« back to all changes in this revision
Viewing changes to openvpn.c
- browse files at revision 1
- compare with another revision
- download diff
- download tarball
- view history from revision 1
- Committer: Bazaar Package Importer
- Author(s): Alberto Gonzalez Iniesta
- Date: 2004-06-10 15:59:39 UTC
- Revision ID: james.westby@ubuntu.com-20040610155939-dcmtiuvcoqnwek62
Tags: upstream-1.6.0
ImportĀ upstreamĀ versionĀ 1.6.0
- files added:
- contrib
- contrib/openvpn-fwmarkroute-1.00
- easy-rsa
- gentoo
- install-win32
- sample-config-files
- sample-keys
- sample-scripts
- service-win32
- suse
- tap-win32
- tap-win32/i386
added
removed
openvpn.c
1
/*
2
* OpenVPN -- An application to securely tunnel IP networks
3
* over a single TCP/UDP port, with support for SSL/TLS-based
4
* session authentication and key exchange,
5
* packet encryption, packet authentication, and
6
* packet compression.
7
*
8
* Copyright (C) 2002-2004 James Yonan <jim@yonan.net>
9
*
10
* This program is free software; you can redistribute it and/or modify
11
* it under the terms of the GNU General Public License as published by
12
* the Free Software Foundation; either version 2 of the License, or
13
* (at your option) any later version.
14
*
15
* This program is distributed in the hope that it will be useful,
16
* but WITHOUT ANY WARRANTY; without even the implied warranty of
17
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18
* GNU General Public License for more details.
19
*
20
* You should have received a copy of the GNU General Public License
21
* along with this program (see the file COPYING included with this
22
* distribution); if not, write to the Free Software Foundation, Inc.,
23
* 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
24
*/
25
26
#ifdef WIN32
27
#include "config-win32.h"
28
#else
29
#include "config.h"
30
#endif
31
32
#include "syshead.h"
33
34
#include "common.h"
35
#include "error.h"
36
#include "integer.h"
37
#include "options.h"
38
#include "socket.h"
39
#include "buffer.h"
40
#include "crypto.h"
41
#include "ssl.h"
42
#include "misc.h"
43
#include "lzo.h"
44
#include "tun.h"
45
#include "mss.h"
46
#include "gremlin.h"
47
#include "shaper.h"
48
#include "thread.h"
49
#include "interval.h"
50
#include "io.h"
51
#include "fragment.h"
52
#include "proxy.h"
53
#include "socks.h"
54
#include "openvpn.h"
55
#include "win32.h"
56
57
#include "memdbg.h"
58
59
/*
60
* This random string identifies an OpenVPN ping packet.
61
* It should be of sufficient length and randomness
62
* so as not to collide with other tunnel data.
63
*/
64
static const uint8_t ping_string[] = {
65
0x2a, 0x18, 0x7b, 0xf3, 0x64, 0x1e, 0xb4, 0xcb,
66
0x07, 0xed, 0x2d, 0x0a, 0x98, 0x1f, 0xc7, 0x48
67
};
68
69
/*
70
* This random string identifies an OpenVPN
71
* options consistency check packet.
72
* It should be of sufficient length and randomness
73
* so as not to collide with other tunnel data.
74
*
75
* The OCC protocol is as follows:
76
*
77
* occ_magic -- (16 octets)
78
*
79
* type [OCC_REQUEST | OCC_REPLY] (1 octet)
80
* null terminated options string if OCC_REPLY (variable)
81
*
82
* When encryption is used, the OCC packet
83
* is encapsulated within the encrypted
84
* envelope.
85
*/
86
87
static const uint8_t occ_magic[] = {
88
0x28, 0x7f, 0x34, 0x6b, 0xd4, 0xef, 0x7a, 0x81,
89
0x2d, 0x56, 0xb8, 0xd3, 0xaf, 0xc5, 0x45, 0x9c
90
};
91
92
/*
93
* OCC protocol opcodes used for options consistency checks.
94
*/
95
96
#define OCC_REQUEST 0 /* request options string from peer */
97
#define OCC_REPLY 1 /* deliver options string to peer */
98
99
/*
100
* Send an OCC_REQUEST once every OCC_INTERVAL
101
* seconds until a reply is received.
102
*
103
* If we haven't received a reply after
104
* OCC_N_TRIES, give up.
105
*/
106
#define OCC_INTERVAL_SECONDS 10
107
#define OCC_N_TRIES 12
108
109
/*
110
* Other OCC protocol opcodes used to estimate the MTU empirically.
111
*/
112
#define OCC_MTU_LOAD_REQUEST 2 /* Ask peer to send a big packet to us */
113
#define OCC_MTU_LOAD 3 /* Send a big packet to peer */
114
#define OCC_MTU_REQUEST 4 /* Ask peer to tell us the largest
115
packet it has received from us so far */
116
#define OCC_MTU_REPLY 5 /* Send largest packet size to peer */
117
118
/*
119
* Process one command from mtu_load_test_sequence
120
* once every n seconds, if --mtu-test is specified.
121
*/
122
#define OCC_MTU_LOAD_INTERVAL_SECONDS 3
123
124
/*
125
* Used to conduct a load test command sequence
126
* of UDP connection for empirical MTU measurement.
127
*/
128
struct mtu_load_test
129
{
130
int op; /* OCC opcode to send to peer */
131
int delta; /* determine packet size to send by using
132
this delta against currently
133
configured MTU */
134
};
135
136
static const struct mtu_load_test mtu_load_test_sequence[] = {
137
138
{ OCC_MTU_LOAD_REQUEST, -1000 },
139
{ OCC_MTU_LOAD, -1000 },
140
{ OCC_MTU_LOAD_REQUEST, -1000 },
141
{ OCC_MTU_LOAD, -1000 },
142
{ OCC_MTU_LOAD_REQUEST, -1000 },
143
{ OCC_MTU_LOAD, -1000 },
144
145
{ OCC_MTU_LOAD_REQUEST, -500 },
146
{ OCC_MTU_LOAD, -500 },
147
{ OCC_MTU_LOAD_REQUEST, -500 },
148
{ OCC_MTU_LOAD, -500 },
149
{ OCC_MTU_LOAD_REQUEST, -500 },
150
{ OCC_MTU_LOAD, -500 },
151
152
{ OCC_MTU_LOAD_REQUEST, -750 },
153
{ OCC_MTU_LOAD, -750 },
154
{ OCC_MTU_LOAD_REQUEST, -750 },
155
{ OCC_MTU_LOAD, -750 },
156
{ OCC_MTU_LOAD_REQUEST, -750 },
157
{ OCC_MTU_LOAD, -750 },
158
159
{ OCC_MTU_LOAD_REQUEST, -400 },
160
{ OCC_MTU_LOAD, -400 },
161
{ OCC_MTU_LOAD_REQUEST, -400 },
162
{ OCC_MTU_LOAD, -400 },
163
{ OCC_MTU_LOAD_REQUEST, -400 },
164
{ OCC_MTU_LOAD, -400 },
165
166
{ OCC_MTU_LOAD_REQUEST, -300 },
167
{ OCC_MTU_LOAD, -300 },
168
{ OCC_MTU_LOAD_REQUEST, -300 },
169
{ OCC_MTU_LOAD, -300 },
170
{ OCC_MTU_LOAD_REQUEST, -300 },
171
{ OCC_MTU_LOAD, -300 },
172
173
{ OCC_MTU_LOAD_REQUEST, -200 },
174
{ OCC_MTU_LOAD, -200 },
175
{ OCC_MTU_LOAD_REQUEST, -200 },
176
{ OCC_MTU_LOAD, -200 },
177
{ OCC_MTU_LOAD_REQUEST, -200 },
178
{ OCC_MTU_LOAD, -200 },
179
180
{ OCC_MTU_LOAD_REQUEST, -150 },
181
{ OCC_MTU_LOAD, -150 },
182
{ OCC_MTU_LOAD_REQUEST, -150 },
183
{ OCC_MTU_LOAD, -150 },
184
{ OCC_MTU_LOAD_REQUEST, -150 },
185
{ OCC_MTU_LOAD, -150 },
186
187
{ OCC_MTU_LOAD_REQUEST, -100 },
188
{ OCC_MTU_LOAD, -100 },
189
{ OCC_MTU_LOAD_REQUEST, -100 },
190
{ OCC_MTU_LOAD, -100 },
191
{ OCC_MTU_LOAD_REQUEST, -100 },
192
{ OCC_MTU_LOAD, -100 },
193
194
{ OCC_MTU_LOAD_REQUEST, -50 },
195
{ OCC_MTU_LOAD, -50 },
196
{ OCC_MTU_LOAD_REQUEST, -50 },
197
{ OCC_MTU_LOAD, -50 },
198
{ OCC_MTU_LOAD_REQUEST, -50 },
199
{ OCC_MTU_LOAD, -50 },
200
201
{ OCC_MTU_LOAD_REQUEST, 0 },
202
{ OCC_MTU_LOAD, 0 },
203
{ OCC_MTU_LOAD_REQUEST, 0 },
204
{ OCC_MTU_LOAD, 0 },
205
{ OCC_MTU_LOAD_REQUEST, 0 },
206
{ OCC_MTU_LOAD, 0 },
207
208
{ OCC_MTU_REQUEST, 0 },
209
{ OCC_MTU_REQUEST, 0 },
210
{ OCC_MTU_REQUEST, 0 },
211
{ OCC_MTU_REQUEST, 0 },
212
{ OCC_MTU_REQUEST, 0 },
213
{ OCC_MTU_REQUEST, 0 },
214
{ OCC_MTU_REQUEST, 0 },
215
{ OCC_MTU_REQUEST, 0 },
216
{ OCC_MTU_REQUEST, 0 },
217
{ OCC_MTU_REQUEST, 0 },
218
219
{ -1, 0 }
220
};
221
222
/*
223
* Should we become a daemon?
224
* level == 0 after parameters have been parsed but before any initialization
225
* level == 1 after initialization but before any SSL/TLS negotiation or
226
* tunnel data is forwarded
227
* first_time is true until first exit of openvpn() function
228
*
229
* Return true if we did it.
230
*/
231
static bool
232
possibly_become_daemon (int level, const struct options* options, const bool first_time)
233
{
234
bool ret = false;
235
if (first_time && options->daemon)
236
{
237
ASSERT (!options->inetd);
238
if (level == DAEMONIZATION_LEVEL)
239
{
240
if (daemon (options->cd_dir != NULL, options->log) < 0)
241
msg (M_ERR, "daemon() failed");
242
ret = true;
243
}
244
}
245
return ret;
246
}
247
248
/*
249
* Initialize the route list, resolving any DNS names in route
250
* options and saving routes in the environment.
251
*/
252
static void
253
do_init_route_list (const struct options *options,
254
struct route_list *route_list,
255
struct link_socket *link_socket,
256
bool fatal)
257
{
258
const char *gw = NULL;
259
int dev = dev_type_enum (options->dev, options->dev_type);
260
261
if (dev == DEV_TYPE_TUN)
262
gw = options->ifconfig_remote_netmask;
263
if (options->route_default_gateway)
264
gw = options->route_default_gateway;
265
266
if (!init_route_list (route_list,
267
&options->routes,
268
gw,
269
link_socket_current_remote (link_socket)))
270
{
271
if (fatal)
272
openvpn_exit (OPENVPN_EXIT_STATUS_ERROR); /* exit point */
273
}
274
else
275
{
276
/* copy routes to environment */
277
setenv_routes (route_list);
278
}
279
}
280
281
/*
282
* Possibly add routes and/or call route-up script
283
* based on options.
284
*/
285
static void
286
do_route (const struct options* options,
287
struct route_list *route_list)
288
{
289
if (!options->route_noexec)
290
add_routes (route_list, false);
291
if (options->route_script)
292
{
293
setenv_str ("script_type", "route-up");
294
system_check (options->route_script, "Route script failed", false);
295
}
296
}
297
298
/*
299
* Open tun/tap device, ifconfig, call up script, etc.
300
*/
301
302
static bool
303
do_open_tun (const struct options *options,
304
struct frame *frame,
305
struct link_socket *link_socket,
306
struct tuntap *tuntap,
307
struct route_list *route_list)
308
{
309
bool ret = false;
310
311
if (!tuntap_defined (tuntap))
312
{
313
/* parse and resolve the route option list */
314
do_init_route_list (options, route_list, link_socket, true);
315
316
/* do ifconfig */
317
if (!options->ifconfig_noexec
318
&& ifconfig_order() == IFCONFIG_BEFORE_TUN_OPEN)
319
{
320
/* guess actual tun/tap unit number that will be returned
321
by open_tun */
322
const char *guess = guess_tuntap_dev (options->dev,
323
options->dev_type,
324
options->dev_node);
325
do_ifconfig (tuntap,
326
guess,
327
TUN_MTU_SIZE (frame));
328
}
329
330
/* open the tun device */
331
open_tun (options->dev, options->dev_type, options->dev_node,
332
options->tun_ipv6, tuntap);
333
334
/* do ifconfig */
335
if (!options->ifconfig_noexec
336
&& ifconfig_order() == IFCONFIG_AFTER_TUN_OPEN)
337
do_ifconfig (tuntap,
338
tuntap->actual,
339
TUN_MTU_SIZE (frame));
340
341
/* run the up script */
342
run_script (options->up_script,
343
tuntap->actual,
344
TUN_MTU_SIZE (frame),
345
EXPANDED_SIZE (frame),
346
print_in_addr_t (tuntap->local, true),
347
print_in_addr_t (tuntap->remote_netmask, true),
348
"init",
349
NULL,
350
"up");
351
352
/* possibly add routes */
353
if (!options->route_delay_defined)
354
do_route (options, route_list);
355
356
/*
357
* Did tun/tap driver give us an MTU?
