From 8bc93d7ffbc127e0b095c7274a68eb0c175f93ae Mon Sep 17 00:00:00 2001 From: james Date: Sat, 15 Oct 2005 08:44:02 +0000 Subject: svn merge -r 618:619 $SO/patches/openvpn-2-0_rc16-mh/openvpn Merged --multihome patch + aggregated sockflags. Pre-2.1_beta3 git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@622 e7ae566f-a301-0410-adde-c780ea21d3b5 --- ssl.c | 92 +++++++++++++++++++++++++++++++++++++++---------------------------- 1 file changed, 53 insertions(+), 39 deletions(-) (limited to 'ssl.c') diff --git a/ssl.c b/ssl.c index 60516a8..2d65d82 100644 --- a/ssl.c +++ b/ssl.c @@ -374,7 +374,7 @@ extract_x509_field (const char *x509, const char *field_name, char *out, int siz static void setenv_untrusted (struct tls_session *session) { - setenv_sockaddr (session->opt->es, "untrusted", &session->untrusted_sockaddr, SA_IP_PORT); + setenv_link_socket_actual (session->opt->es, "untrusted", &session->untrusted_addr, SA_IP_PORT); } static void @@ -1860,7 +1860,7 @@ static void write_control_auth (struct tls_session *session, struct key_state *ks, struct buffer *buf, - struct sockaddr_in *to_link_addr, + struct link_socket_actual **to_link_addr, int opcode, int max_ack, bool prepend_ack) @@ -1868,7 +1868,7 @@ write_control_auth (struct tls_session *session, uint8_t *header; struct buffer null = clear_buf (); - ASSERT (addr_defined (&ks->remote_addr)); + ASSERT (link_socket_actual_defined (&ks->remote_addr)); ASSERT (reliable_ack_write (ks->rec_ack, buf, &ks->session_id_remote, max_ack, prepend_ack)); ASSERT (session_id_write_prepend (&session->session_id, buf)); @@ -1880,7 +1880,7 @@ write_control_auth (struct tls_session *session, openvpn_encrypt (buf, null, &session->tls_auth, NULL); ASSERT (swap_hmac (buf, &session->tls_auth, false)); } - *to_link_addr = ks->remote_addr; + *to_link_addr = &ks->remote_addr; } /* @@ -1889,7 +1889,7 @@ write_control_auth (struct tls_session *session, static bool read_control_auth (struct buffer *buf, const struct crypto_options *co, - const struct sockaddr_in *from) + const struct link_socket_actual *from) { struct gc_arena gc = gc_new (); @@ -1902,7 +1902,7 @@ read_control_auth (struct buffer *buf, { msg (D_TLS_ERRORS, "TLS Error: cannot locate HMAC in incoming packet from %s", - print_sockaddr (from, &gc)); + print_link_socket_actual (from, &gc)); gc_free (&gc); return false; } @@ -1914,7 +1914,7 @@ read_control_auth (struct buffer *buf, { msg (D_TLS_ERRORS, "TLS Error: incoming packet authentication failed from %s", - print_sockaddr (from, &gc)); + print_link_socket_actual (from, &gc)); gc_free (&gc); return false; } @@ -2803,7 +2803,7 @@ static bool tls_process (struct tls_multi *multi, struct tls_session *session, struct buffer *to_link, - struct sockaddr_in *to_link_addr, + struct link_socket_actual **to_link_addr, struct link_socket_info *to_link_socket_info, interval_t *wakeup) { @@ -3197,7 +3197,7 @@ error: bool tls_multi_process (struct tls_multi *multi, struct buffer *to_link, - struct sockaddr_in *to_link_addr, + struct link_socket_actual **to_link_addr, struct link_socket_info *to_link_socket_info, interval_t *wakeup) { @@ -3223,7 +3223,7 @@ tls_multi_process (struct tls_multi *multi, /* set initial remote address */ if (i == TM_ACTIVE && ks->state == S_INITIAL && - addr_defined (&to_link_socket_info->lsa->actual)) + link_socket_actual_defined (&to_link_socket_info->lsa->actual)) ks->remote_addr = to_link_socket_info->lsa->actual; dmsg (D_TLS_DEBUG, @@ -3232,16 +3232,29 @@ tls_multi_process (struct tls_multi *multi, state_name (ks->state), session_id_print (&session->session_id, &gc), session_id_print (&ks->session_id_remote, &gc), - print_sockaddr (&ks->remote_addr, &gc)); + print_link_socket_actual (&ks->remote_addr, &gc)); - if (ks->state >= S_INITIAL && addr_defined (&ks->remote_addr)) + if (ks->state >= S_INITIAL && link_socket_actual_defined (&ks->remote_addr)) { + struct link_socket_actual *tla = NULL; + update_time (); - if (tls_process (multi, session, to_link, to_link_addr, + if (tls_process (multi, session, to_link, &tla, to_link_socket_info, wakeup)) active = true; + /* + * If tls_process produced an outgoing packet, + * return the link_socket_actual object (which + * contains the outgoing address). + */ + if (tla) + { + multi->to_link_addr = *tla; + *to_link_addr = &multi->to_link_addr; + } + /* * If tls_process hits an error: * (1) If the session has an unexpired lame duck key, preserve it. @@ -3361,7 +3374,7 @@ tls_multi_process (struct tls_multi *multi, bool tls_pre_decrypt (struct tls_multi *multi, - struct sockaddr_in *from, + const struct link_socket_actual *from, struct buffer *buf, struct crypto_options *opt) { @@ -3403,7 +3416,7 @@ tls_pre_decrypt (struct tls_multi *multi, if (DECRYPT_KEY_ENABLED (multi, ks) && key_id == ks->key_id && ks->authenticated - && addr_port_match(from, &ks->remote_addr)) + && link_socket_actual_match (from, &ks->remote_addr)) { /* return appropriate data channel decrypt key in opt */ opt->key_ctx_bi = &ks->key; @@ -3416,7 +3429,7 @@ tls_pre_decrypt (struct tls_multi *multi, ks->n_bytes += buf->len; dmsg (D_TLS_DEBUG, "TLS: data channel, key_id=%d, IP=%s", - key_id, print_sockaddr (from, &gc)); + key_id, print_link_socket_actual (from, &gc)); gc_free (&gc); return ret; } @@ -3429,14 +3442,14 @@ tls_pre_decrypt (struct tls_multi *multi, key_id, ks->key_id, ks->authenticated, - addr_port_match (from, &ks->remote_addr)); + link_socket_actual_match (from, &ks->remote_addr)); } #endif } msg (D_TLS_ERRORS, "TLS Error: local/remote TLS keys are out of sync: %s [%d]", - print_sockaddr (from, &gc), key_id); + print_link_socket_actual (from, &gc), key_id); goto error; } else /* control channel packet */ @@ -3450,7 +3463,7 @@ tls_pre_decrypt (struct tls_multi *multi, { msg (D_TLS_ERRORS, "TLS Error: unknown opcode received from %s op=%d", - print_sockaddr (from, &gc), op); + print_link_socket_actual (from, &gc), op); goto error; } @@ -3465,7 +3478,7 @@ tls_pre_decrypt (struct tls_multi *multi, { msg (D_TLS_ERRORS, "TLS Error: client->client or server->server connection attempted from %s", - print_sockaddr (from, &gc)); + print_link_socket_actual (from, &gc)); goto error; } } @@ -3474,7 +3487,7 @@ tls_pre_decrypt (struct tls_multi *multi, * Authenticate Packet */ dmsg (D_TLS_DEBUG, "TLS: control channel, op=%s, IP=%s", - packet_opcode_name (op), print_sockaddr (from, &gc)); + packet_opcode_name (op), print_link_socket_actual (from, &gc)); /* get remote session-id */ { @@ -3484,7 +3497,7 @@ tls_pre_decrypt (struct tls_multi *multi, { msg (D_TLS_ERRORS, "TLS Error: session-id not found in packet from %s", - print_sockaddr (from, &gc)); + print_link_socket_actual (from, &gc)); goto error; } } @@ -3501,9 +3514,9 @@ tls_pre_decrypt (struct tls_multi *multi, state_name (ks->state), session_id_print (&session->session_id, &gc), session_id_print (&sid, &gc), - print_sockaddr (from, &gc), + print_link_socket_actual (from, &gc), session_id_print (&ks->session_id_remote, &gc), - print_sockaddr (&ks->remote_addr, &gc)); + print_link_socket_actual (&ks->remote_addr, &gc)); if (session_id_equal (&ks->session_id_remote, &sid)) /* found a match */ @@ -3548,7 +3561,7 @@ tls_pre_decrypt (struct tls_multi *multi, { msg (D_TLS_ERRORS, "TLS Error: Cannot accept new session request from %s due to --single-session [1]", - print_sockaddr (from, &gc)); + print_link_socket_actual (from, &gc)); goto error; } @@ -3564,13 +3577,13 @@ tls_pre_decrypt (struct tls_multi *multi, msg (D_TLS_DEBUG_LOW, "TLS: Initial packet from %s, sid=%s", - print_sockaddr (from, &gc), + print_link_socket_actual (from, &gc), session_id_print (&sid, &gc)); do_burst = true; new_link = true; i = TM_ACTIVE; - session->untrusted_sockaddr = *from; + session->untrusted_addr = *from; } } @@ -3590,7 +3603,7 @@ tls_pre_decrypt (struct tls_multi *multi, { msg (D_TLS_ERRORS, "TLS Error: Cannot accept new session request from %s due to --single-session [2]", - print_sockaddr (from, &gc)); + print_link_socket_actual (from, &gc)); goto error; } @@ -3613,11 +3626,11 @@ tls_pre_decrypt (struct tls_multi *multi, */ msg (D_TLS_DEBUG_LOW, "TLS: new session incoming connection from %s", - print_sockaddr (from, &gc)); + print_link_socket_actual (from, &gc)); new_link = true; i = TM_UNTRUSTED; - session->untrusted_sockaddr = *from; + session->untrusted_addr = *from; } else { @@ -3631,7 +3644,7 @@ tls_pre_decrypt (struct tls_multi *multi, { msg (D_TLS_ERRORS, "TLS Error: Unroutable control packet received from %s (si=%d op=%s)", - print_sockaddr (from, &gc), + print_link_socket_actual (from, &gc), i, packet_opcode_name (op)); goto error; @@ -3640,10 +3653,10 @@ tls_pre_decrypt (struct tls_multi *multi, /* * Verify remote IP address */ - if (!new_link && !addr_port_match (&ks->remote_addr, from)) + if (!new_link && !link_socket_actual_match (&ks->remote_addr, from)) { msg (D_TLS_ERRORS, "TLS Error: Received control packet from unexpected IP addr: %s", - print_sockaddr (from, &gc)); + print_link_socket_actual (from, &gc)); goto error; } @@ -3705,11 +3718,11 @@ tls_pre_decrypt (struct tls_multi *multi, ks->remote_addr = *from; ++multi->n_sessions; } - else if (!addr_port_match (&ks->remote_addr, from)) + else if (!link_socket_actual_match (&ks->remote_addr, from)) { msg (D_TLS_ERRORS, "TLS Error: Existing session control channel packet from unknown IP address: %s", - print_sockaddr (from, &gc)); + print_link_socket_actual (from, &gc)); goto error; } @@ -3807,8 +3820,9 @@ tls_pre_decrypt (struct tls_multi *multi, */ bool tls_pre_decrypt_lite (const struct tls_auth_standalone *tas, - const struct sockaddr_in *from, + const struct link_socket_actual *from, const struct buffer *buf) + { struct gc_arena gc = gc_new (); bool ret = false; @@ -3835,7 +3849,7 @@ tls_pre_decrypt_lite (const struct tls_auth_standalone *tas, */ dmsg (D_TLS_STATE_ERRORS, "TLS State Error: No TLS state for client %s, opcode=%d", - print_sockaddr (from, &gc), + print_link_socket_actual (from, &gc), op); goto error; } @@ -3845,7 +3859,7 @@ tls_pre_decrypt_lite (const struct tls_auth_standalone *tas, dmsg (D_TLS_STATE_ERRORS, "TLS State Error: Unknown key ID (%d) received from %s -- 0 was expected", key_id, - print_sockaddr (from, &gc)); + print_link_socket_actual (from, &gc)); goto error; } @@ -3854,7 +3868,7 @@ tls_pre_decrypt_lite (const struct tls_auth_standalone *tas, dmsg (D_TLS_STATE_ERRORS, "TLS State Error: Large packet (size %d) received from %s -- a packet no larger than %d bytes was expected", buf->len, - print_sockaddr (from, &gc), + print_link_socket_actual (from, &gc), EXPANDED_SIZE_DYNAMIC (&tas->frame)); goto error; } -- cgit