OpenVPN
mudp.c
Go to the documentation of this file.
1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single TCP/UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
9  *
10  * This program is free software; you can redistribute it and/or modify
11  * it under the terms of the GNU General Public License version 2
12  * as published by the Free Software Foundation.
13  *
14  * This program is distributed in the hope that it will be useful,
15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17  * GNU General Public License for more details.
18  *
19  * You should have received a copy of the GNU General Public License along
20  * with this program; if not, write to the Free Software Foundation, Inc.,
21  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22  */
23 
24 #ifdef HAVE_CONFIG_H
25 #include "config.h"
26 #elif defined(_MSC_VER)
27 #include "config-msvc.h"
28 #endif
29 
30 #include "syshead.h"
31 
32 #if P2MP_SERVER
33 
34 #include "multi.h"
35 #include <inttypes.h>
36 #include "forward.h"
37 
38 #include "memdbg.h"
39 
40 #ifdef HAVE_SYS_INOTIFY_H
41 #include <sys/inotify.h>
42 #endif
43 
44 /*
45  * Get a client instance based on real address. If
46  * the instance doesn't exist, create it while
47  * maintaining real address hash table atomicity.
48  */
49 
50 struct multi_instance *
52 {
53  struct gc_arena gc = gc_new();
54  struct mroute_addr real;
55  struct multi_instance *mi = NULL;
56  struct hash *hash = m->hash;
57 
58  if (mroute_extract_openvpn_sockaddr(&real, &m->top.c2.from.dest, true)
59  && m->top.c2.buf.len > 0)
60  {
61  struct hash_element *he;
62  const uint32_t hv = hash_value(hash, &real);
63  struct hash_bucket *bucket = hash_bucket(hash, hv);
64  uint8_t *ptr = BPTR(&m->top.c2.buf);
65  uint8_t op = ptr[0] >> P_OPCODE_SHIFT;
66  bool v2 = (op == P_DATA_V2) && (m->top.c2.buf.len >= (1 + 3));
67  bool peer_id_disabled = false;
68 
69  /* make sure buffer has enough length to read opcode (1 byte) and peer-id (3 bytes) */
70  if (v2)
71  {
72  uint32_t peer_id = ntohl(*(uint32_t *)ptr) & 0xFFFFFF;
73  peer_id_disabled = (peer_id == MAX_PEER_ID);
74 
75  if (!peer_id_disabled && (peer_id < m->max_clients) && (m->instances[peer_id]))
76  {
77  mi = m->instances[peer_id];
78 
79  *floated = !link_socket_actual_match(&mi->context.c2.from, &m->top.c2.from);
80 
81  if (*floated)
82  {
83  /* reset prefix, since here we are not sure peer is the one it claims to be */
85  msg(D_MULTI_MEDIUM, "Float requested for peer %" PRIu32 " to %s", peer_id,
86  mroute_addr_print(&real, &gc));
87  }
88  }
89  }
90  if (!v2 || peer_id_disabled)
91  {
92  he = hash_lookup_fast(hash, bucket, &real, hv);
93  if (he)
94  {
95  mi = (struct multi_instance *) he->value;
96  }
97  }
98  if (!mi)
99  {
100  if (!m->top.c2.tls_auth_standalone
102  {
104  {
105  mi = multi_create_instance(m, &real);
106  if (mi)
107  {
108  int i;
109 
110  hash_add_fast(hash, bucket, &mi->real, hv, mi);
111  mi->did_real_hash = true;
112 
113  /* max_clients must be less then max peer-id value */
115 
116  for (i = 0; i < m->max_clients; ++i)
117  {
118  if (!m->instances[i])
119  {
120  mi->context.c2.tls_multi->peer_id = i;
121  m->instances[i] = mi;
122  break;
123  }
124  }
125 
126  /* should not really end up here, since multi_create_instance returns null
127  * if amount of clients exceeds max_clients */
128  ASSERT(i < m->max_clients);
129  }
130  }
131  else
132  {
134  "MULTI: Connection from %s would exceed new connection frequency limit as controlled by --connect-freq",
135  mroute_addr_print(&real, &gc));
136  }
137  }
138  }
139 
140 #ifdef ENABLE_DEBUG
142  {
143  const char *status = mi ? "[ok]" : "[failed]";
144 
145  dmsg(D_MULTI_DEBUG, "GET INST BY REAL: %s %s",
146  mroute_addr_print(&real, &gc),
147  status);
148  }
149 #endif
150  }
151 
152  gc_free(&gc);
153  ASSERT(!(mi && mi->halt));
154  return mi;
155 }
156 
157 /*
158  * Send a packet to TCP/UDP socket.
