OpenVPN
ps.c
Go to the documentation of this file.
1/*
2 * OpenVPN -- An application to securely tunnel IP networks
3 * over a single UDP port, with support for SSL/TLS-based
4 * session authentication and key exchange,
5 * packet encryption, packet authentication, and
6 * packet compression.
7 *
8 * Copyright (C) 2002-2026 OpenVPN Inc <sales@openvpn.net>
9 *
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License version 2
12 * as published by the Free Software Foundation.
13 *
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
18 *
19 * You should have received a copy of the GNU General Public License along
20 * with this program; if not, see <https://www.gnu.org/licenses/>.
21 */
22
23#ifdef HAVE_CONFIG_H
24#include "config.h"
25#endif
26
27#include "syshead.h"
28
29#if PORT_SHARE
30
31#include "event.h"
32#include "socket.h"
33#include "fdmisc.h"
34#include "crypto.h"
35#include "ps.h"
36
37#include "memdbg.h"
38
39struct port_share *port_share = NULL; /* GLOBAL */
40
41/* size of i/o buffers */
42#define PROXY_CONNECTION_BUFFER_SIZE 1500
43
44/* Command codes for foreground -> background communication */
45#define COMMAND_REDIRECT 10
46#define COMMAND_EXIT 11
47
48/* Response codes for background -> foreground communication */
49#define RESPONSE_INIT_SUCCEEDED 20
50#define RESPONSE_INIT_FAILED 21
51
52/*
53 * Return values for proxy_connection_io functions
54 */
55
56#define IOSTAT_EAGAIN_ON_READ 0 /* recv returned EAGAIN */
57#define IOSTAT_EAGAIN_ON_WRITE 1 /* send returned EAGAIN */
58#define IOSTAT_READ_ERROR 2 /* the other end of our read socket (pc) was closed */
59#define IOSTAT_WRITE_ERROR 3 /* the other end of our write socket (pc->counterpart) was closed */
60#define IOSTAT_GOOD 4 /* nothing to report */
61
62/*
63 * A foreign (non-OpenVPN) connection we are proxying,
64 * usually HTTPS
65 */
66struct proxy_connection
67{
68 bool defined;
69 struct proxy_connection *next;
70 struct proxy_connection *counterpart;
71 struct buffer buf;
72 bool buffer_initial;
73 unsigned int rwflags;
74 int sd;
75 char *jfn;
76};
77
78#if 0
79static const char *
80headc(const struct buffer *buf)
81{
82 static char foo[16];
83 strncpy(foo, BSTR(buf), 15);
84 foo[15] = 0;
85 return foo;
86}
87#endif
88
89static inline void
90close_socket_if_defined(const socket_descriptor_t sd)
91{
92 if (socket_defined(sd))
93 {
94 openvpn_close_socket(sd);
95 }
96}
97
98/*
99 * Close most of parent's fds.
100 * Keep stdin/stdout/stderr, plus one
101 * other fd which is presumed to be
102 * our pipe back to parent.
103 * Admittedly, a bit of a kludge,
104 * but posix doesn't give us a kind
105 * of FD_CLOEXEC which will stop
106 * fds from crossing a fork().
107 */
108static void
109close_fds_except(int keep)
110{
111 socket_descriptor_t i;
112 closelog();
113 for (i = 3; i <= 100; ++i)
114 {
115 if (i != keep)
116 {
117 openvpn_close_socket(i);
118 }
119 }
120}
121
122/*
123 * Usually we ignore signals, because our parent will
124 * deal with them.
125 */
126static void
127set_signals(void)
128{
129 signal(SIGTERM, SIG_DFL);
130
131 signal(SIGINT, SIG_IGN);
132 signal(SIGHUP, SIG_IGN);
133 signal(SIGUSR1, SIG_IGN);
134 signal(SIGUSR2, SIG_IGN);
135 signal(SIGPIPE, SIG_IGN);
136}
137
138/*
139 * Socket read/write functions.
140 */
141
142static int
143recv_control(const socket_descriptor_t fd)
144{
145 unsigned char c;
146 const ssize_t size = read(fd, &c, sizeof(c));
147 if (size == sizeof(c))
148 {
149 return c;
150 }
151 else
152 {
153 return -1;
154 }
155}
156
157static int
158send_control(const socket_descriptor_t fd, int code)
159{
160 unsigned char c = (unsigned char)code;
161 const ssize_t size = write(fd, &c, sizeof(c));
162 if (size == sizeof(c))
163 {
164 return (int)size;
165 }
166 else
167 {
168 return -1;
169 }
170}
171
172static int
173cmsg_size(void)
174{
175 return CMSG_SPACE(sizeof(socket_descriptor_t));
176}
177
178/*
179 * Send a command (char), data (head), and a file descriptor (sd_send) to a local process
180 * over unix socket sd. Unfortunately, there's no portable way to send file descriptors
181 * to other processes, so this code, as well as its analog (control_message_from_parent below),
182 * is Linux-specific. This function runs in the context of the main process and is used to
183 * send commands, data, and file descriptors to the background process.
