OpenVPN
forward.c
Go to the documentation of this file.
1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single TCP/UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
9  *
10  * This program is free software; you can redistribute it and/or modify
11  * it under the terms of the GNU General Public License version 2
12  * as published by the Free Software Foundation.
13  *
14  * This program is distributed in the hope that it will be useful,
15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17  * GNU General Public License for more details.
18  *
19  * You should have received a copy of the GNU General Public License along
20  * with this program; if not, write to the Free Software Foundation, Inc.,
21  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22  */
23 
24 #ifdef HAVE_CONFIG_H
25 #include "config.h"
26 #elif defined(_MSC_VER)
27 #include "config-msvc.h"
28 #endif
29 
30 #include "syshead.h"
31 
32 #include "forward.h"
33 #include "init.h"
34 #include "push.h"
35 #include "gremlin.h"
36 #include "mss.h"
37 #include "event.h"
38 #include "occ.h"
39 #include "pf.h"
40 #include "ping.h"
41 #include "ps.h"
42 #include "dhcp.h"
43 #include "common.h"
44 #include "ssl_verify.h"
45 
46 #include "memdbg.h"
47 
48 #include "mstats.h"
49 
52 
53 /* show event wait debugging info */
54 
55 #ifdef ENABLE_DEBUG
56 
57 const char *
58 wait_status_string(struct context *c, struct gc_arena *gc)
59 {
60  struct buffer out = alloc_buf_gc(64, gc);
61  buf_printf(&out, "I/O WAIT %s|%s|%s|%s %s",
62  tun_stat(c->c1.tuntap, EVENT_READ, gc),
63  tun_stat(c->c1.tuntap, EVENT_WRITE, gc),
66  tv_string(&c->c2.timeval, gc));
67  return BSTR(&out);
68 }
69 
70 void
71 show_wait_status(struct context *c)
72 {
73  struct gc_arena gc = gc_new();
74  dmsg(D_EVENT_WAIT, "%s", wait_status_string(c, &gc));
75  gc_free(&gc);
76 }
77 
78 #endif /* ifdef ENABLE_DEBUG */
79 
80 /*
81  * Does TLS session need service?
82  */
83 static inline void
84 check_tls(struct context *c)
85 {
86  void check_tls_dowork(struct context *c);
87 
88  if (c->c2.tls_multi)
89  {
91  }
92 }
93 
94 /*
95  * TLS errors are fatal in TCP mode.
96  * Also check for --tls-exit trigger.
97  */
98 static inline void
100 {
101  void check_tls_errors_co(struct context *c);
102 
103  void check_tls_errors_nco(struct context *c);
104 
105  if (c->c2.tls_multi && c->c2.tls_exit_signal)
106  {
108  {
109  if (c->c2.tls_multi->n_soft_errors)
110  {
112  }
113  }
114  else
115  {
116  if (c->c2.tls_multi->n_hard_errors)
117  {
119  }
120  }
121  }
122 }
123 
124 /*
125  * Check for possible incoming configuration
126  * messages on the control channel.
127  */
128 static inline void
130 {
131 #if P2MP
133 
134  if (tls_test_payload_len(c->c2.tls_multi) > 0)
135  {
137  }
138 #endif
139 }
140 
141 /*
142  * Options like --up-delay need to be triggered by this function which
143  * checks for connection establishment.
144  */
145 static inline void
147 {
149 
151  {
153  }
154 }
155 
156 /*
157  * Should we add routes?
158  */
159 static inline void
161 {
162  void check_add_routes_dowork(struct context *c);
163 
165  {
167  }
168 }
169 
170 /*
171  * Should we exit due to inactivity timeout?
172  */
173 static inline void
175 {
177 
180  {
182  }
183 }
184 
185 #if P2MP
186 
187 static inline void
189 {
191 
192  if (c->options.ce.connect_timeout
194  {
196  }
197 }
198 
199 /*
200  * Scheduled exit?
201  */
202 static inline void
204 {
205  void check_scheduled_exit_dowork(struct context *c);
206 
208  {
210  {
212  }
213  }
214 }
215 #endif /* if P2MP */
216 
217 /*
218  * Should we write timer-triggered status file.
219  */
220 static inline void
222 {
223  void check_status_file_dowork(struct context *c);
224 
225  if (c->c1.status_output)
226  {
228  {
230  }
231  }
232 }
233 
234 #ifdef ENABLE_FRAGMENT
235 /*
236  * Should we deliver a datagram fragment to remote?
237  */
238 static inline void
240 {
241  void check_fragment_dowork(struct context *c);
242 
243  if (c->c2.fragment)
244  {
246  }
247 }
248 #endif
249 
250 #if P2MP
251 
252 /*
253  * see if we should send a push_request in response to --pull
254  */
255 static inline void
257 {
258  void check_push_request_dowork(struct context *c);
259 
261  {
263  }
264 }
265 
266 #endif
267 
268 /*
269  * Should we persist our anti-replay packet ID state to disk?
270  */
271 static inline void
273 {
276  {
278  }
279 }
280 
281 /*
282  * Set our wakeup to 0 seconds, so we will be rescheduled
283  * immediately.
284  */
285 static inline void
287 {
288  c->c2.timeval.tv_sec = 0; /* ZERO-TIMEOUT */
289  c->c2.timeval.tv_usec = 0;
290 }
291 
292 static inline void
293 context_reschedule_sec(struct context *c, int sec)
294 {
295  if (sec < 0)
296  {
297  sec = 0;
298  }
299  if (sec < c->c2.timeval.tv_sec)
300  {
301  c->c2.timeval.tv_sec = sec;
302  c->c2.timeval.tv_usec = 0;
303  }
304 }
305 
306 /*
307  * In TLS mode, let TLS level respond to any control-channel
308  * packets which were received, or prepare any packets for
309  * transmission.
310  *
311  * tmp_int is purely an optimization that allows us to call
312  * tls_multi_process less frequently when there's not much
313  * traffic on the control-channel.
314  *
315  */
316 void
318 {
319  interval_t wakeup = BIG_TIMEOUT;
320 
321  if (interval_test(&c->c2.tmp_int))
322  {
323  const int tmp_status = tls_multi_process
324  (c->c2.tls_multi, &c->c2.to_link, &c->c2.to_link_addr,
325  get_link_socket_info(c), &wakeup);
326  if (tmp_status == TLSMP_ACTIVE)
327  {
328  update_time();
330  }
331  else if (tmp_status == TLSMP_KILL)
332  {
333  register_signal(c, SIGTERM, "auth-control-exit");
334  }
335 
336  interval_future_trigger(&c->c2.tmp_int, wakeup);
337  }
338 
339  interval_schedule_wakeup(&c->c2.tmp_int, &wakeup);
340 
341  if (wakeup)
342  {
343  context_reschedule_sec(c, wakeup);
344  }
345 }
346 
347 void
349 {
350  msg(D_STREAM_ERRORS, "Fatal TLS error (check_tls_errors_co), restarting");
351  register_signal(c, c->c2.tls_exit_signal, "tls-error"); /* SOFT-SIGUSR1 -- TLS error */
352 }
353 
354 void
356 {
357  register_signal(c, c->c2.tls_exit_signal, "tls-error"); /* SOFT-SIGUSR1 -- TLS error */
358 }
359 
360 #if P2MP
361 
362 /*
363  * Handle incoming configuration
364  * messages on the control channel.
365  */
366 void
368 {
369  const int len = tls_test_payload_len(c->c2.tls_multi);
370  if (len)
371  {
372  struct gc_arena gc = gc_new();
373  struct buffer buf = alloc_buf_gc(len, &gc);
374  if (tls_rec_payload(c->c2.tls_multi, &buf))
375  {
376  /* force null termination of message */
377  buf_null_terminate(&buf);
378 
379  /* enforce character class restrictions */
380  string_mod(BSTR(&buf), CC_PRINT, CC_CRLF, 0);
381 
382  if (buf_string_match_head_str(&buf, "AUTH_FAILED"))
383  {
384  receive_auth_failed(c, &buf);
385  }
386  else if (buf_string_match_head_str(&buf, "PUSH_"))
387  {
388  incoming_push_message(c, &buf);
389  }
390  else if (buf_string_match_head_str(&buf, "RESTART"))
391  {
392  server_pushed_signal(c, &buf, true, 7);
393  }
394  else if (buf_string_match_head_str(&buf, "HALT"))
395  {
396  server_pushed_signal(c, &buf, false, 4);
397  }
398  else
399  {
400  msg(D_PUSH_ERRORS, "WARNING: Received unknown control message: %s", BSTR(&buf));
401  }
402  }
403  else
404  {
405  msg(D_PUSH_ERRORS, "WARNING: Receive control message failed");
406  }
407 
408  gc_free(&gc);
409  }
410 }
411 
412 /*
413  * Periodically resend PUSH_REQUEST until PUSH message received
414  */
415 void
417 {
419 
420  /* if no response to first push_request, retry at PUSH_REQUEST_INTERVAL second intervals */
422 }
423 
424 #endif /* P2MP */
425 
426 /*
427  * Things that need to happen immediately after connection initiation should go here.
428  */
429 void
431 {
433  {
434  if (CONNECTION_ESTABLISHED(c))
435  {
436 #if P2MP
437  /* if --pull was specified, send a push request to server */
438  if (c->c2.tls_multi && c->options.pull)
439  {
440 #ifdef ENABLE_MANAGEMENT
441  if (management)
442  {
445  NULL,
446  NULL,
447  NULL,
448  NULL,
449  NULL);
450  }
451 #endif
452  /* fire up push request right away (already 1s delayed) */
455  }
456  else
457 #endif /* if P2MP */
458  {
459  do_up(c, false, 0);
460  }
461 
463  }
464  }
465 }
466 
467 bool
469  const char *str, int msglevel)
470 {
471  struct gc_arena gc = gc_new();
472  bool stat;
473 
474  /* buffered cleartext write onto TLS control channel */
475  stat = tls_send_payload(multi, (uint8_t *) str, strlen(str) + 1);
476 
477  msg(msglevel, "SENT CONTROL [%s]: '%s' (status=%d)",
478  tls_common_name(multi, false),
479  sanitize_control_message(str, &gc),
480  (int) stat);
481 
482  gc_free(&gc);
483  return stat;
484 }
485 
486 bool
487 send_control_channel_string(struct context *c, const char *str, int msglevel)
488 {
489  if (c->c2.tls_multi)
490  {
492  str, msglevel);
493  /*
494  * Reschedule tls_multi_process.
495  * NOTE: in multi-client mode, usually the below two statements are
496  * insufficient to reschedule the client instance object unless
497  * multi_schedule_context_wakeup(m, mi) is also called.
498  */
499 
501  context_immediate_reschedule(c); /* ZERO-TIMEOUT */
502  return ret;
503  }
504  return true;
505 }
506 /*
507  * Add routes.
508  */
509 
510 static void
511 check_add_routes_action(struct context *c, const bool errors)
512 {
514  c->c1.tuntap, c->plugins, c->c2.es);
515  update_time();
518  initialization_sequence_completed(c, errors ? ISC_ERRORS : 0); /* client/p2p --route-delay was defined */
519 }
520 
521 void
523 {
524  if (test_routes(c->c1.route_list, c->c1.tuntap))
525  {
526  check_add_routes_action(c, false);
527  }
529  {
530  check_add_routes_action(c, true);
531  }
532  else
533  {
534  msg(D_ROUTE, "Route: Waiting for TUN/TAP interface to come up...");
535  if (c->c1.tuntap)
536  {
537  if (!tun_standby(c->c1.tuntap))
538  {
539  register_signal(c, SIGHUP, "ip-fail");
541 #ifdef _WIN32
544 #endif
545  }
546  }
547  update_time();
548  if (c->c2.route_wakeup.n != 1)
549  {
551  }
553  }
554 }
555 
556 /*
557  * Should we exit due to inactivity timeout?
