OpenVPN
ps.c
Go to the documentation of this file.
1/*
2 * OpenVPN -- An application to securely tunnel IP networks
3 * over a single UDP port, with support for SSL/TLS-based
4 * session authentication and key exchange,
5 * packet encryption, packet authentication, and
6 * packet compression.
7 *
8 * Copyright (C) 2002-2025 OpenVPN Inc <sales@openvpn.net>
9 *
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License version 2
12 * as published by the Free Software Foundation.
13 *
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
18 *
19 * You should have received a copy of the GNU General Public License along
20 * with this program; if not, see <https://www.gnu.org/licenses/>.
21 */
22
23#ifdef HAVE_CONFIG_H
24#include "config.h"
25#endif
26
27#include "syshead.h"
28
29#if PORT_SHARE
30
31#include "event.h"
32#include "socket.h"
33#include "fdmisc.h"
34#include "crypto.h"
35#include "ps.h"
36
37#include "memdbg.h"
38
39struct port_share *port_share = NULL; /* GLOBAL */
40
41/* size of i/o buffers */
42#define PROXY_CONNECTION_BUFFER_SIZE 1500
43
44/* Command codes for foreground -> background communication */
45#define COMMAND_REDIRECT 10
46#define COMMAND_EXIT 11
47
48/* Response codes for background -> foreground communication */
49#define RESPONSE_INIT_SUCCEEDED 20
50#define RESPONSE_INIT_FAILED 21
51
52/*
53 * Return values for proxy_connection_io functions
54 */
55
56#define IOSTAT_EAGAIN_ON_READ 0 /* recv returned EAGAIN */
57#define IOSTAT_EAGAIN_ON_WRITE 1 /* send returned EAGAIN */
58#define IOSTAT_READ_ERROR 2 /* the other end of our read socket (pc) was closed */
59#define IOSTAT_WRITE_ERROR 3 /* the other end of our write socket (pc->counterpart) was closed */
60#define IOSTAT_GOOD 4 /* nothing to report */
61
62/*
63 * A foreign (non-OpenVPN) connection we are proxying,
64 * usually HTTPS
65 */
66struct proxy_connection
67{
68 bool defined;
69 struct proxy_connection *next;
70 struct proxy_connection *counterpart;
71 struct buffer buf;
72 bool buffer_initial;
73 unsigned int rwflags;
74 int sd;
75 char *jfn;
76};
77
78#if 0
79static const char *
80headc(const struct buffer *buf)
81{
82 static char foo[16];
83 strncpy(foo, BSTR(buf), 15);
84 foo[15] = 0;
85 return foo;
86}
87#endif
88
89static inline void
91{
92 if (socket_defined(sd))
93 {
95 }
96}
97
98/*
99 * Close most of parent's fds.
100 * Keep stdin/stdout/stderr, plus one
101 * other fd which is presumed to be
102 * our pipe back to parent.
103 * Admittedly, a bit of a kludge,
104 * but posix doesn't give us a kind
105 * of FD_CLOEXEC which will stop
106 * fds from crossing a fork().
107 */
108static void
110{
112 closelog();
113 for (i = 3; i <= 100; ++i)
114 {
115 if (i != keep)
116 {
118 }
119 }
120}
121
122/*
123 * Usually we ignore signals, because our parent will
124 * deal with them.
125 */
126static void
127set_signals(void)
128{
130
136}
137
138/*
139 * Socket read/write functions.
140 */
141
142static int
144{
145 unsigned char c;
146 const ssize_t size = read(fd, &c, sizeof(c));
147 if (size == sizeof(c))
148 {
149 return c;
150 }
151 else
152 {
153 return -1;
154 }
155}
156
157static int
159{
160 unsigned char c = (unsigned char)code;
161 const ssize_t size = write(fd, &c, sizeof(c));
162 if (size == sizeof(c))
163 {
164 return (int)size;
165 }
166 else
167 {
168 return -1;
169 }
170}
171
172static int
173cmsg_size(void)
174{
175 return CMSG_SPACE(sizeof(socket_descriptor_t));
176}
177
178/*
179 * Send a command (char), data (head), and a file descriptor (sd_send) to a local process
180 * over unix socket sd. Unfortunately, there's no portable way to send file descriptors
181 * to other processes, so this code, as well as its analog (control_message_from_parent below),
182 * is Linux-specific. This function runs in the context of the main process and is used to
183 * send commands, data, and file descriptors to the background process.
