OpenVPN
forward.c
Go to the documentation of this file.
1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single TCP/UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2002-2023 OpenVPN Inc <sales@openvpn.net>
9  *
10  * This program is free software; you can redistribute it and/or modify
11  * it under the terms of the GNU General Public License version 2
12  * as published by the Free Software Foundation.
13  *
14  * This program is distributed in the hope that it will be useful,
15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17  * GNU General Public License for more details.
18  *
19  * You should have received a copy of the GNU General Public License along
20  * with this program; if not, write to the Free Software Foundation, Inc.,
21  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22  */
23 
24 #ifdef HAVE_CONFIG_H
25 #include "config.h"
26 #endif
27 
28 #include "syshead.h"
29 
30 #include "forward.h"
31 #include "init.h"
32 #include "push.h"
33 #include "gremlin.h"
34 #include "mss.h"
35 #include "event.h"
36 #include "occ.h"
37 #include "ping.h"
38 #include "ps.h"
39 #include "dhcp.h"
40 #include "common.h"
41 #include "ssl_verify.h"
42 #include "dco.h"
43 #include "auth_token.h"
44 
45 #include "memdbg.h"
46 
47 #include "mstats.h"
48 
51 
52 /* show event wait debugging info */
53 
54 #ifdef ENABLE_DEBUG
55 
56 static const char *
57 wait_status_string(struct context *c, struct gc_arena *gc)
58 {
59  struct buffer out = alloc_buf_gc(64, gc);
60  buf_printf(&out, "I/O WAIT %s|%s|%s|%s %s",
61  tun_stat(c->c1.tuntap, EVENT_READ, gc),
62  tun_stat(c->c1.tuntap, EVENT_WRITE, gc),
65  tv_string(&c->c2.timeval, gc));
66  return BSTR(&out);
67 }
68 
69 static void
70 show_wait_status(struct context *c)
71 {
72  struct gc_arena gc = gc_new();
73  dmsg(D_EVENT_WAIT, "%s", wait_status_string(c, &gc));
74  gc_free(&gc);
75 }
76 
77 #endif /* ifdef ENABLE_DEBUG */
78 
79 static void
81 {
82  msg(D_STREAM_ERRORS, "Fatal TLS error (check_tls_errors_co), restarting");
83  register_signal(c->sig, c->c2.tls_exit_signal, "tls-error"); /* SOFT-SIGUSR1 -- TLS error */
84 }
85 
86 static void
88 {
89  register_signal(c->sig, c->c2.tls_exit_signal, "tls-error"); /* SOFT-SIGUSR1 -- TLS error */
90 }
91 
92 /*
93  * TLS errors are fatal in TCP mode.
94  * Also check for --tls-exit trigger.
95  */
96 static inline void
98 {
99  if (c->c2.tls_multi && c->c2.tls_exit_signal)
100  {
102  {
103  if (c->c2.tls_multi->n_soft_errors)
104  {
106  }
107  }
108  else
109  {
110  if (c->c2.tls_multi->n_hard_errors)
111  {
113  }
114  }
115  }
116 }
117 
118 /*
119  * Set our wakeup to 0 seconds, so we will be rescheduled
120  * immediately.
121  */
122 static inline void
124 {
125  c->c2.timeval.tv_sec = 0; /* ZERO-TIMEOUT */
126  c->c2.timeval.tv_usec = 0;
127 }
128 
129 static inline void
130 context_reschedule_sec(struct context *c, int sec)
131 {
132  if (sec < 0)
133  {
134  sec = 0;
135  }
136  if (sec < c->c2.timeval.tv_sec)
137  {
138  c->c2.timeval.tv_sec = sec;
139  c->c2.timeval.tv_usec = 0;
140  }
141 }
142 
143 void
145 {
146  /* DCO context is not yet initialised or enabled */
147  if (!dco_enabled(&c->options))
148  {
149  return;
150  }
151 
152  /* no active peer (p2p tls-server mode) */
153  if (c->c2.tls_multi->dco_peer_id == -1)
154  {
155  return;
156  }
157 
158  if (!dco_update_keys(&c->c1.tuntap->dco, c->c2.tls_multi))
159  {
160  /* Something bad happened. Kill the connection to
161  * be able to recover. */
162  register_signal(c->sig, SIGUSR1, "dco update keys error");
163  }
164 }
165 
166 /*
167  * In TLS mode, let TLS level respond to any control-channel
168  * packets which were received, or prepare any packets for
169  * transmission.
170  *
171  * tmp_int is purely an optimization that allows us to call
172  * tls_multi_process less frequently when there's not much
173  * traffic on the control-channel.
174  *
175  */
176 static void
177 check_tls(struct context *c)
178 {
179  interval_t wakeup = BIG_TIMEOUT;
180 
181  if (interval_test(&c->c2.tmp_int))
182  {
183  const int tmp_status = tls_multi_process
184  (c->c2.tls_multi, &c->c2.to_link, &c->c2.to_link_addr,
185  get_link_socket_info(c), &wakeup);
186 
187  if (tmp_status == TLSMP_RECONNECT)
188  {
191  }
192 
193  if (tmp_status == TLSMP_ACTIVE || tmp_status == TLSMP_RECONNECT)
194  {
195  update_time();
197  }
198  else if (tmp_status == TLSMP_KILL)
199  {
200  if (c->options.mode == MODE_SERVER)
201  {
203  }
204  else
205  {
206  register_signal(c->sig, SIGTERM, "auth-control-exit");
207  }
208  }
209 
210  interval_future_trigger(&c->c2.tmp_int, wakeup);
211  }
212 
213  interval_schedule_wakeup(&c->c2.tmp_int, &wakeup);
214 
215  /*
216  * Our current code has no good hooks in the TLS machinery to update
217  * DCO keys. So we check the key status after the whole TLS machinery
218  * has been completed and potentially update them
219  *
220  * We have a hidden state transition from secondary to primary key based
221  * on ks->auth_deferred_expire that DCO needs to check that the normal
222  * TLS state engine does not check. So we call the \c check_dco_key_status
223  * function even if tmp_status does not indicate that something has changed.
224  */
226 
227  if (wakeup)
228  {
229  context_reschedule_sec(c, wakeup);
230  }
231 }
232 
233 /*
234  * Handle incoming configuration
235  * messages on the control channel.
236  */
237 static void
239 {
240  int len = tls_test_payload_len(c->c2.tls_multi);
241  /* We should only be called with len >0 */
242  ASSERT(len > 0);
243 
244  struct gc_arena gc = gc_new();
245  struct buffer buf = alloc_buf_gc(len, &gc);
246  if (tls_rec_payload(c->c2.tls_multi, &buf))
247  {
248  /* force null termination of message */
249  buf_null_terminate(&buf);
250 
251  /* enforce character class restrictions */
252  string_mod(BSTR(&buf), CC_PRINT, CC_CRLF, 0);
253 
254  if (buf_string_match_head_str(&buf, "AUTH_FAILED"))
255  {
256  receive_auth_failed(c, &buf);
257  }
258  else if (buf_string_match_head_str(&buf, "PUSH_"))
259  {
260  incoming_push_message(c, &buf);
261  }
262  else if (buf_string_match_head_str(&buf, "RESTART"))
263  {
264  server_pushed_signal(c, &buf, true, 7);
265  }
266  else if (buf_string_match_head_str(&buf, "HALT"))
267  {
268  server_pushed_signal(c, &buf, false, 4);
269  }
270  else if (buf_string_match_head_str(&buf, "INFO_PRE"))
271  {
272  server_pushed_info(c, &buf, 8);
273  }
274  else if (buf_string_match_head_str(&buf, "INFO"))
275  {
276  server_pushed_info(c, &buf, 4);
277  }
278  else if (buf_string_match_head_str(&buf, "CR_RESPONSE"))
279  {
280  receive_cr_response(c, &buf);
281  }
282  else if (buf_string_match_head_str(&buf, "AUTH_PENDING"))
283  {
284  receive_auth_pending(c, &buf);
285  }
286  else if (buf_string_match_head_str(&buf, "EXIT"))
287  {
289  }
290  else
291  {
292  msg(D_PUSH_ERRORS, "WARNING: Received unknown control message: %s", BSTR(&buf));
293  }
294  }
295  else
296  {
297  msg(D_PUSH_ERRORS, "WARNING: Receive control message failed");
298  }
299 
300  gc_free(&gc);
301 }
302 
303 /*
304  * Periodically resend PUSH_REQUEST until PUSH message received
305  */
306 static void
308 {
310 
311  /* if no response to first push_request, retry at PUSH_REQUEST_INTERVAL second intervals */
313 }
314 
315 /*
316  * Things that need to happen immediately after connection initiation should go here.
317  *
318  * Options like --up-delay need to be triggered by this function which
319  * checks for connection establishment.
320  *
321  * Note: The process_incoming_push_reply currently assumes that this function
322  * only sets up the pull request timer when pull is enabled.
323  */
324 static void
326 {
327  if (connection_established(c))
328  {
329  /* if --pull was specified, send a push request to server */
330  if (c->c2.tls_multi && c->options.pull)
331  {
332 #ifdef ENABLE_MANAGEMENT
333  if (management)
334  {
337  NULL,
338  NULL,
339  NULL,
340  NULL,
341  NULL);
342  }
343 #endif
344  /* fire up push request right away (already 1s delayed) */
345  /* We might receive a AUTH_PENDING request before we armed this
346  * timer. In that case we don't change the value */
347  if (c->c2.push_request_timeout < now)
348  {
350  }
353  }
354  else
355  {
356  if (!do_up(c, false, 0))
357  {
358  register_signal(c->sig, SIGUSR1, "connection initialisation failed");
359  }
360  }
361 
363  }
364 }
365 
366 bool
368  const char *str, int msglevel)
369 {
370  struct gc_arena gc = gc_new();
371  bool stat;
372 
373  ASSERT(session);
374  struct key_state *ks = &session->key[KS_PRIMARY];
375 
376  /* buffered cleartext write onto TLS control channel */
377  stat = tls_send_payload(ks, (uint8_t *) str, strlen(str) + 1);
378 
379  msg(msglevel, "SENT CONTROL [%s]: '%s' (status=%d)",
380  session->common_name ? session->common_name : "UNDEF",
381  sanitize_control_message(str, &gc),
382  (int) stat);
383 
384  gc_free(&gc);
385  return stat;
386 }
387 
388 void
390 {
392  context_immediate_reschedule(c); /* ZERO-TIMEOUT */
393 }
394 
395 bool
396 send_control_channel_string(struct context *c, const char *str, int msglevel)
397 {
398  if (c->c2.tls_multi)
399  {
401  bool ret = send_control_channel_string_dowork(session, str, msglevel);
403 
404  return ret;
405  }
406  return true;
407 }
408 /*
409  * Add routes.
410  */
411 
412 static void
413 check_add_routes_action(struct context *c, const bool errors)
414 {
415  bool route_status = do_route(&c->options, c->c1.route_list, c->c1.route_ipv6_list,
416  c->c1.tuntap, c->plugins, c->c2.es, &c->net_ctx);
417 
418  int flags = (errors ? ISC_ERRORS : 0);
419  flags |= (!route_status ? ISC_ROUTE_ERRORS : 0);
420 
421  update_time();
424  initialization_sequence_completed(c, flags); /* client/p2p --route-delay was defined */
425 }
426 
427 static void
429 {
430  if (test_routes(c->c1.route_list, c->c1.tuntap))
431  {
432  check_add_routes_action(c, false);
433  }
435  {
436  check_add_routes_action(c, true);
437  }
438  else
439  {
440  msg(D_ROUTE, "Route: Waiting for TUN/TAP interface to come up...");
441  if (c->c1.tuntap)
442  {
443  if (!tun_standby(c->c1.tuntap))
444  {
445  register_signal(c->sig, SIGHUP, "ip-fail");
447 #ifdef _WIN32
450 #endif
451  }
452  }
453  update_time();
454  if (c->c2.route_wakeup.n != 1)
455  {
457  }
459  }
460 }
461 
462 /*
463  * Should we exit due to inactivity timeout?
464  *
465  * In the non-dco case, the timeout is reset via register_activity()
466  * whenever there is sufficient activity on tun or link, so this function
467  * is only ever called to raise the TERM signal.
468  *
469  * With DCO, OpenVPN does not see incoming or outgoing data packets anymore
470  * and the logic needs to change - we permit the event to trigger and check
471  * kernel DCO counters here, returning and rearming the timer if there was
472  * sufficient traffic.
473  */
474 static void
476 {
477  if (dco_enabled(&c->options) && dco_get_peer_stats(c) == 0)
478  {
479  int64_t tot_bytes = c->c2.tun_read_bytes + c->c2.tun_write_bytes;
480  int64_t new_bytes = tot_bytes - c->c2.inactivity_bytes;
481 
482  if (new_bytes > c->options.inactivity_minimum_bytes)
483  {
484  c->c2.inactivity_bytes = tot_bytes;
486 
487  return;
488  }
489  }
490 
491  msg(M_INFO, "Inactivity timeout (--inactive), exiting");
492  register_signal(c->sig, SIGTERM, "inactive");
493 }
494 
495 int
496 get_server_poll_remaining_time(struct event_timeout *server_poll_timeout)
497 {
498  update_time();
499  int remaining = event_timeout_remaining(server_poll_timeout);
500  return max_int(0, remaining);
501 }
502 
503 static void
505 {
507  ASSERT(c->c2.tls_multi);
509  {
510  msg(M_INFO, "Server poll timeout, restarting");
511  register_signal(c->sig, SIGUSR1, "server_poll");
513  }
514 }
515 
516 /*
517  * Schedule a signal n_seconds from now.
518  */
519 void
520 schedule_exit(struct context *c, const int n_seconds, const int signal)
521 {
523  update_time();
525  event_timeout_init(&c->c2.scheduled_exit, n_seconds, now);
526  c->c2.scheduled_exit_signal = signal;
527  msg(D_SCHED_EXIT, "Delayed exit in %d seconds", n_seconds);
528 }
529 
530 /*
531  * Scheduled exit?
532  */
533 static void
535 {
536  register_signal(c->sig, c->c2.scheduled_exit_signal, "delayed-exit");
537 }
538 
539 /*
540  * Should we write timer-triggered status file.
541  */
542 static void
544 {
545  if (c->c1.status_output)
546  {
548  }
549 }
550 
551 #ifdef ENABLE_FRAGMENT
552 /*
553  * Should we deliver a datagram fragment to remote?
