mirror of
https://gitlab.com/openconnect/ocserv.git
synced 2026-02-10 00:37:00 +08:00
use gnutls cork() and uncork() when available
This commit is contained in:
Nikos Mavrogiannopoulos
@@ -2,7 +2,7 @@
|
||||
*
|
||||
* DO NOT EDIT THIS FILE (ocserv-args.c)
|
||||
*
|
||||
* It has been AutoGen-ed February 7, 2013 at 08:21:00 PM by AutoGen 5.16
|
||||
* It has been AutoGen-ed February 8, 2013 at 10:02:15 AM by AutoGen 5.16
|
||||
* From the definitions ocserv-args.def
|
||||
* and the template file options
|
||||
*
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
*
|
||||
* DO NOT EDIT THIS FILE (ocserv-args.h)
|
||||
*
|
||||
* It has been AutoGen-ed February 7, 2013 at 08:20:59 PM by AutoGen 5.16
|
||||
* It has been AutoGen-ed February 8, 2013 at 10:02:15 AM by AutoGen 5.16
|
||||
* From the definitions ocserv-args.def
|
||||
* and the template file options
|
||||
*
|
||||
|
||||
22
src/tlslib.c
22
src/tlslib.c
@@ -320,3 +320,25 @@ int ret;
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
void tls_cork(gnutls_session_t session)
|
||||
{
|
||||
#if GNUTLS_VERSION_NUMBER > 0x030107
|
||||
gnutls_record_cork(session);
|
||||
#endif
|
||||
}
|
||||
|
||||
int tls_uncork(gnutls_session_t session)
|
||||
{
|
||||
#if GNUTLS_VERSION_NUMBER > 0x030107
|
||||
int ret;
|
||||
|
||||
do {
|
||||
ret = gnutls_record_cork(session);
|
||||
} while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
|
||||
|
||||
return ret;
|
||||
#else
|
||||
return 0;
|
||||
#endif
|
||||
}
|
||||
|
||||
@@ -14,6 +14,9 @@ ssize_t tls_recv(gnutls_session_t session, void *data, size_t data_size);
|
||||
ssize_t tls_send(gnutls_session_t session, const void *data,
|
||||
size_t data_size);
|
||||
|
||||
void tls_cork(gnutls_session_t session);
|
||||
int tls_uncork(gnutls_session_t session);
|
||||
|
||||
void tls_global_init(struct main_server_st* s);
|
||||
int tls_global_init_client(struct worker_st* ws);
|
||||
|
||||
|
||||
@@ -56,14 +56,40 @@ const char login_msg[] = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\r\n"
|
||||
|
||||
int get_auth_handler(worker_st *ws)
|
||||
{
|
||||
tls_puts(ws->session, "HTTP/1.1 200 OK\r\n");
|
||||
tls_puts(ws->session, "Connection: close\r\n");
|
||||
tls_puts(ws->session, "Content-Type: text/xml\r\n");
|
||||
tls_printf(ws->session, "Content-Length: %u\r\n", (unsigned int)sizeof(login_msg)-1);
|
||||
tls_puts(ws->session, "X-Transcend-Version: 1\r\n");
|
||||
tls_puts(ws->session, "\r\n");
|
||||
int ret;
|
||||
|
||||
tls_send(ws->session, login_msg, sizeof(login_msg)-1);
|
||||
tls_cork(ws->session);
|
||||
ret = tls_puts(ws->session, "HTTP/1.1 200 OK\r\n");
|
||||
if (ret < 0)
|
||||
return -1;
|
||||
|
||||
ret = tls_puts(ws->session, "Connection: close\r\n");
|
||||
if (ret < 0)
|
||||
return -1;
|
||||
|
||||
ret = tls_puts(ws->session, "Content-Type: text/xml\r\n");
|
||||
if (ret < 0)
|
||||
return -1;
|
||||
|
||||
ret = tls_printf(ws->session, "Content-Length: %u\r\n", (unsigned int)sizeof(login_msg)-1);
|
||||
if (ret < 0)
|
||||
return -1;