184 */
185static void
186port_share_sendmsg(const socket_descriptor_t sd, const char command, const struct buffer *head,
187 const socket_descriptor_t sd_send)
188{
189 if (socket_defined(sd))
190 {
191 struct msghdr mesg;
192 struct cmsghdr *h;
193 struct iovec iov[2];
194 socket_descriptor_t sd_null[2] = { SOCKET_UNDEFINED, SOCKET_UNDEFINED };
195 char cmd;
196 ssize_t status;
197
198 dmsg(D_PS_PROXY_DEBUG, "PORT SHARE: sendmsg sd=%d len=%d", (int)sd_send,
199 head ? BLEN(head) : -1);
200
201 CLEAR(mesg);
202
203 cmd = command;
204
205 iov[0].iov_base = &cmd;
206 iov[0].iov_len = sizeof(cmd);
207 mesg.msg_iovlen = 1;
208
209 if (head)
210 {
211 iov[1].iov_base = BPTR(head);
212 iov[1].iov_len = BLENZ(head);
213 mesg.msg_iovlen = 2;
214 }
215
216 mesg.msg_iov = iov;
217
218 mesg.msg_controllen = cmsg_size();
219 mesg.msg_control = (char *)malloc(mesg.msg_controllen);
220 check_malloc_return(mesg.msg_control);
221 mesg.msg_flags = 0;
222
223 h = CMSG_FIRSTHDR(&mesg);
224 h->cmsg_level = SOL_SOCKET;
225 h->cmsg_type = SCM_RIGHTS;
226 h->cmsg_len = CMSG_LEN(sizeof(socket_descriptor_t));
227
228 if (socket_defined(sd_send))
229 {
230 memcpy(CMSG_DATA(h), &sd_send, sizeof(sd_send));
231 }
232 else
233 {
234 socketpair(PF_UNIX, SOCK_DGRAM, 0, sd_null);
235 memcpy(CMSG_DATA(h), &sd_null[0], sizeof(sd_null[0]));
236 }
237
238 status = sendmsg(sd, &mesg, MSG_NOSIGNAL);
239 if (status == -1)
240 {
241 msg(M_WARN | M_ERRNO,
242 "PORT SHARE: sendmsg failed -- unable to communicate with background process (%d,%d,%d,%d)",
243 sd, sd_send, sd_null[0], sd_null[1]);
244 }
245
246 close_socket_if_defined(sd_null[0]);
247 close_socket_if_defined(sd_null[1]);
248 free(mesg.msg_control);
249 }
250}
251
252static void
253proxy_entry_close_sd(struct proxy_connection *pc, struct event_set *es)
254{
255 if (pc->defined && socket_defined(pc->sd))
256 {
257 dmsg(D_PS_PROXY_DEBUG, "PORT SHARE PROXY: delete sd=%d", (int)pc->sd);
258 if (es)
259 {
260 event_del(es, pc->sd);
261 }
262 openvpn_close_socket(pc->sd);
263 pc->sd = SOCKET_UNDEFINED;
264 }
265}
266
267/*
268 * Mark a proxy entry and its counterpart for close.
269 */
270static void
271proxy_entry_mark_for_close(struct proxy_connection *pc, struct event_set *es)
272{
273 if (pc->defined)
274 {
275 struct proxy_connection *cp = pc->counterpart;
276 proxy_entry_close_sd(pc, es);
277 free_buf(&pc->buf);
278 pc->buffer_initial = false;
279 pc->rwflags = 0;
280 pc->defined = false;
281 if (pc->jfn)
282 {
283 unlink(pc->jfn);
284 free(pc->jfn);
285 pc->jfn = NULL;
286 }
287 if (cp && cp->defined && cp->counterpart == pc)
288 {
289 proxy_entry_mark_for_close(cp, es);
290 }
291 }
292}
293
294/*
295 * Run through the proxy entry list and delete all entries marked
296 * for close.
297 */
298static void
299proxy_list_housekeeping(struct proxy_connection **list)
300{
301 if (list)
302 {
303 struct proxy_connection *prev = NULL;
304 struct proxy_connection *pc = *list;
305
306 while (pc)
307 {
308 struct proxy_connection *next = pc->next;
309 if (!pc->defined)
310 {
311 free(pc);
312 if (prev)
313 {
314 prev->next = next;
315 }
316 else
317 {
318 *list = next;
319 }
320 }
321 else
322 {
323 prev = pc;
324 }
325 pc = next;
326 }
327 }
328}
329
330/*
331 * Record IP/port of client in filesystem, so that server receiving
332 * the proxy can determine true client origin.