554  */
555 static void
557 {
558  struct link_socket_info *lsi = get_link_socket_info(c);
559 
560  /* OS MTU Hint? */
561  if (lsi->mtu_changed && lsi->lsa)
562  {
564  lsi->mtu_changed = false;
565  }
566 
568  {
569  if (!c->c2.to_link.len)
570  {
571  /* encrypt a fragment for output to TCP/UDP port */
573  encrypt_sign(c, false);
574  }
575  }
576 
578 }
579 #endif /* ifdef ENABLE_FRAGMENT */
580 
581 /*
582  * Buffer reallocation, for use with null encryption.
583  */
584 static inline void
585 buffer_turnover(const uint8_t *orig_buf, struct buffer *dest_stub, struct buffer *src_stub, struct buffer *storage)
586 {
587  if (orig_buf == src_stub->data && src_stub->data != storage->data)
588  {
589  buf_assign(storage, src_stub);
590  *dest_stub = *storage;
591  }
592  else
593  {
594  *dest_stub = *src_stub;
595  }
596 }
597 
598 /*
599  * Compress, fragment, encrypt and HMAC-sign an outgoing packet.
600  * Input: c->c2.buf
601  * Output: c->c2.to_link
602  */
603 void
604 encrypt_sign(struct context *c, bool comp_frag)
605 {
606  struct context_buffers *b = c->c2.buffers;
607  const uint8_t *orig_buf = c->c2.buf.data;
608  struct crypto_options *co = NULL;
609 
610  if (dco_enabled(&c->options))
611  {
612  msg(M_WARN, "Attempting to send data packet while data channel offload is in use. "
613  "Dropping packet");
614  c->c2.buf.len = 0;
615  }
616 
617  /*
618  * Drop non-TLS outgoing packet if client-connect script/plugin
619  * has not yet succeeded. In non-TLS tls_multi mode is not defined
620  * and we always pass packets.
621  */
623  {
624  c->c2.buf.len = 0;
625  }
626 
627  if (comp_frag)
628  {
629 #ifdef USE_COMP
630  /* Compress the packet. */
631  if (c->c2.comp_context)
632  {
633  (*c->c2.comp_context->alg.compress)(&c->c2.buf, b->compress_buf, c->c2.comp_context, &c->c2.frame);
634  }
635 #endif
636 #ifdef ENABLE_FRAGMENT
637  if (c->c2.fragment)
638  {
640  }
641 #endif
642  }
643 
644  /* initialize work buffer with buf.headroom bytes of prepend capacity */
646 
647  if (c->c2.tls_multi)
648  {
649  /* Get the key we will use to encrypt the packet. */
650  tls_pre_encrypt(c->c2.tls_multi, &c->c2.buf, &co);
651  /* If using P_DATA_V2, prepend the 1-byte opcode and 3-byte peer-id to the
652  * packet before openvpn_encrypt(), so we can authenticate the opcode too.
653  */
654  if (c->c2.buf.len > 0 && c->c2.tls_multi->use_peer_id)
655  {
657  }
658  }
659  else
660  {
661  co = &c->c2.crypto_options;
662  }
663 
664  /* Encrypt and authenticate the packet */
665  openvpn_encrypt(&c->c2.buf, b->encrypt_buf, co);
666 
667  /* Do packet administration */
668  if (c->c2.tls_multi)
669  {
670  if (c->c2.buf.len > 0 && !c->c2.tls_multi->use_peer_id)
671  {
673  }
675  }
676 
677  /*
678  * Get the address we will be sending the packet to.
679  */
681  &c->c2.to_link_addr);
682 
683  /* if null encryption, copy result to read_tun_buf */
684  buffer_turnover(orig_buf, &c->c2.to_link, &c->c2.buf, &b->read_tun_buf);
685 }
686 
687 /*
688  * Should we exit due to session timeout?
689  */
690 static void
692 {
693  if (c->options.session_timeout
695  ETT_DEFAULT))
696  {
697  msg(M_INFO, "Session timeout, exiting");
698  register_signal(c->sig, SIGTERM, "session-timeout");
699  }
700 }
701 
702 /*
703  * Coarse timers work to 1 second resolution.
704  */
705 static void
707 {
708  /* flush current packet-id to file once per 60
709  * seconds if --replay-persist was specified */
712  {
714  }
715 
716  /* Should we write timer-triggered status file */
717  if (c->c1.status_output
719  {
721  }
722 
723  /* process connection establishment items */
725  {
727  }
728 
729  /* see if we should send a push_request (option --pull) */
731  {
733  }
734 
735  /* process --route options */
737  {
738  check_add_routes(c);
739  }
740 
741  /* check if we want to refresh the auth-token */
743  {
745  }
746 
747  /* possibly exit due to --inactive */
750  {
752  }
753 
754  if (c->sig->signal_received)
755  {
756  return;
757  }
758 
759  /* kill session if time is over */
761  if (c->sig->signal_received)
762  {
763  return;
764  }
765 
766  /* restart if ping not received */
768  if (c->sig->signal_received)
769  {
770  return;
771  }
772 
773  if (c->c2.tls_multi)
774  {
775  if (c->options.ce.connect_timeout
777  {
779  }
780  if (c->sig->signal_received)
781  {
782  return;
783  }
785  {
787  }
788  if (c->sig->signal_received)
789  {
790  return;
791  }
792  }
793 
794  /* Should we send an OCC_REQUEST message? */
796 
797  /* Should we send an MTU load test? */
799 
800  /* Should we send an OCC_EXIT message to remote? */
802  {
804  }
805 
806  /* Should we ping the remote? */
807  check_ping_send(c);
808 
809 #ifdef ENABLE_MANAGEMENT
810  if (management)
811  {
813  }
814 #endif /* ENABLE_MANAGEMENT */
815 }
816 
817 static void
819 {
820  if (now < c->c2.coarse_timer_wakeup)
821  {
823  return;
824  }
825 
826  const struct timeval save = c->c2.timeval;
827  c->c2.timeval.tv_sec = BIG_TIMEOUT;
828  c->c2.timeval.tv_usec = 0;
830  c->c2.coarse_timer_wakeup = now + c->c2.timeval.tv_sec;
831 
832  dmsg(D_INTERVAL, "TIMER: coarse timer wakeup %" PRIi64 " seconds", (int64_t)c->c2.timeval.tv_sec);
833 
834  /* Is the coarse timeout NOT the earliest one? */
835  if (c->c2.timeval.tv_sec > save.tv_sec)
836  {
837  c->c2.timeval = save;
838  }
839 }
840 
841 static void
843 {
844  const int update_interval = 10; /* seconds */
845  c->c2.update_timeout_random_component = now + update_interval;
846  c->c2.timeout_random_component.tv_usec = (time_t) get_random() & 0x0003FFFF;
847  c->c2.timeout_random_component.tv_sec = 0;
848 
849  dmsg(D_INTERVAL, "RANDOM USEC=%ld", (long) c->c2.timeout_random_component.tv_usec);
850 }
851 
852 static inline void
854 {
856  {
858  }
859  if (c->c2.timeval.tv_sec >= 1)
860  {
862  }
863 }
864 
865 /*
866  * Handle addition and removal of the 10-byte Socks5 header
867  * in UDP packets.
868  */
869 
870 static inline void
872 {
874  {
876  }
877 }
878 
879 static inline void
881  struct link_socket_actual **to_addr,
882  int *size_delta)
883 {
885  {
886  *size_delta += socks_process_outgoing_udp(&c->c2.to_link, c->c2.to_link_addr);
887  *to_addr = &c->c2.link_socket->socks_relay;
888  }
889 }
890 
891 /* undo effect of socks_preprocess_outgoing_link */
892 static inline void
894  int size_delta,
895  struct buffer *buf)
896 {
897  if (size_delta > 0 && *size > size_delta)
898  {
899  *size -= size_delta;
900  if (!buf_advance(buf, size_delta))
901  {
902  *size = 0;
903  }
904  }
905 }
906 
907 /*
908  * Output: c->c2.buf
909  */
910 
911 void
913 {
914  /*
915  * Set up for recvfrom call to read datagram
916  * sent to our TCP/UDP port.
917  */
918  int status;
919 
920  /*ASSERT (!c->c2.to_tun.len);*/
921 
923 
924  c->c2.buf = c->c2.buffers->read_link_buf;
925  ASSERT(buf_init(&c->c2.buf, c->c2.frame.buf.headroom));
926 
928  &c->c2.buf,
929  &c->c2.from);
930 
932  {
933 #if PORT_SHARE
934  if (port_share && socket_foreign_protocol_detected(c->c2.link_socket))
935  {
936  const struct buffer *fbuf = socket_foreign_protocol_head(c->c2.link_socket);
937  const int sd = socket_foreign_protocol_sd(c->c2.link_socket);
938  port_share_redirect(port_share, fbuf, sd);
939  register_signal(c->sig, SIGTERM, "port-share-redirect");
940  }
941  else
942 #endif
943  {
944  /* received a disconnect from a connection-oriented protocol */
946  {
947  msg(D_STREAM_ERRORS, "Connection reset during exit notification period, ignoring [%d]", status);
948  management_sleep(1);
949  }
950  else
951  {
952  register_signal(c->sig, SIGUSR1, "connection-reset"); /* SOFT-SIGUSR1 -- TCP connection reset */
953  msg(D_STREAM_ERRORS, "Connection reset, restarting [%d]", status);
954  }
955  }
956  perf_pop();
957  return;
958  }
959 
960  /* check_status() call below resets last-error code */
961  bool dco_win_timeout = tuntap_is_dco_win_timeout(c->c1.tuntap, status);
962 
963  /* check recvfrom status */
964  check_status(status, "read", c->c2.link_socket, NULL);
965 
966  if (dco_win_timeout)
967  {
969  }
970 
971  /* Remove socks header if applicable */
973 
974  perf_pop();
975 }
976 
977 bool
978 process_incoming_link_part1(struct context *c, struct link_socket_info *lsi, bool floated)
979 {
980  struct gc_arena gc = gc_new();
981  bool decrypt_status = false;
982 
983  if (c->c2.buf.len > 0)
984  {
985  c->c2.link_read_bytes += c->c2.buf.len;
987 #ifdef ENABLE_MEMSTATS
988  if (mmap_stats)
989  {
990  mmap_stats->link_read_bytes = link_read_bytes_global;
991  }
992 #endif
993  c->c2.original_recv_size = c->c2.buf.len;
994 #ifdef ENABLE_MANAGEMENT
995  if (management)
996  {
999  }
1000 #endif
1001  }
1002  else
1003  {
1004  c->c2.original_recv_size = 0;
1005  }
1006 
1007 #ifdef ENABLE_DEBUG
1008  /* take action to corrupt packet if we are in gremlin test mode */
1009  if (c->options.gremlin)
1010  {
1011  if (!ask_gremlin(c->options.gremlin))
1012  {
1013  c->c2.buf.len = 0;
1014  }
1015  corrupt_gremlin(&c->c2.buf, c->options.gremlin);
1016  }
1017 #endif
1018 
1019  /* log incoming packet */
1020 #ifdef LOG_RW
1021  if (c->c2.log_rw && c->c2.buf.len > 0)
1022  {
1023  fprintf(stderr, "R");
1024  }
1025 #endif
1026  msg(D_LINK_RW, "%s READ [%d] from %s: %s",
1027  proto2ascii(lsi->proto, lsi->af, true),
1028  BLEN(&c->c2.buf),
1029  print_link_socket_actual(&c->c2.from, &gc),
1030  PROTO_DUMP(&c->c2.buf, &gc));
1031 
1032  /*
1033  * Good, non-zero length packet received.
1034  * Commence multi-stage processing of packet,
1035  * such as authenticate, decrypt, decompress.
1036  * If any stage fails, it sets buf.len to 0 or -1,
1037  * telling downstream stages to ignore the packet.
1038  */
1039  if (c->c2.buf.len > 0)
1040  {
1041  struct crypto_options *co = NULL;
1042  const uint8_t *ad_start = NULL;
1043  if (!link_socket_verify_incoming_addr(&c->c2.buf, lsi, &c->c2.from))
1044  {
1045  link_socket_bad_incoming_addr(&c->c2.buf, lsi, &c->c2.from);
1046  }
1047 
1048  if (c->c2.tls_multi)
1049  {
1050  uint8_t opcode = *BPTR(&c->c2.buf) >> P_OPCODE_SHIFT;
1051 
1052  /*
1053  * If DCO is enabled, the kernel drivers require that the
1054  * other end only sends P_DATA_V2 packets. V1 are unknown
1055  * to kernel and passed to userland, but we cannot handle them
1056  * either because crypto context is missing - so drop the packet.
1057  *
1058  * This can only happen with particular old (2.4.0-2.4.4) servers.
1059  */
1060  if ((opcode == P_DATA_V1) && dco_enabled(&c->options))
1061  {
1063  "Data Channel Offload doesn't support DATA_V1 packets. "
1064  "Upgrade your server to 2.4.5 or newer.");
1065  c->c2.buf.len = 0;
1066  }
1067 
1068  /*
1069  * If tls_pre_decrypt returns true, it means the incoming
1070  * packet was a good TLS control channel packet. If so, TLS code
1071  * will deal with the packet and set buf.len to 0 so downstream
1072  * stages ignore it.
1073  *
1074  * If the packet is a data channel packet, tls_pre_decrypt
1075  * will load crypto_options with the correct encryption key
1076  * and return false.
1077  */
1078  if (tls_pre_decrypt(c->c2.tls_multi, &c->c2.from, &c->c2.buf, &co,
1079  floated, &ad_start))
1080  {
1081  interval_action(&c->c2.tmp_int);
1082 
1083  /* reset packet received timer if TLS packet */
1084  if (c->options.ping_rec_timeout)
1085  {
1087  }
1088  }
1089  }
1090  else
1091  {
1092  co = &c->c2.crypto_options;
1093  }
1094 
1095  /*
1096  * Drop non-TLS packet if client-connect script/plugin and cipher selection
1097  * has not yet succeeded. In non-TLS mode tls_multi is not defined
1098  * and we always pass packets.