358
*/
359
if (tuntap->post_open_mtu)
360
frame_set_mtu_dynamic (
361
frame,
362
tuntap->post_open_mtu,
363
SET_MTU_TUN | SET_MTU_UPPER_BOUND);
364
365
/*
366
* On Windows, it is usually wrong if --tun-mtu != 1500.
367
*/
368
#ifdef WIN32
369
if (TUN_MTU_SIZE (frame) != 1500)
370
msg (M_WARN, "WARNING: in general you should use '--tun-mtu 1500 --mssfix 1400' on both sides of the connection if at least one side is running Windows, unless you have explicitly modified the TAP-Win32 driver properties");
371
#endif
372
ret = true;
373
}
374
else
375
{
376
msg (M_INFO, "Preserving previous TUN/TAP instance: %s", tuntap->actual);
377
378
/* run the up script if user specified --up-restart */
379
if (options->up_restart)
380
run_script (options->up_script,
381
tuntap->actual,
382
TUN_MTU_SIZE (frame),
383
EXPANDED_SIZE (frame),
384
print_in_addr_t (tuntap->local, true),
385
print_in_addr_t (tuntap->remote_netmask, true),
386
"restart",
387
NULL,
388
"up");
389
}
390
return ret;
391
}
392
393
/*
394
* Depending on protocol, sleep before restart to prevent
395
* TCP race.
396
*/
397
static void
398
socket_restart_pause (int proto, bool http_proxy, bool socks_proxy)
399
{
400
int sec = 0;
401
switch (proto)
402
{
403
case PROTO_UDPv4:
404
sec = socks_proxy ? 3 : 0;
405
break;
406
case PROTO_TCPv4_SERVER:
407
sec = 1;
408
break;
409
case PROTO_TCPv4_CLIENT:
410
sec = (http_proxy || socks_proxy) ? 10 : 3;
411
break;
412
}
413
if (sec)
414
{
415
msg (D_RESTART, "Restart pause, %d second(s)", sec);
416
sleep (sec);
417
}
418
}
419
420
/* Handle signals */
421
422
static volatile int signal_received = 0;
423
424
static const char *
425
signal_description (int signum, const char *sigtext)
426
{
427
if (sigtext)
428
return sigtext;
429
else
430
{
431
switch (signum) {
432
case SIGUSR1:
433
return "sigusr1";
434
case SIGUSR2:
435
return "sigusr2";
436
case SIGHUP:
437
return "sighup";
438
case SIGTERM:
439
return "sigterm";
440
case SIGINT:
441
return "sigint";
442
default:
443
return "unknown";
444
}
445
}
446
}
447
448
static void
449
print_signal (int signum)
450
{
451
switch (signum)
452
{
453
case SIGINT:
454
msg (M_INFO, "SIGINT received, exiting");
455
break;
456
case SIGTERM:
457
msg (M_INFO, "SIGTERM received, exiting");
458
break;
459
case SIGHUP:
460
msg (M_INFO, "SIGHUP received, restarting");
461
break;
462
case SIGUSR1:
463
msg (M_INFO, "SIGUSR1 received, restarting");
464
break;
465
default:
466
msg (M_INFO, "Unknown signal %d received", signal_received);
467
break;
468
}
469
}
470
471
#ifdef HAVE_SIGNAL_H
472
473
/* normal signal handler, when we are in event loop */
474
static void
475
signal_handler (int signum)
476
{
477
signal_received = signum;
478
signal (signum, signal_handler);
479
}
480
481
/* temporary signal handler, before we are fully initialized */
482
static void
483
signal_handler_exit (int signum)
484
{
485
msg (M_FATAL | M_NOLOCK,
486
"Signal %d (%s) received during initialization, exiting",
487
signum,
488
signal_description (signum, NULL));
489
}
490
491
#endif /* HAVE_SIGNAL_H */
492
493
/*
494
* For debugging, dump a packet in
495
* nominally human-readable form.
496
*/
497
#if defined(USE_CRYPTO) && defined(USE_SSL)
498
#define TLS_MODE (tls_multi != NULL)
499
#define PROTO_DUMP_FLAGS (check_debug_level (D_LINK_RW_VERBOSE) ? (PD_SHOW_DATA|PD_VERBOSE) : 0)
500
#define PROTO_DUMP(buf) protocol_dump(buf, \
501
PROTO_DUMP_FLAGS | \
502
(tls_multi ? PD_TLS : 0) | \
503
(options->tls_auth_file ? ks->key_type.hmac_length : 0) \
504
)
505
#else
506
#define TLS_MODE (false)
507
#define PROTO_DUMP(buf) format_hex (BPTR (buf), BLEN (buf), 80)
508
#endif
509
510
#ifdef USE_CRYPTO
511
#define MD5SUM(buf, len) md5sum(buf, len, 0)
512
#else
513
#define MD5SUM(buf, len) "[unavailable]"
514
#endif
515
516
#if defined(USE_PTHREAD) && defined(USE_CRYPTO)
517
static void *test_crypto_thread (void *arg);
518
#endif
519
520
/*
521
* Our global key schedules, packaged thusly
522
* to facilitate --persist-key.
523
*/
524
525
struct key_schedule
526
{
527
#ifdef USE_CRYPTO
528
/* which cipher, HMAC digest, and key sizes are we using? */
529
struct key_type key_type;
530
531
/* pre-shared static key, read from a file */
532
struct key_ctx_bi static_key;
533
534
#ifdef USE_SSL
535
/* our global SSL context */
536
SSL_CTX *ssl_ctx;
537
538
/* optional authentication HMAC key for TLS control channel */
539
struct key_ctx_bi tls_auth_key;
540
541
#endif /* USE_SSL */
542
#else /* USE_CRYPTO */
543
int dummy;
544
#endif /* USE_CRYPTO */
545
};
546
547
static void
548
key_schedule_free(struct key_schedule* ks)
549
{
550
#ifdef USE_CRYPTO
551
free_key_ctx_bi (&ks->static_key);
552
#ifdef USE_SSL
553
if (ks->ssl_ctx)
554
SSL_CTX_free (ks->ssl_ctx);
555
free_key_ctx_bi (&ks->tls_auth_key);
556
#endif /* USE_SSL */
557
#endif /* USE_CRYPTO */
558
CLEAR (*ks);
559
}
560
561
/*
562
* struct packet_id_persist should be empty if we are not
563
* building with crypto.
564
*/
565
#ifndef PACKET_ID_H
566
struct packet_id_persist { int dummy; };
567
static inline void packet_id_persist_init (struct packet_id_persist *p) {}
568
#endif
569
570
/*
571
* Finalize MTU parameters based on command line or config file options.
572
*/
573
static void
574
frame_finalize_options (struct frame *frame, const struct options *options)
575
{
576
577
frame_finalize (frame,
578
options->link_mtu_defined,
579
options->link_mtu,
580
options->tun_mtu_defined,
581
options->tun_mtu);
582
}
583
584
/*
585
* Do the work. Initialize and enter main event loop.
586
* Called after command line has been parsed.
587
*
588
* first_time is true during our first call -- we may
589
* be called multiple times due to SIGHUP or SIGUSR1.
590
*/
591
static int
592
openvpn (const struct options *options,
593
struct link_socket_addr *link_socket_addr,
594
struct tuntap *tuntap,
595
struct key_schedule *ks,
596
struct packet_id_persist *pid_persist,
597
struct route_list *route_list,
598
struct http_proxy_info *http_proxy,
599
struct socks_proxy_info *socks_proxy,
600
bool first_time)
601
{
602
/*
603
* Initialize garbage collection level.
604
* When we pop the level at the end
605
* of the routine, everything we
606
* allocated with gc_malloc at our level
607
* or recursively lower levels will
608
* automatically be freed.
609
*/
610
const int gc_level = gc_new_level ();
611
612
/* our global wait event */
613
struct event_wait event_wait;
614
615
#if PASSTOS_CAPABILITY
616
/* used to get/set TOS. */
617
uint8_t ptos;
618
bool ptos_defined = false;
619
#endif
620
621
/* declare various buffers */
622
struct buffer to_tun = clear_buf ();
623
struct buffer to_link = clear_buf ();
624
struct buffer buf = clear_buf ();
625
struct buffer aux_buf = clear_buf ();
626
struct buffer nullbuf = clear_buf ();
627
628
/* tells us to free to_link buffer after it has been written to TCP/UDP port */
629
bool free_to_link = false;
630
631
struct link_socket link_socket; /* socket used for TCP/UDP connection to remote */
632
struct sockaddr_in to_link_addr; /* IP address of remote */
633
634
/* MTU frame parameters */
635
struct frame frame;
636
637
#ifdef FRAGMENT_ENABLE
638
/* Object to handle advanced MTU negotiation and datagram fragmentation */
639
struct fragment_master *fragment = NULL;
640
struct frame frame_fragment;
641
struct frame frame_fragment_omit;
642
#endif
643
644
/* Always set to current time. */
645
time_t current;
646
647
#ifdef HAVE_GETTIMEOFDAY
648
/*
649
* Traffic shaper object.
650
*/
651
struct shaper shaper;
652
#endif
653
654
/*
655
* Statistics
656
*/
657
counter_type tun_read_bytes = 0;
658
counter_type tun_write_bytes = 0;
659
counter_type link_read_bytes = 0;
660
counter_type link_read_bytes_auth = 0;
661
counter_type link_write_bytes = 0;
662
663
/*
664
* Timer objects for ping and inactivity
665
* timeout features.
666
*/
667
struct event_timeout wait_for_connect = event_timeout_clear_ret ();
668
struct event_timeout inactivity_interval = event_timeout_clear_ret ();
669
struct event_timeout ping_send_interval = event_timeout_clear_ret ();
670
struct event_timeout ping_rec_interval = event_timeout_clear_ret ();
671
672
/* the option strings must match across peers */
673
char *options_string_local = NULL;
674
char *options_string_remote = NULL;
675
676
int occ_op = -1; /* OCC request code received from remote */
677
int occ_n_tries = 0;
678
struct event_timeout occ_interval = event_timeout_clear_ret ();
679
680
/*
681
* Keep track of maximum packet size received so far
682
* (of authenticated packets).
683
*/
684
int original_recv_size = 0; /* temporary */
685
int max_recv_size_local = 0; /* max packet size received */
686
int max_recv_size_remote = 0; /* max packet size received by remote */
687
int max_send_size_local = 0; /* max packet size sent */
688
int max_send_size_remote = 0; /* max packet size sent by remote */
689
690
/* remote wants us to send back a load test packet of this size */
691
int occ_mtu_load_size = 0;
692
693
struct event_timeout occ_mtu_load_test_interval = event_timeout_clear_ret ();
694
int occ_mtu_load_n_tries = 0;
695
696
#ifdef USE_CRYPTO
697
698
/*
699
* TLS-mode crypto objects.
700
*/
701
#ifdef USE_SSL
702
703
/* master OpenVPN SSL/TLS object */
704
struct tls_multi *tls_multi = NULL;
705
706
#ifdef USE_PTHREAD
707
708
/* object containing TLS thread state */
709
struct thread_parms thread_parms;
710
711
/* object sent to us by TLS thread */
712
struct tt_ret tt_ret;
713
714
/* did we open TLS thread? */
715
bool thread_opened = false;
716
717
#else
718
719
/* used to optimize calls to tls_multi_process
720
in single-threaded mode */
721
struct interval tmp_int;
722
723
#endif
724
#endif
725
726
/* workspace buffers used by crypto routines */
727
struct buffer encrypt_buf = clear_buf ();
728
struct buffer decrypt_buf = clear_buf ();
729
730
/* passed to encrypt or decrypt, contains all
731
crypto-related command line options related
732
to data channel encryption/decryption */
733
struct crypto_options crypto_options;
734
735
/* used to keep track of data channel packet sequence numbers */
736
struct packet_id packet_id;
737
#endif
738
739
/*
740
* LZO compression library objects.
741
*/
742
#ifdef USE_LZO
743
struct buffer lzo_compress_buf = clear_buf ();
744
struct buffer lzo_decompress_buf = clear_buf ();
745
struct lzo_compress_workspace lzo_compwork;
746
#endif
747
748
/*
749
* Buffers used to read from TUN device
750
* and TCP/UDP port.
751
*/
752
struct buffer read_link_buf = clear_buf ();
753
struct buffer read_tun_buf = clear_buf ();
754
755
/*
756
* IPv4 TUN device?
757
*/
758
bool ipv4_tun = (!options->tun_ipv6 && is_dev_type (options->dev, options->dev_type, "tun"));
759
760
/* workspace for get_pid_file/write_pid */
761
struct pid_state pid_state;
762
763
/* workspace for --user/--group */
764
struct user_state user_state;
765
struct group_state group_state;
766
767
/* temporary variable */
768
bool did_we_daemonize = false;
769
770
/* description of signal */
771
const char *signal_text = NULL;
772
773
#ifdef LOG_RW
774
/* should we print R|W|r|w to console on packet transfers? */
775
const bool log_rw = (check_debug_level (D_LOG_RW) && !check_debug_level (D_LOG_RW + 1));
776
#endif
777
778
/* route stuff */
779
struct event_timeout route_wakeup = event_timeout_clear_ret ();
780
781
/* did we open tun/tap dev during this cycle? */
782
bool did_open_tun = false;
783
784
/* ------------- */
785
786
#ifdef HAVE_SIGNAL_H
787
/*
788
* Special handling if signal arrives before
789
* we are properly initialized.
