1 /*
2 * OpenVPN -- An application to securely tunnel IP networks
3 * over a single TCP/UDP port, with support for SSL/TLS-based
4 * session authentication and key exchange,
5 * packet encryption, packet authentication, and
6 * packet compression.
7 *
8 * Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
9 *
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License version 2
12 * as published by the Free Software Foundation.
13 *
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
18 *
19 * You should have received a copy of the GNU General Public License along
20 * with this program; if not, write to the Free Software Foundation, Inc.,
21 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22 */
23
24 #ifdef HAVE_CONFIG_H
25 #include "config.h"
26 #elif defined(_MSC_VER)
27 #include "config-msvc.h"
28 #endif
29
30 #include "syshead.h"
31
32 #include "occ.h"
33 #include "forward.h"
34 #include "memdbg.h"
35
36
37 /*
38 * This random string identifies an OpenVPN
39 * Configuration Control packet.
40 * It should be of sufficient length and randomness
41 * so as not to collide with other tunnel data.
42 *
43 * The OCC protocol is as follows:
44 *
45 * occ_magic -- (16 octets)
46 *
47 * type [OCC_REQUEST | OCC_REPLY] (1 octet)
48 * null terminated options string if OCC_REPLY (variable)
49 *
50 * When encryption is used, the OCC packet
51 * is encapsulated within the encrypted
52 * envelope.
53 *
54 * OCC_STRING_SIZE must be set to sizeof (occ_magic)
55 */
56
57 const uint8_t occ_magic[] = {
58 0x28, 0x7f, 0x34, 0x6b, 0xd4, 0xef, 0x7a, 0x81,
59 0x2d, 0x56, 0xb8, 0xd3, 0xaf, 0xc5, 0x45, 0x9c
60 };
61
62 static const struct mtu_load_test mtu_load_test_sequence[] = {
63
64 {OCC_MTU_LOAD_REQUEST, -1000},
65 {OCC_MTU_LOAD, -1000},
66 {OCC_MTU_LOAD_REQUEST, -1000},
67 {OCC_MTU_LOAD, -1000},
68 {OCC_MTU_LOAD_REQUEST, -1000},
69 {OCC_MTU_LOAD, -1000},
70
71 {OCC_MTU_LOAD_REQUEST, -750},
72 {OCC_MTU_LOAD, -750},
73 {OCC_MTU_LOAD_REQUEST, -750},
74 {OCC_MTU_LOAD, -750},
75 {OCC_MTU_LOAD_REQUEST, -750},
76 {OCC_MTU_LOAD, -750},
77
78 {OCC_MTU_LOAD_REQUEST, -500},
79 {OCC_MTU_LOAD, -500},
80 {OCC_MTU_LOAD_REQUEST, -500},
81 {OCC_MTU_LOAD, -500},
82 {OCC_MTU_LOAD_REQUEST, -500},
83 {OCC_MTU_LOAD, -500},
84
85 {OCC_MTU_LOAD_REQUEST, -400},
86 {OCC_MTU_LOAD, -400},
87 {OCC_MTU_LOAD_REQUEST, -400},
88 {OCC_MTU_LOAD, -400},
89 {OCC_MTU_LOAD_REQUEST, -400},
90 {OCC_MTU_LOAD, -400},
