OpenVPN
forward.c
Go to the documentation of this file.
1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single TCP/UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
9  *
10  * This program is free software; you can redistribute it and/or modify
11  * it under the terms of the GNU General Public License version 2
12  * as published by the Free Software Foundation.
13  *
14  * This program is distributed in the hope that it will be useful,
15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17  * GNU General Public License for more details.
18  *
19  * You should have received a copy of the GNU General Public License along
20  * with this program; if not, write to the Free Software Foundation, Inc.,
21  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22  */
23 
24 #ifdef HAVE_CONFIG_H
25 #include "config.h"
26 #elif defined(_MSC_VER)
27 #include "config-msvc.h"
28 #endif
29 
30 #include "syshead.h"
31 
32 #include "forward.h"
33 #include "init.h"
34 #include "push.h"
35 #include "gremlin.h"
36 #include "mss.h"
37 #include "event.h"
38 #include "occ.h"
39 #include "pf.h"
40 #include "ping.h"
41 #include "ps.h"
42 #include "dhcp.h"
43 #include "common.h"
44 #include "ssl_verify.h"
45 
46 #include "memdbg.h"
47 
48 #include "mstats.h"
49 
52 
53 /* show event wait debugging info */
54 
55 #ifdef ENABLE_DEBUG
56 
57 const char *
58 wait_status_string(struct context *c, struct gc_arena *gc)
59 {
60  struct buffer out = alloc_buf_gc(64, gc);
61  buf_printf(&out, "I/O WAIT %s|%s|%s|%s %s",
62  tun_stat(c->c1.tuntap, EVENT_READ, gc),
63  tun_stat(c->c1.tuntap, EVENT_WRITE, gc),
66  tv_string(&c->c2.timeval, gc));
67  return BSTR(&out);
68 }
69 
70 void
71 show_wait_status(struct context *c)
72 {
73  struct gc_arena gc = gc_new();
74  dmsg(D_EVENT_WAIT, "%s", wait_status_string(c, &gc));
75  gc_free(&gc);
76 }
77 
78 #endif /* ifdef ENABLE_DEBUG */
79 
80 /*
81  * Does TLS session need service?
82  */
83 static inline void
84 check_tls(struct context *c)
85 {
86  void check_tls_dowork(struct context *c);
87 
88  if (c->c2.tls_multi)
89  {
91  }
92 }
93 
94 /*
95  * TLS errors are fatal in TCP mode.
96  * Also check for --tls-exit trigger.
97  */
98 static inline void
100 {
101  void check_tls_errors_co(struct context *c);
102 
103  void check_tls_errors_nco(struct context *c);
104 
105  if (c->c2.tls_multi && c->c2.tls_exit_signal)
106  {
108  {
109  if (c->c2.tls_multi->n_soft_errors)
110  {
112  }
113  }
114  else
115  {
116  if (c->c2.tls_multi->n_hard_errors)
117  {
119  }
120  }
121  }
122 }
123 
124 /*
125  * Check for possible incoming configuration
126  * messages on the control channel.
127  */
128 static inline void
130 {
131 #if P2MP
133 
134  if (tls_test_payload_len(c->c2.tls_multi) > 0)
135  {
137  }
138 #endif
139 }
140 
141 /*
142  * Options like --up-delay need to be triggered by this function which
143  * checks for connection establishment.
144  */
145 static inline void
147 {
149 
151  {
153  }
154 }
155 
156 /*
157  * Should we add routes?
158  */
159 static inline void
161 {
162  void check_add_routes_dowork(struct context *c);
163 
165  {
167  }
168 }
169 
170 /*
171  * Should we exit due to inactivity timeout?
172  */
173 static inline void
175 {
177 
180  {
182  }
183 }
184 
185 #if P2MP
186 
187 static inline void
189 {
191 
192  if (c->options.ce.connect_timeout
194  {
196  }
197 }
198 
199 /*
200  * Scheduled exit?
201  */
202 static inline void
204 {
205  void check_scheduled_exit_dowork(struct context *c);
206 
208  {
210  {
212  }
213  }
214 }
215 #endif /* if P2MP */
216 
217 /*
218  * Should we write timer-triggered status file.
219  */
220 static inline void
222 {
223  void check_status_file_dowork(struct context *c);
224 
225  if (c->c1.status_output)
226  {
228  {
230  }
231  }
232 }
233 
234 #ifdef ENABLE_FRAGMENT
235 /*
236  * Should we deliver a datagram fragment to remote?
237  */
238 static inline void
240 {
241  void check_fragment_dowork(struct context *c);
242 
243  if (c->c2.fragment)
244  {
246  }
247 }
248 #endif
249 
250 #if P2MP
251 
252 /*
253  * see if we should send a push_request in response to --pull
254  */
255 static inline void
257 {
258  void check_push_request_dowork(struct context *c);
259 
261  {
263  }
264 }
265 
266 #endif
267 
268 /*
269  * Should we persist our anti-replay packet ID state to disk?
270  */
271 static inline void
273 {
276  {
278  }
279 }
280 
281 /*
282  * Set our wakeup to 0 seconds, so we will be rescheduled
283  * immediately.
284  */
285 static inline void
287 {
288  c->c2.timeval.tv_sec = 0; /* ZERO-TIMEOUT */
289  c->c2.timeval.tv_usec = 0;
290 }
291 
292 static inline void
293 context_reschedule_sec(struct context *c, int sec)
294 {
295  if (sec < 0)
296  {
297  sec = 0;
298  }
299  if (sec < c->c2.timeval.tv_sec)
300  {
301  c->c2.timeval.tv_sec = sec;
302  c->c2.timeval.tv_usec = 0;
303  }
304 }
305 
306 /*
307  * In TLS mode, let TLS level respond to any control-channel
308  * packets which were received, or prepare any packets for
309  * transmission.
310  *
311  * tmp_int is purely an optimization that allows us to call
312  * tls_multi_process less frequently when there's not much
313  * traffic on the control-channel.
314  *
315  */
316 void
318 {
319  interval_t wakeup = BIG_TIMEOUT;
320 
321  if (interval_test(&c->c2.tmp_int))
322  {
323  const int tmp_status = tls_multi_process
324  (c->c2.tls_multi, &c->c2.to_link, &c->c2.to_link_addr,
325  get_link_socket_info(c), &wakeup);
326  if (tmp_status == TLSMP_ACTIVE)
327  {
328  update_time();
330  }
331  else if (tmp_status == TLSMP_KILL)
332  {
333  register_signal(c, SIGTERM, "auth-control-exit");
334  }
335 
336  interval_future_trigger(&c->c2.tmp_int, wakeup);
337  }
338 
339  interval_schedule_wakeup(&c->c2.tmp_int, &wakeup);
340 
341  if (wakeup)
342  {
343  context_reschedule_sec(c, wakeup);
344  }
345 }
346 
347 void
349 {
350  msg(D_STREAM_ERRORS, "Fatal TLS error (check_tls_errors_co), restarting");
351  register_signal(c, c->c2.tls_exit_signal, "tls-error"); /* SOFT-SIGUSR1 -- TLS error */
352 }
353 
354 void
356 {
357  register_signal(c, c->c2.tls_exit_signal, "tls-error"); /* SOFT-SIGUSR1 -- TLS error */
358 }
359 
360 #if P2MP
361 
362 /*
363  * Handle incoming configuration
364  * messages on the control channel.
365  */
366 void
368 {
369  const int len = tls_test_payload_len(c->c2.tls_multi);
370  if (len)
371  {
372  struct gc_arena gc = gc_new();
373  struct buffer buf = alloc_buf_gc(len, &gc);
374  if (tls_rec_payload(c->c2.tls_multi, &buf))
375  {
376  /* force null termination of message */
377  buf_null_terminate(&buf);
378 
379  /* enforce character class restrictions */
380  string_mod(BSTR(&buf), CC_PRINT, CC_CRLF, 0);
381 
382  if (buf_string_match_head_str(&buf, "AUTH_FAILED"))
383  {
384  receive_auth_failed(c, &buf);
385  }
386  else if (buf_string_match_head_str(&buf, "PUSH_"))
387  {
388  incoming_push_message(c, &buf);
389  }
390  else if (buf_string_match_head_str(&buf, "RESTART"))
391  {
392  server_pushed_signal(c, &buf, true, 7);
393  }
394  else if (buf_string_match_head_str(&buf, "HALT"))
395  {
396  server_pushed_signal(c, &buf, false, 4);
397  }
398  else
399  {
400  msg(D_PUSH_ERRORS, "WARNING: Received unknown control message: %s", BSTR(&buf));
401  }
402  }
403  else
404  {
405  msg(D_PUSH_ERRORS, "WARNING: Receive control message failed");
406  }
407 
408  gc_free(&gc);
409  }
410 }
411 
412 /*
413  * Periodically resend PUSH_REQUEST until PUSH message received
414  */
415 void
417 {
419 
420  /* if no response to first push_request, retry at PUSH_REQUEST_INTERVAL second intervals */
422 }
423 
424 #endif /* P2MP */
425 
426 /*
427  * Things that need to happen immediately after connection initiation should go here.
428  */
429 void
431 {
433  {
434  if (CONNECTION_ESTABLISHED(c))
435  {
436 #if P2MP
437  /* if --pull was specified, send a push request to server */
438  if (c->c2.tls_multi && c->options.pull)
439  {
440 #ifdef ENABLE_MANAGEMENT
441  if (management)
442  {
445  NULL,
446  NULL,
447  NULL,
448  NULL,
449  NULL);
450  }
451 #endif
452  /* fire up push request right away (already 1s delayed) */
455  }
456  else
457 #endif /* if P2MP */
458  {
459  do_up(c, false, 0);
460  }
461 
463  }
464  }
465 }
466 
467 /*
468  * Send a string to remote over the TLS control channel.
469  * Used for push/pull messages, passing username/password,
470  * etc.
471  */
472 bool
473 send_control_channel_string(struct context *c, const char *str, int msglevel)
474 {
475  if (c->c2.tls_multi)
476  {
477  struct gc_arena gc = gc_new();
478  bool stat;
479 
480  /* buffered cleartext write onto TLS control channel */
481  stat = tls_send_payload(c->c2.tls_multi, (uint8_t *) str, strlen(str) + 1);
482 
483  /*
484  * Reschedule tls_multi_process.
485  * NOTE: in multi-client mode, usually the below two statements are
486  * insufficient to reschedule the client instance object unless
487  * multi_schedule_context_wakeup(m, mi) is also called.
488  */
490  context_immediate_reschedule(c); /* ZERO-TIMEOUT */
491 
492  msg(msglevel, "SENT CONTROL [%s]: '%s' (status=%d)",
493  tls_common_name(c->c2.tls_multi, false),
494  sanitize_control_message(str, &gc),
495  (int) stat);
496 
497  gc_free(&gc);
498  return stat;
499  }
500  return true;
501 }
502 
503 /*
504  * Add routes.
