search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
big svn cleanup
[anytun.git] / src / openvpn / occ.c
blob6b136dc331dc65839eb243a47e8ab33db044d4a8
1 /*
2 * OpenVPN -- An application to securely tunnel IP networks
3 * over a single TCP/UDP port, with support for SSL/TLS-based
4 * session authentication and key exchange,
5 * packet encryption, packet authentication, and
6 * packet compression.
7 *
8 * Copyright (C) 2002-2005 OpenVPN Solutions LLC <info@openvpn.net>
9 *
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License version 2
12 * as published by the Free Software Foundation.
13 *
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
18 *
19 * You should have received a copy of the GNU General Public License
20 * along with this program (see the file COPYING included with this
21 * distribution); if not, write to the Free Software Foundation, Inc.,
22 * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
23 */
24
25 #ifdef WIN32
26 #include "config-win32.h"
27 #else
28 #include "config.h"
29 #endif
30
31 #include "syshead.h"
32
33 #ifdef ENABLE_OCC
34
35 #include "occ.h"
36
37 #include "memdbg.h"
38
39 #include "forward-inline.h"
40 #include "occ-inline.h"
41
42 /*
43 * This random string identifies an OpenVPN
44 * Configuration Control packet.
45 * It should be of sufficient length and randomness
46 * so as not to collide with other tunnel data.
47 *
48 * The OCC protocol is as follows:
49 *
50 * occ_magic -- (16 octets)
51 *
52 * type [OCC_REQUEST | OCC_REPLY] (1 octet)
53 * null terminated options string if OCC_REPLY (variable)
54 *
55 * When encryption is used, the OCC packet
56 * is encapsulated within the encrypted
57 * envelope.
58 *
59 * OCC_STRING_SIZE must be set to sizeof (occ_magic)
60 */
61
62 const uint8_t occ_magic[] = {
63 0x28, 0x7f, 0x34, 0x6b, 0xd4, 0xef, 0x7a, 0x81,
64 0x2d, 0x56, 0xb8, 0xd3, 0xaf, 0xc5, 0x45, 0x9c
65 };
66
67 static const struct mtu_load_test mtu_load_test_sequence[] = {
68
69 {OCC_MTU_LOAD_REQUEST, -1000},
70 {OCC_MTU_LOAD, -1000},
71 {OCC_MTU_LOAD_REQUEST, -1000},
72 {OCC_MTU_LOAD, -1000},
73 {OCC_MTU_LOAD_REQUEST, -1000},
74 {OCC_MTU_LOAD, -1000},
75
76 {OCC_MTU_LOAD_REQUEST, -750},
77 {OCC_MTU_LOAD, -750},
78 {OCC_MTU_LOAD_REQUEST, -750},
79 {OCC_MTU_LOAD, -750},
80 {OCC_MTU_LOAD_REQUEST, -750},
81 {OCC_MTU_LOAD, -750},
82
83 {OCC_MTU_LOAD_REQUEST, -500},
84 {OCC_MTU_LOAD, -500},
85 {OCC_MTU_LOAD_REQUEST, -500},
86 {OCC_MTU_LOAD, -500},
87 {OCC_MTU_LOAD_REQUEST, -500},
88 {OCC_MTU_LOAD, -500},
89
90 {OCC_MTU_LOAD_REQUEST, -400},
