OpenVPN
forward.c
Go to the documentation of this file.
1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single TCP/UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
9  *
10  * This program is free software; you can redistribute it and/or modify
11  * it under the terms of the GNU General Public License version 2
12  * as published by the Free Software Foundation.
13  *
14  * This program is distributed in the hope that it will be useful,
15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17  * GNU General Public License for more details.
18  *
19  * You should have received a copy of the GNU General Public License along
20  * with this program; if not, write to the Free Software Foundation, Inc.,
21  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22  */
23 
24 #ifdef HAVE_CONFIG_H
25 #include "config.h"
26 #elif defined(_MSC_VER)
27 #include "config-msvc.h"
28 #endif
29 
30 #include "syshead.h"
31 
32 #include "forward.h"
33 #include "init.h"
34 #include "push.h"
35 #include "gremlin.h"
36 #include "mss.h"
37 #include "event.h"
38 #include "occ.h"
39 #include "pf.h"
40 #include "ping.h"
41 #include "ps.h"
42 #include "dhcp.h"
43 #include "common.h"
44 #include "ssl_verify.h"
45 
46 #include "memdbg.h"
47 
48 #include "mstats.h"
49 
52 
53 /* show event wait debugging info */
54 
55 #ifdef ENABLE_DEBUG
56 
57 const char *
58 wait_status_string(struct context *c, struct gc_arena *gc)
59 {
60  struct buffer out = alloc_buf_gc(64, gc);
61  buf_printf(&out, "I/O WAIT %s|%s|%s|%s %s",
62  tun_stat(c->c1.tuntap, EVENT_READ, gc),
63  tun_stat(c->c1.tuntap, EVENT_WRITE, gc),
66  tv_string(&c->c2.timeval, gc));
67  return BSTR(&out);
68 }
69 
70 void
71 show_wait_status(struct context *c)
72 {
73  struct gc_arena gc = gc_new();
74  dmsg(D_EVENT_WAIT, "%s", wait_status_string(c, &gc));
75  gc_free(&gc);
76 }
77 
78 #endif /* ifdef ENABLE_DEBUG */
79 
80 /*
81  * Does TLS session need service?
82  */
83 static inline void
84 check_tls(struct context *c)
85 {
86  void check_tls_dowork(struct context *c);
87 
88  if (c->c2.tls_multi)
89  {
91  }
92 }
93 
94 /*
95  * TLS errors are fatal in TCP mode.
96  * Also check for --tls-exit trigger.
97  */
98 static inline void
100 {
101  void check_tls_errors_co(struct context *c);
102 
103  void check_tls_errors_nco(struct context *c);
104 
105  if (c->c2.tls_multi && c->c2.tls_exit_signal)
106  {
108  {
109  if (c->c2.tls_multi->n_soft_errors)
110  {
112  }
113  }
114  else
115  {
116  if (c->c2.tls_multi->n_hard_errors)
117  {
119  }
120  }
121  }
122 }
123 
124 /*
125  * Check for possible incoming configuration
126  * messages on the control channel.
127  */
128 static inline void
130 {
131 #if P2MP
133 
134  if (tls_test_payload_len(c->c2.tls_multi) > 0)
135  {
137  }
138 #endif
139 }
140 
141 /*
142  * Options like --up-delay need to be triggered by this function which
143  * checks for connection establishment.
144  */
145 static inline void
147 {
149 
151  {
153  }
154 }
155 
156 /*
157  * Should we add routes?
158  */
159 static inline void
161 {
162  void check_add_routes_dowork(struct context *c);
163 
165  {
167  }
168 }
169 
170 /*
171  * Should we exit due to inactivity timeout?
172  */
173 static inline void
175 {
177 
180  {
182  }
183 }
184 
185 #if P2MP
186 
187 static inline void
189 {
191 
192  if (c->options.ce.connect_timeout
194  {
196  }
197 }
198 
199 /*
200  * Scheduled exit?
201  */
202 static inline void
204 {
205  void check_scheduled_exit_dowork(struct context *c);
206 
208  {
210  {
212  }
213  }
214 }
215 #endif /* if P2MP */
216 
217 /*
218  * Should we write timer-triggered status file.
219  */
220 static inline void
222 {
223  void check_status_file_dowork(struct context *c);
224 
225  if (c->c1.status_output)
226  {
228  {
230  }
231  }
232 }
233 
234 #ifdef ENABLE_FRAGMENT
235 /*
236  * Should we deliver a datagram fragment to remote?
237  */
238 static inline void
240 {
241  void check_fragment_dowork(struct context *c);
242 
243  if (c->c2.fragment)
244  {
246  }
247 }
248 #endif
249 
250 #if P2MP
251 
252 /*
253  * see if we should send a push_request in response to --pull
254  */
255 static inline void
257 {
258  void check_push_request_dowork(struct context *c);
259 
261  {
263  }
264 }
265 
266 #endif
267 
268 /*
269  * Should we persist our anti-replay packet ID state to disk?
270  */
271 static inline void
273 {
276  {
278  }
279 }
280 
281 /*
282  * Set our wakeup to 0 seconds, so we will be rescheduled
283  * immediately.
284  */
285 static inline void
287 {
288  c->c2.timeval.tv_sec = 0; /* ZERO-TIMEOUT */
289  c->c2.timeval.tv_usec = 0;
290 }
291 
292 static inline void
293 context_reschedule_sec(struct context *c, int sec)
294 {
295  if (sec < 0)
296  {
297  sec = 0;
298  }
299  if (sec < c->c2.timeval.tv_sec)
300  {
301  c->c2.timeval.tv_sec = sec;
302  c->c2.timeval.tv_usec = 0;
303  }
304 }
305 
306 /*
307  * In TLS mode, let TLS level respond to any control-channel
308  * packets which were received, or prepare any packets for
309  * transmission.
310  *
311  * tmp_int is purely an optimization that allows us to call
312  * tls_multi_process less frequently when there's not much
313  * traffic on the control-channel.
314  *
315  */
316 void
318 {
319  interval_t wakeup = BIG_TIMEOUT;
320 
321  if (interval_test(&c->c2.tmp_int))
322  {
323  const int tmp_status = tls_multi_process
324  (c->c2.tls_multi, &c->c2.to_link, &c->c2.to_link_addr,
325  get_link_socket_info(c), &wakeup);
326  if (tmp_status == TLSMP_ACTIVE)
327  {
328  update_time();
330  }
331  else if (tmp_status == TLSMP_KILL)
332  {
333  register_signal(c, SIGTERM, "auth-control-exit");
334  }
335 
336  interval_future_trigger(&c->c2.tmp_int, wakeup);
337  }
338 
339  interval_schedule_wakeup(&c->c2.tmp_int, &wakeup);
340 
341  if (wakeup)
342  {
343  context_reschedule_sec(c, wakeup);
344  }
345 }
346 
347 void
349 {
350  msg(D_STREAM_ERRORS, "Fatal TLS error (check_tls_errors_co), restarting");
351  register_signal(c, c->c2.tls_exit_signal, "tls-error"); /* SOFT-SIGUSR1 -- TLS error */
352 }
353 
354 void
356 {
357  register_signal(c, c->c2.tls_exit_signal, "tls-error"); /* SOFT-SIGUSR1 -- TLS error */
358 }
359 
360 #if P2MP
361 
362 /*
363  * Handle incoming configuration
364  * messages on the control channel.
365  */
366 void
368 {
369  const int len = tls_test_payload_len(c->c2.tls_multi);
370  if (len)
371  {
372  struct gc_arena gc = gc_new();
373  struct buffer buf = alloc_buf_gc(len, &gc);
374  if (tls_rec_payload(c->c2.tls_multi, &buf))
375  {
376  /* force null termination of message */
377  buf_null_terminate(&buf);
378 
379  /* enforce character class restrictions */
380  string_mod(BSTR(&buf), CC_PRINT, CC_CRLF, 0);
381 
382  if (buf_string_match_head_str(&buf, "AUTH_FAILED"))
383  {
384  receive_auth_failed(c, &buf);
385  }
386  else if (buf_string_match_head_str(&buf, "PUSH_"))
387  {
388  incoming_push_message(c, &buf);
389  }
390  else if (buf_string_match_head_str(&buf, "RESTART"))
391  {
392  server_pushed_signal(c, &buf, true, 7);
393  }
394  else if (buf_string_match_head_str(&buf, "HALT"))
395  {
396  server_pushed_signal(c, &buf, false, 4);
397  }
398  else
399  {
400  msg(D_PUSH_ERRORS, "WARNING: Received unknown control message: %s", BSTR(&buf));
401  }
402  }
403  else
404  {
405  msg(D_PUSH_ERRORS, "WARNING: Receive control message failed");
406  }
407 
408  gc_free(&gc);
409  }
410 }
411 
412 /*
413  * Periodically resend PUSH_REQUEST until PUSH message received
414  */
415 void
417 {
419 
420  /* if no response to first push_request, retry at PUSH_REQUEST_INTERVAL second intervals */
422 }
423 
424 #endif /* P2MP */
425 
426 /*
427  * Things that need to happen immediately after connection initiation should go here.
428  */
429 void
431 {
433  {
434  if (CONNECTION_ESTABLISHED(c))
435  {
436 #if P2MP
437  /* if --pull was specified, send a push request to server */
438  if (c->c2.tls_multi && c->options.pull)
439  {
440 #ifdef ENABLE_MANAGEMENT
441  if (management)
442  {
445  NULL,
446  NULL,
447  NULL,
448  NULL,
449  NULL);
450  }
451 #endif
452  /* fire up push request right away (already 1s delayed) */
455  }
456  else
457 #endif /* if P2MP */
458  {
459  do_up(c, false, 0);
460  }
461 
463  }
464  }
465 }
466 
467 /*
468  * Send a string to remote over the TLS control channel.
469  * Used for push/pull messages, passing username/password,
470  * etc.
471  */
472 bool
473 send_control_channel_string(struct context *c, const char *str, int msglevel)
474 {
475  if (c->c2.tls_multi)
476  {
477  struct gc_arena gc = gc_new();
478  bool stat;
479 
480  /* buffered cleartext write onto TLS control channel */
481  stat = tls_send_payload(c->c2.tls_multi, (uint8_t *) str, strlen(str) + 1);
482 
483  /*
484  * Reschedule tls_multi_process.
485  * NOTE: in multi-client mode, usually the below two statements are
486  * insufficient to reschedule the client instance object unless
487  * multi_schedule_context_wakeup(m, mi) is also called.
488  */
490  context_immediate_reschedule(c); /* ZERO-TIMEOUT */
491 
492  msg(msglevel, "SENT CONTROL [%s]: '%s' (status=%d)",
493  tls_common_name(c->c2.tls_multi, false),
494  sanitize_control_message(str, &gc),
495  (int) stat);
496 
497  gc_free(&gc);
498  return stat;
499  }
500  return true;
501 }
502 
503 /*
504  * Add routes.
505  */
506 
507 static void
508 check_add_routes_action(struct context *c, const bool errors)
509 {
511  c->c1.tuntap, c->plugins, c->c2.es);
512  update_time();
515  initialization_sequence_completed(c, errors ? ISC_ERRORS : 0); /* client/p2p --route-delay was defined */
516 }
517 
518 void
520 {
521  if (test_routes(c->c1.route_list, c->c1.tuntap))
522  {
523  check_add_routes_action(c, false);
524  }
526  {
527  check_add_routes_action(c, true);
528  }
529  else
530  {
531  msg(D_ROUTE, "Route: Waiting for TUN/TAP interface to come up...");
532  if (c->c1.tuntap)
533  {
534  if (!tun_standby(c->c1.tuntap))
535  {
536  register_signal(c, SIGHUP, "ip-fail");
538 #ifdef _WIN32
541 #endif
542  }
543  }
544  update_time();
545  if (c->c2.route_wakeup.n != 1)
546  {
548  }
550  }
551 }
552 
553 /*
554  * Should we exit due to inactivity timeout?
