "--pull cannot be used with --mode server"); - if (!(proto_is_udp(ce->proto) || ce->proto == PROTO_TCPv4_SERVER - || ce->proto == PROTO_TCPv6_SERVER)) + if (options->pull_filter_list) + msg (M_USAGE, "--pull-filter cannot be used with --mode server"); + if (!(proto_is_udp(ce->proto) || ce->proto == PROTO_TCP_SERVER)) msg (M_USAGE, "--mode server currently only supports " "--proto udp or --proto tcp-server or proto tcp6-server"); #if PORT_SHARE if ((options->port_share_host || options->port_share_port) && - (ce->proto != PROTO_TCPv4_SERVER && ce->proto != PROTO_TCPv6_SERVER)) + (ce->proto != PROTO_TCP_SERVER)) msg (M_USAGE, "--port-share only works in TCP server mode " "(--proto tcp-server or tcp6-server)"); #endif @@ -2045,38 +2115,29 @@ options_postprocess_verify_ce (const struct options *options, const struct conne msg (M_USAGE, "--remote cannot be used with --mode server"); if (!ce->bind_local) msg (M_USAGE, "--nobind cannot be used with --mode server"); -#ifdef ENABLE_HTTP_PROXY if (ce->http_proxy_options) msg (M_USAGE, "--http-proxy cannot be used with --mode server"); -#endif -#ifdef ENABLE_SOCKS if (ce->socks_proxy_server) msg (M_USAGE, "--socks-proxy cannot be used with --mode server"); -#endif - if (options->connection_list) - msg (M_USAGE, "<connection> cannot be used with --mode server"); -#if 0 - if (options->tun_ipv6) - msg (M_USAGE, "--tun-ipv6 cannot be used with --mode server"); -#endif + /* <connection> blocks force to have a remote embedded, so we check for the + * --remote and bail out if it is present */ + if (options->connection_list->len >1 || + options->connection_list->array[0]->remote) + msg (M_USAGE, "<connection> cannot be used with --mode server"); + if (options->shaper) msg (M_USAGE, "--shaper cannot be used with --mode server"); if (options->inetd) msg (M_USAGE, "--inetd cannot be used with --mode server"); if (options->ipchange) msg (M_USAGE, "--ipchange cannot be used with --mode server (use --client-connect instead)"); - if (!(proto_is_dgram(ce->proto) || ce->proto == PROTO_TCPv4_SERVER - || ce->proto == PROTO_TCPv6_SERVER)) + if (!(proto_is_dgram(ce->proto) || ce->proto == PROTO_TCP_SERVER)) msg (M_USAGE, "--mode server currently only supports " "--proto udp or --proto tcp-server or --proto tcp6-server"); if (!proto_is_udp(ce->proto) && (options->cf_max || options->cf_per)) msg (M_USAGE, "--connect-freq only works with --mode server --proto udp. Try --max-clients instead."); if (!(dev == DEV_TYPE_TAP || (dev == DEV_TYPE_TUN && options->topology == TOP_SUBNET)) && options->ifconfig_pool_netmask) msg (M_USAGE, "The third parameter to --ifconfig-pool (netmask) is only valid in --dev tap mode"); -#ifdef ENABLE_OCC - if (ce->explicit_exit_notification) - msg (M_USAGE, "--explicit-exit-notify cannot be used with --mode server"); -#endif if (options->routes && (options->routes->flags & RG_ENABLE)) msg (M_USAGE, "--redirect-gateway cannot be used with --mode server (however --push \"redirect-gateway\" is fine)"); if (options->route_delay_defined) @@ -2087,9 +2148,8 @@ options_postprocess_verify_ce (const struct options *options, const struct conne msg (M_USAGE, "--ifconfig-pool-persist must be used with --ifconfig-pool"); if (options->ifconfig_ipv6_pool_defined && !options->ifconfig_ipv6_local ) msg (M_USAGE, "--ifconfig-ipv6-pool needs --ifconfig-ipv6"); - if (options->ifconfig_ipv6_local && !options->tun_ipv6 ) - msg (M_INFO, "Warning: --ifconfig-ipv6 without --tun-ipv6 will not do IPv6"); - + if (options->allow_recursive_routing) + msg (M_USAGE, "--allow-recursive-routing cannot be used with --mode server"); if (options->auth_user_pass_file) msg (M_USAGE, "--auth-user-pass cannot be used with --mode server (it should be used on the client side only)"); if (options->ccd_exclusive && !options->client_config_dir) @@ -2102,8 +2162,8 @@ options_postprocess_verify_ce (const struct options *options, const struct conne || PLUGIN_OPTION_LIST (options) || MAN_CLIENT_AUTH_ENABLED (options)); const char *postfix = "must be used with --management-client-auth, an --auth-user-pass-verify script, or plugin"; - if ((options->ssl_flags & SSLF_CLIENT_CERT_NOT_REQUIRED) && !ccnr) - msg (M_USAGE, "--client-cert-not-required %s", postfix); + if ((options->ssl_flags & (SSLF_CLIENT_CERT_NOT_REQUIRED|SSLF_CLIENT_CERT_OPTIONAL)) && !ccnr) + msg (M_USAGE, "--verify-client-cert none|optional %s", postfix); if ((options->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME) && !ccnr) msg (M_USAGE, "--username-as-common-name %s", postfix); if ((options->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL) && !ccnr) @@ -2137,8 +2197,8 @@ options_postprocess_verify_ce (const struct options *options, const struct conne msg (M_USAGE, "--duplicate-cn requires --mode server"); if (options->cf_max || options->cf_per) msg (M_USAGE, "--connect-freq requires --mode server"); - if (options->ssl_flags & SSLF_CLIENT_CERT_NOT_REQUIRED) - msg (M_USAGE, "--client-cert-not-required requires --mode server"); + if (options->ssl_flags & (SSLF_CLIENT_CERT_NOT_REQUIRED|SSLF_CLIENT_CERT_OPTIONAL)) + msg (M_USAGE, "--client-cert-not-required and --verify-client-cert require --mode server"); if (options->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME) msg (M_USAGE, "--username-as-common-name requires --mode server"); if (options->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL) @@ -2151,6 +2211,8 @@ options_postprocess_verify_ce (const struct options *options, const struct conne "tcp-nodelay in the server configuration instead."); if (options->auth_user_pass_verify_script) msg (M_USAGE, "--auth-user-pass-verify requires --mode server"); + if (options->auth_token_generate) + msg (M_USAGE, "--auth-gen-token requires --mode server"); #if PORT_SHARE if (options->port_share_host || options->port_share_port) msg (M_USAGE, "--port-share requires TCP server mode (--mode server --proto tcp-server)"); @@ -2165,14 +2227,14 @@ options_postprocess_verify_ce (const struct options *options, const struct conne #ifdef ENABLE_CRYPTO + if (options->ncp_enabled && !tls_check_ncp_cipher_list(options->ncp_ciphers)) + { + msg (M_USAGE, "NCP cipher list contains unsupported ciphers."); + } + /* * Check consistency of replay options */ - if ((!proto_is_udp(ce->proto)) - && (options->replay_window != defaults.replay_window - || options->replay_time != defaults.replay_time)) - msg (M_USAGE, "--replay-window only makes sense with --proto udp"); - if (!options->replay && (options->replay_window != defaults.replay_window || options->replay_time != defaults.replay_time)) @@ -2181,16 +2243,24 @@ options_postprocess_verify_ce (const struct options *options, const struct conne /* * SSL/TLS mode sanity checks. */ - -#ifdef ENABLE_SSL if (options->tls_server + options->tls_client + (options->shared_secret_file != NULL) > 1) msg (M_USAGE, "specify only one of --tls-server, --tls-client, or --secret"); - if (options->tls_server) + if (options->ssl_flags & (SSLF_CLIENT_CERT_NOT_REQUIRED|SSLF_CLIENT_CERT_OPTIONAL)) + { + msg (M_WARN, "WARNING: POTENTIALLY DANGEROUS OPTION " + "--verify-client-cert none|optional (or --client-cert-not-required) " + "may accept clients which do not present a certificate"); + } + + if (options->key_method == 1) { - notnull (options->dh_file, "DH file (--dh)"); + msg (M_WARN, "WARNING: --key-method 1 is deprecated and will be removed " + "in OpenVPN 2.5. By default --key-method 2 will be used if not set " + "in the configuration file, which is the recommended approach."); } + if (options->tls_server || options->tls_client) { #ifdef ENABLE_PKCS11 @@ -2209,6 +2279,8 @@ options_postprocess_verify_ce (const struct options *options, const struct conne #ifdef MANAGMENT_EXTERNAL_KEY if (options->management_flags & MF_EXTERNAL_KEY) msg(M_USAGE, "Parameter --management-external-key cannot be used when --pkcs11-provider is also specified."); + if (options->management_flags & MF_EXTERNAL_CERT) + msg(M_USAGE, "Parameter --management-external-cert cannot be used when --pkcs11-provider is also specified."); #endif if (options->pkcs12_file) msg(M_USAGE, "Parameter --pkcs12 cannot be used when --pkcs11-provider is also specified."); @@ -2224,6 +2296,13 @@ options_postprocess_verify_ce (const struct options *options, const struct conne { msg (M_USAGE, "--key and --management-external-key are mutually exclusive"); } + else if((options->management_flags & MF_EXTERNAL_CERT)) + { + if (options->cert_file) + msg (M_USAGE, "--cert and --management-external-cert are mutually exclusive"); + else if(!(options->management_flags & MF_EXTERNAL_KEY)) + msg (M_USAGE, "--management-external-cert must be used with --management-external-key"); + } else #endif #ifdef ENABLE_CRYPTOAPI @@ -2240,14 +2319,16 @@ options_postprocess_verify_ce (const struct options *options, const struct conne #ifdef MANAGMENT_EXTERNAL_KEY if (options->management_flags & MF_EXTERNAL_KEY) msg(M_USAGE, "Parameter --management-external-key cannot be used when --cryptoapicert is also specified."); + if (options->management_flags & MF_EXTERNAL_CERT) + msg(M_USAGE, "Parameter --management-external-cert cannot be used when --cryptoapicert is also specified."); #endif } else #endif if (options->pkcs12_file) { -#ifdef ENABLE_CRYPTO_POLARSSL - msg(M_USAGE, "Parameter --pkcs12 cannot be used with the PolarSSL version version of OpenVPN."); +#ifdef ENABLE_CRYPTO_MBEDTLS + msg(M_USAGE, "Parameter --pkcs12 cannot be used with the mbed TLS version version of OpenVPN."); #else if (options->ca_path) msg(M_USAGE, "Parameter --capath cannot be used when --pkcs12 is also specified."); @@ -2257,17 +2338,19 @@ options_postprocess_verify_ce (const struct options *options, const struct conne msg(M_USAGE, "Parameter --key cannot be used when --pkcs12 is also specified."); #ifdef MANAGMENT_EXTERNAL_KEY if (options->management_flags & MF_EXTERNAL_KEY) - msg(M_USAGE, "Parameter --external-management-key cannot be used when --pkcs12 is also specified."); + msg(M_USAGE, "Parameter --management-external-key cannot be used when --pkcs12 is also specified."); + if (options->management_flags & MF_EXTERNAL_CERT) + msg(M_USAGE, "Parameter --management-external-cert cannot be used when --pkcs12 is also specified."); #endif #endif } else { -#ifdef ENABLE_CRYPTO_POLARSSL +#ifdef ENABLE_CRYPTO_MBEDTLS if (!(options->ca_file)) msg(M_USAGE, "You must define CA file (--ca)"); if (options->ca_path) - msg(M_USAGE, "Parameter --capath cannot be used with the PolarSSL version version of OpenVPN."); + msg(M_USAGE, "Parameter --capath cannot be used with the mbed TLS version version of OpenVPN."); #else if ((!(options->ca_file)) && (!(options->ca_path))) msg(M_USAGE, "You must define CA file (--ca) or CA path (--capath)"); @@ -2275,14 +2358,14 @@ options_postprocess_verify_ce (const struct options *options, const struct conne if (pull) { - const int sum = (options->cert_file != NULL) + + const int sum = #ifdef MANAGMENT_EXTERNAL_KEY - ((options->priv_key_file != NULL) || (options->management_flags & MF_EXTERNAL_KEY)); + ((options->cert_file != NULL) || (options->management_flags & MF_EXTERNAL_CERT)) + + ((options->priv_key_file != NULL) || (options->management_flags & MF_EXTERNAL_KEY)); #else - (options->priv_key_file != NULL); + (options->cert_file != NULL) + (options->priv_key_file != NULL); #endif - if (sum == 0) { #if P2MP @@ -2299,6 +2382,9 @@ options_postprocess_verify_ce (const struct options *options, const struct conne } else { +#ifdef MANAGMENT_EXTERNAL_KEY + if (!(options->management_flags & MF_EXTERNAL_CERT)) +#endif notnull (options->cert_file, "certificate file (--cert) or PKCS#12 file (--pkcs12)"); #ifdef MANAGMENT_EXTERNAL_KEY if (!(options->management_flags & MF_EXTERNAL_KEY)) @@ -2306,6 +2392,10 @@ options_postprocess_verify_ce (const struct options *options, const struct conne notnull (options->priv_key_file, "private key file (--key) or PKCS#12 file (--pkcs12)"); } } + if (options->tls_auth_file && options->tls_crypt_file) + { + msg (M_USAGE, "--tls-auth and --tls-crypt are mutually exclusive"); + } } else { @@ -2323,7 +2413,7 @@ options_postprocess_verify_ce (const struct options *options, const struct conne MUST_BE_UNDEF (dh_file); MUST_BE_UNDEF (cert_file); MUST_BE_UNDEF (priv_key_file); -#ifndef ENABLE_CRYPTO_POLARSSL +#ifndef ENABLE_CRYPTO_MBEDTLS MUST_BE_UNDEF (pkcs12_file); #endif MUST_BE_UNDEF (cipher_list); @@ -2337,6 +2427,7 @@ options_postprocess_verify_ce (const struct options *options, const struct conne MUST_BE_UNDEF (handshake_window); MUST_BE_UNDEF (transition_window); MUST_BE_UNDEF (tls_auth_file); + MUST_BE_UNDEF (tls_crypt_file); MUST_BE_UNDEF (single_session); #ifdef ENABLE_PUSH_PEER_INFO MUST_BE_UNDEF (push_peer_info); @@ -2353,16 +2444,12 @@ options_postprocess_verify_ce (const struct options *options, const struct conne MUST_BE_UNDEF (pkcs11_id); MUST_BE_UNDEF (pkcs11_id_management); #endif -#if P2MP - MUST_BE_UNDEF (server_poll_timeout); -#endif if (pull) msg (M_USAGE, err, "--pull"); } #undef MUST_BE_UNDEF #endif /* ENABLE_CRYPTO */ -#endif /* ENABLE_SSL */ #if P2MP if (options->auth_user_pass_file && !options->pull) @@ -2380,35 +2467,29 @@ options_postprocess_mutate_ce (struct options *o, struct connection_entry *ce) #if P2MP_SERVER if (o->server_defined || o->server_bridge_defined || o->server_bridge_proxy_dhcp) { - if (ce->proto == PROTO_TCPv4) - ce->proto = PROTO_TCPv4_SERVER; - else if (ce->proto == PROTO_TCPv6) - ce->proto = PROTO_TCPv6_SERVER; + if (ce->proto == PROTO_TCP) + ce->proto = PROTO_TCP_SERVER; } #endif #if P2MP if (o->client) { - if (ce->proto == PROTO_TCPv4) - ce->proto = PROTO_TCPv4_CLIENT; - else if (ce->proto == PROTO_TCPv6) - ce->proto = PROTO_TCPv6_CLIENT; + if (ce->proto == PROTO_TCP) + ce->proto = PROTO_TCP_CLIENT; } #endif - if (ce->proto == PROTO_TCPv4_CLIENT && !ce->local && !ce->local_port_defined && !ce->bind_defined) + if (ce->proto == PROTO_TCP_CLIENT && !ce->local && !ce->local_port_defined && !ce->bind_defined) ce->bind_local = false; -#ifdef ENABLE_SOCKS - if (ce->proto == PROTO_UDPv4 && ce->socks_proxy_server && !ce->local && !ce->local_port_defined && !ce->bind_defined) + if (ce->proto == PROTO_UDP && ce->socks_proxy_server && !ce->local && !ce->local_port_defined && !ce->bind_defined) ce->bind_local = false; -#endif if (!ce->bind_local) - ce->local_port = 0; + ce->local_port = NULL; /* if protocol forcing is enabled, disable all protocols except for the forced one */ - if (o->proto_force >= 0 && proto_is_tcp(o->proto_force) != proto_is_tcp(ce->proto)) + if (o->proto_force >= 0 && o->proto_force != ce->proto) ce->flags |= CE_DISABLED; /* @@ -2445,7 +2526,9 @@ options_postprocess_mutate_ce (struct options *o, struct connection_entry *ce) static void options_postprocess_mutate_invariant (struct options *options) { +#ifdef _WIN32 const int dev = dev_type_enum (options->dev, options->dev_type); +#endif /* * In forking TCP server mode, you don't need to ifconfig @@ -2454,7 +2537,7 @@ options_postprocess_mutate_invariant (struct options *options) if (options->inetd == INETD_NOWAIT) options->ifconfig_noexec = true; -#ifdef WIN32 +#ifdef _WIN32 if ((dev == DEV_TYPE_TUN || dev == DEV_TYPE_TAP) && !options->route_delay_defined) { if (options->mode == MODE_POINT_TO_POINT) @@ -2477,7 +2560,7 @@ options_postprocess_mutate_invariant (struct options *options) */ if (options->mode == MODE_SERVER) { -#ifdef WIN32 +#ifdef _WIN32 /* * We need to explicitly set --tap-sleep because * we do not schedule event timers in the top-level context. @@ -2516,6 +2599,7 @@ options_postprocess_verify (const struct options *o) static void options_postprocess_mutate (struct options *o) { + int i; /* * Process helper-type options which map to other, more complex * sequences of options. @@ -2529,48 +2613,57 @@ options_postprocess_mutate (struct options *o) if (o->remote_list && !o->connection_list) { /* - * For compatibility with 2.0.x, map multiple --remote options - * into connection list (connection lists added in 2.1). + * Convert remotes into connection list */ - if (o->remote_list->len > 1 || o->force_connection_list) - { - const struct remote_list *rl = o->remote_list; - int i; - for (i = 0; i < rl->len; ++i) - { - const struct remote_entry *re = rl->array[i]; - struct connection_entry ce = o->ce; - struct connection_entry *ace; - - ASSERT (re->remote); - connection_entry_load_re (&ce, re); - ace = alloc_connection_entry (o, M_USAGE); - ASSERT (ace); - *ace = ce; - } - } - else if (o->remote_list->len == 1) /* one --remote option specified */ - { - connection_entry_load_re (&o->ce, o->remote_list->array[0]); - } - else - { - ASSERT (0); - } + const struct remote_list *rl = o->remote_list; + for (i = 0; i < rl->len; ++i) + { + const struct remote_entry *re = rl->array[i]; + struct connection_entry ce = o->ce; + struct connection_entry *ace; + + ASSERT (re->remote); + connection_entry_load_re (&ce, re); + ace = alloc_connection_entry (o, M_USAGE); + ASSERT (ace); + *ace = ce; + } } - if (o->connection_list) + else if(!o->remote_list && !o->connection_list) { - int i; - for (i = 0; i < o->connection_list->len; ++i) + struct connection_entry *ace; + ace = alloc_connection_entry (o, M_USAGE); + ASSERT (ace); + *ace = o->ce; + } + + ASSERT (o->connection_list); + for (i = 0; i < o->connection_list->len; ++i) options_postprocess_mutate_ce (o, o->connection_list->array[i]); -#if HTTP_PROXY_OVERRIDE - if (o->http_proxy_override) +#ifdef ENABLE_CRYPTO + if (o->tls_server) + { + /* Check that DH file is specified, or explicitly disabled */ + notnull (o->dh_file, "DH file (--dh)"); + if (streq (o->dh_file, "none")) + o->dh_file = NULL; + } + + /* cipher negotiation (NCP) currently assumes --pull or --mode server */ + if ( o->ncp_enabled && + ! (o->pull || o->mode == MODE_SERVER) ) + { + msg( M_WARN, "disabling NCP mode (--ncp-disable) because not " + "in P2MP client or server mode" ); + o->ncp_enabled = false; + } +#endif + +#if ENABLE_MANAGEMENT + if (o->http_proxy_override) options_postprocess_http_proxy_override(o); #endif - } - else - options_postprocess_mutate_ce (o, &o->ce); #ifdef ENABLE_CRYPTOAPI if (o->cryptoapi_cert) @@ -2609,6 +2702,7 @@ options_postprocess_mutate (struct options *o) #define CHKACC_FILEXSTWR (1<<2) /** If file exists, is it writable? */ #define CHKACC_INLINE (1<<3) /** File is present if it's an inline file */ #define CHKACC_ACPTSTDIN (1<<4) /** If filename is stdin, it's allowed and "exists" */ +#define CHKACC_PRIVATE (1<<5) /** Warn if this (private) file is group/others accessible */ static bool check_file_access(const int type, const char *file, const int mode, const char *opt) @@ -2649,6 +2743,23 @@ check_file_access(const int type, const char *file, const int mode, const char * if (platform_access (file, W_OK) != 0) errcode = errno; + /* Warn if a given private file is group/others accessible. */ + if (type & CHKACC_PRIVATE) + { + platform_stat_t st; + if (platform_stat (file, &st)) + { + msg (M_WARN | M_ERRNO, "WARNING: cannot stat file '%s'", file); + } +#ifndef _WIN32 + else + { + if (st.st_mode & (S_IRWXG|S_IRWXO)) + msg (M_WARN, "WARNING: file '%s' is group or others accessible", file); + } +#endif + } + /* Scream if an error is found */ if( errcode > 0 ) msg (M_NOPREFIX|M_OPTERR, "%s fails with '%s': %s", @@ -2724,7 +2835,7 @@ check_cmd_access(const char *command, const char *opt, const char *chroot) /* Extract executable path and arguments */ argv = argv_new (); - argv_printf (&argv, "%sc", command); + argv_parse_cmd (&argv, command); /* if an executable is specified then check it; otherwise, complain */ if (argv.argv[0]) @@ -2754,8 +2865,8 @@ options_postprocess_filechecks (struct options *options) { bool errs = false; +#ifdef ENABLE_CRYPTO /* ** SSL/TLS/crypto related files ** */ -#ifdef ENABLE_SSL errs |= check_file_access (CHKACC_FILE|CHKACC_INLINE, options->dh_file, R_OK, "--dh"); errs |= check_file_access (CHKACC_FILE|CHKACC_INLINE, options->ca_file, R_OK, "--ca"); errs |= check_file_access_chroot (options->chroot_dir, CHKACC_FILE, options->ca_path, R_OK, "--capath"); @@ -2765,41 +2876,40 @@ options_postprocess_filechecks (struct options *options) #ifdef MANAGMENT_EXTERNAL_KEY if(!(options->management_flags & MF_EXTERNAL_KEY)) #endif - errs |= check_file_access (CHKACC_FILE|CHKACC_INLINE, options->priv_key_file, R_OK, - "--key"); - errs |= check_file_access (CHKACC_FILE|CHKACC_INLINE, options->pkcs12_file, R_OK, - "--pkcs12"); + { + errs |= check_file_access (CHKACC_FILE|CHKACC_INLINE|CHKACC_PRIVATE, + options->priv_key_file, R_OK, "--key"); + } + errs |= check_file_access (CHKACC_FILE|CHKACC_INLINE|CHKACC_PRIVATE, + options->pkcs12_file, R_OK, "--pkcs12"); if (options->ssl_flags & SSLF_CRL_VERIFY_DIR) errs |= check_file_access_chroot (options->chroot_dir, CHKACC_FILE, options->crl_file, R_OK|X_OK, "--crl-verify directory"); else - errs |= check_file_access_chroot (options->chroot_dir, CHKACC_FILE, options->crl_file, R_OK, - "--crl-verify"); - - errs |= check_file_access (CHKACC_FILE|CHKACC_INLINE, options->tls_auth_file, R_OK, - "--tls-auth"); -#endif /* ENABLE_SSL */ -#ifdef ENABLE_CRYPTO - errs |= check_file_access (CHKACC_FILE|CHKACC_INLINE, options->shared_secret_file, R_OK, - "--secret"); + errs |= check_file_access_chroot (options->chroot_dir, CHKACC_FILE|CHKACC_INLINE, + options->crl_file, R_OK, "--crl-verify"); + + errs |= check_file_access (CHKACC_FILE|CHKACC_INLINE|CHKACC_PRIVATE, + options->tls_auth_file, R_OK, "--tls-auth"); + errs |= check_file_access (CHKACC_FILE|CHKACC_INLINE|CHKACC_PRIVATE, + options->tls_crypt_file, R_OK, "--tls-crypt"); + errs |= check_file_access (CHKACC_FILE|CHKACC_INLINE|CHKACC_PRIVATE, + options->shared_secret_file, R_OK, "--secret"); errs |= check_file_access (CHKACC_DIRPATH|CHKACC_FILEXSTWR, - options->packet_id_file, R_OK|W_OK, "--replay-persist"); -#endif /* ENABLE_CRYPTO */ - + options->packet_id_file, R_OK|W_OK, "--replay-persist"); /* ** Password files ** */ -#ifdef ENABLE_SSL - errs |= check_file_access (CHKACC_FILE|CHKACC_ACPTSTDIN, - options->key_pass_file, R_OK, "--askpass"); -#endif /* ENABLE_SSL */ + errs |= check_file_access (CHKACC_FILE|CHKACC_ACPTSTDIN|CHKACC_PRIVATE, + options->key_pass_file, R_OK, "--askpass"); +#endif /* ENABLE_CRYPTO */ #ifdef ENABLE_MANAGEMENT - errs |= check_file_access (CHKACC_FILE|CHKACC_ACPTSTDIN, + errs |= check_file_access (CHKACC_FILE|CHKACC_ACPTSTDIN|CHKACC_PRIVATE, options->management_user_pass, R_OK, "--management user/password file"); #endif /* ENABLE_MANAGEMENT */ #if P2MP - errs |= check_file_access (CHKACC_FILE|CHKACC_ACPTSTDIN, + errs |= check_file_access (CHKACC_FILE|CHKACC_ACPTSTDIN|CHKACC_PRIVATE, options->auth_user_pass_file, R_OK, "--auth-user-pass"); #endif /* P2MP */ @@ -2815,10 +2925,10 @@ options_postprocess_filechecks (struct options *options) R_OK|W_OK, "--status"); /* ** Config related ** */ -#ifdef ENABLE_SSL +#ifdef ENABLE_CRYPTO errs |= check_file_access_chroot (options->chroot_dir, CHKACC_FILE, options->tls_export_cert, R_OK|W_OK|X_OK, "--tls-export-cert"); -#endif /* ENABLE_SSL */ +#endif /* ENABLE_CRYPTO */ #if P2MP_SERVER errs |= check_file_access_chroot (options->chroot_dir, CHKACC_FILE, options->client_config_dir, R_OK|X_OK, "--client-config-dir"); @@ -2872,18 +2982,16 @@ pre_pull_save (struct options *o) o->pre_pull->routes_ipv6 = clone_route_ipv6_option_list(o->routes_ipv6, &o->gc); o->pre_pull->routes_ipv6_defined = true; } -#ifdef ENABLE_CLIENT_NAT if (o->client_nat) { o->pre_pull->client_nat = clone_client_nat_option_list(o->client_nat, &o->gc); o->pre_pull->client_nat_defined = true; } -#endif } } void -pre_pull_restore (struct options *o) +pre_pull_restore (struct options *o, struct gc_arena *gc) { const struct options_pre_pull *pp = o->pre_pull; if (pp) @@ -2895,7 +3003,7 @@ pre_pull_restore (struct options *o) if (pp->routes_defined) { rol_check_alloc (o); - copy_route_option_list (o->routes, pp->routes); + copy_route_option_list (o->routes, pp->routes, gc); } else o->routes = NULL; @@ -2903,12 +3011,11 @@ pre_pull_restore (struct options *o) if (pp->routes_ipv6_defined) { rol6_check_alloc (o); - copy_route_ipv6_option_list (o->routes_ipv6, pp->routes_ipv6); + copy_route_ipv6_option_list (o->routes_ipv6, pp->routes_ipv6, gc); } else o->routes_ipv6 = NULL; -#ifdef ENABLE_CLIENT_NAT if (pp->client_nat_defined) { cnol_check_alloc (o); @@ -2916,7 +3023,6 @@ pre_pull_restore (struct options *o) } else o->client_nat = NULL; -#endif o->foreign_option_index = pp->foreign_option_index; } @@ -2929,6 +3035,37 @@ pre_pull_restore (struct options *o) #ifdef ENABLE_OCC +/** + * Calculate the link-mtu to advertise to our peer. The actual value is not + * relevant, because we will possibly perform data channel cipher negotiation + * after this, but older clients will log warnings if we do not supply them the + * value they expect. This assumes that the traditional cipher/auth directives + * in the config match the config of the peer. + */ +static size_t +calc_options_string_link_mtu(const struct options *o, const struct frame *frame) +{ + size_t link_mtu = EXPANDED_SIZE (frame); +#ifdef ENABLE_CRYPTO + if (o->pull || o->mode == MODE_SERVER) + { + struct frame fake_frame = *frame; + struct key_type fake_kt; + init_key_type (&fake_kt, o->ciphername, o->authname, o->keysize, true, + false); + frame_add_to_extra_frame (&fake_frame, -(crypto_max_overhead())); + crypto_adjust_frame_parameters (&fake_frame, &fake_kt, o->use_iv, + o->replay, cipher_kt_mode_ofb_cfb (fake_kt.cipher)); + frame_finalize(&fake_frame, o->ce.link_mtu_defined, o->ce.link_mtu, + o->ce.tun_mtu_defined, o->ce.tun_mtu); + msg (D_MTU_DEBUG, "%s: link-mtu %u -> %d", __func__, (unsigned int) link_mtu, + EXPANDED_SIZE (&fake_frame)); + link_mtu = EXPANDED_SIZE (&fake_frame); + } +#endif + return link_mtu; +} + /* * Build an options string to represent data channel encryption options. * This string must match exactly between peers. The keysize is checked @@ -2953,6 +3090,7 @@ pre_pull_restore (struct options *o) * the other end of the connection] * * --comp-lzo + * --compress alg * --fragment * * Crypto Options: @@ -2972,7 +3110,6 @@ pre_pull_restore (struct options *o) * --tls-server [matched with --tls-client on * the other end of the connection] */ - char * options_string (const struct options *o, const struct frame *frame, @@ -2990,14 +3127,14 @@ options_string (const struct options *o, */ buf_printf (&out, ",dev-type %s", dev_type_string (o->dev, o->dev_type)); - buf_printf (&out, ",link-mtu %d", EXPANDED_SIZE (frame)); + buf_printf (&out, ",link-mtu %u", (unsigned int) calc_options_string_link_mtu(o, frame)); buf_printf (&out, ",tun-mtu %d", PAYLOAD_SIZE (frame)); - buf_printf (&out, ",proto %s", proto2ascii (proto_remote (o->ce.proto, remote), true)); + buf_printf (&out, ",proto %s", proto_remote (o->ce.proto, remote)); /* send tun_ipv6 only in peer2peer mode - in client/server mode, it * is usually pushed by the server, triggering a non-helpful warning */ - if (o->tun_ipv6 && o->mode == MODE_POINT_TO_POINT && !PULL_DEFINED(o)) + if (o->ifconfig_ipv6_local && o->mode == MODE_POINT_TO_POINT && !PULL_DEFINED(o)) buf_printf (&out, ",tun-ipv6"); /* @@ -3014,8 +3151,8 @@ options_string (const struct options *o, o->ifconfig_ipv6_local, o->ifconfig_ipv6_netbits, o->ifconfig_ipv6_remote, - (in_addr_t)0, - (in_addr_t)0, + NULL, + NULL, false, NULL); if (tt) @@ -3034,9 +3171,9 @@ options_string (const struct options *o, tt = NULL; } -#ifdef ENABLE_LZO - if (o->lzo & LZO_SELECTED) - buf_printf (&out, ",comp-lzo"); +#ifdef USE_COMP + if (o->comp.alg != COMP_ALG_UNDEF) + buf_printf (&out, ",comp-lzo"); /* for compatibility, this simply indicates that compression context is active, not necessarily LZO per-se */ #endif #ifdef ENABLE_FRAGMENT @@ -3046,13 +3183,8 @@ options_string (const struct options *o, #ifdef ENABLE_CRYPTO -#ifdef ENABLE_SSL #define TLS_CLIENT (o->tls_client) #define TLS_SERVER (o->tls_server) -#else -#define TLS_CLIENT (false) -#define TLS_SERVER (false) -#endif /* * Key direction @@ -3075,11 +3207,11 @@ options_string (const struct options *o, + (TLS_SERVER == true) <= 1); - init_key_type (&kt, o->ciphername, o->ciphername_defined, - o->authname, o->authname_defined, - o->keysize, true, false); + init_key_type (&kt, o->ciphername, o->authname, o->keysize, true, + false); - buf_printf (&out, ",cipher %s", cipher_kt_name (kt.cipher)); + buf_printf (&out, ",cipher %s", + translate_cipher_name_to_openvpn(cipher_kt_name (kt.cipher))); buf_printf (&out, ",auth %s", md_kt_name (kt.digest)); buf_printf (&out, ",keysize %d", kt.cipher_length * 8); if (o->shared_secret_file) @@ -3095,7 +3227,6 @@ options_string (const struct options *o, #endif } -#ifdef ENABLE_SSL /* * SSL Options */ @@ -3104,6 +3235,9 @@ options_string (const struct options *o, { if (o->tls_auth_file) buf_printf (&out, ",tls-auth"); + /* Not adding tls-crypt here, because we won't reach this code if + * tls-auth/tls-crypt does not match. Removing tls-auth here would + * break stuff, so leaving that in place. */ if (o->key_method > 1) buf_printf (&out, ",key-method %d", o->key_method); @@ -3124,7 +3258,6 @@ options_string (const struct options *o, buf_printf (&out, ",tls-server"); } } -#endif /* ENABLE_SSL */ #undef TLS_CLIENT #undef TLS_SERVER @@ -3447,10 +3580,11 @@ usage (void) struct options o; init_options (&o, true); -#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL) +#ifdef ENABLE_CRYPTO fprintf (fp, usage_message, title_string, o.ce.connect_retry_seconds, + o.ce.connect_retry_seconds_max, o.ce.local_port, o.ce.remote_port, TUN_MTU_DEFAULT, TAP_MTU_EXTRA_DEFAULT, o.verbosity, @@ -3458,15 +3592,6 @@ usage (void) o.replay_window, o.replay_time, o.tls_timeout, o.renegotiate_seconds, o.handshake_window, o.transition_window); -#elif defined(ENABLE_CRYPTO) - fprintf (fp, usage_message, - title_string, - o.ce.connect_retry_seconds, - o.ce.local_port, o.ce.remote_port, - TUN_MTU_DEFAULT, TAP_MTU_EXTRA_DEFAULT, - o.verbosity, - o.authname, o.ciphername, - o.replay_window, o.replay_time); #else fprintf (fp, usage_message, title_string, @@ -3489,7 +3614,7 @@ usage_small (void) openvpn_exit (OPENVPN_EXIT_STATUS_USAGE); /* exit point */ } -#ifdef WIN32 +#ifdef _WIN32 void show_windows_version(const unsigned int flags) { struct gc_arena gc = gc_new (); @@ -3501,7 +3626,7 @@ void show_windows_version(const unsigned int flags) void show_library_versions(const unsigned int flags) { -#ifdef ENABLE_SSL +#ifdef ENABLE_CRYPTO #define SSL_LIB_VER_STR get_ssl_library_version() #else #define SSL_LIB_VER_STR "" @@ -3523,7 +3648,7 @@ usage_version (void) { msg (M_INFO|M_NOPREFIX, "%s", title_string); show_library_versions( M_INFO|M_NOPREFIX ); -#ifdef WIN32 +#ifdef _WIN32 show_windows_version( M_INFO|M_NOPREFIX ); #endif msg (M_INFO|M_NOPREFIX, "Originally developed by James Yonan"); @@ -3535,9 +3660,6 @@ usage_version (void) #ifdef CONFIGURE_SPECIAL_BUILD msg (M_INFO|M_NOPREFIX, "special build: %s", CONFIGURE_SPECIAL_BUILD); #endif -#ifdef CONFIGURE_GIT_REVISION - msg (M_INFO|M_NOPREFIX, "git revision: %s", CONFIGURE_GIT_REVISION); -#endif #endif openvpn_exit (OPENVPN_EXIT_STATUS_USAGE); /* exit point */ } @@ -3573,7 +3695,7 @@ positive_atoi (const char *str) return i < 0 ? 0 : i; } -#ifdef WIN32 /* This function is only used when compiling on Windows */ +#ifdef _WIN32 /* This function is only used when compiling on Windows */ static unsigned int atou (const char *str) { @@ -3809,7 +3931,7 @@ read_inline_file (struct in_src *is, const char *close_tag, struct gc_arena *gc) buf_printf (&buf, "%s", line); } if (!endtagfound) - msg (M_WARN, "WARNING: Endtag %s missing", close_tag); + msg (M_FATAL, "ERROR: Endtag %s missing", close_tag); ret = string_alloc (BSTR (&buf), gc); buf_clear (&buf); free_buf (&buf); @@ -4019,6 +4141,45 @@ parse_argv (struct options *options, } } +/** + * Filter an option line by all pull filters. + * + * If a match is found, the line is modified depending on + * the filter type, and returns true. If the filter type is + * reject, SIGUSR1 is triggered and the return value is false. + * In that case the caller must end the push processing. + */ +static bool +apply_pull_filter (const struct options *o, char *line) +{ + struct pull_filter *f; + + if (!o->pull_filter_list) return true; + + for (f = o->pull_filter_list->head; f; f = f->next) + { + if (f->type == PUF_TYPE_ACCEPT && strncmp (line, f->pattern, f->size) == 0) + { + msg (D_LOW, "Pushed option accepted by filter: '%s'", line); + return true; + } + else if (f->type == PUF_TYPE_IGNORE && strncmp (line, f->pattern, f->size) == 0) + { + msg (D_PUSH, "Pushed option removed by filter: '%s'", line); + *line = '\0'; + return true; + } + else if (f->type == PUF_TYPE_REJECT && strncmp (line, f->pattern, f->size) == 0) + { + msg (M_WARN, "Pushed option rejected by filter: '%s'. Restarting.", line); + *line = '\0'; + throw_signal_soft (SIGUSR1, "Offending option received from server"); + return false; + } + } + return true; +} + bool apply_push_options (struct options *options, struct buffer *buf, @@ -4036,6 +4197,10 @@ apply_push_options (struct options *options, char *p[MAX_PARMS]; CLEAR (p); ++line_num; + if (!apply_pull_filter(options, line)) + { + return false; /* Cause push/pull error and stop push processing */ + } if (parse_line (line, p, SIZE (p), file, line_num, msglevel, &options->gc)) { add_option (options, p, file, line_num, 0, msglevel, permission_mask, option_types_found, es); @@ -4222,13 +4387,18 @@ add_option (struct options *options, { VERIFY_PERMISSION (OPT_P_GENERAL); usage (); + if (p[1]) + { + msg (msglevel, "--help does not accept any parameters"); + goto err; + } } - if (streq (p[0], "version")) + if (streq (p[0], "version") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL); usage_version (); } - else if (streq (p[0], "config") && p[1]) + else if (streq (p[0], "config") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_CONFIG); @@ -4239,12 +4409,17 @@ add_option (struct options *options, read_config_file (options, p[1], level, file, line, msglevel, permission_mask, option_types_found, es); } #if defined(ENABLE_DEBUG) && !defined(ENABLE_SMALL) - else if (streq (p[0], "show-gateway")) + else if (streq (p[0], "show-gateway") && !p[2]) { struct route_gateway_info rgi; + struct route_ipv6_gateway_info rgi6; + struct in6_addr remote = IN6ADDR_ANY_INIT; VERIFY_PERMISSION (OPT_P_GENERAL); + if (p[1]) + get_ipv6_addr (p[1], &remote, NULL, M_WARN); get_default_gateway(&rgi); - print_default_gateway(M_INFO, &rgi); + get_default_gateway_ipv6(&rgi6, &remote); + print_default_gateway(M_INFO, &rgi, &rgi6); openvpn_exit (OPENVPN_EXIT_STATUS_GOOD); /* exit point */ } #endif @@ -4289,10 +4464,8 @@ add_option (struct options *options, msg (M_WARN, "echo/parameter option overflow"); } #ifdef ENABLE_MANAGEMENT - else if (streq (p[0], "management") && p[1] && p[2]) + else if (streq (p[0], "management") && p[1] && p[2] && !p[4]) { - int port = 0; - VERIFY_PERMISSION (OPT_P_GENERAL); if (streq (p[2], "unix")) { @@ -4303,104 +4476,93 @@ add_option (struct options *options, goto err; #endif } - else - { - port = atoi (p[2]); - if (!legal_ipv4_port (port)) - { - msg (msglevel, "port number associated with --management directive is out of range"); - goto err; - } - } options->management_addr = p[1]; - options->management_port = port; + options->management_port = p[2]; if (p[3]) { options->management_user_pass = p[3]; } } - else if (streq (p[0], "management-client-user") && p[1]) + else if (streq (p[0], "management-client-user") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->management_client_user = p[1]; } - else if (streq (p[0], "management-client-group") && p[1]) + else if (streq (p[0], "management-client-group") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->management_client_group = p[1]; } - else if (streq (p[0], "management-query-passwords")) + else if (streq (p[0], "management-query-passwords") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->management_flags |= MF_QUERY_PASSWORDS; } - else if (streq (p[0], "management-query-remote")) + else if (streq (p[0], "management-query-remote") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->management_flags |= MF_QUERY_REMOTE; } - else if (streq (p[0], "management-query-proxy")) + else if (streq (p[0], "management-query-proxy") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->management_flags |= MF_QUERY_PROXY; - options->force_connection_list = true; } - else if (streq (p[0], "management-hold")) + else if (streq (p[0], "management-hold") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->management_flags |= MF_HOLD; } - else if (streq (p[0], "management-signal")) + else if (streq (p[0], "management-signal") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->management_flags |= MF_SIGNAL; } - else if (streq (p[0], "management-forget-disconnect")) + else if (streq (p[0], "management-forget-disconnect") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->management_flags |= MF_FORGET_DISCONNECT; } - else if (streq (p[0], "management-up-down")) + else if (streq (p[0], "management-up-down") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->management_flags |= MF_UP_DOWN; } - else if (streq (p[0], "management-client")) + else if (streq (p[0], "management-client") && !p[2]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->management_flags |= MF_CONNECT_AS_CLIENT; options->management_write_peer_info_file = p[1]; } #ifdef MANAGMENT_EXTERNAL_KEY - else if (streq (p[0], "management-external-key")) + else if (streq (p[0], "management-external-key") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->management_flags |= MF_EXTERNAL_KEY; } -#endif -#ifdef MANAGEMENT_DEF_AUTH - else if (streq (p[0], "management-client-auth")) + else if (streq (p[0], "management-external-cert") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_GENERAL); - options->management_flags |= MF_CLIENT_AUTH; + options->management_flags |= MF_EXTERNAL_CERT; + options->management_certificate = p[1]; } #endif -#ifdef ENABLE_X509_TRACK - else if (streq (p[0], "x509-track") && p[1]) +#ifdef MANAGEMENT_DEF_AUTH + else if (streq (p[0], "management-client-auth") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL); - x509_track_add (&options->x509_track, p[1], msglevel, &options->gc); + options->management_flags |= MF_CLIENT_AUTH; } #endif #ifdef MANAGEMENT_PF - else if (streq (p[0], "management-client-pf")) + else if (streq (p[0], "management-client-pf") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->management_flags |= (MF_CLIENT_PF | MF_CLIENT_AUTH); } #endif - else if (streq (p[0], "management-log-cache") && p[1]) + else if (streq (p[0], "management-log-cache") && p[1] && !p[2]) { int cache; @@ -4415,7 +4577,7 @@ add_option (struct options *options, } #endif #ifdef ENABLE_PLUGIN - else if (streq (p[0], "plugin") && p[1]) + else if (streq (p[0], "plugin") && p[1] && !p[3]) { VERIFY_PERMISSION (OPT_P_PLUGIN); if (!options->plugin_list) @@ -4427,7 +4589,7 @@ add_option (struct options *options, } } #endif - else if (streq (p[0], "mode") && p[1]) + else if (streq (p[0], "mode") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_GENERAL); if (streq (p[1], "p2p")) @@ -4442,22 +4604,22 @@ add_option (struct options *options, goto err; } } - else if (streq (p[0], "dev") && p[1]) + else if (streq (p[0], "dev") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->dev = p[1]; } - else if (streq (p[0], "dev-type") && p[1]) + else if (streq (p[0], "dev-type") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->dev_type = p[1]; } - else if (streq (p[0], "dev-node") && p[1]) + else if (streq (p[0], "dev-node") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->dev_node = p[1]; } - else if (streq (p[0], "lladdr") && p[1]) + else if (streq (p[0], "lladdr") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_UP); if (mac_addr_safe (p[1])) /* MAC address only */ @@ -4468,24 +4630,24 @@ add_option (struct options *options, goto err; } } - else if (streq (p[0], "topology") && p[1]) + else if (streq (p[0], "topology") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_UP); options->topology = parse_topology (p[1], msglevel); } - else if (streq (p[0], "tun-ipv6")) + else if (streq (p[0], "tun-ipv6") && !p[1]) { VERIFY_PERMISSION (OPT_P_UP); - options->tun_ipv6 = true; + msg (M_WARN, "Note: option tun-ipv6 is ignored because modern operating systems do not need special IPv6 tun handling anymore."); } #ifdef ENABLE_IPROUTE - else if (streq (p[0], "iproute") && p[1]) + else if (streq (p[0], "iproute") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_GENERAL); iproute_path = p[1]; } #endif - else if (streq (p[0], "ifconfig") && p[1] && p[2]) + else if (streq (p[0], "ifconfig") && p[1] && p[2] && !p[3]) { VERIFY_PERMISSION (OPT_P_UP); if (ip_or_dns_addr_safe (p[1], options->allow_pull_fqdn) && ip_or_dns_addr_safe (p[2], options->allow_pull_fqdn)) /* FQDN -- may be DNS name */ @@ -4499,7 +4661,7 @@ add_option (struct options *options, goto err; } } - else if (streq (p[0], "ifconfig-ipv6") && p[1] && p[2] ) + else if (streq (p[0], "ifconfig-ipv6") && p[1] && p[2] && !p[3]) { unsigned int netbits; @@ -4523,27 +4685,27 @@ add_option (struct options *options, goto err; } } - else if (streq (p[0], "ifconfig-noexec")) + else if (streq (p[0], "ifconfig-noexec") && !p[1]) { VERIFY_PERMISSION (OPT_P_UP); options->ifconfig_noexec = true; } - else if (streq (p[0], "ifconfig-nowarn")) + else if (streq (p[0], "ifconfig-nowarn") && !p[1]) { VERIFY_PERMISSION (OPT_P_UP); options->ifconfig_nowarn = true; } - else if (streq (p[0], "local") && p[1]) + else if (streq (p[0], "local") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION); options->ce.local = p[1]; } - else if (streq (p[0], "remote-random")) + else if (streq (p[0], "remote-random") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->remote_random = true; } - else if (streq (p[0], "connection") && p[1]) + else if (streq (p[0], "connection") && p[1] && !p[3]) { VERIFY_PERMISSION (OPT_P_GENERAL); if (streq (p[1], INLINE_FILE_TAG) && p[2]) @@ -4605,47 +4767,38 @@ add_option (struct options *options, options->ignore_unknown_option[i] = NULL; } - else if (streq (p[0], "remote-ip-hint") && p[1]) - { - VERIFY_PERMISSION (OPT_P_GENERAL); - options->remote_ip_hint = p[1]; - } -#if HTTP_PROXY_OVERRIDE - else if (streq (p[0], "http-proxy-override") && p[1] && p[2]) +#if ENABLE_MANAGEMENT + else if (streq (p[0], "http-proxy-override") && p[1] && p[2] && !p[4]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->http_proxy_override = parse_http_proxy_override(p[1], p[2], p[3], msglevel, &options->gc); if (!options->http_proxy_override) goto err; - options->force_connection_list = true; } #endif - else if (streq (p[0], "remote") && p[1]) + else if (streq (p[0], "remote") && p[1] && !p[4]) { struct remote_entry re; - re.remote = NULL; - re.remote_port = re.proto = -1; + re.remote = re.remote_port= NULL; + re.proto = -1; + re.af=0; VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION); re.remote = p[1]; if (p[2]) { - const int port = atoi (p[2]); - if (!legal_ipv4_port (port)) - { - msg (msglevel, "remote: port number associated with host %s is out of range", p[1]); - goto err; - } - re.remote_port = port; + re.remote_port = p[2]; if (p[3]) { const int proto = ascii2proto (p[3]); + const sa_family_t af = ascii2af (p[3]); if (proto < 0) { msg (msglevel, "remote: bad protocol associated with host %s: '%s'", p[1], p[3]); goto err; } re.proto = proto; + re.af = af; } } if (permission_mask & OPT_P_GENERAL) @@ -4660,7 +4813,7 @@ add_option (struct options *options, connection_entry_load_re (&options->ce, &re); } } - else if (streq (p[0], "resolv-retry") && p[1]) + else if (streq (p[0], "resolv-retry") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_GENERAL); if (streq (p[1], "infinite")) @@ -4668,22 +4821,44 @@ add_option (struct options *options, else options->resolve_retry_seconds = positive_atoi (p[1]); } - else if (streq (p[0], "connect-retry") && p[1]) + else if ((streq (p[0], "preresolve") || streq (p[0], "ip-remote-hint")) && !p[2]) + { + VERIFY_PERMISSION (OPT_P_GENERAL); + options->resolve_in_advance = true; + /* Note the ip-remote-hint and the argument p[1] are for + backward compatibility */ + if (p[1]) + options->ip_remote_hint=p[1]; + } + else if (streq (p[0], "connect-retry") && p[1] && !p[3]) { VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION); options->ce.connect_retry_seconds = positive_atoi (p[1]); - options->ce.connect_retry_defined = true; + /* + * Limit the base value of retry wait interval to 16 bits to avoid + * overflow when scaled up for exponential backoff + */ + if (options->ce.connect_retry_seconds > 0xFFFF) + { + options->ce.connect_retry_seconds = 0xFFFF; + msg (M_WARN, "connect retry wait interval truncated to %d", + options->ce.connect_retry_seconds); + } + + if (p[2]) + options->ce.connect_retry_seconds_max = + max_int (positive_atoi (p[2]), options->ce.connect_retry_seconds); } - else if (streq (p[0], "connect-timeout") && p[1]) + else if ((streq (p[0], "connect-timeout") || streq (p[0], "server-poll-timeout")) + && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION); options->ce.connect_timeout = positive_atoi (p[1]); - options->ce.connect_timeout_defined = true; } - else if (streq (p[0], "connect-retry-max") && p[1]) + else if (streq (p[0], "connect-retry-max") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION); - options->ce.connect_retry_max = positive_atoi (p[1]); + options->connect_retry_max = positive_atoi (p[1]); } else if (streq (p[0], "ipchange") && p[1]) { @@ -4695,24 +4870,24 @@ add_option (struct options *options, string_substitute (p[1], ',', ' ', &options->gc), "ipchange", true); } - else if (streq (p[0], "float")) + else if (streq (p[0], "float") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION); options->ce.remote_float = true; } #ifdef ENABLE_DEBUG - else if (streq (p[0], "gremlin") && p[1]) + else if (streq (p[0], "gremlin") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->gremlin = positive_atoi (p[1]); } #endif - else if (streq (p[0], "chroot") && p[1]) + else if (streq (p[0], "chroot") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->chroot_dir = p[1]; } - else if (streq (p[0], "cd") && p[1]) + else if (streq (p[0], "cd") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_GENERAL); if (platform_chdir (p[1])) @@ -4723,13 +4898,13 @@ add_option (struct options *options, options->cd_dir = p[1]; } #ifdef ENABLE_SELINUX - else if (streq (p[0], "setcon") && p[1]) + else if (streq (p[0], "setcon") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->selinux_context = p[1]; } #endif - else if (streq (p[0], "writepid") && p[1]) + else if (streq (p[0], "writepid") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->writepid = p[1]; @@ -4748,27 +4923,27 @@ add_option (struct options *options, goto err; set_user_script (options, &options->down_script, p[1], "down", true); } - else if (streq (p[0], "down-pre")) + else if (streq (p[0], "down-pre") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->down_pre = true; } - else if (streq (p[0], "up-delay")) + else if (streq (p[0], "up-delay") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->up_delay = true; } - else if (streq (p[0], "up-restart")) + else if (streq (p[0], "up-restart") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->up_restart = true; } - else if (streq (p[0], "syslog")) + else if (streq (p[0], "syslog") && !p[2]) { VERIFY_PERMISSION (OPT_P_GENERAL); open_syslog (p[1], false); } - else if (streq (p[0], "daemon")) + else if (streq (p[0], "daemon") && !p[2]) { bool didit = false; VERIFY_PERMISSION (OPT_P_GENERAL); @@ -4786,7 +4961,7 @@ add_option (struct options *options, } } } - else if (streq (p[0], "inetd")) + else if (streq (p[0], "inetd") && !p[3]) { VERIFY_PERMISSION (OPT_P_GENERAL); if (!options->inetd) @@ -4841,44 +5016,50 @@ add_option (struct options *options, open_syslog (name, true); } } - else if (streq (p[0], "log") && p[1]) + else if (streq (p[0], "log") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->log = true; redirect_stdout_stderr (p[1], false); } - else if (streq (p[0], "suppress-timestamps")) + else if (streq (p[0], "suppress-timestamps") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->suppress_timestamps = true; set_suppress_timestamps(true); } - else if (streq (p[0], "log-append") && p[1]) + else if (streq (p[0], "machine-readable-output") && !p[1]) + { + VERIFY_PERMISSION (OPT_P_GENERAL); + options->machine_readable_output = true; + set_machine_readable_output(true); + } + else if (streq (p[0], "log-append") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->log = true; redirect_stdout_stderr (p[1], true); } #ifdef ENABLE_MEMSTATS - else if (streq (p[0], "memstats") && p[1]) + else if (streq (p[0], "memstats") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->memstats_fn = p[1]; } #endif - else if (streq (p[0], "mlock")) + else if (streq (p[0], "mlock") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->mlock = true; } #if ENABLE_IP_PKTINFO - else if (streq (p[0], "multihome")) + else if (streq (p[0], "multihome") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->sockflags |= SF_USE_IP_PKTINFO; } #endif - else if (streq (p[0], "verb") && p[1]) + else if (streq (p[0], "verb") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_MESSAGES); options->verbosity = positive_atoi (p[1]); @@ -4889,17 +5070,17 @@ add_option (struct options *options, options->verbosity); #endif } - else if (streq (p[0], "mute") && p[1]) + else if (streq (p[0], "mute") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_MESSAGES); options->mute = positive_atoi (p[1]); } - else if (streq (p[0], "errors-to-stderr")) + else if (streq (p[0], "errors-to-stderr") && !p[1]) { VERIFY_PERMISSION (OPT_P_MESSAGES); errors_to_stderr(); } - else if (streq (p[0], "status") && p[1]) + else if (streq (p[0], "status") && p[1] && !p[3]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->status_file = p[1]; @@ -4908,7 +5089,7 @@ add_option (struct options *options, options->status_file_update_freq = positive_atoi (p[2]); } } - else if (streq (p[0], "status-version") && p[1]) + else if (streq (p[0], "status-version") && p[1] && !p[2]) { int version; @@ -4921,7 +5102,7 @@ add_option (struct options *options, } options->status_file_version = version; } - else if (streq (p[0], "remap-usr1") && p[1]) + else if (streq (p[0], "remap-usr1") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_GENERAL); if (streq (p[1], "SIGHUP")) @@ -4934,19 +5115,19 @@ add_option (struct options *options, goto err; } } - else if ((streq (p[0], "link-mtu") || streq (p[0], "udp-mtu")) && p[1]) + else if ((streq (p[0], "link-mtu") || streq (p[0], "udp-mtu")) && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_MTU|OPT_P_CONNECTION); options->ce.link_mtu = positive_atoi (p[1]); options->ce.link_mtu_defined = true; } - else if (streq (p[0], "tun-mtu") && p[1]) + else if (streq (p[0], "tun-mtu") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_MTU|OPT_P_CONNECTION); options->ce.tun_mtu = positive_atoi (p[1]); options->ce.tun_mtu_defined = true; } - else if (streq (p[0], "tun-mtu-extra") && p[1]) + else if (streq (p[0], "tun-mtu-extra") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_MTU|OPT_P_CONNECTION); options->ce.tun_mtu_extra = positive_atoi (p[1]); @@ -4959,41 +5140,41 @@ add_option (struct options *options, msg (msglevel, "--mtu-dynamic has been replaced by --fragment"); goto err; } - else if (streq (p[0], "fragment") && p[1]) + else if (streq (p[0], "fragment") && p[1] && !p[2]) { /* VERIFY_PERMISSION (OPT_P_MTU); */ VERIFY_PERMISSION (OPT_P_MTU|OPT_P_CONNECTION); options->ce.fragment = positive_atoi (p[1]); } #endif - else if (streq (p[0], "mtu-disc") && p[1]) + else if (streq (p[0], "mtu-disc") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_MTU|OPT_P_CONNECTION); options->ce.mtu_discover_type = translate_mtu_discover_type_name (p[1]); } #ifdef ENABLE_OCC - else if (streq (p[0], "mtu-test")) + else if (streq (p[0], "mtu-test") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->mtu_test = true; } #endif - else if (streq (p[0], "nice") && p[1]) + else if (streq (p[0], "nice") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_NICE); options->nice = atoi (p[1]); } - else if (streq (p[0], "rcvbuf") && p[1]) + else if (streq (p[0], "rcvbuf") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_SOCKBUF); options->rcvbuf = positive_atoi (p[1]); } - else if (streq (p[0], "sndbuf") && p[1]) + else if (streq (p[0], "sndbuf") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_SOCKBUF); options->sndbuf = positive_atoi (p[1]); } - else if (streq (p[0], "mark") && p[1]) + else if (streq (p[0], "mark") && p[1] && !p[2]) { #if defined(TARGET_LINUX) && HAVE_DECL_SO_MARK VERIFY_PERMISSION (OPT_P_GENERAL); @@ -5012,7 +5193,7 @@ add_option (struct options *options, msg (msglevel, "unknown socket flag: %s", p[j]); } } - else if (streq (p[0], "txqueuelen") && p[1]) + else if (streq (p[0], "txqueuelen") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_GENERAL); #ifdef TARGET_LINUX @@ -5022,7 +5203,7 @@ add_option (struct options *options, goto err; #endif } - else if (streq (p[0], "shaper") && p[1]) + else if (streq (p[0], "shaper") && p[1] && !p[2]) { #ifdef ENABLE_FEATURE_SHAPER int shaper; @@ -5042,73 +5223,54 @@ add_option (struct options *options, goto err; #endif /* ENABLE_FEATURE_SHAPER */ } - else if (streq (p[0], "port") && p[1]) + else if (streq (p[0], "port") && p[1] && !p[2]) { - int port; - VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION); - port = atoi (p[1]); - if (!legal_ipv4_port (port)) - { - msg (msglevel, "Bad port number: %s", p[1]); - goto err; - } - options->ce.local_port = options->ce.remote_port = port; + options->ce.local_port = options->ce.remote_port = p[1]; } - else if (streq (p[0], "lport") && p[1]) + else if (streq (p[0], "lport") && p[1] && !p[2]) { - int port; - VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION); - port = atoi (p[1]); - if ((port != 0) && !legal_ipv4_port (port)) - { - msg (msglevel, "Bad local port number: %s", p[1]); - goto err; - } options->ce.local_port_defined = true; - options->ce.local_port = port; + options->ce.local_port = p[1]; } - else if (streq (p[0], "rport") && p[1]) + else if (streq (p[0], "rport") && p[1] && !p[2]) { - int port; - VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION); - port = atoi (p[1]); - if (!legal_ipv4_port (port)) - { - msg (msglevel, "Bad remote port number: %s", p[1]); - goto err; - } - options->ce.remote_port = port; + options->ce.remote_port = p[1]; } - else if (streq (p[0], "bind")) + else if (streq (p[0], "bind") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION); options->ce.bind_defined = true; + if (p[1] && streq (p[1], "ipv6only")) + options->ce.bind_ipv6_only=true; + } - else if (streq (p[0], "nobind")) + else if (streq (p[0], "nobind") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION); options->ce.bind_local = false; } - else if (streq (p[0], "fast-io")) + else if (streq (p[0], "fast-io") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->fast_io = true; } - else if (streq (p[0], "inactive") && p[1]) + else if (streq (p[0], "inactive") && p[1] && !p[3]) { VERIFY_PERMISSION (OPT_P_TIMER); options->inactivity_timeout = positive_atoi (p[1]); if (p[2]) options->inactivity_minimum_bytes = positive_atoi (p[2]); } - else if (streq (p[0], "proto") && p[1]) + else if (streq (p[0], "proto") && p[1] && !p[2]) { int proto; + sa_family_t af; VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION); proto = ascii2proto (p[1]); + af = ascii2af(p[1]); if (proto < 0) { msg (msglevel, "Bad protocol: '%s'. Allowed protocols with --proto option: %s", @@ -5117,8 +5279,9 @@ add_option (struct options *options, goto err; } options->ce.proto = proto; + options->ce.af = af; } - else if (streq (p[0], "proto-force") && p[1]) + else if (streq (p[0], "proto-force") && p[1] && !p[2]) { int proto_force; VERIFY_PERMISSION (OPT_P_GENERAL); @@ -5129,33 +5292,24 @@ add_option (struct options *options, goto err; } options->proto_force = proto_force; - options->force_connection_list = true; } -#ifdef ENABLE_HTTP_PROXY - else if (streq (p[0], "http-proxy") && p[1]) + else if (streq (p[0], "http-proxy") && p[1] && !p[5]) { struct http_proxy_options *ho; VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION); { - int port; if (!p[2]) { msg (msglevel, "http-proxy port number not defined"); goto err; } - port = atoi (p[2]); - if (!legal_ipv4_port (port)) - { - msg (msglevel, "Bad http-proxy port number: %s", p[2]); - goto err; - } ho = init_http_proxy_options_once (&options->ce.http_proxy_options, &options->gc); ho->server = p[1]; - ho->port = port; + ho->port = p[2]; } if (p[3]) @@ -5183,101 +5337,124 @@ add_option (struct options *options, ho->auth_method_string = "none"; } } - else if (streq (p[0], "http-proxy-retry")) + else if (streq (p[0], "http-proxy-user-pass") && p[1]) { struct http_proxy_options *ho; - VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION); + VERIFY_PERMISSION (OPT_P_GENERAL); ho = init_http_proxy_options_once (&options->ce.http_proxy_options, &options->gc); - ho->retry = true; + if (streq (p[1], INLINE_FILE_TAG) && p[2]) + { + ho->auth_file = p[2]; + ho->inline_creds = true; + } + else + ho->auth_file = p[1]; } - else if (streq (p[0], "http-proxy-timeout") && p[1]) + else if (streq (p[0], "http-proxy-retry") || streq (p[0], "socks-proxy-retry")) { - struct http_proxy_options *ho; - VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION); - ho = init_http_proxy_options_once (&options->ce.http_proxy_options, &options->gc); - ho->timeout = positive_atoi (p[1]); + msg (M_WARN, "DEPRECATED OPTION: http-proxy-retry and socks-proxy-retry: " + "In OpenVPN 2.4 proxy connection retries are handled like regular connections. " + "Use connect-retry-max 1 to get a similar behavior as before."); } - else if (streq (p[0], "http-proxy-option") && p[1]) + else if (streq (p[0], "http-proxy-timeout") && p[1] && !p[2]) + { + VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION); + msg (M_WARN, "DEPRECATED OPTION: http-proxy-timeout: In OpenVPN 2.4 the timeout until a connection to a " + "server is established is managed with a single timeout set by connect-timeout"); + } + else if (streq (p[0], "http-proxy-option") && p[1] && !p[4]) { struct http_proxy_options *ho; VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION); ho = init_http_proxy_options_once (&options->ce.http_proxy_options, &options->gc); - if (streq (p[1], "VERSION") && p[2]) + if (streq (p[1], "VERSION") && p[2] && !p[3]) { ho->http_version = p[2]; } - else if (streq (p[1], "AGENT") && p[2]) + else if (streq (p[1], "AGENT") && p[2] && !p[3]) { ho->user_agent = p[2]; } + else if ((streq (p[1], "EXT1") || streq(p[1], "EXT2") || streq(p[1], "CUSTOM-HEADER")) + && p[2]) + { + /* In the wild patched versions use both EXT1/2 and CUSTOM-HEADER + * with either two argument or one */ + + struct http_custom_header *custom_header = NULL; + int i; + /* Find the first free header */ + for (i=0; i < MAX_CUSTOM_HTTP_HEADER; i++) { + if (!ho->custom_headers[i].name) { + custom_header = &ho->custom_headers[i]; + break; + } + } + if (!custom_header) + { + msg (msglevel, "Cannot use more than %d http-proxy-option CUSTOM-HEADER : '%s'", MAX_CUSTOM_HTTP_HEADER, p[1]); + } + else + { + /* We will save p[2] and p[3], the proxy code will detect if + * p[3] is NULL */ + custom_header->name = p[2]; + custom_header->content = p[3]; + } + } else { - msg (msglevel, "Bad http-proxy-option or missing parameter: '%s'", p[1]); + msg (msglevel, "Bad http-proxy-option or missing or extra parameter: '%s'", p[1]); } } -#endif -#ifdef ENABLE_SOCKS - else if (streq (p[0], "socks-proxy") && p[1]) + else if (streq (p[0], "socks-proxy") && p[1] && !p[4]) { VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION); if (p[2]) - { - int port; - port = atoi (p[2]); - if (!legal_ipv4_port (port)) - { - msg (msglevel, "Bad socks-proxy port number: %s", p[2]); - goto err; - } - options->ce.socks_proxy_port = port; + { + options->ce.socks_proxy_port = p[2]; } else { - options->ce.socks_proxy_port = 1080; + options->ce.socks_proxy_port = "1080"; } options->ce.socks_proxy_server = p[1]; options->ce.socks_proxy_authfile = p[3]; /* might be NULL */ } - else if (streq (p[0], "socks-proxy-retry")) - { - VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION); - options->ce.socks_proxy_retry = true; - } -#endif - else if (streq (p[0], "keepalive") && p[1] && p[2]) + else if (streq (p[0], "keepalive") && p[1] && p[2] && !p[3]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->keepalive_ping = atoi (p[1]); options->keepalive_timeout = atoi (p[2]); } - else if (streq (p[0], "ping") && p[1]) + else if (streq (p[0], "ping") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_TIMER); options->ping_send_timeout = positive_atoi (p[1]); } - else if (streq (p[0], "ping-exit") && p[1]) + else if (streq (p[0], "ping-exit") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_TIMER); options->ping_rec_timeout = positive_atoi (p[1]); options->ping_rec_timeout_action = PING_EXIT; } - else if (streq (p[0], "ping-restart") && p[1]) + else if (streq (p[0], "ping-restart") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_TIMER); options->ping_rec_timeout = positive_atoi (p[1]); options->ping_rec_timeout_action = PING_RESTART; } - else if (streq (p[0], "ping-timer-rem")) + else if (streq (p[0], "ping-timer-rem") && !p[1]) { VERIFY_PERMISSION (OPT_P_TIMER); options->ping_timer_remote = true; } #ifdef ENABLE_OCC - else if (streq (p[0], "explicit-exit-notify")) + else if (streq (p[0], "explicit-exit-notify") && !p[2]) { VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION|OPT_P_EXPLICIT_NOTIFY); if (p[1]) @@ -5290,35 +5467,33 @@ add_option (struct options *options, } } #endif - else if (streq (p[0], "persist-tun")) + else if (streq (p[0], "persist-tun") && !p[1]) { VERIFY_PERMISSION (OPT_P_PERSIST); options->persist_tun = true; } - else if (streq (p[0], "persist-key")) + else if (streq (p[0], "persist-key") && !p[1]) { VERIFY_PERMISSION (OPT_P_PERSIST); options->persist_key = true; } - else if (streq (p[0], "persist-local-ip")) + else if (streq (p[0], "persist-local-ip") && !p[1]) { VERIFY_PERMISSION (OPT_P_PERSIST_IP); options->persist_local_ip = true; } - else if (streq (p[0], "persist-remote-ip")) + else if (streq (p[0], "persist-remote-ip") && !p[1]) { VERIFY_PERMISSION (OPT_P_PERSIST_IP); options->persist_remote_ip = true; } -#ifdef ENABLE_CLIENT_NAT - else if (streq (p[0], "client-nat") && p[1] && p[2] && p[3] && p[4]) + else if (streq (p[0], "client-nat") && p[1] && p[2] && p[3] && p[4] && !p[5]) { VERIFY_PERMISSION (OPT_P_ROUTE); cnol_check_alloc (options); add_client_nat_to_option_list(options->client_nat, p[1], p[2], p[3], p[4], msglevel); } -#endif - else if (streq (p[0], "route") && p[1]) + else if (streq (p[0], "route") && p[1] && !p[5]) { VERIFY_PERMISSION (OPT_P_ROUTE); rol_check_alloc (options); @@ -5342,7 +5517,7 @@ add_option (struct options *options, } add_route_to_option_list (options->routes, p[1], p[2], p[3], p[4]); } - else if (streq (p[0], "route-ipv6") && p[1]) + else if (streq (p[0], "route-ipv6") && p[1] && !p[4]) { VERIFY_PERMISSION (OPT_P_ROUTE); rol6_check_alloc (options); @@ -5362,25 +5537,14 @@ add_option (struct options *options, } add_route_ipv6_to_option_list (options->routes_ipv6, p[1], p[2], p[3]); } - else if (streq (p[0], "max-routes") && p[1]) + else if (streq (p[0], "max-routes") && !p[2]) { - int max_routes; - - VERIFY_PERMISSION (OPT_P_GENERAL); - max_routes = atoi (p[1]); - if (max_routes < 0 || max_routes > 100000000) - { - msg (msglevel, "--max-routes parameter is out of range"); - goto err; - } - if (options->routes || options->routes_ipv6) - { - msg (msglevel, "--max-routes must to be specifed before any route/route-ipv6/redirect-gateway option"); - goto err; - } - options->max_routes = max_routes; + msg (M_WARN, "DEPRECATED OPTION: --max-routes option ignored." + "The number of routes is unlimited as of version 2.4. " + "This option will be removed in a future version, " + "please remove it from your configuration."); } - else if (streq (p[0], "route-gateway") && p[1]) + else if (streq (p[0], "route-gateway") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_ROUTE_EXTRAS); if (streq (p[1], "dhcp")) @@ -5400,12 +5564,12 @@ add_option (struct options *options, } } } - else if (streq (p[0], "route-metric") && p[1]) + else if (streq (p[0], "route-metric") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_ROUTE); options->route_default_metric = positive_atoi (p[1]); } - else if (streq (p[0], "route-delay")) + else if (streq (p[0], "route-delay") && !p[3]) { VERIFY_PERMISSION (OPT_P_ROUTE_EXTRAS); options->route_delay_defined = true; @@ -5439,17 +5603,37 @@ add_option (struct options *options, p[1], "route-pre-down", true); } - else if (streq (p[0], "route-noexec")) + else if (streq (p[0], "route-noexec") && !p[1]) { VERIFY_PERMISSION (OPT_P_SCRIPT); options->route_noexec = true; } - else if (streq (p[0], "route-nopull")) + else if (streq (p[0], "route-nopull") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->route_nopull = true; } - else if (streq (p[0], "allow-pull-fqdn")) + else if (streq (p[0], "pull-filter") && p[1] && p[2] && !p[3]) + { + struct pull_filter *f; + VERIFY_PERMISSION (OPT_P_GENERAL) + f = alloc_pull_filter (options, msglevel); + + if (strcmp ("accept", p[1]) == 0) + f->type = PUF_TYPE_ACCEPT; + else if (strcmp ("ignore", p[1]) == 0) + f->type = PUF_TYPE_IGNORE; + else if (strcmp ("reject", p[1]) == 0) + f->type = PUF_TYPE_REJECT; + else + { + msg (msglevel, "Unknown --pull-filter type: %s", p[1]); + goto err; + } + f->pattern = p[2]; + f->size = strlen(p[2]); + } + else if (streq (p[0], "allow-pull-fqdn") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->allow_pull_fqdn = true; @@ -5475,6 +5659,13 @@ add_option (struct options *options, options->routes->flags |= RG_BYPASS_DNS; else if (streq (p[j], "block-local")) options->routes->flags |= RG_BLOCK_LOCAL; + else if (streq (p[j], "ipv6")) + { + rol6_check_alloc (options); + options->routes_ipv6->flags |= RG_REROUTE_GW; + } + else if (streq (p[j], "!ipv4")) + options->routes->flags &= ~RG_REROUTE_GW; else { msg (msglevel, "unknown --%s flag: %s", p[0], p[j]); @@ -5483,15 +5674,15 @@ add_option (struct options *options, } options->routes->flags |= RG_ENABLE; } - else if (streq (p[0], "remote-random-hostname")) + else if (streq (p[0], "remote-random-hostname") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->sockflags |= SF_HOST_RANDOMIZE; } - else if (streq (p[0], "setenv") && p[1]) + else if (streq (p[0], "setenv") && p[1] && !p[3]) { VERIFY_PERMISSION (OPT_P_GENERAL); - if (streq (p[1], "REMOTE_RANDOM_HOSTNAME")) + if (streq (p[1], "REMOTE_RANDOM_HOSTNAME") && !p[2]) { options->sockflags |= SF_HOST_RANDOMIZE; } @@ -5501,17 +5692,15 @@ add_option (struct options *options, goto err; } #ifdef ENABLE_PUSH_PEER_INFO - else if (streq (p[1], "PUSH_PEER_INFO")) + else if (streq (p[1], "PUSH_PEER_INFO") && !p[2]) { options->push_peer_info = true; } #endif -#if P2MP else if (streq (p[1], "SERVER_POLL_TIMEOUT") && p[2]) { - options->server_poll_timeout = positive_atoi(p[2]); + options->ce.connect_timeout = positive_atoi(p[2]); } -#endif else { if (streq (p[1], "FORWARD_COMPATIBLE") && p[2] && streq (p[2], "1")) @@ -5522,17 +5711,17 @@ add_option (struct options *options, setenv_str (es, p[1], p[2] ? p[2] : ""); } } - else if (streq (p[0], "setenv-safe") && p[1]) + else if (streq (p[0], "setenv-safe") && p[1] && !p[3]) { VERIFY_PERMISSION (OPT_P_SETENV); setenv_str_safe (es, p[1], p[2] ? p[2] : ""); } - else if (streq (p[0], "script-security") && p[1]) + else if (streq (p[0], "script-security") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_GENERAL); script_security = atoi (p[1]); } - else if (streq (p[0], "mssfix")) + else if (streq (p[0], "mssfix") && !p[2]) { VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION); if (p[1]) @@ -5544,7 +5733,7 @@ add_option (struct options *options, } #ifdef ENABLE_OCC - else if (streq (p[0], "disable-occ")) + else if (streq (p[0], "disable-occ") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->occ = false; @@ -5552,7 +5741,7 @@ add_option (struct options *options, #endif #if P2MP #if P2MP_SERVER - else if (streq (p[0], "server") && p[1] && p[2]) + else if (streq (p[0], "server") && p[1] && p[2] && !p[4]) { const int lev = M_WARN; bool error = false; @@ -5581,7 +5770,7 @@ add_option (struct options *options, } } } - else if (streq (p[0], "server-ipv6") && p[1] ) + else if (streq (p[0], "server-ipv6") && p[1] && !p[3]) { const int lev = M_WARN; struct in6_addr network; @@ -5608,7 +5797,7 @@ add_option (struct options *options, goto err; } } - else if (streq (p[0], "server-bridge") && p[1] && p[2] && p[3] && p[4]) + else if (streq (p[0], "server-bridge") && p[1] && p[2] && p[3] && p[4] && !p[5]) { const int lev = M_WARN; bool error = false; @@ -5630,7 +5819,7 @@ add_option (struct options *options, options->server_bridge_pool_start = pool_start; options->server_bridge_pool_end = pool_end; } - else if (streq (p[0], "server-bridge") && p[1] && streq (p[1], "nogw")) + else if (streq (p[0], "server-bridge") && p[1] && streq (p[1], "nogw") && !p[2]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->server_bridge_proxy_dhcp = true; @@ -5641,17 +5830,23 @@ add_option (struct options *options, VERIFY_PERMISSION (OPT_P_GENERAL); options->server_bridge_proxy_dhcp = true; } - else if (streq (p[0], "push") && p[1]) + else if (streq (p[0], "push") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_PUSH); push_options (options, &p[1], msglevel, &options->gc); } - else if (streq (p[0], "push-reset")) + else if (streq (p[0], "push-reset") && !p[1]) { VERIFY_PERMISSION (OPT_P_INSTANCE); push_reset (options); } - else if (streq (p[0], "ifconfig-pool") && p[1] && p[2]) + else if (streq (p[0], "push-remove") && p[1] && !p[2]) + { + VERIFY_PERMISSION (OPT_P_INSTANCE); + msg (D_PUSH, "PUSH_REMOVE '%s'", p[1]); + push_remove_option (options,p[1]); + } + else if (streq (p[0], "ifconfig-pool") && p[1] && p[2] && !p[4]) { const int lev = M_WARN; bool error = false; @@ -5678,7 +5873,7 @@ add_option (struct options *options, if (netmask) options->ifconfig_pool_netmask = netmask; } - else if (streq (p[0], "ifconfig-pool-persist") && p[1]) + else if (streq (p[0], "ifconfig-pool-persist") && p[1] && !p[3]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->ifconfig_pool_persist_filename = p[1]; @@ -5687,12 +5882,12 @@ add_option (struct options *options, options->ifconfig_pool_persist_refresh_freq = positive_atoi (p[2]); } } - else if (streq (p[0], "ifconfig-pool-linear")) + else if (streq (p[0], "ifconfig-pool-linear") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->topology = TOP_P2P; } - else if (streq (p[0], "ifconfig-ipv6-pool") && p[1] ) + else if (streq (p[0], "ifconfig-ipv6-pool") && p[1] && !p[2]) { const int lev = M_WARN; struct in6_addr network; @@ -5714,7 +5909,7 @@ add_option (struct options *options, options->ifconfig_ipv6_pool_base = network; options->ifconfig_ipv6_pool_netbits = netbits; } - else if (streq (p[0], "hash-size") && p[1] && p[2]) + else if (streq (p[0], "hash-size") && p[1] && p[2] && !p[3]) { int real, virtual; @@ -5729,7 +5924,7 @@ add_option (struct options *options, options->real_hash_size = real; options->virtual_hash_size = real; } - else if (streq (p[0], "connect-freq") && p[1] && p[2]) + else if (streq (p[0], "connect-freq") && p[1] && p[2] && !p[3]) { int cf_max, cf_per; @@ -5744,7 +5939,7 @@ add_option (struct options *options, options->cf_max = cf_max; options->cf_per = cf_per; } - else if (streq (p[0], "max-clients") && p[1]) + else if (streq (p[0], "max-clients") && p[1] && !p[2]) { int max_clients; @@ -5755,29 +5950,55 @@ add_option (struct options *options, msg (msglevel, "--max-clients must be at least 1"); goto err; } + if (max_clients >= MAX_PEER_ID) /* max peer-id value */ + { + msg (msglevel, "--max-clients must be less than %d", MAX_PEER_ID); + goto err; + } options->max_clients = max_clients; } - else if (streq (p[0], "max-routes-per-client") && p[1]) + else if (streq (p[0], "max-routes-per-client") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_INHERIT); options->max_routes_per_client = max_int (atoi (p[1]), 1); } - else if (streq (p[0], "client-cert-not-required")) + else if (streq (p[0], "client-cert-not-required") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->ssl_flags |= SSLF_CLIENT_CERT_NOT_REQUIRED; + msg (M_WARN, "DEPRECATED OPTION: --client-cert-not-required, use --verify-client-cert instead"); + } + else if (streq (p[0], "verify-client-cert") && !p[2]) + { + VERIFY_PERMISSION (OPT_P_GENERAL); + + /* Reset any existing flags */ + options->ssl_flags &= ~SSLF_CLIENT_CERT_OPTIONAL; + options->ssl_flags &= ~SSLF_CLIENT_CERT_NOT_REQUIRED; + if (p[1]) + { + if (streq (p[1], "none")) + options->ssl_flags |= SSLF_CLIENT_CERT_NOT_REQUIRED; + else if (streq (p[1], "optional")) + options->ssl_flags |= SSLF_CLIENT_CERT_OPTIONAL; + else if (!streq (p[1], "require")) + { + msg (msglevel, "parameter to --verify-client-cert must be 'none', 'optional' or 'require'"); + goto err; + } + } } - else if (streq (p[0], "username-as-common-name")) + else if (streq (p[0], "username-as-common-name") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->ssl_flags |= SSLF_USERNAME_AS_COMMON_NAME; } - else if (streq (p[0], "auth-user-pass-optional")) + else if (streq (p[0], "auth-user-pass-optional") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->ssl_flags |= SSLF_AUTH_USER_PASS_OPTIONAL; } - else if (streq (p[0], "opt-verify")) + else if (streq (p[0], "opt-verify") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->ssl_flags |= SSLF_OPT_VERIFY; @@ -5808,6 +6029,12 @@ add_option (struct options *options, &options->auth_user_pass_verify_script, p[1], "auth-user-pass-verify", true); } + else if (streq (p[0], "auth-gen-token")) + { + VERIFY_PERMISSION (OPT_P_GENERAL); + options->auth_token_generate = true; + options->auth_token_lifetime = p[1] ? positive_atoi (p[1]) : 0; + } else if (streq (p[0], "client-connect") && p[1]) { VERIFY_PERMISSION (OPT_P_SCRIPT); @@ -5832,22 +6059,22 @@ add_option (struct options *options, set_user_script (options, &options->learn_address_script, p[1], "learn-address", true); } - else if (streq (p[0], "tmp-dir") && p[1]) + else if (streq (p[0], "tmp-dir") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->tmp_dir = p[1]; } - else if (streq (p[0], "client-config-dir") && p[1]) + else if (streq (p[0], "client-config-dir") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->client_config_dir = p[1]; } - else if (streq (p[0], "ccd-exclusive")) + else if (streq (p[0], "ccd-exclusive") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->ccd_exclusive = true; } - else if (streq (p[0], "bcast-buffers") && p[1]) + else if (streq (p[0], "bcast-buffers") && p[1] && !p[2]) { int n_bcast_buf; @@ -5857,7 +6084,7 @@ add_option (struct options *options, msg (msglevel, "--bcast-buffers parameter must be > 0"); options->n_bcast_buf = n_bcast_buf; } - else if (streq (p[0], "tcp-queue-limit") && p[1]) + else if (streq (p[0], "tcp-queue-limit") && p[1] && !p[2]) { int tcp_queue_limit; @@ -5868,34 +6095,25 @@ add_option (struct options *options, options->tcp_queue_limit = tcp_queue_limit; } #if PORT_SHARE - else if (streq (p[0], "port-share") && p[1] && p[2]) + else if (streq (p[0], "port-share") && p[1] && p[2] && !p[4]) { - int port; - VERIFY_PERMISSION (OPT_P_GENERAL); - port = atoi (p[2]); - if (!legal_ipv4_port (port)) - { - msg (msglevel, "port number associated with --port-share directive is out of range"); - goto err; - } - options->port_share_host = p[1]; - options->port_share_port = port; + options->port_share_port = p[2]; options->port_share_journal_dir = p[3]; } #endif - else if (streq (p[0], "client-to-client")) + else if (streq (p[0], "client-to-client") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->enable_c2c = true; } - else if (streq (p[0], "duplicate-cn")) + else if (streq (p[0], "duplicate-cn") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->duplicate_cn = true; } - else if (streq (p[0], "iroute") && p[1]) + else if (streq (p[0], "iroute") && p[1] && !p[3]) { const char *netmask = NULL; @@ -5906,12 +6124,12 @@ add_option (struct options *options, } option_iroute (options, p[1], netmask, msglevel); } - else if (streq (p[0], "iroute-ipv6") && p[1]) + else if (streq (p[0], "iroute-ipv6") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_INSTANCE); option_iroute_ipv6 (options, p[1], msglevel); } - else if (streq (p[0], "ifconfig-push") && p[1] && p[2]) + else if (streq (p[0], "ifconfig-push") && p[1] && p[2] && !p[4]) { in_addr_t local, remote_netmask; @@ -5923,10 +6141,8 @@ add_option (struct options *options, options->push_ifconfig_defined = true; options->push_ifconfig_local = local; options->push_ifconfig_remote_netmask = remote_netmask; -#ifdef ENABLE_CLIENT_NAT if (p[3]) options->push_ifconfig_local_alias = getaddr (GETADDR_HOST_ORDER|GETADDR_RESOLVE, p[3], 0, NULL, NULL); -#endif } else { @@ -5934,7 +6150,7 @@ add_option (struct options *options, goto err; } } - else if (streq (p[0], "ifconfig-push-constraint") && p[1] && p[2]) + else if (streq (p[0], "ifconfig-push-constraint") && p[1] && p[2] && !p[3]) { in_addr_t network, netmask; @@ -5953,7 +6169,7 @@ add_option (struct options *options, goto err; } } - else if (streq (p[0], "ifconfig-ipv6-push") && p[1] ) + else if (streq (p[0], "ifconfig-ipv6-push") && p[1] && !p[3]) { struct in6_addr local, remote; unsigned int netbits; @@ -5989,18 +6205,19 @@ add_option (struct options *options, options->push_ifconfig_ipv6_local = local; options->push_ifconfig_ipv6_netbits = netbits; options->push_ifconfig_ipv6_remote = remote; + options->push_ifconfig_ipv6_blocked = false; } - else if (streq (p[0], "disable")) + else if (streq (p[0], "disable") && !p[1]) { VERIFY_PERMISSION (OPT_P_INSTANCE); options->disable = true; } - else if (streq (p[0], "tcp-nodelay")) + else if (streq (p[0], "tcp-nodelay") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->server_flags |= SF_TCP_NODELAY_HELPER; } - else if (streq (p[0], "stale-routes-check") && p[1]) + else if (streq (p[0], "stale-routes-check") && p[1] && !p[3]) { int ageing_time, check_interval; @@ -6021,27 +6238,22 @@ add_option (struct options *options, } #endif /* P2MP_SERVER */ - else if (streq (p[0], "client")) + else if (streq (p[0], "client") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->client = true; } - else if (streq (p[0], "pull")) + else if (streq (p[0], "pull") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->pull = true; } - else if (streq (p[0], "push-continuation") && p[1]) + else if (streq (p[0], "push-continuation") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_PULL_MODE); options->push_continuation = atoi(p[1]); } - else if (streq (p[0], "server-poll-timeout") && p[1]) - { - VERIFY_PERMISSION (OPT_P_GENERAL); - options->server_poll_timeout = positive_atoi(p[1]); - } - else if (streq (p[0], "auth-user-pass")) + else if (streq (p[0], "auth-user-pass") && !p[2]) { VERIFY_PERMISSION (OPT_P_GENERAL); if (p[1]) @@ -6051,13 +6263,13 @@ add_option (struct options *options, else options->auth_user_pass_file = "stdin"; } - else if (streq (p[0], "auth-retry") && p[1]) + else if (streq (p[0], "auth-retry") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_GENERAL); auth_retry_set (msglevel, p[1]); } #ifdef ENABLE_CLIENT_CR - else if (streq (p[0], "static-challenge") && p[1] && p[2]) + else if (streq (p[0], "static-challenge") && p[1] && p[2] && !p[3]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->sc_info.challenge_text = p[1]; @@ -6066,8 +6278,26 @@ add_option (struct options *options, } #endif #endif -#ifdef WIN32 - else if (streq (p[0], "win-sys") && p[1]) + else if (streq (p[0], "msg-channel") && p[1]) + { +#ifdef _WIN32 + VERIFY_PERMISSION (OPT_P_GENERAL); + HANDLE process = GetCurrentProcess (); + HANDLE handle = (HANDLE) atoi (p[1]); + if (!DuplicateHandle (process, handle, process, &options->msg_channel, 0, + FALSE, DUPLICATE_CLOSE_SOURCE | DUPLICATE_SAME_ACCESS)) + { + msg (msglevel, "could not duplicate service pipe handle"); + goto err; + } + options->route_method = ROUTE_METHOD_SERVICE; +#else + msg (msglevel, "--msg-channel is only supported on Windows"); + goto err; +#endif + } +#ifdef _WIN32 + else if (streq (p[0], "win-sys") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_GENERAL); if (streq (p[1], "env")) @@ -6077,7 +6307,7 @@ add_option (struct options *options, else set_win_sys_path (p[1], es); } - else if (streq (p[0], "route-method") && p[1]) + else if (streq (p[0], "route-method") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_ROUTE_EXTRAS); if (streq (p[1], "adaptive")) @@ -6092,7 +6322,7 @@ add_option (struct options *options, goto err; } } - else if (streq (p[0], "ip-win32") && p[1]) + else if (streq (p[0], "ip-win32") && p[1] && !p[4]) { const int index = ascii2ipset (p[1]); struct tuntap_options *to = &options->tuntap_options; @@ -6146,7 +6376,9 @@ add_option (struct options *options, to->ip_win32_type = index; to->ip_win32_defined = true; } - else if (streq (p[0], "dhcp-option") && p[1]) +#endif +#if defined(_WIN32) || defined(TARGET_ANDROID) + else if (streq (p[0], "dhcp-option") && p[1] && !p[3]) { struct tuntap_options *o = &options->tuntap_options; VERIFY_PERMISSION (OPT_P_IPWIN32); @@ -6186,36 +6418,38 @@ add_option (struct options *options, { dhcp_option_address_parse ("NBDD", p[2], o->nbdd, &o->nbdd_len, msglevel); } - else if (streq (p[1], "DISABLE-NBT")) + else if (streq (p[1], "DISABLE-NBT") && !p[2]) { o->disable_nbt = 1; } else { - msg (msglevel, "--dhcp-option: unknown option type '%s' or missing parameter", p[1]); + msg (msglevel, "--dhcp-option: unknown option type '%s' or missing or unknown parameter", p[1]); goto err; } o->dhcp_options = true; } - else if (streq (p[0], "show-adapters")) +#endif +#ifdef _WIN32 + else if (streq (p[0], "show-adapters") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL); show_tap_win_adapters (M_INFO|M_NOPREFIX, M_WARN|M_NOPREFIX); openvpn_exit (OPENVPN_EXIT_STATUS_GOOD); /* exit point */ } - else if (streq (p[0], "show-net")) + else if (streq (p[0], "show-net") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL); show_routes (M_INFO|M_NOPREFIX); show_adapters (M_INFO|M_NOPREFIX); openvpn_exit (OPENVPN_EXIT_STATUS_GOOD); /* exit point */ } - else if (streq (p[0], "show-net-up")) + else if (streq (p[0], "show-net-up") && !p[1]) { VERIFY_PERMISSION (OPT_P_UP); options->show_net_up = true; } - else if (streq (p[0], "tap-sleep") && p[1]) + else if (streq (p[0], "tap-sleep") && p[1] && !p[2]) { int s; VERIFY_PERMISSION (OPT_P_IPWIN32); @@ -6227,22 +6461,22 @@ add_option (struct options *options, } options->tuntap_options.tap_sleep = s; } - else if (streq (p[0], "dhcp-renew")) + else if (streq (p[0], "dhcp-renew") && !p[1]) { VERIFY_PERMISSION (OPT_P_IPWIN32); options->tuntap_options.dhcp_renew = true; } - else if (streq (p[0], "dhcp-pre-release")) + else if (streq (p[0], "dhcp-pre-release") && !p[1]) { VERIFY_PERMISSION (OPT_P_IPWIN32); options->tuntap_options.dhcp_pre_release = true; } - else if (streq (p[0], "dhcp-release")) + else if (streq (p[0], "dhcp-release") && !p[1]) { VERIFY_PERMISSION (OPT_P_IPWIN32); options->tuntap_options.dhcp_release = true; } - else if (streq (p[0], "dhcp-internal") && p[1]) /* standalone method for internal use */ + else if (streq (p[0], "dhcp-internal") && p[1] && !p[2]) /* standalone method for internal use */ { unsigned int adapter_index; VERIFY_PERMISSION (OPT_P_GENERAL); @@ -6255,28 +6489,17 @@ add_option (struct options *options, dhcp_renew_by_adapter_index (adapter_index); openvpn_exit (OPENVPN_EXIT_STATUS_GOOD); /* exit point */ } - else if (streq (p[0], "register-dns")) + else if (streq (p[0], "register-dns") && !p[1]) { VERIFY_PERMISSION (OPT_P_IPWIN32); options->tuntap_options.register_dns = true; } -#ifdef WIN32 else if (streq (p[0], "block-outside-dns") && !p[1]) { VERIFY_PERMISSION (OPT_P_IPWIN32); - if (win_wfp_init_funcs()) - { - options->block_outside_dns = true; - } - else - { - msg (msglevel_fc, "Failed to enable --block-outside-dns. " - "Maybe WFP is not supported on your system?"); - goto err; - } + options->block_outside_dns = true; } -#endif - else if (streq (p[0], "rdns-internal")) + else if (streq (p[0], "rdns-internal") && !p[1]) /* standalone method for internal use * * (if --register-dns is set, openvpn needs to call itself in a @@ -6290,18 +6513,18 @@ add_option (struct options *options, ipconfig_register_dns (NULL); openvpn_exit (OPENVPN_EXIT_STATUS_GOOD); /* exit point */ } - else if (streq (p[0], "show-valid-subnets")) + else if (streq (p[0], "show-valid-subnets") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL); show_valid_win32_tun_subnets (); openvpn_exit (OPENVPN_EXIT_STATUS_GOOD); /* exit point */ } - else if (streq (p[0], "pause-exit")) + else if (streq (p[0], "pause-exit") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL); set_pause_exit_win32 (); } - else if (streq (p[0], "service") && p[1]) + else if (streq (p[0], "service") && p[1] && !p[3]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->exit_event_name = p[1]; @@ -6310,62 +6533,75 @@ add_option (struct options *options, options->exit_event_initial_state = (atoi(p[2]) != 0); } } - else if (streq (p[0], "allow-nonadmin")) + else if (streq (p[0], "allow-nonadmin") && !p[2]) { VERIFY_PERMISSION (OPT_P_GENERAL); tap_allow_nonadmin_access (p[1]); openvpn_exit (OPENVPN_EXIT_STATUS_GOOD); /* exit point */ } - else if (streq (p[0], "user") && p[1]) + else if (streq (p[0], "user") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_GENERAL); msg (M_WARN, "NOTE: --user option is not implemented on Windows"); } - else if (streq (p[0], "group") && p[1]) + else if (streq (p[0], "group") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_GENERAL); msg (M_WARN, "NOTE: --group option is not implemented on Windows"); } #else - else if (streq (p[0], "user") && p[1]) + else if (streq (p[0], "user") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->username = p[1]; } - else if (streq (p[0], "group") && p[1]) + else if (streq (p[0], "group") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->groupname = p[1]; } - else if (streq (p[0], "dhcp-option") && p[1]) + else if (streq (p[0], "dhcp-option") && p[1] && !p[3]) { VERIFY_PERMISSION (OPT_P_IPWIN32); foreign_option (options, p, 3, es); } - else if (streq (p[0], "route-method") && p[1]) /* ignore when pushed to non-Windows OS */ + else if (streq (p[0], "route-method") && p[1] && !p[2]) /* ignore when pushed to non-Windows OS */ { VERIFY_PERMISSION (OPT_P_ROUTE_EXTRAS); } #endif #if PASSTOS_CAPABILITY - else if (streq (p[0], "passtos")) + else if (streq (p[0], "passtos") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->passtos = true; } #endif -#ifdef ENABLE_LZO - else if (streq (p[0], "comp-lzo")) +#if defined(USE_COMP) + else if (streq (p[0], "comp-lzo") && !p[2]) { VERIFY_PERMISSION (OPT_P_COMP); - if (p[1]) + +#if defined(ENABLE_LZO) + if (p[1] && streq (p[1], "no")) +#endif + { + options->comp.alg = COMP_ALG_STUB; + options->comp.flags = 0; + } +#if defined(ENABLE_LZO) + else if (p[1]) { if (streq (p[1], "yes")) - options->lzo = LZO_SELECTED|LZO_ON; - else if (streq (p[1], "no")) - options->lzo = LZO_SELECTED; + { + options->comp.alg = COMP_ALG_LZO; + options->comp.flags = 0; + } else if (streq (p[1], "adaptive")) - options->lzo = LZO_SELECTED|LZO_ON|LZO_ADAPTIVE; + { + options->comp.alg = COMP_ALG_LZO; + options->comp.flags = COMP_F_ADAPTIVE; + } else { msg (msglevel, "bad comp-lzo option: %s -- must be 'yes', 'no', or 'adaptive'", p[1]); @@ -6373,31 +6609,81 @@ add_option (struct options *options, } } else - options->lzo = LZO_SELECTED|LZO_ON|LZO_ADAPTIVE; + { + options->comp.alg = COMP_ALG_LZO; + options->comp.flags = COMP_F_ADAPTIVE; + } +#endif + } + else if (streq (p[0], "comp-noadapt") && !p[1]) + { + VERIFY_PERMISSION (OPT_P_COMP); + options->comp.flags &= ~COMP_F_ADAPTIVE; } - else if (streq (p[0], "comp-noadapt")) + else if (streq (p[0], "compress") && !p[2]) { VERIFY_PERMISSION (OPT_P_COMP); - options->lzo &= ~LZO_ADAPTIVE; + if (p[1]) + { + if (streq (p[1], "stub")) + { + options->comp.alg = COMP_ALG_STUB; + options->comp.flags = (COMP_F_SWAP|COMP_F_ADVERTISE_STUBS_ONLY); + } + else if (streq(p[1], "stub-v2")) + { + options->comp.alg = COMP_ALGV2_UNCOMPRESSED; + options->comp.flags = COMP_F_ADVERTISE_STUBS_ONLY; + } +#if defined(ENABLE_LZO) + else if (streq (p[1], "lzo")) + { + options->comp.alg = COMP_ALG_LZO; + options->comp.flags = 0; + } +#endif +#if defined(ENABLE_LZ4) + else if (streq (p[1], "lz4")) + { + options->comp.alg = COMP_ALG_LZ4; + options->comp.flags = COMP_F_SWAP; + } + else if (streq (p[1], "lz4-v2")) + { + options->comp.alg = COMP_ALGV2_LZ4; + options->comp.flags = 0; + } +#endif + else + { + msg (msglevel, "bad comp option: %s", p[1]); + goto err; + } + } + else + { + options->comp.alg = COMP_ALG_STUB; + options->comp.flags = COMP_F_SWAP; + } } -#endif /* ENABLE_LZO */ +#endif /* USE_COMP */ #ifdef ENABLE_CRYPTO - else if (streq (p[0], "show-ciphers")) + else if (streq (p[0], "show-ciphers") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->show_ciphers = true; } - else if (streq (p[0], "show-digests")) + else if (streq (p[0], "show-digests") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->show_digests = true; } - else if (streq (p[0], "show-engines")) + else if (streq (p[0], "show-engines") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->show_engines = true; } - else if (streq (p[0], "key-direction") && p[1]) + else if (streq (p[0], "key-direction") && p[1] && !p[2]) { int key_direction; @@ -6407,7 +6693,7 @@ add_option (struct options *options, else goto err; } - else if (streq (p[0], "secret") && p[1]) + else if (streq (p[0], "secret") && p[1] && !p[3]) { VERIFY_PERMISSION (OPT_P_GENERAL); if (streq (p[1], INLINE_FILE_TAG) && p[2]) @@ -6427,46 +6713,34 @@ add_option (struct options *options, } options->shared_secret_file = p[1]; } - else if (streq (p[0], "genkey")) + else if (streq (p[0], "genkey") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->genkey = true; } - else if (streq (p[0], "auth") && p[1]) + else if (streq (p[0], "auth") && p[1] && !p[2]) { - VERIFY_PERMISSION (OPT_P_CRYPTO); - options->authname_defined = true; + VERIFY_PERMISSION (OPT_P_GENERAL); options->authname = p[1]; - if (streq (options->authname, "none")) - { - options->authname_defined = false; - options->authname = NULL; - } } - else if (streq (p[0], "auth")) + else if (streq (p[0], "cipher") && p[1] && !p[2]) { - VERIFY_PERMISSION (OPT_P_CRYPTO); - options->authname_defined = true; + VERIFY_PERMISSION (OPT_P_NCP); + options->ciphername = p[1]; } - else if (streq (p[0], "cipher") && p[1]) + else if (streq (p[0], "ncp-ciphers") && p[1] && !p[2]) { - VERIFY_PERMISSION (OPT_P_CRYPTO); - options->ciphername_defined = true; - options->ciphername = p[1]; - if (streq (options->ciphername, "none")) - { - options->ciphername_defined = false; - options->ciphername = NULL; - } + VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_INSTANCE); + options->ncp_ciphers = p[1]; } - else if (streq (p[0], "cipher")) + else if (streq (p[0], "ncp-disable") && !p[1]) { - VERIFY_PERMISSION (OPT_P_CRYPTO); - options->ciphername_defined = true; + VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_INSTANCE); + options->ncp_enabled = false; } - else if (streq (p[0], "prng") && p[1]) + else if (streq (p[0], "prng") && p[1] && !p[3]) { - VERIFY_PERMISSION (OPT_P_CRYPTO); + VERIFY_PERMISSION (OPT_P_GENERAL); if (streq (p[1], "none")) options->prng_hash = NULL; else @@ -6486,14 +6760,14 @@ add_option (struct options *options, } } } - else if (streq (p[0], "no-replay")) + else if (streq (p[0], "no-replay") && !p[1]) { - VERIFY_PERMISSION (OPT_P_CRYPTO); + VERIFY_PERMISSION (OPT_P_GENERAL); options->replay = false; } - else if (streq (p[0], "replay-window")) + else if (streq (p[0], "replay-window") && !p[3]) { - VERIFY_PERMISSION (OPT_P_CRYPTO); + VERIFY_PERMISSION (OPT_P_GENERAL); if (p[1]) { int replay_window; @@ -6531,28 +6805,28 @@ add_option (struct options *options, goto err; } } - else if (streq (p[0], "mute-replay-warnings")) + else if (streq (p[0], "mute-replay-warnings") && !p[1]) { - VERIFY_PERMISSION (OPT_P_CRYPTO); + VERIFY_PERMISSION (OPT_P_GENERAL); options->mute_replay_warnings = true; } - else if (streq (p[0], "no-iv")) + else if (streq (p[0], "no-iv") && !p[1]) { - VERIFY_PERMISSION (OPT_P_CRYPTO); + VERIFY_PERMISSION (OPT_P_GENERAL); options->use_iv = false; } - else if (streq (p[0], "replay-persist") && p[1]) + else if (streq (p[0], "replay-persist") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->packet_id_file = p[1]; } - else if (streq (p[0], "test-crypto")) + else if (streq (p[0], "test-crypto") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->test_crypto = true; } -#ifndef ENABLE_CRYPTO_POLARSSL - else if (streq (p[0], "engine")) +#ifndef ENABLE_CRYPTO_MBEDTLS + else if (streq (p[0], "engine") && !p[2]) { VERIFY_PERMISSION (OPT_P_GENERAL); if (p[1]) @@ -6562,13 +6836,13 @@ add_option (struct options *options, else options->engine = "auto"; } -#endif /* ENABLE_CRYPTO_POLARSSL */ +#endif /* ENABLE_CRYPTO_MBEDTLS */ #ifdef HAVE_EVP_CIPHER_CTX_SET_KEY_LENGTH - else if (streq (p[0], "keysize") && p[1]) + else if (streq (p[0], "keysize") && p[1] && !p[2]) { int keysize; - VERIFY_PERMISSION (OPT_P_CRYPTO); + VERIFY_PERMISSION (OPT_P_NCP); keysize = atoi (p[1]) / 8; if (keysize < 0 || keysize > MAX_CIPHER_KEY_LENGTH) { @@ -6579,29 +6853,38 @@ add_option (struct options *options, } #endif #ifdef ENABLE_PREDICTION_RESISTANCE - else if (streq (p[0], "use-prediction-resistance")) + else if (streq (p[0], "use-prediction-resistance") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->use_prediction_resistance = true; } #endif -#ifdef ENABLE_SSL - else if (streq (p[0], "show-tls")) + else if (streq (p[0], "show-tls") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->show_tls_ciphers = true; } - else if (streq (p[0], "tls-server")) + else if (streq (p[0], "show-curves") && !p[1]) + { + VERIFY_PERMISSION (OPT_P_GENERAL); + options->show_curves = true; + } + else if (streq (p[0], "ecdh-curve") && p[1] && !p[2]) + { + VERIFY_PERMISSION (OPT_P_GENERAL); + options->ecdh_curve= p[1]; + } + else if (streq (p[0], "tls-server") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->tls_server = true; } - else if (streq (p[0], "tls-client")) + else if (streq (p[0], "tls-client") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->tls_client = true; } - else if (streq (p[0], "ca") && p[1]) + else if (streq (p[0], "ca") && p[1] && ((streq (p[1], INLINE_FILE_TAG) && p[2]) || !p[2]) && !p[3]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->ca_file = p[1]; @@ -6610,14 +6893,14 @@ add_option (struct options *options, options->ca_file_inline = p[2]; } } -#ifndef ENABLE_CRYPTO_POLARSSL - else if (streq (p[0], "capath") && p[1]) +#ifndef ENABLE_CRYPTO_MBEDTLS + else if (streq (p[0], "capath") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->ca_path = p[1]; } -#endif /* ENABLE_CRYPTO_POLARSSL */ - else if (streq (p[0], "dh") && p[1]) +#endif /* ENABLE_CRYPTO_MBEDTLS */ + else if (streq (p[0], "dh") && p[1] && ((streq (p[1], INLINE_FILE_TAG) && p[2]) || !p[2]) && !p[3]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->dh_file = p[1]; @@ -6626,7 +6909,7 @@ add_option (struct options *options, options->dh_file_inline = p[2]; } } - else if (streq (p[0], "cert") && p[1]) + else if (streq (p[0], "cert") && p[1] && ((streq (p[1], INLINE_FILE_TAG) && p[2]) || !p[2]) && !p[3]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->cert_file = p[1]; @@ -6635,7 +6918,7 @@ add_option (struct options *options, options->cert_file_inline = p[2]; } } - else if (streq (p[0], "extra-certs") && p[1]) + else if (streq (p[0], "extra-certs") && p[1] && ((streq (p[1], INLINE_FILE_TAG) && p[2]) || !p[2]) && !p[3]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->extra_certs_file = p[1]; @@ -6644,19 +6927,19 @@ add_option (struct options *options, options->extra_certs_file_inline = p[2]; } } - else if (streq (p[0], "verify-hash") && p[1]) + else if (streq (p[0], "verify-hash") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->verify_hash = parse_hash_fingerprint(p[1], SHA_DIGEST_LENGTH, msglevel, &options->gc); } #ifdef ENABLE_CRYPTOAPI - else if (streq (p[0], "cryptoapicert") && p[1]) + else if (streq (p[0], "cryptoapicert") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->cryptoapi_cert = p[1]; } #endif - else if (streq (p[0], "key") && p[1]) + else if (streq (p[0], "key") && p[1] && ((streq (p[1], INLINE_FILE_TAG) && p[2]) || !p[2]) && !p[3]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->priv_key_file = p[1]; @@ -6665,7 +6948,7 @@ add_option (struct options *options, options->priv_key_file_inline = p[2]; } } - else if (streq (p[0], "tls-version-min") && p[1]) + else if (streq (p[0], "tls-version-min") && p[1] && !p[3]) { int ver; VERIFY_PERMISSION (OPT_P_GENERAL); @@ -6679,7 +6962,7 @@ add_option (struct options *options, ~(SSLF_TLS_VERSION_MIN_MASK << SSLF_TLS_VERSION_MIN_SHIFT); options->ssl_flags |= (ver << SSLF_TLS_VERSION_MIN_SHIFT); } - else if (streq (p[0], "tls-version-max") && p[1]) + else if (streq (p[0], "tls-version-max") && p[1] && !p[2]) { int ver; VERIFY_PERMISSION (OPT_P_GENERAL); @@ -6693,8 +6976,8 @@ add_option (struct options *options, ~(SSLF_TLS_VERSION_MAX_MASK << SSLF_TLS_VERSION_MAX_SHIFT); options->ssl_flags |= (ver << SSLF_TLS_VERSION_MAX_SHIFT); } -#ifndef ENABLE_CRYPTO_POLARSSL - else if (streq (p[0], "pkcs12") && p[1]) +#ifndef ENABLE_CRYPTO_MBEDTLS + else if (streq (p[0], "pkcs12") && p[1] && ((streq (p[1], INLINE_FILE_TAG) && p[2]) || !p[2]) && !p[3]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->pkcs12_file = p[1]; @@ -6703,8 +6986,8 @@ add_option (struct options *options, options->pkcs12_file_inline = p[2]; } } -#endif /* ENABLE_CRYPTO_POLARSSL */ - else if (streq (p[0], "askpass")) +#endif /* ENABLE_CRYPTO_MBEDTLS */ + else if (streq (p[0], "askpass") && !p[2]) { VERIFY_PERMISSION (OPT_P_GENERAL); if (p[1]) @@ -6714,12 +6997,12 @@ add_option (struct options *options, else options->key_pass_file = "stdin"; } - else if (streq (p[0], "auth-nocache")) + else if (streq (p[0], "auth-nocache") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL); ssl_set_auth_nocache (); } - else if (streq (p[0], "auth-token") && p[1]) + else if (streq (p[0], "auth-token") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_ECHO); ssl_set_auth_token(p[1]); @@ -6728,34 +7011,39 @@ add_option (struct options *options, management_auth_token (management, p[1]); #endif } - else if (streq (p[0], "single-session")) + else if (streq (p[0], "single-session") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->single_session = true; } #ifdef ENABLE_PUSH_PEER_INFO - else if (streq (p[0], "push-peer-info")) + else if (streq (p[0], "push-peer-info") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->push_peer_info = true; } #endif - else if (streq (p[0], "tls-exit")) + else if (streq (p[0], "tls-exit") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->tls_exit = true; } - else if (streq (p[0], "tls-cipher") && p[1]) + else if (streq (p[0], "tls-cipher") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->cipher_list = p[1]; } - else if (streq (p[0], "crl-verify") && p[1]) + else if (streq (p[0], "crl-verify") && p[1] && ((p[2] && streq(p[2], "dir")) + || (p[2] && streq (p[1], INLINE_FILE_TAG) ) || !p[2]) && !p[3]) { VERIFY_PERMISSION (OPT_P_GENERAL); if (p[2] && streq(p[2], "dir")) options->ssl_flags |= SSLF_CRL_VERIFY_DIR; options->crl_file = p[1]; + if (streq (p[1], INLINE_FILE_TAG) && p[2]) + { + options->crl_file_inline = p[2]; + } } else if (streq (p[0], "tls-verify") && p[1]) { @@ -6766,85 +7054,48 @@ add_option (struct options *options, string_substitute (p[1], ',', ' ', &options->gc), "tls-verify", true); } -#ifndef ENABLE_CRYPTO_POLARSSL - else if (streq (p[0], "tls-export-cert") && p[1]) +#ifndef ENABLE_CRYPTO_MBEDTLS + else if (streq (p[0], "tls-export-cert") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->tls_export_cert = p[1]; } #endif - else if (streq (p[0], "compat-names")) +#if P2MP_SERVER + else if (streq (p[0], "compat-names") && ((p[1] && streq (p[1], "no-remapping")) || !p[1]) && !p[2]) +#else + else if (streq (p[0], "compat-names") && !p[1]) +#endif { VERIFY_PERMISSION (OPT_P_GENERAL); - if (options->verify_x509_type != VERIFY_X509_NONE && - options->verify_x509_type != TLS_REMOTE_SUBJECT_DN && - options->verify_x509_type != TLS_REMOTE_SUBJECT_RDN_PREFIX) + if (options->verify_x509_type != VERIFY_X509_NONE) { msg (msglevel, "you cannot use --compat-names with --verify-x509-name"); goto err; } - msg (M_WARN, "DEPRECATED OPTION: --compat-names, please update your configuration"); + msg (M_WARN, "DEPRECATED OPTION: --compat-names, please update your configuration. This will be removed in OpenVPN v2.5."); compat_flag (COMPAT_FLAG_SET | COMPAT_NAMES); #if P2MP_SERVER if (p[1] && streq (p[1], "no-remapping")) compat_flag (COMPAT_FLAG_SET | COMPAT_NO_NAME_REMAPPING); } - else if (streq (p[0], "no-name-remapping")) + else if (streq (p[0], "no-name-remapping") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL); - if (options->verify_x509_type != VERIFY_X509_NONE && - options->verify_x509_type != TLS_REMOTE_SUBJECT_DN && - options->verify_x509_type != TLS_REMOTE_SUBJECT_RDN_PREFIX) + if (options->verify_x509_type != VERIFY_X509_NONE) { msg (msglevel, "you cannot use --no-name-remapping with --verify-x509-name"); goto err; } - msg (M_WARN, "DEPRECATED OPTION: --no-name-remapping, please update your configuration"); + msg (M_WARN, "DEPRECATED OPTION: --no-name-remapping, please update your configuration. This will be removed in OpenVPN v2.5."); compat_flag (COMPAT_FLAG_SET | COMPAT_NAMES); compat_flag (COMPAT_FLAG_SET | COMPAT_NO_NAME_REMAPPING); #endif } - else if (streq (p[0], "tls-remote") && p[1]) - { - VERIFY_PERMISSION (OPT_P_GENERAL); - - if (options->verify_x509_type != VERIFY_X509_NONE && - options->verify_x509_type != TLS_REMOTE_SUBJECT_DN && - options->verify_x509_type != TLS_REMOTE_SUBJECT_RDN_PREFIX) - { - msg (msglevel, "you cannot use --tls-remote with --verify-x509-name"); - goto err; - } - msg (M_WARN, "DEPRECATED OPTION: --tls-remote, please update your configuration"); - - if (strlen (p[1])) - { - int is_username = (!strchr (p[1], '=') || !strstr (p[1], ", ")); - int type = TLS_REMOTE_SUBJECT_DN; - if (p[1][0] != '/' && is_username) - type = TLS_REMOTE_SUBJECT_RDN_PREFIX; - - /* - * Enable legacy openvpn format for DNs that have not been converted - * yet and --x509-username-field (not containing an '=' or ', ') - */ - if (p[1][0] == '/' || is_username) - compat_flag (COMPAT_FLAG_SET | COMPAT_NAMES); - - options->verify_x509_type = type; - options->verify_x509_name = p[1]; - } - } - else if (streq (p[0], "verify-x509-name") && p[1] && strlen (p[1])) + else if (streq (p[0], "verify-x509-name") && p[1] && strlen (p[1]) && !p[3]) { int type = VERIFY_X509_SUBJECT_DN; VERIFY_PERMISSION (OPT_P_GENERAL); - if (options->verify_x509_type == TLS_REMOTE_SUBJECT_DN || - options->verify_x509_type == TLS_REMOTE_SUBJECT_RDN_PREFIX) - { - msg (msglevel, "you cannot use --verify-x509-name with --tls-remote"); - goto err; - } if (compat_flag (COMPAT_FLAG_QUERY | COMPAT_NAMES)) { msg (msglevel, "you cannot use --verify-x509-name with " @@ -6868,7 +7119,7 @@ add_option (struct options *options, options->verify_x509_type = type; options->verify_x509_name = p[1]; } - else if (streq (p[0], "ns-cert-type") && p[1]) + else if (streq (p[0], "ns-cert-type") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_GENERAL); if (streq (p[1], "server")) @@ -6881,7 +7132,6 @@ add_option (struct options *options, goto err; } } -#if OPENSSL_VERSION_NUMBER >= 0x00907000L || ENABLE_CRYPTO_POLARSSL else if (streq (p[0], "remote-cert-ku")) { int j; @@ -6891,12 +7141,12 @@ add_option (struct options *options, for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j) sscanf (p[j], "%x", &(options->remote_cert_ku[j-1])); } - else if (streq (p[0], "remote-cert-eku") && p[1]) + else if (streq (p[0], "remote-cert-eku") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->remote_cert_eku = p[1]; } - else if (streq (p[0], "remote-cert-tls") && p[1]) + else if (streq (p[0], "remote-cert-tls") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_GENERAL); @@ -6919,38 +7169,37 @@ add_option (struct options *options, goto err; } } -#endif /* OPENSSL_VERSION_NUMBER */ - else if (streq (p[0], "tls-timeout") && p[1]) + else if (streq (p[0], "tls-timeout") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_TLS_PARMS); options->tls_timeout = positive_atoi (p[1]); } - else if (streq (p[0], "reneg-bytes") && p[1]) + else if (streq (p[0], "reneg-bytes") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_TLS_PARMS); options->renegotiate_bytes = positive_atoi (p[1]); } - else if (streq (p[0], "reneg-pkts") && p[1]) + else if (streq (p[0], "reneg-pkts") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_TLS_PARMS); options->renegotiate_packets = positive_atoi (p[1]); } - else if (streq (p[0], "reneg-sec") && p[1]) + else if (streq (p[0], "reneg-sec") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_TLS_PARMS); options->renegotiate_seconds = positive_atoi (p[1]); } - else if (streq (p[0], "hand-window") && p[1]) + else if (streq (p[0], "hand-window") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_TLS_PARMS); options->handshake_window = positive_atoi (p[1]); } - else if (streq (p[0], "tran-window") && p[1]) + else if (streq (p[0], "tran-window") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_TLS_PARMS); options->transition_window = positive_atoi (p[1]); } - else if (streq (p[0], "tls-auth") && p[1]) + else if (streq (p[0], "tls-auth") && p[1] && !p[3]) { VERIFY_PERMISSION (OPT_P_GENERAL); if (streq (p[1], INLINE_FILE_TAG) && p[2]) @@ -6970,7 +7219,16 @@ add_option (struct options *options, } options->tls_auth_file = p[1]; } - else if (streq (p[0], "key-method") && p[1]) + else if (streq (p[0], "tls-crypt") && p[1] && !p[3]) + { + VERIFY_PERMISSION (OPT_P_GENERAL); + if (streq (p[1], INLINE_FILE_TAG) && p[2]) + { + options->tls_crypt_inline = p[2]; + } + options->tls_crypt_file = p[1]; + } + else if (streq (p[0], "key-method") && p[1] && !p[2]) { int key_method; @@ -6986,8 +7244,13 @@ add_option (struct options *options, } options->key_method = key_method; } + else if (streq (p[0], "x509-track") && p[1] && !p[2]) + { + VERIFY_PERMISSION (OPT_P_GENERAL); + x509_track_add (&options->x509_track, p[1], msglevel, &options->gc); + } #ifdef ENABLE_X509ALTUSERNAME - else if (streq (p[0], "x509-username-field") && p[1]) + else if (streq (p[0], "x509-username-field") && p[1] && !p[2]) { /* This option used to automatically upcase the fieldname passed as the * option argument, e.g., "ou" became "OU". Now, this "helpfulness" is @@ -7014,10 +7277,9 @@ add_option (struct options *options, options->x509_username_field = p[1]; } #endif /* ENABLE_X509ALTUSERNAME */ -#endif /* ENABLE_SSL */ #endif /* ENABLE_CRYPTO */ #ifdef ENABLE_PKCS11 - else if (streq (p[0], "show-pkcs11-ids")) + else if (streq (p[0], "show-pkcs11-ids") && !p[3]) { char *provider = p[1]; bool cert_private = (p[2] == NULL ? false : ( atoi (p[2]) != 0 )); @@ -7087,40 +7349,68 @@ add_option (struct options *options, for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j) options->pkcs11_cert_private[j-1] = atoi (p[j]) != 0 ? 1 : 0; } - else if (streq (p[0], "pkcs11-pin-cache") && p[1]) + else if (streq (p[0], "pkcs11-pin-cache") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->pkcs11_pin_cache_period = atoi (p[1]); } - else if (streq (p[0], "pkcs11-id") && p[1]) + else if (streq (p[0], "pkcs11-id") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->pkcs11_id = p[1]; } - else if (streq (p[0], "pkcs11-id-management")) + else if (streq (p[0], "pkcs11-id-management") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->pkcs11_id_management = true; } #endif - else if (streq (p[0], "rmtun")) + else if (streq (p[0], "rmtun") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->persist_config = true; options->persist_mode = 0; } - else if (streq (p[0], "mktun")) + else if (streq (p[0], "mktun") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->persist_config = true; options->persist_mode = 1; } - else if (streq (p[0], "peer-id") && p[1]) + else if (streq (p[0], "peer-id") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_PEER_ID); options->use_peer_id = true; options->peer_id = atoi(p[1]); } +#if defined(ENABLE_CRYPTO_OPENSSL) && OPENSSL_VERSION_NUMBER >= 0x10001000 + else if (streq (p[0], "keying-material-exporter") && p[1] && p[2]) + { + int ekm_length = positive_atoi (p[2]); + + VERIFY_PERMISSION (OPT_P_GENERAL); + + if (strncmp(p[1], "EXPORTER", 8)) + { + msg (msglevel, "Keying material exporter label must begin with " + "\"EXPORTER\""); + goto err; + } + if (ekm_length < 16 || ekm_length > 4095) + { + msg (msglevel, "Invalid keying material exporter length"); + goto err; + } + + options->keying_material_exporter_label = p[1]; + options->keying_material_exporter_length = ekm_length; + } +#endif + else if (streq (p[0], "allow-recursive-routing") && !p[1]) + { + VERIFY_PERMISSION (OPT_P_GENERAL); + options->allow_recursive_routing = true; + } else { int i; @@ -7136,9 +7426,9 @@ add_option (struct options *options, } } if (file) - msg (msglevel, "Unrecognized option or missing parameter(s) in %s:%d: %s (%s)", file, line, p[0], PACKAGE_VERSION); + msg (msglevel, "Unrecognized option or missing or extra parameter(s) in %s:%d: %s (%s)", file, line, p[0], PACKAGE_VERSION); else - msg (msglevel, "Unrecognized option or missing parameter(s): --%s (%s)", p[0], PACKAGE_VERSION); + msg (msglevel, "Unrecognized option or missing or extra parameter(s): --%s (%s)", p[0], PACKAGE_VERSION); } err: gc_free (&gc); diff --git a/src/openvpn/options.h b/src/openvpn/options.h index 26b09ea..a028556 100644 --- a/src/openvpn/options.h +++ b/src/openvpn/options.h @@ -39,7 +39,7 @@ #include "plugin.h" #include "manage.h" #include "proxy.h" -#include "lzo.h" +#include "comp.h" #include "pushlist.h" #include "clinat.h" @@ -71,44 +71,37 @@ struct options_pre_pull bool routes_ipv6_defined; struct route_ipv6_option_list *routes_ipv6; -#ifdef ENABLE_CLIENT_NAT bool client_nat_defined; struct client_nat_option_list *client_nat; -#endif int foreign_option_index; }; #endif -#if defined(ENABLE_CRYPTO) && !defined(ENABLE_CRYPTO_OPENSSL) && !defined(ENABLE_CRYPTO_POLARSSL) -# error "At least one of OpenSSL or PolarSSL needs to be defined." +#if defined(ENABLE_CRYPTO) && !defined(ENABLE_CRYPTO_OPENSSL) && !defined(ENABLE_CRYPTO_MBEDTLS) +# error "At least one of OpenSSL or mbed TLS needs to be defined." #endif struct connection_entry { int proto; - int local_port; + sa_family_t af; + const char* local_port; bool local_port_defined; - int remote_port; + const char *remote_port; const char *local; const char *remote; bool remote_float; bool bind_defined; + bool bind_ipv6_only; bool bind_local; int connect_retry_seconds; - bool connect_retry_defined; - int connect_retry_max; + int connect_retry_seconds_max; int connect_timeout; - bool connect_timeout_defined; -#ifdef ENABLE_HTTP_PROXY struct http_proxy_options *http_proxy_options; -#endif -#ifdef ENABLE_SOCKS const char *socks_proxy_server; - int socks_proxy_port; + const char *socks_proxy_port; const char *socks_proxy_authfile; - bool socks_proxy_retry; -#endif int tun_mtu; /* MTU of tun device */ bool tun_mtu_defined; /* true if user overriding parm with command line option */ @@ -124,9 +117,7 @@ struct connection_entry int mssfix; /* Upper bound on TCP MSS */ bool mssfix_default; /* true if --mssfix was supplied without a parameter */ -#ifdef ENABLE_OCC - int explicit_exit_notification; /* Explicitly tell peer when we are exiting via OCC_EXIT message */ -#endif + int explicit_exit_notification; /* Explicitly tell peer when we are exiting via OCC_EXIT or [RESTART] message */ # define CE_DISABLED (1<<0) # define CE_MAN_QUERY_PROXY (1<<1) @@ -143,8 +134,9 @@ struct connection_entry struct remote_entry { const char *remote; - int remote_port; + const char *remote_port; int proto; + sa_family_t af; }; #define CONNECTION_LIST_SIZE 64 @@ -153,8 +145,6 @@ struct connection_list { int len; int current; - int n_cycles; - bool no_advance; struct connection_entry *array[CONNECTION_LIST_SIZE]; }; @@ -168,6 +158,8 @@ struct remote_host_store { # define RH_HOST_LEN 80 char host[RH_HOST_LEN]; +#define RH_PORT_LEN 20 + char port[RH_PORT_LEN]; }; /* Command line options */ @@ -198,20 +190,23 @@ struct options bool show_ciphers; bool show_digests; bool show_engines; -#ifdef ENABLE_SSL bool show_tls_ciphers; -#endif + bool show_curves; bool genkey; #endif /* Networking parms */ + int connect_retry_max; struct connection_entry ce; - char *remote_ip_hint; struct connection_list *connection_list; + struct remote_list *remote_list; - bool force_connection_list; + /* Do not advanced the connection or remote addr list*/ + bool no_advance; + /* Counts the number of unsuccessful connection attempts */ + unsigned int unsuccessful_attempts; -#if HTTP_PROXY_OVERRIDE +#if ENABLE_MANAGEMENT struct http_proxy_options *http_proxy_override; #endif @@ -256,7 +251,6 @@ struct options int ping_send_timeout; /* Send a TCP/UDP ping to remote every n seconds */ int ping_rec_timeout; /* Expect a TCP/UDP ping from remote at least once every n seconds */ bool ping_timer_remote; /* Run ping timer only if we have a remote address */ - bool tun_ipv6; /* Build tun dev that supports IPv6 */ # define PING_UNDEF 0 # define PING_EXIT 1 @@ -273,6 +267,8 @@ struct options #endif int resolve_retry_seconds; /* If hostname resolve fails, retry for n seconds */ + bool resolve_in_advance; + const char *ip_remote_hint; struct tuntap_options tuntap_options; @@ -300,6 +296,7 @@ struct options bool log; bool suppress_timestamps; + bool machine_readable_output; int nice; int verbosity; int mute; @@ -315,9 +312,8 @@ struct options /* optimize TUN/TAP/UDP writes */ bool fast_io; -#ifdef ENABLE_LZO - /* LZO_x flags from lzo.h */ - unsigned int lzo; +#ifdef USE_COMP + struct compress_options comp; #endif /* buffer sizes */ @@ -339,16 +335,12 @@ struct options int route_delay; int route_delay_window; bool route_delay_defined; - int max_routes; struct route_option_list *routes; struct route_ipv6_option_list *routes_ipv6; /* IPv6 */ bool route_nopull; bool route_gateway_via_dhcp; bool allow_pull_fqdn; /* as a client, allow server to push a FQDN for certain parameters */ - -#ifdef ENABLE_CLIENT_NAT struct client_nat_option_list *client_nat; -#endif #ifdef ENABLE_OCC /* Enable options consistency check between peers */ @@ -357,7 +349,7 @@ struct options #ifdef ENABLE_MANAGEMENT const char *management_addr; - int management_port; + const char *management_port; const char *management_user_pass; int management_log_history_cache; int management_echo_buffer_size; @@ -369,6 +361,7 @@ struct options /* Mask of MF_ values of manage.h */ unsigned int management_flags; + const char *management_certificate; #endif #ifdef ENABLE_PLUGIN @@ -429,9 +422,7 @@ struct options bool push_ifconfig_defined; in_addr_t push_ifconfig_local; in_addr_t push_ifconfig_remote_netmask; -#ifdef ENABLE_CLIENT_NAT in_addr_t push_ifconfig_local_alias; -#endif bool push_ifconfig_constraint_defined; in_addr_t push_ifconfig_constraint_network; in_addr_t push_ifconfig_constraint_netmask; @@ -439,6 +430,7 @@ struct options struct in6_addr push_ifconfig_ipv6_local; /* IPv6 */ int push_ifconfig_ipv6_netbits; /* IPv6 */ struct in6_addr push_ifconfig_ipv6_remote; /* IPv6 */ + bool push_ifconfig_ipv6_blocked; /* IPv6 */ bool enable_c2c; bool duplicate_cn; int cf_max; @@ -450,9 +442,11 @@ struct options const char *auth_user_pass_verify_script; bool auth_user_pass_verify_script_via_file; + bool auth_token_generate; + unsigned int auth_token_lifetime; #if PORT_SHARE char *port_share_host; - int port_share_port; + char *port_share_port; const char *port_share_journal_dir; #endif #endif @@ -464,8 +458,6 @@ struct options const char *auth_user_pass_file; struct options_pre_pull *pre_pull; - int server_poll_timeout; - int scheduled_exit_interval; #ifdef ENABLE_CLIENT_CR @@ -478,9 +470,9 @@ struct options const char *shared_secret_file; const char *shared_secret_file_inline; int key_direction; - bool ciphername_defined; const char *ciphername; - bool authname_defined; + bool ncp_enabled; + const char *ncp_ciphers; const char *authname; int keysize; const char *prng_hash; @@ -497,7 +489,6 @@ struct options bool use_prediction_resistance; #endif -#ifdef ENABLE_SSL /* TLS (control channel) parms */ bool tls_server; bool tls_client; @@ -509,6 +500,7 @@ struct options const char *priv_key_file; const char *pkcs12_file; const char *cipher_list; + const char *ecdh_curve; const char *tls_verify; int verify_x509_type; const char *verify_x509_name; @@ -518,6 +510,7 @@ struct options const char *ca_file_inline; const char *cert_file_inline; const char *extra_certs_file_inline; + const char *crl_file_inline; char *priv_key_file_inline; const char *dh_file_inline; const char *pkcs12_file_inline; /* contains the base64 encoding of pkcs12 file */ @@ -565,10 +558,14 @@ struct options /* Old key allowed to live n seconds after new key goes active */ int transition_window; - /* Special authentication MAC for TLS control channel */ - const char *tls_auth_file; /* shared secret */ + /* Shared secret used for TLS control channel authentication */ + const char *tls_auth_file; const char *tls_auth_file_inline; + /* Shared secret used for TLS control channel authenticated encryption */ + const char *tls_crypt_file; + const char *tls_crypt_inline; + /* Allow only one session */ bool single_session; @@ -578,17 +575,15 @@ struct options bool tls_exit; -#endif /* ENABLE_SSL */ #endif /* ENABLE_CRYPTO */ -#ifdef ENABLE_X509_TRACK const struct x509_track *x509_track; -#endif /* special state parms */ int foreign_option_index; -#ifdef WIN32 +#ifdef _WIN32 + HANDLE msg_channel; const char *exit_event_name; bool exit_event_initial_state; bool show_net_up; @@ -598,6 +593,18 @@ struct options bool use_peer_id; uint32_t peer_id; + +#if defined(ENABLE_CRYPTO_OPENSSL) && OPENSSL_VERSION_NUMBER >= 0x10001000 + /* Keying Material Exporters [RFC 5705] */ + const char *keying_material_exporter_label; + int keying_material_exporter_length; +#endif + + struct pull_filter_list *pull_filter_list; + + /* Useful when packets sent by openvpn itself are not subject + to the routing tables that would move packets into the tunnel. */ + bool allow_recursive_routing; }; #define streq(x, y) (!strcmp((x), (y))) @@ -617,7 +624,7 @@ struct options #define OPT_P_PERSIST_IP (1<<9) #define OPT_P_COMP (1<<10) /* TODO */ #define OPT_P_MESSAGES (1<<11) -#define OPT_P_CRYPTO (1<<12) /* TODO */ +#define OPT_P_NCP (1<<12) /**< Negotiable crypto parameters */ #define OPT_P_TLS_PARMS (1<<13) /* TODO */ #define OPT_P_MTU (1<<14) /* TODO */ #define OPT_P_NICE (1<<15) @@ -652,7 +659,7 @@ struct options #define PUSH_DEFINED(opt) (false) #endif -#ifdef WIN32 +#ifdef _WIN32 #define ROUTE_OPTION_FLAGS(o) ((o)->route_method & ROUTE_METHOD_MASK) #else #define ROUTE_OPTION_FLAGS(o) (0) @@ -690,7 +697,7 @@ void usage_small (void); void show_library_versions(const unsigned int flags); -#ifdef WIN32 +#ifdef _WIN32 void show_windows_version(const unsigned int flags); #endif @@ -722,7 +729,7 @@ void options_warning (char *actual, const char *expected); void options_postprocess (struct options *options); void pre_pull_save (struct options *o); -void pre_pull_restore (struct options *o); +void pre_pull_restore (struct options *o, struct gc_arena *gc); bool apply_push_options (struct options *options, struct buffer *buf, @@ -784,20 +791,5 @@ void options_string_import (struct options *options, bool get_ipv6_addr( const char * prefix_str, struct in6_addr *network, unsigned int * netbits, int msglevel ); -/* - * inline functions - */ -static inline bool -connection_list_defined (const struct options *o) -{ - return o->connection_list != NULL; -} - -static inline void -connection_list_set_no_advance (struct options *o) -{ - if (o->connection_list) - o->connection_list->no_advance = true; -} #endif diff --git a/src/openvpn/otime.h b/src/openvpn/otime.h index 4ca1032..c0b0f38 100644 --- a/src/openvpn/otime.h +++ b/src/openvpn/otime.h @@ -76,8 +76,8 @@ openvpn_gettimeofday (struct timeval *tv, void *tz) static inline void update_time (void) { -#ifdef WIN32 - /* on WIN32, gettimeofday is faster than time(NULL) */ +#ifdef _WIN32 + /* on _WIN32, gettimeofday is faster than time(NULL) */ struct timeval tv; openvpn_gettimeofday (&tv, NULL); #else @@ -90,8 +90,8 @@ update_time (void) static inline void update_time (void) { -#if defined(WIN32) - /* on WIN32, gettimeofday is faster than time(NULL) */ +#if defined(_WIN32) + /* on _WIN32, gettimeofday is faster than time(NULL) */ struct timeval tv; if (!gettimeofday (&tv, NULL)) { diff --git a/src/openvpn/packet_id.c b/src/openvpn/packet_id.c index baa4966..9874519 100644 --- a/src/openvpn/packet_id.c +++ b/src/openvpn/packet_id.c @@ -76,10 +76,9 @@ packet_id_debug (int msglevel, } void -packet_id_init (struct packet_id *p, bool tcp_mode, int seq_backtrack, int time_backtrack, const char *name, int unit) +packet_id_init (struct packet_id *p, int seq_backtrack, int time_backtrack, const char *name, int unit) { - dmsg (D_PID_DEBUG, "PID packet_id_init tcp_mode=%d seq_backtrack=%d time_backtrack=%d", - tcp_mode, + dmsg (D_PID_DEBUG, "PID packet_id_init seq_backtrack=%d time_backtrack=%d", seq_backtrack, time_backtrack); @@ -88,7 +87,7 @@ packet_id_init (struct packet_id *p, bool tcp_mode, int seq_backtrack, int time_ p->rec.name = name; p->rec.unit = unit; - if (seq_backtrack && !tcp_mode) + if (seq_backtrack) { ASSERT (MIN_SEQ_BACKTRACK <= seq_backtrack && seq_backtrack <= MAX_SEQ_BACKTRACK); ASSERT (MIN_TIME_BACKTRACK <= time_backtrack && time_backtrack <= MAX_TIME_BACKTRACK); diff --git a/src/openvpn/packet_id.h b/src/openvpn/packet_id.h index 3ddaab6..fb059b7 100644 --- a/src/openvpn/packet_id.h +++ b/src/openvpn/packet_id.h @@ -210,7 +210,7 @@ struct packet_id struct packet_id_rec rec; }; -void packet_id_init (struct packet_id *p, bool tcp_mode, int seq_backtrack, int time_backtrack, const char *name, int unit); +void packet_id_init (struct packet_id *p, int seq_backtrack, int time_backtrack, const char *name, int unit); void packet_id_free (struct packet_id *p); /* should we accept an incoming packet id ? */ @@ -258,6 +258,12 @@ bool packet_id_write (const struct packet_id_net *pin, struct buffer *buf, bool * Inline functions. */ +/** Is this struct packet_id initialized? */ +static inline bool packet_id_initialized (const struct packet_id *pid) +{ + return pid->rec.initialized; +} + /* are we in enabled state? */ static inline bool packet_id_persist_enabled (const struct packet_id_persist *p) diff --git a/src/openvpn/pf.c b/src/openvpn/pf.c index 461beed..a3208db 100644 --- a/src/openvpn/pf.c +++ b/src/openvpn/pf.c @@ -35,8 +35,8 @@ #if defined(ENABLE_PF) #include "init.h" - #include "memdbg.h" +#include "ssl_verify.h" #include "pf-inline.h" diff --git a/src/openvpn/pkcs11.c b/src/openvpn/pkcs11.c index a1f13c5..2621058 100644 --- a/src/openvpn/pkcs11.c +++ b/src/openvpn/pkcs11.c @@ -744,9 +744,10 @@ _pkcs11_openvpn_show_pkcs11_ids_pin_prompt ( ASSERT (token!=NULL); buf_printf (&pass_prompt, "Please enter '%s' token PIN or 'cancel': ", token->display); - - if (!get_console_input (BSTR (&pass_prompt), false, pin, pin_max)) { - msg (M_FATAL, "Cannot read password from stdin"); + if (!query_user_SINGLE(BSTR(&pass_prompt), BLEN(&pass_prompt), + pin, pin_max, false)) + { + msg (M_FATAL, "Could not retrieve the PIN"); } gc_free (&gc); diff --git a/src/openvpn/pkcs11_polarssl.c b/src/openvpn/pkcs11_mbedtls.c index a58beef..e208b61 100644 --- a/src/openvpn/pkcs11_polarssl.c +++ b/src/openvpn/pkcs11_mbedtls.c @@ -24,7 +24,7 @@ */ /** - * @file PKCS #11 PolarSSL backend + * @file PKCS #11 mbed TLS backend */ #ifdef HAVE_CONFIG_H @@ -35,12 +35,12 @@ #include "syshead.h" -#if defined(ENABLE_PKCS11) && defined(ENABLE_CRYPTO_POLARSSL) +#if defined(ENABLE_PKCS11) && defined(ENABLE_CRYPTO_MBEDTLS) #include "errlevel.h" #include "pkcs11_backend.h" -#include <polarssl/pkcs11.h> -#include <polarssl/x509.h> +#include <mbedtls/pkcs11.h> +#include <mbedtls/x509.h> int pkcs11_init_tls_session(pkcs11h_certificate_t certificate, @@ -50,21 +50,22 @@ pkcs11_init_tls_session(pkcs11h_certificate_t certificate, ASSERT (NULL != ssl_ctx); - ALLOC_OBJ_CLEAR (ssl_ctx->crt_chain, x509_crt); - if (pkcs11_x509_cert_init(ssl_ctx->crt_chain, certificate)) { - msg (M_FATAL, "PKCS#11: Cannot retrieve PolarSSL certificate object"); + ALLOC_OBJ_CLEAR (ssl_ctx->crt_chain, mbedtls_x509_crt); + if (mbedtls_pkcs11_x509_cert_bind(ssl_ctx->crt_chain, certificate)) { + msg (M_FATAL, "PKCS#11: Cannot retrieve mbed TLS certificate object"); goto cleanup; } - ALLOC_OBJ_CLEAR (ssl_ctx->priv_key_pkcs11, pkcs11_context); - if (pkcs11_priv_key_init(ssl_ctx->priv_key_pkcs11, certificate)) { - msg (M_FATAL, "PKCS#11: Cannot initialize PolarSSL private key object"); + ALLOC_OBJ_CLEAR (ssl_ctx->priv_key_pkcs11, mbedtls_pkcs11_context); + if (mbedtls_pkcs11_priv_key_bind(ssl_ctx->priv_key_pkcs11, certificate)) { + msg (M_FATAL, "PKCS#11: Cannot initialize mbed TLS private key object"); goto cleanup; } - ALLOC_OBJ_CLEAR (ssl_ctx->priv_key, pk_context); - if (0 != pk_init_ctx_rsa_alt(ssl_ctx->priv_key, ssl_ctx->priv_key_pkcs11, - ssl_pkcs11_decrypt, ssl_pkcs11_sign, ssl_pkcs11_key_len)) { + ALLOC_OBJ_CLEAR (ssl_ctx->priv_key, mbedtls_pk_context); + if (!mbed_ok(mbedtls_pk_setup_rsa_alt(ssl_ctx->priv_key, + ssl_ctx->priv_key_pkcs11, mbedtls_ssl_pkcs11_decrypt, + mbedtls_ssl_pkcs11_sign, mbedtls_ssl_pkcs11_key_len))) { goto cleanup; } @@ -80,22 +81,22 @@ pkcs11_certificate_dn (pkcs11h_certificate_t cert, struct gc_arena *gc) char *ret = NULL; char dn[1024] = {0}; - x509_crt polar_cert = {0}; + mbedtls_x509_crt mbed_crt = {0}; - if (pkcs11_x509_cert_init(&polar_cert, cert)) { - msg (M_FATAL, "PKCS#11: Cannot retrieve PolarSSL certificate object"); + if (mbedtls_pkcs11_x509_cert_bind(&mbed_crt, cert)) { + msg (M_FATAL, "PKCS#11: Cannot retrieve mbed TLS certificate object"); goto cleanup; } - if (-1 == x509_dn_gets (dn, sizeof(dn), &polar_cert.subject)) { - msg (M_FATAL, "PKCS#11: PolarSSL cannot parse subject"); + if (-1 == mbedtls_x509_dn_gets (dn, sizeof(dn), &mbed_crt.subject)) { + msg (M_FATAL, "PKCS#11: mbed TLS cannot parse subject"); goto cleanup; } ret = string_alloc(dn, gc); cleanup: - x509_crt_free(&polar_cert); + mbedtls_x509_crt_free(&mbed_crt); return ret; } @@ -106,23 +107,23 @@ pkcs11_certificate_serial (pkcs11h_certificate_t cert, char *serial, { int ret = 1; - x509_crt polar_cert = {0}; + mbedtls_x509_crt mbed_crt = {0}; - if (pkcs11_x509_cert_init(&polar_cert, cert)) { - msg (M_FATAL, "PKCS#11: Cannot retrieve PolarSSL certificate object"); + if (mbedtls_pkcs11_x509_cert_bind(&mbed_crt, cert)) { + msg (M_FATAL, "PKCS#11: Cannot retrieve mbed TLS certificate object"); goto cleanup; } - if (-1 == x509_serial_gets (serial, serial_len, &polar_cert.serial)) { - msg (M_FATAL, "PKCS#11: PolarSSL cannot parse serial"); + if (-1 == mbedtls_x509_serial_gets (serial, serial_len, &mbed_crt.serial)) { + msg (M_FATAL, "PKCS#11: mbed TLS cannot parse serial"); goto cleanup; } ret = 0; cleanup: - x509_crt_free(&polar_cert); + mbedtls_x509_crt_free(&mbed_crt); return ret; } -#endif /* defined(ENABLE_PKCS11) && defined(ENABLE_CRYPTO_POLARSSL) */ +#endif /* defined(ENABLE_PKCS11) && defined(ENABLE_CRYPTO_MBEDTLS) */ diff --git a/src/openvpn/platform.c b/src/openvpn/platform.c index 16d4dac..6343647 100644 --- a/src/openvpn/platform.c +++ b/src/openvpn/platform.c @@ -158,7 +158,7 @@ platform_nice (int niceval) unsigned int platform_getpid () { -#ifdef WIN32 +#ifdef _WIN32 return (unsigned int) GetCurrentProcessId (); #else #ifdef HAVE_GETPID @@ -190,7 +190,7 @@ int platform_chdir (const char* dir) { #ifdef HAVE_CHDIR -#ifdef WIN32 +#ifdef _WIN32 int res; struct gc_arena gc = gc_new (); res = _wchdir (wide_string (dir, &gc)); @@ -210,7 +210,7 @@ platform_chdir (const char* dir) bool platform_system_ok (int stat) { -#ifdef WIN32 +#ifdef _WIN32 return stat == 0; #else return stat != -1 && WIFEXITED (stat) && WEXITSTATUS (stat) == 0; @@ -220,7 +220,7 @@ platform_system_ok (int stat) int platform_access (const char *path, int mode) { -#ifdef WIN32 +#ifdef _WIN32 struct gc_arena gc = gc_new (); int ret = _waccess (wide_string (path, &gc), mode & ~X_OK); gc_free (&gc); @@ -236,7 +236,7 @@ platform_access (const char *path, int mode) void platform_sleep_milliseconds (unsigned int n) { -#ifdef WIN32 +#ifdef _WIN32 Sleep (n); #else struct timeval tv; @@ -252,7 +252,7 @@ platform_sleep_milliseconds (unsigned int n) void platform_sleep_until_signal (void) { -#ifdef WIN32 +#ifdef _WIN32 ASSERT (0); #else select (0, NULL, NULL, NULL, NULL); @@ -263,7 +263,7 @@ platform_sleep_until_signal (void) bool platform_unlink (const char *filename) { -#if defined(WIN32) +#if defined(_WIN32) struct gc_arena gc = gc_new (); BOOL ret = DeleteFileW (wide_string (filename, &gc)); gc_free (&gc); @@ -278,7 +278,7 @@ platform_unlink (const char *filename) FILE * platform_fopen (const char *path, const char *mode) { -#ifdef WIN32 +#ifdef _WIN32 struct gc_arena gc = gc_new (); FILE *f = _wfopen (wide_string (path, &gc), wide_string (mode, &gc)); gc_free (&gc); @@ -291,7 +291,7 @@ platform_fopen (const char *path, const char *mode) int platform_open (const char *path, int flags, int mode) { -#ifdef WIN32 +#ifdef _WIN32 struct gc_arena gc = gc_new (); int fd = _wopen (wide_string (path, &gc), flags, mode); gc_free (&gc); @@ -304,7 +304,7 @@ platform_open (const char *path, int flags, int mode) int platform_stat (const char *path, platform_stat_t *buf) { -#ifdef WIN32 +#ifdef _WIN32 struct gc_arena gc = gc_new (); int res = _wstat (wide_string (path, &gc), buf); gc_free (&gc); diff --git a/src/openvpn/platform.h b/src/openvpn/platform.h index 7c0a4d7..fe2685a 100644 --- a/src/openvpn/platform.h +++ b/src/openvpn/platform.h @@ -130,7 +130,7 @@ int platform_putenv (char *string); FILE *platform_fopen (const char *path, const char *mode); int platform_open (const char *path, int flags, int mode); -#ifdef WIN32 +#ifdef _WIN32 typedef struct _stat platform_stat_t; #else typedef struct stat platform_stat_t; diff --git a/src/openvpn/plugin.c b/src/openvpn/plugin.c index 4e5e6ce..2443438 100644 --- a/src/openvpn/plugin.c +++ b/src/openvpn/plugin.c @@ -27,6 +27,9 @@ #elif defined(_MSC_VER) #include "config-msvc.h" #endif +#ifdef HAVE_CONFIG_VERSION_H +#include "config-version.h" +#endif #include "syshead.h" @@ -172,7 +175,7 @@ plugin_option_list_print (const struct plugin_option_list *list, int msglevel) } #endif -#ifndef WIN32 +#ifndef _WIN32 static void libdl_resolve_symbol (void *handle, void **dest, const char *symbol, const char *plugin_name, const unsigned int flags) @@ -203,7 +206,7 @@ plugin_init_item (struct plugin *p, const struct plugin_option *o) p->so_pathname = o->so_pathname; p->plugin_type_mask = plugin_supported_types (); -#ifndef WIN32 +#ifndef _WIN32 p->handle = NULL; #if defined(PLUGIN_LIBDIR) @@ -347,6 +350,17 @@ static struct openvpn_plugin_callbacks callbacks = { plugin_vlog }; + +/* Provide a wrapper macro for a version patch level string to plug-ins. + * This is located here purely to not make the code too messy with #ifndef + * inside a struct declaration + */ +#ifndef CONFIGURE_GIT_REVISION +# define _OPENVPN_PATCH_LEVEL OPENVPN_VERSION_PATCH +#else +# define _OPENVPN_PATCH_LEVEL "git:" CONFIGURE_GIT_REVISION CONFIGURE_GIT_FLAGS +#endif + static void plugin_open_item (struct plugin *p, const struct plugin_option *o, @@ -375,7 +389,12 @@ plugin_open_item (struct plugin *p, (const char ** const) o->argv, (const char ** const) envp, &callbacks, - SSLAPI }; + SSLAPI, + PACKAGE_VERSION, + OPENVPN_VERSION_MAJOR, + OPENVPN_VERSION_MINOR, + _OPENVPN_PATCH_LEVEL + }; struct openvpn_plugin_args_open_return retargs; CLEAR(retargs); @@ -420,7 +439,7 @@ plugin_call_item (const struct plugin *p, const struct argv *av, struct openvpn_plugin_string_list **retlist, const char **envp -#ifdef ENABLE_SSL +#ifdef ENABLE_CRYPTO , int certdepth, openvpn_x509_cert_t *current_cert #endif @@ -449,7 +468,7 @@ plugin_call_item (const struct plugin *p, (const char ** const) envp, p->plugin_handle, per_client_context, -#ifdef ENABLE_SSL +#ifdef ENABLE_CRYPTO (current_cert ? certdepth : -1), current_cert #else @@ -500,10 +519,10 @@ plugin_close_item (struct plugin *p) if (p->plugin_handle) (*p->close)(p->plugin_handle); -#ifndef WIN32 +#ifndef _WIN32 if (dlclose (p->handle)) msg (M_WARN, "PLUGIN_CLOSE: dlclose() failed on plugin: %s", p->so_pathname); -#elif defined(WIN32) +#elif defined(_WIN32) if (!FreeLibrary (p->module)) msg (M_WARN, "PLUGIN_CLOSE: FreeLibrary() failed on plugin: %s", p->so_pathname); #endif @@ -659,7 +678,7 @@ plugin_call_ssl (const struct plugin_list *pl, const struct argv *av, struct plugin_return *pr, struct env_set *es -#ifdef ENABLE_SSL +#ifdef ENABLE_CRYPTO , int certdepth, openvpn_x509_cert_t *current_cert #endif @@ -689,7 +708,7 @@ plugin_call_ssl (const struct plugin_list *pl, av, pr ? &pr->list[i] : NULL, envp -#ifdef ENABLE_SSL +#ifdef ENABLE_CRYPTO ,certdepth, current_cert #endif diff --git a/src/openvpn/plugin.h b/src/openvpn/plugin.h index 2f8416b..b1e0458 100644 --- a/src/openvpn/plugin.h +++ b/src/openvpn/plugin.h @@ -32,8 +32,8 @@ #ifdef ENABLE_CRYPTO_OPENSSL #include "ssl_verify_openssl.h" #endif -#ifdef ENABLE_CRYPTO_POLARSSL -#include "ssl_verify_polarssl.h" +#ifdef ENABLE_CRYPTO_MBEDTLS +#include "ssl_verify_mbedtls.h" #endif #include "openvpn-plugin.h" @@ -59,7 +59,7 @@ struct plugin { unsigned int plugin_type_mask; int requested_initialization_point; -#ifndef WIN32 +#ifndef _WIN32 void *handle; #else HMODULE module; @@ -127,7 +127,7 @@ int plugin_call_ssl (const struct plugin_list *pl, const struct argv *av, struct plugin_return *pr, struct env_set *es -#ifdef ENABLE_SSL +#ifdef ENABLE_CRYPTO , int current_cert_depth, openvpn_x509_cert_t *current_cert #endif @@ -183,7 +183,7 @@ plugin_call_ssl (const struct plugin_list *pl, const struct argv *av, struct plugin_return *pr, struct env_set *es -#ifdef ENABLE_SSL +#ifdef ENABLE_CRYPTO , int current_cert_depth, openvpn_x509_cert_t *current_cert #endif @@ -202,7 +202,7 @@ plugin_call(const struct plugin_list *pl, struct env_set *es) { return plugin_call_ssl(pl, type, av, pr, es -#ifdef ENABLE_SSL +#ifdef ENABLE_CRYPTO , -1, NULL #endif ); diff --git a/src/openvpn/proto.h b/src/openvpn/proto.h index f91e787..07612c8 100644 --- a/src/openvpn/proto.h +++ b/src/openvpn/proto.h @@ -219,6 +219,45 @@ struct ip_tcp_udp_hdr { - sizeof(struct openvpn_tcphdr)) /* + * This returns an ip protocol version of packet inside tun + * and offset of IP header (via parameter). + */ +inline static int get_tun_ip_ver(int tunnel_type, struct buffer *buf, int *ip_hdr_offset) +{ + int ip_ver = -1; + + /* for tun get ip version from ip header */ + if (tunnel_type == DEV_TYPE_TUN) + { + *ip_hdr_offset = 0; + if (likely(BLEN (buf) >= (int) sizeof (struct openvpn_iphdr))) + { + ip_ver = OPENVPN_IPH_GET_VER (*BPTR(buf)); + } + } + else if (tunnel_type == DEV_TYPE_TAP) + { + *ip_hdr_offset = (int)(sizeof (struct openvpn_ethhdr)); + /* for tap get ip version from eth header */ + if (likely(BLEN (buf) >= *ip_hdr_offset)) + { + const struct openvpn_ethhdr *eh = (const struct openvpn_ethhdr *) BPTR (buf); + uint16_t proto = ntohs (eh->proto); + if (proto == OPENVPN_ETH_P_IPV6) + { + ip_ver = 6; + } + else if (proto == OPENVPN_ETH_P_IPV4) + { + ip_ver = 4; + } + } + } + + return ip_ver; +} + +/* * If raw tunnel packet is IPv4 or IPv6, return true and increment * buffer offset to start of IP header. */ diff --git a/src/openvpn/proxy.c b/src/openvpn/proxy.c index 89989d1..0f78020 100644 --- a/src/openvpn/proxy.c +++ b/src/openvpn/proxy.c @@ -41,8 +41,7 @@ #include "httpdigest.h" #include "ntlm.h" #include "memdbg.h" - -#ifdef ENABLE_HTTP_PROXY +#include "forward.h" #define UP_TYPE_PROXY "HTTP Proxy" @@ -54,7 +53,6 @@ init_http_proxy_options_once (struct http_proxy_options **hpo, { ALLOC_OBJ_CLEAR_GC (*hpo, struct http_proxy_options, gc); /* http proxy defaults */ - (*hpo)->timeout = 5; (*hpo)->http_version = "1.0"; } return *hpo; @@ -243,6 +241,8 @@ get_user_pass_http (struct http_proxy_info *p, const bool force) unsigned int flags = GET_USER_PASS_MANAGEMENT; if (p->queried_creds) flags |= GET_USER_PASS_PREVIOUS_CREDS_FAILED; + if (p->options.inline_creds) + flags |= GET_USER_PASS_INLINE_CREDS; get_user_pass (&static_proxy_user_pass, p->options.auth_file, UP_TYPE_PROXY, @@ -257,6 +257,8 @@ clear_user_pass_http (void) purge_user_pass (&static_proxy_user_pass, true); } +#if 0 +/* function only used in #if 0 debug statement */ static void dump_residual (socket_descriptor_t sd, int timeout, @@ -271,6 +273,7 @@ dump_residual (socket_descriptor_t sd, msg (D_PROXY, "PROXY HEADER: '%s'", buf); } } +#endif /* * Extract the Proxy-Authenticate header from the stream. @@ -439,12 +442,11 @@ struct http_proxy_info * http_proxy_new (const struct http_proxy_options *o) { struct http_proxy_info *p; - struct http_proxy_options opt; if (!o || !o->server) msg (M_FATAL, "HTTP_PROXY: server not specified"); - ASSERT (legal_ipv4_port (o->port)); + ASSERT ( o->port); ALLOC_OBJ_CLEAR (p, struct http_proxy_info); p->options = *o; @@ -490,10 +492,72 @@ http_proxy_close (struct http_proxy_info *hp) } bool +add_proxy_headers (struct http_proxy_info *p, + socket_descriptor_t sd, /* already open to proxy */ + const char *host, /* openvpn server remote */ + const char* port /* openvpn server port */ + ) +{ + char buf[512]; + int i; + bool host_header_sent=false; + + /* + * Send custom headers if provided + * If content is NULL the whole header is in name + * Also remember if we already sent a Host: header + */ + for (i=0; i < MAX_CUSTOM_HTTP_HEADER && p->options.custom_headers[i].name;i++) + { + if (p->options.custom_headers[i].content) + { + openvpn_snprintf (buf, sizeof(buf), "%s: %s", + p->options.custom_headers[i].name, + p->options.custom_headers[i].content); + if (!strcasecmp(p->options.custom_headers[i].name, "Host")) + host_header_sent=true; + } + else + { + openvpn_snprintf (buf, sizeof(buf), "%s", + p->options.custom_headers[i].name); + if (!strncasecmp(p->options.custom_headers[i].name, "Host:", 5)) + host_header_sent=true; + } + + msg (D_PROXY, "Send to HTTP proxy: '%s'", buf); + if (!send_line_crlf (sd, buf)) + return false; + } + + if (!host_header_sent) + { + openvpn_snprintf (buf, sizeof(buf), "Host: %s", host); + msg (D_PROXY, "Send to HTTP proxy: '%s'", buf); + if (!send_line_crlf(sd, buf)) + return false; + } + + /* send User-Agent string if provided */ + if (p->options.user_agent) + { + openvpn_snprintf (buf, sizeof(buf), "User-Agent: %s", + p->options.user_agent); + msg (D_PROXY, "Send to HTTP proxy: '%s'", buf); + if (!send_line_crlf (sd, buf)) + return false; + } + + return true; +} + + +bool establish_http_proxy_passthru (struct http_proxy_info *p, socket_descriptor_t sd, /* already open to proxy */ const char *host, /* openvpn server remote */ - const int port, /* openvpn server port */ + const char *port, /* openvpn server port */ + struct event_timeout* server_poll_timeout, struct buffer *lookahead, volatile int *signal_received) { @@ -521,7 +585,7 @@ establish_http_proxy_passthru (struct http_proxy_info *p, else { /* format HTTP CONNECT message */ - openvpn_snprintf (buf, sizeof(buf), "CONNECT %s:%d HTTP/%s", + openvpn_snprintf (buf, sizeof(buf), "CONNECT %s:%s HTTP/%s", host, port, p->options.http_version); @@ -532,18 +596,8 @@ establish_http_proxy_passthru (struct http_proxy_info *p, if (!send_line_crlf (sd, buf)) goto error; - openvpn_snprintf(buf, sizeof(buf), "Host: %s", host); - if (!send_line_crlf(sd, buf)) - goto error; - - /* send User-Agent string if provided */ - if (p->options.user_agent) - { - openvpn_snprintf (buf, sizeof(buf), "User-Agent: %s", - p->options.user_agent); - if (!send_line_crlf (sd, buf)) - goto error; - } + if (!add_proxy_headers (p, sd, host, port)) + goto error; /* auth specified? */ switch (p->auth_method) @@ -586,7 +640,7 @@ establish_http_proxy_passthru (struct http_proxy_info *p, goto error; /* receive reply from proxy */ - if (!recv_line (sd, buf, sizeof(buf), p->options.timeout, true, NULL, signal_received)) + if (!recv_line (sd, buf, sizeof(buf), get_server_poll_remaining_time (server_poll_timeout), true, NULL, signal_received)) goto error; /* remove trailing CR, LF */ @@ -615,7 +669,7 @@ establish_http_proxy_passthru (struct http_proxy_info *p, while (true) { - if (!recv_line (sd, buf, sizeof(buf), p->options.timeout, true, NULL, signal_received)) + if (!recv_line (sd, buf, sizeof(buf), get_server_poll_remaining_time (server_poll_timeout), true, NULL, signal_received)) goto error; chomp (buf); msg (D_PROXY, "HTTP proxy returned: '%s'", buf); @@ -642,7 +696,7 @@ establish_http_proxy_passthru (struct http_proxy_info *p, /* now send the phase 3 reply */ /* format HTTP CONNECT message */ - openvpn_snprintf (buf, sizeof(buf), "CONNECT %s:%d HTTP/%s", + openvpn_snprintf (buf, sizeof(buf), "CONNECT %s:%s HTTP/%s", host, port, p->options.http_version); @@ -658,14 +712,11 @@ establish_http_proxy_passthru (struct http_proxy_info *p, if (!send_line_crlf (sd, buf)) goto error; - /* send HOST etc, */ - openvpn_snprintf (buf, sizeof(buf), "Host: %s", host); - msg (D_PROXY, "Send to HTTP proxy: '%s'", buf); - if (!send_line_crlf (sd, buf)) - goto error; + if (!add_proxy_headers (p, sd, host, port)) + goto error; - msg (D_PROXY, "Attempting NTLM Proxy-Authorization phase 3"); + msg (D_PROXY, "Attempting NTLM Proxy-Authorization phase 3"); { const char *np3 = ntlm_phase_3 (p, buf2, &gc); if (!np3) @@ -685,7 +736,7 @@ establish_http_proxy_passthru (struct http_proxy_info *p, goto error; /* receive reply from proxy */ - if (!recv_line (sd, buf, sizeof(buf), p->options.timeout, true, NULL, signal_received)) + if (!recv_line (sd, buf, sizeof(buf), get_server_poll_remaining_time (server_poll_timeout), true, NULL, signal_received)) goto error; /* remove trailing CR, LF */ @@ -730,7 +781,7 @@ establish_http_proxy_passthru (struct http_proxy_info *p, /* build the digest response */ - openvpn_snprintf (uri, sizeof(uri), "%s:%d", + openvpn_snprintf (uri, sizeof(uri), "%s:%s", host, port); @@ -771,9 +822,7 @@ establish_http_proxy_passthru (struct http_proxy_info *p, goto error; /* send HOST etc, */ - openvpn_snprintf (buf, sizeof(buf), "Host: %s", host); - msg (D_PROXY, "Send to HTTP proxy: '%s'", buf); - if (!send_line_crlf (sd, buf)) + if (!add_proxy_headers (p, sd, host, port)) goto error; /* send digest response */ @@ -795,7 +844,7 @@ establish_http_proxy_passthru (struct http_proxy_info *p, goto error; /* receive reply from proxy */ - if (!recv_line (sd, buf, sizeof(buf), p->options.timeout, true, NULL, signal_received)) + if (!recv_line (sd, buf, sizeof(buf), get_server_poll_remaining_time (server_poll_timeout), true, NULL, signal_received)) goto error; /* remove trailing CR, LF */ @@ -819,7 +868,7 @@ establish_http_proxy_passthru (struct http_proxy_info *p, /* figure out what kind of authentication the proxy needs */ char *pa = NULL; const int method = get_proxy_authenticate(sd, - p->options.timeout, + get_server_poll_remaining_time (server_poll_timeout), &pa, NULL, signal_received); @@ -863,7 +912,7 @@ establish_http_proxy_passthru (struct http_proxy_info *p, msg (D_LINK_ERRORS, "HTTP proxy returned bad status"); #if 0 /* DEBUGGING -- show a multi-line HTTP error response */ - dump_residual(sd, p->options.timeout, signal_received); + dump_residual(sd, get_server_poll_remaining_time (server_poll_timeout), signal_received); #endif goto error; } @@ -871,7 +920,7 @@ establish_http_proxy_passthru (struct http_proxy_info *p, /* SUCCESS */ /* receive line from proxy and discard */ - if (!recv_line (sd, NULL, 0, p->options.timeout, true, NULL, signal_received)) + if (!recv_line (sd, NULL, 0, get_server_poll_remaining_time (server_poll_timeout), true, NULL, signal_received)) goto error; /* @@ -894,14 +943,8 @@ establish_http_proxy_passthru (struct http_proxy_info *p, return ret; error: - /* on error, should we exit or restart? */ if (!