91 {OCC_MTU_LOAD, -400},
92 {OCC_MTU_LOAD_REQUEST, -400},
93 {OCC_MTU_LOAD, -400},
94 {OCC_MTU_LOAD_REQUEST, -400},
95 {OCC_MTU_LOAD, -400},
96
97 {OCC_MTU_LOAD_REQUEST, -300},
98 {OCC_MTU_LOAD, -300},
99 {OCC_MTU_LOAD_REQUEST, -300},
100 {OCC_MTU_LOAD, -300},
101 {OCC_MTU_LOAD_REQUEST, -300},
102 {OCC_MTU_LOAD, -300},
103
104 {OCC_MTU_LOAD_REQUEST, -200},
105 {OCC_MTU_LOAD, -200},
106 {OCC_MTU_LOAD_REQUEST, -200},
107 {OCC_MTU_LOAD, -200},
108 {OCC_MTU_LOAD_REQUEST, -200},
109 {OCC_MTU_LOAD, -200},
110
111 {OCC_MTU_LOAD_REQUEST, -150},
112 {OCC_MTU_LOAD, -150},
113 {OCC_MTU_LOAD_REQUEST, -150},
114 {OCC_MTU_LOAD, -150},
115 {OCC_MTU_LOAD_REQUEST, -150},
116 {OCC_MTU_LOAD, -150},
117
118 {OCC_MTU_LOAD_REQUEST, -100},
119 {OCC_MTU_LOAD, -100},
120 {OCC_MTU_LOAD_REQUEST, -100},
121 {OCC_MTU_LOAD, -100},
122 {OCC_MTU_LOAD_REQUEST, -100},
123 {OCC_MTU_LOAD, -100},
124
125 {OCC_MTU_LOAD_REQUEST, -50},
126 {OCC_MTU_LOAD, -50},
127 {OCC_MTU_LOAD_REQUEST, -50},
128 {OCC_MTU_LOAD, -50},
129 {OCC_MTU_LOAD_REQUEST, -50},
130 {OCC_MTU_LOAD, -50},
131
132 {OCC_MTU_LOAD_REQUEST, 0},
133 {OCC_MTU_LOAD, 0},
134 {OCC_MTU_LOAD_REQUEST, 0},
135 {OCC_MTU_LOAD, 0},
136 {OCC_MTU_LOAD_REQUEST, 0},
137 {OCC_MTU_LOAD, 0},
138
139 {OCC_MTU_REQUEST, 0},
140 {OCC_MTU_REQUEST, 0},
141 {OCC_MTU_REQUEST, 0},
142 {OCC_MTU_REQUEST, 0},
143 {OCC_MTU_REQUEST, 0},
144 {OCC_MTU_REQUEST, 0},
145 {OCC_MTU_REQUEST, 0},
146 {OCC_MTU_REQUEST, 0},
147 {OCC_MTU_REQUEST, 0},
148 {OCC_MTU_REQUEST, 0},
149
150 {-1, 0}
151 };
152
153 void
154 check_send_occ_req_dowork (struct context *c)
155 {
156 if (++c->c2.occ_n_tries >= OCC_N_TRIES)
157 {
158 if (c->options.remote_list)
159 /*
160 * No OCC_REPLY from peer after repeated attempts.
161 * Give up.
162 */
163 msg (D_SHOW_OCC,
164 "NOTE: failed to obtain options consistency info from peer -- "
165 "this could occur if the remote peer is running a version of "
166 PACKAGE_NAME
167 " before 1.5-beta8 or if there is a network connectivity problem, and will not necessarily prevent "
168 PACKAGE_NAME
169 " from running (" counter_format " bytes received from peer, " counter_format
170 " bytes authenticated data channel traffic) -- you can disable the options consistency "
171 "check with --disable-occ.",
172 c->c2.link_read_bytes,
173 c->c2.link_read_bytes_auth);
174 event_timeout_clear (&c->c2.occ_interval);
175 }
176 else
177 {
178 c->c2.occ_op = OCC_REQUEST;
179
180 /*
181 * If we don't hear back from peer, send another
182 * OCC_REQUEST in OCC_INTERVAL_SECONDS.