184 */
185static void
186port_share_sendmsg(const socket_descriptor_t sd, const char command, const struct buffer *head,
188{
189 if (socket_defined(sd))
190 {
191 struct msghdr mesg;
192 struct cmsghdr *h;
193 struct iovec iov[2];
195 char cmd;
196 ssize_t status;
197
198 dmsg(D_PS_PROXY_DEBUG, "PORT SHARE: sendmsg sd=%d len=%d", (int)sd_send,
199 head ? BLEN(head) : -1);
200
201 CLEAR(mesg);
202
203 cmd = command;
204
205 iov[0].iov_base = &cmd;
206 iov[0].iov_len = sizeof(cmd);
207 mesg.msg_iovlen = 1;
208
209 if (head)
210 {
211 iov[1].iov_base = BPTR(head);
212 iov[1].iov_len = BLEN(head);
213 mesg.msg_iovlen = 2;
214 }
215
216 mesg.msg_iov = iov;
217
218 mesg.msg_controllen = cmsg_size();
219 mesg.msg_control = (char *)malloc(mesg.msg_controllen);
220 check_malloc_return(mesg.msg_control);
221 mesg.msg_flags = 0;
222
223 h = CMSG_FIRSTHDR(&mesg);
224 h->cmsg_level = SOL_SOCKET;
225 h->cmsg_type = SCM_RIGHTS;
226 h->cmsg_len = CMSG_LEN(sizeof(socket_descriptor_t));
227
228 if (socket_defined(sd_send))
229 {
230 memcpy(CMSG_DATA(h), &sd_send, sizeof(sd_send));
231 }
232 else
233 {
234 socketpair(PF_UNIX, SOCK_DGRAM, 0, sd_null);
235 memcpy(CMSG_DATA(h), &sd_null[0], sizeof(sd_null[0]));
236 }
237
238 status = sendmsg(sd, &mesg, MSG_NOSIGNAL);
239 if (status == -1)
240 {
242 "PORT SHARE: sendmsg failed -- unable to communicate with background process (%d,%d,%d,%d)",
243 sd, sd_send, sd_null[0], sd_null[1]);
244 }
245
246 close_socket_if_defined(sd_null[0]);
247 close_socket_if_defined(sd_null[1]);
248 free(mesg.msg_control);
249 }
250}
251
252static void
253proxy_entry_close_sd(struct proxy_connection *pc, struct event_set *es)
254{
255 if (pc->defined && socket_defined(pc->sd))
256 {
257 dmsg(D_PS_PROXY_DEBUG, "PORT SHARE PROXY: delete sd=%d", (int)pc->sd);
258 if (es)
259 {
260 event_del(es, pc->sd);
261 }
262 openvpn_close_socket(pc->sd);
263 pc->sd = SOCKET_UNDEFINED;
264 }
265}
266
267/*
268 * Mark a proxy entry and its counterpart for close.
269 */
270static void
271proxy_entry_mark_for_close(struct proxy_connection *pc, struct event_set *es)
272{
273 if (pc->defined)
274 {
275 struct proxy_connection *cp = pc->counterpart;
276 proxy_entry_close_sd(pc, es);
277 free_buf(&pc->buf);
278 pc->buffer_initial = false;
279 pc->rwflags = 0;
280 pc->defined = false;
281 if (pc->jfn)
282 {
283 unlink(pc->jfn);
284 free(pc->jfn);
285 pc->jfn = NULL;
286 }
287 if (cp && cp->defined && cp->counterpart == pc)
288 {
289 proxy_entry_mark_for_close(cp, es);
290 }
291 }
292}
293
294/*
295 * Run through the proxy entry list and delete all entries marked
296 * for close.
297 */
298static void
299proxy_list_housekeeping(struct proxy_connection **list)
300{
301 if (list)
302 {
303 struct proxy_connection *prev = NULL;
304 struct proxy_connection *pc = *list;
305
306 while (pc)
307 {
308 struct proxy_connection *next = pc->next;
309 if (!pc->defined)
310 {
311 free(pc);
312 if (prev)
313 {
314 prev->next = next;
315 }
316 else
317 {
318 *list = next;
319 }
320 }
321 else
322 {
323 prev = pc;
324 }
325 pc = next;
326 }
327 }
328}
329
330/*
331 * Record IP/port of client in filesystem, so that server receiving
332 * the proxy can determine true client origin.
