mirror of
https://github.com/OpenVPN/openvpn.git
synced 2024-09-20 03:52:28 +02:00
576dc96ca1
Hopefully the last SVN merge we need to do, as these merges are getting more and more difficult. Most of the files had minor changes, but due to the CRLF unification patch (commit6b2883a637
) we got an increased number of conflicts. In addition inclusion of IPv6 support makes the creates a lot of merge issues in route.c and socket.c This merge also reverts commit7c18c63539
which merged add_bypass_address() into add_host_route_if_nonlocal(). However the SVN tree began to use add_bypass_address() another place, where at first glance it did not be appropriate to use add_host_route_if_nonlocal(). This merge has gone through a 'make check' without any errors, but have not been tested more thoroughly yet. Conflicts: ChangeLog INSTALL INSTALL-win32.txt Makefile.am acinclude.m4 base64.c buffer.c buffer.h common.h configure.ac contrib/pull-resolv-conf/client.down contrib/pull-resolv-conf/client.up crypto.c cryptoapi.c easy-rsa/2.0/Makefile easy-rsa/2.0/README easy-rsa/2.0/build-ca easy-rsa/2.0/build-dh easy-rsa/2.0/build-inter easy-rsa/2.0/build-key easy-rsa/2.0/build-key-pass easy-rsa/2.0/build-key-pkcs12 easy-rsa/2.0/build-key-server easy-rsa/2.0/build-req easy-rsa/2.0/build-req-pass easy-rsa/2.0/clean-all easy-rsa/2.0/inherit-inter easy-rsa/2.0/list-crl easy-rsa/2.0/pkitool easy-rsa/2.0/revoke-full easy-rsa/2.0/sign-req easy-rsa/2.0/vars easy-rsa/2.0/whichopensslcnf easy-rsa/Windows/build-ca-pass.bat easy-rsa/Windows/build-key-pass.bat easy-rsa/Windows/build-key-server-pass.bat easy-rsa/Windows/init-config.bat easy-rsa/Windows/vars.bat.sample error.c error.h forward.c helper.c httpdigest.c httpdigest.h ieproxy.c init.c init.h install-win32/Makefile.am install-win32/makeopenvpn install-win32/openssl/openssl097.patch install-win32/openssl/openssl098.patch install-win32/openvpn.nsi list.c list.h manage.c manage.h management/management-notes.txt mbuf.c mbuf.h misc.c misc.h mroute.c mroute.h msvc/autodefs.h.in msvc/config.py msvc/msvc.mak mtcp.c mudp.c multi.c multi.h occ.c openvpn-plugin.h openvpn.8 openvpn.h options.c options.h otime.c otime.h perf.c pf.c ping.c pkcs11.c plugin.c plugin.h plugin/auth-pam/README plugin/auth-pam/auth-pam.c pool.c pool.h proto.h proxy.c ps.c push.c reliable.c route.c route.h sample-config-files/firewall.sh sample-scripts/bridge-start sample-scripts/bridge-stop sample-scripts/openvpn.init sample-scripts/verify-cn schedule.c schedule.h service-win32/openvpnserv.c sig.c socket.c socket.h socks.c socks.h ssl.c ssl.h status.c syshead.h tap-win32/SOURCES.in tap-win32/common.h tap-win32/proto.h tap-win32/tapdrvr.c tap-win32/types.h tun.c tun.h version.m4 win/autodefs.h.in win/build.py win/build_all.py win/build_ddk.py win/build_exe.py win/config.py win/config_all.py win/config_tap.py win/config_ti.py win/js.py win/make_dist.py win/msvc.mak.in win/settings.in win/show.py win/sign.py win/tap_span.py win/wb.py win32.c win32.h Signed-off-by: David Sommerseth <davids@redhat.com> Reviewed-by: Gert Doering <gert@greenie.muc.de> Reviewed-by: James Yonan <james@openvpn.net> Reviewed-by: Adriaan de Jong <dejong@fox-it.com>
1537 lines
38 KiB
C
1537 lines
38 KiB
C
/*
|
|
* OpenVPN -- An application to securely tunnel IP networks
|
|
* over a single TCP/UDP port, with support for SSL/TLS-based
|
|
* session authentication and key exchange,
|
|
* packet encryption, packet authentication, and
|
|
* packet compression.
|
|
*
|
|
* Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
|
|
*
|
|
* This program is free software; you can redistribute it and/or modify
|
|
* it under the terms of the GNU General Public License version 2
|
|
* as published by the Free Software Foundation.
|
|
*
|
|
* This program is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
* GNU General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU General Public License
|
|
* along with this program (see the file COPYING included with this
|
|
* distribution); if not, write to the Free Software Foundation, Inc.,
|
|
* 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
|
|
*/
|
|
|
|
#include "syshead.h"
|
|
|
|
#include "forward.h"
|
|
#include "init.h"
|
|
#include "push.h"
|
|
#include "gremlin.h"
|
|
#include "mss.h"
|
|
#include "event.h"
|
|
#include "ps.h"
|
|
#include "dhcp.h"
|
|
#include "common.h"
|
|
|
|
#include "memdbg.h"
|
|
|
|
#include "forward-inline.h"
|
|
#include "occ-inline.h"
|
|
#include "ping-inline.h"
|
|
|
|
counter_type link_read_bytes_global; /* GLOBAL */
|
|
counter_type link_write_bytes_global; /* GLOBAL */
|
|
|
|
/* show event wait debugging info */
|
|
|
|
#ifdef ENABLE_DEBUG
|
|
|
|
const char *
|
|
wait_status_string (struct context *c, struct gc_arena *gc)
|
|
{
|
|
struct buffer out = alloc_buf_gc (64, gc);
|
|
buf_printf (&out, "I/O WAIT %s|%s|%s|%s %s",
|
|
tun_stat (c->c1.tuntap, EVENT_READ, gc),
|
|
tun_stat (c->c1.tuntap, EVENT_WRITE, gc),
|
|
socket_stat (c->c2.link_socket, EVENT_READ, gc),
|
|
socket_stat (c->c2.link_socket, EVENT_WRITE, gc),
|
|
tv_string (&c->c2.timeval, gc));
|
|
return BSTR (&out);
|
|
}
|
|
|
|
void
|
|
show_wait_status (struct context *c)
|
|
{
|
|
struct gc_arena gc = gc_new ();
|
|
dmsg (D_EVENT_WAIT, "%s", wait_status_string (c, &gc));
|
|
gc_free (&gc);
|
|
}
|
|
|
|
#endif
|
|
|
|
/*
|
|
* In TLS mode, let TLS level respond to any control-channel
|
|
* packets which were received, or prepare any packets for
|
|
* transmission.
|
|
*
|
|
* tmp_int is purely an optimization that allows us to call
|
|
* tls_multi_process less frequently when there's not much
|
|
* traffic on the control-channel.
|
|
*
|
|
*/
|
|
#if defined(USE_CRYPTO) && defined(USE_SSL)
|
|
void
|
|
check_tls_dowork (struct context *c)
|
|
{
|
|
interval_t wakeup = BIG_TIMEOUT;
|
|
|
|
if (interval_test (&c->c2.tmp_int))
|
|
{
|
|
const int tmp_status = tls_multi_process
|
|
(c->c2.tls_multi, &c->c2.to_link, &c->c2.to_link_addr,
|
|
get_link_socket_info (c), &wakeup);
|
|
if (tmp_status == TLSMP_ACTIVE)
|
|
{
|
|
update_time ();
|
|
interval_action (&c->c2.tmp_int);
|
|
}
|
|
else if (tmp_status == TLSMP_KILL)
|
|
{
|
|
register_signal (c, SIGTERM, "auth-control-exit");
|
|
}
|
|
|
|
interval_future_trigger (&c->c2.tmp_int, wakeup);
|
|
}
|
|
|
|
interval_schedule_wakeup (&c->c2.tmp_int, &wakeup);
|
|
|
|
if (wakeup)
|
|
context_reschedule_sec (c, wakeup);
|
|
}
|
|
#endif
|
|
|
|
#if defined(USE_CRYPTO) && defined(USE_SSL)
|
|
|
|
void
|
|
check_tls_errors_co (struct context *c)
|
|
{
|
|
msg (D_STREAM_ERRORS, "Fatal TLS error (check_tls_errors_co), restarting");
|
|
register_signal (c, c->c2.tls_exit_signal, "tls-error"); /* SOFT-SIGUSR1 -- TLS error */
|
|
}
|
|
|
|
void
|
|
check_tls_errors_nco (struct context *c)
|
|
{
|
|
register_signal (c, c->c2.tls_exit_signal, "tls-error"); /* SOFT-SIGUSR1 -- TLS error */
|
|
}
|
|
|
|
#endif
|
|
|
|
#if P2MP
|
|
|
|
/*
|
|
* Handle incoming configuration
|
|
* messages on the control channel.