333 */
334static void
335journal_add(const char *journal_dir, struct proxy_connection *pc, struct proxy_connection *cp)
336{
337 struct openvpn_sockaddr from, to;
338
339 socklen_t slen = sizeof(from.addr);
340 socklen_t dlen = sizeof(to.addr);
341 if (!getpeername(pc->sd, (struct sockaddr *)&from.addr.sa, &slen)
342 && !getsockname(cp->sd, (struct sockaddr *)&to.addr.sa, &dlen))
343 {
344 struct gc_arena gc = gc_new();
345 const char *f = print_openvpn_sockaddr(&from, &gc);
346 const char *t = print_openvpn_sockaddr(&to, &gc);
347 size_t fnlen = strlen(journal_dir) + strlen(t) + 2;
348 char *jfn = (char *)malloc(fnlen);
349 check_malloc_return(jfn);
350 snprintf(jfn, fnlen, "%s/%s", journal_dir, t);
351 dmsg(D_PS_PROXY_DEBUG, "PORT SHARE PROXY: client origin %s -> %s", jfn, f);
352 int fd = platform_open(jfn, O_CREAT | O_TRUNC | O_WRONLY, S_IRUSR | S_IWUSR | S_IRGRP);
353 if (fd != -1)
354 {
355 ssize_t write_len = strlen(f);
356 if (write(fd, f, write_len) != write_len)
357 {
358 msg(M_WARN, "PORT SHARE: writing to journal file (%s) failed", jfn);
359 }
360 close(fd);
361 cp->jfn = jfn;
362 }
363 else
364 {
365 msg(M_WARN | M_ERRNO, "PORT SHARE: unable to write journal file in %s", jfn);
366 free(jfn);
367 }
368 gc_free(&gc);
369 }
370}
371
372/*
373 * Cleanup function, on proxy process exit.
374 */
375static void
376proxy_list_close(struct proxy_connection **list)
377{
378 if (list)
379 {
380 struct proxy_connection *pc = *list;
381 while (pc)
382 {
383 proxy_entry_mark_for_close(pc, NULL);
384 pc = pc->next;
385 }
386 proxy_list_housekeeping(list);
387 }
388}
389
390static inline void
391proxy_connection_io_requeue(struct proxy_connection *pc, const unsigned int rwflags_new,
392 struct event_set *es)
393{
394 if (socket_defined(pc->sd) && pc->rwflags != rwflags_new)
395 {
396 /*dmsg (D_PS_PROXY_DEBUG, "PORT SHARE PROXY: requeue[%d] rwflags=%u", (int)pc->sd,
397 * rwflags_new);*/
398 event_ctl(es, pc->sd, rwflags_new, (void *)pc);
399 pc->rwflags = rwflags_new;
400 }
401}
402
403/*
404 * Create a new pair of proxy_connection entries, one for each
405 * socket file descriptor involved in the proxy. We are given
406 * the client fd, and we should derive our own server fd by connecting
407 * to the server given by server_addr/server_port. Return true
408 * on success and false on failure to connect to server.
409 */
410static bool
411proxy_entry_new(struct proxy_connection **list, struct event_set *es,
412 const struct openvpn_sockaddr server_addr, const socket_descriptor_t sd_client,
413 struct buffer *initial_data, const char *journal_dir)
414{
415 socket_descriptor_t sd_server;
416 int status;
417 struct proxy_connection *pc;
418 struct proxy_connection *cp;
419
420 /* connect to port share server */
421 if ((sd_server = socket(server_addr.addr.sa.sa_family, SOCK_STREAM, IPPROTO_TCP)) < 0)
422 {
423 msg(M_WARN | M_ERRNO, "PORT SHARE PROXY: cannot create socket");
424 return false;
425 }
426 status = openvpn_connect(sd_server, &server_addr.addr.sa, 5, NULL);
427 if (status)
428 {
429 msg(M_WARN, "PORT SHARE PROXY: connect to port-share server failed");
430 openvpn_close_socket(sd_server);
431 return false;
432 }
433 dmsg(D_PS_PROXY_DEBUG, "PORT SHARE PROXY: connect to port-share server succeeded");
434
435 set_nonblock(sd_client);
436 set_nonblock(sd_server);
437
438 /* allocate 2 new proxy_connection objects */
439 ALLOC_OBJ_CLEAR(pc, struct proxy_connection);
440 ALLOC_OBJ_CLEAR(cp, struct proxy_connection);
441
442 /* client object */
443 pc->defined = true;
444 pc->next = cp;
445 pc->counterpart = cp;
446 pc->buf = *initial_data;
447 pc->buffer_initial = true;
448 pc->rwflags = EVENT_UNDEF;
449 pc->sd = sd_client;
450
451 /* server object */
452 cp->defined = true;
453 cp->next = *list;
454 cp->counterpart = pc;
455 cp->buf = alloc_buf(PROXY_CONNECTION_BUFFER_SIZE);
456 cp->buffer_initial = false;
457 cp->rwflags = EVENT_UNDEF;
458 cp->sd = sd_server;
459
460 /* add to list */
461 *list = pc;
462
463 /* add journal entry */
464 if (journal_dir)
465 {
466 journal_add(journal_dir, pc, cp);
467 }
468
469 dmsg(D_PS_PROXY_DEBUG, "PORT SHARE PROXY: NEW CONNECTION [c=%d s=%d]", (int)sd_client,
470 (int)sd_server);
471
472 /* set initial i/o states */
473 proxy_connection_io_requeue(pc, EVENT_READ, es);
474 proxy_connection_io_requeue(cp, EVENT_READ | EVENT_WRITE, es);
475
476 return true;
477}
478
479/*
480 * This function runs in the context of the background proxy process.