555  */
556 void
558 {
559  msg(M_INFO, "Inactivity timeout (--inactive), exiting");
560  register_signal(c, SIGTERM, "inactive");
561 }
562 
563 int
564 get_server_poll_remaining_time(struct event_timeout *server_poll_timeout)
565 {
566  update_time();
567  int remaining = event_timeout_remaining(server_poll_timeout);
568  return max_int(0, remaining);
569 }
570 #if P2MP
571 
572 void
574 {
576  ASSERT(c->c2.tls_multi);
578  {
579  msg(M_INFO, "Server poll timeout, restarting");
580  register_signal(c, SIGUSR1, "server_poll");
582  }
583 }
584 
585 /*
586  * Schedule a signal n_seconds from now.
587  */
588 void
589 schedule_exit(struct context *c, const int n_seconds, const int signal)
590 {
592  update_time();
594  event_timeout_init(&c->c2.scheduled_exit, n_seconds, now);
595  c->c2.scheduled_exit_signal = signal;
596  msg(D_SCHED_EXIT, "Delayed exit in %d seconds", n_seconds);
597 }
598 
599 /*
600  * Scheduled exit?
601  */
602 void
604 {
605  register_signal(c, c->c2.scheduled_exit_signal, "delayed-exit");
606 }
607 
608 #endif /* if P2MP */
609 
610 /*
611  * Should we write timer-triggered status file.
612  */
613 void
615 {
616  if (c->c1.status_output)
617  {
619  }
620 }
621 
622 #ifdef ENABLE_FRAGMENT
623 /*
624  * Should we deliver a datagram fragment to remote?
625  */
626 void
628 {
629  struct link_socket_info *lsi = get_link_socket_info(c);
630 
631  /* OS MTU Hint? */
632  if (lsi->mtu_changed)
633  {
635  c->options.ce.proto);
636  lsi->mtu_changed = false;
637  }
638 
640  {
641  if (!c->c2.to_link.len)
642  {
643  /* encrypt a fragment for output to TCP/UDP port */
645  encrypt_sign(c, false);
646  }
647  }
648 
650 }
651 #endif /* ifdef ENABLE_FRAGMENT */
652 
653 /*
654  * Buffer reallocation, for use with null encryption.
655  */
656 static inline void
657 buffer_turnover(const uint8_t *orig_buf, struct buffer *dest_stub, struct buffer *src_stub, struct buffer *storage)
658 {
659  if (orig_buf == src_stub->data && src_stub->data != storage->data)
660  {
661  buf_assign(storage, src_stub);
662  *dest_stub = *storage;
663  }
664  else
665  {
666  *dest_stub = *src_stub;
667  }
668 }
669 
670 /*
671  * Compress, fragment, encrypt and HMAC-sign an outgoing packet.
672  * Input: c->c2.buf
673  * Output: c->c2.to_link
674  */
675 void
676 encrypt_sign(struct context *c, bool comp_frag)
677 {
678  struct context_buffers *b = c->c2.buffers;
679  const uint8_t *orig_buf = c->c2.buf.data;
680  struct crypto_options *co = NULL;
681 
682 #if P2MP_SERVER
683  /*
684  * Drop non-TLS outgoing packet if client-connect script/plugin
685  * has not yet succeeded.
686  */
687  if (c->c2.context_auth != CAS_SUCCEEDED)
688  {
689  c->c2.buf.len = 0;
690  }
691 #endif
692 
693  if (comp_frag)
694  {
695 #ifdef USE_COMP
696  /* Compress the packet. */
697  if (c->c2.comp_context)
698  {
699  (*c->c2.comp_context->alg.compress)(&c->c2.buf, b->compress_buf, c->c2.comp_context, &c->c2.frame);
700  }
701 #endif
702 #ifdef ENABLE_FRAGMENT
703  if (c->c2.fragment)
704  {
706  }
707 #endif
708  }
709 
710  /* initialize work buffer with FRAME_HEADROOM bytes of prepend capacity */
712 
713  if (c->c2.tls_multi)
714  {
715  /* Get the key we will use to encrypt the packet. */
716  tls_pre_encrypt(c->c2.tls_multi, &c->c2.buf, &co);
717  /* If using P_DATA_V2, prepend the 1-byte opcode and 3-byte peer-id to the
718  * packet before openvpn_encrypt(), so we can authenticate the opcode too.
719  */
720  if (c->c2.buf.len > 0 && c->c2.tls_multi->use_peer_id)
721  {
723  }
724  }
725  else
726  {
727  co = &c->c2.crypto_options;
728  }
729 
730  /* Encrypt and authenticate the packet */
731  openvpn_encrypt(&c->c2.buf, b->encrypt_buf, co);
732 
733  /* Do packet administration */
734  if (c->c2.tls_multi)
735  {
736  if (c->c2.buf.len > 0 && !c->c2.tls_multi->use_peer_id)
737  {
739  }
741  }
742 
743  /*
744  * Get the address we will be sending the packet to.
745  */
747  &c->c2.to_link_addr);
748 
749  /* if null encryption, copy result to read_tun_buf */
750  buffer_turnover(orig_buf, &c->c2.to_link, &c->c2.buf, &b->read_tun_buf);
751 }
752 
753 /*
754  * Coarse timers work to 1 second resolution.
755  */
756 static void
758 {
759  /* flush current packet-id to file once per 60
760  * seconds if --replay-persist was specified */
762 
763  /* should we update status file? */
765 
766  /* process connection establishment items */
768 
769 #if P2MP
770  /* see if we should send a push_request in response to --pull */
772 #endif
773 
774 #ifdef PLUGIN_PF
775  pf_check_reload(c);
776 #endif
777 
778  /* process --route options */
779  check_add_routes(c);
780 
781  /* possibly exit due to --inactive */
783  if (c->sig->signal_received)
784  {
785  return;
786  }
787 
788  /* restart if ping not received */
790  if (c->sig->signal_received)
791  {
792  return;
793  }
794 
795 #if P2MP
796  if (c->c2.tls_multi)
797  {
799  if (c->sig->signal_received)
800  {
801  return;
802  }
803 
805  if (c->sig->signal_received)
806  {
807  return;
808  }
809  }
810 #endif
811 
812 #ifdef ENABLE_OCC
813  /* Should we send an OCC_REQUEST message? */
815 
816  /* Should we send an MTU load test? */
818 
819  /* Should we send an OCC_EXIT message to remote? */
821  {
823  }
824 #endif
825 
826  /* Should we ping the remote? */
827  check_ping_send(c);
828 }
829 
830 static void
832 {
833  const struct timeval save = c->c2.timeval;
834  c->c2.timeval.tv_sec = BIG_TIMEOUT;
835  c->c2.timeval.tv_usec = 0;
837  c->c2.coarse_timer_wakeup = now + c->c2.timeval.tv_sec;
838 
839  dmsg(D_INTERVAL, "TIMER: coarse timer wakeup %" PRIi64 " seconds", (int64_t)c->c2.timeval.tv_sec);
840 
841  /* Is the coarse timeout NOT the earliest one? */
842  if (c->c2.timeval.tv_sec > save.tv_sec)
843  {
844  c->c2.timeval = save;
845  }
846 }
847 
848 static inline void
850 {
851  const time_t local_now = now;
852  if (local_now >= c->c2.coarse_timer_wakeup)
853  {
855  }
856  else
857  {
858  context_reschedule_sec(c, c->c2.coarse_timer_wakeup - local_now);
859  }
860 }
861 
862 static void
864 {
865  const int update_interval = 10; /* seconds */
866  c->c2.update_timeout_random_component = now + update_interval;
867  c->c2.timeout_random_component.tv_usec = (time_t) get_random() & 0x0003FFFF;
868  c->c2.timeout_random_component.tv_sec = 0;
869 
870  dmsg(D_INTERVAL, "RANDOM USEC=%ld", (long) c->c2.timeout_random_component.tv_usec);
871 }
872 
873 static inline void
875 {
877  {
879  }
880  if (c->c2.timeval.tv_sec >= 1)
881  {
883  }
884 }
885 
886 /*
887  * Handle addition and removal of the 10-byte Socks5 header
888  * in UDP packets.
889  */
890 
891 static inline void
893 {
895  {
897  }
898 }
899 
900 static inline void
902  struct link_socket_actual **to_addr,
903  int *size_delta)
904 {
906  {
907  *size_delta += socks_process_outgoing_udp(&c->c2.to_link, c->c2.to_link_addr);
908  *to_addr = &c->c2.link_socket->socks_relay;
909  }
910 }
911 
912 /* undo effect of socks_preprocess_outgoing_link */
913 static inline void
915  int size_delta,
916  struct buffer *buf)
917 {
918  if (size_delta > 0 && *size > size_delta)
919  {
920  *size -= size_delta;
921  if (!buf_advance(buf, size_delta))
922  {
923  *size = 0;
924  }
925  }
926 }
927 
928 /*
929  * Output: c->c2.buf
930  */
931 
932 void
934 {
935  /*
936  * Set up for recvfrom call to read datagram
937  * sent to our TCP/UDP port.
938  */
939  int status;
940 
941  /*ASSERT (!c->c2.to_tun.len);*/
942 
944 
945  c->c2.buf = c->c2.buffers->read_link_buf;
947 
948  status = link_socket_read(c->c2.link_socket,
949  &c->c2.buf,
950  &c->c2.from);
951 
952  if (socket_connection_reset(c->c2.link_socket, status))
953  {
954 #if PORT_SHARE
955  if (port_share && socket_foreign_protocol_detected(c->c2.link_socket))
956  {
957  const struct buffer *fbuf = socket_foreign_protocol_head(c->c2.link_socket);
958  const int sd = socket_foreign_protocol_sd(c->c2.link_socket);
959  port_share_redirect(port_share, fbuf, sd);
960  register_signal(c, SIGTERM, "port-share-redirect");
961  }
962  else
963 #endif
964  {
965  /* received a disconnect from a connection-oriented protocol */
966  if (c->options.inetd)
967  {
968  register_signal(c, SIGTERM, "connection-reset-inetd");
969  msg(D_STREAM_ERRORS, "Connection reset, inetd/xinetd exit [%d]", status);
970  }
971  else
972  {
973 #ifdef ENABLE_OCC
975  {
976  msg(D_STREAM_ERRORS, "Connection reset during exit notification period, ignoring [%d]", status);
977  management_sleep(1);
978  }
979  else
980 #endif
981  {
982  register_signal(c, SIGUSR1, "connection-reset"); /* SOFT-SIGUSR1 -- TCP connection reset */
983  msg(D_STREAM_ERRORS, "Connection reset, restarting [%d]", status);
984  }
985  }
986  }
987  perf_pop();
988  return;
989  }
990 
991  /* check recvfrom status */
992  check_status(status, "read", c->c2.link_socket, NULL);
993 
994  /* Remove socks header if applicable */
996 
997  perf_pop();
998 }
999 
1000 bool
1001 process_incoming_link_part1(struct context *c, struct link_socket_info *lsi, bool floated)
1002 {
1003  struct gc_arena gc = gc_new();
1004  bool decrypt_status = false;
1005 
1006  if (c->c2.buf.len > 0)
1007  {
1008  c->c2.link_read_bytes += c->c2.buf.len;
1010 #ifdef ENABLE_MEMSTATS
1011  if (mmap_stats)
1012  {
1013  mmap_stats->link_read_bytes = link_read_bytes_global;
1014  }
1015 #endif
1016  c->c2.original_recv_size = c->c2.buf.len;
1017 #ifdef ENABLE_MANAGEMENT
1018  if (management)
1019  {
1021 #ifdef MANAGEMENT_DEF_AUTH
1022  management_bytes_server(management, &c->c2.link_read_bytes, &c->c2.link_write_bytes, &c->c2.mda_context);
1023 #endif
1024  }
1025 #endif
1026  }
1027  else
1028  {
1029  c->c2.original_recv_size = 0;
1030  }
1031 
1032 #ifdef ENABLE_DEBUG
1033  /* take action to corrupt packet if we are in gremlin test mode */
1034  if (c->options.gremlin)
1035  {
1036  if (!ask_gremlin(c->options.gremlin))
1037  {
1038  c->c2.buf.len = 0;
1039  }
1040  corrupt_gremlin(&c->c2.buf, c->options.gremlin);
1041  }
1042 #endif
1043 
1044  /* log incoming packet */
1045 #ifdef LOG_RW
1046  if (c->c2.log_rw && c->c2.buf.len > 0)
1047  {
1048  fprintf(stderr, "R");
1049  }
1050 #endif
1051  msg(D_LINK_RW, "%s READ [%d] from %s: %s",
1052  proto2ascii(lsi->proto, lsi->af, true),
1053  BLEN(&c->c2.buf),
1054  print_link_socket_actual(&c->c2.from, &gc),
1055  PROTO_DUMP(&c->c2.buf, &gc));
1056 
1057  /*
1058  * Good, non-zero length packet received.
