diff options
Diffstat (limited to 'openvpn/src')
-rw-r--r-- | openvpn/src/openvpn/init.c | 37 | ||||
-rw-r--r-- | openvpn/src/openvpn/manage.c | 2 | ||||
-rw-r--r-- | openvpn/src/openvpn/options.c | 23 | ||||
-rw-r--r-- | openvpn/src/openvpn/options.h | 6 | ||||
-rw-r--r-- | openvpn/src/openvpn/push.c | 3 | ||||
-rw-r--r-- | openvpn/src/openvpn/socket.c | 360 | ||||
-rw-r--r-- | openvpn/src/openvpn/socket.h | 98 | ||||
-rw-r--r-- | openvpn/src/openvpn/ssl_openssl.c | 3 | ||||
-rw-r--r-- | openvpn/src/openvpn/tun.c | 4 |
9 files changed, 319 insertions, 217 deletions
diff --git a/openvpn/src/openvpn/init.c b/openvpn/src/openvpn/init.c index 1beca959..5979e0bb 100644 --- a/openvpn/src/openvpn/init.c +++ b/openvpn/src/openvpn/init.c @@ -1,4 +1,4 @@ -/* + /* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, @@ -306,9 +306,9 @@ init_connection_list (struct context *c) /* * Clear the remote address list */ -static void clear_remote_addrlist (struct link_socket_addr *lsa) +static void clear_remote_addrlist (struct link_socket_addr *lsa, bool freeaddr) { - if (lsa->remote_list) { + if (lsa->remote_list && freeaddr) { freeaddrinfo(lsa->remote_list); } lsa->remote_list = NULL; @@ -325,7 +325,7 @@ next_connection_entry (struct context *c) bool ce_defined; struct connection_entry *ce; int n_cycles = 0; - + do { ce_defined = true; if (c->options.no_advance && l->current >= 0) @@ -348,19 +348,18 @@ next_connection_entry (struct context *c) * this is broken probably ever since connection lists and multiple * remote existed */ - if (!c->options.persist_remote_ip) - clear_remote_addrlist (&c->c1.link_socket_addr); + clear_remote_addrlist (&c->c1.link_socket_addr, !c->options.resolve_in_advance); else c->c1.link_socket_addr.current_remote = c->c1.link_socket_addr.remote_list; - + /* * Increase the number of connection attempts * If this is connect-retry-max * size(l) * OpenVPN will quit */ - + c->options.unsuccessful_attempts++; if (++l->current >= l->len) @@ -399,7 +398,7 @@ next_connection_entry (struct context *c) } #endif } while (!ce_defined); - + /* Check if this connection attempt would bring us over the limit */ if (c->options.connect_retry_max > 0 && c->options.unsuccessful_attempts > (l->len * c->options.connect_retry_max)) @@ -560,6 +559,8 @@ context_init_1 (struct context *c) } #endif + if (c->options.resolve_in_advance) + do_preresolve(c); } void @@ -1254,7 +1255,7 @@ void initialization_sequence_completed (struct context *c, const unsigned int flags) { static const char message[] = "Initialization Sequence Completed"; - + /* Reset the unsuccessful connection counter on complete initialisation */ c->options.unsuccessful_attempts=0; @@ -2686,8 +2687,10 @@ do_init_socket_1 (struct context *c, const int mode) link_socket_init_phase1 (c->c2.link_socket, c->options.ce.local, c->options.ce.local_port, + c->options.ce.preresolved_local, c->options.ce.remote, c->options.ce.remote_port, + c->options.ce.preresolved_remote, c->options.ce.proto, c->options.ce.af, c->options.ce.bind_ipv6_only, @@ -2908,7 +2911,7 @@ do_close_link_socket (struct context *c) || c->options.no_advance)) ))) { - clear_remote_addrlist(&c->c1.link_socket_addr); + clear_remote_addrlist(&c->c1.link_socket_addr, !c->options.resolve_in_advance); } /* Clear the remote actual address when persist_remote_ip is not in use */ @@ -2916,7 +2919,7 @@ do_close_link_socket (struct context *c) CLEAR (c->c1.link_socket_addr.actual); if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_local_ip)) { - if (c->c1.link_socket_addr.bind_local) + if (c->c1.link_socket_addr.bind_local && !c->options.resolve_in_advance) freeaddrinfo(c->c1.link_socket_addr.bind_local); c->c1.link_socket_addr.bind_local=NULL; } @@ -3359,6 +3362,13 @@ init_instance (struct context *c, const struct env_set *env, const unsigned int goto sig; } + if (c->options.resolve_in_advance) + { + do_preresolve(c); + if (IS_SIG (c)) + goto sig; + } + /* map in current connection entry */ next_connection_entry (c); @@ -3433,7 +3443,7 @@ init_instance (struct context *c, const struct env_set *env, const unsigned int /* allocate our socket object */ if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP) do_link_socket_new (c); - + #ifdef ENABLE_FRAGMENT /* initialize internal fragmentation object */ if (options->ce.fragment && (c->mode == CM_P2P || child)) @@ -3795,6 +3805,7 @@ test_crypto_thread (void *arg) ASSERT (options->test_crypto); init_verb_mute (c, IVM_LEVEL_1); context_init_1 (c); + next_connection_entry(c); do_init_crypto_static (c, 0); frame_finalize_options (c, options); diff --git a/openvpn/src/openvpn/manage.c b/openvpn/src/openvpn/manage.c index 8217ead2..352021bd 100644 --- a/openvpn/src/openvpn/manage.c +++ b/openvpn/src/openvpn/manage.c @@ -2611,7 +2611,7 @@ management_post_tunnel_open (struct management *man, const in_addr_t tun_local_i /* listen on our local TUN/TAP IP address */ struct in_addr ia; int ret; - + ia.s_addr = htonl(tun_local_ip); ret = openvpn_getaddrinfo(0, inet_ntoa(ia), NULL, 0, NULL, AF_INET, &man->settings.local); diff --git a/openvpn/src/openvpn/options.c b/openvpn/src/openvpn/options.c index cfbbfb4f..07a9b896 100644 --- a/openvpn/src/openvpn/options.c +++ b/openvpn/src/openvpn/options.c @@ -780,7 +780,7 @@ init_options (struct options *o, const bool init_gc) o->topology = TOP_NET30; o->ce.proto = PROTO_UDP; o->ce.af = AF_UNSPEC; - o->ce.bind_local=false; + o->ce.bind_ipv6_only = false; o->ce.connect_retry_seconds = 5; o->ce.connect_timeout = 10; o->connect_retry_max = 0; @@ -796,6 +796,7 @@ init_options (struct options *o, const bool init_gc) o->route_delay_window = 30; o->max_routes = MAX_ROUTES_DEFAULT; o->resolve_retry_seconds = RESOLV_RETRY_INFINITE; + o->resolve_in_advance = false; o->proto_force = -1; #ifdef ENABLE_OCC o->occ = true; @@ -1369,6 +1370,7 @@ show_connection_entry (const struct connection_entry *o) SHOW_BOOL (remote_float); SHOW_BOOL (bind_defined); SHOW_BOOL (bind_local); + SHOW_BOOL (bind_ipv6_only); SHOW_INT (connect_retry_seconds); SHOW_INT (connect_timeout); @@ -1494,6 +1496,7 @@ show_settings (const struct options *o) #endif SHOW_INT (resolve_retry_seconds); + SHOW_BOOL (resolve_in_advance); SHOW_STR (username); SHOW_STR (groupname); @@ -2038,7 +2041,7 @@ options_postprocess_verify_ce (const struct options *options, const struct conne if (ce->socks_proxy_server) msg (M_USAGE, "--socks-proxy cannot be used with --mode server"); #endif - /* <connection> blocks force to have a remote embedded, so we check for the + /* <connection> blocks force to have a remote embedded, so we check for the * --remote and bail out if it is present */ if (options->connection_list->len >1 || options->connection_list->array[0]->remote) @@ -2486,6 +2489,7 @@ options_postprocess_verify (const struct options *o) static void options_postprocess_mutate (struct options *o) { + int i; /* * Process helper-type options which map to other, more complex * sequences of options. @@ -2502,13 +2506,12 @@ options_postprocess_mutate (struct options *o) * Convert remotes into connection list */ const struct remote_list *rl = o->remote_list; - int i; for (i = 0; i < rl->len; ++i) { const struct remote_entry *re = rl->array[i]; struct connection_entry ce = o->ce; struct connection_entry *ace; - + ASSERT (re->remote); connection_entry_load_re (&ce, re); ace = alloc_connection_entry (o, M_USAGE); @@ -2525,10 +2528,9 @@ options_postprocess_mutate (struct options *o) } ASSERT (o->connection_list); - int i; for (i = 0; i < o->connection_list->len; ++i) options_postprocess_mutate_ce (o, o->connection_list->array[i]); - + #if HTTP_PROXY_OVERRIDE if (o->http_proxy_override) options_postprocess_http_proxy_override(o); @@ -4481,6 +4483,15 @@ add_option (struct options *options, else options->resolve_retry_seconds = positive_atoi (p[1]); } + else if (streq (p[0], "preresolve") || streq (p[0], "ip-remote-hint")) + { + VERIFY_PERMISSION (OPT_P_GENERAL); + options->resolve_in_advance = true; + /* Note the ip-remote-hint and the argument p[1] are for + backward compatibility */ + if (p[1]) + options->ip_remote_hint=p[1]; + } else if (streq (p[0], "connect-retry") && p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION); diff --git a/openvpn/src/openvpn/options.h b/openvpn/src/openvpn/options.h index dda9658a..ddeb8b38 100644 --- a/openvpn/src/openvpn/options.h +++ b/openvpn/src/openvpn/options.h @@ -90,9 +90,11 @@ struct connection_entry sa_family_t af; const char* local_port; bool local_port_defined; - const char* remote_port; + const char *remote_port; const char *local; const char *remote; + struct addrinfo *preresolved_remote; + struct addrinfo *preresolved_local; bool remote_float; bool bind_defined; bool bind_ipv6_only; @@ -278,6 +280,8 @@ struct options #endif int resolve_retry_seconds; /* If hostname resolve fails, retry for n seconds */ + bool resolve_in_advance; + const char *ip_remote_hint; struct tuntap_options tuntap_options; diff --git a/openvpn/src/openvpn/push.c b/openvpn/src/openvpn/push.c index 994b7ba7..bd08cff7 100644 --- a/openvpn/src/openvpn/push.c +++ b/openvpn/src/openvpn/push.c @@ -49,7 +49,8 @@ void receive_auth_failed (struct context *c, const struct buffer *buffer) { msg (M_VERB0, "AUTH: Received control message: %s", BSTR(buffer)); - c->options.no_advance=true; + c->options.no_advance=true; + if (c->options.pull) { switch (auth_retry_get ()) diff --git a/openvpn/src/openvpn/socket.c b/openvpn/src/openvpn/socket.c index 2605f854..05ae9e91 100644 --- a/openvpn/src/openvpn/socket.c +++ b/openvpn/src/openvpn/socket.c @@ -39,6 +39,7 @@ #include "manage.h" #include "misc.h" #include "manage.h" +#include "openvpn.h" #include "memdbg.h" @@ -118,6 +119,59 @@ getaddr (unsigned int flags, } +void +do_preresolve(struct context *c) +{ + int i; + struct connection_list *l = c->options.connection_list; + + + for (i = 0; i < l->len; ++i) { + int status; + const char *remote; + struct connection_entry* ce = c->options.connection_list->array[i]; + unsigned int flags = GETADDR_RESOLVE|GETADDR_UPDATE_MANAGEMENT_STATE| + GETADDR_MENTION_RESOLVE_RETRY|GETADDR_FATAL; + + if (proto_is_dgram(ce->proto)) + flags |= GETADDR_DATAGRAM; + + if (c->options.sockflags & SF_HOST_RANDOMIZE) + flags |= GETADDR_RANDOMIZE; + + if (c->options.ip_remote_hint) + remote = c->options.ip_remote_hint; + else + remote = ce->remote; + + if (! ce->preresolved_remote) + { + status = openvpn_getaddrinfo (flags, remote, ce->remote_port, + c->options.resolve_retry_seconds, NULL, + ce->af, &ce->preresolved_remote); + + if (status != 0) + goto err; + } + + flags |= GETADDR_PASSIVE; + if (ce->bind_local && !ce->preresolved_local) + { + status = openvpn_getaddrinfo (flags, ce->local, ce->local_port, + c->options.resolve_retry_seconds, NULL, + ce->af, &ce->preresolved_local); + + if (status != 0) + goto err; + } + + } + return; + + err: + throw_signal_soft (SIGUSR1, "Preresolving failed"); +} + /* * Translate IPv4/IPv6 addr or hostname into struct addrinfo * If resolve error, try again for resolve_retry_seconds seconds. @@ -275,8 +329,8 @@ openvpn_getaddrinfo (unsigned int flags, /* hostname resolve succeeded */ - /* - * Do not chose an IP Addresse by random or change the order * + /* + * Do not choose an IP Addresse by random or change the order * * of IP addresses, doing so will break RFC 3484 address selection * */ } @@ -627,7 +681,7 @@ create_socket_udp (const int af, const unsigned int flags) else if (flags & SF_USE_IP_PKTINFO) { int pad = 1; - if(af == AF_INET) + if(af == AF_INET) { #ifdef IP_PKTINFO if (setsockopt (sd, SOL_IP, IP_PKTINFO, @@ -640,8 +694,8 @@ create_socket_udp (const int af, const unsigned int flags) #else #error ENABLE_IP_PKTINFO is set without IP_PKTINFO xor IP_RECVDSTADDR (fix syshead.h) #endif - } - else if (af == AF_INET6 ) + } + else if (af == AF_INET6 ) { #ifndef IPV6_RECVPKTINFO /* Some older Darwin platforms require this */ if (setsockopt (sd, IPPROTO_IPV6, IPV6_PKTINFO, @@ -665,7 +719,7 @@ create_socket (struct link_socket *sock) int ai_family = sock->info.lsa->actual.ai_family; ASSERT (sock->info.af == AF_UNSPEC || sock->info.af == ai_family); - + if (ai_proto == IPPROTO_UDP) { sock->sd = create_socket_udp (ai_family, sock->sockflags); @@ -686,10 +740,9 @@ create_socket (struct link_socket *sock) } /* set socket buffers based on --sndbuf and --rcvbuf options */ socket_set_buffers (sock->sd, &sock->socket_buffer_sizes); - + /* set socket to --mark packets with given value */ socket_set_mark (sock->sd, sock->mark); - } #ifdef TARGET_ANDROID @@ -898,13 +951,12 @@ socket_bind (socket_descriptor_t sd, * For example if an address has multiple A records * What is the correct way to deal with it? */ - + struct addrinfo* cur; - int v6only= ipv6only ? 