/*
 * OpenVPN -- An application to securely tunnel IP networks
 * over a single TCP/UDP port, with support for SSL/TLS-based
 * session authentication and key exchange,
 * packet encryption, packet authentication, and
 * packet compression.
 *
 * Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2
 * as published by the Free Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program (see the file COPYING included with this
 * distribution); if not, write to the Free Software Foundation, Inc.,
 * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
 */

/*
 * Event loop and per-client action state machine for multi-client
 * TCP server mode (--mode server --proto tcp-server).
 */

#ifdef HAVE_CONFIG_H
#include "config.h"
#elif defined(_MSC_VER)
#include "config-msvc.h"
#endif

#include "syshead.h"

#if P2MP_SERVER

#include "multi.h"
#include "forward-inline.h"

#include "memdbg.h"

/*
 * TCP States -- the "action" values driving the multi_tcp_action()
 * state machine below (see multi_tcp_dispatch/multi_tcp_post).
 */
#define TA_UNDEF                 0  /* nothing further to do */
#define TA_SOCKET_READ           1  /* read ciphertext from a client TCP socket */
#define TA_SOCKET_READ_RESIDUAL  2  /* consume packets left over from a prior TCP recv */
#define TA_SOCKET_WRITE          3  /* write ciphertext to a client TCP socket */
#define TA_SOCKET_WRITE_READY    4  /* socket became writable; flush deferred queue */
#define TA_SOCKET_WRITE_DEFERRED 5  /* socket buffer full; queue packet instead */
#define TA_TUN_READ              6  /* read plaintext from the TUN/TAP device */
#define TA_TUN_WRITE             7  /* write plaintext to the TUN/TAP device */
#define TA_INITIAL               8  /* first dispatch for a newly accepted client */
#define TA_TIMEOUT               9  /* event wait timed out; service timers */
#define TA_TUN_WRITE_TIMEOUT     10 /* TUN did not accept the write; drop packet */

/*
 * Special tags passed to event.[ch] functions.  These are used as the
 * event "arg" to identify the global event sources; any arg >= MTCP_N
 * is instead a pointer to a client's struct multi_instance
 * (see multi_tcp_process_io).
 */
#define MTCP_SOCKET ((void*)1)  /* the listening TCP socket */
#define MTCP_TUN    ((void*)2)  /* the server-side TUN/TAP device */
#define MTCP_SIG    ((void*)3)  /* Only on Windows */
#ifdef ENABLE_MANAGEMENT
# define MTCP_MANAGEMENT ((void*)4)
#endif

#define MTCP_N ((void*)16) /* upper bound on MTCP_x */

/*
 * Aggregated I/O wait flags.
 * NOTE(review): not referenced anywhere in this file -- confirm it is
 * used elsewhere before assuming it is live.
 */
struct ta_iow_flags
{
  unsigned int flags;
  unsigned int ret;
  unsigned int tun;
  unsigned int sock;
};

/*
 * Return a human-readable name for a TA_x action, for debug logging.
 */
static const char *
pract (int action)
{
  switch (action)
    {
    case TA_UNDEF:
      return "TA_UNDEF";
    case TA_SOCKET_READ:
      return "TA_SOCKET_READ";
    case TA_SOCKET_READ_RESIDUAL:
      return "TA_SOCKET_READ_RESIDUAL";
    case TA_SOCKET_WRITE:
      return "TA_SOCKET_WRITE";
    case TA_SOCKET_WRITE_READY:
      return "TA_SOCKET_WRITE_READY";
    case TA_SOCKET_WRITE_DEFERRED:
      return "TA_SOCKET_WRITE_DEFERRED";
    case TA_TUN_READ:
      return "TA_TUN_READ";
    case TA_TUN_WRITE:
      return "TA_TUN_WRITE";
    case TA_INITIAL:
      return "TA_INITIAL";
    case TA_TIMEOUT:
      return "TA_TIMEOUT";
    case TA_TUN_WRITE_TIMEOUT:
      return "TA_TUN_WRITE_TIMEOUT";
    default:
      return "?";
    }
}