1059  * Commence multi-stage processing of packet,
1060  * such as authenticate, decrypt, decompress.
1061  * If any stage fails, it sets buf.len to 0 or -1,
1062  * telling downstream stages to ignore the packet.
1063  */
1064  if (c->c2.buf.len > 0)
1065  {
1066  struct crypto_options *co = NULL;
1067  const uint8_t *ad_start = NULL;
1068  if (!link_socket_verify_incoming_addr(&c->c2.buf, lsi, &c->c2.from))
1069  {
1070  link_socket_bad_incoming_addr(&c->c2.buf, lsi, &c->c2.from);
1071  }
1072 
1073  if (c->c2.tls_multi)
1074  {
1075  /*
1076  * If tls_pre_decrypt returns true, it means the incoming
1077  * packet was a good TLS control channel packet. If so, TLS code
1078  * will deal with the packet and set buf.len to 0 so downstream
1079  * stages ignore it.
1080  *
1081  * If the packet is a data channel packet, tls_pre_decrypt
1082  * will load crypto_options with the correct encryption key
1083  * and return false.
1084  */
1085  uint8_t opcode = *BPTR(&c->c2.buf) >> P_OPCODE_SHIFT;
1086  if (tls_pre_decrypt(c->c2.tls_multi, &c->c2.from, &c->c2.buf, &co,
1087  floated, &ad_start))
1088  {
1089  /* Restore pre-NCP frame parameters */
1090  if (is_hard_reset(opcode, c->options.key_method))
1091  {
1092  c->c2.frame = c->c2.frame_initial;
1093  }
1094 
1095  interval_action(&c->c2.tmp_int);
1096 
1097  /* reset packet received timer if TLS packet */
1098  if (c->options.ping_rec_timeout)
1099  {
1101  }
1102  }
1103  }
1104  else
1105  {
1106  co = &c->c2.crypto_options;
1107  }
1108 #if P2MP_SERVER
1109  /*
1110  * Drop non-TLS packet if client-connect script/plugin has not
1111  * yet succeeded.
1112  */
1113  if (c->c2.context_auth != CAS_SUCCEEDED)
1114  {
1115  c->c2.buf.len = 0;
1116  }
1117 #endif
1118 
1119  /* authenticate and decrypt the incoming packet */
1120  decrypt_status = openvpn_decrypt(&c->c2.buf, c->c2.buffers->decrypt_buf,
1121  co, &c->c2.frame, ad_start);
1122 
1123  if (!decrypt_status && link_socket_connection_oriented(c->c2.link_socket))
1124  {
1125  /* decryption errors are fatal in TCP mode */
1126  register_signal(c, SIGUSR1, "decryption-error"); /* SOFT-SIGUSR1 -- decryption error in TCP mode */
1127  msg(D_STREAM_ERRORS, "Fatal decryption error (process_incoming_link), restarting");
1128  }
1129  }
1130  else
1131  {
1132  buf_reset(&c->c2.to_tun);
1133  }
1134  gc_free(&gc);
1135 
1136  return decrypt_status;
1137 }
1138 
1139 void
1140 process_incoming_link_part2(struct context *c, struct link_socket_info *lsi, const uint8_t *orig_buf)
1141 {
1142  if (c->c2.buf.len > 0)
1143  {
1144 #ifdef ENABLE_FRAGMENT
1145  if (c->c2.fragment)
1146  {
1148  }
1149 #endif
1150 
1151 #ifdef USE_COMP
1152  /* decompress the incoming packet */
1153  if (c->c2.comp_context)
1154  {
1155  (*c->c2.comp_context->alg.decompress)(&c->c2.buf, c->c2.buffers->decompress_buf, c->c2.comp_context, &c->c2.frame);
1156  }
1157 #endif
1158 
1159 #ifdef PACKET_TRUNCATION_CHECK
1160  /* if (c->c2.buf.len > 1) --c->c2.buf.len; */
1161  ipv4_packet_size_verify(BPTR(&c->c2.buf),
1162  BLEN(&c->c2.buf),
1163  TUNNEL_TYPE(c->c1.tuntap),
1164  "POST_DECRYPT",
1165  &c->c2.n_trunc_post_decrypt);
1166 #endif
1167 
1168  /*
1169  * Set our "official" outgoing address, since
1170  * if buf.len is non-zero, we know the packet
1171  * authenticated. In TLS mode we do nothing
1172  * because TLS mode takes care of source address
1173  * authentication.
1174  *
1175  * Also, update the persisted version of our packet-id.
1176  */
1177  if (!TLS_MODE(c))
1178  {
1179  link_socket_set_outgoing_addr(&c->c2.buf, lsi, &c->c2.from, NULL, c->c2.es);
1180  }
1181 
1182  /* reset packet received timer */
1183  if (c->options.ping_rec_timeout && c->c2.buf.len > 0)
1184  {
1186  }
1187 
1188  /* increment authenticated receive byte count */
1189  if (c->c2.buf.len > 0)
1190  {
1191  c->c2.link_read_bytes_auth += c->c2.buf.len;
1193  }
1194 
1195  /* Did we just receive an openvpn ping packet? */
1196  if (is_ping_msg(&c->c2.buf))
1197  {
1198  dmsg(D_PING, "RECEIVED PING PACKET");
1199  c->c2.buf.len = 0; /* drop packet */
1200  }
1201 
1202 #ifdef ENABLE_OCC
1203  /* Did we just receive an OCC packet? */
1204  if (is_occ_msg(&c->c2.buf))
1205  {
1207  }
1208 #endif
1209 
1210  buffer_turnover(orig_buf, &c->c2.to_tun, &c->c2.buf, &c->c2.buffers->read_link_buf);
1211 
1212  /* to_tun defined + unopened tuntap can cause deadlock */
1213  if (!tuntap_defined(c->c1.tuntap))
1214  {
1215  c->c2.to_tun.len = 0;
1216  }
1217  }
1218  else
1219  {
1220  buf_reset(&c->c2.to_tun);
1221  }
1222 }
1223 
1224 static void
1226 {
1228 
1229  struct link_socket_info *lsi = get_link_socket_info(c);
1230  const uint8_t *orig_buf = c->c2.buf.data;
1231 
1232  process_incoming_link_part1(c, lsi, false);
1233  process_incoming_link_part2(c, lsi, orig_buf);
1234 
1235  perf_pop();
1236 }
1237 
1238 /*
1239  * Output: c->c2.buf
1240  */
1241 
1242 void
1244 {
1245  /*
1246  * Setup for read() call on TUN/TAP device.
1247  */
1248  /*ASSERT (!c->c2.to_link.len);*/
1249 
1251 
1252  c->c2.buf = c->c2.buffers->read_tun_buf;
1253 #ifdef TUN_PASS_BUFFER
1255 #else
1256  ASSERT(buf_init(&c->c2.buf, FRAME_HEADROOM(&c->c2.frame)));
1258  c->c2.buf.len = read_tun(c->c1.tuntap, BPTR(&c->c2.buf), MAX_RW_SIZE_TUN(&c->c2.frame));
1259 #endif
1260 
1261 #ifdef PACKET_TRUNCATION_CHECK
1262  ipv4_packet_size_verify(BPTR(&c->c2.buf),
1263  BLEN(&c->c2.buf),
1264  TUNNEL_TYPE(c->c1.tuntap),
1265  "READ_TUN",
1266  &c->c2.n_trunc_tun_read);
1267 #endif
1268 
1269  /* Was TUN/TAP interface stopped? */
1270  if (tuntap_stop(c->c2.buf.len))
1271  {
1272  register_signal(c, SIGTERM, "tun-stop");
1273  msg(M_INFO, "TUN/TAP interface has been stopped, exiting");
1274  perf_pop();
1275  return;
1276  }
1277 
1278  /* Was TUN/TAP I/O operation aborted? */
1279  if (tuntap_abort(c->c2.buf.len))
1280  {
1281  register_signal(c, SIGHUP, "tun-abort");
1283  msg(M_INFO, "TUN/TAP I/O operation aborted, restarting");
1284  perf_pop();
1285  return;
1286  }
1287 
1288  /* Check the status return from read() */
1289  check_status(c->c2.buf.len, "read from TUN/TAP", NULL, c->c1.tuntap);
1290 
1291  perf_pop();
1292 }
1293 
1302 static void
1304 {
1305  bool drop = false;
1306  struct openvpn_sockaddr tun_sa;
1307  int ip_hdr_offset = 0;
1308 
1309  if (c->c2.to_link_addr == NULL) /* no remote addr known */
1310  {
1311  return;
1312  }
1313 
1314  tun_sa = c->c2.to_link_addr->dest;
1315 
1316  int proto_ver = get_tun_ip_ver(TUNNEL_TYPE(c->c1.tuntap), &c->c2.buf, &ip_hdr_offset);
1317 
1318  if (proto_ver == 4)
1319  {
1320  const struct openvpn_iphdr *pip;
1321 
1322  /* make sure we got whole IP header */
1323  if (BLEN(buf) < ((int) sizeof(struct openvpn_iphdr) + ip_hdr_offset))
1324  {
1325  return;
1326  }
1327 
1328  /* skip ipv4 packets for ipv6 tun */
1329  if (tun_sa.addr.sa.sa_family != AF_INET)
1330  {
1331  return;
1332  }
1333 
1334  pip = (struct openvpn_iphdr *) (BPTR(buf) + ip_hdr_offset);
1335 
1336  /* drop packets with same dest addr as gateway */
1337  if (tun_sa.addr.in4.sin_addr.s_addr == pip->daddr)
1338  {
1339  drop = true;
1340  }
1341  }
1342  else if (proto_ver == 6)
1343  {
1344  const struct openvpn_ipv6hdr *pip6;
1345 
1346  /* make sure we got whole IPv6 header */
1347  if (BLEN(buf) < ((int) sizeof(struct openvpn_ipv6hdr) + ip_hdr_offset))
1348  {
1349  return;
1350  }
1351 
1352  /* skip ipv6 packets for ipv4 tun */
1353  if (tun_sa.addr.sa.sa_family != AF_INET6)
1354  {
1355  return;
1356  }
1357 
1358  /* drop packets with same dest addr as gateway */
1359  pip6 = (struct openvpn_ipv6hdr *) (BPTR(buf) + ip_hdr_offset);
1360  if (IN6_ARE_ADDR_EQUAL(&tun_sa.addr.in6.sin6_addr, &pip6->daddr))
1361  {
1362  drop = true;
1363  }
1364  }
1365 
1366  if (drop)
1367  {
1368  struct gc_arena gc = gc_new();
1369 
1370  c->c2.buf.len = 0;
1371 
1372  msg(D_LOW, "Recursive routing detected, drop tun packet to %s",
1374  gc_free(&gc);
1375  }
1376 }
1377 
1378 /*
1379  * Input: c->c2.buf
1380  * Output: c->c2.to_link
1381  */
1382 
1383 void
1385 {
1386  struct gc_arena gc = gc_new();
1387 
1389 
1390  if (c->c2.buf.len > 0)
1391  {
1392  c->c2.tun_read_bytes += c->c2.buf.len;
1393  }
1394 
1395 #ifdef LOG_RW
1396  if (c->c2.log_rw && c->c2.buf.len > 0)
1397  {
1398  fprintf(stderr, "r");
1399  }
1400 #endif
1401 
1402  /* Show packet content */
1403  dmsg(D_TUN_RW, "TUN READ [%d]", BLEN(&c->c2.buf));
1404 
1405  if (c->c2.buf.len > 0)
1406  {
1408  {
1410  }
1411  /*
1412  * The --passtos and --mssfix options require
1413  * us to examine the IP header (IPv4 or IPv6).