505  */
506 
507 static void
508 check_add_routes_action(struct context *c, const bool errors)
509 {
511  c->c1.tuntap, c->plugins, c->c2.es);
512  update_time();
515  initialization_sequence_completed(c, errors ? ISC_ERRORS : 0); /* client/p2p --route-delay was defined */
516 }
517 
518 void
520 {
521  if (test_routes(c->c1.route_list, c->c1.tuntap))
522  {
523  check_add_routes_action(c, false);
524  }
526  {
527  check_add_routes_action(c, true);
528  }
529  else
530  {
531  msg(D_ROUTE, "Route: Waiting for TUN/TAP interface to come up...");
532  if (c->c1.tuntap)
533  {
534  if (!tun_standby(c->c1.tuntap))
535  {
536  register_signal(c, SIGHUP, "ip-fail");
538 #ifdef _WIN32
541 #endif
542  }
543  }
544  update_time();
545  if (c->c2.route_wakeup.n != 1)
546  {
548  }
550  }
551 }
552 
553 /*
554  * Should we exit due to inactivity timeout?
555  */
556 void
558 {
559  msg(M_INFO, "Inactivity timeout (--inactive), exiting");
560  register_signal(c, SIGTERM, "inactive");
561 }
562 
563 int
564 get_server_poll_remaining_time(struct event_timeout *server_poll_timeout)
565 {
566  update_time();
567  int remaining = event_timeout_remaining(server_poll_timeout);
568  return max_int(0, remaining);
569 }
570 #if P2MP
571 
572 void
574 {
576  ASSERT(c->c2.tls_multi);
578  {
579  msg(M_INFO, "Server poll timeout, restarting");
580  register_signal(c, SIGUSR1, "server_poll");
582  }
583 }
584 
585 /*
586  * Schedule a signal n_seconds from now.
587  */
588 void
589 schedule_exit(struct context *c, const int n_seconds, const int signal)
590 {
592  update_time();
594  event_timeout_init(&c->c2.scheduled_exit, n_seconds, now);
595  c->c2.scheduled_exit_signal = signal;
596  msg(D_SCHED_EXIT, "Delayed exit in %d seconds", n_seconds);
597 }
598 
599 /*
600  * Scheduled exit?
601  */
602 void
604 {
605  register_signal(c, c->c2.scheduled_exit_signal, "delayed-exit");
606 }
607 
608 #endif /* if P2MP */
609 
610 /*
611  * Should we write timer-triggered status file.
612  */
613 void
615 {
616  if (c->c1.status_output)
617  {
619  }
620 }
621 
622 #ifdef ENABLE_FRAGMENT
623 /*
624  * Should we deliver a datagram fragment to remote?
625  */
626 void
628 {
629  struct link_socket_info *lsi = get_link_socket_info(c);
630 
631  /* OS MTU Hint? */
632  if (lsi->mtu_changed)
633  {
635  c->options.ce.proto);
636  lsi->mtu_changed = false;
637  }
638 
640  {
641  if (!c->c2.to_link.len)
642  {
643  /* encrypt a fragment for output to TCP/UDP port */
645  encrypt_sign(c, false);
646  }
647  }
648 
650 }
651 #endif /* ifdef ENABLE_FRAGMENT */
652 
653 /*
654  * Buffer reallocation, for use with null encryption.
655  */
656 static inline void
657 buffer_turnover(const uint8_t *orig_buf, struct buffer *dest_stub, struct buffer *src_stub, struct buffer *storage)
658 {
659  if (orig_buf == src_stub->data && src_stub->data != storage->data)
660  {
661  buf_assign(storage, src_stub);
662  *dest_stub = *storage;
663  }
664  else
665  {
666  *dest_stub = *src_stub;
667  }
668 }
669 
670 /*
671  * Compress, fragment, encrypt and HMAC-sign an outgoing packet.
672  * Input: c->c2.buf
673  * Output: c->c2.to_link
674  */
675 void
676 encrypt_sign(struct context *c, bool comp_frag)
677 {
678  struct context_buffers *b = c->c2.buffers;
679  const uint8_t *orig_buf = c->c2.buf.data;
680  struct crypto_options *co = NULL;
681 
682 #if P2MP_SERVER
683  /*
684  * Drop non-TLS outgoing packet if client-connect script/plugin
685  * has not yet succeeded.
686  */
687  if (c->c2.context_auth != CAS_SUCCEEDED)
688  {
689  c->c2.buf.len = 0;
690  }
691 #endif
692 
693  if (comp_frag)
694  {
695 #ifdef USE_COMP
696  /* Compress the packet. */
697  if (c->c2.comp_context)
698  {
699  (*c->c2.comp_context->alg.compress)(&c->c2.buf, b->compress_buf, c->c2.comp_context, &c->c2.frame);
700  }
701 #endif
702 #ifdef ENABLE_FRAGMENT
703  if (c->c2.fragment)
704  {
706  }
707 #endif
708  }
709 
710  /* initialize work buffer with FRAME_HEADROOM bytes of prepend capacity */
712 
713  if (c->c2.tls_multi)
714  {
715  /* Get the key we will use to encrypt the packet. */
716  tls_pre_encrypt(c->c2.tls_multi, &c->c2.buf, &co);
717  /* If using P_DATA_V2, prepend the 1-byte opcode and 3-byte peer-id to the
718  * packet before openvpn_encrypt(), so we can authenticate the opcode too.
719  */
720  if (c->c2.buf.len > 0 && c->c2.tls_multi->use_peer_id)
721  {
723  }
724  }
725  else
726  {
727  co = &c->c2.crypto_options;
728  }
729 
730  /* Encrypt and authenticate the packet */
731  openvpn_encrypt(&c->c2.buf, b->encrypt_buf, co);
732 
733  /* Do packet administration */
734  if (c->c2.tls_multi)
735  {
736  if (c->c2.buf.len > 0 && !c->c2.tls_multi->use_peer_id)
737  {
739  }
741  }
742 
743  /*
744  * Get the address we will be sending the packet to.
745  */
747  &c->c2.to_link_addr);
748 
749  /* if null encryption, copy result to read_tun_buf */
750  buffer_turnover(orig_buf, &c->c2.to_link, &c->c2.buf, &b->read_tun_buf);
751 }
752 
753 /*
754  * Coarse timers work to 1 second resolution.
755  */
756 static void
758 {
759  /* flush current packet-id to file once per 60
760  * seconds if --replay-persist was specified */
762 
763  /* should we update status file? */
765 
766  /* process connection establishment items */
768 
769 #if P2MP
770  /* see if we should send a push_request in response to --pull */
772 #endif
773 
774 #ifdef PLUGIN_PF
775  pf_check_reload(c);
776 #endif
777 
778  /* process --route options */
779  check_add_routes(c);
780 
781  /* possibly exit due to --inactive */
783  if (c->sig->signal_received)
784  {
785  return;
786  }
787 
788  /* restart if ping not received */
790  if (c->sig->signal_received)
791  {
792  return;
793  }
794 
795 #if P2MP
796  if (c->c2.tls_multi)
797  {
799  if (c->sig->signal_received)
800  {
801  return;
802  }
803 
805  if (c->sig->signal_received)
806  {
807  return;
808  }
809  }
810 #endif
811 
812 #ifdef ENABLE_OCC
813  /* Should we send an OCC_REQUEST message? */
815 
816  /* Should we send an MTU load test? */
818 
819  /* Should we send an OCC_EXIT message to remote? */
821  {
823  }
824 #endif
825 
826  /* Should we ping the remote? */
827  check_ping_send(c);
828 }
829 
830 static void
832 {
833  const struct timeval save = c->c2.timeval;
834  c->c2.timeval.tv_sec = BIG_TIMEOUT;
835  c->c2.timeval.tv_usec = 0;
837  c->c2.coarse_timer_wakeup = now + c->c2.timeval.tv_sec;
838 
839  dmsg(D_INTERVAL, "TIMER: coarse timer wakeup %"PRIi64" seconds", (int64_t)c->c2.timeval.tv_sec);
840 
841  /* Is the coarse timeout NOT the earliest one? */
842  if (c->c2.timeval.tv_sec > save.tv_sec)
843  {
844  c->c2.timeval = save;
845  }
846 }
847 
848 static inline void
850 {
851  const time_t local_now = now;
852  if (local_now >= c->c2.coarse_timer_wakeup)
853  {
855  }
856  else
857  {
858  context_reschedule_sec(c, c->c2.coarse_timer_wakeup - local_now);
859  }
860 }
861 
862 static void
864 {
865  const int update_interval = 10; /* seconds */
866  c->c2.update_timeout_random_component = now + update_interval;
867  c->c2.timeout_random_component.tv_usec = (time_t) get_random() & 0x0003FFFF;
868  c->c2.timeout_random_component.tv_sec = 0;
869 
870  dmsg(D_INTERVAL, "RANDOM USEC=%ld", (long) c->c2.timeout_random_component.tv_usec);
871 }
872 
873 static inline void
875 {
877  {
879  }
880  if (c->c2.timeval.tv_sec >= 1)
881  {
883  }
884 }
885 
886 /*
887  * Handle addition and removal of the 10-byte Socks5 header
888  * in UDP packets.
889  */
890 
891 static inline void
893 {
895  {
897  }
898 }
899 
900 static inline void
902  struct link_socket_actual **to_addr,
903  int *size_delta)
904 {
906  {
907  *size_delta += socks_process_outgoing_udp(&c->c2.to_link, c->c2.to_link_addr);
908  *to_addr = &c->c2.link_socket->socks_relay;
909  }
910 }
911 
912 /* undo effect of socks_preprocess_outgoing_link */
913 static inline void
915  int size_delta,
916  struct buffer *buf)
917 {
918  if (size_delta > 0 && *size > size_delta)
919  {
920  *size -= size_delta;
921  if (!buf_advance(buf, size_delta))
922  {
923  *size = 0;
924  }
925  }
926 }
927 
928 /*
929  * Output: c->c2.buf
930  */
931 
932 void
934 {
935  /*
936  * Set up for recvfrom call to read datagram
937  * sent to our TCP/UDP port.
