~ubuntu-branches/ubuntu/utopic/openvpn/utopic-proposed

Viewing changes to .pc/accommodate_typo.patch/occ.c

Committer: Package Import Robot
Author(s): Stéphane Graber
Date: 2012-02-25 21:08:48 UTC
mfrom: (10.2.18 sid)
Revision ID: package-import@ubuntu.com-20120225210848-s4tqi61yt6pp9rbf

Tags: 2.2.1-5ubuntu1

* Merge from Debian unstable. Remaining changes: (LP: #907828)
  + debian/openvpn.init.d:
    - Do not use start-stop-daemon and </dev/null to avoid blocking boot.
    - Show per-VPN result messages.
    - Add "--script-security 2" by default for backwards compatabliity.
  + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc()

files added:
.pc/accommodate_typo.patch

.pc/accommodate_typo.patch/occ.c

.pc/manpage_fixes.patch

.pc/manpage_fixes.patch/openvpn.8

debian/patches/accommodate_typo.patch

debian/patches/manpage_fixes.patch

files modified:
.pc/applied-patches

debian/README.Debian

debian/changelog

debian/control

debian/default

debian/openvpn.init.d

debian/patches/series

debian/po/ca.po

debian/po/cs.po

debian/po/da.po

debian/po/de.po

debian/po/es.po

debian/po/eu.po

debian/po/fi.po

debian/po/fr.po

debian/po/gl.po

debian/po/it.po

debian/po/ja.po

debian/po/nb.po

debian/po/nl.po

debian/po/pt.po

debian/po/pt_BR.po

debian/po/ru.po

debian/po/sv.po

debian/po/templates.pot

debian/po/vi.po

debian/rules

occ.c

openvpn.8

Show diffs side-by-side

added added

removed removed

.pc/accommodate_typo.patch/occ.c

* OpenVPN -- An application to securely tunnel IP networks

* over a single TCP/UDP port, with support for SSL/TLS-based

* session authentication and key exchange,

* packet encryption, packet authentication, and

* packet compression.

* This program is free software; you can redistribute it and/or modify

* it under the terms of the GNU General Public License version 2

* as published by the Free Software Foundation.

* This program is distributed in the hope that it will be useful,

* but WITHOUT ANY WARRANTY; without even the implied warranty of

* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

* GNU General Public License for more details.

* You should have received a copy of the GNU General Public License

* along with this program (see the file COPYING included with this

* distribution); if not, write to the Free Software Foundation, Inc.,

* 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

#include "syshead.h"

#ifdef ENABLE_OCC

#include "occ.h"

#include "memdbg.h"

#include "forward-inline.h"

#include "occ-inline.h"

* This random string identifies an OpenVPN

* Configuration Control packet.

* It should be of sufficient length and randomness

* so as not to collide with other tunnel data.

* The OCC protocol is as follows:

* occ_magic -- (16 octets)

* type [OCC_REQUEST | OCC_REPLY] (1 octet)

* null terminated options string if OCC_REPLY (variable)

* When encryption is used, the OCC packet

* is encapsulated within the encrypted

* envelope.

* OCC_STRING_SIZE must be set to sizeof (occ_magic)

const uint8_t occ_magic[] = {

0x28, 0x7f, 0x34, 0x6b, 0xd4, 0xef, 0x7a, 0x81,

0x2d, 0x56, 0xb8, 0xd3, 0xaf, 0xc5, 0x45, 0x9c

};