0: 1; - + ASSERT(local); - - + + /* find the first addrinfo with correct ai_family */ for (cur = local; cur; cur=cur->ai_next) { @@ -917,9 +969,11 @@ socket_bind (socket_descriptor_t sd, if (ai_family == AF_INET6) { + int v6only = ipv6only ? 0: 1; /* setsockopt must have an "int" */ + if (setsockopt(sd, IPPROTO_IPV6, IPV6_V6ONLY, &v6only, sizeof(v6only))) { - msg (M_NONFATAL|M_ERRNO, "Setting IPV6_V6ONLY failed"); + msg (M_NONFATAL|M_ERRNO, "Setting IPV6_V6ONLY=%d failed", v6only); } } if (bind (sd, cur->ai_addr, cur->ai_addrlen)) @@ -1023,7 +1077,7 @@ void set_actual_address (struct link_socket_actual* actual, struct addrinfo* ai) { CLEAR (*actual); ASSERT (ai); - + if (ai->ai_family == AF_INET) actual->dest.addr.in4 = *((struct sockaddr_in*) ai->ai_addr); @@ -1032,7 +1086,7 @@ void set_actual_address (struct link_socket_actual* actual, struct addrinfo* ai) *((struct sockaddr_in6*) ai->ai_addr); else ASSERT(0); - + /* Copy addrinfo sock parameters for socket creating */ actual->ai_family = ai->ai_family; actual->ai_protocol = ai->ai_protocol; @@ -1047,9 +1101,9 @@ socket_connect (socket_descriptor_t *sd, { struct gc_arena gc = gc_new (); const struct sockaddr *dest = &lsa->actual.dest.addr.sa; - + int status; - + #ifdef CONNECT_NONBLOCK msg (M_INFO, "Attempting to establish TCP connection with %s [nonblock]", print_sockaddr (dest, &gc)); @@ -1057,14 +1111,14 @@ socket_connect (socket_descriptor_t *sd, msg (M_INFO, "Attempting to establish TCP connection with %s", print_sockaddr (dest, &gc)); #endif - + #ifdef ENABLE_MANAGEMENT if (management) management_set_state (management, - OPENVPN_STATE_TCP_CONNECT, - NULL, - (in_addr_t)0, - (in_addr_t)0); + OPENVPN_STATE_TCP_CONNECT, + NULL, + (in_addr_t)0, + (in_addr_t)0); #endif /* Set the actual address */ @@ -1154,7 +1208,13 @@ resolve_bind_local (struct link_socket *sock, const sa_family_t af) flags |= GETADDR_DATAGRAM; /* will return AF_{INET|INET6}from local_host */ - status = openvpn_getaddrinfo(flags, sock->local_host, sock->local_port, 0, + if (sock->preresolved_local) + { + status=0; + sock->info.lsa->bind_local=sock->preresolved_local; + } + else + status = openvpn_getaddrinfo(flags, sock->local_host, sock->local_port, 0, NULL, af, &sock->info.lsa->bind_local); if(status !=0) { @@ -1192,104 +1252,104 @@ resolve_remote (struct link_socket *sock, { struct gc_arena gc = gc_new (); - if (!sock->did_resolve_remote) + /* resolve remote address if undefined */ + if (!sock->info.lsa->remote_list) { - /* resolve remote address if undefined */ - if (!sock->info.lsa->remote_list) + if (sock->remote_host) { - if (sock->remote_host) + unsigned int flags = sf2gaf(GETADDR_RESOLVE|GETADDR_UPDATE_MANAGEMENT_STATE, sock->sockflags); + int retry = 0; + int status = -1; + struct addrinfo* ai; + if (proto_is_dgram(sock->info.proto)) + flags |= GETADDR_DATAGRAM; + + if (sock->resolve_retry_seconds == RESOLV_RETRY_INFINITE) + { + if (phase == 2) + flags |= (GETADDR_TRY_ONCE | GETADDR_FATAL); + retry = 0; + } + else if (phase == 1) { - unsigned int flags = sf2gaf(GETADDR_RESOLVE|GETADDR_UPDATE_MANAGEMENT_STATE, sock->sockflags); - int retry = 0; - int status = -1; - struct addrinfo* ai; - if (proto_is_dgram(sock->info.proto)) - flags |= GETADDR_DATAGRAM; - - if (sock->resolve_retry_seconds == RESOLV_RETRY_INFINITE) + if (sock->resolve_retry_seconds) { - if (phase == 2) - flags |= (GETADDR_TRY_ONCE | GETADDR_FATAL); retry = 0; } - else if (phase == 1) + else { - if (sock->resolve_retry_seconds) - { - retry = 0; - } - else - { - flags |= (GETADDR_FATAL | GETADDR_MENTION_RESOLVE_RETRY); - retry = 