938  */
939  int status;
940 
941  /*ASSERT (!c->c2.to_tun.len);*/
942 
944 
945  c->c2.buf = c->c2.buffers->read_link_buf;
947 
948  status = link_socket_read(c->c2.link_socket,
949  &c->c2.buf,
950  &c->c2.from);
951 
952  if (socket_connection_reset(c->c2.link_socket, status))
953  {
954 #if PORT_SHARE
955  if (port_share && socket_foreign_protocol_detected(c->c2.link_socket))
956  {
957  const struct buffer *fbuf = socket_foreign_protocol_head(c->c2.link_socket);
958  const int sd = socket_foreign_protocol_sd(c->c2.link_socket);
959  port_share_redirect(port_share, fbuf, sd);
960  register_signal(c, SIGTERM, "port-share-redirect");
961  }
962  else
963 #endif
964  {
965  /* received a disconnect from a connection-oriented protocol */
966  if (c->options.inetd)
967  {
968  register_signal(c, SIGTERM, "connection-reset-inetd");
969  msg(D_STREAM_ERRORS, "Connection reset, inetd/xinetd exit [%d]", status);
970  }
971  else
972  {
973 #ifdef ENABLE_OCC
975  {
976  msg(D_STREAM_ERRORS, "Connection reset during exit notification period, ignoring [%d]", status);
977  management_sleep(1);
978  }
979  else
980 #endif
981  {
982  register_signal(c, SIGUSR1, "connection-reset"); /* SOFT-SIGUSR1 -- TCP connection reset */
983  msg(D_STREAM_ERRORS, "Connection reset, restarting [%d]", status);
984  }
985  }
986  }
987  perf_pop();
988  return;
989  }
990 
991  /* check recvfrom status */
992  check_status(status, "read", c->c2.link_socket, NULL);
993 
994  /* Remove socks header if applicable */
996 
997  perf_pop();
998 }
999 
1000 bool
1001 process_incoming_link_part1(struct context *c, struct link_socket_info *lsi, bool floated)
1002 {
1003  struct gc_arena gc = gc_new();
1004  bool decrypt_status = false;
1005 
1006  if (c->c2.buf.len > 0)
1007  {
1008  c->c2.link_read_bytes += c->c2.buf.len;
1010 #ifdef ENABLE_MEMSTATS
1011  if (mmap_stats)
1012  {
1013  mmap_stats->link_read_bytes = link_read_bytes_global;
1014  }
1015 #endif
1016  c->c2.original_recv_size = c->c2.buf.len;
1017 #ifdef ENABLE_MANAGEMENT
1018  if (management)
1019  {
1021 #ifdef MANAGEMENT_DEF_AUTH
1022  management_bytes_server(management, &c->c2.link_read_bytes, &c->c2.link_write_bytes, &c->c2.mda_context);
1023 #endif
1024  }
1025 #endif
1026  }
1027  else
1028  {
1029  c->c2.original_recv_size = 0;
1030  }
1031 
1032 #ifdef ENABLE_DEBUG
1033  /* take action to corrupt packet if we are in gremlin test mode */
1034  if (c->options.gremlin)
1035  {
1036  if (!ask_gremlin(c->options.gremlin))
1037  {
1038  c->c2.buf.len = 0;
1039  }
1040  corrupt_gremlin(&c->c2.buf, c->options.gremlin);
1041  }
1042 #endif
1043 
1044  /* log incoming packet */
1045 #ifdef LOG_RW
1046  if (c->c2.log_rw && c->c2.buf.len > 0)
1047  {
1048  fprintf(stderr, "R");
1049  }
1050 #endif
1051  msg(D_LINK_RW, "%s READ [%d] from %s: %s",
1052  proto2ascii(lsi->proto, lsi->af, true),
1053  BLEN(&c->c2.buf),
1054  print_link_socket_actual(&c->c2.from, &gc),
1055  PROTO_DUMP(&c->c2.buf, &gc));
1056 
1057  /*
1058  * Good, non-zero length packet received.
1059  * Commence multi-stage processing of packet,
1060  * such as authenticate, decrypt, decompress.
1061  * If any stage fails, it sets buf.len to 0 or -1,
1062  * telling downstream stages to ignore the packet.
1063  */
1064  if (c->c2.buf.len > 0)
1065  {
1066  struct crypto_options *co = NULL;
1067  const uint8_t *ad_start = NULL;
1068  if (!link_socket_verify_incoming_addr(&c->c2.buf, lsi, &c->c2.from))
1069  {
1070  link_socket_bad_incoming_addr(&c->c2.buf, lsi, &c->c2.from);
1071  }
1072 
1073  if (c->c2.tls_multi)
1074  {
1075  /*
1076  * If tls_pre_decrypt returns true, it means the incoming
1077  * packet was a good TLS control channel packet. If so, TLS code
1078  * will deal with the packet and set buf.len to 0 so downstream
1079  * stages ignore it.
1080  *
1081  * If the packet is a data channel packet, tls_pre_decrypt
1082  * will load crypto_options with the correct encryption key
1083  * and return false.
1084  */
1085  uint8_t opcode = *BPTR(&c->c2.buf) >> P_OPCODE_SHIFT;
1086  if (tls_pre_decrypt(c->c2.tls_multi, &c->c2.from, &c->c2.buf, &co,
1087  floated, &ad_start))
1088  {
1089  /* Restore pre-NCP frame parameters */
1090  if (is_hard_reset(opcode, c->options.key_method))
1091  {
1092  c->c2.frame = c->c2.frame_initial;
1093  }
1094 
1095  interval_action(&c->c2.tmp_int);
1096 
1097  /* reset packet received timer if TLS packet */
1098  if (c->options.ping_rec_timeout)
1099  {
1101  }
1102  }
1103  }
1104  else
1105  {
1106  co = &c->c2.crypto_options;
1107  }
1108 #if P2MP_SERVER
1109  /*
1110  * Drop non-TLS packet if client-connect script/plugin has not
1111  * yet succeeded.
1112  */
1113  if (c->c2.context_auth != CAS_SUCCEEDED)
1114  {
1115  c->c2.buf.len = 0;
1116  }
1117 #endif
1118 
1119  /* authenticate and decrypt the incoming packet */
1120  decrypt_status = openvpn_decrypt(&c->c2.buf, c->c2.buffers->decrypt_buf,
1121  co, &c->c2.frame, ad_start);
1122 
1123  if (!decrypt_status && link_socket_connection_oriented(c->c2.link_socket))
1124  {
1125  /* decryption errors are fatal in TCP mode */
1126  register_signal(c, SIGUSR1, "decryption-error"); /* SOFT-SIGUSR1 -- decryption error in TCP mode */
1127  msg(D_STREAM_ERRORS, "Fatal decryption error (process_incoming_link), restarting");
1128  }
1129  }
1130  else
1131  {
1132  buf_reset(&c->c2.to_tun);
1133  }
1134  gc_free(&gc);
1135 
1136  return decrypt_status;
1137 }
1138 
1139 void
1140 process_incoming_link_part2(struct context *c, struct link_socket_info *lsi, const uint8_t *orig_buf)
1141 {
1142  if (c->c2.buf.len > 0)
1143  {
1144 #ifdef ENABLE_FRAGMENT
1145  if (c->c2.fragment)
1146  {
1148  }
1149 #endif
1150 
1151 #ifdef USE_COMP
1152  /* decompress the incoming packet */
1153  if (c->c2.comp_context)
1154  {
1155  (*c->c2.comp_context->alg.decompress)(&c->c2.buf, c->c2.buffers->decompress_buf, c->c2.comp_context, &c->c2.frame);
1156  }
1157 #endif
1158 
1159 #ifdef PACKET_TRUNCATION_CHECK
1160  /* if (c->c2.buf.len > 1) --c->c2.buf.len; */
1161  ipv4_packet_size_verify(BPTR(&c->c2.buf),
1162  BLEN(&c->c2.buf),
1163  TUNNEL_TYPE(c->c1.tuntap),
1164  "POST_DECRYPT",
1165  &c->c2.n_trunc_post_decrypt);
1166 #endif
1167 
1168  /*
1169  * Set our "official" outgoing address, since
1170  * if buf.len is non-zero, we know the packet
1171  * authenticated. In TLS mode we do nothing
1172  * because TLS mode takes care of source address
1173  * authentication.
1174  *
1175  * Also, update the persisted version of our packet-id.
1176  */
1177  if (!TLS_MODE(c))
1178  {
1179  link_socket_set_outgoing_addr(&c->c2.buf, lsi, &c->c2.from, NULL, c->c2.es);
1180  }
1181 
1182  /* reset packet received timer */
1183  if (c->options.ping_rec_timeout && c->c2.buf.len > 0)
1184  {
1186  }
1187 
1188  /* increment authenticated receive byte count */
1189  if (c->c2.buf.len > 0)
1190  {
1191  c->c2.link_read_bytes_auth += c->c2.buf.len;
1193  }
1194 
1195  /* Did we just receive an openvpn ping packet? */
1196  if (is_ping_msg(&c->c2.buf))
1197  {
1198  dmsg(D_PING, "RECEIVED PING PACKET");
1199  c->c2.buf.len = 0; /* drop packet */
1200  }
1201 
1202 #ifdef ENABLE_OCC
1203  /* Did we just receive an OCC packet? */
1204  if (is_occ_msg(&c->c2.buf))
1205  {
1207  }
1208 #endif
1209 
1210  buffer_turnover(orig_buf, &c->c2.to_tun, &c->c2.buf, &c->c2.buffers->read_link_buf);
1211 
1212  /* to_tun defined + unopened tuntap can cause deadlock */
1213  if (!tuntap_defined(c->c1.tuntap))
1214  {
1215  c->c2.to_tun.len = 0;
1216  }
1217  }
1218  else
1219  {
1220  buf_reset(&c->c2.to_tun);
1221  }
1222 }
1223 
1224 static void
1226 {
1228 
1229  struct link_socket_info *lsi = get_link_socket_info(c);
1230  const uint8_t *orig_buf = c->c2.buf.data;
1231 
1232  process_incoming_link_part1(c, lsi, false);
1233  process_incoming_link_part2(c, lsi, orig_buf);
1234 
1235  perf_pop();
1236 }
1237 
1238 /*
1239  * Output: c->c2.buf
1240  */
1241 
1242 void
1244 {
1245  /*
1246  * Setup for read() call on TUN/TAP device.
