2011-11-30 20:47:30 +01:00
|
|
|
#ifndef OPENVPN_SSL_PROTOSTACK_H
|
|
|
|
#define OPENVPN_SSL_PROTOSTACK_H
|
|
|
|
|
2011-12-02 23:00:56 +01:00
|
|
|
#include <deque>
|
|
|
|
|
2011-11-30 20:47:30 +01:00
|
|
|
#include <openvpn/common/exception.hpp>
|
|
|
|
#include <openvpn/common/types.hpp>
|
|
|
|
#include <openvpn/common/usecount.hpp>
|
|
|
|
#include <openvpn/buffer/buffer.hpp>
|
|
|
|
#include <openvpn/time/time.hpp>
|
|
|
|
#include <openvpn/reliable/relrecv.hpp>
|
|
|
|
#include <openvpn/reliable/relsend.hpp>
|
|
|
|
#include <openvpn/reliable/relack.hpp>
|
|
|
|
#include <openvpn/frame/frame.hpp>
|
|
|
|
|
|
|
|
namespace openvpn {
|
|
|
|
|
2011-12-02 23:00:56 +01:00
|
|
|
template <typename SSLCONTEXT>
|
2011-11-30 20:47:30 +01:00
|
|
|
class ProtoStackBase
|
|
|
|
{
|
|
|
|
public:
|
2011-12-02 23:00:56 +01:00
|
|
|
typedef SSLCONTEXT SSLContext;
|
2011-11-30 20:47:30 +01:00
|
|
|
typedef ReliableMessageBase::id_t id_t;
|
|
|
|
|
|
|
|
OPENVPN_SIMPLE_EXCEPTION(proto_stack_invalidated);
|
|
|
|
|
|
|
|
ProtoStackBase(SSLContext& ctx,
|
|
|
|
const FramePtr& frame,
|
2011-12-02 23:00:56 +01:00
|
|
|
const id_t span,
|
|
|
|
const size_t max_ack_list)
|
2011-11-30 20:47:30 +01:00
|
|
|
: ssl_(ctx.ssl()),
|
|
|
|
frame_(frame),
|
|
|
|
rel_recv(span),
|
|
|
|
rel_send(span),
|
2011-12-02 23:00:56 +01:00
|
|
|
xmit_acks(max_ack_list),
|
2011-11-30 20:47:30 +01:00
|
|
|
up_stack_reentry_level(0),
|
2011-12-02 23:00:56 +01:00
|
|
|
invalidate(false),
|
|
|
|
next_retransmit_(Time::infinite())
|
2011-11-30 20:47:30 +01:00
|
|
|
{
|
|
|
|
}
|
|
|
|
|
2011-12-04 02:34:32 +01:00
|
|
|
// Start SSL handshake on underlying SSL connection object
|
2011-12-02 23:00:56 +01:00
|
|
|
void start_handshake()
|
|
|
|
{
|
|
|
|
test_invalidated();
|
|
|
|
ssl_->start_handshake();
|
|
|
|
}
|
|
|
|
|
2011-11-30 20:47:30 +01:00
|
|
|
// Incoming ciphertext packet arriving from network
|
|
|
|
void net_recv(const Time now, BufferPtr& buf)
|
|
|
|
{
|
|
|
|
test_invalidated();
|
|
|
|
up_stack(now, buf);
|
2011-12-02 23:00:56 +01:00
|
|
|
update_retransmit(now);
|
2011-11-30 20:47:30 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
// Outgoing application-level cleartext packet ready to send
|
2011-12-04 02:34:32 +01:00
|
|
|
// (will be encrypted via SSL)
|
2011-11-30 20:47:30 +01:00
|
|
|
void app_send(const Time now, BufferPtr& buf)
|
2011-12-02 23:00:56 +01:00
|
|
|
{
|
|
|
|
app_write_queue.push_back(buf);
|
|
|
|
}
|
|
|
|
|
2011-12-04 02:34:32 +01:00
|
|
|
// Outgoing raw packet ready to send (will NOT be encrypted
|
|
|
|
// via SSL, but will still be encapsulated and tracked
|
|
|
|
// via reliability layer).
|
|
|
|
void raw_send(const Time now, BufferPtr& buf)
|
|
|
|
{
|
|
|
|
raw_write_queue.push_back(buf);
|
|
|
|
}
|
|
|
|
|
2011-12-02 23:00:56 +01:00
|
|
|
// Write any pending data to network. Should be called
|
|
|
|
// as a final step after one or more net_recv/app_send calls.
