6fbf66fa |
/*
* OpenVPN -- An application to securely tunnel IP networks
* over a single TCP/UDP port, with support for SSL/TLS-based
* session authentication and key exchange,
* packet encryption, packet authentication, and
* packet compression.
* |
564a2109 |
* Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net> |
6fbf66fa |
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2
* as published by the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program (see the file COPYING included with this
* distribution); if not, write to the Free Software Foundation, Inc.,
* 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
|
c110b289 |
#ifdef HAVE_CONFIG_H
#include "config.h"
#elif defined(_MSC_VER)
#include "config-msvc.h"
#endif
|
6fbf66fa |
#include "syshead.h"
#include "socket.h"
#include "fdmisc.h"
#include "misc.h"
#include "gremlin.h"
#include "plugin.h" |
6add6b2f |
#include "ps.h" |
e482a632 |
#include "manage.h" |
8e9666d5 |
#include "misc.h" |
a55b3cdb |
#include "manage.h" |
e719a053 |
#include "openvpn.h" |
f2134b7b |
#include "forward.h" |
6fbf66fa |
#include "memdbg.h"
|
1406db55 |
const int proto_overhead[] = { /* indexed by PROTO_x */ |
8335caf9 |
0,
IPv4_UDP_HEADER_SIZE, /* IPv4 */ |
1406db55 |
IPv4_TCP_HEADER_SIZE,
IPv4_TCP_HEADER_SIZE, |
8335caf9 |
IPv6_UDP_HEADER_SIZE, /* IPv6 */
IPv6_TCP_HEADER_SIZE,
IPv6_TCP_HEADER_SIZE,
IPv6_TCP_HEADER_SIZE, |
1406db55 |
};
|
6fbf66fa |
/* |
8e9666d5 |
* Convert sockflags/getaddr_flags into getaddr_flags
*/
static unsigned int |
86093c1c |
sf2gaf(const unsigned int getaddr_flags, |
8e9666d5 |
const unsigned int sockflags)
{ |
86093c1c |
if (sockflags & SF_HOST_RANDOMIZE)
return getaddr_flags | GETADDR_RANDOMIZE;
else
return getaddr_flags; |
8e9666d5 |
}
/* |
6fbf66fa |
* Functions related to the translation of DNS names to IP addresses.
*/
/*
* Translate IP addr or hostname to in_addr_t.
* If resolve error, try again for
* resolve_retry_seconds seconds.
*/
in_addr_t
getaddr (unsigned int flags, |
f2d6f3bc |
const char *hostname,
int resolve_retry_seconds,
bool *succeeded,
volatile int *signal_received) |
6fbf66fa |
{ |
f2d6f3bc |
struct addrinfo *ai; |
6fbf66fa |
int status; |
076fd3e4 |
status = openvpn_getaddrinfo (flags & ~GETADDR_HOST_ORDER, hostname, NULL,
resolve_retry_seconds, signal_received, AF_INET, &ai); |
f2d6f3bc |
if(status==0) {
struct in_addr ia;
if(succeeded)
*succeeded=true;
ia = ((struct sockaddr_in*)ai->ai_addr)->sin_addr;
freeaddrinfo(ai);
return (flags & GETADDR_HOST_ORDER) ? ntohl (ia.s_addr) : ia.s_addr;
} else {
if(succeeded)
*succeeded =false;
return 0;
} |
6fbf66fa |
}
|
e719a053 |
static inline bool
streqnull (const char* a, const char* b)
{
if (a == NULL && b == NULL)
return true;
else if (a == NULL || b == NULL)
return false;
else
return streq (a, b);
}
/*
get_cached_dns_entry return 0 on success and -1
otherwise. (like getaddrinfo)
*/
static int
get_cached_dns_entry (struct cached_dns_entry* dns_cache,
const char* hostname,
const char* servname,
int ai_family,
int resolve_flags,
struct addrinfo **ai)
{
struct cached_dns_entry *ph;
int flags;
/* Only use flags that are relevant for the structure */
flags = resolve_flags & GETADDR_CACHE_MASK;
for (ph = dns_cache; ph ; ph = ph->next)
{
if (streqnull (ph->hostname, hostname) &&
streqnull (ph->servname, servname) &&
ph->ai_family == ai_family &&
ph->flags == flags)
{
*ai = ph->ai;
return 0;
}
}
return -1;
}
static int
do_preresolve_host (struct context *c,
const char *hostname,
const char *servname,
const int af,
const int flags)
{
struct addrinfo *ai;
int status;
if (get_cached_dns_entry(c->c1.dns_cache,
hostname,
servname,
af,
flags,
&ai) == 0 )
{
/* entry already cached, return success */
return 0;
}
status = openvpn_getaddrinfo (flags, hostname, servname,
c->options.resolve_retry_seconds, NULL,
af, &ai);
if (status == 0)
{
struct cached_dns_entry *ph;
ALLOC_OBJ_CLEAR_GC (ph, struct cached_dns_entry, &c->gc);
ph->ai = ai;
ph->hostname = hostname;
ph->servname = servname;
ph->flags = flags & GETADDR_CACHE_MASK;
if (!c->c1.dns_cache)
c->c1.dns_cache = ph;
else
{
struct cached_dns_entry *prev = c->c1.dns_cache;
while (prev->next)
prev = prev->next;
prev->next = ph;
}
gc_addspecial (ai, &gc_freeaddrinfo_callback, &c->gc);
}
return status;
}
void
do_preresolve (struct context *c)
{
int i;
struct connection_list *l = c->options.connection_list;
const unsigned int preresolve_flags = GETADDR_RESOLVE|
GETADDR_UPDATE_MANAGEMENT_STATE|
GETADDR_MENTION_RESOLVE_RETRY|
GETADDR_FATAL;
for (i = 0; i < l->len; ++i)
{
int status;
const char *remote;
int flags = preresolve_flags;
struct connection_entry* ce = c->options.connection_list->array[i];
if (proto_is_dgram(ce->proto))
flags |= GETADDR_DATAGRAM;
if (c->options.sockflags & SF_HOST_RANDOMIZE)
flags |= GETADDR_RANDOMIZE;
if (c->options.ip_remote_hint)
remote = c->options.ip_remote_hint;
else
remote = ce->remote;
/* HTTP remote hostname does not need to be resolved */
if (! ce->http_proxy_options)
{
status = do_preresolve_host (c, remote, ce->remote_port, ce->af, flags);
if (status != 0)
goto err;
}
/* Preresolve proxy */
if (ce->http_proxy_options)
{
status = do_preresolve_host (c,
ce->http_proxy_options->server,
ce->http_proxy_options->port,
ce->af,
preresolve_flags);
if (status != 0)
goto err;
}
if (ce->socks_proxy_server)
{
status = do_preresolve_host (c,
ce->socks_proxy_server,
ce->socks_proxy_port,
ce->af,
flags);
if (status != 0)
goto err;
}
if (ce->bind_local)
{
flags |= GETADDR_PASSIVE;
flags &= ~GETADDR_RANDOMIZE;
status = do_preresolve_host (c, ce->local, ce->local_port, ce->af, flags);
if (status != 0)
goto err;
}
}
return;
err:
throw_signal_soft (SIGHUP, "Preresolving failed");
} |
f2d6f3bc |
|
ea93a078 |
/* |
f2d6f3bc |
* Translate IPv4/IPv6 addr or hostname into struct addrinfo
* If resolve error, try again for resolve_retry_seconds seconds. |
ea93a078 |
*/ |
f2d6f3bc |
int
openvpn_getaddrinfo (unsigned int flags,
const char *hostname, |
076fd3e4 |
const char *servname, |
f2d6f3bc |
int resolve_retry_seconds,
volatile int *signal_received,
int ai_family,
struct addrinfo **res) |
ea93a078 |
{ |
f2d6f3bc |
struct addrinfo hints; |
ea93a078 |
int status;
int sigrec = 0;
int msglevel = (flags & GETADDR_FATAL) ? M_FATAL : D_RESOLVE_ERRORS;
struct gc_arena gc = gc_new (); |
076fd3e4 |
const char *print_hostname;
const char *print_servname; |
ea93a078 |
|
f2d6f3bc |
ASSERT(res);
|
076fd3e4 |
ASSERT (hostname || servname);
ASSERT (!(flags & GETADDR_HOST_ORDER));
|
23d61c56 |
if (hostname && (flags & GETADDR_RANDOMIZE))
hostname = hostname_randomize(hostname, &gc);
|
076fd3e4 |
if(hostname)
print_hostname = hostname;
else
print_hostname = "undefined";
if(servname)
print_servname = servname;
else
print_servname = "";
|
ea93a078 |
if (flags & GETADDR_MSG_VIRT_OUT)
msglevel |= M_MSG_VIRT_OUT;
if ((flags & (GETADDR_FATAL_ON_SIGNAL|GETADDR_WARN_ON_SIGNAL))
&& !signal_received)
signal_received = &sigrec;
/* try numeric ipv6 addr first */
CLEAR(hints); |
f2d6f3bc |
hints.ai_family = ai_family; |
ea93a078 |
hints.ai_flags = AI_NUMERICHOST; |
97ba084b |
|
076fd3e4 |
if(flags & GETADDR_PASSIVE)
hints.ai_flags |= AI_PASSIVE;
|
23d61c56 |
if(flags & GETADDR_DATAGRAM)
hints.ai_socktype = SOCK_DGRAM;
else
hints.ai_socktype = SOCK_STREAM;
|
076fd3e4 |
status = getaddrinfo(hostname, servname, &hints, res); |
ea93a078 |
|
f2d6f3bc |
if (status != 0) /* parse as numeric address failed? */ |
ea93a078 |
{
const int fail_wait_interval = 5; /* seconds */ |
23d61c56 |
/* Add +4 to cause integer division rounding up (1 + 4) = 5, (0+4)/5=0 */
int resolve_retries = (flags & GETADDR_TRY_ONCE) ? 1 :
((resolve_retry_seconds + 4)/ fail_wait_interval); |
ea93a078 |
const char *fmt;
int level = 0;
|
aa162d44 |
fmt = "RESOLVE: Cannot resolve host address: %s:%s (%s)"; |
ea93a078 |
if ((flags & GETADDR_MENTION_RESOLVE_RETRY) |
f2d6f3bc |
&& !resolve_retry_seconds) |
aa162d44 |
fmt = "RESOLVE: Cannot resolve host address: %s:%s (%s) (I would have retried this name query if you had specified the --resolv-retry option.)"; |
ea93a078 |
if (!(flags & GETADDR_RESOLVE) || status == EAI_FAIL) |
f2d6f3bc |
{ |
aa162d44 |
msg (msglevel, "RESOLVE: Cannot parse IP address: %s:%s (%s)",
print_hostname,print_servname, gai_strerror(status)); |
f2d6f3bc |
goto done;
} |
ea93a078 |
#ifdef ENABLE_MANAGEMENT
if (flags & GETADDR_UPDATE_MANAGEMENT_STATE) |
f2d6f3bc |
{
if (management)
management_set_state (management,
OPENVPN_STATE_RESOLVE,
NULL, |
2191c471 |
NULL,
NULL,
NULL,
NULL); |
f2d6f3bc |
} |
ea93a078 |
#endif
/*
* Resolve hostname
*/
while (true) |
f2d6f3bc |
{ |
288a819a |
#ifndef WIN32
res_init ();
#endif |
f2d6f3bc |
/* try hostname lookup */ |
076fd3e4 |
hints.ai_flags &= ~AI_NUMERICHOST; |
f2d6f3bc |
dmsg (D_SOCKET_DEBUG, "GETADDRINFO flags=0x%04x ai_family=%d ai_socktype=%d",
flags, hints.ai_family, hints.ai_socktype); |
076fd3e4 |
status = getaddrinfo(hostname, servname, &hints, res); |
6d1b80bd |
|
f2d6f3bc |
if (signal_received)
{
get_signal (signal_received);
if (*signal_received) /* were we interrupted by a signal? */
{
if (*signal_received == SIGUSR1) /* ignore SIGUSR1 */
{
msg (level, "RESOLVE: Ignored SIGUSR1 signal received during DNS resolution attempt");
*signal_received = 0;
}
else |
282788a8 |
{ |
5f6c01ea |
/* turn success into failure (interrupted syscall) */ |
282788a8 |
if (0 == status) {
ASSERT(res);
freeaddrinfo(*res); |
5f6c01ea |
*res = NULL; |
8ceb9619 |
status = EAI_AGAIN; /* = temporary failure */ |
5f6c01ea |
errno = EINTR; |
282788a8 |
}
goto done;
} |
f2d6f3bc |
}
} |
ea93a078 |
|
f2d6f3bc |
/* success? */
if (0 == status)
break; |
ea93a078 |
|
f2d6f3bc |
/* resolve lookup failed, should we
continue or fail? */
level = msglevel;
if (resolve_retries > 0)
level = D_RESOLVE_ERRORS; |
ea93a078 |
|
f2d6f3bc |
msg (level,
fmt, |
076fd3e4 |
print_hostname,
print_servname, |
f2d6f3bc |
gai_strerror(status));
if (--resolve_retries <= 0)
goto done; |
ea93a078 |
|
f2d6f3bc |
openvpn_sleep (fail_wait_interval); |
ea93a078 |
}
|
f2d6f3bc |
ASSERT(res); |
ea93a078 |
/* hostname resolve succeeded */ |
f2d6f3bc |
|
23d61c56 |
/*
* Do not choose an IP Addresse by random or change the order * |
f2d6f3bc |
* of IP addresses, doing so will break RFC 3484 address selection *
*/ |
ea93a078 |
}
else
{
/* IP address parse succeeded */
}
done:
if (signal_received && *signal_received)
{
int level = 0;
if (flags & GETADDR_FATAL_ON_SIGNAL) |
f2d6f3bc |
level = M_FATAL; |
ea93a078 |
else if (flags & GETADDR_WARN_ON_SIGNAL) |
f2d6f3bc |
level = M_WARN; |
ea93a078 |
msg (level, "RESOLVE: signal received during DNS resolution attempt");
}
gc_free (&gc); |
f2d6f3bc |
return status; |
ea93a078 |
}
|
6fbf66fa |
/*
* We do our own inet_aton because the glibc function
* isn't very good about error checking.
*/
int
openvpn_inet_aton (const char *dotted_quad, struct in_addr *addr)
{
unsigned int a, b, c, d;
CLEAR (*addr);
if (sscanf (dotted_quad, "%u.%u.%u.%u", &a, &b, &c, &d) == 4)
{
if (a < 256 && b < 256 && c < 256 && d < 256)
{
addr->s_addr = htonl (a<<24 | b<<16 | c<<8 | d);
return OIA_IP; /* good dotted quad */
}
}
if (string_class (dotted_quad, CC_DIGIT|CC_DOT, 0))
return OIA_ERROR; /* probably a badly formatted dotted quad */
else
return OIA_HOSTNAME; /* probably a hostname */
}
|
b4073a76 |
bool
ip_addr_dotted_quad_safe (const char *dotted_quad)
{
/* verify non-NULL */
if (!dotted_quad)
return false;
/* verify length is within limits */
if (strlen (dotted_quad) > 15)
return false;
/* verify that all chars are either numeric or '.' and that no numeric
substring is greater than 3 chars */
{
int nnum = 0;
const char *p = dotted_quad;
int c;
while ((c = *p++))
{
if (c >= '0' && c <= '9')
{
++nnum;
if (nnum > 3)
return false;
}
else if (c == '.')