481 * Receive a control message from the parent (sent by the port_share_sendmsg
482 * function above) and act on it. Return false if the proxy process should
483 * exit, true otherwise.
484 */
485static bool
486control_message_from_parent(const socket_descriptor_t sd_control, struct proxy_connection **list,
487 struct event_set *es, const struct openvpn_sockaddr server_addr,
488 const int max_initial_buf, const char *journal_dir)
489{
490 /* this buffer needs to be large enough to handle the largest buffer
491 * that might be returned by the link_socket_read call in read_incoming_link. */
492 struct buffer buf = alloc_buf(max_initial_buf);
493
494 struct msghdr mesg;
495 struct cmsghdr *h;
496 struct iovec iov[2];
497 char command = 0;
498 ssize_t status;
499 int ret = true;
500
501 CLEAR(mesg);
502
503 iov[0].iov_base = &command;
504 iov[0].iov_len = sizeof(command);
505 iov[1].iov_base = BPTR(&buf);
506 iov[1].iov_len = BCAP(&buf);
507 mesg.msg_iov = iov;
508 mesg.msg_iovlen = 2;
509
510 mesg.msg_controllen = cmsg_size();
511 mesg.msg_control = (char *)malloc(mesg.msg_controllen);
512 check_malloc_return(mesg.msg_control);
513 mesg.msg_flags = 0;
514
515 h = CMSG_FIRSTHDR(&mesg);
516 h->cmsg_len = CMSG_LEN(sizeof(socket_descriptor_t));
517 h->cmsg_level = SOL_SOCKET;
518 h->cmsg_type = SCM_RIGHTS;
519 static const socket_descriptor_t socket_undefined = SOCKET_UNDEFINED;
520 memcpy(CMSG_DATA(h), &socket_undefined, sizeof(socket_undefined));
521
522 status = recvmsg(sd_control, &mesg, MSG_NOSIGNAL);
523 if (status != -1)
524 {
525 if (h == NULL || h->cmsg_len != CMSG_LEN(sizeof(socket_descriptor_t))
526 || h->cmsg_level != SOL_SOCKET || h->cmsg_type != SCM_RIGHTS)
527 {
528 msg(M_WARN, "PORT SHARE PROXY: received unknown message");
529 }
530 else
531 {
532 socket_descriptor_t received_fd;
533 memcpy(&received_fd, CMSG_DATA(h), sizeof(received_fd));
534 dmsg(D_PS_PROXY_DEBUG, "PORT SHARE PROXY: RECEIVED sd=%d", (int)received_fd);
535
536 if (status >= 2 && command == COMMAND_REDIRECT)
537 {
538 buf.len = (int)status - 1;
539 if (proxy_entry_new(list, es, server_addr, received_fd, &buf, journal_dir))
540 {
541 CLEAR(buf); /* we gave the buffer to proxy_entry_new */
542 }
543 else
544 {
545 openvpn_close_socket(received_fd);
546 }
547 }
548 else if (status >= 1 && command == COMMAND_EXIT)
549 {
550 dmsg(D_PS_PROXY_DEBUG, "PORT SHARE PROXY: RECEIVED COMMAND_EXIT");
551 openvpn_close_socket(received_fd); /* null socket */
552 ret = false;
553 }
554 }
555 }
556 free(mesg.msg_control);
557 free_buf(&buf);
558 return ret;
559}
560
561static int
562proxy_connection_io_recv(struct proxy_connection *pc)
563{
564 /* recv data from socket */
565 const ssize_t status = recv(pc->sd, BPTR(&pc->buf), BCAP(&pc->buf), MSG_NOSIGNAL);
566 if (status < 0)
567 {
568 return (errno == EAGAIN) ? IOSTAT_EAGAIN_ON_READ : IOSTAT_READ_ERROR;
569 }
570 else
571 {
572 if (!status)
573 {
574 return IOSTAT_READ_ERROR;
575 }
576 dmsg(D_PS_PROXY_DEBUG, "PORT SHARE PROXY: read[%d] %zd", (int)pc->sd, status);
577 pc->buf.len = (int)status;
578 }
579 return IOSTAT_GOOD;
580}
581
582static int
583proxy_connection_io_send(struct proxy_connection *pc, int *bytes_sent)
584{
585 const socket_descriptor_t sd = pc->counterpart->sd;
586 const ssize_t status = send(sd, BPTR(&pc->buf), BLENZ(&pc->buf), MSG_NOSIGNAL);
587
588 if (status < 0)
589 {
590 const int e = errno;
591 return (e == EAGAIN) ? IOSTAT_EAGAIN_ON_WRITE : IOSTAT_WRITE_ERROR;
592 }
593 else
594 {
595 *bytes_sent += (int)status;
596 if (status != pc->buf.len)
597 {
598 dmsg(D_PS_PROXY_DEBUG, "PORT SHARE PROXY: partial write[%d], tried=%d got=%zd", (int)sd,
599 pc->buf.len, status);
600 buf_advance(&pc->buf, status);
601 return IOSTAT_EAGAIN_ON_WRITE;
602 }
603 else
604 {
605 dmsg(D_PS_PROXY_DEBUG, "PORT SHARE PROXY: wrote[%d] %zd", (int)sd, status);
606 pc->buf.len = 0;
607 pc->buf.offset = 0;
608 }
609 }
610
611 /* realloc send buffer after initial send */
612 if (pc->buffer_initial)
613 {
614 free_buf(&pc->buf);
615 pc->buf = alloc_buf(PROXY_CONNECTION_BUFFER_SIZE);
616 pc->buffer_initial = false;
617 }
618 return IOSTAT_GOOD;
619}
620
621/*
622 * Forward data from pc to pc->counterpart.
