diff --git a/doc/design.dia b/doc/design.dia index e6860d14..7640c6c4 100644 Binary files a/doc/design.dia and b/doc/design.dia differ diff --git a/src/Makefile.am b/src/Makefile.am index cf6e32a5..83779214 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -14,10 +14,11 @@ CCAN_SOURCES = ccan/build_assert/build_assert.h ccan/check_type/check_type.h \ ocserv_SOURCES = main.c main-auth.c worker-vpn.c worker-auth.c tlslib.c \ - http-parser/http_parser.c ipc.h cookies.c worker-tun.c \ + http-parser/http_parser.c ipc.h cookies.c worker-tun.c main-misc.c \ vpn.h cookies.h tlslib.h http-parser/http_parser.h log.c tun.c tun.h \ config.c pam.c pam.h worker-resume.c worker.h main-resume.c main.h \ - main-user.c cookies-gdbm.c cookies-hash.c $(CCAN_SOURCES) + main-user.c cookies-gdbm.c cookies-hash.c worker-misc.c \ + $(CCAN_SOURCES) ocserv_SOURCES += ocserv-args.def ocserv-args.c ocserv-args.h diff --git a/src/ipc.h b/src/ipc.h index 73c81345..fb5aae6d 100644 --- a/src/ipc.h +++ b/src/ipc.h @@ -19,6 +19,7 @@ typedef enum { RESUME_FETCH_REQ, RESUME_FETCH_REP, CMD_UDP_FD, + CMD_TUN_MTU, CMD_TERMINATE, } cmd_request_t; @@ -79,4 +80,9 @@ struct __attribute__ ((__packed__)) cmd_resume_fetch_reply_st { uint8_t session_data[MAX_SESSION_DATA_SIZE]; }; +/* TUN_MTU */ +struct __attribute__ ((__packed__)) cmd_tun_mtu_st { + uint16_t mtu; +}; + #endif diff --git a/src/main-auth.c b/src/main-auth.c index f9cb8c83..b35c4796 100644 --- a/src/main-auth.c +++ b/src/main-auth.c @@ -43,8 +43,8 @@ #include #include "pam.h" -static int send_auth_reply(main_server_st* s, struct proc_st* proc, - cmd_auth_reply_t r, struct lease_st* lease) +int send_auth_reply(main_server_st* s, struct proc_st* proc, + cmd_auth_reply_t r, struct lease_st* lease) { struct iovec iov[2]; uint8_t cmd[2]; @@ -99,8 +99,8 @@ static int send_auth_reply(main_server_st* s, struct proc_st* proc, return(sendmsg(proc->fd, &hdr, 0)); } -static int handle_auth_cookie_req(main_server_st* s, struct proc_st* proc, - const struct cmd_auth_cookie_req_st * req, struct lease_st **lease) +int handle_auth_cookie_req(main_server_st* s, struct proc_st* proc, + const struct cmd_auth_cookie_req_st * req, struct lease_st **lease) { int ret; struct stored_cookie_st sc; @@ -123,7 +123,6 @@ struct stored_cookie_st sc; return ret; } -static int generate_and_store_vals(main_server_st *s, struct proc_st* proc) { int ret; @@ -158,8 +157,8 @@ struct stored_cookie_st *sc; return 0; } -static int handle_auth_req(main_server_st *s, struct proc_st* proc, - const struct cmd_auth_req_st * req, struct lease_st **lease) +int handle_auth_req(main_server_st *s, struct proc_st* proc, + const struct cmd_auth_req_st * req, struct lease_st **lease) { int ret = -1; unsigned username_set = 0; @@ -199,159 +198,3 @@ unsigned username_set = 0; return ret; } - -int handle_commands(main_server_st *s, struct proc_st* proc) -{ - struct iovec iov[2]; - char buf[128]; - int e; - uint8_t cmd; - struct