{
nnum = 0;
}
else
return false;
}
}
/* verify that string will convert to IP address */
{
struct in_addr a;
return openvpn_inet_aton (dotted_quad, &a) == OIA_IP;
}
}
|
512cda46 |
bool
ipv6_addr_safe (const char *ipv6_text_addr)
{
/* verify non-NULL */
if (!ipv6_text_addr)
return false;
/* verify length is within limits */
if (strlen (ipv6_text_addr) > INET6_ADDRSTRLEN )
return false;
/* verify that string will convert to IPv6 address */
{
struct in6_addr a6;
return inet_pton( AF_INET6, ipv6_text_addr, &a6 ) == 1;
}
}
|
b4b5c311 |
static bool
dns_addr_safe (const char *addr)
{
if (addr)
{
const size_t len = strlen (addr);
return len > 0 && len <= 255 && string_class (addr, CC_ALNUM|CC_DASH|CC_DOT, 0);
}
else
return false;
}
|
0a838de8 |
bool |
b4b5c311 |
ip_or_dns_addr_safe (const char *addr, const bool allow_fqdn) |
0a838de8 |
{ |
b4b5c311 |
if (ip_addr_dotted_quad_safe (addr)) |
0a838de8 |
return true;
else if (allow_fqdn) |
b4b5c311 |
return dns_addr_safe (addr); |
0a838de8 |
else
return false;
}
|
6e2c457d |
bool
mac_addr_safe (const char *mac_addr)
{
/* verify non-NULL */
if (!mac_addr)
return false;
/* verify length is within limits */
if (strlen (mac_addr) > 17)
return false;
/* verify that all chars are either alphanumeric or ':' and that no
alphanumeric substring is greater than 2 chars */
{
int nnum = 0;
const char *p = mac_addr;
int c;
while ((c = *p++))
{
if ( (c >= '0' && c <= '9') || (c >= 'a' && c <= 'f') || (c >= 'A' && c <= 'F') )
{
++nnum;
if (nnum > 2)
return false;
}
else if (c == ':')
{
nnum = 0;
}
else
return false;
}
}
/* error-checking is left to script invoked in lladdr.c */
return true;
}
|
6fbf66fa |
static int
socket_get_sndbuf (int sd)
{
#if defined(HAVE_GETSOCKOPT) && defined(SOL_SOCKET) && defined(SO_SNDBUF)
int val;
socklen_t len;
len = sizeof (val);
if (getsockopt (sd, SOL_SOCKET, SO_SNDBUF, (void *) &val, &len) == 0
&& len == sizeof (val))
return val;
#endif
return 0;
}
static void
socket_set_sndbuf (int sd, int size)
{
#if defined(HAVE_SETSOCKOPT) && defined(SOL_SOCKET) && defined(SO_SNDBUF) |
f0b64e5d |
if (setsockopt (sd, SOL_SOCKET, SO_SNDBUF, (void *) &size, sizeof (size)) != 0) |
6fbf66fa |
{ |
f0b64e5d |
msg (M_WARN, "NOTE: setsockopt SO_SNDBUF=%d failed", size); |
6fbf66fa |
}
#endif
}
static int
socket_get_rcvbuf (int sd)
{
#if defined(HAVE_GETSOCKOPT) && defined(SOL_SOCKET) && defined(SO_RCVBUF)
int val;
socklen_t len;
len = sizeof (val);
if (getsockopt (sd, SOL_SOCKET, SO_RCVBUF, (void *) &val, &len) == 0
&& len == sizeof (val))
return val;
#endif
return 0;
}
static bool
socket_set_rcvbuf (int sd, int size)
{
#if defined(HAVE_SETSOCKOPT) && defined(SOL_SOCKET) && defined(SO_RCVBUF) |
f0b64e5d |
if (setsockopt (sd, SOL_SOCKET, SO_RCVBUF, (void *) &size, sizeof (size)) != 0) |
6fbf66fa |
{ |
f0b64e5d |
msg (M_WARN, "NOTE: setsockopt SO_RCVBUF=%d failed", size);
return false; |
6fbf66fa |
}
return true;
#endif
}
static void
socket_set_buffers (int fd, const struct socket_buffer_size *sbs)
{
if (sbs)
{
const int sndbuf_old = socket_get_sndbuf (fd);
const int rcvbuf_old = socket_get_rcvbuf (fd);
if (sbs->sndbuf)
socket_set_sndbuf (fd, sbs->sndbuf);
if (sbs->rcvbuf)
socket_set_rcvbuf (fd, sbs->rcvbuf);
msg (D_OSBUF, "Socket Buffers: R=[%d->%d] S=[%d->%d]",
rcvbuf_old,
socket_get_rcvbuf (fd),
sndbuf_old,
socket_get_sndbuf (fd));
}
}
/* |
00d39170 |
* Set other socket options
*/
static bool
socket_set_tcp_nodelay (int sd, int state)
{ |
8db6234d |
#if defined(WIN32) || (defined(HAVE_SETSOCKOPT) && defined(IPPROTO_TCP) && defined(TCP_NODELAY)) |
00d39170 |
if (setsockopt (sd, IPPROTO_TCP, TCP_NODELAY, (void *) &state, sizeof (state)) != 0)
{
msg (M_WARN, "NOTE: setsockopt TCP_NODELAY=%d failed", state);
return false;
}
else
{
dmsg (D_OSBUF, "Socket flags: TCP_NODELAY=%d succeeded", state);
return true;
}
#else
msg (M_WARN, "NOTE: setsockopt TCP_NODELAY=%d failed (No kernel support)", state);
return false;
#endif
}
|
032f0045 |
static inline void |
d90428d1 |
socket_set_mark (int sd, int mark)
{ |
51bd56f4 |
#if defined(TARGET_LINUX) && HAVE_DECL_SO_MARK |
a2466d9e |
if (mark && setsockopt (sd, SOL_SOCKET, SO_MARK, (void *) &mark, sizeof (mark)) != 0) |
d90428d1 |
msg (M_WARN, "NOTE: setsockopt SO_MARK=%d failed", mark);
#endif
}
|
00d39170 |
static bool
socket_set_flags (int sd, unsigned int sockflags)
{
if (sockflags & SF_TCP_NODELAY)
return socket_set_tcp_nodelay (sd, 1);
else
return true;
}
bool
link_socket_update_flags (struct link_socket *ls, unsigned int sockflags)
{
if (ls && socket_defined (ls->sd))
return socket_set_flags (ls->sd, ls->sockflags = sockflags);
else
return false;
}
void
link_socket_update_buffer_sizes (struct link_socket *ls, int rcvbuf, int sndbuf)
{
if (ls && socket_defined (ls->sd))
{
ls->socket_buffer_sizes.sndbuf = sndbuf;
ls->socket_buffer_sizes.rcvbuf = rcvbuf;
socket_set_buffers (ls->sd, &ls->socket_buffer_sizes);
}
}
/* |
6fbf66fa |
* SOCKET INITALIZATION CODE.
* Create a TCP/UDP socket
*/
socket_descriptor_t |
7dbe04de |
create_socket_tcp (struct addrinfo* addrinfo) |
6fbf66fa |
{
socket_descriptor_t sd;
|
7dbe04de |
ASSERT (addrinfo);
ASSERT (addrinfo->ai_socktype == SOCK_STREAM);
if ((sd = socket (addrinfo->ai_family, addrinfo->ai_socktype, addrinfo->ai_protocol)) < 0) |
910675de |
msg (M_ERR, "Cannot create TCP socket"); |
6fbf66fa |
|
7d770f1e |
#ifndef WIN32 /* using SO_REUSEADDR on Windows will cause bind to succeed on port conflicts! */ |
6fbf66fa |
/* set SO_REUSEADDR on socket */
{
int on = 1;
if (setsockopt (sd, SOL_SOCKET, SO_REUSEADDR,
(void *) &on, sizeof (on)) < 0) |
910675de |
msg (M_ERR, "TCP: Cannot setsockopt SO_REUSEADDR on TCP socket"); |
6fbf66fa |
} |
7d770f1e |
#endif |
6fbf66fa |
return sd;
}
static socket_descriptor_t |
7dbe04de |
create_socket_udp (struct addrinfo* addrinfo, const unsigned int flags) |
6fbf66fa |
{
socket_descriptor_t sd;
|
7dbe04de |
ASSERT (addrinfo);
ASSERT (addrinfo->ai_socktype == SOCK_DGRAM);
if ((sd = socket (addrinfo->ai_family, addrinfo->ai_socktype, addrinfo->ai_protocol)) < 0) |
23d61c56 |
msg (M_ERR, "UDP: Cannot create UDP/UDP6 socket"); |
8bc93d7f |
#if ENABLE_IP_PKTINFO
else if (flags & SF_USE_IP_PKTINFO)
{
int pad = 1; |
7dbe04de |
if(addrinfo->ai_family == AF_INET) |
23d61c56 |
{ |
d3774cdf |
#ifdef IP_PKTINFO |
23d61c56 |
if (setsockopt (sd, SOL_IP, IP_PKTINFO,
(void*)&pad, sizeof(pad)) < 0)
msg(M_ERR, "UDP: failed setsockopt for IP_PKTINFO"); |
d3774cdf |
#elif defined(IP_RECVDSTADDR) |
23d61c56 |
if (setsockopt (sd, IPPROTO_IP, IP_RECVDSTADDR,
(void*)&pad, sizeof(pad)) < 0)
msg(M_ERR, "UDP: failed setsockopt for IP_RECVDSTADDR"); |
d3774cdf |
#else
#error ENABLE_IP_PKTINFO is set without IP_PKTINFO xor IP_RECVDSTADDR (fix syshead.h)
#endif |
23d61c56 |
} |
7dbe04de |
else if (addrinfo->ai_family == AF_INET6 ) |
23d61c56 |
{ |
fe8a7f0c |
#ifndef IPV6_RECVPKTINFO /* Some older Darwin platforms require this */ |
23d61c56 |
if (setsockopt (sd, IPPROTO_IPV6, IPV6_PKTINFO,
(void*)&pad, sizeof(pad)) < 0) |
fe8a7f0c |
#else |
23d61c56 |
if (setsockopt (sd, IPPROTO_IPV6, IPV6_RECVPKTINFO,
(void*)&pad, sizeof(pad)) < 0) |
fe8a7f0c |
#endif |
23d61c56 |
msg(M_ERR, "UDP: failed setsockopt for IPV6_RECVPKTINFO");
} |
8335caf9 |
}
#endif
return sd;
}
|
7dbe04de |
static void bind_local (struct link_socket *sock, const sa_family_t ai_family) |
6fbf66fa |
{ |
7dbe04de |
/* bind to local address/port */
if (sock->bind_local)
{
if (sock->socks_proxy && sock->info.proto == PROTO_UDP)
socket_bind (sock->ctrl_sd, sock->info.lsa->bind_local,
ai_family, "SOCKS", false);
else
socket_bind (sock->sd, sock->info.lsa->bind_local,
ai_family,
"TCP/UDP", sock->info.bind_ipv6_only);
}
} |
23d61c56 |
|
7dbe04de |
static void
create_socket (struct link_socket* sock, struct addrinfo* addr)
{ |
891636cb |
if (addr->ai_protocol == IPPROTO_UDP || addr->ai_socktype == SOCK_DGRAM) |
6fbf66fa |
{ |
7dbe04de |
sock->sd = create_socket_udp (addr, sock->sockflags); |
6d1b80bd |
sock->sockflags |= SF_GETADDRINFO_DGRAM; |
6fbf66fa |
|
7dbe04de |
/* Assume that control socket and data socket to the socks proxy
* are using the same IP family */ |
6fbf66fa |
if (sock->socks_proxy) |
7dbe04de |
{
/* Construct a temporary addrinfo to create the socket,
* currently resolve two remote addresses is not supported,
* TODO: Rewrite the whole resolve_remote */
struct addrinfo addrinfo_tmp = *addr;
addrinfo_tmp.ai_socktype = SOCK_STREAM;
addrinfo_tmp.ai_protocol = IPPROTO_TCP;
sock->ctrl_sd = create_socket_tcp (&addrinfo_tmp);
} |
6fbf66fa |
} |
891636cb |
else if (addr->ai_protocol == IPPROTO_TCP || addr->ai_socktype == SOCK_STREAM) |
8335caf9 |
{ |
7dbe04de |
sock->sd = create_socket_tcp (addr); |
8335caf9 |
} |
6fbf66fa |
else
{
ASSERT (0);
} |
23d61c56 |
/* set socket buffers based on --sndbuf and --rcvbuf options */
socket_set_buffers (sock->sd, &sock->socket_buffer_sizes);
/* set socket to --mark packets with given value */
socket_set_mark (sock->sd, sock->mark); |
7dbe04de |
bind_local (sock, addr->ai_family); |
51187871 |
} |
23d61c56 |
|
a55b3cdb |
#ifdef TARGET_ANDROID |
51187871 |
static void protect_fd_nonlocal (int fd, const struct sockaddr* addr)
{ |
a55b3cdb |
/* pass socket FD to management interface to pass on to VPNService API
* as "protected socket" (exempt from being routed into tunnel)
*/ |
51187871 |
if (addr_local (addr)) { |
acd487d0 |
msg(D_SOCKET_DEBUG, "Address is local, not protecting socket fd %d", fd); |
51187871 |
return;
} |
a55b3cdb |
|
acd487d0 |
msg(D_SOCKET_DEBUG, "Protecting socket fd %d", fd); |
51187871 |
management->connection.fdtosend = fd; |
a55b3cdb |
management_android_control (management, "PROTECTFD", __func__); |
6fbf66fa |
} |
51187871 |
#endif |
6fbf66fa |
/*
* Functions used for establishing a TCP stream connection.
*/
static void
socket_do_listen (socket_descriptor_t sd, |
1ba6f427 |
const struct addrinfo *local, |
6fbf66fa |
bool do_listen,
bool do_set_nonblock)
{
struct gc_arena gc = gc_new ();
if (do_listen)
{ |
1ba6f427 |
ASSERT(local); |
6fbf66fa |
msg (M_INFO, "Listening for incoming TCP connection on %s", |
1ba6f427 |
print_sockaddr (local->ai_addr, &gc)); |
6fbf66fa |
if (listen (sd, 1)) |
910675de |
msg (M_ERR, "TCP: listen() failed"); |
6fbf66fa |
}
/* set socket to non-blocking mode */
if (do_set_nonblock)
set_nonblock (sd);
gc_free (&gc);
}
socket_descriptor_t
socket_do_accept (socket_descriptor_t sd, |
8bc93d7f |
struct link_socket_actual *act, |
6fbf66fa |
const bool nowait)
{ |
8335caf9 |
/* af_addr_size WILL return 0 in this case if AFs other than AF_INET
* are compiled because act is empty here.