558  */
559 void
561 {
562  msg(M_INFO, "Inactivity timeout (--inactive), exiting");
563  register_signal(c, SIGTERM, "inactive");
564 }
565 
566 int
567 get_server_poll_remaining_time(struct event_timeout *server_poll_timeout)
568 {
569  update_time();
570  int remaining = event_timeout_remaining(server_poll_timeout);
571  return max_int(0, remaining);
572 }
573 #if P2MP
574 
575 void
577 {
579  ASSERT(c->c2.tls_multi);
581  {
582  msg(M_INFO, "Server poll timeout, restarting");
583  register_signal(c, SIGUSR1, "server_poll");
585  }
586 }
587 
588 /*
589  * Schedule a signal n_seconds from now.
590  */
591 void
592 schedule_exit(struct context *c, const int n_seconds, const int signal)
593 {
595  update_time();
597  event_timeout_init(&c->c2.scheduled_exit, n_seconds, now);
598  c->c2.scheduled_exit_signal = signal;
599  msg(D_SCHED_EXIT, "Delayed exit in %d seconds", n_seconds);
600 }
601 
602 /*
603  * Scheduled exit?
604  */
605 void
607 {
608  register_signal(c, c->c2.scheduled_exit_signal, "delayed-exit");
609 }
610 
611 #endif /* if P2MP */
612 
613 /*
614  * Should we write timer-triggered status file.
615  */
616 void
618 {
619  if (c->c1.status_output)
620  {
622  }
623 }
624 
625 #ifdef ENABLE_FRAGMENT
626 /*
627  * Should we deliver a datagram fragment to remote?
628  */
629 void
631 {
632  struct link_socket_info *lsi = get_link_socket_info(c);
633 
634  /* OS MTU Hint? */
635  if (lsi->mtu_changed)
636  {
638  c->options.ce.proto);
639  lsi->mtu_changed = false;
640  }
641 
643  {
644  if (!c->c2.to_link.len)
645  {
646  /* encrypt a fragment for output to TCP/UDP port */
648  encrypt_sign(c, false);
649  }
650  }
651 
653 }
654 #endif /* ifdef ENABLE_FRAGMENT */
655 
656 /*
657  * Buffer reallocation, for use with null encryption.
658  */
659 static inline void
660 buffer_turnover(const uint8_t *orig_buf, struct buffer *dest_stub, struct buffer *src_stub, struct buffer *storage)
661 {
662  if (orig_buf == src_stub->data && src_stub->data != storage->data)
663  {
664  buf_assign(storage, src_stub);
665  *dest_stub = *storage;
666  }
667  else
668  {
669  *dest_stub = *src_stub;
670  }
671 }
672 
673 /*
674  * Compress, fragment, encrypt and HMAC-sign an outgoing packet.
675  * Input: c->c2.buf
676  * Output: c->c2.to_link
677  */
678 void
679 encrypt_sign(struct context *c, bool comp_frag)
680 {
681  struct context_buffers *b = c->c2.buffers;
682  const uint8_t *orig_buf = c->c2.buf.data;
683  struct crypto_options *co = NULL;
684 
685 #if P2MP_SERVER
686  /*
687  * Drop non-TLS outgoing packet if client-connect script/plugin
688  * has not yet succeeded.
689  */
690  if (c->c2.context_auth != CAS_SUCCEEDED)
691  {
692  c->c2.buf.len = 0;
693  }
694 #endif
695 
696  if (comp_frag)
697  {
698 #ifdef USE_COMP
699  /* Compress the packet. */
700  if (c->c2.comp_context)
701  {
702  (*c->c2.comp_context->alg.compress)(&c->c2.buf, b->compress_buf, c->c2.comp_context, &c->c2.frame);
703  }
704 #endif
705 #ifdef ENABLE_FRAGMENT
706  if (c->c2.fragment)
707  {
709  }
710 #endif
711  }
712 
713  /* initialize work buffer with FRAME_HEADROOM bytes of prepend capacity */
715 
716  if (c->c2.tls_multi)
717  {
718  /* Get the key we will use to encrypt the packet. */
719  tls_pre_encrypt(c->c2.tls_multi, &c->c2.buf, &co);
720  /* If using P_DATA_V2, prepend the 1-byte opcode and 3-byte peer-id to the
721  * packet before openvpn_encrypt(), so we can authenticate the opcode too.
722  */
723  if (c->c2.buf.len > 0 && c->c2.tls_multi->use_peer_id)
724  {
726  }
727  }
728  else
729  {
730  co = &c->c2.crypto_options;
731  }
732 
733  /* Encrypt and authenticate the packet */
734  openvpn_encrypt(&c->c2.buf, b->encrypt_buf, co);
735 
736  /* Do packet administration */
737  if (c->c2.tls_multi)
738  {
739  if (c->c2.buf.len > 0 && !c->c2.tls_multi->use_peer_id)
740  {
742  }
744  }
745 
746  /*
747  * Get the address we will be sending the packet to.
748  */
750  &c->c2.to_link_addr);
751 
752  /* if null encryption, copy result to read_tun_buf */
753  buffer_turnover(orig_buf, &c->c2.to_link, &c->c2.buf, &b->read_tun_buf);
754 }
755 
756 /*
757  * Coarse timers work to 1 second resolution.
758  */
759 static void
761 {
762  /* flush current packet-id to file once per 60
763  * seconds if --replay-persist was specified */
765 
766  /* should we update status file? */
768 
769  /* process connection establishment items */
771 
772 #if P2MP
773  /* see if we should send a push_request in response to --pull */
775 #endif
776 
777 #ifdef PLUGIN_PF
778  pf_check_reload(c);
779 #endif
780 
781  /* process --route options */
782  check_add_routes(c);
783 
784  /* possibly exit due to --inactive */
786  if (c->sig->signal_received)
787  {
788  return;
789  }
790 
791  /* restart if ping not received */
793  if (c->sig->signal_received)
794  {
795  return;
796  }
797 
798 #if P2MP
799  if (c->c2.tls_multi)
800  {
802  if (c->sig->signal_received)
803  {
804  return;
805  }
806 
808  if (c->sig->signal_received)
809  {
810  return;
811  }
812  }
813 #endif
814 
815 #ifdef ENABLE_OCC
816  /* Should we send an OCC_REQUEST message? */
818 
819  /* Should we send an MTU load test? */
821 
822  /* Should we send an OCC_EXIT message to remote? */
824  {
826  }
827 #endif
828 
829  /* Should we ping the remote? */
830  check_ping_send(c);
831 }
832 
833 static void
835 {
836  const struct timeval save = c->c2.timeval;
837  c->c2.timeval.tv_sec = BIG_TIMEOUT;
838  c->c2.timeval.tv_usec = 0;
840  c->c2.coarse_timer_wakeup = now + c->c2.timeval.tv_sec;
841 
842  dmsg(D_INTERVAL, "TIMER: coarse timer wakeup %" PRIi64 " seconds", (int64_t)c->c2.timeval.tv_sec);
843 
844  /* Is the coarse timeout NOT the earliest one? */
845  if (c->c2.timeval.tv_sec > save.tv_sec)
846  {
847  c->c2.timeval = save;
848  }
849 }
850 
851 static inline void
853 {
854  const time_t local_now = now;
855  if (local_now >= c->c2.coarse_timer_wakeup)
856  {
858  }
859  else
860  {
861  context_reschedule_sec(c, c->c2.coarse_timer_wakeup - local_now);
862  }
863 }
864 
865 static void
867 {
868  const int update_interval = 10; /* seconds */
869  c->c2.update_timeout_random_component = now + update_interval;
870  c->c2.timeout_random_component.tv_usec = (time_t) get_random() & 0x0003FFFF;
871  c->c2.timeout_random_component.tv_sec = 0;
872 
873  dmsg(D_INTERVAL, "RANDOM USEC=%ld", (long) c->c2.timeout_random_component.tv_usec);
874 }
875 
876 static inline void
878 {
880  {
882  }
883  if (c->c2.timeval.tv_sec >= 1)
884  {
886  }
887 }
888 
889 /*
890  * Handle addition and removal of the 10-byte Socks5 header
891  * in UDP packets.
892  */
893 
894 static inline void
896 {
898  {
900  }
901 }
902 
903 static inline void
905  struct link_socket_actual **to_addr,
906  int *size_delta)
907 {
909  {
910  *size_delta += socks_process_outgoing_udp(&c->c2.to_link, c->c2.to_link_addr);
911  *to_addr = &c->c2.link_socket->socks_relay;
912  }
913 }
914 
915 /* undo effect of socks_preprocess_outgoing_link */
916 static inline void
918  int size_delta,
919  struct buffer *buf)
920 {
921  if (size_delta > 0 && *size > size_delta)
922  {
923  *size -= size_delta;
924  if (!buf_advance(buf, size_delta))
925  {
926  *size = 0;
927  }
928  }
929 }
930 
931 /*
932  * Output: c->c2.buf
933  */
934 
935 void
937 {
938  /*
939  * Set up for recvfrom call to read datagram
940  * sent to our TCP/UDP port.
941  */
942  int status;
943 
944  /*ASSERT (!c->c2.to_tun.len);*/
945 
947 
948  c->c2.buf = c->c2.buffers->read_link_buf;
950 
951  status = link_socket_read(c->c2.link_socket,
952  &c->c2.buf,
953  &c->c2.from);
954 
955  if (socket_connection_reset(c->c2.link_socket, status))
956  {
957 #if PORT_SHARE
958  if (port_share && socket_foreign_protocol_detected(c->c2.link_socket))
959  {
960  const struct buffer *fbuf = socket_foreign_protocol_head(c->c2.link_socket);
961  const int sd = socket_foreign_protocol_sd(c->c2.link_socket);
962  port_share_redirect(port_share, fbuf, sd);
963  register_signal(c, SIGTERM, "port-share-redirect");
964  }
965  else
966 #endif
967  {
968  /* received a disconnect from a connection-oriented protocol */
969  if (c->options.inetd)
970  {
971  register_signal(c, SIGTERM, "connection-reset-inetd");
972  msg(D_STREAM_ERRORS, "Connection reset, inetd/xinetd exit [%d]", status);
973  }
974  else
975  {
976 #ifdef ENABLE_OCC
978  {
979  msg(D_STREAM_ERRORS, "Connection reset during exit notification period, ignoring [%d]", status);
980  management_sleep(1);
981  }
982  else
983 #endif
984  {
985  register_signal(c, SIGUSR1, "connection-reset"); /* SOFT-SIGUSR1 -- TCP connection reset */
986  msg(D_STREAM_ERRORS, "Connection reset, restarting [%d]", status);
987  }
988  }
989  }
990  perf_pop();
991  return;
992  }
993 
994  /* check recvfrom status */
995  check_status(status, "read", c->c2.link_socket, NULL);
996 
997  /* Remove socks header if applicable */
999 
1000  perf_pop();
1001 }
1002 
1003 bool
1004 process_incoming_link_part1(struct context *c, struct link_socket_info *lsi, bool floated)
1005 {
1006  struct gc_arena gc = gc_new();
1007  bool decrypt_status = false;
1008 
1009  if (c->c2.buf.len > 0)
1010  {
1011  c->c2.link_read_bytes += c->c2.buf.len;
1013 #ifdef ENABLE_MEMSTATS
1014  if (mmap_stats)
1015  {
1016  mmap_stats->link_read_bytes = link_read_bytes_global;
1017  }
1018 #endif
1019  c->c2.original_recv_size = c->c2.buf.len;
1020 #ifdef ENABLE_MANAGEMENT
1021  if (management)
1022  {
1024 #ifdef MANAGEMENT_DEF_AUTH
1025  management_bytes_server(management, &c->c2.link_read_bytes, &c->c2.link_write_bytes, &c->c2.mda_context);
1026 #endif
1027  }
1028 #endif
1029  }
1030  else
1031  {
1032  c->c2.original_recv_size = 0;
1033  }
1034 
1035 #ifdef ENABLE_DEBUG
1036  /* take action to corrupt packet if we are in gremlin test mode */
1037  if (c->options.gremlin)
1038  {
1039  if (!ask_gremlin(c->options.gremlin))
1040  {
1041  c->c2.buf.len = 0;
1042  }
1043  corrupt_gremlin(&c->c2.buf, c->options.gremlin);
1044  }
1045 #endif
1046 
1047  /* log incoming packet */
1048 #ifdef LOG_RW
1049  if (c->c2.log_rw && c->c2.buf.len > 0)
1050  {
1051  fprintf(stderr, "R");
1052  }
1053 #endif
1054  msg(D_LINK_RW, "%s READ [%d] from %s: %s",
1055  proto2ascii(lsi->proto, lsi->af, true),
1056  BLEN(&c->c2.buf),
1057  print_link_socket_actual(&c->c2.from, &gc),
1058  PROTO_DUMP(&c->c2.buf, &gc));
1059 
1060  /*
1061  * Good, non-zero length packet received.