1414  */
1415  unsigned int flags = PIPV4_PASSTOS | PIP_MSSFIX | PIPV4_CLIENT_NAT
1417  process_ip_header(c, flags, &c->c2.buf);
1418 
1419 #ifdef PACKET_TRUNCATION_CHECK
1420  /* if (c->c2.buf.len > 1) --c->c2.buf.len; */
1421  ipv4_packet_size_verify(BPTR(&c->c2.buf),
1422  BLEN(&c->c2.buf),
1423  TUNNEL_TYPE(c->c1.tuntap),
1424  "PRE_ENCRYPT",
1425  &c->c2.n_trunc_pre_encrypt);
1426 #endif
1427 
1428  }
1429  if (c->c2.buf.len > 0)
1430  {
1431  encrypt_sign(c, true);
1432  }
1433  else
1434  {
1435  buf_reset(&c->c2.to_link);
1436  }
1437  perf_pop();
1438  gc_free(&gc);
1439 }
1440 
1451 void
1452 ipv6_send_icmp_unreachable(struct context *c, struct buffer *buf, bool client)
1453 {
1454 #define MAX_ICMPV6LEN 1280
1455  struct openvpn_icmp6hdr icmp6out;
1456  CLEAR(icmp6out);
1457 
1458  /*
1459  * Get a buffer to the ip packet, is_ipv6 automatically forwards
1460  * the buffer to the ip packet
1461  */
1462  struct buffer inputipbuf = *buf;
1463 
1464  is_ipv6(TUNNEL_TYPE(c->c1.tuntap), &inputipbuf);
1465 
1466  if (BLEN(&inputipbuf) < (int)sizeof(struct openvpn_ipv6hdr))
1467  {
1468  return;
1469  }
1470 
1471  const struct openvpn_ipv6hdr *pip6 = (struct openvpn_ipv6hdr *)BPTR(&inputipbuf);
1472 
1473  /* Copy version, traffic class, flow label from input packet */
1474  struct openvpn_ipv6hdr pip6out = *pip6;
1475 
1476  pip6out.version_prio = pip6->version_prio;
1477  pip6out.daddr = pip6->saddr;
1478 
1479  /*
1480  * Use the IPv6 remote address if we have one, otherwise use a fake one
1481  * using the remote address is preferred since it makes debugging and
1482  * understanding where the ICMPv6 error originates easier
1483  */
1485  {
1486  inet_pton(AF_INET6, c->options.ifconfig_ipv6_remote, &pip6out.saddr);
1487  }
1488  else
1489  {
1490  inet_pton(AF_INET6, "fe80::7", &pip6out.saddr);
1491  }
1492 
1493  pip6out.nexthdr = OPENVPN_IPPROTO_ICMPV6;
1494 
1495  /*
1496  * The ICMPv6 unreachable code worked best in my (arne) tests with Windows,
1497  * Linux and Android. Windows did not like the administratively prohibited
1498  * return code (no fast fail)
1499  */
1502 
1503  int icmpheader_len = sizeof(struct openvpn_ipv6hdr)
1504  + sizeof(struct openvpn_icmp6hdr);
1505  int totalheader_len = icmpheader_len;
1506 
1507  if (TUNNEL_TYPE(c->c1.tuntap) == DEV_TYPE_TAP)
1508  {
1509  totalheader_len += sizeof(struct openvpn_ethhdr);
1510  }
1511 
1512  /*
1513  * Calculate size for payload, defined in the standard that the resulting
1514  * frame should be <= 1280 and have as much as possible of the original
1515  * packet
1516  */
1517  int max_payload_size = min_int(MAX_ICMPV6LEN,
1518  TUN_MTU_SIZE(&c->c2.frame) - icmpheader_len);
1519  int payload_len = min_int(max_payload_size, BLEN(&inputipbuf));
1520 
1521  pip6out.payload_len = htons(sizeof(struct openvpn_icmp6hdr) + payload_len);
1522 
1523  /* Construct the packet as outgoing packet back to the client */
1524  struct buffer *outbuf;
1525  if (client)
1526  {
1527  c->c2.to_tun = c->c2.buffers->aux_buf;
1528  outbuf = &(c->c2.to_tun);
1529  }
1530  else
1531  {
1532  c->c2.to_link = c->c2.buffers->aux_buf;
1533  outbuf = &(c->c2.to_link);
1534  }
1535  ASSERT(buf_init(outbuf, totalheader_len));
1536 
1537  /* Fill the end of the buffer with original packet */
1538  ASSERT(buf_safe(outbuf, payload_len));
1539  ASSERT(buf_copy_n(outbuf, &inputipbuf, payload_len));
1540 
1541  /* ICMP Header, copy into buffer to allow checksum calculation */
1542  ASSERT(buf_write_prepend(outbuf, &icmp6out, sizeof(struct openvpn_icmp6hdr)));
1543 
1544  /* Calculate checksum over the packet and write to header */
1545 
1546  uint16_t new_csum = ip_checksum(AF_INET6, BPTR(outbuf), BLEN(outbuf),
1547  (const uint8_t *)&pip6out.saddr,
1548  (uint8_t *)&pip6out.daddr, OPENVPN_IPPROTO_ICMPV6);
1549  ((struct openvpn_icmp6hdr *) BPTR(outbuf))->icmp6_cksum = htons(new_csum);
1550 
1551 
1552  /* IPv6 Header */
1553  ASSERT(buf_write_prepend(outbuf, &pip6out, sizeof(struct openvpn_ipv6hdr)));
1554 
1555  /*
1556  * Tap mode, we also need to create an Ethernet header.
1557  */
1558  if (TUNNEL_TYPE(c->c1.tuntap) == DEV_TYPE_TAP)
1559  {
1560  if (BLEN(buf) < (int)sizeof(struct openvpn_ethhdr))
1561  {
1562  return;
1563  }
1564 
1565  const struct openvpn_ethhdr *orig_ethhdr = (struct openvpn_ethhdr *) BPTR(buf);
1566 
1567  /* Copy frametype and reverse source/destination for the response */
1568  struct openvpn_ethhdr ethhdr;
1569  memcpy(ethhdr.source, orig_ethhdr->dest, OPENVPN_ETH_ALEN);
1570  memcpy(ethhdr.dest, orig_ethhdr->source, OPENVPN_ETH_ALEN);
1571  ethhdr.proto = htons(OPENVPN_ETH_P_IPV6);
1572  ASSERT(buf_write_prepend(outbuf, &ethhdr, sizeof(struct openvpn_ethhdr)));
1573  }
1574 #undef MAX_ICMPV6LEN
1575 }
1576 
1577 void
1578 process_ip_header(struct context *c, unsigned int flags, struct buffer *buf)
1579 {
1580  if (!c->options.ce.mssfix)
1581  {
1582  flags &= ~PIP_MSSFIX;
1583  }
1584 #if PASSTOS_CAPABILITY
1585  if (!c->options.passtos)
1586  {
1587  flags &= ~PIPV4_PASSTOS;
1588  }
1589 #endif
1590  if (!c->options.client_nat)
1591  {
1592  flags &= ~PIPV4_CLIENT_NAT;
1593  }
1595  {
1596  flags &= ~PIPV4_EXTRACT_DHCP_ROUTER;
1597  }
1598  if (!c->options.block_ipv6)
1599  {
1601  }
1602 
1603  if (buf->len > 0)
1604  {
1605  /*
1606  * The --passtos and --mssfix options require
1607  * us to examine the IPv4 header.
1608  */
1609 
1610  if (flags & (PIP_MSSFIX
1612  | PIPV4_PASSTOS
1613 #endif
1615  ))
1616  {
1617  struct buffer ipbuf = *buf;
1618  if (is_ipv4(TUNNEL_TYPE(c->c1.tuntap), &ipbuf))
1619  {
1620 #if PASSTOS_CAPABILITY
1621  /* extract TOS from IP header */
1622  if (flags & PIPV4_PASSTOS)
1623  {
1624  link_socket_extract_tos(c->c2.link_socket, &ipbuf);
1625  }
1626 #endif
1627 
1628  /* possibly alter the TCP MSS */
1629  if (flags & PIP_MSSFIX)
1630  {
1632  }
1633 
1634  /* possibly do NAT on packet */
1635  if ((flags & PIPV4_CLIENT_NAT) && c->options.client_nat)
1636  {
1637  const int direction = (flags & PIP_OUTGOING) ? CN_INCOMING : CN_OUTGOING;
1638  client_nat_transform(c->options.client_nat, &ipbuf, direction);
1639  }
1640  /* possibly extract a DHCP router message */
1641  if (flags & PIPV4_EXTRACT_DHCP_ROUTER)
1642  {
1643  const in_addr_t dhcp_router = dhcp_extract_router_msg(&ipbuf);
1644  if (dhcp_router)
1645  {
1646  route_list_add_vpn_gateway(c->c1.route_list, c->c2.es, dhcp_router);
1647  }
1648  }
1649  }
1650  else if (is_ipv6(TUNNEL_TYPE(c->c1.tuntap), &ipbuf))
1651  {
1652  /* possibly alter the TCP MSS */
1653  if (flags & PIP_MSSFIX)
1654  {
1655  mss_fixup_ipv6(&ipbuf,
1657  }
1658  if (!(flags & PIP_OUTGOING) && (flags
1660  {
1662  (bool)(flags & PIPV6_IMCP_NOHOST_CLIENT));
1663  /* Drop the IPv6 packet */
1664  buf->len = 0;
1665  }
1666 
1667  }
1668  }
1669  }
1670 }
1671 
1672 /*
1673  * Input: c->c2.to_link
1674  */
1675 
1676 void
1678 {
1679  struct gc_arena gc = gc_new();
1680  int error_code = 0;
1681 
1683 
1684  if (c->c2.to_link.len > 0 && c->c2.to_link.len <= EXPANDED_SIZE(&c->c2.frame))
1685  {
1686  /*
1687  * Setup for call to send/sendto which will send
1688  * packet to remote over the TCP/UDP port.
1689  */
1690  int size = 0;
1692 
1693 #ifdef ENABLE_DEBUG
1694  /* In gremlin-test mode, we may choose to drop this packet */
1695  if (!c->options.gremlin || ask_gremlin(c->options.gremlin))
1696 #endif
1697  {
1698  /*
1699  * Let the traffic shaper know how many bytes
1700  * we wrote.
1701  */
1702 #ifdef ENABLE_FEATURE_SHAPER
1703  if (c->options.shaper)
1704  {
1705  shaper_wrote_bytes(&c->c2.shaper, BLEN(&c->c2.to_link)
1707  }
1708 #endif
1709  /*
1710  * Let the pinger know that we sent a packet.