91
92 {OCC_MTU_LOAD_REQUEST, -300},
93 {OCC_MTU_LOAD, -300},
94 {OCC_MTU_LOAD_REQUEST, -300},
95 {OCC_MTU_LOAD, -300},
96 {OCC_MTU_LOAD_REQUEST, -300},
97 {OCC_MTU_LOAD, -300},
98
99 {OCC_MTU_LOAD_REQUEST, -200},
100 {OCC_MTU_LOAD, -200},
101 {OCC_MTU_LOAD_REQUEST, -200},
102 {OCC_MTU_LOAD, -200},
103 {OCC_MTU_LOAD_REQUEST, -200},
104 {OCC_MTU_LOAD, -200},
105
106 {OCC_MTU_LOAD_REQUEST, -150},
107 {OCC_MTU_LOAD, -150},
108 {OCC_MTU_LOAD_REQUEST, -150},
109 {OCC_MTU_LOAD, -150},
110 {OCC_MTU_LOAD_REQUEST, -150},
111 {OCC_MTU_LOAD, -150},
112
113 {OCC_MTU_LOAD_REQUEST, -100},
114 {OCC_MTU_LOAD, -100},
115 {OCC_MTU_LOAD_REQUEST, -100},
116 {OCC_MTU_LOAD, -100},
117 {OCC_MTU_LOAD_REQUEST, -100},
118 {OCC_MTU_LOAD, -100},
119
120 {OCC_MTU_LOAD_REQUEST, -50},
121 {OCC_MTU_LOAD, -50},
122 {OCC_MTU_LOAD_REQUEST, -50},
123 {OCC_MTU_LOAD, -50},
124 {OCC_MTU_LOAD_REQUEST, -50},
125 {OCC_MTU_LOAD, -50},
126
127 {OCC_MTU_LOAD_REQUEST, 0},
128 {OCC_MTU_LOAD, 0},
129 {OCC_MTU_LOAD_REQUEST, 0},
130 {OCC_MTU_LOAD, 0},
131 {OCC_MTU_LOAD_REQUEST, 0},
132 {OCC_MTU_LOAD, 0},
133
134 {OCC_MTU_REQUEST, 0},
135 {OCC_MTU_REQUEST, 0},
136 {OCC_MTU_REQUEST, 0},
137 {OCC_MTU_REQUEST, 0},
138 {OCC_MTU_REQUEST, 0},
139 {OCC_MTU_REQUEST, 0},
140 {OCC_MTU_REQUEST, 0},
141 {OCC_MTU_REQUEST, 0},
142 {OCC_MTU_REQUEST, 0},
143 {OCC_MTU_REQUEST, 0},
144
145 {-1, 0}
146 };
147
148 void
check_send_occ_req_dowork(struct context * c)149 check_send_occ_req_dowork(struct context *c)
150 {
151 if (++c->c2.occ_n_tries >= OCC_N_TRIES)
152 {
153 if (c->options.ce.remote)
154 {
155 /*
156 * No OCC_REPLY from peer after repeated attempts.
157 * Give up.
158 */
159 msg(D_SHOW_OCC,
160 "NOTE: failed to obtain options consistency info from peer -- "
161 "this could occur if the remote peer is running a version of "
162 PACKAGE_NAME
163 " before 1.5-beta8 or if there is a network connectivity problem, and will not necessarily prevent "
164 PACKAGE_NAME
165 " from running (" counter_format " bytes received from peer, " counter_format
166 " bytes authenticated data channel traffic) -- you can disable the options consistency "
167 "check with --disable-occ.",
168 c->c2.link_read_bytes,
169 c->c2.link_read_bytes_auth);
170 }
171 event_timeout_clear(&c->c2.occ_interval);
172 }
173 else
174 {
175 c->c2.occ_op = OCC_REQUEST;
176
177 /*
178 * If we don't hear back from peer, send another
179 * OCC_REQUEST in OCC_INTERVAL_SECONDS.