790
*/
791
signal (SIGINT, signal_handler_exit);
792
signal (SIGTERM, signal_handler_exit);
793
signal (SIGHUP, signal_handler_exit);
794
signal (SIGUSR1, signal_handler_exit);
795
signal (SIGUSR2, signal_handler_exit);
796
signal (SIGPIPE, SIG_IGN);
797
#endif /* HAVE_SIGNAL_H */
798
799
if (!first_time)
800
socket_restart_pause (options->proto, options->http_proxy_server != NULL,
801
options->socks_proxy_server != NULL);
802
803
wait_init (&event_wait);
804
link_socket_reset (&link_socket);
805
806
CLEAR (frame);
807
808
#ifdef FRAGMENT_ENABLE
809
CLEAR (frame_fragment_omit);
810
#endif
811
812
/* should we disable paging? */
813
if (first_time && options->mlock)
814
do_mlockall (true);
815
816
/*
817
* Initialize advanced MTU negotiation and datagram fragmentation
818
*/
819
#ifdef FRAGMENT_ENABLE
820
if (options->fragment)
821
fragment = fragment_init (&frame);
822
#endif
823
824
#ifdef USE_CRYPTO
825
/* init PRNG used for IV generation */
826
prng_init ();
827
828
/* load a persisted packet-id for cross-session replay-protection */
829
if (options->packet_id_file)
830
packet_id_persist_load (pid_persist, options->packet_id_file);
831
832
/* Initialize crypto options */
833
834
CLEAR (crypto_options);
835
CLEAR (packet_id);
836
crypto_options.use_iv = options->use_iv;
837
838
if (options->shared_secret_file)
839
{
840
/*
841
* Static Key Mode (using a pre-shared key)
842
*/
843
844
/* Initialize packet ID tracking */
845
if (options->replay)
846
{
847
packet_id_init (&packet_id, options->replay_window, options->replay_time);
848
crypto_options.packet_id = &packet_id;
849
crypto_options.pid_persist = pid_persist;
850
crypto_options.packet_id_long_form = true;
851
packet_id_persist_load_obj (pid_persist, crypto_options.packet_id);
852
}
853
854
if (!key_ctx_bi_defined (&ks->static_key))
855
{
856
struct key2 key2;
857
struct key_direction_state kds;
858
859
/* Get cipher & hash algorithms */
860
init_key_type (&ks->key_type, options->ciphername,
861
options->ciphername_defined, options->authname,
862
options->authname_defined, options->keysize,
863
options->test_crypto, true);
864
865
/* Read cipher and hmac keys from shared secret file */
866
read_key_file (&key2, options->shared_secret_file, true);
867
868
/* Check for and fix highly unlikely key problems */
869
verify_fix_key2 (&key2, &ks->key_type, options->shared_secret_file);
870
871
/* Initialize OpenSSL key objects */
872
key_direction_state_init (&kds, options->key_direction);
873
must_have_n_keys (options->shared_secret_file, "secret", &key2, kds.need_keys);
874
init_key_ctx (&ks->static_key.encrypt, &key2.keys[kds.out_key], &ks->key_type, DO_ENCRYPT, "Static Encrypt");
875
init_key_ctx (&ks->static_key.decrypt, &key2.keys[kds.in_key], &ks->key_type, DO_DECRYPT, "Static Decrypt");
876
877
/* Erase the temporary copy of key */
878
CLEAR (key2);
879
}
880
else
881
{
882
msg (M_INFO, "Re-using pre-shared static key");
883
}
884
885
/* Get key schedule */
886
crypto_options.key_ctx_bi = &ks->static_key;
887
888
/* Compute MTU parameters */
889
crypto_adjust_frame_parameters(&frame,
890
&ks->key_type,
891
options->ciphername_defined,
892
options->use_iv,
893
options->replay,
894
true);
895
896
/* Sanity check on IV, sequence number, and cipher mode options */
897
check_replay_iv_consistency(&ks->key_type, options->replay, options->use_iv);
898
899
/*
900
* Test-crypto is a debugging tool
901
* that basically does a loopback test
902
* on the crypto subsystem.
903
*/
904
if (options->test_crypto)
905
{
906
#ifdef USE_PTHREAD
907
if (first_time)
908
{
909
thread_init();
910
work_thread_create(test_crypto_thread, (void*) options);
911
}
912
#endif
913
frame_finalize_options (&frame, options);
914
915
test_crypto (&crypto_options, &frame);
916
key_schedule_free (ks);
917
signal_received = 0;
918
#ifdef USE_PTHREAD
919
if (first_time)
920
work_thread_join ();
921
#endif
922
goto done;
923
}
924
}
925
#ifdef USE_SSL
926
else if (options->tls_server || options->tls_client)
927
{
928
/*
929
* TLS-based dynamic key exchange mode
930
*/
931
struct tls_options to;
932
bool packet_id_long_form;
933
934
ASSERT (!options->test_crypto);
935
936
/* Make sure we are either a TLS client or server but not both */
937
ASSERT (options->tls_server == !options->tls_client);
938
939
/* Let user specify a script to verify the incoming certificate */
940
tls_set_verify_command (options->tls_verify);
941
942
/* Verify the X509 name of the incoming host */
943
tls_set_verify_x509name (options->tls_remote);
944
945
/* Let user specify a certificate revocation list to
946
check the incoming certificate */
947
tls_set_crl_verify (options->crl_file);
948
949
if (!ks->ssl_ctx)
950
{
951
/*
952
* Initialize the OpenSSL library's global
953
* SSL context.
954
*/
955
ks->ssl_ctx = init_ssl (options->tls_server,
956
options->ca_file,
957
options->dh_file,
958
options->cert_file,
959
options->priv_key_file,
960
options->cipher_list);
961
962
/* Get cipher & hash algorithms */
963
init_key_type (&ks->key_type, options->ciphername,
964
options->ciphername_defined, options->authname,
965
options->authname_defined, options->keysize,
966
true, true);
967
968
/* TLS handshake authentication (--tls-auth) */
969
if (options->tls_auth_file)
970
get_tls_handshake_key (&ks->key_type,
971
&ks->tls_auth_key,
972
options->tls_auth_file,
973
options->key_direction);
974
}
975
else
976
{
977
msg (M_INFO, "Re-using SSL/TLS context");
978
}
979
980
/* Sanity check on IV, sequence number, and cipher mode options */
981
check_replay_iv_consistency(&ks->key_type, options->replay, options->use_iv);
982
983
/* In short form, unique datagram identifier is 32 bits, in long form 64 bits */
984
packet_id_long_form = cfb_ofb_mode (&ks->key_type);
985
986
/* Compute MTU parameters */
987
crypto_adjust_frame_parameters(&frame,
988
&ks->key_type,
989
options->ciphername_defined,
990
options->use_iv,
991
options->replay,
992
packet_id_long_form);
993
tls_adjust_frame_parameters(&frame);
994
995
/* Set all command-line TLS-related options */
996
CLEAR (to);
997
to.ssl_ctx = ks->ssl_ctx;
998
to.key_type = ks->key_type;
999
to.server = options->tls_server;
1000
to.key_method = options->key_method;
1001
to.replay = options->replay;
1002
to.packet_id_long_form = packet_id_long_form;
1003
to.replay_window = options->replay_window;
1004
to.replay_time = options->replay_time;
1005
to.transition_window = options->transition_window;
1006
to.handshake_window = options->handshake_window;
1007
to.packet_timeout = options->tls_timeout;
1008
to.renegotiate_bytes = options->renegotiate_bytes;
1009
to.renegotiate_packets = options->renegotiate_packets;
1010
to.renegotiate_seconds = options->renegotiate_seconds;
1011
to.single_session = options->single_session;
1012
to.disable_occ = !options->occ;
1013
1014
/* TLS handshake authentication (--tls-auth) */
1015
if (options->tls_auth_file)
1016
{
1017
to.tls_auth_key = ks->tls_auth_key;
1018
to.tls_auth.pid_persist = pid_persist;
1019
to.tls_auth.packet_id_long_form = true;
1020
crypto_adjust_frame_parameters(&to.frame,
1021
&ks->key_type,
1022
false,
1023
false,
1024
true,
1025
true);
1026
}
1027
1028
/* If we are running over TCP, allow for
1029
length prefix */
1030
socket_adjust_frame_parameters (&to.frame, options->proto);
1031
1032
/*
1033
* Initialize OpenVPN's master TLS-mode object.
1034
*/
1035
tls_multi = tls_multi_init (&to);
1036
}
1037
#endif
1038
else
1039
{
1040
/*
1041
* No encryption or authentication.
1042
*/
1043
ASSERT (!options->test_crypto);
1044
free_key_ctx_bi (&ks->static_key);
1045
crypto_options.key_ctx_bi = &ks->static_key;
1046
msg (M_WARN,
1047
"******* WARNING *******: all encryption and authentication features disabled -- all data will be tunnelled as cleartext");
1048
}
1049
1050
#else /* USE_CRYPTO */
1051
1052
msg (M_WARN,
1053
"******* WARNING *******: " PACKAGE_NAME " built without OpenSSL -- encryption and authentication features disabled -- all data will be tunnelled as cleartext");
1054
1055
#endif /* USE_CRYPTO */
1056
1057
#ifdef USE_LZO
1058
/*
1059
* Initialize LZO compression library.
1060
*/
1061
if (options->comp_lzo)
1062
{
1063
lzo_compress_init (&lzo_compwork, options->comp_lzo_adaptive);
1064
lzo_adjust_frame_parameters (&frame);
1065
#ifdef FRAGMENT_ENABLE
1066
lzo_adjust_frame_parameters (&frame_fragment_omit); /* omit LZO frame delta from final frame_fragment */
1067
#endif
1068
}
1069
#endif
1070
1071
/*
1072
* Adjust frame size for UDP Socks support.
1073
*/
1074
if (options->socks_proxy_server)
1075
socks_adjust_frame_parameters (&frame, options->proto);
1076
1077
/*
1078
* Adjust frame size based on the --tun-mtu-extra parameter.
1079
*/
1080
if (options->tun_mtu_extra_defined)
1081
tun_adjust_frame_parameters (&frame, options->tun_mtu_extra);
1082
1083
/*
1084
* Adjust frame size based on link socket parameters.
1085
* (Since TCP is a stream protocol, we need to insert
1086
* a packet length uint16_t in the buffer.)
1087
*/
1088
socket_adjust_frame_parameters (&frame, options->proto);
1089
1090
/*
1091
* Fill in the blanks in the frame parameters structure,
1092
* make sure values are rational, etc.
1093
*/
1094
frame_finalize_options (&frame, options);
1095
1096
/*
1097
* Set frame parameter for fragment code. This is necessary because
1098
* the fragmentation code deals with payloads which have already been
1099
* passed through the compression code.
1100
*/
1101
#ifdef FRAGMENT_ENABLE
1102
frame_fragment = frame;
1103
frame_subtract_extra (&frame_fragment, &frame_fragment_omit);
1104
#endif
1105
1106
#if defined(USE_CRYPTO) && defined(USE_SSL)
1107
if (tls_multi)
1108
{
1109
tls_multi_init_finalize (tls_multi, &frame);
1110
ASSERT (EXPANDED_SIZE (&tls_multi->opt.frame) <= EXPANDED_SIZE (&frame));
1111
frame_print (&tls_multi->opt.frame, D_MTU_INFO, "Control Channel MTU parms");
1112
}
1113
#endif
1114
1115
/*
1116
* Now that we know all frame parameters, initialize
1117
* our buffers.
1118
*/
1119
1120
read_link_buf = alloc_buf (BUF_SIZE (&frame));
1121
read_tun_buf = alloc_buf (BUF_SIZE (&frame));
1122
aux_buf = alloc_buf (BUF_SIZE (&frame));
1123
1124
#ifdef USE_CRYPTO
1125
encrypt_buf = alloc_buf (BUF_SIZE (&frame));
1126
decrypt_buf = alloc_buf (BUF_SIZE (&frame));
1127
#endif
1128
1129
#ifdef USE_LZO
1130
if (options->comp_lzo)
1131
{
1132
lzo_compress_buf = alloc_buf (BUF_SIZE (&frame));
1133
lzo_decompress_buf = alloc_buf (BUF_SIZE (&frame));
1134
}
1135
#endif
1136
1137
#ifdef FRAGMENT_ENABLE
1138
/* fragmenting code has buffers to initialize
1139
once frame parameters are known */
1140
if (fragment)
1141
{
1142
ASSERT (options->fragment);
1143
frame_set_mtu_dynamic (
1144
&frame_fragment,
1145
options->fragment,
1146
SET_MTU_UPPER_BOUND
1147
);
1148
fragment_frame_init (fragment, &frame_fragment);
1149
}
1150
#endif
1151
1152
/*
1153
* Set the dynamic MTU parameter, used by the --mssfix
1154
* option. If --mssfix is supplied without a parameter,
1155
* then default to --fragment size. Otherwise default
1156
* to udp_mtu or (on Windows) TAP-Win32 mtu size which
1157
* is set in the adapter advanced properties dialog.