*signal_received) - *signal_received = (p->options.retry ? SIGUSR1 : SIGTERM); /* SOFT-SIGUSR1 -- HTTP proxy error */ + *signal_received = SIGUSR1; /* SOFT-SIGUSR1 -- HTTP proxy error */ gc_free (&gc); return ret; } - -#else -static void dummy(void) {} -#endif /* ENABLE_HTTP_PROXY */ - diff --git a/src/openvpn/proxy.h b/src/openvpn/proxy.h index 5e476f1..7d2581c 100644 --- a/src/openvpn/proxy.h +++ b/src/openvpn/proxy.h @@ -28,8 +28,6 @@ #include "buffer.h" #include "misc.h" -#ifdef ENABLE_HTTP_PROXY - /* HTTP CONNECT authentication methods */ #define HTTP_AUTH_NONE 0 #define HTTP_AUTH_BASIC 1 @@ -38,11 +36,15 @@ #define HTTP_AUTH_NTLM2 4 #define HTTP_AUTH_N 5 /* number of HTTP_AUTH methods */ +struct http_custom_header { + const char *name; + const char *content; +}; + +#define MAX_CUSTOM_HTTP_HEADER 10 struct http_proxy_options { const char *server; - int port; - bool retry; - int timeout; + const char *port; # define PAR_NO 0 /* don't support any auth retries */ # define PAR_ALL 1 /* allow all proxy auth protocols */ @@ -53,11 +55,13 @@ struct http_proxy_options { const char *auth_file; const char *http_version; const char *user_agent; + struct http_custom_header custom_headers[MAX_CUSTOM_HTTP_HEADER]; + bool inline_creds; }; struct http_proxy_options_simple { const char *server; - int port; + const char *port; int auth_retry; }; @@ -80,13 +84,12 @@ void http_proxy_close (struct http_proxy_info *hp); bool establish_http_proxy_passthru (struct http_proxy_info *p, socket_descriptor_t sd, /* already open to proxy */ const char *host, /* openvpn server remote */ - const int port, /* openvpn server port */ + const char *port, /* openvpn server port */ + struct event_timeout* server_poll_timeout, struct buffer *lookahead, volatile int *signal_received); uint8_t *make_base64_string2 (const uint8_t *str, int str_len, struct gc_arena *gc); uint8_t *make_base64_string (const uint8_t *str, struct gc_arena *gc); -#endif /* ENABLE_HTTP_PROXY */ - #endif /* PROXY_H */ diff --git a/src/openvpn/ps.c b/src/openvpn/ps.c index 6495dc7..2cb68f1 100644 --- a/src/openvpn/ps.c +++ b/src/openvpn/ps.c @@ -223,12 +223,12 @@ port_share_sendmsg (const socket_descriptor_t sd, if (socket_defined (sd_send)) { - *((socket_descriptor_t*)CMSG_DATA(h)) = sd_send; + memcpy (CMSG_DATA(h), &sd_send, sizeof (sd_send)); } else { socketpair (PF_UNIX, SOCK_DGRAM, 0, sd_null); - *((socket_descriptor_t*)CMSG_DATA(h)) = sd_null[0]; + memcpy (CMSG_DATA(h), &sd_null[0], sizeof (sd_null[0])); } status = sendmsg (sd, &mesg, MSG_NOSIGNAL); @@ -330,8 +330,8 @@ journal_add (const char *journal_dir, struct proxy_connection *pc, struct proxy_ if (!getpeername (pc->sd, (struct sockaddr *) &from.addr.sa, &slen) && !getsockname (cp->sd, (struct sockaddr *) &to.addr.sa, &dlen)) { - const char *f = print_sockaddr_ex (&from, ":", PS_SHOW_PORT, &gc); - const char *t = print_sockaddr_ex (&to, ":", PS_SHOW_PORT, &gc); + const char *f = print_openvpn_sockaddr (&from, &gc); + const char *t = print_openvpn_sockaddr (&to, &gc); fnlen = strlen(journal_dir) + strlen(t) + 2; jfn = (char *) malloc(fnlen); check_malloc_return (jfn); @@ -340,7 +340,8 @@ journal_add (const char *journal_dir, struct proxy_connection *pc, struct proxy_ fd = platform_open (jfn, O_CREAT | O_TRUNC | O_WRONLY, S_IRUSR | S_IWUSR | S_IRGRP); if (fd != -1) { - write(fd, f, strlen(f)); + if (write(fd, f, strlen(f)) != strlen(f)) + msg(M_WARN, "PORT SHARE: writing to journal file (%s) failed", jfn); close (fd); cp->jfn = jfn; } @@ -371,17 +372,6 @@ proxy_list_close (struct proxy_connection **list) } } -static void -sock_addr_set (struct openvpn_sockaddr *osaddr, - const in_addr_t addr, - const int port) -{ - CLEAR (*osaddr); - osaddr->addr.in4.sin_family = AF_INET; - osaddr->addr.in4.sin_addr.s_addr = htonl (addr); - osaddr->addr.in4.sin_port = htons (port); -} - static inline void proxy_connection_io_requeue (struct proxy_connection *pc, const int rwflags_new, struct event_set *es) { @@ -403,26 +393,23 @@ proxy_connection_io_requeue (struct proxy_connection *pc, const int rwflags_new, static bool proxy_entry_new (struct proxy_connection **list, struct event_set *es, - const in_addr_t server_addr, - const int server_port, + const struct sockaddr_in server_addr, const socket_descriptor_t sd_client, struct buffer *initial_data, const char *journal_dir) { - struct openvpn_sockaddr osaddr; socket_descriptor_t sd_server; int status; struct proxy_connection *pc; struct proxy_connection *cp; /* connect to port share server */ - sock_addr_set (&osaddr, server_addr, server_port); if ((sd_server = socket (PF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) { msg (M_WARN|M_ERRNO, "PORT SHARE PROXY: cannot create socket"); return false; } - status = openvpn_connect (sd_server, &osaddr, 5, NULL); + status = openvpn_connect (sd_server,(const struct sockaddr*) &server_addr, 5, NULL); if (status) { msg (M_WARN, "PORT SHARE PROXY: connect to port-share server failed"); @@ -482,8 +469,7 @@ static bool control_message_from_parent (const socket_descriptor_t sd_control, struct proxy_connection **list, struct event_set *es, - const in_addr_t server_addr, - const int server_port, + const struct sockaddr_in server_addr, const int max_initial_buf, const char *journal_dir) { @@ -516,7 +502,8 @@ control_message_from_parent (const socket_descriptor_t sd_control, h->cmsg_len = CMSG_LEN(sizeof(socket_descriptor_t)); h->cmsg_level = SOL_SOCKET; h->cmsg_type = SCM_RIGHTS; - *((socket_descriptor_t*)CMSG_DATA(h)) = SOCKET_UNDEFINED; + static const socket_descriptor_t socket_undefined = SOCKET_UNDEFINED; + memcpy (CMSG_DATA(h), &socket_undefined, sizeof(socket_undefined)); status = recvmsg (sd_control, &mesg, MSG_NOSIGNAL); if (status != -1) @@ -530,7 +517,8 @@ control_message_from_parent (const socket_descriptor_t sd_control, } else { - const socket_descriptor_t received_fd = *((socket_descriptor_t*)CMSG_DATA(h)); + socket_descriptor_t received_fd; + memcpy (&received_fd, CMSG_DATA(h), sizeof(received_fd)); dmsg (D_PS_PROXY_DEBUG, "PORT SHARE PROXY: RECEIVED sd=%d", (int)received_fd); if (status >= 2 && command == COMMAND_REDIRECT) @@ -539,7 +527,6 @@ control_message_from_parent (const socket_descriptor_t sd_control, if (proxy_entry_new (list, es, server_addr, - server_port, received_fd, &buf, journal_dir)) @@ -716,8 +703,7 @@ proxy_connection_io_dispatch (struct proxy_connection *pc, * This is the main function for the port share proxy background process. */ static void -port_share_proxy (const in_addr_t hostaddr, - const int port, +port_share_proxy (const struct sockaddr_in hostaddr, const socket_descriptor_t sd_control, const int max_initial_buf, const char *journal_dir) @@ -754,7 +740,7 @@ port_share_proxy (const in_addr_t hostaddr, const struct event_set_return *e = &esr[i]; if (e->arg == sd_control_marker) { - if (!control_message_from_parent (sd_control, &list, es, hostaddr, port, max_initial_buf, journal_dir)) + if (!control_message_from_parent (sd_control, &list, es, hostaddr, max_initial_buf, journal_dir)) goto done; } else @@ -789,14 +775,16 @@ port_share_proxy (const in_addr_t hostaddr, */ struct port_share * port_share_open (const char *host, - const int port, + const char *port, const int max_initial_buf, const char *journal_dir) { pid_t pid; socket_descriptor_t fd[2]; - in_addr_t hostaddr; + struct sockaddr_in hostaddr; struct port_share *ps; + int status; + struct addrinfo* ai; ALLOC_OBJ_CLEAR (ps, struct port_share); ps->foreground_fd = -1; @@ -805,7 +793,12 @@ port_share_open (const char *host, /* * Get host's IP address */ - hostaddr = getaddr (GETADDR_RESOLVE|GETADDR_HOST_ORDER|GETADDR_FATAL, host, 0, NULL, NULL); + + status = openvpn_getaddrinfo (GETADDR_RESOLVE|GETADDR_FATAL, + host, port, 0, NULL, AF_INET, &ai); + ASSERT (status==0); + hostaddr = *((struct sockaddr_in*) ai->ai_addr); + freeaddrinfo(ai); /* * Make a socket for foreground and background processes @@ -881,7 +874,7 @@ port_share_open (const char *host, prng_init (NULL, 0); /* execute the event loop */ - port_share_proxy (hostaddr, port, fd[1], max_initial_buf, journal_dir); + port_share_proxy (hostaddr, fd[1], max_initial_buf, journal_dir); openvpn_close_socket (fd[1]); diff --git a/src/openvpn/ps.h b/src/openvpn/ps.h index 4280635..e8919d4 100644 --- a/src/openvpn/ps.h +++ b/src/openvpn/ps.h @@ -44,7 +44,7 @@ struct port_share { extern struct port_share *port_share; struct port_share *port_share_open (const char *host, - const int port, + const char *port, const int max_initial_buf, const char *journal_dir); diff --git a/src/openvpn/push.c b/src/openvpn/push.c index 71f39c1..f86bdd3 100644 --- a/src/openvpn/push.c +++ b/src/openvpn/push.c @@ -33,12 +33,40 @@ #include "push.h" #include "options.h" #include "ssl.h" +#include "ssl_verify.h" #include "manage.h" #include "memdbg.h" #if P2MP +static char push_reply_cmd[] = "PUSH_REPLY"; + +/** + * Add an option to the given push list by providing a format string. + * + * The string added to the push options is allocated in o->gc, so the caller + * does not have to preserve anything. + * + * @param gc GC arena where options are allocated + * @param push_list Push list containing options + * @param msglevel The message level to use when printing errors + * @param fmt Format string for the option + * @param ... Format string arguments + * + * @return true on success, false on failure. + */ +static bool push_option_fmt(struct gc_arena *gc, struct push_list *push_list, + int msglevel, const char *fmt, ...) +#ifdef __GNUC__ +#if __USE_MINGW_ANSI_STDIO + __attribute__ ((format (gnu_printf, 4, 5))) +#else + __attribute__ ((format (__printf__, 4, 5))) +#endif +#endif + ; + /* * Auth username/password * @@ -49,7 +77,8 @@ void receive_auth_failed (struct context *c, const struct buffer *buffer) { msg (M_VERB0, "AUTH: Received control message: %s", BSTR(buffer)); - connection_list_set_no_advance(&c->options); + c->options.no_advance=true; + if (c->options.pull) { switch (auth_retry_get ()) @@ -120,8 +149,7 @@ server_pushed_signal (struct context *c, const struct buffer *buffer, const bool else if (m[i] == 'N') { /* next server? */ - if (c->options.connection_list) - c->options.connection_list->no_advance = false; + c->options.no_advance = false; } } } @@ -214,11 +242,37 @@ incoming_push_message (struct context *c, const struct buffer *buffer) { c->options.push_option_types_found |= option_types_found; + /* delay bringing tun/tap up until --push parms received from remote */ if (status == PUSH_MSG_REPLY) - do_up (c, true, c->options.push_option_types_found ); /* delay bringing tun/tap up until --push parms received from remote */ + { + if (!do_up (c, true, c->options.push_option_types_found)) + { + msg (D_PUSH_ERRORS, "Failed to open tun/tap interface"); + goto error; + } + } event_timeout_clear (&c->c2.push_request_interval); } + else if (status == PUSH_MSG_REQUEST) + { + if (c->options.mode == MODE_SERVER) + { + struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE]; + /* Do not regenerate keys if client send a second push request */ + if (!session->key[KS_PRIMARY].crypto_options.key_ctx_bi.initialized && + !tls_session_update_crypto_params (session, &c->options, + &c->c2.frame)) + { + msg (D_TLS_ERRORS, "TLS Error: server generate_key_expansion failed"); + goto error; + } + } + } + goto cleanup; +error: + register_signal (c, SIGUSR1, "process-push-msg-failed"); +cleanup: gc_free (&gc); } @@ -241,79 +295,158 @@ send_push_request (struct context *c) #if P2MP_SERVER -bool -send_push_reply (struct context *c) +/** + * Prepare push options, based on local options and available peer info. + * + * @param context context structure storing data for VPN tunnel + * @param gc gc arena for allocating push options + * @param push_list push list to where options are added + * + * @return true on success, false on failure. + */ +static bool +prepare_push_reply (struct context *c, struct gc_arena *gc, + struct push_list *push_list) { - struct gc_arena gc = gc_new (); - struct buffer buf = alloc_buf_gc (PUSH_BUNDLE_SIZE, &gc); - struct push_entry *e = c->options.push_list.head; - bool multi_push = false; - static char cmd[] = "PUSH_REPLY"; - const int extra = 84; /* extra space for possible trailing ifconfig and push-continuation */ - const int safe_cap = BCAP (&buf) - extra; - bool push_sent = false; + const char *optstr = NULL; + struct tls_multi *tls_multi = c->c2.tls_multi; + const char * const peer_info = tls_multi->peer_info; + struct options *o = &c->options; - msg( M_INFO, "send_push_reply(): safe_cap=%d", safe_cap ); + /* ipv6 */ + if (c->c2.push_ifconfig_ipv6_defined && !o->push_ifconfig_ipv6_blocked) + { + push_option_fmt (gc, push_list, M_USAGE, "ifconfig-ipv6 %s/%d %s", + print_in6_addr (c->c2.push_ifconfig_ipv6_local, 0, gc), + c->c2.push_ifconfig_ipv6_netbits, + print_in6_addr (c->c2.push_ifconfig_ipv6_remote, + 0, gc)); + } - buf_printf (&buf, "%s", cmd); + /* ipv4 */ + if (c->c2.push_ifconfig_defined && c->c2.push_ifconfig_local && + c->c2.push_ifconfig_remote_netmask) + { + in_addr_t ifconfig_local = c->c2.push_ifconfig_local; + if (c->c2.push_ifconfig_local_alias) + ifconfig_local = c->c2.push_ifconfig_local_alias; + push_option_fmt (gc, push_list, M_USAGE, "ifconfig %s %s", + print_in_addr_t (ifconfig_local, 0, gc), + print_in_addr_t (c->c2.push_ifconfig_remote_netmask, + 0, gc)); + } + + /* Send peer-id if client supports it */ + optstr = peer_info ? strstr(peer_info, "IV_PROTO=") : NULL; + if (optstr) + { + int proto = 0; + int r = sscanf(optstr, "IV_PROTO=%d", &proto); + if ((r == 1) && (proto >= 2)) + { + push_option_fmt(gc, push_list, M_USAGE, "peer-id %d", + tls_multi->peer_id); + } + } - if ( c->c2.push_ifconfig_ipv6_defined ) + /* Push cipher if client supports Negotiable Crypto Parameters */ + if (tls_peer_info_ncp_ver (peer_info) >= 2 && o->ncp_enabled) { - /* IPv6 is put into buffer first, could be lengthy */ - buf_printf( &buf, ",ifconfig-ipv6 %s/%d %s", - print_in6_addr( c->c2.push_ifconfig_ipv6_local, 0, &gc), - c->c2.push_ifconfig_ipv6_netbits, - print_in6_addr( c->c2.push_ifconfig_ipv6_remote, 0, &gc) ); - if (BLEN (&buf) >= safe_cap) + /* if we have already created our key, we cannot change our own + * cipher, so disable NCP and warn = explain why + */ + const struct tls_session *session = &tls_multi->session[TM_ACTIVE]; + if ( session->key[KS_PRIMARY].crypto_options.key_ctx_bi.initialized ) + { + msg( M_INFO, "PUSH: client wants to negotiate cipher (NCP), but " + "server has already generated data channel keys, " + "ignoring client request" ); + } + else { - msg (M_WARN, "--push ifconfig-ipv6 option is too long"); - goto fail; + /* Push the first cipher from --ncp-ciphers to the client. + * TODO: actual negotiation, instead of server dictatorship. */ + char *push_cipher = string_alloc(o->ncp_ciphers, &o->gc); + o->ciphername = strtok (push_cipher, ":"); + push_option_fmt(gc, push_list, M_USAGE, "cipher %s", o->ciphername); } } + /* If server uses --auth-gen-token and we have an auth token + * to send to the client + */ + if (false == tls_multi->auth_token_sent && NULL != tls_multi->auth_token) + { + push_option_fmt(gc, push_list, M_USAGE, + "auth-token %s", tls_multi->auth_token); + tls_multi->auth_token_sent = true; + } + return true; +} + +static bool +send_push_options (struct context *c, struct buffer *buf, + struct push_list *push_list, int safe_cap, + bool *push_sent, bool *multi_push) +{ + struct push_entry *e = push_list->head; + while (e) { if (e->enable) { const int l = strlen (e->option); - if (BLEN (&buf) + l >= safe_cap) + if (BLEN (buf) + l >= safe_cap) { - buf_printf (&buf, ",push-continuation 2"); - { - const bool status = send_control_channel_string (c, BSTR (&buf), D_PUSH); - if (!status) - goto fail; - push_sent = true; - multi_push = true; - buf_reset_len (&buf); - buf_printf (&buf, "%s", cmd); - } + buf_printf (buf, ",push-continuation 2"); + { + const bool status = send_control_channel_string (c, BSTR (buf), D_PUSH); + if (!status) + return false; + *push_sent = true; + *multi_push = true; + buf_reset_len (buf); + buf_printf (buf, "%s", push_reply_cmd); + } } - if (BLEN (&buf) + l >= safe_cap) + if (BLEN (buf) + l >= safe_cap) { msg (M_WARN, "--push option is too long"); - goto fail; + return false; } - buf_printf (&buf, ",%s", e->option); + buf_printf (buf, ",%s", e->option); } e = e->next; } + return true; +} + +static bool +send_push_reply (struct context *c, struct push_list *per_client_push_list) +{ + struct gc_arena gc = gc_new (); + struct buffer buf = alloc_buf_gc (PUSH_BUNDLE_SIZE, &gc); + bool multi_push = false; + const int extra = 84; /* extra space for possible trailing ifconfig and push-continuation */ + const int safe_cap = BCAP (&buf) - extra; + bool push_sent = false; + + buf_printf (&buf, "%s", push_reply_cmd); + + /* send options which are common to all clients */ + if (!send_push_options (c, &buf, &c->options.push_list, safe_cap, + &push_sent, &multi_push)) + goto fail; + + /* send client-specific options */ + if (!send_push_options (c, &buf, per_client_push_list, safe_cap, + &push_sent, &multi_push)) + goto fail; - if (c->c2.push_ifconfig_defined && c->c2.push_ifconfig_local && c->c2.push_ifconfig_remote_netmask) - { - in_addr_t ifconfig_local = c->c2.push_ifconfig_local; -#ifdef ENABLE_CLIENT_NAT - if (c->c2.push_ifconfig_local_alias) - ifconfig_local = c->c2.push_ifconfig_local_alias; -#endif - buf_printf (&buf, ",ifconfig %s %s", - print_in_addr_t (ifconfig_local, 0, &gc), - print_in_addr_t (c->c2.push_ifconfig_remote_netmask, 0, &gc)); - } if (multi_push) buf_printf (&buf, ",push-continuation 1"); - if (BLEN (&buf) > sizeof(cmd)-1) + if (BLEN (&buf) > sizeof(push_reply_cmd)-1) { const bool status = send_control_channel_string (c, BSTR (&buf), D_PUSH); if (!status) @@ -329,7 +462,7 @@ send_push_reply (struct context *c) bool status = false; buf_reset_len (&buf); - buf_printf (&buf, "%s", cmd); + buf_printf (&buf, "%s", push_reply_cmd); status = send_control_channel_string (c, BSTR(&buf), D_PUSH); if (!status) goto fail; @@ -344,7 +477,8 @@ send_push_reply (struct context *c) } static void -push_option_ex (struct options *o, const char *opt, bool enable, int msglevel) +push_option_ex (struct gc_arena *gc, struct push_list *push_list, + const char *opt, bool enable, int msglevel) { if (!string_class (opt, CC_ANY, CC_COMMA)) { @@ -353,20 +487,20 @@ push_option_ex (struct options *o, const char *opt, bool enable, int msglevel) else { struct push_entry *e; - ALLOC_OBJ_CLEAR_GC (e, struct push_entry, &o->gc); + ALLOC_OBJ_CLEAR_GC (e, struct push_entry, gc); e->enable = true; e->option = opt; - if (o->push_list.head) + if (push_list->head) { - ASSERT(o->push_list.tail); - o->push_list.tail->next = e; - o->push_list.tail = e; + ASSERT(push_list->tail); + push_list->tail->next = e; + push_list->tail = e; } else { - ASSERT(!o->push_list.tail); - o->push_list.head = e; - o->push_list.tail = e; + ASSERT(!push_list->tail); + push_list->head = e; + push_list->tail = e; } } } @@ -374,7 +508,7 @@ push_option_ex (struct options *o, const char *opt, bool enable, int msglevel) void push_option (struct options *o, const char *opt, int msglevel) { - push_option_ex (o, opt, true, msglevel); + push_option_ex (&o->gc, &o->push_list, opt, true, msglevel); } void @@ -386,7 +520,8 @@ clone_push_list (struct options *o) push_reset (o); while (e) { - push_option_ex (o, string_alloc (e->option, &o->gc), true, M_FATAL); + push_option_ex (&o->gc, &o->push_list, + string_alloc (e->option, &o->gc), true, M_FATAL); e = e->next; } } @@ -400,55 +535,137 @@ push_options (struct options *o, char **p, int msglevel, struct gc_arena *gc) push_option (o, opt, msglevel); } +static bool push_option_fmt(struct gc_arena *gc, struct push_list *push_list, + int msglevel, const char *format, ...) +{ + va_list arglist; + char tmp[256] = {0}; + int len; + va_start (arglist, format); + len = vsnprintf (tmp, sizeof(tmp), format, arglist); + va_end (arglist); + if (len > sizeof(tmp)-1) + return false; + push_option_ex (gc, push_list, string_alloc (tmp, gc), true, msglevel); + return true; +} + void push_reset (struct options *o) { CLEAR (o->push_list); } + +void +push_remove_option (struct options *o, const char *p) +{ + msg (D_PUSH_DEBUG, "PUSH_REMOVE searching for: '%s'", p); + + /* ifconfig-ipv6 is special, as not part of the push list */ + if ( streq( p, "ifconfig-ipv6" )) + { + o->push_ifconfig_ipv6_blocked = true; + return; + } + + if (o && o->push_list.head ) + { + struct push_entry *e = o->push_list.head; + + /* cycle through the push list */ + while (e) + { + if ( e->enable && + strncmp( e->option, p, strlen(p) ) == 0 ) + { + msg (D_PUSH_DEBUG, "PUSH_REMOVE removing: '%s'", e->option); + e->enable = false; + } + + e = e->next; + } + } +} #endif +#if P2MP_SERVER int -process_incoming_push_msg (struct context *c, - const struct buffer *buffer, - bool honor_received_options, - unsigned int permission_mask, - unsigned int *option_types_found) +process_incoming_push_request (struct context *c) { int ret = PUSH_MSG_ERROR; - struct buffer buf = *buffer; -#if P2MP_SERVER - if (buf_string_compare_advance (&buf, "PUSH_REQUEST")) +#ifdef ENABLE_ASYNC_PUSH + c->c2.push_request_received = true; +#endif + if (tls_authentication_status (c->c2.tls_multi, 0) == TLS_AUTHENTICATION_FAILED || c->c2.context_auth == CAS_FAILED) { - if (tls_authentication_status (c->c2.tls_multi, 0) == TLS_AUTHENTICATION_FAILED || c->c2.context_auth == CAS_FAILED) + const char *client_reason = tls_client_reason (c->c2.tls_multi); + send_auth_failed (c, client_reason); + ret = PUSH_MSG_AUTH_FAILURE; + } + else if (!c->c2.push_reply_deferred && c->c2.context_auth == CAS_SUCCEEDED) + { + time_t now; + + openvpn_time (&now); + if (c->c2.sent_push_reply_expiry > now) { - const char *client_reason = tls_client_reason (c->c2.tls_multi); - send_auth_failed (c, client_reason); - ret = PUSH_MSG_AUTH_FAILURE; + ret = PUSH_MSG_ALREADY_REPLIED; } - else if (!c->c2.push_reply_deferred && c->c2.context_auth == CAS_SUCCEEDED) + else { - time_t now; + /* per-client push options - peer-id, cipher, ifconfig, ipv6-ifconfig */ + struct push_list push_list; + struct gc_arena gc = gc_new (); - openvpn_time(&now); - if (c->c2.sent_push_reply_expiry > now) + CLEAR (push_list); + if (prepare_push_reply (c, &gc, &push_list) && + send_push_reply (c, &push_list)) { - ret = PUSH_MSG_ALREADY_REPLIED; - } - else - { - if (send_push_reply (c)) - { - ret = PUSH_MSG_REQUEST; - c->c2.sent_push_reply_expiry = now + 30; - } + ret = PUSH_MSG_REQUEST; + c->c2.sent_push_reply_expiry = now + 30; } + gc_free(&gc); } - else + } + else + { + ret = PUSH_MSG_REQUEST_DEFERRED; + } + + return ret; +} +#endif + +static void +push_update_digest(md_ctx_t *ctx, struct buffer *buf) +{ + char line[OPTION_PARM_SIZE]; + while (buf_parse (buf, ',', line, sizeof (line))) + { + /* peer-id might change on restart and this should not trigger reopening tun */ + if (strstr (line, "peer-id ") != line) { - ret = PUSH_MSG_REQUEST_DEFERRED; + md_ctx_update (ctx, (const uint8_t *) line, strlen(line)); } } +} + +int +process_incoming_push_msg (struct context *c, + const struct buffer *buffer, + bool honor_received_options, + unsigned int permission_mask, + unsigned int *option_types_found) +{ + int ret = PUSH_MSG_ERROR; + struct buffer buf = *buffer; + +#if P2MP_SERVER + if (buf_string_compare_advance (&buf, "PUSH_REQUEST")) + { + ret = process_incoming_push_request(c); + } else #endif @@ -460,12 +677,12 @@ process_incoming_push_msg (struct context *c, struct buffer buf_orig = buf; if (!c->c2.pulled_options_md5_init_done) { - md5_state_init (&c->c2.pulled_options_state); + md_ctx_init(&c->c2.pulled_options_state, md_kt_get("MD5")); c->c2.pulled_options_md5_init_done = true; } if (!c->c2.did_pre_pull_restore) { - pre_pull_restore (&c->options); + pre_pull_restore (&c->options, &c->c2.gc); c->c2.did_pre_pull_restore = true; } if (apply_push_options (&c->options, @@ -473,20 +690,22 @@ process_incoming_push_msg (struct context *c, permission_mask, option_types_found, c->c2.es)) - switch (c->options.push_continuation) - { - case 0: - case 1: - md5_state_update (&c->c2.pulled_options_state, BPTR(&buf_orig), BLEN(&buf_orig)); - md5_state_final (&c->c2.pulled_options_state, &c->c2.pulled_options_digest); - c->c2.pulled_options_md5_init_done = false; - ret = PUSH_MSG_REPLY; - break; - case 2: - md5_state_update (&c->c2.pulled_options_state, BPTR(&buf_orig), BLEN(&buf_orig)); - ret = PUSH_MSG_CONTINUATION; - break; - } + { + push_update_digest (&c->c2.pulled_options_state, &buf_orig); + switch (c->options.push_continuation) + { + case 0: + case 1: + md_ctx_final (&c->c2.pulled_options_state, c->c2.pulled_options_digest.digest); + md_ctx_cleanup (&c->c2.pulled_options_state); + c->c2.pulled_options_md5_init_done = false; + ret = PUSH_MSG_REPLY; + break; + case 2: + ret = PUSH_MSG_CONTINUATION; + break; + } + } } else if (ch == '\0') { @@ -518,7 +737,8 @@ remove_iroutes_from_push_route_list (struct options *o) /* parse the push item */ CLEAR (p); - if (parse_line (e->option, p, SIZE (p), "[PUSH_ROUTE_REMOVE]", 1, D_ROUTE_DEBUG, &gc)) + if ( e->enable && + parse_line (e->option, p, SIZE (p), "[PUSH_ROUTE_REMOVE]", 1, D_ROUTE_DEBUG, &gc)) { /* is the push item a route directive? */ if (p[0] && !strcmp (p[0], "route") && !p[3]) @@ -544,12 +764,12 @@ remove_iroutes_from_push_route_list (struct options *o) } } } - } - /* should we copy the push item? */ - e->enable = enable; - if (!enable) - msg (D_PUSH, "REMOVE PUSH ROUTE: '%s'", e->option); + /* should we copy the push item? */ + e->enable = enable; + if (!enable) + msg (D_PUSH, "REMOVE PUSH ROUTE: '%s'", e->option); + } e = e->next; } diff --git a/src/openvpn/push.h b/src/openvpn/push.h index 8c3f157..d6cb4b1 100644 --- a/src/openvpn/push.h +++ b/src/openvpn/push.h @@ -37,8 +37,7 @@ #define PUSH_MSG_CONTINUATION 5 #define PUSH_MSG_ALREADY_REPLIED 6 -void incoming_push_message (struct context *c, - const struct buffer *buffer); +int process_incoming_push_request (struct context *c); int process_incoming_push_msg (struct context *c, const struct buffer *buffer, @@ -54,14 +53,15 @@ void server_pushed_signal (struct context *c, const struct buffer *buffer, const #if P2MP_SERVER +void incoming_push_message (struct context *c, const struct buffer *buffer); + void clone_push_list (struct options *o); void push_option (struct options *o, const char *opt, int msglevel); void push_options (struct options *o, char **p, int msglevel, struct gc_arena *gc); void push_reset (struct options *o); - -bool send_push_reply (struct context *c); +void push_remove_option (struct options *o, const char *p); void remove_iroutes_from_push_route_list (struct options *o); diff --git a/src/openvpn/reliable.c b/src/openvpn/reliable.c index 763169e..22883a7 100644 --- a/src/openvpn/reliable.c +++ b/src/openvpn/reliable.c @@ -35,7 +35,7 @@ #include "syshead.h" -#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL) +#ifdef ENABLE_CRYPTO #include "buffer.h" #include "error.h" @@ -754,4 +754,4 @@ reliable_debug_print (const struct reliable *rel, char *desc) #else static void dummy(void) {} -#endif /* ENABLE_CRYPTO && ENABLE_SSL*/ +#endif /* ENABLE_CRYPTO */ diff --git a/src/openvpn/reliable.h b/src/openvpn/reliable.h index 594ab82..828dcd3 100644 --- a/src/openvpn/reliable.h +++ b/src/openvpn/reliable.h @@ -29,7 +29,7 @@ */ -#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL) +#ifdef ENABLE_CRYPTO #ifndef RELIABLE_H #define RELIABLE_H @@ -477,4 +477,4 @@ void reliable_ack_debug_print (const struct reliable_ack *ack, char *desc); #endif /* RELIABLE_H */ -#endif /* ENABLE_CRYPTO && ENABLE_SSL */ +#endif /* ENABLE_CRYPTO */ diff --git a/src/openvpn/route.c b/src/openvpn/route.c index 827bd79..fec12c1 100644 --- a/src/openvpn/route.c +++ b/src/openvpn/route.c @@ -42,12 +42,21 @@ #include "manage.h" #include "win32.h" #include "options.h" -#include "win32.h" #include "memdbg.h" -#ifdef WIN32 +#if defined(TARGET_LINUX) || defined(TARGET_ANDROID) +#include <linux/rtnetlink.h> /* RTM_GETROUTE etc. */ +#endif + +#ifdef _WIN32 +#include "openvpn-msg.h" + #define METRIC_NOT_USED ((DWORD)-1) +static bool add_route_service (const struct route_ipv4 *, const struct tuntap *); +static bool del_route_service (const struct route_ipv4 *, const struct tuntap *); +static bool add_route_ipv6_service (const struct route_ipv6 *, const struct tuntap *); +static bool del_route_ipv6_service (const struct route_ipv6 *, const struct tuntap *); #endif static void delete_route (struct route_ipv4 *r, const struct tuntap *tt, unsigned int flags, const struct route_gateway_info *rgi, const struct env_set *es); @@ -93,76 +102,62 @@ add_bypass_address (struct route_bypass *rb, const in_addr_t a) } struct route_option_list * -new_route_option_list (const int max_routes, struct gc_arena *a) +new_route_option_list (struct gc_arena *a) { struct route_option_list *ret; - ALLOC_VAR_ARRAY_CLEAR_GC (ret, struct route_option_list, struct route_option, max_routes, a); - ret->capacity = max_routes; + ALLOC_OBJ_CLEAR_GC (ret, struct route_option_list, a); + ret->gc = a; return ret; } struct route_ipv6_option_list * -new_route_ipv6_option_list (const int max_routes, struct gc_arena *a) +new_route_ipv6_option_list (struct gc_arena *a) { struct route_ipv6_option_list *ret; - ALLOC_VAR_ARRAY_CLEAR_GC (ret, struct route_ipv6_option_list, struct route_ipv6_option, max_routes, a); - ret->capacity = max_routes; + ALLOC_OBJ_CLEAR_GC (ret, struct route_ipv6_option_list, a); + ret->gc = a; return ret; } +/* + * NOTE: structs are cloned/copied shallow by design. + * The routes list from src will stay intact since it is allocated using + * the options->gc. The cloned/copied lists will share this common tail + * to avoid copying the data around between pulls. Pulled routes use + * the c2->gc so they get freed immediately after a reconnect. + */ struct route_option_list * clone_route_option_list (const struct route_option_list *src, struct gc_arena *a) { - const size_t rl_size = array_mult_safe (sizeof(struct route_option), src->capacity, sizeof(struct route_option_list)); - struct route_option_list *ret = gc_malloc (rl_size, false, a); - memcpy (ret, src, rl_size); + struct route_option_list *ret; + ALLOC_OBJ_GC (ret, struct route_option_list, a); + *ret = *src; return ret; } struct route_ipv6_option_list * clone_route_ipv6_option_list (const struct route_ipv6_option_list *src, struct gc_arena *a) { - const size_t rl_size = array_mult_safe (sizeof(struct route_ipv6_option), src->capacity, sizeof(struct route_ipv6_option_list)); - struct route_ipv6_option_list *ret = gc_malloc (rl_size, false, a); - memcpy (ret, src, rl_size); + struct route_ipv6_option_list *ret; + ALLOC_OBJ_GC (ret, struct route_ipv6_option_list, a); + *ret = *src; return ret; } void -copy_route_option_list (struct route_option_list *dest, const struct route_option_list *src) +copy_route_option_list (struct route_option_list *dest, const struct route_option_list *src, struct gc_arena *a) { - const size_t src_size = array_mult_safe (sizeof(struct route_option), src->capacity, sizeof(struct route_option_list)); - if (src->capacity > dest->capacity) - msg (M_FATAL, PACKAGE_NAME " ROUTE: (copy) number of route options in src (%d) is greater than route list capacity in dest (%d)", src->capacity, dest->capacity); - memcpy (dest, src, src_size); + *dest = *src; + dest->gc = a; } void copy_route_ipv6_option_list (struct route_ipv6_option_list *dest, - const struct route_ipv6_option_list *src) + const struct route_ipv6_option_list *src, + struct gc_arena *a) { - const size_t src_size = array_mult_safe (sizeof(struct route_ipv6_option), src->capacity, sizeof(struct route_ipv6_option_list)); - if (src->capacity > dest->capacity) - msg (M_FATAL, PACKAGE_NAME " ROUTE: (copy) number of route options in src (%d) is greater than route list capacity in dest (%d)", src->capacity, dest->capacity); - memcpy (dest, src, src_size); -} - -struct route_list * -new_route_list (const int max_routes, struct gc_arena *a) -{ - struct route_list *ret; - ALLOC_VAR_ARRAY_CLEAR_GC (ret, struct route_list, struct route_ipv4, max_routes, a); - ret->capacity = max_routes; - return ret; -} - -struct route_ipv6_list * -new_route_ipv6_list (const int max_routes, struct gc_arena *a) -{ - struct route_ipv6_list *ret; - ALLOC_VAR_ARRAY_CLEAR_GC (ret, struct route_ipv6_list, struct route_ipv6, max_routes, a); - ret->capacity = max_routes; - return ret; + *dest = *src; + dest->gc = a; } static const char * @@ -292,15 +287,15 @@ init_route (struct route_ipv4 *r, /* get_special_addr replaces specialaddr with a special ip addr like gw. getaddrinfo is called to convert a a addrinfo struct */ - if(get_special_addr (rl, ro->network, &special.s_addr, &status)) + if(get_special_addr (rl, ro->network, (in_addr_t *) &special.s_addr, &status)) { special.s_addr = htonl(special.s_addr); - ret = openvpn_getaddrinfo(0, inet_ntoa(special), 0, NULL, + ret = openvpn_getaddrinfo(0, inet_ntoa(special), NULL, 0, NULL, AF_INET, network_list); } else ret = openvpn_getaddrinfo(GETADDR_RESOLVE | GETADDR_WARN_ON_SIGNAL, - ro->network, 0, NULL, AF_INET, network_list); + ro->network, NULL, 0, NULL, AF_INET, network_list); status = (ret == 0); @@ -389,7 +384,7 @@ init_route_ipv6 (struct route_ipv6 *r6, const struct route_ipv6_option *r6o, const struct route_ipv6_list *rl6 ) { - r6->defined = false; + CLEAR (*r6); if ( !get_ipv6_addr( r6o->prefix, &r6->network, &r6->netbits, M_WARN )) goto fail; @@ -402,7 +397,7 @@ init_route_ipv6 (struct route_ipv6 *r6, msg( M_WARN, PACKAGE_NAME "ROUTE6: cannot parse gateway spec '%s'", r6o->gateway ); } } - else if (rl6->remote_endpoint_defined) + else if (rl6->spec_flags & RTSA_REMOTE_ENDPOINT) { r6->gateway = rl6->remote_endpoint_ipv6; } @@ -414,7 +409,6 @@ init_route_ipv6 (struct route_ipv6 *r6, /* metric */ - r6->metric_defined = false; r6->metric = -1; if (is_route_parm_defined (r6o->metric)) { @@ -426,22 +420,21 @@ init_route_ipv6 (struct route_ipv6 *r6, r6o->metric); goto fail; } - r6->metric_defined = true; + r6->flags |= RT_METRIC_DEFINED; } - else if (rl6->default_metric_defined) + else if (rl6->spec_flags & RTSA_DEFAULT_METRIC) { r6->metric = rl6->default_metric; - r6->metric_defined = true; + r6->flags |= RT_METRIC_DEFINED; } - r6->defined = true; + r6->flags |= RT_DEFINED; return true; fail: msg (M_WARN, PACKAGE_NAME " ROUTE: failed to parse/resolve route for host/network: %s", r6o->prefix); - r6->defined = false; return false; } @@ -453,15 +446,14 @@ add_route_to_option_list (struct route_option_list *l, const char *metric) { struct route_option *ro; - if (l->n >= l->capacity) - msg (M_FATAL, PACKAGE_NAME " ROUTE: cannot add more than %d routes -- please increase the max-routes option in the client configuration file", - l->capacity); - ro = &l->routes[l->n]; + ALLOC_OBJ_GC (ro, struct route_option, l->gc); ro->network = network; ro->netmask = netmask; ro->gateway = gateway; ro->metric = metric; - ++l->n; + ro->next = l->routes; + l->routes = ro; + } void @@ -471,32 +463,26 @@ add_route_ipv6_to_option_list (struct route_ipv6_option_list *l, const char *metric) { struct route_ipv6_option *ro; - if (l->n >= l->capacity) - msg (M_FATAL, PACKAGE_NAME " ROUTE: cannot add more than %d IPv6 routes -- please increase the max-routes option in the client configuration file", - l->capacity); - ro = &l->routes_ipv6[l->n]; + ALLOC_OBJ_GC (ro, struct route_ipv6_option, l->gc); ro->prefix = prefix; ro->gateway = gateway; ro->metric = metric; - ++l->n; + ro->next = l->routes_ipv6; + l->routes_ipv6 = ro; } void clear_route_list (struct route_list *rl) { - const int capacity = rl->capacity; - const size_t rl_size = array_mult_safe (sizeof(struct route_ipv4), capacity, sizeof(struct route_list)); - memset(rl, 0, rl_size); - rl->capacity = capacity; + gc_free (&rl->gc); + CLEAR (*rl); } void clear_route_ipv6_list (struct route_ipv6_list *rl6) { - const int capacity = rl6->capacity; - const size_t rl6_size = array_mult_safe (sizeof(struct route_ipv6), capacity, sizeof(struct route_ipv6_list)); - memset(rl6, 0, rl6_size); - rl6->capacity = capacity; + gc_free (&rl6->gc); + CLEAR (*rl6); } void @@ -517,22 +503,27 @@ add_block_local_item (struct route_list *rl, { const int rgi_needed = (RGI_ADDR_DEFINED|RGI_NETMASK_DEFINED); if ((rl->rgi.flags & rgi_needed) == rgi_needed - && rl->rgi.gateway.netmask < 0xFFFFFFFF - && (rl->n)+2 <= rl->capacity) + && rl->rgi.gateway.netmask < 0xFFFFFFFF) { - struct route_ipv4 r; + struct route_ipv4 *r1, *r2; unsigned int l2; + ALLOC_OBJ_GC (r1, struct route_ipv4, &rl->gc); + ALLOC_OBJ_GC (r2, struct route_ipv4, &rl->gc); + /* split a route into two smaller blocking routes, and direct them to target */ - CLEAR(r); - r.flags = RT_DEFINED; - r.gateway = target; - r.network = gateway->addr & gateway->netmask; l2 = ((~gateway->netmask)+1)>>1; - r.netmask = ~(l2-1); - rl->routes[rl->n++] = r; - r.network += l2; - rl->routes[rl->n++] = r; + r1->flags = RT_DEFINED; + r1->gateway = target; + r1->network = gateway->addr & gateway->netmask; + r1->netmask = ~(l2-1); + r1->next = rl->routes; + rl->routes = r1; + + *r2 = *r1; + r2->network += l2; + r2->next = rl->routes; + rl->routes = r2; } } @@ -547,8 +538,10 @@ add_block_local (struct route_list *rl) { size_t i; +#ifndef TARGET_ANDROID /* add bypass for gateway addr */ add_bypass_address (&rl->spec.bypass, rl->rgi.gateway.addr); +#endif /* block access to local subnet */ add_block_local_item (rl, &rl->rgi.gateway, rl->spec.remote_endpoint); @@ -597,7 +590,7 @@ init_route_list (struct route_list *rl, { setenv_route_addr (es, "net_gateway", rl->rgi.gateway.addr, -1); #if defined(ENABLE_DEBUG) && !defined(ENABLE_SMALL) - print_default_gateway (D_ROUTE, &rl->rgi); + print_default_gateway (D_ROUTE, &rl->rgi, NULL); #endif } else @@ -644,72 +637,108 @@ init_route_list (struct route_list *rl, /* parse the routes from opt to rl */ { - int i = 0; - int j = rl->n; - bool warned = false; - for (i = 0; i < opt->n; ++i) + struct route_option *ro; + for (ro = opt->routes; ro; ro = ro->next) { struct addrinfo* netlist = NULL; struct route_ipv4 r; - if (!init_route (&r, - &netlist, - &opt->routes[i], - rl)) + if (!init_route (&r, &netlist, ro, rl)) ret = false; else { struct addrinfo* curele; for (curele = netlist; curele; curele = curele->ai_next) { - if (j < rl->capacity) - { - r.network = ntohl(((struct sockaddr_in*)(curele)->ai_addr)->sin_addr.s_addr); - rl->routes[j++] = r; - } - else - { - if (!warned) - { - msg (M_WARN, PACKAGE_NAME " ROUTE: routes dropped because number of expanded routes is greater than route list capacity (%d)", rl->capacity); - warned = true; - } - } + struct route_ipv4 *new; + ALLOC_OBJ_GC (new, struct route_ipv4, &rl->gc); + *new = r; + new->network = ntohl (((struct sockaddr_in*)curele->ai_addr)->sin_addr.s_addr); + new->next = rl->routes; + rl->routes = new; } } if (netlist) - freeaddrinfo(netlist); + gc_addspecial(netlist, &gc_freeaddrinfo_callback, &gc); } - rl->n = j; } gc_free (&gc); return ret; } +/* check whether an IPv6 host address is covered by a given route_ipv6 + * (not the most beautiful implementation in the world, but portable and + * "good enough") + */ +static bool +route_ipv6_match_host( const struct route_ipv6 *r6, + const struct in6_addr *host ) +{ + unsigned int bits = r6->netbits; + int i; + unsigned int mask; + + if ( bits>128 ) + return false; + + for( i=0; bits >= 8; i++, bits -= 8 ) + { + if ( r6->network.s6_addr[i] != host->s6_addr[i] ) + return false; + } + + if ( bits == 0 ) + return true; + + mask = 0xff << (8-bits); + + if ( (r6->network.s6_addr[i] & mask) == (host->s6_addr[i] & mask )) + return true; + + return false; +} + bool init_route_ipv6_list (struct route_ipv6_list *rl6, const struct route_ipv6_option_list *opt6, const char *remote_endpoint, int default_metric, + const struct in6_addr *remote_host_ipv6, struct env_set *es) { struct gc_arena gc = gc_new (); bool ret = true; + bool need_remote_ipv6_route; clear_route_ipv6_list (rl6); rl6->flags = opt6->flags; + if (remote_host_ipv6) + { + rl6->remote_host_ipv6 = *remote_host_ipv6; + rl6->spec_flags |= RTSA_REMOTE_HOST; + } + if (default_metric >= 0 ) { rl6->default_metric = default_metric; - rl6->default_metric_defined = true; + rl6->spec_flags |= RTSA_DEFAULT_METRIC; } - /* "default_gateway" is stuff for "redirect-gateway", which we don't - * do for IPv6 yet -> TODO - */ + msg (D_ROUTE, "GDG6: remote_host_ipv6=%s", + remote_host_ipv6? print_in6_addr (*remote_host_ipv6, 0, &gc): "n/a" ); + + get_default_gateway_ipv6 (&rl6->rgi6, remote_host_ipv6); + if (rl6->rgi6.flags & RGI_ADDR_DEFINED) + { + setenv_str (es, "net_gateway_ipv6", print_in6_addr (rl6->rgi6.gateway.addr_ipv6, 0, &gc)); +#if defined(ENABLE_DEBUG) && !defined(ENABLE_SMALL) + print_default_gateway (D_ROUTE, NULL, &rl6->rgi6); +#endif + } + else { dmsg (D_ROUTE, "ROUTE6: default_gateway=UNDEF"); } @@ -719,36 +748,81 @@ init_route_ipv6_list (struct route_ipv6_list *rl6, if ( inet_pton( AF_INET6, remote_endpoint, &rl6->remote_endpoint_ipv6) == 1 ) { - rl6->remote_endpoint_defined = true; + rl6->spec_flags |= RTSA_REMOTE_ENDPOINT; } else { - msg (M_WARN, PACKAGE_NAME " ROUTE: failed to parse/resolve default gateway: %s", remote_endpoint); + msg (M_WARN, PACKAGE_NAME " ROUTE: failed to parse/resolve VPN endpoint: %s", remote_endpoint); ret = false; } } - else - rl6->remote_endpoint_defined = false; + /* parse the routes from opt6 to rl6 + * discovering potential overlaps with remote_host_ipv6 in the process + */ + need_remote_ipv6_route = false; - if (!(opt6->n >= 0 && opt6->n <= rl6->capacity)) - msg (M_FATAL, PACKAGE_NAME " ROUTE6: (init) number of route options (%d) is greater than route list capacity (%d)", opt6->n, rl6->capacity); - - /* parse the routes from opt to rl6 */ { - int i, j = 0; - for (i = 0; i < opt6->n; ++i) + struct route_ipv6_option *ro6; + for (ro6 = opt6->routes_ipv6; ro6; ro6 = ro6->next) { - if (!init_route_ipv6 (&rl6->routes_ipv6[j], - &opt6->routes_ipv6[i], - rl6 )) + struct route_ipv6 *r6; + ALLOC_OBJ_GC (r6, struct route_ipv6, &rl6->gc); + if (!init_route_ipv6 (r6, ro6, rl6)) ret = false; else - ++j; + { + r6->next = rl6->routes_ipv6; + rl6->routes_ipv6 = r6; + +#ifndef TARGET_ANDROID + /* On Android the VPNService protect function call will take of + * avoiding routing loops, so ignore this part and let + * need_remote_ipv6_route always evaluate to false + */ + if ( remote_host_ipv6 && + route_ipv6_match_host( r6, remote_host_ipv6 ) ) + { + need_remote_ipv6_route = true; + msg (D_ROUTE, "ROUTE6: %s/%d overlaps IPv6 remote %s, adding host route to VPN endpoint", + print_in6_addr (r6->network, 0, &gc), r6->netbits, + print_in6_addr (*remote_host_ipv6, 0, &gc)); + } +#endif + } } - rl6->n = j; } + /* add VPN server host route if needed */ + if ( need_remote_ipv6_route ) + { + if ( (rl6->rgi6.flags & (RGI_ADDR_DEFINED|RGI_IFACE_DEFINED) ) == + (RGI_ADDR_DEFINED|RGI_IFACE_DEFINED) ) + { + struct route_ipv6 *r6; + ALLOC_OBJ_CLEAR_GC (r6, struct route_ipv6, &rl6->gc); + + r6->network = *remote_host_ipv6; + r6->netbits = 128; + if ( !(rl6->rgi6.flags & RGI_ON_LINK) ) + { r6->gateway = rl6->rgi6.gateway.addr_ipv6; } + r6->metric = 1; +#ifdef _WIN32 + r6->adapter_index = rl6->rgi6.adapter_index; +#else + r6->iface = rl6->rgi6.iface; +#endif + r6->flags = RT_DEFINED | RT_METRIC_DEFINED; + + r6->next = rl6->routes_ipv6; + rl6->routes_ipv6 = r6; + } + else + { + msg (M_WARN, "ROUTE6: IPv6 route overlaps with IPv6 remote address, but could not determine IPv6 gateway address + interface, expect failure\n" ); + } + } + gc_free (&gc); return ret; } @@ -854,6 +928,7 @@ redirect_default_route_to_vpn (struct route_list *rl, const struct tuntap *tt, u } else { +#ifndef TARGET_ANDROID bool local = BOOL_CAST(rl->flags & RG_LOCAL); if (rl->flags & RG_AUTO_LOCAL) { const int tla = rl->spec.remote_host_local; @@ -886,6 +961,7 @@ redirect_default_route_to_vpn (struct route_list *rl, const struct tuntap *tt, u dmsg (D_ROUTE, "ROUTE remote_host protocol differs from tunneled"); } } +#endif /* route DHCP/DNS server traffic through original default gateway */ add_bypass_routes (&rl->spec.bypass, rl->rgi.gateway.addr, tt, flags, &rl->rgi, es); @@ -1015,22 +1091,23 @@ add_routes (struct route_list *rl, struct route_ipv6_list *rl6, const struct tun redirect_default_route_to_vpn (rl, tt, flags, es); if ( rl && !(rl->iflags & RL_ROUTES_ADDED) ) { - int i; + struct route_ipv4 *r; #ifdef ENABLE_MANAGEMENT - if (management && rl->n) + if (management && rl->routes) { management_set_state (management, OPENVPN_STATE_ADD_ROUTES, NULL, - 0, - 0); + NULL, + NULL, + NULL, + NULL); } #endif - - for (i = 0; i < rl->n; ++i) + + for (r = rl->routes; r; r = r->next) { - struct route_ipv4 *r = &rl->routes[i]; check_subnet_conflict (r->network, r->netmask, "route"); if (flags & ROUTE_DELETE_FIRST) delete_route (r, tt, flags, &rl->rgi, es); @@ -1038,18 +1115,16 @@ add_routes (struct route_list *rl, struct route_ipv6_list *rl6, const struct tun } rl->iflags |= RL_ROUTES_ADDED; } - if (rl6 && !rl6->routes_added) + if (rl6 && !(rl6->iflags & RL_ROUTES_ADDED) ) { - int i; - - for (i = 0; i < rl6->n; ++i) + struct route_ipv6 *r; + for (r = rl6->routes_ipv6; r; r = r->next) { - struct route_ipv6 *r = &rl6->routes_ipv6[i]; if (flags & ROUTE_DELETE_FIRST) delete_route_ipv6 (r, tt, flags, es); add_route_ipv6 (r, tt, flags, es); } - rl6->routes_added = true; + rl6->iflags |= RL_ROUTES_ADDED; } } @@ -1059,10 +1134,9 @@ delete_routes (struct route_list *rl, struct route_ipv6_list *rl6, { if ( rl && rl->iflags & RL_ROUTES_ADDED ) { - int i; - for (i = rl->n - 1; i >= 0; --i) + struct route_ipv4 *r; + for (r = rl->routes; r; r = r->next) { - struct route_ipv4 * r = &rl->routes[i]; delete_route (r, tt, flags, &rl->rgi, es); } rl->iflags &= ~RL_ROUTES_ADDED; @@ -1075,15 +1149,14 @@ delete_routes (struct route_list *rl, struct route_ipv6_list *rl6, clear_route_list (rl); } - if ( rl6 && rl6->routes_added ) + if ( rl6 && (rl6->iflags & RL_ROUTES_ADDED) ) { - int i; - for (i = rl6->n - 1; i >= 0; --i) + struct route_ipv6 *r6; + for (r6 = rl6->routes_ipv6; r6; r6 = r6->next) { - const struct route_ipv6 *r6 = &rl6->routes_ipv6[i]; delete_route_ipv6 (r6, tt, flags, es); } - rl6->routes_added = false; + rl6->iflags &= ~RL_ROUTES_ADDED; } if ( rl6 ) @@ -1098,7 +1171,7 @@ static const char * show_opt (const char *option) { if (!option) - return "nil"; + return "default (not set)"; else return option; } @@ -1117,19 +1190,21 @@ void print_route_options (const struct route_option_list *rol, int level) { - int i; + struct route_option *ro; if (rol->flags & RG_ENABLE) msg (level, " [redirect_default_gateway local=%d]", (rol->flags & RG_LOCAL) != 0); - for (i = 0; i < rol->n; ++i) - print_route_option (&rol->routes[i], level); + for (ro = rol->routes; ro; ro = ro->next) + print_route_option (ro, level); } void -print_default_gateway(const int msglevel, const struct route_gateway_info *rgi) +print_default_gateway(const int msglevel, + const struct route_gateway_info *rgi, + const struct route_ipv6_gateway_info *rgi6) { struct gc_arena gc = gc_new (); - if (rgi->flags & RGI_ADDR_DEFINED) + if (rgi && (rgi->flags & RGI_ADDR_DEFINED)) { struct buffer out = alloc_buf_gc (256, &gc); buf_printf (&out, "ROUTE_GATEWAY"); @@ -1139,7 +1214,7 @@ print_default_gateway(const int msglevel, const struct route_gateway_info *rgi) buf_printf (&out, " %s", print_in_addr_t (rgi->gateway.addr, 0, &gc)); if (rgi->flags & RGI_NETMASK_DEFINED) buf_printf (&out, "/%s", print_in_addr_t (rgi->gateway.netmask, 0, &gc)); -#ifdef WIN32 +#ifdef _WIN32 if (rgi->flags & RGI_IFACE_DEFINED) buf_printf (&out, " I=%u", (unsigned int)rgi->adapter_index); #else @@ -1150,6 +1225,27 @@ print_default_gateway(const int msglevel, const struct route_gateway_info *rgi) buf_printf (&out, " HWADDR=%s", format_hex_ex (rgi->hwaddr, 6, 0, 1, ":", &gc)); msg (msglevel, "%s", BSTR (&out)); } + + if (rgi6 && (rgi6->flags & RGI_ADDR_DEFINED)) + { + struct buffer out = alloc_buf_gc (256, &gc); + buf_printf (&out, "ROUTE6_GATEWAY"); + buf_printf (&out, " %s", print_in6_addr (rgi6->gateway.addr_ipv6, 0, &gc)); + if (rgi6->flags & RGI_ON_LINK) + buf_printf (&out, " ON_LINK"); + if (rgi6->flags & RGI_NETMASK_DEFINED) + buf_printf (&out, "/%d", rgi6->gateway.netbits_ipv6); +#ifdef _WIN32 + if (rgi6->flags & RGI_IFACE_DEFINED) + buf_printf (&out, " I=%u", (unsigned int)rgi6->adapter_index); +#else + if (rgi6->flags & RGI_IFACE_DEFINED) + buf_printf (&out, " IFACE=%s", rgi6->iface); +#endif + if (rgi6->flags & RGI_HWADDR_DEFINED) + buf_printf (&out, " HWADDR=%s", format_hex_ex (rgi6->hwaddr, 6, 0, 1, ":", &gc)); + msg (msglevel, "%s", BSTR (&out)); + } gc_free (&gc); } @@ -1167,9 +1263,9 @@ print_route (const struct route_ipv4 *r, int level) void print_routes (const struct route_list *rl, int level) { - int i; - for (i = 0; i < rl->n; ++i) - print_route (&rl->routes[i], level); + struct route_ipv4 *r; + for (r = rl->routes; r; r = r->next) + print_route (r, level); } static void @@ -1195,16 +1291,17 @@ setenv_route (struct env_set *es, const struct route_ipv4 *r, int i) void setenv_routes (struct env_set *es, const struct route_list *rl) { - int i; - for (i = 0; i < rl->n; ++i) - setenv_route (es, &rl->routes[i], i + 1); + int i = 1; + struct route_ipv4 *r; + for (r = rl->routes; r; r = r->next) + setenv_route (es, r, i++); } static void setenv_route_ipv6 (struct env_set *es, const struct route_ipv6 *r6, int i) { struct gc_arena gc = gc_new (); - if (r6->defined) + if (r6->flags & RT_DEFINED) { struct buffer name1 = alloc_buf_gc( 256, &gc ); struct buffer val = alloc_buf_gc( 256, &gc ); @@ -1223,9 +1320,10 @@ setenv_route_ipv6 (struct env_set *es, const struct route_ipv6 *r6, int i) void setenv_routes_ipv6 (struct env_set *es, const struct route_ipv6_list *rl6) { - int i; - for (i = 0; i < rl6->n; ++i) - setenv_route_ipv6 (es, &rl6->routes_ipv6[i], i + 1); + int i = 1; + struct route_ipv6 *r6; + for (r6 = rl6->routes_ipv6; r6; r6 = r6->next) + setenv_route_ipv6 (es, r6, i++); } /* @@ -1297,7 +1395,7 @@ add_route (struct route_ipv4 *r, const struct env_set *es) { struct gc_arena gc; - struct argv argv; + struct argv argv = argv_new (); const char *network; const char *netmask; const char *gateway; @@ -1308,7 +1406,6 @@ add_route (struct route_ipv4 *r, return; gc_init (&gc); - argv_init (&argv); network = print_in_addr_t (r->network, 0, &gc); netmask = print_in_addr_t (r->netmask, 0, &gc); @@ -1323,7 +1420,7 @@ add_route (struct route_ipv4 *r, argv_printf (&argv, "%s route add %s/%d", iproute_path, network, - count_netmask_bits(netmask)); + netmask_to_netbits2(r->netmask)); if (r->flags & RT_METRIC_DEFINED) argv_printf_cat (&argv, "metric %d", r->metric); @@ -1348,7 +1445,16 @@ add_route (struct route_ipv4 *r, argv_msg (D_ROUTE, &argv); status = openvpn_execve_check (&argv, es, 0, "ERROR: Linux route add command failed"); -#elif defined (WIN32) +#elif defined (TARGET_ANDROID) + struct buffer out = alloc_buf_gc (128, &gc); + + if (rgi) + buf_printf (&out, "%s %s %s dev %s", network, netmask, gateway, rgi->iface); + else + buf_printf (&out, "%s %s %s", network, netmask, gateway); + management_android_control (management, "ROUTE", buf_bptr(&out)); + +#elif defined (_WIN32) { DWORD ai = TUN_ADAPTER_INDEX_INVALID; argv_printf (&argv, "%s%sc ADD %s MASK %s %s", @@ -1367,7 +1473,12 @@ add_route (struct route_ipv4 *r, argv_msg (D_ROUTE, &argv); - if ((flags & ROUTE_METHOD_MASK) == ROUTE_METHOD_IPAPI) + if ((flags & ROUTE_METHOD_MASK) == ROUTE_METHOD_SERVICE) + { + status = add_route_service (r, tt); + msg (D_ROUTE, "Route addition via service %s", status ? "succeeded" : "failed"); + } + else if ((flags & ROUTE_METHOD_MASK) == ROUTE_METHOD_IPAPI) { status = add_route_ipapi (r, tt, ai); msg (D_ROUTE, "Route addition via IPAPI %s", status ? "succeeded" : "failed"); @@ -1511,6 +1622,17 @@ add_route (struct route_ipv4 *r, argv_msg (D_ROUTE, &argv); status = openvpn_execve_check (&argv, es, 0, "ERROR: OpenBSD/NetBSD route add command failed"); +#elif defined(TARGET_AIX) + + { + int netbits = netmask_to_netbits2(r->netmask); + argv_printf (&argv, "%s add -net %s/%d %s", + ROUTE_PATH, + network, netbits, gateway); + argv_msg (D_ROUTE, &argv); + status = openvpn_execve_check (&argv, es, 0, "ERROR: AIX route add command failed"); + } + #else msg (M_FATAL, "Sorry, but I don't know how to do 'route' commands on this operating system. Try putting your routes in a --route-up script"); #endif @@ -1525,33 +1647,30 @@ add_route (struct route_ipv4 *r, } -static const char * -print_in6_addr_netbits_only( struct in6_addr network_copy, int netbits, - struct gc_arena * gc) +static void +route_ipv6_clear_host_bits( struct route_ipv6 *r6 ) { /* clear host bit parts of route * (needed if routes are specified improperly, or if we need to * explicitely setup/clear the "connected" network routes on some OSes) */ int byte = 15; - int bits_to_clear = 128 - netbits; + int bits_to_clear = 128 - r6->netbits; while( byte >= 0 && bits_to_clear > 0 ) { if ( bits_to_clear >= 8 ) - { network_copy.s6_addr[byte--] = 0; bits_to_clear -= 8; } + { r6->network.s6_addr[byte--] = 0; bits_to_clear -= 8; } else - { network_copy.s6_addr[byte--] &= (0xff << bits_to_clear); bits_to_clear = 0; } + { r6->network.s6_addr[byte--] &= (0xff << bits_to_clear); bits_to_clear = 0; } } - - return print_in6_addr( network_copy, 0, gc); } void add_route_ipv6 (struct route_ipv6 *r6, const struct tuntap *tt, unsigned int flags, const struct env_set *es) { struct gc_arena gc; - struct argv argv; + struct argv argv = argv_new (); const char *network; const char *gateway; @@ -1560,19 +1679,48 @@ add_route_ipv6 (struct route_ipv6 *r6, const struct tuntap *tt, unsigned int fla bool gateway_needed = false; - if (!r6->defined) + if (! (r6->flags & RT_DEFINED) ) return; +#ifndef _WIN32 + if ( r6->iface != NULL ) /* vpn server special route */ + { + device = r6->iface; + if ( !IN6_IS_ADDR_UNSPECIFIED(&r6->gateway) ) + gateway_needed = true; + } +#endif + gc_init (&gc); - argv_init (&argv); - network = print_in6_addr_netbits_only( r6->network, r6->netbits, &gc); + route_ipv6_clear_host_bits (r6); + + network = print_in6_addr( r6->network, 0, &gc); gateway = print_in6_addr( r6->gateway, 0, &gc); - if ( !tt->ipv6 ) +#if defined(TARGET_DARWIN) || \ + defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY) || \ + defined(TARGET_OPENBSD) || defined(TARGET_NETBSD) + + /* the BSD platforms cannot specify gateway and interface independently, + * but for link-local destinations, we MUST specify the interface, so + * we build a combined "$gateway%$interface" gateway string + */ + if ( r6->iface != NULL && gateway_needed && + IN6_IS_ADDR_LINKLOCAL(&r6->gateway) ) /* fe80::...%intf */ { - msg( M_INFO, "add_route_ipv6(): not adding %s/%d, no IPv6 on if %s", - network, r6->netbits, device ); + int len = strlen(gateway) + 1 + strlen(r6->iface)+1; + char * tmp = gc_malloc( len, true, &gc ); + snprintf( tmp, len, "%s%%%s", gateway, r6->iface ); + gateway = tmp; + } +#endif + + if (!tt->did_ifconfig_ipv6_setup) + { + msg( M_INFO, "add_route_ipv6(): not adding %s/%d: " + "no IPv6 address been configured on interface %s", + network, r6->netbits, device); return; } @@ -1591,7 +1739,7 @@ add_route_ipv6 (struct route_ipv6 *r6, const struct tuntap *tt, unsigned int fla * gateway unless the route is to be an on-link network */ if ( tt->type == DEV_TYPE_TAP && - !(r6->metric_defined && r6->metric == 0 ) ) + !( (r6->flags & RT_METRIC_DEFINED) && r6->metric == 0 ) ) { gateway_needed = true; } @@ -1605,7 +1753,7 @@ add_route_ipv6 (struct route_ipv6 *r6, const struct tuntap *tt, unsigned int fla device); if (gateway_needed) argv_printf_cat (&argv, "via %s", gateway); - if (r6->metric_defined && r6->metric > 0 ) + if ( (r6->flags & RT_METRIC_DEFINED) && r6->metric > 0 ) argv_printf_cat (&argv, " metric %d", r6->metric); #else @@ -1616,70 +1764,95 @@ add_route_ipv6 (struct route_ipv6 *r6, const struct tuntap *tt, unsigned int fla device); if (gateway_needed) argv_printf_cat (&argv, "gw %s", gateway); - if (r6->metric_defined && r6->metric > 0 ) + if ( (r6->flags & RT_METRIC_DEFINED) && r6->metric > 0 ) argv_printf_cat (&argv, " metric %d", r6->metric); #endif /*ENABLE_IPROUTE*/ argv_msg (D_ROUTE, &argv); status = openvpn_execve_check (&argv, es, 0, "ERROR: Linux route -6/-A inet6 add command failed"); -#elif defined (WIN32) +#elif defined (TARGET_ANDROID) + struct buffer out = alloc_buf_gc (64, &gc); + + buf_printf (&out, "%s/%d %s", network, r6->netbits, device); + + management_android_control (management, "ROUTE6", buf_bptr(&out)); + +#elif defined (_WIN32) - if (win32_version_info() != WIN_XP) + if (tt->options.msg_channel) + status = add_route_ipv6_service (r6, tt); + else { struct buffer out = alloc_buf_gc (64, &gc); - buf_printf (&out, "interface=%d", tt->adapter_index ); + if ( r6->adapter_index ) /* vpn server special route */ + { + buf_printf (&out, "interface=%d", r6->adapter_index ); + gateway_needed = true; + } + else + { + buf_printf (&out, "interface=%d", tt->adapter_index ); + } device = buf_bptr(&out); - } - /* netsh interface ipv6 add route 2001:db8::/32 MyTunDevice */ - argv_printf (&argv, "%s%sc interface ipv6 add route %s/%d %s", - get_win_sys_path(), - NETSH_PATH_SUFFIX, - network, - r6->netbits, - device); - - /* next-hop depends on TUN or TAP mode: - * - in TAP mode, we use the "real" next-hop - * - in TUN mode we use a special-case link-local address that the tapdrvr - * knows about and will answer ND (neighbor discovery) packets for - */ - if ( tt->type == DEV_TYPE_TUN ) - argv_printf_cat( &argv, " %s", "fe80::8" ); - else - argv_printf_cat( &argv, " %s", gateway ); + /* netsh interface ipv6 add route 2001:db8::/32 MyTunDevice */ + argv_printf (&argv, "%s%sc interface ipv6 add route %s/%d %s", + get_win_sys_path(), + NETSH_PATH_SUFFIX, + network, + r6->netbits, + device); + + /* next-hop depends on TUN or TAP mode: + * - in TAP mode, we use the "real" next-hop + * - in TUN mode we use a special-case link-local address that the tapdrvr + * knows about and will answer ND (neighbor discovery) packets for + */ + if ( tt->type == DEV_TYPE_TUN && !gateway_needed ) + argv_printf_cat( &argv, " %s", "fe80::8" ); + else if ( !IN6_IS_ADDR_UNSPECIFIED(&r6->gateway) ) + argv_printf_cat( &argv, " %s", gateway ); #if 0 - if (r->metric_defined) - argv_printf_cat (&argv, " METRIC %d", r->metric); + if (r6->flags & RT_METRIC_DEFINED) + argv_printf_cat (&argv, " METRIC %d", r->metric); #endif - /* in some versions of Windows, routes are persistent across reboots by - * default, unless "store=active" is set (pointed out by Tony Lim, thanks) - */ - argv_printf_cat( &argv, " store=active" ); + /* in some versions of Windows, routes are persistent across reboots by + * default, unless "store=active" is set (pointed out by Tony Lim, thanks) + */ + argv_printf_cat( &argv, " store=active" ); - argv_msg (D_ROUTE, &argv); + argv_msg (D_ROUTE, &argv); - netcmd_semaphore_lock (); - status = openvpn_execve_check (&argv, es, 0, "ERROR: Windows route add ipv6 command failed"); - netcmd_semaphore_release (); + netcmd_semaphore_lock (); + status = openvpn_execve_check (&argv, es, 0, "ERROR: Windows route add ipv6 command failed"); + netcmd_semaphore_release (); + } #elif defined (TARGET_SOLARIS) /* example: route add -inet6 2001:db8::/32 somegateway 0 */ - /* for some weird reason, this does not work for me unless I set + /* for some reason, routes to tun/tap do not work for me unless I set * "metric 0" - otherwise, the routes will be nicely installed, but - * packets will just disappear somewhere. So we use "0" now... + * packets will just disappear somewhere. So we always use "0" now, + * unless the route points to "gateway on other interface"... + * + * (Note: OpenSolaris can not specify host%interface gateways, so we just + * use the GW addresses - it seems to still work for fe80:: addresses, + * however this is done internally. NUD maybe?) */ - - argv_printf (&argv, "%s add -inet6 %s/%d %s 0", + argv_printf (&argv, "%s add -inet6 %s/%d %s", ROUTE_PATH, network, r6->netbits, gateway ); + /* on tun/tap, not "elsewhere"? -> metric 0 */ + if ( !r6->iface ) + argv_printf_cat (&argv, "0"); + argv_msg (D_ROUTE, &argv); status = openvpn_execve_check (&argv, es, 0, "ERROR: Solaris route add -inet6 command failed"); @@ -1730,11 +1903,22 @@ add_route_ipv6 (struct route_ipv6 *r6, const struct tuntap *tt, unsigned int fla argv_msg (D_ROUTE, &argv); status = openvpn_execve_check (&argv, es, 0, "ERROR: NetBSD route add -inet6 command failed"); +#elif defined(TARGET_AIX) + + argv_printf (&argv, "%s add -inet6 %s/%d %s", + ROUTE_PATH, + network, r6->netbits, gateway); + argv_msg (D_ROUTE, &argv); + status = openvpn_execve_check (&argv, es, 0, "ERROR: AIX route add command failed"); + #else msg (M_FATAL, "Sorry, but I don't know how to do 'route ipv6' commands on this operating system. Try putting your routes in a --route-up script"); #endif - r6->defined = status; + if (status) + r6->flags |= RT_ADDED; + else + r6->flags &= ~RT_ADDED; argv_reset (&argv); gc_free (&gc); } @@ -1747,7 +1931,7 @@ delete_route (struct route_ipv4 *r, const struct env_set *es) { struct gc_arena gc; - struct argv argv; + struct argv argv = argv_new (); const char *network; const char *netmask; const char *gateway; @@ -1757,7 +1941,6 @@ delete_route (struct route_ipv4 *r, return; gc_init (&gc); - argv_init (&argv); network = print_in_addr_t (r->network, 0, &gc); netmask = print_in_addr_t (r->netmask, 0, &gc); @@ -1772,7 +1955,7 @@ delete_route (struct route_ipv4 *r, argv_printf (&argv, "%s route del %s/%d", iproute_path, network, - count_netmask_bits(netmask)); + netmask_to_netbits2(r->netmask)); #else argv_printf (&argv, "%s del -net %s netmask %s", ROUTE_PATH, @@ -1784,7 +1967,7 @@ delete_route (struct route_ipv4 *r, argv_msg (D_ROUTE, &argv); openvpn_execve_check (&argv, es, 0, "ERROR: Linux route delete command failed"); -#elif defined (WIN32) +#elif defined (_WIN32) argv_printf (&argv, "%s%sc DELETE %s MASK %s %s", get_win_sys_path(), @@ -1795,7 +1978,12 @@ delete_route (struct route_ipv4 *r, argv_msg (D_ROUTE, &argv); - if ((flags & ROUTE_METHOD_MASK) == ROUTE_METHOD_IPAPI) + if ((flags & ROUTE_METHOD_MASK) == ROUTE_METHOD_SERVICE) + { + const bool status = del_route_service (r, tt); + msg (D_ROUTE, "Route deletion via service %s", status ? "succeeded" : "failed"); + } + else if ((flags & ROUTE_METHOD_MASK) == ROUTE_METHOD_IPAPI) { const bool status = del_route_ipapi (r, tt); msg (D_ROUTE, "Route deletion via IPAPI %s", status ? "succeeded" : "failed"); @@ -1889,6 +2077,20 @@ delete_route (struct route_ipv4 *r, argv_msg (D_ROUTE, &argv); openvpn_execve_check (&argv, es, 0, "ERROR: OpenBSD/NetBSD route delete command failed"); +#elif defined(TARGET_ANDROID) + msg (M_NONFATAL, "Sorry, deleting routes on Android is not possible. The VpnService API allows routes to be set on connect only."); + +#elif defined(TARGET_AIX) + + { + int netbits = netmask_to_netbits2(r->netmask); + argv_printf (&argv, "%s delete -net %s/%d %s", + ROUTE_PATH, + network, netbits, gateway); + argv_msg (D_ROUTE, &argv); + openvpn_execve_check (&argv, es, 0, "ERROR: AIX route delete command failed"); + } + #else msg (M_FATAL, "Sorry, but I don't know how to do 'route' commands on this operating system. Try putting your routes in a --route-up script"); #endif @@ -1903,27 +2105,45 @@ void delete_route_ipv6 (const struct route_ipv6 *r6, const struct tuntap *tt, unsigned int flags, const struct env_set *es) { struct gc_arena gc; - struct argv argv; + struct argv argv = argv_new (); const char *network; const char *gateway; const char *device = tt->actual_name; bool gateway_needed = false; - if (!r6->defined) + if ((r6->flags & (RT_DEFINED|RT_ADDED)) != (RT_DEFINED|RT_ADDED)) return; +#ifndef _WIN32 + if ( r6->iface != NULL ) /* vpn server special route */ + { + device = r6->iface; + gateway_needed = true; + } +#endif + gc_init (&gc); - argv_init (&argv); - network = print_in6_addr_netbits_only( r6->network, r6->netbits, &gc); + network = print_in6_addr( r6->network, 0, &gc); gateway = print_in6_addr( r6->gateway, 0, &gc); - if ( !tt->ipv6 ) +#if defined(TARGET_DARWIN) || \ + defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY) || \ + defined(TARGET_OPENBSD) || defined(TARGET_NETBSD) + + /* the BSD platforms cannot specify gateway and interface independently, + * but for link-local destinations, we MUST specify the interface, so + * we build a combined "$gateway%$interface" gateway string + */ + if ( r6->iface != NULL && gateway_needed && + IN6_IS_ADDR_LINKLOCAL(&r6->gateway) ) /* fe80::...%intf */ { - msg( M_INFO, "delete_route_ipv6(): not deleting %s/%d, no IPv6 on if %s", - network, r6->netbits, device ); - return; + int len = strlen(gateway) + 1 + strlen(r6->iface)+1; + char * tmp = gc_malloc( len, true, &gc ); + snprintf( tmp, len, "%s%%%s", gateway, r6->iface ); + gateway = tmp; } +#endif msg( M_INFO, "delete_route_ipv6(%s/%d)", network, r6->netbits ); @@ -1931,7 +2151,7 @@ delete_route_ipv6 (const struct route_ipv6 *r6, const struct tuntap *tt, unsigne * delete, otherwise some OSes will refuse to delete the route */ if ( tt->type == DEV_TYPE_TAP && - !(r6->metric_defined && r6->metric == 0 ) ) + !( (r6->flags & RT_METRIC_DEFINED) && r6->metric == 0 ) ) { gateway_needed = true; } @@ -1954,61 +2174,70 @@ delete_route_ipv6 (const struct route_ipv6 *r6, const struct tuntap *tt, unsigne device); if (gateway_needed) argv_printf_cat (&argv, "gw %s", gateway); - if (r6->metric_defined && r6->metric > 0 ) + if ( (r6->flags & RT_METRIC_DEFINED) && r6->metric > 0 ) argv_printf_cat (&argv, " metric %d", r6->metric); #endif /*ENABLE_IPROUTE*/ argv_msg (D_ROUTE, &argv); openvpn_execve_check (&argv, es, 0, "ERROR: Linux route -6/-A inet6 del command failed"); -#elif defined (WIN32) +#elif defined (_WIN32) - if (win32_version_info() != WIN_XP) + if (tt->options.msg_channel) + del_route_ipv6_service (r6, tt); + else { struct buffer out = alloc_buf_gc (64, &gc); - buf_printf (&out, "interface=%d", tt->adapter_index ); + if ( r6->adapter_index ) /* vpn server special route */ + { + buf_printf (&out, "interface=%d", r6->adapter_index ); + gateway_needed = true; + } + else + { + buf_printf (&out, "interface=%d", tt->adapter_index ); + } device = buf_bptr(&out); - } - /* netsh interface ipv6 delete route 2001:db8::/32 MyTunDevice */ - argv_printf (&argv, "%s%sc interface ipv6 delete route %s/%d %s", - get_win_sys_path(), - NETSH_PATH_SUFFIX, - network, - r6->netbits, - device); - - /* next-hop depends on TUN or TAP mode: - * - in TAP mode, we use the "real" next-hop - * - in TUN mode we use a special-case link-local address that the tapdrvr - * knows about and will answer ND (neighbor discovery) packets for - * (and "route deletion without specifying next-hop" does not work...) - */ - if ( tt->type == DEV_TYPE_TUN ) - argv_printf_cat( &argv, " %s", "fe80::8" ); - else - argv_printf_cat( &argv, " %s", gateway ); + /* netsh interface ipv6 delete route 2001:db8::/32 MyTunDevice */ + argv_printf (&argv, "%s%sc interface ipv6 delete route %s/%d %s", + get_win_sys_path(), + NETSH_PATH_SUFFIX, + network, + r6->netbits, + device); + + /* next-hop depends on TUN or TAP mode: + * - in TAP mode, we use the "real" next-hop + * - in TUN mode we use a special-case link-local address that the tapdrvr + * knows about and will answer ND (neighbor discovery) packets for + * (and "route deletion without specifying next-hop" does not work...) + */ + if ( tt->type == DEV_TYPE_TUN && !gateway_needed ) + argv_printf_cat( &argv, " %s", "fe80::8" ); + else if ( !IN6_IS_ADDR_UNSPECIFIED(&r6->gateway) ) + argv_printf_cat( &argv, " %s", gateway ); #if 0 - if (r->metric_defined) - argv_printf_cat (&argv, "METRIC %d", r->metric); + if (r6->flags & RT_METRIC_DEFINED) + argv_printf_cat (&argv, "METRIC %d", r->metric); #endif - /* Windows XP to 7 "just delete" routes, wherever they came from, but - * in Windows 8(.1?), if you create them with "store=active", this is - * how you should delete them as well (pointed out by Cedric Tabary) - */ - argv_printf_cat( &argv, " store=active" ); + /* Windows XP to 7 "just delete" routes, wherever they came from, but + * in Windows 8(.1?), if you create them with "store=active", this is + * how you should delete them as well (pointed out by Cedric Tabary) + */ + argv_printf_cat( &argv, " store=active" ); - argv_msg (D_ROUTE, &argv); + argv_msg (D_ROUTE, &argv); - netcmd_semaphore_lock (); - openvpn_execve_check (&argv, es, 0, "ERROR: Windows route delete ipv6 command failed"); - netcmd_semaphore_release (); + netcmd_semaphore_lock (); + openvpn_execve_check (&argv, es, 0, "ERROR: Windows route delete ipv6 command failed"); + netcmd_semaphore_release (); + } #elif defined (TARGET_SOLARIS) /* example: route delete -inet6 2001:db8::/32 somegateway */ - /* GERT-TODO: this is untested, but should work */ argv_printf (&argv, "%s delete -inet6 %s/%d %s", ROUTE_PATH, @@ -2066,6 +2295,14 @@ delete_route_ipv6 (const struct route_ipv6 *r6, const struct tuntap *tt, unsigne argv_msg (D_ROUTE, &argv); openvpn_execve_check (&argv, es, 0, "ERROR: NetBSD route delete -inet6 command failed"); +#elif defined(TARGET_AIX) + + argv_printf (&argv, "%s delete -inet6 %s/%d %s", + ROUTE_PATH, + network, r6->netbits, gateway); + argv_msg (D_ROUTE, &argv); + openvpn_execve_check (&argv, es, 0, "ERROR: AIX route add command failed"); + #else msg (M_FATAL, "Sorry, but I don't know how to do 'route ipv6' commands on this operating system. Try putting your routes in a --route-down script"); #endif @@ -2079,7 +2316,7 @@ delete_route_ipv6 (const struct route_ipv6 *r6, const struct tuntap *tt, unsigne * to get the current default gateway. */ -#if defined(WIN32) +#if defined(_WIN32) static const MIB_IPFORWARDTABLE * get_windows_routing_table (struct gc_arena *gc) @@ -2148,6 +2385,7 @@ test_routes (const struct route_list *rl, const struct tuntap *tt) int count = 0; int good = 0; int ambig = 0; + int len = -1; bool adapter_up = false; if (is_adapter_up (tt, adapters)) @@ -2157,9 +2395,9 @@ test_routes (const struct route_list *rl, const struct tuntap *tt) if (rl) { - int i; - for (i = 0; i < rl->n; ++i) - test_route_helper (&ret, &count, &good, &ambig, adapters, rl->routes[i].gateway); + struct route_ipv4 *r; + for (r = rl->routes, len = 0; r; r = r->next, ++len) + test_route_helper (&ret, &count, &good, &ambig, adapters, r->gateway); if ((rl->flags & RG_ENABLE) && (rl->spec.flags & RTSA_REMOTE_ENDPOINT)) test_route_helper (&ret, &count, &good, &ambig, adapters, rl->spec.remote_endpoint); @@ -2169,7 +2407,7 @@ test_routes (const struct route_list *rl, const struct tuntap *tt) msg (D_ROUTE, "TEST ROUTES: %d/%d succeeded len=%d ret=%d a=%d u/d=%s", good, count, - rl ? rl->n : -1, + len, (int)ret, ambig, adapter_up ? "up" : "down"); @@ -2301,6 +2539,81 @@ windows_route_find_if_index (const struct route_ipv4 *r, const struct tuntap *tt return ret; } +/* IPv6 implementation using GetBestRoute2() + * (TBD: dynamic linking so the binary can still run on XP?) + * https://msdn.microsoft.com/en-us/library/windows/desktop/aa365922(v=vs.85).aspx + * https://msdn.microsoft.com/en-us/library/windows/desktop/aa814411(v=vs.85).aspx + */ +void +get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6, + const struct in6_addr *dest) +{ + struct gc_arena gc = gc_new (); + MIB_IPFORWARD_ROW2 BestRoute; + SOCKADDR_INET DestinationAddress, BestSourceAddress; + DWORD BestIfIndex; + DWORD status; + NET_LUID InterfaceLuid; + + CLEAR(*rgi6); + CLEAR(InterfaceLuid); // cleared = not used for lookup + CLEAR(DestinationAddress); + + DestinationAddress.si_family = AF_INET6; + if ( dest ) + { + DestinationAddress.Ipv6.sin6_addr = *dest; + } + + status = GetBestInterfaceEx( &DestinationAddress, &BestIfIndex ); + + if (status != NO_ERROR) + { + msg (D_ROUTE, "NOTE: GetBestInterfaceEx returned error: %s (code=%u)", + strerror_win32 (status, &gc), + (unsigned int)status); + goto done; + } + + msg( D_ROUTE, "GetBestInterfaceEx() returned if=%d", (int) BestIfIndex ); + + status = GetBestRoute2( &InterfaceLuid, BestIfIndex, NULL, + &DestinationAddress, 0, + &BestRoute, &BestSourceAddress ); + + if (status != NO_ERROR) + { + msg (D_ROUTE, "NOTE: GetIpForwardEntry2 returned error: %s (code=%u)", + strerror_win32 (status, &gc), + (unsigned int)status); + goto done; + } + + msg( D_ROUTE, "GDG6: II=%d DP=%s/%d NH=%s", + BestRoute.InterfaceIndex, + print_in6_addr( BestRoute.DestinationPrefix.Prefix.Ipv6.sin6_addr, 0, &gc), + BestRoute.DestinationPrefix.PrefixLength, + print_in6_addr( BestRoute.NextHop.Ipv6.sin6_addr, 0, &gc) ); + msg( D_ROUTE, "GDG6: Metric=%d, Loopback=%d, AA=%d, I=%d", + (int) BestRoute.Metric, + (int) BestRoute.Loopback, + (int) BestRoute.AutoconfigureAddress, + (int) BestRoute.Immortal ); + + rgi6->gateway.addr_ipv6 = BestRoute.NextHop.Ipv6.sin6_addr; + rgi6->adapter_index = BestRoute.InterfaceIndex; + rgi6->flags |= RGI_ADDR_DEFINED | RGI_IFACE_DEFINED; + + /* on-link is signalled by receiving an empty (::) NextHop */ + if ( IN6_IS_ADDR_UNSPECIFIED(&BestRoute.NextHop.Ipv6.sin6_addr) ) + { + rgi6->flags |= RGI_ON_LINK; + } + + done: + gc_free (&gc); +} + bool add_route_ipapi (const struct route_ipv4 *r, const struct tuntap *tt, DWORD adapter_index) { @@ -2407,6 +2720,126 @@ del_route_ipapi (const struct route_ipv4 *r, const struct tuntap *tt) return ret; } +static bool +do_route_service (const bool add, const route_message_t *rt, const size_t size, HANDLE pipe) +{ + DWORD len; + bool ret = false; + ack_message_t ack; + struct gc_arena gc = gc_new (); + + if (!WriteFile (pipe, rt, size, &len, NULL) || + !ReadFile (pipe, &ack, sizeof (ack), &len, NULL)) + { + msg (M_WARN, "ROUTE: could not talk to service: %s [%lu]", + strerror_win32 (GetLastError (), &gc), GetLastError ()); + goto out; + } + + if (ack.error_number != NO_ERROR) + { + msg (M_WARN, "ROUTE: route %s failed using service: %s [status=%u if_index=%lu]", + (add ? "addition" : "deletion"), strerror_win32 (ack.error_number, &gc), + ack.error_number, rt->iface.index); + goto out; + } + + ret = true; + +out: + gc_free (&gc); + return ret; +} + +static bool +do_route_ipv4_service (const bool add, const struct route_ipv4 *r, const struct tuntap *tt) +{ + DWORD if_index = windows_route_find_if_index (r, tt); + if (if_index == ~0) + return false; + + route_message_t msg = { + .header = { + (add ? msg_add_route : msg_del_route), + sizeof (route_message_t), + 0 }, + .family = AF_INET, + .prefix.ipv4.s_addr = htonl(r->network), + .gateway.ipv4.s_addr = htonl(r->gateway), + .iface = { .index = if_index, .name = "" }, + .metric = (r->flags & RT_METRIC_DEFINED ? r->metric : -1) + }; + + netmask_to_netbits (r->network, r->netmask, &msg.prefix_len); + if (msg.prefix_len == -1) + msg.prefix_len = 32; + + return do_route_service (add, &msg, sizeof (msg), tt->options.msg_channel); +} + +static bool +do_route_ipv6_service (const bool add, const struct route_ipv6 *r, const struct tuntap *tt) +{ + bool status; + route_message_t msg = { + .header = { + (add ? msg_add_route : msg_del_route), + sizeof (route_message_t), + 0 }, + .family = AF_INET6, + .prefix.ipv6 = r->network, + .prefix_len = r->netbits, + .gateway.ipv6 = r->gateway, + .iface = { .index = tt->adapter_index, .name = "" }, + .metric = ( (r->flags & RT_METRIC_DEFINED) ? r->metric : -1) + }; + + if ( r->adapter_index ) /* vpn server special route */ + msg.iface.index = r->adapter_index; + + /* In TUN mode we use a special link-local address as the next hop. + * The tapdrvr knows about it and will answer neighbor discovery packets. + */ + if (tt->type == DEV_TYPE_TUN) + inet_pton (AF_INET6, "fe80::8", &msg.gateway.ipv6); + + if (msg.iface.index == TUN_ADAPTER_INDEX_INVALID) + { + strncpy (msg.iface.name, tt->actual_name, sizeof (msg.iface.name)); + msg.iface.name[sizeof (msg.iface.name) - 1] = '\0'; + } + + status = do_route_service (add, &msg, sizeof (msg), tt->options.msg_channel); + msg (D_ROUTE, "IPv6 route %s via service %s", + add ? "addition" : "deletion", + status ? "succeeded" : "failed"); + return status; +} + +static bool +add_route_service (const struct route_ipv4 *r, const struct tuntap *tt) +{ + return do_route_ipv4_service (true, r, tt); +} + +static bool +del_route_service (const struct route_ipv4 *r, const struct tuntap *tt) +{ + return do_route_ipv4_service (false, r, tt); +} + +static bool +add_route_ipv6_service (const struct route_ipv6 *r, const struct tuntap *tt) +{ + return do_route_ipv6_service (true, r, tt); +} + +static bool +del_route_ipv6_service (const struct route_ipv6 *r, const struct tuntap *tt) +{ + return do_route_ipv6_service (false, r, tt); +} + static const char * format_route_entry (const MIB_IPFORWARDROW *r, struct gc_arena *gc) { @@ -2451,7 +2884,7 @@ show_routes (int msglev) gc_free (&gc); } -#elif defined(TARGET_LINUX) +#elif defined(TARGET_LINUX) || defined(TARGET_ANDROID) void get_default_gateway (struct route_gateway_info *rgi) @@ -2463,6 +2896,7 @@ get_default_gateway (struct route_gateway_info *rgi) CLEAR(*rgi); +#ifndef TARGET_ANDROID /* get default gateway IP addr */ { FILE *fp = fopen ("/proc/net/route", "r"); @@ -2519,6 +2953,19 @@ get_default_gateway (struct route_gateway_info *rgi) } } } +#else + /* Android, set some pseudo GW, addr is in host byte order, + * Determining the default GW on Android 5.0+ is non trivial + * and serves almost no purpose since OpenVPN only uses the + * default GW address to add routes for networks that should + * NOT be routed over the VPN. Using a well known address + * (127.'d'.'g'.'w') for the default GW make detecting + * these routes easier from the controlling app. + */ + rgi->gateway.addr = 127 << 24 | 'd' << 16 | 'g' << 8 | 'w'; + rgi->flags |= RGI_ADDR_DEFINED; + strcpy(best_name, "android-gw"); +#endif /* scan adapter list */ if (rgi->flags & RGI_ADDR_DEFINED) @@ -2617,136 +3064,149 @@ get_default_gateway (struct route_gateway_info *rgi) gc_free (&gc); } -#elif defined(TARGET_FREEBSD)||defined(TARGET_DRAGONFLY)||defined(TARGET_SOLARIS) - -#include <sys/types.h> -#include <sys/socket.h> -#include <netinet/in.h> -#include <net/route.h> - -struct { - struct rt_msghdr m_rtm; - char m_space[512]; -} m_rtmsg; - -#define ROUNDUP(a) \ - ((a) > 0 ? (1 + (((a) - 1) | (sizeof(long) - 1))) : sizeof(long)) - -/* - * FIXME -- add support for netmask, hwaddr, and iface +/* IPv6 implementation using netlink + * http://www.linuxjournal.com/article/7356 + * netlink(3), netlink(7), rtnetlink(7) + * http://www.virtualbox.org/svn/vbox/trunk/src/VBox/NetworkServices/NAT/rtmon_linux.c */ -void -get_default_gateway (struct route_gateway_info *rgi) -{ - struct gc_arena gc = gc_new (); - int s, seq, l, pid, rtm_addrs; - unsigned int i; - struct sockaddr so_dst, so_mask; - char *cp = m_rtmsg.m_space; - struct sockaddr *gate = NULL, *sa; - struct rt_msghdr *rtm_aux; - -#if defined(TARGET_FREEBSD)||defined(TARGET_DRAGONFLY) - -#define NEXTADDR(w, u) \ - if (rtm_addrs & (w)) {\ - l = ROUNDUP(u.sa_len); memmove(cp, &(u), l); cp += l;\ - } - -#define ADVANCE(x, n) (x += ROUNDUP((n)->sa_len)) - -#else /* TARGET_SOLARIS */ - -#define NEXTADDR(w, u) \ - if (rtm_addrs & (w)) {\ - l = ROUNDUP(sizeof(struct sockaddr_in)); memmove(cp, &(u), l); cp += l;\ - } - -#define ADVANCE(x, n) (x += ROUNDUP(sizeof(struct sockaddr_in))) +struct rtreq { + struct nlmsghdr nh; + struct rtmsg rtm; + char attrbuf[512]; +}; -#endif +void +get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6, + const struct in6_addr *dest) +{ + int nls = -1; + struct rtreq rtreq; + struct rtattr *rta; + + char rtbuf[2000]; + ssize_t ssize; + + CLEAR(*rgi6); + + nls = socket( PF_NETLINK, SOCK_RAW, NETLINK_ROUTE ); + if ( nls < 0 ) + { msg(M_WARN|M_ERRNO, "GDG6: socket() failed" ); goto done; } + + /* bind() is not needed, no unsolicited msgs coming in */ + + /* request best matching route, see netlink(7) for explanations + */ + CLEAR(rtreq); + rtreq.nh.nlmsg_type = RTM_GETROUTE; + rtreq.nh.nlmsg_flags = NLM_F_REQUEST; /* best match only */ + rtreq.rtm.rtm_family = AF_INET6; + rtreq.rtm.rtm_src_len = 0; /* not source dependent */ + rtreq.rtm.rtm_dst_len = 128; /* exact dst */ + rtreq.rtm.rtm_table = RT_TABLE_MAIN; + rtreq.rtm.rtm_protocol = RTPROT_UNSPEC; + rtreq.nh.nlmsg_len = NLMSG_SPACE(sizeof(rtreq.rtm)); + + /* set RTA_DST for target IPv6 address we want */ + rta = (struct rtattr *)(((char *) &rtreq)+NLMSG_ALIGN(rtreq.nh.nlmsg_len)); + rta->rta_type = RTA_DST; + rta->rta_len = RTA_LENGTH(16); + rtreq.nh.nlmsg_len = NLMSG_ALIGN(rtreq.nh.nlmsg_len) + + RTA_LENGTH(16); + + if ( dest == NULL ) /* ::, unspecified */ + memset( RTA_DATA(rta), 0, 16 ); /* :: = all-zero */ + else + memcpy( RTA_DATA(rta), (void *)dest, 16 ); + /* send and receive reply */ + if ( send( nls, &rtreq, rtreq.nh.nlmsg_len, 0 ) < 0 ) + { msg(M_WARN|M_ERRNO, "GDG6: send() failed" ); goto done; } -#define rtm m_rtmsg.m_rtm + ssize = recv(nls, rtbuf, sizeof(rtbuf), MSG_TRUNC); - CLEAR(*rgi); + if (ssize < 0) + { msg(M_WARN|M_ERRNO, "GDG6: recv() failed" ); goto done; } - pid = getpid(); - seq = 0; - rtm_addrs = RTA_DST | RTA_NETMASK; + if (ssize > sizeof(rtbuf)) + { + msg(M_WARN, "get_default_gateway_ipv6: returned message too big for buffer (%d>%d)", (int)ssize, (int)sizeof(rtbuf) ); + goto done; + } - bzero(&so_dst, sizeof(so_dst)); - bzero(&so_mask, sizeof(so_mask)); - bzero(&rtm, sizeof(struct rt_msghdr)); + struct nlmsghdr *nh; - rtm.rtm_type = RTM_GET; - rtm.rtm_flags = RTF_UP | RTF_GATEWAY; - rtm.rtm_version = RTM_VERSION; - rtm.rtm_seq = ++seq; - rtm.rtm_addrs = rtm_addrs; + for (nh = (struct nlmsghdr *)rtbuf; + NLMSG_OK(nh, ssize); + nh = NLMSG_NEXT(nh, ssize)) + { + struct rtmsg *rtm; + int attrlen; - so_dst.sa_family = AF_INET; - so_mask.sa_family = AF_INET; + if (nh->nlmsg_type == NLMSG_DONE) { break; } -#if defined(TARGET_FREEBSD)||defined(TARGET_DRAGONFLY) - so_dst.sa_len = sizeof(struct sockaddr_in); - so_mask.sa_len = sizeof(struct sockaddr_in); -#endif + if (nh->nlmsg_type == NLMSG_ERROR) { + struct nlmsgerr *ne = (struct nlmsgerr *)NLMSG_DATA(nh); + msg(M_WARN, "GDG6: NLSMG_ERROR: error %d\n", ne->error); + break; + } - NEXTADDR(RTA_DST, so_dst); - NEXTADDR(RTA_NETMASK, so_mask); + if (nh->nlmsg_type != RTM_NEWROUTE) { + /* shouldn't happen */ + msg(M_WARN, "GDG6: unexpected msg_type %d", nh->nlmsg_type ); + continue; + } - rtm.rtm_msglen = l = cp - (char *)&m_rtmsg; + rtm = (struct rtmsg *)NLMSG_DATA(nh); + attrlen = RTM_PAYLOAD(nh); - s = socket(PF_ROUTE, SOCK_RAW, 0); + /* we're only looking for routes in the main table, as "we have + * no IPv6" will lead to a lookup result in "Local" (::/0 reject) + */ + if (rtm->rtm_family != AF_INET6 || + rtm->rtm_table != RT_TABLE_MAIN) + { continue; } /* we're not interested */ - if (write(s, (char *)&m_rtmsg, l) < 0) - { - msg(M_WARN|M_ERRNO, "Could not retrieve default gateway from route socket:"); - gc_free (&gc); - close(s); - return; + for (rta = RTM_RTA(rtm); + RTA_OK(rta, attrlen); + rta = RTA_NEXT(rta, attrlen)) + { + if (rta->rta_type == RTA_GATEWAY) { + if ( RTA_PAYLOAD(rta) != sizeof(struct in6_addr) ) + { msg(M_WARN, "GDG6: RTA_GW size mismatch"); continue; } + rgi6->gateway.addr_ipv6 = *(struct in6_addr*) RTA_DATA(rta); + rgi6->flags |= RGI_ADDR_DEFINED; + } + else if (rta->rta_type == RTA_OIF) { + char ifname[IF_NAMESIZE+1]; + int oif; + if ( RTA_PAYLOAD(rta) != sizeof(oif) ) + { msg(M_WARN, "GDG6: oif size mismatch"); continue; } + + memcpy(&oif, RTA_DATA(rta), sizeof(oif)); + if_indextoname(oif,ifname); + strncpy( rgi6->iface, ifname, sizeof(rgi6->iface)-1 ); + rgi6->flags |= RGI_IFACE_DEFINED; + } + } } - do { - l = read(s, (char *)&m_rtmsg, sizeof(m_rtmsg)); - } while (l > 0 && (rtm.rtm_seq != seq || rtm.rtm_pid != pid)); - - close(s); - - rtm_aux = &rtm; - - cp = ((char *)(rtm_aux + 1)); - if (rtm_aux->rtm_addrs) { - for (i = 1; i; i <<= 1) - if (i & rtm_aux->rtm_addrs) { - sa = (struct sockaddr *)cp; - if (i == RTA_GATEWAY ) - gate = sa; - ADVANCE(cp, sa); - } - } - else + /* if we have an interface but no gateway, the destination is on-link */ + if ( ( rgi6->flags & (RGI_IFACE_DEFINED|RGI_ADDR_DEFINED) ) == + RGI_IFACE_DEFINED ) { - gc_free (&gc); - return; + rgi6->flags |= (RGI_ADDR_DEFINED | RGI_ON_LINK); + if ( dest ) + rgi6->gateway.addr_ipv6 = *dest; } - - if (gate != NULL ) - { - rgi->gateway.addr = ntohl(((struct sockaddr_in *)gate)->sin_addr.s_addr); - rgi->flags |= RGI_ADDR_DEFINED; - - gc_free (&gc); - } - else - { - gc_free (&gc); - } + done: + if (nls >= 0) + close (nls); } -#elif defined(TARGET_DARWIN) +#elif defined(TARGET_DARWIN) || defined(TARGET_SOLARIS) || \ + defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY) || \ + defined(TARGET_OPENBSD) || defined(TARGET_NETBSD) #include <sys/types.h> #include <sys/socket.h> @@ -2759,15 +3219,41 @@ struct rtmsg { char m_space[512]; }; -#define ROUNDUP(a) \ +/* the route socket code is identical for all 4 supported BSDs and for + * MacOS X (Darwin), with one crucial difference: when going from + * 32 bit to 64 bit, the BSDs increased the structure size but kept + * source code compatibility by keeping the use of "long", while + * MacOS X decided to keep binary compatibility by *changing* the API + * to use "uint32_t", thus 32 bit on all OS X variants + * + * We used to have a large amount of duplicate code here which really + * differed only in this (long) vs. (uint32_t) - IMHO, worse than + * having a combined block for all BSDs with this single #ifdef inside + */ + +#if defined(TARGET_DARWIN) +# define ROUNDUP(a) \ ((a) > 0 ? (1 + (((a) - 1) | (sizeof(uint32_t) - 1))) : sizeof(uint32_t)) +#else +# define ROUNDUP(a) \ + ((a) > 0 ? (1 + (((a) - 1) | (sizeof(long) - 1))) : sizeof(long)) +#endif + +#if defined(TARGET_SOLARIS) +#define NEXTADDR(w, u) \ + if (rtm_addrs & (w)) {\ + l = ROUNDUP(sizeof(u)); memmove(cp, &(u), l); cp += l;\ + } +#define ADVANCE(x, n) (x += ROUNDUP(sizeof(struct sockaddr_in))) +#else #define NEXTADDR(w, u) \ if (rtm_addrs & (w)) {\ - l = ROUNDUP(u.sa_len); memmove(cp, &(u), l); cp += l;\ + l = ROUNDUP( ((struct sockaddr *)&(u))->sa_len); memmove(cp, &(u), l); cp += l;\ } #define ADVANCE(x, n) (x += ROUNDUP((n)->sa_len)) +#endif #define max(a,b) ((a) > (b) ? (a) : (b)) @@ -2805,9 +3291,12 @@ get_default_gateway (struct route_gateway_info *rgi) rtm.rtm_addrs = rtm_addrs; so_dst.sa_family = AF_INET; - so_dst.sa_len = sizeof(struct sockaddr_in); so_mask.sa_family = AF_INET; + +#ifndef TARGET_SOLARIS + so_dst.sa_len = sizeof(struct sockaddr_in); so_mask.sa_len = sizeof(struct sockaddr_in); +#endif NEXTADDR(RTA_DST, so_dst); NEXTADDR(RTA_NETMASK, so_mask); @@ -2865,7 +3354,6 @@ get_default_gateway (struct route_gateway_info *rgi) { /* get interface name */ const struct sockaddr_dl *adl = (struct sockaddr_dl *) ifp; - int len = adl->sdl_nlen; if (adl->sdl_nlen && adl->sdl_nlen < sizeof(rgi->iface)) { memcpy (rgi->iface, adl->sdl_data, adl->sdl_nlen); @@ -2932,7 +3420,12 @@ get_default_gateway (struct route_gateway_info *rgi) for (cp = buffer; cp <= buffer + ifc.ifc_len - sizeof(struct ifreq); ) { ifr = (struct ifreq *)cp; +#if defined(TARGET_SOLARIS) + const size_t len = sizeof(ifr->ifr_name) + sizeof(ifr->ifr_addr); +#else const size_t len = sizeof(ifr->ifr_name) + max(sizeof(ifr->ifr_addr), ifr->ifr_addr.sa_len); +#endif + if (!ifr->ifr_addr.sa_family) break; if (!strncmp(ifr->ifr_name, rgi->iface, IFNAMSIZ)) @@ -2954,121 +3447,162 @@ get_default_gateway (struct route_gateway_info *rgi) gc_free (&gc); } -#undef max - -#elif defined(TARGET_OPENBSD) || defined(TARGET_NETBSD) - -#include <sys/types.h> -#include <sys/socket.h> -#include <netinet/in.h> -#include <net/route.h> - -struct { - struct rt_msghdr m_rtm; - char m_space[512]; -} m_rtmsg; - -#define ROUNDUP(a) \ - ((a) > 0 ? (1 + (((a) - 1) | (sizeof(long) - 1))) : sizeof(long)) +/* BSD implementation using routing socket (as does IPv4) + * (the code duplication is somewhat unavoidable if we want this to + * work on OpenSolaris as well. *sigh*) + */ -/* - * FIXME -- add support for netmask, hwaddr, and iface +/* Solaris has no length field - this is ugly, but less #ifdef in total */ +#if defined(TARGET_SOLARIS) +# undef ADVANCE +# define ADVANCE(x, n) (x += ROUNDUP(sizeof(struct sockaddr_in6))) +#endif + void -get_default_gateway (struct route_gateway_info *rgi) +get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6, + const struct in6_addr *dest) { - struct gc_arena gc = gc_new (); - int s, seq, l, rtm_addrs; - unsigned int i; - pid_t pid; - struct sockaddr so_dst, so_mask; - char *cp = m_rtmsg.m_space; - struct sockaddr *gate = NULL, *sa; - struct rt_msghdr *rtm_aux; -#define NEXTADDR(w, u) \ - if (rtm_addrs & (w)) {\ - l = ROUNDUP(u.sa_len); memmove(cp, &(u), l); cp += l;\ - } + struct rtmsg m_rtmsg; + int sockfd = -1; + int seq, l, pid, rtm_addrs; + unsigned int i; + struct sockaddr_in6 so_dst, so_mask; + char *cp = m_rtmsg.m_space; + struct sockaddr *gate = NULL, *ifp = NULL, *sa; + struct rt_msghdr *rtm_aux; -#define ADVANCE(x, n) (x += ROUNDUP((n)->sa_len)) + CLEAR(*rgi6); -#define rtm m_rtmsg.m_rtm + /* setup data to send to routing socket */ + pid = getpid(); + seq = 0; + rtm_addrs = RTA_DST | RTA_NETMASK | RTA_IFP; - CLEAR(*rgi); + bzero(&m_rtmsg, sizeof(m_rtmsg)); + bzero(&so_dst, sizeof(so_dst)); + bzero(&so_mask, sizeof(so_mask)); + bzero(&rtm, sizeof(struct rt_msghdr)); - pid = getpid(); - seq = 0; - rtm_addrs = RTA_DST | RTA_NETMASK; + rtm.rtm_type = RTM_GET; + rtm.rtm_flags = RTF_UP; + rtm.rtm_version = RTM_VERSION; + rtm.rtm_seq = ++seq; - bzero(&so_dst, sizeof(so_dst)); - bzero(&so_mask, sizeof(so_mask)); - bzero(&rtm, sizeof(struct rt_msghdr)); + so_dst.sin6_family = AF_INET6; + so_mask.sin6_family = AF_INET6; - rtm.rtm_type = RTM_GET; - rtm.rtm_flags = RTF_UP | RTF_GATEWAY; - rtm.rtm_version = RTM_VERSION; - rtm.rtm_seq = ++seq; - rtm.rtm_addrs = rtm_addrs; + if ( dest != NULL && /* specific host? */ + !IN6_IS_ADDR_UNSPECIFIED(dest) ) + { + so_dst.sin6_addr = *dest; + /* :: needs /0 "netmask", host route wants "no netmask */ + rtm_addrs &= ~RTA_NETMASK; + } - so_dst.sa_family = AF_INET; - so_dst.sa_len = sizeof(struct sockaddr_in); - so_mask.sa_family = AF_INET; - so_mask.sa_len = sizeof(struct sockaddr_in); + rtm.rtm_addrs = rtm_addrs; - NEXTADDR(RTA_DST, so_dst); - NEXTADDR(RTA_NETMASK, so_mask); +#ifndef TARGET_SOLARIS + so_dst.sin6_len = sizeof(struct sockaddr_in6); + so_mask.sin6_len = sizeof(struct sockaddr_in6); +#endif - rtm.rtm_msglen = l = cp - (char *)&m_rtmsg; + NEXTADDR(RTA_DST, so_dst); + NEXTADDR(RTA_NETMASK, so_mask); - s = socket(PF_ROUTE, SOCK_RAW, 0); + rtm.rtm_msglen = l = cp - (char *)&m_rtmsg; - if (write(s, (char *)&m_rtmsg, l) < 0) + /* transact with routing socket */ + sockfd = socket(PF_ROUTE, SOCK_RAW, 0); + if (sockfd < 0) { - msg(M_WARN|M_ERRNO, "Could not retrieve default gateway from route socket:"); - gc_free (&gc); - close(s); - return; + msg (M_WARN, "GDG6: socket #1 failed"); + goto done; + } + if (write(sockfd, (char *)&m_rtmsg, l) < 0) + { + msg (M_WARN, "GDG6: problem writing to routing socket"); + goto done; } - do { - l = read(s, (char *)&m_rtmsg, sizeof(m_rtmsg)); - } while (l > 0 && (rtm.rtm_seq != seq || rtm.rtm_pid != pid)); - - close(s); - - rtm_aux = &rtm; - - cp = ((char *)(rtm_aux + 1)); - if (rtm_aux->rtm_addrs) { - for (i = 1; i; i <<= 1) - if (i & rtm_aux->rtm_addrs) { - sa = (struct sockaddr *)cp; - if (i == RTA_GATEWAY ) - gate = sa; - ADVANCE(cp, sa); - } - } - else + do { - gc_free (&gc); - return; + l = read(sockfd, (char *)&m_rtmsg, sizeof(m_rtmsg)); } + while (l > 0 && (rtm.rtm_seq != seq || rtm.rtm_pid != pid)); + close(sockfd); + sockfd = -1; - if (gate != NULL ) + /* extract return data from routing socket */ + rtm_aux = &rtm; + cp = ((char *)(rtm_aux + 1)); + if (rtm_aux->rtm_addrs) { - rgi->gateway.addr = ntohl(((struct sockaddr_in *)gate)->sin_addr.s_addr); - rgi->flags |= RGI_ADDR_DEFINED; - - gc_free (&gc); + for (i = 1; i; i <<= 1) + { + if (i & rtm_aux->rtm_addrs) + { + sa = (struct sockaddr *)cp; + if (i == RTA_GATEWAY ) + gate = sa; + else if (i == RTA_IFP) + ifp = sa; + ADVANCE(cp, sa); + } + } } - else + else + goto done; + + /* get gateway addr and interface name */ + if (gate != NULL ) { - gc_free (&gc); + struct sockaddr_in6 * s6 = (struct sockaddr_in6 *)gate; + struct in6_addr gw = s6->sin6_addr; + +#ifndef TARGET_SOLARIS + /* You do not really want to know... from FreeBSD's route.c + * (KAME encodes the 16 bit scope_id in s6_addr[2] + [3], + * but for a correct link-local address these must be :0000: ) + */ + if ( gate->sa_len == sizeof(struct sockaddr_in6) && + IN6_IS_ADDR_LINKLOCAL(&gw) ) + { + gw.s6_addr[2] = gw.s6_addr[3] = 0; + } + + if ( gate->sa_len != sizeof(struct sockaddr_in6) || + IN6_IS_ADDR_UNSPECIFIED(&gw) ) + { + rgi6->flags |= RGI_ON_LINK; + } + else +#endif + + rgi6->gateway.addr_ipv6 = gw; + rgi6->flags |= RGI_ADDR_DEFINED; + + if (ifp) + { + /* get interface name */ + const struct sockaddr_dl *adl = (struct sockaddr_dl *) ifp; + if (adl->sdl_nlen && adl->sdl_nlen < sizeof(rgi6->iface)) + { + memcpy (rgi6->iface, adl->sdl_data, adl->sdl_nlen); + rgi6->flags |= RGI_IFACE_DEFINED; + } + } } + + done: + if (sockfd >= 0) + close(sockfd); } +#undef max + #else /* @@ -3100,6 +3634,13 @@ get_default_gateway (struct route_gateway_info *rgi) { CLEAR(*rgi); } +void +get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6, + const struct in6_addr *dest) +{ + msg(D_ROUTE, "no support for get_default_gateway_ipv6() on this system"); + CLEAR(*rgi6); +} #endif @@ -3127,13 +3668,33 @@ netmask_to_netbits (const in_addr_t network, const in_addr_t netmask, int *netbi return false; } +/* similar to netmask_to_netbits(), but don't mess with base address + * etc., just convert to netbits - non-mappable masks are returned as "-1" + */ +int netmask_to_netbits2 (in_addr_t netmask) +{ + int i; + const int addrlen = sizeof (in_addr_t) * 8; + + for (i = 0; i <= addrlen; ++i) + { + in_addr_t mask = netbits_to_netmask (i); + if (mask == netmask) + { + return i; + } + } + return -1; +} + + /* * get_bypass_addresses() is used by the redirect-gateway bypass-x * functions to build a route bypass to selected DHCP/DNS servers, * so that outgoing packets to these servers don't end up in the tunnel. */ -#if defined(WIN32) +#if defined(_WIN32) static void add_host_route_if_nonlocal (struct route_bypass *rb, const in_addr_t addr) @@ -3207,7 +3768,7 @@ get_bypass_addresses (struct route_bypass *rb, const unsigned int flags) /* PLA * Used by redirect-gateway autolocal feature */ -#if defined(WIN32) +#if defined(_WIN32) int test_local_addr (const in_addr_t addr, const struct route_gateway_info *rgi) diff --git a/src/openvpn/route.h b/src/openvpn/route.h index fe9b461..c358681 100644 --- a/src/openvpn/route.h +++ b/src/openvpn/route.h @@ -33,15 +33,14 @@ #include "tun.h" #include "misc.h" -#define MAX_ROUTES_DEFAULT 100 - -#ifdef WIN32 +#ifdef _WIN32 /* * Windows route methods */ #define ROUTE_METHOD_ADAPTIVE 0 /* try IP helper first then route.exe */ #define ROUTE_METHOD_IPAPI 1 /* use IP helper API */ #define ROUTE_METHOD_EXE 2 /* use route.exe */ +#define ROUTE_METHOD_SERVICE 3 /* use the privileged Windows service */ #define ROUTE_METHOD_MASK 3 #endif @@ -74,6 +73,7 @@ struct route_special_addr }; struct route_option { + struct route_option *next; const char *network; const char *netmask; const char *gateway; @@ -92,28 +92,28 @@ struct route_option { struct route_option_list { unsigned int flags; /* RG_x flags */ - int capacity; - int n; - struct route_option routes[EMPTY_ARRAY_SIZE]; + struct route_option *routes; + struct gc_arena *gc; }; struct route_ipv6_option { + struct route_ipv6_option *next; const char *prefix; /* e.g. "2001:db8:1::/64" */ const char *gateway; /* e.g. "2001:db8:0::2" */ const char *metric; /* e.g. "5" */ }; struct route_ipv6_option_list { - unsigned int flags; - int capacity; - int n; - struct route_ipv6_option routes_ipv6[EMPTY_ARRAY_SIZE]; + unsigned int flags; /* RG_x flags, see route_option-list */ + struct route_ipv6_option *routes_ipv6; + struct gc_arena *gc; }; struct route_ipv4 { # define RT_DEFINED (1<<0) # define RT_ADDED (1<<1) # define RT_METRIC_DEFINED (1<<2) + struct route_ipv4 *next; unsigned int flags; const struct route_option *option; in_addr_t network; @@ -123,26 +123,18 @@ struct route_ipv4 { }; struct route_ipv6 { - bool defined; + struct route_ipv6 *next; + unsigned int flags; /* RT_ flags, see route_ipv4 */ struct in6_addr network; unsigned int netbits; struct in6_addr gateway; - bool metric_defined; int metric; -}; - -struct route_ipv6_list { - bool routes_added; - unsigned int flags; - int default_metric; - bool default_metric_defined; - struct in6_addr remote_endpoint_ipv6; - bool remote_endpoint_defined; - bool did_redirect_default_gateway; /* TODO (?) */ - bool did_local; /* TODO (?) */ - int capacity; - int n; - struct route_ipv6 routes_ipv6[EMPTY_ARRAY_SIZE]; + /* gateway interface */ +# ifdef _WIN32 + DWORD adapter_index; /* interface or ~0 if undefined */ +#else + char * iface; /* interface name (null terminated) */ +#endif }; @@ -161,7 +153,7 @@ struct route_gateway_info { unsigned int flags; /* gateway interface */ -# ifdef WIN32 +# ifdef _WIN32 DWORD adapter_index; /* interface or ~0 if undefined */ #else char iface[16]; /* interface name (null terminated), may be empty */ @@ -179,6 +171,34 @@ struct route_gateway_info { struct route_gateway_address addrs[RGI_N_ADDRESSES]; /* local addresses attached to iface */ }; +struct route_ipv6_gateway_address { + struct in6_addr addr_ipv6; + int netbits_ipv6; +}; + +struct route_ipv6_gateway_info { +/* RGI_ flags used as in route_gateway_info */ + unsigned int flags; + + /* gateway interface */ +# ifdef _WIN32 + DWORD adapter_index; /* interface or ~0 if undefined */ +#else + char iface[16]; /* interface name (null terminated), may be empty */ +#endif + + /* gateway interface hardware address */ + uint8_t hwaddr[6]; + + /* gateway/router address */ + struct route_ipv6_gateway_address gateway; + + /* address/netmask pairs bound to interface */ +# define RGI_N_ADDRESSES 8 + int n_addrs; /* len of addrs, may be 0 */ + struct route_ipv6_gateway_address addrs[RGI_N_ADDRESSES]; /* local addresses attached to iface */ +}; + struct route_list { # define RL_DID_REDIRECT_DEFAULT_GATEWAY (1<<0) # define RL_DID_LOCAL (1<<1) @@ -188,9 +208,22 @@ struct route_list { struct route_special_addr spec; struct route_gateway_info rgi; unsigned int flags; /* RG_x flags */ - int capacity; - int n; - struct route_ipv4 routes[EMPTY_ARRAY_SIZE]; + struct route_ipv4 *routes; + struct gc_arena gc; +}; + +struct route_ipv6_list { + unsigned int iflags; /* RL_ flags, see route_list */ + + unsigned int spec_flags; /* RTSA_ flags, route_special_addr */ + struct in6_addr remote_endpoint_ipv6; /* inside tun */ + struct in6_addr remote_host_ipv6; /* --remote address */ + int default_metric; + + struct route_ipv6_gateway_info rgi6; + unsigned int flags; /* RG_x flags, see route_option_list */ + struct route_ipv6 *routes_ipv6; + struct gc_arena gc; }; #if P2MP @@ -208,17 +241,15 @@ struct iroute_ipv6 { }; #endif -struct route_option_list *new_route_option_list (const int max_routes, struct gc_arena *a); -struct route_ipv6_option_list *new_route_ipv6_option_list (const int max_routes, struct gc_arena *a); +struct route_option_list *new_route_option_list (struct gc_arena *a); +struct route_ipv6_option_list *new_route_ipv6_option_list (struct gc_arena *a); struct route_option_list *clone_route_option_list (const struct route_option_list *src, struct gc_arena *a); struct route_ipv6_option_list *clone_route_ipv6_option_list (const struct route_ipv6_option_list *src, struct gc_arena *a); -void copy_route_option_list (struct route_option_list *dest, const struct route_option_list *src); +void copy_route_option_list (struct route_option_list *dest, const struct route_option_list *src, struct gc_arena *a); void copy_route_ipv6_option_list (struct route_ipv6_option_list *dest, - const struct route_ipv6_option_list *src); - -struct route_list *new_route_list (const int max_routes, struct gc_arena *a); -struct route_ipv6_list *new_route_ipv6_list (const int max_routes, struct gc_arena *a); + const struct route_ipv6_option_list *src, + struct gc_arena *a); void add_route_ipv6 (struct route_ipv6 *r, const struct tuntap *tt, unsigned int flags, const struct env_set *es); void delete_route_ipv6 (const struct route_ipv6 *r, const struct tuntap *tt, unsigned int flags, const struct env_set *es); @@ -251,6 +282,7 @@ bool init_route_ipv6_list (struct route_ipv6_list *rl6, const struct route_ipv6_option_list *opt6, const char *remote_endpoint, int default_metric, + const struct in6_addr *remote_host, struct env_set *es); void route_list_add_vpn_gateway (struct route_list *rl, @@ -277,7 +309,11 @@ void setenv_routes_ipv6 (struct env_set *es, const struct route_ipv6_list *rl6); bool is_special_addr (const char *addr_str); void get_default_gateway (struct route_gateway_info *rgi); -void print_default_gateway(const int msglevel, const struct route_gateway_info *rgi); +void get_default_gateway_ipv6 (struct route_ipv6_gateway_info *rgi, + const struct in6_addr *dest); +void print_default_gateway(const int msglevel, + const struct route_gateway_info *rgi, + const struct route_ipv6_gateway_info *rgi6); /* * Test if addr is reachable via a local interface (return ILA_LOCAL), @@ -297,7 +333,7 @@ void print_route_options (const struct route_option_list *rol, void print_routes (const struct route_list *rl, int level); -#ifdef WIN32 +#ifdef _WIN32 void show_routes (int msglev); bool test_routes (const struct route_list *rl, const struct tuntap *tt); @@ -309,6 +345,7 @@ static inline bool test_routes (const struct route_list *rl, const struct tuntap #endif bool netmask_to_netbits (const in_addr_t network, const in_addr_t netmask, int *netbits); +int netmask_to_netbits2 (in_addr_t netmask); static inline in_addr_t netbits_to_netmask (const int netbits) diff --git a/src/openvpn/session_id.c b/src/openvpn/session_id.c index 2e07b54..0ebff65 100644 --- a/src/openvpn/session_id.c +++ b/src/openvpn/session_id.c @@ -39,7 +39,7 @@ #include "syshead.h" -#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL) +#ifdef ENABLE_CRYPTO #include "error.h" #include "common.h" @@ -64,4 +64,4 @@ session_id_print (const struct session_id *sid, struct gc_arena *gc) #else static void dummy(void) {} -#endif /* ENABLE_CRYPTO && ENABLE_SSL*/ +#endif /* ENABLE_CRYPTO */ diff --git a/src/openvpn/session_id.h b/src/openvpn/session_id.h index 33909dd..2a1f41f 100644 --- a/src/openvpn/session_id.h +++ b/src/openvpn/session_id.h @@ -30,7 +30,7 @@ * negotiated). */ -#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL) +#ifdef ENABLE_CRYPTO #ifndef SESSION_ID_H #define SESSION_ID_H @@ -83,4 +83,4 @@ void session_id_random (struct session_id *sid); const char *session_id_print (const struct session_id *sid, struct gc_arena *gc); #endif /* SESSION_ID_H */ -#endif /* ENABLE_CRYPTO && ENABLE_SSL */ +#endif /* ENABLE_CRYPTO */ diff --git a/src/openvpn/shaper.h b/src/openvpn/shaper.h index afeb9c3..fa132c4 100644 --- a/src/openvpn/shaper.h +++ b/src/openvpn/shaper.h @@ -75,7 +75,7 @@ bool shaper_soonest_event (struct timeval *tv, int delay); static inline void shaper_reset (struct shaper *s, int bytes_per_second) { - s->bytes_per_second = bytes_per_second ? constrain_int (bytes_per_second, SHAPER_MIN, SHAPER_MAX) : 0; + s->bytes_per_second = constrain_int (bytes_per_second, SHAPER_MIN, SHAPER_MAX); #ifdef SHAPER_USE_FP s->factor = 1000000.0 / (double)s->bytes_per_second; diff --git a/src/openvpn/sig.c b/src/openvpn/sig.c index 0ebde24..0ff1437 100644 --- a/src/openvpn/sig.c +++ b/src/openvpn/sig.c @@ -97,14 +97,14 @@ void throw_signal (const int signum) { siginfo_static.signal_received = signum; - siginfo_static.hard = true; + siginfo_static.source = SIG_SOURCE_HARD; } void throw_signal_soft (const int signum, const char *signal_text) { siginfo_static.signal_received = signum; - siginfo_static.hard = false; + siginfo_static.source = SIG_SOURCE_SOFT; siginfo_static.signal_text = signal_text; } @@ -115,7 +115,7 @@ signal_reset (struct signal_info *si) { si->signal_received = 0; si->signal_text = NULL; - si->hard = false; + si->source = SIG_SOURCE_SOFT; } } @@ -124,9 +124,23 @@ print_signal (const struct signal_info *si, const char *title, int msglevel) { if (si) { - const char *hs = (si->hard ? "hard" : "soft"); const char *type = (si->signal_text ? si->signal_text : ""); const char *t = (title ? title : "process"); + const char *hs = NULL; + switch (si->source) + { + case SIG_SOURCE_SOFT: + hs= "soft"; + break; + case SIG_SOURCE_HARD: + hs = "hard"; + break; + case SIG_SOURCE_CONNECTION_FAILED: + hs = "connection failed(soft)"; + break; + default: + ASSERT(0); + } switch (si->signal_received) { @@ -175,8 +189,10 @@ signal_restart_status (const struct signal_info *si) management_set_state (management, state, si->signal_text ? si->signal_text : signal_name (si->signal_received, true), - (in_addr_t)0, - (in_addr_t)0); + NULL, + NULL, + NULL, + NULL); } #endif } @@ -205,7 +221,7 @@ static int signal_mode; /* GLOBAL */ void pre_init_signal_catch (void) { -#ifndef WIN32 +#ifndef _WIN32 #ifdef HAVE_SIGNAL_H signal_mode = SM_PRE_INIT; signal (SIGINT, signal_handler); @@ -215,13 +231,13 @@ pre_init_signal_catch (void) signal (SIGUSR2, SIG_IGN); signal (SIGPIPE, SIG_IGN); #endif /* HAVE_SIGNAL_H */ -#endif /* WIN32 */ +#endif /* _WIN32 */ } void post_init_signal_catch (void) { -#ifndef WIN32 +#ifndef _WIN32 #ifdef HAVE_SIGNAL_H signal_mode = SM_POST_INIT; signal (SIGINT, signal_handler); @@ -265,9 +281,9 @@ print_status (const struct context *c, struct status_output *so) status_printf (so, "TCP/UDP read bytes," counter_format, c->c2.link_read_bytes); status_printf (so, "TCP/UDP write bytes," counter_format, c->c2.link_write_bytes); status_printf (so, "Auth read bytes," counter_format, c->c2.link_read_bytes_auth); -#ifdef ENABLE_LZO - if (lzo_defined (&c->c2.lzo_compwork)) - lzo_print_stats (&c->c2.lzo_compwork, so); +#ifdef USE_COMP + if (c->c2.comp_context) + comp_print_stats (c->c2.comp_context, so); #endif #ifdef PACKET_TRUNCATION_CHECK status_printf (so, "TUN read truncations," counter_format, c->c2.n_trunc_tun_read); @@ -275,7 +291,7 @@ print_status (const struct context *c, struct status_output *so) status_printf (so, "Pre-encrypt truncations," counter_format, c->c2.n_trunc_pre_encrypt); status_printf (so, "Post-decrypt truncations," counter_format, c->c2.n_trunc_post_decrypt); #endif -#ifdef WIN32 +#ifdef _WIN32 if (tuntap_defined (c->c1.tuntap)) status_printf (so, "TAP-WIN32 driver status,\"%s\"", tap_win_getinfo (c->c1.tuntap, &gc)); @@ -360,12 +376,35 @@ process_sigterm (struct context *c) return ret; } +/** + * If a restart signal is received during exit-notification, reset the + * signal and return true. + */ +static bool +ignore_restart_signals (struct context *c) +{ + bool ret = false; +#ifdef ENABLE_OCC + if ( (c->sig->signal_received == SIGUSR1 || c->sig->signal_received == SIGHUP) && + event_timeout_defined(&c->c2.explicit_exit_notification_interval) ) + { + msg (M_INFO, "Ignoring %s received during exit notification", + signal_name(c->sig->signal_received, true)); + signal_reset (c->sig); + ret = true; + } +#endif + return ret; +} + bool process_signal (struct context *c) { bool ret = true; - if (c->sig->signal_received == SIGTERM || c->sig->signal_received == SIGINT) + if (ignore_restart_signals (c)) + ret = false; + else if (c->sig->signal_received == SIGTERM || c->sig->signal_received == SIGINT) { ret = process_sigterm (c); } diff --git a/src/openvpn/sig.h b/src/openvpn/sig.h index 987efef..2875a4c 100644 --- a/src/openvpn/sig.h +++ b/src/openvpn/sig.h @@ -28,6 +28,15 @@ #include "status.h" #include "win32.h" + + +#define SIG_SOURCE_SOFT 0 +#define SIG_SOURCE_HARD 1 +/* CONNECTION_FAILED is also a "soft" status, + * It is thrown if a connection attempt fails + */ +#define SIG_SOURCE_CONNECTION_FAILED 2 + /* * Signal information, including signal code * and descriptive text. @@ -35,7 +44,7 @@ struct signal_info { volatile int signal_received; - volatile bool hard; + volatile int source; const char *signal_text; }; @@ -70,7 +79,7 @@ void register_signal (struct context *c, int sig, const char *text); void process_explicit_exit_notification_timer_wakeup (struct context *c); #endif -#ifdef WIN32 +#ifdef _WIN32 static inline void get_signal (volatile int *sig) diff --git a/src/openvpn/socket.c b/src/openvpn/socket.c index b7ac339..c233f2b 100644 --- a/src/openvpn/socket.c +++ b/src/openvpn/socket.c @@ -38,6 +38,9 @@ #include "ps.h" #include "manage.h" #include "misc.h" +#include "manage.h" +#include "openvpn.h" +#include "forward.h" #include "memdbg.h" @@ -69,23 +72,6 @@ sf2gaf(const unsigned int getaddr_flags, * Functions related to the translation of DNS names to IP addresses. */ -static const char* -h_errno_msg(int h_errno_err) -{ - switch (h_errno_err) - { - case HOST_NOT_FOUND: - return "[HOST_NOT_FOUND] The specified host is unknown."; - case NO_DATA: - return "[NO_DATA] The requested name is valid but does not have an IP address."; - case NO_RECOVERY: - return "[NO_RECOVERY] A non-recoverable name server error occurred."; - case TRY_AGAIN: - return "[TRY_AGAIN] A temporary error occurred on an authoritative name server."; - } - return "[unknown h_errno value]"; -} - /* * Translate IP addr or hostname to in_addr_t. * If resolve error, try again for @@ -100,8 +86,8 @@ getaddr (unsigned int flags, { struct addrinfo *ai; int status; - status = openvpn_getaddrinfo(flags, hostname, resolve_retry_seconds, - signal_received, AF_INET, &ai); + status = openvpn_getaddrinfo (flags & ~GETADDR_HOST_ORDER, hostname, NULL, + resolve_retry_seconds, signal_received, AF_INET, &ai); if(status==0) { struct in_addr ia; if(succeeded) @@ -116,6 +102,178 @@ getaddr (unsigned int flags, } } +static inline bool +streqnull (const char* a, const char* b) +{ + if (a == NULL && b == NULL) + return true; + else if (a == NULL || b == NULL) + return false; + else + return streq (a, b); +} + +/* + get_cached_dns_entry return 0 on success and -1 + otherwise. (like getaddrinfo) + */ +static int +get_cached_dns_entry (struct cached_dns_entry* dns_cache, + const char* hostname, + const char* servname, + int ai_family, + int resolve_flags, + struct addrinfo **ai) +{ + struct cached_dns_entry *ph; + int flags; + + /* Only use flags that are relevant for the structure */ + flags = resolve_flags & GETADDR_CACHE_MASK; + + for (ph = dns_cache; ph ; ph = ph->next) + { + if (streqnull (ph->hostname, hostname) && + streqnull (ph->servname, servname) && + ph->ai_family == ai_family && + ph->flags == flags) + { + *ai = ph->ai; + return 0; + } + } + return -1; +} + + +static int +do_preresolve_host (struct context *c, + const char *hostname, + const char *servname, + const int af, + const int flags) +{ + struct addrinfo *ai; + int status; + + if (get_cached_dns_entry(c->c1.dns_cache, + hostname, + servname, + af, + flags, + &ai) == 0 ) + { + /* entry already cached, return success */ + return 0; + } + + status = openvpn_getaddrinfo (flags, hostname, servname, + c->options.resolve_retry_seconds, NULL, + af, &ai); + if (status == 0) + { + struct cached_dns_entry *ph; + + ALLOC_OBJ_CLEAR_GC (ph, struct cached_dns_entry, &c->gc); + ph->ai = ai; + ph->hostname = hostname; + ph->servname = servname; + ph->flags = flags & GETADDR_CACHE_MASK; + + if (!c->c1.dns_cache) + c->c1.dns_cache = ph; + else + { + struct cached_dns_entry *prev = c->c1.dns_cache; + while (prev->next) + prev = prev->next; + prev->next = ph; + } + + gc_addspecial (ai, &gc_freeaddrinfo_callback, &c->gc); + + } + return status; +} + +void +do_preresolve (struct context *c) +{ + int i; + struct connection_list *l = c->options.connection_list; + const unsigned int preresolve_flags = GETADDR_RESOLVE| + GETADDR_UPDATE_MANAGEMENT_STATE| + GETADDR_MENTION_RESOLVE_RETRY| + GETADDR_FATAL; + + + for (i = 0; i < l->len; ++i) + { + int status; + const char *remote; + int flags = preresolve_flags; + + struct connection_entry* ce = c->options.connection_list->array[i]; + + if (proto_is_dgram(ce->proto)) + flags |= GETADDR_DATAGRAM; + + if (c->options.sockflags & SF_HOST_RANDOMIZE) + flags |= GETADDR_RANDOMIZE; + + if (c->options.ip_remote_hint) + remote = c->options.ip_remote_hint; + else + remote = ce->remote; + + /* HTTP remote hostname does not need to be resolved */ + if (! ce->http_proxy_options) + { + status = do_preresolve_host (c, remote, ce->remote_port, ce->af, flags); + if (status != 0) + goto err; + } + + /* Preresolve proxy */ + if (ce->http_proxy_options) + { + status = do_preresolve_host (c, + ce->http_proxy_options->server, + ce->http_proxy_options->port, + ce->af, + preresolve_flags); + + if (status != 0) + goto err; + } + + if (ce->socks_proxy_server) + { + status = do_preresolve_host (c, + ce->socks_proxy_server, + ce->socks_proxy_port, + ce->af, + flags); + if (status != 0) + goto err; + } + + if (ce->bind_local) + { + flags |= GETADDR_PASSIVE; + flags &= ~GETADDR_RANDOMIZE; + status = do_preresolve_host (c, ce->local, ce->local_port, ce->af, flags); + if (status != 0) + goto err; + + } + + } + return; + + err: + throw_signal_soft (SIGHUP, "Preresolving failed"); +} /* * Translate IPv4/IPv6 addr or hostname into struct addrinfo @@ -124,6 +282,7 @@ getaddr (unsigned int flags, int openvpn_getaddrinfo (unsigned int flags, const char *hostname, + const char *servname, int resolve_retry_seconds, volatile int *signal_received, int ai_family, @@ -134,15 +293,27 @@ openvpn_getaddrinfo (unsigned int flags, int sigrec = 0; int msglevel = (flags & GETADDR_FATAL) ? M_FATAL : D_RESOLVE_ERRORS; struct gc_arena gc = gc_new (); + const char *print_hostname; + const char *print_servname; ASSERT(res); - if (!hostname) - hostname = "::"; + ASSERT (hostname || servname); + ASSERT (!(flags & GETADDR_HOST_ORDER)); - if (flags & GETADDR_RANDOMIZE) + if (hostname && (flags & GETADDR_RANDOMIZE)) hostname = hostname_randomize(hostname, &gc); + if(hostname) + print_hostname = hostname; + else + print_hostname = "undefined"; + + if(servname) + print_servname = servname; + else + print_servname = ""; + if (flags & GETADDR_MSG_VIRT_OUT) msglevel |= M_MSG_VIRT_OUT; @@ -154,25 +325,35 @@ openvpn_getaddrinfo (unsigned int flags, CLEAR(hints); hints.ai_family = ai_family; hints.ai_flags = AI_NUMERICHOST; - hints.ai_socktype = SOCK_STREAM; - status = getaddrinfo(hostname, NULL, &hints, res); + if(flags & GETADDR_PASSIVE) + hints.ai_flags |= AI_PASSIVE; + + if(flags & GETADDR_DATAGRAM) + hints.ai_socktype = SOCK_DGRAM; + else + hints.ai_socktype = SOCK_STREAM; + + status = getaddrinfo(hostname, servname, &hints, res); if (status != 0) /* parse as numeric address failed? */ { const int fail_wait_interval = 5; /* seconds */ - int resolve_retries = (flags & GETADDR_TRY_ONCE) ? 1 : (resolve_retry_seconds / fail_wait_interval); + /* Add +4 to cause integer division rounding up (1 + 4) = 5, (0+4)/5=0 */ + int resolve_retries = (flags & GETADDR_TRY_ONCE) ? 1 : + ((resolve_retry_seconds + 4)/ fail_wait_interval); const char *fmt; int level = 0; - fmt = "RESOLVE: Cannot resolve host address: %s: %s"; + fmt = "RESOLVE: Cannot resolve host address: %s:%s (%s)"; if ((flags & GETADDR_MENTION_RESOLVE_RETRY) && !resolve_retry_seconds) - fmt = "RESOLVE: Cannot resolve host address: %s: %s (I would have retried this name query if you had specified the --resolv-retry option.)"; + fmt = "RESOLVE: Cannot resolve host address: %s:%s (%s) (I would have retried this name query if you had specified the --resolv-retry option.)"; if (!(flags & GETADDR_RESOLVE) || status == EAI_FAIL) { - msg (msglevel, "RESOLVE: Cannot parse IP address: %s", hostname); + msg (msglevel, "RESOLVE: Cannot parse IP address: %s:%s (%s)", + print_hostname,print_servname, gai_strerror(status)); goto done; } @@ -183,8 +364,10 @@ openvpn_getaddrinfo (unsigned int flags, management_set_state (management, OPENVPN_STATE_RESOLVE, NULL, - (in_addr_t)0, - (in_addr_t)0); + NULL, + NULL, + NULL, + NULL); } #endif @@ -193,14 +376,14 @@ openvpn_getaddrinfo (unsigned int flags, */ while (true) { -#ifndef WIN32 +#ifndef _WIN32 res_init (); #endif /* try hostname lookup */ - hints.ai_flags = 0; + hints.ai_flags &= ~AI_NUMERICHOST; dmsg (D_SOCKET_DEBUG, "GETADDRINFO flags=0x%04x ai_family=%d ai_socktype=%d", flags, hints.ai_family, hints.ai_socktype); - status = getaddrinfo(hostname, NULL, &hints, res); + status = getaddrinfo(hostname, servname, &hints, res); if (signal_received) { @@ -239,7 +422,8 @@ openvpn_getaddrinfo (unsigned int flags, msg (level, fmt, - hostname, + print_hostname, + print_servname, gai_strerror(status)); if (--resolve_retries <= 0) @@ -252,7 +436,8 @@ openvpn_getaddrinfo (unsigned int flags, /* hostname resolve succeeded */ - /* Do not chose an IP Addresse by random or change the order * + /* + * Do not choose an IP Addresse by random or change the order * * of IP addresses, doing so will break RFC 3484 address selection * */ } @@ -422,59 +607,6 @@ mac_addr_safe (const char *mac_addr) return true; } -static void -update_remote (const char* host, - struct openvpn_sockaddr *addr, - bool *changed, - const unsigned int sockflags) -{ - switch(addr->addr.sa.sa_family) - { - case AF_INET: - if (host && addr) - { - const in_addr_t new_addr = getaddr ( - sf2gaf(GETADDR_RESOLVE|GETADDR_UPDATE_MANAGEMENT_STATE, sockflags), - host, - 1, - NULL, - NULL); - if (new_addr && addr->addr.in4.sin_addr.s_addr != new_addr) - { - addr->addr.in4.sin_addr.s_addr = new_addr; - *changed = true; - } - } - break; - case AF_INET6: - if (host && addr) - { - int status; - struct addrinfo* ai; - - status = openvpn_getaddrinfo(sf2gaf(GETADDR_RESOLVE|GETADDR_UPDATE_MANAGEMENT_STATE, sockflags), host, 1, NULL, AF_INET6, &ai); - - if ( status ==0 ) - { - struct sockaddr_in6 sin6; - CLEAR(sin6); - sin6 = *((struct sockaddr_in6*)ai->ai_addr); - if (!IN6_ARE_ADDR_EQUAL(&sin6.sin6_addr, &addr->addr.in6.sin6_addr)) - { - int port = addr->addr.in6.sin6_port; - /* ipv6 requires also eg. sin6_scope_id => easier to fully copy and override port */ - addr->addr.in6 = sin6; - addr->addr.in6.sin6_port = port; - } - freeaddrinfo(ai); - } - } - break; - default: - ASSERT(0); - } -} - static int socket_get_sndbuf (int sd) { @@ -558,7 +690,7 @@ socket_set_buffers (int fd, const struct socket_buffer_size *sbs) static bool socket_set_tcp_nodelay (int sd, int state) { -#if defined(WIN32) || (defined(HAVE_SETSOCKOPT) && defined(IPPROTO_TCP) && defined(TCP_NODELAY)) +#if defined(_WIN32) || (defined(HAVE_SETSOCKOPT) && defined(IPPROTO_TCP) && defined(TCP_NODELAY)) if (setsockopt (sd, IPPROTO_TCP, TCP_NODELAY, (void *) &state, sizeof (state)) != 0) { msg (M_WARN, "NOTE: setsockopt TCP_NODELAY=%d failed", state); @@ -579,7 +711,7 @@ static inline void socket_set_mark (int sd, int mark) { #if defined(TARGET_LINUX) && HAVE_DECL_SO_MARK - if (mark && setsockopt (sd, SOL_SOCKET, SO_MARK, &mark, sizeof (mark)) != 0) + if (mark && setsockopt (sd, SOL_SOCKET, SO_MARK, (void *) &mark, sizeof (mark)) != 0) msg (M_WARN, "NOTE: setsockopt SO_MARK=%d failed", mark); #endif } @@ -619,14 +751,17 @@ link_socket_update_buffer_sizes (struct link_socket *ls, int rcvbuf, int sndbuf) */ socket_descriptor_t -create_socket_tcp (int af) +create_socket_tcp (struct addrinfo* addrinfo) { socket_descriptor_t sd; - if ((sd = socket (af, SOCK_STREAM, IPPROTO_TCP)) < 0) + ASSERT (addrinfo); + ASSERT (addrinfo->ai_socktype == SOCK_STREAM); + + if ((sd = socket (addrinfo->ai_family, addrinfo->ai_socktype, addrinfo->ai_protocol)) < 0) msg (M_ERR, "Cannot create TCP socket"); -#ifndef WIN32 /* using SO_REUSEADDR on Windows will cause bind to succeed on port conflicts! */ +#ifndef _WIN32 /* using SO_REUSEADDR on Windows will cause bind to succeed on port conflicts! */ /* set SO_REUSEADDR on socket */ { int on = 1; @@ -640,106 +775,134 @@ create_socket_tcp (int af) } static socket_descriptor_t -create_socket_udp (const unsigned int flags) +create_socket_udp (struct addrinfo* addrinfo, const unsigned int flags) { socket_descriptor_t sd; - if ((sd = socket (PF_INET, SOCK_DGRAM, IPPROTO_UDP)) < 0) - msg (M_ERR, "UDP: Cannot create UDP socket"); + ASSERT (addrinfo); + ASSERT (addrinfo->ai_socktype == SOCK_DGRAM); + + if ((sd = socket (addrinfo->ai_family, addrinfo->ai_socktype, addrinfo->ai_protocol)) < 0) + msg (M_ERR, "UDP: Cannot create UDP/UDP6 socket"); #if ENABLE_IP_PKTINFO else if (flags & SF_USE_IP_PKTINFO) { int pad = 1; -#ifdef IP_PKTINFO - if (setsockopt (sd, SOL_IP, IP_PKTINFO, - (void*)&pad, sizeof(pad)) < 0) - msg(M_ERR, "UDP: failed setsockopt for IP_PKTINFO"); + if(addrinfo->ai_family == AF_INET) + { +#if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST) + if (setsockopt (sd, SOL_IP, IP_PKTINFO, + (void*)&pad, sizeof(pad)) < 0) + msg(M_ERR, "UDP: failed setsockopt for IP_PKTINFO"); #elif defined(IP_RECVDSTADDR) - if (setsockopt (sd, IPPROTO_IP, IP_RECVDSTADDR, - (void*)&pad, sizeof(pad)) < 0) - msg(M_ERR, "UDP: failed setsockopt for IP_RECVDSTADDR"); + if (setsockopt (sd, IPPROTO_IP, IP_RECVDSTADDR, + (void*)&pad, sizeof(pad)) < 0) + msg(M_ERR, "UDP: failed setsockopt for IP_RECVDSTADDR"); #else #error ENABLE_IP_PKTINFO is set without IP_PKTINFO xor IP_RECVDSTADDR (fix syshead.h) #endif - } -#endif - return sd; -} - -static socket_descriptor_t -create_socket_udp6 (const unsigned int flags) -{ - socket_descriptor_t sd; - - if ((sd = socket (PF_INET6, SOCK_DGRAM, IPPROTO_UDP)) < 0) - msg (M_ERR, "UDP: Cannot create UDP6 socket"); -#if ENABLE_IP_PKTINFO - else if (flags & SF_USE_IP_PKTINFO) - { - int pad = 1; + } + else if (addrinfo->ai_family == AF_INET6 ) + { #ifndef IPV6_RECVPKTINFO /* Some older Darwin platforms require this */ - if (setsockopt (sd, IPPROTO_IPV6, IPV6_PKTINFO, - (void*)&pad, sizeof(pad)) < 0) + if (setsockopt (sd, IPPROTO_IPV6, IPV6_PKTINFO, + (void*)&pad, sizeof(pad)) < 0) #else - if (setsockopt (sd, IPPROTO_IPV6, IPV6_RECVPKTINFO, - (void*)&pad, sizeof(pad)) < 0) + if (setsockopt (sd, IPPROTO_IPV6, IPV6_RECVPKTINFO, + (void*)&pad, sizeof(pad)) < 0) #endif - msg(M_ERR, "UDP: failed setsockopt for IPV6_RECVPKTINFO"); + msg(M_ERR, "UDP: failed setsockopt for IPV6_RECVPKTINFO"); + } } #endif return sd; } +static void bind_local (struct link_socket *sock, const sa_family_t ai_family) +{ + /* bind to local address/port */ + if (sock->bind_local) + { + if (sock->socks_proxy && sock->info.proto == PROTO_UDP) + socket_bind (sock->ctrl_sd, sock->info.lsa->bind_local, + ai_family, "SOCKS", false); + else + socket_bind (sock->sd, sock->info.lsa->bind_local, + ai_family, + "TCP/UDP", sock->info.bind_ipv6_only); + } +} + static void -create_socket (struct link_socket *sock) +create_socket (struct link_socket* sock, struct addrinfo* addr) { - /* create socket */ - if (sock->info.proto == PROTO_UDPv4) + if (addr->ai_protocol == IPPROTO_UDP || addr->ai_socktype == SOCK_DGRAM) { - sock->sd = create_socket_udp (sock->sockflags); + sock->sd = create_socket_udp (addr, sock->sockflags); sock->sockflags |= SF_GETADDRINFO_DGRAM; -#ifdef ENABLE_SOCKS + /* Assume that control socket and data socket to the socks proxy + * are using the same IP family */ if (sock->socks_proxy) - sock->ctrl_sd = create_socket_tcp (AF_INET); -#endif - } - else if (sock->info.proto == PROTO_TCPv4_SERVER - || sock->info.proto == PROTO_TCPv4_CLIENT) - { - sock->sd = create_socket_tcp (AF_INET); - } - else if (sock->info.proto == PROTO_TCPv6_SERVER - || sock->info.proto == PROTO_TCPv6_CLIENT) - { - sock->sd = create_socket_tcp (AF_INET6); + { + /* Construct a temporary addrinfo to create the socket, + * currently resolve two remote addresses is not supported, + * TODO: Rewrite the whole resolve_remote */ + struct addrinfo addrinfo_tmp = *addr; + addrinfo_tmp.ai_socktype = SOCK_STREAM; + addrinfo_tmp.ai_protocol = IPPROTO_TCP; + sock->ctrl_sd = create_socket_tcp (&addrinfo_tmp); + } } - else if (sock->info.proto == PROTO_UDPv6) + else if (addr->ai_protocol == IPPROTO_TCP || addr->ai_socktype == SOCK_STREAM) { - sock->sd = create_socket_udp6 (sock->sockflags); - sock->sockflags |= SF_GETADDRINFO_DGRAM; + sock->sd = create_socket_tcp (addr); } else { ASSERT (0); } + /* set socket buffers based on --sndbuf and --rcvbuf options */ + socket_set_buffers (sock->sd, &sock->socket_buffer_sizes); + + /* set socket to --mark packets with given value */ + socket_set_mark (sock->sd, sock->mark); + + bind_local (sock, addr->ai_family); +} + +#ifdef TARGET_ANDROID +static void protect_fd_nonlocal (int fd, const struct sockaddr* addr) +{ + /* pass socket FD to management interface to pass on to VPNService API + * as "protected socket" (exempt from being routed into tunnel) + */ + if (addr_local (addr)) { + msg(D_SOCKET_DEBUG, "Address is local, not protecting socket fd %d", fd); + return; + } + + msg(D_SOCKET_DEBUG, "Protecting socket fd %d", fd); + management->connection.fdtosend = fd; + management_android_control (management, "PROTECTFD", __func__); } +#endif /* * Functions used for establishing a TCP stream connection. */ - static void socket_do_listen (socket_descriptor_t sd, - const struct openvpn_sockaddr *local, + const struct addrinfo *local, bool do_listen, bool do_set_nonblock) { struct gc_arena gc = gc_new (); if (do_listen) { + ASSERT(local); msg (M_INFO, "Listening for incoming TCP connection on %s", - print_sockaddr (local, &gc)); + print_sockaddr (local->ai_addr, &gc)); if (listen (sd, 1)) msg (M_ERR, "TCP: listen() failed"); } @@ -821,8 +984,7 @@ static int socket_listen_accept (socket_descriptor_t sd, struct link_socket_actual *act, const char *remote_dynamic, - bool *remote_changed, - const struct openvpn_sockaddr *local, + const struct addrinfo *local, bool do_listen, bool nowait, volatile int *signal_received) @@ -868,18 +1030,26 @@ socket_listen_accept (socket_descriptor_t sd, if (socket_defined (new_sd)) { - update_remote (remote_dynamic, &remote_verify, remote_changed, 0); - if (addr_defined (&remote_verify) - && !addr_match (&remote_verify, &act->dest)) - { - msg (M_WARN, - "TCP NOTE: Rejected connection attempt from %s due to --remote setting", - print_link_socket_actual (act, &gc)); - if (openvpn_close_socket (new_sd)) - msg (M_ERR, "TCP: close socket failed (new_sd)"); - } + struct addrinfo* ai = NULL; + if(remote_dynamic) + openvpn_getaddrinfo(0, remote_dynamic, NULL, 1, NULL, + remote_verify.addr.sa.sa_family, &ai); + + if(ai && !addrlist_match(&remote_verify, ai)) + { + msg (M_WARN, + "TCP NOTE: Rejected connection attempt from %s due to --remote setting", + print_link_socket_actual (act, &gc)); + if (openvpn_close_socket (new_sd)) + msg (M_ERR, "TCP: close socket failed (new_sd)"); + freeaddrinfo(ai); + } else - break; + { + if(ai) + freeaddrinfo(ai); + break; + } } openvpn_sleep (1); } @@ -893,19 +1063,61 @@ socket_listen_accept (socket_descriptor_t sd, return new_sd; } +/* older mingw versions and WinXP do not have this define, + * but Vista and up support the functionality - just define it here + */ +#ifdef _WIN32 +# ifndef IPV6_V6ONLY +# define IPV6_V6ONLY 27 +# endif +#endif void socket_bind (socket_descriptor_t sd, - struct openvpn_sockaddr *local, - const char *prefix) + struct addrinfo *local, + int ai_family, + const char *prefix, + bool ipv6only) { struct gc_arena gc = gc_new (); - if (bind (sd, &local->addr.sa, af_addr_size(local->addr.sa.sa_family))) + /* FIXME (schwabe) + * getaddrinfo for the bind address might return multiple AF_INET/AF_INET6 + * entries for the requested protocol. + * For example if an address has multiple A records + * What is the correct way to deal with it? + */ + + struct addrinfo* cur; + + ASSERT(local); + + + /* find the first addrinfo with correct ai_family */ + for (cur = local; cur; cur=cur->ai_next) + { + if(cur->ai_family == ai_family) + break; + } + if (!cur) + msg (M_FATAL, "%s: Socket bind failed: Addr to bind has no %s record", + prefix, addr_family_name(ai_family)); + + if (ai_family == AF_INET6) + { + int v6only = ipv6only ? 1: 0; /* setsockopt must have an "int" */ + + msg (M_INFO, "setsockopt(IPV6_V6ONLY=%d)", v6only); + if (setsockopt (sd, IPPROTO_IPV6, IPV6_V6ONLY, (void *) &v6only, sizeof(v6only))) + { + msg (M_NONFATAL|M_ERRNO, "Setting IPV6_V6ONLY=%d failed", v6only); + } + } + if (bind (sd, cur->ai_addr, cur->ai_addrlen)) { const int errnum = openvpn_errno (); msg (M_FATAL, "%s: Socket bind failed on local address %s: %s", prefix, - print_sockaddr (local, &gc), + print_sockaddr_ex (local->ai_addr, ":", PS_SHOW_PORT, &gc), strerror_ts (errnum, &gc)); } gc_free (&gc); @@ -913,19 +1125,23 @@ socket_bind (socket_descriptor_t sd, int openvpn_connect (socket_descriptor_t sd, - struct openvpn_sockaddr *remote, + const struct sockaddr *remote, int connect_timeout, volatile int *signal_received) { int status = 0; +#ifdef TARGET_ANDROID + protect_fd_nonlocal(sd, remote); +#endif + #ifdef CONNECT_NONBLOCK set_nonblock (sd); - status = connect (sd, &remote->addr.sa, af_addr_size(remote->addr.sa.sa_family)); + status = connect (sd, remote, af_addr_size(remote->sa_family)); if (status) status = openvpn_errno (); if ( -#ifdef WIN32 +#ifdef _WIN32 status == WSAEWOULDBLOCK #else status == EINPROGRESS @@ -968,7 +1184,7 @@ openvpn_connect (socket_descriptor_t sd, { if (--connect_timeout < 0) { -#ifdef WIN32 +#ifdef _WIN32 status = WSAETIMEDOUT; #else status = ETIMEDOUT; @@ -995,7 +1211,7 @@ openvpn_connect (socket_descriptor_t sd, } } #else - status = connect (sd, &remote->addr.sa, af_addr_size(remote->addr.sa.sa_family)); + status = connect (sd, remote, af_addr_size(remote->sa_family)); if (status) status = openvpn_errno (); #endif @@ -1003,85 +1219,72 @@ openvpn_connect (socket_descriptor_t sd, return status; } +void set_actual_address (struct link_socket_actual* actual, struct addrinfo* ai) +{ + CLEAR (*actual); + ASSERT (ai); + + if (ai->ai_family == AF_INET) + actual->dest.addr.in4 = + *((struct sockaddr_in*) ai->ai_addr); + else if (ai->ai_family == AF_INET6) + actual->dest.addr.in6 = + *((struct sockaddr_in6*) ai->ai_addr); + else + ASSERT(0); + +} + void -socket_connect (socket_descriptor_t *sd, - struct openvpn_sockaddr *local, - bool bind_local, - struct openvpn_sockaddr *remote, - const bool connection_profiles_defined, - const char *remote_dynamic, - bool *remote_changed, - const int connect_retry_seconds, - const int connect_timeout, - const int connect_retry_max, - const unsigned int sockflags, - volatile int *signal_received) +socket_connect (socket_descriptor_t* sd, + const struct sockaddr* dest, + const int connect_timeout, + struct signal_info* sig_info) { struct gc_arena gc = gc_new (); - int retry = 0; + int status; #ifdef CONNECT_NONBLOCK - msg (M_INFO, "Attempting to establish TCP connection with %s [nonblock]", - print_sockaddr (remote, &gc)); + msg (M_INFO, "Attempting to establish TCP connection with %s [nonblock]", + print_sockaddr (dest, &gc)); #else - msg (M_INFO, "Attempting to establish TCP connection with %s", - print_sockaddr (remote, &gc)); + msg (M_INFO, "Attempting to establish TCP connection with %s", + print_sockaddr (dest, &gc)); #endif - while (true) - { - int status; - #ifdef ENABLE_MANAGEMENT - if (management) + if (management) management_set_state (management, OPENVPN_STATE_TCP_CONNECT, NULL, - (in_addr_t)0, - (in_addr_t)0); + NULL, + NULL, + NULL, + NULL); #endif - status = openvpn_connect (*sd, remote, connect_timeout, signal_received); + /* Set the actual address */ + status = openvpn_connect (*sd, dest, connect_timeout, &sig_info->signal_received); - get_signal (signal_received); - if (*signal_received) + get_signal (&sig_info->signal_received); + if (sig_info->signal_received) goto done; - if (!status) - break; + if (status) { - msg (D_LINK_ERRORS, - "TCP: connect to %s failed, will try again in %d seconds: %s", - print_sockaddr (remote, &gc), - connect_retry_seconds, - strerror_ts (status, &gc)); + msg (D_LINK_ERRORS, + "TCP: connect to %s failed: %s", + print_sockaddr (dest, &gc), + strerror_ts (status, &gc)); - gc_reset (&gc); - - openvpn_close_socket (*sd); - *sd = SOCKET_UNDEFINED; - - if ((connect_retry_max > 0 && ++retry >= connect_retry_max) || connection_profiles_defined) - { - *signal_received = SIGUSR1; - goto done; - } - - openvpn_sleep (connect_retry_seconds); - - get_signal (signal_received); - if (*signal_received) - goto done; - - *sd = create_socket_tcp (local->addr.sa.sa_family); - - if (bind_local) - socket_bind (*sd, local, "TCP Client"); - update_remote (remote_dynamic, remote, remote_changed, sockflags); - } - - msg (M_INFO, "TCP connection established with %s", - print_sockaddr (remote, &gc)); + openvpn_close_socket (*sd); + *sd = SOCKET_UNDEFINED; + sig_info->signal_received = SIGUSR1; + sig_info->source = SIG_SOURCE_CONNECTION_FAILED; + } else { + msg (M_INFO, "TCP connection established with %s", + print_sockaddr (dest, &gc)); + } done: gc_free (&gc); @@ -1093,7 +1296,7 @@ socket_connect (socket_descriptor_t *sd, static void socket_frame_init (const struct frame *frame, struct link_socket *sock) { -#ifdef WIN32 +#ifdef _WIN32 overlapped_io_init (&sock->reads, frame, FALSE, false); overlapped_io_init (&sock->writes, frame, TRUE, false); sock->rw_handle.read = sock->reads.overlapped.hEvent; @@ -1102,7 +1305,7 @@ socket_frame_init (const struct frame *frame, struct link_socket *sock) if (link_socket_connection_oriented (sock)) { -#ifdef WIN32 +#ifdef _WIN32 stream_buf_init (&sock->stream_buf, &sock->reads.buf_init, sock->sockflags, @@ -1132,70 +1335,39 @@ frame_adjust_path_mtu (struct frame *frame, int pmtu, int proto) } static void -resolve_bind_local (struct link_socket *sock) +resolve_bind_local (struct link_socket *sock, const sa_family_t af) { struct gc_arena gc = gc_new (); /* resolve local address if undefined */ - if (!addr_defined (&sock->info.lsa->local)) - { - /* may return AF_{INET|INET6} guessed from local_host */ - switch(addr_guess_family(sock->info.proto, sock->local_host)) - { - case AF_INET: - sock->info.lsa->local.addr.in4.sin_family = AF_INET; - sock->info.lsa->local.addr.in4.sin_addr.s_addr = - (sock->local_host ? getaddr (GETADDR_RESOLVE | GETADDR_WARN_ON_SIGNAL | GETADDR_FATAL, - sock->local_host, - 0, - NULL, - NULL) - : htonl (INADDR_ANY)); - sock->info.lsa->local.addr.in4.sin_port = htons (sock->local_port); - break; - case AF_INET6: - { - int status; - CLEAR(sock->info.lsa->local.addr.in6); - if (sock->local_host) - { - struct addrinfo *ai; - - status = openvpn_getaddrinfo(GETADDR_RESOLVE | GETADDR_WARN_ON_SIGNAL | GETADDR_FATAL, - sock->local_host, 0, NULL, AF_INET6, &ai); - if(status ==0) { - sock->info.lsa->local.addr.in6 = *((struct sockaddr_in6*)(ai->ai_addr)); - freeaddrinfo(ai); - } - } - else - { - sock->info.lsa->local.addr.in6.sin6_family = AF_INET6; - sock->info.lsa->local.addr.in6.sin6_addr = in6addr_any; - status = 0; - } - if (!status == 0) - { - msg (M_FATAL, "getaddr6() failed for local \"%s\": %s", - sock->local_host, - gai_strerror(status)); - } - sock->info.lsa->local.addr.in6.sin6_port = htons (sock->local_port); - } - break; - } - } - - /* bind to local address/port */ - if (sock->bind_local) + if (!sock->info.lsa->bind_local) { -#ifdef ENABLE_SOCKS - if (sock->socks_proxy && sock->info.proto == PROTO_UDPv4) - socket_bind (sock->ctrl_sd, &sock->info.lsa->local, "SOCKS"); - else -#endif - socket_bind (sock->sd, &sock->info.lsa->local, "TCP/UDP"); + int flags = GETADDR_RESOLVE | GETADDR_WARN_ON_SIGNAL | + GETADDR_FATAL | GETADDR_PASSIVE; + int status; + + if(proto_is_dgram(sock->info.proto)) + flags |= GETADDR_DATAGRAM; + + /* will return AF_{INET|INET6}from local_host */ + status = get_cached_dns_entry (sock->dns_cache, + sock->local_host, + sock->local_port, + af, + flags, + &sock->info.lsa->bind_local); + + if (status) + status = openvpn_getaddrinfo(flags, sock->local_host, sock->local_port, 0, + NULL, af, &sock->info.lsa->bind_local); + + if(status !=0) { + msg (M_FATAL, "getaddrinfo() failed for local \"%s:%s\": %s", + sock->local_host, sock->local_port, + gai_strerror(status)); + } } + gc_free (&gc); } @@ -1206,132 +1378,113 @@ resolve_remote (struct link_socket *sock, volatile int *signal_received) { struct gc_arena gc = gc_new (); - int af; - if (!sock->did_resolve_remote) + /* resolve remote address if undefined */ + if (!sock->info.lsa->remote_list) { - /* resolve remote address if undefined */ - if (!addr_defined (&sock->info.lsa->remote)) + if (sock->remote_host) { - af = addr_guess_family(sock->info.proto, sock->remote_host); - switch(af) - { - case AF_INET: - sock->info.lsa->remote.addr.in4.sin_family = AF_INET; - sock->info.lsa->remote.addr.in4.sin_addr.s_addr = 0; - break; - case AF_INET6: - CLEAR(sock->info.lsa->remote.addr.in6); - sock->info.lsa->remote.addr.in6.sin6_family = AF_INET6; - sock->info.lsa->remote.addr.in6.sin6_addr = in6addr_any; - break; - } - - if (sock->remote_host) + unsigned int flags = sf2gaf(GETADDR_RESOLVE|GETADDR_UPDATE_MANAGEMENT_STATE, sock->sockflags); + int retry = 0; + int status = -1; + struct addrinfo* ai; + if (proto_is_dgram(sock->info.proto)) + flags |= GETADDR_DATAGRAM; + + if (sock->resolve_retry_seconds == RESOLV_RETRY_INFINITE) { - unsigned int flags = sf2gaf(GETADDR_RESOLVE|GETADDR_UPDATE_MANAGEMENT_STATE, sock->sockflags); - int retry = 0; - int status = -1; - struct addrinfo* ai; - - if (sock->connection_profiles_defined && sock->resolve_retry_seconds == RESOLV_RETRY_INFINITE) + if (phase == 2) + flags |= (GETADDR_TRY_ONCE | GETADDR_FATAL); + retry = 0; + } + else if (phase == 1) + { + if (sock->resolve_retry_seconds) { - if (phase == 2) - flags |= (GETADDR_TRY_ONCE | GETADDR_FATAL); retry = 0; } - else if (phase == 1) + else { - if (sock->resolve_retry_seconds) - { - retry = 0; - } - else - { - flags |= (GETADDR_FATAL | GETADDR_MENTION_RESOLVE_RETRY); - retry = 0; - } + flags |= (GETADDR_FATAL | GETADDR_MENTION_RESOLVE_RETRY); + retry = 0; } - else if (phase == 2) + } + else if (phase == 2) + { + if (sock->resolve_retry_seconds) { - if (sock->resolve_retry_seconds) - { - flags |= GETADDR_FATAL; - retry = sock->resolve_retry_seconds; - } - else - { - ASSERT (0); - } + flags |= GETADDR_FATAL; + retry = sock->resolve_retry_seconds; } else { ASSERT (0); } + } + else + { + ASSERT (0); + } - /* Temporary fix, this need to be changed for dual stack */ - status = openvpn_getaddrinfo(flags, sock->remote_host, retry, - signal_received, af, &ai); - if(status == 0) - { - if ( ai->ai_family == AF_INET6 ) - sock->info.lsa->remote.addr.in6 = *((struct sockaddr_in6*)(ai->ai_addr)); - else - sock->info.lsa->remote.addr.in4 = *((struct sockaddr_in*)(ai->ai_addr)); - freeaddrinfo(ai); - - dmsg (D_SOCKET_DEBUG, "RESOLVE_REMOTE flags=0x%04x phase=%d rrs=%d sig=%d status=%d", - flags, - phase, - retry, - signal_received ? *signal_received : -1, - status); - } - if (signal_received) - { - if (*signal_received) - goto done; - } + + status = get_cached_dns_entry (sock->dns_cache, + sock->remote_host, + sock->remote_port, + sock->info.af, + flags, &ai); + if (status) + status = openvpn_getaddrinfo (flags, sock->remote_host, sock->remote_port, + retry, signal_received, sock->info.af, &ai); + + if(status == 0) { + sock->info.lsa->remote_list = ai; + sock->info.lsa->current_remote = ai; + + dmsg (D_SOCKET_DEBUG, "RESOLVE_REMOTE flags=0x%04x phase=%d rrs=%d sig=%d status=%d", + flags, + phase, + retry, + signal_received ? *signal_received : -1, + status); + } + if (signal_received) + { + if (*signal_received) + goto done; + } if (status!=0) { if (signal_received) *signal_received = SIGUSR1; goto done; } - } - switch(af) - { - case AF_INET: - sock->info.lsa->remote.addr.in4.sin_port = htons (sock->remote_port); - break; - case AF_INET6: - sock->info.lsa->remote.addr.in6.sin6_port = htons (sock->remote_port); - break; - } } + } - /* should we re-use previous active remote address? */ - if (link_socket_actual_defined (&sock->info.lsa->actual)) - { - msg (M_INFO, "TCP/UDP: Preserving recently used remote address: %s", - print_link_socket_actual (&sock->info.lsa->actual, &gc)); - if (remote_dynamic) - *remote_dynamic = NULL; - } - else + /* should we re-use previous active remote address? */ + if (link_socket_actual_defined (&sock->info.lsa->actual)) + { + msg (M_INFO, "TCP/UDP: Preserving recently used remote address: %s", + print_link_socket_actual (&sock->info.lsa->actual, &gc)); + if (remote_dynamic) + *remote_dynamic = NULL; + } + else + { + CLEAR (sock->info.lsa->actual); + if(sock->info.lsa->current_remote) { - CLEAR (sock->info.lsa->actual); - sock->info.lsa->actual.dest = sock->info.lsa->remote; + set_actual_address (&sock->info.lsa->actual, + sock->info.lsa->current_remote); } - - /* remember that we finished */ - sock->did_resolve_remote = true; } done: gc_free (&gc); } + + struct link_socket * link_socket_new (void) { @@ -1339,29 +1492,24 @@ link_socket_new (void) ALLOC_OBJ_CLEAR (sock, struct link_socket); sock->sd = SOCKET_UNDEFINED; -#ifdef ENABLE_SOCKS sock->ctrl_sd = SOCKET_UNDEFINED; -#endif return sock; } -/* bind socket if necessary */ void link_socket_init_phase1 (struct link_socket *sock, - const bool connection_profiles_defined, const char *local_host, - int local_port, + const char *local_port, const char *remote_host, - int remote_port, + const char *remote_port, + struct cached_dns_entry *dns_cache, int proto, + sa_family_t af, + bool bind_ipv6_only, int mode, const struct link_socket *accept_from, -#ifdef ENABLE_HTTP_PROXY struct http_proxy_info *http_proxy, -#endif -#ifdef ENABLE_SOCKS struct socks_proxy_info *socks_proxy, -#endif #ifdef ENABLE_DEBUG int gremlin, #endif @@ -1372,38 +1520,25 @@ link_socket_init_phase1 (struct link_socket *sock, const char *ipchange_command, const struct plugin_list *plugins, int resolve_retry_seconds, - int connect_retry_seconds, - int connect_timeout, - int connect_retry_max, int mtu_discover_type, int rcvbuf, int sndbuf, int mark, + struct event_timeout* server_poll_timeout, unsigned int sockflags) { ASSERT (sock); - sock->connection_profiles_defined = connection_profiles_defined; - sock->local_host = local_host; sock->local_port = local_port; sock->remote_host = remote_host; sock->remote_port = remote_port; - -#ifdef ENABLE_HTTP_PROXY + sock->dns_cache = dns_cache; sock->http_proxy = http_proxy; -#endif - -#ifdef ENABLE_SOCKS sock->socks_proxy = socks_proxy; -#endif - sock->bind_local = bind_local; sock->inetd = inetd; sock->resolve_retry_seconds = resolve_retry_seconds; - sock->connect_retry_seconds = connect_retry_seconds; - sock->connect_timeout = connect_timeout; - sock->connect_retry_max = connect_retry_max; sock->mtu_discover_type = mtu_discover_type; #ifdef ENABLE_DEBUG @@ -1414,31 +1549,30 @@ link_socket_init_phase1 (struct link_socket *sock, sock->socket_buffer_sizes.sndbuf = sndbuf; sock->sockflags = sockflags; + sock->mark = mark; sock->info.proto = proto; + sock->info.af = af; sock->info.remote_float = remote_float; sock->info.lsa = lsa; + sock->info.bind_ipv6_only = bind_ipv6_only; sock->info.ipchange_command = ipchange_command; sock->info.plugins = plugins; + sock->server_poll_timeout = server_poll_timeout; sock->mode = mode; if (mode == LS_MODE_TCP_ACCEPT_FROM) { ASSERT (accept_from); - ASSERT (sock->info.proto == PROTO_TCPv4_SERVER - || sock->info.proto == PROTO_TCPv6_SERVER - ); + ASSERT (sock->info.proto == PROTO_TCP_SERVER); ASSERT (!sock->inetd); sock->sd = accept_from->sd; } - if (false) - ; -#ifdef ENABLE_HTTP_PROXY /* are we running in HTTP proxy mode? */ - else if (sock->http_proxy) + if (sock->http_proxy) { - ASSERT (sock->info.proto == PROTO_TCPv4_CLIENT); + ASSERT (sock->info.proto == PROTO_TCP_CLIENT); ASSERT (!sock->inetd); /* the proxy server */ @@ -1449,12 +1583,9 @@ link_socket_init_phase1 (struct link_socket *sock, sock->proxy_dest_host = remote_host; sock->proxy_dest_port = remote_port; } -#endif -#ifdef ENABLE_SOCKS /* or in Socks proxy mode? */ else if (sock->socks_proxy) { - ASSERT (sock->info.proto == PROTO_TCPv4_CLIENT || sock->info.proto == PROTO_UDPv4); ASSERT (!sock->inetd); /* the proxy server */ @@ -1465,7 +1596,6 @@ link_socket_init_phase1 (struct link_socket *sock, sock->proxy_dest_host = remote_host; sock->proxy_dest_port = remote_port; } -#endif else { sock->remote_host = remote_host; @@ -1473,7 +1603,7 @@ link_socket_init_phase1 (struct link_socket *sock, } /* bind behavior for TCP server vs. client */ - if (sock->info.proto == PROTO_TCPv4_SERVER) + if (sock->info.proto == PROTO_TCP_SERVER) { if (sock->mode == LS_MODE_TCP_ACCEPT_FROM) sock->bind_local = false; @@ -1484,43 +1614,255 @@ link_socket_init_phase1 (struct link_socket *sock, /* were we started by inetd or xinetd? */ if (sock->inetd) { - ASSERT (sock->info.proto != PROTO_TCPv4_CLIENT - && sock->info.proto != PROTO_TCPv6_CLIENT); + ASSERT (sock->info.proto != PROTO_TCP_CLIENT); ASSERT (socket_defined (inetd_socket_descriptor)); sock->sd = inetd_socket_descriptor; } else if (mode != LS_MODE_TCP_ACCEPT_FROM) { - create_socket (sock); + if (sock->bind_local) { + resolve_bind_local (sock, sock->info.af); + } + resolve_remote (sock, 1, NULL, NULL); + } +} - /* set socket buffers based on --sndbuf and --rcvbuf options */ - socket_set_buffers (sock->sd, &sock->socket_buffer_sizes); +static +void phase2_inetd (struct link_socket* sock, const struct frame *frame, + const char *remote_dynamic, volatile int *signal_received) +{ + bool remote_changed = false; - /* set socket to --mark packets with given value */ - socket_set_mark (sock->sd, mark); + if (sock->info.proto == PROTO_TCP_SERVER) { + /* AF_INET as default (and fallback) for inetd */ + sock->info.lsa->actual.dest.addr.sa.sa_family = AF_INET; +#ifdef HAVE_GETSOCKNAME + { + /* inetd: hint family type for dest = local's */ + struct openvpn_sockaddr local_addr; + socklen_t addrlen = sizeof(local_addr); + if (getsockname (sock->sd, &local_addr.addr.sa, &addrlen) == 0) { + sock->info.lsa->actual.dest.addr.sa.sa_family = local_addr.addr.sa.sa_family; + dmsg (D_SOCKET_DEBUG, "inetd(%s): using sa_family=%d from getsockname(%d)", + proto2ascii(sock->info.proto, sock->info.af, false), + local_addr.addr.sa.sa_family, sock->sd); + } else + msg (M_WARN, "inetd(%s): getsockname(%d) failed, using AF_INET", + proto2ascii(sock->info.proto, sock->info.af, false), sock->sd); + } +#else + msg (M_WARN, "inetd(%s): this OS does not provide the getsockname() " + "function, using AF_INET", + proto2ascii(sock->info.proto, false)); +#endif + sock->sd = + socket_listen_accept (sock->sd, + &sock->info.lsa->actual, + remote_dynamic, + sock->info.lsa->bind_local, + false, + sock->inetd == INETD_NOWAIT, + signal_received); - resolve_bind_local (sock); - resolve_remote (sock, 1, NULL, NULL); + } + ASSERT (!remote_changed); +} + +static void +phase2_set_socket_flags (struct link_socket* sock) +{ + /* set misc socket parameters */ + socket_set_flags (sock->sd, sock->sockflags); + + /* set socket to non-blocking mode */ + set_nonblock (sock->sd); + + /* set socket file descriptor to not pass across execs, so that + scripts don't have access to it */ + set_cloexec (sock->sd); + + if (socket_defined (sock->ctrl_sd)) + set_cloexec (sock->ctrl_sd); + + /* set Path MTU discovery options on the socket */ + set_mtu_discover_type (sock->sd, sock->mtu_discover_type, sock->info.af); + +#if EXTENDED_SOCKET_ERROR_CAPABILITY + /* if the OS supports it, enable extended error passing on the socket */ + set_sock_extended_error_passing (sock->sd); +#endif +} + + +static void +linksock_print_addr (struct link_socket *sock) +{ + struct gc_arena gc = gc_new (); + const int msglevel = (sock->mode == LS_MODE_TCP_ACCEPT_FROM) ? D_INIT_MEDIUM : M_INFO; + + /* print local address */ + if (sock->inetd) + msg (msglevel, "%s link local: [inetd]", proto2ascii (sock->info.proto, sock->info.af, true)); + else if (sock->bind_local) + { + sa_family_t ai_family = sock->info.lsa->actual.dest.addr.sa.sa_family; + /* Socket is always bound on the first matching address, + * For bound sockets with no remote addr this is the element of + * the list */ + struct addrinfo *cur; + for (cur = sock->info.lsa->bind_local; cur; cur=cur->ai_next) + { + if(!ai_family || ai_family == cur->ai_family) + break; + } + ASSERT (cur); + msg (msglevel, "%s link local (bound): %s", + proto2ascii (sock->info.proto, sock->info.af, true), + print_sockaddr(cur->ai_addr,&gc)); } + else + msg (msglevel, "%s link local: (not bound)", + proto2ascii (sock->info.proto, sock->info.af, true)); + + /* print active remote address */ + msg (msglevel, "%s link remote: %s", + proto2ascii (sock->info.proto, sock->info.af, true), + print_link_socket_actual_ex (&sock->info.lsa->actual, + ":", + PS_SHOW_PORT_IF_DEFINED, + &gc)); + gc_free(&gc); +} + +static void +phase2_tcp_server (struct link_socket *sock, const char *remote_dynamic, + volatile int *signal_received) +{ + switch (sock->mode) + { + case LS_MODE_DEFAULT: + sock->sd = socket_listen_accept (sock->sd, + &sock->info.lsa->actual, + remote_dynamic, + sock->info.lsa->bind_local, + true, + false, + signal_received); + break; + case LS_MODE_TCP_LISTEN: + socket_do_listen (sock->sd, + sock->info.lsa->bind_local, + true, + false); + break; + case LS_MODE_TCP_ACCEPT_FROM: + sock->sd = socket_do_accept (sock->sd, + &sock->info.lsa->actual, + false); + if (!socket_defined (sock->sd)) + { + *signal_received = SIGTERM; + return; + } + tcp_connection_established (&sock->info.lsa->actual); + break; + default: + ASSERT (0); + } +} + + +static void +phase2_tcp_client (struct link_socket *sock, struct signal_info *sig_info) +{ + bool proxy_retry = false; + do { + socket_connect (&sock->sd, + sock->info.lsa->current_remote->ai_addr, + get_server_poll_remaining_time (sock->server_poll_timeout), + sig_info); + + if (sig_info->signal_received) + return; + + if (sock->http_proxy) + { + proxy_retry = establish_http_proxy_passthru (sock->http_proxy, + sock->sd, + sock->proxy_dest_host, + sock->proxy_dest_port, + sock->server_poll_timeout, + &sock->stream_buf.residual, + &sig_info->signal_received); + } + else if (sock->socks_proxy) + { + establish_socks_proxy_passthru (sock->socks_proxy, + sock->sd, + sock->proxy_dest_host, + sock->proxy_dest_port, + &sig_info->signal_received); + } + if (proxy_retry) + { + openvpn_close_socket (sock->sd); + sock->sd = create_socket_tcp (sock->info.lsa->current_remote); + } + + } while (proxy_retry); + +} + +static void +phase2_socks_client (struct link_socket *sock, struct signal_info *sig_info) +{ + socket_connect (&sock->ctrl_sd, + sock->info.lsa->current_remote->ai_addr, + get_server_poll_remaining_time (sock->server_poll_timeout), + sig_info); + + if (sig_info->signal_received) + return; + + establish_socks_proxy_udpassoc (sock->socks_proxy, + sock->ctrl_sd, + sock->sd, + &sock->socks_relay.dest, + &sig_info->signal_received); + + if (sig_info->signal_received) + return; + + sock->remote_host = sock->proxy_dest_host; + sock->remote_port = sock->proxy_dest_port; + + addr_zero_host(&sock->info.lsa->actual.dest); + if (sock->info.lsa->remote_list) + { + freeaddrinfo(sock->info.lsa->remote_list); + sock->info.lsa->current_remote = NULL; + sock->info.lsa->remote_list = NULL; + } + + resolve_remote (sock, 1, NULL, &sig_info->signal_received); } /* finalize socket initialization */ void link_socket_init_phase2 (struct link_socket *sock, const struct frame *frame, - volatile int *signal_received) + struct signal_info *sig_info) { - struct gc_arena gc = gc_new (); const char *remote_dynamic = NULL; - bool remote_changed = false; int sig_save = 0; ASSERT (sock); + ASSERT (sig_info); - if (signal_received && *signal_received) + if (sig_info->signal_received) { - sig_save = *signal_received; - *signal_received = 0; + sig_save = sig_info->signal_received; + sig_info->signal_received = 0; } /* initialize buffers */ @@ -1537,246 +1879,83 @@ link_socket_init_phase2 (struct link_socket *sock, /* were we started by inetd or xinetd? */ if (sock->inetd) { - if (sock->info.proto == PROTO_TCPv4_SERVER - || sock->info.proto == PROTO_TCPv6_SERVER) { - /* AF_INET as default (and fallback) for inetd */ - sock->info.lsa->actual.dest.addr.sa.sa_family = AF_INET; -#ifdef HAVE_GETSOCKNAME - { - /* inetd: hint family type for dest = local's */ - struct openvpn_sockaddr local_addr; - socklen_t addrlen = sizeof(local_addr); - if (getsockname (sock->sd, (struct sockaddr *)&local_addr, &addrlen) == 0) { - sock->info.lsa->actual.dest.addr.sa.sa_family = local_addr.addr.sa.sa_family; - dmsg (D_SOCKET_DEBUG, "inetd(%s): using sa_family=%d from getsockname(%d)", - proto2ascii(sock->info.proto, false), local_addr.addr.sa.sa_family, - sock->sd); - } else - msg (M_WARN, "inetd(%s): getsockname(%d) failed, using AF_INET", - proto2ascii(sock->info.proto, false), sock->sd); - } -#else - msg (M_WARN, "inetd(%s): this OS does not provide the getsockname() " - "function, using AF_INET", - proto2ascii(sock->info.proto, false)); -#endif - sock->sd = - socket_listen_accept (sock->sd, - &sock->info.lsa->actual, - remote_dynamic, - &remote_changed, - &sock->info.lsa->local, - false, - sock->inetd == INETD_NOWAIT, - signal_received); - } - ASSERT (!remote_changed); - if (*signal_received) + phase2_inetd (sock, frame, remote_dynamic, &sig_info->signal_received); + if (sig_info->signal_received) goto done; + } else { - resolve_remote (sock, 2, &remote_dynamic, signal_received); + /* Second chance to resolv/create socket */ + resolve_remote (sock, 2, &remote_dynamic, &sig_info->signal_received); - if (*signal_received) - goto done; + /* If a valid remote has been found, create the socket with its addrinfo */ + if (sock->info.lsa->current_remote) + create_socket (sock, sock->info.lsa->current_remote); - /* TCP client/server */ - if (sock->info.proto == PROTO_TCPv4_SERVER - ||sock->info.proto == PROTO_TCPv6_SERVER) + /* If socket has not already been created create it now */ + if (sock->sd == SOCKET_UNDEFINED) { - switch (sock->mode) + /* If we have no --remote and have still not figured out the + * protocol family to use we will use the first of the bind */ + + if (sock->bind_local && !sock->remote_host && sock->info.lsa->bind_local) { - case LS_MODE_DEFAULT: - sock->sd = socket_listen_accept (sock->sd, - &sock->info.lsa->actual, - remote_dynamic, - &remote_changed, - &sock->info.lsa->local, - true, - false, - signal_received); - break; - case LS_MODE_TCP_LISTEN: - socket_do_listen (sock->sd, - &sock->info.lsa->local, - true, - false); - break; - case LS_MODE_TCP_ACCEPT_FROM: - sock->sd = socket_do_accept (sock->sd, - &sock->info.lsa->actual, - false); - if (!socket_defined (sock->sd)) - { - *signal_received = SIGTERM; - goto done; + /* Warn if this is because neither v4 or v6 was specified + * and we should not connect a remote */ + if (sock->info.af == AF_UNSPEC) + { + msg (M_WARN, "Could not determine IPv4/IPv6 protocol. Using %s", + addr_family_name(sock->info.lsa->bind_local->ai_family)); + sock->info.af = sock->info.lsa->bind_local->ai_family; } - tcp_connection_established (&sock->info.lsa->actual); - break; - default: - ASSERT (0); + + create_socket (sock, sock->info.lsa->bind_local); } } - else if (sock->info.proto == PROTO_TCPv4_CLIENT - ||sock->info.proto == PROTO_TCPv6_CLIENT) - { -#ifdef GENERAL_PROXY_SUPPORT - bool proxy_retry = false; -#else - const bool proxy_retry = false; -#endif - do { - socket_connect (&sock->sd, - &sock->info.lsa->local, - sock->bind_local, - &sock->info.lsa->actual.dest, - sock->connection_profiles_defined, - remote_dynamic, - &remote_changed, - sock->connect_retry_seconds, - sock->connect_timeout, - sock->connect_retry_max, - sock->sockflags, - signal_received); - - if (*signal_received) - goto done; - - if (false) - ; -#ifdef ENABLE_HTTP_PROXY - else if (sock->http_proxy) - { - proxy_retry = establish_http_proxy_passthru (sock->http_proxy, - sock->sd, - sock->proxy_dest_host, - sock->proxy_dest_port, - &sock->stream_buf.residual, - signal_received); - } -#endif -#ifdef ENABLE_SOCKS - else if (sock->socks_proxy) - { - establish_socks_proxy_passthru (sock->socks_proxy, - sock->sd, - sock->proxy_dest_host, - sock->proxy_dest_port, - signal_received); - } -#endif - if (proxy_retry) - { - openvpn_close_socket (sock->sd); - sock->sd = create_socket_tcp (AF_INET); - } - } while (proxy_retry); - } -#ifdef ENABLE_SOCKS - else if (sock->info.proto == PROTO_UDPv4 && sock->socks_proxy) + /* Socket still undefined, give a warning and abort connection */ + if (sock->sd == SOCKET_UNDEFINED) { - socket_connect (&sock->ctrl_sd, - &sock->info.lsa->local, - sock->bind_local, - &sock->info.lsa->actual.dest, - sock->connection_profiles_defined, - remote_dynamic, - &remote_changed, - sock->connect_retry_seconds, - sock->connect_timeout, - sock->connect_retry_max, - sock->sockflags, - signal_received); - - if (*signal_received) - goto done; - - establish_socks_proxy_udpassoc (sock->socks_proxy, - sock->ctrl_sd, - sock->sd, - &sock->socks_relay.dest, - signal_received); - - if (*signal_received) - goto done; - - sock->remote_host = sock->proxy_dest_host; - sock->remote_port = sock->proxy_dest_port; - sock->did_resolve_remote = false; - - addr_zero_host(&sock->info.lsa->actual.dest); - addr_zero_host(&sock->info.lsa->remote); - - resolve_remote (sock, 1, NULL, signal_received); - - if (*signal_received) - goto done; + msg (M_WARN, "Could not determine IPv4/IPv6 protocol"); + sig_info->signal_received = SIGUSR1; + goto done; } -#endif - if (*signal_received) + if (sig_info->signal_received) goto done; - if (remote_changed) + if (sock->info.proto == PROTO_TCP_SERVER) { - msg (M_INFO, "TCP/UDP: Dynamic remote address changed during TCP connection establishment"); - addr_copy_host(&sock->info.lsa->remote, &sock->info.lsa->actual.dest); + phase2_tcp_server (sock, remote_dynamic, + &sig_info->signal_received); } - } - - /* set misc socket parameters */ - socket_set_flags (sock->sd, sock->sockflags); - - /* set socket to non-blocking mode */ - set_nonblock (sock->sd); - - /* set socket file descriptor to not pass across execs, so that - scripts don't have access to it */ - set_cloexec (sock->sd); - -#ifdef ENABLE_SOCKS - if (socket_defined (sock->ctrl_sd)) - set_cloexec (sock->ctrl_sd); -#endif - - /* set Path MTU discovery options on the socket */ - set_mtu_discover_type (sock->sd, sock->mtu_discover_type); + else if (sock->info.proto == PROTO_TCP_CLIENT) + { + phase2_tcp_client (sock, sig_info); -#if EXTENDED_SOCKET_ERROR_CAPABILITY - /* if the OS supports it, enable extended error passing on the socket */ - set_sock_extended_error_passing (sock->sd); + } + else if (sock->info.proto == PROTO_UDP && sock->socks_proxy) + { + phase2_socks_client (sock, sig_info); + } +#ifdef TARGET_ANDROID + if (sock->sd != -1) + protect_fd_nonlocal (sock->sd, &sock->info.lsa->actual.dest.addr.sa); #endif + if (sig_info->signal_received) + goto done; + } - /* print local address */ - { - const int msglevel = (sock->mode == LS_MODE_TCP_ACCEPT_FROM) ? D_INIT_MEDIUM : M_INFO; - - if (sock->inetd) - msg (msglevel, "%s link local: [inetd]", proto2ascii (sock->info.proto, true)); - else - msg (msglevel, "%s link local%s: %s", - proto2ascii (sock->info.proto, true), - (sock->bind_local ? " (bound)" : ""), - print_sockaddr_ex (&sock->info.lsa->local, ":", sock->bind_local ? PS_SHOW_PORT : 0, &gc)); - - /* print active remote address */ - msg (msglevel, "%s link remote: %s", - proto2ascii (sock->info.proto, true), - print_link_socket_actual_ex (&sock->info.lsa->actual, - ":", - PS_SHOW_PORT_IF_DEFINED, - &gc)); - } + phase2_set_socket_flags(sock); + linksock_print_addr(sock); done: - if (sig_save && signal_received) + if (sig_save) { - if (!