/*
 * Create a multi_instance for a newly accepted TCP client and enter it
 * into the real-address hash (m->hash).  If another client with the
 * same real address already exists, the old instance is closed and the
 * hash element is re-pointed at the new one ("new client takes
 * precedence").  Returns the new instance, or NULL on failure.
 */
static struct multi_instance *
multi_create_instance_tcp (struct multi_context *m)
{
  struct gc_arena gc = gc_new ();
  struct multi_instance *mi = NULL;
  struct hash *hash = m->hash;

  mi = multi_create_instance (m, NULL);
  if (mi)
    {
      struct hash_element *he;
      const uint32_t hv = hash_value (hash, &mi->real);
      struct hash_bucket *bucket = hash_bucket (hash, hv);

      he = hash_lookup_fast (hash, bucket, &mi->real, hv);

      if (he)
        {
          /* address collision: evict the previous instance in place */
          struct multi_instance *oldmi = (struct multi_instance *) he->value;
          msg (D_MULTI_LOW, "MULTI TCP: new incoming client address matches existing client address -- new client takes precedence");
          /* prevent multi_close_instance from removing the hash element
             we are about to reuse */
          oldmi->did_real_hash = false;
          multi_close_instance (m, oldmi, false);
          he->key = &mi->real;
          he->value = mi;
        }
      else
        hash_add_fast (hash, bucket, &mi->real, hv, mi);

      mi->did_real_hash = true;
    }

#ifdef ENABLE_DEBUG
  if (mi)
    dmsg (D_MULTI_DEBUG, "MULTI TCP: instance added: %s", mroute_addr_print (&mi->real, &gc));
  else
    dmsg (D_MULTI_DEBUG, "MULTI TCP: new client instance failed");
#endif

  gc_free (&gc);
  ASSERT (!(mi && mi->halt));
  return mi;
}

/*
 * Per-instance initialization for TCP mode.  Allocates the queue used
 * to buffer outgoing packets while the client's TCP socket is not
 * writable, and derives the instance's real-address key from the
 * accepted connection.  Returns false if the client's address cannot
 * be determined.
 */
bool
multi_tcp_instance_specific_init (struct multi_context *m, struct multi_instance *mi)
{
  /* buffer for queued TCP socket output packets */
  mi->tcp_link_out_deferred = mbuf_init (m->top.options.n_bcast_buf);

  ASSERT (mi->context.c2.link_socket);
  ASSERT (mi->context.c2.link_socket->info.lsa);
  ASSERT (mi->context.c2.link_socket->mode == LS_MODE_TCP_ACCEPT_FROM);
  /* only IPv4/IPv6 peers are supported */
  ASSERT (mi->context.c2.link_socket->info.lsa->actual.dest.addr.sa.sa_family == AF_INET
          || mi->context.c2.link_socket->info.lsa->actual.dest.addr.sa.sa_family == AF_INET6
          );
  if (!mroute_extract_openvpn_sockaddr (&mi->real, &mi->context.c2.link_socket->info.lsa->actual.dest, true))
    {
      msg (D_MULTI_ERRORS, "MULTI TCP: TCP client address is undefined");
      return false;
    }
  return true;
}

/*
 * Free the per-instance TCP state allocated by
 * multi_tcp_instance_specific_init.
 */
void
multi_tcp_instance_specific_free (struct multi_instance *mi)
{
  mbuf_free (mi->tcp_link_out_deferred);
}

/*
 * Allocate and initialize the global TCP-mode event machinery.
 * 'maxevents' is the requested per-client event capacity; BASE_N_EVENTS
 * extra slots are reserved for the global event sources.  *maxclients
 * is clamped in place so the client count never exceeds the event set
 * capacity (minimum 1).
 */
struct multi_tcp *
multi_tcp_init (int maxevents, int *maxclients)
{
  struct multi_tcp *mtcp;
  const int extra_events = BASE_N_EVENTS;

  ASSERT (maxevents >= 1);
  ASSERT (maxclients);