|
||||
|
||||
ret = tls_puts(ws->session, "X-Transcend-Version: 1\r\n");
|
||||
if (ret < 0)
|
||||
return -1;
|
||||
|
||||
ret = tls_puts(ws->session, "\r\n");
|
||||
if (ret < 0)
|
||||
return -1;
|
||||
|
||||
ret = tls_send(ws->session, login_msg, sizeof(login_msg)-1);
|
||||
if (ret < 0)
|
||||
return -1;
|
||||
|
||||
ret = tls_uncork(ws->session);
|
||||
if (ret < 0)
|
||||
return -1;
|
||||
|
||||
return 0;
|
||||
|
||||
@@ -377,20 +403,41 @@ struct cmd_auth_req_st areq;
|
||||
}
|
||||
|
||||
/* reply */
|
||||
tls_cork(ws->session);
|
||||
|
||||
tls_puts(ws->session, "HTTP/1.1 200 OK\r\n");
|
||||
tls_puts(ws->session, "Content-Type: text/xml\r\n");
|
||||
tls_printf(ws->session, "Content-Length: %u\r\n", (unsigned)(sizeof(SUCCESS_MSG)-1));
|
||||
tls_puts(ws->session, "X-Transcend-Version: 1\r\n");
|
||||
tls_printf(ws->session, "Set-Cookie: webvpn=%s\r\n", str_cookie);
|
||||
tls_puts(ws->session, "\r\n"SUCCESS_MSG);
|
||||
ret = tls_puts(ws->session, "HTTP/1.1 200 OK\r\n");
|
||||
if (ret < 0)
|
||||
return -1;
|
||||
|
||||
ret = tls_puts(ws->session, "Content-Type: text/xml\r\n");
|
||||
if (ret < 0)
|
||||
return -1;
|
||||
|
||||
ret = tls_printf(ws->session, "Content-Length: %u\r\n", (unsigned)(sizeof(SUCCESS_MSG)-1));
|
||||
if (ret < 0)
|
||||
return -1;
|
||||
|
||||
ret = tls_puts(ws->session, "X-Transcend-Version: 1\r\n");
|
||||
if (ret < 0)
|
||||
return -1;
|
||||
|
||||
ret = tls_printf(ws->session, "Set-Cookie: webvpn=%s\r\n", str_cookie);
|
||||
if (ret < 0)
|
||||
return -1;
|
||||
|
||||
ret = tls_puts(ws->session, "\r\n"SUCCESS_MSG);
|
||||
if (ret < 0)
|
||||
return -1;
|
||||
|
||||
ret = tls_uncork(ws->session);
|
||||
if (ret < 0)
|
||||
return -1;
|
||||
|
||||
return 0;
|
||||
|
||||
auth_fail:
|
||||
tls_puts(ws->session, "HTTP/1.1 503 Service Unavailable\r\n");
|
||||
tls_printf(ws->session,
|
||||
"X-Reason: %s\r\n\r\n", reason);
|
||||
"HTTP/1.1 503 Service Unavailable\r\nX-Reason: %s\r\n\r\n", reason);
|
||||
tls_fatal_close(ws->session, GNUTLS_A_ACCESS_DENIED);
|
||||
exit(1);
|
||||
}
|
||||
@@ -472,13 +519,36 @@ struct cmd_auth_req_st areq;
|
||||
}
|
||||
|
||||
/* reply */
|
||||
tls_cork(ws->session);
|
||||
|
||||
ret = tls_puts(ws->session, "HTTP/1.1 200 OK\r\n");
|
||||
if (ret < 0)
|
||||
return -1;
|
||||
|
||||
ret = tls_puts(ws->session, "Content-Type: text/xml\r\n");
|
||||
if (ret < 0)
|
||||
return -1;
|
||||
|
||||
ret = tls_printf(ws->session, "Content-Length: %u\r\n", (unsigned)(sizeof(SUCCESS_MSG)-1));
|
||||
if (ret < 0)
|
||||
return -1;
|
||||
|
||||
ret = tls_puts(ws->session, "X-Transcend-Version: 1\r\n");
|
||||
if (ret < 0)
|
||||
return -1;
|
||||
|
||||
ret = tls_printf(ws->session, "Set-Cookie: webvpn=%s\r\n", str_cookie);
|
||||
if (ret < 0)
|
||||
return -1;
|
||||
|
||||
ret = tls_puts(ws->session, "\r\n"SUCCESS_MSG);
|
||||
if (ret < 0)
|
||||
return -1;
|
||||
|
||||
ret = tls_uncork(ws->session);
|
||||
if (ret < 0)
|
||||
return -1;
|
||||
|
||||
tls_puts(ws->session, "HTTP/1.1 200 OK\r\n");
|
||||