static const struct mtu_load_test mtu_load_test_sequence[] = {

{OCC_MTU_LOAD_REQUEST, -1000},

{OCC_MTU_LOAD, -1000},

{OCC_MTU_LOAD_REQUEST, -1000},

{OCC_MTU_LOAD, -1000},

{OCC_MTU_LOAD_REQUEST, -1000},

{OCC_MTU_LOAD, -1000},

{OCC_MTU_LOAD_REQUEST, -750},

{OCC_MTU_LOAD, -750},

{OCC_MTU_LOAD_REQUEST, -750},

{OCC_MTU_LOAD, -750},

{OCC_MTU_LOAD_REQUEST, -750},

{OCC_MTU_LOAD, -750},

{OCC_MTU_LOAD_REQUEST, -500},

{OCC_MTU_LOAD, -500},

{OCC_MTU_LOAD_REQUEST, -500},

{OCC_MTU_LOAD, -500},

{OCC_MTU_LOAD_REQUEST, -500},

{OCC_MTU_LOAD, -500},

{OCC_MTU_LOAD_REQUEST, -400},

{OCC_MTU_LOAD, -400},

{OCC_MTU_LOAD_REQUEST, -400},

{OCC_MTU_LOAD, -400},

{OCC_MTU_LOAD_REQUEST, -400},

{OCC_MTU_LOAD, -400},

{OCC_MTU_LOAD_REQUEST, -300},

{OCC_MTU_LOAD, -300},

{OCC_MTU_LOAD_REQUEST, -300},

{OCC_MTU_LOAD, -300},

{OCC_MTU_LOAD_REQUEST, -300},

{OCC_MTU_LOAD, -300},

{OCC_MTU_LOAD_REQUEST, -200},

{OCC_MTU_LOAD, -200},

100

{OCC_MTU_LOAD_REQUEST, -200},

101

{OCC_MTU_LOAD, -200},

102

{OCC_MTU_LOAD_REQUEST, -200},

103

{OCC_MTU_LOAD, -200},

104

105

{OCC_MTU_LOAD_REQUEST, -150},

106

{OCC_MTU_LOAD, -150},

107

{OCC_MTU_LOAD_REQUEST, -150},

108

{OCC_MTU_LOAD, -150},

109

{OCC_MTU_LOAD_REQUEST, -150},

110

{OCC_MTU_LOAD, -150},

111

112

{OCC_MTU_LOAD_REQUEST, -100},

113

{OCC_MTU_LOAD, -100},

114

{OCC_MTU_LOAD_REQUEST, -100},

115

{OCC_MTU_LOAD, -100},

116

{OCC_MTU_LOAD_REQUEST, -100},

117

{OCC_MTU_LOAD, -100},

118

119

{OCC_MTU_LOAD_REQUEST, -50},

120

{OCC_MTU_LOAD, -50},

121

{OCC_MTU_LOAD_REQUEST, -50},

122

{OCC_MTU_LOAD, -50},

123

{OCC_MTU_LOAD_REQUEST, -50},

124

{OCC_MTU_LOAD, -50},

125

126

{OCC_MTU_LOAD_REQUEST, 0},

127

{OCC_MTU_LOAD, 0},

128

{OCC_MTU_LOAD_REQUEST, 0},

129

{OCC_MTU_LOAD, 0},

130

{OCC_MTU_LOAD_REQUEST, 0},

131

{OCC_MTU_LOAD, 0},

132

133

{OCC_MTU_REQUEST, 0},

134

{OCC_MTU_REQUEST, 0},

135

{OCC_MTU_REQUEST, 0},

136

{OCC_MTU_REQUEST, 0},

137

{OCC_MTU_REQUEST, 0},

138

{OCC_MTU_REQUEST, 0},

139

{OCC_MTU_REQUEST, 0},

140

{OCC_MTU_REQUEST, 0},

141

{OCC_MTU_REQUEST, 0},

142

{OCC_MTU_REQUEST, 0},

143

144

{-1, 0}

145

};

146

147

void

148

check_send_occ_req_dowork (struct context *c)

149

{

150

if (++c->c2.occ_n_tries >= OCC_N_TRIES)

151

{

152

if (c->options.ce.remote)

153

154

* No OCC_REPLY from peer after repeated attempts.

155

* Give up.

156

157

msg (D_SHOW_OCC,

158

"NOTE: failed to obtain options consistency info from peer -- "

159

"this could occur if the remote peer is running a version of "

160

PACKAGE_NAME

161

" before 1.5-beta8 or if there is a network connectivity problem, and will not necessarily prevent "

162

PACKAGE_NAME

163

" from running (" counter_format " bytes received from peer, " counter_format

164

" bytes authenticated data channel traffic) -- you can disable the options consistency "

165

"check with --disable-occ.",

166

c->c2.link_read_bytes,

167

c->c2.link_read_bytes_auth);

168

event_timeout_clear (&c->c2.occ_interval);

169

}

170

else

171

{

172

c->c2.occ_op = OCC_REQUEST;

173

174

175

* If we don't hear back from peer, send another

176

* OCC_REQUEST in OCC_INTERVAL_SECONDS.