|
|
|
|
void flush(const Time now)
|
2011-11-30 20:47:30 +01:00
|
|
|
{
|
|
|
|
test_invalidated();
|
|
|
|
if (!up_stack_reentry_level)
|
2011-12-02 23:00:56 +01:00
|
|
|
{
|
2011-12-04 02:34:32 +01:00
|
|
|
down_stack_raw(now);
|
|
|
|
down_stack_app(now);
|
2011-12-02 23:00:56 +01:00
|
|
|
update_retransmit(now);
|
|
|
|
}
|
2011-11-30 20:47:30 +01:00
|
|
|
}
|
|
|
|
|
2011-12-02 23:00:56 +01:00
|
|
|
// Send pending ACKs back to sender for packets already received
|
|
|
|
void send_pending_acks(const Time now)
|
2011-11-30 20:47:30 +01:00
|
|
|
{
|
2011-12-02 23:00:56 +01:00
|
|
|
test_invalidated();
|
|
|
|
while (!xmit_acks.empty())
|
|
|
|
{
|
|
|
|
if (!ack_send_buf)
|
|
|
|
ack_send_buf.reset(new BufferAllocated());
|
|
|
|
frame_->prepare(Frame::WRITE_ACK_STANDALONE, *ack_send_buf);
|
|
|
|
|
|
|
|
// encapsulate standalone ACK
|
|
|
|
generate_ack(now, *ack_send_buf, xmit_acks);
|
|
|
|
|
|
|
|
// transmit it
|
|
|
|
net_send(now, const_buffer_ref(*ack_send_buf));
|
|
|
|
}
|
2011-11-30 20:47:30 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
// Send any pending retransmissions
|
|
|
|
void retransmit(const Time now)
|
|
|
|
{
|
2011-12-02 23:00:56 +01:00
|
|
|
test_invalidated();
|
2011-11-30 20:47:30 +01:00
|
|
|
for (id_t i = rel_send.head_id(); i < rel_send.tail_id(); ++i)
|
|
|
|
{
|
|
|
|
ReliableSend::Message& m = rel_send.ref_by_id(i);
|
|
|
|
if (m.ready_retransmit(now))
|
|
|
|
{
|
2011-12-02 23:00:56 +01:00
|
|
|
net_send(now, const_buffer_ref(*m.buffer));
|
2011-11-30 20:47:30 +01:00
|
|
|
m.reset_retransmit(now);
|
|
|
|
}
|
|
|
|
}
|
2011-12-02 23:00:56 +01:00
|
|
|
update_retransmit(now);
|
2011-11-30 20:47:30 +01:00
|
|
|
}
|
|
|
|
|
2011-12-04 02:34:32 +01:00
|
|
|
// When should we next call retransmit()
|
2011-12-02 23:00:56 +01:00
|
|
|
Time next_retransmit() const { return next_retransmit_; }
|
|
|
|
|
2011-12-04 02:34:32 +01:00
|
|
|
// Was session invalidated by an exception?
|
2011-11-30 20:47:30 +01:00
|
|
|
bool invalidated() const { return invalidate; }
|
|
|
|
|
|
|
|
virtual ~ProtoStackBase() {}
|
|
|
|
|
|
|
|
private:
|
|
|
|
// VIRTUAL METHODS -- derived class must define these virtual methods
|
|
|
|
|
|
|
|
// Encapsulate buffer, use id as sequence number, xmit_acks as ACKs
|
|
|
|
// in reply to sender (if non-NULL), any exceptions thrown will
|
|
|
|
// invalidate session, i.e. this object can no longer be used.
|
2011-12-02 23:00:56 +01:00
|
|
|
virtual void encapsulate(const Time now, id_t id, Buffer& buf, ReliableAck& xmit_acks) = 0;
|
2011-11-30 20:47:30 +01:00
|
|
|
|
2011-12-04 02:34:32 +01:00
|
|
|
// Un-encapsulate buffer, method should return sequence number,
|
|
|
|
// or PacketID::UNDEF if packet should be dropped.
|
2011-12-02 23:00:56 +01:00
|
|
|
// Any ACKs received for messages previously sent should be marked in
|
2011-12-04 02:34:32 +01:00
|
|
|
// rel_send, which can be accomplished by calling ReliableAck::ack().
|
2011-11-30 20:47:30 +01:00
|
|
|
// Exceptions may be thrown here and they will be passed up to
|
|
|
|
// caller of net_recv and will not invalidate the session, however
|
|
|
|
// the packet will be dropped.