1247  */
1248  /*ASSERT (!c->c2.to_link.len);*/
1249 
1251 
1252  c->c2.buf = c->c2.buffers->read_tun_buf;
1253 #ifdef TUN_PASS_BUFFER
1255 #else
1256  ASSERT(buf_init(&c->c2.buf, FRAME_HEADROOM(&c->c2.frame)));
1258  c->c2.buf.len = read_tun(c->c1.tuntap, BPTR(&c->c2.buf), MAX_RW_SIZE_TUN(&c->c2.frame));
1259 #endif
1260 
1261 #ifdef PACKET_TRUNCATION_CHECK
1262  ipv4_packet_size_verify(BPTR(&c->c2.buf),
1263  BLEN(&c->c2.buf),
1264  TUNNEL_TYPE(c->c1.tuntap),
1265  "READ_TUN",
1266  &c->c2.n_trunc_tun_read);
1267 #endif
1268 
1269  /* Was TUN/TAP interface stopped? */
1270  if (tuntap_stop(c->c2.buf.len))
1271  {
1272  register_signal(c, SIGTERM, "tun-stop");
1273  msg(M_INFO, "TUN/TAP interface has been stopped, exiting");
1274  perf_pop();
1275  return;
1276  }
1277 
1278  /* Was TUN/TAP I/O operation aborted? */
1279  if (tuntap_abort(c->c2.buf.len))
1280  {
1281  register_signal(c, SIGHUP, "tun-abort");
1283  msg(M_INFO, "TUN/TAP I/O operation aborted, restarting");
1284  perf_pop();
1285  return;
1286  }
1287 
1288  /* Check the status return from read() */
1289  check_status(c->c2.buf.len, "read from TUN/TAP", NULL, c->c1.tuntap);
1290 
1291  perf_pop();
1292 }
1293 
1302 static void
1304 {
1305  bool drop = false;
1306  struct openvpn_sockaddr tun_sa;
1307  int ip_hdr_offset = 0;
1308 
1309  if (c->c2.to_link_addr == NULL) /* no remote addr known */
1310  {
1311  return;
1312  }
1313 
1314  tun_sa = c->c2.to_link_addr->dest;
1315 
1316  int proto_ver = get_tun_ip_ver(TUNNEL_TYPE(c->c1.tuntap), &c->c2.buf, &ip_hdr_offset);
1317 
1318  if (proto_ver == 4)
1319  {
1320  const struct openvpn_iphdr *pip;
1321 
1322  /* make sure we got whole IP header */
1323  if (BLEN(buf) < ((int) sizeof(struct openvpn_iphdr) + ip_hdr_offset))
1324  {
1325  return;
1326  }
1327 
1328  /* skip ipv4 packets for ipv6 tun */
1329  if (tun_sa.addr.sa.sa_family != AF_INET)
1330  {
1331  return;
1332  }
1333 
1334  pip = (struct openvpn_iphdr *) (BPTR(buf) + ip_hdr_offset);
1335 
1336  /* drop packets with same dest addr as gateway */
1337  if (tun_sa.addr.in4.sin_addr.s_addr == pip->daddr)
1338  {
1339  drop = true;
1340  }
1341  }
1342  else if (proto_ver == 6)
1343  {
1344  const struct openvpn_ipv6hdr *pip6;
1345 
1346  /* make sure we got whole IPv6 header */
1347  if (BLEN(buf) < ((int) sizeof(struct openvpn_ipv6hdr) + ip_hdr_offset))
1348  {
1349  return;
1350  }
1351 
1352  /* skip ipv6 packets for ipv4 tun */
1353  if (tun_sa.addr.sa.sa_family != AF_INET6)
1354  {
1355  return;
1356  }
1357 
1358  /* drop packets with same dest addr as gateway */
1359  pip6 = (struct openvpn_ipv6hdr *) (BPTR(buf) + ip_hdr_offset);
1360  if (IN6_ARE_ADDR_EQUAL(&tun_sa.addr.in6.sin6_addr, &pip6->daddr))
1361  {
1362  drop = true;
1363  }
1364  }
1365 
1366  if (drop)
1367  {
1368  struct gc_arena gc = gc_new();
1369 
1370  c->c2.buf.len = 0;
1371 
1372  msg(D_LOW, "Recursive routing detected, drop tun packet to %s",
1374  gc_free(&gc);
1375  }
1376 }
1377 
1378 /*
1379  * Input: c->c2.buf
1380  * Output: c->c2.to_link
1381  */
1382 
1383 void
1385 {
1386  struct gc_arena gc = gc_new();
1387 
1389 
1390  if (c->c2.buf.len > 0)
1391  {
1392  c->c2.tun_read_bytes += c->c2.buf.len;
1393  }
1394 
1395 #ifdef LOG_RW
1396  if (c->c2.log_rw && c->c2.buf.len > 0)
1397  {
1398  fprintf(stderr, "r");
1399  }
1400 #endif
1401 
1402  /* Show packet content */
1403  dmsg(D_TUN_RW, "TUN READ [%d]", BLEN(&c->c2.buf));
1404 
1405  if (c->c2.buf.len > 0)
1406  {
1408  {
1410  }
1411  /*
1412  * The --passtos and --mssfix options require
1413  * us to examine the IP header (IPv4 or IPv6).
1414  */
1416 
1417 #ifdef PACKET_TRUNCATION_CHECK
1418  /* if (c->c2.buf.len > 1) --c->c2.buf.len; */
1419  ipv4_packet_size_verify(BPTR(&c->c2.buf),
1420  BLEN(&c->c2.buf),
1421  TUNNEL_TYPE(c->c1.tuntap),
1422  "PRE_ENCRYPT",
1423  &c->c2.n_trunc_pre_encrypt);
1424 #endif
1425 
1426  encrypt_sign(c, true);
1427  }
1428  else
1429  {
1430  buf_reset(&c->c2.to_link);
1431  }
1432  perf_pop();
1433  gc_free(&gc);
1434 }
1435 
1436 void
1437 process_ip_header(struct context *c, unsigned int flags, struct buffer *buf)
1438 {
1439  if (!c->options.ce.mssfix)
1440  {
1441  flags &= ~PIP_MSSFIX;
1442  }
1443 #if PASSTOS_CAPABILITY
1444  if (!c->options.passtos)
1445  {
1446  flags &= ~PIPV4_PASSTOS;
1447  }
1448 #endif
1449  if (!c->options.client_nat)
1450  {
1451  flags &= ~PIPV4_CLIENT_NAT;
1452  }
1454  {
1455  flags &= ~PIPV4_EXTRACT_DHCP_ROUTER;
1456  }
1457 
1458  if (buf->len > 0)
1459  {
1460  /*
1461  * The --passtos and --mssfix options require
1462  * us to examine the IPv4 header.
1463  */
1464 
1465  if (flags & (PIP_MSSFIX
1467  | PIPV4_PASSTOS
1468 #endif
1470  ))
1471  {
1472  struct buffer ipbuf = *buf;
1473  if (is_ipv4(TUNNEL_TYPE(c->c1.tuntap), &ipbuf))
1474  {
1475 #if PASSTOS_CAPABILITY
1476  /* extract TOS from IP header */
1477  if (flags & PIPV4_PASSTOS)
1478  {
1479  link_socket_extract_tos(c->c2.link_socket, &ipbuf);
1480  }
1481 #endif
1482 
1483  /* possibly alter the TCP MSS */
1484  if (flags & PIP_MSSFIX)
1485  {
1487  }
1488 
1489  /* possibly do NAT on packet */
1490  if ((flags & PIPV4_CLIENT_NAT) && c->options.client_nat)
1491  {
1492  const int direction = (flags & PIPV4_OUTGOING) ? CN_INCOMING : CN_OUTGOING;
1493  client_nat_transform(c->options.client_nat, &ipbuf, direction);
1494  }
1495  /* possibly extract a DHCP router message */
1496  if (flags & PIPV4_EXTRACT_DHCP_ROUTER)
1497  {
1498  const in_addr_t dhcp_router = dhcp_extract_router_msg(&ipbuf);
1499  if (dhcp_router)
1500  {
1501  route_list_add_vpn_gateway(c->c1.route_list, c->c2.es, dhcp_router);
1502  }
1503  }
1504  }
1505  else if (is_ipv6(TUNNEL_TYPE(c->c1.tuntap), &ipbuf))
1506  {
1507  /* possibly alter the TCP MSS */
1508  if (flags & PIP_MSSFIX)
1509  {
1511  }
1512  }
1513  }
1514  }
1515 }
1516 
1517 /*
1518  * Input: c->c2.to_link
1519  */
1520 
1521 void
1523 {
1524  struct gc_arena gc = gc_new();
1525  int error_code = 0;
1526 
1528 
1529  if (c->c2.to_link.len > 0 && c->c2.to_link.len <= EXPANDED_SIZE(&c->c2.frame))
1530  {
1531  /*
1532  * Setup for call to send/sendto which will send
1533  * packet to remote over the TCP/UDP port.
1534  */
1535  int size = 0;
1537 
1538 #ifdef ENABLE_DEBUG
1539  /* In gremlin-test mode, we may choose to drop this packet */
1540  if (!c->options.gremlin || ask_gremlin(c->options.gremlin))
1541 #endif
1542  {
1543  /*
1544  * Let the traffic shaper know how many bytes
1545  * we wrote.
1546  */
1547 #ifdef ENABLE_FEATURE_SHAPER
1548  if (c->options.shaper)
1549  {
1550  shaper_wrote_bytes(&c->c2.shaper, BLEN(&c->c2.to_link)
1552  }
1553 #endif
1554  /*
1555  * Let the pinger know that we sent a packet.
1556  */
1557  if (c->options.ping_send_timeout)
1558  {
1560  }
1561 
1562 #if PASSTOS_CAPABILITY
1563  /* Set TOS */
1564  link_socket_set_tos(c->c2.link_socket);
1565 #endif
1566 
1567  /* Log packet send */
1568 #ifdef LOG_RW
1569  if (c->c2.log_rw)
1570  {
1571  fprintf(stderr, "W");
1572  }
1573 #endif
1574  msg(D_LINK_RW, "%s WRITE [%d] to %s: %s",
1576  BLEN(&c->c2.to_link),
1578  PROTO_DUMP(&c->c2.to_link, &gc));
1579 
1580  /* Packet send complexified by possible Socks5 usage */
1581  {
1582  struct link_socket_actual *to_addr = c->c2.to_link_addr;
1583  int size_delta = 0;
1584 
1585  /* If Socks5 over UDP, prepend header */
1586  socks_preprocess_outgoing_link(c, &to_addr, &size_delta);
1587 
1588  /* Send packet */
1589  size = link_socket_write(c->c2.link_socket,
1590  &c->c2.to_link,
1591  to_addr);
1592 
1593  /* Undo effect of prepend */
1594  link_socket_write_post_size_adjust(&size, size_delta, &c->c2.to_link);
1595  }
1596 
1597  if (size > 0)
1598  {
1600  c->c2.link_write_bytes += size;
1601  link_write_bytes_global += size;
1602 #ifdef ENABLE_MEMSTATS
1603  if (mmap_stats)
1604  {
1605  mmap_stats->link_write_bytes = link_write_bytes_global;
1606  }
1607 #endif
1608 #ifdef ENABLE_MANAGEMENT
1609  if (management)
1610  {
1612 #ifdef MANAGEMENT_DEF_AUTH
1613  management_bytes_server(management, &c->c2.link_read_bytes, &c->c2.link_write_bytes, &c->c2.mda_context);
1614 #endif
1615  }
1616 #endif
1617  }
1618  }
1619 
1620  /* Check return status */
1621  error_code = openvpn_errno();
1622  check_status(size, "write", c->c2.link_socket, NULL);
1623 
1624  if (size > 0)
1625  {
1626  /* Did we write a different size packet than we intended? */
1627  if (size != BLEN(&c->c2.to_link))
1628  {
1630  "TCP/UDP packet was truncated/expanded on write to %s (tried=%d,actual=%d)",
1632  BLEN(&c->c2.to_link),
1633  size);
1634  }
1635  }
1636 
1637  /* if not a ping/control message, indicate activity regarding --inactive parameter */
1638  if (c->c2.buf.len > 0)
1639  {
1640  register_activity(c, size);
1641  }
1642 
1643  /* for unreachable network and "connecting" state switch to the next host */
1644  if (size < 0 && ENETUNREACH == error_code && c->c2.tls_multi
1646  {
1647  msg(M_INFO, "Network unreachable, restarting");
1648  register_signal(c, SIGUSR1, "network-unreachable");
1649  }
1650  }
1651  else
1652  {
1653  if (c->c2.to_link.len > 0)
1654  {
1655  msg(D_LINK_ERRORS, "TCP/UDP packet too large on write to %s (tried=%d,max=%d)",
1657  c->c2.to_link.len,
1658  EXPANDED_SIZE(&c->c2.frame));
1659  }
1660  }
1661 
1662  buf_reset(&c->c2.to_link);
1663 
1664  perf_pop();
1665  gc_free(&gc);
1666 }
1667 
1668 /*
1669  * Input: c->c2.to_tun
1670  */
1671 
1672 void
1674 {
1675  struct gc_arena gc = gc_new();
1676 
1677  /*
1678  * Set up for write() call to TUN/TAP
1679  * device.