1158
*/
1159
if (options->mssfix_defined)
1160
{
1161
if (options->mssfix)
1162
{
1163
frame_set_mtu_dynamic (
1164
&frame,
1165
options->mssfix,
1166
SET_MTU_UPPER_BOUND
1167
);
1168
}
1169
#ifdef FRAGMENT_ENABLE
1170
else if (fragment)
1171
{
1172
frame_set_mtu_dynamic (
1173
&frame,
1174
EXPANDED_SIZE_DYNAMIC (&frame_fragment),
1175
SET_MTU_UPPER_BOUND
1176
);
1177
}
1178
#endif
1179
}
1180
1181
#ifdef FRAGMENT_ENABLE
1182
1183
if (options->fragment && options->mtu_test)
1184
msg (M_WARN, "WARNING: using --fragment and --mtu-test together may produce an inaccurate MTU test result");
1185
1186
if ((options->mssfix || options->fragment) && TUN_MTU_SIZE (&frame_fragment) != ETHERNET_MTU)
1187
msg (M_WARN, "WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu %d (currently it is %d)",
1188
ETHERNET_MTU,
1189
TUN_MTU_SIZE (&frame_fragment));
1190
1191
#endif
1192
1193
/* bind the TCP/UDP socket */
1194
1195
link_socket_init_phase1 (&link_socket,
1196
options->local, options->remote,
1197
options->local_port, options->remote_port,
1198
options->proto,
1199
http_proxy->defined ? http_proxy : NULL,
1200
socks_proxy->defined ? socks_proxy : NULL,
1201
options->bind_local,
1202
options->remote_float,
1203
options->inetd,
1204
link_socket_addr,
1205
options->ipchange,
1206
options->resolve_retry_seconds,
1207
options->connect_retry_seconds,
1208
options->mtu_discover_type);
1209
1210
/* initialize tun/tap device object */
1211
1212
init_tun (tuntap,
1213
options->dev,
1214
options->dev_type,
1215
options->ifconfig_local,
1216
options->ifconfig_remote_netmask,
1217
addr_host (&link_socket.lsa->local),
1218
addr_host (&link_socket.lsa->remote),
1219
&frame,
1220
&options->tuntap_options);
1221
1222
/* open tun/tap device, ifconfig, run up script, etc. */
1223
1224
if (!options->up_delay)
1225
did_open_tun = do_open_tun (options, &frame, &link_socket, tuntap, route_list);
1226
1227
/*
1228
* Print MTU INFO
1229
*/
1230
frame_print (&frame, D_MTU_INFO, "Data Channel MTU parms");
1231
#ifdef FRAGMENT_ENABLE
1232
if (fragment)
1233
frame_print (&frame_fragment, D_MTU_INFO, "Fragmentation MTU parms");
1234
#endif
1235
1236
/*
1237
* Get local and remote options compatibility strings.
1238
*/
1239
options_string_local = options_string (options, &frame, tuntap, false);
1240
options_string_remote = options_string (options, &frame, tuntap, true);
1241
1242
msg (D_SHOW_OCC, "Local Options String: '%s'", options_string_local);
1243
msg (D_SHOW_OCC, "Expected Remote Options String: '%s'", options_string_remote);
1244
1245
#ifdef USE_CRYPTO
1246
msg (D_SHOW_OCC_HASH, "Local Options hash (VER=%s): '%s'",
1247
options_string_version (options_string_local),
1248
md5sum (options_string_local, strlen(options_string_local), 9));
1249
msg (D_SHOW_OCC_HASH, "Expected Remote Options hash (VER=%s): '%s'",
1250
options_string_version (options_string_remote),
1251
md5sum (options_string_remote, strlen (options_string_remote), 9));
1252
#endif
1253
1254
#if defined(USE_CRYPTO) && defined(USE_SSL)
1255
if (tls_multi)
1256
tls_multi_init_set_options(tls_multi,
1257
options_string_local,
1258
options_string_remote);
1259
#endif
1260
1261
#ifdef HAVE_GETTIMEOFDAY
1262
/* initialize traffic shaper (i.e. transmit bandwidth limiter) */
1263
if (options->shaper)
1264
{
1265
shaper_init (&shaper, options->shaper);
1266
shaper_msg (&shaper);
1267
}
1268
#endif
1269
1270
if (first_time)
1271
{
1272
/* get user and/or group that we want to setuid/setgid to */
1273
get_group (options->groupname, &group_state);
1274
get_user (options->username, &user_state);
1275
1276
/* get --writepid file descriptor */
1277
get_pid_file (options->writepid, &pid_state);
1278
1279
/* chroot if requested */
1280
if (options->chroot_dir)
1281
{
1282
#if 0
1283
/* not needed because gethostbyname is now called in
1284
link_socket_init_phase1 even if --resolv-retry is also specified. */
1285
1286
/* do a dummy DNS lookup before entering the chroot jail
1287
to load the resolver libraries */
1288
if (options->remote)
1289
(void) gethostbyname (options->remote);
1290
#endif
1291
do_chroot (options->chroot_dir);
1292
}
1293
}
1294
1295
/* become a daemon if --daemon */
1296
did_we_daemonize = possibly_become_daemon (1, options, first_time);
1297
1298
#ifdef HAVE_SIGNAL_H
1299
/* catch signals */
1300
signal (SIGINT, signal_handler);
1301
signal (SIGTERM, signal_handler);
1302
signal (SIGHUP, signal_handler);
1303
signal (SIGUSR1, signal_handler);
1304
signal (SIGUSR2, signal_handler);
1305
#endif /* HAVE_SIGNAL_H */
1306
1307
if (first_time)
1308
{
1309
/* should we disable paging? */
1310
if (options->mlock && did_we_daemonize)
1311
do_mlockall (true); /* call again in case we daemonized */
1312
1313
/* should we change scheduling priority? */
1314
set_nice (options->nice);
1315
1316
/* set user and/or group that we want to setuid/setgid to */
1317
set_group (&group_state);
1318
set_user (&user_state);
1319
1320
/* save process ID in a file */
1321
write_pid (&pid_state);
1322
1323
/* initialize threading if pthread configure option enabled */
1324
thread_init();
1325
}
1326
1327
/* finalize the TCP/UDP socket */
1328
link_socket_init_phase2 (&link_socket, &frame, &signal_received);
1329
if (signal_received)
1330
{
1331
signal_text = "socket";
1332
print_signal (signal_received);
1333
goto cleanup;
1334
}
1335
1336
/* start the TLS thread */
1337
#if defined(USE_CRYPTO) && defined(USE_SSL) && defined(USE_PTHREAD)
1338
if (tls_multi)
1339
{
1340
tls_thread_create (&thread_parms, tls_multi, &link_socket,
1341
options->nice_work, options->mlock);
1342
thread_opened = true;
1343
}
1344
#endif
1345
1346
/*
1347
* MAIN EVENT LOOP
1348
*
1349
* Pipe TCP/UDP -> tun and tun -> TCP/UDP using nonblocked i/o.
1350
*
1351
* If tls_multi is defined, multiplex a TLS
1352
* control channel over the TCP/UDP connection which
1353
* will be used for secure key exchange with our peer.
1354
*
1355
*/
1356
1357
/* select wants maximum fd + 1 (why doesn't it just figure it out for itself?) */
1358
SOCKET_SETMAXFD(link_socket);
1359
TUNTAP_SETMAXFD(tuntap);
1360
1361
current = time (NULL);
1362
1363
/* initialize connection establishment timer */
1364
event_timeout_init (&wait_for_connect, current, 5);
1365
1366
/* initialize inactivity timeout */
1367
if (options->inactivity_timeout)
1368
event_timeout_init (&inactivity_interval, current, options->inactivity_timeout);
1369
1370
/* initialize pings */
1371
1372
if (options->ping_send_timeout)
1373
event_timeout_init (&ping_send_interval, 0, options->ping_send_timeout);
1374
1375
if (options->ping_rec_timeout)
1376
event_timeout_init (&ping_rec_interval, current, options->ping_rec_timeout);
1377
1378
/* initialize occ timers */
1379
1380
if (options->occ
1381
&& !TLS_MODE
1382
&& options_string_local
1383
&& options_string_remote)
1384
event_timeout_init (&occ_interval, current, OCC_INTERVAL_SECONDS);
1385
1386
if (options->mtu_test)
1387
event_timeout_init (&occ_mtu_load_test_interval, current, OCC_MTU_LOAD_INTERVAL_SECONDS);
1388
1389
#if defined(USE_CRYPTO) && defined(USE_SSL)
1390
#ifdef USE_PTHREAD
1391
TLS_THREAD_SOCKET_SETMAXFD (thread_parms);
1392
#else
1393
/* initialize tmp_int optimization that limits the number of times we call
1394
tls_multi_process in the main event loop */
1395
interval_init (&tmp_int, TLS_MULTI_HORIZON, TLS_MULTI_REFRESH);
1396
#endif
1397
#endif
1398
1399
/* this flag is true for buffers coming from the TLS background thread */
1400
free_to_link = false;
1401
1402
while (true)
1403
{
1404
int stat = 0;
1405
struct timeval *tv = NULL;
1406
struct timeval timeval;
1407
1408
signal_text = NULL;
1409
1410
/* initialize select() timeout */
1411
timeval.tv_sec = BIG_TIMEOUT;
1412
timeval.tv_usec = 0;
1413
tv = &timeval;
1414
1415
#if defined(WIN32) && defined(TAP_WIN32_DEBUG)
1416
timeval.tv_sec = 1;
1417
if (check_debug_level (D_TAP_WIN32_DEBUG))
1418
tun_show_debug (tuntap);
1419
#endif
1420
1421
#ifdef USE_CRYPTO
1422
/* flush current packet-id to file once per 60
1423
seconds if --replay-persist was specified */
1424
packet_id_persist_flush (pid_persist, current, 60);
1425
#endif
1426
1427
#if defined(USE_CRYPTO) && defined(USE_SSL) && !defined(USE_PTHREAD)
1428
/*
1429
* In TLS mode, let TLS level respond to any control-channel
1430
* packets which were received, or prepare any packets for
1431
* transmission.
1432
*
1433
* tmp_int is purely an optimization that allows us to call
1434
* tls_multi_process less frequently when there's not much
1435
* traffic on the control-channel.
1436
*
1437
*/
1438
if (tls_multi)
1439
{
1440
interval_t wakeup = BIG_TIMEOUT;
1441
1442
if (interval_test (&tmp_int, current))
1443
{
1444
if (tls_multi_process (tls_multi, &to_link, &to_link_addr,
1445
&link_socket, &wakeup, current))
1446
interval_action (&tmp_int, current);
1447
1448
interval_future_trigger (&tmp_int, wakeup, current);
1449
free_to_link = false;
1450
}
1451
1452
interval_schedule_wakeup (&tmp_int, current, &wakeup);
1453
1454
if (wakeup)
1455
{
1456
timeval.tv_sec = wakeup;
1457
timeval.tv_usec = 0;
1458
}
1459
}
1460
#endif
1461
1462
current = time (NULL);
1463
1464
#if defined(USE_CRYPTO) && defined(USE_SSL)
1465
if (tls_multi && link_socket_connection_oriented (&link_socket) && tls_multi->n_errors)
1466
{
1467
/* TLS errors are fatal in TCP mode */
1468
signal_received = SIGUSR1;
1469
msg (D_STREAM_ERRORS, "Fatal decryption error, restarting");
1470
signal_text = "tls-error";
1471
break;
1472
}
1473
#endif
1474
1475
/*
1476
* Things that need to happen immediately after connection initiation should go here.
1477
*/
1478
if (event_timeout_defined (&wait_for_connect))
1479
{
1480
if (event_timeout_trigger (&wait_for_connect, current, &timeval))
1481
{
1482
if (CONNECTION_ESTABLISHED (&link_socket))
1483
{
1484
/* if --up-delay specified, open tun, do ifconfig, and run up script now */
1485
if (options->up_delay)
1486
{
1487
did_open_tun = do_open_tun (options, &frame, &link_socket, tuntap, route_list);
1488
TUNTAP_SETMAXFD(tuntap);
1489
current = time (NULL);
1490
}
1491
1492
if (did_open_tun)
1493
{
1494
/* if --route-delay was specified, start timer */
1495
if (options->route_delay_defined)
1496
event_timeout_init (&route_wakeup, current, options->route_delay);
1497
}
1498
1499
event_timeout_clear (&wait_for_connect);
1500
}
1501
}
1502
}
1503
1504
/*
1505
* Should we add routes?
1506
*/
1507
if (event_timeout_trigger (&route_wakeup, current, &timeval))
1508
{
1509
do_route (options, route_list);
1510
current = time (NULL);
1511
event_timeout_clear (&route_wakeup);
1512
}
1513
1514
/*
1515
* Should we exit due to inactivity timeout?
1516
*/
1517
if (options->inactivity_timeout)
1518
{
1519
if (event_timeout_trigger (&inactivity_interval, current, &timeval))
1520
{
1521
msg (M_INFO, "Inactivity timeout (--inactive), exiting");
1522
signal_received = 0;
1523
signal_text = "inactive";
1524
break;
1525
}
1526
}
1527
1528
/*
1529
* Should we exit or restart due to ping (or other authenticated packet)
1530
* not received in n seconds?
1531
*/
1532
if (options->ping_rec_timeout &&
1533
(!options->ping_timer_remote || addr_defined (&link_socket_addr->actual)))
1534
{
1535
if (event_timeout_trigger (&ping_rec_interval, current, &timeval))
1536
{
1537
switch (options->ping_rec_timeout_action)
1538
{
1539
case PING_EXIT:
1540
msg (M_INFO, "Inactivity timeout (--ping-exit), exiting");
1541
signal_received = 0;
1542
signal_text = "ping-exit";
1543
break;
1544
case PING_RESTART:
1545
msg (M_INFO, "Inactivity timeout (--ping-restart), restarting");
1546
signal_received = SIGUSR1;
1547
signal_text = "ping-restart";
1548
break;
1549
default:
1550
ASSERT (0);
1551
}
1552
break;
1553
}
1554
}
1555
1556
/*
1557
* Should we send an OCC_REQUEST message?
1558
*/
1559
if (event_timeout_defined (&occ_interval)
1560
&& !to_link.len
1561
&& occ_op < 0)
1562
{
1563
if (event_timeout_trigger (&occ_interval, current, &timeval))
1564
{
1565
if (++occ_n_tries >= OCC_N_TRIES)
1566
{
1567
if (options->remote)
1568
/*
1569
* No OCC_REPLY from peer after repeated attempts.
1570
* Give up.