623 */
624
625static int
626proxy_connection_io_xfer(struct proxy_connection *pc, const int max_transfer)
627{
628 int transferred = 0;
629 while (transferred < max_transfer)
630 {
631 if (!BLEN(&pc->buf))
632 {
633 const int status = proxy_connection_io_recv(pc);
634 if (status != IOSTAT_GOOD)
635 {
636 return status;
637 }
638 }
639
640 if (BLEN(&pc->buf))
641 {
642 const int status = proxy_connection_io_send(pc, &transferred);
643 if (status != IOSTAT_GOOD)
644 {
645 return status;
646 }
647 }
648 }
649 return IOSTAT_EAGAIN_ON_READ;
650}
651
652/*
653 * Decide how the receipt of an EAGAIN status should affect our next IO queueing.
654 */
655static bool
656proxy_connection_io_status(const int status, unsigned int *rwflags_pc, unsigned int *rwflags_cp)
657{
658 switch (status)
659 {
660 case IOSTAT_EAGAIN_ON_READ:
661 *rwflags_pc |= EVENT_READ;
662 *rwflags_cp &= ~EVENT_WRITE;
663 return true;
664
665 case IOSTAT_EAGAIN_ON_WRITE:
666 *rwflags_pc &= ~EVENT_READ;
667 *rwflags_cp |= EVENT_WRITE;
668 return true;
669
670 case IOSTAT_READ_ERROR:
671 return false;
672
673 case IOSTAT_WRITE_ERROR:
674 return false;
675
676 default:
677 msg(M_FATAL, "PORT SHARE PROXY: unexpected status=%d", status);
678 }
679 return false; /* NOTREACHED */
680}
681
682/*
683 * Dispatch function for forwarding data between the two socket fds involved
684 * in the proxied connection.
685 */
686static int
687proxy_connection_io_dispatch(struct proxy_connection *pc, const unsigned int rwflags,
688 struct event_set *es)
689{
690 const int max_transfer_per_iteration = 10000;
691 struct proxy_connection *cp = pc->counterpart;
692 unsigned int rwflags_pc = pc->rwflags;
693 unsigned int rwflags_cp = cp->rwflags;
694
695 ASSERT(pc->defined && cp->defined && cp->counterpart == pc);
696
697 if (rwflags & EVENT_READ)
698 {
699 const int status = proxy_connection_io_xfer(pc, max_transfer_per_iteration);
700 if (!proxy_connection_io_status(status, &rwflags_pc, &rwflags_cp))
701 {
702 goto bad;
703 }
704 }
705 if (rwflags & EVENT_WRITE)
706 {
707 const int status = proxy_connection_io_xfer(cp, max_transfer_per_iteration);
708 if (!proxy_connection_io_status(status, &rwflags_cp, &rwflags_pc))
709 {
710 goto bad;
711 }
712 }
713 proxy_connection_io_requeue(pc, rwflags_pc, es);
714 proxy_connection_io_requeue(cp, rwflags_cp, es);
715
716 return true;
717
718bad:
719 proxy_entry_mark_for_close(pc, es);
720 return false;
721}
722
723/*
724 * This is the main function for the port share proxy background process.
725 */
726static void
727port_share_proxy(const struct openvpn_sockaddr hostaddr, const socket_descriptor_t sd_control,
728 const int max_initial_buf, const char *journal_dir)
729{
730 if (send_control(sd_control, RESPONSE_INIT_SUCCEEDED) >= 0)
731 {
732 void *sd_control_marker = (void *)1;
733 int maxevents = 256;
734 struct event_set *es;
735 struct event_set_return esr[64];
736 struct proxy_connection *list = NULL;
737 time_t last_housekeeping = 0;
738
739 msg(D_PS_PROXY, "PORT SHARE PROXY: proxy starting");
740
741 es = event_set_init(&maxevents, 0);
742 event_ctl(es, sd_control, EVENT_READ, sd_control_marker);
743 while (true)
744 {
745 int n_events;
746 struct timeval tv;
747 time_t current;
748
749 tv.tv_sec = 10;
750 tv.tv_usec = 0;
751 n_events = event_wait(es, &tv, esr, SIZE(esr));
752 /*dmsg (D_PS_PROXY_DEBUG, "PORT SHARE PROXY: event_wait returned %d", n_events);*/
753 current = time(NULL);
754 if (n_events > 0)
755 {
756 int i;
757 for (i = 0; i < n_events; ++i)
758 {
759 const struct event_set_return *e = &esr[i];
760 if (e->arg == sd_control_marker)
761 {
762 if (!control_message_from_parent(sd_control, &list, es, hostaddr,
763 max_initial_buf, journal_dir))
764 {
765 goto done;
766 }
767 }
768 else
769 {
770 struct proxy_connection *pc = (struct proxy_connection *)e->arg;
771 if (pc->defined)
772 {
773 proxy_connection_io_dispatch(pc, e->rwflags, es);
774 }
775 }
776 }
777 }
778 else if (n_events < 0)
779 {
780 dmsg(D_PS_PROXY_DEBUG, "PORT SHARE PROXY: event_wait failed");
781 }
782 if (current > last_housekeeping)
783 {
784 proxy_list_housekeeping(&list);
785 last_housekeeping = current;
786 }
787 }
788
789done:
790 proxy_list_close(&list);
791 event_free(es);
792 }
793 msg(M_INFO, "PORT SHARE PROXY: proxy exiting");
794}
795
796/*
797 * Called from the main OpenVPN process to enable the port
798 * share proxy.