1099  */
1101  {
1102  c->c2.buf.len = 0;
1103  }
1104 
1105  /* authenticate and decrypt the incoming packet */
1106  decrypt_status = openvpn_decrypt(&c->c2.buf, c->c2.buffers->decrypt_buf,
1107  co, &c->c2.frame, ad_start);
1108 
1109  if (!decrypt_status && link_socket_connection_oriented(c->c2.link_socket))
1110  {
1111  /* decryption errors are fatal in TCP mode */
1112  register_signal(c->sig, SIGUSR1, "decryption-error"); /* SOFT-SIGUSR1 -- decryption error in TCP mode */
1113  msg(D_STREAM_ERRORS, "Fatal decryption error (process_incoming_link), restarting");
1114  }
1115  }
1116  else
1117  {
1118  buf_reset(&c->c2.to_tun);
1119  }
1120  gc_free(&gc);
1121 
1122  return decrypt_status;
1123 }
1124 
1125 void
1126 process_incoming_link_part2(struct context *c, struct link_socket_info *lsi, const uint8_t *orig_buf)
1127 {
1128  if (c->c2.buf.len > 0)
1129  {
1130 #ifdef ENABLE_FRAGMENT
1131  if (c->c2.fragment)
1132  {
1134  }
1135 #endif
1136 
1137 #ifdef USE_COMP
1138  /* decompress the incoming packet */
1139  if (c->c2.comp_context)
1140  {
1141  (*c->c2.comp_context->alg.decompress)(&c->c2.buf, c->c2.buffers->decompress_buf, c->c2.comp_context, &c->c2.frame);
1142  }
1143 #endif
1144 
1145 #ifdef PACKET_TRUNCATION_CHECK
1146  /* if (c->c2.buf.len > 1) --c->c2.buf.len; */
1147  ipv4_packet_size_verify(BPTR(&c->c2.buf),
1148  BLEN(&c->c2.buf),
1149  TUNNEL_TYPE(c->c1.tuntap),
1150  "POST_DECRYPT",
1151  &c->c2.n_trunc_post_decrypt);
1152 #endif
1153 
1154  /*
1155  * Set our "official" outgoing address, since
1156  * if buf.len is non-zero, we know the packet
1157  * authenticated. In TLS mode we do nothing
1158  * because TLS mode takes care of source address
1159  * authentication.
1160  *
1161  * Also, update the persisted version of our packet-id.
1162  */
1163  if (!TLS_MODE(c) && c->c2.buf.len > 0)
1164  {
1165  link_socket_set_outgoing_addr(lsi, &c->c2.from, NULL, c->c2.es);
1166  }
1167 
1168  /* reset packet received timer */
1169  if (c->options.ping_rec_timeout && c->c2.buf.len > 0)
1170  {
1172  }
1173 
1174  /* increment authenticated receive byte count */
1175  if (c->c2.buf.len > 0)
1176  {
1177  c->c2.link_read_bytes_auth += c->c2.buf.len;
1179  }
1180 
1181  /* Did we just receive an openvpn ping packet? */
1182  if (is_ping_msg(&c->c2.buf))
1183  {
1184  dmsg(D_PING, "RECEIVED PING PACKET");
1185  c->c2.buf.len = 0; /* drop packet */
1186  }
1187 
1188  /* Did we just receive an OCC packet? */
1189  if (is_occ_msg(&c->c2.buf))
1190  {
1192  }
1193 
1194  buffer_turnover(orig_buf, &c->c2.to_tun, &c->c2.buf, &c->c2.buffers->read_link_buf);
1195 
1196  /* to_tun defined + unopened tuntap can cause deadlock */
1197  if (!tuntap_defined(c->c1.tuntap))
1198  {
1199  c->c2.to_tun.len = 0;
1200  }
1201  }
1202  else
1203  {
1204  buf_reset(&c->c2.to_tun);
1205  }
1206 }
1207 
1208 static void
1210 {
1212 
1213  struct link_socket_info *lsi = get_link_socket_info(c);
1214  const uint8_t *orig_buf = c->c2.buf.data;
1215 
1216  process_incoming_link_part1(c, lsi, false);
1217  process_incoming_link_part2(c, lsi, orig_buf);
1218 
1219  perf_pop();
1220 }
1221 
1222 static void
1224 {
1225 #if defined(ENABLE_DCO) && (defined(TARGET_LINUX) || defined(TARGET_FREEBSD))
1226  dco_context_t *dco = &c->c1.tuntap->dco;
1227 
1228  dco_do_read(dco);
1229 
1230  /* FreeBSD currently sends us removal notifcation with the old peer-id in
1231  * p2p mode with the ping timeout reason, so ignore that one to not shoot
1232  * ourselves in the foot and removing the just established session */
1233  if (dco->dco_message_peer_id != c->c2.tls_multi->dco_peer_id)
1234  {
1235  msg(D_DCO_DEBUG, "%s: received message for mismatching peer-id %d, "
1236  "expected %d", __func__, dco->dco_message_peer_id,
1237  c->c2.tls_multi->dco_peer_id);
1238  return;
1239  }
1240 
1241  switch (dco->dco_message_type)
1242  {
1243  case OVPN_CMD_DEL_PEER:
1244  if (dco->dco_del_peer_reason == OVPN_DEL_PEER_REASON_EXPIRED)
1245  {
1246  msg(D_DCO_DEBUG, "%s: received peer expired notification of for peer-id "
1247  "%d", __func__, dco->dco_message_peer_id);
1249  return;
1250  }
1251  break;
1252 
1253  case OVPN_CMD_SWAP_KEYS:
1254  msg(D_DCO_DEBUG, "%s: received key rotation notification for peer-id %d",
1255  __func__, dco->dco_message_peer_id);
1257  break;
1258 
1259  default:
1260  msg(D_DCO_DEBUG, "%s: received message of type %u - ignoring", __func__,
1261  dco->dco_message_type);
1262  return;
1263  }
1264 
1265 #endif /* if defined(ENABLE_DCO) && (defined(TARGET_LINUX) || defined(TARGET_FREEBSD)) */
1266 }
1267 
1268 /*
1269  * Output: c->c2.buf
1270  */
1271 
1272 void
1274 {
1275  /*
1276  * Setup for read() call on TUN/TAP device.
1277  */
1278  /*ASSERT (!c->c2.to_link.len);*/
1279 
1281 
1282  c->c2.buf = c->c2.buffers->read_tun_buf;
1283 
1284 #ifdef _WIN32
1286  {
1287  read_wintun(c->c1.tuntap, &c->c2.buf);
1288  if (c->c2.buf.len == -1)
1289  {
1290  register_signal(c->sig, SIGHUP, "tun-abort");
1292  msg(M_INFO, "Wintun read error, restarting");
1293  perf_pop();
1294  return;
1295  }
1296  }
1297  else
1298  {
1299  sockethandle_t sh = { .is_handle = true, .h = c->c1.tuntap->hand };
1300  sockethandle_finalize(sh, &c->c1.tuntap->reads, &c->c2.buf, NULL);
1301  }
1302 #else /* ifdef _WIN32 */
1303  ASSERT(buf_init(&c->c2.buf, c->c2.frame.buf.headroom));
1305  c->c2.buf.len = read_tun(c->c1.tuntap, BPTR(&c->c2.buf), c->c2.frame.buf.payload_size);
1306 #endif /* ifdef _WIN32 */
1307 
1308 #ifdef PACKET_TRUNCATION_CHECK
1309  ipv4_packet_size_verify(BPTR(&c->c2.buf),
1310  BLEN(&c->c2.buf),
1311  TUNNEL_TYPE(c->c1.tuntap),
1312  "READ_TUN",
1313  &c->c2.n_trunc_tun_read);
1314 #endif
1315 
1316  /* Was TUN/TAP interface stopped? */
1317  if (tuntap_stop(c->c2.buf.len))
1318  {
1319  register_signal(c->sig, SIGTERM, "tun-stop");
1320  msg(M_INFO, "TUN/TAP interface has been stopped, exiting");
1321  perf_pop();
1322  return;
1323  }
1324 
1325  /* Was TUN/TAP I/O operation aborted? */
1326  if (tuntap_abort(c->c2.buf.len))
1327  {
1328  register_signal(c->sig, SIGHUP, "tun-abort");
1330  msg(M_INFO, "TUN/TAP I/O operation aborted, restarting");
1331  perf_pop();
1332  return;
1333  }
1334 
1335  /* Check the status return from read() */
1336  check_status(c->c2.buf.len, "read from TUN/TAP", NULL, c->c1.tuntap);
1337 
1338  perf_pop();
1339 }
1340 
1349 static void
1351 {
1352  bool drop = false;
1353  struct openvpn_sockaddr tun_sa;
1354  int ip_hdr_offset = 0;
1355 
1356  if (c->c2.to_link_addr == NULL) /* no remote addr known */
1357  {
1358  return;
1359  }
1360 
1361  tun_sa = c->c2.to_link_addr->dest;
1362 
1363  int proto_ver = get_tun_ip_ver(TUNNEL_TYPE(c->c1.tuntap), &c->c2.buf, &ip_hdr_offset);
1364 
1365  if (proto_ver == 4)
1366  {
1367  const struct openvpn_iphdr *pip;
1368 
1369  /* make sure we got whole IP header */
1370  if (BLEN(buf) < ((int) sizeof(struct openvpn_iphdr) + ip_hdr_offset))
1371  {
1372  return;
1373  }
1374 
1375  /* skip ipv4 packets for ipv6 tun */
1376  if (tun_sa.addr.sa.sa_family != AF_INET)
1377  {
1378  return;
1379  }
1380 
1381  pip = (struct openvpn_iphdr *) (BPTR(buf) + ip_hdr_offset);
1382 
1383  /* drop packets with same dest addr as gateway */
1384  if (tun_sa.addr.in4.sin_addr.s_addr == pip->daddr)
1385  {
1386  drop = true;
1387  }
1388  }
1389  else if (proto_ver == 6)
1390  {
1391  const struct openvpn_ipv6hdr *pip6;
1392 
1393  /* make sure we got whole IPv6 header */
1394  if (BLEN(buf) < ((int) sizeof(struct openvpn_ipv6hdr) + ip_hdr_offset))
1395  {
1396  return;
1397  }
1398 
1399  /* skip ipv6 packets for ipv4 tun */
1400  if (tun_sa.addr.sa.sa_family != AF_INET6)
1401  {
1402  return;
1403  }
1404 
1405  /* drop packets with same dest addr as gateway */
1406  pip6 = (struct openvpn_ipv6hdr *) (BPTR(buf) + ip_hdr_offset);
1407  if (IN6_ARE_ADDR_EQUAL(&tun_sa.addr.in6.sin6_addr, &pip6->daddr))
1408  {
1409  drop = true;
1410  }
1411  }
1412 
1413  if (drop)
1414  {
1415  struct gc_arena gc = gc_new();
1416 
1417  c->c2.buf.len = 0;
1418 
1419  msg(D_LOW, "Recursive routing detected, drop tun packet to %s",
1421  gc_free(&gc);
1422  }
1423 }
1424 
1425 /*
1426  * Input: c->c2.buf
1427  * Output: c->c2.to_link
1428  */
1429 
1430 void
1432 {
1433  struct gc_arena gc = gc_new();
1434 
1436 
1437  if (c->c2.buf.len > 0)
1438  {
1439  c->c2.tun_read_bytes += c->c2.buf.len;
1440  }
1441 
1442 #ifdef LOG_RW
1443  if (c->c2.log_rw && c->c2.buf.len > 0)
1444  {
1445  fprintf(stderr, "r");
1446  }
1447 #endif
1448 
1449  /* Show packet content */
1450  dmsg(D_TUN_RW, "TUN READ [%d]", BLEN(&c->c2.buf));
1451 
1452  if (c->c2.buf.len > 0)
1453  {
1455  {
1457  }
1458  /*
1459  * The --passtos and --mssfix options require
1460  * us to examine the IP header (IPv4 or IPv6).
1461  */
1462  unsigned int flags = PIPV4_PASSTOS | PIP_MSSFIX | PIPV4_CLIENT_NAT
1464  process_ip_header(c, flags, &c->c2.buf);
1465 
1466 #ifdef PACKET_TRUNCATION_CHECK
1467  /* if (c->c2.buf.len > 1) --c->c2.buf.len; */
1468  ipv4_packet_size_verify(BPTR(&c->c2.buf),
1469  BLEN(&c->c2.buf),
1470  TUNNEL_TYPE(c->c1.tuntap),
1471  "PRE_ENCRYPT",
1472  &c->c2.n_trunc_pre_encrypt);
1473 #endif
1474 
1475  }
1476  if (c->c2.buf.len > 0)
1477  {
1478  encrypt_sign(c, true);
1479  }
1480  else
1481  {
1482  buf_reset(&c->c2.to_link);
1483  }
1484  perf_pop();
1485  gc_free(&gc);
1486 }
1487 
1498 void
1499 ipv6_send_icmp_unreachable(struct context *c, struct buffer *buf, bool client)
1500 {
1501 #define MAX_ICMPV6LEN 1280
1502  struct openvpn_icmp6hdr icmp6out;
1503  CLEAR(icmp6out);
1504 
1505  /*
1506  * Get a buffer to the ip packet, is_ipv6 automatically forwards
1507  * the buffer to the ip packet
1508  */
1509  struct buffer inputipbuf = *buf;
1510 
1511  is_ipv6(TUNNEL_TYPE(c->c1.tuntap), &inputipbuf);
1512 
1513  if (BLEN(&inputipbuf) < (int)sizeof(struct openvpn_ipv6hdr))
1514  {
1515  return;
1516  }
1517 
1518  const struct openvpn_ipv6hdr *pip6 = (struct openvpn_ipv6hdr *)BPTR(&inputipbuf);
1519 
1520  /* Copy version, traffic class, flow label from input packet */
1521  struct openvpn_ipv6hdr pip6out = *pip6;
1522 
1523  pip6out.version_prio = pip6->version_prio;
1524  pip6out.daddr = pip6->saddr;
1525 
1526  /*
1527  * Use the IPv6 remote address if we have one, otherwise use a fake one
1528  * using the remote address is preferred since it makes debugging and
1529  * understanding where the ICMPv6 error originates easier
1530  */
1532  {
1533  inet_pton(AF_INET6, c->options.ifconfig_ipv6_remote, &pip6out.saddr);
1534  }
1535  else
1536  {
1537  inet_pton(AF_INET6, "fe80::7", &pip6out.saddr);
1538  }
1539 
1540  pip6out.nexthdr = OPENVPN_IPPROTO_ICMPV6;
1541 
1542  /*
1543  * The ICMPv6 unreachable code worked best in my (arne) tests with Windows,
1544  * Linux and Android. Windows did not like the administratively prohibited
1545  * return code (no fast fail)
1546  */
1549 
1550  int icmpheader_len = sizeof(struct openvpn_ipv6hdr)
1551  + sizeof(struct openvpn_icmp6hdr);
1552  int totalheader_len = icmpheader_len;
1553 
1554  if (TUNNEL_TYPE(c->c1.tuntap) == DEV_TYPE_TAP)
1555  {
1556  totalheader_len += sizeof(struct openvpn_ethhdr);
1557  }
1558 
1559  /*
1560  * Calculate size for payload, defined in the standard that the resulting
1561  * frame should be <= 1280 and have as much as possible of the original
1562  * packet
1563  */
1564  int max_payload_size = min_int(MAX_ICMPV6LEN,
1565  c->c2.frame.tun_mtu - icmpheader_len);
1566  int payload_len = min_int(max_payload_size, BLEN(&inputipbuf));
1567 
1568  pip6out.payload_len = htons(sizeof(struct openvpn_icmp6hdr) + payload_len);
1569 
1570  /* Construct the packet as outgoing packet back to the client */
1571  struct buffer *outbuf;
1572  if (client)
1573  {
1574  c->c2.to_tun = c->c2.buffers->aux_buf;
1575  outbuf = &(c->c2.to_tun);
1576  }
1577  else
1578  {
1579  c->c2.to_link = c->c2.buffers->aux_buf;
1580  outbuf = &(c->c2.to_link);
1581  }
1582  ASSERT(buf_init(outbuf, totalheader_len));
1583 
1584  /* Fill the end of the buffer with original packet */
1585  ASSERT(buf_safe(outbuf, payload_len));
1586  ASSERT(buf_copy_n(outbuf, &inputipbuf, payload_len));
1587 
1588  /* ICMP Header, copy into buffer to allow checksum calculation */
1589  ASSERT(buf_write_prepend(outbuf, &icmp6out, sizeof(struct openvpn_icmp6hdr)));
1590 
1591  /* Calculate checksum over the packet and write to header */
1592 
1593  uint16_t new_csum = ip_checksum(AF_INET6, BPTR(outbuf), BLEN(outbuf),
1594  (const uint8_t *)&pip6out.saddr,
1595  (uint8_t *)&pip6out.daddr, OPENVPN_IPPROTO_ICMPV6);
1596  ((struct openvpn_icmp6hdr *) BPTR(outbuf))->icmp6_cksum = htons(new_csum);
1597 
1598 
1599  /* IPv6 Header */
1600  ASSERT(buf_write_prepend(outbuf, &pip6out, sizeof(struct openvpn_ipv6hdr)));
1601 
1602  /*
1603  * Tap mode, we also need to create an Ethernet header.