1571
*/
1572
msg (D_SHOW_OCC, "NOTE: failed to obtain options consistency info from peer -- this could occur if the remote peer is running a version of " PACKAGE_NAME " before 1.5-beta8 or if there is a network connectivity problem, and will not necessarily prevent " PACKAGE_NAME " from running (%u bytes received from peer, %u bytes authenticated data channel traffic) -- you can disable the options consistency check with --disable-occ.", (unsigned int) link_read_bytes, (unsigned int) link_read_bytes_auth);
1573
event_timeout_clear (&occ_interval);
1574
}
1575
else
1576
{
1577
occ_op = OCC_REQUEST;
1578
1579
/*
1580
* If we don't hear back from peer, send another
1581
* OCC_REQUEST in OCC_INTERVAL_SECONDS.
1582
*/
1583
event_timeout_reset (&occ_interval, current);
1584
}
1585
}
1586
}
1587
1588
/*
1589
* Should we send an MTU load test?
1590
*/
1591
if (event_timeout_defined (&occ_mtu_load_test_interval)
1592
&& !to_link.len
1593
&& occ_op < 0)
1594
{
1595
if (event_timeout_trigger (&occ_mtu_load_test_interval, current, &timeval))
1596
{
1597
if (CONNECTION_ESTABLISHED (&link_socket))
1598
{
1599
const struct mtu_load_test *entry;
1600
1601
if (!occ_mtu_load_n_tries)
1602
msg (M_INFO, "NOTE: Beginning empirical MTU test -- results should be available in 3 to 4 minutes.");
1603
1604
entry = &mtu_load_test_sequence[occ_mtu_load_n_tries++];
1605
if (entry->op >= 0)
1606
{
1607
occ_op = entry->op;
1608
occ_mtu_load_size = EXPANDED_SIZE (&frame) + entry->delta;
1609
}
1610
else
1611
{
1612
msg (M_INFO, "NOTE: failed to empirically measure MTU (requires 1.5-beta8 or higher at other end of connection).");
1613
event_timeout_clear (&occ_mtu_load_test_interval);
1614
occ_mtu_load_n_tries = 0;
1615
}
1616
}
1617
}
1618
}
1619
1620
/*
1621
* Should we send an OCC message?
1622
*/
1623
if (occ_op >= 0 && !to_link.len
1624
#ifdef FRAGMENT_ENABLE
1625
&& (!fragment || !fragment_outgoing_defined (fragment))
1626
#endif
1627
)
1628
{
1629
bool doit = false;
1630
1631
buf = aux_buf;
1632
ASSERT (buf_init (&buf, FRAME_HEADROOM (&frame)));
1633
ASSERT (buf_safe (&buf, MAX_RW_SIZE_TUN (&frame)));
1634
ASSERT (buf_write (&buf, occ_magic, sizeof (occ_magic)));
1635
1636
switch (occ_op)
1637
{
1638
case OCC_REQUEST:
1639
if (!buf_write_u8 (&buf, OCC_REQUEST))
1640
break;
1641
msg (D_PACKET_CONTENT, "SENT OCC_REQUEST");
1642
doit = true;
1643
break;
1644
1645
case OCC_REPLY:
1646
if (!options_string_local)
1647
break;
1648
if (!buf_write_u8 (&buf, OCC_REPLY))
1649
break;
1650
if (!buf_write (&buf, options_string_local,
1651
strlen (options_string_local) + 1))
1652
break;
1653
msg (D_PACKET_CONTENT, "SENT OCC_REPLY");
1654
doit = true;
1655
break;
1656
1657
case OCC_MTU_REQUEST:
1658
if (!buf_write_u8 (&buf, OCC_MTU_REQUEST))
1659
break;
1660
msg (D_PACKET_CONTENT, "SENT OCC_MTU_REQUEST");
1661
doit = true;
1662
break;
1663
1664
case OCC_MTU_REPLY:
1665
if (!buf_write_u8 (&buf, OCC_MTU_REPLY))
1666
break;
1667
if (!buf_write_u16 (&buf, max_recv_size_local))
1668
break;
1669
if (!buf_write_u16 (&buf, max_send_size_local))
1670
break;
1671
msg (D_PACKET_CONTENT, "SENT OCC_MTU_REPLY");
1672
doit = true;
1673
break;
1674
1675
case OCC_MTU_LOAD_REQUEST:
1676
if (!buf_write_u8 (&buf, OCC_MTU_LOAD_REQUEST))
1677
break;
1678
if (!buf_write_u16 (&buf, occ_mtu_load_size))
1679
break;
1680
msg (D_PACKET_CONTENT, "SENT OCC_MTU_LOAD_REQUEST");
1681
doit = true;
1682
break;
1683
1684
case OCC_MTU_LOAD:
1685
{
1686
int need_to_add;
1687
1688
if (!buf_write_u8 (&buf, OCC_MTU_LOAD))
1689
break;
1690
need_to_add = min_int (
1691
occ_mtu_load_size
1692
- sizeof (occ_magic)
1693
- sizeof (uint8_t)
1694
- EXTRA_FRAME (&frame),
1695
EXPANDED_SIZE (&frame));
1696
while (need_to_add > 0)
1697
{
1698
/*
1699
* Fill the load test packet with pseudo-random bytes.
1700
*/
1701
if (!buf_write_u8 (&buf, get_random() & 0xFF))
1702
break;
1703
--need_to_add;
1704
}
1705
msg (D_PACKET_CONTENT, "SENT OCC_MTU_LOAD %d", occ_mtu_load_size);
1706
doit = true;
1707
}
1708
break;
1709
}
1710
1711
if (doit)
1712
{
1713
/*
1714
* We will treat the packet like any other outgoing packet,
1715
* compress, encrypt, sign, etc.
1716
*/
1717
# include "encrypt_sign.h"
1718
}
1719
1720
occ_op = -1;
1721
}
1722
1723
#ifdef FRAGMENT_ENABLE
1724
/*
1725
* Should we deliver a datagram fragment to remote?
1726
*/
1727
if (fragment)
1728
{
1729
/* OS MTU Hint? */
1730
if (link_socket.mtu_changed && ipv4_tun)
1731
{
1732
frame_adjust_path_mtu (&frame_fragment, link_socket.mtu, options->proto);
1733
link_socket.mtu_changed = false;
1734
}
1735
if (!to_link.len
1736
&& fragment_outgoing_defined (fragment)
1737
&& fragment_ready_to_send (fragment, &buf, &frame_fragment))
1738
{
1739
# define NO_COMP_FRAG
1740
# include "encrypt_sign.h"
1741
}
1742
fragment_housekeeping (fragment, &frame_fragment, current, &timeval);
1743
tv = &timeval;
1744
}
1745
#endif /* FRAGMENT_ENABLE */
1746
1747
/*
1748
* Should we ping the remote?
1749
*/
1750
if (options->ping_send_timeout)
1751
{
1752
if (!to_link.len)
1753
{
1754
if (event_timeout_trigger (&ping_send_interval, current, &timeval))
1755
{
1756
buf = aux_buf;
1757
ASSERT (buf_init (&buf, FRAME_HEADROOM (&frame)));
1758
ASSERT (buf_safe (&buf, MAX_RW_SIZE_TUN (&frame)));
1759
ASSERT (buf_write (&buf, ping_string, sizeof (ping_string)));
1760
1761
/*
1762
* We will treat the ping like any other outgoing packet,
1763
* encrypt, sign, etc.
1764
*/
1765
# include "encrypt_sign.h"
1766
msg (D_PACKET_CONTENT, "SENT PING");
1767
}
1768
}
1769
}
1770
1771
/* do a quick garbage collect */
1772
gc_collect (gc_level);
1773
1774
/*
1775
* Set up for select call.
1776
*
1777
* Decide what kind of events we want to wait for.
1778
*/
1779
wait_reset (&event_wait);
1780
1781
/*
1782
* On win32 we use the keyboard or an event object as a source
1783
* of asynchronous signals.
1784
*/
1785
WAIT_SIGNAL (&event_wait);
1786
1787
/*
1788
* If outgoing data (for TCP/UDP port) pending, wait for ready-to-send
1789
* status from TCP/UDP port. Otherwise, wait for incoming data on
1790
* TUN/TAP device.
1791
*/
1792
if (to_link.len > 0)
1793
{
1794
/*
1795
* If sending this packet would put us over our traffic shaping
1796
* quota, don't send -- instead compute the delay we must wait
1797
* until it will be OK to send the packet.
1798
*/
1799
1800
#ifdef HAVE_GETTIMEOFDAY
1801
int delay = 0;
1802
1803
/* set traffic shaping delay in microseconds */
1804
if (options->shaper)
1805
delay = max_int (delay, shaper_delay (&shaper));
1806
1807
if (delay < 1000)
1808
{
1809
SOCKET_SET_WRITE (link_socket);
1810
}
1811
else
1812
{
1813
shaper_soonest_event (&timeval, delay);
1814
tv = &timeval;
1815
}
1816
#else /* HAVE_GETTIMEOFDAY */
1817
SOCKET_SET_WRITE (link_socket);
1818
#endif /* HAVE_GETTIMEOFDAY */
1819
}
1820
#ifdef FRAGMENT_ENABLE
1821
else if (!fragment || !fragment_outgoing_defined (fragment))
1822
#else
1823
else
1824
#endif
1825
{
1826
TUNTAP_SET_READ (tuntap);
1827
#if defined(USE_CRYPTO) && defined(USE_SSL) && defined(USE_PTHREAD)
1828
TLS_THREAD_SOCKET_SET (thread_parms, reads);
1829
#endif
1830
}
1831
1832
/*
1833
* If outgoing data (for TUN/TAP device) pending, wait for ready-to-send status
1834
* from device. Otherwise, wait for incoming data on TCP/UDP port.
1835
*/
1836
if (to_tun.len > 0)
1837
{
1838
TUNTAP_SET_WRITE (tuntap);
1839
}
1840
else
1841
{
1842
SOCKET_SET_READ (link_socket);
1843
}
1844
1845
/*
1846
* Possible scenarios:
1847
* (1) tcp/udp port has data available to read
1848
* (2) tcp/udp port is ready to accept more data to write
1849
* (3) tun dev has data available to read
1850
* (4) tun dev is ready to accept more data to write
1851
* (5) tls background thread has data available to forward to
1852
* tcp/udp port
1853
* (6) we received a signal (handler sets signal_received)
1854
* (7) timeout (tv) expired (from TLS, shaper, inactivity
1855
* timeout, or ping timeout)
1856
*/
1857
1858
/*
1859
* Wait for something to happen.
1860
*/
1861
stat = 1; /* this will be our return "status" if select doesn't get called */
1862
if (!signal_received && !SOCKET_READ_RESIDUAL (link_socket)) {
1863
msg (D_SELECT, "SELECT %s|%s|%s|%s %d/%d",
1864
TUNTAP_READ_STAT (tuntap),
1865
TUNTAP_WRITE_STAT (tuntap),
1866
SOCKET_READ_STAT (link_socket),
1867
SOCKET_WRITE_STAT (link_socket),
1868
tv ? (int)tv->tv_sec : -1,
1869
tv ? (int)tv->tv_usec : -1
1870
);
1871
1872
stat = SELECT ();
1873
check_status (stat, "select", NULL, NULL);
1874
}
1875
1876
/* current should always be a reasonably up-to-date timestamp */
1877
current = time (NULL);
1878
1879
/* set signal_received if a signal was received */
1880
SELECT_SIGNAL_RECEIVED ();
1881
1882
/*
1883
* Did we get a signal before or while we were waiting
1884
* in select() ?
1885
*/
1886
if (signal_received)
1887
{
1888
if (signal_received == SIGUSR2)
1889
{
1890
msg (M_INFO, "Current " PACKAGE_NAME " Statistics:");
1891
msg (M_INFO, " TUN/TAP read bytes: " counter_format, tun_read_bytes);
1892
msg (M_INFO, " TUN/TAP write bytes: " counter_format, tun_write_bytes);
1893
msg (M_INFO, " TCP/UDP read bytes: " counter_format, link_read_bytes);
1894
msg (M_INFO, " TCP/UDP write bytes: " counter_format, link_write_bytes);
1895
msg (M_INFO, " Auth read bytes: " counter_format, link_read_bytes_auth);
1896
#ifdef USE_LZO
1897
if (options->comp_lzo)
1898
lzo_print_stats (&lzo_compwork);
1899
#endif
1900
#ifdef WIN32
1901
msg (M_INFO, " TAP-WIN32 driver status: %s", tap_win32_getinfo (tuntap));
1902
#endif
1903
signal_received = 0;
1904
continue;
1905
}
1906
1907
print_signal (signal_received);
1908
1909
/* for all other signals (INT, TERM, HUP, USR1) we break */
1910
break;
1911
}
1912
1913
if (!stat) /* timeout? */
1914
continue;
1915
1916
if (stat > 0)
1917
{
1918
/* Incoming data on TCP/UDP port */
1919
if (SOCKET_READ_RESIDUAL (link_socket) || SOCKET_ISSET (link_socket, reads))
1920
{
1921
/*
1922
* Set up for recvfrom call to read datagram
1923
* sent to our TCP/UDP port.
1924
*/
1925
struct sockaddr_in from;
1926
int status;
1927
1928
ASSERT (!to_tun.len);
1929
buf = read_link_buf;
1930
ASSERT (buf_init (&buf, FRAME_HEADROOM (&frame)));
1931
1932
status = link_socket_read (&link_socket, &buf, MAX_RW_SIZE_LINK (&frame), &from);
1933
1934
if (socket_connection_reset (&link_socket, status))
1935
{
1936
/* received a disconnect from a connection-oriented protocol */
1937
if (options->inetd)
1938
{
1939
signal_received = SIGTERM;
1940
msg (D_STREAM_ERRORS, "Connection reset, inetd/xinetd exit [%d]", status);
1941
}
1942
else
1943
{
1944
signal_received = SIGUSR1;
1945
msg (D_STREAM_ERRORS, "Connection reset, restarting [%d]", status);
1946
}
1947
signal_text = "connection-reset";
1948
break;
1949
}
1950
1951
if (buf.len > 0)
1952
{
1953
link_read_bytes += buf.len;
1954
original_recv_size = buf.len;
1955
}
1956
else
1957
original_recv_size = 0;
1958
1959
/* check recvfrom status */
1960
check_status (status, "read", &link_socket, NULL);
1961
1962
/* take action to corrupt packet if we are in gremlin test mode */
1963
if (options->gremlin) {
1964
if (!ask_gremlin())
1965
buf.len = 0;
1966
corrupt_gremlin(&buf);
1967
}
1968
1969
/* log incoming packet */
1970
#ifdef LOG_RW
1971
if (log_rw)
1972
fprintf (stderr, "R");
1973
#endif
1974
msg (D_LINK_RW, "%s READ [%d] from %s: %s",
1975
proto2ascii (link_socket.proto, true),
1976
BLEN (&buf),
1977
print_sockaddr (&from),
1978
PROTO_DUMP (&buf));
1979
1980
/*
1981
* Good, non-zero length packet received.