|
|
*/
|
|
void
|
|
check_incoming_control_channel_dowork (struct context *c)
|
|
{
|
|
const int len = tls_test_payload_len (c->c2.tls_multi);
|
|
if (len)
|
|
{
|
|
struct gc_arena gc = gc_new ();
|
|
struct buffer buf = alloc_buf_gc (len, &gc);
|
|
if (tls_rec_payload (c->c2.tls_multi, &buf))
|
|
{
|
|
/* force null termination of message */
|
|
buf_null_terminate (&buf);
|
|
|
|
/* enforce character class restrictions */
|
|
string_mod (BSTR (&buf), CC_PRINT, CC_CRLF, 0);
|
|
|
|
if (buf_string_match_head_str (&buf, "AUTH_FAILED"))
|
|
receive_auth_failed (c, &buf);
|
|
else if (buf_string_match_head_str (&buf, "PUSH_"))
|
|
incoming_push_message (c, &buf);
|
|
else if (buf_string_match_head_str (&buf, "RESTART"))
|
|
server_pushed_signal (c, &buf, true, 7);
|
|
else if (buf_string_match_head_str (&buf, "HALT"))
|
|
server_pushed_signal (c, &buf, false, 4);
|
|
else
|
|
msg (D_PUSH_ERRORS, "WARNING: Received unknown control message: %s", BSTR (&buf));
|
|
}
|
|
else
|
|
{
|
|
msg (D_PUSH_ERRORS, "WARNING: Receive control message failed");
|
|
}
|
|
|
|
gc_free (&gc);
|
|
}
|
|
}
|
|
|
|
/*
|
|
* Periodically resend PUSH_REQUEST until PUSH message received
|
|
*/
|
|
void
|
|
check_push_request_dowork (struct context *c)
|
|
{
|
|
send_push_request (c);
|
|
|
|
/* if no response to first push_request, retry at PUSH_REQUEST_INTERVAL second intervals */
|
|
event_timeout_modify_wakeup (&c->c2.push_request_interval, PUSH_REQUEST_INTERVAL);
|
|
}
|
|
|
|
#endif /* P2MP */
|
|
|
|
/*
|
|
* Things that need to happen immediately after connection initiation should go here.
|
|
*/
|
|
void
|
|
check_connection_established_dowork (struct context *c)
|
|
{
|
|
if (event_timeout_trigger (&c->c2.wait_for_connect, &c->c2.timeval, ETT_DEFAULT))
|
|
{
|
|
if (CONNECTION_ESTABLISHED (c))
|
|
{
|
|
#if P2MP
|
|
/* if --pull was specified, send a push request to server */
|
|
if (c->c2.tls_multi && c->options.pull)
|
|
{
|
|
#ifdef ENABLE_MANAGEMENT
|
|
if (management)
|
|
{
|
|
management_set_state (management,
|
|
OPENVPN_STATE_GET_CONFIG,
|
|
NULL,
|
|
0,
|
|
0);
|
|
}
|
|
#endif
|
|
/* send push request in 1 sec */
|
|
event_timeout_init (&c->c2.push_request_interval, 1, now);
|
|
reset_coarse_timers (c);
|
|
}
|
|
else
|
|
#endif
|
|
{
|
|
do_up (c, false, 0);
|
|
}
|
|
|
|
event_timeout_clear (&c->c2.wait_for_connect);
|
|
}
|
|
}
|
|
}
|
|
|
|
/*
|
|
* Send a string to remote over the TLS control channel.
|
|
* Used for push/pull messages, passing username/password,
|
|
* etc.
|
|
*/
|
|
bool
|
|
send_control_channel_string (struct context *c, const char *str, int msglevel)
|
|
{
|
|
#if defined(USE_CRYPTO) && defined(USE_SSL)
|
|
if (c->c2.tls_multi) {
|
|
struct gc_arena gc = gc_new ();
|
|
bool stat;
|
|
|
|
/* buffered cleartext write onto TLS control channel */
|
|
stat = tls_send_payload (c->c2.tls_multi, (uint8_t*) str, strlen (str) + 1);
|
|
|
|
/*
|
|
* Reschedule tls_multi_process.
|
|
* NOTE: in multi-client mode, usually the below two statements are
|
|
* insufficient to reschedule the client instance object unless
|
|
* multi_schedule_context_wakeup(m, mi) is also called.
|
|
*/
|
|
interval_action (&c->c2.tmp_int);
|
|
context_immediate_reschedule (c); /* ZERO-TIMEOUT */
|
|
|
|
msg (msglevel, "SENT CONTROL [%s]: '%s' (status=%d)",
|
|
tls_common_name (c->c2.tls_multi, false),
|
|
sanitize_control_message (str, &gc),
|
|
(int) stat);
|
|
|
|
gc_free (&gc);
|
|
return stat;
|
|
}
|
|
#endif
|
|
return true;
|
|
}
|
|
|
|
/*
|
|
* Add routes.
|
|
*/
|
|
|
|
static void
|
|
check_add_routes_action (struct context *c, const bool errors)
|
|
{
|
|
do_route (&c->options, c->c1.route_list, c->c1.route_ipv6_list,
|
|
c->c1.tuntap, c->plugins, c->c2.es);
|
|
update_time ();
|
|
event_timeout_clear (&c->c2.route_wakeup);
|
|
event_timeout_clear (&c->c2.route_wakeup_expire);
|
|
initialization_sequence_completed (c, errors ? ISC_ERRORS : 0); /* client/p2p --route-delay was defined */
|
|
}
|
|
|
|
void
|
|
check_add_routes_dowork (struct context *c)
|
|
{
|
|
if (test_routes (c->c1.route_list, c->c1.tuntap))
|
|
{
|
|
check_add_routes_action (c, false);
|
|
}
|
|
else if (event_timeout_trigger (&c->c2.route_wakeup_expire, &c->c2.timeval, ETT_DEFAULT))
|
|
{
|
|
check_add_routes_action (c, true);
|
|
}
|
|
else
|
|
{
|
|
msg (D_ROUTE, "Route: Waiting for TUN/TAP interface to come up...");
|
|
if (c->c1.tuntap)
|
|
{
|
|
if (!tun_standby (c->c1.tuntap))
|
|
{
|
|
register_signal (c, SIGHUP, "ip-fail");
|
|
c->persist.restart_sleep_seconds = 10;
|
|
#ifdef WIN32
|
|
show_routes (M_INFO|M_NOPREFIX);
|
|
show_adapters (M_INFO|M_NOPREFIX);
|
|
#endif
|
|
}
|
|
}
|
|
update_time ();
|
|
if (c->c2.route_wakeup.n != 1)
|
|
event_timeout_init (&c->c2.route_wakeup, 1, now);
|
|
event_timeout_reset (&c->c2.ping_rec_interval);
|
|
}
|
|
}
|
|
|
|
/*
|
|
* Should we exit due to inactivity timeout?