1604  */
1605  if (TUNNEL_TYPE(c->c1.tuntap) == DEV_TYPE_TAP)
1606  {
1607  if (BLEN(buf) < (int)sizeof(struct openvpn_ethhdr))
1608  {
1609  return;
1610  }
1611 
1612  const struct openvpn_ethhdr *orig_ethhdr = (struct openvpn_ethhdr *) BPTR(buf);
1613 
1614  /* Copy frametype and reverse source/destination for the response */
1615  struct openvpn_ethhdr ethhdr;
1616  memcpy(ethhdr.source, orig_ethhdr->dest, OPENVPN_ETH_ALEN);
1617  memcpy(ethhdr.dest, orig_ethhdr->source, OPENVPN_ETH_ALEN);
1618  ethhdr.proto = htons(OPENVPN_ETH_P_IPV6);
1619  ASSERT(buf_write_prepend(outbuf, &ethhdr, sizeof(struct openvpn_ethhdr)));
1620  }
1621 #undef MAX_ICMPV6LEN
1622 }
1623 
1624 void
1625 process_ip_header(struct context *c, unsigned int flags, struct buffer *buf)
1626 {
1627  if (!c->options.ce.mssfix)
1628  {
1629  flags &= ~PIP_MSSFIX;
1630  }
1631 #if PASSTOS_CAPABILITY
1632  if (!c->options.passtos)
1633  {
1634  flags &= ~PIPV4_PASSTOS;
1635  }
1636 #endif
1637  if (!c->options.client_nat)
1638  {
1639  flags &= ~PIPV4_CLIENT_NAT;
1640  }
1642  {
1643  flags &= ~PIPV4_EXTRACT_DHCP_ROUTER;
1644  }
1645  if (!c->options.block_ipv6)
1646  {
1648  }
1649 
1650  if (buf->len > 0)
1651  {
1652  /*
1653  * The --passtos and --mssfix options require
1654  * us to examine the IPv4 header.
1655  */
1656 
1657  if (flags & (PIP_MSSFIX
1659  | PIPV4_PASSTOS
1660 #endif
1662  ))
1663  {
1664  struct buffer ipbuf = *buf;
1665  if (is_ipv4(TUNNEL_TYPE(c->c1.tuntap), &ipbuf))
1666  {
1667 #if PASSTOS_CAPABILITY
1668  /* extract TOS from IP header */
1669  if (flags & PIPV4_PASSTOS)
1670  {
1671  link_socket_extract_tos(c->c2.link_socket, &ipbuf);
1672  }
1673 #endif
1674 
1675  /* possibly alter the TCP MSS */
1676  if (flags & PIP_MSSFIX)
1677  {
1678  mss_fixup_ipv4(&ipbuf, c->c2.frame.mss_fix);
1679  }
1680 
1681  /* possibly do NAT on packet */
1682  if ((flags & PIPV4_CLIENT_NAT) && c->options.client_nat)
1683  {
1684  const int direction = (flags & PIP_OUTGOING) ? CN_INCOMING : CN_OUTGOING;
1685  client_nat_transform(c->options.client_nat, &ipbuf, direction);
1686  }
1687  /* possibly extract a DHCP router message */
1688  if (flags & PIPV4_EXTRACT_DHCP_ROUTER)
1689  {
1690  const in_addr_t dhcp_router = dhcp_extract_router_msg(&ipbuf);
1691  if (dhcp_router)
1692  {
1693  route_list_add_vpn_gateway(c->c1.route_list, c->c2.es, dhcp_router);
1694  }
1695  }
1696  }
1697  else if (is_ipv6(TUNNEL_TYPE(c->c1.tuntap), &ipbuf))
1698  {
1699  /* possibly alter the TCP MSS */
1700  if (flags & PIP_MSSFIX)
1701  {
1702  mss_fixup_ipv6(&ipbuf, c->c2.frame.mss_fix);
1703  }
1704  if (!(flags & PIP_OUTGOING) && (flags
1706  {
1708  (bool)(flags & PIPV6_IMCP_NOHOST_CLIENT));
1709  /* Drop the IPv6 packet */
1710  buf->len = 0;
1711  }
1712 
1713  }
1714  }
1715  }
1716 }
1717 
1718 /*
1719  * Input: c->c2.to_link
1720  */
1721 
1722 void
1724 {
1725  struct gc_arena gc = gc_new();
1726  int error_code = 0;
1727 
1729 
1730  if (c->c2.to_link.len > 0 && c->c2.to_link.len <= c->c2.frame.buf.payload_size)
1731  {
1732  /*
1733  * Setup for call to send/sendto which will send
1734  * packet to remote over the TCP/UDP port.
1735  */
1736  int size = 0;
1738 
1739 #ifdef ENABLE_DEBUG
1740  /* In gremlin-test mode, we may choose to drop this packet */
1741  if (!c->options.gremlin || ask_gremlin(c->options.gremlin))
1742 #endif
1743  {
1744  /*
1745  * Let the traffic shaper know how many bytes
1746  * we wrote.
1747  */
1748  if (c->options.shaper)
1749  {
1750  int overhead = datagram_overhead(c->c2.to_link_addr->dest.addr.sa.sa_family,
1751  c->options.ce.proto);
1753  BLEN(&c->c2.to_link) + overhead);
1754  }
1755 
1756  /*
1757  * Let the pinger know that we sent a packet.
1758  */
1759  if (c->options.ping_send_timeout)
1760  {
1762  }
1763 
1764 #if PASSTOS_CAPABILITY
1765  /* Set TOS */
1766  link_socket_set_tos(c->c2.link_socket);
1767 #endif
1768 
1769  /* Log packet send */
1770 #ifdef LOG_RW
1771  if (c->c2.log_rw)
1772  {
1773  fprintf(stderr, "W");
1774  }
1775 #endif
1776  msg(D_LINK_RW, "%s WRITE [%d] to %s: %s",
1778  BLEN(&c->c2.to_link),
1780  PROTO_DUMP(&c->c2.to_link, &gc));
1781 
1782  /* Packet send complexified by possible Socks5 usage */
1783  {
1784  struct link_socket_actual *to_addr = c->c2.to_link_addr;
1785  int size_delta = 0;
1786 
1787  /* If Socks5 over UDP, prepend header */
1788  socks_preprocess_outgoing_link(c, &to_addr, &size_delta);
1789 
1790  /* Send packet */
1791  size = link_socket_write(c->c2.link_socket, &c->c2.to_link, to_addr);
1792 
1793  /* Undo effect of prepend */
1794  link_socket_write_post_size_adjust(&size, size_delta, &c->c2.to_link);
1795  }
1796 
1797  if (size > 0)
1798  {
1800  c->c2.link_write_bytes += size;
1801  link_write_bytes_global += size;
1802 #ifdef ENABLE_MEMSTATS
1803  if (mmap_stats)
1804  {
1805  mmap_stats->link_write_bytes = link_write_bytes_global;
1806  }
1807 #endif
1808 #ifdef ENABLE_MANAGEMENT
1809  if (management)
1810  {
1813  }
1814 #endif
1815  }
1816  }
1817 
1818  /* Check return status */
1819  error_code = openvpn_errno();
1820  check_status(size, "write", c->c2.link_socket, NULL);
1821 
1822  if (size > 0)
1823  {
1824  /* Did we write a different size packet than we intended? */
1825  if (size != BLEN(&c->c2.to_link))
1826  {
1828  "TCP/UDP packet was truncated/expanded on write to %s (tried=%d,actual=%d)",
1830  BLEN(&c->c2.to_link),
1831  size);
1832  }
1833  }
1834 
1835  /* if not a ping/control message, indicate activity regarding --inactive parameter */
1836  if (c->c2.buf.len > 0)
1837  {
1838  register_activity(c, size);
1839  }
1840 
1841  /* for unreachable network and "connecting" state switch to the next host */
1842 
1843  bool unreachable = error_code ==
1844 #ifdef _WIN32
1845  WSAENETUNREACH;
1846 #else
1847  ENETUNREACH;
1848 #endif
1849  if (size < 0 && unreachable && c->c2.tls_multi
1851  {
1852  msg(M_INFO, "Network unreachable, restarting");
1853  register_signal(c->sig, SIGUSR1, "network-unreachable");
1854  }
1855  }
1856  else
1857  {
1858  if (c->c2.to_link.len > 0)
1859  {
1860  msg(D_LINK_ERRORS, "TCP/UDP packet too large on write to %s (tried=%d,max=%d)",
1862  c->c2.to_link.len,
1863  c->c2.frame.buf.payload_size);
1864  }
1865  }
1866 
1867  buf_reset(&c->c2.to_link);
1868 
1869  perf_pop();
1870  gc_free(&gc);
1871 }
1872 
1873 /*
1874  * Input: c->c2.to_tun
1875  */
1876 
1877 void
1879 {
1880  /*
1881  * Set up for write() call to TUN/TAP
1882  * device.
1883  */
1884  if (c->c2.to_tun.len <= 0)
1885  {
1886  return;
1887  }
1888 
1890 
1891  /*
1892  * The --mssfix option requires
1893  * us to examine the IP header (IPv4 or IPv6).
1894  */
1897  &c->c2.to_tun);
1898 
1899  if (c->c2.to_tun.len <= c->c2.frame.buf.payload_size)
1900  {
1901  /*
1902  * Write to TUN/TAP device.
1903  */
1904  int size;
1905 
1906 #ifdef LOG_RW
1907  if (c->c2.log_rw)
1908  {
1909  fprintf(stderr, "w");
1910  }
1911 #endif
1912  dmsg(D_TUN_RW, "TUN WRITE [%d]", BLEN(&c->c2.to_tun));
1913 
1914 #ifdef PACKET_TRUNCATION_CHECK
1915  ipv4_packet_size_verify(BPTR(&c->c2.to_tun),
1916  BLEN(&c->c2.to_tun),
1917  TUNNEL_TYPE(c->c1.tuntap),
1918  "WRITE_TUN",
1919  &c->c2.n_trunc_tun_write);
1920 #endif
1921 
1922 #ifdef _WIN32
1923  size = write_tun_buffered(c->c1.tuntap, &c->c2.to_tun);
1924 #else
1925  size = write_tun(c->c1.tuntap, BPTR(&c->c2.to_tun), BLEN(&c->c2.to_tun));
1926 #endif
1927 
1928  if (size > 0)
1929  {
1930  c->c2.tun_write_bytes += size;
1931  }
1932  check_status(size, "write to TUN/TAP", NULL, c->c1.tuntap);
1933 
1934  /* check written packet size */
1935  if (size > 0)
1936  {
1937  /* Did we write a different size packet than we intended? */
1938  if (size != BLEN(&c->c2.to_tun))
1939  {
1941  "TUN/TAP packet was destructively fragmented on write to %s (tried=%d,actual=%d)",
1942  c->c1.tuntap->actual_name,
1943  BLEN(&c->c2.to_tun),
1944  size);
1945  }
1946 
1947  /* indicate activity regarding --inactive parameter */
1948  register_activity(c, size);
1949  }
1950  }
1951  else
1952  {
1953  /*
1954  * This should never happen, probably indicates some kind
1955  * of MTU mismatch.
1956  */
1957  msg(D_LINK_ERRORS, "tun packet too large on write (tried=%d,max=%d)",
1958  c->c2.to_tun.len,
1959  c->c2.frame.buf.payload_size);
1960  }
1961 
1962  buf_reset(&c->c2.to_tun);
1963 
1964  perf_pop();
1965 }
1966 
1967 void
1969 {
1970  /* make sure current time (now) is updated on function entry */
1971 
1972  /*
1973  * Start with an effectively infinite timeout, then let it
1974  * reduce to a timeout that reflects the component which
1975  * needs the earliest service.