177

178

event_timeout_reset (&c->c2.occ_interval);

179

}

180

}

181

182

void

183

check_send_occ_load_test_dowork (struct context *c)

184

{

185

if (CONNECTION_ESTABLISHED (c))

186

{

187

const struct mtu_load_test *entry;

188

189

if (!c->c2.occ_mtu_load_n_tries)

190

msg (M_INFO,

191

"NOTE: Beginning empirical MTU test -- results should be available in 3 to 4 minutes.");

192

193

entry = &mtu_load_test_sequence[c->c2.occ_mtu_load_n_tries++];

194

if (entry->op >= 0)

195

{

196

c->c2.occ_op = entry->op;

197

c->c2.occ_mtu_load_size =

198

EXPANDED_SIZE (&c->c2.frame) + entry->delta;

199

}

200

else

201

{

202

msg (M_INFO,

203

"NOTE: failed to empirically measure MTU (requires " PACKAGE_NAME " 1.5 or higher at other end of connection).");

204

event_timeout_clear (&c->c2.occ_mtu_load_test_interval);

205

c->c2.occ_mtu_load_n_tries = 0;

206

}

207

}

208

}

209

210

void

211

check_send_occ_msg_dowork (struct context *c)

212

{

213

bool doit = false;

214

215

c->c2.buf = c->c2.buffers->aux_buf;

216

ASSERT (buf_init (&c->c2.buf, FRAME_HEADROOM (&c->c2.frame)));

217

ASSERT (buf_safe (&c->c2.buf, MAX_RW_SIZE_TUN (&c->c2.frame)));

218

ASSERT (buf_write (&c->c2.buf, occ_magic, OCC_STRING_SIZE));

219

220

switch (c->c2.occ_op)

221

{

222

case OCC_REQUEST:

223

if (!buf_write_u8 (&c->c2.buf, OCC_REQUEST))

224

break;

225

dmsg (D_PACKET_CONTENT, "SENT OCC_REQUEST");

226

doit = true;

227

break;

228

229

case OCC_REPLY:

230

if (!c->c2.options_string_local)

231

break;

232

if (!buf_write_u8 (&c->c2.buf, OCC_REPLY))

233

break;

234

if (!buf_write (&c->c2.buf, c->c2.options_string_local,

235

strlen (c->c2.options_string_local) + 1))

236

break;

237

dmsg (D_PACKET_CONTENT, "SENT OCC_REPLY");

238

doit = true;

239

break;

240

241

case OCC_MTU_REQUEST:

242

if (!buf_write_u8 (&c->c2.buf, OCC_MTU_REQUEST))

243

break;

244

dmsg (D_PACKET_CONTENT, "SENT OCC_MTU_REQUEST");

245

doit = true;

246

break;

247

248

case OCC_MTU_REPLY:

249

if (!buf_write_u8 (&c->c2.buf, OCC_MTU_REPLY))

250

break;

251

if (!buf_write_u16 (&c->c2.buf, c->c2.max_recv_size_local))

252

break;

253

if (!buf_write_u16 (&c->c2.buf, c->c2.max_send_size_local))

254

break;

255

dmsg (D_PACKET_CONTENT, "SENT OCC_MTU_REPLY");

256

doit = true;

257

break;

258

259

case OCC_MTU_LOAD_REQUEST:

260

if (!buf_write_u8 (&c->c2.buf, OCC_MTU_LOAD_REQUEST))

261

break;

262

if (!buf_write_u16 (&c->c2.buf, c->c2.occ_mtu_load_size))

263

break;

264

dmsg (D_PACKET_CONTENT, "SENT OCC_MTU_LOAD_REQUEST");

265

doit = true;

266

break;

267

268

case OCC_MTU_LOAD:

269

{

270

int need_to_add;

271

272

if (!buf_write_u8 (&c->c2.buf, OCC_MTU_LOAD))

273

break;

274

need_to_add = min_int (c->c2.occ_mtu_load_size, EXPANDED_SIZE (&c->c2.frame))

275

- OCC_STRING_SIZE

276

- sizeof (uint8_t)

277

- EXTRA_FRAME (&c->c2.frame);

278

279

while (need_to_add > 0)

280

{

281

282

* Fill the load test packet with pseudo-random bytes.