|
|
*/
|
|
void
|
|
check_inactivity_timeout_dowork (struct context *c)
|
|
{
|
|
msg (M_INFO, "Inactivity timeout (--inactive), exiting");
|
|
register_signal (c, SIGTERM, "inactive");
|
|
}
|
|
|
|
#if P2MP
|
|
|
|
void
|
|
check_server_poll_timeout_dowork (struct context *c)
|
|
{
|
|
event_timeout_reset (&c->c2.server_poll_interval);
|
|
if (!tls_initial_packet_received (c->c2.tls_multi))
|
|
{
|
|
msg (M_INFO, "Server poll timeout, restarting");
|
|
register_signal (c, SIGUSR1, "server_poll");
|
|
c->persist.restart_sleep_seconds = -1;
|
|
}
|
|
}
|
|
|
|
/*
|
|
* Schedule a signal n_seconds from now.
|
|
*/
|
|
void
|
|
schedule_exit (struct context *c, const int n_seconds, const int signal)
|
|
{
|
|
tls_set_single_session (c->c2.tls_multi);
|
|
update_time ();
|
|
reset_coarse_timers (c);
|
|
event_timeout_init (&c->c2.scheduled_exit, n_seconds, now);
|
|
c->c2.scheduled_exit_signal = signal;
|
|
msg (D_SCHED_EXIT, "Delayed exit in %d seconds", n_seconds);
|
|
}
|
|
|
|
/*
|
|
* Scheduled exit?
|
|
*/
|
|
void
|
|
check_scheduled_exit_dowork (struct context *c)
|
|
{
|
|
register_signal (c, c->c2.scheduled_exit_signal, "delayed-exit");
|
|
}
|
|
|
|
#endif
|
|
|
|
/*
|
|
* Should we write timer-triggered status file.
|
|
*/
|
|
void
|
|
check_status_file_dowork (struct context *c)
|
|
{
|
|
if (c->c1.status_output)
|
|
print_status (c, c->c1.status_output);
|
|
}
|
|
|
|
#ifdef ENABLE_FRAGMENT
|
|
/*
|
|
* Should we deliver a datagram fragment to remote?
|
|
*/
|
|
void
|
|
check_fragment_dowork (struct context *c)
|
|
{
|
|
struct link_socket_info *lsi = get_link_socket_info (c);
|
|
|
|
/* OS MTU Hint? */
|
|
if (lsi->mtu_changed && c->c2.ipv4_tun)
|
|
{
|
|
frame_adjust_path_mtu (&c->c2.frame_fragment, c->c2.link_socket->mtu,
|
|
c->options.ce.proto);
|
|
lsi->mtu_changed = false;
|
|
}
|
|
|
|
if (fragment_outgoing_defined (c->c2.fragment))
|
|
{
|
|
if (!c->c2.to_link.len)
|
|
{
|
|
/* encrypt a fragment for output to TCP/UDP port */
|
|
ASSERT (fragment_ready_to_send (c->c2.fragment, &c->c2.buf, &c->c2.frame_fragment));
|
|
encrypt_sign (c, false);
|
|
}
|
|
}
|
|
|
|
fragment_housekeeping (c->c2.fragment, &c->c2.frame_fragment, &c->c2.timeval);
|
|
}
|
|
#endif
|
|
|
|
/*
|
|
* Buffer reallocation, for use with null encryption.
|
|
*/
|
|
static inline void
|
|
buffer_turnover (const uint8_t *orig_buf, struct buffer *dest_stub, struct buffer *src_stub, struct buffer *storage)
|
|
{
|
|
if (orig_buf == src_stub->data && src_stub->data != storage->data)
|
|
{
|
|
buf_assign (storage, src_stub);
|
|
*dest_stub = *storage;
|
|
}
|
|
else
|
|
{
|
|
*dest_stub = *src_stub;
|
|
}
|
|
}
|
|
|
|
/*
|
|
* Compress, fragment, encrypt and HMAC-sign an outgoing packet.
|
|
* Input: c->c2.buf
|
|
* Output: c->c2.to_link
|
|
*/
|
|
void
|
|
encrypt_sign (struct context *c, bool comp_frag)
|
|
{
|
|
struct context_buffers *b = c->c2.buffers;
|
|
const uint8_t *orig_buf = c->c2.buf.data;
|
|
|
|
#if P2MP_SERVER
|
|
/*
|
|
* Drop non-TLS outgoing packet if client-connect script/plugin
|
|
* has not yet succeeded.
|
|
*/
|
|
if (c->c2.context_auth != CAS_SUCCEEDED)
|
|
c->c2.buf.len = 0;
|
|
#endif
|
|
|
|
if (comp_frag)
|
|
{
|
|
#ifdef USE_LZO
|
|
/* Compress the packet. */
|
|
if (lzo_defined (&c->c2.lzo_compwork))
|
|
lzo_compress (&c->c2.buf, b->lzo_compress_buf, &c->c2.lzo_compwork, &c->c2.frame);
|
|
#endif
|
|
#ifdef ENABLE_FRAGMENT
|
|
if (c->c2.fragment)
|
|
fragment_outgoing (c->c2.fragment, &c->c2.buf, &c->c2.frame_fragment);
|
|
#endif
|
|
}
|
|
|
|
#ifdef USE_CRYPTO
|
|
#ifdef USE_SSL
|
|
/*
|
|
* If TLS mode, get the key we will use to encrypt
|
|
* the packet.
|
|
*/
|
|
if (c->c2.tls_multi)
|
|
{
|
|
tls_pre_encrypt (c->c2.tls_multi, &c->c2.buf, &c->c2.crypto_options);
|
|
}
|
|
#endif
|
|
|
|
/*
|
|
* Encrypt the packet and write an optional
|
|
* HMAC signature.
|
|
*/
|
|
openvpn_encrypt (&c->c2.buf, b->encrypt_buf, &c->c2.crypto_options, &c->c2.frame);
|
|
#endif
|
|
/*
|
|
* Get the address we will be sending the packet to.
|
|
*/
|
|
link_socket_get_outgoing_addr (&c->c2.buf, get_link_socket_info (c),
|
|
&c->c2.to_link_addr);
|
|
#ifdef USE_CRYPTO
|
|
#ifdef USE_SSL
|
|
/*
|
|
* In TLS mode, prepend the appropriate one-byte opcode
|
|
* to the packet which identifies it as a data channel
|
|
* packet and gives the low-permutation version of
|
|
* the key-id to the recipient so it knows which
|
|
* decrypt key to use.
|
|
*/
|
|
if (c->c2.tls_multi)
|
|
{
|
|
tls_post_encrypt (c->c2.tls_multi, &c->c2.buf);
|
|
}
|
|
#endif
|
|
#endif
|
|
|
|
/* if null encryption, copy result to read_tun_buf */
|
|
buffer_turnover (orig_buf, &c->c2.to_link, &c->c2.buf, &b->read_tun_buf);
|
|
}
|
|
|
|
/*
|
|
* Coarse timers work to 1 second resolution.