1976  */
1977  c->c2.timeval.tv_sec = BIG_TIMEOUT;
1978  c->c2.timeval.tv_usec = 0;
1979 
1980 #if defined(_WIN32)
1982  {
1983  c->c2.timeval.tv_sec = 1;
1984  if (tuntap_defined(c->c1.tuntap))
1985  {
1986  tun_show_debug(c->c1.tuntap);
1987  }
1988  }
1989 #endif
1990 
1991  /* check coarse timers? */
1993  if (c->sig->signal_received)
1994  {
1995  return;
1996  }
1997 
1998  /* If tls is enabled, do tls control channel packet processing. */
1999  if (c->c2.tls_multi)
2000  {
2001  check_tls(c);
2002  }
2003 
2004  /* In certain cases, TLS errors will require a restart */
2005  check_tls_errors(c);
2006  if (c->sig->signal_received)
2007  {
2008  return;
2009  }
2010 
2011  /* check for incoming control messages on the control channel like
2012  * push request/reply, or authentication failure and 2FA messages */
2013  if (tls_test_payload_len(c->c2.tls_multi) > 0)
2014  {
2016  }
2017 
2018  /* Should we send an OCC message? */
2019  check_send_occ_msg(c);
2020 
2021 #ifdef ENABLE_FRAGMENT
2022  /* Should we deliver a datagram fragment to remote? */
2023  if (c->c2.fragment)
2024  {
2025  check_fragment(c);
2026  }
2027 #endif
2028 
2029  /* Update random component of timeout */
2031 }
2032 
2033 /*
2034  * Wait for I/O events. Used for both TCP & UDP sockets
2035  * in point-to-point mode and for UDP sockets in
2036  * point-to-multipoint mode.
2037  */
2038 
2039 void
2040 io_wait_dowork(struct context *c, const unsigned int flags)
2041 {
2042  unsigned int socket = 0;
2043  unsigned int tuntap = 0;
2044  struct event_set_return esr[4];
2045 
2046  /* These shifts all depend on EVENT_READ (=1) and EVENT_WRITE (=2)
2047  * and are added to the shift. Check openvpn.h for more details.
2048  */
2049  static int socket_shift = SOCKET_SHIFT;
2050  static int tun_shift = TUN_SHIFT;
2051  static int err_shift = ERR_SHIFT;
2052 #ifdef ENABLE_MANAGEMENT
2053  static int management_shift = MANAGEMENT_SHIFT;
2054 #endif
2055 #ifdef ENABLE_ASYNC_PUSH
2056  static int file_shift = FILE_SHIFT;
2057 #endif
2058 #if defined(TARGET_LINUX) || defined(TARGET_FREEBSD)
2059  static int dco_shift = DCO_SHIFT; /* Event from DCO linux kernel module */
2060 #endif
2061 
2062  /*
2063  * Decide what kind of events we want to wait for.
2064  */
2065  event_reset(c->c2.event_set);
2066 
2067  /*
2068  * On win32 we use the keyboard or an event object as a source
2069  * of asynchronous signals.
2070  */
2071  if (flags & IOW_WAIT_SIGNAL)
2072  {
2073  wait_signal(c->c2.event_set, (void *)&err_shift);
2074  }
2075 
2076  /*
2077  * If outgoing data (for TCP/UDP port) pending, wait for ready-to-send
2078  * status from TCP/UDP port. Otherwise, wait for incoming data on
2079  * TUN/TAP device.
2080  */
2081  if (flags & IOW_TO_LINK)
2082  {
2083  if (flags & IOW_SHAPER)
2084  {
2085  /*
2086  * If sending this packet would put us over our traffic shaping
2087  * quota, don't send -- instead compute the delay we must wait
2088  * until it will be OK to send the packet.
2089  */
2090  int delay = 0;
2091 
2092  /* set traffic shaping delay in microseconds */
2093  if (c->options.shaper)
2094  {
2095  delay = max_int(delay, shaper_delay(&c->c2.shaper));
2096  }
2097 
2098  if (delay < 1000)
2099  {
2100  socket |= EVENT_WRITE;
2101  }
2102  else
2103  {
2104  shaper_soonest_event(&c->c2.timeval, delay);
2105  }
2106  }
2107  else
2108  {
2109  socket |= EVENT_WRITE;
2110  }
2111  }
2112  else if (!((flags & IOW_FRAG) && TO_LINK_FRAG(c)))
2113  {
2114  if (flags & IOW_READ_TUN)
2115  {
2116  tuntap |= EVENT_READ;
2117  }
2118  }
2119 
2120  /*
2121  * If outgoing data (for TUN/TAP device) pending, wait for ready-to-send status
2122  * from device. Otherwise, wait for incoming data on TCP/UDP port.
2123  */
2124  if (flags & IOW_TO_TUN)
2125  {
2126  tuntap |= EVENT_WRITE;
2127  }
2128  else
2129  {
2130  if (flags & IOW_READ_LINK)
2131  {
2132  socket |= EVENT_READ;
2133  }
2134  }
2135 
2136  /*
2137  * outgoing bcast buffer waiting to be sent?
2138  */
2139  if (flags & IOW_MBUF)
2140  {
2141  socket |= EVENT_WRITE;
2142  }
2143 
2144  /*
2145  * Force wait on TUN input, even if also waiting on TCP/UDP output
2146  */
2147  if (flags & IOW_READ_TUN_FORCE)
2148  {
2149  tuntap |= EVENT_READ;
2150  }
2151 
2152 #ifdef _WIN32
2153  if (tuntap_is_wintun(c->c1.tuntap))
2154  {
2155  /*
2156  * With wintun we are only interested in read event. Ring buffer is
2157  * always ready for write, so we don't do wait.
2158  */
2159  tuntap = EVENT_READ;
2160  }
2161 #endif
2162 
2163  /*
2164  * Configure event wait based on socket, tuntap flags.
2165  */
2166  socket_set(c->c2.link_socket, c->c2.event_set, socket, (void *)&socket_shift, NULL);
2167  tun_set(c->c1.tuntap, c->c2.event_set, tuntap, (void *)&tun_shift, NULL);
2168 #if defined(TARGET_LINUX) || defined(TARGET_FREEBSD)
2169  if (socket & EVENT_READ && c->c2.did_open_tun)
2170  {
2171  dco_event_set(&c->c1.tuntap->dco, c->c2.event_set, (void *)&dco_shift);
2172  }
2173 #endif
2174 
2175 #ifdef ENABLE_MANAGEMENT
2176  if (management)
2177  {
2178  management_socket_set(management, c->c2.event_set, (void *)&management_shift, NULL);
2179  }
2180 #endif
2181 
2182 #ifdef ENABLE_ASYNC_PUSH
2183  /* arm inotify watcher */
2184  if (c->options.mode == MODE_SERVER)
2185  {
2186  event_ctl(c->c2.event_set, c->c2.inotify_fd, EVENT_READ, (void *)&file_shift);
2187  }
2188 #endif
2189 
2190  /*
2191  * Possible scenarios:
2192  * (1) tcp/udp port has data available to read
2193  * (2) tcp/udp port is ready to accept more data to write
2194  * (3) tun dev has data available to read
2195  * (4) tun dev is ready to accept more data to write
2196  * (5) we received a signal (handler sets signal_received)
2197  * (6) timeout (tv) expired
2198  */
2199 
2201 
2202  if (!c->sig->signal_received)
2203  {
2204  if (!(flags & IOW_CHECK_RESIDUAL) || !socket_read_residual(c->c2.link_socket))
2205  {
2206  int status;
2207 
2208 #ifdef ENABLE_DEBUG
2210  {
2211  show_wait_status(c);
2212  }
2213 #endif
2214 
2215  /*
2216  * Wait for something to happen.
2217  */
2218  status = event_wait(c->c2.event_set, &c->c2.timeval, esr, SIZE(esr));
2219 
2220  check_status(status, "event_wait", NULL, NULL);
2221 
2222  if (status > 0)
2223  {
2224  int i;
2225  c->c2.event_set_status = 0;
2226  for (i = 0; i < status; ++i)
2227  {
2228  const struct event_set_return *e = &esr[i];
2229  c->c2.event_set_status |= ((e->rwflags & 3) << *((int *)e->arg));
2230  }
2231  }
2232  else if (status == 0)
2233  {
2235  }
2236  }
2237  else
2238  {
2240  }
2241  }
2242 
2243  /* 'now' should always be a reasonably up-to-date timestamp */
2244  update_time();
2245 
2246  /* set signal_received if a signal was received */
2247  if (c->c2.event_set_status & ES_ERROR)
2248  {
2250  }
2251 
2252  dmsg(D_EVENT_WAIT, "I/O WAIT status=0x%04x", c->c2.event_set_status);
2253 }
2254 
2255 void
2257 {
2258  const unsigned int status = c->c2.event_set_status;
2259 
2260 #ifdef ENABLE_MANAGEMENT
2262  {
2263  ASSERT(management);
2265  }
2266 #endif
2267 
2268  /* TCP/UDP port ready to accept write */
2269  if (status & SOCKET_WRITE)
2270  {
2272  }
2273  /* TUN device ready to accept write */
2274  else if (status & TUN_WRITE)
2275  {
2277  }
2278  /* Incoming data on TCP/UDP port */
2279  else if (status & SOCKET_READ)
2280  {
2281  read_incoming_link(c);
2282  if (!IS_SIG(c))
2283  {
2285  }
2286  }
2287  /* Incoming data on TUN device */
2288  else if (status & TUN_READ)
2289  {
2290  read_incoming_tun(c);
2291  if (!IS_SIG(c))
2292  {
2294  }
2295  }
2296  else if (status & DCO_READ)
2297  {
2298  if (!IS_SIG(c))
2299  {
2301  }
2302  }
2303 }
check_timeout_random_component
static void check_timeout_random_component(struct context *c)
Definition: forward.c:853
context_2::max_send_size_local
int max_send_size_local
Definition: openvpn.h:313
buf_safe
static bool buf_safe(const struct buffer *buf, size_t len)
Definition: buffer.h:538
context_2::route_wakeup
struct event_timeout route_wakeup
Definition: openvpn.h:386
process_incoming_dco
static void process_incoming_dco(struct context *c)
Definition: forward.c:1223
TLSMP_ACTIVE
#define TLSMP_ACTIVE
Definition: ssl.h:222
context_2::event_set_status
unsigned int event_set_status
Definition: openvpn.h:238
tuntap::reads
struct overlapped_io reads
Definition: tun.h:198
read_tun
int read_tun(struct tuntap *tt, uint8_t *buf, int len)
check_status_file
static void check_status_file(struct context *c)
Definition: forward.c:543
management_set_state
void management_set_state(struct management *man, const int state, const char *detail, const in_addr_t *tun_local_ip, const struct in6_addr *tun_local_ip6, const struct openvpn_sockaddr *local, const struct openvpn_sockaddr *remote)
Definition: manage.c:2737
link_socket_read
static int link_socket_read(struct link_socket *sock, struct buffer *buf, struct link_socket_actual *from)
Definition: socket.h:1068
OVPN_CMD_DEL_PEER
@ OVPN_CMD_DEL_PEER
@OVPN_CMD_DEL_PEER: Remove peer from internal table
Definition: ovpn_dco_linux.h:40
signal_info::signal_received
volatile int signal_received
Definition: sig.h:43
D_DCO_DEBUG
#define D_DCO_DEBUG
Definition: errlevel.h:118
openvpn_sockaddr::addr
union openvpn_sockaddr::@14 addr
openvpn_icmp6hdr::icmp6_type
uint8_t icmp6_type
Definition: proto.h:157
M_INFO
#define M_INFO
Definition: errlevel.h:55
connection_entry::mssfix
int mssfix
Definition: options.h:135
IN6_ARE_ADDR_EQUAL
#define IN6_ARE_ADDR_EQUAL(a, b)
Definition: win32.h:50
io_wait_dowork
void io_wait_dowork(struct context *c, const unsigned int flags)
Definition: forward.c:2040
check_connection_established
static void check_connection_established(struct context *c)
Definition: forward.c:325
MANAGEMENT_SHIFT
#define MANAGEMENT_SHIFT
Definition: event.h:70
TUN_READ
#define TUN_READ
Definition: event.h:65
gc_new
static struct gc_arena gc_new(void)
Definition: buffer.h:1031
ES_ERROR
#define ES_ERROR
Definition: event.h:68
check_session_timeout
static void check_session_timeout(struct context *c)
Definition: forward.c:691
process_incoming_link_part2
void process_incoming_link_part2(struct context *c, struct link_socket_info *lsi, const uint8_t *orig_buf)
Continues processing a packet read from the external network interface.
Definition: forward.c:1126
check_timeout_random_component_dowork
static void check_timeout_random_component_dowork(struct context *c)
Definition: forward.c:842
auth_token.h
context_2::to_link
struct buffer to_link
Definition: openvpn.h:380
context_2::tls_multi
struct tls_multi * tls_multi
TLS state structure for this VPN tunnel.
Definition: openvpn.h:326
forward.h
process_coarse_timers
static void process_coarse_timers(struct context *c)
Definition: forward.c:706
openvpn_ipv6hdr::payload_len
uint16_t payload_len
Definition: proto.h:138
openvpn_icmp6hdr::icmp6_code
uint8_t icmp6_code
Definition: proto.h:160
gremlin.h
options::route_gateway_via_dhcp
bool route_gateway_via_dhcp
Definition: options.h:423
D_TAP_WIN_DEBUG
#define D_TAP_WIN_DEBUG
Definition: errlevel.h:115
context::persist
struct context_persist persist
Persistent context.
Definition: openvpn.h:513
IOW_READ_LINK
#define IOW_READ_LINK
Definition: forward.h:57
management_socket_set
void management_socket_set(struct management *man, struct event_set *es, void *arg, unsigned int *persistent)
Definition: manage.c:3115
buffer::len
int len
Length in bytes of the actual content within the allocated memory.
Definition: buffer.h:66
context_2::buf
struct buffer buf
Definition: openvpn.h:378
buf_reset
static void buf_reset(struct buffer *buf)
Definition: buffer.h:303
D_LINK_ERRORS
#define D_LINK_ERRORS
Definition: errlevel.h:57
tls_test_payload_len
static int tls_test_payload_len(const struct tls_multi *multi)
Definition: ssl.h:494
status_output::et
struct event_timeout et
Definition: status.h:61
tuntap::windows_driver
enum windows_driver_type windows_driver
Definition: tun.h:213
ERR_SHIFT
#define ERR_SHIFT
Definition: event.h:67
socks_process_outgoing_udp
int socks_process_outgoing_udp(struct buffer *buf, const struct link_socket_actual *to)
Definition: socks.c:597
context_1::tuntap
struct tuntap * tuntap
Tun/tap virtual network interface.