333 */
334static void
335journal_add(const char *journal_dir, struct proxy_connection *pc, struct proxy_connection *cp)
336{
337 struct openvpn_sockaddr from, to;
338
339 socklen_t slen = sizeof(from.addr);
340 socklen_t dlen = sizeof(to.addr);
341 if (!getpeername(pc->sd, (struct sockaddr *)&from.addr.sa, &slen)
342 && !getsockname(cp->sd, (struct sockaddr *)&to.addr.sa, &dlen))
343 {
344 struct gc_arena gc = gc_new();
345 const char *f = print_openvpn_sockaddr(&from, &gc);
346 const char *t = print_openvpn_sockaddr(&to, &gc);
347 size_t fnlen = strlen(journal_dir) + strlen(t) + 2;
348 char *jfn = (char *)malloc(fnlen);
350 snprintf(jfn, fnlen, "%s/%s", journal_dir, t);
351 dmsg(D_PS_PROXY_DEBUG, "PORT SHARE PROXY: client origin %s -> %s", jfn, f);
352 int fd = platform_open(jfn, O_CREAT | O_TRUNC | O_WRONLY, S_IRUSR | S_IWUSR | S_IRGRP);
353 if (fd != -1)
354 {
355 if (write(fd, f, strlen(f)) != strlen(f))
356 {
357 msg(M_WARN, "PORT SHARE: writing to journal file (%s) failed", jfn);
358 }
359 close(fd);
360 cp->jfn = jfn;
361 }
362 else
363 {
364 msg(M_WARN | M_ERRNO, "PORT SHARE: unable to write journal file in %s", jfn);
365 free(jfn);
366 }
367 gc_free(&gc);
368 }
369}
370
371/*
372 * Cleanup function, on proxy process exit.
373 */
374static void
375proxy_list_close(struct proxy_connection **list)
376{
377 if (list)
378 {
379 struct proxy_connection *pc = *list;
380 while (pc)
381 {
382 proxy_entry_mark_for_close(pc, NULL);
383 pc = pc->next;
384 }
385 proxy_list_housekeeping(list);
386 }
387}
388
389static inline void
390proxy_connection_io_requeue(struct proxy_connection *pc, const unsigned int rwflags_new,
391 struct event_set *es)
392{
393 if (socket_defined(pc->sd) && pc->rwflags != rwflags_new)
394 {
395 /*dmsg (D_PS_PROXY_DEBUG, "PORT SHARE PROXY: requeue[%d] rwflags=%u", (int)pc->sd,
396 * rwflags_new);*/
397 event_ctl(es, pc->sd, rwflags_new, (void *)pc);
398 pc->rwflags = rwflags_new;
399 }
400}
401
402/*
403 * Create a new pair of proxy_connection entries, one for each
404 * socket file descriptor involved in the proxy. We are given
405 * the client fd, and we should derive our own server fd by connecting
406 * to the server given by server_addr/server_port. Return true
407 * on success and false on failure to connect to server.
408 */
409static bool
410proxy_entry_new(struct proxy_connection **list, struct event_set *es,
411 const struct openvpn_sockaddr server_addr, const socket_descriptor_t sd_client,
412 struct buffer *initial_data, const char *journal_dir)
413{
414 socket_descriptor_t sd_server;
415 int status;
416 struct proxy_connection *pc;
417 struct proxy_connection *cp;
418
419 /* connect to port share server */
420 if ((sd_server = socket(server_addr.addr.sa.sa_family, SOCK_STREAM, IPPROTO_TCP)) < 0)
421 {
422 msg(M_WARN | M_ERRNO, "PORT SHARE PROXY: cannot create socket");
423 return false;
424 }
425 status = openvpn_connect(sd_server, &server_addr.addr.sa, 5, NULL);
426 if (status)
427 {
428 msg(M_WARN, "PORT SHARE PROXY: connect to port-share server failed");
429 openvpn_close_socket(sd_server);
430 return false;
431 }
432 dmsg(D_PS_PROXY_DEBUG, "PORT SHARE PROXY: connect to port-share server succeeded");
433
434 set_nonblock(sd_client);
435 set_nonblock(sd_server);
436
437 /* allocate 2 new proxy_connection objects */
438 ALLOC_OBJ_CLEAR(pc, struct proxy_connection);
439 ALLOC_OBJ_CLEAR(cp, struct proxy_connection);
440
441 /* client object */
442 pc->defined = true;
443 pc->next = cp;
444 pc->counterpart = cp;
445 pc->buf = *initial_data;
446 pc->buffer_initial = true;
447 pc->rwflags = EVENT_UNDEF;
448 pc->sd = sd_client;
449
450 /* server object */
451 cp->defined = true;
452 cp->next = *list;
453 cp->counterpart = pc;
454 cp->buf = alloc_buf(PROXY_CONNECTION_BUFFER_SIZE);
455 cp->buffer_initial = false;
456 cp->rwflags = EVENT_UNDEF;
457 cp->sd = sd_server;
458
459 /* add to list */
460 *list = pc;
461
462 /* add journal entry */
463 if (journal_dir)
464 {
465 journal_add(journal_dir, pc, cp);
466 }
467
468 dmsg(D_PS_PROXY_DEBUG, "PORT SHARE PROXY: NEW CONNECTION [c=%d s=%d]", (int)sd_client,
469 (int)sd_server);
470
471 /* set initial i/o states */
472 proxy_connection_io_requeue(pc, EVENT_READ, es);
473 proxy_connection_io_requeue(cp, EVENT_READ | EVENT_WRITE, es);
474
475 return true;
476}
477
478/*
479 * This function runs in the context of the background proxy process.
