OpenVPN
forward.c
Go to the documentation of this file.
1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single TCP/UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. <sales@openvpn.net>
9  *
10  * This program is free software; you can redistribute it and/or modify
11  * it under the terms of the GNU General Public License version 2
12  * as published by the Free Software Foundation.
13  *
14  * This program is distributed in the hope that it will be useful,
15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17  * GNU General Public License for more details.
18  *
19  * You should have received a copy of the GNU General Public License along
20  * with this program; if not, write to the Free Software Foundation, Inc.,
21  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22  */
23 
24 #ifdef HAVE_CONFIG_H
25 #include "config.h"
26 #elif defined(_MSC_VER)
27 #include "config-msvc.h"
28 #endif
29 
30 #include "syshead.h"
31 
32 #include "forward.h"
33 #include "init.h"
34 #include "push.h"
35 #include "gremlin.h"
36 #include "mss.h"
37 #include "event.h"
38 #include "ps.h"
39 #include "dhcp.h"
40 #include "common.h"
41 #include "ssl_verify.h"
42 
43 #include "memdbg.h"
44 
45 #include "forward-inline.h"
46 #include "occ-inline.h"
47 #include "ping-inline.h"
48 #include "mstats.h"
49 
52 
53 /* show event wait debugging info */
54 
55 #ifdef ENABLE_DEBUG
56 
57 const char *
58 wait_status_string(struct context *c, struct gc_arena *gc)
59 {
60  struct buffer out = alloc_buf_gc(64, gc);
61  buf_printf(&out, "I/O WAIT %s|%s|%s|%s %s",
62  tun_stat(c->c1.tuntap, EVENT_READ, gc),
63  tun_stat(c->c1.tuntap, EVENT_WRITE, gc),
66  tv_string(&c->c2.timeval, gc));
67  return BSTR(&out);
68 }
69 
70 void
71 show_wait_status(struct context *c)
72 {
73  struct gc_arena gc = gc_new();
74  dmsg(D_EVENT_WAIT, "%s", wait_status_string(c, &gc));
75  gc_free(&gc);
76 }
77 
78 #endif /* ifdef ENABLE_DEBUG */
79 
80 /*
81  * In TLS mode, let TLS level respond to any control-channel
82  * packets which were received, or prepare any packets for
83  * transmission.
84  *
85  * tmp_int is purely an optimization that allows us to call
86  * tls_multi_process less frequently when there's not much
87  * traffic on the control-channel.
88  *
89  */
90 #ifdef ENABLE_CRYPTO
91 void
93 {
94  interval_t wakeup = BIG_TIMEOUT;
95 
96  if (interval_test(&c->c2.tmp_int))
97  {
98  const int tmp_status = tls_multi_process
99  (c->c2.tls_multi, &c->c2.to_link, &c->c2.to_link_addr,
100  get_link_socket_info(c), &wakeup);
101  if (tmp_status == TLSMP_ACTIVE)
102  {
103  update_time();
105  }
106  else if (tmp_status == TLSMP_KILL)
107  {
108  register_signal(c, SIGTERM, "auth-control-exit");
109  }
110 
111  interval_future_trigger(&c->c2.tmp_int, wakeup);
112  }
113 
114  interval_schedule_wakeup(&c->c2.tmp_int, &wakeup);
115 
116  if (wakeup)
117  {
118  context_reschedule_sec(c, wakeup);
119  }
120 }
121 
122 void
124 {
125  msg(D_STREAM_ERRORS, "Fatal TLS error (check_tls_errors_co), restarting");
126  register_signal(c, c->c2.tls_exit_signal, "tls-error"); /* SOFT-SIGUSR1 -- TLS error */
127 }
128 
129 void
131 {
132  register_signal(c, c->c2.tls_exit_signal, "tls-error"); /* SOFT-SIGUSR1 -- TLS error */
133 }
134 #endif /* ENABLE_CRYPTO */
135 
136 #if P2MP
137 
138 /*
139  * Handle incoming configuration
140  * messages on the control channel.