180 */
181 event_timeout_reset(&c->c2.occ_interval);
182 }
183 }
184
185 void
check_send_occ_load_test_dowork(struct context * c)186 check_send_occ_load_test_dowork(struct context *c)
187 {
188 if (CONNECTION_ESTABLISHED(c))
189 {
190 const struct mtu_load_test *entry;
191
192 if (!c->c2.occ_mtu_load_n_tries)
193 {
194 msg(M_INFO,
195 "NOTE: Beginning empirical MTU test -- results should be available in 3 to 4 minutes.");
196 }
197
198 entry = &mtu_load_test_sequence[c->c2.occ_mtu_load_n_tries++];
199 if (entry->op >= 0)
200 {
201 c->c2.occ_op = entry->op;
202 c->c2.occ_mtu_load_size =
203 EXPANDED_SIZE(&c->c2.frame) + entry->delta;
204 }
205 else
206 {
207 msg(M_INFO,
208 "NOTE: failed to empirically measure MTU (requires " PACKAGE_NAME " 1.5 or higher at other end of connection).");
209 event_timeout_clear(&c->c2.occ_mtu_load_test_interval);
210 c->c2.occ_mtu_load_n_tries = 0;
211 }
212 }
213 }
214
215 void
check_send_occ_msg_dowork(struct context * c)216 check_send_occ_msg_dowork(struct context *c)
217 {
218 bool doit = false;
219
220 c->c2.buf = c->c2.buffers->aux_buf;
221 ASSERT(buf_init(&c->c2.buf, FRAME_HEADROOM(&c->c2.frame)));
222 ASSERT(buf_safe(&c->c2.buf, MAX_RW_SIZE_TUN(&c->c2.frame)));
223 ASSERT(buf_write(&c->c2.buf, occ_magic, OCC_STRING_SIZE));
224
225 switch (c->c2.occ_op)
226 {
227 case OCC_REQUEST:
228 if (!buf_write_u8(&c->c2.buf, OCC_REQUEST))
229 {
230 break;
231 }
232 dmsg(D_PACKET_CONTENT, "SENT OCC_REQUEST");
233 doit = true;
234 break;
235
236 case OCC_REPLY:
237 if (!c->c2.options_string_local)
238 {
239 break;
240 }
241 if (!buf_write_u8(&c->c2.buf, OCC_REPLY))
242 {
243 break;
244 }
245 if (!buf_write(&c->c2.buf, c->c2.options_string_local,
246 strlen(c->c2.options_string_local) + 1))
247 {
248 break;
249 }
250 dmsg(D_PACKET_CONTENT, "SENT OCC_REPLY");
251 doit = true;
252 break;
253
254 case OCC_MTU_REQUEST:
255 if (!buf_write_u8(&c->c2.buf, OCC_MTU_REQUEST))
256 {
257 break;
258 }
259 dmsg(D_PACKET_CONTENT, "SENT OCC_MTU_REQUEST");
260 doit = true;
261 break;
262
263 case OCC_MTU_REPLY:
264 if (!buf_write_u8(&c->c2.buf, OCC_MTU_REPLY))
265 {
266 break;
267 }
268 if (!buf_write_u16(&c->c2.buf, c->c2.max_recv_size_local))
269 {
270 break;
271 }
272 if (!buf_write_u16(&c->c2.buf, c->c2.max_send_size_local))
273 {
274 break;
275 }
276 dmsg(D_PACKET_CONTENT, "SENT OCC_MTU_REPLY");
277 doit = true;
278 break;
279
280 case OCC_MTU_LOAD_REQUEST:
281 if (!buf_write_u8(&c->c2.buf, OCC_MTU_LOAD_REQUEST))
282 {
283 break;
284 }
285 if (!buf_write_u16(&c->c2.buf, c->c2.occ_mtu_load_size))
286 {
287 break;
288 }
289 dmsg(D_PACKET_CONTENT, "SENT OCC_MTU_LOAD_REQUEST");
290 doit = true;
291 break;
292
293 case OCC_MTU_LOAD:
294 {
295 int need_to_add;
296
297 if (!buf_write_u8(&c->c2.buf, OCC_MTU_LOAD))
298 {
299 break;
300 }
301 need_to_add = min_int(c->c2.occ_mtu_load_size, EXPANDED_SIZE(&c->c2.frame))
302 - OCC_STRING_SIZE
303 - sizeof(uint8_t)
304 - EXTRA_FRAME(&c->c2.frame);
305
306 while (need_to_add > 0)
307 {
308 /*
309 * Fill the load test packet with pseudo-random bytes.
310 */
311 if (!buf_write_u8(&c->c2.buf, get_random() & 0xFF))
312 {
313 break;
314 }
315 --need_to_add;
316 }
317 dmsg(D_PACKET_CONTENT, "SENT OCC_MTU_LOAD min_int(%d-%d-%d-%d,%d) size=%d",
318 c->c2.occ_mtu_load_size,
319 OCC_STRING_SIZE,
320 (int) sizeof(uint8_t),
321 EXTRA_FRAME(&c->c2.frame),
322 MAX_RW_SIZE_TUN(&c->c2.frame),
323 BLEN(&c->c2.buf));
324 doit = true;
325 }
326 break;
327
328 case OCC_EXIT:
329 if (!buf_write_u8(&c->c2.buf, OCC_EXIT))
330 {
331 break;
332 }
333 dmsg(D_PACKET_CONTENT, "SENT OCC_EXIT");
334 doit = true;
335 break;
336 }
337
338 if (doit)
339 {
340 /*
341 * We will treat the packet like any other outgoing packet,
342 * compress, encrypt, sign, etc.