|
|
*/
|
|
static void
|
|
process_coarse_timers (struct context *c)
|
|
{
|
|
#ifdef USE_CRYPTO
|
|
/* flush current packet-id to file once per 60
|
|
seconds if --replay-persist was specified */
|
|
check_packet_id_persist_flush (c);
|
|
#endif
|
|
|
|
/* should we update status file? */
|
|
check_status_file (c);
|
|
|
|
/* process connection establishment items */
|
|
check_connection_established (c);
|
|
|
|
#if P2MP
|
|
/* see if we should send a push_request in response to --pull */
|
|
check_push_request (c);
|
|
#endif
|
|
|
|
#ifdef PLUGIN_PF
|
|
pf_check_reload (c);
|
|
#endif
|
|
|
|
/* process --route options */
|
|
check_add_routes (c);
|
|
|
|
/* possibly exit due to --inactive */
|
|
check_inactivity_timeout (c);
|
|
if (c->sig->signal_received)
|
|
return;
|
|
|
|
/* restart if ping not received */
|
|
check_ping_restart (c);
|
|
if (c->sig->signal_received)
|
|
return;
|
|
|
|
#if P2MP
|
|
check_server_poll_timeout (c);
|
|
if (c->sig->signal_received)
|
|
return;
|
|
|
|
check_scheduled_exit (c);
|
|
if (c->sig->signal_received)
|
|
return;
|
|
#endif
|
|
|
|
#ifdef ENABLE_OCC
|
|
/* Should we send an OCC_REQUEST message? */
|
|
check_send_occ_req (c);
|
|
|
|
/* Should we send an MTU load test? */
|
|
check_send_occ_load_test (c);
|
|
|
|
/* Should we send an OCC_EXIT message to remote? */
|
|
if (c->c2.explicit_exit_notification_time_wait)
|
|
process_explicit_exit_notification_timer_wakeup (c);
|
|
#endif
|
|
|
|
/* Should we ping the remote? */
|
|
check_ping_send (c);
|
|
}
|
|
|
|
static void
|
|
check_coarse_timers_dowork (struct context *c)
|
|
{
|
|
const struct timeval save = c->c2.timeval;
|
|
c->c2.timeval.tv_sec = BIG_TIMEOUT;
|
|
c->c2.timeval.tv_usec = 0;
|
|
process_coarse_timers (c);
|
|
c->c2.coarse_timer_wakeup = now + c->c2.timeval.tv_sec;
|
|
|
|
dmsg (D_INTERVAL, "TIMER: coarse timer wakeup %d seconds", (int) c->c2.timeval.tv_sec);
|
|
|
|
/* Is the coarse timeout NOT the earliest one? */
|
|
if (c->c2.timeval.tv_sec > save.tv_sec)
|
|
c->c2.timeval = save;
|
|
}
|
|
|
|
static inline void
|
|
check_coarse_timers (struct context *c)
|
|
{
|
|
const time_t local_now = now;
|
|
if (local_now >= c->c2.coarse_timer_wakeup)
|
|
check_coarse_timers_dowork (c);
|
|
else
|
|
context_reschedule_sec (c, c->c2.coarse_timer_wakeup - local_now);
|
|
}
|
|
|
|
static void
|
|
check_timeout_random_component_dowork (struct context *c)
|
|
{
|
|
const int update_interval = 10; /* seconds */
|
|
c->c2.update_timeout_random_component = now + update_interval;
|
|
c->c2.timeout_random_component.tv_usec = (time_t) get_random () & 0x0003FFFF;
|
|
c->c2.timeout_random_component.tv_sec = 0;
|
|
|
|
dmsg (D_INTERVAL, "RANDOM USEC=%d", (int) c->c2.timeout_random_component.tv_usec);
|
|
}
|
|
|
|
static inline void
|
|
check_timeout_random_component (struct context *c)
|
|
{
|
|
if (now >= c->c2.update_timeout_random_component)
|
|
check_timeout_random_component_dowork (c);
|
|
if (c->c2.timeval.tv_sec >= 1)
|
|
tv_add (&c->c2.timeval, &c->c2.timeout_random_component);
|
|
}
|
|
|
|
#ifdef ENABLE_SOCKS
|
|
|
|
/*
|
|
* Handle addition and removal of the 10-byte Socks5 header
|
|
* in UDP packets.
|
|
*/
|
|
|
|
static inline void
|
|
socks_postprocess_incoming_link (struct context *c)
|
|
{
|
|
if (c->c2.link_socket->socks_proxy && c->c2.link_socket->info.proto == PROTO_UDPv4)
|
|
socks_process_incoming_udp (&c->c2.buf, &c->c2.from);
|
|
}
|
|
|
|
static inline void
|
|
socks_preprocess_outgoing_link (struct context *c,
|
|
struct link_socket_actual **to_addr,
|
|
int *size_delta)
|
|
{
|
|
if (c->c2.link_socket->socks_proxy && c->c2.link_socket->info.proto == PROTO_UDPv4)
|
|
{
|
|
*size_delta += socks_process_outgoing_udp (&c->c2.to_link, c->c2.to_link_addr);
|
|
*to_addr = &c->c2.link_socket->socks_relay;
|
|
}
|
|
}
|
|
|
|
/* undo effect of socks_preprocess_outgoing_link */
|
|
static inline void
|
|
link_socket_write_post_size_adjust (int *size,
|
|
int size_delta,
|
|
struct buffer *buf)
|
|
{
|
|
if (size_delta > 0 && *size > size_delta)
|
|
{
|
|
*size -= size_delta;
|
|
if (!buf_advance (buf, size_delta))
|
|
*size = 0;
|
|
}
|
|
}
|
|
#endif
|
|
|
|
/*
|
|
* Output: c->c2.buf
|
|
*/
|
|
|
|
void
|
|
read_incoming_link (struct context *c)
|
|
{
|
|
/*
|
|
* Set up for recvfrom call to read datagram
|
|
* sent to our TCP/UDP port.
|
|
*/
|
|
int status;
|
|
|
|
/*ASSERT (!c->c2.to_tun.len);*/
|
|
|
|
perf_push (PERF_READ_IN_LINK);
|
|
|
|
c->c2.buf = c->c2.buffers->read_link_buf;
|
|
ASSERT (buf_init (&c->c2.buf, FRAME_HEADROOM_ADJ (&c->c2.frame, FRAME_HEADROOM_MARKER_READ_LINK)));
|
|
|
|
status = link_socket_read (c->c2.link_socket,
|
|
&c->c2.buf,
|
|
MAX_RW_SIZE_LINK (&c->c2.frame),
|
|
&c->c2.from);
|
|
|
|
if (socket_connection_reset (c->c2.link_socket, status))
|
|
{
|
|
#if PORT_SHARE
|
|
if (port_share && socket_foreign_protocol_detected (c->c2.link_socket))
|
|
{
|
|
const struct buffer *fbuf = socket_foreign_protocol_head (c->c2.link_socket);
|
|
const int sd = socket_foreign_protocol_sd (c->c2.link_socket);
|
|
port_share_redirect (port_share, fbuf, sd);
|
|
register_signal (c, SIGTERM, "port-share-redirect");
|
|
}
|
|
else
|
|
#endif
|
|
{
|
|
/* received a disconnect from a connection-oriented protocol */
|
|
if (c->options.inetd)
|
|
{
|
|
register_signal (c, SIGTERM, "connection-reset-inetd");
|
|
msg (D_STREAM_ERRORS, "Connection reset, inetd/xinetd exit [%d]", status);
|
|
}
|
|
else
|
|
{
|
|
#ifdef ENABLE_OCC
|
|
if (event_timeout_defined(&c->c2.explicit_exit_notification_interval))
|
|
{
|
|
msg (D_STREAM_ERRORS, "Connection reset during exit notification period, ignoring [%d]", status);
|
|
openvpn_sleep(1);
|
|
}
|
|
else
|
|
#endif
|
|
{
|
|
register_signal (c, SIGUSR1, "connection-reset"); /* SOFT-SIGUSR1 -- TCP connection reset */
|
|
msg (D_STREAM_ERRORS, "Connection reset, restarting [%d]", status);
|
|
}
|
|
}
|
|
}
|
|
perf_pop ();
|
|
return;
|
|
}
|
|
|
|
/* check recvfrom status */
|
|
check_status (status, "read", c->c2.link_socket, NULL);
|
|
|
|
#ifdef ENABLE_SOCKS
|
|
/* Remove socks header if applicable */
|
|
socks_postprocess_incoming_link (c);
|
|
#endif
|
|
|
|
perf_pop ();
|
|
}
|
|
|
|
/*
|
|
* Input: c->c2.buf
|
|
* Output: c->c2.to_tun
|
|
*/
|
|
|
|
void
|
|
process_incoming_link (struct context *c)
|
|
{
|
|
struct gc_arena gc = gc_new ();
|
|
bool decrypt_status;
|
|
struct link_socket_info *lsi = get_link_socket_info (c);
|
|
const uint8_t *orig_buf = c->c2.buf.data;
|
|
|
|
perf_push (PERF_PROC_IN_LINK);
|
|
|
|
if (c->c2.buf.len > 0)
|
|
{
|
|
c->c2.link_read_bytes += c->c2.buf.len;
|
|
link_read_bytes_global += c->c2.buf.len;
|
|
c->c2.original_recv_size = c->c2.buf.len;
|
|
#ifdef ENABLE_MANAGEMENT
|
|
if (management)
|
|
{
|
|
management_bytes_in (management, c->c2.buf.len);
|
|
#ifdef MANAGEMENT_DEF_AUTH
|
|
management_bytes_server (management, &c->c2.link_read_bytes, &c->c2.link_write_bytes, &c->c2.mda_context);
|
|
#endif
|
|
}
|
|
#endif
|
|
}
|
|
else
|
|
c->c2.original_recv_size = 0;
|
|
|
|
#ifdef ENABLE_DEBUG
|
|
/* take action to corrupt packet if we are in gremlin test mode */
|
|
if (c->options.gremlin) {
|
|
if (!ask_gremlin (c->options.gremlin))
|
|
c->c2.buf.len = 0;
|
|
corrupt_gremlin (&c->c2.buf, c->options.gremlin);
|
|
}
|
|
#endif
|
|
|
|
/* log incoming packet */
|
|
#ifdef LOG_RW
|
|
if (c->c2.log_rw && c->c2.buf.len > 0)
|
|
fprintf (stderr, "R");
|
|
#endif
|
|
msg (D_LINK_RW, "%s READ [%d] from %s: %s",
|
|
proto2ascii (lsi->proto, true),
|
|
BLEN (&c->c2.buf),
|
|
print_link_socket_actual (&c->c2.from, &gc),
|
|
PROTO_DUMP (&c->c2.buf, &gc));
|
|
|
|
/*
|
|
* Good, non-zero length packet received.