1711  */
1712  if (c->options.ping_send_timeout)
1713  {
1715  }
1716 
1717 #if PASSTOS_CAPABILITY
1718  /* Set TOS */
1719  link_socket_set_tos(c->c2.link_socket);
1720 #endif
1721 
1722  /* Log packet send */
1723 #ifdef LOG_RW
1724  if (c->c2.log_rw)
1725  {
1726  fprintf(stderr, "W");
1727  }
1728 #endif
1729  msg(D_LINK_RW, "%s WRITE [%d] to %s: %s",
1731  BLEN(&c->c2.to_link),
1733  PROTO_DUMP(&c->c2.to_link, &gc));
1734 
1735  /* Packet send complexified by possible Socks5 usage */
1736  {
1737  struct link_socket_actual *to_addr = c->c2.to_link_addr;
1738  int size_delta = 0;
1739 
1740  /* If Socks5 over UDP, prepend header */
1741  socks_preprocess_outgoing_link(c, &to_addr, &size_delta);
1742 
1743  /* Send packet */
1744  size = link_socket_write(c->c2.link_socket,
1745  &c->c2.to_link,
1746  to_addr);
1747 
1748  /* Undo effect of prepend */
1749  link_socket_write_post_size_adjust(&size, size_delta, &c->c2.to_link);
1750  }
1751 
1752  if (size > 0)
1753  {
1755  c->c2.link_write_bytes += size;
1756  link_write_bytes_global += size;
1757 #ifdef ENABLE_MEMSTATS
1758  if (mmap_stats)
1759  {
1760  mmap_stats->link_write_bytes = link_write_bytes_global;
1761  }
1762 #endif
1763 #ifdef ENABLE_MANAGEMENT
1764  if (management)
1765  {
1767 #ifdef MANAGEMENT_DEF_AUTH
1768  management_bytes_server(management, &c->c2.link_read_bytes, &c->c2.link_write_bytes, &c->c2.mda_context);
1769 #endif
1770  }
1771 #endif
1772  }
1773  }
1774 
1775  /* Check return status */
1776  error_code = openvpn_errno();
1777  check_status(size, "write", c->c2.link_socket, NULL);
1778 
1779  if (size > 0)
1780  {
1781  /* Did we write a different size packet than we intended? */
1782  if (size != BLEN(&c->c2.to_link))
1783  {
1785  "TCP/UDP packet was truncated/expanded on write to %s (tried=%d,actual=%d)",
1787  BLEN(&c->c2.to_link),
1788  size);
1789  }
1790  }
1791 
1792  /* if not a ping/control message, indicate activity regarding --inactive parameter */
1793  if (c->c2.buf.len > 0)
1794  {
1795  register_activity(c, size);
1796  }
1797 
1798  /* for unreachable network and "connecting" state switch to the next host */
1799  if (size < 0 && ENETUNREACH == error_code && c->c2.tls_multi
1801  {
1802  msg(M_INFO, "Network unreachable, restarting");
1803  register_signal(c, SIGUSR1, "network-unreachable");
1804  }
1805  }
1806  else
1807  {
1808  if (c->c2.to_link.len > 0)
1809  {
1810  msg(D_LINK_ERRORS, "TCP/UDP packet too large on write to %s (tried=%d,max=%d)",
1812  c->c2.to_link.len,
1813  EXPANDED_SIZE(&c->c2.frame));
1814  }
1815  }
1816 
1817  buf_reset(&c->c2.to_link);
1818 
1819  perf_pop();
1820  gc_free(&gc);
1821 }
1822 
1823 /*
1824  * Input: c->c2.to_tun
1825  */
1826 
1827 void
1829 {
1830  struct gc_arena gc = gc_new();
1831 
1832  /*
1833  * Set up for write() call to TUN/TAP
1834  * device.
1835  */
1836  if (c->c2.to_tun.len <= 0)
1837  {
1838  return;
1839  }
1840 
1842 
1843  /*
1844  * The --mssfix option requires
1845  * us to examine the IP header (IPv4 or IPv6).
1846  */
1849  &c->c2.to_tun);
1850 
1851  if (c->c2.to_tun.len <= MAX_RW_SIZE_TUN(&c->c2.frame))
1852  {
1853  /*
1854  * Write to TUN/TAP device.
1855  */
1856  int size;
1857 
1858 #ifdef LOG_RW
1859  if (c->c2.log_rw)
1860  {
1861  fprintf(stderr, "w");
1862  }
1863 #endif
1864  dmsg(D_TUN_RW, "TUN WRITE [%d]", BLEN(&c->c2.to_tun));
1865 
1866 #ifdef PACKET_TRUNCATION_CHECK
1867  ipv4_packet_size_verify(BPTR(&c->c2.to_tun),
1868  BLEN(&c->c2.to_tun),
1869  TUNNEL_TYPE(c->c1.tuntap),
1870  "WRITE_TUN",
1871  &c->c2.n_trunc_tun_write);
1872 #endif
1873 
1874 #ifdef TUN_PASS_BUFFER
1875  size = write_tun_buffered(c->c1.tuntap, &c->c2.to_tun);
1876 #else
1877  size = write_tun(c->c1.tuntap, BPTR(&c->c2.to_tun), BLEN(&c->c2.to_tun));
1878 #endif
1879 
1880  if (size > 0)
1881  {
1882  c->c2.tun_write_bytes += size;
1883  }
1884  check_status(size, "write to TUN/TAP", NULL, c->c1.tuntap);
1885 
1886  /* check written packet size */
1887  if (size > 0)
1888  {
1889  /* Did we write a different size packet than we intended? */
1890  if (size != BLEN(&c->c2.to_tun))
1891  {
1893  "TUN/TAP packet was destructively fragmented on write to %s (tried=%d,actual=%d)",
1894  c->c1.tuntap->actual_name,
1895  BLEN(&c->c2.to_tun),
1896  size);
1897  }
1898 
1899  /* indicate activity regarding --inactive parameter */
1900  register_activity(c, size);
1901  }
1902  }
1903  else
1904  {
1905  /*
1906  * This should never happen, probably indicates some kind
1907  * of MTU mismatch.
1908  */
1909  msg(D_LINK_ERRORS, "tun packet too large on write (tried=%d,max=%d)",
1910  c->c2.to_tun.len,
1911  MAX_RW_SIZE_TUN(&c->c2.frame));
1912  }
1913 
1914  buf_reset(&c->c2.to_tun);
1915 
1916  perf_pop();
1917  gc_free(&gc);
1918 }
1919 
1920 void
1922 {
1923  /* make sure current time (now) is updated on function entry */
1924 
1925  /*
1926  * Start with an effectively infinite timeout, then let it
1927  * reduce to a timeout that reflects the component which
1928  * needs the earliest service.
1929  */
1930  c->c2.timeval.tv_sec = BIG_TIMEOUT;
1931  c->c2.timeval.tv_usec = 0;
1932 
1933 #if defined(_WIN32)
1935  {
1936  c->c2.timeval.tv_sec = 1;
1937  if (tuntap_defined(c->c1.tuntap))
1938  {
1939  tun_show_debug(c->c1.tuntap);
1940  }
1941  }
1942 #endif
1943 
1944  /* check coarse timers? */
1946  if (c->sig->signal_received)
1947  {
1948  return;
1949  }
1950 
1951  /* Does TLS need service? */
1952  check_tls(c);
1953 
1954  /* In certain cases, TLS errors will require a restart */
1955  check_tls_errors(c);
1956  if (c->sig->signal_received)
1957  {
1958  return;
1959  }
1960 
1961  /* check for incoming configuration info on the control channel */
1963 
1964 #ifdef ENABLE_OCC
1965  /* Should we send an OCC message? */
1966  check_send_occ_msg(c);
1967 #endif
1968 
1969 #ifdef ENABLE_FRAGMENT
1970  /* Should we deliver a datagram fragment to remote? */
1971  check_fragment(c);
1972 #endif
1973 
1974  /* Update random component of timeout */
1976 }
1977 
1978 /*
1979  * Wait for I/O events. Used for both TCP & UDP sockets
1980  * in point-to-point mode and for UDP sockets in
1981  * point-to-multipoint mode.
1982  */
1983 
1984 void
1985 io_wait_dowork(struct context *c, const unsigned int flags)
1986 {
1987  unsigned int socket = 0;
1988  unsigned int tuntap = 0;
1989  struct event_set_return esr[4];
1990 
1991  /* These shifts all depend on EVENT_READ and EVENT_WRITE */
1992  static int socket_shift = 0; /* depends on SOCKET_READ and SOCKET_WRITE */
1993  static int tun_shift = 2; /* depends on TUN_READ and TUN_WRITE */
1994  static int err_shift = 4; /* depends on ES_ERROR */
1995 #ifdef ENABLE_MANAGEMENT
1996  static int management_shift = 6; /* depends on MANAGEMENT_READ and MANAGEMENT_WRITE */
1997 #endif
1998 #ifdef ENABLE_ASYNC_PUSH
1999  static int file_shift = 8; /* listening inotify events */
2000 #endif
2001 
2002  /*
2003  * Decide what kind of events we want to wait for.
2004  */
2005  event_reset(c->c2.event_set);
2006 
2007  /*
2008  * On win32 we use the keyboard or an event object as a source
2009  * of asynchronous signals.
2010  */
2011  if (flags & IOW_WAIT_SIGNAL)
2012  {
2013  wait_signal(c->c2.event_set, (void *)&err_shift);
2014  }
2015 
2016  /*
2017  * If outgoing data (for TCP/UDP port) pending, wait for ready-to-send
2018  * status from TCP/UDP port. Otherwise, wait for incoming data on
2019  * TUN/TAP device.
2020  */
2021  if (flags & IOW_TO_LINK)
2022  {
2023  if (flags & IOW_SHAPER)
2024  {
2025  /*
2026  * If sending this packet would put us over our traffic shaping
2027  * quota, don't send -- instead compute the delay we must wait
2028  * until it will be OK to send the packet.
2029  */
2030 #ifdef ENABLE_FEATURE_SHAPER
2031  int delay = 0;
2032 
2033  /* set traffic shaping delay in microseconds */
2034  if (c->options.shaper)
2035  {
2036  delay = max_int(delay, shaper_delay(&c->c2.shaper));
2037  }
2038 
2039  if (delay < 1000)
2040  {
2041  socket |= EVENT_WRITE;
2042  }
2043  else
2044  {
2045  shaper_soonest_event(&c->c2.timeval, delay);
2046  }
2047 #else /* ENABLE_FEATURE_SHAPER */
2048  socket |= EVENT_WRITE;
2049 #endif /* ENABLE_FEATURE_SHAPER */
2050  }
2051  else
2052  {
2053  socket |= EVENT_WRITE;
2054  }
2055  }
2056  else if (!((flags & IOW_FRAG) && TO_LINK_FRAG(c)))
2057  {
2058  if (flags & IOW_READ_TUN)
2059  {
2060  tuntap |= EVENT_READ;
2061  }
2062  }
2063 
2064  /*
2065  * If outgoing data (for TUN/TAP device) pending, wait for ready-to-send status
2066  * from device. Otherwise, wait for incoming data on TCP/UDP port.
2067  */
2068  if (flags & IOW_TO_TUN)
2069  {
2070  tuntap |= EVENT_WRITE;
2071  }
2072  else
2073  {
2074  if (flags & IOW_READ_LINK)
2075  {
2076  socket |= EVENT_READ;
2077  }
2078  }
2079 
2080  /*
2081  * outgoing bcast buffer waiting to be sent?
2082  */
2083  if (flags & IOW_MBUF)
2084  {
2085  socket |= EVENT_WRITE;
2086  }
2087 
2088  /*
2089  * Force wait on TUN input, even if also waiting on TCP/UDP output
2090  */
2091  if (flags & IOW_READ_TUN_FORCE)
2092  {
2093  tuntap |= EVENT_READ;
2094  }
2095 
2096  /*
2097  * Configure event wait based on socket, tuntap flags.
2098  */
2099  socket_set(c->c2.link_socket, c->c2.event_set, socket, (void *)&socket_shift, NULL);
2100  tun_set(c->c1.tuntap, c->c2.event_set, tuntap, (void *)&tun_shift, NULL);
2101 
2102 #ifdef ENABLE_MANAGEMENT
2103  if (management)
2104  {
2105  management_socket_set(management, c->c2.event_set, (void *)&management_shift, NULL);
2106  }
2107 #endif
2108 
2109 #ifdef ENABLE_ASYNC_PUSH
2110  /* arm inotify watcher */
2111  if (c->options.mode == MODE_SERVER)
2112  {
2113  event_ctl(c->c2.event_set, c->c2.inotify_fd, EVENT_READ, (void *)&file_shift);
2114  }
2115 #endif
2116 
2117  /*
2118  * Possible scenarios:
2119  * (1) tcp/udp port has data available to read
2120  * (2) tcp/udp port is ready to accept more data to write
2121  * (3) tun dev has data available to read
2122  * (4) tun dev is ready to accept more data to write
2123  * (5) we received a signal (handler sets signal_received)
2124  * (6) timeout (tv) expired
2125  */
2126 
2128 
2129  if (!c->sig->signal_received)
2130  {
2131  if (!(flags & IOW_CHECK_RESIDUAL) || !socket_read_residual(c->c2.link_socket))
2132  {
2133  int status;
2134 
2135 #ifdef ENABLE_DEBUG
2137  {
2138  show_wait_status(c);
2139  }
2140 #endif
2141 
2142  /*
2143  * Wait for something to happen.