159  */
160 static inline void
161 multi_process_outgoing_link(struct multi_context *m, const unsigned int mpp_flags)
162 {
164  if (mi)
165  {
166  multi_process_outgoing_link_dowork(m, mi, mpp_flags);
167  }
168 }
169 
170 /*
171  * Process an I/O event.
172  */
173 static void
175 {
176  const unsigned int status = m->top.c2.event_set_status;
177  const unsigned int mpp_flags = m->top.c2.fast_io
180 
181 #ifdef MULTI_DEBUG_EVENT_LOOP
182  char buf[16];
183  buf[0] = 0;
184  if (status & SOCKET_READ)
185  {
186  strcat(buf, "SR/");
187  }
188  else if (status & SOCKET_WRITE)
189  {
190  strcat(buf, "SW/");
191  }
192  else if (status & TUN_READ)
193  {
194  strcat(buf, "TR/");
195  }
196  else if (status & TUN_WRITE)
197  {
198  strcat(buf, "TW/");
199  }
200 #ifdef ENABLE_ASYNC_PUSH
201  else if (status & FILE_CLOSED)
202  {
203  strcat(buf, "FC/");
204  }
205 #endif
206  printf("IO %s\n", buf);
207 #endif /* ifdef MULTI_DEBUG_EVENT_LOOP */
208 
209 #ifdef ENABLE_MANAGEMENT
210  if (status & (MANAGEMENT_READ|MANAGEMENT_WRITE))
211  {
214  }
215 #endif
216 
217  /* UDP port ready to accept write */
218  if (status & SOCKET_WRITE)
219  {
220  multi_process_outgoing_link(m, mpp_flags);
221  }
222  /* TUN device ready to accept write */
223  else if (status & TUN_WRITE)
224  {
225  multi_process_outgoing_tun(m, mpp_flags);
226  }
227  /* Incoming data on UDP port */
228  else if (status & SOCKET_READ)
229  {
230  read_incoming_link(&m->top);
231  if (!IS_SIG(&m->top))
232  {
233  multi_process_incoming_link(m, NULL, mpp_flags);
234  }
235  }
236  /* Incoming data on TUN device */
237  else if (status & TUN_READ)
238  {
239  read_incoming_tun(&m->top);
240  if (!IS_SIG(&m->top))
241  {
242  multi_process_incoming_tun(m, mpp_flags);
243  }
244  }
245 #ifdef ENABLE_ASYNC_PUSH
246  /* INOTIFY callback */
247  else if (status & FILE_CLOSED)
248  {
249  multi_process_file_closed(m, mpp_flags);
250  }
251 #endif
252 }
253 
254 /*
255  * Return the io_wait() flags appropriate for
256  * a point-to-multipoint tunnel.