* could use getsockname() to support later remote_len check
*/
socklen_t remote_len_af = af_addr_size(act->dest.addr.sa.sa_family);
socklen_t remote_len = sizeof(act->dest.addr); |
6fbf66fa |
socket_descriptor_t new_sd = SOCKET_UNDEFINED;
|
8bc93d7f |
CLEAR (*act);
|
6fbf66fa |
#ifdef HAVE_GETPEERNAME
if (nowait)
{ |
8335caf9 |
new_sd = getpeername (sd, &act->dest.addr.sa, &remote_len); |
6fbf66fa |
if (!socket_defined (new_sd)) |
910675de |
msg (D_LINK_ERRORS | M_ERRNO, "TCP: getpeername() failed"); |
6fbf66fa |
else
new_sd = sd;
}
#else
if (nowait)
msg (M_WARN, "TCP: this OS does not provide the getpeername() function");
#endif
else
{ |
8335caf9 |
new_sd = accept (sd, &act->dest.addr.sa, &remote_len); |
6fbf66fa |
}
|
e8c1720d |
#if 0 /* For debugging only, test the effect of accept() failures */
{
static int foo = 0;
++foo;
if (foo & 1)
new_sd = -1;
}
#endif
|
6fbf66fa |
if (!socket_defined (new_sd))
{ |
910675de |
msg (D_LINK_ERRORS | M_ERRNO, "TCP: accept(%d) failed", sd); |
6fbf66fa |
} |
8335caf9 |
/* only valid if we have remote_len_af!=0 */
else if (remote_len_af && remote_len != remote_len_af) |
6fbf66fa |
{
msg (D_LINK_ERRORS, "TCP: Received strange incoming connection with unknown address length=%d", remote_len);
openvpn_close_socket (new_sd);
new_sd = SOCKET_UNDEFINED;
}
return new_sd;
}
static void |
8bc93d7f |
tcp_connection_established (const struct link_socket_actual *act) |
6fbf66fa |
{
struct gc_arena gc = gc_new ();
msg (M_INFO, "TCP connection established with %s", |
8bc93d7f |
print_link_socket_actual (act, &gc)); |
6fbf66fa |
gc_free (&gc);
}
static int
socket_listen_accept (socket_descriptor_t sd, |
8bc93d7f |
struct link_socket_actual *act, |
6fbf66fa |
const char *remote_dynamic, |
23d61c56 |
const struct addrinfo *local, |
6fbf66fa |
bool do_listen,
bool nowait,
volatile int *signal_received)
{
struct gc_arena gc = gc_new (); |
4e75b2e8 |
/* struct openvpn_sockaddr *remote = &act->dest; */ |
8bc93d7f |
struct openvpn_sockaddr remote_verify = act->dest; |
6fbf66fa |
int new_sd = SOCKET_UNDEFINED;
|
8bc93d7f |
CLEAR (*act); |
1ba6f427 |
socket_do_listen (sd, local, do_listen, true); |
6fbf66fa |
while (true)
{
int status;
fd_set reads;
struct timeval tv;
FD_ZERO (&reads); |
e0b3fd49 |
openvpn_fd_set (sd, &reads); |
6fbf66fa |
tv.tv_sec = 0;
tv.tv_usec = 0;
status = select (sd + 1, &reads, NULL, NULL, &tv);
get_signal (signal_received);
if (*signal_received)
{
gc_free (&gc);
return sd;
}
if (status < 0) |
910675de |
msg (D_LINK_ERRORS | M_ERRNO, "TCP: select() failed"); |
6fbf66fa |
if (status <= 0)
{
openvpn_sleep (1);
continue;
}
|
8bc93d7f |
new_sd = socket_do_accept (sd, act, nowait); |
6fbf66fa |
if (socket_defined (new_sd))
{ |
1ba6f427 |
struct addrinfo* ai = NULL; |
23d61c56 |
if(remote_dynamic)
openvpn_getaddrinfo(0, remote_dynamic, NULL, 1, NULL,
remote_verify.addr.sa.sa_family, &ai);
if(ai && !addrlist_match(&remote_verify, ai))
{
msg (M_WARN,
"TCP NOTE: Rejected connection attempt from %s due to --remote setting",
print_link_socket_actual (act, &gc));
if (openvpn_close_socket (new_sd))
msg (M_ERR, "TCP: close socket failed (new_sd)");
freeaddrinfo(ai);
} |
6fbf66fa |
else |
23d61c56 |
{
if(ai)
freeaddrinfo(ai);
break;
} |
6fbf66fa |
}
openvpn_sleep (1);
}
if (!nowait && openvpn_close_socket (sd)) |
910675de |
msg (M_ERR, "TCP: close socket failed (sd)"); |
6fbf66fa |
|
8bc93d7f |
tcp_connection_established (act); |
6fbf66fa |
gc_free (&gc);
return new_sd;
}
|
188a6515 |
/* older mingw versions and WinXP do not have this define,
* but Vista and up support the functionality - just define it here
*/
#ifdef WIN32
# ifndef IPV6_V6ONLY
# define IPV6_V6ONLY 27
# endif
#endif |
7ef85434 |
void |
04f4b793 |
socket_bind (socket_descriptor_t sd, |
23d61c56 |
struct addrinfo *local,
int ai_family, |
8832c6c4 |
const char *prefix,
bool ipv6only) |
04f4b793 |
{
struct gc_arena gc = gc_new ();
|
23d61c56 |
/* FIXME (schwabe)
* getaddrinfo for the bind address might return multiple AF_INET/AF_INET6
* entries for the requested protocol.
* For example if an address has multiple A records
* What is the correct way to deal with it?
*/
struct addrinfo* cur;
|
8832c6c4 |
ASSERT(local);
|
23d61c56 |
/* find the first addrinfo with correct ai_family */
for (cur = local; cur; cur=cur->ai_next)
{
if(cur->ai_family == ai_family)
break;
}
if (!cur)
msg (M_FATAL, "%s: Socket bind failed: Addr to bind has no %s record",
prefix, addr_family_name(ai_family));
|
8832c6c4 |
if (ai_family == AF_INET6)
{ |
451de0a8 |
int v6only = ipv6only ? 1: 0; /* setsockopt must have an "int" */ |
8832c6c4 |
|
451de0a8 |
msg (M_INFO, "setsockopt(IPV6_V6ONLY=%d)", v6only); |
a2466d9e |
if (setsockopt (sd, IPPROTO_IPV6, IPV6_V6ONLY, (void *) &v6only, sizeof(v6only))) |
8832c6c4 |
{
msg (M_NONFATAL|M_ERRNO, "Setting IPV6_V6ONLY=%d failed", v6only);
}
} |
23d61c56 |
if (bind (sd, cur->ai_addr, cur->ai_addrlen)) |
04f4b793 |
{ |
910675de |
const int errnum = openvpn_errno (); |
7ef85434 |
msg (M_FATAL, "%s: Socket bind failed on local address %s: %s",
prefix, |
23d61c56 |
print_sockaddr_ex (local->ai_addr, ":", PS_SHOW_PORT, &gc), |
04f4b793 |
strerror_ts (errnum, &gc));
}
gc_free (&gc);
}
|
4f404ad3 |
int |
1ae9d051 |
openvpn_connect (socket_descriptor_t sd, |
23d61c56 |
const struct sockaddr *remote, |
1ae9d051 |
int connect_timeout,
volatile int *signal_received)
{
int status = 0;
|
51187871 |
#ifdef TARGET_ANDROID
protect_fd_nonlocal(sd, remote);
#endif
|
1ae9d051 |
#ifdef CONNECT_NONBLOCK
set_nonblock (sd); |
23d61c56 |
status = connect (sd, remote, af_addr_size(remote->sa_family)); |
1ae9d051 |
if (status) |
910675de |
status = openvpn_errno (); |
9081e0ad |
if (
#ifdef WIN32
status == WSAEWOULDBLOCK
#else
status == EINPROGRESS
#endif
) |
1ae9d051 |
{
while (true)
{ |
007738e9 |
#if POLL
struct pollfd fds[1];
fds[0].fd = sd;
fds[0].events = POLLOUT;
status = poll(fds, 1, 0);
#else |
1ae9d051 |
fd_set writes;
struct timeval tv;
FD_ZERO (&writes); |
e0b3fd49 |
openvpn_fd_set (sd, &writes); |
1ae9d051 |
tv.tv_sec = 0;
tv.tv_usec = 0;
status = select (sd + 1, NULL, &writes, NULL, &tv); |
007738e9 |
#endif |
6add6b2f |
if (signal_received) |
1ae9d051 |
{ |
6add6b2f |
get_signal (signal_received);
if (*signal_received)
{
status = 0;
break;
} |
1ae9d051 |
}
if (status < 0)
{ |
910675de |
status = openvpn_errno (); |
1ae9d051 |
break;
}
if (status <= 0)
{
if (--connect_timeout < 0)
{ |
5f5229e4 |
#ifdef WIN32
status = WSAETIMEDOUT;
#else |
1ae9d051 |
status = ETIMEDOUT; |
5f5229e4 |
#endif |
1ae9d051 |
break;
}
openvpn_sleep (1);
continue;
}
/* got it */
{
int val = 0;
socklen_t len;
len = sizeof (val);
if (getsockopt (sd, SOL_SOCKET, SO_ERROR, (void *) &val, &len) == 0
&& len == sizeof (val))
status = val;
else |
910675de |
status = openvpn_errno (); |
1ae9d051 |
break;
}
}
}
#else |
188a6515 |
status = connect (sd, remote, af_addr_size(remote->sa_family)); |
1ae9d051 |
if (status) |
910675de |
status = openvpn_errno (); |
1ae9d051 |
#endif
return status;
}
|
23d61c56 |
void set_actual_address (struct link_socket_actual* actual, struct addrinfo* ai)
{
CLEAR (*actual);
ASSERT (ai);
if (ai->ai_family == AF_INET)
actual->dest.addr.in4 =
*((struct sockaddr_in*) ai->ai_addr);
else if (ai->ai_family == AF_INET6)
actual->dest.addr.in6 =
*((struct sockaddr_in6*) ai->ai_addr);
else
ASSERT(0);
}
|
4f404ad3 |
void |
7dbe04de |
socket_connect (socket_descriptor_t* sd,
const struct sockaddr* dest, |
23d61c56 |
const int connect_timeout,
struct signal_info* sig_info) |
6fbf66fa |
{
struct gc_arena gc = gc_new (); |
23d61c56 |
int status; |
6fbf66fa |
|
1ae9d051 |
#ifdef CONNECT_NONBLOCK |
23d61c56 |
msg (M_INFO, "Attempting to establish TCP connection with %s [nonblock]",
print_sockaddr (dest, &gc)); |
1ae9d051 |
#else |
23d61c56 |
msg (M_INFO, "Attempting to establish TCP connection with %s",
print_sockaddr (dest, &gc)); |
1ae9d051 |
#endif
|
e482a632 |
#ifdef ENABLE_MANAGEMENT |
23d61c56 |
if (management) |
e482a632 |
management_set_state (management,
OPENVPN_STATE_TCP_CONNECT,
NULL, |
2191c471 |
NULL,
NULL,
NULL,
NULL); |
e482a632 |
#endif
|
23d61c56 |
/* Set the actual address */
status = openvpn_connect (*sd, dest, connect_timeout, &sig_info->signal_received); |
a17f6969 |
|
23d61c56 |
get_signal (&sig_info->signal_received);
if (sig_info->signal_received) |
a17f6969 |
goto done;
|
23d61c56 |
if (status) { |
97549c67 |
|
23d61c56 |
msg (D_LINK_ERRORS,
"TCP: connect to %s failed: %s",
print_sockaddr (dest, &gc),
strerror_ts (status, &gc)); |
6fbf66fa |
|
23d61c56 |
openvpn_close_socket (*sd);
*sd = SOCKET_UNDEFINED;
sig_info->signal_received = SIGUSR1;
sig_info->source = SIG_SOURCE_CONNECTION_FAILED;
} else {
msg (M_INFO, "TCP connection established with %s",
print_sockaddr (dest, &gc));
} |
6fbf66fa |
done:
gc_free (&gc);
}
/* For stream protocols, allocate a buffer to build up packet.
Called after frame has been finalized. */
static void
socket_frame_init (const struct frame *frame, struct link_socket *sock)
{
#ifdef WIN32
overlapped_io_init (&sock->reads, frame, FALSE, false);
overlapped_io_init (&sock->writes, frame, TRUE, false);
sock->rw_handle.read = sock->reads.overlapped.hEvent;
sock->rw_handle.write = sock->writes.overlapped.hEvent;
#endif
if (link_socket_connection_oriented (sock))
{
#ifdef WIN32 |
dc46c067 |
stream_buf_init (&sock->stream_buf,
&sock->reads.buf_init,
sock->sockflags,
sock->info.proto); |
6fbf66fa |
#else
alloc_buf_sock_tun (&sock->stream_buf_data,
frame,
false,
FRAME_HEADROOM_MARKER_READ_STREAM); |
dc46c067 |
stream_buf_init (&sock->stream_buf,
&sock->stream_buf_data,
sock->sockflags,
sock->info.proto); |
6fbf66fa |
#endif
}
}
/*
* Adjust frame structure based on a Path MTU value given
* to us by the OS.