*signal_received) - *signal_received = sig_save; + if (!sig_info->signal_received) + sig_info->signal_received = sig_save; } - gc_free (&gc); } void @@ -1792,7 +1971,7 @@ link_socket_close (struct link_socket *sock) if (socket_defined (sock->sd)) { -#ifdef WIN32 +#ifdef _WIN32 close_net_event_win32 (&sock->listen_handle, sock->sd, 0); #endif if (!gremlin) @@ -1802,7 +1981,7 @@ link_socket_close (struct link_socket *sock) msg (M_WARN | M_ERRNO, "TCP/UDP: Close Socket failed"); } sock->sd = SOCKET_UNDEFINED; -#ifdef WIN32 +#ifdef _WIN32 if (!gremlin) { overlapped_io_close (&sock->reads); @@ -1811,14 +1990,12 @@ link_socket_close (struct link_socket *sock) #endif } -#ifdef ENABLE_SOCKS if (socket_defined (sock->ctrl_sd)) { if (openvpn_close_socket (sock->ctrl_sd)) msg (M_WARN | M_ERRNO, "TCP/UDP: Close Socket (ctrl_sd) failed"); sock->ctrl_sd = SOCKET_UNDEFINED; } -#endif stream_buf_close (&sock->stream_buf); free_buf (&sock->stream_buf_data); @@ -1844,17 +2021,15 @@ setenv_trusted (struct env_set *es, const struct link_socket_info *info) static void ipchange_fmt (const bool include_cmd, struct argv *argv, const struct link_socket_info *info, struct gc_arena *gc) { - const char *ip = print_sockaddr_ex (&info->lsa->actual.dest, NULL, 0, gc); - const char *port = print_sockaddr_ex (&info->lsa->actual.dest, NULL, PS_DONT_SHOW_ADDR|PS_SHOW_PORT, gc); + const char *host = print_sockaddr_ex (&info->lsa->actual.dest.addr.sa, " ", PS_SHOW_PORT , gc); if (include_cmd) - argv_printf (argv, "%sc %s %s", - info->ipchange_command, - ip, - port); + { + argv_parse_cmd (argv, info->ipchange_command); + argv_printf_cat (argv, "%s", host); + } else - argv_printf (argv, "%s %s", - ip, - port); + argv_printf (argv, "%s", host); + } void @@ -1911,6 +2086,7 @@ link_socket_bad_incoming_addr (struct buffer *buf, const struct link_socket_actual *from_addr) { struct gc_arena gc = gc_new (); + struct addrinfo* ai; switch(from_addr->dest.addr.sa.sa_family) { @@ -1920,7 +2096,12 @@ link_socket_bad_incoming_addr (struct buffer *buf, "TCP/UDP: Incoming packet rejected from %s[%d], expected peer address: %s (allow this incoming source address/port by removing --remote or adding --float)", print_link_socket_actual (from_addr, &gc), (int)from_addr->dest.addr.sa.sa_family, - print_sockaddr (&info->lsa->remote, &gc)); + print_sockaddr_ex (info->lsa->remote_list->ai_addr,":" ,PS_SHOW_PORT, &gc)); + /* print additional remote addresses */ + for(ai=info->lsa->remote_list->ai_next;ai;ai=ai->ai_next) { + msg(D_LINK_ERRORS,"or from peer address: %s", + print_sockaddr_ex(ai->ai_addr,":",PS_SHOW_PORT, &gc)); + } break; } buf->len = 0; @@ -1945,18 +2126,43 @@ link_socket_current_remote (const struct link_socket_info *info) * Maybe in the future consider PF_INET6 endpoints also ... * by now just ignore it * + * For --remote entries with multiple addresses this + * only return the actual endpoint we have sucessfully connected to */ if (lsa->actual.dest.addr.sa.sa_family != AF_INET) return IPV4_INVALID_ADDR; if (link_socket_actual_defined (&lsa->actual)) return ntohl (lsa->actual.dest.addr.in4.sin_addr.s_addr); - else if (addr_defined (&lsa->remote)) - return ntohl (lsa->remote.addr.in4.sin_addr.s_addr); + else if (lsa->current_remote) + return ntohl (((struct sockaddr_in*)lsa->current_remote->ai_addr) + ->sin_addr.s_addr); else return 0; } +const struct in6_addr * +link_socket_current_remote_ipv6 (const struct link_socket_info *info) +{ + const struct link_socket_addr *lsa = info->lsa; + +/* This logic supports "redirect-gateway" semantic, + * for PF_INET6 routes over PF_INET6 endpoints + * + * For --remote entries with multiple addresses this + * only return the actual endpoint we have sucessfully connected to + */ + if (lsa->actual.dest.addr.sa.sa_family != AF_INET6) + return NULL; + + if (link_socket_actual_defined (&lsa->actual)) + return &(lsa->actual.dest.addr.in6.sin6_addr); + else if (lsa->current_remote) + return &(((struct sockaddr_in6*)lsa->current_remote->ai_addr) ->sin6_addr); + else + return NULL; +} + /* * Return a status string describing socket state. */ @@ -1970,7 +2176,7 @@ socket_stat (const struct link_socket *s, unsigned int rwflags, struct gc_arena { buf_printf (&out, "S%s", (s->rwflags_debug & EVENT_READ) ? "R" : "r"); -#ifdef WIN32 +#ifdef _WIN32 buf_printf (&out, "%s", overlapped_io_state_ascii (&s->reads)); #endif @@ -1979,7 +2185,7 @@ socket_stat (const struct link_socket *s, unsigned int rwflags, struct gc_arena { buf_printf (&out, "S%s", (s->rwflags_debug & EVENT_WRITE) ? "W" : "w"); -#ifdef WIN32 +#ifdef _WIN32 buf_printf (&out, "%s", overlapped_io_state_ascii (&s->writes)); #endif @@ -2019,7 +2225,7 @@ stream_buf_init (struct stream_buf *sb, sb->residual = alloc_buf (sb->maxlen); sb->error = false; #if PORT_SHARE - sb->port_share_state = ((sockflags & SF_PORT_SHARE) && (proto == PROTO_TCPv4_SERVER)) + sb->port_share_state = ((sockflags & SF_PORT_SHARE) && (proto == PROTO_TCP_SERVER)) ? PS_ENABLED : PS_DISABLED; #endif @@ -2154,7 +2360,7 @@ stream_buf_close (struct stream_buf* sb) event_t socket_listen_event_handle (struct link_socket *s) { -#ifdef WIN32 +#ifdef _WIN32 if (!defined_net_event_win32 (&s->listen_handle)) init_net_event_win32 (&s->listen_handle, FD_ACCEPT, s->sd, 0); return &s->listen_handle; @@ -2168,67 +2374,65 @@ socket_listen_event_handle (struct link_socket *s) */ const char * -print_sockaddr (const struct openvpn_sockaddr *addr, struct gc_arena *gc) -{ - return print_sockaddr_ex (addr, ":", PS_SHOW_PORT, gc); -} - -const char * -print_sockaddr_ex (const struct openvpn_sockaddr *addr, - const char* separator, - const unsigned int flags, - struct gc_arena *gc) +print_sockaddr_ex (const struct sockaddr *sa, + const char* separator, + const unsigned int flags, + struct gc_arena *gc) { struct buffer out = alloc_buf_gc (128, gc); - bool addr_is_defined; - addr_is_defined = addr_defined (addr); - if (!addr_is_defined) { - return "[undef]"; - } - switch(addr->addr.sa.sa_family) + bool addr_is_defined = false; + char hostaddr[NI_MAXHOST] = ""; + char servname[NI_MAXSERV] = ""; + int status; + + socklen_t salen = 0; + switch(sa->sa_family) { case AF_INET: - { - const int port= ntohs (addr->addr.in4.sin_port); - buf_puts (&out, "[AF_INET]"); - - if (!(flags & PS_DONT_SHOW_ADDR)) - buf_printf (&out, "%s", (addr_defined (addr) ? inet_ntoa (addr->addr.in4.sin_addr) : "[undef]")); - - if (((flags & PS_SHOW_PORT) || (addr_defined (addr) && (flags & PS_SHOW_PORT_IF_DEFINED))) - && port) - { - if (separator) - buf_printf (&out, "%s", separator); - - buf_printf (&out, "%d", port); - } - } + if (!(flags & PS_DONT_SHOW_FAMILY)) + buf_puts (&out, "[AF_INET]"); + salen = sizeof (struct sockaddr_in); + addr_is_defined = ((struct sockaddr_in*) sa)->sin_addr.s_addr != 0; break; case AF_INET6: - { - const int port= ntohs (addr->addr.in6.sin6_port); - char buf[INET6_ADDRSTRLEN] = ""; - buf_puts (&out, "[AF_INET6]"); - if (addr_is_defined) - { - getnameinfo(&addr->addr.sa, sizeof (struct sockaddr_in6), - buf, sizeof (buf), NULL, 0, NI_NUMERICHOST); - buf_puts (&out, buf); - } - if (((flags & PS_SHOW_PORT) || (addr_is_defined && (flags & PS_SHOW_PORT_IF_DEFINED))) - && port) - { - if (separator) - buf_puts (&out, separator); - - buf_printf (&out, "%d", port); - } - } + if (!(flags & PS_DONT_SHOW_FAMILY)) + buf_puts (&out, "[AF_INET6]"); + salen = sizeof (struct sockaddr_in6); + addr_is_defined = !IN6_IS_ADDR_UNSPECIFIED(&((struct sockaddr_in6*) sa)->sin6_addr); break; + case AF_UNSPEC: + if (!(flags & PS_DONT_SHOW_FAMILY)) + return "[AF_UNSPEC]"; + else + return ""; default: ASSERT(0); } + + status = getnameinfo(sa, salen, hostaddr, sizeof (hostaddr), + servname, sizeof(servname), NI_NUMERICHOST | NI_NUMERICSERV); + + if(status!=0) { + buf_printf(&out,"[nameinfo() err: %s]",gai_strerror(status)); + return BSTR(&out); + } + + if (!(flags & PS_DONT_SHOW_ADDR)) + { + if (addr_is_defined) + buf_puts (&out, hostaddr); + else + buf_puts (&out, "[undef]"); + } + + if ((flags & PS_SHOW_PORT) || (flags & PS_SHOW_PORT_IF_DEFINED)) + { + if (separator) + buf_puts (&out, separator); + + buf_puts (&out, servname); + } + return BSTR (&out); } @@ -2252,7 +2456,7 @@ print_link_socket_actual_ex (const struct link_socket_actual *act, { char ifname[IF_NAMESIZE] = "[undef]"; struct buffer out = alloc_buf_gc (128, gc); - buf_printf (&out, "%s", print_sockaddr_ex (&act->dest, separator, flags, gc)); + buf_printf (&out, "%s", print_sockaddr_ex (&act->dest.addr.sa, separator, flags, gc)); #if ENABLE_IP_PKTINFO if ((flags & PS_SHOW_PKTINFO) && addr_defined_ipi(act)) { @@ -2263,7 +2467,7 @@ print_link_socket_actual_ex (const struct link_socket_actual *act, struct openvpn_sockaddr sa; CLEAR (sa); sa.addr.in4.sin_family = AF_INET; -#ifdef IP_PKTINFO +#if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST) sa.addr.in4.sin_addr = act->pi.in4.ipi_spec_dst; if_indextoname(act->pi.in4.ipi_ifindex, ifname); #elif defined(IP_RECVDSTADDR) @@ -2273,7 +2477,7 @@ print_link_socket_actual_ex (const struct link_socket_actual *act, #error ENABLE_IP_PKTINFO is set without IP_PKTINFO xor IP_RECVDSTADDR (fix syshead.h) #endif buf_printf (&out, " (via %s%%%s)", - print_sockaddr_ex (&sa, separator, 0, gc), + print_sockaddr_ex (&sa.addr.sa, separator, 0, gc), ifname); } break; @@ -2392,9 +2596,20 @@ setenv_sockaddr (struct env_set *es, const char *name_prefix, const struct openv } break; case AF_INET6: - openvpn_snprintf (name_buf, sizeof (name_buf), "%s_ip6", name_prefix); - getnameinfo(&addr->addr.sa, sizeof (struct sockaddr_in6), - buf, sizeof(buf), NULL, 0, NI_NUMERICHOST); + if ( IN6_IS_ADDR_V4MAPPED( &addr->addr.in6.sin6_addr )) + { + struct in_addr ia; + memcpy (&ia.s_addr, &addr->addr.in6.sin6_addr.s6_addr[12], + sizeof (ia.s_addr)); + openvpn_snprintf (name_buf, sizeof (name_buf), "%s_ip", name_prefix); + openvpn_snprintf (buf, sizeof(buf), "%s", inet_ntoa(ia) ); + } + else + { + openvpn_snprintf (name_buf, sizeof (name_buf), "%s_ip6", name_prefix); + getnameinfo(&addr->addr.sa, sizeof (struct sockaddr_in6), + buf, sizeof(buf), NULL, 0, NI_NUMERICHOST); + } setenv_str (es, name_buf, buf); if ((flags & SA_IP_PORT) && addr->addr.in6.sin6_port) @@ -2451,22 +2666,28 @@ setenv_link_socket_actual (struct env_set *es, struct proto_names { const char *short_form; const char *display_form; - bool is_dgram; - bool is_net; - unsigned short proto_af; + sa_family_t proto_af; + int proto; }; /* Indexed by PROTO_x */ -static const struct proto_names proto_names[PROTO_N] = { - {"proto-uninitialized", "proto-NONE",0,0, AF_UNSPEC}, - {"udp", "UDPv4",1,1, AF_INET}, - {"tcp-server", "TCPv4_SERVER",0,1, AF_INET}, - {"tcp-client", "TCPv4_CLIENT",0,1, AF_INET}, - {"tcp", "TCPv4",0,1, AF_INET}, - {"udp6" ,"UDPv6",1,1, AF_INET6}, - {"tcp6-server","TCPv6_SERVER",0,1, AF_INET6}, - {"tcp6-client","TCPv6_CLIENT",0,1, AF_INET6}, - {"tcp6" ,"TCPv6",0,1, AF_INET6}, +static const struct proto_names proto_names[] = { + {"proto-uninitialized", "proto-NONE", AF_UNSPEC, PROTO_NONE}, + /* try IPv4 and IPv6 (client), bind dual-stack (server) */ + {"udp", "UDP", AF_UNSPEC, PROTO_UDP}, + {"tcp-server", "TCP_SERVER", AF_UNSPEC, PROTO_TCP_SERVER}, + {"tcp-client", "TCP_CLIENT", AF_UNSPEC, PROTO_TCP_CLIENT}, + {"tcp", "TCP", AF_UNSPEC, PROTO_TCP}, + /* force IPv4 */ + {"udp4", "UDPv4", AF_INET, PROTO_UDP}, + {"tcp4-server","TCPv4_SERVER", AF_INET, PROTO_TCP_SERVER}, + {"tcp4-client","TCPv4_CLIENT", AF_INET, PROTO_TCP_CLIENT}, + {"tcp4", "TCPv4", AF_INET, PROTO_TCP}, + /* force IPv6 */ + {"udp6" ,"UDPv6", AF_INET6, PROTO_UDP}, + {"tcp6-server","TCPv6_SERVER", AF_INET6, PROTO_TCP_SERVER}, + {"tcp6-client","TCPv6_CLIENT", AF_INET6, PROTO_TCP_CLIENT}, + {"tcp6" ,"TCPv6", AF_INET6, PROTO_TCP}, }; bool @@ -2474,59 +2695,66 @@ proto_is_net(int proto) { if (proto < 0 || proto >= PROTO_N) ASSERT(0); - return proto_names[proto].is_net; + return proto != PROTO_NONE; } bool proto_is_dgram(int proto) { - if (proto < 0 || proto >= PROTO_N) - ASSERT(0); - return proto_names[proto].is_dgram; + return proto_is_udp(proto); } + bool proto_is_udp(int proto) { if (proto < 0 || proto >= PROTO_N) ASSERT(0); - return proto_names[proto].is_dgram&&proto_names[proto].is_net; + return proto == PROTO_UDP; } + bool proto_is_tcp(int proto) { if (proto < 0 || proto >= PROTO_N) ASSERT(0); - return (!proto_names[proto].is_dgram)&&proto_names[proto].is_net; -} - -unsigned short -proto_sa_family(int proto) -{ - if (proto < 0 || proto >= PROTO_N) - ASSERT(0); - return proto_names[proto].proto_af; + return proto == PROTO_TCP_CLIENT || proto == PROTO_TCP_SERVER; } int ascii2proto (const char* proto_name) { int i; - ASSERT (PROTO_N == SIZE (proto_names)); - for (i = 0; i < PROTO_N; ++i) + for (i = 0; i < SIZE (proto_names); ++i) if (!strcmp (proto_name, proto_names[i].short_form)) - return i; + return proto_names[i].proto; return -1; } +sa_family_t +ascii2af (const char* proto_name) +{ + int i; + for (i = 0; i < SIZE (proto_names); ++i) + if (!strcmp (proto_name, proto_names[i].short_form)) + return proto_names[i].proto_af; + return 0; +} + const char * -proto2ascii (int proto, bool display_form) +proto2ascii (int proto, sa_family_t af, bool display_form) { - ASSERT (PROTO_N == SIZE (proto_names)); - if (proto < 0 || proto >= PROTO_N) - return "[unknown protocol]"; - else if (display_form) - return proto_names[proto].display_form; - else - return proto_names[proto].short_form; + unsigned int i; + for (i = 0; i < SIZE (proto_names); ++i) + { + if(proto_names[i].proto_af == af && proto_names[i].proto == proto) + { + if(display_form) + return proto_names[i].display_form; + else + return proto_names[i].short_form; + } + } + + return "[unknown protocol]"; } const char * @@ -2535,40 +2763,15 @@ proto2ascii_all (struct gc_arena *gc) struct buffer out = alloc_buf_gc (256, gc); int i; - ASSERT (PROTO_N == SIZE (proto_names)); - for (i = 0; i < PROTO_N; ++i) + for (i = 0; i < SIZE (proto_names); ++i) { if (i) buf_printf(&out, " "); - buf_printf(&out, "[%s]", proto2ascii(i, false)); + buf_printf(&out, "[%s]", proto_names[i].short_form); } return BSTR (&out); } -int -addr_guess_family(int proto, const char *name) -{ - unsigned short ret; - if (proto) - { - return proto_sa_family(proto); /* already stamped */ - } - else - { - struct addrinfo hints , *ai; - int err; - CLEAR(hints); - hints.ai_flags = AI_NUMERICHOST; - err = getaddrinfo(name, NULL, &hints, &ai); - if ( 0 == err ) - { - ret=ai->ai_family; - freeaddrinfo(ai); - return ret; - } - } - return AF_INET; /* default */ -} const char * addr_family_name (int af) { @@ -2592,31 +2795,22 @@ addr_family_name (int af) * has always sent UDPv4, TCPv4 over the wire. Keep these * strings for backward compatbility */ -int +const char* proto_remote (int proto, bool remote) { ASSERT (proto >= 0 && proto < PROTO_N); - if (remote) - { - switch (proto) - { - case PROTO_TCPv4_SERVER: return PROTO_TCPv4_CLIENT; - case PROTO_TCPv4_CLIENT: return PROTO_TCPv4_SERVER; - case PROTO_TCPv6_SERVER: return PROTO_TCPv4_CLIENT; - case PROTO_TCPv6_CLIENT: return PROTO_TCPv4_SERVER; - case PROTO_UDPv6: return PROTO_UDPv4; - } - } - else - { - switch (proto) - { - case PROTO_TCPv6_SERVER: return PROTO_TCPv4_SERVER; - case PROTO_TCPv6_CLIENT: return PROTO_TCPv4_CLIENT; - case PROTO_UDPv6: return PROTO_UDPv4; - } - } - return proto; + if (proto == PROTO_UDP) + return "UDPv4"; + + if ( (remote && proto == PROTO_TCP_CLIENT) || + (!remote && proto == PROTO_TCP_SERVER)) + return "TCPv4_SERVER"; + if ( (remote && proto == PROTO_TCP_SERVER) || + (!remote && proto == PROTO_TCP_CLIENT)) + return "TCPv4_CLIENT"; + + ASSERT (0); + return ""; /* Make the compiler happy */ } /* @@ -2643,7 +2837,7 @@ link_socket_read_tcp (struct link_socket *sock, if (!sock->stream_buf.residual_fully_formed) { -#ifdef WIN32 +#ifdef _WIN32 len = socket_finalize (sock->sd, &sock->reads, buf, NULL); #else struct buffer frag; @@ -2668,51 +2862,39 @@ link_socket_read_tcp (struct link_socket *sock, return buf->len = 0; /* no error, but packet is still incomplete */ } -#ifndef WIN32 +#ifndef _WIN32 #if ENABLE_IP_PKTINFO -#pragma pack(1) /* needed to keep structure size consistent for 32 vs. 64-bit architectures */ -struct openvpn_in4_pktinfo -{ - struct cmsghdr cmsghdr; -#ifdef HAVE_IN_PKTINFO - struct in_pktinfo pi4; -#elif defined(IP_RECVDSTADDR) - struct in_addr pi4; +/* make the buffer large enough to handle ancilliary socket data for + * both IPv4 and IPv6 destination addresses, plus padding (see RFC 2292) + */ +#if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST) +#define PKTINFO_BUF_SIZE max_int( CMSG_SPACE(sizeof (struct in6_pktinfo)), \ + CMSG_SPACE(sizeof (struct in_pktinfo)) ) +#else +#define PKTINFO_BUF_SIZE max_int( CMSG_SPACE(sizeof (struct in6_pktinfo)), \ + CMSG_SPACE(sizeof (struct in_addr)) ) #endif -}; -struct openvpn_in6_pktinfo -{ - struct cmsghdr cmsghdr; - struct in6_pktinfo pi6; -}; - -union openvpn_pktinfo { - struct openvpn_in4_pktinfo msgpi4; - struct openvpn_in6_pktinfo msgpi6; -}; -#pragma pack() static socklen_t link_socket_read_udp_posix_recvmsg (struct link_socket *sock, struct buffer *buf, - int maxsize, struct link_socket_actual *from) { struct iovec iov; - union openvpn_pktinfo opi; + uint8_t pktinfo_buf[PKTINFO_BUF_SIZE]; struct msghdr mesg; socklen_t fromlen = sizeof (from->dest.addr); iov.iov_base = BPTR (buf); - iov.iov_len = maxsize; + iov.iov_len = buf_forward_capacity_total (buf); mesg.msg_iov = &iov; mesg.msg_iovlen = 1; mesg.msg_name = &from->dest.addr; mesg.msg_namelen = fromlen; - mesg.msg_control = &opi; - mesg.msg_controllen = sizeof opi; + mesg.msg_control = pktinfo_buf; + mesg.msg_controllen = sizeof pktinfo_buf; buf->len = recvmsg (sock->sd, &mesg, 0); if (buf->len >= 0) { @@ -2721,18 +2903,19 @@ link_socket_read_udp_posix_recvmsg (struct link_socket *sock, cmsg = CMSG_FIRSTHDR (&mesg); if (cmsg != NULL && CMSG_NXTHDR (&mesg, cmsg) == NULL -#ifdef IP_PKTINFO +#if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST) && cmsg->cmsg_level == SOL_IP && cmsg->cmsg_type == IP_PKTINFO + && cmsg->cmsg_len >= CMSG_LEN(sizeof(struct in_pktinfo)) ) #elif defined(IP_RECVDSTADDR) && cmsg->cmsg_level == IPPROTO_IP && cmsg->cmsg_type == IP_RECVDSTADDR + && cmsg->cmsg_len >= CMSG_LEN(sizeof(struct in_addr)) ) #else #error ENABLE_IP_PKTINFO is set without IP_PKTINFO xor IP_RECVDSTADDR (fix syshead.h) #endif - && cmsg->cmsg_len >= sizeof (struct openvpn_in4_pktinfo)) { -#ifdef IP_PKTINFO +#if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST) struct in_pktinfo *pkti = (struct in_pktinfo *) CMSG_DATA (cmsg); from->pi.in4.ipi_ifindex = pkti->ipi_ifindex; from->pi.in4.ipi_spec_dst = pkti->ipi_spec_dst; @@ -2746,13 +2929,18 @@ link_socket_read_udp_posix_recvmsg (struct link_socket *sock, && CMSG_NXTHDR (&mesg, cmsg) == NULL && cmsg->cmsg_level == IPPROTO_IPV6 && cmsg->cmsg_type == IPV6_PKTINFO - && cmsg->cmsg_len >= sizeof (struct openvpn_in6_pktinfo)) + && cmsg->cmsg_len >= CMSG_LEN(sizeof(struct in6_pktinfo)) ) { struct in6_pktinfo *pkti6 = (struct in6_pktinfo *) CMSG_DATA (cmsg); from->pi.in6.ipi6_ifindex = pkti6->ipi6_ifindex; from->pi.in6.ipi6_addr = pkti6->ipi6_addr; } + else if (cmsg != NULL) + { + msg(M_WARN, "CMSG received that cannot be parsed (cmsg_level=%d, cmsg_type=%d, cmsg=len=%d)", (int)cmsg->cmsg_level, (int)cmsg->cmsg_type, (int)cmsg->cmsg_len ); + } } + return fromlen; } #endif @@ -2760,21 +2948,20 @@ link_socket_read_udp_posix_recvmsg (struct link_socket *sock, int link_socket_read_udp_posix (struct link_socket *sock, struct buffer *buf, - int maxsize, struct link_socket_actual *from) { socklen_t fromlen = sizeof (from->dest.addr); - socklen_t expectedlen = af_addr_size(proto_sa_family(sock->info.proto)); + socklen_t expectedlen = af_addr_size(sock->info.af); addr_zero_host(&from->dest); - ASSERT (buf_safe (buf, maxsize)); #if ENABLE_IP_PKTINFO /* Both PROTO_UDPv4 and PROTO_UDPv6 */ - if (proto_is_udp(sock->info.proto) && sock->sockflags & SF_USE_IP_PKTINFO) - fromlen = link_socket_read_udp_posix_recvmsg (sock, buf, maxsize, from); + if (sock->info.proto == PROTO_UDP && sock->sockflags & SF_USE_IP_PKTINFO) + fromlen = link_socket_read_udp_posix_recvmsg (sock, buf, from); else #endif - buf->len = recvfrom (sock->sd, BPTR (buf), maxsize, 0, + buf->len = recvfrom (sock->sd, BPTR (buf), buf_forward_capacity(buf), 0, &from->dest.addr.sa, &fromlen); + /* FIXME: won't do anything when sock->info.af == AF_UNSPEC */ if (buf->len >= 0 && expectedlen && fromlen != expectedlen) bad_address_length (fromlen, expectedlen); return buf->len; @@ -2796,7 +2983,7 @@ link_socket_write_tcp (struct link_socket *sock, ASSERT (len <= sock->stream_buf.maxlen); len = htonps (len); ASSERT (buf_write_prepend (buf, &len, sizeof (len))); -#ifdef WIN32 +#ifdef _WIN32 return link_socket_write_win32 (sock, buf, to); #else return link_socket_write_tcp_posix (sock, buf, to); @@ -2805,7 +2992,7 @@ link_socket_write_tcp (struct link_socket *sock, #if ENABLE_IP_PKTINFO -int +size_t link_socket_write_udp_posix_sendmsg (struct link_socket *sock, struct buffer *buf, struct link_socket_actual *to) @@ -2813,24 +3000,24 @@ link_socket_write_udp_posix_sendmsg (struct link_socket *sock, struct iovec iov; struct msghdr mesg; struct cmsghdr *cmsg; - union openvpn_pktinfo opi; + uint8_t pktinfo_buf[PKTINFO_BUF_SIZE]; iov.iov_base = BPTR (buf); iov.iov_len = BLEN (buf); mesg.msg_iov = &iov; mesg.msg_iovlen = 1; - switch (sock->info.lsa->remote.addr.sa.sa_family) + switch (to->dest.addr.sa.sa_family) { case AF_INET: { mesg.msg_name = &to->dest.addr.sa; mesg.msg_namelen = sizeof (struct sockaddr_in); - mesg.msg_control = &opi; + mesg.msg_control = pktinfo_buf; mesg.msg_flags = 0; -#ifdef HAVE_IN_PKTINFO - mesg.msg_controllen = sizeof (struct openvpn_in4_pktinfo); +#if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST) + mesg.msg_controllen = CMSG_SPACE(sizeof (struct in_pktinfo)); cmsg = CMSG_FIRSTHDR (&mesg); - cmsg->cmsg_len = sizeof (struct openvpn_in4_pktinfo); + cmsg->cmsg_len = CMSG_LEN(sizeof (struct in_pktinfo)); cmsg->cmsg_level = SOL_IP; cmsg->cmsg_type = IP_PKTINFO; { @@ -2841,7 +3028,7 @@ link_socket_write_udp_posix_sendmsg (struct link_socket *sock, pkti->ipi_addr.s_addr = 0; } #elif defined(IP_RECVDSTADDR) - ASSERT( CMSG_SPACE(sizeof (struct in_addr)) <= sizeof(opi) ); + ASSERT( CMSG_SPACE(sizeof (struct in_addr)) <= sizeof(pktinfo_buf) ); mesg.msg_controllen = CMSG_SPACE(sizeof (struct in_addr)); cmsg = CMSG_FIRSTHDR (&mesg); cmsg->cmsg_len = CMSG_LEN(sizeof(struct in_addr)); @@ -2858,13 +3045,16 @@ link_socket_write_udp_posix_sendmsg (struct link_socket *sock, struct in6_pktinfo *pkti6; mesg.msg_name = &to->dest.addr.sa; mesg.msg_namelen = sizeof (struct sockaddr_in6); - mesg.msg_control = &opi; - mesg.msg_controllen = sizeof (struct openvpn_in6_pktinfo); + + ASSERT( CMSG_SPACE(sizeof (struct in6_pktinfo)) <= sizeof(pktinfo_buf) ); + mesg.msg_control = pktinfo_buf; + mesg.msg_controllen = CMSG_SPACE(sizeof (struct in6_pktinfo)); mesg.msg_flags = 0; cmsg = CMSG_FIRSTHDR (&mesg); - cmsg->cmsg_len = sizeof (struct openvpn_in6_pktinfo); + cmsg->cmsg_len = CMSG_LEN(sizeof(struct in6_pktinfo)); cmsg->cmsg_level = IPPROTO_IPV6; cmsg->cmsg_type = IPV6_PKTINFO; + pkti6 = (struct in6_pktinfo *) CMSG_DATA (cmsg); pkti6->ipi6_ifindex = to->pi.in6.ipi6_ifindex; pkti6->ipi6_addr = to->pi.in6.ipi6_addr; @@ -2881,7 +3071,7 @@ link_socket_write_udp_posix_sendmsg (struct link_socket *sock, * Win32 overlapped socket I/O functions. */ -#ifdef WIN32 +#ifdef _WIN32 int socket_recv_queue (struct link_socket *sock, int maxsize) @@ -2919,10 +3109,7 @@ socket_recv_queue (struct link_socket *sock, int maxsize) if (proto_is_udp(sock->info.proto)) { sock->reads.addr_defined = true; - if (sock->info.proto == PROTO_UDPv6) - sock->reads.addrlen = sizeof (sock->reads.addr6); - else - sock->reads.addrlen = sizeof (sock->reads.addr); + sock->reads.addrlen = sizeof (sock->reads.addr6); status = WSARecvFrom( sock->sd, wsabuf, @@ -2954,9 +3141,10 @@ socket_recv_queue (struct link_socket *sock, int maxsize) if (!status) /* operation completed immediately? */ { - int addrlen = af_addr_size(sock->info.lsa->local.addr.sa.sa_family); - if (sock->reads.addr_defined && sock->reads.addrlen != addrlen) - bad_address_length (sock->reads.addrlen, addrlen); + /* FIXME: won't do anything when sock->info.af == AF_UNSPEC */ + int af_len = af_addr_size (sock->info.af); + if (sock->reads.addr_defined && af_len && sock->reads.addrlen != af_len) + bad_address_length (sock->reads.addrlen, af_len); sock->reads.iostate = IOSTATE_IMMEDIATE_RETURN; /* since we got an immediate return, we must signal the event object ourselves */ @@ -3018,7 +3206,7 @@ socket_send_queue (struct link_socket *sock, struct buffer *buf, const struct li { /* set destination address for UDP writes */ sock->writes.addr_defined = true; - if (sock->info.proto == PROTO_UDPv6) + if (to->dest.addr.sa.sa_family == AF_INET6) { sock->writes.addr6 = to->dest.addr.in6; sock->writes.addrlen = sizeof (sock->writes.addr6); @@ -3191,7 +3379,7 @@ socket_finalize (SOCKET s, case sizeof(struct sockaddr_in): case sizeof(struct sockaddr_in6): /* TODO(jjo): for some reason (?) I'm getting 24,28 for AF_INET6 - * under WIN32*/ + * under _WIN32*/ case sizeof(struct sockaddr_in6)-4: break; default: @@ -3217,7 +3405,7 @@ socket_finalize (SOCKET s, return ret; } -#endif /* WIN32 */ +#endif /* _WIN32 */ /* * Socket event notification @@ -3238,7 +3426,7 @@ socket_set (struct link_socket *s, rwflags &= ~EVENT_READ; } -#ifdef WIN32 +#ifdef _WIN32 if (rwflags & EVENT_READ) socket_recv_queue (s, 0); #endif diff --git a/src/openvpn/socket.h b/src/openvpn/socket.h index b7a4e01..2a82d88 100644 --- a/src/openvpn/socket.h +++ b/src/openvpn/socket.h @@ -39,7 +39,7 @@ /* * OpenVPN's default port number as assigned by IANA. */ -#define OPENVPN_PORT 1194 +#define OPENVPN_PORT "1194" /* * Number of seconds that "resolv-retry infinite" @@ -72,14 +72,25 @@ struct openvpn_sockaddr } addr; }; +/* struct to hold preresolved host names */ +struct cached_dns_entry { + const char *hostname; + const char *servname; + int ai_family; + int flags; + struct addrinfo *ai; + struct cached_dns_entry *next; +}; + /* actual address of remote, based on source address of received packets */ struct link_socket_actual { /*int dummy;*/ /* add offset to force a bug if dest not explicitly dereferenced */ + struct openvpn_sockaddr dest; #if ENABLE_IP_PKTINFO union { -#ifdef HAVE_IN_PKTINFO +#if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST) struct in_pktinfo in4; #elif defined(IP_RECVDSTADDR) struct in_addr in4; @@ -92,8 +103,10 @@ struct link_socket_actual /* IP addresses which are persistant across SIGUSR1s */ struct link_socket_addr { - struct openvpn_sockaddr local; - struct openvpn_sockaddr remote; /* initial remote */ + struct addrinfo* bind_local; + struct addrinfo* remote_list; /* complete remote list */ + struct addrinfo* current_remote; /* remote used in the + current connection attempt */ struct link_socket_actual actual; /* reply to this address */ }; @@ -105,6 +118,8 @@ struct link_socket_info const struct plugin_list *plugins; bool remote_float; int proto; /* Protocol (PROTO_x defined below) */ + sa_family_t af; /* Address family like AF_INET, AF_INET6 or AF_UNSPEC*/ + bool bind_ipv6_only; int mtu_changed; /* Set to true when mtu value is changed */ }; @@ -152,12 +167,9 @@ struct link_socket struct link_socket_info info; socket_descriptor_t sd; - -#ifdef ENABLE_SOCKS socket_descriptor_t ctrl_sd; /* only used for UDP over Socks */ -#endif -#ifdef WIN32 +#ifdef _WIN32 struct overlapped_io reads; struct overlapped_io writes; struct rw_handle rw_handle; @@ -170,13 +182,11 @@ struct link_socket /* used for long-term queueing of pre-accepted socket listen */ bool listen_persistent_queued; - /* Does config file contain any <connection> ... </connection> blocks? */ - bool connection_profiles_defined; - const char *remote_host; - int remote_port; + const char *remote_port; const char *local_host; - int local_port; + const char *local_port; + struct cached_dns_entry *dns_cache; bool bind_local; # define INETD_NONE 0 @@ -190,45 +200,39 @@ struct link_socket int mode; int resolve_retry_seconds; - int connect_retry_seconds; - int connect_timeout; - int connect_retry_max; int mtu_discover_type; struct socket_buffer_size socket_buffer_sizes; int mtu; /* OS discovered MTU, or 0 if unknown */ - bool did_resolve_remote; - # define SF_USE_IP_PKTINFO (1<<0) # define SF_TCP_NODELAY (1<<1) # define SF_PORT_SHARE (1<<2) # define SF_HOST_RANDOMIZE (1<<3) # define SF_GETADDRINFO_DGRAM (1<<4) unsigned int sockflags; + int mark; /* for stream sockets */ struct stream_buf stream_buf; struct buffer stream_buf_data; bool stream_reset; -#ifdef ENABLE_HTTP_PROXY /* HTTP proxy */ struct http_proxy_info *http_proxy; -#endif -#ifdef ENABLE_SOCKS /* Socks proxy */ struct socks_proxy_info *socks_proxy; struct link_socket_actual socks_relay; /* Socks UDP relay address */ -#endif -#if defined(ENABLE_HTTP_PROXY) || defined(ENABLE_SOCKS) /* The OpenVPN server we will use the proxy to connect to */ const char *proxy_dest_host; - int proxy_dest_port; -#endif + const char *proxy_dest_port; + + /* Pointer to the server-poll to trigger the timeout in function which have + * their own loop instead of using the main oop */ + struct event_timeout* server_poll_timeout; #if PASSTOS_CAPABILITY /* used to get/set TOS. */ @@ -253,7 +257,7 @@ struct link_socket #define MSG_NOSIGNAL 0 #endif -#ifdef WIN32 +#ifdef _WIN32 #define openvpn_close_socket(s) closesocket(s) @@ -278,34 +282,36 @@ int socket_finalize ( struct link_socket *link_socket_new (void); void socket_bind (socket_descriptor_t sd, - struct openvpn_sockaddr *local, - const char *prefix); + struct addrinfo *local, + int af_family, + const char *prefix, + bool ipv6only); int openvpn_connect (socket_descriptor_t sd, - struct openvpn_sockaddr *remote, + const struct sockaddr *remote, int connect_timeout, volatile int *signal_received); + + /* * Initialize link_socket object. */ void link_socket_init_phase1 (struct link_socket *sock, - const bool connection_profiles_defined, const char *local_host, - int local_port, + const char *local_port, const char *remote_host, - int remote_port, + const char *remote_port, + struct cached_dns_entry *dns_cache, int proto, + sa_family_t af, + bool bind_ipv6_only, int mode, const struct link_socket *accept_from, -#ifdef ENABLE_HTTP_PROXY struct http_proxy_info *http_proxy, -#endif -#ifdef ENABLE_SOCKS struct socks_proxy_info *socks_proxy, -#endif #ifdef ENABLE_DEBUG int gremlin, #endif @@ -316,18 +322,18 @@ link_socket_init_phase1 (struct link_socket *sock, const char *ipchange_command, const struct plugin_list *plugins, int resolve_retry_seconds, - int connect_retry_seconds, - int connect_timeout, - int connect_retry_max, int mtu_discover_type, int rcvbuf, int sndbuf, int mark, + struct event_timeout* server_poll_timeout, unsigned int sockflags); void link_socket_init_phase2 (struct link_socket *sock, const struct frame *frame, - volatile int *signal_received); + struct signal_info *sig_info); + +void do_preresolve(struct context *c); void socket_adjust_frame_parameters (struct frame *frame, int proto); @@ -341,15 +347,37 @@ void sd_close (socket_descriptor_t *sd); #define PS_SHOW_PORT (1<<1) #define PS_SHOW_PKTINFO (1<<2) #define PS_DONT_SHOW_ADDR (1<<3) +#define PS_DONT_SHOW_FAMILY (1<<4) -const char *print_sockaddr_ex (const struct openvpn_sockaddr *addr, +const char *print_sockaddr_ex (const struct sockaddr *addr, const char* separator, const unsigned int flags, struct gc_arena *gc); +static inline +const char *print_openvpn_sockaddr_ex (const struct openvpn_sockaddr *addr, + const char* separator, + const unsigned int flags, + struct gc_arena *gc) +{ + return print_sockaddr_ex(&addr->addr.sa, separator, flags, gc); +} + +static inline +const char *print_openvpn_sockaddr (const struct openvpn_sockaddr *addr, + struct gc_arena *gc) +{ + return print_sockaddr_ex (&addr->addr.sa, ":", PS_SHOW_PORT, gc); +} + +static inline +const char *print_sockaddr (const struct sockaddr *addr, + struct gc_arena *gc) +{ + return print_sockaddr_ex (addr, ":", PS_SHOW_PORT, gc); +} + -const char *print_sockaddr (const struct openvpn_sockaddr *addr, - struct gc_arena *gc); const char *print_link_socket_actual_ex (const struct link_socket_actual *act, const char* separator, @@ -395,6 +423,8 @@ void bad_address_length (int actual, int expected); */ #define IPV4_INVALID_ADDR 0xffffffff in_addr_t link_socket_current_remote (const struct link_socket_info *info); +const struct in6_addr * link_socket_current_remote_ipv6 + (const struct link_socket_info *info); void link_socket_connection_initiated (const struct buffer *buf, struct link_socket_info *info, @@ -406,6 +436,9 @@ void link_socket_bad_incoming_addr (struct buffer *buf, const struct link_socket_info *info, const struct link_socket_actual *from_addr); +void set_actual_address (struct link_socket_actual* actual, + struct addrinfo* ai); + void link_socket_bad_outgoing_addr (void); void setenv_trusted (struct env_set *es, const struct link_socket_info *info); @@ -429,7 +462,7 @@ bool ip_or_dns_addr_safe (const char *addr, const bool allow_fqdn); bool mac_addr_safe (const char *mac_addr); bool ipv6_addr_safe (const char *ipv6_text_addr); -socket_descriptor_t create_socket_tcp (int af); +socket_descriptor_t create_socket_tcp (struct addrinfo*); socket_descriptor_t socket_do_accept (socket_descriptor_t sd, struct link_socket_actual *act, @@ -481,6 +514,10 @@ bool unix_socket_get_peer_uid_gid (const socket_descriptor_t sd, int *uid, int * #define GETADDR_TRY_ONCE (1<<7) #define GETADDR_UPDATE_MANAGEMENT_STATE (1<<8) #define GETADDR_RANDOMIZE (1<<9) +#define GETADDR_PASSIVE (1<<10) +#define GETADDR_DATAGRAM (1<<11) + +#define GETADDR_CACHE_MASK (GETADDR_DATAGRAM|GETADDR_PASSIVE) in_addr_t getaddr (unsigned int flags, const char *hostname, @@ -490,6 +527,7 @@ in_addr_t getaddr (unsigned int flags, int openvpn_getaddrinfo (unsigned int flags, const char *hostname, + const char *servname, int resolve_retry_seconds, volatile int *signal_received, int ai_family, @@ -505,21 +543,18 @@ int openvpn_getaddrinfo (unsigned int flags, */ enum proto_num { PROTO_NONE, /* catch for uninitialized */ - PROTO_UDPv4, - PROTO_TCPv4_SERVER, - PROTO_TCPv4_CLIENT, - PROTO_TCPv4, - PROTO_UDPv6, - PROTO_TCPv6_SERVER, - PROTO_TCPv6_CLIENT, - PROTO_TCPv6, + PROTO_UDP, + PROTO_TCP, + PROTO_TCP_SERVER, + PROTO_TCP_CLIENT, PROTO_N }; int ascii2proto (const char* proto_name); -const char *proto2ascii (int proto, bool display_form); +sa_family_t ascii2af (const char* proto_name); +const char *proto2ascii (int proto, sa_family_t af, bool display_form); const char *proto2ascii_all (struct gc_arena *gc); -int proto_remote (int proto, bool remote); +const char *proto_remote (int proto, bool remote); const char *addr_family_name(int af); /* @@ -544,12 +579,6 @@ datagram_overhead (int proto) */ static inline bool -legal_ipv4_port (int port) -{ - return port > 0 && port < 65536; -} - -static inline bool link_socket_proto_connection_oriented (int proto) { return !proto_is_dgram(proto); @@ -574,13 +603,30 @@ addr_defined (const struct openvpn_sockaddr *addr) default: return 0; } } + +static inline bool +addr_local (const struct sockaddr *addr) +{ + if (!addr) + return false; + switch (addr->sa_family) { + case AF_INET: + return ((const struct sockaddr_in*)addr)->sin_addr.s_addr == htonl(INADDR_LOOPBACK); + case AF_INET6: + return IN6_IS_ADDR_LOOPBACK(&((const struct sockaddr_in6*)addr)->sin6_addr); + default: + return false; + } +} + + static inline bool addr_defined_ipi (const struct link_socket_actual *lsa) { #if ENABLE_IP_PKTINFO if (!lsa) return 0; switch (lsa->dest.addr.sa.sa_family) { -#ifdef HAVE_IN_PKTINFO +#if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST) case AF_INET: return lsa->pi.in4.ipi_spec_dst.s_addr != 0; #elif defined(IP_RECVDSTADDR) case AF_INET: return lsa->pi.in4.s_addr != 0; @@ -613,6 +659,29 @@ addr_match (const struct openvpn_sockaddr *a1, const struct openvpn_sockaddr *a2 return false; } +static inline bool +addrlist_match (const struct openvpn_sockaddr *a1, const struct addrinfo *addrlist) +{ + const struct addrinfo *curele; + for (curele = addrlist; curele; curele=curele->ai_next) + { + switch(a1->addr.sa.sa_family) + { + case AF_INET: + if (a1->addr.in4.sin_addr.s_addr == ((struct sockaddr_in*)curele->ai_addr)->sin_addr.s_addr) + return true; + break; + case AF_INET6: + if (IN6_ARE_ADDR_EQUAL(&a1->addr.in6.sin6_addr, &((struct sockaddr_in6*) curele->ai_addr)->sin6_addr)) + return true; + break; + default: + ASSERT(0); + } + } + return false; +} + static inline in_addr_t addr_host (const struct openvpn_sockaddr *addr) { @@ -626,6 +695,36 @@ addr_host (const struct openvpn_sockaddr *addr) return ntohl (addr->addr.in4.sin_addr.s_addr); } + +static inline bool +addrlist_port_match (const struct openvpn_sockaddr *a1, const struct addrinfo *a2) +{ + const struct addrinfo *curele; + for(curele=a2;curele;curele = curele->ai_next) + { + switch(a1->addr.sa.sa_family) + { + case AF_INET: + if (curele->ai_family == AF_INET + && a1->addr.in4.sin_addr.s_addr == ((struct sockaddr_in*)curele->ai_addr)->sin_addr.s_addr + && a1->addr.in4.sin_port == ((struct sockaddr_in*)curele->ai_addr)->sin_port) + return true; + break; + case AF_INET6: + if (curele->ai_family == AF_INET6 + && IN6_ARE_ADDR_EQUAL(&a1->addr.in6.sin6_addr, &((struct sockaddr_in6*) curele->ai_addr)->sin6_addr) + && a1->addr.in6.sin6_port == ((struct sockaddr_in6*) curele->ai_addr)->sin6_port) + return true; + break; + default: + ASSERT(0); + } + } + return false; +} + + + static inline bool addr_port_match (const struct openvpn_sockaddr *a1, const struct openvpn_sockaddr *a2) { @@ -634,7 +733,7 @@ addr_port_match (const struct openvpn_sockaddr *a1, const struct openvpn_sockadd return a1->addr.in4.sin_addr.s_addr == a2->addr.in4.sin_addr.s_addr && a1->addr.in4.sin_port == a2->addr.in4.sin_port; case AF_INET6: - return IN6_ARE_ADDR_EQUAL(&a1->addr.in6.sin6_addr, &a2->addr.in6.sin6_addr) + return IN6_ARE_ADDR_EQUAL(&a1->addr.in6.sin6_addr, &a2->addr.in6.sin6_addr) && a1->addr.in6.sin6_port == a2->addr.in6.sin6_port; } ASSERT(0); @@ -651,6 +750,17 @@ addr_match_proto (const struct openvpn_sockaddr *a1, : addr_port_match (a1, a2); } + +static inline bool +addrlist_match_proto (const struct openvpn_sockaddr *a1, + struct addrinfo *addr_list, + const int proto) +{ + return link_socket_proto_connection_oriented (proto) + ? addrlist_match (a1, addr_list) + : addrlist_port_match (a1, addr_list); +} + static inline void addr_zero_host(struct openvpn_sockaddr *addr) { @@ -670,28 +780,15 @@ addr_copy_sa(struct openvpn_sockaddr *dst, const struct openvpn_sockaddr *src) dst->addr = src->addr; } -static inline void -addr_copy_host(struct openvpn_sockaddr *dst, const struct openvpn_sockaddr *src) -{ - switch(src->addr.sa.sa_family) { - case AF_INET: - dst->addr.in4.sin_addr.s_addr = src->addr.in4.sin_addr.s_addr; - break; - case AF_INET6: - dst->addr.in6.sin6_addr = src->addr.in6.sin6_addr; - break; - } -} - static inline bool addr_inet4or6(struct sockaddr *addr) { return addr->sa_family == AF_INET || addr->sa_family == AF_INET6; } -int addr_guess_family(int proto, const char *name); +int addr_guess_family(sa_family_t af,const char *name); static inline int -af_addr_size(unsigned short af) +af_addr_size(sa_family_t af) { switch(af) { case AF_INET: return sizeof (struct sockaddr_in); @@ -745,7 +842,7 @@ socket_connection_reset (const struct link_socket *sock, int status) else if (status < 0) { const int err = openvpn_errno (); -#ifdef WIN32 +#ifdef _WIN32 return err == WSAECONNRESET || err == WSAECONNABORTED; #else return err == ECONNRESET; @@ -767,9 +864,9 @@ link_socket_verify_incoming_addr (struct buffer *buf, case AF_INET: if (!link_socket_actual_defined (from_addr)) return false; - if (info->remote_float || !addr_defined (&info->lsa->remote)) + if (info->remote_float || (!info->lsa->remote_list)) return true; - if (addr_match_proto (&from_addr->dest, &info->lsa->remote, info->proto)) + if (addrlist_match_proto (&from_addr->dest, info->lsa->remote_list, info->proto)) return true; } } @@ -806,13 +903,15 @@ link_socket_set_outgoing_addr (const struct buffer *buf, { struct link_socket_addr *lsa = info->lsa; if ( - /* new or changed address? */ - (!info->connection_established - || !addr_match_proto (&act->dest, &lsa->actual.dest, info->proto)) - /* address undef or address == remote or --float */ - && (info->remote_float - || !addr_defined (&lsa->remote) - || addr_match_proto (&act->dest, &lsa->remote, info->proto)) + /* new or changed address? */ + (!info->connection_established + || !addr_match_proto (&act->dest, &lsa->actual.dest, info->proto) + ) + && + /* address undef or address == remote or --float */ + (info->remote_float || + (!lsa->remote_list || addrlist_match_proto (&act->dest, lsa->remote_list, info->proto)) + ) ) { link_socket_connection_initiated (buf, info, act, common_name, es); @@ -851,7 +950,7 @@ stream_buf_read_setup (struct link_socket* sock) int link_socket_read_tcp (struct link_socket *sock, struct buffer *buf); -#ifdef WIN32 +#ifdef _WIN32 static inline int link_socket_read_udp_win32 (struct link_socket *sock, @@ -865,7 +964,6 @@ link_socket_read_udp_win32 (struct link_socket *sock, int link_socket_read_udp_posix (struct link_socket *sock, struct buffer *buf, - int maxsize, struct link_socket_actual *from); #endif @@ -874,17 +972,16 @@ int link_socket_read_udp_posix (struct link_socket *sock, static inline int link_socket_read (struct link_socket *sock, struct buffer *buf, - int maxsize, struct link_socket_actual *from) { if (proto_is_udp(sock->info.proto)) /* unified UDPv4 and UDPv6 */ { int res; -#ifdef WIN32 +#ifdef _WIN32 res = link_socket_read_udp_win32 (sock, buf, from); #else - res = link_socket_read_udp_posix (sock, buf, maxsize, from); + res = link_socket_read_udp_posix (sock, buf, from); #endif return res; } @@ -909,7 +1006,7 @@ int link_socket_write_tcp (struct link_socket *sock, struct buffer *buf, struct link_socket_actual *to); -#ifdef WIN32 +#ifdef _WIN32 static inline int link_socket_write_win32 (struct link_socket *sock, @@ -936,13 +1033,13 @@ link_socket_write_win32 (struct link_socket *sock, #else -static inline int +static inline size_t link_socket_write_udp_posix (struct link_socket *sock, struct buffer *buf, struct link_socket_actual *to) { #if ENABLE_IP_PKTINFO - int link_socket_write_udp_posix_sendmsg (struct link_socket *sock, + size_t link_socket_write_udp_posix_sendmsg (struct link_socket *sock, struct buffer *buf, struct link_socket_actual *to); @@ -956,7 +1053,7 @@ link_socket_write_udp_posix (struct link_socket *sock, (socklen_t) af_addr_size(to->dest.addr.sa.sa_family)); } -static inline int +static inline size_t link_socket_write_tcp_posix (struct link_socket *sock, struct buffer *buf, struct link_socket_actual *to) @@ -966,12 +1063,12 @@ link_socket_write_tcp_posix (struct link_socket *sock, #endif -static inline int +static inline size_t link_socket_write_udp (struct link_socket *sock, struct buffer *buf, struct link_socket_actual *to) { -#ifdef WIN32 +#ifdef _WIN32 return link_socket_write_win32 (sock, buf, to); #else return link_socket_write_udp_posix (sock, buf, to); @@ -1041,7 +1138,7 @@ socket_read_residual (const struct link_socket *s) static inline event_t socket_event_handle (const struct link_socket *s) { -#ifdef WIN32 +#ifdef _WIN32 return &s->rw_handle; #else return s->sd; @@ -1072,7 +1169,7 @@ socket_set_listen_persistent (struct link_socket *s, static inline void socket_reset_listen_persistent (struct link_socket *s) { -#ifdef WIN32 +#ifdef _WIN32 reset_net_event_win32 (&s->listen_handle, s->sd); #endif } diff --git a/src/openvpn/socks.c b/src/openvpn/socks.c index 57dc02a..5a9ea6c 100644 --- a/src/openvpn/socks.c +++ b/src/openvpn/socks.c @@ -38,8 +38,6 @@ #include "syshead.h" -#ifdef ENABLE_SOCKS - #include "common.h" #include "misc.h" #include "win32.h" @@ -55,22 +53,21 @@ void socks_adjust_frame_parameters (struct frame *frame, int proto) { - if (proto == PROTO_UDPv4) + if (proto == PROTO_UDP) frame_add_to_extra_link (frame, 10); } struct socks_proxy_info * socks_proxy_new (const char *server, - int port, - const char *authfile, - bool retry) + const char *port, + const char *authfile) { struct socks_proxy_info *p; ALLOC_OBJ_CLEAR (p, struct socks_proxy_info); ASSERT (server); - ASSERT (legal_ipv4_port (port)); + ASSERT (port); strncpynt (p->server, server, sizeof (p->server)); p->port = port; @@ -80,7 +77,6 @@ socks_proxy_new (const char *server, else p->authfile[0] = 0; - p->retry = retry; p->defined = true; return p; @@ -404,11 +400,27 @@ recv_socks_reply (socket_descriptor_t sd, return true; } +static int +port_from_servname(const char* servname) +{ + int port =0; + port = atoi(servname); + if(port >0 && port < 65536) + return port; + + struct servent* service; + service = getservbyname(servname, NULL); + if(service) + return service->s_port; + + return 0; +} + void establish_socks_proxy_passthru (struct socks_proxy_info *p, socket_descriptor_t sd, /* already open to proxy */ const char *host, /* openvpn server remote */ - const int port, /* openvpn server port */ + const char *servname, /* openvpn server port */ volatile int *signal_received) { char buf[128]; @@ -429,6 +441,13 @@ establish_socks_proxy_passthru (struct socks_proxy_info *p, buf[4] = (char) len; memcpy(buf + 5, host, len); + int port = port_from_servname (servname); + if (port ==0) + { + msg (D_LINK_ERRORS, "establish_socks_proxy_passthrough: Cannot convert %s to port number", servname); + goto error; + } + buf[5 + len] = (char) (port >> 8); buf[5 + len + 1] = (char) (port & 0xff); @@ -441,6 +460,7 @@ establish_socks_proxy_passthru (struct socks_proxy_info *p, } } + /* receive reply from Socks proxy and discard */ if (!recv_socks_reply (sd, NULL, signal_received)) goto error; @@ -448,9 +468,8 @@ establish_socks_proxy_passthru (struct socks_proxy_info *p, return; error: - /* on error, should we exit or restart? */ if (!*signal_received) - *signal_received = (p->retry ? SIGUSR1 : SIGTERM); /* SOFT-SIGUSR1 -- socks error */ + *signal_received = SIGUSR1; /* SOFT-SIGUSR1 -- socks error */ return; } @@ -486,9 +505,8 @@ establish_socks_proxy_udpassoc (struct socks_proxy_info *p, return; error: - /* on error, should we exit or restart? */ if (!*signal_received) - *signal_received = (p->retry ? SIGUSR1 : SIGTERM); /* SOFT-SIGUSR1 -- socks error */ + *signal_received = SIGUSR1; /* SOFT-SIGUSR1 -- socks error */ return; } @@ -553,7 +571,3 @@ socks_process_outgoing_udp (struct buffer *buf, return 10; } - -#else -static void dummy(void) {} -#endif /* ENABLE_SOCKS */ diff --git a/src/openvpn/socks.h b/src/openvpn/socks.h index b55ff6f..a2843b9 100644 --- a/src/openvpn/socks.h +++ b/src/openvpn/socks.h @@ -30,8 +30,6 @@ #ifndef SOCKS_H #define SOCKS_H -#ifdef ENABLE_SOCKS - #include "buffer.h" struct openvpn_sockaddr; @@ -39,26 +37,24 @@ struct link_socket_actual; struct socks_proxy_info { bool defined; - bool retry; char server[128]; - int port; + const char *port; char authfile[256]; }; void socks_adjust_frame_parameters (struct frame *frame, int proto); struct socks_proxy_info *socks_proxy_new (const char *server, - int port, - const char *authfile, - bool retry); + const char *port, + const char *authfile); void socks_proxy_close (struct socks_proxy_info *sp); void establish_socks_proxy_passthru (struct socks_proxy_info *p, socket_descriptor_t sd, /* already open to proxy */ const char *host, /* openvpn server remote */ - const int port, /* openvpn server port */ + const char *servname, /* openvpn server port */ volatile int *signal_received); void establish_socks_proxy_udpassoc (struct socks_proxy_info *p, @@ -74,4 +70,3 @@ int socks_process_outgoing_udp (struct buffer *buf, const struct link_socket_actual *to); #endif -#endif diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 9e31c3c..dc06350 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -35,7 +35,6 @@ * Both the TLS session and the data channel are multiplexed * over the same TCP/UDP port. */ - #ifdef HAVE_CONFIG_H #include "config.h" #elif defined(_MSC_VER) @@ -45,11 +44,10 @@ #include "syshead.h" #include "win32.h" -#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL) +#if defined(ENABLE_CRYPTO) #include "error.h" #include "common.h" -#include "integer.h" #include "socket.h" #include "misc.h" #include "fdmisc.h" @@ -58,9 +56,8 @@ #include "status.h" #include "gremlin.h" #include "pkcs11.h" -#include "list.h" -#include "base64.h" #include "route.h" +#include "tls_crypt.h" #include "ssl.h" #include "ssl_verify.h" @@ -150,6 +147,7 @@ static const tls_cipher_name_pair tls_cipher_name_translation_table[] = { {"DHE-RSA-CAMELLIA128-SHA", "TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA"}, {"DHE-RSA-CAMELLIA256-SHA256", "TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256"}, {"DHE-RSA-CAMELLIA256-SHA", "TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA"}, + {"DHE-RSA-CHACHA20-POLY1305", "TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256"}, {"DHE-RSA-SEED-SHA", "TLS-DHE-RSA-WITH-SEED-CBC-SHA"}, {"DH-RSA-SEED-SHA", "TLS-DH-RSA-WITH-SEED-CBC-SHA"}, {"ECDH-ECDSA-AES128-GCM-SHA256", "TLS-ECDH-ECDSA-WITH-AES-128-GCM-SHA256"}, @@ -178,6 +176,7 @@ static const tls_cipher_name_pair tls_cipher_name_translation_table[] = { {"ECDHE-ECDSA-CAMELLIA128-SHA", "TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-CBC-SHA"}, {"ECDHE-ECDSA-CAMELLIA256-SHA256", "TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-CBC-SHA256"}, {"ECDHE-ECDSA-CAMELLIA256-SHA", "TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-CBC-SHA"}, + {"ECDHE-ECDSA-CHACHA20-POLY1305", "TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256"}, {"ECDHE-ECDSA-DES-CBC3-SHA", "TLS-ECDHE-ECDSA-WITH-3DES-EDE-CBC-SHA"}, {"ECDHE-ECDSA-DES-CBC-SHA", "TLS-ECDHE-ECDSA-WITH-DES-CBC-SHA"}, {"ECDHE-ECDSA-RC4-SHA", "TLS-ECDHE-ECDSA-WITH-RC4-128-SHA"}, @@ -193,6 +192,7 @@ static const tls_cipher_name_pair tls_cipher_name_translation_table[] = { {"ECDHE-RSA-CAMELLIA128-SHA", "TLS-ECDHE-RSA-WITH-CAMELLIA-128-CBC-SHA"}, {"ECDHE-RSA-CAMELLIA256-SHA256", "TLS-ECDHE-RSA-WITH-CAMELLIA-256-CBC-SHA256"}, {"ECDHE-RSA-CAMELLIA256-SHA", "TLS-ECDHE-RSA-WITH-CAMELLIA-256-CBC-SHA"}, + {"ECDHE-RSA-CHACHA20-POLY1305", "TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256"}, {"ECDHE-RSA-DES-CBC3-SHA", "TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA"}, {"ECDHE-RSA-DES-CBC-SHA", "TLS-ECDHE-RSA-WITH-DES-CBC-SHA"}, {"ECDHE-RSA-RC4-SHA", "TLS-ECDHE-RSA-WITH-RC4-128-SHA"}, @@ -237,21 +237,37 @@ static const tls_cipher_name_pair tls_cipher_name_translation_table[] = { {"SRP-RSA-AES-128-CBC-SHA", "TLS-SRP-SHA-RSA-WITH-AES-128-CBC-SHA"}, {"SRP-RSA-AES-256-CBC-SHA", "TLS-SRP-SHA-RSA-WITH-AES-256-CBC-SHA"}, #ifdef ENABLE_CRYPTO_OPENSSL + /* OpenSSL-specific group names */ {"DEFAULT", "DEFAULT"}, {"ALL", "ALL"}, - {"HIGH", "HIGH"}, - {"MEDIUM", "MEDIUM"}, - {"LOW", "LOW"}, - {"ECDH", "ECDH"}, - {"ECDSA", "ECDSA"}, - {"EDH", "EDH"}, - {"EXP", "EXP"}, - {"RSA", "RSA"}, - {"SRP", "SRP"}, + {"HIGH", "HIGH"}, {"!HIGH", "!HIGH"}, + {"MEDIUM", "MEDIUM"}, {"!MEDIUM", "!MEDIUM"}, + {"LOW", "LOW"}, {"!LOW", "!LOW"}, + {"ECDH", "ECDH"}, {"!ECDH", "!ECDH"}, + {"ECDSA", "ECDSA"}, {"!ECDSA", "!ECDSA"}, + {"EDH", "EDH"}, {"!EDH", "!EDH"}, + {"EXP", "EXP"}, {"!EXP", "!EXP"}, + {"RSA", "RSA"}, {"!RSA", "!RSA"}, + {"kRSA", "kRSA"}, {"!kRSA", "!kRSA"}, + {"SRP", "SRP"}, {"!SRP", "!SRP"}, #endif {NULL, NULL} }; +/** + * Update the implicit IV for a key_ctx_bi based on TLS session ids and cipher + * used. + * + * Note that the implicit IV is based on the HMAC key, but only in AEAD modes + * where the HMAC key is not used for an actual HMAC. + * + * @param ctx Encrypt/decrypt key context + * @param key HMAC key, used to calculate implicit IV + * @param key_len HMAC key length + */ +static void +key_ctx_update_implicit_iv(struct key_ctx *ctx, uint8_t *key, size_t key_len); + const tls_cipher_name_pair * tls_get_cipher_name_pair (const char * cipher_name, size_t len) { const tls_cipher_name_pair * pair = tls_cipher_name_translation_table; @@ -268,6 +284,27 @@ tls_get_cipher_name_pair (const char * cipher_name, size_t len) { return NULL; } +/** + * Limit the reneg_bytes value when using a small-block (<128 bytes) cipher. + * + * @param cipher The current cipher (may be NULL). + * @param reneg_bytes Pointer to the current reneg_bytes, updated if needed. + * May *not* be NULL. + */ +static void +tls_limit_reneg_bytes (const cipher_kt_t *cipher, int *reneg_bytes) +{ + if (cipher && (cipher_kt_block_size(cipher) < 128/8)) + { + if (*reneg_bytes == -1) /* Not user-specified */ + { + msg (M_WARN, "WARNING: cipher with small block size in use, " + "reducing reneg-bytes to 64MB to mitigate SWEET32 attacks."); + *reneg_bytes = 64 * 1024 * 1024; + } + } +} + /* * Max number of bytes we will add * for data structures common to both @@ -488,12 +525,15 @@ init_ssl (const struct options *options, struct tls_root_ctx *new_ctx) if (options->tls_server) { - tls_ctx_server_new(new_ctx, options->ssl_flags); - tls_ctx_load_dh_params(new_ctx, options->dh_file, options->dh_file_inline); + tls_ctx_server_new(new_ctx); + + if (options->dh_file) + tls_ctx_load_dh_params(new_ctx, options->dh_file, + options->dh_file_inline); } else /* if client */ { - tls_ctx_client_new(new_ctx, options->ssl_flags); + tls_ctx_client_new(new_ctx); } tls_ctx_set_options(new_ctx, options->ssl_flags); @@ -522,10 +562,19 @@ init_ssl (const struct options *options, struct tls_root_ctx *new_ctx) } #endif #ifdef MANAGMENT_EXTERNAL_KEY - else if ((options->management_flags & MF_EXTERNAL_KEY) && options->cert_file) - { - tls_ctx_use_external_private_key(new_ctx, options->cert_file, - options->cert_file_inline); + else if ((options->management_flags & MF_EXTERNAL_KEY) && + (options->cert_file || options->management_flags & MF_EXTERNAL_CERT)) + { + if (options->cert_file) { + tls_ctx_use_external_private_key(new_ctx, options->cert_file, + options->cert_file_inline); + } else { + char *external_certificate = management_query_cert(management, + options->management_certificate); + tls_ctx_use_external_private_key(new_ctx, INLINE_FILE_TAG, + external_certificate); + free(external_certificate); + } } #endif else @@ -552,7 +601,7 @@ init_ssl (const struct options *options, struct tls_root_ctx *new_ctx) /* Load extra certificates that are part of our own certificate chain but shouldn't be included in the verify chain */ - if (options->extra_certs_file || options->extra_certs_file_inline) + if (options->extra_certs_file) { tls_ctx_load_extra_certs(new_ctx, options->extra_certs_file, options->extra_certs_file_inline); } @@ -560,10 +609,20 @@ init_ssl (const struct options *options, struct tls_root_ctx *new_ctx) /* Check certificate notBefore and notAfter */ tls_ctx_check_cert_time(new_ctx); + /* Read CRL */ + if (options->crl_file && !(options->ssl_flags & SSLF_CRL_VERIFY_DIR)) + { + tls_ctx_reload_crl(new_ctx, options->crl_file, options->crl_file_inline); + } + + /* Once keys and cert are loaded, load ECDH parameters */ + if (options->tls_server) + tls_ctx_load_ecdh_params(new_ctx, options->ecdh_curve); + /* Allowable ciphers */ tls_ctx_restrict_ciphers(new_ctx, options->cipher_list); -#ifdef ENABLE_CRYPTO_POLARSSL +#ifdef ENABLE_CRYPTO_MBEDTLS /* Personalise the random by mixing in the certificate */ tls_ctx_personalise_random (new_ctx); #endif @@ -766,11 +825,17 @@ key_state_init (struct tls_session *session, struct key_state *ks) reliable_set_timeout (ks->send_reliable, session->opt->packet_timeout); /* init packet ID tracker */ - packet_id_init (&ks->packet_id, - session->opt->tcp_mode, - session->opt->replay_window, - session->opt->replay_time, - "SSL", ks->key_id); + if (session->opt->replay) + { + packet_id_init (&ks->crypto_options.packet_id, + session->opt->replay_window, session->opt->replay_time, "SSL", + ks->key_id); + } + + ks->crypto_options.pid_persist = NULL; + ks->crypto_options.flags = session->opt->crypto_flags; + ks->crypto_options.flags &= session->opt->crypto_flags_and; + ks->crypto_options.flags |= session->opt->crypto_flags_or; #ifdef MANAGEMENT_DEF_AUTH ks->mda_key_id = session->opt->mda_context->mda_key_id_counter++; @@ -798,7 +863,7 @@ key_state_free (struct key_state *ks, bool clear) key_state_ssl_free(&ks->ks_ssl); - free_key_ctx_bi (&ks->key); + free_key_ctx_bi (&ks->crypto_options.key_ctx_bi); free_buf (&ks->plaintext_read_buf); free_buf (&ks->plaintext_write_buf); free_buf (&ks->ack_write_buf); @@ -822,7 +887,7 @@ key_state_free (struct key_state *ks, bool clear) if (ks->key_src) free (ks->key_src); - packet_id_free (&ks->packet_id); + packet_id_free (&ks->crypto_options.packet_id); #ifdef PLUGIN_DEF_AUTH key_state_rm_auth_control_file (ks); @@ -837,11 +902,23 @@ key_state_free (struct key_state *ks, bool clear) /** @} addtogroup control_processor */ -/* - * Must be called if we move a tls_session in memory. +/** + * Returns whether or not the server should check for username/password + * + * @param session The current TLS session + * + * @return true if username and password verification is enabled, + * false if not. */ -static inline void tls_session_set_self_referential_pointers (struct tls_session* session) { - session->tls_auth.packet_id = &session->tls_auth_pid; +static inline bool +tls_session_user_pass_enabled(struct tls_session *session) +{ + return (session->opt->auth_user_pass_verify_script + || plugin_defined (session->opt->plugins, OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY) +#ifdef MANAGEMENT_DEF_AUTH + || management_enable_def_auth (management) +#endif + ); } @@ -895,20 +972,18 @@ tls_session_init (struct tls_multi *multi, struct tls_session *session) } /* Initialize control channel authentication parameters */ - session->tls_auth = session->opt->tls_auth; - - /* Set session internal pointers (also called if session object is moved in memory) */ - tls_session_set_self_referential_pointers (session); + session->tls_wrap = session->opt->tls_wrap; + session->tls_wrap.work = alloc_buf (TLS_CHANNEL_BUF_SIZE); /* initialize packet ID replay window for --tls-auth */ - packet_id_init (session->tls_auth.packet_id, - session->opt->tcp_mode, + packet_id_init (&session->tls_wrap.opt.packet_id, session->opt->replay_window, session->opt->replay_time, - "TLS_AUTH", session->key_id); + "TLS_WRAP", session->key_id); /* load most recent packet-id to replay protect on --tls-auth */ - packet_id_persist_load_obj (session->tls_auth.pid_persist, session->tls_auth.packet_id); + packet_id_persist_load_obj (session->tls_wrap.opt.pid_persist, + &session->tls_wrap.opt.packet_id); key_state_init (session, &session->key[KS_PRIMARY]); @@ -935,8 +1010,10 @@ tls_session_free (struct tls_session *session, bool clear) { int i; - if (session->tls_auth.packet_id) - packet_id_free (session->tls_auth.packet_id); + if (packet_id_initialized(&session->tls_wrap.opt.packet_id)) + packet_id_free (&session->tls_wrap.opt.packet_id); + + free_buf (&session->tls_wrap.work); for (i = 0; i < KS_SIZE; ++i) key_state_free (&session->key[i], false); @@ -967,7 +1044,6 @@ move_session (struct tls_multi* multi, int dest, int src, bool reinit_src) ASSERT (dest >= 0 && dest < TM_SIZE); tls_session_free (&multi->session[dest], false); multi->session[dest] = multi->session[src]; - tls_session_set_self_referential_pointers (&multi->session[dest]); if (reinit_src) tls_session_init (multi, &multi->session[src]); @@ -984,22 +1060,6 @@ reset_session (struct tls_multi *multi, struct tls_session *session) tls_session_init (multi, session); } -#if 0 -/* - * Transmit a TLS reset on our untrusted channel. - */ -static void -initiate_untrusted_session (struct tls_multi *multi, struct sockaddr_in *to) -{ - struct tls_session *session = &multi->session[TM_UNTRUSTED]; - struct key_state *ks = &session->key[KS_PRIMARY]; - - reset_session (multi, session); - ks->remote_addr = *to; - msg (D_TLS_DEBUG_LOW, "TLS: initiate_untrusted_session: addr=%s", print_sockaddr (to)); -} -#endif - /* * Used to determine in how many seconds we should be * called again. @@ -1048,9 +1108,6 @@ tls_multi_init (struct tls_options *tls_options) /* get command line derived options */ ret->opt = *tls_options; - /* set up pointer to HMAC object for TLS packet authentication */ - ret->opt.tls_auth.key_ctx_bi = &ret->opt.tls_auth_key; - /* set up list of keys to be scanned by data channel encrypt and decrypt routines */ ASSERT (SIZE (ret->key_scan) == 3); ret->key_scan[0] = &ret->session[TM_ACTIVE].key[KS_PRIMARY]; @@ -1088,10 +1145,14 @@ tls_auth_standalone_init (struct tls_options *tls_options, ALLOC_OBJ_CLEAR_GC (tas, struct tls_auth_standalone, gc); - /* set up pointer to HMAC object for TLS packet authentication */ - tas->tls_auth_key = tls_options->tls_auth_key; - tas->tls_auth_options.key_ctx_bi = &tas->tls_auth_key; - tas->tls_auth_options.flags |= CO_PACKET_ID_LONG_FORM; + tas->tls_wrap = tls_options->tls_wrap; + + /* + * Standalone tls-auth is in read-only mode with respect to TLS + * control channel state. After we build a new client instance + * object, we will process this session-initiating packet for real. + */ + tas->tls_wrap.opt.flags |= CO_IGNORE_PACKET_ID; /* get initial frame parms, still need to finalize */ tas->frame = tls_options->frame; @@ -1136,6 +1197,8 @@ tls_multi_free (struct tls_multi *multi, bool clear) #ifdef MANAGEMENT_DEF_AUTH man_def_auth_set_client_reason(multi, NULL); +#endif +#if P2MP_SERVER free (multi->peer_info); #endif @@ -1147,6 +1210,12 @@ tls_multi_free (struct tls_multi *multi, bool clear) cert_hash_free (multi->locked_cert_hash_set); + if (multi->auth_token) + { + memset (multi->auth_token, 0, AUTH_TOKEN_SIZE); + free (multi->auth_token); + } + for (i = 0; i < TM_SIZE; ++i) tls_session_free (&multi->session[i], false); @@ -1171,11 +1240,11 @@ tls_multi_free (struct tls_multi *multi, bool clear) static bool swap_hmac (struct buffer *buf, const struct crypto_options *co, bool incoming) { - struct key_ctx *ctx; + const struct key_ctx *ctx; ASSERT (co); - ctx = (incoming ? &co->key_ctx_bi->decrypt : &co->key_ctx_bi->encrypt); + ctx = (incoming ? &co->key_ctx_bi.decrypt : &co->key_ctx_bi.encrypt); ASSERT (ctx->hmac); { @@ -1230,20 +1299,34 @@ write_control_auth (struct tls_session *session, int max_ack, bool prepend_ack) { - uint8_t *header; + uint8_t header = ks->key_id | (opcode << P_OPCODE_SHIFT); struct buffer null = clear_buf (); ASSERT (link_socket_actual_defined (&ks->remote_addr)); ASSERT (reliable_ack_write (ks->rec_ack, buf, &ks->session_id_remote, max_ack, prepend_ack)); - ASSERT (session_id_write_prepend (&session->session_id, buf)); - ASSERT (header = buf_prepend (buf, 1)); - *header = ks->key_id | (opcode << P_OPCODE_SHIFT); - if (session->tls_auth.key_ctx_bi->encrypt.hmac) + + if (session->tls_wrap.mode == TLS_WRAP_AUTH || + session->tls_wrap.mode == TLS_WRAP_NONE) + { + ASSERT (session_id_write_prepend (&session->session_id, buf)); + ASSERT (buf_write_prepend (buf, &header, sizeof(header))); + } + if (session->tls_wrap.mode == TLS_WRAP_AUTH) { /* no encryption, only write hmac */ - openvpn_encrypt (buf, null, &session->tls_auth, NULL); - ASSERT (swap_hmac (buf, &session->tls_auth, false)); + openvpn_encrypt (buf, null, &session->tls_wrap.opt); + ASSERT (swap_hmac (buf, &session->tls_wrap.opt, false)); + } + else if (session->tls_wrap.mode == TLS_WRAP_CRYPT) + { + buf_init (&session->tls_wrap.work, buf->offset); + ASSERT (buf_write (&session->tls_wrap.work, &header, sizeof(header))); + ASSERT (session_id_write (&session->session_id, &session->tls_wrap.work)); + ASSERT (tls_crypt_wrap (buf, &session->tls_wrap.work, &session->tls_wrap.opt)); + /* Don't change the original data in buf, it's used by the reliability + * layer to resend on failure. */ + *buf = session->tls_wrap.work; } *to_link_addr = &ks->remote_addr; } @@ -1253,17 +1336,18 @@ write_control_auth (struct tls_session *session, */ static bool read_control_auth (struct buffer *buf, - const struct crypto_options *co, + struct tls_wrap_ctx *ctx, const struct link_socket_actual *from) { struct gc_arena gc = gc_new (); + bool ret = false; - if (co->key_ctx_bi->decrypt.hmac) + if (ctx->mode == TLS_WRAP_AUTH) { struct buffer null = clear_buf (); /* move the hmac record to the front of the packet */ - if (!swap_hmac (buf, co, true)) + if (!swap_hmac (buf, &ctx->opt, true)) { msg (D_TLS_ERRORS, "TLS Error: cannot locate HMAC in incoming packet from %s", @@ -1274,24 +1358,41 @@ read_control_auth (struct buffer *buf, /* authenticate only (no decrypt) and remove the hmac record from the head of the buffer */ - openvpn_decrypt (buf, null, co, NULL); + openvpn_decrypt (buf, null, &ctx->opt, NULL, BPTR (buf)); if (!buf->len) { msg (D_TLS_ERRORS, "TLS Error: incoming packet authentication failed from %s", print_link_socket_actual (from, &gc)); - gc_free (&gc); - return false; + goto cleanup; } } + else if (ctx->mode == TLS_WRAP_CRYPT) + { + struct buffer tmp = alloc_buf (buf_forward_capacity_total (buf)); + if (!tls_crypt_unwrap (buf, &tmp, &ctx->opt)) + { + msg (D_TLS_ERRORS, "TLS Error: tls-crypt unwrapping failed from %s", + print_link_socket_actual (from, &gc)); + goto cleanup; + } + ASSERT (buf_init (buf, buf->offset)); + ASSERT (buf_copy (buf, &tmp)); + free_buf (&tmp); + } - /* advance buffer pointer past opcode & session_id since our caller - already read it */ - buf_advance (buf, SID_SIZE + 1); + if (ctx->mode == TLS_WRAP_NONE || ctx->mode == TLS_WRAP_AUTH) + { + /* advance buffer pointer past opcode & session_id since our caller + already read it */ + buf_advance (buf, SID_SIZE + 1); + } + ret = true; +cleanup: gc_free (&gc); - return true; + return ret; } /* @@ -1352,7 +1453,7 @@ tls1_P_hash(const md_kt_t *md_kt, int olen) { struct gc_arena gc = gc_new (); - int chunk,n; + int chunk; hmac_ctx_t ctx; hmac_ctx_t ctx_tmp; uint8_t A1[MAX_HMAC_KEY_LENGTH]; @@ -1378,7 +1479,6 @@ tls1_P_hash(const md_kt_t *md_kt, hmac_ctx_update(&ctx,seed,seed_len); hmac_ctx_final(&ctx, A1); - n=0; for (;;) { hmac_ctx_reset(&ctx); @@ -1429,7 +1529,7 @@ tls1_P_hash(const md_kt_t *md_kt, * (2) The pre-master secret is generated by the client. */ static void -tls1_PRF(uint8_t *label, +tls1_PRF(const uint8_t *label, int label_len, const uint8_t *sec, int slen, @@ -1581,6 +1681,13 @@ generate_key_expansion (struct key_ctx_bi *key, OPENVPN_OP_DECRYPT, "Data Channel Decrypt"); + /* Initialize implicit IVs */ + key_ctx_update_implicit_iv (&key->encrypt, key2.keys[(int)server].hmac, + MAX_HMAC_KEY_LENGTH); + key_ctx_update_implicit_iv (&key->decrypt, key2.keys[1-(int)server].hmac, + MAX_HMAC_KEY_LENGTH); + + key->initialized = true; ret = true; exit: @@ -1590,6 +1697,96 @@ generate_key_expansion (struct key_ctx_bi *key, return ret; } +static void +key_ctx_update_implicit_iv(struct key_ctx *ctx, uint8_t *key, size_t key_len) { + const cipher_kt_t *cipher_kt = cipher_ctx_get_cipher_kt (ctx->cipher); + + /* Only use implicit IV in AEAD cipher mode, where HMAC key is not used */ + if (cipher_kt_mode_aead (cipher_kt)) + { + size_t impl_iv_len = 0; + ASSERT (cipher_kt_iv_size (cipher_kt) >= OPENVPN_AEAD_MIN_IV_LEN); + impl_iv_len = cipher_kt_iv_size (cipher_kt) - sizeof (packet_id_type); + ASSERT (impl_iv_len <= OPENVPN_MAX_IV_LENGTH); + ASSERT (impl_iv_len <= key_len); + memcpy (ctx->implicit_iv, key, impl_iv_len); + ctx->implicit_iv_len = impl_iv_len; + } +} + +static bool +item_in_list(const char *item, const char *list) +{ + char *tmp_ciphers = string_alloc (list, NULL); + char *tmp_ciphers_orig = tmp_ciphers; + + const char *token = strtok (tmp_ciphers, ":"); + while(token) + { + if (0 == strcmp (token, item)) + break; + token = strtok (NULL, ":"); + } + free(tmp_ciphers_orig); + + return token != NULL; +} + +bool +tls_session_update_crypto_params(struct tls_session *session, + const struct options *options, struct frame *frame) +{ + bool ret = false; + struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */ + + ASSERT (ks->authenticated); + + if (!session->opt->server && + 0 != strcmp(options->ciphername, session->opt->config_ciphername) && + !item_in_list(options->ciphername, options->ncp_ciphers)) + { + msg (D_TLS_ERRORS, "Error: pushed cipher not allowed - %s not in %s or %s", + options->ciphername, session->opt->config_ciphername, + options->ncp_ciphers); + return false; + } + + init_key_type (&session->opt->key_type, options->ciphername, + options->authname, options->keysize, true, true); + + bool packet_id_long_form = cipher_kt_mode_ofb_cfb (session->opt->key_type.cipher); + session->opt->crypto_flags_and &= ~(CO_PACKET_ID_LONG_FORM); + if (packet_id_long_form) + session->opt->crypto_flags_and = CO_PACKET_ID_LONG_FORM; + + /* Update frame parameters: undo worst-case overhead, add actual overhead */ + frame_add_to_extra_frame (frame, -(crypto_max_overhead())); + crypto_adjust_frame_parameters (frame, &session->opt->key_type, + options->use_iv, options->replay, packet_id_long_form); + frame_finalize(frame, options->ce.link_mtu_defined, options->ce.link_mtu, + options->ce.tun_mtu_defined, options->ce.tun_mtu); + frame_init_mssfix(frame, options); + frame_print (frame, D_MTU_INFO, "Data Channel MTU parms"); + + const struct session_id *client_sid = session->opt->server ? + &ks->session_id_remote : &session->session_id; + const struct session_id *server_sid = !session->opt->server ? + &ks->session_id_remote : &session->session_id; + if (!generate_key_expansion (&ks->crypto_options.key_ctx_bi, + &session->opt->key_type, ks->key_src, client_sid, server_sid, + session->opt->server)) + { + msg (D_TLS_ERRORS, "TLS Error: server generate_key_expansion failed"); + goto cleanup; + } + tls_limit_reneg_bytes (session->opt->key_type.cipher, + &session->opt->renegotiate_bytes); + ret = true; +cleanup: + CLEAR (*ks->key_src); + return ret; +} + static bool random_bytes_to_buf (struct buffer *buf, uint8_t *out, @@ -1762,7 +1959,6 @@ key_method_1_write (struct buffer *buf, struct tls_session *session) { struct key key; struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */ - struct key_state *ks_lame = &session->key[KS_LAME_DUCK]; /* retiring key */ ASSERT (session->opt->key_method == 1); ASSERT (buf_init (buf, 0)); @@ -1780,8 +1976,9 @@ key_method_1_write (struct buffer *buf, struct tls_session *session) return false; } - init_key_ctx (&ks->key.encrypt, &key, &session->opt->key_type, - OPENVPN_OP_ENCRYPT, "Data Channel Encrypt"); + init_key_ctx (&ks->crypto_options.key_ctx_bi.encrypt, &key, + &session->opt->key_type, OPENVPN_OP_ENCRYPT, + "Data Channel Encrypt"); CLEAR (key); /* send local options string */ @@ -1827,17 +2024,30 @@ push_peer_info(struct buffer *buf, struct tls_session *session) buf_printf (&out, "IV_PLAT=netbsd\n"); #elif defined(TARGET_FREEBSD) buf_printf (&out, "IV_PLAT=freebsd\n"); -#elif defined(WIN32) +#elif defined(TARGET_ANDROID) + buf_printf (&out, "IV_PLAT=android\n"); +#elif defined(_WIN32) buf_printf (&out, "IV_PLAT=win\n"); #endif - /* push LZO status */ -#ifdef ENABLE_LZO_STUB - buf_printf (&out, "IV_LZO_STUB=1\n"); -#endif /* support for P_DATA_V2 */ buf_printf(&out, "IV_PROTO=2\n"); + /* support for Negotiable Crypto Paramters */ + if (session->opt->ncp_enabled && + (session->opt->mode == MODE_SERVER || session->opt->pull)) + { + buf_printf(&out, "IV_NCP=2\n"); + } + + /* push compression status */ +#ifdef USE_COMP + comp_generate_peer_info_string(&session->opt->comp_options, &out); +#endif + + /* support for redirecting IPv6 gateway */ + buf_printf(&out, "IV_RGI6=1\n"); + if (session->opt->push_peer_info_detail >= 2) { /* push mac addr */ @@ -1846,17 +2056,19 @@ push_peer_info(struct buffer *buf, struct tls_session *session) if (rgi.flags & RGI_HWADDR_DEFINED) buf_printf (&out, "IV_HWADDR=%s\n", format_hex_ex (rgi.hwaddr, 6, 0, 1, ":", &gc)); buf_printf (&out, "IV_SSL=%s\n", get_ssl_library_version() ); -#if defined(WIN32) +#if defined(_WIN32) buf_printf (&out, "IV_PLAT_VER=%s\n", win32_version_string (&gc, false)); #endif } - /* push env vars that begin with UV_ and IV_GUI_VER */ + /* push env vars that begin with UV_, IV_PLAT_VER and IV_GUI_VER */ for (e=es->list; e != NULL; e=e->next) { if (e->string) { - if (((strncmp(e->string, "UV_", 3)==0 && session->opt->push_peer_info_detail >= 2) + if ((((strncmp(e->string, "UV_", 3)==0 || + strncmp(e->string, "IV_PLAT_VER=", sizeof("IV_PLAT_VER=")-1)==0) + && session->opt->push_peer_info_detail >= 2) || (strncmp(e->string,"IV_GUI_VER=",sizeof("IV_GUI_VER=")-1)==0)) && buf_safe(&out, strlen(e->string)+1)) buf_printf (&out, "%s\n", e->string); @@ -1883,7 +2095,6 @@ static bool key_method_2_write (struct buffer *buf, struct tls_session *session) { struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */ - struct key_state *ks_lame = &session->key[KS_LAME_DUCK]; /* retiring key */ ASSERT (session->opt->key_method == 2); ASSERT (buf_init (buf, 0)); @@ -1931,14 +2142,17 @@ key_method_2_write (struct buffer *buf, struct tls_session *session) if (!push_peer_info (buf, session)) goto error; - /* - * generate tunnel keys if server + /* Generate tunnel keys if we're a TLS server. + * If we're a p2mp server and IV_NCP >= 2 is negotiated, the first key + * generation is postponed until after the pull/push, so we can process pushed + * cipher directives. */ - if (session->opt->server) + if (session->opt->server && !