|
2011-12-02 23:00:56 +01:00
|
|
|
virtual id_t decapsulate(const Time now, Buffer& recv, ReliableSend& rel_send) = 0;
|
2011-11-30 20:47:30 +01:00
|
|
|
|
|
|
|
// Generate a standalone ACK message in buf (buf is already allocated and framed).
|
2011-12-02 23:00:56 +01:00
|
|
|
virtual void generate_ack(const Time now, Buffer& buf, ReliableAck& xmit_acks) = 0;
|
2011-11-30 20:47:30 +01:00
|
|
|
|
2011-12-04 02:34:32 +01:00
|
|
|
// Transmit encapsulated ciphertext buffer to peer. Method may not modify
|
|
|
|
// or take ownership of net_buf underlying data unless it copies it.
|
2011-12-02 23:00:56 +01:00
|
|
|
virtual void net_send(const Time now, const ConstBuffer& net_buf) = 0;
|
2011-11-30 20:47:30 +01:00
|
|
|
|
|
|
|
// Pass cleartext data up to application. Method may take ownership
|
2011-12-02 23:00:56 +01:00
|
|
|
// of to_app_buf by making private copy of BufferPtr then calling
|
|
|
|
// reset on to_app_buf.
|
2011-11-30 20:47:30 +01:00
|
|
|
virtual void app_recv(const Time now, BufferPtr& to_app_buf) = 0;
|
|
|
|
|
|
|
|
// END of VIRTUAL METHODS
|
|
|
|
|
|
|
|
|
|
|
|
// app data -> SSL -> protocol encapsulation -> reliability layer -> network
|
2011-12-04 02:34:32 +01:00
|
|
|
void down_stack_app(const Time now)
|
2011-11-30 20:47:30 +01:00
|
|
|
{
|
|
|
|
// push app-layer cleartext through SSL object
|
|
|
|
while (!app_write_queue.empty())
|
|
|
|
{
|
2011-12-02 23:00:56 +01:00
|
|
|
BufferPtr& buf = app_write_queue.front();
|
2011-11-30 20:47:30 +01:00
|
|
|
try {
|
2011-12-02 23:00:56 +01:00
|
|
|
const ssize_t size = ssl_->write_cleartext_unbuffered(buf->data(), buf->size());
|
|
|
|
if (size == SSLContext::SSL::SHOULD_RETRY)
|
2011-11-30 20:47:30 +01:00
|
|
|
break;
|
|
|
|
}
|
|
|
|
catch (...)
|
|
|
|
{
|
|
|
|
invalidate = true;
|
|
|
|
throw;
|
|
|
|
}
|
2011-12-02 23:00:56 +01:00
|
|
|
app_write_queue.pop_front();
|
2011-11-30 20:47:30 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
// encapsulate SSL ciphertext packets
|
|
|
|
while (ssl_->read_ciphertext_ready() && rel_send.ready())
|
|
|
|
{
|
|
|
|
ReliableSend::Message& m = rel_send.send(now);
|
|
|
|
m.buffer = ssl_->read_ciphertext();
|
|
|
|
|
|
|
|
// encapsulate buffer
|
|
|
|
try {
|
2011-12-02 23:00:56 +01:00
|
|
|
encapsulate(now, m.id(), *m.buffer, xmit_acks);
|
2011-11-30 20:47:30 +01:00
|
|
|
}
|
|
|
|
catch (...)
|
|
|
|
{
|
|
|
|
invalidate = true;
|
|
|
|
throw;
|
|
|
|
}
|
|
|
|
|
|
|
|
// transmit it
|
2011-12-02 23:00:56 +01:00
|
|
|
net_send(now, const_buffer_ref(*m.buffer));
|
2011-11-30 20:47:30 +01:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2011-12-04 02:34:32 +01:00
|
|
|
// app data -> protocol encapsulation -> reliability layer -> network
|
|
|
|
void down_stack_raw(const Time now)
|
|
|
|
{
|
|
|
|
while (!raw_write_queue.empty() && rel_send.ready())
|
|
|
|
{
|
|
|
|
ReliableSend::Message& m = rel_send.send(now);
|
|
|
|
m.buffer = raw_write_queue.front();
|
|
|
|
raw_write_queue.pop_front();
|
|
|
|
|
|
|
|
// encapsulate buffer
|
|
|
|
try {
|
|
|
|
encapsulate(now, m.id(), *m.buffer, xmit_acks);
|
|
|
|
}
|
|
|
|
catch (...)