*/
void
frame_adjust_path_mtu (struct frame *frame, int pmtu, int proto)
{
frame_set_mtu_dynamic (frame, pmtu - datagram_overhead (proto), SET_MTU_UPPER_BOUND);
}
static void |
23d61c56 |
resolve_bind_local (struct link_socket *sock, const sa_family_t af) |
6fbf66fa |
{
struct gc_arena gc = gc_new ();
/* resolve local address if undefined */ |
23d61c56 |
if (!sock->info.lsa->bind_local) |
d9c04efc |
{ |
23d61c56 |
int flags = GETADDR_RESOLVE | GETADDR_WARN_ON_SIGNAL |
GETADDR_FATAL | GETADDR_PASSIVE; |
076fd3e4 |
int status; |
23d61c56 |
if(proto_is_dgram(sock->info.proto))
flags |= GETADDR_DATAGRAM;
/* will return AF_{INET|INET6}from local_host */ |
e719a053 |
status = get_cached_dns_entry (sock->dns_cache,
sock->local_host,
sock->local_port,
af,
flags,
&sock->info.lsa->bind_local);
if (status)
status = openvpn_getaddrinfo(flags, sock->local_host, sock->local_port, 0, |
23d61c56 |
NULL, af, &sock->info.lsa->bind_local);
if(status !=0) {
msg (M_FATAL, "getaddrinfo() failed for local \"%s:%s\": %s",
sock->local_host, sock->local_port,
gai_strerror(status)); |
076fd3e4 |
} |
6fbf66fa |
} |
076fd3e4 |
|
23d61c56 |
gc_free (&gc);
}
|
6fbf66fa |
static void
resolve_remote (struct link_socket *sock,
int phase,
const char **remote_dynamic,
volatile int *signal_received)
{
struct gc_arena gc = gc_new ();
|
e719a053 |
/* resolve remote address if undefined */
if (!sock->info.lsa->remote_list) |
6fbf66fa |
{ |
e719a053 |
if (sock->remote_host) |
6fbf66fa |
{ |
e719a053 |
unsigned int flags = sf2gaf(GETADDR_RESOLVE|GETADDR_UPDATE_MANAGEMENT_STATE, sock->sockflags);
int retry = 0;
int status = -1;
struct addrinfo* ai;
if (proto_is_dgram(sock->info.proto))
flags |= GETADDR_DATAGRAM;
if (sock->resolve_retry_seconds == RESOLV_RETRY_INFINITE) |
6fbf66fa |
{ |
e719a053 |
if (phase == 2)
flags |= (GETADDR_TRY_ONCE | GETADDR_FATAL);
retry = 0;
}
else if (phase == 1)
{
if (sock->resolve_retry_seconds) |
6fbf66fa |
{
retry = 0;
} |
e719a053 |
else |
6fbf66fa |
{ |
e719a053 |
flags |= (GETADDR_FATAL | GETADDR_MENTION_RESOLVE_RETRY);
retry = 0; |
6fbf66fa |
} |
e719a053 |
}
else if (phase == 2)
{
if (sock->resolve_retry_seconds) |
6fbf66fa |
{ |
e719a053 |
flags |= GETADDR_FATAL;
retry = sock->resolve_retry_seconds; |
6fbf66fa |
}
else
{
ASSERT (0);
} |
e719a053 |
}
else
{
ASSERT (0);
} |
6fbf66fa |
|
e719a053 |
status = get_cached_dns_entry (sock->dns_cache,
sock->remote_host,
sock->remote_port,
sock->info.af,
flags, &ai);
if (status)
status = openvpn_getaddrinfo (flags, sock->remote_host, sock->remote_port,
retry, signal_received, sock->info.af, &ai);
if(status == 0) {
sock->info.lsa->remote_list = ai;
sock->info.lsa->current_remote = ai;
dmsg (D_SOCKET_DEBUG, "RESOLVE_REMOTE flags=0x%04x phase=%d rrs=%d sig=%d status=%d",
flags,
phase,
retry,
signal_received ? *signal_received : -1,
status);
}
if (signal_received)
{
if (*signal_received)
goto done;
} |
f2d6f3bc |
if (status!=0) |
ea93a078 |
{
if (signal_received)
*signal_received = SIGUSR1;
goto done;
} |
6fbf66fa |
} |
e719a053 |
} |
6fbf66fa |
|
e719a053 |
/* should we re-use previous active remote address? */
if (link_socket_actual_defined (&sock->info.lsa->actual))
{
msg (M_INFO, "TCP/UDP: Preserving recently used remote address: %s",
print_link_socket_actual (&sock->info.lsa->actual, &gc));
if (remote_dynamic)
*remote_dynamic = NULL;
}
else
{
CLEAR (sock->info.lsa->actual);
if(sock->info.lsa->current_remote) |
8bc93d7f |
{ |
e719a053 |
set_actual_address (&sock->info.lsa->actual,
sock->info.lsa->current_remote); |
8bc93d7f |
} |
6fbf66fa |
}
done:
gc_free (&gc);
}
|
23d61c56 |
|
6fbf66fa |
struct link_socket *
link_socket_new (void)
{
struct link_socket *sock;
ALLOC_OBJ_CLEAR (sock, struct link_socket);
sock->sd = SOCKET_UNDEFINED;
sock->ctrl_sd = SOCKET_UNDEFINED;
return sock;
}
|
48f1d41a |
void |
6fbf66fa |
link_socket_init_phase1 (struct link_socket *sock,
const char *local_host, |
076fd3e4 |
const char *local_port, |
4e9a51d7 |
const char *remote_host, |
076fd3e4 |
const char *remote_port, |
e719a053 |
struct cached_dns_entry *dns_cache, |
6fbf66fa |
int proto, |
30077d1f |
sa_family_t af, |
8832c6c4 |
bool bind_ipv6_only, |
6fbf66fa |
int mode,
const struct link_socket *accept_from,
struct http_proxy_info *http_proxy,
struct socks_proxy_info *socks_proxy,
#ifdef ENABLE_DEBUG
int gremlin,
#endif
bool bind_local,
bool remote_float,
int inetd,
struct link_socket_addr *lsa,
const char *ipchange_command,
const struct plugin_list *plugins,
int resolve_retry_seconds,
int mtu_discover_type,
int rcvbuf, |
00d39170 |
int sndbuf, |
d90428d1 |
int mark, |
f2134b7b |
struct event_timeout* server_poll_timeout, |
00d39170 |
unsigned int sockflags) |
6fbf66fa |
{
ASSERT (sock);
sock->local_host = local_host;
sock->local_port = local_port; |
4e9a51d7 |
sock->remote_host = remote_host;
sock->remote_port = remote_port; |
e719a053 |
sock->dns_cache = dns_cache; |
6fbf66fa |
sock->http_proxy = http_proxy;
sock->socks_proxy = socks_proxy;
sock->bind_local = bind_local;
sock->inetd = inetd;
sock->resolve_retry_seconds = resolve_retry_seconds;
sock->mtu_discover_type = mtu_discover_type;
#ifdef ENABLE_DEBUG
sock->gremlin = gremlin;
#endif
sock->socket_buffer_sizes.rcvbuf = rcvbuf;
sock->socket_buffer_sizes.sndbuf = sndbuf;
|
00d39170 |
sock->sockflags = sockflags; |
23d61c56 |
sock->mark = mark; |
00d39170 |
|
6fbf66fa |
sock->info.proto = proto; |
30077d1f |
sock->info.af = af; |
6fbf66fa |
sock->info.remote_float = remote_float;
sock->info.lsa = lsa; |
8832c6c4 |
sock->info.bind_ipv6_only = bind_ipv6_only; |
6fbf66fa |
sock->info.ipchange_command = ipchange_command;
sock->info.plugins = plugins; |
f2134b7b |
sock->server_poll_timeout = server_poll_timeout; |
6fbf66fa |
sock->mode = mode;
if (mode == LS_MODE_TCP_ACCEPT_FROM)
{
ASSERT (accept_from); |
30077d1f |
ASSERT (sock->info.proto == PROTO_TCP_SERVER); |
6fbf66fa |
ASSERT (!sock->inetd);
sock->sd = accept_from->sd;
}
/* are we running in HTTP proxy mode? */ |
0e3f8940 |
if (sock->http_proxy) |
6fbf66fa |
{ |
500c16f3 |
ASSERT (sock->info.proto == PROTO_TCP_CLIENT); |
6fbf66fa |
ASSERT (!sock->inetd);
/* the proxy server */
sock->remote_host = http_proxy->options.server;
sock->remote_port = http_proxy->options.port;
/* the OpenVPN server we will use the proxy to connect to */
sock->proxy_dest_host = remote_host;
sock->proxy_dest_port = remote_port;
}
/* or in Socks proxy mode? */
else if (sock->socks_proxy)
{
ASSERT (!sock->inetd);
/* the proxy server */
sock->remote_host = socks_proxy->server;
sock->remote_port = socks_proxy->port;
/* the OpenVPN server we will use the proxy to connect to */
sock->proxy_dest_host = remote_host;
sock->proxy_dest_port = remote_port;
}
else
{
sock->remote_host = remote_host;
sock->remote_port = remote_port;
}
/* bind behavior for TCP server vs. client */ |
500c16f3 |
if (sock->info.proto == PROTO_TCP_SERVER) |
6fbf66fa |
{
if (sock->mode == LS_MODE_TCP_ACCEPT_FROM)
sock->bind_local = false;
else
sock->bind_local = true;
}
/* were we started by inetd or xinetd? */
if (sock->inetd)
{ |
30077d1f |
ASSERT (sock->info.proto != PROTO_TCP_CLIENT); |
6fbf66fa |
ASSERT (socket_defined (inetd_socket_descriptor));
sock->sd = inetd_socket_descriptor;
}
else if (mode != LS_MODE_TCP_ACCEPT_FROM)
{ |
7dbe04de |
if (sock->bind_local) {
resolve_bind_local (sock, sock->info.af);
}
resolve_remote (sock, 1, NULL, NULL); |
48f1d41a |
}
}
static
void phase2_inetd (struct link_socket* sock, const struct frame *frame,
const char *remote_dynamic, volatile int *signal_received)
{
bool remote_changed = false;
if (sock->info.proto == PROTO_TCP_SERVER) {
/* AF_INET as default (and fallback) for inetd */
sock->info.lsa->actual.dest.addr.sa.sa_family = AF_INET;
#ifdef HAVE_GETSOCKNAME
{
/* inetd: hint family type for dest = local's */
struct openvpn_sockaddr local_addr;
socklen_t addrlen = sizeof(local_addr); |
23d61c56 |
if (getsockname (sock->sd, &local_addr.addr.sa, &addrlen) == 0) { |
48f1d41a |
sock->info.lsa->actual.dest.addr.sa.sa_family = local_addr.addr.sa.sa_family;
dmsg (D_SOCKET_DEBUG, "inetd(%s): using sa_family=%d from getsockname(%d)", |
23d61c56 |
proto2ascii(sock->info.proto, sock->info.af, false),
local_addr.addr.sa.sa_family, sock->sd); |
48f1d41a |
} else
msg (M_WARN, "inetd(%s): getsockname(%d) failed, using AF_INET",
proto2ascii(sock->info.proto, sock->info.af, false), sock->sd);
}
#else
msg (M_WARN, "inetd(%s): this OS does not provide the getsockname() "
"function, using AF_INET",
proto2ascii(sock->info.proto, false));
#endif
sock->sd =
socket_listen_accept (sock->sd,
&sock->info.lsa->actual,
remote_dynamic, |
23d61c56 |
sock->info.lsa->bind_local, |
48f1d41a |
false,
sock->inetd == INETD_NOWAIT,
signal_received); |
23d61c56 |
|
48f1d41a |
}
ASSERT (!remote_changed);
} |
2b9b4c8a |
|
48f1d41a |
static void
phase2_set_socket_flags (struct link_socket* sock)
{
/* set misc socket parameters */
socket_set_flags (sock->sd, sock->sockflags);
/* set socket to non-blocking mode */
set_nonblock (sock->sd);
/* set socket file descriptor to not pass across execs, so that
scripts don't have access to it */
set_cloexec (sock->sd);
if (socket_defined (sock->ctrl_sd))
set_cloexec (sock->ctrl_sd);
/* set Path MTU discovery options on the socket */ |
2bed089d |
set_mtu_discover_type (sock->sd, sock->mtu_discover_type, sock->info.af); |
48f1d41a |
#if EXTENDED_SOCKET_ERROR_CAPABILITY
/* if the OS supports it, enable extended error passing on the socket */
set_sock_extended_error_passing (sock->sd);
#endif
} |
2b9b4c8a |
|
d90428d1 |
|
48f1d41a |
static void
linksock_print_addr (struct link_socket *sock)
{
struct gc_arena gc = gc_new ();
const int msglevel = (sock->mode == LS_MODE_TCP_ACCEPT_FROM) ? D_INIT_MEDIUM : M_INFO;
/* print local address */ |
e719a053 |
if (sock->inetd) |
48f1d41a |
msg (msglevel, "%s link local: [inetd]", proto2ascii (sock->info.proto, sock->info.af, true)); |
e719a053 |
else if (sock->bind_local)
{ |
7dbe04de |
sa_family_t ai_family = sock->info.lsa->actual.dest.addr.sa.sa_family;
/* Socket is always bound on the first matching address,
* For bound sockets with no remote addr this is the element of
* the list */ |
e719a053 |
struct addrinfo *cur;
for (cur = sock->info.lsa->bind_local; cur; cur=cur->ai_next)
{ |
7dbe04de |
if(!ai_family || ai_family == cur->ai_family) |
e719a053 |
break;
}
ASSERT (cur);
msg (msglevel, "%s link local (bound): %s", |
48f1d41a |
proto2ascii (sock->info.proto, sock->info.af, true), |
23d61c56 |
print_sockaddr(cur->ai_addr,&gc)); |
e719a053 |
}
else
msg (msglevel, "%s link local: (not bound)",
proto2ascii (sock->info.proto, sock->info.af, true)); |
48f1d41a |
/* print active remote address */
msg (msglevel, "%s link remote: %s", |
e719a053 |
proto2ascii (sock->info.proto, sock->info.af, true),
print_link_socket_actual_ex (&sock->info.lsa->actual,
":",
PS_SHOW_PORT_IF_DEFINED,
&gc)); |
48f1d41a |
gc_free(&gc);
}
static void |
23d61c56 |
phase2_tcp_server (struct link_socket *sock, const char *remote_dynamic,
volatile int *signal_received) |
48f1d41a |
{
switch (sock->mode)
{
case LS_MODE_DEFAULT:
sock->sd = socket_listen_accept (sock->sd,
&sock->info.lsa->actual,
remote_dynamic, |
23d61c56 |
sock->info.lsa->bind_local, |
48f1d41a |
true,
false,
signal_received);
break;
case LS_MODE_TCP_LISTEN:
socket_do_listen (sock->sd, |
1ba6f427 |
sock->info.lsa->bind_local, |
48f1d41a |
true,
false);
break;
case LS_MODE_TCP_ACCEPT_FROM:
sock->sd = socket_do_accept (sock->sd,
&sock->info.lsa->actual,
false);
if (!socket_defined (sock->sd))
{
*signal_received = SIGTERM;
return;
}
tcp_connection_established (&sock->info.lsa->actual);
break;
default:
ASSERT (0); |
6fbf66fa |
}
}
|
48f1d41a |
static void |
23d61c56 |
phase2_tcp_client (struct link_socket *sock, struct signal_info *sig_info) |
48f1d41a |
{ |
23d61c56 |
bool proxy_retry = false;
do {
socket_connect (&sock->sd, |
7dbe04de |
sock->info.lsa->current_remote->ai_addr, |
f2134b7b |
get_server_poll_remaining_time (sock->server_poll_timeout), |
23d61c56 |
sig_info);
if (sig_info->signal_received)
return;
|
0e3f8940 |
if (sock->http_proxy) |
23d61c56 |
{
proxy_retry = establish_http_proxy_passthru (sock->http_proxy,
sock->sd,
sock->proxy_dest_host,
sock->proxy_dest_port, |
f2134b7b |
sock->server_poll_timeout, |
23d61c56 |
&sock->stream_buf.residual,
&sig_info->signal_received);
}
else if (sock->socks_proxy)
{
establish_socks_proxy_passthru (sock->socks_proxy,
sock->sd,
sock->proxy_dest_host,
sock->proxy_dest_port,
&sig_info->signal_received);
}
if (proxy_retry)
{
openvpn_close_socket (sock->sd); |
7dbe04de |
sock->sd = create_socket_tcp (sock->info.lsa->current_remote); |
23d61c56 |
}
} while (proxy_retry);
|
48f1d41a |
}
static void |
23d61c56 |
phase2_socks_client (struct link_socket *sock, struct signal_info *sig_info) |
48f1d41a |
{
socket_connect (&sock->ctrl_sd, |
7dbe04de |
sock->info.lsa->current_remote->ai_addr, |
f2134b7b |
get_server_poll_remaining_time (sock->server_poll_timeout), |
23d61c56 |
sig_info); |
48f1d41a |
|
23d61c56 |
if (sig_info->signal_received) |
48f1d41a |
return;
establish_socks_proxy_udpassoc (sock->socks_proxy,
sock->ctrl_sd,
sock->sd,
&sock->socks_relay.dest, |
23d61c56 |
&sig_info->signal_received); |
48f1d41a |
|
23d61c56 |
if (sig_info->signal_received) |
48f1d41a |
return;
sock->remote_host = sock->proxy_dest_host;
sock->remote_port = sock->proxy_dest_port;
addr_zero_host(&sock->info.lsa->actual.dest); |
23d61c56 |
if (sock->info.lsa->remote_list)
{ |
6c5db192 |
freeaddrinfo(sock->info.lsa->remote_list); |
23d61c56 |
sock->info.lsa->current_remote = NULL;
sock->info.lsa->remote_list = NULL;
} |
48f1d41a |
|
23d61c56 |
resolve_remote (sock, 1, NULL, &sig_info->signal_received); |
48f1d41a |
}
|
6fbf66fa |
/* finalize socket initialization */
void
link_socket_init_phase2 (struct link_socket *sock,
const struct frame *frame, |
23d61c56 |
struct signal_info *sig_info) |
6fbf66fa |
{
const char *remote_dynamic = NULL; |
76a59eae |
int sig_save = 0; |
6fbf66fa |
ASSERT (sock);
|
23d61c56 |
if (sig_info && sig_info->signal_received) |
76a59eae |
{ |
23d61c56 |
sig_save = sig_info->signal_received;
sig_info->signal_received = 0; |
76a59eae |
}
|
6fbf66fa |
/* initialize buffers */
socket_frame_init (frame, sock);
/*
* Pass a remote name to connect/accept so that
* they can test for dynamic IP address changes
* and throw a SIGUSR1 if appropriate.