Definition: openvpn.h:170
tuntap_is_wintun
static bool tuntap_is_wintun(struct tuntap *tt)
Definition: tun.h:249
proto2ascii
const char * proto2ascii(int proto, sa_family_t af, bool display_form)
Definition: socket.c:3125
options::inactivity_minimum_bytes
int64_t inactivity_minimum_bytes
Definition: options.h:331
TLS_MODE
#define TLS_MODE(c)
Definition: openvpn.h:539
context_2::max_recv_size_local
int max_recv_size_local
Definition: openvpn.h:311
interval_t
int interval_t
Definition: common.h:36
KS_PRIMARY
#define KS_PRIMARY
Primary key state index.
Definition: ssl_common.h:445
context_2::link_write_bytes
counter_type link_write_bytes
Definition: openvpn.h:272
management_sleep
void management_sleep(const int n)
A sleep function that services the management layer for n seconds rather than doing nothing.
Definition: manage.c:4114
packet_id_persist_enabled
static bool packet_id_persist_enabled(const struct packet_id_persist *p)
Definition: packet_id.h:276
check_status
static void check_status(int status, const char *description, struct link_socket *sock, struct tuntap *tt)
Definition: error.h:283
buf_init
#define buf_init(buf, offset)
Definition: buffer.h:209
context
Contains all state information for one tunnel.
Definition: openvpn.h:476
D_ROUTE
#define D_ROUTE
Definition: errlevel.h:80
interval_action
static void interval_action(struct interval *top)
Definition: interval.h:124
receive_auth_pending
void receive_auth_pending(struct context *c, const struct buffer *buffer)
Parses an AUTH_PENDING message and if in pull mode extends the timeout.
Definition: push.c:336
ipv6_send_icmp_unreachable
void ipv6_send_icmp_unreachable(struct context *c, struct buffer *buf, bool client)
Forges a IPv6 ICMP packet with a no route to host error code from the IPv6 packet in buf and sends it...
Definition: forward.c:1499
tls_multi::session
struct tls_session session[TM_SIZE]
Array of tls_session objects representing control channel sessions with the remote peer.
Definition: ssl_common.h:672
PASSTOS_CAPABILITY
#define PASSTOS_CAPABILITY
Definition: syshead.h:351
context_2::auth_token_renewal_interval
struct event_timeout auth_token_renewal_interval
Definition: openvpn.h:296
BSTR
#define BSTR(buf)
Definition: buffer.h:129
context_2::tun_read_bytes
counter_type tun_read_bytes
Definition: openvpn.h:267
get_random
long int get_random(void)
Definition: crypto.c:1611
context_2::tmp_int
struct interval tmp_int
Definition: openvpn.h:347
check_fragment
static void check_fragment(struct context *c)
Definition: forward.c:556
context::plugins
struct plugin_list * plugins
List of plug-ins.
Definition: openvpn.h:505
PERF_PROC_OUT_TUN
#define PERF_PROC_OUT_TUN
Definition: perf.h:56
PERF_PROC_IN_TUN
#define PERF_PROC_IN_TUN
Definition: perf.h:54
context_2::log_rw
bool log_rw
Definition: openvpn.h:383
register_activity
static void register_activity(struct context *c, const int size)
Definition: forward.h:321
alloc_buf_gc
struct buffer alloc_buf_gc(size_t size, struct gc_arena *gc)
Definition: buffer.c:88
buf_null_terminate
void buf_null_terminate(struct buffer *buf)
Definition: buffer.c:577
context_2::es
struct env_set * es
Definition: openvpn.h:423
connection_entry::connect_timeout
int connect_timeout
Definition: options.h:112
tuntap_abort
static bool tuntap_abort(int status)
Definition: tun.h:487
CC_CRLF
#define CC_CRLF
carriage return or newline
Definition: buffer.h:938
check_send_occ_req
static void check_send_occ_req(struct context *c)
Definition: occ.h:110
interval_schedule_wakeup
static void interval_schedule_wakeup(struct interval *top, interval_t *wakeup)
Definition: interval.h:94
session::key
char key[48]
Definition: keyingmaterialexporter.c:58
options::mode
int mode
Definition: options.h:247
options::session_timeout
int session_timeout
Definition: options.h:333
BIG_TIMEOUT
#define BIG_TIMEOUT
Definition: common.h:41
reset_coarse_timers
void reset_coarse_timers(struct context *c)
Definition: init.c:1332
context_2::inactivity_interval
struct event_timeout inactivity_interval
Definition: openvpn.h:290
TUN_SHIFT
#define TUN_SHIFT
Definition: event.h:64
is_ipv6
bool is_ipv6(int tunnel_type, struct buffer *buf)
Definition: proto.c:116
pre_select
void pre_select(struct context *c)
Definition: forward.c:1968
TO_LINK_FRAG
#define TO_LINK_FRAG(c)
Definition: forward.h:43
process_ip_header
void process_ip_header(struct context *c, unsigned int flags, struct buffer *buf)
Definition: forward.c:1625
dmsg
#define dmsg(flags,...)
Definition: error.h:154
options::ce
struct connection_entry ce
Definition: options.h:275
MANAGEMENT_READ
#define MANAGEMENT_READ
Definition: event.h:71
openvpn_sockaddr
Definition: socket.h:65
context_2::buffers
struct context_buffers * buffers
Definition: openvpn.h:370
link_socket_verify_incoming_addr
static bool link_socket_verify_incoming_addr(struct buffer *buf, const struct link_socket_info *info, const struct link_socket_actual *from_addr)
Definition: socket.h:938
dco_get_peer_stats
int dco_get_peer_stats(struct context *c)
Definition: dco_win.c:433
D_LOW
#define D_LOW
Definition: errlevel.h:97
tls_multi::n_soft_errors
int n_soft_errors
Definition: ssl_common.h:615
context_2::did_open_tun
bool did_open_tun
Definition: openvpn.h:390
tls_multi_process
int tls_multi_process(struct tls_multi *multi, struct buffer *to_link, struct link_socket_actual **to_link_addr, struct link_socket_info *to_link_socket_info, interval_t *wakeup)
Definition: ssl.c:3083
M_NOPREFIX
#define M_NOPREFIX
Definition: error.h:103
event_timeout_init
static void event_timeout_init(struct event_timeout *et, interval_t n, const time_t last)
Initialises a timer struct.
Definition: interval.h:174
context_2::route_wakeup_expire
struct event_timeout route_wakeup_expire
Definition: openvpn.h:387
context_buffers::decrypt_buf
struct buffer decrypt_buf
Definition: openvpn.h:101
check_send_auth_token
void check_send_auth_token(struct context *c)
Checks if the timer to resend the auth-token has expired and if a new auth-token should be send to th...
Definition: auth_token.c:424
EVENT_READ
#define EVENT_READ
Definition: event.h:39
P_OPCODE_SHIFT
#define P_OPCODE_SHIFT
Definition: ssl_pkt.h:39
options::shaper
int shaper
Definition: options.h:315
FILE_SHIFT
#define FILE_SHIFT
Definition: event.h:73
do_up
bool do_up(struct context *c, bool pulled_options, unsigned int option_types_found)
Definition: init.c:2367
MODE_SERVER
#define MODE_SERVER
Definition: options.h:246
dco_do_read
int dco_do_read(dco_context_t *dco)
Definition: dco_win.c:418
openvpn_ipv6hdr::version_prio
uint8_t version_prio
Definition: proto.h:136
context_2::to_link_addr
struct link_socket_actual * to_link_addr
Definition: openvpn.h:247
link_socket_connection_oriented
static bool link_socket_connection_oriented(const struct link_socket *sock)
Definition: socket.h:635
event_timeout_modify_wakeup
static void event_timeout_modify_wakeup(struct event_timeout *et, interval_t n)
Sets the interval n of a timeout.
Definition: interval.h:206
PIP_MSSFIX
#define PIP_MSSFIX
Definition: forward.h:296
openvpn_sockaddr::in6
struct sockaddr_in6 in6
Definition: socket.h:71
management_check_bytecount
void management_check_bytecount(struct context *c, struct management *man, struct timeval *timeval)
Definition: manage.c:4138
key_state
Security parameter state of one TLS and data channel key session.
Definition: ssl_common.h:195
openvpn_iphdr::daddr
uint32_t daddr
Definition: proto.h:128
options::allow_recursive_routing
bool allow_recursive_routing
Definition: options.h:702
context_2::link_read_bytes
counter_type link_read_bytes
Definition: openvpn.h:269
SOCKET_SHIFT
#define SOCKET_SHIFT
Definition: event.h:61
IOW_MBUF
#define IOW_MBUF
Definition: forward.h:61
IOW_SHAPER
#define IOW_SHAPER
Definition: forward.h:58
process_outgoing_tun
void process_outgoing_tun(struct context *c)
Write a packet to the virtual tun/tap network interface.
Definition: forward.c:1878
context_1::route_list
struct route_list * route_list
List of routing information.
Definition: openvpn.h:175
CN_INCOMING
#define CN_INCOMING
Definition: clinat.h:32
context_2::wait_for_connect
struct event_timeout wait_for_connect
Definition: openvpn.h:285
tuntap::actual_name
char * actual_name
Definition: tun.h:186
get_server_poll_remaining_time
int get_server_poll_remaining_time(struct event_timeout *server_poll_timeout)
Definition: forward.c:496
CLEAR
#define CLEAR(x)
Definition: basic.h:33
tls_multi::multi_state
enum multi_status multi_state
Definition: ssl_common.h:609
TUNNEL_TYPE
#define TUNNEL_TYPE(tt)
Definition: tun.h:173
tls_set_single_session
static void tls_set_single_session(struct tls_multi *multi)
Definition: ssl.h:508
IOW_TO_LINK
#define IOW_TO_LINK
Definition: forward.h:55
event_ctl
static void event_ctl(struct event_set *es, event_t event, unsigned int rwflags, void *arg)
Definition: event.h:160
check_push_request
static void check_push_request(struct context *c)
Definition: forward.c:307
test_routes
bool test_routes(const struct route_list *rl, const struct tuntap *tt)
Definition: route.c:2586
context::c2
struct context_2 c2
Level 2 context.
Definition: openvpn.h:517
openvpn_ipv6hdr::daddr
struct in6_addr daddr
Definition: proto.h:143
tuntap_defined
static bool tuntap_defined(const struct tuntap *tt)
Definition: tun.h:238
TM_ACTIVE
#define TM_ACTIVE
Active tls_session.
Definition: ssl_common.h:526
tuntap::hand
HANDLE hand
Definition: tun.h:197
MAX_ICMPV6LEN
#define MAX_ICMPV6LEN
ssl_verify.h
link_socket_actual_defined
static bool link_socket_actual_defined(const struct link_socket_actual *act)
Definition: socket.h:713
check_tls_errors
static void check_tls_errors(struct context *c)
Definition: forward.c:97
ASSERT
#define ASSERT(x)
Definition: error.h:201
tls_session_soft_reset
void tls_session_soft_reset(struct tls_multi *tls_multi)
Definition: ssl.c:1760
D_STREAM_ERRORS
#define D_STREAM_ERRORS
Definition: errlevel.h:63
send_auth_failed
void send_auth_failed(struct context *c, const char *client_reason)
Definition: push.c:392
buffer_turnover
static void buffer_turnover(const uint8_t *orig_buf, struct buffer *dest_stub, struct buffer *src_stub, struct buffer *storage)
Definition: forward.c:585
link_read_bytes_global
counter_type link_read_bytes_global
Definition: forward.c:49
buf_advance
static bool buf_advance(struct buffer *buf, int size)
Definition: buffer.h:636
options::client_nat
struct client_nat_option_list * client_nat
Definition: options.h:425
counter_type
uint64_t counter_type
Definition: common.h:30
openvpn_icmp6hdr::icmp6_cksum
uint16_t icmp6_cksum
Definition: proto.h:161
ping.h
options::ping_send_timeout
int ping_send_timeout
Definition: options.h:335
packet_id_persist_save
void packet_id_persist_save(struct packet_id_persist *p)
Definition: packet_id.c:480
encrypt_sign
void encrypt_sign(struct context *c, bool comp_frag)
Process a data channel packet that will be sent through a VPN tunnel.
Definition: forward.c:604
check_coarse_timers
static void check_coarse_timers(struct context *c)
Definition: forward.c:818
openvpn_sockaddr::sa
struct sockaddr sa
Definition: socket.h:69
BLEN
#define BLEN(buf)
Definition: buffer.h:127
PIPV4_CLIENT_NAT
#define PIPV4_CLIENT_NAT
Definition: forward.h:299
PERF_PROC_OUT_LINK
#define PERF_PROC_OUT_LINK
Definition: perf.h:55
process_explicit_exit_notification_timer_wakeup
void process_explicit_exit_notification_timer_wakeup(struct context *c)
Definition: sig.c:564
PIPV4_PASSTOS
#define PIPV4_PASSTOS
Definition: forward.h:295
buf_write_prepend
static bool buf_write_prepend(struct buffer *dest, const void *src, int size)
Definition: buffer.h:698
event_set_return::arg
void * arg
Definition: event.h:121
IOW_TO_TUN
#define IOW_TO_TUN
Definition: forward.h:54
send_push_request
bool send_push_request(struct context *c)
Definition: push.c:549
buf_assign
bool buf_assign(struct buffer *dest, const struct buffer *src)
Definition: buffer.c:173
mss_fixup_ipv6
void mss_fixup_ipv6(struct buffer *buf, uint16_t maxmss)
Definition: mss.c:87
shaper_soonest_event
bool shaper_soonest_event(struct timeval *tv, int delay)
Definition: shaper.c:37
frame::payload_size
int payload_size
the maximum size that a payload that our buffers can hold from either tun device or network link.
Definition: mtu.h:102
CC_PRINT
#define CC_PRINT
printable (>= 32, != 127)
Definition: buffer.h:909
shaper_wrote_bytes
static void shaper_wrote_bytes(struct shaper *s, int nbytes)
Definition: shaper.h:128
openvpn_sockaddr::in4
struct sockaddr_in in4
Definition: socket.h:70
update_time
static void update_time(void)
Definition: otime.h:77
context_buffers
Definition: openvpn.h:94
server_pushed_signal
void server_pushed_signal(struct context *c, const struct buffer *buffer, const bool restart, const int adv)
Definition: push.c:131
D_PING
#define D_PING
Definition: errlevel.h:144
string_mod
bool string_mod(char *str, const unsigned int inclusive, const unsigned int exclusive, const char replace)
Modifies a string in place by replacing certain classes of characters of it with a specified characte...