2144  */
2145  status = event_wait(c->c2.event_set, &c->c2.timeval, esr, SIZE(esr));
2146 
2147  check_status(status, "event_wait", NULL, NULL);
2148 
2149  if (status > 0)
2150  {
2151  int i;
2152  c->c2.event_set_status = 0;
2153  for (i = 0; i < status; ++i)
2154  {
2155  const struct event_set_return *e = &esr[i];
2156  c->c2.event_set_status |= ((e->rwflags & 3) << *((int *)e->arg));
2157  }
2158  }
2159  else if (status == 0)
2160  {
2162  }
2163  }
2164  else
2165  {
2167  }
2168  }
2169 
2170  /* 'now' should always be a reasonably up-to-date timestamp */
2171  update_time();
2172 
2173  /* set signal_received if a signal was received */
2174  if (c->c2.event_set_status & ES_ERROR)
2175  {
2177  }
2178 
2179  dmsg(D_EVENT_WAIT, "I/O WAIT status=0x%04x", c->c2.event_set_status);
2180 }
2181 
2182 void
2184 {
2185  const unsigned int status = c->c2.event_set_status;
2186 
2187 #ifdef ENABLE_MANAGEMENT
2188  if (status & (MANAGEMENT_READ|MANAGEMENT_WRITE))
2189  {
2190  ASSERT(management);
2192  }
2193 #endif
2194 
2195  /* TCP/UDP port ready to accept write */
2196  if (status & SOCKET_WRITE)
2197  {
2199  }
2200  /* TUN device ready to accept write */
2201  else if (status & TUN_WRITE)
2202  {
2204  }
2205  /* Incoming data on TCP/UDP port */
2206  else if (status & SOCKET_READ)
2207  {
2208  read_incoming_link(c);
2209  if (!IS_SIG(c))
2210  {
2212  }
2213  }
2214  /* Incoming data on TUN device */
2215  else if (status & TUN_READ)
2216  {
2217  read_incoming_tun(c);
2218  if (!IS_SIG(c))
2219  {
2221  }
2222  }
2223 }
struct env_set * es
Definition: openvpn.h:427
static void check_fragment(struct context *c)
Definition: forward.c:239
#define TLSMP_ACTIVE
Definition: ssl.h:231
void io_wait_dowork(struct context *c, const unsigned int flags)
Definition: forward.c:1985
static void link_socket_get_outgoing_addr(struct buffer *buf, const struct link_socket_info *info, struct link_socket_actual **act)
Definition: socket.h:962
void receive_auth_failed(struct context *c, const struct buffer *buffer)
Definition: push.c:51
#define ES_ERROR
Definition: openvpn.h:240
static void register_activity(struct context *c, const int size)
Definition: forward.h:320
counter_type tun_read_bytes
Definition: openvpn.h:281
void check_server_poll_timeout_dowork(struct context *c)
Definition: forward.c:573
struct buffer to_link
Definition: openvpn.h:384
static void context_reschedule_sec(struct context *c, int sec)
Definition: forward.c:293
#define ETT_DEFAULT
Definition: interval.h:213
Security parameter state for processing data channel packets.
Definition: crypto.h:232
bool log_rw
Definition: openvpn.h:387
uint32_t daddr
Definition: proto.h:106
struct event_timeout route_wakeup
Definition: openvpn.h:390
#define TO_LINK_FRAG(c)
Definition: forward.h:43
Definition: tun.h:131
struct client_nat_option_list * client_nat
Definition: options.h:358
static bool tuntap_abort(int status)
Definition: tun.h:422
struct buffer read_tun_buf
Definition: openvpn.h:111
struct event_timeout ping_rec_interval
Definition: openvpn.h:299
void check_tls_dowork(struct context *c)
Definition: forward.c:317
struct options options
Options loaded from command line or configuration file.
Definition: openvpn.h:502
#define BIG_TIMEOUT
Definition: common.h:50
struct event_timeout route_wakeup_expire
Definition: openvpn.h:391
#define OPENVPN_IPPROTO_ICMPV6
Definition: proto.h:101
#define D_ROUTE
Definition: errlevel.h:80
counter_type link_write_bytes
Definition: openvpn.h:285
#define OPENVPN_ETH_P_IPV6
Definition: proto.h:61
struct interval tmp_int
Definition: openvpn.h:351
static bool buf_advance(struct buffer *buf, int size)
Definition: buffer.h:639
bool do_up(struct context *c, bool pulled_options, unsigned int option_types_found)
Definition: init.c:2077
int inetd
Definition: options.h:308
#define M_INFO
Definition: errlevel.h:55
Contains all state information for one tunnel.
Definition: openvpn.h:500
void tun_show_debug(struct tuntap *tt)
Definition: tun.c:6054
static void check_connection_established(struct context *c)
Definition: forward.c:146
in_addr_t dhcp_extract_router_msg(struct buffer *ipbuf)
Definition: dhcp.c:151
#define SIZE(x)
Definition: basic.h:30
static void link_socket_set_outgoing_addr(const struct buffer *buf, struct link_socket_info *info, const struct link_socket_actual *act, const char *common_name, struct env_set *es)
Definition: socket.h:983
static void check_timeout_random_component_dowork(struct context *c)
Definition: forward.c:863
bool tun_standby(struct tuntap *tt)
Definition: tun.c:5289
const char * print_link_socket_actual(const struct link_socket_actual *act, struct gc_arena *gc)
Definition: socket.c:2892
static void check_ping_restart(struct context *c)
Definition: ping.h:55
static void gc_free(struct gc_arena *a)
Definition: buffer.h:1023
static bool check_debug_level(unsigned int level)
Definition: error.h:245
#define D_EVENT_WAIT
Definition: errlevel.h:156
void mss_fixup_ipv6(struct buffer *buf, int maxmss)
Definition: mss.c:86
void tls_post_encrypt(struct tls_multi *multi, struct buffer *buf)
Perform some accounting for the key state used.
Definition: ssl.c:4022
#define MTU_TO_MSS(mtu)
Definition: proto.h:236
uint8_t icmp6_type
Definition: proto.h:135
#define PERF_PROC_OUT_LINK
Definition: perf.h:55
bool send_control_channel_string(struct context *c, const char *str, int msglevel)
Definition: forward.c:473
#define IOW_READ_LINK
Definition: forward.h:57
union openvpn_sockaddr::@8 addr
bool buf_assign(struct buffer *dest, const struct buffer *src)
Definition: buffer.c:175
static void check_timeout_random_component(struct context *c)
Definition: forward.c:874
#define CC_PRINT
Definition: buffer.h:915
struct buffer buf
Definition: openvpn.h:382
void process_ip_header(struct context *c, unsigned int flags, struct buffer *buf)
Definition: forward.c:1578
static bool buf_safe(const struct buffer *buf, int len)
Definition: buffer.h:541
bool status_trigger_tv(struct status_output *so, struct timeval *tv)
Definition: status.c:150
#define ASSERT(x)
Definition: error.h:221
static int tls_test_payload_len(const struct tls_multi *multi)
Definition: ssl.h:568
#define SIGUSR1
Definition: config-msvc.h:116
static void check_status_file(struct context *c)
Definition: forward.c:221
static int link_socket_read(struct link_socket *sock, struct buffer *buf, struct link_socket_actual *from)
Definition: socket.h:1051
struct context_buffers * buffers
Definition: openvpn.h:374
static void check_push_request(struct context *c)
Definition: forward.c:256
struct event_timeout wait_for_connect
Definition: openvpn.h:297
uint8_t version_prio
Definition: proto.h:114
static bool is_occ_msg(const struct buffer *buf)
Definition: occ.h:86
static void check_tls_errors(struct context *c)
Definition: forward.c:99
int read_tun(struct tuntap *tt, uint8_t *buf, int len)
static void perf_pop(void)
Definition: perf.h:82
bool buf_printf(struct buffer *buf, const char *format,...)
Definition: buffer.c:245
void process_received_occ_msg(struct context *c)
Definition: occ.c:353
static void perf_push(int type)
Definition: perf.h:78
void tls_prepend_opcode_v2(const struct tls_multi *multi, struct buffer *buf)
Prepend an OpenVPN data channel P_DATA_V2 header to the packet.
Definition: ssl.c:4007
#define PERF_READ_IN_LINK
Definition: perf.h:51
void do_route(const struct options *options, struct route_list *route_list, struct route_ipv6_list *route_ipv6_list, const struct tuntap *tt, const struct plugin_list *plugins, struct env_set *es)
Definition: init.c:1630
static void event_timeout_clear(struct event_timeout *et)
Definition: interval.h:150
#define CLEAR(x)
Definition: basic.h:33
#define in_addr_t
Definition: config-msvc.h:104
static void process_coarse_timers(struct context *c)
Definition: forward.c:757
#define TUN_READ
Definition: openvpn.h:238
struct signal_info * sig
Internal error signaling object.
Definition: openvpn.h:525
static void interval_future_trigger(struct interval *top, interval_t wakeup)
Definition: interval.h:108
#define IOW_SHAPER
Definition: forward.h:58
struct frame frame_initial
Definition: openvpn.h:262
static bool fragment_outgoing_defined(struct fragment_master *f)
Check whether a fragment_master structure contains fragments ready to be sent.
Definition: fragment.h:448
void pre_select(struct context *c)
Definition: forward.c:1921
#define SOCKET_READ
Definition: openvpn.h:236
int max_recv_size_local
Definition: openvpn.h:320
#define SIGTERM
Definition: config-msvc.h:118
uint8_t icmp6_code
Definition: proto.h:138
#define TLS_MODE(c)
Definition: openvpn.h:561
void check_status_file_dowork(struct context *c)
Definition: forward.c:614
static void get_signal(volatile int *sig)
Definition: sig.h:92
#define SIGHUP
Definition: config-msvc.h:114
struct tuntap * tuntap
Tun/tap virtual network interface.
Definition: openvpn.h:167
static int event_wait(struct event_set *es, const struct timeval *tv, struct event_set_return *out, int outlen)
Definition: event.h:125
bool test_routes(const struct route_list *rl, const struct tuntap *tt)
Definition: route.c:2635
void socks_process_incoming_udp(struct buffer *buf, struct link_socket_actual *from)
Definition: socks.c:556
bool allow_recursive_routing
Definition: options.h:632
bool fragment_ready_to_send(struct fragment_master *f, struct buffer *buf, const struct frame *frame)
Check whether outgoing fragments are ready to be send, and if so make one available.
Definition: fragment.c:381
#define IOW_TO_LINK
Definition: forward.h:55
void read_incoming_link(struct context *c)
Read a packet from the external network interface.
Definition: forward.c:933
static bool link_socket_verify_incoming_addr(struct buffer *buf, const struct link_socket_info *info, const struct link_socket_actual *from_addr)
Definition: socket.h:934
void ipv6_send_icmp_unreachable(struct context *c, struct buffer *buf, bool client)
Forges a IPv6 ICMP packet with a no route to host error code from the IPv6 packet in buf and sends it...