343 */
344 encrypt_sign(c, true);
345 }
346
347 c->c2.occ_op = -1;
348 }
349
350 void
process_received_occ_msg(struct context * c)351 process_received_occ_msg(struct context *c)
352 {
353 ASSERT(buf_advance(&c->c2.buf, OCC_STRING_SIZE));
354 switch (buf_read_u8(&c->c2.buf))
355 {
356 case OCC_REQUEST:
357 dmsg(D_PACKET_CONTENT, "RECEIVED OCC_REQUEST");
358 c->c2.occ_op = OCC_REPLY;
359 break;
360
361 case OCC_MTU_REQUEST:
362 dmsg(D_PACKET_CONTENT, "RECEIVED OCC_MTU_REQUEST");
363 c->c2.occ_op = OCC_MTU_REPLY;
364 break;
365
366 case OCC_MTU_LOAD_REQUEST:
367 dmsg(D_PACKET_CONTENT, "RECEIVED OCC_MTU_LOAD_REQUEST");
368 c->c2.occ_mtu_load_size = buf_read_u16(&c->c2.buf);
369 if (c->c2.occ_mtu_load_size >= 0)
370 {
371 c->c2.occ_op = OCC_MTU_LOAD;
372 }
373 break;
374
375 case OCC_REPLY:
376 dmsg(D_PACKET_CONTENT, "RECEIVED OCC_REPLY");
377 if (c->options.occ && !TLS_MODE(c) && c->c2.options_string_remote)
378 {
379 if (!options_cmp_equal_safe((char *) BPTR(&c->c2.buf),
380 c->c2.options_string_remote,
381 c->c2.buf.len))
382 {
383 options_warning_safe((char *) BPTR(&c->c2.buf),
384 c->c2.options_string_remote,
385 c->c2.buf.len);
386 }
387 }
388 event_timeout_clear(&c->c2.occ_interval);
389 break;
390
391 case OCC_MTU_REPLY:
392 dmsg(D_PACKET_CONTENT, "RECEIVED OCC_MTU_REPLY");
393 c->c2.max_recv_size_remote = buf_read_u16(&c->c2.buf);
394 c->c2.max_send_size_remote = buf_read_u16(&c->c2.buf);
395 if (c->options.mtu_test
396 && c->c2.max_recv_size_remote > 0
397 && c->c2.max_send_size_remote > 0)
398 {
399 msg(M_INFO, "NOTE: Empirical MTU test completed [Tried,Actual] local->remote=[%d,%d] remote->local=[%d,%d]",
400 c->c2.max_send_size_local,
401 c->c2.max_recv_size_remote,
402 c->c2.max_send_size_remote,
403 c->c2.max_recv_size_local);
404 if (!c->options.ce.fragment
405 && (proto_is_dgram(c->options.ce.proto))
406 && c->c2.max_send_size_local > TUN_MTU_MIN
407 && (c->c2.max_recv_size_remote < c->c2.max_send_size_local
408 || c->c2.max_recv_size_local < c->c2.max_send_size_remote))
409 {
410 msg(M_INFO, "NOTE: This connection is unable to accommodate a UDP packet size of %d. Consider using --fragment or --mssfix options as a workaround.",
411 c->c2.max_send_size_local);
412 }
413 }
414 event_timeout_clear(&c->c2.occ_mtu_load_test_interval);
415 break;
416
417 case OCC_EXIT:
418 dmsg(D_PACKET_CONTENT, "RECEIVED OCC_EXIT");
419 c->sig->signal_received = SIGTERM;
420 c->sig->signal_text = "remote-exit";
421 break;
422 }
423 c->c2.buf.len = 0; /* don't pass packet on */
424 }
425