799 */
800struct port_share *
801port_share_open(const char *host, const char *port, const int max_initial_buf,
802 const char *journal_dir)
803{
804 socket_descriptor_t fd[2];
805 struct openvpn_sockaddr hostaddr;
806 struct port_share *ps;
807
808 ALLOC_OBJ_CLEAR(ps, struct port_share);
809 ps->foreground_fd = -1;
810 ps->background_pid = -1;
811
812 /*
813 * Get host's IP address
814 */
815 struct addrinfo *ai;
816 int status = openvpn_getaddrinfo(GETADDR_RESOLVE | GETADDR_FATAL, host, port,
817 0, NULL, AF_UNSPEC, &ai);
818 ASSERT(status == 0);
819 ASSERT(sizeof(hostaddr.addr) >= ai->ai_addrlen);
820 memcpy(&hostaddr.addr.sa, ai->ai_addr, ai->ai_addrlen);
821 freeaddrinfo(ai);
822
823 if (msg_test(D_PS_PROXY_DEBUG))
824 {
825 struct gc_arena gc = gc_new();
826 dmsg(D_PS_PROXY_DEBUG, "PORT SHARE PROXY: receiver will be %s",
827 print_openvpn_sockaddr(&hostaddr, &gc));
828 gc_free(&gc);
829 }
830
831 /*
832 * Make a socket for foreground and background processes
833 * to communicate.
834 */
835 if (socketpair(PF_UNIX, SOCK_DGRAM, 0, fd) == -1)
836 {
837 msg(M_WARN | M_ERRNO, "PORT SHARE: socketpair call failed");
838 goto error;
839 }
840
841 /*
842 * Fork off background proxy process.
843 */
844 pid_t pid = fork();
845
846 if (pid < 0)
847 {
848 msg(M_WARN | M_ERRNO, "PORT SHARE: fork failed");
849 goto error;
850 }
851 else if (pid)
852 {
853 /*
854 * Foreground Process
855 */
856
857 ps->background_pid = pid;
858
859 /* close our copy of child's socket */
860 openvpn_close_socket(fd[1]);
861
862 /* don't let future subprocesses inherit child socket */
863 set_cloexec(fd[0]);
864
865 /* wait for background child process to initialize */
866 int status = recv_control(fd[0]);
867 if (status == RESPONSE_INIT_SUCCEEDED)
868 {
869 /* note that this will cause possible EAGAIN when writing to
870 * control socket if proxy process is backlogged */
871 set_nonblock(fd[0]);
872
873 ps->foreground_fd = fd[0];
874 return ps;
875 }
876 else
877 {
878 msg(M_ERR, "PORT SHARE: unexpected init recv_control status=%d", status);
879 }
880 }
881 else
882 {
883 /*
884 * Background Process
885 */
886
887 /* Ignore most signals (the parent will receive them) */
888 set_signals();
889
890 /* Let msg know that we forked */
891 msg_forked();
892
893#ifdef ENABLE_MANAGEMENT
894 /* Don't interact with management interface */
895 management = NULL;
896#endif
897
898 /* close all parent fds except our socket back to parent */
899 close_fds_except(fd[1]);
900
901 /* no blocking on control channel back to parent */
902 set_nonblock(fd[1]);
903
904 /* execute the event loop */
905 port_share_proxy(hostaddr, fd[1], max_initial_buf, journal_dir);
906
907 openvpn_close_socket(fd[1]);
908
909 exit(0);
910 return NULL; /* NOTREACHED */
911 }
912
913error:
914 port_share_close(ps);
915 return NULL;
916}
917
918void
919port_share_close(struct port_share *ps)
920{
921 if (ps)
922 {
923 if (ps->foreground_fd >= 0)
924 {
925 /* tell background process to exit */
926 port_share_sendmsg(ps->foreground_fd, COMMAND_EXIT, NULL, SOCKET_UNDEFINED);
927
928 /* wait for background process to exit */
929 dmsg(D_PS_PROXY_DEBUG, "PORT SHARE: waiting for background process to exit");
930 if (ps->background_pid > 0)
931 {
932 waitpid(ps->background_pid, NULL, 0);
933 }
934 dmsg(D_PS_PROXY_DEBUG, "PORT SHARE: background process exited");
935
936 openvpn_close_socket(ps->foreground_fd);
937 ps->foreground_fd = -1;
938 }
939
940 free(ps);
941 }
942}
943
944void
945port_share_abort(struct port_share *ps)
946{
947 if (ps)
948 {
949 /* tell background process to exit */
950 if (ps->foreground_fd >= 0)
951 {
952 send_control(ps->foreground_fd, COMMAND_EXIT);
953 openvpn_close_socket(ps->foreground_fd);
954 ps->foreground_fd = -1;
955 }
956 }
957}
958
959/*
960 * Given either the first 2 or 3 bytes of an initial client -> server
961 * data payload, return true if the protocol is that of an OpenVPN
962 * client attempting to connect with an OpenVPN server.