*/
if (sock->resolve_retry_seconds)
remote_dynamic = sock->remote_host;
/* were we started by inetd or xinetd? */
if (sock->inetd)
{ |
23d61c56 |
phase2_inetd (sock, frame, remote_dynamic, &sig_info->signal_received);
if (sig_info && sig_info->signal_received) |
6fbf66fa |
goto done; |
48f1d41a |
|
6fbf66fa |
}
else
{ |
23d61c56 |
/* Second chance to resolv/create socket */
resolve_remote (sock, 2, &remote_dynamic, &sig_info->signal_received); |
6fbf66fa |
|
7dbe04de |
/* If a valid remote has been found, create the socket with its addrinfo */
if (sock->info.lsa->current_remote)
create_socket (sock, sock->info.lsa->current_remote);
|
23d61c56 |
/* If socket has not already been created create it now */
if (sock->sd == SOCKET_UNDEFINED)
{ |
7dbe04de |
/* If we have no --remote and have still not figured out the
* protocol family to use we will use the first of the bind */ |
45184804 |
|
7dbe04de |
if (sock->bind_local && !sock->remote_host && sock->info.lsa->bind_local) |
23d61c56 |
{ |
7dbe04de |
/* Warn if this is because neither v4 or v6 was specified
* and we should not connect a remote */
if (sock->info.af == AF_UNSPEC) |
ed5d0fe5 |
{
msg (M_WARN, "Could not determine IPv4/IPv6 protocol. Using %s", |
7dbe04de |
addr_family_name(sock->info.lsa->bind_local->ai_family)); |
ed5d0fe5 |
sock->info.af = sock->info.lsa->bind_local->ai_family;
} |
7dbe04de |
create_socket (sock, sock->info.lsa->bind_local); |
23d61c56 |
} |
7dbe04de |
} |
23d61c56 |
|
7dbe04de |
/* Socket still undefined, give a warning and abort connection */
if (sock->sd == SOCKET_UNDEFINED)
{
msg (M_WARN, "Could not determine IPv4/IPv6 protocol");
sig_info->signal_received = SIGUSR1;
goto done; |
23d61c56 |
}
if (sig_info && sig_info->signal_received) |
6fbf66fa |
goto done;
|
30077d1f |
if (sock->info.proto == PROTO_TCP_SERVER) |
6fbf66fa |
{ |
23d61c56 |
phase2_tcp_server (sock, remote_dynamic,
&sig_info->signal_received); |
6fbf66fa |
} |
30077d1f |
else if (sock->info.proto == PROTO_TCP_CLIENT) |
6fbf66fa |
{ |
23d61c56 |
phase2_tcp_client (sock, sig_info); |
f214bb21 |
|
6fbf66fa |
} |
23d61c56 |
else if (sock->info.proto == PROTO_UDP && sock->socks_proxy) |
6fbf66fa |
{ |
23d61c56 |
phase2_socks_client (sock, sig_info); |
48f1d41a |
} |
51187871 |
#ifdef TARGET_ANDROID
if (sock->sd != -1)
protect_fd_nonlocal (sock->sd, &sock->info.lsa->actual.dest.addr.sa);
#endif |
23d61c56 |
if (sig_info && sig_info->signal_received) |
6fbf66fa |
goto done;
}
|
48f1d41a |
phase2_set_socket_flags(sock);
linksock_print_addr(sock); |
6fbf66fa |
done: |
23d61c56 |
if (sig_save && sig_info) |
76a59eae |
{ |
23d61c56 |
if (!sig_info->signal_received)
sig_info->signal_received = sig_save; |
76a59eae |
} |
6fbf66fa |
}
void
link_socket_close (struct link_socket *sock)
{
if (sock)
{
#ifdef ENABLE_DEBUG
const int gremlin = GREMLIN_CONNECTION_FLOOD_LEVEL (sock->gremlin);
#else
const int gremlin = 0;
#endif
if (socket_defined (sock->sd))
{
#ifdef WIN32
close_net_event_win32 (&sock->listen_handle, sock->sd, 0);
#endif
if (!gremlin)
{ |
9df9e13f |
msg (D_LOW, "TCP/UDP: Closing socket"); |
6fbf66fa |
if (openvpn_close_socket (sock->sd)) |
910675de |
msg (M_WARN | M_ERRNO, "TCP/UDP: Close Socket failed"); |
6fbf66fa |
}
sock->sd = SOCKET_UNDEFINED;
#ifdef WIN32
if (!gremlin)
{
overlapped_io_close (&sock->reads);
overlapped_io_close (&sock->writes);
}
#endif
}
if (socket_defined (sock->ctrl_sd))
{
if (openvpn_close_socket (sock->ctrl_sd)) |
910675de |
msg (M_WARN | M_ERRNO, "TCP/UDP: Close Socket (ctrl_sd) failed"); |
6fbf66fa |
sock->ctrl_sd = SOCKET_UNDEFINED;
}
stream_buf_close (&sock->stream_buf);
free_buf (&sock->stream_buf_data);
if (!gremlin)
free (sock);
}
}
/* for stream protocols, allow for packet length prefix */
void
socket_adjust_frame_parameters (struct frame *frame, int proto)
{
if (link_socket_proto_connection_oriented (proto))
frame_add_to_extra_frame (frame, sizeof (packet_size_type));
}
void
setenv_trusted (struct env_set *es, const struct link_socket_info *info)
{ |
8bc93d7f |
setenv_link_socket_actual (es, "trusted", &info->lsa->actual, SA_IP_PORT); |
6fbf66fa |
}
|
5a2e9a25 |
static void
ipchange_fmt (const bool include_cmd, struct argv *argv, const struct link_socket_info *info, struct gc_arena *gc)
{ |
d3310d2e |
const char *host = print_sockaddr_ex (&info->lsa->actual.dest.addr.sa, " ", PS_SHOW_PORT , gc); |
5a2e9a25 |
if (include_cmd) |
d3310d2e |
argv_printf (argv, "%sc %s", |
5a2e9a25 |
info->ipchange_command, |
d3310d2e |
host); |
5a2e9a25 |
else |
d3310d2e |
argv_printf (argv, "%s", host);
|
5a2e9a25 |
}
|
6fbf66fa |
void
link_socket_connection_initiated (const struct buffer *buf,
struct link_socket_info *info, |
8bc93d7f |
const struct link_socket_actual *act, |
6fbf66fa |
const char *common_name,
struct env_set *es)
{
struct gc_arena gc = gc_new ();
|
8bc93d7f |
info->lsa->actual = *act; /* Note: skip this line for --force-dest */ |
6fbf66fa |
setenv_trusted (es, info);
info->connection_established = true;
/* Print connection initiated message, with common name if available */
{
struct buffer out = alloc_buf_gc (256, &gc);
if (common_name)
buf_printf (&out, "[%s] ", common_name); |
8bc93d7f |
buf_printf (&out, "Peer Connection Initiated with %s", print_link_socket_actual (&info->lsa->actual, &gc)); |
6fbf66fa |
msg (M_INFO, "%s", BSTR (&out));
}
/* set environmental vars */
setenv_str (es, "common_name", common_name);
/* Process --ipchange plugin */
if (plugin_defined (info->plugins, OPENVPN_PLUGIN_IPCHANGE))
{ |
5a2e9a25 |
struct argv argv = argv_new ();
ipchange_fmt (false, &argv, info, &gc); |
1876ccd0 |
if (plugin_call (info->plugins, OPENVPN_PLUGIN_IPCHANGE, &argv, NULL, es) != OPENVPN_PLUGIN_FUNC_SUCCESS) |
6fbf66fa |
msg (M_WARN, "WARNING: ipchange plugin call failed"); |
5a2e9a25 |
argv_reset (&argv); |
6fbf66fa |
}
/* Process --ipchange option */
if (info->ipchange_command)
{ |
5a2e9a25 |
struct argv argv = argv_new (); |
6fbf66fa |
setenv_str (es, "script_type", "ipchange"); |
5a2e9a25 |
ipchange_fmt (true, &argv, info, &gc); |
c2533d18 |
openvpn_run_script (&argv, es, 0, "--ipchange"); |
5a2e9a25 |
argv_reset (&argv); |
6fbf66fa |
}
gc_free (&gc);
}
void
link_socket_bad_incoming_addr (struct buffer *buf,
const struct link_socket_info *info, |
8bc93d7f |
const struct link_socket_actual *from_addr) |
6fbf66fa |
{
struct gc_arena gc = gc_new (); |
23d61c56 |
struct addrinfo* ai; |
6fbf66fa |
|
8335caf9 |
switch(from_addr->dest.addr.sa.sa_family) |
d9c04efc |
{ |
8335caf9 |
case AF_INET:
case AF_INET6:
msg (D_LINK_ERRORS, |
d9c04efc |
"TCP/UDP: Incoming packet rejected from %s[%d], expected peer address: %s (allow this incoming source address/port by removing --remote or adding --float)",
print_link_socket_actual (from_addr, &gc),
(int)from_addr->dest.addr.sa.sa_family, |
23d61c56 |
print_sockaddr_ex (info->lsa->remote_list->ai_addr,":" ,PS_SHOW_PORT, &gc));
/* print additional remote addresses */
for(ai=info->lsa->remote_list->ai_next;ai;ai=ai->ai_next) {
msg(D_LINK_ERRORS,"or from peer address: %s",
print_sockaddr_ex(ai->ai_addr,":",PS_SHOW_PORT, &gc));
} |
8335caf9 |
break; |
d9c04efc |
} |
6fbf66fa |
buf->len = 0;
gc_free (&gc);
}
void
link_socket_bad_outgoing_addr (void)
{
dmsg (D_READ_WRITE, "TCP/UDP: No outgoing address to send packet");
}
in_addr_t
link_socket_current_remote (const struct link_socket_info *info)
{
const struct link_socket_addr *lsa = info->lsa;
|
8335caf9 |
/*
* This logic supports "redirect-gateway" semantic, which
* makes sense only for PF_INET routes over PF_INET endpoints
*
* Maybe in the future consider PF_INET6 endpoints also ...
* by now just ignore it
* |
23d61c56 |
* For --remote entries with multiple addresses this
* only return the actual endpoint we have sucessfully connected to |
8335caf9 |
*/ |
1ad6fc29 |
if (lsa->actual.dest.addr.sa.sa_family != AF_INET) |
9d4c64b5 |
return IPV4_INVALID_ADDR; |
8335caf9 |
|
8bc93d7f |
if (link_socket_actual_defined (&lsa->actual)) |
8335caf9 |
return ntohl (lsa->actual.dest.addr.in4.sin_addr.s_addr); |
23d61c56 |
else if (lsa->current_remote)
return ntohl (((struct sockaddr_in*)lsa->current_remote->ai_addr)
->sin_addr.s_addr); |
6fbf66fa |
else
return 0;
}
|
3ddb5643 |
const struct in6_addr *
link_socket_current_remote_ipv6 (const struct link_socket_info *info)
{
const struct link_socket_addr *lsa = info->lsa;
/* This logic supports "redirect-gateway" semantic,
* for PF_INET6 routes over PF_INET6 endpoints
*
* For --remote entries with multiple addresses this
* only return the actual endpoint we have sucessfully connected to
*/
if (lsa->actual.dest.addr.sa.sa_family != AF_INET6)
return NULL;
if (link_socket_actual_defined (&lsa->actual))
return &(lsa->actual.dest.addr.in6.sin6_addr);
else if (lsa->current_remote)
return &(((struct sockaddr_in6*)lsa->current_remote->ai_addr) ->sin6_addr);
else
return NULL;
}
|
6fbf66fa |
/*
* Return a status string describing socket state.
*/
const char *
socket_stat (const struct link_socket *s, unsigned int rwflags, struct gc_arena *gc)
{
struct buffer out = alloc_buf_gc (64, gc);
if (s)
{
if (rwflags & EVENT_READ)
{
buf_printf (&out, "S%s",
(s->rwflags_debug & EVENT_READ) ? "R" : "r");
#ifdef WIN32
buf_printf (&out, "%s",
overlapped_io_state_ascii (&s->reads));
#endif
}
if (rwflags & EVENT_WRITE)
{
buf_printf (&out, "S%s",
(s->rwflags_debug & EVENT_WRITE) ? "W" : "w");
#ifdef WIN32
buf_printf (&out, "%s",
overlapped_io_state_ascii (&s->writes));
#endif
}
}
else
{
buf_printf (&out, "S?");
}
return BSTR (&out);
}
/*
* Stream buffer functions, used to packetize a TCP
* stream connection.