0; - } + flags |= (GETADDR_FATAL | GETADDR_MENTION_RESOLVE_RETRY); + retry = 0; } - else if (phase == 2) + } + else if (phase == 2) + { + if (sock->resolve_retry_seconds) { - if (sock->resolve_retry_seconds) - { - flags |= GETADDR_FATAL; - retry = sock->resolve_retry_seconds; - } - else - { - ASSERT (0); - } + flags |= GETADDR_FATAL; + retry = sock->resolve_retry_seconds; } else { ASSERT (0); } + } + else + { + ASSERT (0); + } - status = openvpn_getaddrinfo (flags, sock->remote_host, sock->remote_port, - retry, signal_received, sock->info.af, &ai); - - if(status == 0) { - sock->info.lsa->remote_list = ai; - sock->info.lsa->current_remote = ai; - - dmsg (D_SOCKET_DEBUG, "RESOLVE_REMOTE flags=0x%04x phase=%d rrs=%d sig=%d status=%d", - flags, - phase, - retry, - signal_received ? *signal_received : -1, - status); - } + if (sock->preresolved_remote) + { + status = 0; + ai = sock->preresolved_remote; + } + else + status = openvpn_getaddrinfo (flags, sock->remote_host, sock->remote_port, + retry, signal_received, sock->info.af, &ai); + + if(status == 0) { + sock->info.lsa->remote_list = ai; + sock->info.lsa->current_remote = ai; + + dmsg (D_SOCKET_DEBUG, "RESOLVE_REMOTE flags=0x%04x phase=%d rrs=%d sig=%d status=%d", + flags, + phase, + retry, + signal_received ? *signal_received : -1, + status); + } + if (signal_received) + { + if (*signal_received) + goto done; + } + if (status!=0) + { if (signal_received) - { - if (*signal_received) - goto done; - } - if (status!=0) - { - if (signal_received) - *signal_received = SIGUSR1; - goto done; - } + *signal_received = SIGUSR1; + goto done; } } + } - /* should we re-use previous active remote address? */ - if (link_socket_actual_defined (&sock->info.lsa->actual)) - { - msg (M_INFO, "TCP/UDP: Preserving recently used remote address: %s", - print_link_socket_actual (&sock->info.lsa->actual, &gc)); - if (remote_dynamic) - *remote_dynamic = NULL; - } - /* else, quick hack to fix persistent-remote ....*/ - { - CLEAR (sock->info.lsa->actual); - if(sock->info.lsa->current_remote) - { - set_actual_address (&sock->info.lsa->actual, - sock->info.lsa->current_remote); - } - } - - /* remember that we finished */ - sock->did_resolve_remote = true; + /* should we re-use previous active remote address? */ + if (link_socket_actual_defined (&sock->info.lsa->actual)) + { + msg (M_INFO, "TCP/UDP: Preserving recently used remote address: %s", + print_link_socket_actual (&sock->info.lsa->actual, &gc)); + if (remote_dynamic) + *remote_dynamic = NULL; } + /* else, quick hack to fix persistent-remote ....*/ + { + CLEAR (sock->info.lsa->actual); + if(sock->info.lsa->current_remote) + { + set_actual_address (&sock->info.lsa->actual, + sock->info.lsa->current_remote); + } + } done: gc_free (&gc); @@ -1317,11 +1377,11 @@ create_new_socket (struct link_socket* sock) resolve_bind_local (sock, sock->info.af); } resolve_remote (sock, 1, NULL, NULL); - + /* * In P2P or server mode we must create the socket even when resolving * the remote site fails/is not specified. */ - + if (sock->info.lsa->actual.ai_family==0 && sock->bind_local) { /* Copy sock parameters from bind addr */ @@ -1329,8 +1389,8 @@ create_new_socket (struct link_socket* sock) /* clear destination set by set_actual_address */ CLEAR(sock->info.lsa->actual.dest); } - - /* + + /* * Create the socket early if socket should be bound */ if (sock->bind_local) @@ -1340,6 +1400,7 @@ create_new_socket (struct link_socket* sock) if (sock->bind_local) bind_local(sock); } + } @@ -1348,8 +1409,10 @@ void link_socket_init_phase1 (struct link_socket *sock, const char *local_host, const char *local_port, + struct addrinfo *local_preresolved, const char *remote_host, const char *remote_port, + struct addrinfo *remote_preresolved, int proto, sa_family_t af, bool bind_ipv6_only, @@ -1382,8 +1445,10 @@ link_socket_init_phase1 (struct link_socket *sock, sock->local_host = local_host; sock->local_port = local_port; + sock->preresolved_local = local_preresolved; sock->remote_host = remote_host; sock->remote_port = remote_port; + sock->preresolved_remote = remote_preresolved; #ifdef ENABLE_HTTP_PROXY sock->http_proxy = http_proxy; @@ -1425,7 +1490,7 @@ link_socket_init_phase1 (struct link_socket *sock, ASSERT (!sock->inetd); sock->sd = accept_from->sd; } - + if (false) ; #ifdef ENABLE_HTTP_PROXY @@ -1560,39 +1625,35 @@ static void linksock_print_addr (struct link_socket *sock) { struct gc_arena gc = gc_new (); + const int msglevel = (sock->mode == LS_MODE_TCP_ACCEPT_FROM) ? D_INIT_MEDIUM : M_INFO; - /* print local address */ - { - const int msglevel = (sock->mode == LS_MODE_TCP_ACCEPT_FROM) ? D_INIT_MEDIUM : M_INFO; - - if (sock->inetd) - msg (msglevel, "%s link local: [inetd]", proto2ascii (sock->info.proto, sock->info.af, true)); - else if (sock->bind_local) - { - /* Socket is always bound on the first matching address */ - struct addrinfo *cur; - for (cur = sock->info.lsa->bind_local; cur; cur=cur->ai_next) - { - if(cur->ai_family == sock->info.lsa->actual.ai_family) - break; - } - ASSERT (cur); - msg (msglevel, "%s link local (bound): %s", + if (sock->inetd) + msg (msglevel, "%s link local: [inetd]", proto2ascii (sock->info.proto, sock->info.af, true)); + else if (sock->bind_local) + { + /* Socket is always bound on the first matching address */ + struct addrinfo *cur; + for (cur = sock->info.lsa->bind_local; cur; cur=cur->ai_next) + { + if(cur->ai_family == sock->info.lsa->actual.ai_family) + break; + } + ASSERT (cur); + msg (msglevel, "%s link local (bound): %s", proto2ascii (sock->info.proto, sock->info.af, true), print_sockaddr(cur->ai_addr,&gc)); - } - else - msg (msglevel, "%s link local: (not bound)", - proto2ascii (sock->info.proto, sock->info.af, true)); - - /* print active remote address */ - msg (msglevel, "%s link remote: %s", - proto2ascii (sock->info.proto, sock->info.af, true), - print_link_socket_actual_ex (&sock->info.lsa->actual, - ":", - PS_SHOW_PORT_IF_DEFINED, - &gc)); - } + } + else + msg (msglevel, "%s link local: (not bound)", + proto2ascii (sock->info.proto, sock->info.af, true)); + + /* print active remote address */ + msg (msglevel, "%s link remote: %s", + proto2ascii (sock->info.proto, sock->info.af, true), + print_link_socket_actual_ex (&sock->info.lsa->actual, + ":", + PS_SHOW_PORT_IF_DEFINED, + &gc)); gc_free(&gc); } @@ -1631,7 +1692,6 @@ phase2_tcp_server (struct link_socket *sock, const char *remote_dynamic, default: ASSERT (0); } - } @@ -1645,9 +1705,9 @@ phase2_tcp_client (struct link_socket *sock, struct signal_info *sig_info) #endif do { socket_connect (&sock->sd, - sock->info.lsa, - sock->connect_timeout, - sig_info); + sock->info.lsa, + sock->connect_timeout, + sig_info); if (sig_info->signal_received) return; @@ -1678,7 +1738,7 @@ phase2_tcp_client (struct link_socket *sock, struct signal_info *sig_info) if (proxy_retry) { /* TODO (schwabe): This code assumes AF_INET for the proxy socket - * when retrying a connection */ + * when retrying a connection */ openvpn_close_socket (sock->sd); sock->sd = create_socket_tcp (AF_INET); } @@ -1698,7 +1758,7 @@ phase2_socks_client (struct link_socket *sock, struct signal_info *sig_info) if (sig_info->signal_received) return; - + establish_socks_proxy_udpassoc (sock->socks_proxy, sock->ctrl_sd, sock->sd, @@ -1710,7 +1770,6 @@ phase2_socks_client (struct link_socket *sock, struct signal_info *sig_info) sock->remote_host = sock->proxy_dest_host; sock->remote_port = sock->proxy_dest_port; - sock->did_resolve_remote = false; addr_zero_host(&sock->info.lsa->actual.dest); if (sock->info.lsa->remote_list) @@ -2482,12 +2541,17 @@ struct proto_names { /* Indexed by PROTO_x */ static const struct proto_names proto_names[] = { {"proto-uninitialized", "proto-NONE", AF_UNSPEC, PROTO_NONE}, + /* try IPv4 and IPv6 (client), bind dual-stack (server) */ {"udp", "UDP", AF_UNSPEC, PROTO_UDP}, - {"udp4", "UDPv4", AF_INET, PROTO_UDP}, - {"tcp-server", "TCPv4_SERVER", AF_INET, PROTO_TCP_SERVER}, - {"tcp-client", "TCPv4_CLIENT", AF_INET, PROTO_TCP_CLIENT}, + {"tcp-server", "TCP_SERVER", AF_UNSPEC, PROTO_TCP_SERVER}, + {"tcp-client", "TCP_CLIENT", AF_UNSPEC, PROTO_TCP_CLIENT}, {"tcp", "TCP", AF_UNSPEC, PROTO_TCP}, - {"tcp4", "TCPv4", AF_INET, PROTO_TCP}, + /* force