1062  * Commence multi-stage processing of packet,
1063  * such as authenticate, decrypt, decompress.
1064  * If any stage fails, it sets buf.len to 0 or -1,
1065  * telling downstream stages to ignore the packet.
1066  */
1067  if (c->c2.buf.len > 0)
1068  {
1069  struct crypto_options *co = NULL;
1070  const uint8_t *ad_start = NULL;
1071  if (!link_socket_verify_incoming_addr(&c->c2.buf, lsi, &c->c2.from))
1072  {
1073  link_socket_bad_incoming_addr(&c->c2.buf, lsi, &c->c2.from);
1074  }
1075 
1076  if (c->c2.tls_multi)
1077  {
1078  /*
1079  * If tls_pre_decrypt returns true, it means the incoming
1080  * packet was a good TLS control channel packet. If so, TLS code
1081  * will deal with the packet and set buf.len to 0 so downstream
1082  * stages ignore it.
1083  *
1084  * If the packet is a data channel packet, tls_pre_decrypt
1085  * will load crypto_options with the correct encryption key
1086  * and return false.
1087  */
1088  uint8_t opcode = *BPTR(&c->c2.buf) >> P_OPCODE_SHIFT;
1089  if (tls_pre_decrypt(c->c2.tls_multi, &c->c2.from, &c->c2.buf, &co,
1090  floated, &ad_start))
1091  {
1092  /* Restore pre-NCP frame parameters */
1093  if (is_hard_reset(opcode, c->options.key_method))
1094  {
1095  c->c2.frame = c->c2.frame_initial;
1096  }
1097 
1098  interval_action(&c->c2.tmp_int);
1099 
1100  /* reset packet received timer if TLS packet */
1101  if (c->options.ping_rec_timeout)
1102  {
1104  }
1105  }
1106  }
1107  else
1108  {
1109  co = &c->c2.crypto_options;
1110  }
1111 #if P2MP_SERVER
1112  /*
1113  * Drop non-TLS packet if client-connect script/plugin has not
1114  * yet succeeded.
1115  */
1116  if (c->c2.context_auth != CAS_SUCCEEDED)
1117  {
1118  c->c2.buf.len = 0;
1119  }
1120 #endif
1121 
1122  /* authenticate and decrypt the incoming packet */
1123  decrypt_status = openvpn_decrypt(&c->c2.buf, c->c2.buffers->decrypt_buf,
1124  co, &c->c2.frame, ad_start);
1125 
1126  if (!decrypt_status && link_socket_connection_oriented(c->c2.link_socket))
1127  {
1128  /* decryption errors are fatal in TCP mode */
1129  register_signal(c, SIGUSR1, "decryption-error"); /* SOFT-SIGUSR1 -- decryption error in TCP mode */
1130  msg(D_STREAM_ERRORS, "Fatal decryption error (process_incoming_link), restarting");
1131  }
1132  }
1133  else
1134  {
1135  buf_reset(&c->c2.to_tun);
1136  }
1137  gc_free(&gc);
1138 
1139  return decrypt_status;
1140 }
1141 
1142 void
1143 process_incoming_link_part2(struct context *c, struct link_socket_info *lsi, const uint8_t *orig_buf)
1144 {
1145  if (c->c2.buf.len > 0)
1146  {
1147 #ifdef ENABLE_FRAGMENT
1148  if (c->c2.fragment)
1149  {
1151  }
1152 #endif
1153 
1154 #ifdef USE_COMP
1155  /* decompress the incoming packet */
1156  if (c->c2.comp_context)
1157  {
1158  (*c->c2.comp_context->alg.decompress)(&c->c2.buf, c->c2.buffers->decompress_buf, c->c2.comp_context, &c->c2.frame);
1159  }
1160 #endif
1161 
1162 #ifdef PACKET_TRUNCATION_CHECK
1163  /* if (c->c2.buf.len > 1) --c->c2.buf.len; */
1164  ipv4_packet_size_verify(BPTR(&c->c2.buf),
1165  BLEN(&c->c2.buf),
1166  TUNNEL_TYPE(c->c1.tuntap),
1167  "POST_DECRYPT",
1168  &c->c2.n_trunc_post_decrypt);
1169 #endif
1170 
1171  /*
1172  * Set our "official" outgoing address, since
1173  * if buf.len is non-zero, we know the packet
1174  * authenticated. In TLS mode we do nothing
1175  * because TLS mode takes care of source address
1176  * authentication.
1177  *
1178  * Also, update the persisted version of our packet-id.
1179  */
1180  if (!TLS_MODE(c))
1181  {
1182  link_socket_set_outgoing_addr(&c->c2.buf, lsi, &c->c2.from, NULL, c->c2.es);
1183  }
1184 
1185  /* reset packet received timer */
1186  if (c->options.ping_rec_timeout && c->c2.buf.len > 0)
1187  {
1189  }
1190 
1191  /* increment authenticated receive byte count */
1192  if (c->c2.buf.len > 0)
1193  {
1194  c->c2.link_read_bytes_auth += c->c2.buf.len;
1196  }
1197 
1198  /* Did we just receive an openvpn ping packet? */
1199  if (is_ping_msg(&c->c2.buf))
1200  {
1201  dmsg(D_PING, "RECEIVED PING PACKET");
1202  c->c2.buf.len = 0; /* drop packet */
1203  }
1204 
1205 #ifdef ENABLE_OCC
1206  /* Did we just receive an OCC packet? */
1207  if (is_occ_msg(&c->c2.buf))
1208  {
1210  }
1211 #endif
1212 
1213  buffer_turnover(orig_buf, &c->c2.to_tun, &c->c2.buf, &c->c2.buffers->read_link_buf);
1214 
1215  /* to_tun defined + unopened tuntap can cause deadlock */
1216  if (!tuntap_defined(c->c1.tuntap))
1217  {
1218  c->c2.to_tun.len = 0;
1219  }
1220  }
1221  else
1222  {
1223  buf_reset(&c->c2.to_tun);
1224  }
1225 }
1226 
1227 static void
1229 {
1231 
1232  struct link_socket_info *lsi = get_link_socket_info(c);
1233  const uint8_t *orig_buf = c->c2.buf.data;
1234 
1235  process_incoming_link_part1(c, lsi, false);
1236  process_incoming_link_part2(c, lsi, orig_buf);
1237 
1238  perf_pop();
1239 }
1240 
1241 /*
1242  * Output: c->c2.buf
1243  */
1244 
1245 void
1247 {
1248  /*
1249  * Setup for read() call on TUN/TAP device.
1250  */
1251  /*ASSERT (!c->c2.to_link.len);*/
1252 
1254 
1255  c->c2.buf = c->c2.buffers->read_tun_buf;
1256 #ifdef TUN_PASS_BUFFER
1258 #else
1259  ASSERT(buf_init(&c->c2.buf, FRAME_HEADROOM(&c->c2.frame)));
1261  c->c2.buf.len = read_tun(c->c1.tuntap, BPTR(&c->c2.buf), MAX_RW_SIZE_TUN(&c->c2.frame));
1262 #endif
1263 
1264 #ifdef PACKET_TRUNCATION_CHECK
1265  ipv4_packet_size_verify(BPTR(&c->c2.buf),
1266  BLEN(&c->c2.buf),
1267  TUNNEL_TYPE(c->c1.tuntap),
1268  "READ_TUN",
1269  &c->c2.n_trunc_tun_read);
1270 #endif
1271 
1272  /* Was TUN/TAP interface stopped? */
1273  if (tuntap_stop(c->c2.buf.len))
1274  {
1275  register_signal(c, SIGTERM, "tun-stop");
1276  msg(M_INFO, "TUN/TAP interface has been stopped, exiting");
1277  perf_pop();
1278  return;
1279  }
1280 
1281  /* Was TUN/TAP I/O operation aborted? */
1282  if (tuntap_abort(c->c2.buf.len))
1283  {
1284  register_signal(c, SIGHUP, "tun-abort");
1286  msg(M_INFO, "TUN/TAP I/O operation aborted, restarting");
1287  perf_pop();
1288  return;
1289  }
1290 
1291  /* Check the status return from read() */
1292  check_status(c->c2.buf.len, "read from TUN/TAP", NULL, c->c1.tuntap);
1293 
1294  perf_pop();
1295 }
1296 
1305 static void
1307 {
1308  bool drop = false;
1309  struct openvpn_sockaddr tun_sa;
1310  int ip_hdr_offset = 0;
1311 
1312  if (c->c2.to_link_addr == NULL) /* no remote addr known */
1313  {
1314  return;
1315  }
1316 
1317  tun_sa = c->c2.to_link_addr->dest;
1318 
1319  int proto_ver = get_tun_ip_ver(TUNNEL_TYPE(c->c1.tuntap), &c->c2.buf, &ip_hdr_offset);
1320 
1321  if (proto_ver == 4)
1322  {
1323  const struct openvpn_iphdr *pip;
1324 
1325  /* make sure we got whole IP header */
1326  if (BLEN(buf) < ((int) sizeof(struct openvpn_iphdr) + ip_hdr_offset))
1327  {
1328  return;
1329  }
1330 
1331  /* skip ipv4 packets for ipv6 tun */
1332  if (tun_sa.addr.sa.sa_family != AF_INET)
1333  {
1334  return;
1335  }
1336 
1337  pip = (struct openvpn_iphdr *) (BPTR(buf) + ip_hdr_offset);
1338 
1339  /* drop packets with same dest addr as gateway */
1340  if (tun_sa.addr.in4.sin_addr.s_addr == pip->daddr)
1341  {
1342  drop = true;
1343  }
1344  }
1345  else if (proto_ver == 6)
1346  {
1347  const struct openvpn_ipv6hdr *pip6;
1348 
1349  /* make sure we got whole IPv6 header */
1350  if (BLEN(buf) < ((int) sizeof(struct openvpn_ipv6hdr) + ip_hdr_offset))
1351  {
1352  return;
1353  }
1354 
1355  /* skip ipv6 packets for ipv4 tun */
1356  if (tun_sa.addr.sa.sa_family != AF_INET6)
1357  {
1358  return;
1359  }
1360 
1361  /* drop packets with same dest addr as gateway */
1362  pip6 = (struct openvpn_ipv6hdr *) (BPTR(buf) + ip_hdr_offset);
1363  if (IN6_ARE_ADDR_EQUAL(&tun_sa.addr.in6.sin6_addr, &pip6->daddr))
1364  {
1365  drop = true;
1366  }
1367  }
1368 
1369  if (drop)
1370  {
1371  struct gc_arena gc = gc_new();
1372 
1373  c->c2.buf.len = 0;
1374 
1375  msg(D_LOW, "Recursive routing detected, drop tun packet to %s",
1377  gc_free(&gc);
1378  }
1379 }
1380 
1381 /*
1382  * Input: c->c2.buf
1383  * Output: c->c2.to_link
1384  */
1385 
1386 void
1388 {
1389  struct gc_arena gc = gc_new();
1390 
1392 
1393  if (c->c2.buf.len > 0)
1394  {
1395  c->c2.tun_read_bytes += c->c2.buf.len;
1396  }
1397 
1398 #ifdef LOG_RW
1399  if (c->c2.log_rw && c->c2.buf.len > 0)
1400  {
1401  fprintf(stderr, "r");
1402  }
1403 #endif
1404 
1405  /* Show packet content */
1406  dmsg(D_TUN_RW, "TUN READ [%d]", BLEN(&c->c2.buf));
1407 
1408  if (c->c2.buf.len > 0)
1409  {
1411  {
1413  }
1414  /*
1415  * The --passtos and --mssfix options require
1416  * us to examine the IP header (IPv4 or IPv6).