141  */
142 void
144 {
145  const int len = tls_test_payload_len(c->c2.tls_multi);
146  if (len)
147  {
148  struct gc_arena gc = gc_new();
149  struct buffer buf = alloc_buf_gc(len, &gc);
150  if (tls_rec_payload(c->c2.tls_multi, &buf))
151  {
152  /* force null termination of message */
153  buf_null_terminate(&buf);
154 
155  /* enforce character class restrictions */
156  string_mod(BSTR(&buf), CC_PRINT, CC_CRLF, 0);
157 
158  if (buf_string_match_head_str(&buf, "AUTH_FAILED"))
159  {
160  receive_auth_failed(c, &buf);
161  }
162  else if (buf_string_match_head_str(&buf, "PUSH_"))
163  {
164  incoming_push_message(c, &buf);
165  }
166  else if (buf_string_match_head_str(&buf, "RESTART"))
167  {
168  server_pushed_signal(c, &buf, true, 7);
169  }
170  else if (buf_string_match_head_str(&buf, "HALT"))
171  {
172  server_pushed_signal(c, &buf, false, 4);
173  }
174  else
175  {
176  msg(D_PUSH_ERRORS, "WARNING: Received unknown control message: %s", BSTR(&buf));
177  }
178  }
179  else
180  {
181  msg(D_PUSH_ERRORS, "WARNING: Receive control message failed");
182  }
183 
184  gc_free(&gc);
185  }
186 }
187 
188 /*
189  * Periodically resend PUSH_REQUEST until PUSH message received
190  */
191 void
193 {
195 
196  /* if no response to first push_request, retry at PUSH_REQUEST_INTERVAL second intervals */
198 }
199 
200 #endif /* P2MP */
201 
202 /*
203  * Things that need to happen immediately after connection initiation should go here.
204  */
205 void
207 {
209  {
210  if (CONNECTION_ESTABLISHED(c))
211  {
212 #if P2MP
213  /* if --pull was specified, send a push request to server */
214  if (c->c2.tls_multi && c->options.pull)
215  {
216 #ifdef ENABLE_MANAGEMENT
217  if (management)
218  {
221  NULL,
222  NULL,
223  NULL,
224  NULL,
225  NULL);
226  }
227 #endif
228  /* fire up push request right away (already 1s delayed) */
231  }
232  else
233 #endif /* if P2MP */
234  {
235  do_up(c, false, 0);
236  }
237 
239  }
240  }
241 }
242 
243 /*
244  * Send a string to remote over the TLS control channel.
245  * Used for push/pull messages, passing username/password,
246  * etc.
247  */
248 bool
249 send_control_channel_string(struct context *c, const char *str, int msglevel)
250 {
251 #ifdef ENABLE_CRYPTO
252  if (c->c2.tls_multi)
253  {
254  struct gc_arena gc = gc_new();
255  bool stat;
256 
257  /* buffered cleartext write onto TLS control channel */
258  stat = tls_send_payload(c->c2.tls_multi, (uint8_t *) str, strlen(str) + 1);
259 
260  /*
261  * Reschedule tls_multi_process.
262  * NOTE: in multi-client mode, usually the below two statements are
263  * insufficient to reschedule the client instance object unless
264  * multi_schedule_context_wakeup(m, mi) is also called.
265  */
267  context_immediate_reschedule(c); /* ZERO-TIMEOUT */
268 
269  msg(msglevel, "SENT CONTROL [%s]: '%s' (status=%d)",
270  tls_common_name(c->c2.tls_multi, false),
271  sanitize_control_message(str, &gc),
272  (int) stat);
273 
274  gc_free(&gc);
275  return stat;
276  }
277 #endif /* ENABLE_CRYPTO */
278  return true;
279 }
280 
281 /*
282  * Add routes.