963 */
964bool
965is_openvpn_protocol(const struct buffer *buf)
966{
967 const unsigned char *p = (const unsigned char *)BSTR(buf);
968 const int len = BLEN(buf);
969 if (len >= 3)
970 {
971 int plen = (p[0] << 8) | p[1];
972
973 if (p[2] == (P_CONTROL_HARD_RESET_CLIENT_V3 << P_OPCODE_SHIFT))
974 {
975 /* WKc is at least 290 byte (not including metadata):
976 *
977 * 16 bit len + 256 bit HMAC + 2048 bit Kc = 2320 bit
978 *
979 * This is increased by the normal length of client handshake +
980 * tls-crypt overhead (32)
981 *
982 * For metadata tls-crypt-v2.txt does not explicitly specify
983 * an upper limit but we also have TLS_CRYPT_V2_MAX_WKC_LEN
984 * as 1024 bytes. We err on the safe side with 255 extra overhead
985 *
986 * We don't do the 2 byte check for tls-crypt-v2 because it is very
987 * unrealistic to have only 2 bytes available.
988 */
989 return (plen >= 336 && plen < (1024 + 255));
990 }
991 else
992 {
993 /* For non tls-crypt2 we assume the packet length to valid between
994 * 14 and 255 */
995 return plen >= 14 && plen <= 255
996 && (p[2] == (P_CONTROL_HARD_RESET_CLIENT_V2 << P_OPCODE_SHIFT));
997 }
998 }
999 else if (len >= 2)
1000 {
1001 int plen = (p[0] << 8) | p[1];
1002 return plen >= 14 && plen <= 255;
1003 }
1004 else
1005 {
1006 return true;
1007 }
1008}
1009
1010/*
1011 * Called from the foreground process. Send a message to the background process that it
1012 * should proxy the TCP client on sd to the host/port defined in the initial port_share_open
1013 * call.
1014 */
1015void
1016port_share_redirect(struct port_share *ps, const struct buffer *head, socket_descriptor_t sd)
1017{
1018 if (ps)
1019 {
1020 port_share_sendmsg(ps->foreground_fd, COMMAND_REDIRECT, head, sd);
1021 }
1022}
1023
1024#endif /* if PORT_SHARE */
set_signals
static void set_signals(void)
Definition auth-pam.c:271
RESPONSE_INIT_SUCCEEDED
#define RESPONSE_INIT_SUCCEEDED
Definition auth-pam.c:61
recv_control
static int recv_control(int fd)
Definition auth-pam.c:141
COMMAND_EXIT
#define COMMAND_EXIT
Definition auth-pam.c:58
send_control
static int send_control(int fd, int code)
Definition auth-pam.c:157
close_fds_except
static void close_fds_except(int keep)
Definition auth-pam.c:253
free_buf
void free_buf(struct buffer *buf)
Definition buffer.c:184
alloc_buf
struct buffer alloc_buf(size_t size)
Definition buffer.c:63
BSTR
#define BSTR(buf)
Definition buffer.h:129
BPTR
#define BPTR(buf)
Definition buffer.h:123
buf_advance
static bool buf_advance(struct buffer *buf, ssize_t size)
Definition buffer.h:617
BLEN
#define BLEN(buf)
Definition buffer.h:126
BCAP
#define BCAP(buf)
Definition buffer.h:130
BLENZ
#define BLENZ(buf)
Definition buffer.h:127
check_malloc_return
static void check_malloc_return(void *p)
Definition buffer.h:1131
gc_free
static void gc_free(struct gc_arena *a)
Definition buffer.h:1049
ALLOC_OBJ_CLEAR
#define ALLOC_OBJ_CLEAR(dptr, type)
Definition buffer.h:1088
gc_new
static struct gc_arena gc_new(void)
Definition buffer.h:1041
crypto.h
Data Channel Cryptography Module.
