1/* 2 * OpenVPN -- An application to securely tunnel IP networks 3 * over a single TCP/UDP port, with support for SSL/TLS-based 4 * session authentication and key exchange, 5 * packet encryption, packet authentication, and 6 * packet compression. 7 * 8 * Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net> 9 * 10 * This program is free software; you can redistribute it and/or modify 11 * it under the terms of the GNU General Public License version 2 12 * as published by the Free Software Foundation. 13 * 14 * This program is distributed in the hope that it will be useful, 15 * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 * GNU General Public License for more details. 18 * 19 * You should have received a copy of the GNU General Public License 20 * along with this program (see the file COPYING included with this 21 * distribution); if not, write to the Free Software Foundation, Inc., 22 * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 23 */ 24 25#ifdef HAVE_CONFIG_H 26#include "config.h" 27#elif defined(_MSC_VER) 28#include "config-msvc.h" 29#endif 30 31#include "syshead.h" 32 33#include "forward.h" 34#include "init.h" 35#include "push.h" 36#include "gremlin.h" 37#include "mss.h" 38#include "event.h" 39#include "ps.h" 40#include "dhcp.h" 41#include "common.h" 42 43#include "memdbg.h" 44 45#include "forward-inline.h" 46#include "occ-inline.h" 47#include "ping-inline.h" 48#include "mstats.h" 49 50#include <acosNvramConfig.h> 51 52 53counter_type link_read_bytes_global; /* GLOBAL */ 54counter_type link_write_bytes_global; /* GLOBAL */ 55 56#define IPcountry_lookup "/tmp/IPcountry_lookup" 57#define Route_country_lookup "/tmp/Router_country_lookup" 58 59int 60route_country_lookup(void) 61{ 62 char buff[256],debug[1024]; 63 FILE *fp; 64 65 //sprintf(buff,"/usr/bin/geoiplookup -f /usr/share/GeoIP/GeoIP.dat %s >> /tmp/IPcountry_lookup",IPfrom); 66 sprintf(buff,"wget \"http://www.speedtest.net/api/country\" -O /tmp/Router_country_lookup"); 67 68 sprintf(debug,"echo '##########%s(%d)buff=%s' > /dev/console",__func__,__LINE__,buff); 69 //system(debug); 70 71 system(buff); 72 sleep(5); 73 74 fp = fopen(Route_country_lookup, "r"); 75 if (fp) 76 { 77 fgets(buff, sizeof(buff), fp); 78 if(strcmp(buff,"") == 0){ 79 sprintf(debug,"echo '[OpenVPN]route_country_lookup() failed' > /dev/console"); 80 system(debug); 81 } 82 83 //sprintf(debug,"echo '##########ip_country_lookup() %s' > /dev/console",buff); 84 //system(debug); 85 fclose(fp); 86 }else{ 87 sprintf(debug,"echo '[OpenVPN]route_country_lookup() connection failed' > /dev/console"); 88 system(debug); 89 } 90 91 if(strstr(buff,"US") != 0){ 92 //IP address from US 93 return 1; 94 }else if((strstr(buff,"EU") != 0) || (strstr(buff,"FR") != 0) || (strstr(buff,"GB") != 0) || (strstr(buff,"DE") != 0) || (strstr(buff,"IT") != 0)){ 95 //IP address from Europe,France, UK, Germary 96 return 2; 97 } 98 99 //unlink(Route_country_lookup); 100 101 return 0; 102 103 104 105}//allenwen Foxconn 106 107 108int 109ip_country_lookup(char *IPfrom) 110{ 111 char buff[256],debug[1024]; 112 FILE *fp; 113 114 //sprintf(buff,"/usr/bin/geoiplookup -f /usr/share/GeoIP/GeoIP.dat %s >> /tmp/IPcountry_lookup",IPfrom); 115 sprintf(buff,"wget \"http://www.speedtest.net/api/country?ip=%s\" -O /tmp/IPcountry_lookup",IPfrom); 116 117 sprintf(debug,"echo '##########%s(%d)buff=%s' > /dev/console",__func__,__LINE__,buff); 118 //system(debug); 119 120 system(buff); 121 sleep(5); 122 123 fp = fopen(IPcountry_lookup, "r"); 124 if (fp) 125 { 126 fgets(buff, sizeof(buff), fp); 127 if(strcmp(buff,"") == 0){ 128 sprintf(debug,"echo '[OpenVPN]ip_country_lookup() failed' > /dev/console"); 129 system(debug); 130 } 131 132 //sprintf(debug,"echo '##########ip_country_lookup() %s' > /dev/console",buff); 133 //system(debug); 134 fclose(fp); 135 }else{ 136 sprintf(debug,"echo '[OpenVPN]ip_country_lookup() connection failed' > /dev/console"); 137 system(debug); 138 } 139 140 if((strstr(buff,"US") != 0) || (strstr(buff,"CA") != 0)){ 141 //IP address from US 142 return 1; 143 }else if((strstr(buff,"EU") != 0) || (strstr(buff,"FR") != 0) || (strstr(buff,"GB") != 0) || (strstr(buff,"DE") != 0) || (strstr(buff,"IT") != 0)){ 144 //IP address from Europe,France, UK, Germary 145 return 2; 146 } 147 148 //unlink(IPcountry_lookup); 149 150 return 0; 151 152 153 154}//allenwen Foxconn 155 156 157/* show event wait debugging info */ 158 159#ifdef ENABLE_DEBUG 160 161const char * 162wait_status_string (struct context *c, struct gc_arena *gc) 163{ 164 struct buffer out = alloc_buf_gc (64, gc); 165 buf_printf (&out, "I/O WAIT %s|%s|%s|%s %s", 166 tun_stat (c->c1.tuntap, EVENT_READ, gc), 167 tun_stat (c->c1.tuntap, EVENT_WRITE, gc), 168 socket_stat (c->c2.link_socket, EVENT_READ, gc), 169 socket_stat (c->c2.link_socket, EVENT_WRITE, gc), 170 tv_string (&c->c2.timeval, gc)); 171 return BSTR (&out); 172} 173 174void 175show_wait_status (struct context *c) 176{ 177 struct gc_arena gc = gc_new (); 178 dmsg (D_EVENT_WAIT, "%s", wait_status_string (c, &gc)); 179 gc_free (&gc); 180} 181 182#endif 183 184/* 185 * In TLS mode, let TLS level respond to any control-channel 186 * packets which were received, or prepare any packets for 187 * transmission. 188 * 189 * tmp_int is purely an optimization that allows us to call 190 * tls_multi_process less frequently when there's not much 191 * traffic on the control-channel. 192 * 193 */ 194#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL) 195void 196check_tls_dowork (struct context *c) 197{ 198 interval_t wakeup = BIG_TIMEOUT; 199 200 if (interval_test (&c->c2.tmp_int)) 201 { 202 const int tmp_status = tls_multi_process 203 (c->c2.tls_multi, &c->c2.to_link, &c->c2.to_link_addr, 204 get_link_socket_info (c), &wakeup); 205 if (tmp_status == TLSMP_ACTIVE) 206 { 207 update_time (); 208 interval_action (&c->c2.tmp_int); 209 } 210 else if (tmp_status == TLSMP_KILL) 211 { 212 register_signal (c, SIGTERM, "auth-control-exit"); 213 } 214 215 interval_future_trigger (&c->c2.tmp_int, wakeup); 216 } 217 218 interval_schedule_wakeup (&c->c2.tmp_int, &wakeup); 219 220 if (wakeup) 221 context_reschedule_sec (c, wakeup); 222} 223#endif 224 225#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL) 226 227void 228check_tls_errors_co (struct context *c) 229{ 230 msg (D_STREAM_ERRORS, "Fatal TLS error (check_tls_errors_co), restarting"); 231 register_signal (c, c->c2.tls_exit_signal, "tls-error"); /* SOFT-SIGUSR1 -- TLS error */ 232} 233 234void 235check_tls_errors_nco (struct context *c) 236{ 237 register_signal (c, c->c2.tls_exit_signal, "tls-error"); /* SOFT-SIGUSR1 -- TLS error */ 238} 239 240#endif 241 242#if P2MP 243 244/* 245 * Handle incoming configuration 246 * messages on the control channel. 