IPv4 */ + {"udp4", "UDPv4", AF_INET, PROTO_UDP}, + {"tcp4-server","TCPv4_SERVER", AF_INET, PROTO_TCP_SERVER}, + {"tcp4-client","TCPv4_CLIENT", AF_INET, PROTO_TCP_CLIENT}, + {"tcp4", "TCPv4", AF_INET, PROTO_TCP}, + /* force IPv6 */ {"udp6" ,"UDPv6", AF_INET6, PROTO_UDP}, {"tcp6-server","TCPv6_SERVER", AF_INET6, PROTO_TCP_SERVER}, {"tcp6-client","TCPv6_CLIENT", AF_INET6, PROTO_TCP_CLIENT}, diff --git a/openvpn/src/openvpn/socket.h b/openvpn/src/openvpn/socket.h index 3f8318f5..8a118cd1 100644 --- a/openvpn/src/openvpn/socket.h +++ b/openvpn/src/openvpn/socket.h @@ -85,7 +85,7 @@ struct link_socket_actual int ai_socktype; /* SOCK_xxx */ int ai_protocol; /* 0 or IPPROTO_xxx for IPv4 and IPv6 */ - + struct openvpn_sockaddr dest; #if ENABLE_IP_PKTINFO union { @@ -104,7 +104,7 @@ struct link_socket_addr { struct addrinfo* bind_local; struct addrinfo* remote_list; /* complete remote list */ - struct addrinfo* current_remote; /* remote used in the + struct addrinfo* current_remote; /* remote used in the current connection attempt */ struct link_socket_actual actual; /* reply to this address */ }; @@ -186,8 +186,10 @@ struct link_socket const char *remote_host; const char *remote_port; + struct addrinfo *preresolved_remote; const char *local_host; const char *local_port; + struct addrinfo *preresolved_local; bool bind_local; # define INETD_NONE 0 @@ -208,8 +210,6 @@ struct link_socket int mtu; /* OS discovered MTU, or 0 if unknown */ - bool did_resolve_remote; - # define SF_USE_IP_PKTINFO (1<<0) # define SF_TCP_NODELAY (1<<1) # define SF_PORT_SHARE (1<<2) @@ -298,6 +298,8 @@ int openvpn_connect (socket_descriptor_t sd, int connect_timeout, volatile int *signal_received); + + /* * Initialize link_socket object. */ @@ -306,8 +308,10 @@ void link_socket_init_phase1 (struct link_socket *sock, const char *local_host, const char *local_port, + struct addrinfo *local_preresolved, const char *remote_host, const char *remote_port, + struct addrinfo *remote_preresolved, int proto, sa_family_t af, bool bind_ipv6_only, @@ -340,6 +344,8 @@ void link_socket_init_phase2 (struct link_socket *sock, const struct frame *frame, struct signal_info *sig_info); +void do_preresolve(struct context *c); + void socket_adjust_frame_parameters (struct frame *frame, int proto); void frame_adjust_path_mtu (struct frame *frame, int pmtu, int proto); @@ -644,35 +650,36 @@ link_socket_actual_defined (const struct link_socket_actual *act) static inline bool addr_match (const struct openvpn_sockaddr *a1, const struct openvpn_sockaddr *a2) { - switch(a1->addr.sa.sa_family) { - case AF_INET: - return a1->addr.in4.sin_addr.s_addr == a2->addr.in4.sin_addr.s_addr; - case AF_INET6: - return IN6_ARE_ADDR_EQUAL(&a1->addr.in6.sin6_addr, &a2->addr.in6.sin6_addr); - } - ASSERT(0); - return false; + switch(a1->addr.sa.sa_family) { + case AF_INET: + return a1->addr.in4.sin_addr.s_addr == a2->addr.in4.sin_addr.s_addr; + case AF_INET6: + return IN6_ARE_ADDR_EQUAL(&a1->addr.in6.sin6_addr, &a2->addr.in6.sin6_addr); + } + ASSERT(0); + return false; } static inline bool addrlist_match (const struct openvpn_sockaddr *a1, const struct addrinfo *addrlist) { const struct addrinfo *curele; - for (curele = addrlist; curele; curele=curele->ai_next) { - - switch(a1->addr.sa.sa_family) { - case AF_INET: - if (a1->addr.in4.sin_addr.s_addr == ((struct sockaddr_in*)curele->ai_addr)->sin_addr.s_addr) - return true; - break; - case AF_INET6: - if (IN6_ARE_ADDR_EQUAL(&a1->addr.in6.sin6_addr, &((struct sockaddr_in6*) curele->ai_addr)->sin6_addr)) - return true; - break; - default: - ASSERT(0); + for (curele = addrlist; curele; curele=curele->ai_next) + { + switch(a1->addr.sa.sa_family) + { + case AF_INET: + if (a1->addr.in4.sin_addr.s_addr == ((struct sockaddr_in*)curele->ai_addr)->sin_addr.s_addr) + return true; + break; + case AF_INET6: + if (IN6_ARE_ADDR_EQUAL(&a1->addr.in6.sin6_addr, &((struct sockaddr_in6*) curele->ai_addr)->sin6_addr)) + return true; + break; + default: + ASSERT(0); + } } - } return false; } @@ -693,26 +700,28 @@ addr_host (const struct openvpn_sockaddr *addr) static inline bool addrlist_port_match (const struct openvpn_sockaddr *a1, const struct addrinfo *a2) { - const struct addrinfo *curele; - for(curele=a2;curele;curele = curele->ai_next) { - switch(a1->addr.sa.sa_family) { - case AF_INET: + const struct addrinfo *curele; + for(curele=a2;curele;curele = curele->ai_next) + { + switch(a1->addr.sa.sa_family) + { + case AF_INET: if (curele->ai_family == AF_INET && a1->addr.in4.sin_addr.s_addr == ((struct sockaddr_in*)curele->ai_addr)->sin_addr.s_addr && a1->addr.in4.sin_port == ((struct sockaddr_in*)curele->ai_addr)->sin_port) return true; break; - case AF_INET6: + case AF_INET6: if (curele->ai_family == AF_INET6 && IN6_ARE_ADDR_EQUAL(&a1->addr.in6.sin6_addr, &((struct sockaddr_in6*) curele->ai_addr)->sin6_addr) && a1->addr.in6.sin6_port == ((struct sockaddr_in6*) curele->ai_addr)->sin6_port) return true; break; - default: + default: ASSERT(0); } } - return false; + return false; } @@ -725,7 +734,7 @@ addr_port_match (const struct openvpn_sockaddr *a1, const struct openvpn_sockadd return a1->addr.in4.sin_addr.s_addr == a2->addr.in4.sin_addr.s_addr && a1->addr.in4.sin_port == a2->addr.in4.sin_port; case AF_INET6: - return IN6_ARE_ADDR_EQUAL(&a1->addr.in6.sin6_addr, &a2->addr.in6.sin6_addr) + return IN6_ARE_ADDR_EQUAL(&a1->addr.in6.sin6_addr, &a2->addr.in6.sin6_addr) && a1->addr.in6.sin6_port == a2->addr.in6.sin6_port; } ASSERT(0); @@ -734,10 +743,10 @@ addr_port_match (const struct openvpn_sockaddr *a1, const struct openvpn_sockadd static inline bool addr_match_proto (const struct openvpn_sockaddr *a1, - const struct openvpn_sockaddr *a2, - const int proto) + const struct openvpn_sockaddr *a2, + const int proto) { - return link_socket_proto_connection_oriented (proto) + return link_socket_proto_connection_oriented (proto) ? addr_match (a1, a2) : addr_port_match (a1, a2); } @@ -745,8 +754,8 @@ addr_match_proto (const struct openvpn_sockaddr *a1, static inline bool addrlist_match_proto (const struct openvpn_sockaddr *a1, - struct addrinfo *addr_list, - const int proto) + struct addrinfo *addr_list, + const int proto) { return link_socket_proto_connection_oriented (proto) ? addrlist_match (a1, addr_list) @@ -895,14 +904,15 @@ link_socket_set_outgoing_addr (const struct buffer *buf, { struct link_socket_addr *lsa = info->lsa; if ( - ( /* new or changed address? */ (!info->connection_established - || !addr_match_proto (&act->dest, &lsa->actual.dest, info->proto)) + || !addr_match_proto (&act->dest, &lsa->actual.dest, info->proto) + ) + && /* address undef or address == remote or --float */ - && (info->remote_float - || !lsa->remote_list)) - || addrlist_match_proto (&act->dest, lsa->remote_list, info->proto) + (info->remote_float || + (!lsa->remote_list || addrlist_match_proto (&act->dest, lsa->remote_list, info->proto)) + ) ) { link_socket_connection_initiated (buf, info, act, common_name, es); diff --git a/openvpn/src/openvpn/ssl_openssl.c b/openvpn/src/openvpn/ssl_openssl.c index 120aa666..f41bb711 100644 --- a/openvpn/src/openvpn/ssl_openssl.c +++ b/openvpn/src/openvpn/ssl_openssl.c @@ -682,10 +682,11 @@ tls_ctx_use_external_private_key (struct tls_root_ctx *ctx, X509 *cert = NULL; ASSERT (NULL != ctx); - ASSERT (NULL != cert); tls_ctx_load_cert_file_and_copy (ctx, cert_file, cert_file_inline, &cert); + ASSERT (NULL != cert); + /* allocate custom RSA method object */ ALLOC_OBJ_CLEAR (rsa_meth, RSA_METHOD); rsa_meth->name = "OpenVPN external private key RSA Method"; diff --git a/openvpn/src/openvpn/tun.c b/openvpn/src/openvpn/tun.c index c1dcc5e2..9e3e8b9e 100644 --- a/openvpn/src/openvpn/tun.c +++ b/openvpn/src/openvpn/tun.c @@ -473,8 +473,8 @@ init_tun (const char *dev, /* --dev option */ * If local_public or remote_public addresses are defined, * make sure they do not clash with our virtual subnet. */ - - for(curele=remote_public;curele;curele=curele->ai_next) { + + for(curele=local_public;curele;curele=curele->ai_next) { if(curele->ai_family == AF_INET) check_addr_clash ("local", tt->type, |