  ALLOC_OBJ_CLEAR (mtcp, struct multi_tcp);
  mtcp->maxevents = maxevents + extra_events;
  /* event_set_init may adjust maxevents to what the backend supports */
  mtcp->es = event_set_init (&mtcp->maxevents, 0);
  wait_signal (mtcp->es, MTCP_SIG);
  ALLOC_ARRAY (mtcp->esr, struct event_set_return, mtcp->maxevents);
  *maxclients = max_int (min_int (mtcp->maxevents - extra_events, *maxclients), 1);
  msg (D_MULTI_LOW, "MULTI: TCP INIT maxclients=%d maxevents=%d", *maxclients, mtcp->maxevents);
  return mtcp;
}

/*
 * Remove a single registration from the event set, if it exists.
 */
void
multi_tcp_delete_event (struct multi_tcp *mtcp, event_t event)
{
  if (mtcp && mtcp->es)
    event_del (mtcp->es, event);
}

/*
 * Tear down the TCP-mode event machinery allocated by multi_tcp_init.
 */
void
multi_tcp_free (struct multi_tcp *mtcp)
{
  if (mtcp)
    {
      event_free (mtcp->es);
      if (mtcp->esr)
        free (mtcp->esr);
      free (mtcp);
    }
}

/*
 * Detach a client instance from the event set prior to close.  Also
 * discards any queued event results (mtcp->esr), since they may hold
 * a pointer to the instance being deleted.
 */
void
multi_tcp_dereference_instance (struct multi_tcp *mtcp, struct multi_instance *mi)
{
  struct link_socket *ls = mi->context.c2.link_socket;
  if (ls && mi->socket_set_called)
    event_del (mtcp->es, socket_event_handle (ls));
  mtcp->n_esr = 0;
}

/*
 * (Re-)register the instance's socket with the global event set:
 * wait for writability if deferred output is queued, otherwise for
 * readability.
 */
static inline void
multi_tcp_set_global_rw_flags (struct multi_context *m, struct multi_instance *mi)
{
  if (mi)
    {
      mi->socket_set_called = true;
      socket_set (mi->context.c2.link_socket,
                  m->mtcp->es,
                  mbuf_defined (mi->tcp_link_out_deferred) ? EVENT_WRITE : EVENT_READ,
                  mi,
                  &mi->tcp_rwflags);
    }
}

/*
 * Top-level event wait: block on the listening socket, the TUN device,
 * the management interface (if enabled) and all registered client
 * sockets for at most c->c2.timeval.  Returns the event_wait status;
 * on success mtcp->n_esr holds the number of returned events in
 * mtcp->esr.
 */
static inline int
multi_tcp_wait (const struct context *c,
                struct multi_tcp *mtcp)
{
  int status;
  socket_set_listen_persistent (c->c2.link_socket, mtcp->es, MTCP_SOCKET);
  tun_set (c->c1.tuntap, mtcp->es, EVENT_READ, MTCP_TUN, &mtcp->tun_rwflags);
#ifdef ENABLE_MANAGEMENT
  if (management)
    management_socket_set (management, mtcp->es, MTCP_MANAGEMENT, &mtcp->management_persist_flags);
#endif
  status = event_wait (mtcp->es, &c->c2.timeval, mtcp->esr, mtcp->maxevents);
  update_time ();
  mtcp->n_esr = 0;
  if (status > 0)
    mtcp->n_esr = status;
  return status;
}

/*
 * Select the context to operate on: the instance's context if one is
 * given, otherwise the top-level context.
 */
static inline struct context *
multi_tcp_context (struct multi_context *m, struct multi_instance *mi)
{
  if (mi)
    return &mi->context;
  else
    return &m->top;
}

/*
 * The client socket became writable: transmit one previously deferred
 * ciphertext packet from the instance's queue.  A false return
 * propagates from multi_process_outgoing_link_dowork and appears to
 * mean the instance no longer exists (mi is NULLed locally) --
 * NOTE(review): confirm against multi.c.
 */
static bool
multi_tcp_process_outgoing_link_ready (struct multi_context *m, struct multi_instance *mi, const unsigned int mpp_flags)
{
  struct mbuf_item item;
  bool ret = true;
  ASSERT (mi);

  /* extract from queue */
  if (mbuf_extract_item (mi->tcp_link_out_deferred, &item)) /* ciphertext IP packet */
    {
      dmsg (D_MULTI_TCP, "MULTI TCP: transmitting previously deferred packet");