247 */ 248void 249check_incoming_control_channel_dowork (struct context *c) 250{ 251 const int len = tls_test_payload_len (c->c2.tls_multi); 252 if (len) 253 { 254 struct gc_arena gc = gc_new (); 255 struct buffer buf = alloc_buf_gc (len, &gc); 256 if (tls_rec_payload (c->c2.tls_multi, &buf)) 257 { 258 /* force null termination of message */ 259 buf_null_terminate (&buf); 260 261 /* enforce character class restrictions */ 262 string_mod (BSTR (&buf), CC_PRINT, CC_CRLF, 0); 263 264 if (buf_string_match_head_str (&buf, "AUTH_FAILED")) 265 receive_auth_failed (c, &buf); 266 else if (buf_string_match_head_str (&buf, "PUSH_")) 267 incoming_push_message (c, &buf); 268 else if (buf_string_match_head_str (&buf, "RESTART")) 269 server_pushed_signal (c, &buf, true, 7); 270 else if (buf_string_match_head_str (&buf, "HALT")) 271 server_pushed_signal (c, &buf, false, 4); 272 else 273 msg (D_PUSH_ERRORS, "WARNING: Received unknown control message: %s", BSTR (&buf)); 274 } 275 else 276 { 277 msg (D_PUSH_ERRORS, "WARNING: Receive control message failed"); 278 } 279 280 gc_free (&gc); 281 } 282} 283 284/* 285 * Periodically resend PUSH_REQUEST until PUSH message received 286 */ 287void 288check_push_request_dowork (struct context *c) 289{ 290 send_push_request (c); 291 292 /* if no response to first push_request, retry at PUSH_REQUEST_INTERVAL second intervals */ 293 event_timeout_modify_wakeup (&c->c2.push_request_interval, PUSH_REQUEST_INTERVAL); 294} 295 296#endif /* P2MP */ 297 298/* 299 * Things that need to happen immediately after connection initiation should go here. 300 */ 301void 302check_connection_established_dowork (struct context *c) 303{ 304 if (event_timeout_trigger (&c->c2.wait_for_connect, &c->c2.timeval, ETT_DEFAULT)) 305 { 306 if (CONNECTION_ESTABLISHED (c)) 307 { 308#if P2MP 309 /* if --pull was specified, send a push request to server */ 310 if (c->c2.tls_multi && c->options.pull) 311 { 312#ifdef ENABLE_MANAGEMENT 313 if (management) 314 { 315 management_set_state (management, 316 OPENVPN_STATE_GET_CONFIG, 317 NULL, 318 0, 319 0); 320 } 321#endif 322 /* send push request in 1 sec */ 323 event_timeout_init (&c->c2.push_request_interval, 1, now); 324 reset_coarse_timers (c); 325 } 326 else 327#endif 328 { 329 do_up (c, false, 0); 330 } 331 332 event_timeout_clear (&c->c2.wait_for_connect); 333 } 334 } 335} 336 337/* 338 * Send a string to remote over the TLS control channel. 339 * Used for push/pull messages, passing username/password, 340 * etc. 341 */ //allenwen Foxconn 342bool 343send_control_channel_string (struct context *c, const char *str, int msglevel) 344{ 345#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL) 346 if (c->c2.tls_multi) { 347 struct gc_arena gc = gc_new (); 348 bool stat; 349 /* Foxconn modify start, Max Ding, 04/19/2014 OpenVPN: support tun and tap at the same time */ 350 //char command[1024]; 351 char tmp[1024]; 352 int ipfrom, route_country; 353 char lanip[64]; 354 char lannetmask[64]; 355 356 //sprintf(command,"echo '##########send_control_channel_string()1 str=%s' > /dev/console",str); 357 //system(command); 358 359 if(strstr(str,"PUSH_REPLY") != 0){ 360 strcpy(lanip,acosNvramConfig_get("lan_ipaddr")); 361 strcpy(lannetmask,acosNvramConfig_get("lan_netmask")); 362 if(strcmp(acosNvramConfig_get("openvpn_redirectGW"),"auto") == 0){ 363 //memset(str, 0, sizeof(str)); 364 365 route_country = route_country_lookup(); 366 367 ipfrom = ip_country_lookup(inet_ntoa (c->c2.to_link_addr->dest.addr.in4.sin_addr)); 368 369 if((ipfrom != route_country) && (route_country == 2)){//NA to Europe 370 //sprintf(str,"PUSH_REPLY,route %s %s %s,route 57.0.0.0 255.0.0.0 %s,route 90.0.0.0 255.128.0.0 %s,route 78.192.0.0 255.192.0.0 %s,route 92.128.0.0 255.192.0.0 %s,route 86.192.0.0 255.192.0.0 %s,route 176.128.0.0 255.192.0.0 %s,route 25.0.0.0 255.0.0.0 %s,route 51.0.0.0 255.0.0.0 %s,route 86.128.0.0 255.192.0.0 %s,route 53.0.0.0 255.0.0.0 %s,route 84.128.0.0 255.192.0.0 %s,route 93.192.0.0 255.192.0.0 %s,route 176.0.0.0 255.192.0.0 %s,route 151.3.0.0 255.128.0.0 %s,route-gateway dhcp,ping 10,ping-restart 120\0",lanip,lannetmask,lanip,lanip,lanip,lanip,lanip,lanip,lanip,lanip,lanip,lanip,lanip,lanip,lanip,lanip,lanip); 371 sprintf(tmp,",route %s %s %s,route 57.0.0.0 255.0.0.0 %s,route 90.0.0.0 255.128.0.0 %s,route 78.192.0.0 255.192.0.0 %s,route 92.128.0.0 255.192.0.0 %s,route 86.192.0.0 255.192.0.0 %s,route 176.128.0.0 255.192.0.0 %s,route 25.0.0.0 255.0.0.0 %s,route 51.0.0.0 255.0.0.0 %s,route 86.128.0.0 255.192.0.0 %s,route 53.0.0.0 255.0.0.0 %s,route 84.128.0.0 255.192.0.0 %s,route 93.192.0.0 255.192.0.0 %s,route 176.0.0.0 255.192.0.0 %s,route 151.3.0.0 255.128.0.0 %s\0", 372 lanip,lannetmask,lanip,lanip,lanip,lanip,lanip,lanip,lanip,lanip,lanip,lanip,lanip,lanip,lanip,lanip,lanip); 373 strcat(str, tmp); 374 }else if((ipfrom != route_country) && (route_country == 1)){//Europe to NA(north american) 375 //sprintf(str,"PUSH_REPLY,route %s %s %s,route 3.0.0.0 255.0.0.0 %s,route 4.0.0.0 255.0.0.0 %s,route 8.0.0.0 255.0.0.0 %s,route 9.0.0.0 255.0.0.0 %s,route 14.0.0.0 255.0.0.0 %s,route 16.0.0.0 255.0.0.0 %s,route 18.0.0.0 255.0.0.0 %s,route 23.0.0.0 255.0.0.0 %s,route 47.128.0.0 255.128.0.0 %s,route 54.0.0.0 255.0.0.0 %s,route 184.0.0.0 255.0.0.0 %s,route 69.0.0.0 255.0.0.0 %s,route 204.245.0.0 255.255.0.0 %s,route 173.224.0.0 255.255.0.0 %s,route-gateway dhcp,ping 10,ping-restart 120\0",lanip,lannetmask,lanip,lanip,lanip,lanip,lanip,lanip,lanip,lanip,lanip,lanip,lanip,lanip,lanip,lanip,lanip); 376 sprintf(tmp,",route %s %s %s,route 3.0.0.0 255.0.0.0 %s,route 4.0.0.0 255.0.0.0 %s,route 8.0.0.0 255.0.0.0 %s,route 9.0.0.0 255.0.0.0 %s,route 14.0.0.0 255.0.0.0 %s,route 16.0.0.0 255.0.0.0 %s,route 18.0.0.0 255.0.0.0 %s,route 