GitLab/ocserv
1
0
Fork 0
mirror of https://gitlab.com/openconnect/ocserv.git synced 2026-02-09 16:26:59 +08:00
Code Issues Packages Projects Releases Wiki Activity

MTU is now set via the main server

Browse Source
This commit is contained in:
Nikos Mavrogiannopoulos
2013-02-08 22:16:53 +01:00
parent 5f4b8711ef
commit d1946bbb3c
11 changed files with 341 additions and 202 deletions
Download Patch File Download Diff File Expand all files Collapse all files

BIN
doc/design.dia
View File

Binary file not shown.

5
src/Makefile.am
View File

@@ -14,10 +14,11 @@ CCAN_SOURCES = ccan/build_assert/build_assert.h ccan/check_type/check_type.h \
ocserv_SOURCES = main.c main-auth.c worker-vpn.c worker-auth.c tlslib.c \
http-parser/http_parser.c ipc.h cookies.c worker-tun.c \
http-parser/http_parser.c ipc.h cookies.c worker-tun.c main-misc.c \
vpn.h cookies.h tlslib.h http-parser/http_parser.h log.c tun.c tun.h \
config.c pam.c pam.h worker-resume.c worker.h main-resume.c main.h \
main-user.c cookies-gdbm.c cookies-hash.c $(CCAN_SOURCES)
main-user.c cookies-gdbm.c cookies-hash.c worker-misc.c \
$(CCAN_SOURCES)
ocserv_SOURCES += ocserv-args.def ocserv-args.c ocserv-args.h

6
src/ipc.h
View File

@@ -19,6 +19,7 @@ typedef enum {
RESUME_FETCH_REQ,
RESUME_FETCH_REP,
CMD_UDP_FD,
CMD_TUN_MTU,
CMD_TERMINATE,
} cmd_request_t;
@@ -79,4 +80,9 @@ struct __attribute__ ((__packed__)) cmd_resume_fetch_reply_st {
uint8_t session_data[MAX_SESSION_DATA_SIZE];
};
/* TUN_MTU */
struct __attribute__ ((__packed__)) cmd_tun_mtu_st {
uint16_t mtu;
};
#endif