183 */
184 event_timeout_reset (&c->c2.occ_interval);
185 }
186 }
187
188 void
189 check_send_occ_load_test_dowork (struct context *c)
190 {
191 if (CONNECTION_ESTABLISHED (c))
192 {
193 const struct mtu_load_test *entry;
194
195 if (!c->c2.occ_mtu_load_n_tries)
196 msg (M_INFO,
197 "NOTE: Beginning empirical MTU test -- results should be available in 3 to 4 minutes.");
198
199 entry = &mtu_load_test_sequence[c->c2.occ_mtu_load_n_tries++];
200 if (entry->op >= 0)
201 {
202 c->c2.occ_op = entry->op;
203 c->c2.occ_mtu_load_size =
204 EXPANDED_SIZE (&c->c2.frame) + entry->delta;
205 }
206 else
207 {
208 msg (M_INFO,
209 "NOTE: failed to empirically measure MTU (requires " PACKAGE_NAME " 1.5 or higher at other end of connection).");
210 event_timeout_clear (&c->c2.occ_mtu_load_test_interval);
211 c->c2.occ_mtu_load_n_tries = 0;
212 }
213 }
214 }
215
216 void
217 check_send_occ_msg_dowork (struct context *c)
218 {
219 bool doit = false;
220
221 c->c2.buf = c->c2.buffers->aux_buf;
222 ASSERT (buf_init (&c->c2.buf, FRAME_HEADROOM (&c->c2.frame)));
223 ASSERT (buf_safe (&c->c2.buf, MAX_RW_SIZE_TUN (&c->c2.frame)));
224 ASSERT (buf_write (&c->c2.buf, occ_magic, OCC_STRING_SIZE));
225
226 switch (c->c2.occ_op)
227 {
228 case OCC_REQUEST:
229 if (!buf_write_u8 (&c->c2.buf, OCC_REQUEST))
230 break;
231 dmsg (D_PACKET_CONTENT, "SENT OCC_REQUEST");
232 doit = true;
233 break;
234
235 case OCC_REPLY:
236 if (!c->c2.options_string_local)
237 break;
238 if (!buf_write_u8 (&c->c2.buf, OCC_REPLY))
239 break;
240 if (!buf_write (&c->c2.buf, c->c2.options_string_local,
241 strlen (c->c2.options_string_local) + 1))
242 break;
243 dmsg (D_PACKET_CONTENT, "SENT OCC_REPLY");
244 doit = true;
245 break;
246
247 case OCC_MTU_REQUEST:
248 if (!buf_write_u8 (&c->c2.buf, OCC_MTU_REQUEST))
249 break;
250 dmsg (D_PACKET_CONTENT, "SENT OCC_MTU_REQUEST");
251 doit = true;
252 break;
253
254 case OCC_MTU_REPLY:
255 if (!buf_write_u8 (&c->c2.buf, OCC_MTU_REPLY))
256 break;
257 if (!buf_write_u16 (&c->c2.buf, c->c2.max_recv_size_local))
258 break;
259 if (!buf_write_u16 (&c->c2.buf, c->c2.max_send_size_local))
260 break;
261 dmsg (D_PACKET_CONTENT, "SENT OCC_MTU_REPLY");
262 doit = true;
263 break;
264
265 case OCC_MTU_LOAD_REQUEST:
266 if (!buf_write_u8 (&c->c2.buf, OCC_MTU_LOAD_REQUEST))
267 break;
268 if (!buf_write_u16 (&c->c2.buf, c->c2.occ_mtu_load_size))
269 break;
270 dmsg (D_PACKET_CONTENT, "SENT OCC_MTU_LOAD_REQUEST");
271 doit = true;
272 break;
273
274 case OCC_MTU_LOAD:
275 {
276 int need_to_add;
277
278 if (!buf_write_u8 (&c->c2.buf, OCC_MTU_LOAD))
279 break;
280 need_to_add = min_int (c->c2.occ_mtu_load_size, EXPANDED_SIZE (&c->c2.frame))
281 - OCC_STRING_SIZE
282 - sizeof (uint8_t)
283 - EXTRA_FRAME (&c->c2.frame);
284
285 while (need_to_add > 0)
286 {
287 /*
288 * Fill the load test packet with pseudo-random bytes.
289 */
290 if (!buf_write_u8 (&c->c2.buf, get_random () & 0xFF))
291 break;
292 --need_to_add;
293 }
294 dmsg (D_PACKET_CONTENT, "SENT OCC_MTU_LOAD min_int(%d-%d-%d-%d,%d) size=%d",
295 c->c2.occ_mtu_load_size,
296 OCC_STRING_SIZE,
297 (int) sizeof (uint8_t),
298 EXTRA_FRAME (&c->c2.frame),
299 MAX_RW_SIZE_TUN (&c->c2.frame),
300 BLEN (&c->c2.buf));
301 doit = true;
302 }
303 break;
304
305 case OCC_EXIT:
306 if (!buf_write_u8 (&c->c2.buf, OCC_EXIT))
307 break;
308 dmsg (D_PACKET_CONTENT, "SENT OCC_EXIT");
309 doit = true;
310 break;
311 }
312
313 if (doit)
314 {
315 /*
316 * We will treat the packet like any other outgoing packet,
317 * compress, encrypt, sign, etc.