23.0.0.0 255.0.0.0 %s,route 47.128.0.0 255.128.0.0 %s,route 54.0.0.0 255.0.0.0 %s,route 184.0.0.0 255.0.0.0 %s,route 69.0.0.0 255.0.0.0 %s,route 204.245.0.0 255.255.0.0 %s,route 173.224.0.0 255.255.0.0 %s\0", 377 lanip,lannetmask,lanip,lanip,lanip,lanip,lanip,lanip,lanip,lanip,lanip,lanip,lanip,lanip,lanip,lanip,lanip); 378 strcat(str, tmp); 379 } 380 else{ 381 // sprintf(str,"PUSH_REPLY,route %s %s %s,route-gateway dhcp,ping 10,ping-restart 120\0",lanip,lannetmask,lanip); 382 sprintf(tmp,",route %s %s %s\0", 383 lanip,lannetmask,lanip); 384 strcat(str, tmp); 385 } 386 387#if 0 388 if(ipfrom == 0){ 389 sprintf(command,"echo '##########ipfrom == 0' > /dev/console"); 390 system(command); 391 } 392 393 if(route_country == 0){ 394 sprintf(command,"echo '##########route_country == 0' > /dev/console"); 395 system(command); 396 } 397#endif 398 399 //sprintf(str,"PUSH_REPLY,route 192.168.1.0 255.255.255.0 192.168.1.1,route 88.0.0.0 255.255.255.0 192.168.1.1,route-gateway dhcp,ping 10,ping-restart 120\0"); 400 //sprintf(command,"echo '##########send_control_channel_string() str=%s' > /dev/console",str); 401 //system(command); 402 }//allenwen 403 else if (strcmp(acosNvramConfig_get("openvpn_redirectGW"),"onlylan") == 0){ 404 sprintf(tmp,",route %s %s %s\0", lanip,lannetmask,lanip); 405 strcat(str, tmp); 406 } 407 } 408 /* Foxconn modify end, Max Ding, 04/19/2014 */ 409 410 411 /* buffered cleartext write onto TLS control channel */ 412 stat = tls_send_payload (c->c2.tls_multi, (uint8_t*) str, strlen (str) + 1); 413 414 /* 415 * Reschedule tls_multi_process. 416 * NOTE: in multi-client mode, usually the below two statements are 417 * insufficient to reschedule the client instance object unless 418 * multi_schedule_context_wakeup(m, mi) is also called. 419 */ 420 interval_action (&c->c2.tmp_int); 421 context_immediate_reschedule (c); /* ZERO-TIMEOUT */ 422 423 msg (msglevel, "SENT CONTROL [%s]: '%s' (status=%d)", 424 tls_common_name (c->c2.tls_multi, false), 425 sanitize_control_message (str, &gc), 426 (int) stat); 427 428 gc_free (&gc); 429 return stat; 430 } 431#endif 432 return true; 433} 434 435/* 436 * Add routes. 437 */ 438 439static void 440check_add_routes_action (struct context *c, const bool errors) 441{ 442 do_route (&c->options, c->c1.route_list, c->c1.route_ipv6_list, 443 c->c1.tuntap, c->plugins, c->c2.es); 444 update_time (); 445 event_timeout_clear (&c->c2.route_wakeup); 446 event_timeout_clear (&c->c2.route_wakeup_expire); 447 initialization_sequence_completed (c, errors ? ISC_ERRORS : 0); /* client/p2p --route-delay was defined */ 448} 449 450void 451check_add_routes_dowork (struct context *c) 452{ 453 if (test_routes (c->c1.route_list, c->c1.tuntap)) 454 { 455 check_add_routes_action (c, false); 456 } 457 else if (event_timeout_trigger (&c->c2.route_wakeup_expire, &c->c2.timeval, ETT_DEFAULT)) 458 { 459 check_add_routes_action (c, true); 460 } 461 else 462 { 463 msg (D_ROUTE, "Route: Waiting for TUN/TAP interface to come up..."); 464 if (c->c1.tuntap) 465 { 466 if (!tun_standby (c->c1.tuntap)) 467 { 468 register_signal (c, SIGHUP, "ip-fail"); 469 c->persist.restart_sleep_seconds = 10; 470#ifdef WIN32 471 show_routes (M_INFO|M_NOPREFIX); 472 show_adapters (M_INFO|M_NOPREFIX); 473#endif 474 } 475 } 476 update_time (); 477 if (c->c2.route_wakeup.n != 1) 478 event_timeout_init (&c->c2.route_wakeup, 1, now); 479 event_timeout_reset (&c->c2.ping_rec_interval); 480 } 481} 482 483/* 484 * Should we exit due to inactivity timeout? 485 */ 486void 487check_inactivity_timeout_dowork (struct context *c) 488{ 489 msg (M_INFO, "Inactivity timeout (--inactive), exiting"); 490 register_signal (c, SIGTERM, "inactive"); 491} 492 493#if P2MP 494 495void 496check_server_poll_timeout_dowork (struct context *c) 497{ 498 event_timeout_reset (&c->c2.server_poll_interval); 499 if (!tls_initial_packet_received (c->c2.tls_multi)) 500 { 501 msg (M_INFO, "Server poll timeout, restarting"); 502 register_signal (c, SIGUSR1, "server_poll"); 503 c->persist.restart_sleep_seconds = -1; 504 } 505} 506 507/* 508 * Schedule a signal n_seconds from now. 509 */ 510void 511schedule_exit (struct context *c, const int n_seconds, const int signal) 512{ 513 tls_set_single_session (c->c2.tls_multi); 514 update_time (); 515 reset_coarse_timers (c); 516 event_timeout_init (&c->c2.scheduled_exit, n_seconds, now); 517 c->c2.scheduled_exit_signal = signal; 518 msg (D_SCHED_EXIT, "Delayed exit in %d seconds", n_seconds); 519} 520 521/* 522 * Scheduled exit? 523 */ 524void 525check_scheduled_exit_dowork (struct context *c) 526{ 527 register_signal (c, c->c2.scheduled_exit_signal, "delayed-exit"); 528} 529 530#endif 531 532/* 533 * Should we write timer-triggered status file. 534 */ 535void 536check_status_file_dowork (struct context *c) 537{ 538 if (c->c1.status_output) 539 print_status (c, c->c1.status_output); 540} 541 542#ifdef ENABLE_FRAGMENT 543/* 544 * Should we deliver a datagram fragment to remote? 545 */ 546void 547check_fragment_dowork (struct context *c) 548{ 549 struct link_socket_info *lsi = get_link_socket_info (c); 550 551 /* OS MTU Hint? */ 552 if (lsi->mtu_changed && c->c2.ipv4_tun) 553 { 554 frame_adjust_path_mtu (&c->c2.frame_fragment, c->c2.link_socket->mtu, 555 c->options.ce.proto); 556 lsi->mtu_changed = false; 557 } 558 559 if (fragment_outgoing_defined (c->c2.fragment)) 560 { 561 if (!c->c2.to_link.len) 562 { 563 /* encrypt a fragment for output to TCP/UDP port */ 564 ASSERT (fragment_ready_to_send (c->c2.fragment, &c->c2.buf, &c->c2.frame_fragment)); 565 encrypt_sign (c, false); 566 } 567 } 568 569 fragment_housekeeping (c->c2.fragment, &c->c2.frame_fragment, &c->c2.timeval); 570} 571#endif 572 573/* 574 * Buffer reallocation, for use with null encryption. 575 */ 576static inline void 577buffer_turnover (const uint8_t *orig_buf, struct buffer *dest_stub, struct buffer *src_stub, struct buffer *storage) 578{ 579 if (orig_buf == src_stub->data && src_stub->data != storage->data) 580 { 581 buf_assign (storage, src_stub); 582 *dest_stub = *storage; 583 } 584 else 585 { 586 *dest_stub = *src_stub; 587 } 588} 589 590/* 591 * Compress, fragment, encrypt and HMAC-sign an outgoing packet. 