169
src/main-auth.c
View File

@@ -43,8 +43,8 @@
#include <ccan/list/list.h>
#include "pam.h"
static int send_auth_reply(main_server_st* s, struct proc_st* proc,
cmd_auth_reply_t r, struct lease_st* lease)
int send_auth_reply(main_server_st* s, struct proc_st* proc,
cmd_auth_reply_t r, struct lease_st* lease)
{
struct iovec iov[2];
uint8_t cmd[2];
@@ -99,8 +99,8 @@ static int send_auth_reply(main_server_st* s, struct proc_st* proc,
return(sendmsg(proc->fd, &hdr, 0));
}
static int handle_auth_cookie_req(main_server_st* s, struct proc_st* proc,
const struct cmd_auth_cookie_req_st * req, struct lease_st **lease)
int handle_auth_cookie_req(main_server_st* s, struct proc_st* proc,
const struct cmd_auth_cookie_req_st * req, struct lease_st **lease)
{
int ret;
struct stored_cookie_st sc;
@@ -123,7 +123,6 @@ struct stored_cookie_st sc;
return ret;
}
static
int generate_and_store_vals(main_server_st *s, struct proc_st* proc)
{
int ret;
@@ -158,8 +157,8 @@ struct stored_cookie_st *sc;
return 0;
}
static int handle_auth_req(main_server_st *s, struct proc_st* proc,
const struct cmd_auth_req_st * req, struct lease_st **lease)
int handle_auth_req(main_server_st *s, struct proc_st* proc,
const struct cmd_auth_req_st * req, struct lease_st **lease)
{
int ret = -1;
unsigned username_set = 0;
@@ -199,159 +198,3 @@ unsigned username_set = 0;
return ret;
}
int handle_commands(main_server_st *s, struct proc_st* proc)
{
struct iovec iov[2];
char buf[128];
int e;
uint8_t cmd;
struct msghdr hdr;
struct lease_st *lease;
union {
struct cmd_auth_req_st auth;
struct cmd_auth_cookie_req_st cauth;
struct cmd_resume_store_req_st sresume;
struct cmd_resume_fetch_req_st fresume;
} cmd_data;
int ret, cmd_data_len;
const char* peer_ip;
peer_ip = human_addr((void*)&proc->remote_addr, proc->remote_addr_len, buf, sizeof(buf));
memset(&cmd_data, 0, sizeof(cmd_data));
iov[0].iov_base = &cmd;
iov[0].iov_len = 1;
iov[1].iov_base = &cmd_data;
iov[1].iov_len = sizeof(cmd_data);
memset(&hdr, 0, sizeof(hdr));
hdr.msg_iov = iov;
hdr.msg_iovlen = 2;
ret = recvmsg( proc->fd, &hdr, 0);
if (ret == -1) {
e = errno;
mslog(s, proc, LOG_ERR, "Cannot obtain data from command socket (pid: %d, peer: %s): %s", proc->pid, peer_ip, strerror(e));
return -1;
}
if (ret == 0) {
return -1;
}
cmd_data_len = ret - 1;
switch(cmd) {
case RESUME_STORE_REQ:
if (cmd_data_len <= sizeof(cmd_data.sresume)-MAX_SESSION_DATA_SIZE) {
mslog(s, proc, LOG_ERR, "Error in received message length (pid: %d, peer: %s).", proc->pid, peer_ip);
return -2;
}
ret = handle_resume_store_req(s, proc, &cmd_data.sresume);
if (ret < 0) {
mslog(s, proc, LOG_DEBUG, "Could not store resumption data (pid: %d, peer: %s).", proc->pid, peer_ip);
}
break;
case RESUME_DELETE_REQ:
if (cmd_data_len != sizeof(cmd_data.fresume)) {
mslog(s, proc, LOG_ERR, "Error in received message length (pid: %d, peer: %s).", proc->pid, peer_ip);
return -2;
}
ret = handle_resume_delete_req(s, proc, &cmd_data.fresume);
if (ret < 0) {
mslog(s, proc, LOG_DEBUG, "Could not delete resumption data (pid: %d, peer: %s).", proc->pid, peer_ip);
}
break;
case RESUME_FETCH_REQ: {
struct cmd_resume_fetch_reply_st reply;
if (cmd_data_len != sizeof(cmd_data.fresume)) {
mslog(s, proc, LOG_ERR, "Error in received message length (pid: %d, peer: %s).", proc->pid, peer_ip);
return -2;
}
ret = handle_resume_fetch_req(s, proc, &cmd_data.fresume, &reply);
if (ret < 0) {
mslog(s, proc, LOG_DEBUG, "Could not fetch resumption data (pid: %d, peer: %s).", proc->pid, peer_ip);
ret = send_resume_fetch_reply(s, proc, REP_RESUME_FAILED, NULL);
} else
ret = send_resume_fetch_reply(s, proc, REP_RESUME_OK, &reply);
}
if (ret < 0) {
mslog(s, proc, LOG_ERR, "Could not send reply cmd (pid: %d, peer: %s).", proc->pid, peer_ip);
return -2;
}
break;
case AUTH_REQ:
case AUTH_COOKIE_REQ:
if (cmd == AUTH_REQ) {
if (cmd_data_len != sizeof(cmd_data.auth)) {
mslog(s, proc, LOG_ERR, "Error in received message length (pid: %d, peer: %s).", proc->pid, peer_ip);
return -2;
}
ret = handle_auth_req(s, proc, &cmd_data.auth, &lease);
} else {
if (cmd_data_len != sizeof(cmd_data.cauth)) {
mslog(s, proc, LOG_ERR, "Error in received message length (pid: %d, peer: %s).", proc->pid, peer_ip);
return -2;
}
ret = handle_auth_cookie_req(s, proc, &cmd_data.cauth, &lease);
}
if (ret == 0) {
ret = user_connected(s, proc, lease);
if (ret < 0) {
mslog(s, proc, LOG_INFO, "User '%s' disconnected due to script", proc->username);
}
}
if (ret == 0) {
if (cmd == AUTH_REQ) {
/* generate and store cookie */
ret = generate_and_store_vals(s, proc);
if (ret < 0)
return -2;
mslog(s, proc, LOG_INFO, "User '%s' authenticated", proc->username);
} else {
mslog(s, proc, LOG_INFO, "User '%s' re-authenticated (using cookie)", proc->username);
}
ret = send_auth_reply(s, proc, REP_AUTH_OK, lease);
if (ret < 0) {
mslog(s, proc, LOG_ERR, "Could not send reply cmd (pid: %d, peer: %s).", proc->pid, peer_ip);
return -2;
}
proc->lease = lease;
proc->lease->in_use = 1;
if (lease->fd >= 0)
close(lease->fd);
lease->fd = -1;
} else {
mslog(s, proc, LOG_INFO, "Failed authentication attempt for user '%s'", proc->username);
ret = send_auth_reply( s, proc, REP_AUTH_FAILED, NULL);
if (ret < 0) {
mslog(s, proc, LOG_ERR, "Could not send reply cmd (pid: %d, peer: %s).", proc->pid, peer_ip);
return -2;
}
}
break;
default:
mslog(s, proc, LOG_ERR, "Unknown CMD 0x%x (pid: %d, peer: %s).", (unsigned)cmd, proc->pid, peer_ip);
return -2;
}
return 0;
}