|
|
* Commence multi-stage processing of packet,
|
|
* such as authenticate, decrypt, decompress.
|
|
* If any stage fails, it sets buf.len to 0 or -1,
|
|
* telling downstream stages to ignore the packet.
|
|
*/
|
|
if (c->c2.buf.len > 0)
|
|
{
|
|
if (!link_socket_verify_incoming_addr (&c->c2.buf, lsi, &c->c2.from))
|
|
link_socket_bad_incoming_addr (&c->c2.buf, lsi, &c->c2.from);
|
|
|
|
#ifdef USE_CRYPTO
|
|
#ifdef USE_SSL
|
|
if (c->c2.tls_multi)
|
|
{
|
|
/*
|
|
* If tls_pre_decrypt returns true, it means the incoming
|
|
* packet was a good TLS control channel packet. If so, TLS code
|
|
* will deal with the packet and set buf.len to 0 so downstream
|
|
* stages ignore it.
|
|
*
|
|
* If the packet is a data channel packet, tls_pre_decrypt
|
|
* will load crypto_options with the correct encryption key
|
|
* and return false.
|
|
*/
|
|
if (tls_pre_decrypt (c->c2.tls_multi, &c->c2.from, &c->c2.buf, &c->c2.crypto_options))
|
|
{
|
|
interval_action (&c->c2.tmp_int);
|
|
|
|
/* reset packet received timer if TLS packet */
|
|
if (c->options.ping_rec_timeout)
|
|
event_timeout_reset (&c->c2.ping_rec_interval);
|
|
}
|
|
}
|
|
#if P2MP_SERVER
|
|
/*
|
|
* Drop non-TLS packet if client-connect script/plugin has not
|
|
* yet succeeded.
|
|
*/
|
|
if (c->c2.context_auth != CAS_SUCCEEDED)
|
|
c->c2.buf.len = 0;
|
|
#endif
|
|
#endif /* USE_SSL */
|
|
|
|
/* authenticate and decrypt the incoming packet */
|
|
decrypt_status = openvpn_decrypt (&c->c2.buf, c->c2.buffers->decrypt_buf, &c->c2.crypto_options, &c->c2.frame);
|
|
|
|
if (!decrypt_status && link_socket_connection_oriented (c->c2.link_socket))
|
|
{
|
|
/* decryption errors are fatal in TCP mode */
|
|
register_signal (c, SIGUSR1, "decryption-error"); /* SOFT-SIGUSR1 -- decryption error in TCP mode */
|
|
msg (D_STREAM_ERRORS, "Fatal decryption error (process_incoming_link), restarting");
|
|
goto done;
|
|
}
|
|
|
|
#endif /* USE_CRYPTO */
|
|
|
|
#ifdef ENABLE_FRAGMENT
|
|
if (c->c2.fragment)
|
|
fragment_incoming (c->c2.fragment, &c->c2.buf, &c->c2.frame_fragment);
|
|
#endif
|
|
|
|
#ifdef USE_LZO
|
|
/* decompress the incoming packet */
|
|
if (lzo_defined (&c->c2.lzo_compwork))
|
|
lzo_decompress (&c->c2.buf, c->c2.buffers->lzo_decompress_buf, &c->c2.lzo_compwork, &c->c2.frame);
|
|
#endif
|
|
|
|
#ifdef PACKET_TRUNCATION_CHECK
|
|
/* if (c->c2.buf.len > 1) --c->c2.buf.len; */
|
|
ipv4_packet_size_verify (BPTR (&c->c2.buf),
|
|
BLEN (&c->c2.buf),
|
|
TUNNEL_TYPE (c->c1.tuntap),
|
|
"POST_DECRYPT",
|
|
&c->c2.n_trunc_post_decrypt);
|
|
#endif
|
|
|
|
/*
|
|
* Set our "official" outgoing address, since
|
|
* if buf.len is non-zero, we know the packet
|
|
* authenticated. In TLS mode we do nothing
|
|
* because TLS mode takes care of source address
|
|
* authentication.
|
|
*
|
|
* Also, update the persisted version of our packet-id.
|
|
*/
|
|
if (!TLS_MODE (c))
|
|
link_socket_set_outgoing_addr (&c->c2.buf, lsi, &c->c2.from, NULL, c->c2.es);
|
|
|
|
/* reset packet received timer */
|
|
if (c->options.ping_rec_timeout && c->c2.buf.len > 0)
|
|
event_timeout_reset (&c->c2.ping_rec_interval);
|
|
|
|
/* increment authenticated receive byte count */
|
|
if (c->c2.buf.len > 0)
|
|
{
|
|
c->c2.link_read_bytes_auth += c->c2.buf.len;
|
|
c->c2.max_recv_size_local = max_int (c->c2.original_recv_size, c->c2.max_recv_size_local);
|
|
}
|
|
|
|
/* Did we just receive an openvpn ping packet? */
|
|
if (is_ping_msg (&c->c2.buf))
|
|
{
|
|
dmsg (D_PING, "RECEIVED PING PACKET");
|
|
c->c2.buf.len = 0; /* drop packet */
|
|
}
|
|
|
|
#ifdef ENABLE_OCC
|
|
/* Did we just receive an OCC packet? */
|
|
if (is_occ_msg (&c->c2.buf))
|
|
process_received_occ_msg (c);
|
|
#endif
|
|
|
|
buffer_turnover (orig_buf, &c->c2.to_tun, &c->c2.buf, &c->c2.buffers->read_link_buf);
|
|
|
|
/* to_tun defined + unopened tuntap can cause deadlock */
|
|
if (!tuntap_defined (c->c1.tuntap))
|
|
c->c2.to_tun.len = 0;
|
|
}
|
|
else
|
|
{
|
|
buf_reset (&c->c2.to_tun);
|
|
}
|
|
done:
|
|
perf_pop ();
|
|
gc_free (&gc);
|
|
}
|
|
|
|
/*
|
|
* Output: c->c2.buf
|
|
*/
|
|
|
|
void
|
|
read_incoming_tun (struct context *c)
|
|
{
|
|
/*
|
|
* Setup for read() call on TUN/TAP device.