Definition: forward.c:1452
uint16_t proto
Definition: proto.h:63
void * arg
Definition: event.h:80
static bool tuntap_defined(const struct tuntap *tt)
Definition: tun.h:198
static unsigned int tun_set(struct tuntap *tt, struct event_set *es, unsigned int rwflags, void *arg, unsigned int *persistent)
Definition: tun.h:513
static bool link_socket_connection_oriented(const struct link_socket *sock)
Definition: socket.h:618
#define openvpn_errno()
Definition: error.h:74
#define MAX_ICMPV6LEN
int ping_rec_timeout
Definition: options.h:265
#define D_LOW
Definition: errlevel.h:97
int context_auth
Definition: openvpn.h:458
static void check_packet_id_persist_flush(struct context *c)
Definition: forward.c:272
int write_tun(struct tuntap *tt, uint8_t *buf, int len)
#define ES_TIMEOUT
Definition: openvpn.h:241
static bool interval_test(struct interval *top)
Definition: interval.h:66
struct in6_addr daddr
Definition: proto.h:121
counter_type link_read_bytes_global
Definition: forward.c:50
void encrypt_sign(struct context *c, bool comp_frag)
Process a data channel packet that will be sent through a VPN tunnel.
Definition: forward.c:676
void fragment_outgoing(struct fragment_master *f, struct buffer *buf, const struct frame *frame)
Process an outgoing packet, which may or may not need to be fragmented.
Definition: fragment.c:326
bool is_hard_reset(int op, int key_method)
Given a key_method, return true if opcode represents the required form of hard_reset.
Definition: ssl.c:855
#define MODE_SERVER
Definition: options.h:191
bool send_push_request(struct context *c)
Definition: push.c:310
bool use_peer_id
Definition: ssl_common.h:564
void tls_pre_encrypt(struct tls_multi *multi, struct buffer *buf, struct crypto_options **opt)
Choose the appropriate security parameters with which to process an outgoing packet.
Definition: ssl.c:3941
struct event_timeout ping_send_interval
Definition: openvpn.h:298
#define D_PING
Definition: errlevel.h:140
#define D_LINK_RW
Definition: errlevel.h:112
#define PIP_MSSFIX
Definition: forward.h:292
#define FRAME_HEADROOM_ADJ(f, fm)
Definition: mtu.h:188
static void check_send_occ_load_test(struct context *c)
Definition: occ.h:128
struct sockaddr_in6 in6
Definition: socket.h:70
list flags
int len
Length in bytes of the actual content within the allocated memory.
Definition: buffer.h:66
int inet_pton(int af, const char *src, void *dst)
time_t explicit_exit_notification_time_wait
Definition: openvpn.h:422
#define PIPV4_CLIENT_NAT
Definition: forward.h:295
void link_socket_bad_incoming_addr(struct buffer *buf, const struct link_socket_info *info, const struct link_socket_actual *from_addr)
Definition: socket.c:2491
struct context_1 c1
Level 1 context.
Definition: openvpn.h:538
static void tls_set_single_session(struct tls_multi *multi)
Definition: ssl.h:582
#define IOW_TO_TUN
Definition: forward.h:54
#define PIPV4_PASSTOS
Definition: forward.h:291
struct context_persist persist
Persistent context.
Definition: openvpn.h:535
struct buffer decrypt_buf
Definition: openvpn.h:98
struct event_timeout inactivity_interval
Definition: openvpn.h:302
#define D_INTERVAL
Definition: errlevel.h:152
#define BPTR(buf)
Definition: buffer.h:124
struct frame frame_fragment
Definition: openvpn.h:267
static struct link_socket_info * get_link_socket_info(struct context *c)
Definition: forward.h:307
static void fragment_housekeeping(struct fragment_master *f, struct frame *frame, struct timeval *tv)
Perform housekeeping of a fragment_master structure.
Definition: fragment.h:475
void tls_prepend_opcode_v1(const struct tls_multi *multi, struct buffer *buf)
Prepend a one-byte OpenVPN data channel P_DATA_V1 opcode to the packet.
Definition: ssl.c:3993
const char * tv_string(const struct timeval *tv, struct gc_arena *gc)
Definition: otime.c:88
static void event_timeout_reset(struct event_timeout *et)
Definition: interval.h:174
uint16_t ip_checksum(const sa_family_t af, const uint8_t *payload, const int len_payload, const uint8_t *src_addr, const uint8_t *dest_addr, const int proto)
Calculates an IP or IPv6 checksum with a pseudo header as required by TCP, UDP and ICMPv6...
Definition: proto.c:103
counter_type tun_write_bytes
Definition: openvpn.h:282
bool event_timeout_trigger(struct event_timeout *et, struct timeval *tv, const int et_const_retry)
Definition: interval.c:45
int proto
Definition: options.h:88
#define IOW_READ_TUN_FORCE
Definition: forward.h:62
void client_nat_transform(const struct client_nat_option_list *list, struct buffer *ipbuf, const int direction)
Definition: clinat.c:195
counter_type link_read_bytes
Definition: openvpn.h:283
static void process_incoming_link(struct context *c)
Definition: forward.c:1225
int mode
Definition: options.h:192
static void check_coarse_timers(struct context *c)
Definition: forward.c:849
#define PROTO_DUMP(buf, gc)
Definition: openvpn.h:563
static struct gc_arena gc_new(void)
Definition: buffer.h:1015
void show_wait_status(struct context *c)
time_t now
Definition: otime.c:36
struct link_socket_actual * to_link_addr
Definition: openvpn.h:257
void buf_null_terminate(struct buffer *buf)
Definition: buffer.c:572
static void interval_action(struct interval *top)
Definition: interval.h:124
struct route_list * route_list
List of routing information.
Definition: openvpn.h:172
#define IOW_MBUF
Definition: forward.h:61
void management_socket_set(struct management *man, struct event_set *es, void *arg, unsigned int *persistent)
Definition: manage.c:3018
void process_explicit_exit_notification_timer_wakeup(struct context *c)
Definition: sig.c:348
void check_add_routes_dowork(struct context *c)
Definition: forward.c:519
int get_server_poll_remaining_time(struct event_timeout *server_poll_timeout)
Definition: forward.c:564
static void management_bytes_in(struct management *man, const int size)
Definition: manage.h:565
#define FRAME_HEADROOM(f)
Definition: mtu.h:187
static bool event_timeout_defined(const struct event_timeout *et)
Definition: interval.h:144
int mssfix
Definition: options.h:118
struct frame frame
Definition: openvpn.h:261
int n_hard_errors
Definition: ssl_common.h:534
static bool tls_initial_packet_received(const struct tls_multi *multi)
Definition: ssl.h:551
struct timeval timeval
Definition: openvpn.h:401
struct sockaddr_in in4
Definition: socket.h:69
static void check_inactivity_timeout(struct context *c)
Definition: forward.c:174
static int write_tun_buffered(struct tuntap *tt, struct buffer *buf)
Definition: tun.h:466
interval_t n
Definition: interval.h:139
#define OPENVPN_ICMP6_DU_NOROUTE
Definition: proto.h:136
#define TUN_MTU_SIZE(f)
Definition: mtu.h:156
#define OPENVPN_ICMP6_DESTINATION_UNREACHABLE
Definition: proto.h:128
#define D_TAP_WIN_DEBUG
Definition: errlevel.h:114
static bool link_socket_actual_defined(const struct link_socket_actual *act)
Definition: socket.h:696
static void buffer_turnover(const uint8_t *orig_buf, struct buffer *dest_stub, struct buffer *src_stub, struct buffer *storage)
Definition: forward.c:657
static int link_socket_write(struct link_socket *sock, struct buffer *buf, struct link_socket_actual *to)
Definition: socket.h:1165
#define IOW_FRAG
Definition: forward.h:60
static void tv_add(struct timeval *dest, const struct timeval *src)
Definition: otime.h:165
static SERVICE_STATUS status
Definition: automatic.c:43
#define D_SCHED_EXIT
Definition: errlevel.h:89
static void event_reset(struct event_set *es)
Definition: event.h:107
static int get_tun_ip_ver(int tunnel_type, struct buffer *buf, int *ip_hdr_offset)
Definition: proto.h:244
#define EXPANDED_SIZE(f)
Definition: mtu.h:172
#define PERF_PROC_IN_TUN
Definition: perf.h:54
struct event_timeout scheduled_exit
Definition: openvpn.h:470
static void event_ctl(struct event_set *es, event_t event, unsigned int rwflags, void *arg)
Definition: event.h:119
struct in6_addr saddr
Definition: proto.h:120
uint8_t nexthdr
Definition: proto.h:117
const char * sanitize_control_message(const char *src, struct gc_arena *gc)
Definition: misc.c:614
static void check_scheduled_exit(struct context *c)
Definition: forward.c:203
void process_outgoing_link(struct context *c)
Write a packet to the external network interface.
Definition: forward.c:1677
int n_soft_errors
Definition: ssl_common.h:535
void route_list_add_vpn_gateway(struct route_list *rl, struct env_set *es, const in_addr_t addr)
Definition: route.c:531
int restart_sleep_seconds
Definition: openvpn.h:119
unsigned int counter_type
Definition: common.h:38
struct link_socket * link_socket
Definition: openvpn.h:252
static bool socket_connection_reset(const struct link_socket *sock, int status)
Definition: socket.h:912
void process_io(struct context *c)
Definition: forward.c:2183
#define CN_OUTGOING
Definition: clinat.h:31
void initialization_sequence_completed(struct context *c, const unsigned int flags)
Definition: init.c:1511
const char * socket_stat(const struct link_socket *s, unsigned int rwflags, struct gc_arena *gc)
Definition: socket.c:2594
void check_fragment_dowork(struct context *c)
Definition: forward.c:627
void reset_coarse_timers(struct context *c)
Definition: init.c:1305
counter_type link_write_bytes_global
Definition: forward.c:51
Interface functions to the internal and external multiplexers.
#define IS_SIG(c)
Definition: sig.h:50
int ping_send_timeout
Definition: options.h:264
void incoming_push_message(struct context *c, const struct buffer *buffer)
Definition: push.c:253
static int read_tun_buffered(struct tuntap *tt, struct buffer *buf, int maxsize)
Definition: tun.h:460
bool tls_rec_payload(struct tls_multi *multi, struct buffer *buf)
Definition: ssl.c:4081
struct connection_entry ce
Definition: options.h:213
#define D_TUN_RW
Definition: errlevel.h:113
static void check_tls(struct context *c)
Definition: forward.c:84
struct route_ipv6_list * route_ipv6_list
Definition: openvpn.h:177
struct context_2 c2
Level 2 context.
Definition: openvpn.h:539
uint8_t * data
Pointer to the allocated memory.
Definition: buffer.h:68
#define dmsg
Definition: error.h:174
#define PIP_OUTGOING
Definition: forward.h:293
void read_incoming_tun(struct context *c)
Read a packet from the virtual tun/tap network interface.
Definition: forward.c:1243
const char * ifconfig_ipv6_remote
Definition: options.h:239
#define MANAGEMENT_WRITE
Definition: openvpn.h:244
void print_status(const struct context *c, struct status_output *so)
Definition: sig.c:292
#define TUN_MTU_SIZE_DYNAMIC(f)
Definition: mtu.h:157
void check_push_request_dowork(struct context *c)
Definition: forward.c:416
void openvpn_encrypt(struct buffer *buf, struct buffer work, struct crypto_options *opt)
Encrypt and HMAC sign a packet so that it can be sent as a data channel VPN tunnel packet to a remote...
Definition: crypto.c:303
#define IOW_WAIT_SIGNAL
Definition: forward.h:63
uint8_t source[OPENVPN_ETH_ALEN]
Definition: proto.h:58
#define PIPV6_IMCP_NOHOST_CLIENT
Definition: forward.h:296
int socks_process_outgoing_udp(struct buffer *buf, const struct link_socket_actual *to)
Definition: socks.c:595
#define EVENT_READ
Definition: event.h:36
uint8_t dest[OPENVPN_ETH_ALEN]
Definition: proto.h:57
int inactivity_timeout
Definition: options.h:261
time_t update_timeout_random_component
Definition: openvpn.h:408
#define BLEN(buf)
Definition: buffer.h:127
static void check_send_occ_req(struct context *c)
Definition: occ.h:113
#define ISC_ERRORS
Definition: init.h:116
#define CN_INCOMING
Definition: clinat.h:32
const char * tun_stat(const struct tuntap *tt, unsigned int rwflags, struct gc_arena *gc)
Definition: tun.c:516
struct buffer aux_buf
Definition: openvpn.h:94
bool shaper_soonest_event(struct timeval *tv, int delay)
Definition: shaper.c:41
#define P_OPCODE_SHIFT
Definition: ssl.h:51
void show_adapters(int msglev)
Definition: tun.c:4613
struct event_set * event_set
Definition: openvpn.h:231
struct event_timeout packet_id_persist_interval
Definition: openvpn.h:362
struct buffer read_link_buf
Definition: openvpn.h:110
bool openvpn_decrypt(struct buffer *buf, struct buffer work, struct crypto_options *opt, const struct frame *frame, const uint8_t *ad_start)
HMAC verify and decrypt a data channel packet received from a remote OpenVPN peer.