tls_puts(ws->session, "Content-Type: text/xml\r\n");
|
||||
tls_printf(ws->session, "Content-Length: %u\r\n", (unsigned)(sizeof(SUCCESS_MSG)-1));
|
||||
tls_puts(ws->session, "X-Transcend-Version: 1\r\n");
|
||||
tls_printf(ws->session, "Set-Cookie: webvpn=%s\r\n", str_cookie);
|
||||
tls_puts(ws->session, "\r\n"SUCCESS_MSG);
|
||||
|
||||
return 0;
|
||||
|
||||
@@ -486,9 +556,8 @@ ask_auth:
|
||||
return get_auth_handler(ws);
|
||||
|
||||
auth_fail:
|
||||
tls_puts(ws->session, "HTTP/1.1 503 Service Unavailable\r\n");
|
||||
tls_printf(ws->session,
|
||||
"X-Reason: %s\r\n\r\n", reason);
|
||||
"HTTP/1.1 503 Service Unavailable\r\nX-Reason: %s\r\n\r\n", reason);
|
||||
tls_fatal_close(ws->session, GNUTLS_A_ACCESS_DENIED);
|
||||
exit(1);
|
||||
}
|
||||
|
||||
@@ -669,6 +669,7 @@ int c;
|
||||
return;
|
||||
}
|
||||
|
||||
#define SEND_ERR(x) if (x<0) goto send_error
|
||||
static int connect_handler(worker_st *ws)
|
||||
{
|
||||
int ret;
|
||||
@@ -732,10 +733,15 @@ unsigned mtu_overhead, dtls_mtu = 0, tls_mtu = 0;
|
||||
return -1;
|
||||
}
|
||||
|
||||
tls_puts(ws->session, "HTTP/1.1 200 CONNECTED\r\n");
|
||||
tls_cork(ws->session);
|
||||
ret = tls_puts(ws->session, "HTTP/1.1 200 CONNECTED\r\n");
|
||||
SEND_ERR(ret);
|
||||
|
||||
tls_puts(ws->session, "X-CSTP-Version: 1\r\n");
|
||||
tls_puts(ws->session, "X-CSTP-DPD: 60\r\n");
|
||||
ret = tls_puts(ws->session, "X-CSTP-Version: 1\r\n");
|
||||
SEND_ERR(ret);
|
||||
|
||||
ret = tls_puts(ws->session, "X-CSTP-DPD: 60\r\n");
|
||||
SEND_ERR(ret);
|
||||
|
||||
ws->udp_state = UP_DISABLED;
|
||||
if (req->master_secret_set != 0) {
|
||||
@@ -746,37 +752,50 @@ unsigned mtu_overhead, dtls_mtu = 0, tls_mtu = 0;
|
||||
|
||||
if (vinfo.ipv4) {
|
||||
oclog(ws, LOG_DEBUG, "sending IPv4 %s", vinfo.ipv4);
|
||||
tls_printf(ws->session, "X-CSTP-Address: %s\r\n", vinfo.ipv4);
|
||||
ret = tls_printf(ws->session, "X-CSTP-Address: %s\r\n", vinfo.ipv4);
|
||||
SEND_ERR(ret);
|
||||
|
||||
if (vinfo.ipv4_netmask)
|
||||
tls_printf(ws->session, "X-CSTP-Netmask: %s\r\n", vinfo.ipv4_netmask);
|
||||
if (vinfo.ipv4_dns)
|
||||
tls_printf(ws->session, "X-CSTP-DNS: %s\r\n", vinfo.ipv4_dns);
|
||||
if (vinfo.ipv4_netmask) {
|
||||
ret = tls_printf(ws->session, "X-CSTP-Netmask: %s\r\n", vinfo.ipv4_netmask);
|
||||
SEND_ERR(ret);
|
||||
}
|
||||
if (vinfo.ipv4_dns) {
|
||||
ret = tls_printf(ws->session, "X-CSTP-DNS: %s\r\n", vinfo.ipv4_dns);
|
||||
SEND_ERR(ret);
|
||||
}
|
||||
}
|
||||
|
||||
if (vinfo.ipv6) {
|
||||
oclog(ws, LOG_DEBUG, "sending IPv6 %s", vinfo.ipv6);
|
||||
tls_printf(ws->session, "X-CSTP-Address: %s\r\n", vinfo.ipv6);
|
||||
ret = tls_printf(ws->session, "X-CSTP-Address: %s\r\n", vinfo.ipv6);
|
||||
SEND_ERR(ret);
|
||||
|
||||
if (vinfo.ipv6_netmask)
|
||||
tls_printf(ws->session, "X-CSTP-Netmask: %s\r\n", vinfo.ipv6_netmask);
|
||||
if (vinfo.ipv6_dns)
|
||||
tls_printf(ws->session, "X-CSTP-DNS: %s\r\n", vinfo.ipv6_dns);
|
||||
if (vinfo.ipv6_netmask) {
|
||||
ret = tls_printf(ws->session, "X-CSTP-Netmask: %s\r\n", vinfo.ipv6_netmask);
