aboutsummaryrefslogtreecommitdiff
path: root/ssl.c
diff options
context:
space:
mode:
authorjames <james@e7ae566f-a301-0410-adde-c780ea21d3b5>2005-10-15 08:44:02 +0000
committerjames <james@e7ae566f-a301-0410-adde-c780ea21d3b5>2005-10-15 08:44:02 +0000
commit8bc93d7ffbc127e0b095c7274a68eb0c175f93ae (patch)
treebe0d71b15492041caeb3deb1ac923123a44ea96e /ssl.c
parentMerged --capath patch (Thomas Noel). (diff)
downloadopenvpn-8bc93d7ffbc127e0b095c7274a68eb0c175f93ae.tar.xz
svn merge -r 618:619 $SO/patches/openvpn-2-0_rc16-mh/openvpn
Merged --multihome patch + aggregated sockflags. Pre-2.1_beta3 git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@622 e7ae566f-a301-0410-adde-c780ea21d3b5
Diffstat (limited to 'ssl.c')
-rw-r--r--ssl.c92
1 files changed, 53 insertions, 39 deletions
diff --git a/ssl.c b/ssl.c
index 60516a8..2d65d82 100644
--- a/ssl.c
+++ b/ssl.c
@@ -374,7 +374,7 @@ extract_x509_field (const char *x509, const char *field_name, char *out, int siz
static void
setenv_untrusted (struct tls_session *session)
{
- setenv_sockaddr (session->opt->es, "untrusted", &session->untrusted_sockaddr, SA_IP_PORT);
+ setenv_link_socket_actual (session->opt->es, "untrusted", &session->untrusted_addr, SA_IP_PORT);
}
static void
@@ -1860,7 +1860,7 @@ static void
write_control_auth (struct tls_session *session,
struct key_state *ks,
struct buffer *buf,
- struct sockaddr_in *to_link_addr,
+ struct link_socket_actual **to_link_addr,
int opcode,
int max_ack,
bool prepend_ack)
@@ -1868,7 +1868,7 @@ write_control_auth (struct tls_session *session,
uint8_t *header;
struct buffer null = clear_buf ();
- ASSERT (addr_defined (&ks->remote_addr));
+ ASSERT (link_socket_actual_defined (&ks->remote_addr));
ASSERT (reliable_ack_write
(ks->rec_ack, buf, &ks->session_id_remote, max_ack, prepend_ack));
ASSERT (session_id_write_prepend (&session->session_id, buf));
@@ -1880,7 +1880,7 @@ write_control_auth (struct tls_session *session,
openvpn_encrypt (buf, null, &session->tls_auth, NULL);
ASSERT (swap_hmac (buf, &session->tls_auth, false));
}
- *to_link_addr = ks->remote_addr;
+ *to_link_addr = &ks->remote_addr;
}
/*
@@ -1889,7 +1889,7 @@ write_control_auth (struct tls_session *session,
static bool
read_control_auth (struct buffer *buf,
const struct crypto_options *co,
- const struct sockaddr_in *from)
+ const struct link_socket_actual *from)
{
struct gc_arena gc = gc_new ();
@@ -1902,7 +1902,7 @@ read_control_auth (struct buffer *buf,
{
msg (D_TLS_ERRORS,
"TLS Error: cannot locate HMAC in incoming packet from %s",
- print_sockaddr (from, &gc));
+ print_link_socket_actual (from, &gc));
gc_free (&gc);
return false;
}
@@ -1914,7 +1914,7 @@ read_control_auth (struct buffer *buf,
{
msg (D_TLS_ERRORS,
"TLS Error: incoming packet authentication failed from %s",
- print_sockaddr (from, &gc));
+ print_link_socket_actual (from, &gc));
gc_free (&gc);
return false;
}
@@ -2803,7 +2803,7 @@ static bool
tls_process (struct tls_multi *multi,
struct tls_session *session,
struct buffer *to_link,
- struct sockaddr_in *to_link_addr,
+ struct link_socket_actual **to_link_addr,
struct link_socket_info *to_link_socket_info,
interval_t *wakeup)
{
@@ -3197,7 +3197,7 @@ error:
bool
tls_multi_process (struct tls_multi *multi,
struct buffer *to_link,
- struct sockaddr_in *to_link_addr,
+ struct link_socket_actual **to_link_addr,
struct link_socket_info *to_link_socket_info,
interval_t *wakeup)
{
@@ -3223,7 +3223,7 @@ tls_multi_process (struct tls_multi *multi,
/* set initial remote address */
if (i == TM_ACTIVE && ks->state == S_INITIAL &&
- addr_defined (&to_link_socket_info->lsa->actual))
+ link_socket_actual_defined (&to_link_socket_info->lsa->actual))
ks->remote_addr = to_link_socket_info->lsa->actual;
dmsg (D_TLS_DEBUG,
@@ -3232,17 +3232,30 @@ tls_multi_process (struct tls_multi *multi,
state_name (ks->state),
session_id_print (&session->session_id, &gc),
session_id_print (&ks->session_id_remote, &gc),
- print_sockaddr (&ks->remote_addr, &gc));
+ print_link_socket_actual (&ks->remote_addr, &gc));
- if (ks->state >= S_INITIAL && addr_defined (&ks->remote_addr))
+ if (ks->state >= S_INITIAL && link_socket_actual_defined (&ks->remote_addr))
{
+ struct link_socket_actual *tla = NULL;
+
update_time ();
- if (tls_process (multi, session, to_link, to_link_addr,
+ if (tls_process (multi, session, to_link, &tla,
to_link_socket_info, wakeup))
active = true;
/*
+ * If tls_process produced an outgoing packet,
+ * return the link_socket_actual object (which
+ * contains the outgoing address).