283

284

if (!buf_write_u8 (&c->c2.buf, get_random () & 0xFF))

285

break;

286

--need_to_add;

287

}

288

dmsg (D_PACKET_CONTENT, "SENT OCC_MTU_LOAD min_int(%d-%d-%d-%d,%d) size=%d",

289

c->c2.occ_mtu_load_size,

290

OCC_STRING_SIZE,

291

(int) sizeof (uint8_t),

292

EXTRA_FRAME (&c->c2.frame),

293

MAX_RW_SIZE_TUN (&c->c2.frame),

294

BLEN (&c->c2.buf));

295

doit = true;

296

}

297

break;

298

299

case OCC_EXIT:

300

if (!buf_write_u8 (&c->c2.buf, OCC_EXIT))

301

break;

302

dmsg (D_PACKET_CONTENT, "SENT OCC_EXIT");

303

doit = true;

304

break;

305

}

306

307

if (doit)

308

{

309

310

* We will treat the packet like any other outgoing packet,

311

* compress, encrypt, sign, etc.

312

313

encrypt_sign (c, true);

314

}

315

316

c->c2.occ_op = -1;

317

}

318

319

void

320

process_received_occ_msg (struct context *c)

321

{

322

ASSERT (buf_advance (&c->c2.buf, OCC_STRING_SIZE));

323

switch (buf_read_u8 (&c->c2.buf))

324

{

325

case OCC_REQUEST:

326

dmsg (D_PACKET_CONTENT, "RECEIVED OCC_REQUEST");

327

c->c2.occ_op = OCC_REPLY;

328

break;

329

330

case OCC_MTU_REQUEST:

331

dmsg (D_PACKET_CONTENT, "RECEIVED OCC_MTU_REQUEST");

332

c->c2.occ_op = OCC_MTU_REPLY;

333

break;

334

335

case OCC_MTU_LOAD_REQUEST:

336

dmsg (D_PACKET_CONTENT, "RECEIVED OCC_MTU_LOAD_REQUEST");

337

c->c2.occ_mtu_load_size = buf_read_u16 (&c->c2.buf);

338

if (c->c2.occ_mtu_load_size >= 0)

339

c->c2.occ_op = OCC_MTU_LOAD;

340

break;

341

342

case OCC_REPLY:

343

dmsg (D_PACKET_CONTENT, "RECEIVED OCC_REPLY");

344

if (c->options.occ && !TLS_MODE (c) && c->c2.options_string_remote)

345

{

346

if (!options_cmp_equal_safe ((char *) BPTR (&c->c2.buf),

347

c->c2.options_string_remote,

348

c->c2.buf.len))

349

{

350

options_warning_safe ((char *) BPTR (&c->c2.buf),

351

c->c2.options_string_remote,

352

c->c2.buf.len);

353

}

354

}

355

event_timeout_clear (&c->c2.occ_interval);

356

break;

357

358

case OCC_MTU_REPLY:

359

dmsg (D_PACKET_CONTENT, "RECEIVED OCC_MTU_REPLY");

360

c->c2.max_recv_size_remote = buf_read_u16 (&c->c2.buf);

361

c->c2.max_send_size_remote = buf_read_u16 (&c->c2.buf);

362

if (c->options.mtu_test

363

&& c->c2.max_recv_size_remote > 0

364

&& c->c2.max_send_size_remote > 0)

365

{

366

msg (M_INFO, "NOTE: Empirical MTU test completed [Tried,Actual] local->remote=[%d,%d] remote->local=[%d,%d]",

367

c->c2.max_send_size_local,

368

c->c2.max_recv_size_remote,

369

c->c2.max_send_size_remote,

370

c->c2.max_recv_size_local);

371

if (!c->options.fragment

372

&& (proto_is_dgram(c->options.ce.proto))

373

&& c->c2.max_send_size_local > TUN_MTU_MIN

374

&& (c->c2.max_recv_size_remote < c->c2.max_send_size_local

375

|| c->c2.max_recv_size_local < c->c2.max_send_size_remote))

376

msg (M_INFO, "NOTE: This connection is unable to accomodate a UDP packet size of %d. Consider using --fragment or --mssfix options as a workaround.",

377

c->c2.max_send_size_local);

378

}

379

event_timeout_clear (&c->c2.occ_mtu_load_test_interval);

380

break;

381

382

case OCC_EXIT:

383

dmsg (D_PACKET_CONTENT, "RECEIVED OCC_EXIT");

384

c->sig->signal_received = SIGTERM;

385

c->sig->signal_text = "remote-exit";

386

break;

387

}

388

c->c2.buf.len = 0; /* don't pass packet on */

389

}

390

391

#else

392

static void dummy(void) {}

393

#endif

Older »