592 * Input: c->c2.buf 593 * Output: c->c2.to_link 594 */ 595void 596encrypt_sign (struct context *c, bool comp_frag) 597{ 598 struct context_buffers *b = c->c2.buffers; 599 const uint8_t *orig_buf = c->c2.buf.data; 600 601#if P2MP_SERVER 602 /* 603 * Drop non-TLS outgoing packet if client-connect script/plugin 604 * has not yet succeeded. 605 */ 606 if (c->c2.context_auth != CAS_SUCCEEDED) 607 c->c2.buf.len = 0; 608#endif 609 610 if (comp_frag) 611 { 612#ifdef ENABLE_LZO 613 /* Compress the packet. */ 614 if (lzo_defined (&c->c2.lzo_compwork)) 615 lzo_compress (&c->c2.buf, b->lzo_compress_buf, &c->c2.lzo_compwork, &c->c2.frame); 616#endif 617#ifdef ENABLE_FRAGMENT 618 if (c->c2.fragment) 619 fragment_outgoing (c->c2.fragment, &c->c2.buf, &c->c2.frame_fragment); 620#endif 621 } 622 623#ifdef ENABLE_CRYPTO 624#ifdef ENABLE_SSL 625 /* 626 * If TLS mode, get the key we will use to encrypt 627 * the packet. 628 */ 629 if (c->c2.tls_multi) 630 { 631 tls_pre_encrypt (c->c2.tls_multi, &c->c2.buf, &c->c2.crypto_options); 632 } 633#endif 634 635 /* 636 * Encrypt the packet and write an optional 637 * HMAC signature. 638 */ 639 openvpn_encrypt (&c->c2.buf, b->encrypt_buf, &c->c2.crypto_options, &c->c2.frame); 640#endif 641 /* 642 * Get the address we will be sending the packet to. 643 */ 644 link_socket_get_outgoing_addr (&c->c2.buf, get_link_socket_info (c), 645 &c->c2.to_link_addr); 646#ifdef ENABLE_CRYPTO 647#ifdef ENABLE_SSL 648 /* 649 * In TLS mode, prepend the appropriate one-byte opcode 650 * to the packet which identifies it as a data channel 651 * packet and gives the low-permutation version of 652 * the key-id to the recipient so it knows which 653 * decrypt key to use. 654 */ 655 if (c->c2.tls_multi) 656 { 657 tls_post_encrypt (c->c2.tls_multi, &c->c2.buf); 658 } 659#endif 660#endif 661 662 /* if null encryption, copy result to read_tun_buf */ 663 buffer_turnover (orig_buf, &c->c2.to_link, &c->c2.buf, &b->read_tun_buf); 664} 665 666/* 667 * Coarse timers work to 1 second resolution. 668 */ 669static void 670process_coarse_timers (struct context *c) 671{ 672 char foxconn_log[512]; 673 674#ifdef ENABLE_CRYPTO 675 /* flush current packet-id to file once per 60 676 seconds if --replay-persist was specified */ 677 check_packet_id_persist_flush (c); 678#endif 679 680 /* should we update status file? */ 681 check_status_file (c); 682 683 /* process connection establishment items */ 684 check_connection_established (c); 685 686#if P2MP 687 /* see if we should send a push_request in response to --pull */ 688 check_push_request (c); 689#endif 690 691#ifdef PLUGIN_PF 692 pf_check_reload (c); 693#endif 694 695 /* process --route options */ 696 check_add_routes (c); 697 698 /* possibly exit due to --inactive */ 699 check_inactivity_timeout (c); 700 if (c->sig->signal_received) 701 return; 702 703 /* restart if ping not received */ 704 check_ping_restart (c); 705 if(c->sig->signal_received == SIGUSR1){ 706 sprintf(foxconn_log, "[OpenVPN, connection drop]IP address:%s",inet_ntoa (c->c2.to_link_addr->dest.addr.in4.sin_addr)); 707 ambitWriteLog(foxconn_log, sizeof(foxconn_log)); 708 } 709 if (c->sig->signal_received) 710 return; 711 712#if P2MP 713 check_server_poll_timeout (c); 714 if (c->sig->signal_received) 715 return; 716 717 check_scheduled_exit (c); 718 if (c->sig->signal_received) 719 return; 720#endif 721 722#ifdef ENABLE_OCC 723 /* Should we send an OCC_REQUEST message? */ 724 check_send_occ_req (c); 725 726 /* Should we send an MTU load test? */ 727 check_send_occ_load_test (c); 728 729 /* Should we send an OCC_EXIT message to remote? */ 730 if (c->c2.explicit_exit_notification_time_wait) 731 process_explicit_exit_notification_timer_wakeup (c); 732#endif 733 734 /* Should we ping the remote? */ 735 check_ping_send (c); 736} 737 738static void 739check_coarse_timers_dowork (struct context *c) 740{ 741 const struct timeval save = c->c2.timeval; 742 c->c2.timeval.tv_sec = BIG_TIMEOUT; 743 c->c2.timeval.tv_usec = 0; 744 process_coarse_timers (c); 745 c->c2.coarse_timer_wakeup = now + c->c2.timeval.tv_sec; 746 747 dmsg (D_INTERVAL, "TIMER: coarse timer wakeup %d seconds", (int) c->c2.timeval.tv_sec); 748 749 /* Is the coarse timeout NOT the earliest one? */ 750 if (c->c2.timeval.tv_sec > save.tv_sec) 751 c->c2.timeval = save; 752} 753 754static inline void 755check_coarse_timers (struct context *c) 756{ 757 const time_t local_now = now; 758 if (local_now >= c->c2.coarse_timer_wakeup) 759 check_coarse_timers_dowork (c); 760 else 761 context_reschedule_sec (c, c->c2.coarse_timer_wakeup - local_now); 762} 763 764static void 765check_timeout_random_component_dowork (struct context *c) 766{ 767 const int update_interval = 10; /* seconds */ 768 c->c2.update_timeout_random_component = now + update_interval; 769 c->c2.timeout_random_component.tv_usec = (time_t) get_random () & 0x0003FFFF; 770 c->c2.timeout_random_component.tv_sec = 0; 771 772 dmsg (D_INTERVAL, "RANDOM USEC=%d", (int) c->c2.timeout_random_component.tv_usec); 773} 774 775static inline void 776check_timeout_random_component (struct context *c) 777{ 778 if (now >= c->c2.update_timeout_random_component) 779 check_timeout_random_component_dowork (c); 780 if (c->c2.timeval.tv_sec >= 1) 781 tv_add (&c->c2.timeval, &c->c2.timeout_random_component); 782} 783 784#ifdef ENABLE_SOCKS 785 786/* 787 * Handle addition and removal of the 10-byte Socks5 header 788 * in UDP packets. 