(session->opt->ncp_enabled && + session->opt->mode == MODE_SERVER && ks->key_id <= 0)) { if (ks->authenticated) { - if (!generate_key_expansion (&ks->key, + if (!generate_key_expansion (&ks->crypto_options.key_ctx_bi, &session->opt->key_type, ks->key_src, &ks->session_id_remote, @@ -1951,6 +2165,8 @@ key_method_2_write (struct buffer *buf, struct tls_session *session) } CLEAR (*ks->key_src); + tls_limit_reneg_bytes (session->opt->key_type.cipher, + &session->opt->renegotiate_bytes); } return true; @@ -1967,7 +2183,6 @@ key_method_1_read (struct buffer *buf, struct tls_session *session) int status; struct key key; struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */ - struct key_state *ks_lame = &session->key[KS_LAME_DUCK]; /* retiring key */ ASSERT (session->opt->key_method == 1); @@ -2010,8 +2225,9 @@ key_method_1_read (struct buffer *buf, struct tls_session *session) buf_clear (buf); - init_key_ctx (&ks->key.decrypt, &key, &session->opt->key_type, - OPENVPN_OP_DECRYPT, "Data Channel Decrypt"); + init_key_ctx (&ks->crypto_options.key_ctx_bi.decrypt, &key, + &session->opt->key_type, OPENVPN_OP_DECRYPT, + "Data Channel Decrypt"); CLEAR (key); ks->authenticated = true; return true; @@ -2026,13 +2242,13 @@ static bool key_method_2_read (struct buffer *buf, struct tls_multi *multi, struct tls_session *session) { struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */ - struct key_state *ks_lame = &session->key[KS_LAME_DUCK]; /* retiring key */ int key_method_flags; bool username_status, password_status; struct gc_arena gc = gc_new (); char *options; + struct user_pass *up; /* allocate temporary objects */ ALLOC_ARRAY_CLEAR_GC (options, char, TLS_OPTIONS_LEN, &gc); @@ -2072,15 +2288,31 @@ key_method_2_read (struct buffer *buf, struct tls_multi *multi, struct tls_sessi ks->authenticated = false; - if (verify_user_pass_enabled(session)) - { - /* Perform username/password authentication */ - struct user_pass *up; + /* always extract username + password fields from buf, even if not + * authenticating for it, because otherwise we can't get at the + * peer_info data which follows behind + */ + ALLOC_OBJ_CLEAR_GC (up, struct user_pass, &gc); + username_status = read_string (buf, up->username, USER_PASS_LEN); + password_status = read_string (buf, up->password, USER_PASS_LEN); + +#if P2MP_SERVER + /* get peer info from control channel */ + free (multi->peer_info); + multi->peer_info = read_string_alloc (buf); + if ( multi->peer_info ) + output_peer_info_env (session->opt->es, multi->peer_info); - ALLOC_OBJ_CLEAR_GC (up, struct user_pass, &gc); - username_status = read_string (buf, up->username, USER_PASS_LEN); - password_status = read_string (buf, up->password, USER_PASS_LEN); + if (tls_peer_info_ncp_ver (multi->peer_info) < 2) + { + /* Peer does not support NCP */ + session->opt->ncp_enabled = false; + } +#endif + if (tls_session_user_pass_enabled(session)) + { + /* Perform username/password authentication */ if (!username_status || !password_status) { CLEAR (*up); @@ -2091,14 +2323,7 @@ key_method_2_read (struct buffer *buf, struct tls_multi *multi, struct tls_sessi } } -#ifdef MANAGEMENT_DEF_AUTH - /* get peer info from control channel */ - free (multi->peer_info); - multi->peer_info = read_string_alloc (buf); -#endif - verify_user_pass(up, multi, session); - CLEAR (*up); } else { @@ -2112,6 +2337,9 @@ key_method_2_read (struct buffer *buf, struct tls_multi *multi, struct tls_sessi ks->authenticated = true; } + /* clear username and password from memory */ + CLEAR (*up); + /* Perform final authentication checks */ if (ks->authenticated) { @@ -2140,16 +2368,22 @@ key_method_2_read (struct buffer *buf, struct tls_multi *multi, struct tls_sessi */ if (ks->authenticated && plugin_defined (session->opt->plugins, OPENVPN_PLUGIN_TLS_FINAL)) { + key_state_export_keying_material(&ks->ks_ssl, session); + if (plugin_call (session->opt->plugins, OPENVPN_PLUGIN_TLS_FINAL, NULL, NULL, session->opt->es) != OPENVPN_PLUGIN_FUNC_SUCCESS) ks->authenticated = false; + + setenv_del (session->opt->es, "exported_keying_material"); } /* - * Generate tunnel keys if client + * Generate tunnel keys if we're a client. + * If --pull is enabled, the first key generation is postponed until after the + * pull/push, so we can process pushed cipher directives. */ - if (!session->opt->server) + if (!session->opt->server && (!session->opt->pull || ks->key_id > 0)) { - if (!generate_key_expansion (&ks->key, + if (!generate_key_expansion (&ks->crypto_options.key_ctx_bi, &session->opt->key_type, ks->key_src, &session->session_id, @@ -2159,8 +2393,10 @@ key_method_2_read (struct buffer *buf, struct tls_multi *multi, struct tls_sessi msg (D_TLS_ERRORS, "TLS Error: client generate_key_expansion failed"); goto error; } - + CLEAR (*ks->key_src); + tls_limit_reneg_bytes (session->opt->key_type.cipher, + &session->opt->renegotiate_bytes); } gc_free (&gc); @@ -2217,11 +2453,11 @@ tls_process (struct tls_multi *multi, if (ks->state >= S_ACTIVE && ((session->opt->renegotiate_seconds && now >= ks->established + session->opt->renegotiate_seconds) - || (session->opt->renegotiate_bytes + || (session->opt->renegotiate_bytes > 0 && ks->n_bytes >= session->opt->renegotiate_bytes) || (session->opt->renegotiate_packets && ks->n_packets >= session->opt->renegotiate_packets) - || (packet_id_close_to_wrapping (&ks->packet_id.send)))) + || (packet_id_close_to_wrapping (&ks->crypto_options.packet_id.send)))) { msg (D_TLS_DEBUG_LOW, "TLS: soft reset sec=%d bytes=" counter_format "/%d pkts=" counter_format "/%d", @@ -2257,269 +2493,274 @@ tls_process (struct tls_multi *multi, * CHANGED with 2.0 -> now we may send tunnel configuration * info over the control channel. */ - if (true) + + /* Initial handshake */ + if (ks->state == S_INITIAL) { - /* Initial handshake */ - if (ks->state == S_INITIAL) + buf = reliable_get_buf_output_sequenced (ks->send_reliable); + if (buf) { - buf = reliable_get_buf_output_sequenced (ks->send_reliable); - if (buf) - { - ks->must_negotiate = now + session->opt->handshake_window; - ks->auth_deferred_expire = now + auth_deferred_expire_window (session->opt); + ks->must_negotiate = now + session->opt->handshake_window; + ks->auth_deferred_expire = now + auth_deferred_expire_window (session->opt); - /* null buffer */ - reliable_mark_active_outgoing (ks->send_reliable, buf, ks->initial_opcode); - INCR_GENERATED; + /* null buffer */ + reliable_mark_active_outgoing (ks->send_reliable, buf, ks->initial_opcode); + INCR_GENERATED; - ks->state = S_PRE_START; - state_change = true; - dmsg (D_TLS_DEBUG, "TLS: Initial Handshake, sid=%s", - session_id_print (&session->session_id, &gc)); + ks->state = S_PRE_START; + state_change = true; + dmsg (D_TLS_DEBUG, "TLS: Initial Handshake, sid=%s", + session_id_print (&session->session_id, &gc)); #ifdef ENABLE_MANAGEMENT - if (management && ks->initial_opcode != P_CONTROL_SOFT_RESET_V1) - { - management_set_state (management, - OPENVPN_STATE_WAIT, - NULL, - 0, - 0); - } -#endif + if (management && ks->initial_opcode != P_CONTROL_SOFT_RESET_V1) + { + management_set_state (management, + OPENVPN_STATE_WAIT, + NULL, + NULL, + NULL, + NULL, + NULL); } +#endif } + } - /* Are we timed out on receive? */ - if (now >= ks->must_negotiate) + /* Are we timed out on receive? */ + if (now >= ks->must_negotiate) + { + if (ks->state < S_ACTIVE) { - if (ks->state < S_ACTIVE) - { - msg (D_TLS_ERRORS, - "TLS Error: TLS key negotiation failed to occur within %d seconds (check your network connectivity)", - session->opt->handshake_window); - goto error; - } - else /* assume that ks->state == S_ACTIVE */ - { - dmsg (D_TLS_DEBUG_MED, "STATE S_NORMAL_OP"); - ks->state = S_NORMAL_OP; - ks->must_negotiate = 0; - } + msg (D_TLS_ERRORS, + "TLS Error: TLS key negotiation failed to occur within %d seconds (check your network connectivity)", + session->opt->handshake_window); + goto error; } + else /* assume that ks->state == S_ACTIVE */ + { + dmsg (D_TLS_DEBUG_MED, "STATE S_NORMAL_OP"); + ks->state = S_NORMAL_OP; + ks->must_negotiate = 0; + } + } - /* Wait for Initial Handshake ACK */ - if (ks->state == S_PRE_START && FULL_SYNC) + /* Wait for Initial Handshake ACK */ + if (ks->state == S_PRE_START && FULL_SYNC) + { + ks->state = S_START; + state_change = true; + + /* Reload the CRL before TLS negotiation */ + if (session->opt->crl_file && + !(session->opt->ssl_flags & SSLF_CRL_VERIFY_DIR)) { - ks->state = S_START; - state_change = true; - dmsg (D_TLS_DEBUG_MED, "STATE S_START"); + tls_ctx_reload_crl(&session->opt->ssl_ctx, + session->opt->crl_file, session->opt->crl_file_inline); } - /* Wait for ACK */ - if (((ks->state == S_GOT_KEY && !session->opt->server) || - (ks->state == S_SENT_KEY && session->opt->server))) + dmsg (D_TLS_DEBUG_MED, "STATE S_START"); + } + + /* Wait for ACK */ + if (((ks->state == S_GOT_KEY && !session->opt->server) || + (ks->state == S_SENT_KEY && session->opt->server))) + { + if (FULL_SYNC) { - if (FULL_SYNC) - { - ks->established = now; - dmsg (D_TLS_DEBUG_MED, "STATE S_ACTIVE"); - if (check_debug_level (D_HANDSHAKE)) - print_details (&ks->ks_ssl, "Control Channel:"); - state_change = true; - ks->state = S_ACTIVE; - INCR_SUCCESS; + ks->established = now; + dmsg (D_TLS_DEBUG_MED, "STATE S_ACTIVE"); + if (check_debug_level (D_HANDSHAKE)) + print_details (&ks->ks_ssl, "Control Channel:"); + state_change = true; + ks->state = S_ACTIVE; + INCR_SUCCESS; - /* Set outgoing address for data channel packets */ - link_socket_set_outgoing_addr (NULL, to_link_socket_info, &ks->remote_addr, session->common_name, session->opt->es); + /* Set outgoing address for data channel packets */ + link_socket_set_outgoing_addr (NULL, to_link_socket_info, &ks->remote_addr, session->common_name, session->opt->es); - /* Flush any payload packets that were buffered before our state transitioned to S_ACTIVE */ - flush_payload_buffer (ks); + /* Flush any payload packets that were buffered before our state transitioned to S_ACTIVE */ + flush_payload_buffer (ks); #ifdef MEASURE_TLS_HANDSHAKE_STATS - show_tls_performance_stats(); + show_tls_performance_stats(); #endif - } } + } - /* Reliable buffer to outgoing TCP/UDP (send up to CONTROL_SEND_ACK_MAX ACKs - for previously received packets) */ - if (!to_link->len && reliable_can_send (ks->send_reliable)) - { - int opcode; - struct buffer b; - - buf = reliable_send (ks->send_reliable, &opcode); - ASSERT (buf); - b = *buf; - INCR_SENT; - - write_control_auth (session, ks, &b, to_link_addr, opcode, - CONTROL_SEND_ACK_MAX, true); - *to_link = b; - active = true; - state_change = true; - dmsg (D_TLS_DEBUG, "Reliable -> TCP/UDP"); - break; - } + /* Reliable buffer to outgoing TCP/UDP (send up to CONTROL_SEND_ACK_MAX ACKs + for previously received packets) */ + if (!to_link->len && reliable_can_send (ks->send_reliable)) + { + int opcode; + struct buffer b; + + buf = reliable_send (ks->send_reliable, &opcode); + ASSERT (buf); + b = *buf; + INCR_SENT; + + write_control_auth (session, ks, &b, to_link_addr, opcode, + CONTROL_SEND_ACK_MAX, true); + *to_link = b; + active = true; + state_change = true; + dmsg (D_TLS_DEBUG, "Reliable -> TCP/UDP"); + break; + } #ifndef TLS_AGGREGATE_ACK - /* Send 1 or more ACKs (each received control packet gets one ACK) */ - if (!to_link->len && !reliable_ack_empty (ks->rec_ack)) - { - buf = &ks->ack_write_buf; - ASSERT (buf_init (buf, FRAME_HEADROOM (&multi->opt.frame))); - write_control_auth (session, ks, buf, to_link_addr, P_ACK_V1, - RELIABLE_ACK_SIZE, false); - *to_link = *buf; - active = true; - state_change = true; - dmsg (D_TLS_DEBUG, "Dedicated ACK -> TCP/UDP"); - break; - } + /* Send 1 or more ACKs (each received control packet gets one ACK) */ + if (!to_link->len && !reliable_ack_empty (ks->rec_ack)) + { + buf = &ks->ack_write_buf; + ASSERT (buf_init (buf, FRAME_HEADROOM (&multi->opt.frame))); + write_control_auth (session, ks, buf, to_link_addr, P_ACK_V1, + RELIABLE_ACK_SIZE, false); + *to_link = *buf; + active = true; + state_change = true; + dmsg (D_TLS_DEBUG, "Dedicated ACK -> TCP/UDP"); + break; + } #endif - /* Write incoming ciphertext to TLS object */ - buf = reliable_get_buf_sequenced (ks->rec_reliable); - if (buf) - { - int status = 0; - if (buf->len) - { - status = key_state_write_ciphertext (&ks->ks_ssl, buf); - if (status == -1) - { - msg (D_TLS_ERRORS, - "TLS Error: Incoming Ciphertext -> TLS object write error"); - goto error; - } - } - else - { - status = 1; - } - if (status == 1) - { - reliable_mark_deleted (ks->rec_reliable, buf, true); - state_change = true; - dmsg (D_TLS_DEBUG, "Incoming Ciphertext -> TLS"); - } - } - - /* Read incoming plaintext from TLS object */ - buf = &ks->plaintext_read_buf; - if (!buf->len) + /* Write incoming ciphertext to TLS object */ + buf = reliable_get_buf_sequenced (ks->rec_reliable); + if (buf) + { + int status = 0; + if (buf->len) { - int status; - - ASSERT (buf_init (buf, 0)); - status = key_state_read_plaintext (&ks->ks_ssl, buf, TLS_CHANNEL_BUF_SIZE); - update_time (); + status = key_state_write_ciphertext (&ks->ks_ssl, buf); if (status == -1) { - msg (D_TLS_ERRORS, "TLS Error: TLS object -> incoming plaintext read error"); + msg (D_TLS_ERRORS, + "TLS Error: Incoming Ciphertext -> TLS object write error"); goto error; } - if (status == 1) - { - state_change = true; - dmsg (D_TLS_DEBUG, "TLS -> Incoming Plaintext"); - } -#if 0 /* show null plaintext reads */ - if (!status) - msg (M_INFO, "TLS plaintext read -> NULL return"); -#endif } - - /* Send Key */ - buf = &ks->plaintext_write_buf; - if (!buf->len && ((ks->state == S_START && !session->opt->server) || - (ks->state == S_GOT_KEY && session->opt->server))) + else { - if (session->opt->key_method == 1) - { - if (!key_method_1_write (buf, session)) - goto error; - } - else if (session->opt->key_method == 2) - { - if (!key_method_2_write (buf, session)) - goto error; - } - else - { - ASSERT (0); - } + status = 1; + } + if (status == 1) + { + reliable_mark_deleted (ks->rec_reliable, buf, true); + state_change = true; + dmsg (D_TLS_DEBUG, "Incoming Ciphertext -> TLS"); + } + } + + /* Read incoming plaintext from TLS object */ + buf = &ks->plaintext_read_buf; + if (!buf->len) + { + int status; + ASSERT (buf_init (buf, 0)); + status = key_state_read_plaintext (&ks->ks_ssl, buf, TLS_CHANNEL_BUF_SIZE); + update_time (); + if (status == -1) + { + msg (D_TLS_ERRORS, "TLS Error: TLS object -> incoming plaintext read error"); + goto error; + } + if (status == 1) + { state_change = true; - dmsg (D_TLS_DEBUG_MED, "STATE S_SENT_KEY"); - ks->state = S_SENT_KEY; + dmsg (D_TLS_DEBUG, "TLS -> Incoming Plaintext"); } + } - /* Receive Key */ - buf = &ks->plaintext_read_buf; - if (buf->len - && ((ks->state == S_SENT_KEY && !session->opt->server) - || (ks->state == S_START && session->opt->server))) + /* Send Key */ + buf = &ks->plaintext_write_buf; + if (!buf->len && ((ks->state == S_START && !session->opt->server) || + (ks->state == S_GOT_KEY && session->opt->server))) + { + if (session->opt->key_method == 1) { - if (session->opt->key_method == 1) - { - if (!key_method_1_read (buf, session)) - goto error; - } - else if (session->opt->key_method == 2) - { - if (!key_method_2_read (buf, multi, session)) - goto error; - } - else - { - ASSERT (0); - } + if (!key_method_1_write (buf, session)) + goto error; + } + else if (session->opt->key_method == 2) + { + if (!key_method_2_write (buf, session)) + goto error; + } + else + { + ASSERT (0); + } + + state_change = true; + dmsg (D_TLS_DEBUG_MED, "STATE S_SENT_KEY"); + ks->state = S_SENT_KEY; + } + /* Receive Key */ + buf = &ks->plaintext_read_buf; + if (buf->len + && ((ks->state == S_SENT_KEY && !session->opt->server) + || (ks->state == S_START && session->opt->server))) + { + if (session->opt->key_method == 1) + { + if (!key_method_1_read (buf, session)) + goto error; + } + else if (session->opt->key_method == 2) + { + if (!key_method_2_read (buf, multi, session)) + goto error; + } + else + { + ASSERT (0); + } + + state_change = true; + dmsg (D_TLS_DEBUG_MED, "STATE S_GOT_KEY"); + ks->state = S_GOT_KEY; + } + + /* Write outgoing plaintext to TLS object */ + buf = &ks->plaintext_write_buf; + if (buf->len) + { + int status = key_state_write_plaintext (&ks->ks_ssl, buf); + if (status == -1) + { + msg (D_TLS_ERRORS, + "TLS ERROR: Outgoing Plaintext -> TLS object write error"); + goto error; + } + if (status == 1) + { state_change = true; - dmsg (D_TLS_DEBUG_MED, "STATE S_GOT_KEY"); - ks->state = S_GOT_KEY; + dmsg (D_TLS_DEBUG, "Outgoing Plaintext -> TLS"); } + } - /* Write outgoing plaintext to TLS object */ - buf = &ks->plaintext_write_buf; - if (buf->len) + /* Outgoing Ciphertext to reliable buffer */ + if (ks->state >= S_START) + { + buf = reliable_get_buf_output_sequenced (ks->send_reliable); + if (buf) { - int status = key_state_write_plaintext (&ks->ks_ssl, buf); + int status = key_state_read_ciphertext (&ks->ks_ssl, buf, PAYLOAD_SIZE_DYNAMIC (&multi->opt.frame)); if (status == -1) { msg (D_TLS_ERRORS, - "TLS ERROR: Outgoing Plaintext -> TLS object write error"); + "TLS Error: Ciphertext -> reliable TCP/UDP transport read error"); goto error; } if (status == 1) { + reliable_mark_active_outgoing (ks->send_reliable, buf, P_CONTROL_V1); + INCR_GENERATED; state_change = true; - dmsg (D_TLS_DEBUG, "Outgoing Plaintext -> TLS"); - } - } - - /* Outgoing Ciphertext to reliable buffer */ - if (ks->state >= S_START) - { - buf = reliable_get_buf_output_sequenced (ks->send_reliable); - if (buf) - { - int status = key_state_read_ciphertext (&ks->ks_ssl, buf, PAYLOAD_SIZE_DYNAMIC (&multi->opt.frame)); - if (status == -1) - { - msg (D_TLS_ERRORS, - "TLS Error: Ciphertext -> reliable TCP/UDP transport read error"); - goto error; - } - if (status == 1) - { - reliable_mark_active_outgoing (ks->send_reliable, buf, P_CONTROL_V1); - INCR_GENERATED; - state_change = true; - dmsg (D_TLS_DEBUG, "Outgoing Ciphertext -> Reliable"); - } + dmsg (D_TLS_DEBUG, "Outgoing Ciphertext -> Reliable"); } } } @@ -2532,11 +2773,11 @@ tls_process (struct tls_multi *multi, /* Send 1 or more ACKs (each received control packet gets one ACK) */ if (!to_link->len && !reliable_ack_empty (ks->rec_ack)) { - buf = &ks->ack_write_buf; - ASSERT (buf_init (buf, FRAME_HEADROOM (&multi->opt.frame))); - write_control_auth (session, ks, buf, to_link_addr, P_ACK_V1, + struct buffer buf = ks->ack_write_buf; + ASSERT (buf_init (&buf, FRAME_HEADROOM (&multi->opt.frame))); + write_control_auth (session, ks, &buf, to_link_addr, P_ACK_V1, RELIABLE_ACK_SIZE, false); - *to_link = *buf; + *to_link = buf; active = true; state_change = true; dmsg (D_TLS_DEBUG, "Dedicated ACK -> TCP/UDP"); @@ -2775,7 +3016,9 @@ bool tls_pre_decrypt (struct tls_multi *multi, const struct link_socket_actual *from, struct buffer *buf, - struct crypto_options *opt) + struct crypto_options **opt, + bool floated, + const uint8_t **ad_start) { struct gc_arena gc = gc_new (); bool ret = false; @@ -2819,18 +3062,29 @@ tls_pre_decrypt (struct tls_multi *multi, #ifdef ENABLE_DEF_AUTH && !ks->auth_deferred #endif - && link_socket_actual_match (from, &ks->remote_addr)) + && (floated || link_socket_actual_match (from, &ks->remote_addr))) { - /* return appropriate data channel decrypt key in opt */ - opt->key_ctx_bi = &ks->key; - opt->packet_id = multi->opt.replay ? &ks->packet_id : NULL; - opt->pid_persist = NULL; - opt->flags &= multi->opt.crypto_flags_and; - opt->flags |= multi->opt.crypto_flags_or; + if (!ks->crypto_options.key_ctx_bi.initialized) + { + msg (D_TLS_DEBUG_LOW, + "Key %s [%d] not initialized (yet), dropping packet.", + print_link_socket_actual (from, &gc), key_id); + goto error_lite; + } - ASSERT (buf_advance (buf, 1)); + /* return appropriate data channel decrypt key in opt */ + *opt = &ks->crypto_options; if (op == P_DATA_V2) { + *ad_start = BPTR(buf); + } + ASSERT (buf_advance (buf, 1)); + if (op == P_DATA_V1) + { + *ad_start = BPTR(buf); + } + else if (op == P_DATA_V2) + { if (buf->len < 4) { msg (D_TLS_ERRORS, "Protocol error: received P_DATA_V2 from %s but length is < 4", @@ -2848,23 +3102,6 @@ tls_pre_decrypt (struct tls_multi *multi, gc_free (&gc); return ret; } -#if 0 /* keys out of sync? */ - else - { - dmsg (D_TLS_ERRORS, "TLS_PRE_DECRYPT: [%d] dken=%d rkid=%d lkid=%d auth=%d def=%d match=%d", - i, - DECRYPT_KEY_ENABLED (multi, ks), - key_id, - ks->key_id, - ks->authenticated, -#ifdef ENABLE_DEF_AUTH - ks->auth_deferred, -#else - -1, -#endif - link_socket_actual_match (from, &ks->remote_addr)); - } -#endif } msg (D_TLS_ERRORS, @@ -2991,8 +3228,10 @@ tls_pre_decrypt (struct tls_multi *multi, management_set_state (management, OPENVPN_STATE_AUTH, NULL, - 0, - 0); + NULL, + NULL, + NULL, + NULL); } #endif @@ -3036,7 +3275,7 @@ tls_pre_decrypt (struct tls_multi *multi, goto error; } - if (!read_control_auth (buf, &session->tls_auth, from)) + if (!read_control_auth (buf, &session->tls_wrap, from)) goto error; /* @@ -3087,7 +3326,7 @@ tls_pre_decrypt (struct tls_multi *multi, if (op == P_CONTROL_SOFT_RESET_V1 && DECRYPT_KEY_ENABLED (multi, ks)) { - if (!read_control_auth (buf, &session->tls_auth, from)) + if (!read_control_auth (buf, &session->tls_wrap, from)) goto error; key_state_soft_reset (session); @@ -3104,7 +3343,7 @@ tls_pre_decrypt (struct tls_multi *multi, if (op == P_CONTROL_SOFT_RESET_V1) do_burst = true; - if (!read_control_auth (buf, &session->tls_auth, from)) + if (!read_control_auth (buf, &session->tls_wrap, from)) goto error; dmsg (D_TLS_DEBUG, @@ -3215,10 +3454,7 @@ tls_pre_decrypt (struct tls_multi *multi, done: buf->len = 0; - opt->key_ctx_bi = NULL; - opt->packet_id = NULL; - opt->pid_persist = NULL; - opt->flags &= multi->opt.crypto_flags_and; + *opt = NULL; gc_free (&gc); return ret; @@ -3297,18 +3533,11 @@ tls_pre_decrypt_lite (const struct tls_auth_standalone *tas, { struct buffer newbuf = clone_buf (buf); - struct crypto_options co = tas->tls_auth_options; + struct tls_wrap_ctx tls_wrap_tmp = tas->tls_wrap; bool status; - /* - * We are in read-only mode at this point with respect to TLS - * control channel state. After we build a new client instance - * object, we will process this session-initiating packet for real. - */ - co.flags |= CO_IGNORE_PACKET_ID; - /* HMAC test, if --tls-auth was specified */ - status = read_control_auth (&newbuf, &co, from); + status = read_control_auth (&newbuf, &tls_wrap_tmp, from); free_buf (&newbuf); if (!status) goto error; @@ -3344,7 +3573,7 @@ tls_pre_decrypt_lite (const struct tls_auth_standalone *tas, /* Choose the key with which to encrypt a data packet */ void tls_pre_encrypt (struct tls_multi *multi, - struct buffer *buf, struct crypto_options *opt) + struct buffer *buf, struct crypto_options **opt) { multi->save_ks = NULL; if (buf->len > 0) @@ -3356,6 +3585,7 @@ tls_pre_encrypt (struct tls_multi *multi, struct key_state *ks = multi->key_scan[i]; if (ks->state >= S_ACTIVE && ks->authenticated + && ks->crypto_options.key_ctx_bi.initialized #ifdef ENABLE_DEF_AUTH && !ks->auth_deferred #endif @@ -3373,11 +3603,7 @@ tls_pre_encrypt (struct tls_multi *multi, if (ks_select) { - opt->key_ctx_bi = &ks_select->key; - opt->packet_id = multi->opt.replay ? &ks_select->packet_id : NULL; - opt->pid_persist = NULL; - opt->flags &= multi->opt.crypto_flags_and; - opt->flags |= multi->opt.crypto_flags_or; + *opt = &ks_select->crypto_options; multi->save_ks = ks_select; dmsg (D_TLS_KEYSELECT, "TLS: tls_pre_encrypt: key_id=%d", ks_select->key_id); return; @@ -3392,36 +3618,48 @@ tls_pre_encrypt (struct tls_multi *multi, } buf->len = 0; - opt->key_ctx_bi = NULL; - opt->packet_id = NULL; - opt->pid_persist = NULL; - opt->flags &= multi->opt.crypto_flags_and; + *opt = NULL; } -/* Prepend the appropriate opcode to encrypted buffer prior to TCP/UDP send */ void -tls_post_encrypt (struct tls_multi *multi, struct buffer *buf) +tls_prepend_opcode_v1 (const struct tls_multi *multi, struct buffer *buf) { - struct key_state *ks; - uint8_t *op; + struct key_state *ks = multi->save_ks; + uint8_t op; + + msg (D_TLS_DEBUG, __func__); + + ASSERT (ks); + + op = (P_DATA_V1 << P_OPCODE_SHIFT) | ks->key_id; + ASSERT (buf_write_prepend (buf, &op, 1)); +} + +void +tls_prepend_opcode_v2 (const struct tls_multi *multi, struct buffer *buf) +{ + struct key_state *ks = multi->save_ks; uint32_t peer; - ks = multi->save_ks; + msg (D_TLS_DEBUG, __func__); + + ASSERT (ks); + + peer = htonl(((P_DATA_V2 << P_OPCODE_SHIFT) | ks->key_id) << 24 + | (multi->peer_id & 0xFFFFFF)); + ASSERT (buf_write_prepend (buf, &peer, 4)); +} + +void +tls_post_encrypt (struct tls_multi *multi, struct buffer *buf) +{ + struct key_state *ks = multi->save_ks; multi->save_ks = NULL; + if (buf->len > 0) { ASSERT (ks); - if (!multi->opt.server && multi->use_peer_id) - { - peer = htonl(((P_DATA_V2 << P_OPCODE_SHIFT) | ks->key_id) << 24 | (multi->peer_id & 0xFFFFFF)); - ASSERT (buf_write_prepend (buf, &peer, 4)); - } - else - { - ASSERT (op = buf_prepend (buf, 1)); - *op = (P_DATA_V1 << P_OPCODE_SHIFT) | ks->key_id; - } ++ks->n_packets; ks->n_bytes += buf->len; } @@ -3494,6 +3732,70 @@ tls_rec_payload (struct tls_multi *multi, return ret; } +void +tls_update_remote_addr (struct tls_multi *multi, const struct link_socket_actual *addr) +{ + struct gc_arena gc = gc_new (); + int i, j; + + for (i = 0; i < TM_SIZE; ++i) + { + struct tls_session *session = &multi->session[i]; + + for (j = 0; j < KS_SIZE; ++j) + { + struct key_state *ks = &session->key[j]; + + if (!link_socket_actual_defined(&ks->remote_addr) || + link_socket_actual_match (addr, &ks->remote_addr)) + continue; + + dmsg (D_TLS_KEYSELECT, "TLS: tls_update_remote_addr from IP=%s to IP=%s", + print_link_socket_actual (&ks->remote_addr, &gc), + print_link_socket_actual (addr, &gc)); + + ks->remote_addr = *addr; + } + } + gc_free (&gc); +} + +int +tls_peer_info_ncp_ver(const char *peer_info) +{ + const char *ncpstr = peer_info ? strstr (peer_info, "IV_NCP=") : NULL; + if (ncpstr) + { + int ncp = 0; + int r = sscanf(ncpstr, "IV_NCP=%d", &ncp); + if (r == 1) + return ncp; + } + return 0; +} + +bool +tls_check_ncp_cipher_list(const char *list) { + bool unsupported_cipher_found = false; + + ASSERT (list); + + char * const tmp_ciphers = string_alloc (list, NULL); + const char *token = strtok (tmp_ciphers, ":"); + while (token) + { + if (!cipher_kt_get (translate_cipher_name_from_openvpn (token))) + { + msg (M_WARN, "Unsupported cipher in --ncp-ciphers: %s", token); + unsupported_cipher_found = true; + } + token = strtok (NULL, ":"); + } + free (tmp_ciphers); + + return 0 < strlen(list) && !unsupported_cipher_found; +} + /* * Dump a human-readable rendition of an openvpn packet * into a garbage collectable string which is returned. @@ -3594,4 +3896,4 @@ done: #else static void dummy(void) {} -#endif /* ENABLE_CRYPTO && ENABLE_SSL*/ +#endif /* ENABLE_CRYPTO */ diff --git a/src/openvpn/ssl.h b/src/openvpn/ssl.h index 6a14768..777b621 100644 --- a/src/openvpn/ssl.h +++ b/src/openvpn/ssl.h @@ -30,7 +30,7 @@ #ifndef OPENVPN_SSL_H #define OPENVPN_SSL_H -#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL) +#if defined(ENABLE_CRYPTO) #include "basic.h" #include "common.h" @@ -44,7 +44,6 @@ #include "plugin.h" #include "ssl_common.h" -#include "ssl_verify.h" #include "ssl_backend.h" /* Used in the TLS PRF function */ @@ -137,8 +136,7 @@ */ struct tls_auth_standalone { - struct key_ctx_bi tls_auth_key; - struct crypto_options tls_auth_options; + struct tls_wrap_ctx tls_wrap; struct frame frame; }; @@ -294,9 +292,10 @@ int tls_multi_process (struct tls_multi *multi, * of this packet. * @param from - The source address of the packet. * @param buf - A buffer structure containing the incoming packet. - * @param opt - A crypto options structure that will be loaded with the - * appropriate security parameters to handle the packet if it is a - * data channel packet. + * @param opt - Returns a crypto options structure with the appropriate security + * parameters to handle the packet if it is a data channel packet. + * @param ad_start - Returns a pointer to the start of the authenticated data of + * of this packet * * @return * @li True if the packet is a control channel packet that has been @@ -307,7 +306,9 @@ int tls_multi_process (struct tls_multi *multi, bool tls_pre_decrypt (struct tls_multi *multi, const struct link_socket_actual *from, struct buffer *buf, - struct crypto_options *opt); + struct crypto_options **opt, + bool floated, + const uint8_t **ad_start); /**************************************************************************/ @@ -356,20 +357,53 @@ bool tls_pre_decrypt_lite (const struct tls_auth_standalone *tas, * @ingroup data_crypto * * If no appropriate security parameters can be found, or if some other - * error occurs, then the buffer is set to empty. + * error occurs, then the buffer is set to empty, and the parameters to a NULL + * pointer. * * @param multi - The TLS state for this packet's destination VPN tunnel. * @param buf - The buffer containing the outgoing packet. - * @param opt - The crypto options structure into which the appropriate - * security parameters should be loaded. + * @param opt - Returns a crypto options structure with the security parameters. */ void tls_pre_encrypt (struct tls_multi *multi, - struct buffer *buf, struct crypto_options *opt); + struct buffer *buf, struct crypto_options **opt); /** - * Prepend the one-byte OpenVPN header to the packet, and perform some - * accounting for the key state used. + * Prepend a one-byte OpenVPN data channel P_DATA_V1 opcode to the packet. + * + * The opcode identifies the packet as a V1 data channel packet and gives the + * low-permutation version of the key-id to the recipient, so it knows which + * decrypt key to use. + * + * @param multi - The TLS state for this packet's destination VPN tunnel. + * @param buf - The buffer to write the header to. + * + * @ingroup data_crypto + */ +void +tls_prepend_opcode_v1 (const struct tls_multi *multi, struct buffer *buf); + +/** + * Prepend an OpenVPN data channel P_DATA_V2 header to the packet. The + * P_DATA_V2 header consists of a 1-byte opcode, followed by a 3-byte peer-id. + * + * The opcode identifies the packet as a V2 data channel packet and gives the + * low-permutation version of the key-id to the recipient, so it knows which + * decrypt key to use. + * + * The peer-id is sent by clients to servers to help the server determine to + * select the decrypt key when the client is roaming between addresses/ports. + * + * @param multi - The TLS state for this packet's destination VPN tunnel. + * @param buf - The buffer to write the header to. + * + * @ingroup data_crypto + */ +void +tls_prepend_opcode_v2 (const struct tls_multi *multi, struct buffer *buf); + +/** + * Perform some accounting for the key state used. * @ingroup data_crypto * * @param multi - The TLS state for this packet's destination VPN tunnel. @@ -432,6 +466,29 @@ bool tls_send_payload (struct tls_multi *multi, bool tls_rec_payload (struct tls_multi *multi, struct buffer *buf); +/** + * Updates remote address in TLS sessions. + * + * @param multi - Tunnel to update + * @param addr - new address + */ +void tls_update_remote_addr (struct tls_multi *multi, + const struct link_socket_actual *addr); + +/** + * Update TLS session crypto parameters (cipher and auth) and derive data + * channel keys based on the supplied options. + * + * @param session The TLS session to update. + * @param options The options to use when updating session. + * @param frame The frame options for this session (frame overhead is + * adjusted based on the selected cipher/auth). + * + * @return true if updating succeeded, false otherwise. + */ +bool tls_session_update_crypto_params(struct tls_session *session, + const struct options *options, struct frame *frame); + #ifdef MANAGEMENT_DEF_AUTH static inline char * tls_get_peer_info(const struct tls_multi *multi) @@ -440,6 +497,21 @@ tls_get_peer_info(const struct tls_multi *multi) } #endif +/** + * Return the Negotiable Crypto Parameters version advertised in the peer info + * string, or 0 if none specified. + */ +int tls_peer_info_ncp_ver(const char *peer_info); + +/** + * Check whether the ciphers in the supplied list are supported. + * + * @param list Colon-separated list of ciphers + * + * @returns true iff all ciphers in list are supported. + */ +bool tls_check_ncp_cipher_list(const char *list); + /* * inline functions */ @@ -503,6 +575,6 @@ void show_tls_performance_stats(void); /*#define EXTRACT_X509_FIELD_TEST*/ void extract_x509_field_test (void); -#endif /* ENABLE_CRYPTO && ENABLE_SSL */ +#endif /* ENABLE_CRYPTO */ #endif diff --git a/src/openvpn/ssl_backend.h b/src/openvpn/ssl_backend.h index 4b35e51..0777c61 100644 --- a/src/openvpn/ssl_backend.h +++ b/src/openvpn/ssl_backend.h @@ -38,10 +38,10 @@ #include "ssl_verify_openssl.h" #define SSLAPI SSLAPI_OPENSSL #endif -#ifdef ENABLE_CRYPTO_POLARSSL -#include "ssl_polarssl.h" -#include "ssl_verify_polarssl.h" -#define SSLAPI SSLAPI_POLARSSL +#ifdef ENABLE_CRYPTO_MBEDTLS +#include "ssl_mbedtls.h" +#include "ssl_verify_mbedtls.h" +#define SSLAPI SSLAPI_MBEDTLS #endif /* Ensure that SSLAPI got a sane value if SSL is disabled or unknown */ @@ -124,21 +124,21 @@ int tls_version_parse(const char *vstr, const char *extra); */ int tls_version_max(void); +#ifdef ENABLE_CRYPTO + /** * Initialise a library-specific TLS context for a server. * * @param ctx TLS context to initialise - * @param ssl_flags SSLF_x flags from ssl_common.h */ -void tls_ctx_server_new(struct tls_root_ctx *ctx, unsigned int ssl_flags); +void tls_ctx_server_new(struct tls_root_ctx *ctx); /** * Initialises a library-specific TLS context for a client. * * @param ctx TLS context to initialise - * @param ssl_flags SSLF_x flags from ssl_common.h */ -void tls_ctx_client_new(struct tls_root_ctx *ctx, unsigned int ssl_flags); +void tls_ctx_client_new(struct tls_root_ctx *ctx); /** * Frees the library-specific TLSv1 context @@ -170,8 +170,9 @@ void tls_ctx_set_options (struct tls_root_ctx *ctx, unsigned int ssl_flags); /** * Restrict the list of ciphers that can be used within the TLS context. * - * @param ctx TLS context to restrict - * @param ciphers String containing : delimited cipher names. + * @param ctx TLS context to restrict, must be valid. + * @param ciphers String containing : delimited cipher names, or NULL to use + * sane defaults. */ void tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers); @@ -197,6 +198,16 @@ void tls_ctx_load_dh_params(struct tls_root_ctx *ctx, const char *dh_file, const char *dh_file_inline); /** + * Load Elliptic Curve Parameters, and load them into the library-specific + * TLS context. + * + * @param ctx TLS context to use + * @param curve_name The name of the elliptic curve to load. + */ +void tls_ctx_load_ecdh_params(struct tls_root_ctx *ctx, const char *curve_name + ); + +/** * Load PKCS #12 file for key, cert and (optionally) CA certs, and add to * library-specific TLS context. * @@ -221,7 +232,7 @@ int tls_ctx_load_pkcs12(struct tls_root_ctx *ctx, const char *pkcs12_file, */ #ifdef ENABLE_CRYPTOAPI void tls_ctx_load_cryptoapi(struct tls_root_ctx *ctx, const char *cryptoapi_cert); -#endif /* WIN32 */ +#endif /* _WIN32 */ /** * Load certificate file into the given TLS context. If the given certificate @@ -299,9 +310,9 @@ void tls_ctx_load_extra_certs (struct tls_root_ctx *ctx, const char *extra_certs const char *extra_certs_file_inline ); -#ifdef ENABLE_CRYPTO_POLARSSL +#ifdef ENABLE_CRYPTO_MBEDTLS /** - * Add a personalisation string to the PolarSSL RNG, based on the certificate + * Add a personalisation string to the mbed TLS RNG, based on the certificate * loaded into the given context. * * @param ctx TLS context to use @@ -334,6 +345,30 @@ void key_state_ssl_init(struct key_state_ssl *ks_ssl, */ void key_state_ssl_free(struct key_state_ssl *ks_ssl); +/** + * Reload the Certificate Revocation List for the SSL channel + * + * @param ssl_ctx The TLS context to use when reloading the CRL + * @param crl_file The file name to load the CRL from, or + * "[[INLINE]]" in the case of inline files. + * @param crl_inline A string containing the CRL + */ +void tls_ctx_reload_crl(struct tls_root_ctx *ssl_ctx, + const char *crl_file, const char *crl_inline); + +/** + * Keying Material Exporters [RFC 5705] allows additional keying material to be + * derived from existing TLS channel. This exported keying material can then be + * used for a variety of purposes. + * + * @param ks_ssl The SSL channel's state info + * @param session The session associated with the given key_state + */ + +void +key_state_export_keying_material(struct key_state_ssl *ks_ssl, + struct tls_session *session) __attribute__((nonnull)); + /**************************************************************************/ /** @addtogroup control_tls * @{ */ @@ -472,6 +507,11 @@ void print_details (struct key_state_ssl * ks_ssl, const char *prefix); void show_available_tls_ciphers (const char *tls_ciphers); /* + * Show the available elliptic curves in the crypto library + */ +void show_available_curves (void); + +/* * The OpenSSL library has a notion of preference in TLS ciphers. Higher * preference == more secure. Return the highest preference cipher. */ @@ -483,4 +523,5 @@ void get_highest_preference_tls_cipher (char *buf, int size); */ const char * get_ssl_library_version(void); +#endif /* ENABLE_CRYPTO */ #endif /* SSL_BACKEND_H_ */ diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h index 449172d..28702af 100644 --- a/src/openvpn/ssl_common.h +++ b/src/openvpn/ssl_common.h @@ -149,7 +149,12 @@ struct key_source2 { struct key_state { int state; - int key_id; /* inherited from struct tls_session below */ + + /** + * Key id for this key_state, inherited from struct tls_session. + * @see tls_session::key_id. + */ + int key_id; struct key_state_ssl ks_ssl; /* contains SSL object and BIOs for the control channel */ @@ -160,9 +165,8 @@ struct key_state int initial_opcode; /* our initial P_ opcode */ struct session_id session_id_remote; /* peer's random session ID */ struct link_socket_actual remote_addr; /* peer's IP addr */ - struct packet_id packet_id; /* for data channel, to prevent replay attacks */ - struct key_ctx_bi key; /* data channel keys for encrypt/decrypt/hmac */ + struct crypto_options crypto_options;/* data channel crypto options */ struct key_source2 *key_src; /* source entropy for key expansion */ @@ -200,6 +204,18 @@ struct key_state #endif }; +/** Control channel wrapping (--tls-auth/--tls-crypt) context */ +struct tls_wrap_ctx +{ + enum { + TLS_WRAP_NONE = 0, /**< No control channel wrapping */ + TLS_WRAP_AUTH, /**< Control channel authentication */ + TLS_WRAP_CRYPT, /**< Control channel encryption and authentication */ + } mode; /**< Control channel wrapping mode */ + struct crypto_options opt; /**< Crypto state */ + struct buffer work; /**< Work buffer (only for --tls-crypt) */ +}; + /* * Our const options, obtained directly or derived from * command line options. @@ -232,6 +248,8 @@ struct tls_options #ifdef ENABLE_OCC bool disable_occ; #endif + int mode; + bool pull; #ifdef ENABLE_PUSH_PEER_INFO int push_peer_info_detail; #endif @@ -248,6 +266,7 @@ struct tls_options int verify_x509_type; const char *verify_x509_name; const char *crl_file; + const char *crl_file_inline; int ns_cert_type; unsigned remote_cert_ku[MAX_PARMS]; const char *remote_cert_eku; @@ -259,6 +278,7 @@ struct tls_options bool pass_config_info; /* struct crypto_option flags */ + unsigned int crypto_flags; unsigned int crypto_flags_and; unsigned int crypto_flags_or; @@ -266,9 +286,12 @@ struct tls_options int replay_time; /* --replay-window parm */ bool tcp_mode; - /* packet authentication for TLS handshake */ - struct crypto_options tls_auth; - struct key_ctx_bi tls_auth_key; + const char *config_ciphername; + const char *config_authname; + bool ncp_enabled; + + /** TLS handshake wrapping state */ + struct tls_wrap_ctx tls_wrap; /* frame parameters for TLS control channel */ struct frame frame; @@ -278,6 +301,9 @@ struct tls_options bool auth_user_pass_verify_script_via_file; const char *tmp_dir; const char *auth_user_pass_file; + bool auth_token_generate; /**< Generate auth-tokens on successful user/pass auth, + * set via options->auth_token_generate. */ + unsigned int auth_token_lifetime; /* use the client-config-dir as a positive authenticator */ const char *client_config_dir_exclusive; @@ -286,10 +312,16 @@ struct tls_options struct env_set *es; const struct plugin_list *plugins; + /* compression parms */ +#ifdef USE_COMP + struct compress_options comp_options; +#endif + /* configuration file SSL-related boolean and low-permutation options */ # define SSLF_CLIENT_CERT_NOT_REQUIRED (1<<0) -# define SSLF_USERNAME_AS_COMMON_NAME (1<<1) -# define SSLF_AUTH_USER_PASS_OPTIONAL (1<<2) +# define SSLF_CLIENT_CERT_OPTIONAL (1<<1) +# define SSLF_USERNAME_AS_COMMON_NAME (1<<2) +# define SSLF_AUTH_USER_PASS_OPTIONAL (1<<3) # define SSLF_OPT_VERIFY (1<<4) # define SSLF_CRL_VERIFY_DIR (1<<5) # define SSLF_TLS_VERSION_MIN_SHIFT 6 @@ -302,9 +334,7 @@ struct tls_options struct man_def_auth_context *mda_context; #endif -#ifdef ENABLE_X509_TRACK const struct x509_track *x509_track; -#endif #ifdef ENABLE_CLIENT_CR const struct static_challenge_info *sci; @@ -312,6 +342,11 @@ struct tls_options /* --gremlin bits */ int gremlin; + + /* Keying Material Exporter [RFC 5705] parameters */ + const char *ekm_label; + size_t ekm_label_size; + size_t ekm_size; }; /** @addtogroup control_processor @@ -328,6 +363,9 @@ struct tls_options /** @} name Index of key_state objects within a tls_session structure */ /** @} addtogroup control_processor */ +#define AUTH_TOKEN_SIZE 32 /**< Size of server side generated auth tokens. + * 32 bytes == 256 bits + */ /** * Security parameter state of a single session within a VPN tunnel. @@ -354,12 +392,17 @@ struct tls_session bool burst; /* authenticate control packets */ - struct crypto_options tls_auth; - struct packet_id tls_auth_pid; + struct tls_wrap_ctx tls_wrap; int initial_opcode; /* our initial P_ opcode */ struct session_id session_id; /* our random session ID */ - int key_id; /* increments with each soft reset (for key renegotiation) */ + + /** + * The current active key id, used to keep track of renegotiations. + * key_id increments with each soft reset to KEY_ID_MASK then recycles back + * to 1. This way you know that if key_id is 0, it is the first key. + */ + int key_id; int limit_next; /* used for traffic shaping on the control channel */ @@ -481,20 +524,29 @@ struct tls_multi */ char *client_reason; + /* Time of last call to tls_authentication_status */ + time_t tas_last; +#endif + +#if P2MP_SERVER /* * A multi-line string of general-purpose info received from peer * over control channel. */ char *peer_info; - - /* Time of last call to tls_authentication_status */ - time_t tas_last; #endif /* For P_DATA_V2 */ uint32_t peer_id; bool use_peer_id; + char *auth_token; /**< If server sends a generated auth-token, + * this is the token to use for future + * user/pass authentications in this session. + */ + time_t auth_token_tstamp; /**< timestamp of the generated token */ + bool auth_token_sent; /**< If server uses --auth-gen-token and + * token has been sent to client */ /* * Our session objects. */ diff --git a/src/openvpn/ssl_polarssl.c b/src/openvpn/ssl_mbedtls.c index 1f58369..7fa35a7 100644 --- a/src/openvpn/ssl_polarssl.c +++ b/src/openvpn/ssl_mbedtls.c @@ -25,7 +25,7 @@ */ /** - * @file Control Channel PolarSSL Backend + * @file Control Channel mbed TLS Backend */ #ifdef HAVE_CONFIG_H @@ -36,7 +36,7 @@ #include "syshead.h" -#if defined(ENABLE_SSL) && defined(ENABLE_CRYPTO_POLARSSL) +#if defined(ENABLE_CRYPTO) && defined(ENABLE_CRYPTO_MBEDTLS) #include "errlevel.h" #include "ssl_backend.h" @@ -46,15 +46,16 @@ #include "manage.h" #include "ssl_common.h" -#include <polarssl/havege.h> +#include <mbedtls/havege.h> -#include "ssl_verify_polarssl.h" -#include <polarssl/debug.h> -#include <polarssl/error.h> -#include <polarssl/oid.h> -#include <polarssl/pem.h> -#include <polarssl/sha256.h> -#include <polarssl/version.h> +#include "ssl_verify_mbedtls.h" +#include <mbedtls/debug.h> +#include <mbedtls/error.h> +#include <mbedtls/net.h> +#include <mbedtls/oid.h> +#include <mbedtls/pem.h> +#include <mbedtls/sha256.h> +#include <mbedtls/version.h> void tls_init_lib() @@ -72,29 +73,29 @@ tls_clear_error() } void -tls_ctx_server_new(struct tls_root_ctx *ctx, unsigned int ssl_flags) +tls_ctx_server_new(struct tls_root_ctx *ctx) { ASSERT(NULL != ctx); CLEAR(*ctx); - ALLOC_OBJ_CLEAR(ctx->dhm_ctx, dhm_context); + ALLOC_OBJ_CLEAR(ctx->dhm_ctx, mbedtls_dhm_context); - ALLOC_OBJ_CLEAR(ctx->ca_chain, x509_crt); + ALLOC_OBJ_CLEAR(ctx->ca_chain, mbedtls_x509_crt); - ctx->endpoint = SSL_IS_SERVER; + ctx->endpoint = MBEDTLS_SSL_IS_SERVER; ctx->initialised = true; } void -tls_ctx_client_new(struct tls_root_ctx *ctx, unsigned int ssl_flags) +tls_ctx_client_new(struct tls_root_ctx *ctx) { ASSERT(NULL != ctx); CLEAR(*ctx); - ALLOC_OBJ_CLEAR(ctx->dhm_ctx, dhm_context); - ALLOC_OBJ_CLEAR(ctx->ca_chain, x509_crt); + ALLOC_OBJ_CLEAR(ctx->dhm_ctx, mbedtls_dhm_context); + ALLOC_OBJ_CLEAR(ctx->ca_chain, mbedtls_x509_crt); - ctx->endpoint = SSL_IS_CLIENT; + ctx->endpoint = MBEDTLS_SSL_IS_CLIENT; ctx->initialised = true; } @@ -103,25 +104,31 @@ tls_ctx_free(struct tls_root_ctx *ctx) { if (ctx) { - pk_free(ctx->priv_key); + mbedtls_pk_free(ctx->priv_key); if (ctx->priv_key) free(ctx->priv_key); - x509_crt_free(ctx->ca_chain); + mbedtls_x509_crt_free(ctx->ca_chain); if (ctx->ca_chain) free(ctx->ca_chain); - x509_crt_free(ctx->crt_chain); + mbedtls_x509_crt_free(ctx->crt_chain); if (ctx->crt_chain) free(ctx->crt_chain); - dhm_free(ctx->dhm_ctx); + mbedtls_dhm_free(ctx->dhm_ctx); if (ctx->dhm_ctx) free(ctx->dhm_ctx); + mbedtls_x509_crl_free(ctx->crl); + if (ctx->crl) + { + free(ctx->crl); + } + #if defined(ENABLE_PKCS11) if (ctx->priv_key_pkcs11 != NULL) { - pkcs11_priv_key_free(ctx->priv_key_pkcs11); + mbedtls_pkcs11_priv_key_free(ctx->priv_key_pkcs11); free(ctx->priv_key_pkcs11); } #endif @@ -148,6 +155,12 @@ tls_ctx_initialised(struct tls_root_ctx *ctx) } void +key_state_export_keying_material(struct key_state_ssl *ssl, + struct tls_session *session) +{ +} + +void tls_ctx_set_options (struct tls_root_ctx *ctx, unsigned int ssl_flags) { } @@ -176,7 +189,12 @@ tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers) { char *tmp_ciphers, *tmp_ciphers_orig, *token; int i, cipher_count; - int ciphers_len = strlen (ciphers); + int ciphers_len; + + if (NULL == ciphers) + return; /* Nothing to do */ + + ciphers_len = strlen (ciphers); ASSERT (NULL != ctx); ASSERT (0 != ciphers_len); @@ -196,7 +214,7 @@ tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers) token = strtok (tmp_ciphers, ":"); while(token) { - ctx->allowed_ciphers[i] = ssl_get_ciphersuite_id ( + ctx->allowed_ciphers[i] = mbedtls_ssl_get_ciphersuite_id ( tls_translate_cipher_name (token)); if (0 != ctx->allowed_ciphers[i]) i++; @@ -214,12 +232,12 @@ tls_ctx_check_cert_time (const struct tls_root_ctx *ctx) return; /* Nothing to check if there is no certificate */ } - if (x509_time_future (&ctx->crt_chain->valid_from)) + if (mbedtls_x509_time_is_future (&ctx->crt_chain->valid_from)) { msg (M_WARN, "WARNING: Your certificate is not yet valid!"); } - if (x509_time_expired (&ctx->crt_chain->valid_to)) + if (mbedtls_x509_time_is_past (&ctx->crt_chain->valid_to)) { msg (M_WARN, "WARNING: Your certificate has expired!"); } @@ -232,18 +250,27 @@ tls_ctx_load_dh_params (struct tls_root_ctx *ctx, const char *dh_file, { if (!strcmp (dh_file, INLINE_FILE_TAG) && dh_inline) { - if (!polar_ok(dhm_parse_dhm(ctx->dhm_ctx, - (const unsigned char *) dh_inline, strlen(dh_inline)))) + if (!mbed_ok(mbedtls_dhm_parse_dhm(ctx->dhm_ctx, + (const unsigned char *) dh_inline, strlen(dh_inline)+1))) msg (M_FATAL, "Cannot read inline DH parameters"); } else { - if (!polar_ok(dhm_parse_dhmfile(ctx->dhm_ctx, dh_file))) + if (!mbed_ok(mbedtls_dhm_parse_dhmfile(ctx->dhm_ctx, dh_file))) msg (M_FATAL, "Cannot read DH parameters from file %s", dh_file); } msg (D_TLS_DEBUG_LOW, "Diffie-Hellman initialized with " counter_format " bit key", - (counter_type) 8 * mpi_size(&ctx->dhm_ctx->P)); + (counter_type) 8 * mbedtls_mpi_size(&ctx->dhm_ctx->P)); +} + +void +tls_ctx_load_ecdh_params (struct tls_root_ctx *ctx, const char *curve_name + ) +{ + if (NULL != curve_name) + msg(M_WARN, "WARNING: mbed TLS builds do not support specifying an ECDH " + "curve, using default curves."); } int @@ -252,7 +279,7 @@ tls_ctx_load_pkcs12(struct tls_root_ctx *ctx, const char *pkcs12_file, bool load_ca_file ) { - msg(M_FATAL, "PKCS #12 files not yet supported for PolarSSL."); + msg(M_FATAL, "PKCS #12 files not yet supported for mbed TLS."); return 0; } @@ -260,9 +287,9 @@ tls_ctx_load_pkcs12(struct tls_root_ctx *ctx, const char *pkcs12_file, void tls_ctx_load_cryptoapi(struct tls_root_ctx *ctx, const char *cryptoapi_cert) { - msg(M_FATAL, "Windows CryptoAPI not yet supported for PolarSSL."); + msg(M_FATAL, "Windows CryptoAPI not yet supported for mbed TLS."); } -#endif /* WIN32 */ +#endif /* _WIN32 */ void tls_ctx_load_cert_file (struct tls_root_ctx *ctx, const char *cert_file, @@ -273,18 +300,18 @@ tls_ctx_load_cert_file (struct tls_root_ctx *ctx, const char *cert_file, if (!ctx->crt_chain) { - ALLOC_OBJ_CLEAR(ctx->crt_chain, x509_crt); + ALLOC_OBJ_CLEAR(ctx->crt_chain, mbedtls_x509_crt); } if (!strcmp (cert_file, INLINE_FILE_TAG) && cert_inline) { - if (!polar_ok(x509_crt_parse(ctx->crt_chain, - (const unsigned char *) cert_inline, strlen(cert_inline)))) + if (!mbed_ok(mbedtls_x509_crt_parse(ctx->crt_chain, + (const unsigned char *) cert_inline, strlen(cert_inline)+1))) msg (M_FATAL, "Cannot load inline certificate file"); } else { - if (!polar_ok(x509_crt_parse_file(ctx->crt_chain, cert_file))) + if (!mbed_ok(mbedtls_x509_crt_parse_file(ctx->crt_chain, cert_file))) { msg (M_FATAL, "Cannot load certificate file %s", cert_file); } @@ -301,51 +328,51 @@ tls_ctx_load_priv_file (struct tls_root_ctx *ctx, const char *priv_key_file, if (!ctx->priv_key) { - ALLOC_OBJ_CLEAR(ctx->priv_key, pk_context); + ALLOC_OBJ_CLEAR(ctx->priv_key, mbedtls_pk_context); } if (!strcmp (priv_key_file, INLINE_FILE_TAG) && priv_key_inline) { - status = pk_parse_key(ctx->priv_key, - (const unsigned char *) priv_key_inline, strlen(priv_key_inline), + status = mbedtls_pk_parse_key(ctx->priv_key, + (const unsigned char *) priv_key_inline, strlen(priv_key_inline)+1, NULL, 0); - if (POLARSSL_ERR_PK_PASSWORD_REQUIRED == status) + if (MBEDTLS_ERR_PK_PASSWORD_REQUIRED == status) { char passbuf[512] = {0}; pem_password_callback(passbuf, 512, 0, NULL); - status = pk_parse_key(ctx->priv_key, - (const unsigned char *) priv_key_inline, strlen(priv_key_inline), - (unsigned char *) passbuf, strlen(passbuf)); + status = mbedtls_pk_parse_key(ctx->priv_key, + (const unsigned char *) priv_key_inline, + strlen(priv_key_inline)+1, (unsigned char *) passbuf, + strlen(passbuf)); } } else { - status = pk_parse_keyfile(ctx->priv_key, priv_key_file, NULL); - if (POLARSSL_ERR_PK_PASSWORD_REQUIRED == status) + status = mbedtls_pk_parse_keyfile(ctx->priv_key, priv_key_file, NULL); + if (MBEDTLS_ERR_PK_PASSWORD_REQUIRED == status) { char passbuf[512] = {0}; pem_password_callback(passbuf, 512, 0, NULL); - status = pk_parse_keyfile(ctx->priv_key, priv_key_file, passbuf); + status = mbedtls_pk_parse_keyfile(ctx->priv_key, priv_key_file, passbuf); } } - if (!polar_ok(status)) + if (!mbed_ok(status)) { #ifdef ENABLE_MANAGEMENT - if (management && (POLARSSL_ERR_PK_PASSWORD_MISMATCH == status)) + if (management && (MBEDTLS_ERR_PK_PASSWORD_MISMATCH == status)) management_auth_failure (management, UP_TYPE_PRIVATE_KEY, NULL); #endif msg (M_WARN, "Cannot load private key file %s", priv_key_file); return 1; } - warn_if_group_others_accessible (priv_key_file); + if (!mbed_ok(mbedtls_pk_check_pair(&ctx->crt_chain->pk, ctx->priv_key))) + { + msg (M_WARN, "Private key does not match the certificate"); + return 1; + } - /* TODO: Check Private Key */ -#if 0 - if (!SSL_CTX_check_private_key (ctx)) - msg (M_SSLERR, "Private key does not match the certificate"); -#endif return 0; } @@ -357,7 +384,7 @@ struct external_context { }; /** - * external_pkcs1_sign implements a PolarSSL rsa_sign_func callback, that uses + * external_pkcs1_sign implements a mbed TLS rsa_sign_func callback, that uses * the management interface to request an RSA signature for the supplied hash. * * @param ctx_voidptr Management external key context. @@ -366,18 +393,18 @@ struct external_context { * @param mode RSA mode (should be RSA_PRIVATE). * @param md_alg Message digest ('hash') algorithm type. * @param hashlen Length of hash (overridden by length specified by md_alg - * if md_alg != POLARSSL_MD_NONE). + * if md_alg != MBEDTLS_MD_NONE). * @param hash The digest ('hash') to sign. Should have a size - * matching the length of md_alg (if != POLARSSL_MD_NONE), + * matching the length of md_alg (if != MBEDTLS_MD_NONE), * or hashlen otherwise. * @param sig Buffer that returns the signature. Should be at least of * size ctx->signature_length. * - * @return 0 on success, non-zero polarssl error code on failure. + * @return 0 on success, non-zero mbed TLS error code on failure. */ static inline int external_pkcs1_sign( void *ctx_voidptr, int (*f_rng)(void *, unsigned char *, size_t), void *p_rng, int mode, - md_type_t md_alg, unsigned int hashlen, const unsigned char *hash, + mbedtls_md_type_t md_alg, unsigned int hashlen, const unsigned char *hash, unsigned char *sig ) { struct external_context * const ctx = ctx_voidptr; @@ -389,35 +416,35 @@ static inline int external_pkcs1_sign( void *ctx_voidptr, const char *oid = NULL; if( NULL == ctx ) - return POLARSSL_ERR_RSA_BAD_INPUT_DATA; + return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; - if( RSA_PRIVATE != mode ) - return POLARSSL_ERR_RSA_BAD_INPUT_DATA; + if( MBEDTLS_RSA_PRIVATE != mode ) + return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; /* * Support a wide range of hashes. TLSv1.1 and before only need SIG_RSA_RAW, * but TLSv1.2 needs the full suite of hashes. * - * This code has been taken from PolarSSL pkcs11_sign(), under the GPLv2.0+. + * This code has been taken from mbed TLS pkcs11_sign(), under the GPLv2.0+. */ - if( md_alg != POLARSSL_MD_NONE ) + if( md_alg != MBEDTLS_MD_NONE ) { - const md_info_t *md_info = md_info_from_type( md_alg ); + const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type( md_alg ); if( md_info == NULL ) - return( POLARSSL_ERR_RSA_BAD_INPUT_DATA ); + return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); - if (!polar_ok(oid_get_oid_by_md( md_alg, &oid, &oid_size ))) - return( POLARSSL_ERR_RSA_BAD_INPUT_DATA ); + if (!mbed_ok(mbedtls_oid_get_oid_by_md( md_alg, &oid, &oid_size ))) + return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); - hashlen = md_get_size( md_info ); + hashlen = mbedtls_md_get_size( md_info ); asn_len = 10 + oid_size; } sig_len = ctx->signature_length; if ( (SIZE_MAX - hashlen) < asn_len || (hashlen + asn_len) > sig_len ) - return POLARSSL_ERR_RSA_BAD_INPUT_DATA; + return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; - if( md_alg != POLARSSL_MD_NONE ) + if( md_alg != MBEDTLS_MD_NONE ) { /* * DigestInfo ::= SEQUENCE { @@ -428,17 +455,17 @@ static inline int external_pkcs1_sign( void *ctx_voidptr, * * Digest ::= OCTET STRING */ - *p++ = ASN1_SEQUENCE | ASN1_CONSTRUCTED; + *p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED; *p++ = (unsigned char) ( 0x08 + oid_size + hashlen ); - *p++ = ASN1_SEQUENCE | ASN1_CONSTRUCTED; + *p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED; *p++ = (unsigned char) ( 0x04 + oid_size ); - *p++ = ASN1_OID; + *p++ = MBEDTLS_ASN1_OID; *p++ = oid_size & 0xFF; memcpy( p, oid, oid_size ); p += oid_size; - *p++ = ASN1_NULL; + *p++ = MBEDTLS_ASN1_NULL; *p++ = 0x00; - *p++ = ASN1_OCTET_STRING; + *p++ = MBEDTLS_ASN1_OCTET_STRING; *p++ = hashlen; /* Determine added ASN length */ @@ -451,7 +478,7 @@ static inline int external_pkcs1_sign( void *ctx_voidptr, /* convert 'from' to base64 */ if (openvpn_base64_encode (sig, asn_len + hashlen, &in_b64) <= 0) { - rv = POLARSSL_ERR_RSA_BAD_INPUT_DATA; + rv = MBEDTLS_ERR_RSA_BAD_INPUT_DATA; goto done; } @@ -460,7 +487,7 @@ static inline int external_pkcs1_sign( void *ctx_voidptr, out_b64 = management_query_rsa_sig (management, in_b64); if (!out_b64) { - rv = POLARSSL_ERR_RSA_PRIVATE_FAILED; + rv = MBEDTLS_ERR_RSA_PRIVATE_FAILED; goto done; } @@ -468,7 +495,7 @@ static inline int external_pkcs1_sign( void *ctx_voidptr, if ( openvpn_base64_decode (out_b64, sig, ctx->signature_length) != ctx->signature_length ) { - rv = POLARSSL_ERR_RSA_PRIVATE_FAILED; + rv = MBEDTLS_ERR_RSA_PRIVATE_FAILED; goto done; } @@ -501,10 +528,10 @@ tls_ctx_use_external_private_key (struct tls_root_ctx *ctx, return 0; ALLOC_OBJ_CLEAR (ctx->external_key, struct external_context); - ctx->external_key->signature_length = pk_get_len(&ctx->crt_chain->pk); + ctx->external_key->signature_length = mbedtls_pk_get_len (&ctx->crt_chain->pk); - ALLOC_OBJ_CLEAR (ctx->priv_key, pk_context); - if (!polar_ok (pk_init_ctx_rsa_alt(ctx->priv_key, ctx->external_key, + ALLOC_OBJ_CLEAR (ctx->priv_key, mbedtls_pk_context); + if (!mbed_ok (mbedtls_pk_setup_rsa_alt (ctx->priv_key, ctx->external_key, NULL, external_pkcs1_sign, external_key_len))) return 0; @@ -513,21 +540,22 @@ tls_ctx_use_external_private_key (struct tls_root_ctx *ctx, #endif void tls_ctx_load_ca (struct tls_root_ctx *ctx, const char *ca_file, - const char *ca_inline, const char *ca_path, bool tls_server) + const char *ca_inline, const char *ca_path, bool tls_server + ) { if (ca_path) - msg(M_FATAL, "ERROR: PolarSSL cannot handle the capath directive"); + msg(M_FATAL, "ERROR: mbed TLS cannot handle the capath directive"); if (ca_file && !strcmp (ca_file, INLINE_FILE_TAG) && ca_inline) { - if (!polar_ok(x509_crt_parse(ctx->ca_chain, - (const unsigned char *) ca_inline, strlen(ca_inline)))) + if (!mbed_ok (mbedtls_x509_crt_parse (ctx->ca_chain, + (const unsigned char *) ca_inline, strlen(ca_inline)+1))) msg (M_FATAL, "Cannot load inline CA certificates"); } else { /* Load CA file for verifying peer supplied certificate */ - if (!polar_ok(x509_crt_parse_file(ctx->ca_chain, ca_file))) + if (!mbed_ok (mbedtls_x509_crt_parse_file (ctx->ca_chain, ca_file))) msg (M_FATAL, "Cannot load CA certificate file %s", ca_file); } } @@ -541,19 +569,19 @@ tls_ctx_load_extra_certs (struct tls_root_ctx *ctx, const char *extra_certs_file if (!ctx->crt_chain) { - ALLOC_OBJ_CLEAR (ctx->crt_chain, x509_crt); + ALLOC_OBJ_CLEAR (ctx->crt_chain, mbedtls_x509_crt); } if (!strcmp (extra_certs_file, INLINE_FILE_TAG) && extra_certs_inline) { - if (!polar_ok(x509_crt_parse(ctx->crt_chain, + if (!mbed_ok(mbedtls_x509_crt_parse(ctx->crt_chain, (const unsigned char *) extra_certs_inline, - strlen(extra_certs_inline)))) + strlen(extra_certs_inline)+1))) msg (M_FATAL, "Cannot load inline extra-certs file"); } else { - if (!polar_ok(x509_crt_parse_file(ctx->crt_chain, extra_certs_file))) + if (!mbed_ok(mbedtls_x509_crt_parse_file(ctx->crt_chain, extra_certs_file))) msg (M_FATAL, "Cannot load extra-certs file: %s", extra_certs_file); } } @@ -588,13 +616,12 @@ static void buf_free_entries(endless_buffer *buf) buf->last_block = NULL; } -static int endless_buf_read( void * ctx, unsigned char * out, size_t out_len ) +static int endless_buf_read( endless_buffer *in, unsigned char * out, size_t out_len ) { - endless_buffer *in = (endless_buffer *) ctx; size_t read_len = 0; if (in->first_block == NULL) - return POLARSSL_ERR_NET_WANT_READ; + return MBEDTLS_ERR_SSL_WANT_READ; while (in->first_block != NULL && read_len < out_len) { @@ -627,18 +654,17 @@ static int endless_buf_read( void * ctx, unsigned char * out, size_t out_len ) return read_len; } -static int endless_buf_write( void *ctx, const unsigned char *in, size_t len ) +static int endless_buf_write( endless_buffer *out, const unsigned char *in, size_t len ) { - endless_buffer *out = (endless_buffer *) ctx; buffer_entry *new_block = malloc(sizeof(buffer_entry)); if (NULL == new_block) - return POLARSSL_ERR_NET_SEND_FAILED; + return MBEDTLS_ERR_NET_SEND_FAILED; new_block->data = malloc(len); if (NULL == new_block->data) { free(new_block); - return POLARSSL_ERR_NET_SEND_FAILED; + return MBEDTLS_ERR_NET_SEND_FAILED; } new_block->length = len; @@ -657,10 +683,23 @@ static int endless_buf_write( void *ctx, const unsigned char *in, size_t len ) return len; } -static void my_debug( void *ctx, int level, const char *str ) +static int ssl_bio_read( void *ctx, unsigned char *out, size_t out_len) +{ + bio_ctx *my_ctx = (bio_ctx *) ctx; + return endless_buf_read (&my_ctx->in, out, out_len); +} + +static int ssl_bio_write( void *ctx, const unsigned char *in, size_t in_len) +{ + bio_ctx *my_ctx = (bio_ctx *) ctx; + return endless_buf_write (&my_ctx->out, in, in_len); +} + +static void my_debug( void *ctx, int level, const char *file, int line, + const char *str ) { int my_loglevel = (level < 3) ? D_TLS_DEBUG_MED : D_TLS_DEBUG; - msg (my_loglevel, "PolarSSL msg: %s", str); + msg (my_loglevel, "mbed TLS msg (%s:%d): %s", file, line, str); } /* @@ -670,16 +709,16 @@ void tls_ctx_personalise_random(struct tls_root_ctx *ctx) { static char old_sha256_hash[32] = {0}; unsigned char sha256_hash[32] = {0}; - ctr_drbg_context *cd_ctx = rand_ctx_get(); + mbedtls_ctr_drbg_context *cd_ctx = rand_ctx_get(); if (NULL != ctx->crt_chain) { - x509_crt *cert = ctx->crt_chain; + mbedtls_x509_crt *cert = ctx->crt_chain; - sha256(cert->tbs.p, cert->tbs.len, sha256_hash, false); + mbedtls_sha256(cert->tbs.p, cert->tbs.len, sha256_hash, false); if ( 0 != memcmp(old_sha256_hash, sha256_hash, sizeof(sha256_hash))) { - ctr_drbg_update(cd_ctx, sha256_hash, 32); + mbedtls_ctr_drbg_update(cd_ctx, sha256_hash, 32); memcpy(old_sha256_hash, sha256_hash, sizeof(old_sha256_hash)); } } @@ -688,9 +727,9 @@ void tls_ctx_personalise_random(struct tls_root_ctx *ctx) int tls_version_max(void) { -#if defined(SSL_MAJOR_VERSION_3) && defined(SSL_MINOR_VERSION_3) +#if defined(MBEDTLS_SSL_MAJOR_VERSION_3) && defined(MBEDTLS_SSL_MINOR_VERSION_3) return TLS_VER_1_2; -#elif defined(SSL_MAJOR_VERSION_3) && defined(SSL_MINOR_VERSION_2) +#elif defined(MBEDTLS_SSL_MAJOR_VERSION_3) && defined(MBEDTLS_SSL_MINOR_VERSION_2) return TLS_VER_1_1; #else return TLS_VER_1_0; @@ -698,13 +737,13 @@ tls_version_max(void) } /** - * Convert an OpenVPN tls-version variable to PolarSSl format (i.e. a major and + * Convert an OpenVPN tls-version variable to mbed TLS format (i.e. a major and * minor ssl version number). * * @param tls_ver The tls-version variable to convert. - * @param major Returns the TLS major version in polarssl format. + * @param major Returns the TLS major version in mbed TLS format. * Must be a valid pointer. - * @param minor Returns the TLS minor version in polarssl format. + * @param minor Returns the TLS minor version in mbed TLS format. * Must be a valid pointer. */ static void tls_version_to_major_minor(int tls_ver, int *major, int *minor) { @@ -714,16 +753,16 @@ static void tls_version_to_major_minor(int tls_ver, int *major, int *minor) { switch (tls_ver) { case TLS_VER_1_0: - *major = SSL_MAJOR_VERSION_3; - *minor = SSL_MINOR_VERSION_1; + *major = MBEDTLS_SSL_MAJOR_VERSION_3; + *minor = MBEDTLS_SSL_MINOR_VERSION_1; break; case TLS_VER_1_1: - *major = SSL_MAJOR_VERSION_3; - *minor = SSL_MINOR_VERSION_2; + *major = MBEDTLS_SSL_MAJOR_VERSION_3; + *minor = MBEDTLS_SSL_MINOR_VERSION_2; break; case TLS_VER_1_2: - *major = SSL_MAJOR_VERSION_3; - *minor = SSL_MINOR_VERSION_3; + *major = MBEDTLS_SSL_MAJOR_VERSION_3; + *minor = MBEDTLS_SSL_MINOR_VERSION_3; break; default: msg(M_FATAL, "%s: invalid TLS version %d", __func__, tls_ver); @@ -731,6 +770,41 @@ static void tls_version_to_major_minor(int tls_ver, int *major, int *minor) { } } +void +tls_ctx_reload_crl(struct tls_root_ctx *ctx, const char *crl_file, + const char *crl_inline) +{ + ASSERT (crl_file); + + if (ctx->crl == NULL) + { + ALLOC_OBJ_CLEAR(ctx->crl, mbedtls_x509_crl); + } + mbedtls_x509_crl_free(ctx->crl); + + if (!strcmp (crl_file, INLINE_FILE_TAG) && crl_inline) + { + if (!mbed_ok(mbedtls_x509_crl_parse(ctx->crl, + (const unsigned char *)crl_inline, strlen(crl_inline)+1))) + { + msg (M_WARN, "CRL: cannot parse inline CRL"); + goto err; + } + } + else + { + if (!mbed_ok(mbedtls_x509_crl_parse_file(ctx->crl, crl_file))) + { + msg (M_WARN, "CRL: cannot read CRL from file %s", crl_file); + goto err; + } + } + return; + +err: + mbedtls_x509_crl_free(ctx->crl); +} + void key_state_ssl_init(struct key_state_ssl *ks_ssl, const struct tls_root_ctx *ssl_ctx, bool is_server, struct tls_session *session) { @@ -738,88 +812,92 @@ void key_state_ssl_init(struct key_state_ssl *ks_ssl, ASSERT(ks_ssl); CLEAR(*ks_ssl); - ALLOC_OBJ_CLEAR(ks_ssl->ctx, ssl_context); - if (polar_ok(ssl_init(ks_ssl->ctx))) + /* Initialise SSL config */ + mbedtls_ssl_config_init(&ks_ssl->ssl_config); + mbedtls_ssl_config_defaults(&ks_ssl->ssl_config, ssl_ctx->endpoint, + MBEDTLS_SSL_TRANSPORT_STREAM, MBEDTLS_SSL_PRESET_DEFAULT); +#ifdef MBEDTLS_DEBUG_C + mbedtls_debug_set_threshold(3); +#endif + mbedtls_ssl_conf_dbg (&ks_ssl->ssl_config, my_debug, NULL); + mbedtls_ssl_conf_rng (&ks_ssl->ssl_config, mbedtls_ctr_drbg_random, + rand_ctx_get()); + + if (ssl_ctx->allowed_ciphers) + mbedtls_ssl_conf_ciphersuites (&ks_ssl->ssl_config, ssl_ctx->allowed_ciphers); + + /* Disable record splitting (for now). OpenVPN assumes records are sent + * unfragmented, and changing that will require thorough review and + * testing. Since OpenVPN is not susceptible to BEAST, we can just + * disable record splitting as a quick fix. */ +#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING) + mbedtls_ssl_conf_cbc_record_splitting (&ks_ssl->ssl_config, + MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED); +#endif /* MBEDTLS_SSL_CBC_RECORD_SPLITTING */ + + /* Initialise authentication information */ + if (is_server) + mbed_ok (mbedtls_ssl_conf_dh_param_ctx(&ks_ssl->ssl_config, + ssl_ctx->dhm_ctx)); + + mbed_ok (mbedtls_ssl_conf_own_cert(&ks_ssl->ssl_config, ssl_ctx->crt_chain, + ssl_ctx->priv_key)); + + /* Initialise SSL verification */ +#if P2MP_SERVER + if (session->opt->ssl_flags & SSLF_CLIENT_CERT_OPTIONAL) { - /* Initialise SSL context */ - debug_set_threshold(3); - ssl_set_dbg (ks_ssl->ctx, my_debug, NULL); - ssl_set_endpoint (ks_ssl->ctx, ssl_ctx->endpoint); - - ssl_set_rng (ks_ssl->ctx, ctr_drbg_random, rand_ctx_get()); + mbedtls_ssl_conf_authmode(&ks_ssl->ssl_config, MBEDTLS_SSL_VERIFY_OPTIONAL); + } + else if (!(session->opt->ssl_flags & SSLF_CLIENT_CERT_NOT_REQUIRED)) +#endif + { + mbedtls_ssl_conf_authmode (&ks_ssl->ssl_config, MBEDTLS_SSL_VERIFY_REQUIRED); + } + mbedtls_ssl_conf_verify (&ks_ssl->ssl_config, verify_callback, session); - if (ssl_ctx->allowed_ciphers) - ssl_set_ciphersuites (ks_ssl->ctx, ssl_ctx->allowed_ciphers); + /* TODO: mbed TLS does not currently support sending the CA chain to the client */ + mbedtls_ssl_conf_ca_chain (&ks_ssl->ssl_config, ssl_ctx->ca_chain, ssl_ctx->crl); - /* Disable record splitting (for now). OpenVPN assumes records are sent - * unfragmented, and changing that will require thorough review and - * testing. Since OpenVPN is not susceptible to BEAST, we can just - * disable record splitting as a quick fix. */ -#if defined(POLARSSL_SSL_CBC_RECORD_SPLITTING) - ssl_set_cbc_record_splitting (ks_ssl->ctx, SSL_CBC_RECORD_SPLITTING_DISABLED); -#endif /* POLARSSL_SSL_CBC_RECORD_SPLITTING */ + /* Initialize minimum TLS version */ + { + const int tls_version_min = + (session->opt->ssl_flags >> SSLF_TLS_VERSION_MIN_SHIFT) & + SSLF_TLS_VERSION_MIN_MASK; - /* Initialise authentication information */ - if (is_server) - polar_ok (ssl_set_dh_param_ctx (ks_ssl->ctx, ssl_ctx->dhm_ctx)); + /* default to TLS 1.0 */ + int major = MBEDTLS_SSL_MAJOR_VERSION_3; + int minor = MBEDTLS_SSL_MINOR_VERSION_1; - polar_ok (ssl_set_own_cert (ks_ssl->ctx, ssl_ctx->crt_chain, - ssl_ctx->priv_key)); + if (tls_version_min > TLS_VER_UNSPEC) + tls_version_to_major_minor(tls_version_min, &major, &minor); - /* Initialise SSL verification */ -#if P2MP_SERVER - if (session->opt->ssl_flags & SSLF_CLIENT_CERT_NOT_REQUIRED) - { - msg (M_WARN, "WARNING: POTENTIALLY DANGEROUS OPTION " - "--client-cert-not-required may accept clients which do not present " - "a certificate"); - } - else -#endif - { - ssl_set_authmode (ks_ssl->ctx, SSL_VERIFY_REQUIRED); - ssl_set_verify (ks_ssl->ctx, verify_callback, session); - } + mbedtls_ssl_conf_min_version(&ks_ssl->ssl_config, major, minor); + } - /* TODO: PolarSSL does not currently support sending the CA chain to the client */ - ssl_set_ca_chain (ks_ssl->ctx, ssl_ctx->ca_chain, NULL, NULL ); + /* Initialize maximum TLS version */ + { + const int tls_version_max = + (session->opt->ssl_flags >> SSLF_TLS_VERSION_MAX_SHIFT) & + SSLF_TLS_VERSION_MAX_MASK; - /* Initialize minimum TLS version */ + if (tls_version_max > TLS_VER_UNSPEC) { - const int tls_version_min = - (session->opt->ssl_flags >> SSLF_TLS_VERSION_MIN_SHIFT) & - SSLF_TLS_VERSION_MIN_MASK; - - /* default to TLS 1.0 */ - int major = SSL_MAJOR_VERSION_3; - int minor = SSL_MINOR_VERSION_1; - - if (tls_version_min > TLS_VER_UNSPEC) - tls_version_to_major_minor(tls_version_min, &major, &minor); - - ssl_set_min_version(ks_ssl->ctx, major, minor); + int major, minor; + tls_version_to_major_minor(tls_version_max, &major, &minor); + mbedtls_ssl_conf_max_version(&ks_ssl->ssl_config, major, minor); } + } - /* Initialize maximum TLS version */ - { - const int tls_version_max = - (session->opt->ssl_flags >> SSLF_TLS_VERSION_MAX_SHIFT) & - SSLF_TLS_VERSION_MAX_MASK; - - if (tls_version_max > TLS_VER_UNSPEC) - { - int major, minor; - tls_version_to_major_minor(tls_version_max, &major, &minor); - ssl_set_max_version(ks_ssl->ctx, major, minor); - } - } + /* Initialise SSL context */ + ALLOC_OBJ_CLEAR(ks_ssl->ctx, mbedtls_ssl_context); + mbedtls_ssl_init(ks_ssl->ctx); + mbedtls_ssl_setup(ks_ssl->ctx, &ks_ssl->ssl_config); - /* Initialise BIOs */ - ALLOC_OBJ_CLEAR (ks_ssl->ct_in, endless_buffer); - ALLOC_OBJ_CLEAR (ks_ssl->ct_out, endless_buffer); - ssl_set_bio (ks_ssl->ctx, endless_buf_read, ks_ssl->ct_in, - endless_buf_write, ks_ssl->ct_out); - } + /* Initialise BIOs */ + CLEAR (ks_ssl->bio_ctx); + mbedtls_ssl_set_bio (ks_ssl->ctx, &ks_ssl->bio_ctx, ssl_bio_write, + ssl_bio_read, NULL); } void @@ -828,17 +906,12 @@ key_state_ssl_free(struct key_state_ssl *ks_ssl) if (ks_ssl) { if (ks_ssl->ctx) { - ssl_free(ks_ssl->ctx); + mbedtls_ssl_free(ks_ssl->ctx); free(ks_ssl->ctx); } - if (ks_ssl->ct_in) { - buf_free_entries(ks_ssl->ct_in); - free(ks_ssl->ct_in); - } - if (ks_ssl->ct_out) { - buf_free_entries(ks_ssl->ct_out); - free(ks_ssl->ct_out); - } + mbedtls_ssl_config_free(&ks_ssl->ssl_config); + buf_free_entries(&ks_ssl->bio_ctx.in); + buf_free_entries(&ks_ssl->bio_ctx.out); CLEAR(*ks_ssl); } } @@ -847,46 +920,18 @@ int key_state_write_plaintext (struct key_state_ssl *ks, struct buffer *buf) { int retval = 0; - perf_push (PERF_BIO_WRITE_PLAINTEXT); - ASSERT (NULL != ks); ASSERT (buf); - ASSERT (buf->len >= 0); - if (0 == buf->len) - { - perf_pop (); - return 0; - } - - retval = ssl_write(ks->ctx, BPTR(buf), buf->len); - - if (retval < 0) - { - perf_pop (); - if (POLARSSL_ERR_NET_WANT_WRITE == retval || POLARSSL_ERR_NET_WANT_READ == retval) - return 0; - msg (D_TLS_ERRORS, "TLS ERROR: write tls_write_plaintext error"); - return -1; - } + retval = key_state_write_plaintext_const(ks, BPTR(buf), BLEN(buf)); - if (retval != buf->len) + if (1 == retval) { - msg (D_TLS_ERRORS, - "TLS ERROR: write tls_write_plaintext incomplete %d/%d", - retval, buf->len); - perf_pop (); - return -1; + memset (BPTR (buf), 0, BLEN (buf)); /* erase data just written */ + buf->len = 0; } - /* successful write */ - dmsg (D_HANDSHAKE_VERBOSE, "write tls_write_plaintext %d bytes", retval); - - memset (BPTR (buf), 0, BLEN (buf)); /* erase data just written */ - buf->len = 0; - - perf_pop (); - return 1; + return retval; } int @@ -906,14 +951,14 @@ key_state_write_plaintext_const (struct key_state_ssl *ks, const uint8_t *data, ASSERT (data); - retval = ssl_write(ks->ctx, data, len); + retval = mbedtls_ssl_write(ks->ctx, data, len); if (retval < 0) { perf_pop (); - if (POLARSSL_ERR_NET_WANT_WRITE == retval || POLARSSL_ERR_NET_WANT_READ == retval) + if (MBEDTLS_ERR_SSL_WANT_WRITE == retval || MBEDTLS_ERR_SSL_WANT_READ == retval) return 0; - polar_log_err (D_TLS_ERRORS, retval, + mbed_log_err (D_TLS_ERRORS, retval, "TLS ERROR: write tls_write_plaintext_const error"); return -1; } @@ -957,15 +1002,15 @@ key_state_read_ciphertext (struct key_state_ssl *ks, struct buffer *buf, if (maxlen < len) len = maxlen; - retval = endless_buf_read(ks->ct_out, BPTR(buf), len); + retval = endless_buf_read(&ks->bio_ctx.out, BPTR(buf), len); /* Error during read, check for retry error */ if (retval < 0) { perf_pop (); - if (POLARSSL_ERR_NET_WANT_WRITE == retval || POLARSSL_ERR_NET_WANT_READ == retval) + if (MBEDTLS_ERR_SSL_WANT_WRITE == retval || MBEDTLS_ERR_SSL_WANT_READ == retval) return 0; - polar_log_err (D_TLS_ERRORS, retval, "TLS_ERROR: read tls_read_ciphertext error"); + mbed_log_err (D_TLS_ERRORS, retval, "TLS_ERROR: read tls_read_ciphertext error"); buf->len = 0; return -1; } @@ -1000,15 +1045,15 @@ key_state_write_ciphertext (struct key_state_ssl *ks, struct buffer *buf) return 0; } - retval = endless_buf_write(ks->ct_in, BPTR(buf), buf->len); + retval = endless_buf_write(&ks->bio_ctx.in, BPTR(buf), buf->len); if (retval < 0) { perf_pop (); - if (POLARSSL_ERR_NET_WANT_WRITE == retval || POLARSSL_ERR_NET_WANT_READ == retval) + if (MBEDTLS_ERR_SSL_WANT_WRITE == retval || MBEDTLS_ERR_SSL_WANT_READ == retval) return 0; - polar_log_err (D_TLS_ERRORS, retval, + mbed_log_err (D_TLS_ERRORS, retval, "TLS ERROR: write tls_write_ciphertext error"); return -1; } @@ -1054,14 +1099,14 @@ key_state_read_plaintext (struct key_state_ssl *ks, struct buffer *buf, if (maxlen < len) len = maxlen; - retval = ssl_read(ks->ctx, BPTR(buf), len); + retval = mbedtls_ssl_read(ks->ctx, BPTR(buf), len); /* Error during read, check for retry error */ if (retval < 0) { - if (POLARSSL_ERR_NET_WANT_WRITE == retval || POLARSSL_ERR_NET_WANT_READ == retval) + if (MBEDTLS_ERR_SSL_WANT_WRITE == retval || MBEDTLS_ERR_SSL_WANT_READ == retval) return 0; - polar_log_err (D_TLS_ERRORS, retval, "TLS_ERROR: read tls_read_plaintext error"); + mbed_log_err (D_TLS_ERRORS, retval, "TLS_ERROR: read tls_read_plaintext error"); buf->len = 0; perf_pop (); return -1; @@ -1092,20 +1137,21 @@ key_state_read_plaintext (struct key_state_ssl *ks, struct buffer *buf, void print_details (struct key_state_ssl * ks_ssl, const char *prefix) { - const x509_crt *cert; + const mbedtls_x509_crt *cert; char s1[256]; char s2[256]; s1[0] = s2[0] = 0; openvpn_snprintf (s1, sizeof (s1), "%s %s, cipher %s", prefix, - ssl_get_version (ks_ssl->ctx), - ssl_get_ciphersuite(ks_ssl->ctx)); + mbedtls_ssl_get_version (ks_ssl->ctx), + mbedtls_ssl_get_ciphersuite (ks_ssl->ctx)); - cert = ssl_get_peer_cert(ks_ssl->ctx); + cert = mbedtls_ssl_get_peer_cert (ks_ssl->ctx); if (cert != NULL) { - openvpn_snprintf (s2, sizeof (s2), ", %zu bit key", pk_get_size(&cert->pk)); + openvpn_snprintf (s2, sizeof (s2), ", %u bit key", + (unsigned int) mbedtls_pk_get_bitlen (&cert->pk)); } msg (D_HANDSHAKE, "%s%s", s1, s2); @@ -1115,12 +1161,13 @@ void show_available_tls_ciphers (const char *cipher_list) { struct tls_root_ctx tls_ctx; - const int *ciphers = ssl_list_ciphersuites(); + const int *ciphers = mbedtls_ssl_list_ciphersuites (); - if (cipher_list) { - tls_ctx_restrict_ciphers(&tls_ctx, cipher_list); + tls_ctx_server_new(&tls_ctx); + tls_ctx_restrict_ciphers(&tls_ctx, cipher_list); + + if (tls_ctx.allowed_ciphers) ciphers = tls_ctx.allowed_ciphers; - } #ifndef ENABLE_SMALL printf ("Available TLS Ciphers,\n"); @@ -1129,32 +1176,51 @@ show_available_tls_ciphers (const char *cipher_list) while (*ciphers != 0) { - printf ("%s\n", ssl_get_ciphersuite_name(*ciphers)); + printf ("%s\n", mbedtls_ssl_get_ciphersuite_name (*ciphers)); ciphers++; } printf ("\n" SHOW_TLS_CIPHER_LIST_WARNING); + + tls_ctx_free(&tls_ctx); +} + +void +show_available_curves (void) +{ + const mbedtls_ecp_curve_info *pcurve = mbedtls_ecp_curve_list (); + + if (NULL == pcurve) + msg (M_FATAL, "Cannot retrieve curve list from mbed TLS"); + + /* Print curve list */ + printf ("Available Elliptic curves, listed in order of preference:\n\n"); + while (MBEDTLS_ECP_DP_NONE != pcurve->grp_id) + { + printf("%s\n", pcurve->name); + pcurve++; + } } void get_highest_preference_tls_cipher (char *buf, int size) { const char *cipher_name; - const int *ciphers = ssl_list_ciphersuites(); + const int *ciphers = mbedtls_ssl_list_ciphersuites(); if (*ciphers == 0) msg (M_FATAL, "Cannot retrieve list of supported SSL ciphers."); - cipher_name = ssl_get_ciphersuite_name(*ciphers); + cipher_name = mbedtls_ssl_get_ciphersuite_name(*ciphers); strncpynt (buf, cipher_name, size); } const char * get_ssl_library_version(void) { - static char polar_version[30]; - unsigned int pv = version_get_number(); - sprintf( polar_version, "PolarSSL %d.