/*
* OpenVPN -- An application to securely tunnel IP networks
* over a single TCP/UDP port, with support for SSL/TLS-based
* session authentication and key exchange,
* packet encryption, packet authentication, and
* packet compression.
*
* Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2
* as published by the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License along
* with this program; if not, write to the Free Software Foundation, Inc.,
* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifdef HAVE_CONFIG_H
#include "config.h"
#elif defined(_MSC_VER)
#include "config-msvc.h"
#endif
#include "syshead.h"
#if P2MP_SERVER
#include "multi.h"
#include <inttypes.h>
#include "forward-inline.h"
#include "memdbg.h"
#ifdef HAVE_SYS_INOTIFY_H
#include <sys/inotify.h>
#endif
/*
* Get a client instance based on real address. If
* the instance doesn't exist, create it while
* maintaining real address hash table atomicity.
*/
struct multi_instance *
multi_get_create_instance_udp(struct multi_context *m, bool *floated)
{
struct gc_arena gc = gc_new();
struct mroute_addr real;
struct multi_instance *mi = NULL;
struct hash *hash = m->hash;
if (mroute_extract_openvpn_sockaddr(&real, &m->top.c2.from.dest, true)
&& m->top.c2.buf.len > 0)
{
struct hash_element *he;
const uint32_t hv = hash_value(hash, &real);
struct hash_bucket *bucket = hash_bucket(hash, hv);
uint8_t *ptr = BPTR(&m->top.c2.buf);
uint8_t op = ptr[0] >> P_OPCODE_SHIFT;
bool v2 = (op == P_DATA_V2) && (m->top.c2.buf.len >= (1 + 3));
bool peer_id_disabled = false;
/* make sure buffer has enough length to read opcode (1 byte) and peer-id (3 bytes) */
if (v2)
{
uint32_t peer_id = ntohl(*(uint32_t *)ptr) & 0xFFFFFF;
peer_id_disabled = (peer_id == MAX_PEER_ID);
if (!peer_id_disabled && (peer_id < m->max_clients) && (m->instances[peer_id]))
{
mi = m->instances[peer_id];
*floated = !link_socket_actual_match(&mi->context.c2.from, &m->top.c2.from);
if (*floated)
{
/* reset prefix, since here we are not sure peer is the one it claims to be */
ungenerate_prefix(mi);
msg(D_MULTI_MEDIUM, "Float requested for peer %" PRIu32 " to %s", peer_id,
mroute_addr_print(&real, &gc));
}
}
}
if (!v2 || peer_id_disabled)
{
he = hash_lookup_fast(hash, bucket, &real, hv);
if (he)
{
mi = (struct multi_instance *) he->value;
}
}
if (!mi)
{
if (!m->top.c2.tls_auth_standalone
|| tls_pre_decrypt_lite(m->top.c2.tls_auth_standalone, &m->top.c2.from, &m->top.c2.buf))
{
if (frequency_limit_event_allowed(m->new_connection_limiter))
{
mi = multi_create_instance(m, &real);
if (mi)
{
int i;
hash_add_fast(hash, bucket, &mi->real, hv, mi);
mi->did_real_hash = true;
/* max_clients must be less then max peer-id value */
ASSERT(m->max_clients < MAX_PEER_ID);
for (i = 0; i < m->max_clients; ++i)
{
if (!m->instances[i])
{
mi->context.c2.tls_multi->peer_id = i;
m->instances[i] = mi;
break;
}
}
/* should not really end up here, since multi_create_instance returns null
* if amount of clients exceeds max_clients */
ASSERT(i < m->max_clients);
}
}
else
{
msg(D_MULTI_ERRORS,
"MULTI: Connection from %s would exceed new connection frequency limit as controlled by --connect-freq",
mroute_addr_print(&real, &gc));
}
}
}
#ifdef ENABLE_DEBUG
if (check_debug_level(D_MULTI_DEBUG))
{
const char *status = mi ? "[ok]" : "[failed]";
dmsg(D_MULTI_DEBUG, "GET INST BY REAL: %s %s",
mroute_addr_print(&real, &gc),
status);
}
#endif
}
gc_free(&gc);
ASSERT(!(mi && mi->halt));
return mi;
}
/*
* Send a packet to TCP/UDP socket.
*/
static inline void
multi_process_outgoing_link(struct multi_context *m, const unsigned int mpp_flags)
{
struct multi_instance *mi = multi_process_outgoing_link_pre(m);
if (mi)
{
multi_process_outgoing_link_dowork(m, mi, mpp_flags);
}
}
/*
* Process an I/O event.