      ASSERT (mi == item.instance);
      mi->context.c2.to_link = item.buffer->buf;
      ret = multi_process_outgoing_link_dowork (m, mi, mpp_flags);
      if (!ret)
        mi = NULL;
      mbuf_free_buf (item.buffer);
    }
  return ret;
}

/*
 * Send the pending outgoing packet of the instance selected by
 * multi_process_outgoing_link_pre.  If 'defer' is requested, or the
 * instance already has deferred output queued (presumably so packets
 * stay in order behind the queue -- TODO confirm), the packet is
 * copied onto the deferred queue instead of being written now.
 */
static bool
multi_tcp_process_outgoing_link (struct multi_context *m, bool defer, const unsigned int mpp_flags)
{
  struct multi_instance *mi = multi_process_outgoing_link_pre (m);
  bool ret = true;

  if (mi)
    {
      if (defer || mbuf_defined (mi->tcp_link_out_deferred))
        {
          /* save to queue */
          struct buffer *buf = &mi->context.c2.to_link;
          if (BLEN (buf) > 0)
            {
              struct mbuf_buffer *mb = mbuf_alloc_buf (buf);
              struct mbuf_item item;

              set_prefix (mi);
              dmsg (D_MULTI_TCP, "MULTI TCP: queuing deferred packet");
              item.buffer = mb;
              item.instance = mi;
              mbuf_add_item (mi->tcp_link_out_deferred, &item);
              mbuf_free_buf (mb);
              buf_reset (buf);
              ret = multi_process_post (m, mi, mpp_flags);
              if (!ret)
                mi = NULL;
              clear_prefix ();
            }
        }
      else
        {
          ret = multi_process_outgoing_link_dowork (m, mi, mpp_flags);
          if (!ret)
            mi = NULL;
        }
    }
  return ret;
}

/*
 * "Lite" I/O wait: a zero-timeout wait scoped to the single I/O
 * direction implied by 'action', on the given instance's context (or
 * the top-level context if mi is NULL).  Returns 'action' if the I/O
 * is ready; TA_SOCKET_WRITE_DEFERRED or TA_TUN_WRITE_TIMEOUT for the
 * two recoverable not-ready cases; TA_UNDEF otherwise.
 * *tun_input_pending is set when TUN input is detected while waiting
 * to write to the socket (TA_SOCKET_WRITE is the only case that keeps
 * the pointer alive, via IOW_READ_TUN_FORCE).
 */
static int
multi_tcp_wait_lite (struct multi_context *m, struct multi_instance *mi, const int action, bool *tun_input_pending)
{
  struct context *c = multi_tcp_context (m, mi);
  unsigned int looking_for = 0;

  dmsg (D_MULTI_DEBUG, "MULTI TCP: multi_tcp_wait_lite a=%s mi=" ptr_format,
        pract(action),
        (ptr_type)mi);

  tv_clear (&c->c2.timeval); /* ZERO-TIMEOUT */

  switch (action)
    {
    case TA_TUN_READ:
      looking_for = TUN_READ;
      tun_input_pending = NULL;
      io_wait (c, IOW_READ_TUN);
      break;
    case TA_SOCKET_READ:
      looking_for = SOCKET_READ;
      tun_input_pending = NULL;
      io_wait (c, IOW_READ_LINK);
      break;
    case TA_TUN_WRITE:
      looking_for = TUN_WRITE;
      tun_input_pending = NULL;
      c->c2.timeval.tv_sec = 1; /* For some reason, the Linux 2.2 TUN/TAP driver hits this timeout */
      perf_push (PERF_PROC_OUT_TUN_MTCP);
      io_wait (c, IOW_TO_TUN);
      perf_pop ();
      break;
    case TA_SOCKET_WRITE:
      /* tun_input_pending deliberately not NULLed here: TUN input may
         be detected by IOW_READ_TUN_FORCE and reported to the caller */
      looking_for = SOCKET_WRITE;
      io_wait (c, IOW_TO_LINK|IOW_READ_TUN_FORCE);
      break;
    default:
      msg (M_FATAL, "MULTI TCP: multi_tcp_wait_lite, unhandled action=%d", action);
    }

  if (tun_input_pending && (c->c2.event_set_status & TUN_READ))
    *tun_input_pending = true;

  if (c->c2.event_set_status & looking_for)
    {
      return action;
    }
  else
    {
      switch (action)
        {
          /* TCP socket output buffer is full */
        case TA_SOCKET_WRITE:
          return TA_SOCKET_WRITE_DEFERRED;