244
src/main-misc.c Normal file
View File

@@ -0,0 +1,244 @@
/*
* Copyright (C) 2013 Nikos Mavrogiannopoulos
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*/
#include <config.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/select.h>
#include <sys/wait.h>
#include <fcntl.h>
#include <sys/socket.h>
#include <netdb.h>
#include <signal.h>
#include <errno.h>
#include <sys/ioctl.h>
#include <gnutls/gnutls.h>
#include <gnutls/crypto.h>
#include <tlslib.h>
#include "ipc.h"
#include <vpn.h>
#include <cookies.h>
#include <tun.h>
#include <main.h>
#include <ccan/list/list.h>
#include "pam.h"
int set_tun_mtu(main_server_st* s, struct proc_st * proc, unsigned mtu)
{
int fd, ret, e;
struct ifreq ifr;
const char* name;
if (proc->lease == NULL)
return -1;
name = proc->lease->name;
mslog(s, proc, LOG_DEBUG, "setting %s MTU to %u", name, mtu);
fd = socket(AF_INET, SOCK_STREAM, 0);
if (fd == -1)
return -1;
memset(&ifr, 0, sizeof(ifr));
snprintf(ifr.ifr_name, IFNAMSIZ, "%s", name);
ifr.ifr_mtu = mtu;
ret = ioctl(fd, SIOCSIFMTU, &ifr);
if (ret != 0) {
e = errno;
mslog(s, proc, LOG_INFO, "ioctl SIOCSIFMTU error: %s", strerror(e));
ret = -1;
goto fail;
}
ret = 0;
fail:
close(fd);
return ret;
}
int handle_commands(main_server_st *s, struct proc_st* proc)
{
struct iovec iov[2];
char buf[128];
int e;
uint8_t cmd;
struct msghdr hdr;
struct lease_st *lease;
union {
struct cmd_auth_req_st auth;
struct cmd_auth_cookie_req_st cauth;
struct cmd_resume_store_req_st sresume;
struct cmd_resume_fetch_req_st fresume;
struct cmd_tun_mtu_st tmtu;
} cmd_data;
int ret, cmd_data_len;
const char* peer_ip;
peer_ip = human_addr((void*)&proc->remote_addr, proc->remote_addr_len, buf, sizeof(buf));
memset(&cmd_data, 0, sizeof(cmd_data));
iov[0].iov_base = &cmd;
iov[0].iov_len = 1;
iov[1].iov_base = &cmd_data;
iov[1].iov_len = sizeof(cmd_data);
memset(&hdr, 0, sizeof(hdr));
hdr.msg_iov = iov;
hdr.msg_iovlen = 2;
ret = recvmsg( proc->fd, &hdr, 0);
if (ret == -1) {
e = errno;
mslog(s, proc, LOG_ERR, "Cannot obtain data from command socket (pid: %d, peer: %s): %s", proc->pid, peer_ip, strerror(e));
return -1;
}
if (ret == 0) {
return -1;
}
cmd_data_len = ret - 1;
switch(cmd) {
case CMD_TUN_MTU:
if (cmd_data_len != sizeof(cmd_data.tmtu)) {
mslog(s, proc, LOG_ERR, "Error in received message (%u) length (pid: %d, peer: %s).", (unsigned)cmd, proc->pid, peer_ip);
return -2;
}
set_tun_mtu(s, proc, cmd_data.tmtu.mtu);
break;
case RESUME_STORE_REQ:
if (cmd_data_len <= sizeof(cmd_data.sresume)-MAX_SESSION_DATA_SIZE) {
mslog(s, proc, LOG_ERR, "Error in received message (%u) length (pid: %d, peer: %s).", (unsigned)cmd, proc->pid, peer_ip);
return -2;
}
ret = handle_resume_store_req(s, proc, &cmd_data.sresume);
if (ret < 0) {
mslog(s, proc, LOG_DEBUG, "Could not store resumption data (pid: %d, peer: %s).", proc->pid, peer_ip);