480 * Receive a control message from the parent (sent by the port_share_sendmsg
481 * function above) and act on it. Return false if the proxy process should
482 * exit, true otherwise.
483 */
484static bool
485control_message_from_parent(const socket_descriptor_t sd_control, struct proxy_connection **list,
486 struct event_set *es, const struct openvpn_sockaddr server_addr,
487 const int max_initial_buf, const char *journal_dir)
488{
489 /* this buffer needs to be large enough to handle the largest buffer
490 * that might be returned by the link_socket_read call in read_incoming_link. */
491 struct buffer buf = alloc_buf(max_initial_buf);
492
493 struct msghdr mesg;
494 struct cmsghdr *h;
495 struct iovec iov[2];
496 char command = 0;
497 ssize_t status;
498 int ret = true;
499
500 CLEAR(mesg);
501
502 iov[0].iov_base = &command;
503 iov[0].iov_len = sizeof(command);
504 iov[1].iov_base = BPTR(&buf);
505 iov[1].iov_len = BCAP(&buf);
506 mesg.msg_iov = iov;
507 mesg.msg_iovlen = 2;
508
509 mesg.msg_controllen = cmsg_size();
510 mesg.msg_control = (char *)malloc(mesg.msg_controllen);
511 check_malloc_return(mesg.msg_control);
512 mesg.msg_flags = 0;
513
514 h = CMSG_FIRSTHDR(&mesg);
515 h->cmsg_len = CMSG_LEN(sizeof(socket_descriptor_t));
516 h->cmsg_level = SOL_SOCKET;
517 h->cmsg_type = SCM_RIGHTS;
518 static const socket_descriptor_t socket_undefined = SOCKET_UNDEFINED;
519 memcpy(CMSG_DATA(h), &socket_undefined, sizeof(socket_undefined));
520
521 status = recvmsg(sd_control, &mesg, MSG_NOSIGNAL);
522 if (status != -1)
523 {
524 if (h == NULL || h->cmsg_len != CMSG_LEN(sizeof(socket_descriptor_t))
525 || h->cmsg_level != SOL_SOCKET || h->cmsg_type != SCM_RIGHTS)
526 {
527 msg(M_WARN, "PORT SHARE PROXY: received unknown message");
528 }
529 else
530 {
531 socket_descriptor_t received_fd;
532 memcpy(&received_fd, CMSG_DATA(h), sizeof(received_fd));
533 dmsg(D_PS_PROXY_DEBUG, "PORT SHARE PROXY: RECEIVED sd=%d", (int)received_fd);
534
535 if (status >= 2 && command == COMMAND_REDIRECT)
536 {
537 buf.len = (int)status - 1;
538 if (proxy_entry_new(list, es, server_addr, received_fd, &buf, journal_dir))
539 {
540 CLEAR(buf); /* we gave the buffer to proxy_entry_new */
541 }
542 else
543 {
544 openvpn_close_socket(received_fd);
545 }
546 }
547 else if (status >= 1 && command == COMMAND_EXIT)
548 {
549 dmsg(D_PS_PROXY_DEBUG, "PORT SHARE PROXY: RECEIVED COMMAND_EXIT");
550 openvpn_close_socket(received_fd); /* null socket */
551 ret = false;
552 }
553 }
554 }
555 free(mesg.msg_control);
556 free_buf(&buf);
557 return ret;
558}
559
560static int
561proxy_connection_io_recv(struct proxy_connection *pc)
562{
563 /* recv data from socket */
564 const ssize_t status = recv(pc->sd, BPTR(&pc->buf), BCAP(&pc->buf), MSG_NOSIGNAL);
565 if (status < 0)
566 {
567 return (errno == EAGAIN) ? IOSTAT_EAGAIN_ON_READ : IOSTAT_READ_ERROR;
568 }
569 else
570 {
571 if (!status)
572 {
573 return IOSTAT_READ_ERROR;
574 }
575 dmsg(D_PS_PROXY_DEBUG, "PORT SHARE PROXY: read[%d] %zd", (int)pc->sd, status);
576 pc->buf.len = (int)status;
577 }
578 return IOSTAT_GOOD;
579}
580
581static int
582proxy_connection_io_send(struct proxy_connection *pc, int *bytes_sent)
583{
584 const socket_descriptor_t sd = pc->counterpart->sd;
585 const ssize_t status = send(sd, BPTR(&pc->buf), BLEN(&pc->buf), MSG_NOSIGNAL);
586
587 if (status < 0)