+ */
+ if (tla)
+ {
+ multi->to_link_addr = *tla;
+ *to_link_addr = &multi->to_link_addr;
+ }
+
+ /*
* If tls_process hits an error:
* (1) If the session has an unexpired lame duck key, preserve it.
* (2) Reinitialize the session.
@@ -3361,7 +3374,7 @@ tls_multi_process (struct tls_multi *multi,
bool
tls_pre_decrypt (struct tls_multi *multi,
- struct sockaddr_in *from,
+ const struct link_socket_actual *from,
struct buffer *buf,
struct crypto_options *opt)
{
@@ -3403,7 +3416,7 @@ tls_pre_decrypt (struct tls_multi *multi,
if (DECRYPT_KEY_ENABLED (multi, ks)
&& key_id == ks->key_id
&& ks->authenticated
- && addr_port_match(from, &ks->remote_addr))
+ && link_socket_actual_match (from, &ks->remote_addr))
{
/* return appropriate data channel decrypt key in opt */
opt->key_ctx_bi = &ks->key;
@@ -3416,7 +3429,7 @@ tls_pre_decrypt (struct tls_multi *multi,
ks->n_bytes += buf->len;
dmsg (D_TLS_DEBUG,
"TLS: data channel, key_id=%d, IP=%s",
- key_id, print_sockaddr (from, &gc));
+ key_id, print_link_socket_actual (from, &gc));
gc_free (&gc);
return ret;
}
@@ -3429,14 +3442,14 @@ tls_pre_decrypt (struct tls_multi *multi,
key_id,
ks->key_id,
ks->authenticated,
- addr_port_match (from, &ks->remote_addr));
+ link_socket_actual_match (from, &ks->remote_addr));
}
#endif
}
msg (D_TLS_ERRORS,
"TLS Error: local/remote TLS keys are out of sync: %s [%d]",
- print_sockaddr (from, &gc), key_id);
+ print_link_socket_actual (from, &gc), key_id);
goto error;
}
else /* control channel packet */
@@ -3450,7 +3463,7 @@ tls_pre_decrypt (struct tls_multi *multi,
{
msg (D_TLS_ERRORS,
"TLS Error: unknown opcode received from %s op=%d",
- print_sockaddr (from, &gc), op);
+ print_link_socket_actual (from, &gc), op);
goto error;
}
@@ -3465,7 +3478,7 @@ tls_pre_decrypt (struct tls_multi *multi,
{
msg (D_TLS_ERRORS,
"TLS Error: client->client or server->server connection attempted from %s",
- print_sockaddr (from, &gc));
+ print_link_socket_actual (from, &gc));
goto error;
}
}
@@ -3474,7 +3487,7 @@ tls_pre_decrypt (struct tls_multi *multi,
* Authenticate Packet
*/
dmsg (D_TLS_DEBUG, "TLS: control channel, op=%s, IP=%s",
- packet_opcode_name (op), print_sockaddr (from, &gc));
+ packet_opcode_name (op), print_link_socket_actual (from, &gc));
/* get remote session-id */
{
@@ -3484,7 +3497,7 @@ tls_pre_decrypt (struct tls_multi *multi,
{
msg (D_TLS_ERRORS,
"TLS Error: session-id not found in packet from %s",
- print_sockaddr (from, &gc));
+ print_link_socket_actual (from, &gc));
goto error;
}
}
@@ -3501,9 +3514,9 @@ tls_pre_decrypt (struct tls_multi *multi,
state_name (ks->state),
session_id_print (&session->session_id, &gc),
session_id_print (&sid, &gc),
- print_sockaddr (from, &gc),
+ print_link_socket_actual (from, &gc),
session_id_print (&ks->session_id_remote, &gc),
- print_sockaddr (&ks->remote_addr, &gc));
+ print_link_socket_actual (&ks->remote_addr, &gc));
if (session_id_equal (&ks->session_id_remote, &sid))
/* found a match */
@@ -3548,7 +3561,7 @@ tls_pre_decrypt (struct tls_multi *multi,
{
msg (D_TLS_ERRORS,
"TLS Error: Cannot accept new session request from %s due to --single-session [1]",
- print_sockaddr (from, &gc));
+ print_link_socket_actual (from, &gc));
goto error;
}