}
break;
case RESUME_DELETE_REQ:
if (cmd_data_len != sizeof(cmd_data.fresume)) {
mslog(s, proc, LOG_ERR, "Error in received message (%u) length (pid: %d, peer: %s).", (unsigned)cmd, proc->pid, peer_ip);
return -2;
}
ret = handle_resume_delete_req(s, proc, &cmd_data.fresume);
if (ret < 0) {
mslog(s, proc, LOG_DEBUG, "Could not delete resumption data (pid: %d, peer: %s).", proc->pid, peer_ip);
}
break;
case RESUME_FETCH_REQ: {
struct cmd_resume_fetch_reply_st reply;
if (cmd_data_len != sizeof(cmd_data.fresume)) {
mslog(s, proc, LOG_ERR, "Error in received message (%u) length (pid: %d, peer: %s).", (unsigned)cmd, proc->pid, peer_ip);
return -2;
}
ret = handle_resume_fetch_req(s, proc, &cmd_data.fresume, &reply);
if (ret < 0) {
mslog(s, proc, LOG_DEBUG, "Could not fetch resumption data (pid: %d, peer: %s).", proc->pid, peer_ip);
ret = send_resume_fetch_reply(s, proc, REP_RESUME_FAILED, NULL);
} else
ret = send_resume_fetch_reply(s, proc, REP_RESUME_OK, &reply);
}
if (ret < 0) {
mslog(s, proc, LOG_ERR, "Could not send reply cmd (pid: %d, peer: %s).", proc->pid, peer_ip);
return -2;
}
break;
case AUTH_REQ:
case AUTH_COOKIE_REQ:
if (cmd == AUTH_REQ) {
if (cmd_data_len != sizeof(cmd_data.auth)) {
mslog(s, proc, LOG_ERR, "Error in received message (%u) length (pid: %d, peer: %s).", (unsigned)cmd, proc->pid, peer_ip);
return -2;
}
ret = handle_auth_req(s, proc, &cmd_data.auth, &lease);
} else {
if (cmd_data_len != sizeof(cmd_data.cauth)) {
mslog(s, proc, LOG_ERR, "Error in received message (%u) length (pid: %d, peer: %s).", (unsigned)cmd, proc->pid, peer_ip);
return -2;
}
ret = handle_auth_cookie_req(s, proc, &cmd_data.cauth, &lease);
}
if (ret == 0) {
ret = user_connected(s, proc, lease);
if (ret < 0) {
mslog(s, proc, LOG_INFO, "User '%s' disconnected due to script", proc->username);
}
}
if (ret == 0) {
if (cmd == AUTH_REQ) {
/* generate and store cookie */
ret = generate_and_store_vals(s, proc);
if (ret < 0)
return -2;
mslog(s, proc, LOG_INFO, "User '%s' authenticated", proc->username);
} else {
mslog(s, proc, LOG_INFO, "User '%s' re-authenticated (using cookie)", proc->username);
}
ret = send_auth_reply(s, proc, REP_AUTH_OK, lease);
if (ret < 0) {
mslog(s, proc, LOG_ERR, "Could not send reply cmd (pid: %d, peer: %s).", proc->pid, peer_ip);
return -2;
}
proc->lease = lease;
proc->lease->in_use = 1;
if (lease->fd >= 0)
close(lease->fd);
lease->fd = -1;
} else {
mslog(s, proc, LOG_INFO, "Failed authentication attempt for user '%s'", proc->username);
ret = send_auth_reply( s, proc, REP_AUTH_FAILED, NULL);
if (ret < 0) {
mslog(s, proc, LOG_ERR, "Could not send reply cmd (pid: %d, peer: %s).", proc->pid, peer_ip);
return -2;
}
}
break;
default:
mslog(s, proc, LOG_ERR, "Unknown CMD 0x%x (pid: %d, peer: %s).", (unsigned)cmd, proc->pid, peer_ip);
return -2;
}
return 0;
}