1417  */
1418  unsigned int flags = PIPV4_PASSTOS | PIP_MSSFIX | PIPV4_CLIENT_NAT
1420  process_ip_header(c, flags, &c->c2.buf);
1421 
1422 #ifdef PACKET_TRUNCATION_CHECK
1423  /* if (c->c2.buf.len > 1) --c->c2.buf.len; */
1424  ipv4_packet_size_verify(BPTR(&c->c2.buf),
1425  BLEN(&c->c2.buf),
1426  TUNNEL_TYPE(c->c1.tuntap),
1427  "PRE_ENCRYPT",
1428  &c->c2.n_trunc_pre_encrypt);
1429 #endif
1430 
1431  }
1432  if (c->c2.buf.len > 0)
1433  {
1434  encrypt_sign(c, true);
1435  }
1436  else
1437  {
1438  buf_reset(&c->c2.to_link);
1439  }
1440  perf_pop();
1441  gc_free(&gc);
1442 }
1443 
1454 void
1455 ipv6_send_icmp_unreachable(struct context *c, struct buffer *buf, bool client)
1456 {
1457 #define MAX_ICMPV6LEN 1280
1458  struct openvpn_icmp6hdr icmp6out;
1459  CLEAR(icmp6out);
1460 
1461  /*
1462  * Get a buffer to the ip packet, is_ipv6 automatically forwards
1463  * the buffer to the ip packet
1464  */
1465  struct buffer inputipbuf = *buf;
1466 
1467  is_ipv6(TUNNEL_TYPE(c->c1.tuntap), &inputipbuf);
1468 
1469  if (BLEN(&inputipbuf) < (int)sizeof(struct openvpn_ipv6hdr))
1470  {
1471  return;
1472  }
1473 
1474  const struct openvpn_ipv6hdr *pip6 = (struct openvpn_ipv6hdr *)BPTR(&inputipbuf);
1475 
1476  /* Copy version, traffic class, flow label from input packet */
1477  struct openvpn_ipv6hdr pip6out = *pip6;
1478 
1479  pip6out.version_prio = pip6->version_prio;
1480  pip6out.daddr = pip6->saddr;
1481 
1482  /*
1483  * Use the IPv6 remote address if we have one, otherwise use a fake one
1484  * using the remote address is preferred since it makes debugging and
1485  * understanding where the ICMPv6 error originates easier
1486  */
1488  {
1489  inet_pton(AF_INET6, c->options.ifconfig_ipv6_remote, &pip6out.saddr);
1490  }
1491  else
1492  {
1493  inet_pton(AF_INET6, "fe80::7", &pip6out.saddr);
1494  }
1495 
1496  pip6out.nexthdr = OPENVPN_IPPROTO_ICMPV6;
1497 
1498  /*
1499  * The ICMPv6 unreachable code worked best in my (arne) tests with Windows,
1500  * Linux and Android. Windows did not like the administratively prohibited
1501  * return code (no fast fail)
1502  */
1505 
1506  int icmpheader_len = sizeof(struct openvpn_ipv6hdr)
1507  + sizeof(struct openvpn_icmp6hdr);
1508  int totalheader_len = icmpheader_len;
1509 
1510  if (TUNNEL_TYPE(c->c1.tuntap) == DEV_TYPE_TAP)
1511  {
1512  totalheader_len += sizeof(struct openvpn_ethhdr);
1513  }
1514 
1515  /*
1516  * Calculate size for payload, defined in the standard that the resulting
1517  * frame should be <= 1280 and have as much as possible of the original
1518  * packet
1519  */
1520  int max_payload_size = min_int(MAX_ICMPV6LEN,
1521  TUN_MTU_SIZE(&c->c2.frame) - icmpheader_len);
1522  int payload_len = min_int(max_payload_size, BLEN(&inputipbuf));
1523 
1524  pip6out.payload_len = htons(sizeof(struct openvpn_icmp6hdr) + payload_len);
1525 
1526  /* Construct the packet as outgoing packet back to the client */
1527  struct buffer *outbuf;
1528  if (client)
1529  {
1530  c->c2.to_tun = c->c2.buffers->aux_buf;
1531  outbuf = &(c->c2.to_tun);
1532  }
1533  else
1534  {
1535  c->c2.to_link = c->c2.buffers->aux_buf;
1536  outbuf = &(c->c2.to_link);
1537  }
1538  ASSERT(buf_init(outbuf, totalheader_len));
1539 
1540  /* Fill the end of the buffer with original packet */
1541  ASSERT(buf_safe(outbuf, payload_len));
1542  ASSERT(buf_copy_n(outbuf, &inputipbuf, payload_len));
1543 
1544  /* ICMP Header, copy into buffer to allow checksum calculation */
1545  ASSERT(buf_write_prepend(outbuf, &icmp6out, sizeof(struct openvpn_icmp6hdr)));
1546 
1547  /* Calculate checksum over the packet and write to header */
1548 
1549  uint16_t new_csum = ip_checksum(AF_INET6, BPTR(outbuf), BLEN(outbuf),
1550  (const uint8_t *)&pip6out.saddr,
1551  (uint8_t *)&pip6out.daddr, OPENVPN_IPPROTO_ICMPV6);
1552  ((struct openvpn_icmp6hdr *) BPTR(outbuf))->icmp6_cksum = htons(new_csum);
1553 
1554 
1555  /* IPv6 Header */
1556  ASSERT(buf_write_prepend(outbuf, &pip6out, sizeof(struct openvpn_ipv6hdr)));
1557 
1558  /*
1559  * Tap mode, we also need to create an Ethernet header.
1560  */
1561  if (TUNNEL_TYPE(c->c1.tuntap) == DEV_TYPE_TAP)
1562  {
1563  if (BLEN(buf) < (int)sizeof(struct openvpn_ethhdr))
1564  {
1565  return;
1566  }
1567 
1568  const struct openvpn_ethhdr *orig_ethhdr = (struct openvpn_ethhdr *) BPTR(buf);
1569 
1570  /* Copy frametype and reverse source/destination for the response */
1571  struct openvpn_ethhdr ethhdr;
1572  memcpy(ethhdr.source, orig_ethhdr->dest, OPENVPN_ETH_ALEN);
1573  memcpy(ethhdr.dest, orig_ethhdr->source, OPENVPN_ETH_ALEN);
1574  ethhdr.proto = htons(OPENVPN_ETH_P_IPV6);
1575  ASSERT(buf_write_prepend(outbuf, &ethhdr, sizeof(struct openvpn_ethhdr)));
1576  }
1577 #undef MAX_ICMPV6LEN
1578 }
1579 
1580 void
1581 process_ip_header(struct context *c, unsigned int flags, struct buffer *buf)
1582 {
1583  if (!c->options.ce.mssfix)
1584  {
1585  flags &= ~PIP_MSSFIX;
1586  }
1587 #if PASSTOS_CAPABILITY
1588  if (!c->options.passtos)
1589  {
1590  flags &= ~PIPV4_PASSTOS;
1591  }
1592 #endif
1593  if (!c->options.client_nat)
1594  {
1595  flags &= ~PIPV4_CLIENT_NAT;
1596  }
1598  {
1599  flags &= ~PIPV4_EXTRACT_DHCP_ROUTER;
1600  }
1601  if (!c->options.block_ipv6)
1602  {
1604  }
1605 
1606  if (buf->len > 0)
1607  {
1608  /*
1609  * The --passtos and --mssfix options require
1610  * us to examine the IPv4 header.
1611  */
1612 
1613  if (flags & (PIP_MSSFIX
1615  | PIPV4_PASSTOS
1616 #endif
1618  ))
1619  {
1620  struct buffer ipbuf = *buf;
1621  if (is_ipv4(TUNNEL_TYPE(c->c1.tuntap), &ipbuf))
1622  {
1623 #if PASSTOS_CAPABILITY
1624  /* extract TOS from IP header */
1625  if (flags & PIPV4_PASSTOS)
1626  {
1627  link_socket_extract_tos(c->c2.link_socket, &ipbuf);
1628  }
1629 #endif
1630 
1631  /* possibly alter the TCP MSS */
1632  if (flags & PIP_MSSFIX)
1633  {
1635  }
1636 
1637  /* possibly do NAT on packet */
1638  if ((flags & PIPV4_CLIENT_NAT) && c->options.client_nat)
1639  {
1640  const int direction = (flags & PIP_OUTGOING) ? CN_INCOMING : CN_OUTGOING;
1641  client_nat_transform(c->options.client_nat, &ipbuf, direction);
1642  }
1643  /* possibly extract a DHCP router message */
1644  if (flags & PIPV4_EXTRACT_DHCP_ROUTER)
1645  {
1646  const in_addr_t dhcp_router = dhcp_extract_router_msg(&ipbuf);
1647  if (dhcp_router)
1648  {
1649  route_list_add_vpn_gateway(c->c1.route_list, c->c2.es, dhcp_router);
1650  }
1651  }
1652  }
1653  else if (is_ipv6(TUNNEL_TYPE(c->c1.tuntap), &ipbuf))
1654  {
1655  /* possibly alter the TCP MSS */
1656  if (flags & PIP_MSSFIX)
1657  {
1658  mss_fixup_ipv6(&ipbuf,
1660  }
1661  if (!(flags & PIP_OUTGOING) && (flags
1663  {
1665  (bool)(flags & PIPV6_IMCP_NOHOST_CLIENT));
1666  /* Drop the IPv6 packet */
1667  buf->len = 0;
1668  }
1669 
1670  }
1671  }
1672  }
1673 }
1674 
1675 /*
1676  * Input: c->c2.to_link
1677  */
1678 
1679 void
1681 {
1682  struct gc_arena gc = gc_new();
1683  int error_code = 0;
1684 
1686 
1687  if (c->c2.to_link.len > 0 && c->c2.to_link.len <= EXPANDED_SIZE(&c->c2.frame))
1688  {
1689  /*
1690  * Setup for call to send/sendto which will send
1691  * packet to remote over the TCP/UDP port.
1692  */
1693  int size = 0;
1695 
1696 #ifdef ENABLE_DEBUG
1697  /* In gremlin-test mode, we may choose to drop this packet */
1698  if (!c->options.gremlin || ask_gremlin(c->options.gremlin))
1699 #endif
1700  {
1701  /*
1702  * Let the traffic shaper know how many bytes
1703  * we wrote.
1704  */
1705 #ifdef ENABLE_FEATURE_SHAPER
1706  if (c->options.shaper)
1707  {
1708  shaper_wrote_bytes(&c->c2.shaper, BLEN(&c->c2.to_link)
1710  }
1711 #endif
1712  /*
1713  * Let the pinger know that we sent a packet.