318 */
319 encrypt_sign (c, true);
320 }
321
322 c->c2.occ_op = -1;
323 }
324
325 void
326 process_received_occ_msg (struct context *c)
327 {
328 ASSERT (buf_advance (&c->c2.buf, OCC_STRING_SIZE));
329 switch (buf_read_u8 (&c->c2.buf))
330 {
331 case OCC_REQUEST:
332 dmsg (D_PACKET_CONTENT, "RECEIVED OCC_REQUEST");
333 c->c2.occ_op = OCC_REPLY;
334 break;
335
336 case OCC_MTU_REQUEST:
337 dmsg (D_PACKET_CONTENT, "RECEIVED OCC_MTU_REQUEST");
338 c->c2.occ_op = OCC_MTU_REPLY;
339 break;
340
341 case OCC_MTU_LOAD_REQUEST:
342 dmsg (D_PACKET_CONTENT, "RECEIVED OCC_MTU_LOAD_REQUEST");
343 c->c2.occ_mtu_load_size = buf_read_u16 (&c->c2.buf);
344 if (c->c2.occ_mtu_load_size >= 0)
345 c->c2.occ_op = OCC_MTU_LOAD;
346 break;
347
348 case OCC_REPLY:
349 dmsg (D_PACKET_CONTENT, "RECEIVED OCC_REPLY");
350 if (c->options.occ && !TLS_MODE (c) && c->c2.options_string_remote)
351 {
352 if (!options_cmp_equal_safe ((char *) BPTR (&c->c2.buf),
353 c->c2.options_string_remote,
354 c->c2.buf.len))
355 {
356 options_warning_safe ((char *) BPTR (&c->c2.buf),
357 c->c2.options_string_remote,
358 c->c2.buf.len);
359 }
360 }
361 event_timeout_clear (&c->c2.occ_interval);
362 break;
363
364 case OCC_MTU_REPLY:
365 dmsg (D_PACKET_CONTENT, "RECEIVED OCC_MTU_REPLY");
366 c->c2.max_recv_size_remote = buf_read_u16 (&c->c2.buf);
367 c->c2.max_send_size_remote = buf_read_u16 (&c->c2.buf);
368 if (c->options.mtu_test
369 && c->c2.max_recv_size_remote > 0
370 && c->c2.max_send_size_remote > 0)
371 {
372 msg (M_INFO, "NOTE: Empirical MTU test completed [Tried,Actual] local->remote=[%d,%d] remote->local=[%d,%d]",
373 c->c2.max_send_size_local,
374 c->c2.max_recv_size_remote,
375 c->c2.max_send_size_remote,
376 c->c2.max_recv_size_local);
377 if (!c->options.fragment
378 && c->options.proto == PROTO_UDPv4
379 && c->c2.max_send_size_local > TUN_MTU_MIN
380 && (c->c2.max_recv_size_remote < c->c2.max_send_size_local
381 || c->c2.max_recv_size_local < c->c2.max_send_size_remote))
382 msg (M_INFO, "NOTE: This connection is unable to accomodate a UDP packet size of %d. Consider using --fragment or --mssfix options as a workaround.",
383 c->c2.max_send_size_local);
384 }
385 event_timeout_clear (&c->c2.occ_mtu_load_test_interval);
386 break;
387
388 case OCC_EXIT:
389 dmsg (D_PACKET_CONTENT, "RECEIVED OCC_EXIT");
390 c->sig->signal_received = SIGTERM;
391 c->sig->signal_text = "remote-exit";
392 break;
393 }
394 c->c2.buf.len = 0; /* don't pass packet on */
395 }
396
397 #else
398 static void dummy(void) {}
399 #endif
Implementation of SATP