|
|
*/
|
|
/*ASSERT (!c->c2.to_link.len);*/
|
|
|
|
perf_push (PERF_READ_IN_TUN);
|
|
|
|
c->c2.buf = c->c2.buffers->read_tun_buf;
|
|
#ifdef TUN_PASS_BUFFER
|
|
read_tun_buffered (c->c1.tuntap, &c->c2.buf, MAX_RW_SIZE_TUN (&c->c2.frame));
|
|
#else
|
|
ASSERT (buf_init (&c->c2.buf, FRAME_HEADROOM (&c->c2.frame)));
|
|
ASSERT (buf_safe (&c->c2.buf, MAX_RW_SIZE_TUN (&c->c2.frame)));
|
|
c->c2.buf.len = read_tun (c->c1.tuntap, BPTR (&c->c2.buf), MAX_RW_SIZE_TUN (&c->c2.frame));
|
|
#endif
|
|
|
|
#ifdef PACKET_TRUNCATION_CHECK
|
|
ipv4_packet_size_verify (BPTR (&c->c2.buf),
|
|
BLEN (&c->c2.buf),
|
|
TUNNEL_TYPE (c->c1.tuntap),
|
|
"READ_TUN",
|
|
&c->c2.n_trunc_tun_read);
|
|
#endif
|
|
|
|
/* Was TUN/TAP interface stopped? */
|
|
if (tuntap_stop (c->c2.buf.len))
|
|
{
|
|
register_signal (c, SIGTERM, "tun-stop");
|
|
msg (M_INFO, "TUN/TAP interface has been stopped, exiting");
|
|
perf_pop ();
|
|
return;
|
|
}
|
|
|
|
/* Check the status return from read() */
|
|
check_status (c->c2.buf.len, "read from TUN/TAP", NULL, c->c1.tuntap);
|
|
|
|
perf_pop ();
|
|
}
|
|
|
|
/*
|
|
* Input: c->c2.buf
|
|
* Output: c->c2.to_link
|
|
*/
|
|
|
|
void
|
|
process_incoming_tun (struct context *c)
|
|
{
|
|
struct gc_arena gc = gc_new ();
|
|
|
|
perf_push (PERF_PROC_IN_TUN);
|
|
|
|
if (c->c2.buf.len > 0)
|
|
c->c2.tun_read_bytes += c->c2.buf.len;
|
|
|
|
#ifdef LOG_RW
|
|
if (c->c2.log_rw && c->c2.buf.len > 0)
|
|
fprintf (stderr, "r");
|
|
#endif
|
|
|
|
/* Show packet content */
|
|
dmsg (D_TUN_RW, "TUN READ [%d]", BLEN (&c->c2.buf));
|
|
|
|
if (c->c2.buf.len > 0)
|
|
{
|
|
/*
|
|
* The --passtos and --mssfix options require
|
|
* us to examine the IPv4 header.
|
|
*/
|
|
process_ipv4_header (c, PIPV4_PASSTOS|PIPV4_MSSFIX|PIPV4_CLIENT_NAT, &c->c2.buf);
|
|
|
|
#ifdef PACKET_TRUNCATION_CHECK
|
|
/* if (c->c2.buf.len > 1) --c->c2.buf.len; */
|
|
ipv4_packet_size_verify (BPTR (&c->c2.buf),
|
|
BLEN (&c->c2.buf),
|
|
TUNNEL_TYPE (c->c1.tuntap),
|
|
"PRE_ENCRYPT",
|
|
&c->c2.n_trunc_pre_encrypt);
|
|
#endif
|
|
|
|
encrypt_sign (c, true);
|
|
}
|
|
else
|
|
{
|
|
buf_reset (&c->c2.to_link);
|
|
}
|
|
perf_pop ();
|
|
gc_free (&gc);
|
|
}
|
|
|
|
void
|
|
process_ipv4_header (struct context *c, unsigned int flags, struct buffer *buf)
|
|
{
|
|
if (!c->options.mssfix)
|
|
flags &= ~PIPV4_MSSFIX;
|
|
#if PASSTOS_CAPABILITY
|
|
if (!c->options.passtos)
|
|
flags &= ~PIPV4_PASSTOS;
|
|
#endif
|
|
if (!c->options.route_gateway_via_dhcp || !route_list_vpn_gateway_needed (c->c1.route_list))
|
|
flags &= ~PIPV4_EXTRACT_DHCP_ROUTER;
|
|
|
|
if (buf->len > 0)
|
|
{
|
|
/*
|
|
* The --passtos and --mssfix options require
|
|
* us to examine the IPv4 header.
|
|
*/
|
|
#if PASSTOS_CAPABILITY
|
|
if (flags & (PIPV4_PASSTOS|PIPV4_MSSFIX))
|
|
#else
|
|
if (flags & PIPV4_MSSFIX)
|
|
#endif
|
|
{
|
|
struct buffer ipbuf = *buf;
|
|
if (is_ipv4 (TUNNEL_TYPE (c->c1.tuntap), &ipbuf))
|
|
{
|
|
#if PASSTOS_CAPABILITY
|
|
/* extract TOS from IP header */
|
|
if (flags & PIPV4_PASSTOS)
|
|
link_socket_extract_tos (c->c2.link_socket, &ipbuf);
|
|
#endif
|
|
|
|
/* possibly alter the TCP MSS */
|
|
if (flags & PIPV4_MSSFIX)
|
|
mss_fixup (&ipbuf, MTU_TO_MSS (TUN_MTU_SIZE_DYNAMIC (&c->c2.frame)));
|
|
|
|
#ifdef ENABLE_CLIENT_NAT
|
|
/* possibly do NAT on packet */
|
|
if ((flags & PIPV4_CLIENT_NAT) && c->options.client_nat)
|
|
{
|
|
const int direction = (flags & PIPV4_OUTGOING) ? CN_INCOMING : CN_OUTGOING;
|
|
client_nat_transform (c->options.client_nat, &ipbuf, direction);
|
|
}
|
|
#endif
|
|
/* possibly extract a DHCP router message */
|
|
if (flags & PIPV4_EXTRACT_DHCP_ROUTER)
|
|
{
|
|
const in_addr_t dhcp_router = dhcp_extract_router_msg (&ipbuf);
|
|
if (dhcp_router)
|
|
route_list_add_vpn_gateway (c->c1.route_list, c->c2.es, dhcp_router);
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
/*
|
|
* Input: c->c2.to_link
|
|
*/
|
|
|
|
void
|
|
process_outgoing_link (struct context *c)
|
|
{
|
|
struct gc_arena gc = gc_new ();
|
|
|
|
perf_push (PERF_PROC_OUT_LINK);
|
|
|
|
if (c->c2.to_link.len > 0 && c->c2.to_link.len <= EXPANDED_SIZE (&c->c2.frame))
|
|
{
|
|
/*
|
|
* Setup for call to send/sendto which will send
|
|
* packet to remote over the TCP/UDP port.
|
|
*/
|
|
int size = 0;
|
|
ASSERT (link_socket_actual_defined (c->c2.to_link_addr));
|
|
|
|
#ifdef ENABLE_DEBUG
|
|
/* In gremlin-test mode, we may choose to drop this packet */
|
|
if (!c->options.gremlin || ask_gremlin (c->options.gremlin))
|
|
#endif
|
|
{
|
|
/*
|
|
* Let the traffic shaper know how many bytes
|
|
* we wrote.
|
|
*/
|
|
#ifdef HAVE_GETTIMEOFDAY
|
|
if (c->options.shaper)
|
|
shaper_wrote_bytes (&c->c2.shaper, BLEN (&c->c2.to_link)
|
|
+ datagram_overhead (c->options.ce.proto));
|
|
#endif
|
|
/*
|
|
* Let the pinger know that we sent a packet.