283  */
284 
285 static void
286 check_add_routes_action(struct context *c, const bool errors)
287 {
289  c->c1.tuntap, c->plugins, c->c2.es);
290  update_time();
293  initialization_sequence_completed(c, errors ? ISC_ERRORS : 0); /* client/p2p --route-delay was defined */
294 }
295 
296 void
298 {
299  if (test_routes(c->c1.route_list, c->c1.tuntap))
300  {
301  check_add_routes_action(c, false);
302  }
304  {
305  check_add_routes_action(c, true);
306  }
307  else
308  {
309  msg(D_ROUTE, "Route: Waiting for TUN/TAP interface to come up...");
310  if (c->c1.tuntap)
311  {
312  if (!tun_standby(c->c1.tuntap))
313  {
314  register_signal(c, SIGHUP, "ip-fail");
316 #ifdef _WIN32
319 #endif
320  }
321  }
322  update_time();
323  if (c->c2.route_wakeup.n != 1)
324  {
326  }
328  }
329 }
330 
331 /*
332  * Should we exit due to inactivity timeout?
333  */
334 void
336 {
337  msg(M_INFO, "Inactivity timeout (--inactive), exiting");
338  register_signal(c, SIGTERM, "inactive");
339 }
340 
341 int
342 get_server_poll_remaining_time(struct event_timeout *server_poll_timeout)
343 {
344  update_time();
345  int remaining = event_timeout_remaining(server_poll_timeout);
346  return max_int(0, remaining);
347 }
348 #if P2MP
349 
350 void
352 {
354  ASSERT(c->c2.tls_multi);
356  {
357  msg(M_INFO, "Server poll timeout, restarting");
358  register_signal(c, SIGUSR1, "server_poll");
360  }
361 }
362 
363 /*
364  * Schedule a signal n_seconds from now.
365  */
366 void
367 schedule_exit(struct context *c, const int n_seconds, const int signal)
368 {
370  update_time();
372  event_timeout_init(&c->c2.scheduled_exit, n_seconds, now);
373  c->c2.scheduled_exit_signal = signal;
374  msg(D_SCHED_EXIT, "Delayed exit in %d seconds", n_seconds);
375 }
376 
377 /*
378  * Scheduled exit?
379  */
380 void
382 {
383  register_signal(c, c->c2.scheduled_exit_signal, "delayed-exit");
384 }
385 
386 #endif /* if P2MP */
387 
388 /*
389  * Should we write timer-triggered status file.
390  */
391 void
393 {
394  if (c->c1.status_output)
395  {
397  }
398 }
399 
400 #ifdef ENABLE_FRAGMENT
401 /*
402  * Should we deliver a datagram fragment to remote?
403  */
404 void
406 {
407  struct link_socket_info *lsi = get_link_socket_info(c);
408 
409  /* OS MTU Hint? */
410  if (lsi->mtu_changed)
411  {
413  c->options.ce.proto);
414  lsi->mtu_changed = false;
415  }
416 
418  {
419  if (!c->c2.to_link.len)
420  {
421  /* encrypt a fragment for output to TCP/UDP port */
423  encrypt_sign(c, false);
424  }
425  }
426 
428 }
429 #endif /* ifdef ENABLE_FRAGMENT */
430 
431 /*
432  * Buffer reallocation, for use with null encryption.
433  */
434 static inline void
435 buffer_turnover(const uint8_t *orig_buf, struct buffer *dest_stub, struct buffer *src_stub, struct buffer *storage)
436 {
437  if (orig_buf == src_stub->data && src_stub->data != storage->data)
438  {
439  buf_assign(storage, src_stub);
440  *dest_stub = *storage;
441  }
442  else
443  {
444  *dest_stub = *src_stub;
445  }
446 }
447 
448 /*
449  * Compress, fragment, encrypt and HMAC-sign an outgoing packet.
450  * Input: c->c2.buf
451  * Output: c->c2.to_link
452  */
453 void
454 encrypt_sign(struct context *c, bool comp_frag)
455 {
456  struct context_buffers *b = c->c2.buffers;
457  const uint8_t *orig_buf = c->c2.buf.data;
458  struct crypto_options *co = NULL;
459 
460 #if P2MP_SERVER
461  /*
462  * Drop non-TLS outgoing packet if client-connect script/plugin
463  * has not yet succeeded.