*/
static inline void
stream_buf_reset (struct stream_buf *sb)
{
dmsg (D_STREAM_DEBUG, "STREAM: RESET");
sb->residual_fully_formed = false;
sb->buf = sb->buf_init;
buf_reset (&sb->next);
sb->len = -1;
}
void
stream_buf_init (struct stream_buf *sb, |
dc46c067 |
struct buffer *buf,
const unsigned int sockflags,
const int proto) |
6fbf66fa |
{
sb->buf_init = *buf;
sb->maxlen = sb->buf_init.len;
sb->buf_init.len = 0;
sb->residual = alloc_buf (sb->maxlen);
sb->error = false; |
6add6b2f |
#if PORT_SHARE |
30077d1f |
sb->port_share_state = ((sockflags & SF_PORT_SHARE) && (proto == PROTO_TCP_SERVER)) |
dc46c067 |
? PS_ENABLED
: PS_DISABLED; |
6add6b2f |
#endif |
6fbf66fa |
stream_buf_reset (sb);
dmsg (D_STREAM_DEBUG, "STREAM: INIT maxlen=%d", sb->maxlen);
}
static inline void
stream_buf_set_next (struct stream_buf *sb)
{
/* set up 'next' for next i/o read */
sb->next = sb->buf;
sb->next.offset = sb->buf.offset + sb->buf.len;
sb->next.len = (sb->len >= 0 ? sb->len : sb->maxlen) - sb->buf.len;
dmsg (D_STREAM_DEBUG, "STREAM: SET NEXT, buf=[%d,%d] next=[%d,%d] len=%d maxlen=%d",
sb->buf.offset, sb->buf.len,
sb->next.offset, sb->next.len,
sb->len, sb->maxlen);
ASSERT (sb->next.len > 0);
ASSERT (buf_safe (&sb->buf, sb->next.len));
}
static inline void
stream_buf_get_final (struct stream_buf *sb, struct buffer *buf)
{
dmsg (D_STREAM_DEBUG, "STREAM: GET FINAL len=%d",
buf_defined (&sb->buf) ? sb->buf.len : -1);
ASSERT (buf_defined (&sb->buf));
*buf = sb->buf;
}
static inline void
stream_buf_get_next (struct stream_buf *sb, struct buffer *buf)
{
dmsg (D_STREAM_DEBUG, "STREAM: GET NEXT len=%d",
buf_defined (&sb->next) ? sb->next.len : -1);
ASSERT (buf_defined (&sb->next));
*buf = sb->next;
}
bool
stream_buf_read_setup_dowork (struct link_socket* sock)
{
if (sock->stream_buf.residual.len && !sock->stream_buf.residual_fully_formed)
{
ASSERT (buf_copy (&sock->stream_buf.buf, &sock->stream_buf.residual));
ASSERT (buf_init (&sock->stream_buf.residual, 0));
sock->stream_buf.residual_fully_formed = stream_buf_added (&sock->stream_buf, 0);
dmsg (D_STREAM_DEBUG, "STREAM: RESIDUAL FULLY FORMED [%s], len=%d",
sock->stream_buf.residual_fully_formed ? "YES" : "NO",
sock->stream_buf.residual.len);
}
if (!sock->stream_buf.residual_fully_formed)
stream_buf_set_next (&sock->stream_buf);
return !sock->stream_buf.residual_fully_formed;
}
bool
stream_buf_added (struct stream_buf *sb,
int length_added)
{
dmsg (D_STREAM_DEBUG, "STREAM: ADD length_added=%d", length_added);
if (length_added > 0)
sb->buf.len += length_added;
/* if length unknown, see if we can get the length prefix from
the head of the buffer */
if (sb->len < 0 && sb->buf.len >= (int) sizeof (packet_size_type))
{
packet_size_type net_size; |
6add6b2f |
#if PORT_SHARE
if (sb->port_share_state == PS_ENABLED)
{
if (!is_openvpn_protocol (&sb->buf))
{ |
dc46c067 |
msg (D_STREAM_ERRORS, "Non-OpenVPN client protocol detected"); |
6add6b2f |
sb->port_share_state = PS_FOREIGN;
sb->error = true;
return false;
}
else
sb->port_share_state = PS_DISABLED;
}
#endif
|
6fbf66fa |
ASSERT (buf_read (&sb->buf, &net_size, sizeof (net_size)));
sb->len = ntohps (net_size);
if (sb->len < 1 || sb->len > sb->maxlen)
{ |
afa7ddf0 |
msg (M_WARN, "WARNING: Bad encapsulated packet length from peer (%d), which must be > 0 and <= %d -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]", sb->len, sb->maxlen); |
6fbf66fa |
stream_buf_reset (sb);
sb->error = true;
return false;
}
}
/* is our incoming packet fully read? */
if (sb->len > 0 && sb->buf.len >= sb->len)
{
/* save any residual data that's part of the next packet */
ASSERT (buf_init (&sb->residual, 0));
if (sb->buf.len > sb->len)
ASSERT (buf_copy_excess (&sb->residual, &sb->buf, sb->len));
dmsg (D_STREAM_DEBUG, "STREAM: ADD returned TRUE, buf_len=%d, residual_len=%d",
BLEN (&sb->buf),
BLEN (&sb->residual));
return true;
}
else
{
dmsg (D_STREAM_DEBUG, "STREAM: ADD returned FALSE (have=%d need=%d)", sb->buf.len, sb->len);
stream_buf_set_next (sb);
return false;
}
}
void
stream_buf_close (struct stream_buf* sb)
{
free_buf (&sb->residual);
}
/*
* The listen event is a special event whose sole purpose is
* to tell us that there's a new incoming connection on a
* TCP socket, for use in server mode.
*/
event_t
socket_listen_event_handle (struct link_socket *s)
{
#ifdef WIN32
if (!defined_net_event_win32 (&s->listen_handle))
init_net_event_win32 (&s->listen_handle, FD_ACCEPT, s->sd, 0);
return &s->listen_handle;
#else
return s->sd;
#endif
}
/*
* Format IP addresses in ascii
*/
const char * |
d3310d2e |
print_sockaddr_ex (const struct sockaddr *sa,
const char* separator,
const unsigned int flags,
struct gc_arena *gc) |
6fbf66fa |
{ |
fc9a44e2 |
struct buffer out = alloc_buf_gc (128, gc); |
5ead2ae0 |
bool addr_is_defined = false; |
d3310d2e |
char hostaddr[NI_MAXHOST] = "";
char servname[NI_MAXSERV] = "";
int status;
|
5ead2ae0 |
socklen_t salen = 0; |
d3310d2e |
switch(sa->sa_family) |
d9c04efc |
{ |
8335caf9 |
case AF_INET: |
2191c471 |
if (!(flags & PS_DONT_SHOW_FAMILY))
buf_puts (&out, "[AF_INET]"); |
d3310d2e |
salen = sizeof (struct sockaddr_in);
addr_is_defined = ((struct sockaddr_in*) sa)->sin_addr.s_addr != 0; |
d9c04efc |
break; |
8335caf9 |
case AF_INET6: |
2191c471 |
if (!(flags & PS_DONT_SHOW_FAMILY))
buf_puts (&out, "[AF_INET6]"); |
d3310d2e |
salen = sizeof (struct sockaddr_in6);
addr_is_defined = !IN6_IS_ADDR_UNSPECIFIED(&((struct sockaddr_in6*) sa)->sin6_addr); |
8335caf9 |
break; |
d3310d2e |
case AF_UNSPEC: |
2191c471 |
if (!(flags & PS_DONT_SHOW_FAMILY))
return "[AF_UNSPEC]";
else
return ""; |
fc9a44e2 |
default:
ASSERT(0); |
d9c04efc |
} |
d3310d2e |
status = getnameinfo(sa, salen, hostaddr, sizeof (hostaddr),
servname, sizeof(servname), NI_NUMERICHOST | NI_NUMERICSERV);
if(status!=0) {
buf_printf(&out,"[nameinfo() err: %s]",gai_strerror(status));
return BSTR(&out);
}
if (!(flags & PS_DONT_SHOW_ADDR))
{
if (addr_is_defined)
buf_puts (&out, hostaddr);
else
buf_puts (&out, "[undef]");
}
if ((flags & PS_SHOW_PORT) || (flags & PS_SHOW_PORT_IF_DEFINED))
{
if (separator)
buf_puts (&out, separator);
buf_puts (&out, servname);
}
|
8335caf9 |
return BSTR (&out); |
8bc93d7f |
}
const char *
print_link_socket_actual (const struct link_socket_actual *act, struct gc_arena *gc)
{
return print_link_socket_actual_ex (act, ":", PS_SHOW_PORT|PS_SHOW_PKTINFO, gc);
}
|
6dbf82a9 |
#ifndef IF_NAMESIZE
#define IF_NAMESIZE 16
#endif
|
8bc93d7f |
const char *
print_link_socket_actual_ex (const struct link_socket_actual *act,
const char *separator,
const unsigned int flags,
struct gc_arena *gc)
{
if (act)
{ |
5d6dbb03 |
char ifname[IF_NAMESIZE] = "[undef]"; |
8bc93d7f |
struct buffer out = alloc_buf_gc (128, gc); |
d3310d2e |
buf_printf (&out, "%s", print_sockaddr_ex (&act->dest.addr.sa, separator, flags, gc)); |
8bc93d7f |
#if ENABLE_IP_PKTINFO |
8335caf9 |
if ((flags & PS_SHOW_PKTINFO) && addr_defined_ipi(act)) |
8bc93d7f |
{ |
8335caf9 |
switch(act->dest.addr.sa.sa_family)
{ |
d9c04efc |
case AF_INET:
{
struct openvpn_sockaddr sa;
CLEAR (sa); |
830038fc |
sa.addr.in4.sin_family = AF_INET; |
d3774cdf |
#ifdef IP_PKTINFO |
d9c04efc |
sa.addr.in4.sin_addr = act->pi.in4.ipi_spec_dst; |
5d6dbb03 |
if_indextoname(act->pi.in4.ipi_ifindex, ifname); |
d3774cdf |
#elif defined(IP_RECVDSTADDR)
sa.addr.in4.sin_addr = act->pi.in4;
ifname[0]=0;
#else
#error ENABLE_IP_PKTINFO is set without IP_PKTINFO xor IP_RECVDSTADDR (fix syshead.h)
#endif |
5d6dbb03 |
buf_printf (&out, " (via %s%%%s)", |
d3310d2e |
print_sockaddr_ex (&sa.addr.sa, separator, 0, gc), |
5d6dbb03 |
ifname); |
d9c04efc |
} |
51afc8b8 |
break; |
d9c04efc |
case AF_INET6:
{
struct sockaddr_in6 sin6;
char buf[INET6_ADDRSTRLEN] = "[undef]"; |
1ad6fc29 |
CLEAR(sin6); |
d9c04efc |
sin6.sin6_family = AF_INET6;
sin6.sin6_addr = act->pi.in6.ipi6_addr; |
5d6dbb03 |
if_indextoname(act->pi.in6.ipi6_ifindex, ifname);
if (getnameinfo((struct sockaddr *)&sin6, sizeof (struct sockaddr_in6),
buf, sizeof (buf), NULL, 0, NI_NUMERICHOST) == 0)
buf_printf (&out, " (via %s%%%s)", buf, ifname);
else
buf_printf (&out, " (via [getnameinfo() err]%%%s)", ifname); |
d9c04efc |
}
break;
} |
8bc93d7f |
}
#endif
return BSTR (&out);
}
else
return "[NULL]"; |
6fbf66fa |
}
/*
* Convert an in_addr_t in host byte order
* to an ascii dotted quad.
*/
const char *
print_in_addr_t (in_addr_t addr, unsigned int flags, struct gc_arena *gc)
{
struct in_addr ia;
struct buffer out = alloc_buf_gc (64, gc);
if (addr || !(flags & IA_EMPTY_IF_UNDEF))
{
CLEAR (ia);
ia.s_addr = (flags & IA_NET_ORDER) ? addr : htonl (addr);
buf_printf (&out, "%s", inet_ntoa (ia));
}
return BSTR (&out);
}
|
512cda46 |
/*
* Convert an in6_addr in host byte order
* to an ascii representation of an IPv6 address
*/
const char *
print_in6_addr (struct in6_addr a6, unsigned int flags, struct gc_arena *gc)
{
struct buffer out = alloc_buf_gc (64, gc);
char tmp_out_buf[64]; /* inet_ntop wants pointer to buffer */
if ( memcmp(&a6, &in6addr_any, sizeof(a6)) != 0 ||
!(flags & IA_EMPTY_IF_UNDEF))
{
inet_ntop (AF_INET6, &a6, tmp_out_buf, sizeof(tmp_out_buf)-1);
buf_printf (&out, "%s", tmp_out_buf );
}
return BSTR (&out);
}
|
1ffdb2c9 |
#ifndef UINT8_MAX
# define UINT8_MAX 0xff
#endif
|
512cda46 |
/* add some offset to an ipv6 address |
1ffdb2c9 |
* (add in steps of 8 bits, taking overflow into next round) |
512cda46 |
*/
struct in6_addr add_in6_addr( struct in6_addr base, uint32_t add )
{
int i;
|
1ffdb2c9 |
for( i=15; i>=0 && add > 0 ; i-- ) |
512cda46 |
{ |
1ffdb2c9 |
register int carry;
register uint32_t h;
h = (unsigned char) base.s6_addr[i];
base.s6_addr[i] = (h+add) & UINT8_MAX;
/* using explicit carry for the 8-bit additions will catch
* 8-bit and(!) 32-bit overruns nicely |
512cda46 |
*/ |
1ffdb2c9 |
carry = ((h & 0xff) + (add & 0xff)) >> 8;
add = (add>>8) + carry; |
512cda46 |
}
return base;
}
|
6fbf66fa |
/* set environmental variables for ip/port in *addr */
void |
5cfe3d4c |
setenv_sockaddr (struct env_set *es, const char *name_prefix, const struct openvpn_sockaddr *addr, const unsigned int flags) |
6fbf66fa |
{
char name_buf[256];
|
4d3df224 |
char buf[128]; |
d9c04efc |
switch(addr->addr.sa.sa_family)
{ |
8335caf9 |
case AF_INET:
if (flags & SA_IP_PORT)
openvpn_snprintf (name_buf, sizeof (name_buf), "%s_ip", name_prefix);
else
openvpn_snprintf (name_buf, sizeof (name_buf), "%s", name_prefix); |
6fbf66fa |
|
8335caf9 |
setenv_str (es, name_buf, inet_ntoa (addr->addr.in4.sin_addr));
if ((flags & SA_IP_PORT) && addr->addr.in4.sin_port) |
d9c04efc |
{
openvpn_snprintf (name_buf, sizeof (name_buf), "%s_port", name_prefix);
setenv_int (es, name_buf, ntohs (addr->addr.in4.sin_port));
}
break; |
8335caf9 |
case AF_INET6: |
0b1a68ff |
if ( IN6_IS_ADDR_V4MAPPED( &addr->addr.in6.sin6_addr ))
{
struct in_addr ia;
ia.s_addr = *(in_addr_t *)&addr->addr.in6.sin6_addr.s6_addr[12] ;
openvpn_snprintf (name_buf, sizeof (name_buf), "%s_ip", name_prefix);
openvpn_snprintf (buf, sizeof(buf), "%s", inet_ntoa(ia) );
}
else
{
openvpn_snprintf (name_buf, sizeof (name_buf), "%s_ip6", name_prefix);
getnameinfo(&addr->addr.sa, sizeof (struct sockaddr_in6),
buf, sizeof(buf), NULL, 0, NI_NUMERICHOST);
} |
8335caf9 |
setenv_str (es, name_buf, buf); |
6fbf66fa |
|
86093c1c |
if ((flags & SA_IP_PORT) && addr->addr.in6.sin6_port)
{
openvpn_snprintf (name_buf, sizeof (name_buf), "%s_port", name_prefix);
setenv_int (es, name_buf, ntohs (addr->addr.in6.sin6_port));
} |
8335caf9 |
break; |
d9c04efc |
} |
6fbf66fa |
}
void |
5cfe3d4c |
setenv_in_addr_t (struct env_set *es, const char *name_prefix, in_addr_t addr, const unsigned int flags) |
6fbf66fa |
{
if (addr || !(flags & SA_SET_IF_NONZERO))
{ |
8bc93d7f |
struct openvpn_sockaddr si; |
6fbf66fa |
CLEAR (si); |
8335caf9 |
si.addr.in4.sin_family = AF_INET;
si.addr.in4.sin_addr.s_addr = htonl (addr); |
6fbf66fa |
setenv_sockaddr (es, name_prefix, &si, flags);
}
}
|
8bc93d7f |
void |
a8f8b926 |
setenv_in6_addr (struct env_set *es,
const char *name_prefix,
const struct in6_addr *addr,
const unsigned int flags)
{
if (!IN6_IS_ADDR_UNSPECIFIED (addr) || !(flags & SA_SET_IF_NONZERO))
{
struct openvpn_sockaddr si;
CLEAR (si);
si.addr.in6.sin6_family = AF_INET6;
si.addr.in6.sin6_addr = *addr;
setenv_sockaddr (es, name_prefix, &si, flags);
}
}
void |
8bc93d7f |
setenv_link_socket_actual (struct env_set *es,
const char *name_prefix,
const struct link_socket_actual *act, |
5cfe3d4c |
const unsigned int flags) |
8bc93d7f |
{
setenv_sockaddr (es, name_prefix, &act->dest, flags);
}
|
6fbf66fa |
/*
* Convert protocol names between index and ascii form.