|
|
*/
|
|
if (c->options.ping_send_timeout)
|
|
event_timeout_reset (&c->c2.ping_send_interval);
|
|
|
|
#if PASSTOS_CAPABILITY
|
|
/* Set TOS */
|
|
link_socket_set_tos (c->c2.link_socket);
|
|
#endif
|
|
|
|
/* Log packet send */
|
|
#ifdef LOG_RW
|
|
if (c->c2.log_rw)
|
|
fprintf (stderr, "W");
|
|
#endif
|
|
msg (D_LINK_RW, "%s WRITE [%d] to %s: %s",
|
|
proto2ascii (c->c2.link_socket->info.proto, true),
|
|
BLEN (&c->c2.to_link),
|
|
print_link_socket_actual (c->c2.to_link_addr, &gc),
|
|
PROTO_DUMP (&c->c2.to_link, &gc));
|
|
|
|
/* Packet send complexified by possible Socks5 usage */
|
|
{
|
|
struct link_socket_actual *to_addr = c->c2.to_link_addr;
|
|
#ifdef ENABLE_SOCKS
|
|
int size_delta = 0;
|
|
#endif
|
|
|
|
#ifdef ENABLE_SOCKS
|
|
/* If Socks5 over UDP, prepend header */
|
|
socks_preprocess_outgoing_link (c, &to_addr, &size_delta);
|
|
#endif
|
|
/* Send packet */
|
|
size = link_socket_write (c->c2.link_socket,
|
|
&c->c2.to_link,
|
|
to_addr);
|
|
|
|
#ifdef ENABLE_SOCKS
|
|
/* Undo effect of prepend */
|
|
link_socket_write_post_size_adjust (&size, size_delta, &c->c2.to_link);
|
|
#endif
|
|
}
|
|
|
|
if (size > 0)
|
|
{
|
|
c->c2.max_send_size_local = max_int (size, c->c2.max_send_size_local);
|
|
c->c2.link_write_bytes += size;
|
|
link_write_bytes_global += size;
|
|
#ifdef ENABLE_MANAGEMENT
|
|
if (management)
|
|
{
|
|
management_bytes_out (management, size);
|
|
#ifdef MANAGEMENT_DEF_AUTH
|
|
management_bytes_server (management, &c->c2.link_read_bytes, &c->c2.link_write_bytes, &c->c2.mda_context);
|
|
#endif
|
|
}
|
|
#endif
|
|
}
|
|
}
|
|
|
|
/* Check return status */
|
|
check_status (size, "write", c->c2.link_socket, NULL);
|
|
|
|
if (size > 0)
|
|
{
|
|
/* Did we write a different size packet than we intended? */
|
|
if (size != BLEN (&c->c2.to_link))
|
|
msg (D_LINK_ERRORS,
|
|
"TCP/UDP packet was truncated/expanded on write to %s (tried=%d,actual=%d)",
|
|
print_link_socket_actual (c->c2.to_link_addr, &gc),
|
|
BLEN (&c->c2.to_link),
|
|
size);
|
|
}
|
|
|
|
/* if not a ping/control message, indicate activity regarding --inactive parameter */
|
|
if (c->c2.buf.len > 0 )
|
|
register_activity (c, size);
|
|
}
|
|
else
|
|
{
|
|
if (c->c2.to_link.len > 0)
|
|
msg (D_LINK_ERRORS, "TCP/UDP packet too large on write to %s (tried=%d,max=%d)",
|
|
print_link_socket_actual (c->c2.to_link_addr, &gc),
|
|
c->c2.to_link.len,
|
|
EXPANDED_SIZE (&c->c2.frame));
|
|
}
|
|
|
|
buf_reset (&c->c2.to_link);
|
|
|
|
perf_pop ();
|
|
gc_free (&gc);
|
|
}
|
|
|
|
/*
|
|
* Input: c->c2.to_tun
|
|
*/
|
|
|
|
void
|
|
process_outgoing_tun (struct context *c)
|
|
{
|
|
struct gc_arena gc = gc_new ();
|
|
|
|
/*
|
|
* Set up for write() call to TUN/TAP
|
|
* device.
|
|
*/
|
|
if (c->c2.to_tun.len <= 0)
|
|
return;
|
|
|
|
perf_push (PERF_PROC_OUT_TUN);
|
|
|
|
/*
|
|
* The --mssfix option requires
|
|
* us to examine the IPv4 header.
|
|
*/
|
|
process_ipv4_header (c, PIPV4_MSSFIX|PIPV4_EXTRACT_DHCP_ROUTER|PIPV4_CLIENT_NAT|PIPV4_OUTGOING, &c->c2.to_tun);
|
|
|
|
if (c->c2.to_tun.len <= MAX_RW_SIZE_TUN (&c->c2.frame))
|
|
{
|
|
/*
|
|
* Write to TUN/TAP device.
|
|
*/
|
|
int size;
|
|
|
|
#ifdef LOG_RW
|
|
if (c->c2.log_rw)
|
|
fprintf (stderr, "w");
|
|
#endif
|
|
dmsg (D_TUN_RW, "TUN WRITE [%d]", BLEN (&c->c2.to_tun));
|
|
|
|
#ifdef PACKET_TRUNCATION_CHECK
|
|
ipv4_packet_size_verify (BPTR (&c->c2.to_tun),
|
|
BLEN (&c->c2.to_tun),
|
|
TUNNEL_TYPE (c->c1.tuntap),
|
|
"WRITE_TUN",
|
|
&c->c2.n_trunc_tun_write);
|
|
#endif
|
|
|
|
#ifdef TUN_PASS_BUFFER
|
|
size = write_tun_buffered (c->c1.tuntap, &c->c2.to_tun);
|
|
#else
|
|
size = write_tun (c->c1.tuntap, BPTR (&c->c2.to_tun), BLEN (&c->c2.to_tun));
|
|
#endif
|
|
|
|
if (size > 0)
|
|
c->c2.tun_write_bytes += size;
|
|
check_status (size, "write to TUN/TAP", NULL, c->c1.tuntap);
|
|
|
|
/* check written packet size */
|
|
if (size > 0)
|
|
{
|
|
/* Did we write a different size packet than we intended? */
|
|
if (size != BLEN (&c->c2.to_tun))
|
|
msg (D_LINK_ERRORS,
|
|
"TUN/TAP packet was destructively fragmented on write to %s (tried=%d,actual=%d)",
|
|
c->c1.tuntap->actual_name,
|
|
BLEN (&c->c2.to_tun),
|
|
size);
|
|
|
|
/* indicate activity regarding --inactive parameter */
|
|
register_activity (c, size);
|
|
}
|
|
}
|
|
else
|
|
{
|
|
/*
|
|
* This should never happen, probably indicates some kind
|
|
* of MTU mismatch.
|
|
*/
|
|
msg (D_LINK_ERRORS, "tun packet too large on write (tried=%d,max=%d)",
|
|
c->c2.to_tun.len,
|
|
MAX_RW_SIZE_TUN (&c->c2.frame));
|
|
}
|
|
|
|
buf_reset (&c->c2.to_tun);
|
|
|
|
perf_pop ();
|
|
gc_free (&gc);
|
|
}
|
|
|
|
void
|
|
pre_select (struct context *c)
|
|
{
|
|
/* make sure current time (now) is updated on function entry */
|
|
|
|
/*
|
|
* Start with an effectively infinite timeout, then let it
|
|
* reduce to a timeout that reflects the component which
|
|
* needs the earliest service.
|
|
*/
|
|
c->c2.timeval.tv_sec = BIG_TIMEOUT;
|
|
c->c2.timeval.tv_usec = 0;
|
|
|
|
#if defined(WIN32)
|
|
if (check_debug_level (D_TAP_WIN32_DEBUG))
|
|
{
|
|
c->c2.timeval.tv_sec = 1;
|
|
if (tuntap_defined (c->c1.tuntap))
|
|
tun_show_debug (c->c1.tuntap);
|
|
}
|
|
#endif
|
|
|
|
/* check coarse timers? */
|
|
check_coarse_timers (c);
|
|
if (c->sig->signal_received)
|
|
return;
|
|
|
|
/* Does TLS need service? */
|
|
check_tls (c);
|
|
|
|
/* In certain cases, TLS errors will require a restart */
|
|
check_tls_errors (c);
|
|
if (c->sig->signal_received)
|
|
return;
|
|
|
|
/* check for incoming configuration info on the control channel */
|
|
check_incoming_control_channel (c);
|
|
|
|
#ifdef ENABLE_OCC
|
|
/* Should we send an OCC message? */
|
|
check_send_occ_msg (c);
|
|
#endif
|
|
|
|
#ifdef ENABLE_FRAGMENT
|
|
/* Should we deliver a datagram fragment to remote? */
|
|
check_fragment (c);
|
|
#endif
|
|
|
|
/* Update random component of timeout */
|
|
check_timeout_random_component (c);
|
|
}
|
|
|
|
/*
|
|
* Wait for I/O events. Used for both TCP & UDP sockets
|
|
* in point-to-point mode and for UDP sockets in
|
|
* point-to-multipoint mode.