|
||||
SEND_ERR(ret);
|
||||
}
|
||||
if (vinfo.ipv6_dns) {
|
||||
ret = tls_printf(ws->session, "X-CSTP-DNS: %s\r\n", vinfo.ipv6_dns);
|
||||
SEND_ERR(ret);
|
||||
}
|
||||
}
|
||||
|
||||
for (i=0;i<vinfo.routes_size;i++) {
|
||||
oclog(ws, LOG_DEBUG, "adding route %s", vinfo.routes[i]);
|
||||
tls_printf(ws->session,
|
||||
ret = tls_printf(ws->session,
|
||||
"X-CSTP-Split-Include: %s\r\n", vinfo.routes[i]);
|
||||
SEND_ERR(ret);
|
||||
}
|
||||
tls_printf(ws->session, "X-CSTP-Keepalive: %u\r\n", ws->config->keepalive);
|
||||
ret = tls_printf(ws->session, "X-CSTP-Keepalive: %u\r\n", ws->config->keepalive);
|
||||
SEND_ERR(ret);
|
||||
|
||||
tls_mtu = vinfo.mtu - 8;
|
||||
if (req->cstp_mtu > 0)
|
||||
tls_mtu = MIN(tls_mtu, req->cstp_mtu);
|
||||
tls_mtu = MIN(sizeof(buffer)-8, tls_mtu);
|
||||
|
||||
tls_printf(ws->session, "X-CSTP-MTU: %u\r\n", tls_mtu);
|
||||
ret = tls_printf(ws->session, "X-CSTP-MTU: %u\r\n", tls_mtu);
|
||||
SEND_ERR(ret);
|
||||
|
||||
if (ws->udp_state != UP_DISABLED) {
|
||||
p = (char*)buffer;
|
||||
@@ -784,12 +803,20 @@ unsigned mtu_overhead, dtls_mtu = 0, tls_mtu = 0;
|
||||
sprintf(p, "%.2x", (unsigned int)ws->session_id[i]);
|
||||
p+=2;
|
||||
}
|
||||
tls_printf(ws->session, "X-DTLS-Session-ID: %s\r\n", buffer);
|
||||
ret = tls_printf(ws->session, "X-DTLS-Session-ID: %s\r\n", buffer);
|
||||
SEND_ERR(ret);
|
||||
|
||||
tls_printf(ws->session, "X-DTLS-Port: %u\r\n", ws->config->udp_port);
|
||||
tls_puts(ws->session, "X-DTLS-ReKey-Time: 86400\r\n");
|
||||
tls_printf(ws->session, "X-DTLS-Keepalive: %u\r\n", ws->config->keepalive);
|
||||
tls_puts(ws->session, "X-DTLS-CipherSuite: "OPENSSL_CIPHERSUITE"\r\n");
|
||||
ret = tls_printf(ws->session, "X-DTLS-Port: %u\r\n", ws->config->udp_port);
|
||||
SEND_ERR(ret);
|
||||
|
||||
ret = tls_puts(ws->session, "X-DTLS-ReKey-Time: 86400\r\n");
|
||||
SEND_ERR(ret);
|
||||
|
||||
ret = tls_printf(ws->session, "X-DTLS-Keepalive: %u\r\n", ws->config->keepalive);
|
||||
SEND_ERR(ret);
|
||||
|
||||
ret = tls_puts(ws->session, "X-DTLS-CipherSuite: "OPENSSL_CIPHERSUITE"\r\n");
|
||||
SEND_ERR(ret);
|
||||
|
||||
/* assume that if IPv6 is used over TCP then the same would be used over UDP */
|
||||
if (ws->proto == AF_INET)
|
||||
@@ -807,9 +834,14 @@ unsigned mtu_overhead, dtls_mtu = 0, tls_mtu = 0;
|
||||
tls_printf(ws->session, "X-DTLS-MTU: %u\r\n", dtls_mtu);
|
||||
}
|
||||
|
||||
tls_puts(ws->session, "X-CSTP-Banner: Welcome\r\n");
|
||||
tls_puts(ws->session, "\r\n");
|
||||
|
||||
ret = tls_puts(ws->session, "X-CSTP-Banner: Welcome\r\n");
|
||||
SEND_ERR(ret);
|
||||
|
||||
ret = tls_puts(ws->session, "\r\n");
|
||||
SEND_ERR(ret);
|
||||
|
||||
ret = tls_uncork(ws->session);
|
||||
SEND_ERR(ret);
|
||||
|
||||
for(;;) {
|
||||
FD_ZERO(&rfds);
|
||||
@@ -1005,6 +1037,10 @@ hsk_restart:
|
||||
}
|
||||
|
||||
return 0;
|
||||
|
||||
send_error:
|
||||
oclog(ws, LOG_DEBUG, "Error sending data\n");
|
||||
exit(1);
|
||||
}
|
||||
|
||||
static
|
||||
|
||||
Reference in New Issue
Block a user