%d.%d", + static char mbedtls_version[30]; + unsigned int pv = mbedtls_version_get_number(); + sprintf( mbedtls_version, "mbed TLS %d.%d.%d", (pv>>24)&0xff, (pv>>16)&0xff, (pv>>8)&0xff ); - return polar_version; + return mbedtls_version; } -#endif /* defined(ENABLE_SSL) && defined(ENABLE_CRYPTO_POLARSSL) */ +#endif /* defined(ENABLE_CRYPTO) && defined(ENABLE_CRYPTO_MBEDTLS) */ diff --git a/src/openvpn/ssl_polarssl.h b/src/openvpn/ssl_mbedtls.h index b80a509..3edeedc 100644 --- a/src/openvpn/ssl_polarssl.h +++ b/src/openvpn/ssl_mbedtls.h @@ -24,19 +24,19 @@ */ /** - * @file Control Channel PolarSSL Backend + * @file Control Channel mbed TLS Backend */ -#ifndef SSL_POLARSSL_H_ -#define SSL_POLARSSL_H_ +#ifndef SSL_MBEDTLS_H_ +#define SSL_MBEDTLS_H_ #include "syshead.h" -#include <polarssl/ssl.h> -#include <polarssl/x509_crt.h> +#include <mbedtls/ssl.h> +#include <mbedtls/x509_crt.h> #if defined(ENABLE_PKCS11) -#include <polarssl/pkcs11.h> +#include <mbedtls/pkcs11.h> #endif typedef struct _buffer_entry buffer_entry; @@ -53,6 +53,11 @@ typedef struct { buffer_entry *last_block; } endless_buffer; +typedef struct { + endless_buffer in; + endless_buffer out; +} bio_ctx; + /** * Structure that wraps the TLS context. Contents differ depending on the * SSL library used. @@ -64,12 +69,13 @@ struct tls_root_ctx { int endpoint; /**< Whether or not this is a server or a client */ - dhm_context *dhm_ctx; /**< Diffie-Helmann-Merkle context */ - x509_crt *crt_chain; /**< Local Certificate chain */ - x509_crt *ca_chain; /**< CA chain for remote verification */ - pk_context *priv_key; /**< Local private key */ + mbedtls_dhm_context *dhm_ctx; /**< Diffie-Helmann-Merkle context */ + mbedtls_x509_crt *crt_chain; /**< Local Certificate chain */ + mbedtls_x509_crt *ca_chain; /**< CA chain for remote verification */ + mbedtls_pk_context *priv_key; /**< Local private key */ + mbedtls_x509_crl *crl; /**< Certificate Revocation List */ #if defined(ENABLE_PKCS11) - pkcs11_context *priv_key_pkcs11; /**< PKCS11 private key */ + mbedtls_pkcs11_context *priv_key_pkcs11; /**< PKCS11 private key */ #endif #ifdef MANAGMENT_EXTERNAL_KEY struct external_context *external_key; /**< Management external key */ @@ -78,10 +84,10 @@ struct tls_root_ctx { }; struct key_state_ssl { - ssl_context *ctx; - endless_buffer *ct_in; - endless_buffer *ct_out; + mbedtls_ssl_config ssl_config; /**< mbedTLS global ssl config */ + mbedtls_ssl_context *ctx; /**< mbedTLS connection context */ + bio_ctx bio_ctx; }; -#endif /* SSL_POLARSSL_H_ */ +#endif /* SSL_MBEDTLS_H_ */ diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index 1dfbb23..51669fc 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -35,7 +35,7 @@ #include "syshead.h" -#if defined(ENABLE_SSL) && defined(ENABLE_CRYPTO_OPENSSL) +#if defined(ENABLE_CRYPTO) && defined(ENABLE_CRYPTO_OPENSSL) #include "errlevel.h" #include "buffer.h" @@ -56,6 +56,9 @@ #include <openssl/pkcs12.h> #include <openssl/x509.h> #include <openssl/crypto.h> +#ifndef OPENSSL_NO_EC +#include <openssl/ec.h> +#endif /* * Allocate space in SSL objects in which to store a struct tls_session @@ -93,62 +96,23 @@ tls_clear_error() ERR_clear_error (); } -/* - * OpenSSL callback to get a temporary RSA key, mostly - * used for export ciphers. - */ -static RSA * -tmp_rsa_cb (SSL * s, int is_export, int keylength) -{ - static RSA *rsa_tmp = NULL; - if (rsa_tmp == NULL) - { - int ret = -1; - BIGNUM *bn = BN_new(); - rsa_tmp = RSA_new(); - - msg (D_HANDSHAKE, "Generating temp (%d bit) RSA key", keylength); - - if(!bn || !BN_set_word(bn, RSA_F4) || - !RSA_generate_key_ex(rsa_tmp, keylength, bn, NULL)) - crypto_msg(M_FATAL, "Failed to generate temp RSA key"); - - if (bn) BN_free( bn ); - } - return (rsa_tmp); -} - void -tls_ctx_server_new(struct tls_root_ctx *ctx, unsigned int ssl_flags) +tls_ctx_server_new(struct tls_root_ctx *ctx) { - const int tls_version_max = - (ssl_flags >> SSLF_TLS_VERSION_MAX_SHIFT) & SSLF_TLS_VERSION_MAX_MASK; - ASSERT(NULL != ctx); - if (tls_version_max == TLS_VER_1_0) - ctx->ctx = SSL_CTX_new (TLSv1_server_method ()); - else - ctx->ctx = SSL_CTX_new (SSLv23_server_method ()); + ctx->ctx = SSL_CTX_new (SSLv23_server_method ()); if (ctx->ctx == NULL) crypto_msg (M_FATAL, "SSL_CTX_new SSLv23_server_method"); - - SSL_CTX_set_tmp_rsa_callback (ctx->ctx, tmp_rsa_cb); } void -tls_ctx_client_new(struct tls_root_ctx *ctx, unsigned int ssl_flags) +tls_ctx_client_new(struct tls_root_ctx *ctx) { - const int tls_version_max = - (ssl_flags >> SSLF_TLS_VERSION_MAX_SHIFT) & SSLF_TLS_VERSION_MAX_MASK; - ASSERT(NULL != ctx); - if (tls_version_max == TLS_VER_1_0) - ctx->ctx = SSL_CTX_new (TLSv1_client_method ()); - else - ctx->ctx = SSL_CTX_new (SSLv23_client_method ()); + ctx->ctx = SSL_CTX_new (SSLv23_client_method ()); if (ctx->ctx == NULL) crypto_msg (M_FATAL, "SSL_CTX_new SSLv23_client_method"); @@ -169,6 +133,38 @@ bool tls_ctx_initialised(struct tls_root_ctx *ctx) return NULL != ctx->ctx; } +void +key_state_export_keying_material(struct key_state_ssl *ssl, + struct tls_session *session) +{ + if (session->opt->ekm_size > 0) + { +#if (OPENSSL_VERSION_NUMBER >= 0x10001000) + unsigned int size = session->opt->ekm_size; + struct gc_arena gc = gc_new(); + unsigned char* ekm = (unsigned char*) gc_malloc(size, true, &gc); + + if (SSL_export_keying_material(ssl->ssl, ekm, size, + session->opt->ekm_label, session->opt->ekm_label_size, NULL, 0, 0)) + { + unsigned int len = (size * 2) + 2; + + const char *key = format_hex_ex (ekm, size, len, 0, NULL, &gc); + setenv_str (session->opt->es, "exported_keying_material", key); + + dmsg(D_TLS_DEBUG_MED, "%s: exported keying material: %s", + __func__, key); + } + else + { + msg (M_WARN, "WARNING: Export keying material failed!"); + setenv_del (session->opt->es, "exported_keying_material"); + } + gc_free(&gc); +#endif + } +} + /* * Print debugging information on SSL/TLS session negotiation. */ @@ -217,14 +213,18 @@ tls_ctx_set_options (struct tls_root_ctx *ctx, unsigned int ssl_flags) { ASSERT(NULL != ctx); + /* default certificate verification flags */ + int flags = SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT; + /* process SSL options including minimum TLS version we will accept from peer */ { long sslopt = SSL_OP_SINGLE_DH_USE | SSL_OP_NO_TICKET | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3; + int tls_ver_max = TLS_VER_UNSPEC; const int tls_ver_min = (ssl_flags >> SSLF_TLS_VERSION_MIN_SHIFT) & SSLF_TLS_VERSION_MIN_MASK; - int tls_ver_max = - (ssl_flags >> SSLF_TLS_VERSION_MAX_SHIFT) & SSLF_TLS_VERSION_MAX_MASK; + tls_ver_max = + (ssl_flags >> SSLF_TLS_VERSION_MAX_SHIFT) & SSLF_TLS_VERSION_MAX_MASK; if (tls_ver_max <= TLS_VER_UNSPEC) tls_ver_max = tls_version_max(); @@ -245,6 +245,9 @@ tls_ctx_set_options (struct tls_root_ctx *ctx, unsigned int ssl_flags) SSL_CTX_set_options (ctx->ctx, sslopt); } +#ifdef SSL_MODE_RELEASE_BUFFERS + SSL_CTX_set_mode (ctx->ctx, SSL_MODE_RELEASE_BUFFERS); +#endif SSL_CTX_set_session_cache_mode (ctx->ctx, SSL_SESS_CACHE_OFF); SSL_CTX_set_default_passwd_cb (ctx->ctx, pem_password_callback); @@ -252,14 +255,14 @@ tls_ctx_set_options (struct tls_root_ctx *ctx, unsigned int ssl_flags) #if P2MP_SERVER if (ssl_flags & SSLF_CLIENT_CERT_NOT_REQUIRED) { - msg (M_WARN, "WARNING: POTENTIALLY DANGEROUS OPTION " - "--client-cert-not-required may accept clients which do not present " - "a certificate"); + flags = 0; + } + else if (ssl_flags & SSLF_CLIENT_CERT_OPTIONAL) + { + flags = SSL_VERIFY_PEER; } - else #endif - SSL_CTX_set_verify (ctx->ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, - verify_callback); + SSL_CTX_set_verify (ctx->ctx, flags, verify_callback); SSL_CTX_set_info_callback (ctx->ctx, info_callback); } @@ -275,12 +278,17 @@ tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers) "DEFAULT" /* Disable export ciphers and openssl's 'low' and 'medium' ciphers */ ":!EXP:!LOW:!MEDIUM" + /* Disable static (EC)DH keys (no forward secrecy) */ + ":!kDH:!kECDH" + /* Disable DSA private keys */ + ":!DSS" /* Disable unsupported TLS modes */ ":!PSK:!SRP:!kRSA")) crypto_msg (M_FATAL, "Failed to set default TLS cipher list."); return; } + /* Parse supplied cipher list and pass on to OpenSSL */ size_t begin_of_cipher, end_of_cipher; const char *current_cipher; @@ -309,8 +317,8 @@ tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers) // Issue warning on missing translation // %.*s format specifier expects length of type int, so guarantee // that length is small enough and cast to int. - msg (M_WARN, "No valid translation found for TLS cipher '%.*s'", - (int) MIN(current_cipher_len, 256), current_cipher); + msg (D_LOW, "No valid translation found for TLS cipher '%.*s'", + constrain_int(current_cipher_len, 0, 256), current_cipher); } else { @@ -319,7 +327,8 @@ tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers) current_cipher_len = strlen(current_cipher); if (end_of_cipher - begin_of_cipher == current_cipher_len && - 0 == memcmp (&ciphers[begin_of_cipher], cipher_pair->openssl_name, end_of_cipher - begin_of_cipher)) + 0 != memcmp (&ciphers[begin_of_cipher], cipher_pair->iana_name, + end_of_cipher - begin_of_cipher)) { // Non-IANA name used, show warning msg (M_WARN, "Deprecated TLS cipher name '%s', please use IANA name '%s'", cipher_pair->openssl_name, cipher_pair->iana_name); @@ -436,6 +445,78 @@ tls_ctx_load_dh_params (struct tls_root_ctx *ctx, const char *dh_file, DH_free (dh); } +void +tls_ctx_load_ecdh_params (struct tls_root_ctx *ctx, const char *curve_name + ) +{ +#ifndef OPENSSL_NO_EC + int nid = NID_undef; + EC_KEY *ecdh = NULL; + const char *sname = NULL; + + /* Generate a new ECDH key for each SSL session (for non-ephemeral ECDH) */ + SSL_CTX_set_options(ctx->ctx, SSL_OP_SINGLE_ECDH_USE); +#if OPENSSL_VERSION_NUMBER >= 0x10002000L + /* OpenSSL 1.0.2 and newer can automatically handle ECDH parameter loading */ + if (NULL == curve_name) { + SSL_CTX_set_ecdh_auto(ctx->ctx, 1); + return; + } +#endif + /* For older OpenSSL, we'll have to do the parameter loading on our own */ + if (curve_name != NULL) + { + /* Use user supplied curve if given */ + msg (D_TLS_DEBUG, "Using user specified ECDH curve (%s)", curve_name); + nid = OBJ_sn2nid(curve_name); + } + else + { + /* Extract curve from key */ + EC_KEY *eckey = NULL; + const EC_GROUP *ecgrp = NULL; + EVP_PKEY *pkey = NULL; + + /* Little hack to get private key ref from SSL_CTX, yay OpenSSL... */ + SSL ssl; + ssl.cert = ctx->ctx->cert; + pkey = SSL_get_privatekey(&ssl); + + msg (D_TLS_DEBUG, "Extracting ECDH curve from private key"); + + if (pkey != NULL && (eckey = EVP_PKEY_get1_EC_KEY(pkey)) != NULL && + (ecgrp = EC_KEY_get0_group(eckey)) != NULL) + nid = EC_GROUP_get_curve_name(ecgrp); + } + + /* Translate NID back to name , just for kicks */ + sname = OBJ_nid2sn(nid); + if (sname == NULL) sname = "(Unknown)"; + + /* Create new EC key and set as ECDH key */ + if (NID_undef == nid || NULL == (ecdh = EC_KEY_new_by_curve_name(nid))) + { + /* Creating key failed, fall back on sane default */ + ecdh = EC_KEY_new_by_curve_name(NID_secp384r1); + const char *source = (NULL == curve_name) ? + "extract curve from certificate" : "use supplied curve"; + msg (D_TLS_DEBUG_LOW, + "Failed to %s (%s), using secp384r1 instead.", source, sname); + sname = OBJ_nid2sn(NID_secp384r1); + } + + if (!SSL_CTX_set_tmp_ecdh(ctx->ctx, ecdh)) + crypto_msg (M_FATAL, "SSL_CTX_set_tmp_ecdh: cannot add curve"); + + msg (D_TLS_DEBUG_LOW, "ECDH curve %s added", sname); + + EC_KEY_free(ecdh); +#else + msg (M_DEBUG, "Your OpenSSL library was built without elliptic curve support." + " Skipping ECDH parameter loading."); +#endif /* OPENSSL_NO_EC */ +} + int tls_ctx_load_pkcs12(struct tls_root_ctx *ctx, const char *pkcs12_file, const char *pkcs12_file_inline, @@ -501,7 +582,6 @@ tls_ctx_load_pkcs12(struct tls_root_ctx *ctx, const char *pkcs12_file, /* Load Private Key */ if (!SSL_CTX_use_PrivateKey (ctx->ctx, pkey)) crypto_msg (M_FATAL, "Cannot use private key"); - warn_if_group_others_accessible (pkcs12_file); /* Check Private Key */ if (!SSL_CTX_check_private_key (ctx->ctx)) @@ -552,7 +632,7 @@ tls_ctx_load_cryptoapi(struct tls_root_ctx *ctx, const char *cryptoapi_cert) if (!SSL_CTX_use_CryptoAPI_certificate (ctx->ctx, cryptoapi_cert)) crypto_msg (M_FATAL, "Cannot load certificate \"%s\" from Microsoft Certificate Store", cryptoapi_cert); } -#endif /* WIN32 */ +#endif /* ENABLE_CRYPTOAPI */ static void tls_ctx_add_extra_certs (struct tls_root_ctx *ctx, BIO *bio) @@ -645,7 +725,6 @@ tls_ctx_load_priv_file (struct tls_root_ctx *ctx, const char *priv_key_file, const char *priv_key_file_inline ) { - int status; SSL_CTX *ssl_ctx = NULL; BIO *in = NULL; EVP_PKEY *pkey = NULL; @@ -678,7 +757,6 @@ tls_ctx_load_priv_file (struct tls_root_ctx *ctx, const char *priv_key_file, crypto_msg (M_WARN, "Cannot load private key file %s", priv_key_file); goto end; } - warn_if_group_others_accessible (priv_key_file); /* Check Private Key */ if (!SSL_CTX_check_private_key (ssl_ctx)) @@ -693,6 +771,64 @@ end: return ret; } +void +tls_ctx_reload_crl(struct tls_root_ctx *ssl_ctx, const char *crl_file, + const char *crl_inline) +{ + X509_CRL *crl = NULL; + BIO *in = NULL; + + X509_STORE *store = SSL_CTX_get_cert_store(ssl_ctx->ctx); + if (!store) + crypto_msg (M_FATAL, "Cannot get certificate store"); + + /* Always start with a cleared CRL list, for that we + * we need to manually find the CRL object from the stack + * and remove it */ + for (int i = 0; i < sk_X509_OBJECT_num(store->objs); i++) + { + X509_OBJECT* obj = sk_X509_OBJECT_value(store->objs, i); + ASSERT(obj); + if (obj->type == X509_LU_CRL) + { + sk_X509_OBJECT_delete(store->objs, i); + X509_OBJECT_free_contents(obj); + OPENSSL_free(obj); + } + } + + X509_STORE_set_flags (store, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL); + + if (!strcmp (crl_file, INLINE_FILE_TAG) && crl_inline) + in = BIO_new_mem_buf ((char *)crl_inline, -1); + else + in = BIO_new_file (crl_file, "r"); + + if (in == NULL) + { + msg (M_WARN, "CRL: cannot read: %s", crl_file); + goto end; + } + + crl = PEM_read_bio_X509_CRL(in, NULL, NULL, NULL); + if (crl == NULL) + { + msg (M_WARN, "CRL: cannot read CRL from file %s", crl_file); + goto end; + } + + if (!X509_STORE_add_crl(store, crl)) + { + msg (M_WARN, "CRL: cannot add %s to store", crl_file); + goto end; + } + +end: + X509_CRL_free(crl); + BIO_free(in); +} + + #ifdef MANAGMENT_EXTERNAL_KEY /* encrypt */ @@ -780,10 +916,11 @@ tls_ctx_use_external_private_key (struct tls_root_ctx *ctx, X509 *cert = NULL; ASSERT (NULL != ctx); - ASSERT (NULL != cert); tls_ctx_load_cert_file_and_copy (ctx, cert_file, cert_file_inline, &cert); + ASSERT (NULL != cert); + /* allocate custom RSA method object */ ALLOC_OBJ_CLEAR (rsa_meth, RSA_METHOD); rsa_meth->name = "OpenVPN external private key RSA Method"; @@ -965,11 +1102,7 @@ tls_ctx_load_ca (struct tls_root_ctx *ctx, const char *ca_file, msg(M_WARN, "WARNING: experimental option --capath %s", ca_path); else crypto_msg (M_FATAL, "Cannot add lookup at --capath %s", ca_path); -#if OPENSSL_VERSION_NUMBER >= 0x00907000L X509_STORE_set_flags (store, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL); -#else - msg(M_WARN, "WARNING: this version of OpenSSL cannot handle CRL files in capath"); -#endif } } @@ -1385,7 +1518,6 @@ show_available_tls_ciphers (const char *cipher_list) struct tls_root_ctx tls_ctx; SSL *ssl; const char *cipher_name; - const char *print_name; const tls_cipher_name_pair *pair; int priority = 0; @@ -1419,6 +1551,43 @@ show_available_tls_ciphers (const char *cipher_list) SSL_CTX_free (tls_ctx.ctx); } +/* + * Show the Elliptic curves that are available for us to use + * in the OpenSSL library. + */ +void +show_available_curves() +{ +#ifndef OPENSSL_NO_EC + EC_builtin_curve *curves = NULL; + size_t crv_len = 0; + size_t n = 0; + + crv_len = EC_get_builtin_curves(NULL, 0); + ALLOC_ARRAY(curves, EC_builtin_curve, crv_len); + if (EC_get_builtin_curves(curves, crv_len)) + { + printf ("Available Elliptic curves:\n"); + for (n = 0; n < crv_len; n++) + { + const char *sname; + sname = OBJ_nid2sn(curves[n].nid); + if (sname == NULL) sname = ""; + + printf("%s\n", sname); + } + } + else + { + crypto_msg (M_FATAL, "Cannot get list of builtin curves"); + } + free(curves); +#else + msg (M_WARN, "Your OpenSSL library was built without elliptic curve support. " + "No curves available."); +#endif +} + void get_highest_preference_tls_cipher (char *buf, int size) { @@ -1446,4 +1615,4 @@ get_ssl_library_version(void) return SSLeay_version(SSLEAY_VERSION); } -#endif /* defined(ENABLE_SSL) && defined(ENABLE_CRYPTO_OPENSSL) */ +#endif /* defined(ENABLE_CRYPTO) && defined(ENABLE_CRYPTO_OPENSSL) */ diff --git a/src/openvpn/ssl_openssl.h b/src/openvpn/ssl_openssl.h index 73a6c49..97dc742 100644 --- a/src/openvpn/ssl_openssl.h +++ b/src/openvpn/ssl_openssl.h @@ -35,15 +35,14 @@ /** * SSL_OP_NO_TICKET tells OpenSSL to disable "stateless session resumption", * as this is something we do not want nor need, but could potentially be - * used for a future attack. For compatibility reasons, in the 2.3.x - * series, we keep building if the OpenSSL version is too old to support - * this. 2.4 requires it and will fail configure if not present. + * used for a future attack. For compatibility reasons we keep building if the + * OpenSSL version is too old (pre-0.9.8f) to support stateless session + * resumption (and the accompanying SSL_OP_NO_TICKET flag). */ #ifndef SSL_OP_NO_TICKET # define SSL_OP_NO_TICKET 0 #endif - /** * Structure that wraps the TLS context. Contents differ depending on the * SSL library used. diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c index ca69b41..a099776 100644 --- a/src/openvpn/ssl_verify.c +++ b/src/openvpn/ssl_verify.c @@ -35,10 +35,12 @@ #include "syshead.h" -#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL) +#ifdef ENABLE_CRYPTO #include "misc.h" #include "manage.h" +#include "otime.h" +#include "base64.h" #include "ssl_verify.h" #include "ssl_verify_backend.h" @@ -191,40 +193,25 @@ tls_username (const struct tls_multi *multi, const bool null) } void -cert_hash_remember (struct tls_session *session, const int error_depth, const unsigned char *sha1_hash) +cert_hash_remember (struct tls_session *session, const int error_depth, + const struct buffer *cert_hash) { if (error_depth >= 0 && error_depth < MAX_CERT_DEPTH) { if (!session->cert_hash_set) - ALLOC_OBJ_CLEAR (session->cert_hash_set, struct cert_hash_set); + { + ALLOC_OBJ_CLEAR (session->cert_hash_set, struct cert_hash_set); + } if (!session->cert_hash_set->ch[error_depth]) - ALLOC_OBJ (session->cert_hash_set->ch[error_depth], struct cert_hash); - { - struct cert_hash *ch = session->cert_hash_set->ch[error_depth]; - memcpy (ch->sha1_hash, sha1_hash, SHA_DIGEST_LENGTH); - } - } -} - -#if 0 -static void -cert_hash_print (const struct cert_hash_set *chs, int msglevel) -{ - struct gc_arena gc = gc_new (); - msg (msglevel, "CERT_HASH"); - if (chs) - { - int i; - for (i = 0; i < MAX_CERT_DEPTH; ++i) { - const struct cert_hash *ch = chs->ch[i]; - if (ch) - msg (msglevel, "%d:%s", i, format_hex(ch->sha1_hash, SHA_DIGEST_LENGTH, 0, &gc)); + ALLOC_OBJ (session->cert_hash_set->ch[error_depth], struct cert_hash); } + + struct cert_hash *ch = session->cert_hash_set->ch[error_depth]; + ASSERT (sizeof (ch->sha256_hash) == BLEN (cert_hash)); + memcpy (ch->sha256_hash, BPTR (cert_hash), sizeof (ch->sha256_hash)); } - gc_free (&gc); } -#endif void cert_hash_free (struct cert_hash_set *chs) @@ -238,7 +225,7 @@ cert_hash_free (struct cert_hash_set *chs) } } -static bool +bool cert_hash_compare (const struct cert_hash_set *chs1, const struct cert_hash_set *chs2) { if (chs1 && chs2) @@ -251,7 +238,8 @@ cert_hash_compare (const struct cert_hash_set *chs1, const struct cert_hash_set if (!ch1 && !ch2) continue; - else if (ch1 && ch2 && !memcmp (ch1->sha1_hash, ch2->sha1_hash, SHA_DIGEST_LENGTH)) + else if (ch1 && ch2 && !memcmp (ch1->sha256_hash, ch2->sha256_hash, + sizeof(ch1->sha256_hash))) continue; else return false; @@ -278,7 +266,8 @@ cert_hash_copy (const struct cert_hash_set *chs) if (ch) { ALLOC_OBJ (dest->ch[i], struct cert_hash); - memcpy (dest->ch[i]->sha1_hash, ch->sha1_hash, SHA_DIGEST_LENGTH); + memcpy (dest->ch[i]->sha256_hash, ch->sha256_hash, + sizeof(dest->ch[i]->sha256_hash)); } } } @@ -337,8 +326,6 @@ verify_peer_cert(const struct tls_options *opt, openvpn_x509_cert_t *peer_cert, } } -#if OPENSSL_VERSION_NUMBER >= 0x00907000L || ENABLE_CRYPTO_POLARSSL - /* verify certificate ku */ if (opt->remote_cert_ku[0] != 0) { @@ -367,8 +354,6 @@ verify_peer_cert(const struct tls_options *opt, openvpn_x509_cert_t *peer_cert, } } -#endif /* OPENSSL_VERSION_NUMBER */ - /* verify X509 name or username against --verify-x509-[user]name */ if (opt->verify_x509_type != VERIFY_X509_NONE) { @@ -397,22 +382,17 @@ verify_peer_cert(const struct tls_options *opt, openvpn_x509_cert_t *peer_cert, */ static void verify_cert_set_env(struct env_set *es, openvpn_x509_cert_t *peer_cert, int cert_depth, - const char *subject, const char *common_name -#ifdef ENABLE_X509_TRACK - , const struct x509_track *x509_track -#endif - ) + const char *subject, const char *common_name, + const struct x509_track *x509_track) { char envname[64]; char *serial = NULL; struct gc_arena gc = gc_new (); /* Save X509 fields in environment */ -#ifdef ENABLE_X509_TRACK if (x509_track) x509_setenv_track (x509_track, es, cert_depth, peer_cert); else -#endif x509_setenv (es, cert_depth, peer_cert); /* export subject name string as environmental variable */ @@ -425,13 +405,19 @@ verify_cert_set_env(struct env_set *es, openvpn_x509_cert_t *peer_cert, int cert setenv_str (es, envname, common_name); #endif - /* export X509 cert SHA1 fingerprint */ + /* export X509 cert fingerprints */ { - unsigned char *sha1_hash = x509_get_sha1_hash(peer_cert, &gc); + struct buffer sha1 = x509_get_sha1_fingerprint(peer_cert, &gc); + struct buffer sha256 = x509_get_sha256_fingerprint(peer_cert, &gc); openvpn_snprintf (envname, sizeof(envname), "tls_digest_%d", cert_depth); - setenv_str (es, envname, format_hex_ex(sha1_hash, SHA_DIGEST_LENGTH, 0, 1, - ":", &gc)); + setenv_str (es, envname, + format_hex_ex(BPTR(&sha1), BLEN(&sha1), 0, 1, ":", &gc)); + + openvpn_snprintf (envname, sizeof(envname), "tls_digest_sha256_%d", + cert_depth); + setenv_str (es, envname, + format_hex_ex(BPTR(&sha256), BLEN(&sha256), 0, 1, ":", &gc)); } /* export serial number as environmental variable */ @@ -530,7 +516,8 @@ verify_cert_call_command(const char *verify_command, struct env_set *es, } } - argv_printf (&argv, "%sc %d %s", verify_command, cert_depth, subject); + argv_parse_cmd (&argv, verify_command); + argv_printf_cat (&argv, "%d %s", cert_depth, subject); argv_msg_prefix (D_TLS_DEBUG, &argv, "TLS: executing verify command"); ret = openvpn_run_script (&argv, es, 0, "--tls-verify script"); @@ -647,8 +634,8 @@ verify_cert(struct tls_session *session, openvpn_x509_cert_t *cert, int cert_dep /* verify level 1 cert, i.e. the CA that signed our leaf cert */ if (cert_depth == 1 && opt->verify_hash) { - unsigned char *sha1_hash = x509_get_sha1_hash(cert, &gc); - if (memcmp (sha1_hash, opt->verify_hash, SHA_DIGEST_LENGTH)) + struct buffer sha1_hash = x509_get_sha1_fingerprint(cert, &gc); + if (memcmp (BPTR (&sha1_hash), opt->verify_hash, BLEN(&sha1_hash))) { msg (D_TLS_ERRORS, "TLS Error: level-1 certificate hash verification failed"); goto cleanup; @@ -662,11 +649,8 @@ verify_cert(struct tls_session *session, openvpn_x509_cert_t *cert, int cert_dep session->verify_maxlevel = max_int (session->verify_maxlevel, cert_depth); /* export certificate values to the environment */ - verify_cert_set_env(opt->es, cert, cert_depth, subject, common_name -#ifdef ENABLE_X509_TRACK - , opt->x509_track -#endif - ); + verify_cert_set_env(opt->es, cert, cert_depth, subject, common_name, + opt->x509_track); /* export current untrusted IP */ setenv_untrusted (session); @@ -688,15 +672,18 @@ verify_cert(struct tls_session *session, openvpn_x509_cert_t *cert, int cert_dep if (opt->crl_file) { if (opt->ssl_flags & SSLF_CRL_VERIFY_DIR) - { - if (SUCCESS != verify_check_crl_dir(opt->crl_file, cert)) - goto cleanup; - } + { + if (SUCCESS != verify_check_crl_dir(opt->crl_file, cert)) + goto cleanup; + } else - { - if (SUCCESS != x509_verify_crl(opt->crl_file, cert, subject)) - goto cleanup; - } + { + if (tls_verify_crl_missing (opt)) + { + msg (D_TLS_ERRORS, "VERIFY ERROR: CRL not loaded"); + goto cleanup; + } + } } msg (D_HANDSHAKE, "VERIFY OK: depth=%d, %s", cert_depth, subject); @@ -1000,7 +987,8 @@ verify_user_pass_script (struct tls_session *session, const struct user_pass *up setenv_untrusted (session); /* format command line */ - argv_printf (&argv, "%sc %s", session->opt->auth_user_pass_verify_script, tmp_file); + argv_parse_cmd (&argv, session->opt->auth_user_pass_verify_script); + argv_printf_cat (&argv, "%s", tmp_file); /* call command */ ret = openvpn_run_script (&argv, session->opt->es, 0, @@ -1030,7 +1018,9 @@ static int verify_user_pass_plugin (struct tls_session *session, const struct user_pass *up, const char *raw_username) { int retval = OPENVPN_PLUGIN_FUNC_ERROR; +#ifdef PLUGIN_DEF_AUTH struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */ +#endif /* Is username defined? */ if ((session->opt->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL) || strlen (up->username)) @@ -1154,6 +1144,63 @@ verify_user_pass(struct user_pass *up, struct tls_multi *multi, string_mod_remap_name (up->username, COMMON_NAME_CHAR_CLASS); string_mod (up->password, CC_PRINT, CC_CRLF, '_'); + /* If server is configured with --auth-gen-token and we have an + * authentication token for this client, this authentication + * round will be done internally using the token instead of + * calling any external authentication modules. + */ + if (session->opt->auth_token_generate && multi->auth_token_sent + && NULL != multi->auth_token) + { + unsigned int ssl_flags = session->opt->ssl_flags; + + /* Ensure that the username has not changed */ + if (!tls_lock_username(multi, up->username)) + { + ks->authenticated = false; + goto done; + } + + /* If auth-token lifetime has been enabled, + * ensure the token has not expired + */ + if (session->opt->auth_token_lifetime > 0 + && (multi->auth_token_tstamp + session->opt->auth_token_lifetime) < now) + { + msg (D_HANDSHAKE, "Auth-token for client expired\n"); + ks->authenticated = false; + goto done; + } + + /* The core authentication of the token itself */ + if (memcmp_constant_time(multi->auth_token, up->password, + strlen(multi->auth_token)) != 0) + { + memset (multi->auth_token, 0, AUTH_TOKEN_SIZE); + free (multi->auth_token); + multi->auth_token = NULL; + multi->auth_token_sent = false; + ks->authenticated = false; + tls_deauthenticate (multi); + + msg (D_TLS_ERRORS, "TLS Auth Error: Auth-token verification " + "failed for username '%s' %s", up->username, + (ssl_flags & SSLF_USERNAME_AS_COMMON_NAME) ? "[CN SET]" : ""); + } + else + { + ks->authenticated = true; + + if (ssl_flags & SSLF_USERNAME_AS_COMMON_NAME) + set_common_name (session, up->username); + msg (D_HANDSHAKE, "TLS: Username/auth-token authentication " + "succeeded for username '%s' %s", + up->username, + (ssl_flags & SSLF_USERNAME_AS_COMMON_NAME) ? "[CN SET]" : ""); + } + goto done; + } + /* call plugin(s) and/or script */ #ifdef MANAGEMENT_DEF_AUTH if (man_def_auth == KMDA_DEF) @@ -1191,6 +1238,43 @@ verify_user_pass(struct user_pass *up, struct tls_multi *multi, if (man_def_auth != KMDA_UNDEF) ks->auth_deferred = true; #endif + + if ((session->opt->auth_token_generate) && (NULL == multi->auth_token)) + { + /* Server is configured with --auth-gen-token but no token has yet + * been generated for this client. Generate one and save it. + */ + uint8_t tok[AUTH_TOKEN_SIZE]; + + if (!rand_bytes(tok, AUTH_TOKEN_SIZE)) + { + msg( M_FATAL, "Failed to get enough randomness for " + "authentication token"); + } + + /* The token should be longer than the input when + * being base64 encoded + */ + if( openvpn_base64_encode(tok, AUTH_TOKEN_SIZE, + &multi->auth_token) < AUTH_TOKEN_SIZE) + { + msg(D_TLS_ERRORS, "BASE64 encoding of token failed. " + "No auth-token will be activated now"); + if (multi->auth_token) + { + memset (multi->auth_token, 0, AUTH_TOKEN_SIZE); + free (multi->auth_token); + multi->auth_token = NULL; + } + } + else + { + multi->auth_token_tstamp = now; + dmsg (D_SHOW_KEYS, "Generated token for client: %s", + multi->auth_token); + } + } + if ((session->opt->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME)) set_common_name (session, up->username); #ifdef ENABLE_DEF_AUTH @@ -1210,6 +1294,7 @@ verify_user_pass(struct user_pass *up, struct tls_multi *multi, msg (D_TLS_ERRORS, "TLS Auth Error: Auth Username/Password verification failed for peer"); } + done: gc_free (&gc); } @@ -1270,4 +1355,4 @@ verify_final_auth_checks(struct tls_multi *multi, struct tls_session *session) gc_free (&gc); } } -#endif /* defined(ENABLE_CRYPTO) && defined(ENABLE_SSL) */ +#endif /* ENABLE_CRYPTO */ diff --git a/src/openvpn/ssl_verify.h b/src/openvpn/ssl_verify.h index e0bcba4..98312fd 100644 --- a/src/openvpn/ssl_verify.h +++ b/src/openvpn/ssl_verify.h @@ -30,17 +30,18 @@ #ifndef SSL_VERIFY_H_ #define SSL_VERIFY_H_ +#ifdef ENABLE_CRYPTO + #include "syshead.h" #include "misc.h" -#include "manage.h" #include "ssl_common.h" /* Include OpenSSL-specific code */ #ifdef ENABLE_CRYPTO_OPENSSL #include "ssl_verify_openssl.h" #endif -#ifdef ENABLE_CRYPTO_POLARSSL -#include "ssl_verify_polarssl.h" +#ifdef ENABLE_CRYPTO_MBEDTLS +#include "ssl_verify_mbedtls.h" #endif #include "ssl_verify_backend.h" @@ -54,7 +55,7 @@ /** Structure containing the hash for a single certificate */ struct cert_hash { - unsigned char sha1_hash[SHA_DIGEST_LENGTH]; /**< The SHA1 hash for a certificate */ + unsigned char sha256_hash[256/8]; }; /** Structure containing the hashes for a full certificate chain */ @@ -66,8 +67,6 @@ struct cert_hash_set { #define VERIFY_X509_SUBJECT_DN 1 #define VERIFY_X509_SUBJECT_RDN 2 #define VERIFY_X509_SUBJECT_RDN_PREFIX 3 -#define TLS_REMOTE_SUBJECT_DN 1 + 0x100 -#define TLS_REMOTE_SUBJECT_RDN_PREFIX 3 + 0x100 #define TLS_AUTHENTICATION_SUCCEEDED 0 #define TLS_AUTHENTICATION_FAILED 1 @@ -136,6 +135,14 @@ const char *tls_common_name (const struct tls_multi* multi, const bool null); */ const char *tls_username (const struct tls_multi *multi, const bool null); +/** + * Compares certificates hashes, returns true if hashes are equal. + * + * @param chs1 cert 1 hash set + * @param chs2 cert 2 hash set + */ +bool cert_hash_compare (const struct cert_hash_set *chs1, const struct cert_hash_set *chs2); + #ifdef ENABLE_PF /** @@ -166,25 +173,6 @@ tls_common_name_hash (const struct tls_multi *multi, const char **cn, uint32_t * #endif /** - * Returns whether or not the server should check for username/password - * - * @param session The current TLS session - * - * @return true if username and password verification is enabled, - * false if not. - * - */ -static inline bool verify_user_pass_enabled(struct tls_session *session) -{ - return (session->opt->auth_user_pass_verify_script - || plugin_defined (session->opt->plugins, OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY) -#ifdef MANAGEMENT_DEF_AUTH - || management_enable_def_auth (management) -#endif - ); -} - -/** * Verify the given username and password, using either an external script, a * plugin, or the management interface. * @@ -211,8 +199,6 @@ void verify_user_pass(struct user_pass *up, struct tls_multi *multi, */ void verify_final_auth_checks(struct tls_multi *multi, struct tls_session *session); -#ifdef ENABLE_X509_TRACK - struct x509_track { const struct x509_track *next; @@ -222,10 +208,6 @@ struct x509_track int nid; }; -void x509_track_add (const struct x509_track **ll_head, const char *name, int msglevel, struct gc_arena *gc); - -#endif - /* * Certificate checking for verify_nsCertType */ @@ -254,5 +236,6 @@ tls_client_reason (struct tls_multi *multi) #endif } -#endif /* SSL_VERIFY_H_ */ +#endif /* ENABLE_CRYPTO */ +#endif /* SSL_VERIFY_H_ */ diff --git a/src/openvpn/ssl_verify_backend.h b/src/openvpn/ssl_verify_backend.h index 01e453e..de304b9 100644 --- a/src/openvpn/ssl_verify_backend.h +++ b/src/openvpn/ssl_verify_backend.h @@ -66,10 +66,10 @@ result_t verify_cert(struct tls_session *session, openvpn_x509_cert_t *cert, int * * @param session TLS Session associated with this tunnel * @param cert_depth Depth of the current certificate - * @param sha1_hash Hash of the current certificate + * @param cert_hash Hash of the current certificate */ void cert_hash_remember (struct tls_session *session, const int cert_depth, - const unsigned char *sha1_hash); + const struct buffer *cert_hash); /* * Library-specific functions. @@ -87,14 +87,27 @@ void cert_hash_remember (struct tls_session *session, const int cert_depth, */ char *x509_get_subject (openvpn_x509_cert_t *cert, struct gc_arena *gc); -/* Retrieve the certificate's SHA1 hash. +/** + * Retrieve the certificate's SHA1 fingerprint. * - * @param cert Certificate to retrieve the hash from. + * @param cert Certificate to retrieve the fingerprint from. * @param gc Garbage collection arena to use when allocating string. * - * @return a string containing the SHA1 hash of the certificate + * @return a string containing the certificate fingerprint */ -unsigned char *x509_get_sha1_hash (openvpn_x509_cert_t *cert, struct gc_arena *gc); +struct buffer x509_get_sha1_fingerprint (openvpn_x509_cert_t *cert, + struct gc_arena *gc); + +/** + * Retrieve the certificate's SHA256 fingerprint. + * + * @param cert Certificate to retrieve the fingerprint from. + * @param gc Garbage collection arena to use when allocating string. + * + * @return a string containing the certificate fingerprint + */ +struct buffer x509_get_sha256_fingerprint (openvpn_x509_cert_t *cert, + struct gc_arena *gc); /* * Retrieve the certificate's username from the specified field. @@ -150,8 +163,6 @@ char *backend_x509_get_serial_hex (openvpn_x509_cert_t *cert, */ void x509_setenv (struct env_set *es, int cert_depth, openvpn_x509_cert_t *cert); -#ifdef ENABLE_X509_TRACK - /* * Start tracking the given attribute. * @@ -189,8 +200,6 @@ void x509_track_add (const struct x509_track **ll_head, const char *name, void x509_setenv_track (const struct x509_track *xt, struct env_set *es, const int depth, openvpn_x509_cert_t *x509); -#endif - /* * Check X.509 Netscape certificate type field, if available. * @@ -204,8 +213,6 @@ void x509_setenv_track (const struct x509_track *xt, struct env_set *es, */ result_t x509_verify_ns_cert_type(const openvpn_x509_cert_t *cert, const int usage); -#if OPENSSL_VERSION_NUMBER >= 0x00907000L || ENABLE_CRYPTO_POLARSSL - /* * Verify X.509 key usage extension field. * @@ -234,8 +241,6 @@ result_t x509_verify_cert_ku (openvpn_x509_cert_t *x509, const unsigned * const */ result_t x509_verify_cert_eku (openvpn_x509_cert_t *x509, const char * const expected_oid); -#endif - /* * Store the given certificate in pem format in a temporary file in tmp_dir * @@ -247,18 +252,12 @@ result_t x509_verify_cert_eku (openvpn_x509_cert_t *x509, const char * const exp */ result_t x509_write_pem(FILE *peercert_file, openvpn_x509_cert_t *peercert); -/* - * Check the certificate against a CRL file. - * - * @param crl_file File name of the CRL file - * @param cert Certificate to verify - * @param subject Subject of the given certificate - * - * @return \c SUCCESS if the CRL was not signed by the issuer of the - * certificate or does not contain an entry for it. - * \c FAILURE otherwise. +/** + * Return true iff a CRL is configured, but is not loaded. This can be caused + * by e.g. a CRL parsing error, a missing CRL file or CRL file permission + * errors. (These conditions are checked upon startup, but the CRL might be + * updated and reloaded during runtime.) */ -result_t x509_verify_crl(const char *crl_file, openvpn_x509_cert_t *cert, - const char *subject); +bool tls_verify_crl_missing(const struct tls_options *opt); #endif /* SSL_VERIFY_BACKEND_H_ */ diff --git a/src/openvpn/ssl_verify_mbedtls.c b/src/openvpn/ssl_verify_mbedtls.c new file mode 100644 index 0000000..332f04b --- /dev/null +++ b/src/openvpn/ssl_verify_mbedtls.c @@ -0,0 +1,511 @@ +/* + * OpenVPN -- An application to securely tunnel IP networks + * over a single TCP/UDP port, with support for SSL/TLS-based + * session authentication and key exchange, + * packet encryption, packet authentication, and + * packet compression. + * + * Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net> + * Copyright (C) 2010 Fox Crypto B.V. <openvpn@fox-it.com> + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + */ + +/** + * @file Control Channel Verification Module mbed TLS backend + */ + +#ifdef HAVE_CONFIG_H +#include "config.h" +#elif defined(_MSC_VER) +#include "config-msvc.h" +#endif + +#include "syshead.h" + +#if defined(ENABLE_CRYPTO) && defined(ENABLE_CRYPTO_MBEDTLS) + +#include "crypto_mbedtls.h" +#include "ssl_verify.h" +#include <mbedtls/asn1.h> +#include <mbedtls/error.h> +#include <mbedtls/bignum.h> +#include <mbedtls/oid.h> +#include <mbedtls/sha1.h> + +#define MAX_SUBJECT_LENGTH 256 + +int +verify_callback (void *session_obj, mbedtls_x509_crt *cert, int cert_depth, + uint32_t *flags) +{ + struct tls_session *session = (struct tls_session *) session_obj; + struct gc_arena gc = gc_new(); + + ASSERT (cert); + ASSERT (session); + + session->verified = false; + + /* Remember certificate hash */ + struct buffer cert_fingerprint = x509_get_sha256_fingerprint (cert, &gc); + cert_hash_remember (session, cert_depth, &cert_fingerprint); + + /* did peer present cert which was signed by our root cert? */ + if (*flags != 0) + { + int ret = 0; + char errstr[512] = { 0 }; + char *subject = x509_get_subject(cert, &gc); + + ret = mbedtls_x509_crt_verify_info (errstr, sizeof(errstr)-1, "", *flags); + if (ret <= 0 && !openvpn_snprintf(errstr, sizeof(errstr), + "Could not retrieve error string, flags=%"PRIx32, *flags)) + { + errstr[0] = '\0'; + } + else + { + chomp(errstr); + } + + if (subject) + { + msg (D_TLS_ERRORS, "VERIFY ERROR: depth=%d, subject=%s: %s", + cert_depth, subject, errstr); + } + else + { + msg (D_TLS_ERRORS, "VERIFY ERROR: depth=%d, (could not extract X509 " + "subject string from certificate): %s", cert_depth, errstr); + } + + /* Leave flags set to non-zero to indicate that the cert is not ok */ + } + else if (SUCCESS != verify_cert(session, cert, cert_depth)) + { + *flags |= MBEDTLS_X509_BADCERT_OTHER; + } + + gc_free(&gc); + + /* + * PolarSSL/mbed TLS-1.2.0+ expects 0 on anything except fatal errors. + */ + return 0; +} + +#ifdef ENABLE_X509ALTUSERNAME +# warning "X509 alt user name not yet supported for mbed TLS" +#endif + +result_t +backend_x509_get_username (char *cn, int cn_len, + char *x509_username_field, mbedtls_x509_crt *cert) +{ + mbedtls_x509_name *name; + + ASSERT( cn != NULL ); + + name = &cert->subject; + + /* Find common name */ + while( name != NULL ) + { + if (0 == memcmp (name->oid.p, MBEDTLS_OID_AT_CN, + MBEDTLS_OID_SIZE (MBEDTLS_OID_AT_CN))) + break; + + name = name->next; + } + + /* Not found, return an error if this is the peer's certificate */ + if( name == NULL ) + return FAILURE; + + /* Found, extract CN */ + if (cn_len > name->val.len) + { + memcpy( cn, name->val.p, name->val.len ); + cn[name->val.len] = '\0'; + } + else + { + memcpy( cn, name->val.p, cn_len); + cn[cn_len-1] = '\0'; + } + + return SUCCESS; +} + +char * +backend_x509_get_serial (mbedtls_x509_crt *cert, struct gc_arena *gc) +{ + char *buf = NULL; + size_t buflen = 0; + mbedtls_mpi serial_mpi = { 0 }; + + /* Transform asn1 integer serial into mbed TLS MPI */ + mbedtls_mpi_init(&serial_mpi); + if (!mbed_ok(mbedtls_mpi_read_binary(&serial_mpi, cert->serial.p, + cert->serial.len))) + { + msg(M_WARN, "Failed to retrieve serial from certificate."); + goto end; + } + + /* Determine decimal representation length, allocate buffer */ + mbedtls_mpi_write_string(&serial_mpi, 10, NULL, 0, &buflen); + buf = gc_malloc(buflen, true, gc); + + /* Write MPI serial as decimal string into buffer */ + if (!mbed_ok(mbedtls_mpi_write_string(&serial_mpi, 10, buf, buflen, &buflen))) + { + msg(M_WARN, "Failed to write serial to string."); + buf = NULL; + goto end; + } + +end: + mbedtls_mpi_free(&serial_mpi); + return buf; +} + +char * +backend_x509_get_serial_hex (mbedtls_x509_crt *cert, struct gc_arena *gc) +{ + char *buf = NULL; + size_t len = cert->serial.len * 3 + 1; + + buf = gc_malloc(len, true, gc); + + if(mbedtls_x509_serial_gets(buf, len-1, &cert->serial) < 0) + buf = NULL; + + return buf; +} + +static struct buffer +x509_get_fingerprint (const mbedtls_md_info_t *md_info, mbedtls_x509_crt *cert, + struct gc_arena *gc) +{ + const size_t md_size = mbedtls_md_get_size (md_info); + struct buffer fingerprint = alloc_buf_gc (md_size, gc); + mbedtls_md(md_info, cert->raw.p, cert->tbs.len, BPTR (&fingerprint)); + ASSERT (buf_inc_len(&fingerprint, md_size)); + return fingerprint; +} + +struct buffer +x509_get_sha1_fingerprint (mbedtls_x509_crt *cert, struct gc_arena *gc) +{ + return x509_get_fingerprint(mbedtls_md_info_from_type(MBEDTLS_MD_SHA1), + cert, gc); +} + +struct buffer +x509_get_sha256_fingerprint (mbedtls_x509_crt *cert, struct gc_arena *gc) +{ + return x509_get_fingerprint(mbedtls_md_info_from_type(MBEDTLS_MD_SHA256), + cert, gc); +} + +char * +x509_get_subject(mbedtls_x509_crt *cert, struct gc_arena *gc) +{ + char tmp_subject[MAX_SUBJECT_LENGTH] = {0}; + char *subject = NULL; + + int ret = 0; + + ret = mbedtls_x509_dn_gets( tmp_subject, MAX_SUBJECT_LENGTH-1, &cert->subject ); + if (ret > 0) + { + /* Allocate the required space for the subject */ + subject = string_alloc(tmp_subject, gc); + } + + return subject; +} + +static void +do_setenv_x509 (struct env_set *es, const char *name, char *value, int depth) +{ + char *name_expand; + size_t name_expand_size; + + string_mod (value, CC_ANY, CC_CRLF, '?'); + msg (D_X509_ATTR, "X509 ATTRIBUTE name='%s' value='%s' depth=%d", name, value, depth); + name_expand_size = 64 + strlen (name); + name_expand = (char *) malloc (name_expand_size); + check_malloc_return (name_expand); + openvpn_snprintf (name_expand, name_expand_size, "X509_%d_%s", depth, name); + setenv_str (es, name_expand, value); + free (name_expand); +} + +static char * +asn1_buf_to_c_string(const mbedtls_asn1_buf *orig, struct gc_arena *gc) +{ + size_t i; + char *val; + + for (i = 0; i < orig->len; ++i) + if (orig->p[i] == '\0') + return "ERROR: embedded null value"; + val = gc_malloc(orig->len+1, false, gc); + memcpy(val, orig->p, orig->len); + val[orig->len] = '\0'; + return val; +} + +static void +do_setenv_name(struct env_set *es, const struct x509_track *xt, + const mbedtls_x509_crt *cert, int depth, struct gc_arena *gc) +{ + const mbedtls_x509_name *xn; + for (xn = &cert->subject; xn != NULL; xn = xn->next) + { + const char *xn_short_name = NULL; + if (0 == mbedtls_oid_get_attr_short_name (&xn->oid, &xn_short_name) && + 0 == strcmp (xt->name, xn_short_name)) + { + char *val_str = asn1_buf_to_c_string (&xn->val, gc); + do_setenv_x509 (es, xt->name, val_str, depth); + } + } +} + +void +x509_track_add (const struct x509_track **ll_head, const char *name, int msglevel, struct gc_arena *gc) +{ + struct x509_track *xt; + ALLOC_OBJ_CLEAR_GC (xt, struct x509_track, gc); + if (*name == '+') + { + xt->flags |= XT_FULL_CHAIN; + ++name; + } + xt->name = name; + xt->next = *ll_head; + *ll_head = xt; +} + +void +x509_setenv_track (const struct x509_track *xt, struct env_set *es, + const int depth, mbedtls_x509_crt *cert) +{ + struct gc_arena gc = gc_new(); + while (xt) + { + if (depth == 0 || (xt->flags & XT_FULL_CHAIN)) + { + if (0 == strcmp(xt->name, "SHA1") || 0 == strcmp(xt->name, "SHA256")) + { + /* Fingerprint is not part of X509 structure */ + struct buffer cert_hash; + char *fingerprint; + + if (0 == strcmp(xt->name, "SHA1")) + cert_hash = x509_get_sha1_fingerprint(cert, &gc); + else + cert_hash = x509_get_sha256_fingerprint(cert, &gc); + + fingerprint = format_hex_ex(BPTR(&cert_hash), + BLEN(&cert_hash), 0, 1 | FHE_CAPS, ":", &gc); + do_setenv_x509(es, xt->name, fingerprint, depth); + } + else + { + do_setenv_name(es, xt, cert, depth, &gc); + } + } + xt = xt->next; + } + gc_free(&gc); +} + +/* + * Save X509 fields to environment, using the naming convention: + * + * X509_{cert_depth}_{name}={value} + */ +void +x509_setenv (struct env_set *es, int cert_depth, mbedtls_x509_crt *cert) +{ + int i; + unsigned char c; + const mbedtls_x509_name *name; + char s[128]; + + name = &cert->subject; + + memset( s, 0, sizeof( s ) ); + + while( name != NULL ) + { + char name_expand[64+8]; + const char *shortname; + + if( 0 == mbedtls_oid_get_attr_short_name(&name->oid, &shortname) ) + { + openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_%s", + cert_depth, shortname); + } + else + { + openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_\?\?", + cert_depth); + } + + for( i = 0; i < name->val.len; i++ ) + { + if( i >= (int) sizeof( s ) - 1 ) + break; + + c = name->val.p[i]; + if( c < 32 || c == 127 || ( c > 128 && c < 160 ) ) + s[i] = '?'; + else s[i] = c; + } + s[i] = '\0'; + + /* Check both strings, set environment variable */ + string_mod (name_expand, CC_PRINT, CC_CRLF, '_'); + string_mod ((char*)s, CC_PRINT, CC_CRLF, '_'); + setenv_str_incr (es, name_expand, (char*)s); + + name = name->next; + } +} + +result_t +x509_verify_ns_cert_type(const mbedtls_x509_crt *cert, const int usage) +{ + if (usage == NS_CERT_CHECK_NONE) + return SUCCESS; + if (usage == NS_CERT_CHECK_CLIENT) + return ((cert->ext_types & MBEDTLS_X509_EXT_NS_CERT_TYPE) + && (cert->ns_cert_type & MBEDTLS_X509_NS_CERT_TYPE_SSL_CLIENT)) ? + SUCCESS : FAILURE; + if (usage == NS_CERT_CHECK_SERVER) + return ((cert->ext_types & MBEDTLS_X509_EXT_NS_CERT_TYPE) + && (cert->ns_cert_type & MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER)) ? + SUCCESS : FAILURE; + + return FAILURE; +} + +result_t +x509_verify_cert_ku (mbedtls_x509_crt *cert, const unsigned * const expected_ku, + int expected_len) +{ + result_t fFound = FAILURE; + + if(!(cert->ext_types & MBEDTLS_X509_EXT_KEY_USAGE)) + { + msg (D_HANDSHAKE, "Certificate does not have key usage extension"); + } + else + { + int i; + unsigned nku = cert->key_usage; + + msg (D_HANDSHAKE, "Validating certificate key usage"); + for (i=0; SUCCESS != fFound && i<expected_len; i++) + { + if (expected_ku[i] != 0) + { + msg (D_HANDSHAKE, "++ Certificate has key usage %04x, expects " + "%04x", nku, expected_ku[i]); + + if (nku == expected_ku[i]) + { + fFound = SUCCESS; + } + } + } + } + return fFound; +} + +result_t +x509_verify_cert_eku (mbedtls_x509_crt *cert, const char * const expected_oid) +{ + result_t fFound = FAILURE; + + if (!(cert->ext_types & MBEDTLS_X509_EXT_EXTENDED_KEY_USAGE)) + { + msg (D_HANDSHAKE, "Certificate does not have extended key usage extension"); + } + else + { + mbedtls_x509_sequence *oid_seq = &(cert->ext_key_usage); + + msg (D_HANDSHAKE, "Validating certificate extended key usage"); + while (oid_seq != NULL) + { + mbedtls_x509_buf *oid = &oid_seq->buf; + char oid_num_str[1024]; + const char *oid_str; + + if (0 == mbedtls_oid_get_extended_key_usage( oid, &oid_str )) + { + msg (D_HANDSHAKE, "++ Certificate has EKU (str) %s, expects %s", + oid_str, expected_oid); + if (!strcmp (expected_oid, oid_str)) + { + fFound = SUCCESS; + break; + } + } + + if (0 < mbedtls_oid_get_numeric_string( oid_num_str, + sizeof (oid_num_str), oid)) + { + msg (D_HANDSHAKE, "++ Certificate has EKU (oid) %s, expects %s", + oid_num_str, expected_oid); + if (!strcmp (expected_oid, oid_num_str)) + { + fFound = SUCCESS; + break; + } + } + oid_seq = oid_seq->next; + } + } + + return fFound; +} + +result_t +x509_write_pem(FILE *peercert_file, mbedtls_x509_crt *peercert) +{ + msg (M_WARN, "mbed TLS does not support writing peer certificate in PEM format"); + return FAILURE; +} + +bool +tls_verify_crl_missing(const struct tls_options *opt) +{ + if (opt->crl_file && !(opt->ssl_flags & SSLF_CRL_VERIFY_DIR) + && (opt->ssl_ctx.crl == NULL || opt->ssl_ctx.crl->version == 0)) + { + return true; + } + return false; +} + +#endif /* #if defined(ENABLE_CRYPTO) && defined(ENABLE_CRYPTO_MBEDTLS) */ diff --git a/src/openvpn/ssl_verify_polarssl.h b/src/openvpn/ssl_verify_mbedtls.h index b5157ed..e26d08f 100644 --- a/src/openvpn/ssl_verify_polarssl.h +++ b/src/openvpn/ssl_verify_mbedtls.h @@ -24,20 +24,18 @@ */ /** - * @file Control Channel Verification Module PolarSSL backend + * @file Control Channel Verification Module mbed TLS backend */ -#ifndef SSL_VERIFY_POLARSSL_H_ -#define SSL_VERIFY_POLARSSL_H_ +#ifndef SSL_VERIFY_MBEDTLS_H_ +#define SSL_VERIFY_MBEDTLS_H_ #include "syshead.h" -#include "misc.h" -#include "manage.h" -#include <polarssl/x509_crt.h> +#include <mbedtls/x509_crt.h> #ifndef __OPENVPN_X509_CERT_T_DECLARED #define __OPENVPN_X509_CERT_T_DECLARED -typedef x509_crt openvpn_x509_cert_t; +typedef mbedtls_x509_crt openvpn_x509_cert_t; #endif /** @name Function for authenticating a new connection from a remote OpenVPN peer @@ -52,7 +50,7 @@ typedef x509_crt openvpn_x509_cert_t; * determine whether the remote OpenVPN peer's certificate is allowed to * connect. It is called for once for every certificate in the chain. The * callback functionality is configured in the \c init_ssl() function, which - * calls the PolarSSL library's \c ssl_set_verify_callback() function with \c + * calls the mbed TLS library's \c ssl_set_verify_callback() function with \c * verify_callback() as its callback argument. * * It checks *flags and registers the certificate hash. If these steps succeed, @@ -61,7 +59,7 @@ typedef x509_crt openvpn_x509_cert_t; * * @param session_obj - The OpenVPN \c tls_session associated with this object, * as set during SSL session setup. - * @param cert - The certificate used by PolarSSL. + * @param cert - The certificate used by mbed TLS. * @param cert_depth - The depth of the current certificate in the chain, with * 0 being the actual certificate. * @param flags - Whether the remote OpenVPN peer's certificate @@ -72,9 +70,9 @@ typedef x509_crt openvpn_x509_cert_t; * * @return The return value is 0 unless a fatal error occurred. */ -int verify_callback (void *session_obj, x509_crt *cert, int cert_depth, - int *flags); +int verify_callback (void *session_obj, mbedtls_x509_crt *cert, int cert_depth, + uint32_t *flags); /** @} name Function for authenticating a new connection from a remote OpenVPN peer */ -#endif /* SSL_VERIFY_POLARSSL_H_ */ +#endif /* SSL_VERIFY_MBEDTLS_H_ */ diff --git a/src/openvpn/ssl_verify_openssl.c b/src/openvpn/ssl_verify_openssl.c index 4750f02..3d1c85e 100644 --- a/src/openvpn/ssl_verify_openssl.c +++ b/src/openvpn/ssl_verify_openssl.c @@ -35,11 +35,15 @@ #include "syshead.h" -#if defined(ENABLE_SSL) && defined(ENABLE_CRYPTO_OPENSSL) +#if defined(ENABLE_CRYPTO) && defined(ENABLE_CRYPTO_OPENSSL) +#include "ssl_verify_openssl.h" + +#include "error.h" +#include "ssl_openssl.h" #include "ssl_verify.h" #include "ssl_verify_backend.h" -#include "ssl_openssl.h" + #include <openssl/x509v3.h> #include <openssl/err.h> @@ -57,8 +61,8 @@ verify_callback (int preverify_ok, X509_STORE_CTX * ctx) session = (struct tls_session *) SSL_get_ex_data (ssl, mydata_index); ASSERT (session); - cert_hash_remember (session, ctx->error_depth, - x509_get_sha1_hash(ctx->current_cert, &gc)); + struct buffer cert_hash = x509_get_sha256_fingerprint(ctx->current_cert, &gc); + cert_hash_remember (session, ctx->error_depth, &cert_hash); /* did peer present cert which was signed by our root cert? */ if (!preverify_ok) @@ -66,15 +70,28 @@ verify_callback (int preverify_ok, X509_STORE_CTX * ctx) /* get the X509 name */ char *subject = x509_get_subject(ctx->current_cert, &gc); - if (subject) + if (!subject) + { + subject = "(Failed to retrieve certificate subject)"; + } + + /* Log and ignore missing CRL errors */ + if (ctx->error == X509_V_ERR_UNABLE_TO_GET_CRL) { - /* Remote site specified a certificate, but it's not correct */ - msg (D_TLS_ERRORS, "VERIFY ERROR: depth=%d, error=%s: %s", - ctx->error_depth, - X509_verify_cert_error_string (ctx->error), - subject); + msg (D_TLS_DEBUG_LOW, "VERIFY WARNING: depth=%d, %s: %s", + ctx->error_depth, + X509_verify_cert_error_string (ctx->error), + subject); + ret = 1; + goto cleanup; } + /* Remote site specified a certificate, but it's not correct */ + msg (D_TLS_ERRORS, "VERIFY ERROR: depth=%d, error=%s: %s", + ctx->error_depth, + X509_verify_cert_error_string (ctx->error), + subject); + ERR_clear_error(); session->verified = false; @@ -134,8 +151,8 @@ bool extract_x509_extension(X509 *cert, char *fieldname, char *out, int size) } break; default: - msg (D_TLS_ERRORS, "ASN1 ERROR: can not handle field type %i", - name->type); + msg (D_TLS_DEBUG, "%s: ignoring general name field type %i", + __func__, name->type); break; } } @@ -165,8 +182,8 @@ extract_x509_field_ssl (X509_NAME *x509, const char *field_name, char *out, int tmp = -1; X509_NAME_ENTRY *x509ne = 0; ASN1_STRING *asn1 = 0; - unsigned char *buf = (unsigned char *)1; /* bug in OpenSSL 0.9.6b ASN1_STRING_to_UTF8 requires this workaround */ - int nid = OBJ_txt2nid((char *)field_name); + unsigned char *buf = NULL; + int nid = OBJ_txt2nid(field_name); ASSERT (size > 0); *out = '\0'; @@ -244,11 +261,21 @@ backend_x509_get_serial_hex (openvpn_x509_cert_t *cert, struct gc_arena *gc) return format_hex_ex(asn1_i->data, asn1_i->length, 0, 1, ":", gc); } -unsigned char * -x509_get_sha1_hash (X509 *cert, struct gc_arena *gc) +struct buffer +x509_get_sha1_fingerprint (X509 *cert, struct gc_arena *gc) +{ + struct buffer hash = alloc_buf_gc(sizeof(cert->sha1_hash), gc); + memcpy(BPTR(&hash), cert->sha1_hash, sizeof(cert->sha1_hash)); + ASSERT (buf_inc_len(&hash, sizeof (cert->sha1_hash))); + return hash; +} + +struct buffer +x509_get_sha256_fingerprint (X509 *cert, struct gc_arena *gc) { - unsigned char *hash = gc_malloc(SHA_DIGEST_LENGTH, false, gc); - memcpy(hash, cert->sha1_hash, SHA_DIGEST_LENGTH); + struct buffer hash = alloc_buf_gc((EVP_sha256())->md_size, gc); + X509_digest(cert, EVP_sha256(), BPTR(&hash), NULL); + ASSERT (buf_inc_len(&hash, (EVP_sha256())->md_size)); return hash; } @@ -299,7 +326,26 @@ err: } -#ifdef ENABLE_X509_TRACK +/* + * x509-track implementation -- save X509 fields to environment, + * using the naming convention: + * + * X509_{cert_depth}_{name}={value} + * + * This function differs from x509_setenv below in the following ways: + * + * (1) Only explicitly named attributes in xt are saved, per usage + * of "x509-track" program options. + * (2) Only the level 0 cert info is saved unless the XT_FULL_CHAIN + * flag is set in xt->flags (corresponds with prepending a '+' + * to the name when specified by "x509-track" program option). + * (3) This function supports both X509 subject name fields as + * well as X509 V3 extensions. + * (4) This function can return the SHA1 fingerprint of a cert, e.g. + * x509-track "+SHA1" + * will return the SHA1 fingerprint for each certificate in the + * peer chain. + */ void x509_track_add (const struct x509_track **ll_head, const char *name, int msglevel, struct gc_arena *gc) @@ -342,60 +388,82 @@ do_setenv_x509 (struct env_set *es, const char *name, char *value, int depth) void x509_setenv_track (const struct x509_track *xt, struct env_set *es, const int depth, X509 *x509) { + struct gc_arena gc = gc_new(); X509_NAME *x509_name = X509_get_subject_name (x509); const char nullc = '\0'; - int i; while (xt) { if (depth == 0 || (xt->flags & XT_FULL_CHAIN)) { - i = X509_NAME_get_index_by_NID(x509_name, xt->nid, -1); - if (i >= 0) - { - X509_NAME_ENTRY *ent = X509_NAME_get_entry(x509_name, i); - if (ent) - { - ASN1_STRING *val = X509_NAME_ENTRY_get_data (ent); - unsigned char *buf; - buf = (unsigned char *)1; /* bug in OpenSSL 0.9.6b ASN1_STRING_to_UTF8 requires this workaround */ - if (ASN1_STRING_to_UTF8 (&buf, val) > 0) - { - do_setenv_x509(es, xt->name, (char *)buf, depth); - OPENSSL_free (buf); - } - } - } - else + switch (xt->nid) { - i = X509_get_ext_by_NID(x509, xt->nid, -1); - if (i >= 0) - { - X509_EXTENSION *ext = X509_get_ext(x509, i); - if (ext) - { - BIO *bio = BIO_new(BIO_s_mem()); - if (bio) - { - if (X509V3_EXT_print(bio, ext, 0, 0)) - { - if (BIO_write(bio, &nullc, 1) == 1) - { - char *str; - BIO_get_mem_data(bio, &str); - do_setenv_x509(es, xt->name, str, depth); - } - } - BIO_free(bio); - } - } - } + case NID_sha1: + case NID_sha256: + { + struct buffer fp_buf; + char *fp_str = NULL; + + if (xt->nid == NID_sha1) + fp_buf = x509_get_sha1_fingerprint(x509, &gc); + else + fp_buf = x509_get_sha256_fingerprint(x509, &gc); + + fp_str = format_hex_ex(BPTR(&fp_buf), BLEN(&fp_buf), 0, + 1 | FHE_CAPS, ":", &gc); + do_setenv_x509(es, xt->name, fp_str, depth); + } + break; + default: + { + int i = X509_NAME_get_index_by_NID(x509_name, xt->nid, -1); + if (i >= 0) + { + X509_NAME_ENTRY *ent = X509_NAME_get_entry(x509_name, i); + if (ent) + { + ASN1_STRING *val = X509_NAME_ENTRY_get_data (ent); + unsigned char *buf; + buf = (unsigned char *)1; /* bug in OpenSSL 0.9.6b ASN1_STRING_to_UTF8 requires this workaround */ + if (ASN1_STRING_to_UTF8 (&buf, val) > 0) + { + do_setenv_x509(es, xt->name, (char *)buf, depth); + OPENSSL_free (buf); + } + } + } + else + { + i = X509_get_ext_by_NID(x509, xt->nid, -1); + if (i >= 0) + { + X509_EXTENSION *ext = X509_get_ext(x509, i); + if (ext) + { + BIO *bio = BIO_new(BIO_s_mem()); + if (bio) + { + if (X509V3_EXT_print(bio, ext, 0, 0)) + { + if (BIO_write(bio, &nullc, 1) == 1) + { + char *str; + BIO_get_mem_data(bio, &str); + do_setenv_x509(es, xt->name, str, depth); + } + } + BIO_free(bio); + } + } + } + } + } } } xt = xt->next; } + gc_free(&gc); } -#endif /* * Save X509 fields to environment, using the naming convention: @@ -444,7 +512,7 @@ x509_setenv (struct env_set *es, int cert_depth, openvpn_x509_cert_t *peer_cert) objbuf); string_mod (name_expand, CC_PRINT, CC_CRLF, '_'); string_mod ((char*)buf, CC_PRINT, CC_CRLF, '_'); - setenv_str (es, name_expand, (char*)buf); + setenv_str_incr (es, name_expand, (char*)buf); free (name_expand); OPENSSL_free (buf); } @@ -465,8 +533,6 @@ x509_verify_ns_cert_type(const openvpn_x509_cert_t *peer_cert, const int usage) return FAILURE; } -#if OPENSSL_VERSION_NUMBER >= 0x00907000L - result_t x509_verify_cert_ku (X509 *x509, const unsigned * const expected_ku, int expected_len) @@ -572,61 +638,28 @@ x509_write_pem(FILE *peercert_file, X509 *peercert) return SUCCESS; } -#endif /* OPENSSL_VERSION_NUMBER */ - -/* - * check peer cert against CRL - */ -result_t -x509_verify_crl(const char *crl_file, X509 *peer_cert, const char *subject) +bool +tls_verify_crl_missing(const struct tls_options *opt) { - X509_CRL *crl=NULL; - X509_REVOKED *revoked; - BIO *in=NULL; - int n,i; - result_t retval = FAILURE; - struct gc_arena gc = gc_new(); - char *serial; - - in = BIO_new_file (crl_file, "r"); - - if (in == NULL) { - msg (M_WARN, "CRL: cannot read: %s", crl_file); - goto end; - } - crl=PEM_read_bio_X509_CRL(in,NULL,NULL,NULL); - if (crl == NULL) { - msg (M_WARN, "CRL: cannot read CRL from file %s", crl_file); - goto end; - } - - if (X509_NAME_cmp(X509_CRL_get_issuer(crl), X509_get_issuer_name(peer_cert)) != 0) { - msg (M_WARN, "CRL: CRL %s is from a different issuer than the issuer of " - "certificate %s", crl_file, subject); - retval = SUCCESS; - goto end; - } - - n = sk_X509_REVOKED_num(X509_CRL_get_REVOKED(crl)); - for (i = 0; i < n; i++) { - revoked = (X509_REVOKED *)sk_X509_REVOKED_value(X509_CRL_get_REVOKED(crl), i); - if (ASN1_INTEGER_cmp(revoked->serialNumber, X509_get_serialNumber(peer_cert)) == 0) { - serial = backend_x509_get_serial_hex(peer_cert, &gc); - msg (D_HANDSHAKE, "CRL CHECK FAILED: %s (serial %s) is REVOKED", subject, (serial ? serial : "NOT AVAILABLE")); - goto end; + if (!opt->crl_file || (opt->ssl_flags & SSLF_CRL_VERIFY_DIR)) + { + return false; } - } - - retval = SUCCESS; - msg (D_HANDSHAKE, "CRL CHECK OK: %s",subject); -end: - gc_free(&gc); - BIO_free(in); - if (crl) - X509_CRL_free (crl); + X509_STORE *store = SSL_CTX_get_cert_store(opt->ssl_ctx.ctx); + if (!store) + crypto_msg (M_FATAL, "Cannot get certificate store"); - return retval; + for (int i = 0; i < sk_X509_OBJECT_num(store->objs); i++) + { + X509_OBJECT* obj = sk_X509_OBJECT_value(store->objs, i); + ASSERT(obj); + if (obj->type == X509_LU_CRL) + { + return false; + } + } + return true; } -#endif /* defined(ENABLE_SSL) && defined(ENABLE_CRYPTO_OPENSSL) */ +#endif /* defined(ENABLE_CRYPTO) && defined(ENABLE_CRYPTO_OPENSSL) */ diff --git a/src/openvpn/ssl_verify_polarssl.c b/src/openvpn/ssl_verify_polarssl.c deleted file mode 100644 index 7ed87d6..0000000 --- a/src/openvpn/ssl_verify_polarssl.c +++ /dev/null @@ -1,397 +0,0 @@ -/* - * OpenVPN -- An application to securely tunnel IP networks - * over a single TCP/UDP port, with support for SSL/TLS-based - * session authentication and key exchange, - * packet encryption, packet authentication, and - * packet compression. - * - * Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net> - * Copyright (C) 2010 Fox Crypto B.V. <openvpn@fox-it.com> - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program (see the file COPYING included with this - * distribution); if not, write to the Free Software Foundation, Inc., - * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA - */ - -/** - * @file Control Channel Verification Module PolarSSL backend - */ - -#ifdef HAVE_CONFIG_H -#include "config.h" -#elif defined(_MSC_VER) -#include "config-msvc.h" -#endif - -#include "syshead.h" - -#if defined(ENABLE_SSL) && defined(ENABLE_CRYPTO_POLARSSL) - -#include "ssl_verify.h" -#include <polarssl/bignum.h> -#include <polarssl/error.h> -#include <polarssl/oid.h> -#include <polarssl/sha1.h> - -#define MAX_SUBJECT_LENGTH 256 - -int -verify_callback (void *session_obj, x509_crt *cert, int cert_depth, - int *flags) -{ - struct tls_session *session = (struct tls_session *) session_obj; - struct gc_arena gc = gc_new(); - - ASSERT (cert); - ASSERT (session); - - session->verified = false; - - /* Remember certificate hash */ - cert_hash_remember (session, cert_depth, x509_get_sha1_hash(cert, &gc)); - - /* did peer present cert which was signed by our root cert? */ - if (*flags != 0) - { - char *subject = x509_get_subject(cert, &gc); - - if (subject) - msg (D_TLS_ERRORS, "VERIFY ERROR: depth=%d, flags=%x, %s", cert_depth, *flags, subject); - else - msg (D_TLS_ERRORS, "VERIFY ERROR: depth=%d, flags=%x, could not extract X509 " - "subject string from certificate", *flags, cert_depth); - - /* Leave flags set to non-zero to indicate that the cert is not ok */ - } - else if (SUCCESS != verify_cert(session, cert, cert_depth)) - { - *flags |= BADCERT_OTHER; - } - - gc_free(&gc); - - /* - * PolarSSL-1.2.0+ expects 0 on anything except fatal errors. - */ - return 0; -} - -#ifdef ENABLE_X509ALTUSERNAME -# warning "X509 alt user name not yet supported for PolarSSL" -#endif - -result_t -backend_x509_get_username (char *cn, int cn_len, - char *x509_username_field, x509_crt *cert) -{ - x509_name *name; - - ASSERT( cn != NULL ); - - name = &cert->subject; - - /* Find common name */ - while( name != NULL ) - { - if( memcmp( name->oid.p, OID_AT_CN, OID_SIZE(OID_AT_CN) ) == 0) - break; - - name = name->next; - } - - /* Not found, return an error if this is the peer's certificate */ - if( name == NULL ) - return FAILURE; - - /* Found, extract CN */ - if (cn_len > name->val.len) - memcpy( cn, name->val.p, name->val.len ); - else - { - memcpy( cn, name->val.p, cn_len); - cn[cn_len-1] = '\0'; - } - - return SUCCESS; -} - -char * -backend_x509_get_serial (openvpn_x509_cert_t *cert, struct gc_arena *gc) -{ - char *buf = NULL; - size_t buflen = 0; - mpi serial_mpi = { 0 }; - - /* Transform asn1 integer serial into PolarSSL MPI */ - mpi_init(&serial_mpi); - if (!polar_ok(mpi_read_binary(&serial_mpi, cert->serial.p, cert->serial.len))) - { - msg(M_WARN, "Failed to retrieve serial from certificate."); - return NULL; - } - - /* Determine decimal representation length, allocate buffer */ - mpi_write_string(&serial_mpi, 10, buf, &buflen); - buf = gc_malloc(buflen, true, gc); - - /* Write MPI serial as decimal string into buffer */ - if (!polar_ok(mpi_write_string(&serial_mpi, 10, buf, &buflen))) - { - msg(M_WARN, "Failed to write serial to string."); - return NULL; - } - - return buf; -} - -char * -backend_x509_get_serial_hex (openvpn_x509_cert_t *cert, struct gc_arena *gc) -{ - char *buf = NULL; - size_t len = cert->serial.len * 3 + 1; - - buf = gc_malloc(len, true, gc); - - if(x509_serial_gets(buf, len-1, &cert->serial) < 0) - buf = NULL; - - return buf; -} - -unsigned char * -x509_get_sha1_hash (x509_crt *cert, struct gc_arena *gc) -{ - unsigned char *sha1_hash = gc_malloc(SHA_DIGEST_LENGTH, false, gc); - sha1(cert->tbs.p, cert->tbs.len, sha1_hash); - return sha1_hash; -} - -char * -x509_get_subject(x509_crt *cert, struct gc_arena *gc) -{ - char tmp_subject[MAX_SUBJECT_LENGTH] = {0}; - char *subject = NULL; - - int ret = 0; - - ret = x509_dn_gets( tmp_subject, MAX_SUBJECT_LENGTH-1, &cert->subject ); - if (ret > 0) - { - /* Allocate the required space for the subject */ - subject = string_alloc(tmp_subject, gc); - } - - return subject; -} - -/* - * Save X509 fields to environment, using the naming convention: - * - * X509_{cert_depth}_{name}={value} - */ -void -x509_setenv (struct env_set *es, int cert_depth, openvpn_x509_cert_t *cert) -{ - int i; - unsigned char c; - const x509_name *name; - char s[128]; - - name = &cert->subject; - - memset( s, 0, sizeof( s ) ); - - while( name != NULL ) - { - char name_expand[64+8]; - const char *shortname; - - if( 0 == oid_get_attr_short_name(&name->oid, &shortname) ) - { - openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_%s", - cert_depth, shortname); - } - else - { - openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_\?\?", - cert_depth); - } - - for( i = 0; i < name->val.len; i++ ) - { - if( i >= (int) sizeof( s ) - 1 ) - break; - - c = name->val.p[i]; - if( c < 32 || c == 127 || ( c > 128 && c < 160 ) ) - s[i] = '?'; - else s[i] = c; - } - s[i] = '\0'; - - /* Check both strings, set environment variable */ - string_mod (name_expand, CC_PRINT, CC_CRLF, '_'); - string_mod ((char*)s, CC_PRINT, CC_CRLF, '_'); - setenv_str (es, name_expand, (char*)s); - - name = name->next; - } -} - -result_t -x509_verify_ns_cert_type(const x509_crt *cert, const int usage) -{ - if (usage == NS_CERT_CHECK_NONE) - return SUCCESS; - if (usage == NS_CERT_CHECK_CLIENT) - return ((cert->ext_types & EXT_NS_CERT_TYPE) - && (cert->ns_cert_type & NS_CERT_TYPE_SSL_CLIENT)) ? SUCCESS : FAILURE; - if (usage == NS_CERT_CHECK_SERVER) - return ((cert->ext_types & EXT_NS_CERT_TYPE) - && (cert->ns_cert_type & NS_CERT_TYPE_SSL_SERVER)) ? SUCCESS : FAILURE; - - return FAILURE; -} - -result_t -x509_verify_cert_ku (x509_crt *cert, const unsigned * const expected_ku, - int expected_len) -{ - result_t fFound = FAILURE; - - if(!(cert->ext_types & EXT_KEY_USAGE)) - { - msg (D_HANDSHAKE, "Certificate does not have key usage extension"); - } - else - { - int i; - unsigned nku = cert->key_usage; - - msg (D_HANDSHAKE, "Validating certificate key usage"); - for (i=0; SUCCESS != fFound && i<expected_len; i++) - { - if (expected_ku[i] != 0) - { - msg (D_HANDSHAKE, "++ Certificate has key usage %04x, expects " - "%04x", nku, expected_ku[i]); - - if (nku == expected_ku[i]) - { - fFound = SUCCESS; - } - } - } - } - return fFound; -} - -result_t -x509_verify_cert_eku (x509_crt *cert, const char * const expected_oid) -{ - result_t fFound = FAILURE; - - if (!(cert->ext_types & EXT_EXTENDED_KEY_USAGE)) - { - msg (D_HANDSHAKE, "Certificate does not have extended key usage extension"); - } - else - { - x509_sequence *oid_seq = &(cert->ext_key_usage); - - msg (D_HANDSHAKE, "Validating certificate extended key usage"); - while (oid_seq != NULL) - { - x509_buf *oid = &oid_seq->buf; - char oid_num_str[1024]; - const char *oid_str; - - if (0 == oid_get_extended_key_usage( oid, &oid_str )) - { - msg (D_HANDSHAKE, "++ Certificate has EKU (str) %s, expects %s", - oid_str, expected_oid); - if (!strcmp (expected_oid, oid_str)) - { - fFound = SUCCESS; - break; - } - } - - if (0 < oid_get_numeric_string( oid_num_str, - sizeof (oid_num_str), oid)) - { - msg (D_HANDSHAKE, "++ Certificate has EKU (oid) %s, expects %s", - oid_num_str, expected_oid); - if (!strcmp (expected_oid, oid_num_str)) - { - fFound = SUCCESS; - break; - } - } - oid_seq = oid_seq->next; - } - } - - return fFound; -} - -result_t -x509_write_pem(FILE *peercert_file, x509_crt *peercert) -{ - msg (M_WARN, "PolarSSL does not support writing peer certificate in PEM format"); - return FAILURE; -} - -/* - * check peer cert against CRL - */ -result_t -x509_verify_crl(const char *crl_file, x509_crt *cert, const char *subject) -{ - result_t retval = FAILURE; - x509_crl crl = {0}; - struct gc_arena gc = gc_new(); - char *serial; - - if (!polar_ok(x509_crl_parse_file(&crl, crl_file))) - { - msg (M_WARN, "CRL: cannot read CRL from file %s", crl_file); - goto end; - } - - if(cert->issuer_raw.len != crl.issuer_raw.len || - memcmp(crl.issuer_raw.p, cert->issuer_raw.p, crl.issuer_raw.len) != 0) - { - msg (M_WARN, "CRL: CRL %s is from a different issuer than the issuer of " - "certificate %s", crl_file, subject); - retval = SUCCESS; - goto end; - } - - if (!polar_ok(x509_crt_revoked(cert, &crl))) - { - serial = backend_x509_get_serial_hex(cert, &gc); - msg (D_HANDSHAKE, "CRL CHECK FAILED: %s (serial %s) is REVOKED", subject, (serial ? serial : "NOT AVAILABLE")); - goto end; - } - - retval = SUCCESS; - msg (D_HANDSHAKE, "CRL CHECK OK: %s",subject); - -end: - gc_free(&gc); - x509_crl_free(&crl); - return retval; -} - -#endif /* #if defined(ENABLE_SSL) && defined(ENABLE_CRYPTO_POLARSSL) */ diff --git a/src/openvpn/syshead.h b/src/openvpn/syshead.h index 24926ae..8de7d87 100644 --- a/src/openvpn/syshead.h +++ b/src/openvpn/syshead.h @@ -37,7 +37,7 @@ # define unlikely(x) (x) #endif -#ifdef WIN32 +#ifdef _WIN32 #include <windows.h> #include <winsock2.h> #define sleep(x) Sleep((x)*1000) @@ -64,7 +64,7 @@ # include <sys/wait.h> #endif -#ifndef WIN32 +#ifndef _WIN32 #ifndef WEXITSTATUS # define WEXITSTATUS(stat_val) ((unsigned)(stat_val) >> 8) #endif @@ -217,7 +217,7 @@ #include <net/if_tap.h> #endif -#ifdef TARGET_LINUX +#if defined(TARGET_LINUX) || defined (TARGET_ANDROID) #ifdef HAVE_LINUX_IF_TUN_H #include <linux/if_tun.h> @@ -358,9 +358,14 @@ #endif /* TARGET_DARWIN */ -#ifdef WIN32 -#include <iphlpapi.h> +#ifdef _WIN32 + // Missing declarations for MinGW 32. + // #if !defined(__MINGW64_VERSION_MAJOR) || __MINGW64_VERSION_MAJOR < 2 + typedef int MIB_TCP_STATE; + // #endif +#include <naptypes.h> #include <ntddndis.h> +#include <iphlpapi.h> #include <wininet.h> #include <shellapi.h> /* The following two headers are needed of PF_INET6 */ @@ -379,16 +384,13 @@ * Pedantic mode is meant to accomplish lint-style program checking, * not to build a working executable. */ -#ifdef __STRICT_ANSI__ -# define PEDANTIC 1 +#ifdef PEDANTIC # undef HAVE_CPP_VARARG_MACRO_GCC # undef HAVE_CPP_VARARG_MACRO_ISO # undef EMPTY_ARRAY_SIZE # define EMPTY_ARRAY_SIZE 1 # undef inline # define inline -#else -# define PEDANTIC 0 #endif /* @@ -403,18 +405,11 @@ /* * Do we have nanoseconds gettimeofday? */ -#if defined(HAVE_GETTIMEOFDAY) || defined(WIN32) +#if defined(HAVE_GETTIMEOFDAY) || defined(_WIN32) #define HAVE_GETTIMEOFDAY_NANOSECONDS 1 #endif /* - * do we have the MIN() macro? - */ -#ifndef MIN -#define MIN(a,b) (((a)<(b))?