789 */ 790 791static inline void 792socks_postprocess_incoming_link (struct context *c) 793{ 794 if (c->c2.link_socket->socks_proxy && c->c2.link_socket->info.proto == PROTO_UDPv4) 795 socks_process_incoming_udp (&c->c2.buf, &c->c2.from); 796} 797 798static inline void 799socks_preprocess_outgoing_link (struct context *c, 800 struct link_socket_actual **to_addr, 801 int *size_delta) 802{ 803 if (c->c2.link_socket->socks_proxy && c->c2.link_socket->info.proto == PROTO_UDPv4) 804 { 805 *size_delta += socks_process_outgoing_udp (&c->c2.to_link, c->c2.to_link_addr); 806 *to_addr = &c->c2.link_socket->socks_relay; 807 } 808} 809 810/* undo effect of socks_preprocess_outgoing_link */ 811static inline void 812link_socket_write_post_size_adjust (int *size, 813 int size_delta, 814 struct buffer *buf) 815{ 816 if (size_delta > 0 && *size > size_delta) 817 { 818 *size -= size_delta; 819 if (!buf_advance (buf, size_delta)) 820 *size = 0; 821 } 822} 823#endif 824 825/* 826 * Output: c->c2.buf 827 */ 828 829void 830read_incoming_link (struct context *c) 831{ 832 /* 833 * Set up for recvfrom call to read datagram 834 * sent to our TCP/UDP port. 835 */ 836 int status; 837 838 /*ASSERT (!c->c2.to_tun.len);*/ 839 840 perf_push (PERF_READ_IN_LINK); 841 842 c->c2.buf = c->c2.buffers->read_link_buf; 843 ASSERT (buf_init (&c->c2.buf, FRAME_HEADROOM_ADJ (&c->c2.frame, FRAME_HEADROOM_MARKER_READ_LINK))); 844 845 status = link_socket_read (c->c2.link_socket, 846 &c->c2.buf, 847 MAX_RW_SIZE_LINK (&c->c2.frame), 848 &c->c2.from); 849 850 if (socket_connection_reset (c->c2.link_socket, status)) 851 { 852#if PORT_SHARE 853 if (port_share && socket_foreign_protocol_detected (c->c2.link_socket)) 854 { 855 const struct buffer *fbuf = socket_foreign_protocol_head (c->c2.link_socket); 856 const int sd = socket_foreign_protocol_sd (c->c2.link_socket); 857 port_share_redirect (port_share, fbuf, sd); 858 register_signal (c, SIGTERM, "port-share-redirect"); 859 } 860 else 861#endif 862 { 863 /* received a disconnect from a connection-oriented protocol */ 864 if (c->options.inetd) 865 { 866 register_signal (c, SIGTERM, "connection-reset-inetd"); 867 msg (D_STREAM_ERRORS, "Connection reset, inetd/xinetd exit [%d]", status); 868 } 869 else 870 { 871#ifdef ENABLE_OCC 872 if (event_timeout_defined(&c->c2.explicit_exit_notification_interval)) 873 { 874 msg (D_STREAM_ERRORS, "Connection reset during exit notification period, ignoring [%d]", status); 875 openvpn_sleep(1); 876 } 877 else 878#endif 879 { 880 register_signal (c, SIGUSR1, "connection-reset"); /* SOFT-SIGUSR1 -- TCP connection reset */ 881 msg (D_STREAM_ERRORS, "Connection reset, restarting [%d]", status); 882 } 883 } 884 } 885 perf_pop (); 886 return; 887 } 888 889 /* check recvfrom status */ 890 check_status (status, "read", c->c2.link_socket, NULL); 891 892#ifdef ENABLE_SOCKS 893 /* Remove socks header if applicable */ 894 socks_postprocess_incoming_link (c); 895#endif 896 897 perf_pop (); 898} 899 900/* 901 * Input: c->c2.buf 902 * Output: c->c2.to_tun 903 */ 904 905void 906process_incoming_link (struct context *c) 907{ 908 struct gc_arena gc = gc_new (); 909 bool decrypt_status; 910 struct link_socket_info *lsi = get_link_socket_info (c); 911 const uint8_t *orig_buf = c->c2.buf.data; 912 913 perf_push (PERF_PROC_IN_LINK); 914 915 if (c->c2.buf.len > 0) 916 { 917 c->c2.link_read_bytes += c->c2.buf.len; 918 link_read_bytes_global += c->c2.buf.len; 919#ifdef ENABLE_MEMSTATS 920 if (mmap_stats) 921 mmap_stats->link_read_bytes = link_read_bytes_global; 922#endif 923 c->c2.original_recv_size = c->c2.buf.len; 924#ifdef ENABLE_MANAGEMENT 925 if (management) 926 { 927 management_bytes_in (management, c->c2.buf.len); 928#ifdef MANAGEMENT_DEF_AUTH 929 management_bytes_server (management, &c->c2.link_read_bytes, &c->c2.link_write_bytes, &c->c2.mda_context); 930#endif 931 } 932#endif 933 } 934 else 935 c->c2.original_recv_size = 0; 936 937#ifdef ENABLE_DEBUG 938 /* take action to corrupt packet if we are in gremlin test mode */ 939 if (c->options.gremlin) { 940 if (!ask_gremlin (c->options.gremlin)) 941 c->c2.buf.len = 0; 942 corrupt_gremlin (&c->c2.buf, c->options.gremlin); 943 } 944#endif 945 946 /* log incoming packet */ 947#ifdef LOG_RW 948 if (c->c2.log_rw && c->c2.buf.len > 0) 949 fprintf (stderr, "R"); 950#endif 951 msg (D_LINK_RW, "%s READ [%d] from %s: %s", 952 proto2ascii (lsi->proto, true), 953 BLEN (&c->c2.buf), 954 print_link_socket_actual (&c->c2.from, &gc), 955 PROTO_DUMP (&c->c2.buf, &gc)); 956 957 /* 958 * Good, non-zero length packet received. 959 * Commence multi-stage processing of packet, 960 * such as authenticate, decrypt, decompress. 961 * If any stage fails, it sets buf.len to 0 or -1, 962 * telling downstream stages to ignore the packet. 963 */ 964 if (c->c2.buf.len > 0) 965 { 966 if (!link_socket_verify_incoming_addr (&c->c2.buf, lsi, &c->c2.from)) 967 link_socket_bad_incoming_addr (&c->c2.buf, lsi, &c->c2.from); 968 969#ifdef ENABLE_CRYPTO 970#ifdef ENABLE_SSL 971 if (c->c2.tls_multi) 972 { 973 /* 974 * If tls_pre_decrypt returns true, it means the incoming 975 * packet was a good TLS control channel packet. If so, TLS code 976 * will deal with the packet and set buf.len to 0 so downstream 977 * stages ignore it. 978 * 979 * If the packet is a data channel packet, tls_pre_decrypt 980 * will load crypto_options with the correct encryption key 981 * and return false. 982 */ 983 if (tls_pre_decrypt (c->c2.tls_multi, &c->c2.from, &c->c2.buf, &c->c2.crypto_options)) 984 { 985 interval_action (&c->c2.tmp_int); 986 987 /* reset packet received timer if TLS packet */ 988 if (c->options.ping_rec_timeout) 989 event_timeout_reset (&c->c2.ping_rec_interval); 990 } 991 } 992#if P2MP_SERVER 993 /* 994 * Drop non-TLS packet if client-connect script/plugin has not 995 * yet succeeded. 996 */ 997 if (c->c2.context_auth != CAS_SUCCEEDED) 998 c->c2.buf.len = 0; 999#endif 1000#endif /* ENABLE_SSL */ 1001 1002 /* authenticate and decrypt the incoming packet */ 1003 decrypt_status = openvpn_decrypt (&c->c2.buf, c->c2.buffers->decrypt_buf, &c->c2.crypto_options, &c->c2.frame); 1004 1005 if (!decrypt_status && link_socket_connection_oriented (c->c2.link_socket)) 1006 { 1007 /* decryption errors are fatal in TCP mode */ 1008 register_signal (c, SIGUSR1, "decryption-error"); /* SOFT-SIGUSR1 -- decryption error in TCP mode */ 1009 msg (D_STREAM_ERRORS, "Fatal decryption error (process_incoming_link), restarting"); 1010 goto done; 1011 } 1012 1013#endif /* ENABLE_CRYPTO */ 1014 1015#ifdef ENABLE_FRAGMENT 1016 if (c->c2.fragment) 1017 fragment_incoming (c->c2.fragment, &c->c2.buf, &c->c2.frame_fragment); 1018#endif 1019 1020#ifdef ENABLE_LZO 1021 /* decompress the incoming packet */ 1022 if (lzo_defined (&c->c2.lzo_compwork)) 1023 lzo_decompress (&c->c2.buf, c->c2.buffers->lzo_decompress_buf, &c->c2.lzo_compwork, &c->c2.frame); 1024#endif 1025 1026#ifdef PACKET_TRUNCATION_CHECK 1027 /* if (c->c2.buf.len > 1) --c->c2.buf.len; */ 1028 ipv4_packet_size_verify (BPTR (&c->c2.buf), 1029 BLEN (&c->c2.buf), 1030 TUNNEL_TYPE (c->c1.tuntap), 1031 "POST_DECRYPT", 1032 &c->c2.n_trunc_post_decrypt); 1033#endif 1034 1035 /* 1036 * Set our "official" outgoing address, since 1037 * if buf.len is non-zero, we know the packet 1038 * authenticated. In TLS mode we do nothing 1039 * because TLS mode takes care of source address 1040 * authentication. 