1714  */
1715  if (c->options.ping_send_timeout)
1716  {
1718  }
1719 
1720 #if PASSTOS_CAPABILITY
1721  /* Set TOS */
1722  link_socket_set_tos(c->c2.link_socket);
1723 #endif
1724 
1725  /* Log packet send */
1726 #ifdef LOG_RW
1727  if (c->c2.log_rw)
1728  {
1729  fprintf(stderr, "W");
1730  }
1731 #endif
1732  msg(D_LINK_RW, "%s WRITE [%d] to %s: %s",
1734  BLEN(&c->c2.to_link),
1736  PROTO_DUMP(&c->c2.to_link, &gc));
1737 
1738  /* Packet send complexified by possible Socks5 usage */
1739  {
1740  struct link_socket_actual *to_addr = c->c2.to_link_addr;
1741  int size_delta = 0;
1742 
1743  /* If Socks5 over UDP, prepend header */
1744  socks_preprocess_outgoing_link(c, &to_addr, &size_delta);
1745 
1746  /* Send packet */
1747  size = link_socket_write(c->c2.link_socket,
1748  &c->c2.to_link,
1749  to_addr);
1750 
1751  /* Undo effect of prepend */
1752  link_socket_write_post_size_adjust(&size, size_delta, &c->c2.to_link);
1753  }
1754 
1755  if (size > 0)
1756  {
1758  c->c2.link_write_bytes += size;
1759  link_write_bytes_global += size;
1760 #ifdef ENABLE_MEMSTATS
1761  if (mmap_stats)
1762  {
1763  mmap_stats->link_write_bytes = link_write_bytes_global;
1764  }
1765 #endif
1766 #ifdef ENABLE_MANAGEMENT
1767  if (management)
1768  {
1770 #ifdef MANAGEMENT_DEF_AUTH
1771  management_bytes_server(management, &c->c2.link_read_bytes, &c->c2.link_write_bytes, &c->c2.mda_context);
1772 #endif
1773  }
1774 #endif
1775  }
1776  }
1777 
1778  /* Check return status */
1779  error_code = openvpn_errno();
1780  check_status(size, "write", c->c2.link_socket, NULL);
1781 
1782  if (size > 0)
1783  {
1784  /* Did we write a different size packet than we intended? */
1785  if (size != BLEN(&c->c2.to_link))
1786  {
1788  "TCP/UDP packet was truncated/expanded on write to %s (tried=%d,actual=%d)",
1790  BLEN(&c->c2.to_link),
1791  size);
1792  }
1793  }
1794 
1795  /* if not a ping/control message, indicate activity regarding --inactive parameter */
1796  if (c->c2.buf.len > 0)
1797  {
1798  register_activity(c, size);
1799  }
1800 
1801  /* for unreachable network and "connecting" state switch to the next host */
1802  if (size < 0 && ENETUNREACH == error_code && c->c2.tls_multi
1804  {
1805  msg(M_INFO, "Network unreachable, restarting");
1806  register_signal(c, SIGUSR1, "network-unreachable");
1807  }
1808  }
1809  else
1810  {
1811  if (c->c2.to_link.len > 0)
1812  {
1813  msg(D_LINK_ERRORS, "TCP/UDP packet too large on write to %s (tried=%d,max=%d)",
1815  c->c2.to_link.len,
1816  EXPANDED_SIZE(&c->c2.frame));
1817  }
1818  }
1819 
1820  buf_reset(&c->c2.to_link);
1821 
1822  perf_pop();
1823  gc_free(&gc);
1824 }
1825 
1826 /*
1827  * Input: c->c2.to_tun
1828  */
1829 
1830 void
1832 {
1833  struct gc_arena gc = gc_new();
1834 
1835  /*
1836  * Set up for write() call to TUN/TAP
1837  * device.
1838  */
1839  if (c->c2.to_tun.len <= 0)
1840  {
1841  return;
1842  }
1843 
1845 
1846  /*
1847  * The --mssfix option requires
1848  * us to examine the IP header (IPv4 or IPv6).
1849  */
1852  &c->c2.to_tun);
1853 
1854  if (c->c2.to_tun.len <= MAX_RW_SIZE_TUN(&c->c2.frame))
1855  {
1856  /*
1857  * Write to TUN/TAP device.
1858  */
1859  int size;
1860 
1861 #ifdef LOG_RW
1862  if (c->c2.log_rw)
1863  {
1864  fprintf(stderr, "w");
1865  }
1866 #endif
1867  dmsg(D_TUN_RW, "TUN WRITE [%d]", BLEN(&c->c2.to_tun));
1868 
1869 #ifdef PACKET_TRUNCATION_CHECK
1870  ipv4_packet_size_verify(BPTR(&c->c2.to_tun),
1871  BLEN(&c->c2.to_tun),
1872  TUNNEL_TYPE(c->c1.tuntap),
1873  "WRITE_TUN",
1874  &c->c2.n_trunc_tun_write);
1875 #endif
1876 
1877 #ifdef TUN_PASS_BUFFER
1878  size = write_tun_buffered(c->c1.tuntap, &c->c2.to_tun);
1879 #else
1880  size = write_tun(c->c1.tuntap, BPTR(&c->c2.to_tun), BLEN(&c->c2.to_tun));
1881 #endif
1882 
1883  if (size > 0)
1884  {
1885  c->c2.tun_write_bytes += size;
1886  }
1887  check_status(size, "write to TUN/TAP", NULL, c->c1.tuntap);
1888 
1889  /* check written packet size */
1890  if (size > 0)
1891  {
1892  /* Did we write a different size packet than we intended? */
1893  if (size != BLEN(&c->c2.to_tun))
1894  {
1896  "TUN/TAP packet was destructively fragmented on write to %s (tried=%d,actual=%d)",
1897  c->c1.tuntap->actual_name,
1898  BLEN(&c->c2.to_tun),
1899  size);
1900  }
1901 
1902  /* indicate activity regarding --inactive parameter */
1903  register_activity(c, size);
1904  }
1905  }
1906  else
1907  {
1908  /*
1909  * This should never happen, probably indicates some kind
1910  * of MTU mismatch.
1911  */
1912  msg(D_LINK_ERRORS, "tun packet too large on write (tried=%d,max=%d)",
1913  c->c2.to_tun.len,
1914  MAX_RW_SIZE_TUN(&c->c2.frame));
1915  }
1916 
1917  buf_reset(&c->c2.to_tun);
1918 
1919  perf_pop();
1920  gc_free(&gc);
1921 }
1922 
1923 void
1925 {
1926  /* make sure current time (now) is updated on function entry */
1927 
1928  /*
1929  * Start with an effectively infinite timeout, then let it
1930  * reduce to a timeout that reflects the component which
1931  * needs the earliest service.
1932  */
1933  c->c2.timeval.tv_sec = BIG_TIMEOUT;
1934  c->c2.timeval.tv_usec = 0;
1935 
1936 #if defined(_WIN32)
1938  {
1939  c->c2.timeval.tv_sec = 1;
1940  if (tuntap_defined(c->c1.tuntap))
1941  {
1942  tun_show_debug(c->c1.tuntap);
1943  }
1944  }
1945 #endif
1946 
1947  /* check coarse timers? */
1949  if (c->sig->signal_received)
1950  {
1951  return;
1952  }
1953 
1954  /* Does TLS need service? */
1955  check_tls(c);
1956 
1957  /* In certain cases, TLS errors will require a restart */
1958  check_tls_errors(c);
1959  if (c->sig->signal_received)
1960  {
1961  return;
1962  }
1963 
1964  /* check for incoming configuration info on the control channel */
1966 
1967 #ifdef ENABLE_OCC
1968  /* Should we send an OCC message? */
1969  check_send_occ_msg(c);
1970 #endif
1971 
1972 #ifdef ENABLE_FRAGMENT
1973  /* Should we deliver a datagram fragment to remote? */
1974  check_fragment(c);
1975 #endif
1976 
1977  /* Update random component of timeout */
1979 }
1980 
1981 /*
1982  * Wait for I/O events. Used for both TCP & UDP sockets
1983  * in point-to-point mode and for UDP sockets in
1984  * point-to-multipoint mode.
1985  */
1986 
1987 void
1988 io_wait_dowork(struct context *c, const unsigned int flags)
1989 {
1990  unsigned int socket = 0;
1991  unsigned int tuntap = 0;
1992  struct event_set_return esr[4];
1993 
1994  /* These shifts all depend on EVENT_READ and EVENT_WRITE */
1995  static int socket_shift = 0; /* depends on SOCKET_READ and SOCKET_WRITE */
1996  static int tun_shift = 2; /* depends on TUN_READ and TUN_WRITE */
1997  static int err_shift = 4; /* depends on ES_ERROR */
1998 #ifdef ENABLE_MANAGEMENT
1999  static int management_shift = 6; /* depends on MANAGEMENT_READ and MANAGEMENT_WRITE */
2000 #endif
2001 #ifdef ENABLE_ASYNC_PUSH
2002  static int file_shift = 8; /* listening inotify events */
2003 #endif
2004 
2005  /*
2006  * Decide what kind of events we want to wait for.
2007  */
2008  event_reset(c->c2.event_set);
2009 
2010  /*
2011  * On win32 we use the keyboard or an event object as a source
2012  * of asynchronous signals.
2013  */
2014  if (flags & IOW_WAIT_SIGNAL)
2015  {
2016  wait_signal(c->c2.event_set, (void *)&err_shift);
2017  }
2018 
2019  /*
2020  * If outgoing data (for TCP/UDP port) pending, wait for ready-to-send
2021  * status from TCP/UDP port. Otherwise, wait for incoming data on
2022  * TUN/TAP device.
2023  */
2024  if (flags & IOW_TO_LINK)
2025  {
2026  if (flags & IOW_SHAPER)
2027  {
2028  /*
2029  * If sending this packet would put us over our traffic shaping
2030  * quota, don't send -- instead compute the delay we must wait
2031  * until it will be OK to send the packet.
2032  */
2033 #ifdef ENABLE_FEATURE_SHAPER
2034  int delay = 0;
2035 
2036  /* set traffic shaping delay in microseconds */
2037  if (c->options.shaper)
2038  {
2039  delay = max_int(delay, shaper_delay(&c->c2.shaper));
2040  }
2041 
2042  if (delay < 1000)
2043  {
2044  socket |= EVENT_WRITE;
2045  }
2046  else
2047  {
2048  shaper_soonest_event(&c->c2.timeval, delay);
2049  }
2050 #else /* ENABLE_FEATURE_SHAPER */
2051  socket |= EVENT_WRITE;
2052 #endif /* ENABLE_FEATURE_SHAPER */
2053  }
2054  else
2055  {
2056  socket |= EVENT_WRITE;
2057  }
2058  }
2059  else if (!((flags & IOW_FRAG) && TO_LINK_FRAG(c)))
2060  {
2061  if (flags & IOW_READ_TUN)
2062  {
2063  tuntap |= EVENT_READ;
2064  }
2065  }
2066 
2067  /*
2068  * If outgoing data (for TUN/TAP device) pending, wait for ready-to-send status
2069  * from device. Otherwise, wait for incoming data on TCP/UDP port.
2070  */
2071  if (flags & IOW_TO_TUN)
2072  {
2073  tuntap |= EVENT_WRITE;
2074  }
2075  else
2076  {
2077  if (flags & IOW_READ_LINK)
2078  {
2079  socket |= EVENT_READ;
2080  }
2081  }
2082 
2083  /*
2084  * outgoing bcast buffer waiting to be sent?
2085  */
2086  if (flags & IOW_MBUF)
2087  {
2088  socket |= EVENT_WRITE;
2089  }
2090 
2091  /*
2092  * Force wait on TUN input, even if also waiting on TCP/UDP output
2093  */
2094  if (flags & IOW_READ_TUN_FORCE)
2095  {
2096  tuntap |= EVENT_READ;
2097  }
2098 
2099  /*
2100  * Configure event wait based on socket, tuntap flags.
2101  */
2102  socket_set(c->c2.link_socket, c->c2.event_set, socket, (void *)&socket_shift, NULL);
2103  tun_set(c->c1.tuntap, c->c2.event_set, tuntap, (void *)&tun_shift, NULL);
2104 
2105 #ifdef ENABLE_MANAGEMENT
2106  if (management)
2107  {
2108  management_socket_set(management, c->c2.event_set, (void *)&management_shift, NULL);
2109  }
2110 #endif
2111 
2112 #ifdef ENABLE_ASYNC_PUSH
2113  /* arm inotify watcher */
2114  if (c->options.mode == MODE_SERVER)
2115  {
2116  event_ctl(c->c2.event_set, c->c2.inotify_fd, EVENT_READ, (void *)&file_shift);
2117  }
2118 #endif
2119 
2120  /*
2121  * Possible scenarios:
2122  * (1) tcp/udp port has data available to read
2123  * (2) tcp/udp port is ready to accept more data to write
2124  * (3) tun dev has data available to read
2125  * (4) tun dev is ready to accept more data to write
2126  * (5) we received a signal (handler sets signal_received)
2127  * (6) timeout (tv) expired
2128  */
2129 
2131 
2132  if (!c->sig->signal_received)
2133  {
2134  if (!(flags & IOW_CHECK_RESIDUAL) || !socket_read_residual(c->c2.link_socket))
2135  {
2136  int status;
2137 
2138 #ifdef ENABLE_DEBUG
2140  {
2141  show_wait_status(c);
2142  }
2143 #endif
2144 
2145  /*
2146  * Wait for something to happen.