(a):(b)) -#endif - -/* * Do we have the capability to report extended socket errors? */ #if defined(HAVE_LINUX_TYPES_H) && defined(HAVE_LINUX_ERRQUEUE_H) && defined(HAVE_SOCK_EXTENDED_ERR) && defined(HAVE_MSGHDR) && defined(HAVE_CMSGHDR) && defined(CMSG_FIRSTHDR) && defined(CMSG_NXTHDR) && defined(IP_RECVERR) && defined(MSG_ERRQUEUE) && defined(SOL_IP) && defined(HAVE_IOVEC) @@ -442,6 +437,13 @@ #endif /* + * Define type sa_family_t if it isn't defined in the socket headers + */ +#ifndef HAVE_SA_FAMILY_T +typedef unsigned short sa_family_t; +#endif + +/* * Disable ESEC */ #if 0 @@ -468,26 +470,16 @@ /* * Directory separation char */ -#ifdef WIN32 +#ifdef _WIN32 #define OS_SPECIFIC_DIRSEP '\\' #else #define OS_SPECIFIC_DIRSEP '/' #endif /* - * Define a boolean value based - * on Win32 status. - */ -#ifdef WIN32 -#define WIN32_0_1 1 -#else -#define WIN32_0_1 0 -#endif - -/* * Our socket descriptor type. */ -#ifdef WIN32 +#ifdef _WIN32 #define SOCKET_UNDEFINED (INVALID_SOCKET) typedef SOCKET socket_descriptor_t; #else @@ -518,7 +510,7 @@ socket_defined (const socket_descriptor_t sd) * Do we have point-to-multipoint capability? */ -#if defined(ENABLE_CLIENT_SERVER) && defined(ENABLE_CRYPTO) && defined(ENABLE_SSL) && defined(HAVE_GETTIMEOFDAY_NANOSECONDS) +#if defined(ENABLE_CLIENT_SERVER) && defined(ENABLE_CRYPTO) && defined(HAVE_GETTIMEOFDAY_NANOSECONDS) #define P2MP 1 #else #define P2MP 0 @@ -555,14 +547,14 @@ socket_defined (const socket_descriptor_t sd) /* * Enable external private key */ -#if defined(ENABLE_MANAGEMENT) && defined(ENABLE_SSL) +#if defined(ENABLE_MANAGEMENT) && defined(ENABLE_CRYPTO) #define MANAGMENT_EXTERNAL_KEY #endif -/* Enable PolarSSL RNG prediction resistance support */ -#ifdef ENABLE_CRYPTO_POLARSSL +/* Enable mbed TLS RNG prediction resistance support */ +#ifdef ENABLE_CRYPTO_MBEDTLS #define ENABLE_PREDICTION_RESISTANCE -#endif /* ENABLE_CRYPTO_POLARSSL */ +#endif /* ENABLE_CRYPTO_MBEDTLS */ /* * MANAGEMENT_IN_EXTRA allows the management interface to @@ -588,18 +580,13 @@ socket_defined (const socket_descriptor_t sd) /* * Do we support Unix domain sockets? */ -#if defined(PF_UNIX) && !defined(WIN32) +#if defined(PF_UNIX) && !defined(_WIN32) #define UNIX_SOCK_SUPPORT 1 #else #define UNIX_SOCK_SUPPORT 0 #endif /* - * Compile the struct buffer_list code - */ -#define ENABLE_BUFFER_LIST - -/* * Should we include OCC (options consistency check) code? */ #ifndef ENABLE_SMALL @@ -609,7 +596,7 @@ socket_defined (const socket_descriptor_t sd) /* * Should we include NTLM proxy functionality */ -#if defined(ENABLE_CRYPTO) && defined(ENABLE_HTTP_PROXY) +#if defined(ENABLE_CRYPTO) #define NTLM 1 #else #define NTLM 0 @@ -618,34 +605,20 @@ socket_defined (const socket_descriptor_t sd) /* * Should we include proxy digest auth functionality */ -#if defined(ENABLE_CRYPTO) && defined(ENABLE_HTTP_PROXY) +#if defined(ENABLE_CRYPTO) #define PROXY_DIGEST_AUTH 1 #else #define PROXY_DIGEST_AUTH 0 #endif /* - * Should we include code common to all proxy methods? - */ -#if defined(ENABLE_HTTP_PROXY) || defined(ENABLE_SOCKS) -#define GENERAL_PROXY_SUPPORT -#endif - -/* * Do we have CryptoAPI capability? */ -#if defined(WIN32) && defined(ENABLE_CRYPTO) && defined(ENABLE_SSL) && defined(ENABLE_CRYPTO_OPENSSL) +#if defined(_WIN32) && defined(ENABLE_CRYPTO) && defined(ENABLE_CRYPTO_OPENSSL) #define ENABLE_CRYPTOAPI #endif /* - * Enable x509-track feature? - */ -#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL) && defined (ENABLE_CRYPTO_OPENSSL) -#define ENABLE_X509_TRACK -#endif - -/* * Is poll available on this platform? */ #if defined(HAVE_POLL) && defined(HAVE_SYS_POLL_H) @@ -670,15 +643,6 @@ socket_defined (const socket_descriptor_t sd) #endif /* - * Should we include http proxy override functionality - */ -#if defined(ENABLE_MANAGEMENT) && defined(ENABLE_HTTP_PROXY) -#define HTTP_PROXY_OVERRIDE 1 -#else -#define HTTP_PROXY_OVERRIDE 0 -#endif - -/* * Reduce sensitivity to system clock instability * and backtracks. */ @@ -719,14 +683,17 @@ socket_defined (const socket_descriptor_t sd) /* * Do we support pushing peer info? */ -#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL) +#if defined(ENABLE_CRYPTO) #define ENABLE_PUSH_PEER_INFO #endif /* - * Do we support internal client-side NAT? + * Compression support */ -#define ENABLE_CLIENT_NAT +#if defined(ENABLE_LZO) || defined(ENABLE_LZ4) || \ + defined(ENABLE_COMP_STUB) +#define USE_COMP +#endif /* * Enable --memstats option diff --git a/src/openvpn/tls_crypt.c b/src/openvpn/tls_crypt.c new file mode 100644 index 0000000..d40532e --- /dev/null +++ b/src/openvpn/tls_crypt.c @@ -0,0 +1,254 @@ +/* + * OpenVPN -- An application to securely tunnel IP networks + * over a single TCP/UDP port, with support for SSL/TLS-based + * session authentication and key exchange, + * packet encryption, packet authentication, and + * packet compression. + * + * Copyright (C) 2016 Fox Crypto B.V. <openvpn@fox-it.com> + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + */ + +#ifdef HAVE_CONFIG_H +#include "config.h" +#elif defined(_MSC_VER) +#include "config-msvc.h" +#endif + +#include "syshead.h" + +#ifdef ENABLE_CRYPTO +#include "crypto.h" +#include "session_id.h" + +#include "tls_crypt.h" + +int tls_crypt_buf_overhead(void) +{ + return packet_id_size (true) + TLS_CRYPT_TAG_SIZE + TLS_CRYPT_BLOCK_SIZE; +} + +void +tls_crypt_init_key (struct key_ctx_bi *key, const char *key_file, + const char *key_inline, bool tls_server) { + const int key_direction = tls_server ? + KEY_DIRECTION_NORMAL : KEY_DIRECTION_INVERSE; + + struct key_type kt; + kt.cipher = cipher_kt_get ("AES-256-CTR"); + kt.cipher_length = cipher_kt_key_size (kt.cipher); + kt.digest = md_kt_get ("SHA256"); + kt.hmac_length = md_kt_size (kt.digest); + + if (!kt.cipher) + { + msg (M_FATAL, "ERROR: --tls-crypt requires AES-256-CTR support."); + } + if (!kt.digest) + { + msg (M_FATAL, "ERROR: --tls-crypt requires HMAC-SHA-256 support."); + } + + crypto_read_openvpn_key (&kt, key, key_file, key_inline, key_direction, + "Control Channel Encryption", "tls-crypt"); +} + +void +tls_crypt_adjust_frame_parameters(struct frame *frame) +{ + frame_add_to_extra_frame (frame, tls_crypt_buf_overhead()); + + msg(D_MTU_DEBUG, "%s: Adjusting frame parameters for tls-crypt by %i bytes", + __func__, tls_crypt_buf_overhead()); +} + + +bool +tls_crypt_wrap (const struct buffer *src, struct buffer *dst, + struct crypto_options *opt) { + const struct key_ctx *ctx = &opt->key_ctx_bi.encrypt; + struct gc_arena gc; + + /* IV, packet-ID and implicit IV required for this mode. */ + ASSERT (ctx->cipher); + ASSERT (ctx->hmac); + ASSERT (packet_id_initialized(&opt->packet_id)); + ASSERT (hmac_ctx_size(ctx->hmac) == 256/8); + + gc_init (&gc); + + dmsg (D_PACKET_CONTENT, "TLS-CRYPT WRAP FROM: %s", + format_hex (BPTR (src), BLEN (src), 80, &gc)); + + /* Get packet ID */ + { + struct packet_id_net pin; + packet_id_alloc_outgoing (&opt->packet_id.send, &pin, true); + packet_id_write (&pin, dst, true, false); + } + + dmsg (D_PACKET_CONTENT, "TLS-CRYPT WRAP AD: %s", + format_hex (BPTR (dst), BLEN (dst), 0, &gc)); + + /* Buffer overflow check */ + if (!buf_safe (dst, BLEN (src) + TLS_CRYPT_BLOCK_SIZE + TLS_CRYPT_TAG_SIZE)) + { + msg (D_CRYPT_ERRORS, "TLS-CRYPT WRAP: buffer size error, " + "sc=%d so=%d sl=%d dc=%d do=%d dl=%d", src->capacity, src->offset, + src->len, dst->capacity, dst->offset, dst->len); + goto err; + } + + /* Calculate auth tag and synthetic IV */ + { + uint8_t *tag = NULL; + hmac_ctx_reset (ctx->hmac); + hmac_ctx_update (ctx->hmac, BPTR (dst), BLEN (dst)); + hmac_ctx_update (ctx->hmac, BPTR (src), BLEN (src)); + + ASSERT (tag = buf_write_alloc (dst, TLS_CRYPT_TAG_SIZE)); + hmac_ctx_final (ctx->hmac, tag); + + dmsg (D_PACKET_CONTENT, "TLS-CRYPT WRAP TAG: %s", + format_hex (tag, TLS_CRYPT_TAG_SIZE, 0, &gc)); + + /* Use the 128 most significant bits of the tag as IV */ + ASSERT (cipher_ctx_reset (ctx->cipher, tag)); + } + + /* Encrypt src */ + { + int outlen = 0; + ASSERT (cipher_ctx_update (ctx->cipher, BEND (dst), &outlen, + BPTR (src), BLEN(src))); + ASSERT (buf_inc_len (dst, outlen)); + ASSERT (cipher_ctx_final (ctx->cipher, BPTR (dst), &outlen)); + ASSERT (buf_inc_len (dst, outlen)); + } + + dmsg (D_PACKET_CONTENT, "TLS-CRYPT WRAP TO: %s", + format_hex (BPTR (dst), BLEN (dst), 80, &gc)); + + gc_free (&gc); + return true; + +err: + crypto_clear_error(); + dst->len = 0; + gc_free (&gc); + return false; +} + +bool +tls_crypt_unwrap (const struct buffer *src, struct buffer *dst, + struct crypto_options *opt) +{ + static const char error_prefix[] = "tls-crypt unwrap error"; + const struct key_ctx *ctx = &opt->key_ctx_bi.decrypt; + struct gc_arena gc; + + gc_init (&gc); + + ASSERT (opt); + ASSERT (src->len > 0); + ASSERT (ctx->cipher); + ASSERT (packet_id_initialized (&opt->packet_id) || + (opt->flags & CO_IGNORE_PACKET_ID)); + + dmsg (D_PACKET_CONTENT, "TLS-CRYPT UNWRAP FROM: %s", + format_hex (BPTR (src), BLEN (src), 80, &gc)); + + if (buf_len (src) < TLS_CRYPT_OFF_CT) + { + CRYPT_ERROR ("packet too short"); + } + + /* Decrypt cipher text */ + { + int outlen = 0; + + /* Buffer overflow check (should never fail) */ + if (!buf_safe (dst, BLEN (src) - TLS_CRYPT_OFF_CT + TLS_CRYPT_BLOCK_SIZE)) + { + CRYPT_ERROR ("potential buffer overflow"); + } + + if (!cipher_ctx_reset (ctx->cipher, BPTR (src) + TLS_CRYPT_OFF_TAG)) + { + CRYPT_ERROR ("cipher reset failed"); + } + if (!cipher_ctx_update (ctx->cipher, BPTR (dst), &outlen, + BPTR (src) + TLS_CRYPT_OFF_CT, BLEN (src) - TLS_CRYPT_OFF_CT)) + { + CRYPT_ERROR ("cipher update failed"); + } + ASSERT (buf_inc_len (dst, outlen)); + if (!cipher_ctx_final (ctx->cipher, BPTR(dst), &outlen)) + { + CRYPT_ERROR ("cipher final failed"); + } + ASSERT (buf_inc_len (dst, outlen)); + } + + /* Check authentication */ + { + const uint8_t *tag = BPTR (src) + TLS_CRYPT_OFF_TAG; + uint8_t tag_check[TLS_CRYPT_TAG_SIZE] = { 0 }; + + dmsg (D_PACKET_CONTENT, "TLS-CRYPT UNWRAP AD: %s", + format_hex (BPTR (src), TLS_CRYPT_OFF_TAG, 0, &gc)); + dmsg (D_PACKET_CONTENT, "TLS-CRYPT UNWRAP TO: %s", + format_hex (BPTR (dst), BLEN (dst), 80, &gc)); + + hmac_ctx_reset (ctx->hmac); + hmac_ctx_update (ctx->hmac, BPTR (src), TLS_CRYPT_OFF_TAG); + hmac_ctx_update (ctx->hmac, BPTR (dst), BLEN (dst)); + hmac_ctx_final (ctx->hmac, tag_check); + + if (memcmp_constant_time (tag, tag_check, sizeof(tag_check))) + { + dmsg (D_CRYPTO_DEBUG, "tag : %s", + format_hex (tag, sizeof(tag_check), 0, &gc)); + dmsg (D_CRYPTO_DEBUG, "tag_check: %s", + format_hex (tag_check, sizeof(tag_check), 0, &gc)); + CRYPT_ERROR ("packet authentication failed"); + } + } + + /* Check replay */ + if (!(opt->flags & CO_IGNORE_PACKET_ID)) + { + struct packet_id_net pin; + struct buffer tmp = *src; + ASSERT (buf_advance (&tmp, TLS_CRYPT_OFF_PID)); + ASSERT (packet_id_read (&pin, &tmp, true)); + if (!crypto_check_replay (opt, &pin, error_prefix, &gc)) + { + CRYPT_ERROR ("packet replay"); + } + } + + gc_free (&gc); + return true; + + error_exit: + crypto_clear_error(); + dst->len = 0; + gc_free (&gc); + return false; +} + +#endif /* EMABLE_CRYPTO */ diff --git a/src/openvpn/tls_crypt.h b/src/openvpn/tls_crypt.h new file mode 100644 index 0000000..d1962c9 --- /dev/null +++ b/src/openvpn/tls_crypt.h @@ -0,0 +1,144 @@ +/* + * OpenVPN -- An application to securely tunnel IP networks + * over a single TCP/UDP port, with support for SSL/TLS-based + * session authentication and key exchange, + * packet encryption, packet authentication, and + * packet compression. + * + * Copyright (C) 2016 Fox Crypto B.V. <openvpn@fox-it.com> + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + */ + +/** + * @defgroup tls_crypt Control channel encryption (--tls-crypt) + * @ingroup control_tls + * @{ + * + * @par + * Control channel encryption uses a pre-shared static key (like the --tls-auth + * key) to encrypt control channel packets. + * + * @par + * Encrypting control channel packets has three main advantages: + * - It provides more privacy by hiding the certificate used for the TLS + * connection. + * - It is harder to identify OpenVPN traffic as such. + * - It provides "poor-man's" post-quantum security, against attackers who + * will never know the pre-shared key (i.e. no forward secrecy). + * + * @par Specification + * Control channel encryption is based on the SIV construction [0], to achieve + * nonce misuse-resistant authenticated encryption: + * + * @par + * \code{.unparsed} + * msg = control channel plaintext + * header = opcode (1 byte) || session_id (8 bytes) || packet_id (8 bytes) + * Ka = authentication key (256 bits) + * Ke = encryption key (256 bits) + * (Ka and Ke are pre-shared keys, like with --tls-auth) + * + * auth_tag = HMAC-SHA256(Ka, header || msg) + * IV = 128 most-significant bits of auth_tag + * ciph = AES256-CTR(Ke, IV, msg) + * + * output = Header || Tag || Ciph + * \endcode + * + * @par + * This boils down to the following on-the-wire packet format: + * + * @par + * \code{.unparsed} + * - opcode - || - session_id - || - packet_id - || auth_tag || * payload * + * \endcode + * + * @par + * Where + * <tt>- XXX -</tt> means authenticated, and + * <tt>* XXX *</tt> means authenticated and encrypted. + */ + +#ifndef TLSCRYPT_H +#define TLSCRYPT_H + +#include "buffer.h" +#include "crypto.h" +#include "session_id.h" + +#define TLS_CRYPT_TAG_SIZE (256/8) +#define TLS_CRYPT_PID_SIZE (sizeof (packet_id_type) + sizeof (net_time_t)) +#define TLS_CRYPT_BLOCK_SIZE (128/8) + +#define TLS_CRYPT_OFF_PID (1 + SID_SIZE) +#define TLS_CRYPT_OFF_TAG (TLS_CRYPT_OFF_PID + TLS_CRYPT_PID_SIZE) +#define TLS_CRYPT_OFF_CT (TLS_CRYPT_OFF_TAG + TLS_CRYPT_TAG_SIZE) + +/** + * Initialize a key_ctx_bi structure for use with --tls-crypt. + * + * @param key The key context to initialize + * @param key_file The file to read the key from (or the inline tag to + * indicate and inline key). + * @param key_inline Array containing (zero-terminated) inline key, or NULL + * if not used. + * @param tls_server Must be set to true is this is a TLS server instance. + */ +void tls_crypt_init_key (struct key_ctx_bi *key, const char *key_file, + const char *key_inline, bool tls_server); + +/** + * Returns the maximum overhead (in bytes) added to the destination buffer by + * tls_crypt_wrap(). + */ +int tls_crypt_buf_overhead(void); + +/** + * Adjust frame parameters for --tls-crypt overhead. + */ +void tls_crypt_adjust_frame_parameters(struct frame *frame); + +/** + * Wrap a control channel packet (both authenticates and encrypts the data). + * + * @param src Data to authenticate and encrypt. + * @param dst Any data present in this buffer is first authenticated, then + * the wrapped packet id and data from the src buffer are appended. + * Must have at least tls_crypt_buf_overhead()+BLEN(src) headroom. + * @param opt The crypto state for this --tls-crypt instance. + * + * @returns true iff wrapping succeeded. + */ +bool tls_crypt_wrap (const struct buffer *src, struct buffer *dst, + struct crypto_options *opt); + +/** + * Unwrap a control channel packet (decrypts, authenticates and performs + * replay checks). + * + * @param src Data to decrypt and authenticate. + * @param dst Returns the decrypted data, if unwrapping was successful. + * @param opt The crypto state for this --tls-crypt instance. + * + * @returns true iff unwrapping succeeded (data authenticated correctly and was + * no replay). + */ +bool tls_crypt_unwrap (const struct buffer *src, struct buffer *dst, + struct crypto_options *opt); + +/** @} */ + +#endif /* TLSCRYPT_H */ diff --git a/src/openvpn/tun.c b/src/openvpn/tun.c index b70410d..77ae72f 100644 --- a/src/openvpn/tun.c +++ b/src/openvpn/tun.c @@ -49,7 +49,13 @@ #include "memdbg.h" -#ifdef WIN32 +#ifdef _WIN32 +#include "openvpn-msg.h" +#endif + +#include <string.h> + +#ifdef _WIN32 /* #define SIMULATE_DHCP_FAILED */ /* simulate bad DHCP negotiation */ @@ -62,12 +68,70 @@ static void netsh_ifconfig (const struct tuntap_options *to, const in_addr_t ip, const in_addr_t netmask, const unsigned int flags); -static void netsh_command (const struct argv *a, int n); +static void netsh_command (const struct argv *a, int n, int msglevel); static const char *netsh_get_id (const char *dev_node, struct gc_arena *gc); static DWORD get_adapter_index_flexible (const char *name); +static bool +do_address_service (const bool add, const short family, const struct tuntap *tt) +{ + DWORD len; + bool ret = false; + ack_message_t ack; + struct gc_arena gc = gc_new (); + HANDLE pipe = tt->options.msg_channel; + + address_message_t addr = { + .header = { + (add ? msg_add_address : msg_del_address), + sizeof (address_message_t), + 0 }, + .family = family, + .iface = { .index = tt->adapter_index, .name = "" } + }; + + if (addr.iface.index == TUN_ADAPTER_INDEX_INVALID) + { + strncpy (addr.iface.name, tt->actual_name, sizeof (addr.iface.name)); + addr.iface.name[sizeof (addr.iface.name) - 1] = '\0'; + } + + if (addr.family == AF_INET) + { + addr.address.ipv4.s_addr = tt->local; + addr.prefix_len = 32; + } + else + { + addr.address.ipv6 = tt->local_ipv6; + addr.prefix_len = tt->netbits_ipv6; + } + + if (!WriteFile (pipe, &addr, sizeof (addr), &len, NULL) || + !ReadFile (pipe, &ack, sizeof (ack), &len, NULL)) + { + msg (M_WARN, "TUN: could not talk to service: %s [%lu]", + strerror_win32 (GetLastError (), &gc), GetLastError ()); + goto out; + } + + if (ack.error_number != NO_ERROR) + { + msg (M_WARN, "TUN: %s address failed using service: %s [status=%u if_index=%lu]", + (add ? "adding" : "deleting"), strerror_win32 (ack.error_number, &gc), + ack.error_number, addr.iface.index); + goto out; + } + + ret = true; + +out: + gc_free (&gc); + return ret; +} + #endif #ifdef TARGET_SOLARIS @@ -134,7 +198,7 @@ guess_tuntap_dev (const char *dev, const char *dev_node, struct gc_arena *gc) { -#ifdef WIN32 +#ifdef _WIN32 const int dt = dev_type_enum (dev, dev_type); if (dt == DEV_TYPE_TUN || dt == DEV_TYPE_TAP) { @@ -357,7 +421,7 @@ tun_stat (const struct tuntap *tt, unsigned int rwflags, struct gc_arena *gc) { buf_printf (&out, "T%s", (tt->rwflags_debug & EVENT_READ) ? "R" : "r"); -#ifdef WIN32 +#ifdef _WIN32 buf_printf (&out, "%s", overlapped_io_state_ascii (&tt->reads)); #endif @@ -366,7 +430,7 @@ tun_stat (const struct tuntap *tt, unsigned int rwflags, struct gc_arena *gc) { buf_printf (&out, "T%s", (tt->rwflags_debug & EVENT_WRITE) ? "W" : "w"); -#ifdef WIN32 +#ifdef _WIN32 buf_printf (&out, "%s", overlapped_io_state_ascii (&tt->writes)); #endif @@ -455,8 +519,8 @@ init_tun (const char *dev, /* --dev option */ const char *ifconfig_ipv6_local_parm, /* --ifconfig parm 1 IPv6 */ int ifconfig_ipv6_netbits_parm, const char *ifconfig_ipv6_remote_parm, /* --ifconfig parm 2 IPv6 */ - in_addr_t local_public, - in_addr_t remote_public, + struct addrinfo *local_public, + struct addrinfo *remote_public, const bool strict_warn, struct env_set *es) { @@ -507,6 +571,7 @@ init_tun (const char *dev, /* --dev option */ */ if (strict_warn) { + struct addrinfo *curele; ifconfig_sanity_check (tt->type == DEV_TYPE_TUN, tt->remote_netmask, tt->topology); /* @@ -514,17 +579,23 @@ init_tun (const char *dev, /* --dev option */ * make sure they do not clash with our virtual subnet. */ - check_addr_clash ("local", + for(curele=local_public;curele;curele=curele->ai_next) { + if(curele->ai_family == AF_INET) + check_addr_clash ("local", tt->type, - local_public, + ((struct sockaddr_in*)curele->ai_addr)->sin_addr.s_addr, tt->local, tt->remote_netmask); + } - check_addr_clash ("remote", - tt->type, - remote_public, - tt->local, - tt->remote_netmask); + for (curele=remote_public;curele;curele=curele->ai_next) { + if (curele->ai_family == AF_INET) + check_addr_clash ("remote", + tt->type, + ((struct sockaddr_in*)curele->ai_addr)->sin_addr.s_addr, + tt->local, + tt->remote_netmask); + } if (tt->type == DEV_TYPE_TAP || (tt->type == DEV_TYPE_TUN && tt->topology == TOP_SUBNET)) check_subnet_conflict (tt->local, tt->remote_netmask, "TUN/TAP adapter"); @@ -540,6 +611,21 @@ init_tun (const char *dev, /* --dev option */ tt->broadcast = generate_ifconfig_broadcast_addr (tt->local, tt->remote_netmask); } +#ifdef _WIN32 + /* + * Make sure that both ifconfig addresses are part of the + * same .252 subnet. + */ + if (tun) + { + verify_255_255_255_252 (tt->local, tt->remote_netmask); + tt->adapter_netmask = ~3; + } + else + { + tt->adapter_netmask = tt->remote_netmask; + } +#endif tt->did_ifconfig_setup = true; } @@ -579,7 +665,7 @@ init_tun_post (struct tuntap *tt, const struct tuntap_options *options) { tt->options = *options; -#ifdef WIN32 +#ifdef _WIN32 overlapped_io_init (&tt->reads, frame, FALSE, true); overlapped_io_init (&tt->writes, frame, TRUE, true); tt->rw_handle.read = tt->reads.overlapped.hEvent; @@ -588,7 +674,7 @@ init_tun_post (struct tuntap *tt, #endif } -#if defined(WIN32) || \ +#if defined(_WIN32) || \ defined(TARGET_DARWIN) || defined(TARGET_NETBSD) || defined(TARGET_OPENBSD) /* some of the platforms will auto-add a "network route" pointing @@ -601,12 +687,12 @@ void add_route_connected_v6_net(struct tuntap * tt, { struct route_ipv6 r6; - r6.defined = true; + CLEAR(r6); r6.network = tt->local_ipv6; r6.netbits = tt->netbits_ipv6; r6.gateway = tt->local_ipv6; r6.metric = 0; /* connected route */ - r6.metric_defined = true; + r6.flags = RT_DEFINED | RT_METRIC_DEFINED; add_route_ipv6 (&r6, tt, 0, es); } @@ -615,17 +701,18 @@ void delete_route_connected_v6_net(struct tuntap * tt, { struct route_ipv6 r6; - r6.defined = true; + CLEAR(r6); r6.network = tt->local_ipv6; r6.netbits = tt->netbits_ipv6; r6.gateway = tt->local_ipv6; r6.metric = 0; /* connected route */ - r6.metric_defined = true; + r6.flags = RT_DEFINED | RT_ADDED | RT_METRIC_DEFINED; delete_route_ipv6 (&r6, tt, 0, es); } #endif -#if defined(TARGET_FREEBSD)||defined(TARGET_DRAGONFLY) +#if defined(TARGET_FREEBSD)||defined(TARGET_DRAGONFLY)||\ + defined(TARGET_OPENBSD) /* we can't use true subnet mode on tun on all platforms, as that * conflicts with IPv6 (wants to use ND then, which we don't do), * but the OSes want "a remote address that is different from ours" @@ -635,8 +722,8 @@ void delete_route_connected_v6_net(struct tuntap * tt, * is still point to point and no layer 2 resolution is done... */ -const char * -create_arbitrary_remote( struct tuntap *tt, struct gc_arena * gc ) +in_addr_t +create_arbitrary_remote( struct tuntap *tt ) { in_addr_t remote; @@ -644,7 +731,7 @@ create_arbitrary_remote( struct tuntap *tt, struct gc_arena * gc ) if ( remote == tt->local ) remote ++; - return print_in_addr_t (remote, 0, gc); + return remote; } #endif @@ -664,14 +751,11 @@ do_ifconfig (struct tuntap *tt, const char *ifconfig_remote_netmask = NULL; const char *ifconfig_broadcast = NULL; const char *ifconfig_ipv6_local = NULL; - const char *ifconfig_ipv6_remote = NULL; bool do_ipv6 = false; - struct argv argv; - - argv_init (&argv); + struct argv argv = argv_new (); - msg( M_INFO, "do_ifconfig, tt->ipv6=%d, tt->did_ifconfig_ipv6_setup=%d", - tt->ipv6, tt->did_ifconfig_ipv6_setup ); + msg( M_DEBUG, "do_ifconfig, tt->did_ifconfig_ipv6_setup=%d", + tt->did_ifconfig_ipv6_setup ); /* * We only handle TUN/TAP devices here, not --dev null devices. @@ -684,10 +768,9 @@ do_ifconfig (struct tuntap *tt, ifconfig_local = print_in_addr_t (tt->local, 0, &gc); ifconfig_remote_netmask = print_in_addr_t (tt->remote_netmask, 0, &gc); - if ( tt->ipv6 && tt->did_ifconfig_ipv6_setup ) + if (tt->did_ifconfig_ipv6_setup ) { ifconfig_ipv6_local = print_in6_addr (tt->local_ipv6, 0, &gc); - ifconfig_ipv6_remote = print_in6_addr (tt->remote_ipv6, 0, &gc); do_ipv6 = true; } @@ -703,8 +786,10 @@ do_ifconfig (struct tuntap *tt, management_set_state (management, OPENVPN_STATE_ASSIGN_IP, NULL, - tt->local, - 0); + &tt->local, + &tt->local_ipv6, + NULL, + NULL); } #endif @@ -743,7 +828,7 @@ do_ifconfig (struct tuntap *tt, iproute_path, actual, ifconfig_local, - count_netmask_bits(ifconfig_remote_netmask), + netmask_to_netbits2(tt->remote_netmask), ifconfig_broadcast ); argv_msg (M_INFO, &argv); @@ -799,8 +884,35 @@ do_ifconfig (struct tuntap *tt, tt->did_ifconfig = true; #endif /*ENABLE_IPROUTE*/ -#elif defined(TARGET_SOLARIS) +#elif defined(TARGET_ANDROID) + + if (do_ipv6) { + struct buffer out6 = alloc_buf_gc (64, &gc); + buf_printf (&out6, "%s/%d", ifconfig_ipv6_local,tt->netbits_ipv6); + management_android_control(management, "IFCONFIG6",buf_bptr(&out6)); + } + + struct buffer out = alloc_buf_gc (64, &gc); + + char* top; + switch(tt->topology) { + case TOP_NET30: + top="net30"; + break; + case TOP_P2P: + top="p2p"; + break; + case TOP_SUBNET: + top="subnet"; + break; + default: + top="undef"; + } + + buf_printf (&out, "%s %s %d %s", ifconfig_local, ifconfig_remote_netmask, tun_mtu, top); + management_android_control (management, "IFCONFIG", buf_bptr(&out)); +#elif defined(TARGET_SOLARIS) /* Solaris 2.6 (and 7?) cannot set all parameters in one go... * example: * ifconfig tun2 10.2.0.2 10.2.0.1 mtu 1450 up @@ -862,6 +974,9 @@ do_ifconfig (struct tuntap *tt, if ( tt->type == DEV_TYPE_TUN ) { + const char *ifconfig_ipv6_remote = + print_in6_addr (tt->remote_ipv6, 0, &gc); + argv_printf (&argv, "%s %s inet6 plumb %s/%d %s up", IFCONFIG_PATH, @@ -916,6 +1031,8 @@ do_ifconfig (struct tuntap *tt, #elif defined(TARGET_OPENBSD) + in_addr_t remote_end; /* for "virtual" subnet topology */ + /* * On OpenBSD, tun interfaces are persistent if created with * "ifconfig tunX create", and auto-destroyed if created by @@ -935,12 +1052,13 @@ do_ifconfig (struct tuntap *tt, else if ( tt->topology == TOP_SUBNET ) { + remote_end = create_arbitrary_remote( tt ); argv_printf (&argv, "%s %s %s %s mtu %d netmask %s up -link0", IFCONFIG_PATH, actual, ifconfig_local, - ifconfig_local, + print_in_addr_t (remote_end, 0, &gc), tun_mtu, ifconfig_remote_netmask ); @@ -957,6 +1075,19 @@ do_ifconfig (struct tuntap *tt, ); argv_msg (M_INFO, &argv); openvpn_execve_check (&argv, es, S_FATAL, "OpenBSD ifconfig failed"); + + /* Add a network route for the local tun interface */ + if (!tun && tt->topology == TOP_SUBNET) + { + struct route_ipv4 r; + CLEAR (r); + r.flags = RT_DEFINED; + r.network = tt->local & tt->remote_netmask; + r.netmask = tt->remote_netmask; + r.gateway = remote_end; + add_route (&r, tt, 0, NULL, es); + } + if ( do_ipv6 ) { argv_printf (&argv, @@ -976,13 +1107,6 @@ do_ifconfig (struct tuntap *tt, #elif defined(TARGET_NETBSD) -/* whether or not NetBSD can do IPv6 can be seen by the availability of - * the TUNSIFHEAD ioctl() - see next TARGET_NETBSD block for more details - */ -#ifdef TUNSIFHEAD -# define NETBSD_MULTI_AF -#endif - if (tun) argv_printf (&argv, "%s %s %s %s mtu %d netmask 255.255.255.255 up", @@ -1025,7 +1149,6 @@ do_ifconfig (struct tuntap *tt, if ( do_ipv6 ) { -#ifdef NETBSD_MULTI_AF argv_printf (&argv, "%s %s inet6 %s/%d", IFCONFIG_PATH, @@ -1038,10 +1161,6 @@ do_ifconfig (struct tuntap *tt, /* and, hooray, we explicitely need to add a route... */ add_route_connected_v6_net(tt, es); -#else - msg( M_INFO, "no IPv6 support for tun interfaces on NetBSD before 4.0 (if your system is newer, recompile openvpn)" ); - tt->ipv6 = false; -#endif } tt->did_ifconfig = true; @@ -1126,6 +1245,8 @@ do_ifconfig (struct tuntap *tt, #elif defined(TARGET_FREEBSD)||defined(TARGET_DRAGONFLY) + in_addr_t remote_end; /* for "virtual" subnet topology */ + /* example: ifconfig tun2 10.2.0.2 10.2.0.1 mtu 1450 netmask 255.255.255.255 up */ if (tun) argv_printf (&argv, @@ -1138,12 +1259,13 @@ do_ifconfig (struct tuntap *tt, ); else if ( tt->topology == TOP_SUBNET ) { + remote_end = create_arbitrary_remote( tt ); argv_printf (&argv, "%s %s %s %s mtu %d netmask %s up", IFCONFIG_PATH, actual, ifconfig_local, - create_arbitrary_remote( tt, &gc ), + print_in_addr_t (remote_end, 0, &gc), tun_mtu, ifconfig_remote_netmask ); @@ -1170,7 +1292,7 @@ do_ifconfig (struct tuntap *tt, r.flags = RT_DEFINED; r.network = tt->local & tt->remote_netmask; r.netmask = tt->remote_netmask; - r.gateway = tt->local; + r.gateway = remote_end; add_route (&r, tt, 0, NULL, es); } @@ -1187,21 +1309,46 @@ do_ifconfig (struct tuntap *tt, openvpn_execve_check (&argv, es, S_FATAL, "FreeBSD ifconfig inet6 failed"); } -#elif defined (WIN32) +#elif defined(TARGET_AIX) { - /* - * Make sure that both ifconfig addresses are part of the - * same .252 subnet. - */ + /* AIX ifconfig will complain if it can't find ODM path in env */ + struct env_set *aix_es = env_set_create (NULL); + env_set_add( aix_es, "ODMDIR=/etc/objrepos" ); + if (tun) + msg(M_FATAL, "no tun support on AIX (canthappen)"); + + /* example: ifconfig tap0 172.30.1.1 netmask 255.255.254.0 up */ + argv_printf (&argv, + "%s %s %s netmask %s mtu %d up", + IFCONFIG_PATH, + actual, + ifconfig_local, + ifconfig_remote_netmask, + tun_mtu + ); + + argv_msg (M_INFO, &argv); + openvpn_execve_check (&argv, aix_es, S_FATAL, "AIX ifconfig failed"); + tt->did_ifconfig = true; + + if ( do_ipv6 ) { - verify_255_255_255_252 (tt->local, tt->remote_netmask); - tt->adapter_netmask = ~3; - } - else - { - tt->adapter_netmask = tt->remote_netmask; + argv_printf (&argv, + "%s %s inet6 %s/%d", + IFCONFIG_PATH, + actual, + ifconfig_ipv6_local, + tt->netbits_ipv6 + ); + argv_msg (M_INFO, &argv); + openvpn_execve_check (&argv, aix_es, S_FATAL, "AIX ifconfig inet6 failed"); } + env_set_destroy (aix_es); + } +#elif defined (_WIN32) + { + ASSERT (actual != NULL); switch (tt->options.ip_win32_type) { @@ -1212,9 +1359,6 @@ do_ifconfig (struct tuntap *tt, print_in_addr_t (tt->adapter_netmask, 0, &gc)); break; case IPW32_SET_NETSH: - if (!strcmp (actual, "NULL")) - msg (M_FATAL, "Error: When using --ip-win32 netsh, if you have more than one TAP-Windows adapter, you must also specify --dev-node"); - netsh_ifconfig (&tt->options, actual, tt->local, @@ -1226,39 +1370,28 @@ do_ifconfig (struct tuntap *tt, tt->did_ifconfig = true; } - /* IPv6 always uses "netsh" interface */ if ( do_ipv6 ) { - char * saved_actual; - char iface[64]; - DWORD idx; - - if (!strcmp (actual, "NULL")) - msg (M_FATAL, "Error: When using --tun-ipv6, if you have more than one TAP-Windows adapter, you must also specify --dev-node"); - - idx = get_adapter_index_flexible(actual); - openvpn_snprintf(iface, sizeof(iface), "interface=%lu", idx); - - /* example: netsh interface ipv6 set address interface=42 2001:608:8003::d store=active */ - argv_printf (&argv, - "%s%sc interface ipv6 set address %s %s store=active", - get_win_sys_path(), - NETSH_PATH_SUFFIX, - win32_version_info() == WIN_XP ? actual : iface, - ifconfig_ipv6_local); - netsh_command (&argv, 4); + if (tt->options.msg_channel) + { + do_address_service (true, AF_INET6, tt); + } + else + { + /* example: netsh interface ipv6 set address interface=42 2001:608:8003::d store=active */ + char iface[64]; + openvpn_snprintf(iface, sizeof(iface), "interface=%lu", tt->adapter_index ); + argv_printf (&argv, + "%s%sc interface ipv6 set address %s %s store=active", + get_win_sys_path(), + NETSH_PATH_SUFFIX, + iface, + ifconfig_ipv6_local ); + netsh_command (&argv, 4, M_FATAL); + } /* explicit route needed */ - /* on windows, OpenVPN does ifconfig first, open_tun later, so - * tt->actual_name might not yet be initialized, but routing code - * needs to know interface name - point to "actual", restore later - */ - saved_actual = tt->actual_name; - tt->actual_name = (char*) actual; - /* we use adapter_index in add_route_ipv6 */ - tt->adapter_index = idx; add_route_connected_v6_net(tt, es); - tt->actual_name = saved_actual; } #else msg (M_FATAL, "Sorry, but I don't know how to do 'ifconfig' commands on this operating system. You should ifconfig your TUN/TAP device manually or use an --up script."); @@ -1272,7 +1405,7 @@ static void clear_tuntap (struct tuntap *tuntap) { CLEAR (*tuntap); -#ifdef WIN32 +#ifdef _WIN32 tuntap->hand = NULL; #else tuntap->fd = -1; @@ -1280,7 +1413,6 @@ clear_tuntap (struct tuntap *tuntap) #ifdef TARGET_SOLARIS tuntap->ip_fd = -1; #endif - tuntap->ipv6 = false; } static void @@ -1333,7 +1465,7 @@ write_tun_header (struct tuntap* tt, uint8_t *buf, int len) iph = (struct ip *) buf; - if (tt->ipv6 && iph->ip_v == 6) + if (iph->ip_v == 6) type = htonl (AF_INET6); else type = htonl (AF_INET); @@ -1370,20 +1502,15 @@ read_tun_header (struct tuntap* tt, uint8_t *buf, int len) #endif -#ifndef WIN32 +#if !(defined(_WIN32) || defined(TARGET_LINUX)) static void open_tun_generic (const char *dev, const char *dev_type, const char *dev_node, - bool ipv6_explicitly_supported, bool dynamic, - struct tuntap *tt) + bool dynamic, struct tuntap *tt) { char tunname[256]; char dynamic_name[256]; bool dynamic_opened = false; - - if ( tt->ipv6 && ! ipv6_explicitly_supported ) - msg (M_WARN, "NOTE: explicit support for IPv6 tun devices is not provided for this OS"); - if (tt->type == DEV_TYPE_NULL) { open_null (tt); @@ -1477,7 +1604,9 @@ open_tun_generic (const char *dev, const char *dev_type, const char *dev_node, tt->actual_name = string_alloc (dynamic_opened ? dynamic_name : dev, NULL); } } +#endif /* !_WIN32 && !TARGET_LINUX */ +#if !defined(_WIN32) static void close_tun_generic (struct tuntap *tt) { @@ -1487,12 +1616,83 @@ close_tun_generic (struct tuntap *tt) free (tt->actual_name); clear_tuntap (tt); } +#endif /* !_WIN32 */ -#endif +#if defined (TARGET_ANDROID) +void +open_tun (const char *dev, const char *dev_type, const char *dev_node, struct tuntap *tt) +{ +#define ANDROID_TUNNAME "vpnservice-tun" + int i; + struct user_pass up; + struct gc_arena gc = gc_new (); + bool opentun; -#if defined(TARGET_LINUX) + int oldtunfd = tt->fd; + + for (i = 0; i < tt->options.dns_len; ++i) { + management_android_control (management, "DNSSERVER", + print_in_addr_t(tt->options.dns[i], 0, &gc)); + } -#ifdef HAVE_LINUX_IF_TUN_H /* New driver support */ + if(tt->options.domain) + management_android_control (management, "DNSDOMAIN", tt->options.domain); + + int android_method = managment_android_persisttun_action (management); + + /* Android 4.4 workaround */ + if (oldtunfd >=0 && android_method == ANDROID_OPEN_AFTER_CLOSE) + { + close(oldtunfd); + openvpn_sleep(2); + } + + if (oldtunfd >=0 && android_method == ANDROID_KEEP_OLD_TUN) { + /* keep the old fd */ + opentun = true; + } else { + opentun = management_android_control (management, "OPENTUN", dev); + /* Pick up the fd from management interface after calling the + * OPENTUN command */ + tt->fd = management->connection.lastfdreceived; + management->connection.lastfdreceived=-1; + } + + if (oldtunfd>=0 && android_method == ANDROID_OPEN_BEFORE_CLOSE) + close(oldtunfd); + + /* Set the actual name to a dummy name */ + tt->actual_name = string_alloc (ANDROID_TUNNAME, NULL); + + if ((tt->fd < 0) || !opentun) + msg (M_ERR, "ERROR: Cannot open TUN"); + + gc_free (&gc); +} + +void +close_tun (struct tuntap *tt) +{ + if (tt) + { + close_tun_generic (tt); + free (tt); + } +} + +int +write_tun (struct tuntap* tt, uint8_t *buf, int len) +{ + return write (tt->fd, buf, len); +} + +int +read_tun (struct tuntap* tt, uint8_t *buf, int len) +{ + return read (tt->fd, buf, len); +} + +#elif defined(TARGET_LINUX) #ifndef HAVE_LINUX_SOCKIOS_H #error header file linux/sockios.h required @@ -1533,8 +1733,7 @@ open_tun (const char *dev, const char *dev_type, const char *dev_node, struct tu * Process --tun-ipv6 */ CLEAR (ifr); - if (!tt->ipv6) - ifr.ifr_flags = IFF_NO_PI; + ifr.ifr_flags = IFF_NO_PI; #if defined(IFF_ONE_QUEUE) && defined(SIOCSIFTXQLEN) ifr.ifr_flags |= IFF_ONE_QUEUE; @@ -1615,32 +1814,10 @@ open_tun (const char *dev, const char *dev_type, const char *dev_node, struct tu ASSERT (0); } -#endif - -#else - -void -open_tun (const char *dev, const char *dev_type, const char *dev_node, struct tuntap *tt) -{ - open_tun_generic (dev, dev_type, dev_node, false, true, tt); -} - -#endif /* HAVE_LINUX_IF_TUN_H */ +#endif /* !PENDANTIC */ #ifdef ENABLE_FEATURE_TUN_PERSIST -/* - * This can be removed in future - * when all systems will use newer - * linux-headers - */ -#ifndef TUNSETOWNER -#define TUNSETOWNER _IOW('T', 204, int) -#endif -#ifndef TUNSETGROUP -#define TUNSETGROUP _IOW('T', 206, int) -#endif - void tuncfg (const char *dev, const char *dev_type, const char *dev_node, int persist_mode, const char *username, const char *groupname, const struct tuntap_options *options) { @@ -1686,9 +1863,8 @@ close_tun (struct tuntap *tt) { if (tt->type != DEV_TYPE_NULL && tt->did_ifconfig) { - struct argv argv; + struct argv argv = argv_new (); struct gc_arena gc = gc_new (); - argv_init (&argv); #ifdef ENABLE_IPROUTE if (is_tun_p2p (tt)) @@ -1708,7 +1884,7 @@ close_tun (struct tuntap *tt) iproute_path, tt->actual_name, print_in_addr_t (tt->local, 0, &gc), - count_netmask_bits(print_in_addr_t (tt->remote_netmask, 0, &gc)) + netmask_to_netbits2(tt->remote_netmask) ); } #else @@ -1722,7 +1898,7 @@ close_tun (struct tuntap *tt) argv_msg (M_INFO, &argv); openvpn_execve_check (&argv, NULL, 0, "Linux ip addr del failed"); - if (tt->ipv6 && tt->did_ifconfig_ipv6_setup) + if (tt->did_ifconfig_ipv6_setup) { const char * ifconfig_ipv6_local = print_in6_addr (tt->local_ipv6, 0, &gc); @@ -1759,53 +1935,13 @@ close_tun (struct tuntap *tt) int write_tun (struct tuntap* tt, uint8_t *buf, int len) { - if (tt->ipv6) - { - struct tun_pi pi; - struct iphdr *iph; - struct iovec vect[2]; - int ret; - - iph = (struct iphdr *)buf; - - pi.flags = 0; - - if(iph->version == 6) - pi.proto = htons(OPENVPN_ETH_P_IPV6); - else - pi.proto = htons(OPENVPN_ETH_P_IPV4); - - vect[0].iov_len = sizeof(pi); - vect[0].iov_base = π - vect[1].iov_len = len; - vect[1].iov_base = buf; - - ret = writev(tt->fd, vect, 2); - return(ret - sizeof(pi)); - } - else - return write (tt->fd, buf, len); + return write (tt->fd, buf, len); } int read_tun (struct tuntap* tt, uint8_t *buf, int len) { - if (tt->ipv6) - { - struct iovec vect[2]; - struct tun_pi pi; - int ret; - - vect[0].iov_len = sizeof(pi); - vect[0].iov_base = π - vect[1].iov_len = len; - vect[1].iov_base = buf; - - ret = readv(tt->fd, vect, 2); - return(ret - sizeof(pi)); - } - else - return read (tt->fd, buf, len); + return read (tt->fd, buf, len); } #elif defined(TARGET_SOLARIS) @@ -2009,10 +2145,9 @@ solaris_close_tun (struct tuntap *tt) if (tt) { /* IPv6 interfaces need to be 'manually' de-configured */ - if ( tt->ipv6 && tt->did_ifconfig_ipv6_setup ) + if ( tt->did_ifconfig_ipv6_setup ) { - struct argv argv; - argv_init (&argv); + struct argv argv = argv_new (); argv_printf( &argv, "%s %s inet6 unplumb", IFCONFIG_PATH, tt->actual_name ); argv_msg (M_INFO, &argv); @@ -2075,8 +2210,7 @@ static void solaris_error_close (struct tuntap *tt, const struct env_set *es, const char *actual, bool unplumb_inet6 ) { - struct argv argv; - argv_init (&argv); + struct argv argv = argv_new (); if (unplumb_inet6) { @@ -2123,7 +2257,7 @@ read_tun (struct tuntap* tt, uint8_t *buf, int len) void open_tun (const char *dev, const char *dev_type, const char *dev_node, struct tuntap *tt) { - open_tun_generic (dev, dev_type, dev_node, true, true, tt); + open_tun_generic (dev, dev_type, dev_node, true, tt); /* Enable multicast on the interface */ if (tt->fd >= 0) @@ -2168,12 +2302,11 @@ close_tun (struct tuntap* tt) else if (tt) { struct gc_arena gc = gc_new (); - struct argv argv; + struct argv argv = argv_new (); /* setup command, close tun dev (clears tt->actual_name!), run command */ - argv_init (&argv); argv_printf (&argv, "%s %s destroy", IFCONFIG_PATH, tt->actual_name); @@ -2217,11 +2350,7 @@ read_tun (struct tuntap *tt, uint8_t *buf, int len) void open_tun (const char *dev, const char *dev_type, const char *dev_node, struct tuntap *tt) { -#ifdef NETBSD_MULTI_AF - open_tun_generic (dev, dev_type, dev_node, true, true, tt); -#else - open_tun_generic (dev, dev_type, dev_node, false, true, tt); -#endif + open_tun_generic (dev, dev_type, dev_node, true, tt); if (tt->fd >= 0) { @@ -2230,7 +2359,6 @@ open_tun (const char *dev, const char *dev_type, const char *dev_node, struct tu i = 0; ioctl (tt->fd, TUNSLMODE, &i); /* link layer mode off */ -#ifdef NETBSD_MULTI_AF if ( tt->type == DEV_TYPE_TUN ) { i = 1; @@ -2239,7 +2367,6 @@ open_tun (const char *dev, const char *dev_type, const char *dev_node, struct tu msg (M_WARN | M_ERRNO, "ioctl(TUNSIFHEAD): %s", strerror(errno)); } } -#endif } } @@ -2260,12 +2387,11 @@ close_tun (struct tuntap *tt) else if (tt) { struct gc_arena gc = gc_new (); - struct argv argv; + struct argv argv = argv_new (); /* setup command, close tun dev (clears tt->actual_name!), run command */ - argv_init (&argv); argv_printf (&argv, "%s %s destroy", IFCONFIG_PATH, tt->actual_name); @@ -2278,8 +2404,6 @@ close_tun (struct tuntap *tt) } } -#ifdef NETBSD_MULTI_AF - static inline int netbsd_modify_read_write_return (int len) { @@ -2300,7 +2424,7 @@ write_tun (struct tuntap* tt, uint8_t *buf, int len) iph = (struct openvpn_iphdr *) buf; - if (tt->ipv6 && OPENVPN_IPH_GET_VER(iph->version_len) == 6) + if (OPENVPN_IPH_GET_VER(iph->version_len) == 6) type = htonl (AF_INET6); else type = htonl (AF_INET); @@ -2335,21 +2459,6 @@ read_tun (struct tuntap* tt, uint8_t *buf, int len) return read (tt->fd, buf, len); } -#else /* not NETBSD_MULTI_AF -> older code, IPv4 only */ - -int -write_tun (struct tuntap* tt, uint8_t *buf, int len) -{ - return write (tt->fd, buf, len); -} - -int -read_tun (struct tuntap* tt, uint8_t *buf, int len) -{ - return read (tt->fd, buf, len); -} -#endif /* NETBSD_MULTI_AF */ - #elif defined(TARGET_FREEBSD) static inline int @@ -2364,7 +2473,7 @@ freebsd_modify_read_write_return (int len) void open_tun (const char *dev, const char *dev_type, const char *dev_node, struct tuntap *tt) { - open_tun_generic (dev, dev_type, dev_node, true, true, tt); + open_tun_generic (dev, dev_type, dev_node, true, tt); if (tt->fd >= 0 && tt->type == DEV_TYPE_TUN) { @@ -2397,12 +2506,11 @@ close_tun (struct tuntap *tt) } else if (tt) /* close and destroy */ { - struct argv argv; + struct argv argv = argv_new (); /* setup command, close tun dev (clears tt->actual_name!), run command */ - argv_init (&argv); argv_printf (&argv, "%s %s destroy", IFCONFIG_PATH, tt->actual_name); @@ -2426,7 +2534,7 @@ write_tun (struct tuntap* tt, uint8_t *buf, int len) iph = (struct ip *) buf; - if (tt->ipv6 && iph->ip_v == 6) + if (iph->ip_v == 6) type = htonl (AF_INET6); else type = htonl (AF_INET); @@ -2475,7 +2583,7 @@ dragonfly_modify_read_write_return (int len) void open_tun (const char *dev, const char *dev_type, const char *dev_node, struct tuntap *tt) { - open_tun_generic (dev, dev_type, dev_node, true, true, tt); + open_tun_generic (dev, dev_type, dev_node, true, tt); if (tt->fd >= 0) { @@ -2509,7 +2617,7 @@ write_tun (struct tuntap* tt, uint8_t *buf, int len) iph = (struct ip *) buf; - if (tt->ipv6 && iph->ip_v == 6) + if (iph->ip_v == 6) type = htonl (AF_INET6); else type = htonl (AF_INET); @@ -2702,7 +2810,7 @@ open_tun (const char *dev, const char *dev_type, const char *dev_node, struct tu { /* No explicit utun and utun failed, try the generic way) */ msg (M_INFO, "Failed to open utun device. Falling back to /dev/tun device"); - open_tun_generic (dev, dev_type, NULL, true, true, tt); + open_tun_generic (dev, dev_type, NULL, true, tt); } else { @@ -2723,7 +2831,7 @@ open_tun (const char *dev, const char *dev_type, const char *dev_node, struct tu if (dev_node && strcmp (dev_node, "tun")==0) dev_node=NULL; - open_tun_generic (dev, dev_type, dev_node, true, true, tt); + open_tun_generic (dev, dev_type, dev_node, true, tt); } } @@ -2733,10 +2841,9 @@ close_tun (struct tuntap* tt) if (tt) { struct gc_arena gc = gc_new (); - struct argv argv; - argv_init (&argv); + struct argv argv = argv_new (); - if ( tt->ipv6 && tt->did_ifconfig_ipv6_setup ) + if (tt->did_ifconfig_ipv6_setup ) { const char * ifconfig_ipv6_local = print_in6_addr (tt->local_ipv6, 0, &gc); @@ -2776,7 +2883,137 @@ read_tun (struct tuntap* tt, uint8_t *buf, int len) return read (tt->fd, buf, len); } -#elif defined(WIN32) +#elif defined(TARGET_AIX) + +void +open_tun (const char *dev, const char *dev_type, const char *dev_node, struct tuntap *tt) +{ + char tunname[256]; + char dynamic_name[20]; + const char *p; + + if (tt->type == DEV_TYPE_NULL) + { + open_null (tt); + return; + } + + if ( tt->type == DEV_TYPE_TUN) + { + msg(M_FATAL, "no support for 'tun' devices on AIX" ); + } + + if ( strncmp( dev, "tap", 3 ) != 0 || dev_node ) + { + msg(M_FATAL, "'--dev %s' and/or '--dev-node' not supported on AIX, use '--dev tap0', 'tap1', etc.", dev ); + } + + if ( strcmp( dev, "tap" ) == 0 ) /* find first free tap dev */ + { /* (= no /dev/tapN node) */ + int i; + for (i=0; i<99; i++ ) + { + openvpn_snprintf (tunname, sizeof (tunname), "/dev/tap%d", i); + if ( access( tunname, F_OK ) < 0 && errno == ENOENT ) + { break; } + } + if ( i >= 99 ) + msg( M_FATAL, "cannot find unused tap device" ); + + openvpn_snprintf( dynamic_name, sizeof(dynamic_name), "tap%d", i ); + dev = dynamic_name; + } + else /* name given, sanity check */ + { + /* ensure that dev name is "tap+<digits>" *only* */ + p = &dev[3]; + while( isdigit(*p) ) p++; + if ( *p != '\0' ) + msg( M_FATAL, "TAP device name must be '--dev tapNNNN'" ); + + openvpn_snprintf (tunname, sizeof (tunname), "/dev/%s", dev); + } + + /* pre-existing device? + */ + if ( access( tunname, F_OK ) < 0 && errno == ENOENT ) + { + + /* tunnel device must be created with 'ifconfig tapN create' + */ + struct argv argv = argv_new (); + struct env_set *es = env_set_create (NULL); + argv_printf (&argv, "%s %s create", IFCONFIG_PATH, dev); + argv_msg (M_INFO, &argv); + env_set_add( es, "ODMDIR=/etc/objrepos" ); + openvpn_execve_check (&argv, es, S_FATAL, "AIX 'create tun interface' failed"); + env_set_destroy (es); + } + else + { + /* we didn't make it, we're not going to break it */ + tt->persistent_if = TRUE; + } + + if ((tt->fd = open (tunname, O_RDWR)) < 0) + { + msg (M_ERR, "Cannot open TAP device '%s'", tunname); + } + + set_nonblock (tt->fd); + set_cloexec (tt->fd); /* don't pass fd to scripts */ + msg (M_INFO, "TUN/TAP device %s opened", tunname); + + /* tt->actual_name is passed to up and down scripts and used as the ifconfig dev name */ + tt->actual_name = string_alloc(dev, NULL); +} + +/* tap devices need to be manually destroyed on AIX + */ +void +close_tun (struct tuntap* tt) +{ + struct gc_arena gc = gc_new (); + struct argv argv = argv_new (); + struct env_set *es = env_set_create (NULL); + + if (!tt) return; + + /* persistent devices need IP address unconfig, others need destroyal + */ + if (tt->persistent_if) + { + argv_printf (&argv, "%s %s 0.0.0.0 down", + IFCONFIG_PATH, tt->actual_name); + } + else + { + argv_printf (&argv, "%s %s destroy", + IFCONFIG_PATH, tt->actual_name); + } + + close_tun_generic (tt); + argv_msg (M_INFO, &argv); + env_set_add( es, "ODMDIR=/etc/objrepos" ); + openvpn_execve_check (&argv, es, 0, "AIX 'destroy tap interface' failed (non-critical)"); + + free(tt); + env_set_destroy (es); +} + +int +write_tun (struct tuntap* tt, uint8_t *buf, int len) +{ + return write (tt->fd, buf, len); +} + +int +read_tun (struct tuntap* tt, uint8_t *buf, int len) +{ + return read (tt->fd, buf, len); +} + +#elif defined(_WIN32) int tun_read_queue (struct tuntap *tt, int maxsize) @@ -4246,7 +4483,7 @@ dhcp_renew (const struct tuntap *tt) */ static void -netsh_command (const struct argv *a, int n) +netsh_command (const struct argv *a, int n, int msglevel) { int i; for (i = 0; i < n; ++i) @@ -4261,21 +4498,19 @@ netsh_command (const struct argv *a, int n) return; openvpn_sleep (4); } - msg (M_FATAL, "NETSH: command failed"); + msg (msglevel, "NETSH: command failed"); } void ipconfig_register_dns (const struct env_set *es) { - struct argv argv; + struct argv argv = argv_new (); bool status; const char err[] = "ERROR: Windows ipconfig command failed"; msg (D_TUNTAP_INFO, "Start net commands..."); netcmd_semaphore_lock (); - argv_init (&argv); - argv_printf (&argv, "%s%sc stop dnscache", get_win_sys_path(), WIN_NET_PATH_SUFFIX); @@ -4411,7 +4646,7 @@ netsh_ifconfig_options (const char *type, NETSH_PATH_SUFFIX, type, flex_name); - netsh_command (&argv, 2); + netsh_command (&argv, 2, M_FATAL); } /* add new DNS/WINS settings to TAP interface */ @@ -4432,7 +4667,7 @@ netsh_ifconfig_options (const char *type, type, flex_name, print_in_addr_t (addr_list[i], 0, &gc)); - netsh_command (&argv, 2); + netsh_command (&argv, 2, M_FATAL); ++count; } @@ -4507,7 +4742,7 @@ netsh_ifconfig (const struct tuntap_options *to, print_in_addr_t (ip, 0, &gc), print_in_addr_t (netmask, 0, &gc)); - netsh_command (&argv, 4); + netsh_command (&argv, 4, M_FATAL); } } @@ -4543,8 +4778,7 @@ static void netsh_enable_dhcp (const struct tuntap_options *to, const char *actual_name) { - struct argv argv; - argv_init (&argv); + struct argv argv = argv_new (); /* example: netsh interface ip set address my-tap dhcp */ argv_printf (&argv, @@ -4553,7 +4787,7 @@ netsh_enable_dhcp (const struct tuntap_options *to, NETSH_PATH_SUFFIX, actual_name); - netsh_command (&argv, 4); + netsh_command (&argv, 4, M_FATAL); argv_reset (&argv); } @@ -4750,10 +4984,43 @@ fork_dhcp_action (struct tuntap *tt) } } +static void +register_dns_service (const struct tuntap *tt) +{ + DWORD len; + HANDLE msg_channel = tt->options.msg_channel; + ack_message_t ack; + struct gc_arena gc = gc_new (); + + message_header_t rdns = { msg_register_dns, sizeof(message_header_t), 0 }; + + if (!WriteFile (msg_channel, &rdns, sizeof (rdns), &len, NULL) || + !ReadFile (msg_channel, &ack, sizeof (ack), &len, NULL)) + { + msg (M_WARN, "Register_dns: could not talk to service: %s [status=0x%lx]", + strerror_win32 (GetLastError (), &gc), GetLastError ()); + } + + else if (ack.error_number != NO_ERROR) + { + msg (M_WARN, "Register_dns failed using service: %s [status=0x%x]", + strerror_win32 (ack.error_number, &gc), ack.error_number); + } + + else + msg (M_INFO, "Register_dns request sent to the service"); + + gc_free (&gc); +} + void fork_register_dns_action (struct tuntap *tt) { - if (tt && tt->options.register_dns) + if (tt && tt->options.register_dns && tt->options.msg_channel) + { + register_dns_service (tt); + } + else if (tt && tt->options.register_dns) { struct gc_arena gc = gc_new (); struct buffer cmd = alloc_buf_gc (256, &gc); @@ -4798,7 +5065,7 @@ open_tun (const char *dev, const char *dev_type, const char *dev_node, struct tu /*netcmd_semaphore_lock ();*/ - msg( M_INFO, "open_tun, tt->ipv6=%d", tt->ipv6 ); + msg( M_INFO, "open_tun"); if (tt->type == DEV_TYPE_NULL) { @@ -4924,11 +5191,10 @@ open_tun (const char *dev, const char *dev_type, const char *dev_node, struct tu /* usage of numeric constants is ugly, but this is really tied to * *this* version of the driver */ - if ( tt->ipv6 && tt->type == DEV_TYPE_TUN && + if (tt->type == DEV_TYPE_TUN && info[0] == 9 && info[1] < 8) { - msg( M_INFO, "WARNING: Tap-Win32 driver version %d.%d does not support IPv6 in TUN mode. IPv6 will be disabled. Upgrade to Tap-Win32 9.8 (2.2-beta3 release or later) or use TAP mode to get IPv6", (int) info[0], (int) info[1] ); - tt->ipv6 = false; + msg( M_INFO, "WARNING: Tap-Win32 driver version %d.%d does not support IPv6 in TUN mode. IPv6 will not work. Upgrade your Tap-Win32 driver.", (int) info[0], (int) info[1] ); } /* tap driver 9.8 (2.2.0 and 2.2.1 release) is buggy @@ -4936,7 +5202,7 @@ open_tun (const char *dev, const char *dev_type, const char *dev_node, struct tu if ( tt->type == DEV_TYPE_TUN && info[0] == 9 && info[1] == 8) { - msg( M_FATAL, "ERROR: Tap-Win32 driver version %d.%d is buggy regarding small IPv4 packets in TUN mode. Upgrade to Tap-Win32 9.9 (2.2.2 release or later) or use TAP mode", (int) info[0], (int) info[1] ); + msg( M_FATAL, "ERROR: Tap-Win32 driver version %d.%d is buggy regarding small IPv4 packets in TUN mode. Upgrade your Tap-Win32 driver.", (int) info[0], (int) info[1] ); } } @@ -5122,13 +5388,35 @@ open_tun (const char *dev, const char *dev_type, const char *dev_node, struct tu /* flush arp cache */ if (index != TUN_ADAPTER_INDEX_INVALID) { - DWORD status; + DWORD status = -1; + + if (tt->options.msg_channel) + { + ack_message_t ack; + flush_neighbors_message_t msg = { + .header = { + msg_flush_neighbors, + sizeof (flush_neighbors_message_t), + 0 }, + .family = AF_INET, + .iface = { .index = index, .name = "" } + }; + + if (!WriteFile (tt->options.msg_channel, &msg, sizeof (msg), &len, NULL) || + !ReadFile (tt->options.msg_channel, &ack, sizeof (ack), &len, NULL)) + msg (M_WARN, "TUN: could not talk to service: %s [%lu]", + strerror_win32 (GetLastError (), &gc), GetLastError ()); + + status = ack.error_number; + } + else + status = FlushIpNetTable (index); - if ((status = FlushIpNetTable (index)) == NO_ERROR) + if (status == NO_ERROR) msg (M_INFO, "Successful ARP Flush on interface [%u] %s", (unsigned int)index, device_guid); - else + else if (status != -1) msg (D_TUNTAP_INFO, "NOTE: FlushIpNetTable failed on interface [%u] %s (status=%u) : %s", (unsigned int)index, device_guid, @@ -5247,30 +5535,36 @@ close_tun (struct tuntap *tt) if (tt) { - if ( tt->ipv6 && tt->did_ifconfig_ipv6_setup ) + if ( tt->did_ifconfig_ipv6_setup ) { - const char *ifconfig_ipv6_local; - struct argv argv; - argv_init (&argv); - - /* remove route pointing to interface */ - delete_route_connected_v6_net(tt, NULL); - - /* "store=active" is needed in Windows 8(.1) to delete the - * address we added (pointed out by Cedric Tabary). - */ - - /* netsh interface ipv6 delete address \"%s\" %s */ - ifconfig_ipv6_local = print_in6_addr (tt->local_ipv6, 0, &gc); - argv_printf (&argv, - "%s%sc interface ipv6 delete address %s %s store=active", - get_win_sys_path(), - NETSH_PATH_SUFFIX, - tt->actual_name, - ifconfig_ipv6_local ); - - netsh_command (&argv, 1); - argv_reset (&argv); + if (tt->options.msg_channel) + { + do_address_service (false, AF_INET6, tt); + } + else + { + const char *ifconfig_ipv6_local; + struct argv argv = argv_new (); + + /* remove route pointing to interface */ + delete_route_connected_v6_net(tt, NULL); + + /* "store=active" is needed in Windows 8(.1) to delete the + * address we added (pointed out by Cedric Tabary). + */ + + /* netsh interface ipv6 delete address \"%s\" %s */ + ifconfig_ipv6_local = print_in6_addr (tt->local_ipv6, 0, &gc); + argv_printf (&argv, + "%s%sc interface ipv6 delete address %s %s store=active", + get_win_sys_path(), + NETSH_PATH_SUFFIX, + tt->actual_name, + ifconfig_ipv6_local); + + netsh_command (&argv, 1, M_WARN); + argv_reset (&argv); + } } #if 1 if (tt->ipapi_context_defined) @@ -5377,7 +5671,7 @@ ipset2ascii_all (struct gc_arena *gc) void open_tun (const char *dev, const char *dev_type, const char *dev_node, struct tuntap *tt) { - open_tun_generic (dev, dev_type, dev_node, false, true, tt); + open_tun_generic (dev, dev_type, dev_node, true, tt); } void diff --git a/src/openvpn/tun.h b/src/openvpn/tun.h index 7089f7c..dedd915 100644 --- a/src/openvpn/tun.h +++ b/src/openvpn/tun.h @@ -25,7 +25,7 @@ #ifndef TUN_H #define TUN_H -#ifdef WIN32 +#ifdef _WIN32 #include <winioctl.h> #include <tap-windows.h> #endif @@ -38,7 +38,7 @@ #include "proto.h" #include "misc.h" -#ifdef WIN32 +#if defined(_WIN32) || defined(TARGET_ANDROID) #define TUN_ADAPTER_INDEX_INVALID ((DWORD)-1) @@ -58,6 +58,10 @@ struct tuntap_options { # define IPW32_SET_N 5 int ip_win32_type; +#ifdef _WIN32 + HANDLE msg_channel; +#endif + /* --ip-win32 dynamic options */ bool dhcp_masq_custom_offset; int dhcp_masq_offset; @@ -135,8 +139,6 @@ struct tuntap bool did_ifconfig_ipv6_setup; bool did_ifconfig; - bool ipv6; - bool persistent_if; /* if existed before, keep on program end */ struct tuntap_options options; /* options set on command line */ @@ -155,7 +157,7 @@ struct tuntap struct in6_addr remote_ipv6; int netbits_ipv6; -#ifdef WIN32 +#ifdef _WIN32 HANDLE hand; struct overlapped_io reads; struct overlapped_io writes; @@ -195,7 +197,7 @@ struct tuntap static inline bool tuntap_defined (const struct tuntap *tt) { -#ifdef WIN32 +#ifdef _WIN32 return tt && tt->hand != NULL; #else return tt && tt->fd >= 0; @@ -232,8 +234,8 @@ struct tuntap *init_tun (const char *dev, /* --dev option */ const char *ifconfig_ipv6_local_parm, /* --ifconfig parm 1 / IPv6 */ int ifconfig_ipv6_netbits_parm, /* --ifconfig parm 1 / bits */ const char *ifconfig_ipv6_remote_parm, /* --ifconfig parm 2 / IPv6 */ - in_addr_t local_public, - in_addr_t remote_public, + struct addrinfo *local_public, + struct addrinfo *remote_public, const bool strict_warn, struct env_set *es); @@ -296,14 +298,31 @@ ifconfig_order(void) return IFCONFIG_AFTER_TUN_OPEN; #elif defined(TARGET_NETBSD) return IFCONFIG_AFTER_TUN_OPEN; -#elif defined(WIN32) +#elif defined(_WIN32) + return IFCONFIG_AFTER_TUN_OPEN; +#elif defined(TARGET_ANDROID) return IFCONFIG_BEFORE_TUN_OPEN; #else return IFCONFIG_DEFAULT; #endif } -#ifdef WIN32 +#define ROUTE_BEFORE_TUN 0 +#define ROUTE_AFTER_TUN 1 +#define ROUTE_ORDER_DEFAULT ROUTE_AFTER_TUN + +static inline int +route_order(void) +{ +#if defined(TARGET_ANDROID) + return ROUTE_BEFORE_TUN; +#else + return ROUTE_ORDER_DEFAULT; +#endif +} + + +#ifdef _WIN32 #define TUN_PASS_BUFFER @@ -457,7 +476,7 @@ tun_standby (struct tuntap *tt) static inline event_t tun_event_handle (const struct tuntap *tt) { -#ifdef WIN32 +#ifdef _WIN32 return &tt->rw_handle; #else return tt->fd; @@ -480,7 +499,7 @@ tun_set (struct tuntap *tt, if (persistent) *persistent = rwflags; } -#ifdef WIN32 +#ifdef _WIN32 if (rwflags & EVENT_READ) tun_read_queue (tt, 0); #endif diff --git a/src/openvpn/win32.c b/src/openvpn/win32.c index e17cca1..00bc7ac 100644 --- a/src/openvpn/win32.c +++ b/src/openvpn/win32.c @@ -35,7 +35,7 @@ #include "syshead.h" -#ifdef WIN32 +#ifdef _WIN32 #include "buffer.h" #include "error.h" @@ -43,34 +43,20 @@ #include "sig.h" #include "win32.h" #include "misc.h" +#include "openvpn-msg.h" #include "memdbg.h" -#include "win32_wfp.h" - #ifdef HAVE_VERSIONHELPERS_H #include <versionhelpers.h> #else #include "compat-versionhelpers.h" #endif -/* WFP function pointers. Initialized in win_wfp_init_funcs() */ -func_ConvertInterfaceIndexToLuid ConvertInterfaceIndexToLuid = NULL; -func_FwpmEngineOpen0 FwpmEngineOpen0 = NULL; -func_FwpmEngineClose0 FwpmEngineClose0 = NULL; -func_FwpmFilterAdd0 FwpmFilterAdd0 = NULL; -func_FwpmSubLayerAdd0 FwpmSubLayerAdd0 = NULL; -func_FwpmSubLayerDeleteByKey0 FwpmSubLayerDeleteByKey0 = NULL; -func_FwpmFreeMemory0 FwpmFreeMemory0 = NULL; -func_FwpmGetAppIdFromFileName0 FwpmGetAppIdFromFileName0 = NULL; - -/* - * WFP firewall name. - */ -WCHAR * FIREWALL_NAME = L"OpenVPN"; /* GLOBAL */ +#include "block_dns.h" /* - * WFP handle and GUID. + * WFP handle */ static HANDLE m_hEngineHandle = NULL; /* GLOBAL */ @@ -119,7 +105,6 @@ init_win32 (void) } window_title_clear (&window_title); win32_signal_clear (&win32_signal); - netcmd_semaphore_init (); } void @@ -598,7 +583,7 @@ win32_signal_get (struct win32_signal *ws) if (ret) { siginfo_static.signal_received = ret; - siginfo_static.hard = true; + siginfo_static.source = SIG_SOURCE_HARD; } } return ret; @@ -765,6 +750,10 @@ void netcmd_semaphore_lock (void) { const int timeout_seconds = 600; + + if (!netcmd_semaphore.hand) + netcmd_semaphore_init (); + if (!semaphore_lock (&netcmd_semaphore, timeout_seconds * 1000)) msg (M_FATAL, "Cannot lock net command semaphore"); } @@ -773,6 +762,8 @@ void netcmd_semaphore_release (void) { semaphore_release (&netcmd_semaphore); + /* netcmd_semaphore has max count of 1 - safe to close after release */ + semaphore_close (&netcmd_semaphore); } /* @@ -1106,211 +1097,109 @@ win_get_tempdir() return tmpdir; } -bool -win_wfp_init_funcs () +static bool +win_block_dns_service (bool add, int index, const HANDLE pipe) { - /* Initialize all WFP-related function pointers */ - HMODULE iphlpapiHandle; - HMODULE fwpuclntHandle; - - iphlpapiHandle = LoadLibrary("iphlpapi.dll"); - if (iphlpapiHandle == NULL) - { - msg (M_NONFATAL, "Can't load iphlpapi.dll"); - return false; - } + DWORD len; + bool ret = false; + ack_message_t ack; + struct gc_arena gc = gc_new (); - fwpuclntHandle = LoadLibrary("fwpuclnt.dll"); - if (fwpuclntHandle == NULL) - { - msg (M_NONFATAL, "Can't load fwpuclnt.dll"); - return false; - } - - ConvertInterfaceIndexToLuid = (func_ConvertInterfaceIndexToLuid)GetProcAddress(iphlpapiHandle, "ConvertInterfaceIndexToLuid"); - FwpmFilterAdd0 = (func_FwpmFilterAdd0)GetProcAddress(fwpuclntHandle, "FwpmFilterAdd0"); - FwpmEngineOpen0 = (func_FwpmEngineOpen0)GetProcAddress(fwpuclntHandle, "FwpmEngineOpen0"); - FwpmEngineClose0 = (func_FwpmEngineClose0)GetProcAddress(fwpuclntHandle, "FwpmEngineClose0"); - FwpmSubLayerAdd0 = (func_FwpmSubLayerAdd0)GetProcAddress(fwpuclntHandle, "FwpmSubLayerAdd0"); - FwpmSubLayerDeleteByKey0 = (func_FwpmSubLayerDeleteByKey0)GetProcAddress(fwpuclntHandle, "FwpmSubLayerDeleteByKey0"); - FwpmFreeMemory0 = (func_FwpmFreeMemory0)GetProcAddress(fwpuclntHandle, "FwpmFreeMemory0"); - FwpmGetAppIdFromFileName0 = (func_FwpmGetAppIdFromFileName0)GetProcAddress(fwpuclntHandle, "FwpmGetAppIdFromFileName0"); - - if (!ConvertInterfaceIndexToLuid || - !FwpmFilterAdd0 || - !FwpmEngineOpen0 || - !FwpmEngineClose0 || - !FwpmSubLayerAdd0 || - !FwpmSubLayerDeleteByKey0 || - !FwpmFreeMemory0 || - !FwpmGetAppIdFromFileName0) - { - msg (M_NONFATAL, "Can't get address for all WFP-related procedures."); - return false; - } + block_dns_message_t data = { + .header = { + (add ? msg_add_block_dns : msg_del_block_dns), + sizeof (block_dns_message_t), + 0 }, + .iface = { .index = index, .name = "" } + }; - return true; -} + if (!WriteFile (pipe, &data, sizeof (data), &len, NULL) || + !ReadFile (pipe, &ack, sizeof (ack), &len, NULL)) + { + msg (M_WARN, "Block_DNS: could not talk to service: %s [%lu]", + strerror_win32 (GetLastError (), &gc), GetLastError ()); + goto out; + } -bool -win_wfp_add_filter (HANDLE engineHandle, - const FWPM_FILTER0 *filter, - PSECURITY_DESCRIPTOR sd, - UINT64 *id) -{ - if (FwpmFilterAdd0(engineHandle, filter, sd, id) != ERROR_SUCCESS) + if (ack.error_number != NO_ERROR) { - msg (M_NONFATAL, "Can't add WFP filter"); - return false; + msg (M_WARN, "Block_DNS: %s block dns filters using service failed: %s [status=0x%x if_index=%d]", + (add ? "adding" : "deleting"), strerror_win32 (ack.error_number, &gc), + ack.error_number, data.iface.index); + goto out; } - return true; + + ret = true; + msg (M_INFO, "%s outside dns using service succeeded.", (add ? "Blocking" : "Unblocking")); +out: + gc_free (&gc); + return ret; } -bool -win_wfp_block_dns (const NET_IFINDEX index) +static void +block_dns_msg_handler (DWORD err, const char *msg) { - FWPM_SESSION0 session = {0}; - FWPM_SUBLAYER0 SubLayer = {0}; - NET_LUID tapluid; - UINT64 filterid; - WCHAR openvpnpath[MAX_PATH]; - FWP_BYTE_BLOB *openvpnblob = NULL; - FWPM_FILTER0 Filter = {0}; - FWPM_FILTER_CONDITION0 Condition[2] = {0}; - - /* Add temporary filters which don't survive reboots or crashes. */ - session.flags = FWPM_SESSION_FLAG_DYNAMIC; - - dmsg (D_LOW, "Opening WFP engine"); + struct gc_arena gc = gc_new (); - if (FwpmEngineOpen0(NULL, RPC_C_AUTHN_WINNT, NULL, &session, &m_hEngineHandle) != ERROR_SUCCESS) + if (err == 0) { - msg (M_NONFATAL, "Can't open WFP engine"); - return false; + msg (M_INFO, "%s", msg); + } + else + { + msg (M_WARN, "Error in add_block_dns_filters(): %s : %s [status=0x%lx]", + msg, strerror_win32 (err, &gc), err); } - if (UuidCreate(&SubLayer.subLayerKey) != NO_ERROR) - return false; + gc_free (&gc); +} - /* Populate packet filter layer information. */ - SubLayer.displayData.name = FIREWALL_NAME; - SubLayer.displayData.description = FIREWALL_NAME; - SubLayer.flags = 0; - SubLayer.weight = 0x100; +bool +win_wfp_block_dns (const NET_IFINDEX index, const HANDLE msg_channel) +{ + WCHAR openvpnpath[MAX_PATH]; + bool ret = false; + DWORD status; - /* Add packet filter to our interface. */ - dmsg (D_LOW, "Adding WFP sublayer"); - if (FwpmSubLayerAdd0(m_hEngineHandle, &SubLayer, NULL) != ERROR_SUCCESS) + if (msg_channel) { - msg (M_NONFATAL, "Can't add WFP sublayer"); - return false; + dmsg (D_LOW, "Using service to add block dns filters"); + ret = win_block_dns_service (true, index, msg_channel); + goto out; } - dmsg (D_LOW, "Blocking DNS using WFP"); - if (ConvertInterfaceIndexToLuid(index, &tapluid) != NO_ERROR) + status = GetModuleFileNameW (NULL, openvpnpath, sizeof(openvpnpath)); + if (status == 0 || status == sizeof(openvpnpath)) { - msg (M_NONFATAL, "Can't convert interface index to LUID"); - return false; + msg (M_WARN|M_ERRNO, "block_dns: cannot get executable path"); + goto out; } - dmsg (D_LOW, "Tap Luid: %I64d", tapluid.Value); - - /* Get OpenVPN path. */ - GetModuleFileNameW(NULL, openvpnpath, MAX_PATH); - - if (FwpmGetAppIdFromFileName0(openvpnpath, &openvpnblob) != ERROR_SUCCESS) - return false; - - /* Prepare filter. */ - Filter.subLayerKey = SubLayer.subLayerKey; - Filter.displayData.name = FIREWALL_NAME; - Filter.weight.type = FWP_UINT8; - Filter.weight.uint8 = 0xF; - Filter.filterCondition = Condition; - Filter.numFilterConditions = 2; - - /* First filter. Permit IPv4 DNS queries from OpenVPN itself. */ - Filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V4; - Filter.action.type = FWP_ACTION_PERMIT; - - Condition[0].fieldKey = FWPM_CONDITION_IP_REMOTE_PORT; - Condition[0].matchType = FWP_MATCH_EQUAL; - Condition[0].conditionValue.type = FWP_UINT16; - Condition[0].conditionValue.uint16 = 53; - - Condition[1].fieldKey = FWPM_CONDITION_ALE_APP_ID; - Condition[1].matchType = FWP_MATCH_EQUAL; - Condition[1].conditionValue.type = FWP_BYTE_BLOB_TYPE; - Condition[1].conditionValue.byteBlob = openvpnblob; - - /* Add filter condition to our interface. */ - if (!win_wfp_add_filter(m_hEngineHandle, &Filter, NULL, &filterid)) - goto err; - dmsg (D_LOW, "Filter (Permit OpenVPN IPv4 DNS) added with ID=%I64d", filterid); - - /* Second filter. Permit IPv6 DNS queries from OpenVPN itself. */ - Filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V6; - - /* Add filter condition to our interface. */ - if (!win_wfp_add_filter(m_hEngineHandle, &Filter, NULL, &filterid)) - goto err; - dmsg (D_LOW, "Filter (Permit OpenVPN IPv6 DNS) added with ID=%I64d", filterid); - - /* Third filter. Block all IPv4 DNS queries. */ - Filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V4; - Filter.action.type = FWP_ACTION_BLOCK; - Filter.weight.type = FWP_EMPTY; - Filter.numFilterConditions = 1; - - if (!win_wfp_add_filter(m_hEngineHandle, &Filter, NULL, &filterid)) - goto err; - dmsg (D_LOW, "Filter (Block IPv4 DNS) added with ID=%I64d", filterid); - - /* Forth filter. Block all IPv6 DNS queries. */ - Filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V6; - - if (!win_wfp_add_filter(m_hEngineHandle, &Filter, NULL, &filterid)) - goto err; - dmsg (D_LOW, "Filter (Block IPv6 DNS) added with ID=%I64d", filterid); - - /* Fifth filter. Permit IPv4 DNS queries from TAP. */ - Filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V4; - Filter.action.type = FWP_ACTION_PERMIT; - Filter.numFilterConditions = 2; - - Condition[1].fieldKey = FWPM_CONDITION_IP_LOCAL_INTERFACE; - Condition[1].matchType = FWP_MATCH_EQUAL; - Condition[1].conditionValue.type = FWP_UINT64; - Condition[1].conditionValue.uint64 = &tapluid.Value; - - /* Add filter condition to our interface. */ - if (!win_wfp_add_filter(m_hEngineHandle, &Filter, NULL, &filterid)) - goto err; - dmsg (D_LOW, "Filter (Permit IPv4 DNS queries from TAP) added with ID=%I64d", filterid); - - /* Sixth filter. Permit IPv6 DNS queries from TAP. */ - Filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V6; - - /* Add filter condition to our interface. */ - if (!win_wfp_add_filter(m_hEngineHandle, &Filter, NULL, &filterid)) - goto err; - dmsg (D_LOW, "Filter (Permit IPv6 DNS queries from TAP) added with ID=%I64d", filterid); - - FwpmFreeMemory0((void **)&openvpnblob); - return true; - err: - FwpmFreeMemory0((void **)&openvpnblob); - return false; + status = add_block_dns_filters (&m_hEngineHandle, index, openvpnpath, + block_dns_msg_handler); + ret = (status == 0); + +out: + + return ret; } bool -win_wfp_uninit() +win_wfp_uninit(const HANDLE msg_channel) { dmsg (D_LOW, "Uninitializing WFP"); - if (m_hEngineHandle) { - FwpmEngineClose0(m_hEngineHandle); + + if (msg_channel) + { + msg (D_LOW, "Using service to delete block dns filters"); + win_block_dns_service (false, -1, msg_channel); + } + else + { + delete_block_dns_filters (m_hEngineHandle); m_hEngineHandle = NULL; - } + } + return true; } diff --git a/src/openvpn/win32.h b/src/openvpn/win32.h index 0990182..11e42f4 100644 --- a/src/openvpn/win32.h +++ b/src/openvpn/win32.h @@ -22,7 +22,7 @@ * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ -#ifdef WIN32 +#ifdef _WIN32 #ifndef OPENVPN_WIN32_H #define OPENVPN_WIN32_H @@ -271,9 +271,8 @@ const char *win_get_tempdir(); /* Convert a string from UTF-8 to UCS-2 */ WCHAR *wide_string (const char* utf8, struct gc_arena *gc); -bool win_wfp_init_funcs(); -bool win_wfp_block_dns(const NET_IFINDEX index); -bool win_wfp_uninit(); +bool win_wfp_block_dns(const NET_IFINDEX index, const HANDLE msg_channel); +bool win_wfp_uninit(const HANDLE msg_channel); #define WIN_XP 0 #define WIN_VISTA 1 diff --git a/src/openvpn/win32_wfp.h b/src/openvpn/win32_wfp.h deleted file mode 100644 index 7559e5b..0000000 --- a/src/openvpn/win32_wfp.h +++ /dev/null @@ -1,359 +0,0 @@ -/* - This Software is provided under the Zope Public License (ZPL) Version 2.1. - - Copyright (c) 2009, 2010 by the mingw-w64 project - - See the AUTHORS file for the list of contributors to the mingw-w64 project. - - This license has been certified as open source. It has also been designated - as GPL compatible by the Free Software Foundation (FSF). - - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: - - 1. Redistributions in source code must retain the accompanying copyright - notice, this list of conditions, and the following disclaimer. - 2. Redistributions in binary form must reproduce the accompanying - copyright notice, this list of conditions, and the following disclaimer - in the documentation and/or other materials provided with the - distribution. - 3. Names of the copyright holders must not be used to endorse or promote - products derived from this software without prior written permission - from the copyright holders. - 4. The right to distribute this software or to use it for any purpose does - not give you the right to use Servicemarks (sm) or Trademarks (tm) of - the copyright holders. Use of them is covered by separate agreement - with the copyright holders. - 5. If any files are modified, you must cause the modified files to carry - prominent notices stating that you changed the files and the date of - any change. - - Disclaimer - - THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS ``AS IS'' AND ANY EXPRESSED - OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO - EVENT SHALL THE COPYRIGHT HOLDERS BE LIABLE FOR ANY DIRECT, INDIRECT, - INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT - LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, - OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF - LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING - NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, - EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -*/ - -/* - * Windows Filtering Platform (WFP) related prototypes, mostly stripped out of - * mingw-w64. - */ - -/* - * WFP-related defines and GUIDs. - */ - -#ifndef WIN32_WFP_H -#define WIN32_WFP_H - -#include <initguid.h> -#include <iphlpapi.h> -#include <rpc.h> -#include <rpcdce.h> - -#ifndef FWPM_SESSION_FLAG_DYNAMIC -#define FWPM_SESSION_FLAG_DYNAMIC 0x00000001 -#endif - -// c38d57d1-05a7-4c33-904f-7fbceee60e82 -DEFINE_GUID( - FWPM_LAYER_ALE_AUTH_CONNECT_V4, - 0xc38d57d1, - 0x05a7, - 0x4c33, - 0x90, 0x4f, 0x7f, 0xbc, 0xee, 0xe6, 0x0e, 0x82 -); - -// 4a72393b-319f-44bc-84c3-ba54dcb3b6b4 -DEFINE_GUID( - FWPM_LAYER_ALE_AUTH_CONNECT_V6, - 0x4a72393b, - 0x319f, - 0x44bc, - 0x84, 0xc3, 0xba, 0x54, 0xdc, 0xb3, 0xb6, 0xb4 -); - -// d78e1e87-8644-4ea5-9437-d809ecefc971 -DEFINE_GUID( - FWPM_CONDITION_ALE_APP_ID, - 0xd78e1e87, - 0x8644, - 0x4ea5, - 0x94, 0x37, 0xd8, 0x09, 0xec, 0xef, 0xc9, 0x71 -); - -// c35a604d-d22b-4e1a-91b4-68f674ee674b -DEFINE_GUID( - FWPM_CONDITION_IP_REMOTE_PORT, - 0xc35a604d, - 0xd22b, - 0x4e1a, - 0x91, 0xb4, 0x68, 0xf6, 0x74, 0xee, 0x67, 0x4b -); - -// 4cd62a49-59c3-4969-b7f3-bda5d32890a4 -DEFINE_GUID( - FWPM_CONDITION_IP_LOCAL_INTERFACE, - 0x4cd62a49, - 0x59c3, - 0x4969, - 0xb7, 0xf3, 0xbd, 0xa5, 0xd3, 0x28, 0x90, 0xa4 -); - -/* From fwptypes.h */ - -#define FWP_ACTION_FLAG_TERMINATING (0x00001000) -#define FWP_ACTION_FLAG_NON_TERMINATING (0x00002000) - -#define FWP_ACTION_BLOCK (0x1 | FWP_ACTION_FLAG_TERMINATING) -#define FWP_ACTION_PERMIT (0x2 | FWP_ACTION_FLAG_TERMINATING) - -typedef UINT32 FWP_ACTION_TYPE; - -typedef enum FWP_DATA_TYPE_ { - FWP_EMPTY = 0, - FWP_UINT8 = 1, - FWP_UINT16 = 2, - FWP_UINT32 = 3, - FWP_UINT64 = 4, - FWP_INT8 = 5, - FWP_INT16 = 6, - FWP_INT32 = 7, - FWP_INT64 = 8, - FWP_FLOAT = 9, - FWP_DOUBLE = 10, - FWP_BYTE_ARRAY16_TYPE = 11, - FWP_BYTE_BLOB_TYPE = 12, - FWP_SID = 13, - FWP_SECURITY_DESCRIPTOR_TYPE = 14, - FWP_TOKEN_INFORMATION_TYPE = 15, - FWP_TOKEN_ACCESS_INFORMATION_TYPE = 16, - FWP_UNICODE_STRING_TYPE = 17, - FWP_BYTE_ARRAY6_TYPE = 18, - FWP_SINGLE_DATA_TYPE_MAX = 0xff, - FWP_V4_ADDR_MASK = 0x100, - FWP_V6_ADDR_MASK = 0x101, - FWP_RANGE_TYPE = 0x102, - FWP_DATA_TYPE_MAX = 0x103 -} FWP_DATA_TYPE; - -typedef enum FWP_MATCH_TYPE_ { - FWP_MATCH_EQUAL = 0, - FWP_MATCH_GREATER = 1, - FWP_MATCH_LESS = 2, - FWP_MATCH_GREATER_OR_EQUAL = 3, - FWP_MATCH_LESS_OR_EQUAL = 4, - FWP_MATCH_RANGE = 5, - FWP_MATCH_FLAGS_ALL_SET = 6, - FWP_MATCH_FLAGS_ANY_SET = 7, - FWP_MATCH_FLAGS_NONE_SET = 8, - FWP_MATCH_EQUAL_CASE_INSENSITIVE = 9, - FWP_MATCH_NOT_EQUAL = 10, - FWP_MATCH_TYPE_MAX = 11 -} FWP_MATCH_TYPE; - -typedef struct FWP_BYTE_ARRAY6_ { - UINT8 byteArray6[6]; -} FWP_BYTE_ARRAY6; - -typedef struct FWP_BYTE_ARRAY16_ { - UINT8 byteArray16[16]; -} FWP_BYTE_ARRAY16; - -typedef struct FWP_BYTE_BLOB_ { - UINT32 size; - UINT8 *data; -} FWP_BYTE_BLOB; - -typedef struct FWP_TOKEN_INFORMATION_ { - ULONG sidCount; - PSID_AND_ATTRIBUTES sids; - ULONG restrictedSidCount; - PSID_AND_ATTRIBUTES restrictedSids; -} FWP_TOKEN_INFORMATION; - -typedef struct FWP_VALUE0_ { - FWP_DATA_TYPE type; - union { - UINT8 uint8; - UINT16 uint16; - UINT32 uint32; - UINT64 *uint64; - INT8 int8; - INT16 int16; - INT32 int32; - INT64 *int64; - float float32; - double *double64; - FWP_BYTE_ARRAY16 *byteArray16; - FWP_BYTE_BLOB *byteBlob; - SID *sid; - FWP_BYTE_BLOB *sd; - FWP_TOKEN_INFORMATION *tokenInformation; - FWP_BYTE_BLOB *tokenAccessInformation; - LPWSTR unicodeString; - FWP_BYTE_ARRAY6 *byteArray6; - }; -} FWP_VALUE0; - -typedef struct FWP_V4_ADDR_AND_MASK_ { - UINT32 addr; - UINT32 mask; -} FWP_V4_ADDR_AND_MASK; - -typedef struct FWP_V6_ADDR_AND_MASK_ { - UINT8 addr[16]; - UINT8 prefixLength; -} FWP_V6_ADDR_AND_MASK; - -typedef struct FWP_RANGE0_ { - FWP_VALUE0 valueLow; - FWP_VALUE0 valueHigh; -} FWP_RANGE0; - -typedef struct FWP_CONDITION_VALUE0_ { - FWP_DATA_TYPE type; - union { - UINT8 uint8; - UINT16 uint16; - UINT32 uint32; - UINT64 *uint64; - INT8 int8; - INT16 int16; - INT32 int32; - INT64 *int64; - float float32; - double *double64; - FWP_BYTE_ARRAY16 *byteArray16; - FWP_BYTE_BLOB *byteBlob; - SID *sid; - FWP_BYTE_BLOB *sd; - FWP_TOKEN_INFORMATION *tokenInformation; - FWP_BYTE_BLOB *tokenAccessInformation; - LPWSTR unicodeString; - FWP_BYTE_ARRAY6 *byteArray6; - FWP_V4_ADDR_AND_MASK *v4AddrMask; - FWP_V6_ADDR_AND_MASK *v6AddrMask; - FWP_RANGE0 *rangeValue; - }; -} FWP_CONDITION_VALUE0; - -typedef struct FWPM_DISPLAY_DATA0_ { - wchar_t *name; - wchar_t *description; -} FWPM_DISPLAY_DATA0; - -/* From fwpmtypes.h */ - -typedef struct FWPM_ACTION0_ { - FWP_ACTION_TYPE type; - union { - GUID filterType; - GUID calloutKey; - }; -} FWPM_ACTION0; - -typedef struct FWPM_SESSION0_ { - GUID sessionKey; - FWPM_DISPLAY_DATA0 displayData; - UINT32 flags; - UINT32 txnWaitTimeoutInMSec; - DWORD processId; - SID *sid; - wchar_t *username; - BOOL kernelMode; -} FWPM_SESSION0; - -typedef struct FWPM_SUBLAYER0_ { - GUID subLayerKey; - FWPM_DISPLAY_DATA0 displayData; - UINT16 flags; - GUID *providerKey; - FWP_BYTE_BLOB providerData; - UINT16 weight; -} FWPM_SUBLAYER0; - -typedef struct FWPM_FILTER_CONDITION0_ { - GUID fieldKey; - FWP_MATCH_TYPE matchType; - FWP_CONDITION_VALUE0 conditionValue; -} FWPM_FILTER_CONDITION0; - -typedef struct FWPM_FILTER0_ { - GUID filterKey; - FWPM_DISPLAY_DATA0 displayData; - UINT32 flags; - GUID *providerKey; - FWP_BYTE_BLOB providerData; - GUID layerKey; - GUID subLayerKey; - FWP_VALUE0 weight; - UINT32 numFilterConditions; - FWPM_FILTER_CONDITION0 *filterCondition; - FWPM_ACTION0 action; - union { - UINT64 rawContext; - GUID providerContextKey; - }; - GUID *reserved; - UINT64 filterId; - FWP_VALUE0 effectiveWeight; -} FWPM_FILTER0; - -/* Typedefs of WFP functions */ - -#define NETIO_STATUS DWORD - -typedef NETIO_STATUS *(WINAPI *func_ConvertInterfaceIndexToLuid)( - NET_IFINDEX InterfaceIndex, - PNET_LUID InterfaceLuid -); - -typedef DWORD *(WINAPI *func_FwpmEngineOpen0)( - const wchar_t *serverName, - UINT32 authnService, - SEC_WINNT_AUTH_IDENTITY_W *authIdentity, - const FWPM_SESSION0 *session, - HANDLE *engineHandle -); - -typedef DWORD *(WINAPI *func_FwpmEngineClose0)( - HANDLE engineHandle -); - -typedef DWORD *(WINAPI *func_FwpmFilterAdd0)( - HANDLE engineHandle, - const FWPM_FILTER0 *filter, - PSECURITY_DESCRIPTOR sd, - UINT64 *id -); - -typedef DWORD *(WINAPI *func_FwpmSubLayerAdd0)( - HANDLE engineHandle, - const FWPM_SUBLAYER0 *subLayer, - PSECURITY_DESCRIPTOR sd -); - -typedef DWORD *(WINAPI *func_FwpmSubLayerDeleteByKey0)( - HANDLE engineHandle, - const GUID *key -); - -typedef void *(WINAPI *func_FwpmFreeMemory0)( - void **p -); - -typedef DWORD *(WINAPI *func_FwpmGetAppIdFromFileName0)( - const wchar_t *fileName, - FWP_BYTE_BLOB **appId -); - -#endif |