1041 * 1042 * Also, update the persisted version of our packet-id. 1043 */ 1044 if (!TLS_MODE (c)) 1045 link_socket_set_outgoing_addr (&c->c2.buf, lsi, &c->c2.from, NULL, c->c2.es); 1046 1047 /* reset packet received timer */ 1048 if (c->options.ping_rec_timeout && c->c2.buf.len > 0) 1049 event_timeout_reset (&c->c2.ping_rec_interval); 1050 1051 /* increment authenticated receive byte count */ 1052 if (c->c2.buf.len > 0) 1053 { 1054 c->c2.link_read_bytes_auth += c->c2.buf.len; 1055 c->c2.max_recv_size_local = max_int (c->c2.original_recv_size, c->c2.max_recv_size_local); 1056 } 1057 1058 /* Did we just receive an openvpn ping packet? */ 1059 if (is_ping_msg (&c->c2.buf)) 1060 { 1061 dmsg (D_PING, "RECEIVED PING PACKET"); 1062 c->c2.buf.len = 0; /* drop packet */ 1063 } 1064 1065#ifdef ENABLE_OCC 1066 /* Did we just receive an OCC packet? */ 1067 if (is_occ_msg (&c->c2.buf)) 1068 process_received_occ_msg (c); 1069#endif 1070 1071 buffer_turnover (orig_buf, &c->c2.to_tun, &c->c2.buf, &c->c2.buffers->read_link_buf); 1072 1073 /* to_tun defined + unopened tuntap can cause deadlock */ 1074 if (!tuntap_defined (c->c1.tuntap)) 1075 c->c2.to_tun.len = 0; 1076 } 1077 else 1078 { 1079 buf_reset (&c->c2.to_tun); 1080 } 1081 done: 1082 perf_pop (); 1083 gc_free (&gc); 1084} 1085 1086/* 1087 * Output: c->c2.buf 1088 */ 1089 1090void 1091read_incoming_tun (struct context *c) 1092{ 1093 /* 1094 * Setup for read() call on TUN/TAP device. 1095 */ 1096 /*ASSERT (!c->c2.to_link.len);*/ 1097 1098 perf_push (PERF_READ_IN_TUN); 1099 1100 c->c2.buf = c->c2.buffers->read_tun_buf; 1101#ifdef TUN_PASS_BUFFER 1102 read_tun_buffered (c->c1.tuntap, &c->c2.buf, MAX_RW_SIZE_TUN (&c->c2.frame)); 1103#else 1104 ASSERT (buf_init (&c->c2.buf, FRAME_HEADROOM (&c->c2.frame))); 1105 ASSERT (buf_safe (&c->c2.buf, MAX_RW_SIZE_TUN (&c->c2.frame))); 1106 c->c2.buf.len = read_tun (c->c1.tuntap, BPTR (&c->c2.buf), MAX_RW_SIZE_TUN (&c->c2.frame)); 1107#endif 1108 1109#ifdef PACKET_TRUNCATION_CHECK 1110 ipv4_packet_size_verify (BPTR (&c->c2.buf), 1111 BLEN (&c->c2.buf), 1112 TUNNEL_TYPE (c->c1.tuntap), 1113 "READ_TUN", 1114 &c->c2.n_trunc_tun_read); 1115#endif 1116 1117 /* Was TUN/TAP interface stopped? */ 1118 if (tuntap_stop (c->c2.buf.len)) 1119 { 1120 register_signal (c, SIGTERM, "tun-stop"); 1121 msg (M_INFO, "TUN/TAP interface has been stopped, exiting"); 1122 perf_pop (); 1123 return; 1124 } 1125 1126 /* Check the status return from read() */ 1127 check_status (c->c2.buf.len, "read from TUN/TAP", NULL, c->c1.tuntap); 1128 1129 perf_pop (); 1130} 1131 1132/* 1133 * Input: c->c2.buf 1134 * Output: c->c2.to_link 1135 */ 1136 1137void 1138process_incoming_tun (struct context *c) 1139{ 1140 struct gc_arena gc = gc_new (); 1141 1142 perf_push (PERF_PROC_IN_TUN); 1143 1144 if (c->c2.buf.len > 0) 1145 c->c2.tun_read_bytes += c->c2.buf.len; 1146 1147#ifdef LOG_RW 1148 if (c->c2.log_rw && c->c2.buf.len > 0) 1149 fprintf (stderr, "r"); 1150#endif 1151 1152 /* Show packet content */ 1153 dmsg (D_TUN_RW, "TUN READ [%d]", BLEN (&c->c2.buf)); 1154 1155 if (c->c2.buf.len > 0) 1156 { 1157 /* 1158 * The --passtos and --mssfix options require 1159 * us to examine the IP header (IPv4 or IPv6). 1160 */ 1161 process_ip_header (c, PIPV4_PASSTOS|PIP_MSSFIX|PIPV4_CLIENT_NAT, &c->c2.buf); 1162 1163#ifdef PACKET_TRUNCATION_CHECK 1164 /* if (c->c2.buf.len > 1) --c->c2.buf.len; */ 1165 ipv4_packet_size_verify (BPTR (&c->c2.buf), 1166 BLEN (&c->c2.buf), 1167 TUNNEL_TYPE (c->c1.tuntap), 1168 "PRE_ENCRYPT", 1169 &c->c2.n_trunc_pre_encrypt); 1170#endif 1171 1172 encrypt_sign (c, true); 1173 } 1174 else 1175 { 1176 buf_reset (&c->c2.to_link); 1177 } 1178 perf_pop (); 1179 gc_free (&gc); 1180} 1181 1182void 1183process_ip_header (struct context *c, unsigned int flags, struct buffer *buf) 1184{ 1185 if (!c->options.ce.mssfix) 1186 flags &= ~PIP_MSSFIX; 1187#if PASSTOS_CAPABILITY 1188 if (!c->options.passtos) 1189 flags &= ~PIPV4_PASSTOS; 1190#endif 1191 if (!c->options.route_gateway_via_dhcp) 1192 flags &= ~PIPV4_EXTRACT_DHCP_ROUTER; 1193 1194 if (buf->len > 0) 1195 { 1196 /* 1197 * The --passtos and --mssfix options require 1198 * us to examine the IPv4 header. 1199 */ 1200#if PASSTOS_CAPABILITY 1201 if (flags & (PIPV4_PASSTOS|PIP_MSSFIX)) 1202#else 1203 if (flags & PIP_MSSFIX) 1204#endif 1205 { 1206 struct buffer ipbuf = *buf; 1207 if (is_ipv4 (TUNNEL_TYPE (c->c1.tuntap), &ipbuf)) 1208 { 1209#if PASSTOS_CAPABILITY 1210 /* extract TOS from IP header */ 1211 if (flags & PIPV4_PASSTOS) 1212 link_socket_extract_tos (c->c2.link_socket, &ipbuf); 1213#endif 1214 1215 /* possibly alter the TCP MSS */ 1216 if (flags & PIP_MSSFIX) 1217 mss_fixup_ipv4 (&ipbuf, MTU_TO_MSS (TUN_MTU_SIZE_DYNAMIC (&c->c2.frame))); 1218 1219#ifdef ENABLE_CLIENT_NAT 1220 /* possibly do NAT on packet */ 1221 if ((flags & PIPV4_CLIENT_NAT) && c->options.client_nat) 1222 { 1223 const int direction = (flags & PIPV4_OUTGOING) ? CN_INCOMING : CN_OUTGOING; 1224 client_nat_transform (c->options.client_nat, &ipbuf, direction); 1225 } 1226#endif 1227 /* possibly extract a DHCP router message */ 1228 if (flags & PIPV4_EXTRACT_DHCP_ROUTER) 1229 { 1230 const in_addr_t dhcp_router = dhcp_extract_router_msg (&ipbuf); 1231 if (dhcp_router) 1232 route_list_add_vpn_gateway (c->c1.route_list, c->c2.es, dhcp_router); 1233 } 1234 } 1235 else if (is_ipv6 (TUNNEL_TYPE (c->c1.tuntap), &ipbuf)) 1236 { 1237 /* possibly alter the TCP MSS */ 1238 if (flags & PIP_MSSFIX) 1239 mss_fixup_ipv6 (&ipbuf, MTU_TO_MSS (TUN_MTU_SIZE_DYNAMIC (&c->c2.frame))); 1240 } 1241 } 1242 } 1243} 1244 1245/* 1246 * Input: c->c2.to_link 1247 */ 1248 1249void 1250process_outgoing_link (struct context *c) 1251{ 1252 struct gc_arena gc = gc_new (); 1253 1254 perf_push (PERF_PROC_OUT_LINK); 1255 1256 if (c->c2.to_link.len > 0 && c->c2.to_link.len <= EXPANDED_SIZE (&c->c2.frame)) 1257 { 1258 /* 1259 * Setup for call to send/sendto which will send 1260 * packet to remote over the TCP/UDP port. 1261 */ 1262 int size = 0; 1263 ASSERT (link_socket_actual_defined (c->c2.to_link_addr)); 1264 1265#ifdef ENABLE_DEBUG 1266 /* In gremlin-test mode, we may choose to drop this packet */ 1267 if (!c->options.gremlin || ask_gremlin (c->options.gremlin)) 1268#endif 1269 { 1270 /* 1271 * Let the traffic shaper know how many bytes 1272 * we wrote. 