9
src/main.h
View File

@@ -99,5 +99,14 @@ __attribute__ ((format(printf, 4, 5)))
int priority, const char *fmt, ...);
int open_tun(main_server_st* s, struct lease_st** l);
int set_tun_mtu(main_server_st* s, struct proc_st * proc, unsigned mtu);
int send_auth_reply(main_server_st* s, struct proc_st* proc,
cmd_auth_reply_t r, struct lease_st* lease);
int handle_auth_cookie_req(main_server_st* s, struct proc_st* proc,
const struct cmd_auth_cookie_req_st * req, struct lease_st **lease);
int generate_and_store_vals(main_server_st *s, struct proc_st* proc);
int handle_auth_req(main_server_st *s, struct proc_st* proc,
const struct cmd_auth_req_st * req, struct lease_st **lease);
#endif

1
src/worker-auth.c
View File

@@ -1,5 +1,4 @@
/*
* Copyright (C) 2012, 2013 David Woodhouse
* Copyright (C) 2013 Nikos Mavrogiannopoulos
*
* This program is free software; you can redistribute it and/or modify

63
src/worker-misc.c Normal file
View File

@@ -0,0 +1,63 @@
/*
* Copyright (C) 2013 Nikos Mavrogiannopoulos
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*/
#include <config.h>
#include <gnutls/gnutls.h>
#include <gnutls/crypto.h>
#include <gnutls/x509.h>
#include <errno.h>
#include <stdlib.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#include <limits.h>
#include <vpn.h>
#include "ipc.h"
#include <worker.h>
#include <cookies.h>
#include <tlslib.h>
int send_tun_mtu(worker_st *ws, unsigned int mtu)
{
struct iovec iov[2];
uint8_t cmd;
struct msghdr hdr;
struct cmd_tun_mtu_st data;
memset(&hdr, 0, sizeof(hdr));
cmd = CMD_TUN_MTU;
data.mtu = mtu;
iov[0].iov_base = &cmd;
iov[0].iov_len = 1;
iov[1].iov_base = (void*)&data;
iov[1].iov_len = sizeof(data);
hdr.msg_iov = iov;
hdr.msg_iovlen = 2;
return(sendmsg(ws->cmd_fd, &hdr, 0));
}