Definition: buffer.c:1085
is_occ_msg
static bool is_occ_msg(const struct buffer *buf)
Definition: occ.h:83
init.h
socks_process_incoming_udp
void socks_process_incoming_udp(struct buffer *buf, struct link_socket_actual *from)
Definition: socks.c:558
process_received_occ_msg
void process_received_occ_msg(struct context *c)
Definition: occ.c:363
event_timeout::n
interval_t n
periodic interval for periodic timeouts
Definition: interval.h:139
context_2::shaper
struct shaper shaper
Definition: openvpn.h:262
push.h
reschedule_multi_process
void reschedule_multi_process(struct context *c)
Reschedule tls_multi_process.
Definition: forward.c:389
M_WARN
#define M_WARN
Definition: error.h:97
openvpn_encrypt
void openvpn_encrypt(struct buffer *buf, struct buffer work, struct crypto_options *opt)
Encrypt and HMAC sign a packet so that it can be sent as a data channel VPN tunnel packet to a remote...
Definition: crypto.c:295
perf_pop
static void perf_pop(void)
Definition: perf.h:82
tun_standby
bool tun_standby(struct tuntap *tt)
Definition: tun.c:5823
WINDOWS_DRIVER_WINTUN
@ WINDOWS_DRIVER_WINTUN
Definition: tun.h:52
is_ping_msg
static bool is_ping_msg(const struct buffer *buf)
Definition: ping.h:41
check_ping_send
static void check_ping_send(struct context *c)
Definition: ping.h:77
context::options
struct options options
Options loaded from command line or configuration file.
Definition: openvpn.h:478
context_1::route_ipv6_list
struct route_ipv6_list * route_ipv6_list
Definition: openvpn.h:180
tls_multi::n_hard_errors
int n_hard_errors
Definition: ssl_common.h:614
tls_send_payload
bool tls_send_payload(struct key_state *ks, const uint8_t *data, int size)
Definition: ssl.c:3929
dco_event_set
void dco_event_set(dco_context_t *dco, struct event_set *es, void *arg)
Definition: dco_win.c:462
route_list_add_vpn_gateway
void route_list_add_vpn_gateway(struct route_list *rl, struct env_set *es, const in_addr_t addr)
Definition: route.c:554
context_2::ping_send_interval
struct event_timeout ping_send_interval
Definition: openvpn.h:286
IOW_FRAG
#define IOW_FRAG
Definition: forward.h:60
process_incoming_link
static void process_incoming_link(struct context *c)
Definition: forward.c:1209
tls_multi::dco_peer_id
int dco_peer_id
This is the handle that DCO uses to identify this session with the kernel.
Definition: ssl_common.h:687
read_incoming_tun
void read_incoming_tun(struct context *c)
Read a packet from the virtual tun/tap network interface.
Definition: forward.c:1273
SOCKET_WRITE
#define SOCKET_WRITE
Definition: event.h:63
dhcp_extract_router_msg
in_addr_t dhcp_extract_router_msg(struct buffer *ipbuf)
Definition: dhcp.c:149
interval_test
static bool interval_test(struct interval *top)
Definition: interval.h:66
DCO_READ
#define DCO_READ
Definition: event.h:76
tls_prepend_opcode_v2
void tls_prepend_opcode_v2(const struct tls_multi *multi, struct buffer *buf)
Prepend an OpenVPN data channel P_DATA_V2 header to the packet.
Definition: ssl.c:3894
dco_context_t
void * dco_context_t
Definition: dco.h:254
openvpn_decrypt
bool openvpn_decrypt(struct buffer *buf, struct buffer work, struct crypto_options *opt, const struct frame *frame, const uint8_t *ad_start)
HMAC verify and decrypt a data channel packet received from a remote OpenVPN peer.
Definition: crypto.c:645
context_2::explicit_exit_notification_time_wait
time_t explicit_exit_notification_time_wait
Definition: openvpn.h:419
fragment_outgoing
void fragment_outgoing(struct fragment_master *f, struct buffer *buf, const struct frame *frame)
Process an outgoing packet, which may or may not need to be fragmented.
Definition: fragment.c:321
check_ping_restart
static void check_ping_restart(struct context *c)
Definition: ping.h:60
D_TUN_RW
#define D_TUN_RW
Definition: errlevel.h:114
context_2::frame_fragment
struct frame frame_fragment
Definition: openvpn.h:256
TUN_WRITE
#define TUN_WRITE
Definition: event.h:66
DEV_TYPE_TAP
#define DEV_TYPE_TAP
Definition: proto.h:38
context_2::tun_write_bytes
counter_type tun_write_bytes
Definition: openvpn.h:268
PERF_READ_IN_TUN
#define PERF_READ_IN_TUN
Definition: perf.h:53
options::ping_rec_timeout
int ping_rec_timeout
Definition: options.h:336
fragment_housekeeping
static void fragment_housekeeping(struct fragment_master *f, struct frame *frame, struct timeval *tv)
Perform housekeeping of a fragment_master structure.
Definition: fragment.h:467
check_send_occ_load_test
static void check_send_occ_load_test(struct context *c)
Definition: occ.h:125
link_socket_write
static int link_socket_write(struct link_socket *sock, struct buffer *buf, struct link_socket_actual *to)
Definition: socket.h:1185
get_link_socket_info
static struct link_socket_info * get_link_socket_info(struct context *c)
Definition: forward.h:308
SIZE
#define SIZE(x)
Definition: basic.h:30
buffer
Wrapper structure for dynamically allocated memory.
Definition: buffer.h:60
PIP_OUTGOING
#define PIP_OUTGOING
Definition: forward.h:297
openvpn_ethhdr::proto
uint16_t proto
Definition: proto.h:64
check_tls_errors_nco
static void check_tls_errors_nco(struct context *c)
Definition: forward.c:87
trigger_ping_timeout_signal
void trigger_ping_timeout_signal(struct context *c)
Trigger the correct signal on a –ping timeout depending if –ping-exit is set (SIGTERM) or not (SIGUSR...
Definition: ping.c:48
PERF_PROC_IN_LINK
#define PERF_PROC_IN_LINK
Definition: perf.h:52
context_2::push_request_timeout
time_t push_request_timeout
Definition: openvpn.h:443
openvpn_ethhdr::source
uint8_t source[OPENVPN_ETH_ALEN]
Definition: proto.h:58
D_PUSH_ERRORS
#define D_PUSH_ERRORS
Definition: errlevel.h:67
D_EVENT_WAIT
#define D_EVENT_WAIT
Definition: errlevel.h:162
context_2::scheduled_exit_signal
int scheduled_exit_signal
Definition: openvpn.h:451
event_reset
static void event_reset(struct event_set *es)
Definition: event.h:148
IOW_READ_TUN_FORCE
#define IOW_READ_TUN_FORCE
Definition: forward.h:62
IOW_WAIT_SIGNAL
#define IOW_WAIT_SIGNAL
Definition: forward.h:63
event.h
openvpn_ethhdr::dest
uint8_t dest[OPENVPN_ETH_ALEN]
Definition: proto.h:57
PROTO_DUMP
#define PROTO_DUMP(buf, gc)
Definition: openvpn.h:541
options::handshake_window
int handshake_window
Definition: options.h:634
ps.h
context_2::event_set
struct event_set * event_set
Definition: openvpn.h:233
link_socket_set_outgoing_addr
static void link_socket_set_outgoing_addr(struct link_socket_info *info, const struct link_socket_actual *act, const char *common_name, struct env_set *es)
Definition: socket.h:987
OVPN_DEL_PEER_REASON_EXPIRED
@ OVPN_DEL_PEER_REASON_EXPIRED
Definition: ovpn_dco_linux.h:73
context_buffers::read_link_buf
struct buffer read_link_buf
Definition: openvpn.h:113
check_scheduled_exit
static void check_scheduled_exit(struct context *c)
Definition: forward.c:534
context_buffers::aux_buf
struct buffer aux_buf
Definition: openvpn.h:97
tls_session
Security parameter state of a single session within a VPN tunnel.
Definition: ssl_common.h:468
context_2::timeout_random_component
struct timeval timeout_random_component
Definition: openvpn.h:407
OPENVPN_STATE_GET_CONFIG
#define OPENVPN_STATE_GET_CONFIG
Definition: manage.h:482
context_2::timeval
struct timeval timeval
Time to next event of timers and similar.
Definition: openvpn.h:399
options::block_ipv6
bool block_ipv6
Definition: options.h:421
show_adapters
void show_adapters(int msglev)
Definition: tun.c:5095
sockethandle_finalize
int sockethandle_finalize(sockethandle_t sh, struct overlapped_io *io, struct buffer *buf, struct link_socket_actual *from)
Definition: socket.c:3749
context_2::explicit_exit_notification_interval
struct event_timeout explicit_exit_notification_interval
Definition: openvpn.h:420
context_2::scheduled_exit
struct event_timeout scheduled_exit
Definition: openvpn.h:450
frame::buf
struct frame::@6 buf
context_2::frame
struct frame frame
Definition: openvpn.h:251
context_2::link_socket
struct link_socket * link_socket
Definition: openvpn.h:240
CAS_CONNECT_DONE
@ CAS_CONNECT_DONE
Definition: ssl_common.h:570
link_socket_bad_incoming_addr
void link_socket_bad_incoming_addr(struct buffer *buf, const struct link_socket_info *info, const struct link_socket_actual *from_addr)
Definition: socket.c:2419
syshead.h
BPTR
#define BPTR(buf)
Definition: buffer.h:124
fragment_ready_to_send
bool fragment_ready_to_send(struct fragment_master *f, struct buffer *buf, const struct frame *frame)
Check whether outgoing fragments are ready to be send, and if so make one available.
Definition: fragment.c:376
context_persist::restart_sleep_seconds
int restart_sleep_seconds
Definition: openvpn.h:122
process_io
void process_io(struct context *c)
Definition: forward.c:2256
dhcp.h
management_bytes_server
static void management_bytes_server(struct management *man, const counter_type *bytes_in_total, const counter_type *bytes_out_total, struct man_def_auth_context *mdac)
Definition: manage.h:541
show_routes
void show_routes(int msglev)
Definition: route.c:3203
tv_add
static void tv_add(struct timeval *dest, const struct timeval *src)
Definition: otime.h:132
check_inactivity_timeout
static void check_inactivity_timeout(struct context *c)
Definition: forward.c:475
TLSMP_KILL
#define TLSMP_KILL
Definition: ssl.h:223
gc_arena
Garbage collection arena used to keep track of dynamically allocated memory.
Definition: buffer.h:116
check_tls
static void check_tls(struct context *c)
Definition: forward.c:177
occ.h
context::sig
struct signal_info * sig
Internal error signaling object.
Definition: openvpn.h:503
MODE_POINT_TO_POINT
#define MODE_POINT_TO_POINT
Definition: options.h:245
send_control_channel_string_dowork
bool send_control_channel_string_dowork(struct tls_session *session, const char *str, int msglevel)
Definition: forward.c:367
check_dco_key_status
void check_dco_key_status(struct context *c)
Definition: forward.c:144
openvpn_ipv6hdr
Definition: proto.h:135
tls_initial_packet_received
static bool tls_initial_packet_received(const struct tls_multi *multi)
Definition: ssl.h:488
openvpn_ipv6hdr::nexthdr
uint8_t nexthdr
Definition: proto.h:139
sockethandle_t
Definition: socket.h:267
client_nat_transform
void client_nat_transform(const struct client_nat_option_list *list, struct buffer *ipbuf, const int direction)
Definition: clinat.c:193
mss_fixup_ipv4
void mss_fixup_ipv4(struct buffer *buf, uint16_t maxmss)
Definition: mss.c:47
dco_enabled
static bool dco_enabled(const struct options *o)
Returns whether the current configuration has dco enabled.
Definition: options.h:908
dco.h
common.h
check_debug_level
static bool check_debug_level(unsigned int level)
Definition: error.h:226
tls_multi::use_peer_id
bool use_peer_id
Definition: ssl_common.h:664
tls_multi::client_reason
char * client_reason
Definition: ssl_common.h:634
tuntap_is_dco_win_timeout
static bool tuntap_is_dco_win_timeout(struct tuntap *tt, int status)
Definition: tun.h:662
context_2::update_timeout_random_component
time_t update_timeout_random_component
Definition: openvpn.h:406
ETT_DEFAULT
#define ETT_DEFAULT
Definition: interval.h:224
buf_string_match_head_str
bool buf_string_match_head_str(const struct buffer *src, const char *match)
Definition: buffer.c:822
context_2::packet_id_persist_interval
struct event_timeout packet_id_persist_interval
Definition: openvpn.h:358
openvpn_ipv6hdr::saddr
struct in6_addr saddr
Definition: proto.h:142
management_bytes_client
static void management_bytes_client(struct management *man, const int size_in, const int size_out)
Definition: manage.h:524
openvpn_ethhdr
Definition: proto.h:55
OPENVPN_IPPROTO_ICMPV6
#define OPENVPN_IPPROTO_ICMPV6
Definition: proto.h:123
context_2::inactivity_bytes
int64_t inactivity_bytes
Definition: openvpn.h:291
IOW_CHECK_RESIDUAL
#define IOW_CHECK_RESIDUAL
Definition: forward.h:59
tls_prepend_opcode_v1
void tls_prepend_opcode_v1(const struct tls_multi *multi, struct buffer *buf)
Prepend a one-byte OpenVPN data channel P_DATA_V1 opcode to the packet.
Definition: ssl.c:3880
context_2::mda_context
struct man_def_auth_context mda_context
Definition: openvpn.h:456
mstats.h
event_timeout_trigger
bool event_timeout_trigger(struct event_timeout *et, struct timeval *tv, const int et_const_retry)
This is the principal function for testing and triggering recurring timers.
Definition: interval.c:43
context_2::to_tun
struct buffer to_tun
Definition: openvpn.h:379
frame::mss_fix
uint16_t mss_fix
The actual MSS value that should be written to the payload packets.
Definition: mtu.h:118
IS_SIG
#define IS_SIG(c)
Definition: sig.h:48
link_write_bytes_global
counter_type link_write_bytes_global
Definition: forward.c:50
dco_update_keys
static bool dco_update_keys(dco_context_t *dco, struct tls_multi *multi)
Definition: dco.h:324
DCO_SHIFT
#define DCO_SHIFT
Definition: event.h:75
context_2::fragment
struct fragment_master * fragment
Definition: openvpn.h:255
ES_TIMEOUT
#define ES_TIMEOUT
Definition: event.h:69
max_int
static int max_int(int x, int y)
Definition: integer.h:76
socket_set
unsigned int socket_set(struct link_socket *s, struct event_set *es, unsigned int rwflags, void *arg, unsigned int *persistent)
Definition: socket.c:3875
drop_if_recursive_routing
static void drop_if_recursive_routing(struct context *c, struct buffer *buf)
Drops UDP packets which OS decided to route via tun.