257  */
258 static inline unsigned int
260 {
261  unsigned int flags = IOW_WAIT_SIGNAL;
262  if (m->pending)
263  {
264  if (TUN_OUT(&m->pending->context))
265  {
266  flags |= IOW_TO_TUN;
267  }
268  if (LINK_OUT(&m->pending->context))
269  {
270  flags |= IOW_TO_LINK;
271  }
272  }
273  else if (mbuf_defined(m->mbuf))
274  {
275  flags |= IOW_MBUF;
276  }
277  else
278  {
279  flags |= IOW_READ;
280  }
281 
282  return flags;
283 }
284 
285 
286 /**************************************************************************/
297 static void
299 {
300  struct multi_context multi;
301 
302  top->mode = CM_TOP;
303  context_clear_2(top);
304 
305  /* initialize top-tunnel instance */
307  if (IS_SIG(top))
308  {
309  return;
310  }
311 
312  /* initialize global multi_context object */
313  multi_init(&multi, top, false, MC_SINGLE_THREADED);
314 
315  /* initialize our cloned top object */
316  multi_top_init(&multi, top);
317 
318  /* initialize management interface */
320 
321  /* finished with initialization */
322  initialization_sequence_completed(top, ISC_SERVER); /* --mode server --proto udp */
323 
324 #ifdef ENABLE_ASYNC_PUSH
325  multi.top.c2.inotify_fd = inotify_init();
326  if (multi.top.c2.inotify_fd < 0)
327  {
328  msg(D_MULTI_ERRORS | M_ERRNO, "MULTI: inotify_init error");
329  }
330 #endif
331 
332  /* per-packet event loop */
333  while (true)
334  {
336 
337  /* set up and do the io_wait() */
338  multi_get_timeout(&multi, &multi.top.c2.timeval);
339  io_wait(&multi.top, p2mp_iow_flags(&multi));
340  MULTI_CHECK_SIG(&multi);
341 
342  /* check on status of coarse timers */
344 
345  /* timeout? */
346  if (multi.top.c2.event_set_status == ES_TIMEOUT)
347  {
349  }
350  else
351  {
352  /* process I/O */
353  multi_process_io_udp(&multi);
354  MULTI_CHECK_SIG(&multi);
355  }
356 
357  perf_pop();
358  }
359 
360 #ifdef ENABLE_ASYNC_PUSH
361  close(top->c2.inotify_fd);
362 #endif
363 
364  /* shut down management interface */
366 
367  /* save ifconfig-pool */
368  multi_ifconfig_pool_persist(&multi, true);
369 
370  /* tear down tunnel instance (unless --persist-tun) */
371  multi_uninit(&multi);
372  multi_top_free(&multi);
373  close_instance(top);
374 }
375 
376 void
378 {
380 }
381 
382 #endif /* if P2MP_SERVER */
struct multi_instance ** instances
Array of multi_instances.
Definition: multi.h:140
#define TUN_OUT(c)
Definition: forward.h:38
#define D_MULTI_ERRORS
Definition: errlevel.h:65
#define PERF_EVENT_LOOP
Definition: perf.h:44
static void hash_add_fast(struct hash *hash, struct hash_bucket *bucket, const void *key, uint32_t hv, void *value)
Definition: list.h:167
Contains all state information for one tunnel.
Definition: openvpn.h:498
void multi_init(struct multi_context *m, struct context *t, bool tcp_mode, int thread_mode)
Definition: multi.c:295
struct env_set * es
Set of environment variables.
Definition: openvpn.h:521
static void gc_free(struct gc_arena *a)
Definition: buffer.h:999
static void multi_process_outgoing_link(struct multi_context *m, const unsigned int mpp_flags)
Definition: mudp.c:161
static bool check_debug_level(unsigned int level)
Definition: error.h:245
void ungenerate_prefix(struct multi_instance *mi)
Definition: multi.c:508
static struct multi_instance * multi_process_outgoing_link_pre(struct multi_context *m)
Definition: multi.h:387
struct buffer buf
Definition: openvpn.h:380
struct tls_auth_standalone * tls_auth_standalone
TLS state structure required for the initial authentication of a client&#39;s connection attempt...
Definition: openvpn.h:337
bool frequency_limit_event_allowed(struct frequency_limit *f)
Definition: otime.c:170
void close_instance(struct context *c)
Definition: init.c:4288
#define ASSERT(x)
Definition: error.h:221
void multi_top_free(struct multi_context *m)
Definition: multi.c:3033
static void perf_pop(void)
Definition: perf.h:82
static void perf_push(int type)
Definition: perf.h:78
#define TUN_READ
Definition: openvpn.h:236
#define MAX_PEER_ID
Definition: openvpn.h:570
#define SOCKET_READ
Definition: openvpn.h:234
#define IOW_TO_LINK
Definition: forward.h:55
bool tls_pre_decrypt_lite(const struct tls_auth_standalone *tas, const struct link_socket_actual *from, const struct buffer *buf)
Inspect an incoming packet for which no VPN tunnel is active, and determine whether a new VPN tunnel ...