1680  */
1681  if (c->c2.to_tun.len <= 0)
1682  {
1683  return;
1684  }
1685 
1687 
1688  /*
1689  * The --mssfix option requires
1690  * us to examine the IP header (IPv4 or IPv6).
1691  */
1693 
1694  if (c->c2.to_tun.len <= MAX_RW_SIZE_TUN(&c->c2.frame))
1695  {
1696  /*
1697  * Write to TUN/TAP device.
1698  */
1699  int size;
1700 
1701 #ifdef LOG_RW
1702  if (c->c2.log_rw)
1703  {
1704  fprintf(stderr, "w");
1705  }
1706 #endif
1707  dmsg(D_TUN_RW, "TUN WRITE [%d]", BLEN(&c->c2.to_tun));
1708 
1709 #ifdef PACKET_TRUNCATION_CHECK
1710  ipv4_packet_size_verify(BPTR(&c->c2.to_tun),
1711  BLEN(&c->c2.to_tun),
1712  TUNNEL_TYPE(c->c1.tuntap),
1713  "WRITE_TUN",
1714  &c->c2.n_trunc_tun_write);
1715 #endif
1716 
1717 #ifdef TUN_PASS_BUFFER
1718  size = write_tun_buffered(c->c1.tuntap, &c->c2.to_tun);
1719 #else
1720  size = write_tun(c->c1.tuntap, BPTR(&c->c2.to_tun), BLEN(&c->c2.to_tun));
1721 #endif
1722 
1723  if (size > 0)
1724  {
1725  c->c2.tun_write_bytes += size;
1726  }
1727  check_status(size, "write to TUN/TAP", NULL, c->c1.tuntap);
1728 
1729  /* check written packet size */
1730  if (size > 0)
1731  {
1732  /* Did we write a different size packet than we intended? */
1733  if (size != BLEN(&c->c2.to_tun))
1734  {
1736  "TUN/TAP packet was destructively fragmented on write to %s (tried=%d,actual=%d)",
1737  c->c1.tuntap->actual_name,
1738  BLEN(&c->c2.to_tun),
1739  size);
1740  }
1741 
1742  /* indicate activity regarding --inactive parameter */
1743  register_activity(c, size);
1744  }
1745  }
1746  else
1747  {
1748  /*
1749  * This should never happen, probably indicates some kind
1750  * of MTU mismatch.
1751  */
1752  msg(D_LINK_ERRORS, "tun packet too large on write (tried=%d,max=%d)",
1753  c->c2.to_tun.len,
1754  MAX_RW_SIZE_TUN(&c->c2.frame));
1755  }
1756 
1757  buf_reset(&c->c2.to_tun);
1758 
1759  perf_pop();
1760  gc_free(&gc);
1761 }
1762 
1763 void
1765 {
1766  /* make sure current time (now) is updated on function entry */
1767 
1768  /*
1769  * Start with an effectively infinite timeout, then let it
1770  * reduce to a timeout that reflects the component which
1771  * needs the earliest service.
1772  */
1773  c->c2.timeval.tv_sec = BIG_TIMEOUT;
1774  c->c2.timeval.tv_usec = 0;
1775 
1776 #if defined(_WIN32)
1778  {
1779  c->c2.timeval.tv_sec = 1;
1780  if (tuntap_defined(c->c1.tuntap))
1781  {
1782  tun_show_debug(c->c1.tuntap);
1783  }
1784  }
1785 #endif
1786 
1787  /* check coarse timers? */
1789  if (c->sig->signal_received)
1790  {
1791  return;
1792  }
1793 
1794  /* Does TLS need service? */
1795  check_tls(c);
1796 
1797  /* In certain cases, TLS errors will require a restart */
1798  check_tls_errors(c);
1799  if (c->sig->signal_received)
1800  {
1801  return;
1802  }
1803 
1804  /* check for incoming configuration info on the control channel */
1806 
1807 #ifdef ENABLE_OCC
1808  /* Should we send an OCC message? */
1809  check_send_occ_msg(c);
1810 #endif
1811 
1812 #ifdef ENABLE_FRAGMENT
1813  /* Should we deliver a datagram fragment to remote? */
1814  check_fragment(c);
1815 #endif
1816 
1817  /* Update random component of timeout */
1819 }
1820 
1821 /*
1822  * Wait for I/O events. Used for both TCP & UDP sockets
1823  * in point-to-point mode and for UDP sockets in
1824  * point-to-multipoint mode.
1825  */
1826 
1827 void
1828 io_wait_dowork(struct context *c, const unsigned int flags)
1829 {
1830  unsigned int socket = 0;
1831  unsigned int tuntap = 0;
1832  struct event_set_return esr[4];
1833 
1834  /* These shifts all depend on EVENT_READ and EVENT_WRITE */
1835  static int socket_shift = 0; /* depends on SOCKET_READ and SOCKET_WRITE */
1836  static int tun_shift = 2; /* depends on TUN_READ and TUN_WRITE */
1837  static int err_shift = 4; /* depends on ES_ERROR */
1838 #ifdef ENABLE_MANAGEMENT
1839  static int management_shift = 6; /* depends on MANAGEMENT_READ and MANAGEMENT_WRITE */
1840 #endif
1841 #ifdef ENABLE_ASYNC_PUSH
1842  static int file_shift = 8; /* listening inotify events */
1843 #endif
1844 
1845  /*
1846  * Decide what kind of events we want to wait for.
1847  */
1848  event_reset(c->c2.event_set);
1849 
1850  /*
1851  * On win32 we use the keyboard or an event object as a source
1852  * of asynchronous signals.
1853  */
1854  if (flags & IOW_WAIT_SIGNAL)
1855  {
1856  wait_signal(c->c2.event_set, (void *)&err_shift);
1857  }
1858 
1859  /*
1860  * If outgoing data (for TCP/UDP port) pending, wait for ready-to-send
1861  * status from TCP/UDP port. Otherwise, wait for incoming data on
1862  * TUN/TAP device.
1863  */
1864  if (flags & IOW_TO_LINK)
1865  {
1866  if (flags & IOW_SHAPER)
1867  {
1868  /*
1869  * If sending this packet would put us over our traffic shaping
1870  * quota, don't send -- instead compute the delay we must wait
1871  * until it will be OK to send the packet.
1872  */
1873 #ifdef ENABLE_FEATURE_SHAPER
1874  int delay = 0;
1875 
1876  /* set traffic shaping delay in microseconds */
1877  if (c->options.shaper)
1878  {
1879  delay = max_int(delay, shaper_delay(&c->c2.shaper));
1880  }
1881 
1882  if (delay < 1000)
1883  {
1884  socket |= EVENT_WRITE;
1885  }
1886  else
1887  {
1888  shaper_soonest_event(&c->c2.timeval, delay);
1889  }
1890 #else /* ENABLE_FEATURE_SHAPER */
1891  socket |= EVENT_WRITE;
1892 #endif /* ENABLE_FEATURE_SHAPER */
1893  }
1894  else
1895  {
1896  socket |= EVENT_WRITE;
1897  }
1898  }
1899  else if (!((flags & IOW_FRAG) && TO_LINK_FRAG(c)))
1900  {
1901  if (flags & IOW_READ_TUN)
1902  {
1903  tuntap |= EVENT_READ;
1904  }
1905  }
1906 
1907  /*
1908  * If outgoing data (for TUN/TAP device) pending, wait for ready-to-send status
1909  * from device. Otherwise, wait for incoming data on TCP/UDP port.
1910  */
1911  if (flags & IOW_TO_TUN)
1912  {
1913  tuntap |= EVENT_WRITE;
1914  }
1915  else
1916  {
1917  if (flags & IOW_READ_LINK)
1918  {
1919  socket |= EVENT_READ;
1920  }
1921  }
1922 
1923  /*
1924  * outgoing bcast buffer waiting to be sent?
1925  */
1926  if (flags & IOW_MBUF)
1927  {
1928  socket |= EVENT_WRITE;
1929  }
1930 
1931  /*
1932  * Force wait on TUN input, even if also waiting on TCP/UDP output
1933  */
1934  if (flags & IOW_READ_TUN_FORCE)
1935  {
1936  tuntap |= EVENT_READ;
1937  }
1938 
1939  /*
1940  * Configure event wait based on socket, tuntap flags.
1941  */
1942  socket_set(c->c2.link_socket, c->c2.event_set, socket, (void *)&socket_shift, NULL);
1943  tun_set(c->c1.tuntap, c->c2.event_set, tuntap, (void *)&tun_shift, NULL);
1944 
1945 #ifdef ENABLE_MANAGEMENT
1946  if (management)
1947  {
1948  management_socket_set(management, c->c2.event_set, (void *)&management_shift, NULL);
1949  }
1950 #endif
1951 
1952 #ifdef ENABLE_ASYNC_PUSH
1953  /* arm inotify watcher */
1954  if (c->options.mode == MODE_SERVER)
1955  {
1956  event_ctl(c->c2.event_set, c->c2.inotify_fd, EVENT_READ, (void *)&file_shift);
1957  }
1958 #endif
1959 
1960  /*
1961  * Possible scenarios:
1962  * (1) tcp/udp port has data available to read
1963  * (2) tcp/udp port is ready to accept more data to write
1964  * (3) tun dev has data available to read
1965  * (4) tun dev is ready to accept more data to write
1966  * (5) we received a signal (handler sets signal_received)
1967  * (6) timeout (tv) expired
1968  */
1969 
1971 
1972  if (!c->sig->signal_received)
1973  {
1974  if (!(flags & IOW_CHECK_RESIDUAL) || !socket_read_residual(c->c2.link_socket))
1975  {
1976  int status;
1977 
1978 #ifdef ENABLE_DEBUG
1980  {
1981  show_wait_status(c);
1982  }
1983 #endif
1984 
1985  /*
1986  * Wait for something to happen.