464  */
465  if (c->c2.context_auth != CAS_SUCCEEDED)
466  {
467  c->c2.buf.len = 0;
468  }
469 #endif
470 
471  if (comp_frag)
472  {
473 #ifdef USE_COMP
474  /* Compress the packet. */
475  if (c->c2.comp_context)
476  {
477  (*c->c2.comp_context->alg.compress)(&c->c2.buf, b->compress_buf, c->c2.comp_context, &c->c2.frame);
478  }
479 #endif
480 #ifdef ENABLE_FRAGMENT
481  if (c->c2.fragment)
482  {
484  }
485 #endif
486  }
487 
488 #ifdef ENABLE_CRYPTO
489  /* initialize work buffer with FRAME_HEADROOM bytes of prepend capacity */
491 
492  if (c->c2.tls_multi)
493  {
494  /* Get the key we will use to encrypt the packet. */
495  tls_pre_encrypt(c->c2.tls_multi, &c->c2.buf, &co);
496  /* If using P_DATA_V2, prepend the 1-byte opcode and 3-byte peer-id to the
497  * packet before openvpn_encrypt(), so we can authenticate the opcode too.
498  */
499  if (c->c2.buf.len > 0 && !c->c2.tls_multi->opt.server && c->c2.tls_multi->use_peer_id)
500  {
502  }
503  }
504  else
505  {
506  co = &c->c2.crypto_options;
507  }
508 
509  /* Encrypt and authenticate the packet */
510  openvpn_encrypt(&c->c2.buf, b->encrypt_buf, co);
511 
512  /* Do packet administration */
513  if (c->c2.tls_multi)
514  {
515  if (c->c2.buf.len > 0 && (c->c2.tls_multi->opt.server || !c->c2.tls_multi->use_peer_id))
516  {
518  }
520  }
521 #endif /* ifdef ENABLE_CRYPTO */
522 
523  /*
524  * Get the address we will be sending the packet to.
525  */
527  &c->c2.to_link_addr);
528 
529  /* if null encryption, copy result to read_tun_buf */
530  buffer_turnover(orig_buf, &c->c2.to_link, &c->c2.buf, &b->read_tun_buf);
531 }
532 
533 /*
534  * Coarse timers work to 1 second resolution.
535  */
536 static void
538 {
539 #ifdef ENABLE_CRYPTO
540  /* flush current packet-id to file once per 60
541  * seconds if --replay-persist was specified */
543 #endif
544 
545  /* should we update status file? */
547 
548  /* process connection establishment items */
550 
551 #if P2MP
552  /* see if we should send a push_request in response to --pull */
554 #endif
555 
556 #ifdef PLUGIN_PF
557  pf_check_reload(c);
558 #endif
559 
560  /* process --route options */
561  check_add_routes(c);
562 
563  /* possibly exit due to --inactive */
565  if (c->sig->signal_received)
566  {
567  return;
568  }
569 
570  /* restart if ping not received */
572  if (c->sig->signal_received)
573  {
574  return;
575  }
576 
577 #if P2MP
578  if (c->c2.tls_multi)
579  {
581  if (c->sig->signal_received)
582  {
583  return;
584  }
585 
587  if (c->sig->signal_received)
588  {
589  return;
590  }
591  }
592 #endif
593 
594 #ifdef ENABLE_OCC
595  /* Should we send an OCC_REQUEST message? */
597 
598  /* Should we send an MTU load test? */
600 
601  /* Should we send an OCC_EXIT message to remote? */
603  {
605  }
606 #endif
607 
608  /* Should we ping the remote? */
609  check_ping_send(c);
610 }
611 
612 static void
614 {
615  const struct timeval save = c->c2.timeval;
616  c->c2.timeval.tv_sec = BIG_TIMEOUT;
617  c->c2.timeval.tv_usec = 0;
619  c->c2.coarse_timer_wakeup = now + c->c2.timeval.tv_sec;
620 