Definition: ssl.c:3785
void read_incoming_link(struct context *c)
Read a packet from the external network interface.
Definition: forward.c:933
bool multi_process_incoming_tun(struct multi_context *m, const unsigned int mpp_flags)
Determine the destination VPN tunnel of a packet received over the virtual tun/tap network interface ...
Definition: multi.c:2734
#define ES_TIMEOUT
Definition: openvpn.h:239
bool did_real_hash
Definition: multi.h:102
#define MPP_CLOSE_ON_SIGNAL
Definition: multi.h:258
#define D_MULTI_MEDIUM
Definition: errlevel.h:103
list flags
int len
Length in bytes of the actual content within the allocated memory.
Definition: buffer.h:66
void init_instance_handle_signals(struct context *c, const struct env_set *env, const unsigned int flags)
Definition: init.c:3950
static bool multi_process_outgoing_tun(struct multi_context *m, const unsigned int mpp_flags)
Send a packet over the virtual tun/tap network interface to its locally reachable destination...
Definition: multi.h:613
void multi_uninit(struct multi_context *m)
Definition: multi.c:712
#define IOW_TO_TUN
Definition: forward.h:54
#define BPTR(buf)
Definition: buffer.h:124
void multi_top_init(struct multi_context *m, const struct context *top)
Definition: multi.c:3026
void init_management_callback_multi(struct multi_context *m)
Definition: multi.c:3347
void multi_ifconfig_pool_persist(struct multi_context *m, bool force)
Definition: multi.c:166
const char * mroute_addr_print(const struct mroute_addr *ma, struct gc_arena *gc)
Definition: mroute.c:424
static bool multi_process_outgoing_link_dowork(struct multi_context *m, struct multi_instance *mi, const unsigned int mpp_flags)
Definition: multi.h:634
static struct gc_arena gc_new(void)
Definition: buffer.h:991
#define IOW_MBUF
Definition: forward.h:61
#define MPP_PRE_SELECT
Definition: multi.h:256
struct multi_instance * multi_create_instance(struct multi_context *m, const struct mroute_addr *real)
Definition: multi.c:768
bool mroute_extract_openvpn_sockaddr(struct mroute_addr *addr, const struct openvpn_sockaddr *osaddr, bool use_port)
Definition: mroute.c:312
struct timeval timeval
Definition: openvpn.h:399
#define D_MULTI_DEBUG
Definition: errlevel.h:123
unsigned __int32 uint32_t
Definition: config-msvc.h:121
struct context context
The context structure storing state for this VPN tunnel.
Definition: multi.h:112
#define MULTI_CHECK_SIG(m)
Definition: multi.h:647
struct multi_instance * pending
Definition: multi.h:172
#define MC_SINGLE_THREADED
Definition: multi.h:133
#define LINK_OUT(c)
Definition: forward.h:39
static SERVICE_STATUS status
Definition: automatic.c:43
int max_clients
Definition: multi.h:162
static void io_wait(struct context *c, const unsigned int flags)
Definition: forward.h:353
void initialization_sequence_completed(struct context *c, const unsigned int flags)
Definition: init.c:1490
Interface functions to the internal and external multiplexers.
#define IS_SIG(c)
Definition: sig.h:50
struct context_2 c2
Level 2 context.
Definition: openvpn.h:537
#define dmsg
Definition: error.h:174
void read_incoming_tun(struct context *c)
Read a packet from the virtual tun/tap network interface.
Definition: forward.c:1243
#define MANAGEMENT_WRITE
Definition: openvpn.h:242
static void tunnel_server_udp_single_threaded(struct context *top)
Main event loop for OpenVPN in UDP server mode.