msghdr hdr; - struct lease_st *lease; - union { - struct cmd_auth_req_st auth; - struct cmd_auth_cookie_req_st cauth; - struct cmd_resume_store_req_st sresume; - struct cmd_resume_fetch_req_st fresume; - } cmd_data; - int ret, cmd_data_len; - const char* peer_ip; - - peer_ip = human_addr((void*)&proc->remote_addr, proc->remote_addr_len, buf, sizeof(buf)); - - memset(&cmd_data, 0, sizeof(cmd_data)); - - iov[0].iov_base = &cmd; - iov[0].iov_len = 1; - - iov[1].iov_base = &cmd_data; - iov[1].iov_len = sizeof(cmd_data); - - memset(&hdr, 0, sizeof(hdr)); - hdr.msg_iov = iov; - hdr.msg_iovlen = 2; - - ret = recvmsg( proc->fd, &hdr, 0); - if (ret == -1) { - e = errno; - mslog(s, proc, LOG_ERR, "Cannot obtain data from command socket (pid: %d, peer: %s): %s", proc->pid, peer_ip, strerror(e)); - return -1; - } - - if (ret == 0) { - return -1; - } - - cmd_data_len = ret - 1; - - switch(cmd) { - case RESUME_STORE_REQ: - if (cmd_data_len <= sizeof(cmd_data.sresume)-MAX_SESSION_DATA_SIZE) { - mslog(s, proc, LOG_ERR, "Error in received message length (pid: %d, peer: %s).", proc->pid, peer_ip); - return -2; - } - ret = handle_resume_store_req(s, proc, &cmd_data.sresume); - if (ret < 0) { - mslog(s, proc, LOG_DEBUG, "Could not store resumption data (pid: %d, peer: %s).", proc->pid, peer_ip); - } - - break; - - case RESUME_DELETE_REQ: - if (cmd_data_len != sizeof(cmd_data.fresume)) { - mslog(s, proc, LOG_ERR, "Error in received message length (pid: %d, peer: %s).", proc->pid, peer_ip); - return -2; - } - ret = handle_resume_delete_req(s, proc, &cmd_data.fresume); - if (ret < 0) { - mslog(s, proc, LOG_DEBUG, "Could not delete resumption data (pid: %d, peer: %s).", proc->pid, peer_ip); - } - - break; - case RESUME_FETCH_REQ: { - struct cmd_resume_fetch_reply_st reply; - - if (cmd_data_len != sizeof(cmd_data.fresume)) { - mslog(s, proc, LOG_ERR, "Error in received message length (pid: %d, peer: %s).", proc->pid, peer_ip); - return -2; - } - ret = handle_resume_fetch_req(s, proc, &cmd_data.fresume, &reply); - if (ret < 0) { - mslog(s, proc, LOG_DEBUG, "Could not fetch resumption data (pid: %d, peer: %s).", proc->pid, peer_ip); - ret = send_resume_fetch_reply(s, proc, REP_RESUME_FAILED, NULL); - } else - ret = send_resume_fetch_reply(s, proc, REP_RESUME_OK, &reply); - } - - if (ret < 0) { - mslog(s, proc, LOG_ERR, "Could not send reply cmd (pid: %d, peer: %s).", proc->pid, peer_ip); - return -2; - } - - break; - - case AUTH_REQ: - case AUTH_COOKIE_REQ: - - if (cmd == AUTH_REQ) { - if (cmd_data_len != sizeof(cmd_data.auth)) { - mslog(s, proc, LOG_ERR, "Error in received message length (pid: %d, peer: %s).", proc->pid, peer_ip); - return -2; - } - - ret = handle_auth_req(s, proc, &cmd_data.auth, &lease); - } else { - if (cmd_data_len != sizeof(cmd_data.cauth)) { - mslog(s, proc, LOG_ERR, "Error in received message length (pid: %d, peer: %s).", proc->pid, peer_ip); - return -2; - } - - ret = handle_auth_cookie_req(s, proc, &cmd_data.cauth, &lease); - } - - if (ret == 0) { - ret = user_connected(s, proc, lease); - if (ret < 0) { - mslog(s, proc, LOG_INFO, "User '%s' disconnected due to script", proc->username); - } - } - - if (ret == 0) { - if (cmd == AUTH_REQ) { - /* generate and store cookie */ - ret = generate_and_store_vals(s, proc); - if (ret < 0) - return -2; - mslog(s, proc, LOG_INFO, "User '%s' authenticated", proc->username); - } else { - mslog(s, proc, LOG_INFO, "User '%s' re-authenticated (using cookie)", proc->username); - } - - ret = send_auth_reply(s, proc, REP_AUTH_OK, lease); - if (ret < 0) { - mslog(s, proc, LOG_ERR, "Could not send reply cmd (pid: %d, peer: %s).", proc->pid, peer_ip); - return -2; - } - - proc->lease = lease; - proc->lease->in_use = 1; - if (lease->fd >= 0) - close(lease->fd); - lease->fd = -1; - } else { - mslog(s, proc, LOG_INFO, "Failed authentication attempt for user '%s'", proc->username); - ret = send_auth_reply( s, proc, REP_AUTH_FAILED, NULL); - if (ret < 0) { - mslog(s, proc, LOG_ERR, "Could not send reply cmd (pid: %d, peer: %s).", proc->pid, peer_ip); - return -2; - } - } - - break; - default: - mslog(s, proc, LOG_ERR, "Unknown CMD 0x%x (pid: %d, peer: %s).", (unsigned)cmd, proc->pid, peer_ip); - return -2; - } - - return 0; -} diff --git a/src/main-misc.c b/src/main-misc.c new file mode 100644 index 00000000..c9219521 --- /dev/null +++ b/src/main-misc.c @@ -0,0 +1,244 @@ +/* + * Copyright (C) 2013 Nikos Mavrogiannopoulos + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + */ + +#include + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include "ipc.h" + +#include +#include +#include +#include +#include +#include "pam.h" + +int set_tun_mtu(main_server_st* s, struct proc_st * proc, unsigned mtu) +{ +int fd, ret, e; +struct ifreq ifr; +const char* name; + + if (proc->lease == NULL) + return -1; + + name = proc->lease->name; + + mslog(s, proc, LOG_DEBUG, "setting %s MTU to %u", name, mtu); + fd = socket(AF_INET, SOCK_STREAM, 0); + if (fd == -1) + return -1; + + memset(&ifr, 0, sizeof(ifr)); + snprintf(ifr.ifr_name, IFNAMSIZ, "%s", name); + ifr.ifr_mtu = mtu; + + ret = ioctl(fd, SIOCSIFMTU, &ifr); + if (ret != 0) { + e = errno; + mslog(s, proc, LOG_INFO, "ioctl SIOCSIFMTU error: %s", strerror(e)); + ret = -1; + goto fail; + } + + ret = 0; +fail: + close(fd); + return ret; +} + +int handle_commands(main_server_st *s, struct proc_st* proc) +{ + struct iovec iov[2]; + char buf[128]; + int e; + uint8_t cmd; + struct msghdr hdr; + struct lease_st *lease; + union { + struct cmd_auth_req_st auth; + struct cmd_auth_cookie_req_st cauth; + struct cmd_resume_store_req_st sresume; + struct cmd_resume_fetch_req_st fresume; + struct cmd_tun_mtu_st tmtu; + } cmd_data; + int ret, cmd_data_len; + const char* peer_ip; + + peer_ip = human_addr((void*)&proc->remote_addr, proc->remote_addr_len, buf, sizeof(buf)); + + memset(&cmd_data, 0, sizeof(cmd_data)); + + iov[0].iov_base = &cmd; + iov[0].iov_len = 1; + + iov[1].iov_base = &cmd_data; + iov[1].iov_len = sizeof(cmd_data); + + memset(&hdr, 0, sizeof(hdr)); + hdr.msg_iov = iov; + hdr.msg_iovlen = 2; + + ret = recvmsg( proc->fd, &hdr, 0); + if (ret == -1) { + e = errno; + mslog(s, proc, LOG_ERR, "Cannot obtain data from command socket (pid: %d, peer: %s): %s", proc->pid, peer_ip, strerror(e)); + return -1; + } + + if (ret == 0) { + return -1; + } + + cmd_data_len = ret - 1; + + switch(cmd) { + case CMD_TUN_MTU: + if (cmd_data_len != sizeof(cmd_data.tmtu)) { + mslog(s, proc, LOG_ERR, "Error in received message (%u) length (pid: %d, peer: %s).", (unsigned)cmd, proc->pid, peer_ip); + return -2; + } + + set_tun_mtu(s, proc, cmd_data.tmtu.mtu); + break; + + case RESUME_STORE_REQ: + if (cmd_data_len <= sizeof(cmd_data.sresume)-MAX_SESSION_DATA_SIZE) { + mslog(s, proc, LOG_ERR, "Error in received message (%u) length (pid: %d, peer: %s).", (unsigned)cmd, proc->pid, peer_ip); + return -2; + } + ret = handle_resume_store_req(s, proc, &cmd_data.sresume); + if (ret < 0) { + mslog(s, proc, LOG_DEBUG, "Could not store resumption data (pid: %d, peer: %s).", proc->pid, peer_ip); + } + + break; + + case RESUME_DELETE_REQ: + if (cmd_data_len != sizeof(cmd_data.fresume)) { + mslog(s, proc, LOG_ERR, "Error in received message (%u) length (pid: %d, peer: %s).", (unsigned)cmd, proc->pid, peer_ip); + return -2; + } + ret = handle_resume_delete_req(s, proc, &cmd_data.fresume); + if (ret < 0) { + mslog(s, proc, LOG_DEBUG, "Could not delete resumption data (pid: %d, peer: %s).", proc->pid, peer_ip); + } + + break; + case RESUME_FETCH_REQ: { + struct cmd_resume_fetch_reply_st reply; + + if (cmd_data_len != sizeof(cmd_data.fresume)) { + mslog(s, proc, LOG_ERR, "Error in received message (%u) length (pid: %d, peer: %s).", (unsigned)cmd, proc->pid, peer_ip); + return -2; + } + ret = handle_resume_fetch_req(s, proc, &cmd_data.fresume, &reply); + if (ret < 0) { + mslog(s, proc, LOG_DEBUG, "Could not fetch resumption data (pid: %d, peer: %s).", proc->pid, peer_ip); + ret = send_resume_fetch_reply(s, proc, REP_RESUME_FAILED, NULL); + } else + ret = send_resume_fetch_reply(s, proc, REP_RESUME_OK, &reply); + } + + if (ret < 0) { + mslog(s, proc, LOG_ERR, "Could not send reply cmd (pid: %d, peer: %s).", proc->pid, peer_ip); + return -2; + } + + break; + + case AUTH_REQ: + case AUTH_COOKIE_REQ: + + if (cmd == AUTH_REQ) { + if (cmd_data_len != sizeof(cmd_data.auth)) { + mslog(s, proc, LOG_ERR, "Error in received message (%u) length (pid: %d, peer: %s).", (unsigned)cmd, proc->pid, peer_ip); + return -2; + } + + ret = handle_auth_req(s, proc, &cmd_data.auth, &lease); + } else { + if (cmd_data_len != sizeof(cmd_data.cauth)) { + mslog(s, proc, LOG_ERR, "Error in received message (%u) length (pid: %d, peer: %s).", (unsigned)cmd, proc->pid, peer_ip); + return -2; + } + + ret = handle_auth_cookie_req(s, proc, &cmd_data.cauth, &lease); + } + + if (ret == 0) { + ret = user_connected(s, proc, lease); + if (ret < 0) { + mslog(s, proc, LOG_INFO, "User '%s' disconnected due to script", proc->username); + } + } + + if (ret == 0) { + if (cmd == AUTH_REQ) { + /* generate and store cookie */ + ret = generate_and_store_vals(s, proc); + if (ret < 0) + return -2; + mslog(s, proc, LOG_INFO, "User '%s' authenticated", proc->username); + } else { + mslog(s, proc, LOG_INFO, "User '%s' re-authenticated (using cookie)", proc->username); + } + + ret = send_auth_reply(s, proc, REP_AUTH_OK, lease); + if (ret < 0) { + mslog(s, proc, LOG_ERR, "Could not send reply cmd (pid: %d, peer: %s).", proc->pid, peer_ip); + return -2; + } + + proc->lease = lease; + proc->lease->in_use = 1; + if (lease->fd >= 0) + close(lease->fd); + lease->fd = -1; + } else { + mslog(s, proc, LOG_INFO, "Failed authentication attempt for user '%s'", proc->username); + ret = send_auth_reply( s, proc, REP_AUTH_FAILED, NULL); + if (ret < 0) { + mslog(s, proc, LOG_ERR, "Could not send reply cmd (pid: %d, peer: %s).", proc->pid, peer_ip); + return -2; + } + } + + break; + default: + mslog(s, proc, LOG_ERR, "Unknown CMD 0x%x (pid: %d, peer: %s).", (unsigned)cmd, proc->pid, peer_ip); + return -2; + } + + return 0; +} diff --git a/src/main.h b/src/main.h index 7940b944..10f077f7 100644 --- a/src/main.h +++ b/src/main.h @@ -99,5 +99,14 @@ __attribute__ ((format(printf, 4, 5))) int priority, const char *fmt, ...); int open_tun(main_server_st* s, struct lease_st** l); +int set_tun_mtu(main_server_st* s, struct proc_st * proc, unsigned mtu); + +int send_auth_reply(main_server_st* s, struct proc_st* proc, + cmd_auth_reply_t r, struct lease_st* lease); +int handle_auth_cookie_req(main_server_st* s, struct proc_st* proc, + const struct cmd_auth_cookie_req_st * req, struct lease_st **lease); +int generate_and_store_vals(main_server_st *s, struct proc_st* proc); +int handle_auth_req(main_server_st *s, struct proc_st* proc, + const struct cmd_auth_req_st * req, struct lease_st **lease); #endif diff --git a/src/worker-auth.c b/src/worker-auth.c index 35d1eb8b..5c7630fb 100644 --- a/src/worker-auth.c +++ b/src/worker-auth.c @@ -1,5 +1,4 @@ /* - * Copyright (C) 2012, 2013 David Woodhouse * Copyright (C) 2013 Nikos Mavrogiannopoulos * * This program is free software; you can redistribute it and/or modify diff --git a/src/worker-misc.c b/src/worker-misc.c new file mode 100644 index 00000000..853a059b --- /dev/null +++ b/src/worker-misc.c @@ -0,0 +1,63 @@ +/* + * Copyright (C) 2013 Nikos Mavrogiannopoulos + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + */ + +#include + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include +#include "ipc.h" +#include +#include +#include + +int send_tun_mtu(worker_st *ws, unsigned int mtu) +{ + struct iovec iov[2]; + uint8_t cmd; + struct msghdr hdr; + struct cmd_tun_mtu_st data; + + memset(&hdr, 0, sizeof(hdr)); + + cmd = CMD_TUN_MTU; + data.mtu = mtu; + + iov[0].iov_base = &cmd; + iov[0].iov_len = 1; + + iov[1].iov_base = (void*)&data; + iov[1].iov_len = sizeof(data); + + hdr.msg_iov = iov; + hdr.msg_iovlen = 2; + + return(sendmsg(ws->cmd_fd, &hdr, 0)); +} diff --git a/src/worker-tun.c b/src/worker-tun.c index 413f73bd..b2a8679d 100644 --- a/src/worker-tun.c +++ b/src/worker-tun.c @@ -1,5 +1,4 @@ /* - * Copyright (C) 2012, 2013 David Woodhouse * Copyright (C) 2013 Nikos Mavrogiannopoulos * * This program is free software; you can redistribute it and/or modify @@ -47,34 +46,6 @@ #include -int set_tun_mtu(struct worker_st* ws, unsigned mtu) -{ -int fd, ret, e; -struct ifreq ifr; - - oclog(ws, LOG_DEBUG, "setting tun MTU to %u", mtu); - fd = socket(AF_INET, SOCK_STREAM, 0); - if (fd == -1) - return -1; - - memset(&ifr, 0, sizeof(ifr)); - snprintf(ifr.ifr_name, IFNAMSIZ, "%s", ws->tun_name); - ifr.ifr_mtu = mtu; - - ret = ioctl(fd, SIOCSIFMTU, &ifr); - if (ret != 0) { - e = errno; - oclog(ws, LOG_INFO, "ioctl SIOCSIFMTU error: %s", strerror(e)); - ret = -1; - goto fail; - } - - ret = 0; -fail: - close(fd); - return ret; -} - /* if local is non zero it returns the local, otherwise the remote */ static int get_ip(struct worker_st* ws, int fd, int family, unsigned int local, diff --git a/src/worker-vpn.c b/src/worker-vpn.c index 34c63144..da0b0e00 100644 --- a/src/worker-vpn.c +++ b/src/worker-vpn.c @@ -461,7 +461,7 @@ int mtu_not_ok(worker_st* ws, unsigned *mtu) oclog(ws, LOG_DEBUG, "MTU %u is too large, switching to %u", ws->last_bad_mtu, *mtu); - set_tun_mtu(ws, *mtu); + send_tun_mtu(ws, *mtu); return 0; } @@ -487,7 +487,7 @@ int c; *mtu = c; gnutls_dtls_set_data_mtu (ws->dtls_session, c); - set_tun_mtu(ws, c); + send_tun_mtu(ws, c); return; } @@ -663,9 +663,9 @@ unsigned mtu_overhead, dtls_mtu = 0, tls_mtu = 0; } if (dtls_mtu == 0) - set_tun_mtu(ws, tls_mtu); + send_tun_mtu(ws, tls_mtu); else - set_tun_mtu(ws, MIN(dtls_mtu, tls_mtu)); + send_tun_mtu(ws, MIN(dtls_mtu, tls_mtu)); ret = tls_puts(ws->session, "X-CSTP-Banner: Welcome\r\n"); SEND_ERR(ret); @@ -1018,8 +1018,10 @@ int ret, e; break; case AC_PKT_DPD_OUT: oclog(ws, LOG_DEBUG, "received DPD; sending response"); - ret = - tls_send(ts, "STF\x01\x00\x00\x04\x00", 8); + if (ws->session == ts) + ret = tls_send(ts, "STF\x01\x00\x00\x04\x00", 8); + else + ret = tls_send(ts, "\x04", 1); if (ret < 0) { oclog(ws, LOG_ERR, "could not send TLS data: %s", gnutls_strerror(ret)); return -1; diff --git a/src/worker.h b/src/worker.h index 53d4c40e..7096cf0b 100644 --- a/src/worker.h +++ b/src/worker.h @@ -89,9 +89,10 @@ struct req_data_st { void __attribute__ ((format(printf, 3, 4))) oclog(const worker_st * server, int priority, const char *fmt, ...); -int set_tun_mtu(struct worker_st* ws, unsigned mtu); int get_rt_vpn_info(worker_st * ws, struct vpn_st* vinfo, char* buffer, size_t buffer_size); ssize_t tun_write(int sockfd, const void *buf, size_t len); +int send_tun_mtu(worker_st *ws, unsigned int mtu); + #endif