588 {
589 const int e = errno;
590 return (e == EAGAIN) ? IOSTAT_EAGAIN_ON_WRITE : IOSTAT_WRITE_ERROR;
591 }
592 else
593 {
594 *bytes_sent += (int)status;
595 if (status != pc->buf.len)
596 {
597 dmsg(D_PS_PROXY_DEBUG, "PORT SHARE PROXY: partial write[%d], tried=%d got=%zd", (int)sd,
598 pc->buf.len, status);
599 buf_advance(&pc->buf, (int)status);
600 return IOSTAT_EAGAIN_ON_WRITE;
601 }
602 else
603 {
604 dmsg(D_PS_PROXY_DEBUG, "PORT SHARE PROXY: wrote[%d] %zd", (int)sd, status);
605 pc->buf.len = 0;
606 pc->buf.offset = 0;
607 }
608 }
609
610 /* realloc send buffer after initial send */
611 if (pc->buffer_initial)
612 {
613 free_buf(&pc->buf);
614 pc->buf = alloc_buf(PROXY_CONNECTION_BUFFER_SIZE);
615 pc->buffer_initial = false;
616 }
617 return IOSTAT_GOOD;
618}
619
620/*
621 * Forward data from pc to pc->counterpart.
622 */
623
624static int
625proxy_connection_io_xfer(struct proxy_connection *pc, const int max_transfer)
626{
627 int transferred = 0;
628 while (transferred < max_transfer)
629 {
630 if (!BLEN(&pc->buf))
631 {
632 const int status = proxy_connection_io_recv(pc);
633 if (status != IOSTAT_GOOD)
634 {
635 return status;
636 }
637 }
638
639 if (BLEN(&pc->buf))
640 {
641 const int status = proxy_connection_io_send(pc, &transferred);
642 if (status != IOSTAT_GOOD)
643 {
644 return status;
645 }
646 }
647 }
648 return IOSTAT_EAGAIN_ON_READ;
649}
650
651/*
652 * Decide how the receipt of an EAGAIN status should affect our next IO queueing.
653 */
654static bool
655proxy_connection_io_status(const int status, unsigned int *rwflags_pc, unsigned int *rwflags_cp)
656{
657 switch (status)
658 {
659 case IOSTAT_EAGAIN_ON_READ:
660 *rwflags_pc |= EVENT_READ;
661 *rwflags_cp &= ~EVENT_WRITE;
662 return true;
663
664 case IOSTAT_EAGAIN_ON_WRITE:
665 *rwflags_pc &= ~EVENT_READ;
666 *rwflags_cp |= EVENT_WRITE;
667 return true;
668
669 case IOSTAT_READ_ERROR:
670 return false;
671
672 case IOSTAT_WRITE_ERROR:
673 return false;
674
675 default:
676 msg(M_FATAL, "PORT SHARE PROXY: unexpected status=%d", status);
677 }
678 return false; /* NOTREACHED */
679}
680
681/*
682 * Dispatch function for forwarding data between the two socket fds involved
683 * in the proxied connection.
684 */
685static int
686proxy_connection_io_dispatch(struct proxy_connection *pc, const unsigned int rwflags,
687 struct event_set *es)
688{
689 const int max_transfer_per_iteration = 10000;
690 struct proxy_connection *cp = pc->counterpart;
691 unsigned int rwflags_pc = pc->rwflags;
692 unsigned int rwflags_cp = cp->rwflags;
693
694 ASSERT(pc->defined && cp->defined && cp->counterpart == pc);
695
696 if (rwflags & EVENT_READ)
697 {
698 const int status = proxy_connection_io_xfer(pc, max_transfer_per_iteration);
699 if (!proxy_connection_io_status(status, &rwflags_pc, &rwflags_cp))
700 {
701 goto bad;
702 }
703 }
704 if (rwflags & EVENT_WRITE)
705 {
706 const int status = proxy_connection_io_xfer(cp, max_transfer_per_iteration);
707 if (!proxy_connection_io_status(status, &rwflags_cp, &rwflags_pc))
708 {
709 goto bad;
710 }
711 }
712 proxy_connection_io_requeue(pc, rwflags_pc, es);
713 proxy_connection_io_requeue(cp, rwflags_cp, es);
714
715 return true;
716
717bad:
718 proxy_entry_mark_for_close(pc, es);
719 return false;
720}
721
722/*
723 * This is the main function for the port share proxy background process.