1987  */
1988  status = event_wait(c->c2.event_set, &c->c2.timeval, esr, SIZE(esr));
1989 
1990  check_status(status, "event_wait", NULL, NULL);
1991 
1992  if (status > 0)
1993  {
1994  int i;
1995  c->c2.event_set_status = 0;
1996  for (i = 0; i < status; ++i)
1997  {
1998  const struct event_set_return *e = &esr[i];
1999  c->c2.event_set_status |= ((e->rwflags & 3) << *((int *)e->arg));
2000  }
2001  }
2002  else if (status == 0)
2003  {
2005  }
2006  }
2007  else
2008  {
2010  }
2011  }
2012 
2013  /* 'now' should always be a reasonably up-to-date timestamp */
2014  update_time();
2015 
2016  /* set signal_received if a signal was received */
2017  if (c->c2.event_set_status & ES_ERROR)
2018  {
2020  }
2021 
2022  dmsg(D_EVENT_WAIT, "I/O WAIT status=0x%04x", c->c2.event_set_status);
2023 }
2024 
2025 void
2027 {
2028  const unsigned int status = c->c2.event_set_status;
2029 
2030 #ifdef ENABLE_MANAGEMENT
2031  if (status & (MANAGEMENT_READ|MANAGEMENT_WRITE))
2032  {
2033  ASSERT(management);
2035  }
2036 #endif
2037 
2038  /* TCP/UDP port ready to accept write */
2039  if (status & SOCKET_WRITE)
2040  {
2042  }
2043  /* TUN device ready to accept write */
2044  else if (status & TUN_WRITE)
2045  {
2047  }
2048  /* Incoming data on TCP/UDP port */
2049  else if (status & SOCKET_READ)
2050  {
2051  read_incoming_link(c);
2052  if (!IS_SIG(c))
2053  {
2055  }
2056  }
2057  /* Incoming data on TUN device */
2058  else if (status & TUN_READ)
2059  {
2060  read_incoming_tun(c);
2061  if (!IS_SIG(c))
2062  {
2064  }
2065  }
2066 }
struct env_set * es
Definition: openvpn.h:425
static void check_fragment(struct context *c)
Definition: forward.c:239
#define TLSMP_ACTIVE
Definition: ssl.h:228
void io_wait_dowork(struct context *c, const unsigned int flags)
Definition: forward.c:1828
static void link_socket_get_outgoing_addr(struct buffer *buf, const struct link_socket_info *info, struct link_socket_actual **act)
Definition: socket.h:962
void receive_auth_failed(struct context *c, const struct buffer *buffer)
Definition: push.c:51
#define ES_ERROR
Definition: openvpn.h:238
static void register_activity(struct context *c, const int size)
Definition: forward.h:316
counter_type tun_read_bytes
Definition: openvpn.h:279
void check_server_poll_timeout_dowork(struct context *c)
Definition: forward.c:573
struct buffer to_link
Definition: openvpn.h:382
static void context_reschedule_sec(struct context *c, int sec)
Definition: forward.c:293
#define ETT_DEFAULT
Definition: interval.h:213
Security parameter state for processing data channel packets.
Definition: crypto.h:232
bool log_rw
Definition: openvpn.h:385
uint32_t daddr
Definition: proto.h:105
struct event_timeout route_wakeup
Definition: openvpn.h:388
#define TO_LINK_FRAG(c)
Definition: forward.h:43
Definition: tun.h:131
struct client_nat_option_list * client_nat
Definition: options.h:351
static bool tuntap_abort(int status)
Definition: tun.h:422
struct buffer read_tun_buf
Definition: openvpn.h:109
struct event_timeout ping_rec_interval
Definition: openvpn.h:297
void check_tls_dowork(struct context *c)
Definition: forward.c:317
struct options options
Options loaded from command line or configuration file.
Definition: openvpn.h:500
#define BIG_TIMEOUT
Definition: common.h:50
struct event_timeout route_wakeup_expire
Definition: openvpn.h:389
#define D_ROUTE
Definition: errlevel.h:80
counter_type link_write_bytes
Definition: openvpn.h:283
struct interval tmp_int
Definition: openvpn.h:349
static bool buf_advance(struct buffer *buf, int size)
Definition: buffer.h:622
bool do_up(struct context *c, bool pulled_options, unsigned int option_types_found)
Definition: init.c:2056
int inetd
Definition: options.h:303
#define M_INFO
Definition: errlevel.h:55
Contains all state information for one tunnel.
Definition: openvpn.h:498
void tun_show_debug(struct tuntap *tt)
Definition: tun.c:6054
static void check_connection_established(struct context *c)
Definition: forward.c:146
in_addr_t dhcp_extract_router_msg(struct buffer *ipbuf)
Definition: dhcp.c:194
#define SIZE(x)
Definition: basic.h:30
static void link_socket_set_outgoing_addr(const struct buffer *buf, struct link_socket_info *info, const struct link_socket_actual *act, const char *common_name, struct env_set *es)
Definition: socket.h:983
static void check_timeout_random_component_dowork(struct context *c)
Definition: forward.c:863
bool tun_standby(struct tuntap *tt)
Definition: tun.c:5289
const char * print_link_socket_actual(const struct link_socket_actual *act, struct gc_arena *gc)
Definition: socket.c:2888
static void check_ping_restart(struct context *c)
Definition: ping.h:55
static void gc_free(struct gc_arena *a)
Definition: buffer.h:999
static bool check_debug_level(unsigned int level)
Definition: error.h:245
#define D_EVENT_WAIT
Definition: errlevel.h:156
void mss_fixup_ipv6(struct buffer *buf, int maxmss)
Definition: mss.c:86
void tls_post_encrypt(struct tls_multi *multi, struct buffer *buf)
Perform some accounting for the key state used.
Definition: ssl.c:3963
#define MTU_TO_MSS(mtu)
Definition: proto.h:217
#define PERF_PROC_OUT_LINK
Definition: perf.h:55
bool send_control_channel_string(struct context *c, const char *str, int msglevel)
Definition: forward.c:473
#define IOW_READ_LINK
Definition: forward.h:57
union openvpn_sockaddr::@8 addr
bool buf_assign(struct buffer *dest, const struct buffer *src)
Definition: buffer.c:173
static void check_timeout_random_component(struct context *c)
Definition: forward.c:874
#define CC_PRINT
Definition: buffer.h:891
struct buffer buf
Definition: openvpn.h:380
void process_ip_header(struct context *c, unsigned int flags, struct buffer *buf)
Definition: forward.c:1437
static bool buf_safe(const struct buffer *buf, int len)
Definition: buffer.h:524
bool status_trigger_tv(struct status_output *so, struct timeval *tv)
Definition: status.c:150
#define ASSERT(x)
Definition: error.h:221
static int tls_test_payload_len(const struct tls_multi *multi)
Definition: ssl.h:545
#define SIGUSR1
Definition: config-msvc.h:116
static void check_status_file(struct context *c)
Definition: forward.c:221
static int link_socket_read(struct link_socket *sock, struct buffer *buf, struct link_socket_actual *from)
Definition: socket.h:1051
struct context_buffers * buffers
Definition: openvpn.h:372
static void check_push_request(struct context *c)
Definition: forward.c:256
struct event_timeout wait_for_connect
Definition: openvpn.h:295
static bool is_occ_msg(const struct buffer *buf)
Definition: occ.h:86
static void check_tls_errors(struct context *c)
Definition: forward.c:99
int read_tun(struct tuntap *tt, uint8_t *buf, int len)
static void perf_pop(void)
Definition: perf.h:82
bool buf_printf(struct buffer *buf, const char *format,...)
Definition: buffer.c:243
void process_received_occ_msg(struct context *c)
Definition: occ.c:353
static void perf_push(int type)
Definition: perf.h:78
void tls_prepend_opcode_v2(const struct tls_multi *multi, struct buffer *buf)
Prepend an OpenVPN data channel P_DATA_V2 header to the packet.
Definition: ssl.c:3948
#define PERF_READ_IN_LINK
Definition: perf.h:51
void do_route(const struct options *options, struct route_list *route_list, struct route_ipv6_list *route_ipv6_list, const struct tuntap *tt, const struct plugin_list *plugins, struct env_set *es)
Definition: init.c:1609
static void event_timeout_clear(struct event_timeout *et)
Definition: interval.h:150
#define in_addr_t
Definition: config-msvc.h:104
static void process_coarse_timers(struct context *c)
Definition: forward.c:757
#define TUN_READ
Definition: openvpn.h:236
struct signal_info * sig
Internal error signaling object.
Definition: openvpn.h:523
static void interval_future_trigger(struct interval *top, interval_t wakeup)
Definition: interval.h:108
#define IOW_SHAPER
Definition: forward.h:58
struct frame frame_initial
Definition: openvpn.h:260
static bool fragment_outgoing_defined(struct fragment_master *f)
Check whether a fragment_master structure contains fragments ready to be sent.
Definition: fragment.h:448
void pre_select(struct context *c)
Definition: forward.c:1764
#define SOCKET_READ
Definition: openvpn.h:234
int max_recv_size_local
Definition: openvpn.h:318
#define SIGTERM
Definition: config-msvc.h:118
#define TLS_MODE(c)
Definition: openvpn.h:559
void check_status_file_dowork(struct context *c)
Definition: forward.c:614
static void get_signal(volatile int *sig)
Definition: sig.h:92
#define SIGHUP
Definition: config-msvc.h:114
struct tuntap * tuntap
Tun/tap virtual network interface.
Definition: openvpn.h:165
static int event_wait(struct event_set *es, const struct timeval *tv, struct event_set_return *out, int outlen)
Definition: event.h:125
bool test_routes(const struct route_list *rl, const struct tuntap *tt)
Definition: route.c:2629
void socks_process_incoming_udp(struct buffer *buf, struct link_socket_actual *from)
Definition: socks.c:556
bool allow_recursive_routing
Definition: options.h:614
bool fragment_ready_to_send(struct fragment_master *f, struct buffer *buf, const struct frame *frame)
Check whether outgoing fragments are ready to be send, and if so make one available.
Definition: fragment.c:381
#define IOW_TO_LINK
Definition: forward.h:55
void read_incoming_link(struct context *c)
Read a packet from the external network interface.
Definition: forward.c:933
static bool link_socket_verify_incoming_addr(struct buffer *buf, const struct link_socket_info *info, const struct link_socket_actual *from_addr)
Definition: socket.h:934
void * arg
Definition: event.h:80
static bool tuntap_defined(const struct tuntap *tt)
Definition: tun.h:198
static unsigned int tun_set(struct tuntap *tt, struct event_set *es, unsigned int rwflags, void *arg, unsigned int *persistent)
Definition: tun.h:513
static bool link_socket_connection_oriented(const struct link_socket *sock)
Definition: socket.h:618
#define openvpn_errno()
Definition: error.h:74
int ping_rec_timeout
Definition: options.h:260
#define D_LOW
Definition: errlevel.h:97
int context_auth
Definition: openvpn.h:456
static void check_packet_id_persist_flush(struct context *c)
Definition: forward.c:272
int write_tun(struct tuntap *tt, uint8_t *buf, int len)
#define ES_TIMEOUT
Definition: openvpn.h:239
static bool interval_test(struct interval *top)
Definition: interval.h:66
struct in6_addr daddr
Definition: proto.h:120
counter_type link_read_bytes_global
Definition: forward.c:50
void encrypt_sign(struct context *c, bool comp_frag)
Process a data channel packet that will be sent through a VPN tunnel.