1982
* Commence multi-stage processing of packet,
1983
* such as authenticate, decrypt, decompress.
1984
* If any stage fails, it sets buf.len to 0 or -1,
1985
* telling downstream stages to ignore the packet.
1986
*/
1987
if (buf.len > 0)
1988
{
1989
link_socket_incoming_addr (&buf, &link_socket, &from);
1990
#ifdef USE_CRYPTO
1991
#ifdef USE_SSL
1992
mutex_lock (L_TLS);
1993
if (tls_multi)
1994
{
1995
/*
1996
* If tls_pre_decrypt returns true, it means the incoming
1997
* packet was a good TLS control channel packet. If so, TLS code
1998
* will deal with the packet and set buf.len to 0 so downstream
1999
* stages ignore it.
2000
*
2001
* If the packet is a data channel packet, tls_pre_decrypt
2002
* will load crypto_options with the correct encryption key
2003
* and return false.
2004
*/
2005
if (tls_pre_decrypt (tls_multi, &from, &buf, &crypto_options, current))
2006
{
2007
#ifdef USE_PTHREAD
2008
/* tell TLS thread a packet is waiting */
2009
if (tls_thread_process (&thread_parms) == -1)
2010
{
2011
msg (M_WARN, "TLS thread is not responding, exiting (1)");
2012
signal_received = 0;
2013
signal_text = "error";
2014
mutex_unlock (L_TLS);
2015
break;
2016
}
2017
#else
2018
interval_action (&tmp_int, current);
2019
#endif /* USE_PTHREAD */
2020
/* reset packet received timer if TLS packet */
2021
if (options->ping_rec_timeout)
2022
event_timeout_reset (&ping_rec_interval, current);
2023
}
2024
}
2025
#endif /* USE_SSL */
2026
/* authenticate and decrypt the incoming packet */
2027
if (!openvpn_decrypt (&buf, decrypt_buf, &crypto_options, &frame, current))
2028
{
2029
if (link_socket_connection_oriented (&link_socket))
2030
{
2031
/* decryption errors are fatal in TCP mode */
2032
signal_received = SIGUSR1;
2033
msg (D_STREAM_ERRORS, "Fatal decryption error, restarting");
2034
signal_text = "decryption-error";
2035
mutex_unlock (L_TLS);
2036
break;
2037
}
2038
}
2039
#ifdef USE_SSL
2040
mutex_unlock (L_TLS);
2041
#endif /* USE_SSL */
2042
#endif /* USE_CRYPTO */
2043
#ifdef FRAGMENT_ENABLE
2044
if (fragment)
2045
fragment_incoming (fragment, &buf, &frame_fragment, current);
2046
#endif
2047
#ifdef USE_LZO
2048
/* decompress the incoming packet */
2049
if (options->comp_lzo)
2050
lzo_decompress (&buf, lzo_decompress_buf, &lzo_compwork, &frame);
2051
#endif
2052
/*
2053
* Set our "official" outgoing address, since
2054
* if buf.len is non-zero, we know the packet
2055
* authenticated. In TLS mode we do nothing
2056
* because TLS mode takes care of source address
2057
* authentication.
2058
*
2059
* Also, update the persisted version of our packet-id.
2060
*/
2061
if (!TLS_MODE)
2062
link_socket_set_outgoing_addr (&buf, &link_socket, &from);
2063
2064
/* reset packet received timer */
2065
if (options->ping_rec_timeout && buf.len > 0)
2066
event_timeout_reset (&ping_rec_interval, current);
2067
2068
/* increment authenticated receive byte count */
2069
if (buf.len > 0)
2070
{
2071
link_read_bytes_auth += buf.len;
2072
max_recv_size_local = max_int (original_recv_size, max_recv_size_local);
2073
}
2074
2075
/* Did we just receive an openvpn ping packet? */
2076
if (buf_string_match (&buf, ping_string, sizeof (ping_string)))
2077
{
2078
msg (D_PACKET_CONTENT, "RECEIVED PING PACKET");
2079
buf.len = 0; /* drop packet */
2080
}
2081
2082
/* Did we just receive an OCC packet? */
2083
if (buf_string_match_head (&buf, occ_magic, sizeof (occ_magic)))
2084
{
2085
ASSERT (buf_advance (&buf, sizeof (occ_magic)));
2086
switch (buf_read_u8 (&buf))
2087
{
2088
case OCC_REQUEST:
2089
msg (D_PACKET_CONTENT, "RECEIVED OCC_REQUEST");
2090
occ_op = OCC_REPLY;
2091
break;
2092
2093
case OCC_MTU_REQUEST:
2094
msg (D_PACKET_CONTENT, "RECEIVED OCC_MTU_REQUEST");
2095
occ_op = OCC_MTU_REPLY;
2096
break;
2097
2098
case OCC_MTU_LOAD_REQUEST:
2099
msg (D_PACKET_CONTENT, "RECEIVED OCC_MTU_LOAD_REQUEST");
2100
occ_mtu_load_size = buf_read_u16 (&buf);
2101
if (occ_mtu_load_size >= 0)
2102
occ_op = OCC_MTU_LOAD;
2103
break;
2104
2105
case OCC_REPLY:
2106
msg (D_PACKET_CONTENT, "RECEIVED OCC_REPLY");
2107
if (options->occ && !TLS_MODE && options_string_remote)
2108
{
2109
if (!options_cmp_equal (BPTR (&buf),
2110
options_string_remote,
2111
buf.len))
2112
{
2113
options_warning (BPTR (&buf),
2114
options_string_remote,
2115
buf.len);
2116
}
2117
}
2118
event_timeout_clear (&occ_interval);
2119
break;
2120
2121
case OCC_MTU_REPLY:
2122
msg (D_PACKET_CONTENT, "RECEIVED OCC_MTU_REPLY");
2123
max_recv_size_remote = buf_read_u16 (&buf);
2124
max_send_size_remote = buf_read_u16 (&buf);
2125
if (options->mtu_test
2126
&& max_recv_size_remote > 0
2127
&& max_send_size_remote > 0)
2128
{
2129
msg (M_INFO, "NOTE: Empirical MTU test completed [Tried,Actual] local->remote=[%d,%d] remote->local=[%d,%d]",
2130
max_send_size_local,
2131
max_recv_size_remote,
2132
max_send_size_remote,
2133
max_recv_size_local);
2134
if (!options->mssfix_defined
2135
#ifdef FRAGMENT_ENABLE
2136
&& !options->fragment
2137
#endif
2138
&& options->proto == PROTO_UDPv4
2139
&& max_send_size_local > TUN_MTU_MIN
2140
&& (max_recv_size_remote < max_send_size_local
2141
|| max_recv_size_local < max_send_size_remote))
2142
msg (M_INFO, "NOTE: This connection is unable to accomodate a UDP packet size of %d. Consider using --fragment or --mssfix options as a workaround.",
2143
max_send_size_local);
2144
}
2145
event_timeout_clear (&occ_mtu_load_test_interval);
2146
break;
2147
}
2148
buf.len = 0; /* don't pass packet on */
2149
}
2150
2151
to_tun = buf;
2152
}
2153
else
2154
{
2155
to_tun = nullbuf;
2156
}
2157
}
2158
2159
#if defined(USE_CRYPTO) && defined(USE_SSL) && defined(USE_PTHREAD)
2160
/* Incoming data from TLS background thread */
2161
else if (TLS_THREAD_SOCKET_ISSET (thread_parms, reads))
2162
{
2163
int s;
2164
ASSERT (!to_link.len);
2165
2166
s = tls_thread_rec_buf (&thread_parms, &tt_ret, true);
2167
if (s == 1)
2168
{
2169
/*
2170
* TLS background thread has a control channel
2171
* packet to send to remote.
2172
*/
2173
to_link = tt_ret.to_link;
2174
to_link_addr = tt_ret.to_link_addr;
2175
2176
/* tell TCP/UDP packet writer to free buffer after write */
2177
free_to_link = true;
2178
}
2179
2180
/* remote died? */
2181
else if (s == -1)
2182
{
2183
msg (M_WARN, "TLS thread is not responding, exiting (2)");
2184
signal_received = 0;
2185
signal_text = "error";
2186
break;
2187
}
2188
}
2189
#endif
2190
2191
/* Incoming data on TUN device */
2192
else if (TUNTAP_ISSET (tuntap, reads))
2193
{
2194
/*
2195
* Setup for read() call on TUN/TAP device.
2196
*/
2197
ASSERT (!to_link.len);
2198
buf = read_tun_buf;
2199
2200
#ifdef TUN_PASS_BUFFER
2201
read_tun_buffered (tuntap, &buf, MAX_RW_SIZE_TUN (&frame));
2202
#else
2203
ASSERT (buf_init (&buf, FRAME_HEADROOM (&frame)));
2204
ASSERT (buf_safe (&buf, MAX_RW_SIZE_TUN (&frame)));
2205
buf.len = read_tun (tuntap, BPTR (&buf), MAX_RW_SIZE_TUN (&frame));
2206
#endif
2207
2208
if (buf.len > 0)
2209
tun_read_bytes += buf.len;
2210
2211
/* Was TUN/TAP interface stopped? */
2212
if (tuntap_stop (buf.len))
2213
{
2214
signal_received = SIGTERM;
2215
signal_text = "tun-stop";
2216
msg (M_INFO, "TUN/TAP interface has been stopped, exiting");
2217
break;
2218
}
2219
2220
/* Check the status return from read() */
2221
check_status (buf.len, "read from TUN/TAP", NULL, tuntap);
2222
2223
#ifdef LOG_RW
2224
if (log_rw)
2225
fprintf (stderr, "r");
2226
#endif
2227
2228
/* Show packet content */
2229
msg (D_TUN_RW, "TUN READ [%d]: %s md5=%s",
2230
BLEN (&buf),
2231
format_hex (BPTR (&buf), BLEN (&buf), 80),
2232
MD5SUM (BPTR (&buf), BLEN (&buf)));
2233
2234
if (buf.len > 0)
2235
{
2236
/*
2237
* The --passtos and --mssfix options require
2238
* us to examine the IPv4 header.
2239
*/
2240
if (options->mssfix_defined
2241
#if PASSTOS_CAPABILITY
2242
|| options->passtos
2243
#endif
2244
)
2245
{
2246
struct buffer ipbuf = buf;
2247
if (is_ipv4 (tuntap->type, &ipbuf))
2248
{
2249
#if PASSTOS_CAPABILITY
2250
/* extract TOS from IP header */
2251
if (options->passtos)
2252
{
2253
struct openvpn_iphdr *iph =
2254
(struct openvpn_iphdr *) BPTR (&ipbuf);
2255
ptos = iph->tos;
2256
ptos_defined = true;
2257
}
2258
#endif
2259
2260
/* possibly alter the TCP MSS */
2261
if (options->mssfix_defined)
2262
mss_fixup (&ipbuf, MTU_TO_MSS (TUN_MTU_SIZE_DYNAMIC (&frame)));
2263
}
2264
}
2265
# include "encrypt_sign.h"
2266
}
2267
else
2268
{
2269
to_link = nullbuf;
2270
free_to_link = false;
2271
}
2272
}
2273
2274
/* TUN device ready to accept write */
2275
else if (TUNTAP_ISSET (tuntap, writes))
2276
{
2277
/*
2278
* Set up for write() call to TUN/TAP
2279
* device.
2280
*/
2281
ASSERT (to_tun.len > 0);
2282
2283
/*
2284
* The --mssfix option requires
2285
* us to examine the IPv4 header.
2286
*/
2287
if (options->mssfix_defined)
2288
{
2289
struct buffer ipbuf = to_tun;
2290
2291
if (is_ipv4 (tuntap->type, &ipbuf))
2292
{
2293
/* possibly alter the TCP MSS */
2294
if (options->mssfix_defined)
2295
mss_fixup (&ipbuf, MTU_TO_MSS (TUN_MTU_SIZE_DYNAMIC (&frame)));
2296
}
2297
}
2298
2299
if (to_tun.len <= MAX_RW_SIZE_TUN(&frame))
2300
{
2301
/*
2302
* Write to TUN/TAP device.
2303
*/
2304
int size;
2305
2306
#ifdef LOG_RW
2307
if (log_rw)
2308
fprintf (stderr, "w");
2309
#endif
2310
msg (D_TUN_RW, "TUN WRITE [%d]: %s md5=%s",
2311
BLEN (&to_tun),
2312
format_hex (BPTR (&to_tun), BLEN (&to_tun), 80),
2313
MD5SUM (BPTR (&to_tun), BLEN (&to_tun)));
2314
2315
#ifdef TUN_PASS_BUFFER
2316
size = write_tun_buffered (tuntap, &to_tun);
2317
#else
2318
size = write_tun (tuntap, BPTR (&to_tun), BLEN (&to_tun));
2319
#endif
2320
2321
if (size > 0)
2322
tun_write_bytes += size;
2323
check_status (size, "write to TUN/TAP", NULL, tuntap);
2324
2325
/* check written packet size */
2326
if (size > 0)
2327
{
2328
/* Did we write a different size packet than we intended? */
2329
if (size != BLEN (&to_tun))
2330
msg (D_LINK_ERRORS,
2331
"TUN/TAP packet was fragmented on write to %s (tried=%d,actual=%d)",
2332
tuntap->actual,
2333
BLEN (&to_tun),
2334
size);
2335
}
2336
}
2337
else
2338
{
2339
/*
2340
* This should never happen, probably indicates some kind
2341
* of MTU mismatch.