*/
struct proto_names {
const char *short_form;
const char *display_form; |
30077d1f |
sa_family_t proto_af;
int proto; |
6fbf66fa |
};
/* Indexed by PROTO_x */ |
30077d1f |
static const struct proto_names proto_names[] = {
{"proto-uninitialized", "proto-NONE", AF_UNSPEC, PROTO_NONE}, |
23d61c56 |
/* try IPv4 and IPv6 (client), bind dual-stack (server) */
{"udp", "UDP", AF_UNSPEC, PROTO_UDP},
{"tcp-server", "TCP_SERVER", AF_UNSPEC, PROTO_TCP_SERVER},
{"tcp-client", "TCP_CLIENT", AF_UNSPEC, PROTO_TCP_CLIENT},
{"tcp", "TCP", AF_UNSPEC, PROTO_TCP},
/* force IPv4 */
{"udp4", "UDPv4", AF_INET, PROTO_UDP},
{"tcp4-server","TCPv4_SERVER", AF_INET, PROTO_TCP_SERVER},
{"tcp4-client","TCPv4_CLIENT", AF_INET, PROTO_TCP_CLIENT},
{"tcp4", "TCPv4", AF_INET, PROTO_TCP},
/* force IPv6 */ |
30077d1f |
{"udp6" ,"UDPv6", AF_INET6, PROTO_UDP},
{"tcp6-server","TCPv6_SERVER", AF_INET6, PROTO_TCP_SERVER},
{"tcp6-client","TCPv6_CLIENT", AF_INET6, PROTO_TCP_CLIENT},
{"tcp6" ,"TCPv6", AF_INET6, PROTO_TCP}, |
6fbf66fa |
};
|
8335caf9 |
bool
proto_is_net(int proto)
{
if (proto < 0 || proto >= PROTO_N)
ASSERT(0); |
30077d1f |
return proto != PROTO_NONE; |
8335caf9 |
}
bool
proto_is_dgram(int proto)
{ |
30077d1f |
return proto_is_udp(proto); |
8335caf9 |
} |
30077d1f |
|
8335caf9 |
bool
proto_is_udp(int proto)
{
if (proto < 0 || proto >= PROTO_N)
ASSERT(0); |
30077d1f |
return proto == PROTO_UDP; |
8335caf9 |
} |
30077d1f |
|
8335caf9 |
bool
proto_is_tcp(int proto)
{
if (proto < 0 || proto >= PROTO_N)
ASSERT(0); |
d0ce829f |
return proto == PROTO_TCP_CLIENT || proto == PROTO_TCP_SERVER; |
8335caf9 |
}
|
6fbf66fa |
int
ascii2proto (const char* proto_name)
{
int i; |
30077d1f |
for (i = 0; i < SIZE (proto_names); ++i) |
6fbf66fa |
if (!strcmp (proto_name, proto_names[i].short_form)) |
30077d1f |
return proto_names[i].proto; |
6fbf66fa |
return -1;
}
|
30077d1f |
sa_family_t
ascii2af (const char* proto_name)
{
int i;
for (i = 0; i < SIZE (proto_names); ++i)
if (!strcmp (proto_name, proto_names[i].short_form))
return proto_names[i].proto_af;
return 0;
}
|
6fbf66fa |
const char * |
30077d1f |
proto2ascii (int proto, sa_family_t af, bool display_form) |
6fbf66fa |
{ |
30077d1f |
unsigned int i;
for (i = 0; i < SIZE (proto_names); ++i)
{
if(proto_names[i].proto_af == af && proto_names[i].proto == proto)
{
if(display_form)
return proto_names[i].display_form;
else
return proto_names[i].short_form;
}
}
return "[unknown protocol]"; |
6fbf66fa |
}
const char *
proto2ascii_all (struct gc_arena *gc)
{
struct buffer out = alloc_buf_gc (256, gc);
int i;
|
30077d1f |
for (i = 0; i < SIZE (proto_names); ++i) |
6fbf66fa |
{
if (i)
buf_printf(&out, " "); |
30077d1f |
buf_printf(&out, "[%s]", proto_names[i].short_form); |
6fbf66fa |
}
return BSTR (&out);
}
|
8335caf9 |
const char *
addr_family_name (int af)
{ |
51afc8b8 |
switch (af)
{
case AF_INET: return "AF_INET"; |
8335caf9 |
case AF_INET6: return "AF_INET6"; |
51afc8b8 |
} |
8335caf9 |
return "AF_UNSPEC";
}
|
6fbf66fa |
/*
* Given a local proto, return local proto
* if !remote, or compatible remote proto
* if remote.
*
* This is used for options compatibility
* checking. |
38727e09 |
*
* IPv6 and IPv4 protocols are comptabile but OpenVPN
* has always sent UDPv4, TCPv4 over the wire. Keep these
* strings for backward compatbility |
6fbf66fa |
*/ |
34136dd8 |
const char* |
6fbf66fa |
proto_remote (int proto, bool remote)
{
ASSERT (proto >= 0 && proto < PROTO_N); |
34136dd8 |
if (proto == PROTO_UDP)
return "UDPv4";
if ( (remote && proto == PROTO_TCP_CLIENT) ||
(!remote && proto == PROTO_TCP_SERVER))
return "TCPv4_SERVER";
if ( (remote && proto == PROTO_TCP_SERVER) ||
(!remote && proto == PROTO_TCP_CLIENT))
return "TCPv4_CLIENT";
ASSERT (0); |
7dbe04de |
return ""; /* Make the compiler happy */ |
6fbf66fa |
}
/*
* Bad incoming address lengths that differ from what
* we expect are considered to be fatal errors.
*/
void
bad_address_length (int actual, int expected)
{
msg (M_FATAL, "ERROR: received strange incoming packet with an address length of %d -- we only accept address lengths of %d.",
actual,
expected);
}
/*
* Socket Read Routines
*/
int
link_socket_read_tcp (struct link_socket *sock,
struct buffer *buf)
{
int len = 0;
if (!sock->stream_buf.residual_fully_formed)
{
#ifdef WIN32
len = socket_finalize (sock->sd, &sock->reads, buf, NULL);
#else
struct buffer frag;
stream_buf_get_next (&sock->stream_buf, &frag);
len = recv (sock->sd, BPTR (&frag), BLEN (&frag), MSG_NOSIGNAL);
#endif
if (!len)
sock->stream_reset = true;
if (len <= 0)
return buf->len = len;
}
if (sock->stream_buf.residual_fully_formed
|| stream_buf_added (&sock->stream_buf, len)) /* packet complete? */
{
stream_buf_get_final (&sock->stream_buf, buf);
stream_buf_reset (&sock->stream_buf);
return buf->len;
}
else
return buf->len = 0; /* no error, but packet is still incomplete */
}
#ifndef WIN32
|
8bc93d7f |
#if ENABLE_IP_PKTINFO
|
1bda73a7 |
#pragma pack(1) /* needed to keep structure size consistent for 32 vs. 64-bit architectures */ |
8335caf9 |
struct openvpn_in4_pktinfo |
8bc93d7f |
{
struct cmsghdr cmsghdr; |
d3774cdf |
#ifdef HAVE_IN_PKTINFO |
830038fc |
struct in_pktinfo pi4; |
c02a8405 |
#elif defined(IP_RECVDSTADDR) |
d3774cdf |
struct in_addr pi4;
#endif |
8335caf9 |
};
struct openvpn_in6_pktinfo
{
struct cmsghdr cmsghdr;
struct in6_pktinfo pi6;
};
union openvpn_pktinfo { |
830038fc |
struct openvpn_in4_pktinfo msgpi4;
struct openvpn_in6_pktinfo msgpi6; |
8bc93d7f |
}; |
1bda73a7 |
#pragma pack() |
8bc93d7f |
static socklen_t
link_socket_read_udp_posix_recvmsg (struct link_socket *sock,
struct buffer *buf,
struct link_socket_actual *from)
{
struct iovec iov; |
8335caf9 |
union openvpn_pktinfo opi; |
8bc93d7f |
struct msghdr mesg; |
8335caf9 |
socklen_t fromlen = sizeof (from->dest.addr); |
8bc93d7f |
iov.iov_base = BPTR (buf); |
3c1b19e0 |
iov.iov_len = buf_forward_capacity_total (buf); |
8bc93d7f |
mesg.msg_iov = &iov;
mesg.msg_iovlen = 1; |
8335caf9 |
mesg.msg_name = &from->dest.addr; |
8bc93d7f |
mesg.msg_namelen = fromlen;
mesg.msg_control = &opi; |
830038fc |
mesg.msg_controllen = sizeof opi; |
8bc93d7f |
buf->len = recvmsg (sock->sd, &mesg, 0);
if (buf->len >= 0)
{
struct cmsghdr *cmsg;
fromlen = mesg.msg_namelen;
cmsg = CMSG_FIRSTHDR (&mesg);
if (cmsg != NULL
&& CMSG_NXTHDR (&mesg, cmsg) == NULL |
d3774cdf |
#ifdef IP_PKTINFO |
8bc93d7f |
&& cmsg->cmsg_level == SOL_IP
&& cmsg->cmsg_type == IP_PKTINFO |
d3774cdf |
#elif defined(IP_RECVDSTADDR)
&& cmsg->cmsg_level == IPPROTO_IP
&& cmsg->cmsg_type == IP_RECVDSTADDR
#else
#error ENABLE_IP_PKTINFO is set without IP_PKTINFO xor IP_RECVDSTADDR (fix syshead.h)
#endif |
830038fc |
&& cmsg->cmsg_len >= sizeof (struct openvpn_in4_pktinfo)) |
8bc93d7f |
{ |
d3774cdf |
#ifdef IP_PKTINFO |
8bc93d7f |
struct in_pktinfo *pkti = (struct in_pktinfo *) CMSG_DATA (cmsg); |
8335caf9 |
from->pi.in4.ipi_ifindex = pkti->ipi_ifindex;
from->pi.in4.ipi_spec_dst = pkti->ipi_spec_dst; |
d3774cdf |
#elif defined(IP_RECVDSTADDR)
from->pi.in4 = *(struct in_addr*) CMSG_DATA (cmsg);
#else
#error ENABLE_IP_PKTINFO is set without IP_PKTINFO xor IP_RECVDSTADDR (fix syshead.h)
#endif |
8bc93d7f |
} |
8335caf9 |
else if (cmsg != NULL
&& CMSG_NXTHDR (&mesg, cmsg) == NULL
&& cmsg->cmsg_level == IPPROTO_IPV6
&& cmsg->cmsg_type == IPV6_PKTINFO
&& cmsg->cmsg_len >= sizeof (struct openvpn_in6_pktinfo))
{
struct in6_pktinfo *pkti6 = (struct in6_pktinfo *) CMSG_DATA (cmsg);
from->pi.in6.ipi6_ifindex = pkti6->ipi6_ifindex;
from->pi.in6.ipi6_addr = pkti6->ipi6_addr;
} |
7dbe04de |
else if (cmsg != NULL)
{
msg(M_WARN, "CMSG received that cannot be parsed (cmsg_level=%d, cmsg_type=%d, cmsg=len=%d)", (int)cmsg->cmsg_level, (int)cmsg->cmsg_type, (int)cmsg->cmsg_len );
} |
8bc93d7f |
} |
7dbe04de |
|
8bc93d7f |
return fromlen;
}
#endif
|
6fbf66fa |
int
link_socket_read_udp_posix (struct link_socket *sock,
struct buffer *buf, |
8bc93d7f |
struct link_socket_actual *from) |
6fbf66fa |
{ |
8335caf9 |
socklen_t fromlen = sizeof (from->dest.addr); |
30077d1f |
socklen_t expectedlen = af_addr_size(sock->info.af); |
8335caf9 |
addr_zero_host(&from->dest); |
8bc93d7f |
#if ENABLE_IP_PKTINFO |
8335caf9 |
/* Both PROTO_UDPv4 and PROTO_UDPv6 */ |
30077d1f |
if (sock->info.proto == PROTO_UDP && sock->sockflags & SF_USE_IP_PKTINFO) |
3c1b19e0 |
fromlen = link_socket_read_udp_posix_recvmsg (sock, buf, from); |
8bc93d7f |
else
#endif |
3c1b19e0 |
buf->len = recvfrom (sock->sd, BPTR (buf), buf_forward_capacity(buf), 0, |
8335caf9 |
&from->dest.addr.sa, &fromlen); |
78b8fc72 |
/* FIXME: won't do anything when sock->info.af == AF_UNSPEC */ |
8335caf9 |
if (buf->len >= 0 && expectedlen && fromlen != expectedlen)
bad_address_length (fromlen, expectedlen); |
6fbf66fa |
return buf->len;
}
#endif
/*
* Socket Write Routines
*/
int
link_socket_write_tcp (struct link_socket *sock,
struct buffer *buf, |
8bc93d7f |
struct link_socket_actual *to) |
6fbf66fa |
{
packet_size_type len = BLEN (buf);
dmsg (D_STREAM_DEBUG, "STREAM: WRITE %d offset=%d", (int)len, buf->offset);
ASSERT (len <= sock->stream_buf.maxlen);
len = htonps (len);
ASSERT (buf_write_prepend (buf, &len, sizeof (len)));
#ifdef WIN32
return link_socket_write_win32 (sock, buf, to);
#else
return link_socket_write_tcp_posix (sock, buf, to);
#endif
}
|
8bc93d7f |
#if ENABLE_IP_PKTINFO
|
23d61c56 |
size_t |
8bc93d7f |
link_socket_write_udp_posix_sendmsg (struct link_socket *sock,
struct buffer *buf,
struct link_socket_actual *to)
{
struct iovec iov;
struct msghdr mesg;
struct cmsghdr *cmsg; |
8c431f96 |
union openvpn_pktinfo opi; |
8bc93d7f |
iov.iov_base = BPTR (buf);
iov.iov_len = BLEN (buf);
mesg.msg_iov = &iov;
mesg.msg_iovlen = 1; |
7dbe04de |
switch (to->dest.addr.sa.sa_family) |
d9c04efc |
{
case AF_INET:
{
mesg.msg_name = &to->dest.addr.sa;
mesg.msg_namelen = sizeof (struct sockaddr_in); |
8c431f96 |
mesg.msg_control = &opi; |
d9c04efc |
mesg.msg_flags = 0; |
661d914c |
#ifdef HAVE_IN_PKTINFO
mesg.msg_controllen = sizeof (struct openvpn_in4_pktinfo); |
d9c04efc |
cmsg = CMSG_FIRSTHDR (&mesg); |
830038fc |
cmsg->cmsg_len = sizeof (struct openvpn_in4_pktinfo); |
d9c04efc |
cmsg->cmsg_level = SOL_IP;
cmsg->cmsg_type = IP_PKTINFO; |
d3774cdf |
{
struct in_pktinfo *pkti; |
d9c04efc |
pkti = (struct in_pktinfo *) CMSG_DATA (cmsg);
pkti->ipi_ifindex = to->pi.in4.ipi_ifindex;
pkti->ipi_spec_dst = to->pi.in4.ipi_spec_dst;
pkti->ipi_addr.s_addr = 0; |
d3774cdf |
}
#elif defined(IP_RECVDSTADDR) |
661d914c |
ASSERT( CMSG_SPACE(sizeof (struct in_addr)) <= sizeof(opi) );
mesg.msg_controllen = CMSG_SPACE(sizeof (struct in_addr));
cmsg = CMSG_FIRSTHDR (&mesg);
cmsg->cmsg_len = CMSG_LEN(sizeof(struct in_addr)); |
d3774cdf |
cmsg->cmsg_level = IPPROTO_IP;
cmsg->cmsg_type = IP_RECVDSTADDR;
*(struct in_addr *) CMSG_DATA (cmsg) = to->pi.in4;
#else
#error ENABLE_IP_PKTINFO is set without IP_PKTINFO xor IP_RECVDSTADDR (fix syshead.h)
#endif |
d9c04efc |
break;
}
case AF_INET6:
{
struct in6_pktinfo *pkti6;
mesg.msg_name = &to->dest.addr.sa;
mesg.msg_namelen = sizeof (struct sockaddr_in6); |
8c431f96 |
mesg.msg_control = &opi;
mesg.msg_controllen = sizeof (struct openvpn_in6_pktinfo); |
d9c04efc |
mesg.msg_flags = 0;
cmsg = CMSG_FIRSTHDR (&mesg); |
830038fc |
cmsg->cmsg_len = sizeof (struct openvpn_in6_pktinfo); |
d9c04efc |
cmsg->cmsg_level = IPPROTO_IPV6;
cmsg->cmsg_type = IPV6_PKTINFO;
pkti6 = (struct in6_pktinfo *) CMSG_DATA (cmsg);
pkti6->ipi6_ifindex = to->pi.in6.ipi6_ifindex;
pkti6->ipi6_addr = to->pi.in6.ipi6_addr;
break;
} |
8335caf9 |
default: ASSERT(0); |
d9c04efc |
} |
8bc93d7f |
return sendmsg (sock->sd, &mesg, 0);
}
#endif
|
6fbf66fa |
/*
* Win32 overlapped socket I/O functions.