29
src/worker-tun.c
View File

@@ -1,5 +1,4 @@
/*
* Copyright (C) 2012, 2013 David Woodhouse
* Copyright (C) 2013 Nikos Mavrogiannopoulos
*
* This program is free software; you can redistribute it and/or modify
@@ -47,34 +46,6 @@
#include <http-parser/http_parser.h>
int set_tun_mtu(struct worker_st* ws, unsigned mtu)
{
int fd, ret, e;
struct ifreq ifr;
oclog(ws, LOG_DEBUG, "setting tun MTU to %u", mtu);
fd = socket(AF_INET, SOCK_STREAM, 0);
if (fd == -1)
return -1;
memset(&ifr, 0, sizeof(ifr));
snprintf(ifr.ifr_name, IFNAMSIZ, "%s", ws->tun_name);
ifr.ifr_mtu = mtu;
ret = ioctl(fd, SIOCSIFMTU, &ifr);
if (ret != 0) {
e = errno;
oclog(ws, LOG_INFO, "ioctl SIOCSIFMTU error: %s", strerror(e));
ret = -1;
goto fail;
}
ret = 0;
fail:
close(fd);
return ret;
}
/* if local is non zero it returns the local, otherwise the remote */
static
int get_ip(struct worker_st* ws, int fd, int family, unsigned int local,

14
src/worker-vpn.c
View File

@@ -461,7 +461,7 @@ int mtu_not_ok(worker_st* ws, unsigned *mtu)
oclog(ws, LOG_DEBUG, "MTU %u is too large, switching to %u", ws->last_bad_mtu, *mtu);
set_tun_mtu(ws, *mtu);
send_tun_mtu(ws, *mtu);
return 0;
}
@@ -487,7 +487,7 @@ int c;
*mtu = c;
gnutls_dtls_set_data_mtu (ws->dtls_session, c);
set_tun_mtu(ws, c);
send_tun_mtu(ws, c);
return;
}
@@ -663,9 +663,9 @@ unsigned mtu_overhead, dtls_mtu = 0, tls_mtu = 0;
}
if (dtls_mtu == 0)
set_tun_mtu(ws, tls_mtu);
send_tun_mtu(ws, tls_mtu);
else
set_tun_mtu(ws, MIN(dtls_mtu, tls_mtu));
send_tun_mtu(ws, MIN(dtls_mtu, tls_mtu));
ret = tls_puts(ws->session, "X-CSTP-Banner: Welcome\r\n");
SEND_ERR(ret);
@@ -1018,8 +1018,10 @@ int ret, e;
break;
case AC_PKT_DPD_OUT:
oclog(ws, LOG_DEBUG, "received DPD; sending response");
ret =
tls_send(ts, "STF\x01\x00\x00\x04\x00", 8);
if (ws->session == ts)
ret = tls_send(ts, "STF\x01\x00\x00\x04\x00", 8);
else
ret = tls_send(ts, "\x04", 1);
if (ret < 0) {
oclog(ws, LOG_ERR, "could not send TLS data: %s", gnutls_strerror(ret));
return -1;

3
src/worker.h
View File

@@ -89,9 +89,10 @@ struct req_data_st {
void __attribute__ ((format(printf, 3, 4)))
oclog(const worker_st * server, int priority, const char *fmt, ...);
int set_tun_mtu(struct worker_st* ws, unsigned mtu);
int get_rt_vpn_info(worker_st * ws,
struct vpn_st* vinfo, char* buffer, size_t buffer_size);
ssize_t tun_write(int sockfd, const void *buf, size_t len);
int send_tun_mtu(worker_st *ws, unsigned int mtu);
#endif