|
|
*/
|
|
|
|
void
|
|
io_wait_dowork (struct context *c, const unsigned int flags)
|
|
{
|
|
unsigned int socket = 0;
|
|
unsigned int tuntap = 0;
|
|
struct event_set_return esr[4];
|
|
|
|
/* These shifts all depend on EVENT_READ and EVENT_WRITE */
|
|
static int socket_shift = 0; /* depends on SOCKET_READ and SOCKET_WRITE */
|
|
static int tun_shift = 2; /* depends on TUN_READ and TUN_WRITE */
|
|
static int err_shift = 4; /* depends on ES_ERROR */
|
|
#ifdef ENABLE_MANAGEMENT
|
|
static int management_shift = 6; /* depends on MANAGEMENT_READ and MANAGEMENT_WRITE */
|
|
#endif
|
|
|
|
/*
|
|
* Decide what kind of events we want to wait for.
|
|
*/
|
|
event_reset (c->c2.event_set);
|
|
|
|
/*
|
|
* On win32 we use the keyboard or an event object as a source
|
|
* of asynchronous signals.
|
|
*/
|
|
if (flags & IOW_WAIT_SIGNAL)
|
|
wait_signal (c->c2.event_set, (void*)&err_shift);
|
|
|
|
/*
|
|
* If outgoing data (for TCP/UDP port) pending, wait for ready-to-send
|
|
* status from TCP/UDP port. Otherwise, wait for incoming data on
|
|
* TUN/TAP device.
|
|
*/
|
|
if (flags & IOW_TO_LINK)
|
|
{
|
|
if (flags & IOW_SHAPER)
|
|
{
|
|
/*
|
|
* If sending this packet would put us over our traffic shaping
|
|
* quota, don't send -- instead compute the delay we must wait
|
|
* until it will be OK to send the packet.
|
|
*/
|
|
#ifdef HAVE_GETTIMEOFDAY
|
|
int delay = 0;
|
|
|
|
/* set traffic shaping delay in microseconds */
|
|
if (c->options.shaper)
|
|
delay = max_int (delay, shaper_delay (&c->c2.shaper));
|
|
|
|
if (delay < 1000)
|
|
{
|
|
socket |= EVENT_WRITE;
|
|
}
|
|
else
|
|
{
|
|
shaper_soonest_event (&c->c2.timeval, delay);
|
|
}
|
|
#else /* HAVE_GETTIMEOFDAY */
|
|
socket |= EVENT_WRITE;
|
|
#endif /* HAVE_GETTIMEOFDAY */
|
|
}
|
|
else
|
|
{
|
|
socket |= EVENT_WRITE;
|
|
}
|
|
}
|
|
else if (!((flags & IOW_FRAG) && TO_LINK_FRAG (c)))
|
|
{
|
|
if (flags & IOW_READ_TUN)
|
|
tuntap |= EVENT_READ;
|
|
}
|
|
|
|
/*
|
|
* If outgoing data (for TUN/TAP device) pending, wait for ready-to-send status
|
|
* from device. Otherwise, wait for incoming data on TCP/UDP port.
|
|
*/
|
|
if (flags & IOW_TO_TUN)
|
|
{
|
|
tuntap |= EVENT_WRITE;
|
|
}
|
|
else
|
|
{
|
|
if (flags & IOW_READ_LINK)
|
|
socket |= EVENT_READ;
|
|
}
|
|
|
|
/*
|
|
* outgoing bcast buffer waiting to be sent?
|
|
*/
|
|
if (flags & IOW_MBUF)
|
|
socket |= EVENT_WRITE;
|
|
|
|
/*
|
|
* Force wait on TUN input, even if also waiting on TCP/UDP output
|
|
*/
|
|
if (flags & IOW_READ_TUN_FORCE)
|
|
tuntap |= EVENT_READ;
|
|
|
|
/*
|
|
* Configure event wait based on socket, tuntap flags.
|
|
*/
|
|
socket_set (c->c2.link_socket, c->c2.event_set, socket, (void*)&socket_shift, NULL);
|
|
tun_set (c->c1.tuntap, c->c2.event_set, tuntap, (void*)&tun_shift, NULL);
|
|
|
|
#ifdef ENABLE_MANAGEMENT
|
|
if (management)
|
|
management_socket_set (management, c->c2.event_set, (void*)&management_shift, NULL);
|
|
#endif
|
|
|
|
/*
|
|
* Possible scenarios:
|
|
* (1) tcp/udp port has data available to read
|
|
* (2) tcp/udp port is ready to accept more data to write
|
|
* (3) tun dev has data available to read
|
|
* (4) tun dev is ready to accept more data to write
|
|
* (5) we received a signal (handler sets signal_received)
|
|
* (6) timeout (tv) expired
|
|
*/
|
|
|
|
c->c2.event_set_status = ES_ERROR;
|
|
|
|
if (!c->sig->signal_received)
|
|
{
|
|
if (!(flags & IOW_CHECK_RESIDUAL) || !socket_read_residual (c->c2.link_socket))
|
|
{
|
|
int status;
|
|
|
|
#ifdef ENABLE_DEBUG
|
|
if (check_debug_level (D_EVENT_WAIT))
|
|
show_wait_status (c);
|
|
#endif
|
|
|
|
/*
|
|
* Wait for something to happen.
|
|
*/
|
|
status = event_wait (c->c2.event_set, &c->c2.timeval, esr, SIZE(esr));
|
|
|
|
check_status (status, "event_wait", NULL, NULL);
|
|
|
|
if (status > 0)
|
|
{
|
|
int i;
|
|
c->c2.event_set_status = 0;
|
|
for (i = 0; i < status; ++i)
|
|
{
|
|
const struct event_set_return *e = &esr[i];
|
|
c->c2.event_set_status |= ((e->rwflags & 3) << *((int*)e->arg));
|
|
}
|
|
}
|
|
else if (status == 0)
|
|
{
|
|
c->c2.event_set_status = ES_TIMEOUT;
|
|
}
|
|
}
|
|
else
|
|
{
|
|
c->c2.event_set_status = SOCKET_READ;
|
|
}
|
|
}
|
|
|
|
/* 'now' should always be a reasonably up-to-date timestamp */
|
|
update_time ();
|
|
|
|
/* set signal_received if a signal was received */
|
|
if (c->c2.event_set_status & ES_ERROR)
|
|
get_signal (&c->sig->signal_received);
|
|
|
|
dmsg (D_EVENT_WAIT, "I/O WAIT status=0x%04x", c->c2.event_set_status);
|
|
}
|
|
|
|
void
|
|
process_io (struct context *c)
|
|
{
|
|
const unsigned int status = c->c2.event_set_status;
|
|
|
|
#ifdef ENABLE_MANAGEMENT
|
|
if (status & (MANAGEMENT_READ|MANAGEMENT_WRITE))
|
|
{
|
|
ASSERT (management);
|
|
management_io (management);
|
|
}
|
|
#endif
|
|
|
|
/* TCP/UDP port ready to accept write */
|
|
if (status & SOCKET_WRITE)
|
|
{
|
|
process_outgoing_link (c);
|
|
}
|
|
/* TUN device ready to accept write */
|
|
else if (status & TUN_WRITE)
|
|
{
|
|
process_outgoing_tun (c);
|
|
}
|
|
/* Incoming data on TCP/UDP port */
|
|
else if (status & SOCKET_READ)
|
|
{
|
|
read_incoming_link (c);
|
|
if (!IS_SIG (c))
|
|
process_incoming_link (c);
|
|
}
|
|
/* Incoming data on TUN device */
|
|
else if (status & TUN_READ)
|
|
{
|
|
read_incoming_tun (c);
|
|
if (!IS_SIG (c))
|
|
process_incoming_tun (c);
|
|
}
|
|
}
|