724 */
725static void
726port_share_proxy(const struct openvpn_sockaddr hostaddr, const socket_descriptor_t sd_control,
727 const int max_initial_buf, const char *journal_dir)
728{
729 if (send_control(sd_control, RESPONSE_INIT_SUCCEEDED) >= 0)
730 {
731 void *sd_control_marker = (void *)1;
732 int maxevents = 256;
733 struct event_set *es;
734 struct event_set_return esr[64];
735 struct proxy_connection *list = NULL;
736 time_t last_housekeeping = 0;
737
738 msg(D_PS_PROXY, "PORT SHARE PROXY: proxy starting");
739
740 es = event_set_init(&maxevents, 0);
741 event_ctl(es, sd_control, EVENT_READ, sd_control_marker);
742 while (true)
743 {
744 int n_events;
745 struct timeval tv;
746 time_t current;
747
748 tv.tv_sec = 10;
749 tv.tv_usec = 0;
750 n_events = event_wait(es, &tv, esr, SIZE(esr));
751 /*dmsg (D_PS_PROXY_DEBUG, "PORT SHARE PROXY: event_wait returned %d", n_events);*/
752 current = time(NULL);
753 if (n_events > 0)
754 {
755 int i;
756 for (i = 0; i < n_events; ++i)
757 {
758 const struct event_set_return *e = &esr[i];
759 if (e->arg == sd_control_marker)
760 {
761 if (!control_message_from_parent(sd_control, &list, es, hostaddr,
762 max_initial_buf, journal_dir))
763 {
764 goto done;
765 }
766 }
767 else
768 {
769 struct proxy_connection *pc = (struct proxy_connection *)e->arg;
770 if (pc->defined)
771 {
772 proxy_connection_io_dispatch(pc, e->rwflags, es);
773 }
774 }
775 }
776 }
777 else if (n_events < 0)
778 {
779 dmsg(D_PS_PROXY_DEBUG, "PORT SHARE PROXY: event_wait failed");
780 }
781 if (current > last_housekeeping)
782 {
783 proxy_list_housekeeping(&list);
784 last_housekeeping = current;
785 }
786 }
787
788done:
789 proxy_list_close(&list);
790 event_free(es);
791 }
792 msg(M_INFO, "PORT SHARE PROXY: proxy exiting");
793}
794
795/*
796 * Called from the main OpenVPN process to enable the port
797 * share proxy.
798 */
799struct port_share *
800port_share_open(const char *host, const char *port, const int max_initial_buf,
801 const char *journal_dir)
802{
803 pid_t pid;
805 struct openvpn_sockaddr hostaddr;
806 struct port_share *ps;
807 int status;
808 struct addrinfo *ai;
809
810 ALLOC_OBJ_CLEAR(ps, struct port_share);
811 ps->foreground_fd = -1;
812 ps->background_pid = -1;
813
814 /*
815 * Get host's IP address
816 */
817
818 status =
819 openvpn_getaddrinfo(GETADDR_RESOLVE | GETADDR_FATAL, host, port, 0, NULL, AF_UNSPEC, &ai);
820 ASSERT(status == 0);
821 ASSERT(sizeof(hostaddr.addr) >= ai->ai_addrlen);
822 memcpy(&hostaddr.addr.sa, ai->ai_addr, ai->ai_addrlen);
823 freeaddrinfo(ai);
824
826 {
827 struct gc_arena gc = gc_new();
828 dmsg(D_PS_PROXY_DEBUG, "PORT SHARE PROXY: receiver will be %s",
829 print_openvpn_sockaddr(&hostaddr, &gc));
830 gc_free(&gc);
831 }
832
833 /*
834 * Make a socket for foreground and background processes
835 * to communicate.
836 */
837 if (socketpair(PF_UNIX, SOCK_DGRAM, 0, fd) == -1)
838 {
839 msg(M_WARN, "PORT SHARE: socketpair call failed");
840 goto error;
841 }
842
843 /*
844 * Fork off background proxy process.