1273 */ 1274#ifdef ENABLE_FEATURE_SHAPER 1275 if (c->options.shaper) 1276 shaper_wrote_bytes (&c->c2.shaper, BLEN (&c->c2.to_link) 1277 + datagram_overhead (c->options.ce.proto)); 1278#endif 1279 /* 1280 * Let the pinger know that we sent a packet. 1281 */ 1282 if (c->options.ping_send_timeout) 1283 event_timeout_reset (&c->c2.ping_send_interval); 1284 1285#if PASSTOS_CAPABILITY 1286 /* Set TOS */ 1287 link_socket_set_tos (c->c2.link_socket); 1288#endif 1289 1290 /* Log packet send */ 1291#ifdef LOG_RW 1292 if (c->c2.log_rw) 1293 fprintf (stderr, "W"); 1294#endif 1295 msg (D_LINK_RW, "%s WRITE [%d] to %s: %s", 1296 proto2ascii (c->c2.link_socket->info.proto, true), 1297 BLEN (&c->c2.to_link), 1298 print_link_socket_actual (c->c2.to_link_addr, &gc), 1299 PROTO_DUMP (&c->c2.to_link, &gc)); 1300 1301 /* Packet send complexified by possible Socks5 usage */ 1302 { 1303 struct link_socket_actual *to_addr = c->c2.to_link_addr; 1304#ifdef ENABLE_SOCKS 1305 int size_delta = 0; 1306#endif 1307 1308#ifdef ENABLE_SOCKS 1309 /* If Socks5 over UDP, prepend header */ 1310 socks_preprocess_outgoing_link (c, &to_addr, &size_delta); 1311#endif 1312 /* Send packet */ 1313 size = link_socket_write (c->c2.link_socket, 1314 &c->c2.to_link, 1315 to_addr); 1316 1317#ifdef ENABLE_SOCKS 1318 /* Undo effect of prepend */ 1319 link_socket_write_post_size_adjust (&size, size_delta, &c->c2.to_link); 1320#endif 1321 } 1322 1323 if (size > 0) 1324 { 1325 c->c2.max_send_size_local = max_int (size, c->c2.max_send_size_local); 1326 c->c2.link_write_bytes += size; 1327 link_write_bytes_global += size; 1328#ifdef ENABLE_MEMSTATS 1329 if (mmap_stats) 1330 mmap_stats->link_write_bytes = link_write_bytes_global; 1331#endif 1332#ifdef ENABLE_MANAGEMENT 1333 if (management) 1334 { 1335 management_bytes_out (management, size); 1336#ifdef MANAGEMENT_DEF_AUTH 1337 management_bytes_server (management, &c->c2.link_read_bytes, &c->c2.link_write_bytes, &c->c2.mda_context); 1338#endif 1339 } 1340#endif 1341 } 1342 } 1343 1344 /* Check return status */ 1345 check_status (size, "write", c->c2.link_socket, NULL); 1346 1347 if (size > 0) 1348 { 1349 /* Did we write a different size packet than we intended? */ 1350 if (size != BLEN (&c->c2.to_link)) 1351 msg (D_LINK_ERRORS, 1352 "TCP/UDP packet was truncated/expanded on write to %s (tried=%d,actual=%d)", 1353 print_link_socket_actual (c->c2.to_link_addr, &gc), 1354 BLEN (&c->c2.to_link), 1355 size); 1356 } 1357 1358 /* if not a ping/control message, indicate activity regarding --inactive parameter */ 1359 if (c->c2.buf.len > 0 ) 1360 register_activity (c, size); 1361 } 1362 else 1363 { 1364 if (c->c2.to_link.len > 0) 1365 msg (D_LINK_ERRORS, "TCP/UDP packet too large on write to %s (tried=%d,max=%d)", 1366 print_link_socket_actual (c->c2.to_link_addr, &gc), 1367 c->c2.to_link.len, 1368 EXPANDED_SIZE (&c->c2.frame)); 1369 } 1370 1371 buf_reset (&c->c2.to_link); 1372 1373 perf_pop (); 1374 gc_free (&gc); 1375} 1376 1377/* 1378 * Input: c->c2.to_tun 1379 */ 1380 1381void 1382process_outgoing_tun (struct context *c) 1383{ 1384 struct gc_arena gc = gc_new (); 1385 1386 /* 1387 * Set up for write() call to TUN/TAP 1388 * device. 1389 */ 1390 if (c->c2.to_tun.len <= 0) 1391 return; 1392 1393 perf_push (PERF_PROC_OUT_TUN); 1394 1395 /* 1396 * The --mssfix option requires 1397 * us to examine the IP header (IPv4 or IPv6). 1398 */ 1399 process_ip_header (c, PIP_MSSFIX|PIPV4_EXTRACT_DHCP_ROUTER|PIPV4_CLIENT_NAT|PIPV4_OUTGOING, &c->c2.to_tun); 1400 1401 if (c->c2.to_tun.len <= MAX_RW_SIZE_TUN (&c->c2.frame)) 1402 { 1403 /* 1404 * Write to TUN/TAP device. 1405 */ 1406 int size; 1407 1408#ifdef LOG_RW 1409 if (c->c2.log_rw) 1410 fprintf (stderr, "w"); 1411#endif 1412 dmsg (D_TUN_RW, "TUN WRITE [%d]", BLEN (&c->c2.to_tun)); 1413 1414#ifdef PACKET_TRUNCATION_CHECK 1415 ipv4_packet_size_verify (BPTR (&c->c2.to_tun), 1416 BLEN (&c->c2.to_tun), 1417 TUNNEL_TYPE (c->c1.tuntap), 1418 "WRITE_TUN", 1419 &c->c2.n_trunc_tun_write); 1420#endif 1421 1422#ifdef TUN_PASS_BUFFER 1423 size = write_tun_buffered (c->c1.tuntap, &c->c2.to_tun); 1424#else 1425 size = write_tun (c->c1.tuntap, BPTR (&c->c2.to_tun), BLEN (&c->c2.to_tun)); 1426#endif 1427 1428 if (size > 0) 1429 c->c2.tun_write_bytes += size; 1430 check_status (size, "write to TUN/TAP", NULL, c->c1.tuntap); 1431 1432 /* check written packet size */ 1433 if (size > 0) 1434 { 1435 /* Did we write a different size packet than we intended? */ 1436 if (size != BLEN (&c->c2.to_tun)) 1437 msg (D_LINK_ERRORS, 1438 "TUN/TAP packet was destructively fragmented on write to %s (tried=%d,actual=%d)", 1439 c->c1.tuntap->actual_name, 1440 BLEN (&c->c2.to_tun), 1441 size); 1442 1443 /* indicate activity regarding --inactive parameter */ 1444 register_activity (c, size); 1445 } 1446 } 1447 else 1448 { 1449 /* 1450 * This should never happen, probably indicates some kind 1451 * of MTU mismatch. 1452 */ 1453 msg (D_LINK_ERRORS, "tun packet too large on write (tried=%d,max=%d)", 1454 c->c2.to_tun.len, 1455 MAX_RW_SIZE_TUN (&c->c2.frame)); 1456 } 1457 1458 buf_reset (&c->c2.to_tun); 1459 1460 perf_pop (); 1461 gc_free (&gc); 1462} 1463 1464void 1465pre_select (struct context *c) 1466{ 1467 /* make sure current time (now) is updated on function entry */ 1468 1469 /* 1470 * Start with an effectively infinite timeout, then let it 1471 * reduce to a timeout that reflects the component which 1472 * needs the earliest service. 