2147  */
2148  status = event_wait(c->c2.event_set, &c->c2.timeval, esr, SIZE(esr));
2149 
2150  check_status(status, "event_wait", NULL, NULL);
2151 
2152  if (status > 0)
2153  {
2154  int i;
2155  c->c2.event_set_status = 0;
2156  for (i = 0; i < status; ++i)
2157  {
2158  const struct event_set_return *e = &esr[i];
2159  c->c2.event_set_status |= ((e->rwflags & 3) << *((int *)e->arg));
2160  }
2161  }
2162  else if (status == 0)
2163  {
2165  }
2166  }
2167  else
2168  {
2170  }
2171  }
2172 
2173  /* 'now' should always be a reasonably up-to-date timestamp */
2174  update_time();
2175 
2176  /* set signal_received if a signal was received */
2177  if (c->c2.event_set_status & ES_ERROR)
2178  {
2180  }
2181 
2182  dmsg(D_EVENT_WAIT, "I/O WAIT status=0x%04x", c->c2.event_set_status);
2183 }
2184 
2185 void
2187 {
2188  const unsigned int status = c->c2.event_set_status;
2189 
2190 #ifdef ENABLE_MANAGEMENT
2191  if (status & (MANAGEMENT_READ|MANAGEMENT_WRITE))
2192  {
2193  ASSERT(management);
2195  }
2196 #endif
2197 
2198  /* TCP/UDP port ready to accept write */
2199  if (status & SOCKET_WRITE)
2200  {
2202  }
2203  /* TUN device ready to accept write */
2204  else if (status & TUN_WRITE)
2205  {
2207  }
2208  /* Incoming data on TCP/UDP port */
2209  else if (status & SOCKET_READ)
2210  {
2211  read_incoming_link(c);
2212  if (!IS_SIG(c))
2213  {
2215  }
2216  }
2217  /* Incoming data on TUN device */
2218  else if (status & TUN_READ)
2219  {
2220  read_incoming_tun(c);
2221  if (!IS_SIG(c))
2222  {
2224  }
2225  }
2226 }
struct env_set * es
Definition: openvpn.h:427
static void check_fragment(struct context *c)
Definition: forward.c:239
#define TLSMP_ACTIVE
Definition: ssl.h:231
void io_wait_dowork(struct context *c, const unsigned int flags)
Definition: forward.c:1988
static void link_socket_get_outgoing_addr(struct buffer *buf, const struct link_socket_info *info, struct link_socket_actual **act)
Definition: socket.h:962
void receive_auth_failed(struct context *c, const struct buffer *buffer)
Definition: push.c:51
#define ES_ERROR
Definition: openvpn.h:240
static void register_activity(struct context *c, const int size)
Definition: forward.h:349
counter_type tun_read_bytes
Definition: openvpn.h:281
void check_server_poll_timeout_dowork(struct context *c)
Definition: forward.c:576
struct buffer to_link
Definition: openvpn.h:384
static void context_reschedule_sec(struct context *c, int sec)
Definition: forward.c:293
#define ETT_DEFAULT
Definition: interval.h:213
Security parameter state for processing data channel packets.
Definition: crypto.h:232
bool log_rw
Definition: openvpn.h:387
uint32_t daddr
Definition: proto.h:106
struct event_timeout route_wakeup
Definition: openvpn.h:390
#define TO_LINK_FRAG(c)
Definition: forward.h:43
Definition: tun.h:131
struct client_nat_option_list * client_nat
Definition: options.h:358
static bool tuntap_abort(int status)
Definition: tun.h:422
struct buffer read_tun_buf
Definition: openvpn.h:111
#define M_NOPREFIX
Definition: error.h:102
struct event_timeout ping_rec_interval
Definition: openvpn.h:299
void check_tls_dowork(struct context *c)
Definition: forward.c:317
struct options options
Options loaded from command line or configuration file.
Definition: openvpn.h:502
#define BIG_TIMEOUT
Definition: common.h:50
struct event_timeout route_wakeup_expire
Definition: openvpn.h:391
#define OPENVPN_IPPROTO_ICMPV6
Definition: proto.h:101
#define D_ROUTE
Definition: errlevel.h:80
counter_type link_write_bytes
Definition: openvpn.h:285
#define OPENVPN_ETH_P_IPV6
Definition: proto.h:61
#define openvpn_errno()
Definition: error.h:74
struct interval tmp_int
Definition: openvpn.h:351
static bool buf_advance(struct buffer *buf, int size)
Definition: buffer.h:639
bool do_up(struct context *c, bool pulled_options, unsigned int option_types_found)
Definition: init.c:2077
int inetd
Definition: options.h:308
#define M_INFO
Definition: errlevel.h:55
Contains all state information for one tunnel.
Definition: openvpn.h:500
void tun_show_debug(struct tuntap *tt)
Definition: tun.c:6055
static void check_connection_established(struct context *c)
Definition: forward.c:146
in_addr_t dhcp_extract_router_msg(struct buffer *ipbuf)
Definition: dhcp.c:151
static void link_socket_set_outgoing_addr(const struct buffer *buf, struct link_socket_info *info, const struct link_socket_actual *act, const char *common_name, struct env_set *es)
Definition: socket.h:983
static void check_timeout_random_component_dowork(struct context *c)
Definition: forward.c:866
bool tun_standby(struct tuntap *tt)
Definition: tun.c:5290
const char * print_link_socket_actual(const struct link_socket_actual *act, struct gc_arena *gc)
Definition: socket.c:2892
static void check_ping_restart(struct context *c)
Definition: ping.h:55
static void gc_free(struct gc_arena *a)
Definition: buffer.h:1023
#define D_EVENT_WAIT
Definition: errlevel.h:156
void mss_fixup_ipv6(struct buffer *buf, int maxmss)
Definition: mss.c:86
void tls_post_encrypt(struct tls_multi *multi, struct buffer *buf)
Perform some accounting for the key state used.
Definition: ssl.c:4022
#define MTU_TO_MSS(mtu)
Definition: proto.h:236
#define dmsg
Definition: error.h:174
uint8_t icmp6_type
Definition: proto.h:135
#define PERF_PROC_OUT_LINK
Definition: perf.h:55
bool send_control_channel_string(struct context *c, const char *str, int msglevel)
Definition: forward.c:487
#define IOW_READ_LINK
Definition: forward.h:57
union openvpn_sockaddr::@8 addr
Security parameter state for a single VPN tunnel.
Definition: ssl_common.h:503
bool buf_assign(struct buffer *dest, const struct buffer *src)
Definition: buffer.c:175
static void check_timeout_random_component(struct context *c)
Definition: forward.c:877
#define CC_PRINT
Definition: buffer.h:915
struct buffer buf
Definition: openvpn.h:382
void process_ip_header(struct context *c, unsigned int flags, struct buffer *buf)
Definition: forward.c:1581
static bool buf_safe(const struct buffer *buf, int len)
Definition: buffer.h:541
bool status_trigger_tv(struct status_output *so, struct timeval *tv)
Definition: status.c:150
static int tls_test_payload_len(const struct tls_multi *multi)
Definition: ssl.h:568
#define SIGUSR1
Definition: config-msvc.h:116
static void check_status_file(struct context *c)
Definition: forward.c:221
static int link_socket_read(struct link_socket *sock, struct buffer *buf, struct link_socket_actual *from)
Definition: socket.h:1051
struct context_buffers * buffers
Definition: openvpn.h:374
static void check_push_request(struct context *c)
Definition: forward.c:256
struct event_timeout wait_for_connect
Definition: openvpn.h:297
uint8_t version_prio
Definition: proto.h:114
static bool is_occ_msg(const struct buffer *buf)
Definition: occ.h:86
static void check_tls_errors(struct context *c)
Definition: forward.c:99
int read_tun(struct tuntap *tt, uint8_t *buf, int len)
static void perf_pop(void)
Definition: perf.h:82
bool buf_printf(struct buffer *buf, const char *format,...)
Definition: buffer.c:245
void process_received_occ_msg(struct context *c)
Definition: occ.c:353
static void perf_push(int type)
Definition: perf.h:78
void tls_prepend_opcode_v2(const struct tls_multi *multi, struct buffer *buf)
Prepend an OpenVPN data channel P_DATA_V2 header to the packet.
Definition: ssl.c:4007
#define PERF_READ_IN_LINK
Definition: perf.h:51
void do_route(const struct options *options, struct route_list *route_list, struct route_ipv6_list *route_ipv6_list, const struct tuntap *tt, const struct plugin_list *plugins, struct env_set *es)
Definition: init.c:1630
static void event_timeout_clear(struct event_timeout *et)
Definition: interval.h:150
#define SIZE(x)
Definition: basic.h:30
#define in_addr_t
Definition: config-msvc.h:104
static void process_coarse_timers(struct context *c)
Definition: forward.c:760
#define TUN_READ
Definition: openvpn.h:238
struct signal_info * sig
Internal error signaling object.
Definition: openvpn.h:525
static void interval_future_trigger(struct interval *top, interval_t wakeup)
Definition: interval.h:108
#define IOW_SHAPER
Definition: forward.h:58
struct frame frame_initial
Definition: openvpn.h:262
static bool fragment_outgoing_defined(struct fragment_master *f)
Check whether a fragment_master structure contains fragments ready to be sent.
Definition: fragment.h:448
void pre_select(struct context *c)
Definition: forward.c:1924
#define SOCKET_READ
Definition: openvpn.h:236
int max_recv_size_local
Definition: openvpn.h:320
#define SIGTERM
Definition: config-msvc.h:118
uint8_t icmp6_code
Definition: proto.h:138
#define TLS_MODE(c)
Definition: openvpn.h:561
void check_status_file_dowork(struct context *c)
Definition: forward.c:617
static void get_signal(volatile int *sig)
Definition: sig.h:92
#define SIGHUP
Definition: config-msvc.h:114
struct tuntap * tuntap
Tun/tap virtual network interface.
Definition: openvpn.h:167
static int event_wait(struct event_set *es, const struct timeval *tv, struct event_set_return *out, int outlen)
Definition: event.h:125
bool test_routes(const struct route_list *rl, const struct tuntap *tt)
Definition: route.c:2635
void socks_process_incoming_udp(struct buffer *buf, struct link_socket_actual *from)
Definition: socks.c:556
#define ASSERT(x)
Definition: error.h:221
bool allow_recursive_routing
Definition: options.h:632
bool fragment_ready_to_send(struct fragment_master *f, struct buffer *buf, const struct frame *frame)
Check whether outgoing fragments are ready to be send, and if so make one available.
Definition: fragment.c:381
#define IOW_TO_LINK
Definition: forward.h:55
static bool check_debug_level(unsigned int level)
Definition: error.h:245
void read_incoming_link(struct context *c)
Read a packet from the external network interface.
Definition: forward.c:936
static bool link_socket_verify_incoming_addr(struct buffer *buf, const struct link_socket_info *info, const struct link_socket_actual *from_addr)
Definition: socket.h:934
void ipv6_send_icmp_unreachable(struct context *c, struct buffer *buf, bool client)
Forges a IPv6 ICMP packet with a no route to host error code from the IPv6 packet in buf and sends it...