@@ -3564,13 +3577,13 @@ tls_pre_decrypt (struct tls_multi *multi,
msg (D_TLS_DEBUG_LOW,
"TLS: Initial packet from %s, sid=%s",
- print_sockaddr (from, &gc),
+ print_link_socket_actual (from, &gc),
session_id_print (&sid, &gc));
do_burst = true;
new_link = true;
i = TM_ACTIVE;
- session->untrusted_sockaddr = *from;
+ session->untrusted_addr = *from;
}
}
@@ -3590,7 +3603,7 @@ tls_pre_decrypt (struct tls_multi *multi,
{
msg (D_TLS_ERRORS,
"TLS Error: Cannot accept new session request from %s due to --single-session [2]",
- print_sockaddr (from, &gc));
+ print_link_socket_actual (from, &gc));
goto error;
}
@@ -3613,11 +3626,11 @@ tls_pre_decrypt (struct tls_multi *multi,
*/
msg (D_TLS_DEBUG_LOW,
"TLS: new session incoming connection from %s",
- print_sockaddr (from, &gc));
+ print_link_socket_actual (from, &gc));
new_link = true;
i = TM_UNTRUSTED;
- session->untrusted_sockaddr = *from;
+ session->untrusted_addr = *from;
}
else
{
@@ -3631,7 +3644,7 @@ tls_pre_decrypt (struct tls_multi *multi,
{
msg (D_TLS_ERRORS,
"TLS Error: Unroutable control packet received from %s (si=%d op=%s)",
- print_sockaddr (from, &gc),
+ print_link_socket_actual (from, &gc),
i,
packet_opcode_name (op));
goto error;
@@ -3640,10 +3653,10 @@ tls_pre_decrypt (struct tls_multi *multi,
/*
* Verify remote IP address
*/
- if (!new_link && !addr_port_match (&ks->remote_addr, from))
+ if (!new_link && !link_socket_actual_match (&ks->remote_addr, from))
{
msg (D_TLS_ERRORS, "TLS Error: Received control packet from unexpected IP addr: %s",
- print_sockaddr (from, &gc));
+ print_link_socket_actual (from, &gc));
goto error;
}
@@ -3705,11 +3718,11 @@ tls_pre_decrypt (struct tls_multi *multi,
ks->remote_addr = *from;
++multi->n_sessions;
}
- else if (!addr_port_match (&ks->remote_addr, from))
+ else if (!link_socket_actual_match (&ks->remote_addr, from))
{
msg (D_TLS_ERRORS,
"TLS Error: Existing session control channel packet from unknown IP address: %s",
- print_sockaddr (from, &gc));
+ print_link_socket_actual (from, &gc));
goto error;
}
@@ -3807,8 +3820,9 @@ tls_pre_decrypt (struct tls_multi *multi,
*/
bool
tls_pre_decrypt_lite (const struct tls_auth_standalone *tas,
- const struct sockaddr_in *from,
+ const struct link_socket_actual *from,
const struct buffer *buf)
+
{
struct gc_arena gc = gc_new ();
bool ret = false;
@@ -3835,7 +3849,7 @@ tls_pre_decrypt_lite (const struct tls_auth_standalone *tas,
*/
dmsg (D_TLS_STATE_ERRORS,
"TLS State Error: No TLS state for client %s, opcode=%d",
- print_sockaddr (from, &gc),
+ print_link_socket_actual (from, &gc),
op);
goto error;
}
@@ -3845,7 +3859,7 @@ tls_pre_decrypt_lite (const struct tls_auth_standalone *tas,
dmsg (D_TLS_STATE_ERRORS,
"TLS State Error: Unknown key ID (%d) received from %s -- 0 was expected",
key_id,
- print_sockaddr (from, &gc));
+ print_link_socket_actual (from, &gc));
goto error;
}
@@ -3854,7 +3868,7 @@ tls_pre_decrypt_lite (const struct tls_auth_standalone *tas,
dmsg (D_TLS_STATE_ERRORS,
"TLS State Error: Large packet (size %d) received from %s -- a packet no larger than %d bytes was expected",
buf->len,
- print_sockaddr (from, &gc),
+ print_link_socket_actual (from, &gc),
EXPANDED_SIZE_DYNAMIC (&tas->frame));
goto error;
}