845 */
846 pid = fork();
847
848 if (pid)
849 {
850 int status;
851
852 /*
853 * Foreground Process
854 */
855
856 ps->background_pid = pid;
857
858 /* close our copy of child's socket */
860
861 /* don't let future subprocesses inherit child socket */
862 set_cloexec(fd[0]);
863
864 /* wait for background child process to initialize */
865 status = recv_control(fd[0]);
867 {
868 /* note that this will cause possible EAGAIN when writing to
869 * control socket if proxy process is backlogged */
870 set_nonblock(fd[0]);
871
872 ps->foreground_fd = fd[0];
873 return ps;
874 }
875 else
876 {
877 msg(M_ERR, "PORT SHARE: unexpected init recv_control status=%d", status);
878 }
879 }
880 else
881 {
882 /*
883 * Background Process
884 */
885
886 /* Ignore most signals (the parent will receive them) */
887 set_signals();
888
889 /* Let msg know that we forked */
890 msg_forked();
891
892#ifdef ENABLE_MANAGEMENT
893 /* Don't interact with management interface */
894 management = NULL;
895#endif
896
897 /* close all parent fds except our socket back to parent */
898 close_fds_except(fd[1]);
899
900 /* no blocking on control channel back to parent */
901 set_nonblock(fd[1]);
902
903 /* execute the event loop */
904 port_share_proxy(hostaddr, fd[1], max_initial_buf, journal_dir);
905
907
908 exit(0);
909 return NULL; /* NOTREACHED */
910 }
911
912error:
913 port_share_close(ps);
914 return NULL;
915}
916
917void
918port_share_close(struct port_share *ps)
919{
920 if (ps)
921 {
922 if (ps->foreground_fd >= 0)
923 {
924 /* tell background process to exit */
925 port_share_sendmsg(ps->foreground_fd, COMMAND_EXIT, NULL, SOCKET_UNDEFINED);
926
927 /* wait for background process to exit */
928 dmsg(D_PS_PROXY_DEBUG, "PORT SHARE: waiting for background process to exit");
929 if (ps->background_pid > 0)
930 {
931 waitpid(ps->background_pid, NULL, 0);
932 }
933 dmsg(D_PS_PROXY_DEBUG, "PORT SHARE: background process exited");
934
935 openvpn_close_socket(ps->foreground_fd);
936 ps->foreground_fd = -1;
937 }
938
939 free(ps);
940 }
941}
942
943void
944port_share_abort(struct port_share *ps)
945{
946 if (ps)
947 {
948 /* tell background process to exit */
949 if (ps->foreground_fd >= 0)
950 {
951 send_control(ps->foreground_fd, COMMAND_EXIT);
952 openvpn_close_socket(ps->foreground_fd);
953 ps->foreground_fd = -1;
954 }
955 }
956}
957
958/*
959 * Given either the first 2 or 3 bytes of an initial client -> server
960 * data payload, return true if the protocol is that of an OpenVPN
961 * client attempting to connect with an OpenVPN server.
962 */
963bool
964is_openvpn_protocol(const struct buffer *buf)
965{
966 const unsigned char *p = (const unsigned char *)BSTR(buf);
967 const int len = BLEN(buf);
968 if (len >= 3)
969 {
970 int plen = (p[0] << 8) | p[1];
971
973 {
974 /* WKc is at least 290 byte (not including metadata):
975 *
976 * 16 bit len + 256 bit HMAC + 2048 bit Kc = 2320 bit
977 *
978 * This is increased by the normal length of client handshake +
979 * tls-crypt overhead (32)
980 *
981 * For metadata tls-crypt-v2.txt does not explicitly specify
982 * an upper limit but we also have TLS_CRYPT_V2_MAX_WKC_LEN
983 * as 1024 bytes. We err on the safe side with 255 extra overhead
984 *
985 * We don't do the 2 byte check for tls-crypt-v2 because it is very
986 * unrealistic to have only 2 bytes available.
987 */
988 return (plen >= 336 && plen < (1024 + 255));
989 }
990 else
991 {
992 /* For non tls-crypt2 we assume the packet length to valid between
993 * 14 and 255 */
994 return plen >= 14 && plen <= 255
996 }
997 }
998 else if (len >= 2)
999 {
1000 int plen = (p[0] << 8) | p[1];
1001 return plen >= 14 && plen <= 255;
1002 }
1003 else
1004 {
1005 return true;
1006 }
1007}
1008
1009/*
1010 * Called from the foreground process. Send a message to the background process that it
1011 * should proxy the TCP client on sd to the host/port defined in the initial port_share_open
1012 * call.