Definition: mudp.c:298
struct mbuf_set * mbuf
Set of buffers for passing data channel packets between VPN tunnel instances.
Definition: multi.h:151
#define IOW_WAIT_SIGNAL
Definition: forward.h:63
static void multi_process_io_udp(struct multi_context *m)
Definition: mudp.c:174
#define P_OPCODE_SHIFT
Definition: ssl.h:51
static struct hash_bucket * hash_bucket(struct hash *hash, uint32_t hv)
Definition: list.h:143
static void multi_get_timeout(struct multi_context *m, struct timeval *dest)
Definition: multi.h:570
bool halt
Definition: multi.h:80
static uint32_t hash_value(const struct hash *hash, const void *key)
Definition: list.h:125
void uninit_management_callback_multi(struct multi_context *m)
Definition: multi.c:3376
unsigned __int8 uint8_t
Definition: config-msvc.h:123
#define CM_TOP
Definition: openvpn.h:508
struct mroute_addr real
External network address of the remote peer.
Definition: multi.h:88
Main OpenVPN server state structure.
Definition: multi.h:131
#define MANAGEMENT_READ
Definition: openvpn.h:241
int mode
Role of this context within the OpenVPN process.
Definition: openvpn.h:512
#define msg
Definition: error.h:173
static bool mbuf_defined(const struct mbuf_set *ms)
Definition: mbuf.h:82
struct hash_element * hash_lookup_fast(struct hash *hash, struct hash_bucket *bucket, const void *key, uint32_t hv)
Definition: list.c:86
void management_io(struct management *man)
Definition: manage.c:3058
struct hash * hash
VPN tunnel instances indexed by real address of the remote peer.
Definition: multi.h:143
#define TUN_WRITE
Definition: openvpn.h:237
bool multi_process_incoming_link(struct multi_context *m, struct multi_instance *instance, const unsigned int mpp_flags)
Demultiplex and process a packet received over the external network interface.
Definition: multi.c:2494
void context_clear_2(struct context *c)
Definition: init.c:82
uint32_t peer_id
Definition: ssl_common.h:554
#define ISC_SERVER
Definition: init.h:117
struct frequency_limit * new_connection_limiter
Definition: multi.h:157
struct context top
Storage structure for process-wide configuration.
Definition: multi.h:178
bool fast_io
Definition: openvpn.h:429
void * value
Definition: list.h:49
#define SOCKET_WRITE
Definition: openvpn.h:235
void tunnel_server_udp(struct context *top)
Main event loop wrapper function for OpenVPN in UDP server mode.
Definition: mudp.c:377
Garbage collection arena used to keep track of dynamically allocated memory.
Definition: buffer.h:116
static bool link_socket_actual_match(const struct link_socket_actual *a1, const struct link_socket_actual *a2)
Definition: socket.h:883
struct link_socket_actual from
Definition: openvpn.h:256
#define M_ERRNO
Definition: error.h:99
struct multi_instance * multi_get_create_instance_udp(struct multi_context *m, bool *floated)
Get, and if necessary create, the multi_instance associated with a packet&#39;s source address...
Definition: mudp.c:51
Server-mode state structure for one single VPN tunnel.
Definition: multi.h:76
Definition: list.h:60
unsigned int event_set_status
Definition: openvpn.h:248
static unsigned int p2mp_iow_flags(const struct multi_context *m)
Definition: mudp.c:259
struct tls_multi * tls_multi
TLS state structure for this VPN tunnel.
Definition: openvpn.h:334
#define MPP_CONDITIONAL_PRE_SELECT
Definition: multi.h:257
#define P_DATA_V2
Definition: ssl.h:60
static void multi_process_per_second_timers(struct multi_context *m)
Definition: multi.h:552
#define CC_HARD_USR1_TO_HUP
Definition: init.h:107
bool multi_process_timeout(struct multi_context *m, const unsigned int mpp_flags)
Definition: multi.c:2886
#define IOW_READ
Definition: forward.h:65