621  dmsg(D_INTERVAL, "TIMER: coarse timer wakeup %lld seconds", (long long)c->c2.timeval.tv_sec);
622 
623  /* Is the coarse timeout NOT the earliest one? */
624  if (c->c2.timeval.tv_sec > save.tv_sec)
625  {
626  c->c2.timeval = save;
627  }
628 }
629 
630 static inline void
632 {
633  const time_t local_now = now;
634  if (local_now >= c->c2.coarse_timer_wakeup)
635  {
637  }
638  else
639  {
640  context_reschedule_sec(c, c->c2.coarse_timer_wakeup - local_now);
641  }
642 }
643 
644 static void
646 {
647  const int update_interval = 10; /* seconds */
648  c->c2.update_timeout_random_component = now + update_interval;
649  c->c2.timeout_random_component.tv_usec = (time_t) get_random() & 0x0003FFFF;
650  c->c2.timeout_random_component.tv_sec = 0;
651 
652  dmsg(D_INTERVAL, "RANDOM USEC=%d", (int) c->c2.timeout_random_component.tv_usec);
653 }
654 
655 static inline void
657 {
659  {
661  }
662  if (c->c2.timeval.tv_sec >= 1)
663  {
665  }
666 }
667 
668 /*
669  * Handle addition and removal of the 10-byte Socks5 header
670  * in UDP packets.
671  */
672 
673 static inline void
675 {
677  {
679  }
680 }
681 
682 static inline void
684  struct link_socket_actual **to_addr,
685  int *size_delta)
686 {
688  {
689  *size_delta += socks_process_outgoing_udp(&c->c2.to_link, c->c2.to_link_addr);
690  *to_addr = &c->c2.link_socket->socks_relay;
691  }
692 }
693 
694 /* undo effect of socks_preprocess_outgoing_link */
695 static inline void
697  int size_delta,
698  struct buffer *buf)
699 {
700  if (size_delta > 0 && *size > size_delta)
701  {
702  *size -= size_delta;
703  if (!buf_advance(buf, size_delta))
704  {
705  *size = 0;
706  }
707  }
708 }
709 
710 /*
711  * Output: c->c2.buf
712  */
713 
714 void
716 {
717  /*
718  * Set up for recvfrom call to read datagram
719  * sent to our TCP/UDP port.
720  */
721  int status;
722 
723  /*ASSERT (!c->c2.to_tun.len);*/
724 
726 
727  c->c2.buf = c->c2.buffers->read_link_buf;
729 
730  status = link_socket_read(c->c2.link_socket,
731  &c->c2.buf,
732  &c->c2.from);
733 
734  if (socket_connection_reset(c->c2.link_socket, status))
735  {
736 #if PORT_SHARE
737  if (port_share && socket_foreign_protocol_detected(c->c2.link_socket))
738  {
739  const struct buffer *fbuf = socket_foreign_protocol_head(c->c2.link_socket);
740  const int sd = socket_foreign_protocol_sd(c->c2.link_socket);
741  port_share_redirect(port_share, fbuf, sd);
742  register_signal(c, SIGTERM, "port-share-redirect");
743  }
744  else
745 #endif
746  {
747  /* received a disconnect from a connection-oriented protocol */
748  if (c->options.inetd)
749  {
750  register_signal(c, SIGTERM, "connection-reset-inetd");
751  msg(D_STREAM_ERRORS, "Connection reset, inetd/xinetd exit [%d]", status);
752  }
753  else
754  {
755 #ifdef ENABLE_OCC
757  {
758  msg(D_STREAM_ERRORS, "Connection reset during exit notification period, ignoring [%d]", status);
759  management_sleep(1);
760  }
761  else
762 #endif
763  {
764  register_signal(c, SIGUSR1, "connection-reset"); /* SOFT-SIGUSR1 -- TCP connection reset */
765  msg(D_STREAM_ERRORS, "Connection reset, restarting [%d]", status);
766  }
767  }
768  }
769  perf_pop();