Definition: forward.c:1455
uint16_t proto
Definition: proto.h:63
void * arg
Definition: event.h:80
static bool tuntap_defined(const struct tuntap *tt)
Definition: tun.h:198
static unsigned int tun_set(struct tuntap *tt, struct event_set *es, unsigned int rwflags, void *arg, unsigned int *persistent)
Definition: tun.h:513
static bool link_socket_connection_oriented(const struct link_socket *sock)
Definition: socket.h:618
#define MAX_ICMPV6LEN
int ping_rec_timeout
Definition: options.h:265
#define D_LOW
Definition: errlevel.h:97
int context_auth
Definition: openvpn.h:458
static void check_packet_id_persist_flush(struct context *c)
Definition: forward.c:272
int write_tun(struct tuntap *tt, uint8_t *buf, int len)
#define ES_TIMEOUT
Definition: openvpn.h:241
static bool interval_test(struct interval *top)
Definition: interval.h:66
struct in6_addr daddr
Definition: proto.h:121
counter_type link_read_bytes_global
Definition: forward.c:50
void encrypt_sign(struct context *c, bool comp_frag)
Process a data channel packet that will be sent through a VPN tunnel.
Definition: forward.c:679
void fragment_outgoing(struct fragment_master *f, struct buffer *buf, const struct frame *frame)
Process an outgoing packet, which may or may not need to be fragmented.
Definition: fragment.c:326
bool is_hard_reset(int op, int key_method)
Given a key_method, return true if opcode represents the required form of hard_reset.
Definition: ssl.c:855
#define MODE_SERVER
Definition: options.h:191
bool send_push_request(struct context *c)
Definition: push.c:310
bool use_peer_id
Definition: ssl_common.h:564
void tls_pre_encrypt(struct tls_multi *multi, struct buffer *buf, struct crypto_options **opt)
Choose the appropriate security parameters with which to process an outgoing packet.
Definition: ssl.c:3941
struct event_timeout ping_send_interval
Definition: openvpn.h:298
#define D_PING
Definition: errlevel.h:140
#define D_LINK_RW
Definition: errlevel.h:112
#define PIP_MSSFIX
Definition: forward.h:321
#define FRAME_HEADROOM_ADJ(f, fm)
Definition: mtu.h:188
static void check_send_occ_load_test(struct context *c)
Definition: occ.h:128
bool send_control_channel_string_dowork(struct tls_multi *multi, const char *str, int msglevel)
Definition: forward.c:468
struct sockaddr_in6 in6
Definition: socket.h:70
list flags
int len
Length in bytes of the actual content within the allocated memory.
Definition: buffer.h:66
int inet_pton(int af, const char *src, void *dst)
time_t explicit_exit_notification_time_wait
Definition: openvpn.h:422
#define PIPV4_CLIENT_NAT
Definition: forward.h:324
void link_socket_bad_incoming_addr(struct buffer *buf, const struct link_socket_info *info, const struct link_socket_actual *from_addr)
Definition: socket.c:2491
struct context_1 c1
Level 1 context.
Definition: openvpn.h:538
static void tls_set_single_session(struct tls_multi *multi)
Definition: ssl.h:582
#define IOW_TO_TUN
Definition: forward.h:54
#define PIPV4_PASSTOS
Definition: forward.h:320
struct context_persist persist
Persistent context.
Definition: openvpn.h:535
struct buffer decrypt_buf
Definition: openvpn.h:98
struct event_timeout inactivity_interval
Definition: openvpn.h:302
#define D_INTERVAL
Definition: errlevel.h:152
#define CLEAR(x)
Definition: basic.h:33
#define BPTR(buf)
Definition: buffer.h:124
struct frame frame_fragment
Definition: openvpn.h:267
static struct link_socket_info * get_link_socket_info(struct context *c)
Definition: forward.h:336
static void fragment_housekeeping(struct fragment_master *f, struct frame *frame, struct timeval *tv)
Perform housekeeping of a fragment_master structure.
Definition: fragment.h:475
void tls_prepend_opcode_v1(const struct tls_multi *multi, struct buffer *buf)
Prepend a one-byte OpenVPN data channel P_DATA_V1 opcode to the packet.
Definition: ssl.c:3993
const char * tv_string(const struct timeval *tv, struct gc_arena *gc)
Definition: otime.c:88
static void event_timeout_reset(struct event_timeout *et)
Definition: interval.h:174
uint16_t ip_checksum(const sa_family_t af, const uint8_t *payload, const int len_payload, const uint8_t *src_addr, const uint8_t *dest_addr, const int proto)
Calculates an IP or IPv6 checksum with a pseudo header as required by TCP, UDP and ICMPv6...
Definition: proto.c:103
counter_type tun_write_bytes
Definition: openvpn.h:282
bool event_timeout_trigger(struct event_timeout *et, struct timeval *tv, const int et_const_retry)
Definition: interval.c:45
int proto
Definition: options.h:88
#define IOW_READ_TUN_FORCE
Definition: forward.h:62
void client_nat_transform(const struct client_nat_option_list *list, struct buffer *ipbuf, const int direction)
Definition: clinat.c:195
counter_type link_read_bytes
Definition: openvpn.h:283
static void process_incoming_link(struct context *c)
Definition: forward.c:1228
int mode
Definition: options.h:192
static void check_coarse_timers(struct context *c)
Definition: forward.c:852
#define PROTO_DUMP(buf, gc)
Definition: openvpn.h:563
static struct gc_arena gc_new(void)
Definition: buffer.h:1015
void show_wait_status(struct context *c)
time_t now
Definition: otime.c:36
struct link_socket_actual * to_link_addr
Definition: openvpn.h:257
void buf_null_terminate(struct buffer *buf)
Definition: buffer.c:572
static void interval_action(struct interval *top)
Definition: interval.h:124
struct route_list * route_list
List of routing information.
Definition: openvpn.h:172
#define IOW_MBUF
Definition: forward.h:61
void management_socket_set(struct management *man, struct event_set *es, void *arg, unsigned int *persistent)
Definition: manage.c:3018
void process_explicit_exit_notification_timer_wakeup(struct context *c)
Definition: sig.c:348
void check_add_routes_dowork(struct context *c)
Definition: forward.c:522
int get_server_poll_remaining_time(struct event_timeout *server_poll_timeout)
Definition: forward.c:567
static void management_bytes_in(struct management *man, const int size)
Definition: manage.h:565
#define FRAME_HEADROOM(f)
Definition: mtu.h:187
static bool event_timeout_defined(const struct event_timeout *et)
Definition: interval.h:144
int mssfix
Definition: options.h:118
struct frame frame
Definition: openvpn.h:261
int n_hard_errors
Definition: ssl_common.h:534
static bool tls_initial_packet_received(const struct tls_multi *multi)
Definition: ssl.h:551
struct timeval timeval
Definition: openvpn.h:401
struct sockaddr_in in4
Definition: socket.h:69
static void check_inactivity_timeout(struct context *c)
Definition: forward.c:174
static int write_tun_buffered(struct tuntap *tt, struct buffer *buf)
Definition: tun.h:466
interval_t n
Definition: interval.h:139
#define OPENVPN_ICMP6_DU_NOROUTE
Definition: proto.h:136
#define TUN_MTU_SIZE(f)
Definition: mtu.h:156
#define OPENVPN_ICMP6_DESTINATION_UNREACHABLE
Definition: proto.h:128
#define D_TAP_WIN_DEBUG
Definition: errlevel.h:114
static bool link_socket_actual_defined(const struct link_socket_actual *act)
Definition: socket.h:696
static void buffer_turnover(const uint8_t *orig_buf, struct buffer *dest_stub, struct buffer *src_stub, struct buffer *storage)
Definition: forward.c:660
static int link_socket_write(struct link_socket *sock, struct buffer *buf, struct link_socket_actual *to)
Definition: socket.h:1165
#define IOW_FRAG
Definition: forward.h:60
static void tv_add(struct timeval *dest, const struct timeval *src)
Definition: otime.h:165
static SERVICE_STATUS status
Definition: automatic.c:43
#define D_SCHED_EXIT
Definition: errlevel.h:89
static void event_reset(struct event_set *es)
Definition: event.h:107
static int get_tun_ip_ver(int tunnel_type, struct buffer *buf, int *ip_hdr_offset)
Definition: proto.h:244
#define EXPANDED_SIZE(f)
Definition: mtu.h:172
#define PERF_PROC_IN_TUN
Definition: perf.h:54
struct event_timeout scheduled_exit
Definition: openvpn.h:470
static void event_ctl(struct event_set *es, event_t event, unsigned int rwflags, void *arg)
Definition: event.h:119
struct in6_addr saddr
Definition: proto.h:120
uint8_t nexthdr
Definition: proto.h:117
const char * sanitize_control_message(const char *src, struct gc_arena *gc)
Definition: misc.c:614
static void check_scheduled_exit(struct context *c)
Definition: forward.c:203
void process_outgoing_link(struct context *c)
Write a packet to the external network interface.
Definition: forward.c:1680
int n_soft_errors
Definition: ssl_common.h:535
void route_list_add_vpn_gateway(struct route_list *rl, struct env_set *es, const in_addr_t addr)
Definition: route.c:531
int restart_sleep_seconds
Definition: openvpn.h:119
unsigned int counter_type
Definition: common.h:38
struct link_socket * link_socket
Definition: openvpn.h:252
static bool socket_connection_reset(const struct link_socket *sock, int status)
Definition: socket.h:912
void process_io(struct context *c)
Definition: forward.c:2186
#define CN_OUTGOING
Definition: clinat.h:31
#define msg
Definition: error.h:173
void initialization_sequence_completed(struct context *c, const unsigned int flags)
Definition: init.c:1511
const char * socket_stat(const struct link_socket *s, unsigned int rwflags, struct gc_arena *gc)
Definition: socket.c:2594
void check_fragment_dowork(struct context *c)
Definition: forward.c:630
void reset_coarse_timers(struct context *c)
Definition: init.c:1305
counter_type link_write_bytes_global
Definition: forward.c:51
Interface functions to the internal and external multiplexers.
#define IS_SIG(c)
Definition: sig.h:50
int ping_send_timeout
Definition: options.h:264
void incoming_push_message(struct context *c, const struct buffer *buffer)
Definition: push.c:253
static int read_tun_buffered(struct tuntap *tt, struct buffer *buf, int maxsize)
Definition: tun.h:460
bool tls_rec_payload(struct tls_multi *multi, struct buffer *buf)
Definition: ssl.c:4081
struct connection_entry ce
Definition: options.h:213
#define D_TUN_RW
Definition: errlevel.h:113
static void check_tls(struct context *c)
Definition: forward.c:84
struct route_ipv6_list * route_ipv6_list
Definition: openvpn.h:177
struct context_2 c2
Level 2 context.
Definition: openvpn.h:539
uint8_t * data
Pointer to the allocated memory.
Definition: buffer.h:68
#define PIP_OUTGOING
Definition: forward.h:322
void read_incoming_tun(struct context *c)
Read a packet from the virtual tun/tap network interface.
Definition: forward.c:1246
const char * ifconfig_ipv6_remote
Definition: options.h:239
#define MANAGEMENT_WRITE
Definition: openvpn.h:244
void print_status(const struct context *c, struct status_output *so)
Definition: sig.c:292
#define TUN_MTU_SIZE_DYNAMIC(f)
Definition: mtu.h:157
void check_push_request_dowork(struct context *c)
Definition: forward.c:416
void openvpn_encrypt(struct buffer *buf, struct buffer work, struct crypto_options *opt)
Encrypt and HMAC sign a packet so that it can be sent as a data channel VPN tunnel packet to a remote...