          /* TUN device timed out on accepting write */
        case TA_TUN_WRITE:
          return TA_TUN_WRITE_TIMEOUT;
        }

      return TA_UNDEF;
    }
}

/*
 * Perform 'action' on instance mi (NULL for global actions such as
 * TA_TUN_READ / TA_TIMEOUT).  Returns the instance touched by the
 * action, reported back through m->mpp_touched -- it may differ from
 * mi -- so the caller can check it for a pending signal.
 */
static struct multi_instance *
multi_tcp_dispatch (struct multi_context *m, struct multi_instance *mi, const int action)
{
  const unsigned int mpp_flags = MPP_PRE_SELECT|MPP_RECORD_TOUCH;
  struct multi_instance *touched = mi;
  m->mpp_touched = &touched;

  dmsg (D_MULTI_DEBUG, "MULTI TCP: multi_tcp_dispatch a=%s mi=" ptr_format,
        pract(action),
        (ptr_type)mi);

  switch (action)
    {
    case TA_TUN_READ:
      read_incoming_tun (&m->top);
      if (!IS_SIG (&m->top))
        multi_process_incoming_tun (m, mpp_flags);
      break;
    case TA_SOCKET_READ:
    case TA_SOCKET_READ_RESIDUAL:
      ASSERT (mi);
      ASSERT (mi->context.c2.link_socket);
      set_prefix (mi);
      read_incoming_link (&mi->context);
      clear_prefix ();
      if (!IS_SIG (&mi->context))
        {
          multi_process_incoming_link (m, mi, mpp_flags);
          if (!IS_SIG (&mi->context))
            stream_buf_read_setup (mi->context.c2.link_socket);
        }
      break;
    case TA_TIMEOUT:
      multi_process_timeout (m, mpp_flags);
      break;
    case TA_TUN_WRITE:
      multi_process_outgoing_tun (m, mpp_flags);
      break;
    case TA_TUN_WRITE_TIMEOUT:
      /* TUN would not accept the write -- drop the packet */
      multi_process_drop_outgoing_tun (m, mpp_flags);
      break;
    case TA_SOCKET_WRITE_READY:
      ASSERT (mi);
      multi_tcp_process_outgoing_link_ready (m, mi, mpp_flags);
      break;
    case TA_SOCKET_WRITE:
      multi_tcp_process_outgoing_link (m, false, mpp_flags);
      break;
    case TA_SOCKET_WRITE_DEFERRED:
      multi_tcp_process_outgoing_link (m, true, mpp_flags);
      break;
    case TA_INITIAL:
      ASSERT (mi);
      multi_tcp_set_global_rw_flags (m, mi);
      multi_process_post (m, mi, mpp_flags);
      break;
    default:
      msg (M_FATAL, "MULTI TCP: multi_tcp_dispatch, unhandled action=%d", action);
    }

  m->mpp_touched = NULL;
  return touched;
}

/*
 * After 'action' has been dispatched, decide the follow-up action from
 * the pending output in the context: pending TUN output takes
 * precedence over pending link output; if neither is pending, consume
 * residual TCP input when available, otherwise re-register the
 * socket's event flags and finish (TA_UNDEF).
 */
int
multi_tcp_post (struct multi_context *m, struct multi_instance *mi, const int action)
{
  struct context *c = multi_tcp_context (m, mi);
  int newaction = TA_UNDEF;