2342
*/
2343
msg (D_LINK_ERRORS, "tun packet too large on write (tried=%d,max=%d)",
2344
to_tun.len,
2345
MAX_RW_SIZE_TUN (&frame));
2346
}
2347
2348
/*
2349
* Putting the --inactive timeout reset here, ensures that we will timeout
2350
* if the remote goes away, even if we are trying to send data to the
2351
* remote and failing.
2352
*/
2353
if (options->inactivity_timeout)
2354
event_timeout_reset (&inactivity_interval, current);
2355
2356
to_tun = nullbuf;
2357
}
2358
2359
/* TCP/UDP port ready to accept write */
2360
else if (SOCKET_ISSET (link_socket, writes))
2361
{
2362
if (to_link.len > 0 && to_link.len <= EXPANDED_SIZE (&frame))
2363
{
2364
/*
2365
* Setup for call to send/sendto which will send
2366
* packet to remote over the TCP/UDP port.
2367
*/
2368
int size;
2369
ASSERT (addr_defined (&to_link_addr));
2370
2371
/* In gremlin-test mode, we may choose to drop this packet */
2372
if (!options->gremlin || ask_gremlin())
2373
{
2374
/*
2375
* Let the traffic shaper know how many bytes
2376
* we wrote.
2377
*/
2378
#ifdef HAVE_GETTIMEOFDAY
2379
if (options->shaper)
2380
shaper_wrote_bytes (&shaper, BLEN (&to_link)
2381
+ datagram_overhead (options->proto));
2382
#endif
2383
/*
2384
* Let the pinger know that we sent a packet.
2385
*/
2386
if (options->ping_send_timeout)
2387
event_timeout_reset (&ping_send_interval, current);
2388
2389
#if PASSTOS_CAPABILITY
2390
/* Set TOS */
2391
if (ptos_defined)
2392
setsockopt(link_socket.sd, IPPROTO_IP, IP_TOS, &ptos, sizeof(ptos));
2393
#endif
2394
2395
/* Log packet send */
2396
#ifdef LOG_RW
2397
if (log_rw)
2398
fprintf (stderr, "W");
2399
#endif
2400
msg (D_LINK_RW, "%s WRITE [%d] to %s: %s",
2401
proto2ascii (link_socket.proto, true),
2402
BLEN (&to_link),
2403
print_sockaddr (&to_link_addr),
2404
PROTO_DUMP (&to_link));
2405
2406
/* Send packet */
2407
size = link_socket_write (&link_socket, &to_link, &to_link_addr);
2408
2409
if (size > 0)
2410
{
2411
max_send_size_local = max_int (size, max_send_size_local);
2412
link_write_bytes += size;
2413
}
2414
}
2415
else
2416
size = 0;
2417
2418
/* Check return status */
2419
check_status (size, "write", &link_socket, NULL);
2420
2421
if (size > 0)
2422
{
2423
/* Did we write a different size packet than we intended? */
2424
if (size != BLEN (&to_link))
2425
msg (D_LINK_ERRORS,
2426
"TCP/UDP packet was truncated/expanded on write to %s (tried=%d,actual=%d)",
2427
print_sockaddr (&to_link_addr),
2428
BLEN (&to_link),
2429
size);
2430
}
2431
}
2432
else
2433
{
2434
msg (D_LINK_ERRORS, "TCP/UDP packet too large on write to %s (tried=%d,max=%d)",
2435
print_sockaddr (&to_link_addr),
2436
to_link.len,
2437
EXPANDED_SIZE (&frame));
2438
}
2439
2440
/*
2441
* The free_to_link flag means that we should free the packet buffer
2442
* after send. This flag is usually set when the TLS background
2443
* thread generated the packet buffer.
2444
*/
2445
if (free_to_link)
2446
{
2447
free_to_link = false;
2448
free_buf (&to_link);
2449
}
2450
to_link = nullbuf;
2451
}
2452
}
2453
}
2454
2455
/*
2456
* Do Cleanup
2457
*/
2458
2459
cleanup:
2460
2461
/*
2462
* If xinetd/inetd mode, don't allow restart.
2463
*/
2464
if (options->inetd && (signal_received == SIGHUP || signal_received == SIGUSR1))
2465
{
2466
signal_received = SIGTERM;
2467
msg (M_INFO, PACKAGE_NAME " started by inetd/xinetd cannot restart... Exiting.");
2468
}
2469
2470
if (free_to_link)
2471
free_buf (&to_link);
2472
2473
#if defined(USE_CRYPTO) && defined(USE_SSL) && defined(USE_PTHREAD)
2474
if (thread_opened)
2475
tls_thread_close (&thread_parms);
2476
#endif
2477
2478
free_buf (&read_link_buf);
2479
free_buf (&read_tun_buf);
2480
free_buf (&aux_buf);
2481
2482
#ifdef USE_LZO
2483
if (options->comp_lzo)
2484
{
2485
lzo_compress_uninit (&lzo_compwork);
2486
free_buf (&lzo_compress_buf);
2487
free_buf (&lzo_decompress_buf);
2488
}
2489
#endif
2490
2491
#ifdef USE_CRYPTO
2492
2493
packet_id_free (&packet_id);
2494
2495
free_buf (&encrypt_buf);
2496
free_buf (&decrypt_buf);
2497
2498
#ifdef USE_SSL
2499
if (tls_multi)
2500
tls_multi_free (tls_multi, true);
2501
2502
/* free options compatibility strings */
2503
if (options_string_local)
2504
free (options_string_local);
2505
if (options_string_remote)
2506
free (options_string_remote);
2507
2508
#endif
2509
#endif /* USE_CRYPTO */
2510
2511
/*
2512
* Free key schedules
2513
*/
2514
if ( !(signal_received == SIGUSR1 && options->persist_key) )
2515
key_schedule_free (ks);
2516
2517
/*
2518
* Close TCP/UDP connection
2519
*/
2520
link_socket_close (&link_socket);
2521
if ( !(signal_received == SIGUSR1 && options->persist_remote_ip) )
2522
{
2523
CLEAR (link_socket_addr->remote);
2524
CLEAR (link_socket_addr->actual);
2525
}
2526
if ( !(signal_received == SIGUSR1 && options->persist_local_ip) )
2527
CLEAR (link_socket_addr->local);
2528
2529
/*
2530
* Close TUN/TAP device
2531
*/
2532
if (tuntap_defined (tuntap))
2533
{
2534
if ( !(signal_received == SIGUSR1 && options->persist_tun) )
2535
{
2536
char* tuntap_actual = (char *) gc_malloc (sizeof (tuntap->actual));
2537
strcpy (tuntap_actual, tuntap->actual);
2538
2539
/* delete any routes we added */
2540
delete_routes (route_list);
2541
2542
msg (D_CLOSE, "Closing TUN/TAP device");
2543
close_tun (tuntap);
2544
2545
/* Run the down script -- note that it will run at reduced
2546
privilege if, for example, "--user nobody" was used. */
2547
run_script (options->down_script,
2548
tuntap_actual,
2549
TUN_MTU_SIZE (&frame),
2550
EXPANDED_SIZE (&frame),
2551
print_in_addr_t (tuntap->local, true),
2552
print_in_addr_t (tuntap->remote_netmask, true),
2553
"init",
2554
signal_description (signal_received, signal_text),
2555
"down");
2556
}
2557
else
2558
{
2559
/* run the down script on this restart if --up-restart was specified */
2560
if (options->up_restart)
2561
run_script (options->down_script,
2562
tuntap->actual,
2563
TUN_MTU_SIZE (&frame),
2564
EXPANDED_SIZE (&frame),
2565
print_in_addr_t (tuntap->local, true),
2566
print_in_addr_t (tuntap->remote_netmask, true),
2567
"restart",
2568
signal_description (signal_received, signal_text),
2569
"down");
2570
}
2571
}
2572
2573
/* remove non-parameter environmental vars except for signal */
2574
del_env_nonparm (
2575
#if defined(USE_CRYPTO) && defined(USE_SSL)
2576
get_max_tls_verify_id ()
2577
#else
2578
0
2579
#endif
2580
);
2581
2582
#ifdef USE_CRYPTO
2583
/*
2584
* Close packet-id persistance file
2585
*/
2586
packet_id_persist_save (pid_persist);
2587
if ( !(signal_received == SIGUSR1) )
2588
packet_id_persist_close (pid_persist);
2589
#endif
2590
2591
/*
2592
* Close fragmentation handler.
2593
*/
2594
#ifdef FRAGMENT_ENABLE
2595
if (fragment)
2596
fragment_free (fragment);
2597
#endif
2598
2599
done:
2600
/* pop our garbage collection level */
2601
gc_free_level (gc_level);
2602
2603
/* return the signal that brought us here */
2604
{
2605
const int s = signal_received;
2606
signal_received = 0;
2607
return s;
2608
}
2609
}
2610
2611
int
2612
main (int argc, char *argv[])
2613
{
2614
const int gc_level = gc_new_level ();
2615
bool first_time = true;
2616
int sig;
2617
2618
init_random_seed(); /* init random() function, only used as
2619
source for weak random numbers */
2620
error_reset (); /* initialize error.c */
2621
reset_check_status (); /* initialize status check code in socket.c */
2622
2623
#ifdef PID_TEST
2624
packet_id_interactive_test(); /* test the sequence number code */
2625
goto exit;
2626
#endif
2627
2628
#ifdef WIN32
2629
init_win32 ();
2630
#endif
2631
2632
#ifdef OPENVPN_DEBUG_COMMAND_LINE
2633
{
2634
int i;
2635
for (i = 0; i < argc; ++i)
2636
msg (M_INFO, "argv[%d] = '%s'", i, argv[i]);
2637
}
2638
#endif
2639
2640
del_env_nonparm (0);
2641
2642
/*
2643
* This loop is initially executed on startup and then
2644
* once per SIGHUP.
2645
*/
2646
do {
2647
struct options options;
2648
struct options defaults;
2649
int dev = DEV_TYPE_UNDEF;
2650
2651
init_options (&options);
2652
init_options (&defaults);
2653
2654
/*
2655
* Parse command line options,
2656
* and read configuration file.
2657
*/
2658
parse_argv (&options, argc, argv);
2659
2660
/* set verbosity and mute levels */
2661
set_check_status (D_LINK_ERRORS, D_READ_WRITE);
2662
set_debug_level (options.verbosity);
2663
set_mute_cutoff (options.mute);
2664
2665
/*
2666
* Possibly set --dev based on --dev-node.
2667
* For example, if --dev-node /tmp/foo/tun, and --dev undefined,
2668
* set --dev to tun.
2669
*/
2670
if (!options.dev)
2671
options.dev = dev_component_in_dev_node (options.dev_node);
2672
2673
/*
2674
* OpenSSL info print mode?
2675
*/
2676
#ifdef USE_CRYPTO
2677
if (options.show_ciphers || options.show_digests
2678
#ifdef USE_SSL
2679
|| options.show_tls_ciphers
2680
#endif
2681
)
2682
{
2683
if (first_time)
2684
init_ssl_lib ();
2685
if (options.show_ciphers)
2686
show_available_ciphers ();
2687
if (options.show_digests)
2688
show_available_digests ();
2689
#ifdef USE_SSL
2690
if (options.show_tls_ciphers)
2691
show_available_tls_ciphers ();
2692
#endif
2693
free_ssl_lib ();
2694
goto exit;
2695
}
2696
2697
/*
2698
* Static pre-shared key generation mode?
2699
*/
2700
if (options.genkey)
2701
{
2702
int nbits_written;
2703
2704
notnull (options.shared_secret_file,
2705
"shared secret output file (--secret)");
2706
2707
if (options.mlock) /* should we disable paging? */
2708
do_mlockall(true);
2709
2710
nbits_written = write_key_file (2, options.shared_secret_file);
2711
2712
msg (D_GENKEY|M_NOPREFIX, "Randomly generated %d bit key written to %s",
2713
nbits_written,
2714
options.shared_secret_file);
2715
goto exit;
2716
}
2717
#endif /* USE_CRYPTO */
2718
2719
/*
2720
* Persistent TUN/TAP device management mode?