Definition: crypto.c:303
#define IOW_WAIT_SIGNAL
Definition: forward.h:63
uint8_t source[OPENVPN_ETH_ALEN]
Definition: proto.h:58
#define PIPV6_IMCP_NOHOST_CLIENT
Definition: forward.h:325
int socks_process_outgoing_udp(struct buffer *buf, const struct link_socket_actual *to)
Definition: socks.c:595
#define EVENT_READ
Definition: event.h:36
uint8_t dest[OPENVPN_ETH_ALEN]
Definition: proto.h:57
int inactivity_timeout
Definition: options.h:261
time_t update_timeout_random_component
Definition: openvpn.h:408
#define BLEN(buf)
Definition: buffer.h:127
static void check_send_occ_req(struct context *c)
Definition: occ.h:113
#define ISC_ERRORS
Definition: init.h:116
#define CN_INCOMING
Definition: clinat.h:32
const char * tun_stat(const struct tuntap *tt, unsigned int rwflags, struct gc_arena *gc)
Definition: tun.c:516
struct buffer aux_buf
Definition: openvpn.h:94
bool shaper_soonest_event(struct timeval *tv, int delay)
Definition: shaper.c:41
#define P_OPCODE_SHIFT
Definition: ssl.h:51
void show_adapters(int msglev)
Definition: tun.c:4614
struct event_set * event_set
Definition: openvpn.h:231
struct event_timeout packet_id_persist_interval
Definition: openvpn.h:362
struct buffer read_link_buf
Definition: openvpn.h:110
bool openvpn_decrypt(struct buffer *buf, struct buffer work, struct crypto_options *opt, const struct frame *frame, const uint8_t *ad_start)
HMAC verify and decrypt a data channel packet received from a remote OpenVPN peer.
Definition: crypto.c:672
static int max_int(int x, int y)
Definition: integer.h:44
struct event_timeout push_request_interval
Definition: openvpn.h:461
#define CAS_SUCCEEDED
Definition: openvpn.h:453
__int64 int64_t
Definition: config-msvc.h:124
#define TLSMP_KILL
Definition: ssl.h:232
unsigned __int8 uint8_t
Definition: config-msvc.h:123
static void check_send_occ_msg(struct context *c)
Definition: occ.h:143
#define MODE_POINT_TO_POINT
Definition: options.h:190
static void event_timeout_modify_wakeup(struct event_timeout *et, interval_t n)
Definition: interval.h:183
bool tls_pre_decrypt(struct tls_multi *multi, const struct link_socket_actual *from, struct buffer *buf, struct crypto_options **opt, bool floated, const uint8_t **ad_start)
Determine whether an incoming packet is a data channel or control channel packet, and process accordi...
Definition: ssl.c:3356
bool string_mod(char *str, const unsigned int inclusive, const unsigned int exclusive, const char replace)
Definition: buffer.c:1081
static void drop_if_recursive_routing(struct context *c, struct buffer *buf)
Drops UDP packets which OS decided to route via tun.
Definition: forward.c:1306
int scheduled_exit_signal
Definition: openvpn.h:471
#define PERF_READ_IN_TUN
Definition: perf.h:53
#define CONNECTION_ESTABLISHED(c)
Definition: forward.h:411
unsigned int socket_set(struct link_socket *s, struct event_set *es, unsigned int rwflags, void *arg, unsigned int *persistent)
Definition: socket.c:3931
static bool buf_copy_n(struct buffer *dest, struct buffer *src, int n)
Definition: buffer.h:740
volatile int signal_received
Definition: sig.h:45
bool is_ipv6(int tunnel_type, struct buffer *buf)
Definition: proto.c:96
#define PUSH_REQUEST_INTERVAL
Definition: common.h:89
static void interval_schedule_wakeup(struct interval *top, interval_t *wakeup)
Definition: interval.h:94
void check_scheduled_exit_dowork(struct context *c)
Definition: forward.c:606
static bool is_ping_msg(const struct buffer *buf)
Definition: ping.h:41
#define IN6_ARE_ADDR_EQUAL(a, b)
Definition: win32.h:46
void register_signal(struct context *c, int sig, const char *text)
Definition: sig.c:460
void check_incoming_control_channel_dowork(struct context *c)
Definition: forward.c:367
#define MANAGEMENT_READ
Definition: openvpn.h:243
#define OPENVPN_STATE_GET_CONFIG
Definition: manage.h:493
uint16_t icmp6_cksum
Definition: proto.h:139
struct timeval timeout_random_component
Definition: openvpn.h:409
int connect_timeout
Definition: options.h:101
static void check_ping_send(struct context *c)
Definition: ping.h:74
Wrapper structure for dynamically allocated memory.
Definition: buffer.h:60
static void check_status(int status, const char *description, struct link_socket *sock, struct tuntap *tt)
Definition: error.h:302
void show_routes(int msglev)
Definition: route.c:3151
struct event_timeout explicit_exit_notification_interval
Definition: openvpn.h:423
void server_pushed_signal(struct context *c, const struct buffer *buffer, const bool restart, const int adv)
Definition: push.c:120
void frame_adjust_path_mtu(struct frame *frame, int pmtu, int proto)
Definition: socket.c:1670
#define buf_init(buf, offset)
Definition: buffer.h:196
bool tls_send_payload(struct tls_multi *multi, const uint8_t *data, int size)
Definition: ssl.c:4042
struct fragment_master * fragment
Definition: openvpn.h:266
#define IOW_CHECK_RESIDUAL
Definition: forward.h:59
static bool buf_write_prepend(struct buffer *dest, const void *src, int size)
Definition: buffer.h:701
void check_tls_errors_co(struct context *c)
Definition: forward.c:348
struct status_output * status_output
Definition: openvpn.h:180
#define PIPV6_IMCP_NOHOST_SERVER
Definition: forward.h:326
struct plugin_list * plugins
List of plug-ins.
Definition: openvpn.h:527
struct packet_id_persist pid_persist
Definition: openvpn.h:165
void management_io(struct management *man)
Definition: manage.c:3058
static void management_bytes_out(struct management *man, const int size)
Definition: manage.h:556
#define MAX_RW_SIZE_TUN(f)
Definition: mtu.h:180
void management_set_state(struct management *man, const int state, const char *detail, const in_addr_t *tun_local_ip, const struct in6_addr *tun_local_ip6, const struct openvpn_sockaddr *local, const struct openvpn_sockaddr *remote)
Definition: manage.c:2663
bool is_ipv4(int tunnel_type, struct buffer *buf)
Definition: proto.c:91
struct event_timeout server_poll_interval
Definition: openvpn.h:413
static void wait_signal(struct event_set *es, void *arg)
Definition: event.h:144
#define TUN_WRITE
Definition: openvpn.h:239
static void check_add_routes_action(struct context *c, const bool errors)
Definition: forward.c:511
#define FRAME_HEADROOM_MARKER_READ_LINK
Definition: mtu.h:131
const char * tls_common_name(const struct tls_multi *multi, const bool null)
Returns the common name field for the given tunnel.
Definition: ssl_verify.c:147
struct buffer alloc_buf_gc(size_t size, struct gc_arena *gc)
Definition: buffer.c:90
#define PERF_PROC_IN_LINK
Definition: perf.h:52
static void check_add_routes(struct context *c)
Definition: forward.c:160
static int min_int(int x, int y)
Definition: integer.h:57
static void buf_reset(struct buffer *buf)
Definition: buffer.h:290
unsigned __int16 uint16_t
Definition: config-msvc.h:122
#define EVENT_WRITE
Definition: event.h:37
#define OPENVPN_ETH_ALEN
Definition: proto.h:54
#define PIPV4_EXTRACT_DHCP_ROUTER
Definition: forward.h:323
#define SOCKET_WRITE
Definition: openvpn.h:237
#define TUNNEL_TYPE(tt)
Definition: tun.h:133
static bool socket_read_residual(const struct link_socket *s)
Definition: socket.h:1220
void check_connection_established_dowork(struct context *c)
Definition: forward.c:430
Garbage collection arena used to keep track of dynamically allocated memory.
Definition: buffer.h:116
#define IOW_READ_TUN
Definition: forward.h:56
static bool packet_id_persist_enabled(const struct packet_id_persist *p)
Definition: packet_id.h:281
int original_recv_size
Definition: openvpn.h:319
int interval_t
Definition: common.h:45
void process_incoming_link_part2(struct context *c, struct link_socket_info *lsi, const uint8_t *orig_buf)
Continues processing a packet read from the external network interface.
Definition: forward.c:1143
void management_sleep(const int n)
A sleep function that services the management layer for n seconds rather than doing nothing...
Definition: manage.c:3995
#define PERF_PROC_OUT_TUN
Definition: perf.h:56
struct link_socket_actual from
Definition: openvpn.h:258
static void socks_postprocess_incoming_link(struct context *c)
Definition: forward.c:895
#define D_STREAM_ERRORS
Definition: errlevel.h:63
bool pull
Definition: options.h:471
#define BSTR(buf)
Definition: buffer.h:129
long int get_random(void)
Definition: crypto.c:1767
void fragment_incoming(struct fragment_master *f, struct buffer *buf, const struct frame *frame)
Process an incoming packet, which may or may not be fragmented.
Definition: fragment.c:141
static void check_incoming_control_channel(struct context *c)
Definition: forward.c:129
static void socks_preprocess_outgoing_link(struct context *c, struct link_socket_actual **to_addr, int *size_delta)
Definition: forward.c:904
bool process_incoming_link_part1(struct context *c, struct link_socket_info *lsi, bool floated)
Starts processing a packet read from the external network interface.
Definition: forward.c:1004
static interval_t event_timeout_remaining(struct event_timeout *et)
Definition: interval.h:197
static int datagram_overhead(int proto)
Definition: socket.h:601
void check_inactivity_timeout_dowork(struct context *c)
Definition: forward.c:560
void packet_id_persist_save(struct packet_id_persist *p)
Definition: packet_id.c:482
char * actual_name
Definition: tun.h:146
const char * proto2ascii(int proto, sa_family_t af, bool display_form)
Definition: socket.c:3222
struct buffer to_tun
Definition: openvpn.h:383
void check_tls_errors_nco(struct context *c)
Definition: forward.c:355
static void update_time(void)
Definition: otime.h:93
static bool tuntap_stop(int status)
Definition: tun.h:408
#define CC_CRLF
Definition: buffer.h:944
static void link_socket_write_post_size_adjust(int *size, int size_delta, struct buffer *buf)
Definition: forward.c:917
bool block_ipv6
Definition: options.h:354
struct sockaddr sa
Definition: socket.h:68
unsigned int event_set_status
Definition: openvpn.h:250
struct tls_multi * tls_multi
TLS state structure for this VPN tunnel.
Definition: openvpn.h:336
void mss_fixup_ipv4(struct buffer *buf, int maxmss)
Definition: mss.c:46
static void context_immediate_reschedule(struct context *c)
Definition: forward.c:286
struct buffer encrypt_buf
Definition: openvpn.h:97
void process_incoming_tun(struct context *c)
Process a packet read from the virtual tun/tap network interface.
Definition: forward.c:1387
unsigned int rwflags
Definition: event.h:79
int max_send_size_local
Definition: openvpn.h:322
void schedule_exit(struct context *c, const int n_seconds, const int signal)
Definition: forward.c:592
uint16_t payload_len
Definition: proto.h:116
struct crypto_options crypto_options
Security parameters and crypto state used by the Data Channel Crypto module to process data channel p...
Definition: openvpn.h:356
bool buf_string_match_head_str(const struct buffer *src, const char *match)
Definition: buffer.c:818
const char * wait_status_string(struct context *c, struct gc_arena *gc)
static void event_timeout_init(struct event_timeout *et, interval_t n, const time_t local_now)
Definition: interval.h:166
void process_outgoing_tun(struct context *c)
Write a packet to the virtual tun/tap network interface.
Definition: forward.c:1831
int key_method
Definition: options.h:556
int tls_exit_signal
Definition: openvpn.h:354
#define D_LINK_ERRORS
Definition: errlevel.h:57
time_t coarse_timer_wakeup
Definition: openvpn.h:404
#define PASSTOS_CAPABILITY
Definition: syshead.h:406
static void check_coarse_timers_dowork(struct context *c)
Definition: forward.c:834
#define DEV_TYPE_TAP
Definition: proto.h:38
bool route_gateway_via_dhcp
Definition: options.h:356
static void check_server_poll_timeout(struct context *c)
Definition: forward.c:188
counter_type link_read_bytes_auth
Definition: openvpn.h:284
int tls_multi_process(struct tls_multi *multi, struct buffer *to_link, struct link_socket_actual **to_link_addr, struct link_socket_info *to_link_socket_info, interval_t *wakeup)
Definition: ssl.c:3161
#define D_PUSH_ERRORS
Definition: errlevel.h:67