# define MTP_NONE 0
# define MTP_TUN_OUT (1<<0)
# define MTP_LINK_OUT (1<<1)
  unsigned int flags = MTP_NONE;

  if (TUN_OUT(c))
    flags |= MTP_TUN_OUT;
  if (LINK_OUT(c))
    flags |= MTP_LINK_OUT;

  switch (flags)
    {
    case MTP_TUN_OUT|MTP_LINK_OUT:
    case MTP_TUN_OUT:
      newaction = TA_TUN_WRITE;
      break;
    case MTP_LINK_OUT:
      newaction = TA_SOCKET_WRITE;
      break;
    case MTP_NONE:
      if (mi && socket_read_residual (c->c2.link_socket))
        newaction = TA_SOCKET_READ_RESIDUAL;
      else
        multi_tcp_set_global_rw_flags (m, mi);
      break;
    default:
      {
        struct gc_arena gc = gc_new ();
        msg (M_FATAL, "MULTI TCP: multi_tcp_post bad state, mi=%s flags=%d",
             multi_instance_string (mi, false, &gc),
             flags);
        gc_free (&gc);
        break;
      }
    }

  dmsg (D_MULTI_DEBUG, "MULTI TCP: multi_tcp_post %s -> %s",
        pract(action),
        pract(newaction));

  return newaction;
}

/*
 * Drive the TA_x action state machine to completion, starting from
 * 'action' on instance mi.  Each iteration optionally performs a
 * zero-timeout wait, dispatches the action, closes the touched
 * instance if it received a signal, and asks multi_tcp_post for the
 * next action.  Loops until the state machine reaches TA_UNDEF.
 */
static void
multi_tcp_action (struct multi_context *m, struct multi_instance *mi, int action, bool poll)
{
  bool tun_input_pending = false;

  do {
    dmsg (D_MULTI_DEBUG, "MULTI TCP: multi_tcp_action a=%s p=%d",
          pract(action),
          poll);

    /*
     * If TA_SOCKET_READ_RESIDUAL, it means we still have pending
     * input packets which were read by a prior TCP recv.
     *
     * Otherwise do a "lite" wait, which means we wait with 0 timeout
     * on I/O events only related to the current instance, not
     * the big list of events.
     *
     * On our first pass, poll will be false because we already know
     * that input is available, and to call io_wait would be redundant.
     */
    if (poll && action != TA_SOCKET_READ_RESIDUAL)
      {
        const int orig_action = action;
        action = multi_tcp_wait_lite (m, mi, action, &tun_input_pending);
        if (action == TA_UNDEF)
          msg (M_FATAL, "MULTI TCP: I/O wait required blocking in multi_tcp_action, action=%d", orig_action);
      }

    /*
     * Dispatch the action
     */
    {
      struct multi_instance *touched = multi_tcp_dispatch (m, mi, action);

      /*
       * Signal received or TCP connection
       * reset by peer?
       */
      if (touched && IS_SIG (&touched->context))
        {
          if (mi == touched)
            mi = NULL;
          multi_close_instance_on_signal (m, touched);
        }
    }

    /*
     * If dispatch produced any pending output
     * for a particular instance, point to
     * that instance.
     */
    if (m->pending)
      mi = m->pending;

    /*
     * Based on the effects of the action,
     * such as generating pending output,
     * possibly transition to a new action state.
     */
    action = multi_tcp_post (m, mi, action);

    /*
     * If we are finished processing the original action,
     * check if we have any TUN input.  If so, transition
     * our action state to processing this input.
     */
    if (tun_input_pending && action == TA_UNDEF)
      {
        action = TA_TUN_READ;
        mi = NULL;
        tun_input_pending = false;
        poll = false;
      }
    else
      poll = true;

  } while (action != TA_UNDEF);
}

/*
 * Handle the events returned by multi_tcp_wait: per-instance socket
 * reads/writes, management I/O, TUN I/O, new TCP connections on the
 * listening socket, and signals.  Finally, flush any queued packets in
 * m->mbuf that are destined for client TCP sockets.  Stops early if a
 * signal is raised on the top-level context.
 */
static void
multi_tcp_process_io (struct multi_context *m)
{
  struct multi_tcp *mtcp = m->mtcp;
  int i;

  for (i = 0; i < mtcp->n_esr; ++i)
    {
      struct event_set_return *e = &mtcp->esr[i];