1013 */
1014void
1015port_share_redirect(struct port_share *ps, const struct buffer *head, socket_descriptor_t sd)
1016{
1017 if (ps)
1018 {
1019 port_share_sendmsg(ps->foreground_fd, COMMAND_REDIRECT, head, sd);
1020 }
1021}
1022
1023#endif /* if PORT_SHARE */
static void set_signals(void)
Definition auth-pam.c:271
#define RESPONSE_INIT_SUCCEEDED
Definition auth-pam.c:61
static int recv_control(int fd)
Definition auth-pam.c:141
#define COMMAND_EXIT
Definition auth-pam.c:58
static int send_control(int fd, int code)
Definition auth-pam.c:157
static void close_fds_except(int keep)
Definition auth-pam.c:253
void free_buf(struct buffer *buf)
Definition buffer.c:184
struct buffer alloc_buf(size_t size)
Definition buffer.c:63
#define BSTR(buf)
Definition buffer.h:128
#define BPTR(buf)
Definition buffer.h:123
static bool buf_advance(struct buffer *buf, int size)
Definition buffer.h:616
#define BLEN(buf)
Definition buffer.h:126
#define BCAP(buf)
Definition buffer.h:129
static void check_malloc_return(void *p)
Definition buffer.h:1085
static void gc_free(struct gc_arena *a)
Definition buffer.h:1015
#define ALLOC_OBJ_CLEAR(dptr, type)
Definition buffer.h:1042
static struct gc_arena gc_new(void)
Definition buffer.h:1007
Data Channel Cryptography Module.
#define D_PS_PROXY
Definition errlevel.h:91
#define M_INFO
Definition errlevel.h:54
#define D_PS_PROXY_DEBUG
Definition errlevel.h:144
struct event_set * event_set_init(int *maxevents, unsigned int flags)
Definition event.c:1177
static void event_free(struct event_set *es)
Definition event.h:162
static void event_del(struct event_set *es, event_t event)
Definition event.h:177
#define EVENT_UNDEF
Definition event.h:37
static int event_wait(struct event_set *es, const struct timeval *tv, struct event_set_return *out, int outlen)
Definition event.h:189
#define EVENT_WRITE
Definition event.h:39
#define EVENT_READ
Definition event.h:38
static void event_ctl(struct event_set *es, event_t event, unsigned int rwflags, void *arg)
Definition event.h:183
void set_nonblock(socket_descriptor_t fd)
Definition fdmisc.c:68
void set_cloexec(socket_descriptor_t fd)
Definition fdmisc.c:78
static SERVICE_STATUS status
Definition interactive.c:51
@ write
@ read
#define CLEAR(x)
Definition basic.h:32
#define SIZE(x)
Definition basic.h:29
void msg_forked(void)
Definition error.c:98
static bool msg_test(msglvl_t flags)
Return true if flags represent an enabled, not muted log level.
Definition error.h:266
#define M_FATAL
Definition error.h:90
#define dmsg(flags,...)
Definition error.h:172
#define M_ERR
Definition error.h:106
#define msg(flags,...)
Definition error.h:152
#define ASSERT(x)
Definition error.h:219
#define M_WARN
Definition error.h:92
#define M_ERRNO
Definition error.h:95
int platform_open(const char *path, int flags, int mode)
Definition platform.c:517
int openvpn_connect(socket_descriptor_t sd, const struct sockaddr *remote, int connect_timeout, volatile int *signal_received)
Definition socket.c:991
#define MSG_NOSIGNAL
Definition socket.h:242
#define openvpn_close_socket(s)
Definition socket.h:247
int openvpn_getaddrinfo(unsigned int flags, const char *hostname, const char *servname, int resolve_retry_seconds, struct signal_info *sig_info, int ai_family, struct addrinfo **res)
static const char * print_openvpn_sockaddr(const struct openvpn_sockaddr *addr, struct gc_arena *gc)
Definition socket_util.h:71
#define GETADDR_FATAL
#define GETADDR_RESOLVE
#define P_OPCODE_SHIFT
Definition ssl_pkt.h:39
#define P_CONTROL_HARD_RESET_CLIENT_V2
Definition ssl_pkt.h:51
#define P_CONTROL_HARD_RESET_CLIENT_V3
Definition ssl_pkt.h:55
Wrapper structure for dynamically allocated memory.
Definition buffer.h:60
int len
Length in bytes of the actual content within the allocated memory.
Definition buffer.h:65
unsigned int rwflags
Definition event.h:126
Garbage collection arena used to keep track of dynamically allocated memory.
Definition buffer.h:116
struct gc_entry * list
First element of the linked list of gc_entry structures.
Definition buffer.h:117
union openvpn_sockaddr::@27 addr
struct sockaddr sa
Definition socket_util.h:42
#define SOCKET_UNDEFINED
Definition syshead.h:438
SOCKET socket_descriptor_t
Definition syshead.h:440
static int socket_defined(const socket_descriptor_t sd)
Definition syshead.h:448
struct env_set * es
struct gc_arena gc
Definition test_ssl.c:131