Definition: forward.c:676
void fragment_outgoing(struct fragment_master *f, struct buffer *buf, const struct frame *frame)
Process an outgoing packet, which may or may not need to be fragmented.
Definition: fragment.c:326
bool is_hard_reset(int op, int key_method)
Given a key_method, return true if opcode represents the required form of hard_reset.
Definition: ssl.c:848
#define MODE_SERVER
Definition: options.h:186
bool send_push_request(struct context *c)
Definition: push.c:297
bool use_peer_id
Definition: ssl_common.h:555
void tls_pre_encrypt(struct tls_multi *multi, struct buffer *buf, struct crypto_options **opt)
Choose the appropriate security parameters with which to process an outgoing packet.
Definition: ssl.c:3882
struct event_timeout ping_send_interval
Definition: openvpn.h:296
#define D_PING
Definition: errlevel.h:140
#define D_LINK_RW
Definition: errlevel.h:112
#define PIP_MSSFIX
Definition: forward.h:290
#define FRAME_HEADROOM_ADJ(f, fm)
Definition: mtu.h:188
static void check_send_occ_load_test(struct context *c)
Definition: occ.h:128
struct sockaddr_in6 in6
Definition: socket.h:70
list flags
int len
Length in bytes of the actual content within the allocated memory.
Definition: buffer.h:66
time_t explicit_exit_notification_time_wait
Definition: openvpn.h:420
#define PIPV4_CLIENT_NAT
Definition: forward.h:293
void link_socket_bad_incoming_addr(struct buffer *buf, const struct link_socket_info *info, const struct link_socket_actual *from_addr)
Definition: socket.c:2487
struct context_1 c1
Level 1 context.
Definition: openvpn.h:536
static void tls_set_single_session(struct tls_multi *multi)
Definition: ssl.h:559
#define IOW_TO_TUN
Definition: forward.h:54
#define PIPV4_PASSTOS
Definition: forward.h:289
struct context_persist persist
Persistent context.
Definition: openvpn.h:533
struct buffer decrypt_buf
Definition: openvpn.h:96
struct event_timeout inactivity_interval
Definition: openvpn.h:300
#define D_INTERVAL
Definition: errlevel.h:152
#define BPTR(buf)
Definition: buffer.h:124
struct frame frame_fragment
Definition: openvpn.h:265
static struct link_socket_info * get_link_socket_info(struct context *c)
Definition: forward.h:303
#define PIPV4_OUTGOING
Definition: forward.h:291
static void fragment_housekeeping(struct fragment_master *f, struct frame *frame, struct timeval *tv)
Perform housekeeping of a fragment_master structure.
Definition: fragment.h:475
void tls_prepend_opcode_v1(const struct tls_multi *multi, struct buffer *buf)
Prepend a one-byte OpenVPN data channel P_DATA_V1 opcode to the packet.
Definition: ssl.c:3934
const char * tv_string(const struct timeval *tv, struct gc_arena *gc)
Definition: otime.c:88
static void event_timeout_reset(struct event_timeout *et)
Definition: interval.h:174
counter_type tun_write_bytes
Definition: openvpn.h:280
bool event_timeout_trigger(struct event_timeout *et, struct timeval *tv, const int et_const_retry)
Definition: interval.c:45
int proto
Definition: options.h:88
#define IOW_READ_TUN_FORCE
Definition: forward.h:62
void client_nat_transform(const struct client_nat_option_list *list, struct buffer *ipbuf, const int direction)
Definition: clinat.c:195
counter_type link_read_bytes
Definition: openvpn.h:281
static void process_incoming_link(struct context *c)
Definition: forward.c:1225
int mode
Definition: options.h:187
static void check_coarse_timers(struct context *c)
Definition: forward.c:849
#define PROTO_DUMP(buf, gc)
Definition: openvpn.h:561
static struct gc_arena gc_new(void)
Definition: buffer.h:991
void show_wait_status(struct context *c)
time_t now
Definition: otime.c:36
struct link_socket_actual * to_link_addr
Definition: openvpn.h:255
void buf_null_terminate(struct buffer *buf)
Definition: buffer.c:547
static void interval_action(struct interval *top)
Definition: interval.h:124
struct route_list * route_list
List of routing information.
Definition: openvpn.h:170
#define IOW_MBUF
Definition: forward.h:61
void management_socket_set(struct management *man, struct event_set *es, void *arg, unsigned int *persistent)
Definition: manage.c:3018
void process_explicit_exit_notification_timer_wakeup(struct context *c)
Definition: sig.c:348
void check_add_routes_dowork(struct context *c)
Definition: forward.c:519
int get_server_poll_remaining_time(struct event_timeout *server_poll_timeout)
Definition: forward.c:564
static void management_bytes_in(struct management *man, const int size)
Definition: manage.h:565
#define FRAME_HEADROOM(f)
Definition: mtu.h:187
static bool event_timeout_defined(const struct event_timeout *et)
Definition: interval.h:144
int mssfix
Definition: options.h:118
struct frame frame
Definition: openvpn.h:259
int n_hard_errors
Definition: ssl_common.h:525
static bool tls_initial_packet_received(const struct tls_multi *multi)
Definition: ssl.h:528
struct timeval timeval
Definition: openvpn.h:399
struct sockaddr_in in4
Definition: socket.h:69
static void check_inactivity_timeout(struct context *c)
Definition: forward.c:174
static int write_tun_buffered(struct tuntap *tt, struct buffer *buf)
Definition: tun.h:466
interval_t n
Definition: interval.h:139
#define D_TAP_WIN_DEBUG
Definition: errlevel.h:114
static bool link_socket_actual_defined(const struct link_socket_actual *act)
Definition: socket.h:696
static void buffer_turnover(const uint8_t *orig_buf, struct buffer *dest_stub, struct buffer *src_stub, struct buffer *storage)
Definition: forward.c:657
static int link_socket_write(struct link_socket *sock, struct buffer *buf, struct link_socket_actual *to)
Definition: socket.h:1165
#define IOW_FRAG
Definition: forward.h:60
static void tv_add(struct timeval *dest, const struct timeval *src)
Definition: otime.h:165
static SERVICE_STATUS status
Definition: automatic.c:43
#define D_SCHED_EXIT
Definition: errlevel.h:89
static void event_reset(struct event_set *es)
Definition: event.h:107
static int get_tun_ip_ver(int tunnel_type, struct buffer *buf, int *ip_hdr_offset)
Definition: proto.h:225
#define EXPANDED_SIZE(f)
Definition: mtu.h:172
#define PERF_PROC_IN_TUN
Definition: perf.h:54
struct event_timeout scheduled_exit
Definition: openvpn.h:468
static void event_ctl(struct event_set *es, event_t event, unsigned int rwflags, void *arg)
Definition: event.h:119
const char * sanitize_control_message(const char *src, struct gc_arena *gc)
Definition: misc.c:610
static void check_scheduled_exit(struct context *c)
Definition: forward.c:203
void process_outgoing_link(struct context *c)
Write a packet to the external network interface.
Definition: forward.c:1522
int n_soft_errors
Definition: ssl_common.h:526
void route_list_add_vpn_gateway(struct route_list *rl, struct env_set *es, const in_addr_t addr)
Definition: route.c:536
int restart_sleep_seconds
Definition: openvpn.h:117
unsigned int counter_type
Definition: common.h:38
struct link_socket * link_socket
Definition: openvpn.h:250
static bool socket_connection_reset(const struct link_socket *sock, int status)
Definition: socket.h:912
void process_io(struct context *c)
Definition: forward.c:2026
#define CN_OUTGOING
Definition: clinat.h:31
void initialization_sequence_completed(struct context *c, const unsigned int flags)
Definition: init.c:1490
const char * socket_stat(const struct link_socket *s, unsigned int rwflags, struct gc_arena *gc)
Definition: socket.c:2590
void check_fragment_dowork(struct context *c)
Definition: forward.c:627
void reset_coarse_timers(struct context *c)
Definition: init.c:1282
counter_type link_write_bytes_global
Definition: forward.c:51
Interface functions to the internal and external multiplexers.
#define IS_SIG(c)
Definition: sig.h:50
int ping_send_timeout
Definition: options.h:259
void incoming_push_message(struct context *c, const struct buffer *buffer)
Definition: push.c:240
static int read_tun_buffered(struct tuntap *tt, struct buffer *buf, int maxsize)
Definition: tun.h:460
bool tls_rec_payload(struct tls_multi *multi, struct buffer *buf)
Definition: ssl.c:4022
struct connection_entry ce
Definition: options.h:208
#define D_TUN_RW
Definition: errlevel.h:113
static void check_tls(struct context *c)
Definition: forward.c:84
struct route_ipv6_list * route_ipv6_list
Definition: openvpn.h:175
struct context_2 c2
Level 2 context.
Definition: openvpn.h:537
uint8_t * data
Pointer to the allocated memory.
Definition: buffer.h:68
#define dmsg
Definition: error.h:174
void read_incoming_tun(struct context *c)
Read a packet from the virtual tun/tap network interface.
Definition: forward.c:1243
#define MANAGEMENT_WRITE
Definition: openvpn.h:242
void print_status(const struct context *c, struct status_output *so)
Definition: sig.c:292
#define TUN_MTU_SIZE_DYNAMIC(f)
Definition: mtu.h:157
void check_push_request_dowork(struct context *c)
Definition: forward.c:416
void openvpn_encrypt(struct buffer *buf, struct buffer work, struct crypto_options *opt)
Encrypt and HMAC sign a packet so that it can be sent as a data channel VPN tunnel packet to a remote...
Definition: crypto.c:303
#define IOW_WAIT_SIGNAL
Definition: forward.h:63
int socks_process_outgoing_udp(struct buffer *buf, const struct link_socket_actual *to)
Definition: socks.c:595
#define EVENT_READ
Definition: event.h:36
int inactivity_timeout
Definition: options.h:256
time_t update_timeout_random_component
Definition: openvpn.h:406
#define BLEN(buf)
Definition: buffer.h:127
static void check_send_occ_req(struct context *c)
Definition: occ.h:113
#define ISC_ERRORS
Definition: init.h:116
#define CN_INCOMING
Definition: clinat.h:32
const char * tun_stat(const struct tuntap *tt, unsigned int rwflags, struct gc_arena *gc)
Definition: tun.c:516
bool shaper_soonest_event(struct timeval *tv, int delay)
Definition: shaper.c:41
#define P_OPCODE_SHIFT
Definition: ssl.h:51
void show_adapters(int msglev)
Definition: tun.c:4613
struct event_set * event_set
Definition: openvpn.h:229
struct event_timeout packet_id_persist_interval
Definition: openvpn.h:360
struct buffer read_link_buf
Definition: openvpn.h:108
bool openvpn_decrypt(struct buffer *buf, struct buffer work, struct crypto_options *opt, const struct frame *frame, const uint8_t *ad_start)
HMAC verify and decrypt a data channel packet received from a remote OpenVPN peer.