      /* incoming data for instance?  args >= MTCP_N are instance pointers */
      if (e->arg >= MTCP_N)
        {
          struct multi_instance *mi = (struct multi_instance *) e->arg;
          if (mi)
            {
              if (e->rwflags & EVENT_WRITE)
                multi_tcp_action (m, mi, TA_SOCKET_WRITE_READY, false);
              else if (e->rwflags & EVENT_READ)
                multi_tcp_action (m, mi, TA_SOCKET_READ, false);
            }
        }
      else
        {
#ifdef ENABLE_MANAGEMENT
          if (e->arg == MTCP_MANAGEMENT)
            {
              ASSERT (management);
              management_io (management);
            }
          else
#endif
          /* incoming data on TUN? */
          if (e->arg == MTCP_TUN)
            {
              if (e->rwflags & EVENT_WRITE)
                multi_tcp_action (m, NULL, TA_TUN_WRITE, false);
              else if (e->rwflags & EVENT_READ)
                multi_tcp_action (m, NULL, TA_TUN_READ, false);
            }
          /* new incoming TCP client attempting to connect? */
          else if (e->arg == MTCP_SOCKET)
            {
              struct multi_instance *mi;
              ASSERT (m->top.c2.link_socket);
              socket_reset_listen_persistent (m->top.c2.link_socket);
              mi = multi_create_instance_tcp (m);
              if (mi)
                multi_tcp_action (m, mi, TA_INITIAL, false);
            }
          /* signal received? */
          else if (e->arg == MTCP_SIG)
            {
              get_signal (&m->top.sig->signal_received);
            }
        }
      if (IS_SIG (&m->top))
        break;
    }
  mtcp->n_esr = 0;

  /*
   * Process queued mbuf packets destined for TCP socket
   */
  {
    struct multi_instance *mi;
    while (!IS_SIG (&m->top) && (mi = mbuf_peek (m->mbuf)) != NULL)
      {
        multi_tcp_action (m, mi, TA_SOCKET_WRITE, true);
      }
  }
}

/*
 * Top level event loop for single-threaded operation.
 * TCP mode.
 *
 * Initializes the top-level context and multi_context, then loops:
 * wait for events, process them, and service coarse timers.  The loop
 * exits via MULTI_CHECK_SIG (which, presumably, breaks out when a
 * fatal signal is raised -- see multi.h), after which the multi state
 * is torn down.
 */
void
tunnel_server_tcp (struct context *top)
{
  struct multi_context multi;
  int status;

  top->mode = CM_TOP;
  context_clear_2 (top);

  /* initialize top-tunnel instance */
  init_instance_handle_signals (top, top->es, CC_HARD_USR1_TO_HUP);
  if (IS_SIG (top))
    return;

  /* initialize global multi_context object */
  multi_init (&multi, top, true, MC_SINGLE_THREADED);

  /* initialize our cloned top object */
  multi_top_init (&multi, top, true);

  /* initialize management interface */
  init_management_callback_multi (&multi);

  /* finished with initialization */
  initialization_sequence_completed (top, ISC_SERVER); /* --mode server --proto tcp-server */

  /* per-packet event loop */
  while (true)
    {
      perf_push (PERF_EVENT_LOOP);

      /* wait on tun/socket list */
      multi_get_timeout (&multi, &multi.top.c2.timeval);
      status = multi_tcp_wait (&multi.top, multi.mtcp);
      MULTI_CHECK_SIG (&multi);

      /* check on status of coarse timers */
      multi_process_per_second_timers (&multi);

      /* timeout? */
      if (status > 0)
        {
          /* process the I/O which triggered select */
          multi_tcp_process_io (&multi);
          MULTI_CHECK_SIG (&multi);
        }
      else if (status == 0)
        {
          multi_tcp_action (&multi, NULL, TA_TIMEOUT, false);
        }

      perf_pop ();
    }

  /* shut down management interface */
  uninit_management_callback_multi (&multi);

  /* save ifconfig-pool */
  multi_ifconfig_pool_persist (&multi, true);

  /* tear down tunnel instance (unless --persist-tun) */
  multi_uninit (&multi);
  multi_top_free (&multi);
  close_instance (top);
}

#endif /* P2MP_SERVER */