*/
#ifdef WIN32
int
socket_recv_queue (struct link_socket *sock, int maxsize)
{
if (sock->reads.iostate == IOSTATE_INITIAL)
{
WSABUF wsabuf[1];
int status;
/* reset buf to its initial state */ |
1ad6fc29 |
if (proto_is_udp(sock->info.proto)) |
6fbf66fa |
{
sock->reads.buf = sock->reads.buf_init;
} |
1ad6fc29 |
else if (proto_is_tcp(sock->info.proto)) |
6fbf66fa |
{
stream_buf_get_next (&sock->stream_buf, &sock->reads.buf);
}
else
{
ASSERT (0);
}
/* Win32 docs say it's okay to allocate the wsabuf on the stack */
wsabuf[0].buf = BPTR (&sock->reads.buf);
wsabuf[0].len = maxsize ? maxsize : BLEN (&sock->reads.buf);
/* check for buffer overflow */
ASSERT (wsabuf[0].len <= BLEN (&sock->reads.buf));
/* the overlapped read will signal this event on I/O completion */
ASSERT (ResetEvent (sock->reads.overlapped.hEvent));
sock->reads.flags = 0;
|
1ad6fc29 |
if (proto_is_udp(sock->info.proto)) |
6fbf66fa |
{
sock->reads.addr_defined = true; |
78b8fc72 |
sock->reads.addrlen = sizeof (sock->reads.addr6); |
6fbf66fa |
status = WSARecvFrom(
sock->sd,
wsabuf,
1,
&sock->reads.size,
&sock->reads.flags,
(struct sockaddr *) &sock->reads.addr,
&sock->reads.addrlen,
&sock->reads.overlapped,
NULL);
} |
1ad6fc29 |
else if (proto_is_tcp(sock->info.proto)) |
6fbf66fa |
{
sock->reads.addr_defined = false;
status = WSARecv(
sock->sd,
wsabuf,
1,
&sock->reads.size,
&sock->reads.flags,
&sock->reads.overlapped,
NULL);
}
else
{
status = 0;
ASSERT (0);
}
if (!status) /* operation completed immediately? */
{ |
78b8fc72 |
/* FIXME: won't do anything when sock->info.af == AF_UNSPEC */
int af_len = af_addr_size (sock->info.af);
if (sock->reads.addr_defined && af_len && sock->reads.addrlen != af_len)
bad_address_length (sock->reads.addrlen, af_len); |
6fbf66fa |
sock->reads.iostate = IOSTATE_IMMEDIATE_RETURN;
/* since we got an immediate return, we must signal the event object ourselves */
ASSERT (SetEvent (sock->reads.overlapped.hEvent));
sock->reads.status = 0;
dmsg (D_WIN32_IO, "WIN32 I/O: Socket Receive immediate return [%d,%d]",
(int) wsabuf[0].len,
(int) sock->reads.size);
}
else
{
status = WSAGetLastError ();
if (status == WSA_IO_PENDING) /* operation queued? */
{
sock->reads.iostate = IOSTATE_QUEUED;
sock->reads.status = status;
dmsg (D_WIN32_IO, "WIN32 I/O: Socket Receive queued [%d]",
(int) wsabuf[0].len);
}
else /* error occurred */
{
struct gc_arena gc = gc_new ();
ASSERT (SetEvent (sock->reads.overlapped.hEvent));
sock->reads.iostate = IOSTATE_IMMEDIATE_RETURN;
sock->reads.status = status;
dmsg (D_WIN32_IO, "WIN32 I/O: Socket Receive error [%d]: %s",
(int) wsabuf[0].len,
strerror_win32 (status, &gc));
gc_free (&gc);
}
}
}
return sock->reads.iostate;
}
int |
8bc93d7f |
socket_send_queue (struct link_socket *sock, struct buffer *buf, const struct link_socket_actual *to) |
6fbf66fa |
{
if (sock->writes.iostate == IOSTATE_INITIAL)
{
WSABUF wsabuf[1];
int status;
/* make a private copy of buf */
sock->writes.buf = sock->writes.buf_init;
sock->writes.buf.len = 0;
ASSERT (buf_copy (&sock->writes.buf, buf));
/* Win32 docs say it's okay to allocate the wsabuf on the stack */
wsabuf[0].buf = BPTR (&sock->writes.buf);
wsabuf[0].len = BLEN (&sock->writes.buf);
/* the overlapped write will signal this event on I/O completion */
ASSERT (ResetEvent (sock->writes.overlapped.hEvent));
sock->writes.flags = 0;
|
1ad6fc29 |
if (proto_is_udp(sock->info.proto)) |
6fbf66fa |
{
/* set destination address for UDP writes */
sock->writes.addr_defined = true; |
78b8fc72 |
if (to->dest.addr.sa.sa_family == AF_INET6) |
b7f203c8 |
{
sock->writes.addr6 = to->dest.addr.in6;
sock->writes.addrlen = sizeof (sock->writes.addr6);
}
else
{
sock->writes.addr = to->dest.addr.in4;
sock->writes.addrlen = sizeof (sock->writes.addr);
} |
6fbf66fa |
status = WSASendTo(
sock->sd,
wsabuf,
1,
&sock->writes.size,
sock->writes.flags,
(struct sockaddr *) &sock->writes.addr,
sock->writes.addrlen,
&sock->writes.overlapped,
NULL);
} |
1ad6fc29 |
else if (proto_is_tcp(sock->info.proto)) |
6fbf66fa |
{
/* destination address for TCP writes was established on connection initiation */
sock->writes.addr_defined = false;
status = WSASend(
sock->sd,
wsabuf,
1,
&sock->writes.size,
sock->writes.flags,
&sock->writes.overlapped,
NULL);
}
else
{
status = 0;
ASSERT (0);
}
if (!status) /* operation completed immediately? */
{
sock->writes.iostate = IOSTATE_IMMEDIATE_RETURN;
/* since we got an immediate return, we must signal the event object ourselves */
ASSERT (SetEvent (sock->writes.overlapped.hEvent));
sock->writes.status = 0;
dmsg (D_WIN32_IO, "WIN32 I/O: Socket Send immediate return [%d,%d]",
(int) wsabuf[0].len,
(int) sock->writes.size);
}
else
{
status = WSAGetLastError ();
if (status == WSA_IO_PENDING) /* operation queued? */
{
sock->writes.iostate = IOSTATE_QUEUED;
sock->writes.status = status;
dmsg (D_WIN32_IO, "WIN32 I/O: Socket Send queued [%d]",
(int) wsabuf[0].len);
}
else /* error occurred */
{
struct gc_arena gc = gc_new ();
ASSERT (SetEvent (sock->writes.overlapped.hEvent));
sock->writes.iostate = IOSTATE_IMMEDIATE_RETURN;
sock->writes.status = status;
dmsg (D_WIN32_IO, "WIN32 I/O: Socket Send error [%d]: %s",
(int) wsabuf[0].len,
strerror_win32 (status, &gc));
gc_free (&gc);
}
}
}
return sock->writes.iostate;
}
int |
8bc93d7f |
socket_finalize (SOCKET s, |
6fbf66fa |
struct overlapped_io *io,
struct buffer *buf, |
8bc93d7f |
struct link_socket_actual *from) |
6fbf66fa |
{
int ret = -1;
BOOL status;
switch (io->iostate)
{
case IOSTATE_QUEUED:
status = WSAGetOverlappedResult(
s,
&io->overlapped,
&io->size,
FALSE,
&io->flags
);
if (status)
{
/* successful return for a queued operation */
if (buf)
*buf = io->buf;
ret = io->size;
io->iostate = IOSTATE_INITIAL;
ASSERT (ResetEvent (io->overlapped.hEvent));
dmsg (D_WIN32_IO, "WIN32 I/O: Socket Completion success [%d]", ret);
}
else
{
/* error during a queued operation */
ret = -1;
if (WSAGetLastError() != WSA_IO_INCOMPLETE)
{
/* if no error (i.e. just not finished yet), then DON'T execute this code */
io->iostate = IOSTATE_INITIAL;
ASSERT (ResetEvent (io->overlapped.hEvent)); |
910675de |
msg (D_WIN32_IO | M_ERRNO, "WIN32 I/O: Socket Completion error"); |
6fbf66fa |
}
}
break;
case IOSTATE_IMMEDIATE_RETURN:
io->iostate = IOSTATE_INITIAL;
ASSERT (ResetEvent (io->overlapped.hEvent));
if (io->status)
{
/* error return for a non-queued operation */
WSASetLastError (io->status);
ret = -1; |
910675de |
msg (D_WIN32_IO | M_ERRNO, "WIN32 I/O: Socket Completion non-queued error"); |
6fbf66fa |
}
else
{
/* successful return for a non-queued operation */
if (buf)
*buf = io->buf;
ret = io->size;
dmsg (D_WIN32_IO, "WIN32 I/O: Socket Completion non-queued success [%d]", ret);
}
break;
case IOSTATE_INITIAL: /* were we called without proper queueing? */
WSASetLastError (WSAEINVAL);
ret = -1;
dmsg (D_WIN32_IO, "WIN32 I/O: Socket Completion BAD STATE");
break;
default:
ASSERT (0);
}
/* return from address if requested */
if (from)
{
if (ret >= 0 && io->addr_defined) |
b7f203c8 |
{
/* TODO(jjo): streamline this mess */
/* in this func we dont have relevant info about the PF_ of this
* endpoint, as link_socket_actual will be zero for the 1st received packet
*
* Test for inets PF_ possible sizes
*/
switch (io->addrlen)
{
case sizeof(struct sockaddr_in):
case sizeof(struct sockaddr_in6): |
eb230891 |
/* TODO(jjo): for some reason (?) I'm getting 24,28 for AF_INET6
* under WIN32*/ |
b7f203c8 |
case sizeof(struct sockaddr_in6)-4:
break;
default:
bad_address_length (io->addrlen, af_addr_size(io->addr.sin_family));
}
switch (io->addr.sin_family)
{
case AF_INET:
from->dest.addr.in4 = io->addr;
break;
case AF_INET6:
from->dest.addr.in6 = io->addr6;
break;
}
} |
6fbf66fa |
else |
4d3df224 |
CLEAR (from->dest.addr); |
6fbf66fa |
}
if (buf)
buf->len = ret;
return ret;
}
#endif /* WIN32 */
/*
* Socket event notification
*/
unsigned int
socket_set (struct link_socket *s,
struct event_set *es,
unsigned int rwflags,
void *arg,
unsigned int *persistent)
{
if (s)
{
if ((rwflags & EVENT_READ) && !stream_buf_read_setup (s))
{
ASSERT (!persistent);
rwflags &= ~EVENT_READ;
}
#ifdef WIN32
if (rwflags & EVENT_READ)
socket_recv_queue (s, 0);
#endif
/* if persistent is defined, call event_ctl only if rwflags has changed since last call */
if (!persistent || *persistent != rwflags)
{
event_ctl (es, socket_event_handle (s), rwflags, arg);
if (persistent)
*persistent = rwflags;
}
s->rwflags_debug = rwflags;
}
return rwflags;
} |
bb564a59 |
void
sd_close (socket_descriptor_t *sd)
{
if (sd && socket_defined (*sd))
{
openvpn_close_socket (*sd);
*sd = SOCKET_UNDEFINED;
}
}
#if UNIX_SOCK_SUPPORT
/*
* code for unix domain sockets
*/
const char *
sockaddr_unix_name (const struct sockaddr_un *local, const char *null)
{
if (local && local->sun_family == PF_UNIX)
return local->sun_path;
else
return null;
}
socket_descriptor_t
create_socket_unix (void)
{
socket_descriptor_t sd;
if ((sd = socket (PF_UNIX, SOCK_STREAM, 0)) < 0) |
910675de |
msg (M_ERR, "Cannot create unix domain socket"); |
bb564a59 |
return sd;
}
void
socket_bind_unix (socket_descriptor_t sd,
struct sockaddr_un *local,
const char *prefix)
{
struct gc_arena gc = gc_new ();
#ifdef HAVE_UMASK
const mode_t orig_umask = umask (0);
#endif
if (bind (sd, (struct sockaddr *) local, sizeof (struct sockaddr_un)))
{ |
910675de |
const int errnum = openvpn_errno (); |
bb564a59 |
msg (M_FATAL, "%s: Socket bind[%d] failed on unix domain socket %s: %s",
prefix,
(int)sd,
sockaddr_unix_name (local, "NULL"),
strerror_ts (errnum, &gc));
}
#ifdef HAVE_UMASK
umask (orig_umask);
#endif
gc_free (&gc);
}
socket_descriptor_t
socket_accept_unix (socket_descriptor_t sd,
struct sockaddr_un *remote)
{
socklen_t remote_len = sizeof (struct sockaddr_un);
socket_descriptor_t ret;
CLEAR (*remote);
ret = accept (sd, (struct sockaddr *) remote, &remote_len);
return ret;
}
|
86f5c7c9 |
int
socket_connect_unix (socket_descriptor_t sd,
struct sockaddr_un *remote)
{
int status = connect (sd, (struct sockaddr *) remote, sizeof (struct sockaddr_un));
if (status) |
910675de |
status = openvpn_errno (); |
86f5c7c9 |
return status;
}
|
bb564a59 |
void
sockaddr_unix_init (struct sockaddr_un *local, const char *path)
{
local->sun_family = PF_UNIX;
strncpynt (local->sun_path, path, sizeof (local->sun_path));
}
void
socket_delete_unix (const struct sockaddr_un *local)
{
const char *name = sockaddr_unix_name (local, NULL);
#ifdef HAVE_UNLINK
if (name && strlen (name))
unlink (name);
#endif
}
bool
unix_socket_get_peer_uid_gid (const socket_descriptor_t sd, int *uid, int *gid)
{
#ifdef HAVE_GETPEEREID
uid_t u;
gid_t g;
if (getpeereid (sd, &u, &g) == -1)
return false;
if (uid)
*uid = u;
if (gid)
*gid = g;
return true;
#elif defined(SO_PEERCRED)
struct ucred peercred;
socklen_t so_len = sizeof(peercred);
if (getsockopt(sd, SOL_SOCKET, SO_PEERCRED, &peercred, &so_len) == -1)
return false;
if (uid)
*uid = peercred.uid;
if (gid)
*gid = peercred.gid;
return true;
#else
return false;
#endif
}
#endif |