Definition: forward.c:1350
PUSH_REQUEST_INTERVAL
#define PUSH_REQUEST_INTERVAL
Definition: common.h:93
D_LINK_RW
#define D_LINK_RW
Definition: errlevel.h:113
OPENVPN_ETH_ALEN
#define OPENVPN_ETH_ALEN
Definition: proto.h:54
tls_rec_payload
bool tls_rec_payload(struct tls_multi *multi, struct buffer *buf)
Definition: ssl.c:3963
tuntap::dco
dco_context_t dco
Definition: tun.h:234
read_wintun
static void read_wintun(struct tuntap *tt, struct buffer *buf)
Definition: tun.h:514
receive_exit_message
void receive_exit_message(struct context *c)
Definition: push.c:191
get_tun_ip_ver
static int get_tun_ip_ver(int tunnel_type, struct buffer *buf, int *ip_hdr_offset)
Definition: proto.h:255
status
static SERVICE_STATUS status
Definition: interactive.c:52
do_route
bool do_route(const struct options *options, struct route_list *route_list, struct route_ipv6_list *route_ipv6_list, const struct tuntap *tt, const struct plugin_list *plugins, struct env_set *es, openvpn_net_ctx_t *ctx)
Definition: init.c:1695
read_incoming_link
void read_incoming_link(struct context *c)
Read a packet from the external network interface.
Definition: forward.c:912
print_link_socket_actual
const char * print_link_socket_actual(const struct link_socket_actual *act, struct gc_arena *gc)
Definition: socket.c:2820
management
Definition: manage.h:335
min_int
static int min_int(int x, int y)
Definition: integer.h:89
gc_free
static void gc_free(struct gc_arena *a)
Definition: buffer.h:1039
server_pushed_info
void server_pushed_info(struct context *c, const struct buffer *buffer, const int adv)
Definition: push.c:223
check_tls_errors_co
static void check_tls_errors_co(struct context *c)
Definition: forward.c:80
event_set_return
Definition: event.h:118
socket_connection_reset
static bool socket_connection_reset(const struct link_socket *sock, int status)
Definition: socket.h:915
PIPV6_IMCP_NOHOST_CLIENT
#define PIPV6_IMCP_NOHOST_CLIENT
Definition: forward.h:300
mss.h
PIPV4_EXTRACT_DHCP_ROUTER
#define PIPV4_EXTRACT_DHCP_ROUTER
Definition: forward.h:298
tuntap
Definition: tun.h:171
context_2::crypto_options
struct crypto_options crypto_options
Security parameters and crypto state used by the Data Channel Crypto module to process data channel p...
Definition: openvpn.h:352
IOW_READ_TUN
#define IOW_READ_TUN
Definition: forward.h:56
schedule_exit
void schedule_exit(struct context *c, const int n_seconds, const int signal)
Definition: forward.c:520
openvpn_icmp6hdr
Definition: proto.h:149
now
time_t now
Definition: otime.c:34
context_buffers::encrypt_buf
struct buffer encrypt_buf
Definition: openvpn.h:100
tun_stat
const char * tun_stat(const struct tuntap *tt, unsigned int rwflags, struct gc_arena *gc)
Definition: tun.c:703
wait_signal
static void wait_signal(struct event_set *es, void *arg)
Definition: event.h:185
context_1::status_output
struct status_output * status_output
Definition: openvpn.h:183
config.h
socket_read_residual
static bool socket_read_residual(const struct link_socket *s)
Definition: socket.h:1241
socks_postprocess_incoming_link
static void socks_postprocess_incoming_link(struct context *c)
Definition: forward.c:871
check_server_poll_timeout
static void check_server_poll_timeout(struct context *c)
Definition: forward.c:504
context_2::from
struct link_socket_actual from
Definition: openvpn.h:248
event_timeout
Definition: interval.h:136
socks_preprocess_outgoing_link
static void socks_preprocess_outgoing_link(struct context *c, struct link_socket_actual **to_addr, int *size_delta)
Definition: forward.c:880
context_1::pid_persist
struct packet_id_persist pid_persist
Definition: openvpn.h:168
ISC_ROUTE_ERRORS
#define ISC_ROUTE_ERRORS
Definition: init.h:116
context_2::tls_exit_signal
int tls_exit_signal
Definition: openvpn.h:350
EVENT_WRITE
#define EVENT_WRITE
Definition: event.h:40
connection_entry::proto
int proto
Definition: options.h:99
context_2::link_read_bytes_auth
counter_type link_read_bytes_auth
Definition: openvpn.h:271
sanitize_control_message
const char * sanitize_control_message(const char *src, struct gc_arena *gc)
Definition: misc.c:654
D_INTERVAL
#define D_INTERVAL
Definition: errlevel.h:158
tls_post_encrypt
void tls_post_encrypt(struct tls_multi *multi, struct buffer *buf)
Perform some accounting for the key state used.
Definition: ssl.c:3909
context_2::push_request_interval
struct event_timeout push_request_interval
Definition: openvpn.h:442
context_2::server_poll_interval
struct event_timeout server_poll_interval
Definition: openvpn.h:411
get_signal
static void get_signal(volatile int *sig)
Copy the global signal_received (if non-zero) to the passed-in argument sig.
Definition: sig.h:110
print_status
void print_status(struct context *c, struct status_output *so)
Definition: sig.c:484
context_reschedule_sec
static void context_reschedule_sec(struct context *c, int sec)
Definition: forward.c:130
shaper_delay
static int shaper_delay(struct shaper *s)
Definition: shaper.h:103
OPENVPN_ICMP6_DESTINATION_UNREACHABLE
#define OPENVPN_ICMP6_DESTINATION_UNREACHABLE
Definition: proto.h:150
OVPN_CMD_SWAP_KEYS
@ OVPN_CMD_SWAP_KEYS
Definition: ovpn_dco_linux.h:44
MANAGEMENT_WRITE
#define MANAGEMENT_WRITE
Definition: event.h:72
tls_pre_encrypt
void tls_pre_encrypt(struct tls_multi *multi, struct buffer *buf, struct crypto_options **opt)
Choose the appropriate security parameters with which to process an outgoing packet.
Definition: ssl.c:3847
openvpn_errno
#define openvpn_errno()
Definition: error.h:78
tun_show_debug
void tun_show_debug(struct tuntap *tt)
Definition: tun.c:6877
session
Definition: keyingmaterialexporter.c:56
receive_auth_failed
void receive_auth_failed(struct context *c, const struct buffer *buffer)
Definition: push.c:50
process_incoming_link_part1
bool process_incoming_link_part1(struct context *c, struct link_socket_info *lsi, bool floated)
Starts processing a packet read from the external network interface.
Definition: forward.c:978
datagram_overhead
static int datagram_overhead(sa_family_t af, int proto)
Definition: socket.h:616
receive_cr_response
void receive_cr_response(struct context *c, const struct buffer *buffer)
Definition: push.c:261
link_socket_write_post_size_adjust
static void link_socket_write_post_size_adjust(int *size, int size_delta, struct buffer *buf)
Definition: forward.c:893
context_2::session_interval
struct event_timeout session_interval
Definition: openvpn.h:293
event_timeout_defined
static bool event_timeout_defined(const struct event_timeout *et)
Definition: interval.h:144
is_ipv4
bool is_ipv4(int tunnel_type, struct buffer *buf)
Definition: proto.c:111
openvpn_iphdr
Definition: proto.h:106
event_set_return::rwflags
unsigned int rwflags
Definition: event.h:120
event_timeout_clear
static void event_timeout_clear(struct event_timeout *et)
Clears the timeout and reset all values to 0.
Definition: interval.h:155
register_signal
void register_signal(struct signal_info *si, int signum, const char *signal_text)
Register a soft signal in the signal_info struct si respecting priority.
Definition: sig.c:231
context_buffers::read_tun_buf
struct buffer read_tun_buf
Definition: openvpn.h:114
OPENVPN_ICMP6_DU_NOROUTE
#define OPENVPN_ICMP6_DU_NOROUTE
Definition: proto.h:158
memdbg.h
context_2::ping_rec_interval
struct event_timeout ping_rec_interval
Definition: openvpn.h:287
context_2::original_recv_size
int original_recv_size
Definition: openvpn.h:310
process_incoming_tun
void process_incoming_tun(struct context *c)
Process a packet read from the virtual tun/tap network interface.
Definition: forward.c:1431
incoming_push_message
void incoming_push_message(struct context *c, const struct buffer *buffer)
Definition: push.c:504
fragment_incoming
void fragment_incoming(struct fragment_master *f, struct buffer *buf, const struct frame *frame)
Process an incoming packet, which may or may not be fragmented.
Definition: fragment.c:136
options::inactivity_timeout
int inactivity_timeout
Definition: options.h:330
context_2::coarse_timer_wakeup
time_t coarse_timer_wakeup
Definition: openvpn.h:402
tun_set
static void tun_set(struct tuntap *tt, struct event_set *es, unsigned int rwflags, void *arg, unsigned int *persistent)
Definition: tun.h:725
interval_future_trigger
static void interval_future_trigger(struct interval *top, interval_t wakeup)
Definition: interval.h:108
SOCKET_READ
#define SOCKET_READ
Definition: event.h:62
TLSMP_RECONNECT
#define TLSMP_RECONNECT
Definition: ssl.h:224
frame_adjust_path_mtu
void frame_adjust_path_mtu(struct context *c)
Checks and adjusts the fragment and mssfix value according to the discovered path mtu value.
Definition: mss.c:355
link_socket_get_outgoing_addr
static void link_socket_get_outgoing_addr(struct buffer *buf, const struct link_socket_info *info, struct link_socket_actual **act)
Definition: socket.h:966
CN_OUTGOING
#define CN_OUTGOING
Definition: clinat.h:31
event_timeout_reset
static void event_timeout_reset(struct event_timeout *et)
Resets a timer.
Definition: interval.h:189
msg
#define msg(flags,...)
Definition: error.h:150
P_DATA_V1
#define P_DATA_V1
Definition: ssl_pkt.h:47
check_incoming_control_channel
static void check_incoming_control_channel(struct context *c)
Definition: forward.c:238
PIPV6_IMCP_NOHOST_SERVER
#define PIPV6_IMCP_NOHOST_SERVER
Definition: forward.h:301
socket_stat
const char * socket_stat(const struct link_socket *s, unsigned int rwflags, struct gc_arena *gc)
Definition: socket.c:2522
tuntap_stop
static bool tuntap_stop(int status)
Definition: tun.h:473
frame::tun_mtu
int tun_mtu
the (user) configured tun-mtu.
Definition: mtu.h:131
ISC_ERRORS
#define ISC_ERRORS
Definition: init.h:114
options::ifconfig_ipv6_remote
const char * ifconfig_ipv6_remote
Definition: options.h:312
process_outgoing_link
void process_outgoing_link(struct context *c)
Write a packet to the external network interface.
Definition: forward.c:1723
perf_push
static void perf_push(int type)
Definition: perf.h:78
check_send_occ_msg
static void check_send_occ_msg(struct context *c)
Definition: occ.h:140
buf_printf
bool buf_printf(struct buffer *buf, const char *format,...)
Definition: buffer.c:240
PERF_READ_IN_LINK
#define PERF_READ_IN_LINK
Definition: perf.h:51
management_io
void management_io(struct management *man)
Definition: manage.c:3155
sockethandle_t::is_handle
bool is_handle
Definition: socket.h:272
ip_checksum
uint16_t ip_checksum(const sa_family_t af, const uint8_t *payload, const int len_payload, const uint8_t *src_addr, const uint8_t *dest_addr, const int proto)
Calculates an IP or IPv6 checksum with a pseudo header as required by TCP, UDP and ICMPv6.
Definition: proto.c:123
tv_string
const char * tv_string(const struct timeval *tv, struct gc_arena *gc)
Definition: otime.c:82
check_add_routes_action
static void check_add_routes_action(struct context *c, const bool errors)
Definition: forward.c:413
initialization_sequence_completed
void initialization_sequence_completed(struct context *c, const unsigned int flags)
Definition: init.c:1580
frame::headroom
int headroom
the headroom in the buffer, this is choosen to allow all potential header to be added before the pack...
Definition: mtu.h:108
check_add_routes
static void check_add_routes(struct context *c)
Definition: forward.c:428
buf_copy_n
static bool buf_copy_n(struct buffer *dest, struct buffer *src, int n)
Definition: buffer.h:736
D_SCHED_EXIT
#define D_SCHED_EXIT
Definition: errlevel.h:89
options::pull
bool pull
Definition: options.h:540
event_timeout_remaining
static interval_t event_timeout_remaining(struct event_timeout *et)
Returns the time until the timeout should triggered, from now.
Definition: interval.h:219
crypto_options
Security parameter state for processing data channel packets.
Definition: crypto.h:230
write_tun
int write_tun(struct tuntap *tt, uint8_t *buf, int len)
event_wait
static int event_wait(struct event_set *es, const struct timeval *tv, struct event_set_return *out, int outlen)
Definition: event.h:166
PROTO_UDP
@ PROTO_UDP
Definition: socket.h:555
context::c1
struct context_1 c1
Level 1 context.
Definition: openvpn.h:516
connection_established
static bool connection_established(struct context *c)
Definition: forward.h:416
context_immediate_reschedule
static void context_immediate_reschedule(struct context *c)
Definition: forward.c:123
write_tun_buffered
static int write_tun_buffered(struct tuntap *tt, struct buffer *buf)
Definition: tun.h:643
OPENVPN_ETH_P_IPV6
#define OPENVPN_ETH_P_IPV6
Definition: proto.h:61
buffer::data
uint8_t * data
Pointer to the allocated memory.
Definition: buffer.h:68
send_control_channel_string
bool send_control_channel_string(struct context *c, const char *str, int msglevel)
Definition: forward.c:396
fragment_outgoing_defined
static bool fragment_outgoing_defined(struct fragment_master *f)
Check whether a fragment_master structure contains fragments ready to be sent.
Definition: fragment.h:440
tls_pre_decrypt
bool tls_pre_decrypt(struct tls_multi *multi, const struct link_socket_actual *from, struct buffer *buf, struct crypto_options **opt, bool floated, const uint8_t **ad_start)
Determine whether an incoming packet is a data channel or control channel packet, and process accordi...
Definition: ssl.c:3455
context::net_ctx
openvpn_net_ctx_t net_ctx
Networking API opaque context.
Definition: openvpn.h:501