Definition: crypto.c:672
static int max_int(int x, int y)
Definition: integer.h:44
struct event_timeout push_request_interval
Definition: openvpn.h:461
#define CAS_SUCCEEDED
Definition: openvpn.h:453
__int64 int64_t
Definition: config-msvc.h:124
#define TLSMP_KILL
Definition: ssl.h:232
unsigned __int8 uint8_t
Definition: config-msvc.h:123
static void check_send_occ_msg(struct context *c)
Definition: occ.h:143
#define MODE_POINT_TO_POINT
Definition: options.h:190
static void event_timeout_modify_wakeup(struct event_timeout *et, interval_t n)
Definition: interval.h:183
bool tls_pre_decrypt(struct tls_multi *multi, const struct link_socket_actual *from, struct buffer *buf, struct crypto_options **opt, bool floated, const uint8_t **ad_start)
Determine whether an incoming packet is a data channel or control channel packet, and process accordi...
Definition: ssl.c:3356
bool string_mod(char *str, const unsigned int inclusive, const unsigned int exclusive, const char replace)
Definition: buffer.c:1081
static void drop_if_recursive_routing(struct context *c, struct buffer *buf)
Drops UDP packets which OS decided to route via tun.
Definition: forward.c:1303
int scheduled_exit_signal
Definition: openvpn.h:471
#define PERF_READ_IN_TUN
Definition: perf.h:53
#define CONNECTION_ESTABLISHED(c)
Definition: forward.h:382
unsigned int socket_set(struct link_socket *s, struct event_set *es, unsigned int rwflags, void *arg, unsigned int *persistent)
Definition: socket.c:3931
static bool buf_copy_n(struct buffer *dest, struct buffer *src, int n)
Definition: buffer.h:740
volatile int signal_received
Definition: sig.h:45
bool is_ipv6(int tunnel_type, struct buffer *buf)
Definition: proto.c:96
#define PUSH_REQUEST_INTERVAL
Definition: common.h:89
static void interval_schedule_wakeup(struct interval *top, interval_t *wakeup)
Definition: interval.h:94
void check_scheduled_exit_dowork(struct context *c)
Definition: forward.c:603
static bool is_ping_msg(const struct buffer *buf)
Definition: ping.h:41
#define IN6_ARE_ADDR_EQUAL(a, b)
Definition: win32.h:46
void register_signal(struct context *c, int sig, const char *text)
Definition: sig.c:460
void check_incoming_control_channel_dowork(struct context *c)
Definition: forward.c:367
#define MANAGEMENT_READ
Definition: openvpn.h:243
#define OPENVPN_STATE_GET_CONFIG
Definition: manage.h:493
uint16_t icmp6_cksum
Definition: proto.h:139
#define M_NOPREFIX
Definition: error.h:102
#define msg
Definition: error.h:173
struct timeval timeout_random_component
Definition: openvpn.h:409
int connect_timeout
Definition: options.h:101
static void check_ping_send(struct context *c)
Definition: ping.h:74
Wrapper structure for dynamically allocated memory.
Definition: buffer.h:60
void show_routes(int msglev)
Definition: route.c:3151
struct event_timeout explicit_exit_notification_interval
Definition: openvpn.h:423
void server_pushed_signal(struct context *c, const struct buffer *buffer, const bool restart, const int adv)
Definition: push.c:120
void frame_adjust_path_mtu(struct frame *frame, int pmtu, int proto)
Definition: socket.c:1670
#define buf_init(buf, offset)
Definition: buffer.h:196
bool tls_send_payload(struct tls_multi *multi, const uint8_t *data, int size)
Definition: ssl.c:4042
struct fragment_master * fragment
Definition: openvpn.h:266
#define IOW_CHECK_RESIDUAL
Definition: forward.h:59
static bool buf_write_prepend(struct buffer *dest, const void *src, int size)
Definition: buffer.h:701
void check_tls_errors_co(struct context *c)
Definition: forward.c:348
struct status_output * status_output
Definition: openvpn.h:180
#define PIPV6_IMCP_NOHOST_SERVER
Definition: forward.h:297
struct plugin_list * plugins
List of plug-ins.
Definition: openvpn.h:527
struct packet_id_persist pid_persist
Definition: openvpn.h:165
void management_io(struct management *man)
Definition: manage.c:3058
static void management_bytes_out(struct management *man, const int size)
Definition: manage.h:556
#define MAX_RW_SIZE_TUN(f)
Definition: mtu.h:180
void management_set_state(struct management *man, const int state, const char *detail, const in_addr_t *tun_local_ip, const struct in6_addr *tun_local_ip6, const struct openvpn_sockaddr *local, const struct openvpn_sockaddr *remote)
Definition: manage.c:2663
bool is_ipv4(int tunnel_type, struct buffer *buf)
Definition: proto.c:91
struct event_timeout server_poll_interval
Definition: openvpn.h:413
static void wait_signal(struct event_set *es, void *arg)
Definition: event.h:144
#define TUN_WRITE
Definition: openvpn.h:239
static void check_add_routes_action(struct context *c, const bool errors)
Definition: forward.c:508
#define FRAME_HEADROOM_MARKER_READ_LINK
Definition: mtu.h:131
const char * tls_common_name(const struct tls_multi *multi, const bool null)
Returns the common name field for the given tunnel.
Definition: ssl_verify.c:147
struct buffer alloc_buf_gc(size_t size, struct gc_arena *gc)
Definition: buffer.c:90
#define PERF_PROC_IN_LINK
Definition: perf.h:52
static void check_add_routes(struct context *c)
Definition: forward.c:160
static int min_int(int x, int y)
Definition: integer.h:57
static void buf_reset(struct buffer *buf)
Definition: buffer.h:290
unsigned __int16 uint16_t
Definition: config-msvc.h:122
#define EVENT_WRITE
Definition: event.h:37
#define OPENVPN_ETH_ALEN
Definition: proto.h:54
#define PIPV4_EXTRACT_DHCP_ROUTER
Definition: forward.h:294
#define SOCKET_WRITE
Definition: openvpn.h:237
#define TUNNEL_TYPE(tt)
Definition: tun.h:133
static bool socket_read_residual(const struct link_socket *s)
Definition: socket.h:1220
void check_connection_established_dowork(struct context *c)
Definition: forward.c:430
Garbage collection arena used to keep track of dynamically allocated memory.
Definition: buffer.h:116
#define IOW_READ_TUN
Definition: forward.h:56
static bool packet_id_persist_enabled(const struct packet_id_persist *p)
Definition: packet_id.h:281
int original_recv_size
Definition: openvpn.h:319
int interval_t
Definition: common.h:45
void process_incoming_link_part2(struct context *c, struct link_socket_info *lsi, const uint8_t *orig_buf)
Continues processing a packet read from the external network interface.
Definition: forward.c:1140
void management_sleep(const int n)
A sleep function that services the management layer for n seconds rather than doing nothing...
Definition: manage.c:3995
#define PERF_PROC_OUT_TUN
Definition: perf.h:56
struct link_socket_actual from
Definition: openvpn.h:258
static void socks_postprocess_incoming_link(struct context *c)
Definition: forward.c:892
#define D_STREAM_ERRORS
Definition: errlevel.h:63
bool pull
Definition: options.h:471
#define BSTR(buf)
Definition: buffer.h:129
long int get_random(void)
Definition: crypto.c:1767
void fragment_incoming(struct fragment_master *f, struct buffer *buf, const struct frame *frame)
Process an incoming packet, which may or may not be fragmented.
Definition: fragment.c:141
static void check_incoming_control_channel(struct context *c)
Definition: forward.c:129
static void socks_preprocess_outgoing_link(struct context *c, struct link_socket_actual **to_addr, int *size_delta)
Definition: forward.c:901
bool process_incoming_link_part1(struct context *c, struct link_socket_info *lsi, bool floated)
Starts processing a packet read from the external network interface.
Definition: forward.c:1001
static interval_t event_timeout_remaining(struct event_timeout *et)
Definition: interval.h:197
static int datagram_overhead(int proto)
Definition: socket.h:601
void check_inactivity_timeout_dowork(struct context *c)
Definition: forward.c:557
void packet_id_persist_save(struct packet_id_persist *p)
Definition: packet_id.c:482
char * actual_name
Definition: tun.h:146
const char * proto2ascii(int proto, sa_family_t af, bool display_form)
Definition: socket.c:3222
struct buffer to_tun
Definition: openvpn.h:383
void check_tls_errors_nco(struct context *c)
Definition: forward.c:355
static void update_time(void)
Definition: otime.h:93
static bool tuntap_stop(int status)
Definition: tun.h:408
#define CC_CRLF
Definition: buffer.h:944
static void link_socket_write_post_size_adjust(int *size, int size_delta, struct buffer *buf)
Definition: forward.c:914
bool block_ipv6
Definition: options.h:354
struct sockaddr sa
Definition: socket.h:68
unsigned int event_set_status
Definition: openvpn.h:250
struct tls_multi * tls_multi
TLS state structure for this VPN tunnel.
Definition: openvpn.h:336
void mss_fixup_ipv4(struct buffer *buf, int maxmss)
Definition: mss.c:46
static void context_immediate_reschedule(struct context *c)
Definition: forward.c:286
struct buffer encrypt_buf
Definition: openvpn.h:97
void process_incoming_tun(struct context *c)
Process a packet read from the virtual tun/tap network interface.
Definition: forward.c:1384
unsigned int rwflags
Definition: event.h:79
int max_send_size_local
Definition: openvpn.h:322
void schedule_exit(struct context *c, const int n_seconds, const int signal)
Definition: forward.c:589
uint16_t payload_len
Definition: proto.h:116
static void check_status(int status, const char *description, struct link_socket *sock, struct tuntap *tt)
Definition: error.h:302
struct crypto_options crypto_options
Security parameters and crypto state used by the Data Channel Crypto module to process data channel p...
Definition: openvpn.h:356
bool buf_string_match_head_str(const struct buffer *src, const char *match)
Definition: buffer.c:818
const char * wait_status_string(struct context *c, struct gc_arena *gc)
static void event_timeout_init(struct event_timeout *et, interval_t n, const time_t local_now)
Definition: interval.h:166
void process_outgoing_tun(struct context *c)
Write a packet to the virtual tun/tap network interface.
Definition: forward.c:1828
int key_method
Definition: options.h:556
int tls_exit_signal
Definition: openvpn.h:354
#define D_LINK_ERRORS
Definition: errlevel.h:57
time_t coarse_timer_wakeup
Definition: openvpn.h:404
#define PASSTOS_CAPABILITY
Definition: syshead.h:406
static void check_coarse_timers_dowork(struct context *c)
Definition: forward.c:831
#define DEV_TYPE_TAP
Definition: proto.h:38
bool route_gateway_via_dhcp
Definition: options.h:356
static void check_server_poll_timeout(struct context *c)
Definition: forward.c:188
counter_type link_read_bytes_auth
Definition: openvpn.h:284
int tls_multi_process(struct tls_multi *multi, struct buffer *to_link, struct link_socket_actual **to_link_addr, struct link_socket_info *to_link_socket_info, interval_t *wakeup)
Definition: ssl.c:3161
#define D_PUSH_ERRORS
Definition: errlevel.h:67