|
|
|
|
{
|
|
|
|
invalidate = true;
|
|
|
|
throw;
|
|
|
|
}
|
|
|
|
|
|
|
|
// transmit it
|
|
|
|
net_send(now, const_buffer_ref(*m.buffer));
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2011-11-30 20:47:30 +01:00
|
|
|
// network -> reliability layer -> protocol decapsulation -> SSL -> app
|
|
|
|
void up_stack(const Time now, BufferPtr& recv)
|
|
|
|
{
|
|
|
|
UseCount use_count(up_stack_reentry_level);
|
|
|
|
|
|
|
|
{
|
|
|
|
// decapsulate buffer
|
2011-12-02 23:00:56 +01:00
|
|
|
const id_t id = decapsulate(now, *recv, rel_send);
|
|
|
|
if (id != PacketID::UNDEF)
|
2011-11-30 20:47:30 +01:00
|
|
|
{
|
|
|
|
const bool should_ack = rel_recv.receive(recv, id);
|
|
|
|
if (should_ack)
|
|
|
|
xmit_acks.push_back(id);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// is sequenced receive packet available?
|
|
|
|
while (rel_recv.ready())
|
|
|
|
{
|
|
|
|
ReliableRecv::Message& m = rel_recv.next_sequenced();
|
|
|
|
ssl_->write_ciphertext(m.buffer);
|
|
|
|
rel_recv.advance();
|
|
|
|
}
|
|
|
|
|
|
|
|
// read cleartext data from SSL object
|
|
|
|
while (true)
|
|
|
|
{
|
|
|
|
ssize_t size;
|
|
|
|
if (!to_app_buf)
|
|
|
|
to_app_buf.reset(new BufferAllocated());
|
|
|
|
frame_->prepare(Frame::READ_SSL_CLEARTEXT, *to_app_buf);
|
|
|
|
try {
|
|
|
|
size = ssl_->read_cleartext(to_app_buf->data(), to_app_buf->max_size());
|
|
|
|
}
|
|
|
|
catch (...)
|
|
|
|
{
|
|
|
|
// SSL fatal errors will invalidate the session
|
|
|
|
invalidate = true;
|
|
|
|
throw;
|
|
|
|
}
|
|
|
|
if (size == SSLContext::SSL::SHOULD_RETRY)
|
|
|
|
break;
|
|
|
|
to_app_buf->set_size(size);
|
|
|
|
|
|
|
|
// pass cleartext data to app
|
2011-12-02 23:00:56 +01:00
|
|
|
app_recv(now, to_app_buf);
|
2011-11-30 20:47:30 +01:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
void test_invalidated() const
|
|
|
|
{
|
|
|
|
if (invalidate)
|
|
|
|
throw proto_stack_invalidated();
|
|
|
|
}
|
|
|
|
|
2011-12-02 23:00:56 +01:00
|
|
|
void update_retransmit(const Time now)
|
|
|
|
{
|
|
|
|
const Time::Duration d = rel_send.until_retransmit(now);
|
|
|
|
if (d.is_infinite())
|
|
|
|
next_retransmit_ = Time::infinite();
|
|
|
|
else
|
|
|
|
next_retransmit_ = now + d;
|
|
|
|
}
|
|
|
|
|
2011-11-30 20:47:30 +01:00
|
|
|
typename SSLContext::SSLPtr ssl_;
|
|
|
|
FramePtr frame_;
|
|
|
|
|
|
|
|
ReliableRecv rel_recv;
|
|
|
|
ReliableSend rel_send;
|
2011-12-02 23:00:56 +01:00
|
|
|
ReliableAck xmit_acks;
|
2011-11-30 20:47:30 +01:00
|
|
|
|
|
|
|
int up_stack_reentry_level;
|
|
|
|
bool invalidate;
|
|
|
|
|
2011-12-02 23:00:56 +01:00
|
|
|
Time next_retransmit_;
|
|
|
|
|
2011-11-30 20:47:30 +01:00
|
|
|
BufferPtr to_app_buf; // cleartext data decrypted by SSL that is to be passed to app via app_recv method
|
|
|
|
BufferPtr ack_send_buf; // only used for standalone ACKs to be sent to peer
|
|
|
|
|
2011-12-02 23:00:56 +01:00
|
|
|
std::deque<BufferPtr> app_write_queue;
|
2011-12-04 02:34:32 +01:00
|
|
|
std::deque<BufferPtr> raw_write_queue;
|
2011-11-30 20:47:30 +01:00
|
|
|
};
|
|
|
|
|
|
|
|
} // namespace openvpn
|
|
|
|
|
|
|
|
#endif // OPENVPN_SSL_PROTOSTACK_H
|