Definition: crypto.c:672
static int max_int(int x, int y)
Definition: integer.h:34
struct event_timeout push_request_interval
Definition: openvpn.h:459
#define CAS_SUCCEEDED
Definition: openvpn.h:451
__int64 int64_t
Definition: config-msvc.h:124
#define TLSMP_KILL
Definition: ssl.h:229
unsigned __int8 uint8_t
Definition: config-msvc.h:123
static void check_send_occ_msg(struct context *c)
Definition: occ.h:143
#define MODE_POINT_TO_POINT
Definition: options.h:185
static void event_timeout_modify_wakeup(struct event_timeout *et, interval_t n)
Definition: interval.h:183
bool tls_pre_decrypt(struct tls_multi *multi, const struct link_socket_actual *from, struct buffer *buf, struct crypto_options **opt, bool floated, const uint8_t **ad_start)
Determine whether an incoming packet is a data channel or control channel packet, and process accordi...
Definition: ssl.c:3307
bool string_mod(char *str, const unsigned int inclusive, const unsigned int exclusive, const char replace)
Definition: buffer.c:1056
static void drop_if_recursive_routing(struct context *c, struct buffer *buf)
Drops UDP packets which OS decided to route via tun.
Definition: forward.c:1303
int scheduled_exit_signal
Definition: openvpn.h:469
#define PERF_READ_IN_TUN
Definition: perf.h:53
#define CONNECTION_ESTABLISHED(c)
Definition: forward.h:378
unsigned int socket_set(struct link_socket *s, struct event_set *es, unsigned int rwflags, void *arg, unsigned int *persistent)
Definition: socket.c:3927
volatile int signal_received
Definition: sig.h:45
bool is_ipv6(int tunnel_type, struct buffer *buf)
Definition: proto.c:96
#define PUSH_REQUEST_INTERVAL
Definition: common.h:89
static void interval_schedule_wakeup(struct interval *top, interval_t *wakeup)
Definition: interval.h:94
void check_scheduled_exit_dowork(struct context *c)
Definition: forward.c:603
static bool is_ping_msg(const struct buffer *buf)
Definition: ping.h:41
#define IN6_ARE_ADDR_EQUAL(a, b)
Definition: win32.h:45
void register_signal(struct context *c, int sig, const char *text)
Definition: sig.c:460
void check_incoming_control_channel_dowork(struct context *c)
Definition: forward.c:367
#define MANAGEMENT_READ
Definition: openvpn.h:241
#define OPENVPN_STATE_GET_CONFIG
Definition: manage.h:493
#define M_NOPREFIX
Definition: error.h:102
#define msg
Definition: error.h:173
struct timeval timeout_random_component
Definition: openvpn.h:407
int connect_timeout
Definition: options.h:101
static void check_ping_send(struct context *c)
Definition: ping.h:74
Wrapper structure for dynamically allocated memory.
Definition: buffer.h:60
void show_routes(int msglev)
Definition: route.c:3145
struct event_timeout explicit_exit_notification_interval
Definition: openvpn.h:421
void server_pushed_signal(struct context *c, const struct buffer *buffer, const bool restart, const int adv)
Definition: push.c:107
void frame_adjust_path_mtu(struct frame *frame, int pmtu, int proto)
Definition: socket.c:1666
#define buf_init(buf, offset)
Definition: buffer.h:196
bool tls_send_payload(struct tls_multi *multi, const uint8_t *data, int size)
Definition: ssl.c:3983
struct fragment_master * fragment
Definition: openvpn.h:264
#define IOW_CHECK_RESIDUAL
Definition: forward.h:59
void check_tls_errors_co(struct context *c)
Definition: forward.c:348
struct status_output * status_output
Definition: openvpn.h:178
struct plugin_list * plugins
List of plug-ins.
Definition: openvpn.h:525
struct packet_id_persist pid_persist
Definition: openvpn.h:163
void management_io(struct management *man)
Definition: manage.c:3058
static void management_bytes_out(struct management *man, const int size)
Definition: manage.h:556
#define MAX_RW_SIZE_TUN(f)
Definition: mtu.h:180
void management_set_state(struct management *man, const int state, const char *detail, const in_addr_t *tun_local_ip, const struct in6_addr *tun_local_ip6, const struct openvpn_sockaddr *local, const struct openvpn_sockaddr *remote)
Definition: manage.c:2663
bool is_ipv4(int tunnel_type, struct buffer *buf)
Definition: proto.c:91
struct event_timeout server_poll_interval
Definition: openvpn.h:411
static void wait_signal(struct event_set *es, void *arg)
Definition: event.h:144
#define TUN_WRITE
Definition: openvpn.h:237
static void check_add_routes_action(struct context *c, const bool errors)
Definition: forward.c:508
#define FRAME_HEADROOM_MARKER_READ_LINK
Definition: mtu.h:131
const char * tls_common_name(const struct tls_multi *multi, const bool null)
Returns the common name field for the given tunnel.
Definition: ssl_verify.c:161
struct buffer alloc_buf_gc(size_t size, struct gc_arena *gc)
Definition: buffer.c:88
#define PERF_PROC_IN_LINK
Definition: perf.h:52
static void check_add_routes(struct context *c)
Definition: forward.c:160
static void buf_reset(struct buffer *buf)
Definition: buffer.h:290
#define EVENT_WRITE
Definition: event.h:37
#define PIPV4_EXTRACT_DHCP_ROUTER
Definition: forward.h:292
#define SOCKET_WRITE
Definition: openvpn.h:235
#define TUNNEL_TYPE(tt)
Definition: tun.h:133
static bool socket_read_residual(const struct link_socket *s)
Definition: socket.h:1220
void check_connection_established_dowork(struct context *c)
Definition: forward.c:430
Garbage collection arena used to keep track of dynamically allocated memory.
Definition: buffer.h:116
#define IOW_READ_TUN
Definition: forward.h:56
static bool packet_id_persist_enabled(const struct packet_id_persist *p)
Definition: packet_id.h:281
int original_recv_size
Definition: openvpn.h:317
int interval_t
Definition: common.h:45
void process_incoming_link_part2(struct context *c, struct link_socket_info *lsi, const uint8_t *orig_buf)
Continues processing a packet read from the external network interface.
Definition: forward.c:1140
void management_sleep(const int n)
A sleep function that services the management layer for n seconds rather than doing nothing...
Definition: manage.c:3995
#define PERF_PROC_OUT_TUN
Definition: perf.h:56
struct link_socket_actual from
Definition: openvpn.h:256
static void socks_postprocess_incoming_link(struct context *c)
Definition: forward.c:892
#define D_STREAM_ERRORS
Definition: errlevel.h:63
bool pull
Definition: options.h:464
#define BSTR(buf)
Definition: buffer.h:129
long int get_random(void)
Definition: crypto.c:1761
void fragment_incoming(struct fragment_master *f, struct buffer *buf, const struct frame *frame)
Process an incoming packet, which may or may not be fragmented.
Definition: fragment.c:141
static void check_incoming_control_channel(struct context *c)
Definition: forward.c:129
static void socks_preprocess_outgoing_link(struct context *c, struct link_socket_actual **to_addr, int *size_delta)
Definition: forward.c:901
bool process_incoming_link_part1(struct context *c, struct link_socket_info *lsi, bool floated)
Starts processing a packet read from the external network interface.
Definition: forward.c:1001
static interval_t event_timeout_remaining(struct event_timeout *et)
Definition: interval.h:197
static int datagram_overhead(int proto)
Definition: socket.h:601
void check_inactivity_timeout_dowork(struct context *c)
Definition: forward.c:557
void packet_id_persist_save(struct packet_id_persist *p)
Definition: packet_id.c:482
char * actual_name
Definition: tun.h:146
const char * proto2ascii(int proto, sa_family_t af, bool display_form)
Definition: socket.c:3218
struct buffer to_tun
Definition: openvpn.h:381
void check_tls_errors_nco(struct context *c)
Definition: forward.c:355
static void update_time(void)
Definition: otime.h:93
static bool tuntap_stop(int status)
Definition: tun.h:408
#define CC_CRLF
Definition: buffer.h:920
static void link_socket_write_post_size_adjust(int *size, int size_delta, struct buffer *buf)
Definition: forward.c:914
struct sockaddr sa
Definition: socket.h:68
unsigned int event_set_status
Definition: openvpn.h:248
struct tls_multi * tls_multi
TLS state structure for this VPN tunnel.
Definition: openvpn.h:334
void mss_fixup_ipv4(struct buffer *buf, int maxmss)
Definition: mss.c:46
static void context_immediate_reschedule(struct context *c)
Definition: forward.c:286
struct buffer encrypt_buf
Definition: openvpn.h:95
void process_incoming_tun(struct context *c)
Process a packet read from the virtual tun/tap network interface.
Definition: forward.c:1384
unsigned int rwflags
Definition: event.h:79
int max_send_size_local
Definition: openvpn.h:320
void schedule_exit(struct context *c, const int n_seconds, const int signal)
Definition: forward.c:589
static void check_status(int status, const char *description, struct link_socket *sock, struct tuntap *tt)
Definition: error.h:302
struct crypto_options crypto_options
Security parameters and crypto state used by the Data Channel Crypto module to process data channel p...
Definition: openvpn.h:354
bool buf_string_match_head_str(const struct buffer *src, const char *match)
Definition: buffer.c:793
const char * wait_status_string(struct context *c, struct gc_arena *gc)
static void event_timeout_init(struct event_timeout *et, interval_t n, const time_t local_now)
Definition: interval.h:166
void process_outgoing_tun(struct context *c)
Write a packet to the virtual tun/tap network interface.
Definition: forward.c:1673
int key_method
Definition: options.h:549
int tls_exit_signal
Definition: openvpn.h:352
#define D_LINK_ERRORS
Definition: errlevel.h:57
time_t coarse_timer_wakeup
Definition: openvpn.h:402
#define PASSTOS_CAPABILITY
Definition: syshead.h:406
static void check_coarse_timers_dowork(struct context *c)
Definition: forward.c:831
bool route_gateway_via_dhcp
Definition: options.h:349
static void check_server_poll_timeout(struct context *c)
Definition: forward.c:188
counter_type link_read_bytes_auth
Definition: openvpn.h:282
int tls_multi_process(struct tls_multi *multi, struct buffer *to_link, struct link_socket_actual **to_link_addr, struct link_socket_info *to_link_socket_info, interval_t *wakeup)
Definition: ssl.c:3112
#define D_PUSH_ERRORS
Definition: errlevel.h:67