*/
static void
multi_process_io_udp(struct multi_context *m)
{
const unsigned int status = m->top.c2.event_set_status;
const unsigned int mpp_flags = m->top.c2.fast_io
? (MPP_CONDITIONAL_PRE_SELECT | MPP_CLOSE_ON_SIGNAL)
: (MPP_PRE_SELECT | MPP_CLOSE_ON_SIGNAL);
#ifdef MULTI_DEBUG_EVENT_LOOP
char buf[16];
buf[0] = 0;
if (status & SOCKET_READ)
{
strcat(buf, "SR/");
}
else if (status & SOCKET_WRITE)
{
strcat(buf, "SW/");
}
else if (status & TUN_READ)
{
strcat(buf, "TR/");
}
else if (status & TUN_WRITE)
{
strcat(buf, "TW/");
}
#ifdef ENABLE_ASYNC_PUSH
else if (status & FILE_CLOSED)
{
strcat(buf, "FC/");
}
#endif
printf("IO %s\n", buf);
#endif /* ifdef MULTI_DEBUG_EVENT_LOOP */
#ifdef ENABLE_MANAGEMENT
if (status & (MANAGEMENT_READ|MANAGEMENT_WRITE))
{
ASSERT(management);
management_io(management);
}
#endif
/* UDP port ready to accept write */
if (status & SOCKET_WRITE)
{
multi_process_outgoing_link(m, mpp_flags);
}
/* TUN device ready to accept write */
else if (status & TUN_WRITE)
{
multi_process_outgoing_tun(m, mpp_flags);
}
/* Incoming data on UDP port */
else if (status & SOCKET_READ)
{
read_incoming_link(&m->top);
if (!IS_SIG(&m->top))
{
multi_process_incoming_link(m, NULL, mpp_flags);
}
}
/* Incoming data on TUN device */
else if (status & TUN_READ)
{
read_incoming_tun(&m->top);
if (!IS_SIG(&m->top))
{
multi_process_incoming_tun(m, mpp_flags);
}
}
#ifdef ENABLE_ASYNC_PUSH
/* INOTIFY callback */
else if (status & FILE_CLOSED)
{
multi_process_file_closed(m, mpp_flags);
}
#endif
}
/*
* Return the io_wait() flags appropriate for
* a point-to-multipoint tunnel.
*/
static inline unsigned int
p2mp_iow_flags(const struct multi_context *m)
{
unsigned int flags = IOW_WAIT_SIGNAL;
if (m->pending)
{
if (TUN_OUT(&m->pending->context))
{
flags |= IOW_TO_TUN;
}
if (LINK_OUT(&m->pending->context))
{
flags |= IOW_TO_LINK;
}
}
else if (mbuf_defined(m->mbuf))
{
flags |= IOW_MBUF;
}
else
{
flags |= IOW_READ;
}
return flags;
}
/**************************************************************************/
/**
* Main event loop for OpenVPN in UDP server mode.
* @ingroup eventloop
*
* This function implements OpenVPN's main event loop for UDP server mode.
* At this time, OpenVPN does not yet support multithreading. This
* function's name is therefore slightly misleading.
*
* @param top - Top-level context structure.
*/
static void
tunnel_server_udp_single_threaded(struct context *top)
{
struct multi_context multi;
top->mode = CM_TOP;
context_clear_2(top);
/* initialize top-tunnel instance */
init_instance_handle_signals(top, top->es, CC_HARD_USR1_TO_HUP);
if (IS_SIG(top))
{
return;
}
/* initialize global multi_context object */
multi_init(&multi, top, false, MC_SINGLE_THREADED);
/* initialize our cloned top object */
multi_top_init(&multi, top);
/* initialize management interface */
init_management_callback_multi(&multi);
/* finished with initialization */
initialization_sequence_completed(top, ISC_SERVER); /* --mode server --proto udp */
#ifdef ENABLE_ASYNC_PUSH
multi.top.c2.inotify_fd = inotify_init();
if (multi.top.c2.inotify_fd < 0)
{
msg(D_MULTI_ERRORS | M_ERRNO, "MULTI: inotify_init error");
}
#endif
/* per-packet event loop */
while (true)
{
perf_push(PERF_EVENT_LOOP);
/* set up and do the io_wait() */
multi_get_timeout(&multi, &multi.top.c2.timeval);
io_wait(&multi.top, p2mp_iow_flags(&multi));
MULTI_CHECK_SIG(&multi);
/* check on status of coarse timers */
multi_process_per_second_timers(&multi);
/* timeout? */
if (multi.top.c2.event_set_status == ES_TIMEOUT)
{
multi_process_timeout(&multi, MPP_PRE_SELECT|MPP_CLOSE_ON_SIGNAL);
}
else
{
/* process I/O */
multi_process_io_udp(&multi);
MULTI_CHECK_SIG(&multi);
}
perf_pop();
}
#ifdef ENABLE_ASYNC_PUSH
close(top->c2.inotify_fd);
#endif
/* shut down management interface */
uninit_management_callback_multi(&multi);
/* save ifconfig-pool */
multi_ifconfig_pool_persist(&multi, true);
/* tear down tunnel instance (unless --persist-tun) */
multi_uninit(&multi);
multi_top_free(&multi);
close_instance(top);
}
void
tunnel_server_udp(struct context *top)
{
tunnel_server_udp_single_threaded(top);
}
#endif /* if P2MP_SERVER */