1473 */ 1474 c->c2.timeval.tv_sec = BIG_TIMEOUT; 1475 c->c2.timeval.tv_usec = 0; 1476 1477#if defined(WIN32) 1478 if (check_debug_level (D_TAP_WIN_DEBUG)) 1479 { 1480 c->c2.timeval.tv_sec = 1; 1481 if (tuntap_defined (c->c1.tuntap)) 1482 tun_show_debug (c->c1.tuntap); 1483 } 1484#endif 1485 1486 /* check coarse timers? */ 1487 check_coarse_timers (c); 1488 if (c->sig->signal_received) 1489 return; 1490 1491 /* Does TLS need service? */ 1492 check_tls (c); 1493 1494 /* In certain cases, TLS errors will require a restart */ 1495 check_tls_errors (c); 1496 if (c->sig->signal_received) 1497 return; 1498 1499 /* check for incoming configuration info on the control channel */ 1500 check_incoming_control_channel (c); 1501 1502#ifdef ENABLE_OCC 1503 /* Should we send an OCC message? */ 1504 check_send_occ_msg (c); 1505#endif 1506 1507#ifdef ENABLE_FRAGMENT 1508 /* Should we deliver a datagram fragment to remote? */ 1509 check_fragment (c); 1510#endif 1511 1512 /* Update random component of timeout */ 1513 check_timeout_random_component (c); 1514} 1515 1516/* 1517 * Wait for I/O events. Used for both TCP & UDP sockets 1518 * in point-to-point mode and for UDP sockets in 1519 * point-to-multipoint mode. 1520 */ 1521 1522void 1523io_wait_dowork (struct context *c, const unsigned int flags) 1524{ 1525 unsigned int socket = 0; 1526 unsigned int tuntap = 0; 1527 struct event_set_return esr[4]; 1528 1529 /* These shifts all depend on EVENT_READ and EVENT_WRITE */ 1530 static int socket_shift = 0; /* depends on SOCKET_READ and SOCKET_WRITE */ 1531 static int tun_shift = 2; /* depends on TUN_READ and TUN_WRITE */ 1532 static int err_shift = 4; /* depends on ES_ERROR */ 1533#ifdef ENABLE_MANAGEMENT 1534 static int management_shift = 6; /* depends on MANAGEMENT_READ and MANAGEMENT_WRITE */ 1535#endif 1536 1537 /* 1538 * Decide what kind of events we want to wait for. 1539 */ 1540 event_reset (c->c2.event_set); 1541 1542 /* 1543 * On win32 we use the keyboard or an event object as a source 1544 * of asynchronous signals. 1545 */ 1546 if (flags & IOW_WAIT_SIGNAL) 1547 wait_signal (c->c2.event_set, (void*)&err_shift); 1548 1549 /* 1550 * If outgoing data (for TCP/UDP port) pending, wait for ready-to-send 1551 * status from TCP/UDP port. Otherwise, wait for incoming data on 1552 * TUN/TAP device. 1553 */ 1554 if (flags & IOW_TO_LINK) 1555 { 1556 if (flags & IOW_SHAPER) 1557 { 1558 /* 1559 * If sending this packet would put us over our traffic shaping 1560 * quota, don't send -- instead compute the delay we must wait 1561 * until it will be OK to send the packet. 1562 */ 1563#ifdef ENABLE_FEATURE_SHAPER 1564 int delay = 0; 1565 1566 /* set traffic shaping delay in microseconds */ 1567 if (c->options.shaper) 1568 delay = max_int (delay, shaper_delay (&c->c2.shaper)); 1569 1570 if (delay < 1000) 1571 { 1572 socket |= EVENT_WRITE; 1573 } 1574 else 1575 { 1576 shaper_soonest_event (&c->c2.timeval, delay); 1577 } 1578#else /* ENABLE_FEATURE_SHAPER */ 1579 socket |= EVENT_WRITE; 1580#endif /* ENABLE_FEATURE_SHAPER */ 1581 } 1582 else 1583 { 1584 socket |= EVENT_WRITE; 1585 } 1586 } 1587 else if (!((flags & IOW_FRAG) && TO_LINK_FRAG (c))) 1588 { 1589 if (flags & IOW_READ_TUN) 1590 tuntap |= EVENT_READ; 1591 } 1592 1593 /* 1594 * If outgoing data (for TUN/TAP device) pending, wait for ready-to-send status 1595 * from device. Otherwise, wait for incoming data on TCP/UDP port. 1596 */ 1597 if (flags & IOW_TO_TUN) 1598 { 1599 tuntap |= EVENT_WRITE; 1600 } 1601 else 1602 { 1603 if (flags & IOW_READ_LINK) 1604 socket |= EVENT_READ; 1605 } 1606 1607 /* 1608 * outgoing bcast buffer waiting to be sent? 1609 */ 1610 if (flags & IOW_MBUF) 1611 socket |= EVENT_WRITE; 1612 1613 /* 1614 * Force wait on TUN input, even if also waiting on TCP/UDP output 1615 */ 1616 if (flags & IOW_READ_TUN_FORCE) 1617 tuntap |= EVENT_READ; 1618 1619 /* 1620 * Configure event wait based on socket, tuntap flags. 1621 */ 1622 socket_set (c->c2.link_socket, c->c2.event_set, socket, (void*)&socket_shift, NULL); 1623 tun_set (c->c1.tuntap, c->c2.event_set, tuntap, (void*)&tun_shift, NULL); 1624 1625#ifdef ENABLE_MANAGEMENT 1626 if (management) 1627 management_socket_set (management, c->c2.event_set, (void*)&management_shift, NULL); 1628#endif 1629 1630 /* 1631 * Possible scenarios: 1632 * (1) tcp/udp port has data available to read 1633 * (2) tcp/udp port is ready to accept more data to write 1634 * (3) tun dev has data available to read 1635 * (4) tun dev is ready to accept more data to write 1636 * (5) we received a signal (handler sets signal_received) 1637 * (6) timeout (tv) expired 1638 */ 1639 1640 c->c2.event_set_status = ES_ERROR; 1641 1642 if (!c->sig->signal_received) 1643 { 1644 if (!(flags & IOW_CHECK_RESIDUAL) || !socket_read_residual (c->c2.link_socket)) 1645 { 1646 int status; 1647 1648#ifdef ENABLE_DEBUG 1649 if (check_debug_level (D_EVENT_WAIT)) 1650 show_wait_status (c); 1651#endif 1652 1653 /* 1654 * Wait for something to happen. 1655 */ 1656 status = event_wait (c->c2.event_set, &c->c2.timeval, esr, SIZE(esr)); 1657 1658 check_status (status, "event_wait", NULL, NULL); 1659 1660 if (status > 0) 1661 { 1662 int i; 1663 c->c2.event_set_status = 0; 1664 for (i = 0; i < status; ++i) 1665 { 1666 const struct event_set_return *e = &esr[i]; 1667 c->c2.event_set_status |= ((e->rwflags & 3) << *((int*)e->arg)); 1668 } 1669 } 1670 else if (status == 0) 1671 { 1672 c->c2.event_set_status = ES_TIMEOUT; 1673 } 1674 } 1675 else 1676 { 1677 c->c2.event_set_status = SOCKET_READ; 1678 } 1679 } 1680 1681 /* 'now' should always be a reasonably up-to-date timestamp */ 1682 update_time (); 1683 1684 /* set signal_received if a signal was received */ 1685 if (c->c2.event_set_status & ES_ERROR) 1686 get_signal (&c->sig->signal_received); 1687 1688 dmsg (D_EVENT_WAIT, "I/O WAIT status=0x%04x", c->c2.event_set_status); 1689} 1690 1691void 1692process_io (struct context *c) 1693{ 1694 const unsigned int status = c->c2.event_set_status; 1695 1696#ifdef ENABLE_MANAGEMENT 1697 if (status & (MANAGEMENT_READ|MANAGEMENT_WRITE)) 1698 { 1699 ASSERT (management); 1700 management_io (management); 1701 } 1702#endif 1703 1704 /* TCP/UDP port ready to accept write */ 1705 if (status & SOCKET_WRITE) 1706 { 1707 process_outgoing_link (c); 1708 } 1709 /* TUN device ready to accept write */ 1710 else if (status & TUN_WRITE) 1711 { 1712 process_outgoing_tun (c); 1713 } 1714 /* Incoming data on TCP/UDP port */ 1715 else if (status & SOCKET_READ) 1716 { 1717 read_incoming_link (c); 1718 if (!IS_SIG (c)) 1719 process_incoming_link (c); 1720 } 1721 /* Incoming data on TUN device */ 1722 else if (status & TUN_READ) 1723 { 1724 read_incoming_tun (c); 1725 if (!IS_SIG (c)) 1726 process_incoming_tun (c); 1727 } 1728} 1729