D_PS_PROXY
#define D_PS_PROXY
Definition errlevel.h:91
M_INFO
#define M_INFO
Definition errlevel.h:54
D_PS_PROXY_DEBUG
#define D_PS_PROXY_DEBUG
Definition errlevel.h:144
event_set_init
struct event_set * event_set_init(int *maxevents, unsigned int flags)
Definition event.c:1187
event_free
static void event_free(struct event_set *es)
Definition event.h:159
event_del
static void event_del(struct event_set *es, event_t event)
Definition event.h:174
EVENT_UNDEF
#define EVENT_UNDEF
Definition event.h:36
event_wait
static int event_wait(struct event_set *es, const struct timeval *tv, struct event_set_return *out, int outlen)
Definition event.h:186
EVENT_WRITE
#define EVENT_WRITE
Definition event.h:38
EVENT_READ
#define EVENT_READ
Definition event.h:37
event_ctl
static void event_ctl(struct event_set *es, event_t event, unsigned int rwflags, void *arg)
Definition event.h:180
set_nonblock
void set_nonblock(socket_descriptor_t fd)
Definition fdmisc.c:68
set_cloexec
void set_cloexec(socket_descriptor_t fd)
Definition fdmisc.c:78
status
static SERVICE_STATUS status
Definition interactive.c:51
write
@ write
Definition interactive.c:213
read
@ read
Definition interactive.c:212
CLEAR
#define CLEAR(x)
Definition basic.h:32
SIZE
#define SIZE(x)
Definition basic.h:29
msg_forked
void msg_forked(void)
Definition error.c:95
msg_test
static bool msg_test(msglvl_t flags)
Return true if flags represent an enabled, not muted log level.
Definition error.h:258
M_FATAL
#define M_FATAL
Definition error.h:90
dmsg
#define dmsg(flags,...)
Definition error.h:172
M_ERR
#define M_ERR
Definition error.h:106
msg
#define msg(flags,...)
Definition error.h:152
ASSERT
#define ASSERT(x)
Definition error.h:219
M_WARN
#define M_WARN
Definition error.h:92
M_ERRNO
#define M_ERRNO
Definition error.h:95
platform_open
int platform_open(const char *path, int flags, int mode)
Definition platform.c:513
openvpn_connect
int openvpn_connect(socket_descriptor_t sd, const struct sockaddr *remote, int connect_timeout, volatile int *signal_received)
Definition socket.c:967
MSG_NOSIGNAL
#define MSG_NOSIGNAL
Definition socket.h:261
openvpn_close_socket
#define openvpn_close_socket(s)
Definition socket.h:266
openvpn_getaddrinfo
int openvpn_getaddrinfo(unsigned int flags, const char *hostname, const char *servname, int resolve_retry_seconds, struct signal_info *sig_info, int ai_family, struct addrinfo **res)
Definition socket_util.c:537
print_openvpn_sockaddr
static const char * print_openvpn_sockaddr(const struct openvpn_sockaddr *addr, struct gc_arena *gc)
Definition socket_util.h:71
GETADDR_FATAL
#define GETADDR_FATAL
Definition socket_util.h:118
GETADDR_RESOLVE
#define GETADDR_RESOLVE
Definition socket_util.h:117
P_OPCODE_SHIFT
#define P_OPCODE_SHIFT
Definition ssl_pkt.h:39
P_CONTROL_HARD_RESET_CLIENT_V2
#define P_CONTROL_HARD_RESET_CLIENT_V2
Definition ssl_pkt.h:51
P_CONTROL_HARD_RESET_CLIENT_V3
#define P_CONTROL_HARD_RESET_CLIENT_V3
Definition ssl_pkt.h:55
buffer
Wrapper structure for dynamically allocated memory.
Definition buffer.h:60
buffer::len
int len
Length in bytes of the actual content within the allocated memory.
Definition buffer.h:65
event_set_return
Definition event.h:122
event_set_return::rwflags
unsigned int rwflags
Definition event.h:123
event_set_return::arg
void * arg
Definition event.h:124
event_set
Definition event.h:128
gc_arena
Garbage collection arena used to keep track of dynamically allocated memory.
Definition buffer.h:116
gc_arena::list
struct gc_entry * list
First element of the linked list of gc_entry structures.
Definition buffer.h:117
openvpn_sockaddr
Definition socket_util.h:38
openvpn_sockaddr::addr
union openvpn_sockaddr::@27 addr
openvpn_sockaddr::sa
struct sockaddr sa
Definition socket_util.h:42
SIGHUP
#define SIGHUP
Definition syshead.h:55
SOCKET_UNDEFINED
#define SOCKET_UNDEFINED
Definition syshead.h:443
SIGINT
#define SIGINT
Definition syshead.h:56
SIGTERM
#define SIGTERM
Definition syshead.h:59
socket_descriptor_t
SOCKET socket_descriptor_t
Definition syshead.h:445
SIGUSR1
#define SIGUSR1
Definition syshead.h:57
socket_defined
static int socket_defined(const socket_descriptor_t sd)
Definition syshead.h:453
SIGUSR2
#define SIGUSR2
Definition syshead.h:58
es
struct env_set * es
Definition test_pkcs11.c:138
gc
struct gc_arena gc
Definition test_ssl.c:131
Generated by doxygen 1.9.8