2721
*/
2722
#ifdef TUNSETPERSIST
2723
if (options.persist_config)
2724
{
2725
/* sanity check on options for --mktun or --rmtun */
2726
notnull (options.dev, "TUN/TAP device (--dev)");
2727
if (options.remote || options.ifconfig_local || options.ifconfig_remote_netmask
2728
#ifdef USE_CRYPTO
2729
|| options.shared_secret_file
2730
#ifdef USE_SSL
2731
|| options.tls_server || options.tls_client
2732
#endif
2733
#endif
2734
)
2735
msg (M_FATAL, "Options error: options --mktun or --rmtun should only be used together with --dev");
2736
tuncfg (options.dev, options.dev_type, options.dev_node,
2737
options.tun_ipv6, options.persist_mode);
2738
goto exit;
2739
}
2740
#endif
2741
2742
/*
2743
* Main OpenVPN block -- tunnel generation mode
2744
*/
2745
{
2746
#ifdef USE_CRYPTO
2747
if (options.test_crypto)
2748
{
2749
notnull (options.shared_secret_file, "key file (--secret)");
2750
}
2751
else
2752
#endif
2753
notnull (options.dev, "TUN/TAP device (--dev)");
2754
2755
/*
2756
* Get tun/tap/null device type
2757
*/
2758
dev = dev_type_enum (options.dev, options.dev_type);
2759
2760
/*
2761
* Sanity check on daemon/inetd modes
2762
*/
2763
2764
if (options.daemon && options.inetd)
2765
msg (M_USAGE, "Options error: only one of --daemon or --inetd may be specified");
2766
2767
if (options.inetd && (options.local || options.remote))
2768
msg (M_USAGE, "Options error: --local or --remote cannot be used with --inetd");
2769
2770
if (options.inetd && options.proto == PROTO_TCPv4_CLIENT)
2771
msg (M_USAGE, "Options error: --proto tcp-client cannot be used with --inetd");
2772
2773
if (options.inetd == INETD_NOWAIT && options.proto != PROTO_TCPv4_SERVER)
2774
msg (M_USAGE, "Options error: --inetd nowait can only be used with --proto tcp-server");
2775
2776
if (options.inetd == INETD_NOWAIT
2777
#if defined(USE_CRYPTO) && defined(USE_SSL)
2778
&& !(options.tls_server || options.tls_client)
2779
#endif
2780
)
2781
msg (M_USAGE, "Options error: --inetd nowait can only be used in TLS mode");
2782
2783
if (options.inetd == INETD_NOWAIT && dev != DEV_TYPE_TAP)
2784
msg (M_USAGE, "Options error: --inetd nowait only makes sense in --dev tap mode");
2785
2786
/*
2787
* In forking TCP server mode, you don't need to ifconfig
2788
* the tap device (the assumption is that it will be bridged).
2789
*/
2790
if (options.inetd == INETD_NOWAIT)
2791
options.ifconfig_noexec = true;
2792
2793
/*
2794
* Sanity check on TCP mode options
2795
*/
2796
2797
if (options.connect_retry_defined && options.proto != PROTO_TCPv4_CLIENT)
2798
msg (M_USAGE, "Options error: --connect-retry doesn't make sense unless also used with --proto tcp-client");
2799
2800
/*
2801
* Sanity check on MTU parameters
2802
*/
2803
if (options.tun_mtu_defined && options.link_mtu_defined)
2804
msg (M_USAGE, "Options error: only one of --tun-mtu or --link-mtu may be defined (note that --ifconfig implies --link-mtu %d)", LINK_MTU_DEFAULT);
2805
2806
if (options.proto != PROTO_UDPv4 && options.mtu_test)
2807
msg (M_USAGE, "Options error: --mtu-test only makes sense with --proto udp");
2808
2809
/*
2810
* Set MTU defaults
2811
*/
2812
{
2813
if (!options.tun_mtu_defined && !options.link_mtu_defined)
2814
{
2815
if ((dev == DEV_TYPE_TAP) || WIN32_0_1)
2816
{
2817
options.tun_mtu_defined = true;
2818
options.tun_mtu = TAP_MTU_DEFAULT;
2819
}
2820
else
2821
{
2822
if (options.ifconfig_local || options.ifconfig_remote_netmask)
2823
options.link_mtu_defined = true;
2824
else
2825
options.tun_mtu_defined = true;
2826
}
2827
}
2828
if ((dev == DEV_TYPE_TAP) && !options.tun_mtu_extra_defined)
2829
{
2830
options.tun_mtu_extra_defined = true;
2831
options.tun_mtu_extra = TAP_MTU_EXTRA_DEFAULT;
2832
}
2833
}
2834
2835
/*
2836
* Sanity check on --local, --remote, and ifconfig
2837
*/
2838
if (string_defined_equal (options.local, options.remote)
2839
&& options.local_port == options.remote_port)
2840
msg (M_USAGE, "Options error: --remote and --local addresses are the same");
2841
2842
if (string_defined_equal (options.local, options.ifconfig_local)
2843
|| string_defined_equal (options.local, options.ifconfig_remote_netmask)
2844
|| string_defined_equal (options.remote, options.ifconfig_local)
2845
|| string_defined_equal (options.remote, options.ifconfig_remote_netmask))
2846
msg (M_USAGE, "Options error: --local and --remote addresses must be distinct from --ifconfig addresses");
2847
2848
if (string_defined_equal (options.ifconfig_local, options.ifconfig_remote_netmask))
2849
msg (M_USAGE, "Options error: local and remote/netmask --ifconfig addresses must be different");
2850
2851
#ifdef WIN32
2852
if (dev == DEV_TYPE_TUN && !(options.ifconfig_local && options.ifconfig_remote_netmask))
2853
msg (M_USAGE, "Options error: On Windows, --ifconfig is required when --dev tun is used");
2854
2855
if ((options.tuntap_options.ip_win32_defined)
2856
&& !(options.ifconfig_local && options.ifconfig_remote_netmask))
2857
msg (M_USAGE, "Options error: On Windows, --ip-win32 doesn't make sense unless --ifconfig is also used");
2858
2859
if (options.tuntap_options.dhcp_options &&
2860
options.tuntap_options.ip_win32_type != IPW32_SET_DHCP_MASQ)
2861
msg (M_USAGE, "Options error: --dhcp-options requires --ip-win32 dynamic");
2862
2863
if (options.tuntap_options.ip_win32_type == IPW32_SET_DHCP_MASQ
2864
&& !options.route_delay_defined)
2865
{
2866
options.route_delay_defined = true;
2867
options.route_delay = 10;
2868
}
2869
2870
if (options.ifconfig_noexec)
2871
{
2872
options.tuntap_options.ip_win32_type = IPW32_SET_MANUAL;
2873
options.ifconfig_noexec = false;
2874
}
2875
#endif
2876
2877
/*
2878
* Check that protocol options make sense.
2879
*/
2880
2881
#ifdef FRAGMENT_ENABLE
2882
if (options.proto != PROTO_UDPv4 && options.fragment)
2883
msg (M_USAGE, "Options error: --fragment can only be used with --proto udp");
2884
#endif
2885
if (!options.remote && options.proto == PROTO_TCPv4_CLIENT)
2886
msg (M_USAGE, "Options error: --remote MUST be used in TCP Client mode");
2887
2888
if (options.http_proxy_server && options.proto != PROTO_TCPv4_CLIENT)
2889
msg (M_USAGE, "Options error: --http-proxy MUST be used in TCP Client mode (i.e. --proto tcp-client)");
2890
2891
if (options.http_proxy_server && options.socks_proxy_server)
2892
msg (M_USAGE, "Options error: --http-proxy can not be used together with --socks-proxy");
2893
2894
if (options.socks_proxy_server && options.proto == PROTO_TCPv4_SERVER)
2895
msg (M_USAGE, "Options error: --socks-proxy can not be used in TCP Server mode");
2896
2897
#ifdef USE_CRYPTO
2898
2899
if (first_time)
2900
init_ssl_lib ();
2901
2902
/*
2903
* Check consistency of replay options
2904
*/
2905
if ((options.proto != PROTO_UDPv4)
2906
&& (options.replay_window != defaults.replay_window
2907
|| options.replay_time != defaults.replay_time))
2908
msg (M_USAGE, "Options error: --replay-window only makes sense with --proto udp");
2909
2910
if (!options.replay
2911
&& (options.replay_window != defaults.replay_window
2912
|| options.replay_time != defaults.replay_time))
2913
msg (M_USAGE, "Options error: --replay-window doesn't make sense when replay protection is disabled with --no-replay");
2914
2915
/* Don't use replay window for TCP mode (i.e. require that packets
2916
be strictly in sequence). */
2917
if (link_socket_proto_connection_oriented (options.proto))
2918
options.replay_window = options.replay_time = 0;
2919
2920
#ifdef USE_SSL
2921
if (options.tls_server + options.tls_client +
2922
(options.shared_secret_file != NULL) > 1)
2923
msg (M_USAGE, "specify only one of --tls-server, --tls-client, or --secret");
2924
2925
if (options.tls_server)
2926
{
2927
notnull (options.dh_file, "DH file (--dh)");
2928
}
2929
if (options.tls_server || options.tls_client)
2930
{
2931
notnull (options.ca_file, "CA file (--ca)");
2932
notnull (options.cert_file, "certificate file (--cert)");
2933
notnull (options.priv_key_file, "private key file (--key)");
2934
if (first_time && options.askpass)
2935
pem_password_callback (NULL, 0, 0, NULL);
2936
}
2937
else
2938
{
2939
/*
2940
* Make sure user doesn't specify any TLS options
2941
* when in non-TLS mode.
2942
*/
2943
2944
#define MUST_BE_UNDEF(parm) if (options.parm != defaults.parm) msg (M_USAGE, err, #parm);
2945
2946
const char err[] = "Parameter %s can only be specified in TLS-mode, i.e. where --tls-server or --tls-client is also specified.";
2947
2948
MUST_BE_UNDEF (ca_file);
2949
MUST_BE_UNDEF (dh_file);
2950
MUST_BE_UNDEF (cert_file);
2951
MUST_BE_UNDEF (priv_key_file);
2952
MUST_BE_UNDEF (cipher_list);
2953
MUST_BE_UNDEF (tls_verify);
2954
MUST_BE_UNDEF (tls_remote);
2955
MUST_BE_UNDEF (tls_timeout);
2956
MUST_BE_UNDEF (renegotiate_bytes);
2957
MUST_BE_UNDEF (renegotiate_packets);
2958
MUST_BE_UNDEF (renegotiate_seconds);
2959
MUST_BE_UNDEF (handshake_window);
2960
MUST_BE_UNDEF (transition_window);
2961
MUST_BE_UNDEF (tls_auth_file);
2962
MUST_BE_UNDEF (single_session);
2963
MUST_BE_UNDEF (crl_file);
2964
MUST_BE_UNDEF (key_method);
2965
}
2966
#undef MUST_BE_UNDEF
2967
#endif /* USE_CRYPTO */
2968
#endif /* USE_SSL */
2969
2970
/* Become a daemon if requested */
2971
possibly_become_daemon (0, &options, first_time);
2972
2973
/* show all option settings */
2974
show_settings (&options);
2975
2976
/* set certain options as environmental variables */
2977
setenv_settings (&options);
2978
2979
#ifdef WIN32
2980
/* put a title on the top window bar */
2981
generate_window_title (options.config ? options.config : "");
2982
#endif
2983
2984
/* Do Work */
2985
{
2986
/* these objects are potentially persistent across SIGUSR1 resets */
2987
struct link_socket_addr usa;
2988
struct key_schedule ks;
2989
struct tuntap tuntap;
2990
struct packet_id_persist pid_persist;
2991
struct route_list route_list;
2992
struct http_proxy_info http_proxy;
2993
struct socks_proxy_info socks_proxy;
2994
2995
/* print version number */
2996
msg (M_INFO, "%s", title_string);
2997
2998
CLEAR (usa);
2999
CLEAR (ks);
3000
clear_tuntap (&tuntap);
3001
packet_id_persist_init (&pid_persist);
3002
clear_route_list (&route_list);
3003
CLEAR (http_proxy);
3004
CLEAR (socks_proxy);
3005
if (options.http_proxy_server)
3006
{
3007
init_http_proxy (&http_proxy,
3008
options.http_proxy_server,
3009
options.http_proxy_port,
3010
options.http_proxy_retry,
3011
options.http_proxy_auth_method,
3012
options.http_proxy_auth_file);
3013
}
3014
3015
if (options.socks_proxy_server)
3016
{
3017
init_socks_proxy (&socks_proxy,
3018
options.socks_proxy_server,
3019
options.socks_proxy_port,
3020
options.socks_proxy_retry);
3021
}
3022
3023
do {
3024
sig = openvpn (&options, &usa, &tuntap, &ks, &pid_persist, &route_list, &http_proxy, &socks_proxy, first_time);
3025
first_time = false;
3026
} while (sig == SIGUSR1);
3027
}
3028
}
3029
gc_collect (gc_level);
3030
close_syslog ();
3031
} while (sig == SIGHUP);
3032
3033
thread_cleanup();
3034
3035
#ifdef USE_CRYPTO
3036
free_ssl_lib ();
3037
#endif
3038
3039
exit:
3040
3041
#if defined(MEASURE_TLS_HANDSHAKE_STATS) && defined(USE_CRYPTO) && defined(USE_SSL)
3042
show_tls_performance_stats();
3043
#endif
3044
3045
/* pop our garbage collection level */
3046
gc_free_level (gc_level);
3047
3048
openvpn_exit (OPENVPN_EXIT_STATUS_GOOD); /* exit point */
3049
return 0; /* NOTREACHED */
3050
}
3051
3052
/*
3053
* Basic threading test.
3054
*/
3055
#if defined(USE_PTHREAD) && defined(USE_CRYPTO)
3056
static void*
3057
test_crypto_thread (void *arg)
3058
{
3059
struct link_socket_addr usa;
3060
struct tuntap tuntap;
3061
struct key_schedule ks;
3062
struct packet_id_persist pid_persist;
3063
struct route_list route_list;
3064
struct http_proxy_info http_proxy;
3065
struct socks_proxy_info socks_proxy;
3066
const struct options *opt = (struct options*) arg;
3067
3068
/* print version number */
3069
msg (M_INFO, "%s", title_string);
3070
3071
set_nice (opt->nice_work);
3072
CLEAR (usa);
3073
CLEAR (ks);
3074
clear_tuntap (&tuntap);
3075
packet_id_persist_init (&pid_persist);
3076
clear_route_list (&route_list);
3077
CLEAR (http_proxy);
3078
CLEAR (socks_proxy);
3079
openvpn (opt, &usa, &tuntap, &ks, &pid_persist, &route_list, &http_proxy, &socks_proxy, false);
3080
return NULL;
3081
}
3082
#endif
Loggerhead is a web-based interface for Breezy
Version: 2.0.1