770  return;
771  }
772 
773  /* check recvfrom status */
774  check_status(status, "read", c->c2.link_socket, NULL);
775 
776  /* Remove socks header if applicable */
778 
779  perf_pop();
780 }
781 
782 bool
783 process_incoming_link_part1(struct context *c, struct link_socket_info *lsi, bool floated)
784 {
785  struct gc_arena gc = gc_new();
786  bool decrypt_status = false;
787 
788  if (c->c2.buf.len > 0)
789  {
790  c->c2.link_read_bytes += c->c2.buf.len;
792 #ifdef ENABLE_MEMSTATS
793  if (mmap_stats)
794  {
795  mmap_stats->link_read_bytes = link_read_bytes_global;
796  }
797 #endif
798  c->c2.original_recv_size = c->c2.buf.len;
799 #ifdef ENABLE_MANAGEMENT
800  if (management)
801  {
803 #ifdef MANAGEMENT_DEF_AUTH
804  management_bytes_server(management, &c->c2.link_read_bytes, &c->c2.link_write_bytes, &c->c2.mda_context);
805 #endif
806  }
807 #endif
808  }
809  else
810  {
811  c->c2.original_recv_size = 0;
812  }
813 
814 #ifdef ENABLE_DEBUG
815  /* take action to corrupt packet if we are in gremlin test mode */
816  if (c->options.gremlin)
817  {
818  if (!ask_gremlin(c->options.gremlin))
819  {
820  c->c2.buf.len = 0;
821  }
822  corrupt_gremlin(&c->c2.buf, c->options.gremlin);
823  }
824 #endif
825 
826  /* log incoming packet */
827 #ifdef LOG_RW
828  if (c->c2.log_rw && c->c2.buf.len > 0)
829  {
830  fprintf(stderr, "R");
831  }
832 #endif
833  msg(D_LINK_RW, "%s READ [%d] from %s: %s",
834  proto2ascii(lsi->proto, lsi->af, true),
835  BLEN(&c->c2.buf),
836  print_link_socket_actual(&c->c2.from, &gc),
837  PROTO_DUMP(&c->c2.buf, &gc));
838 
839  /*
840  * Good, non-zero length packet received.
841  * Commence multi-stage processing of packet,
842  * such as authenticate, decrypt, decompress.
843  * If any stage fails, it sets buf.len to 0 or -1,
844  * telling downstream stages to ignore the packet.
845  */
846  if (c->c2.buf.len > 0)
847  {
848  struct crypto_options *co = NULL;
849  const uint8_t *ad_start = NULL;
850  if (!link_socket_verify_incoming_addr(&c->c2.buf, lsi, &c->c2.from))
851  {
852  link_socket_bad_incoming_addr(&c->c2.buf, lsi, &c->c2.from);
853  }
854 
855 #ifdef ENABLE_CRYPTO
856  if (c->c2.tls_multi)
857  {
858  /*
859  * If tls_pre_decrypt returns true, it means the incoming
860  * packet was a good TLS control channel packet. If so, TLS code
861  * will deal with the packet and set buf.len to 0 so downstream
862  * stages ignore it.
863  *
864  * If the packet is a data channel packet, tls_pre_decrypt
865  * will load crypto_options with the correct encryption key
866  * and return false.
867  */
868  uint8_t opcode = *BPTR(&c->c2.buf) >> P_OPCODE_SHIFT;
869  if (tls_pre_decrypt(c->c2.tls_multi, &c->c2.from, &c->c2.buf, &co,
870  floated, &ad_start))
871  {
872  /* Restore pre-NCP frame parameters */
873  if (is_hard_reset(opcode, c->options.key_method))
874  {
875  c->c2.frame = c->c2.frame_initial;
876  }
877 
879 
880  /* reset packet received timer if TLS packet */
881  if (c->options.ping_rec_timeout)
882  {
884  }
885  }
886  }
887  else
888  {
889  co = &c->c2.crypto_options;
890  }
891 #if P2MP_SERVER
892  /*
893  * Drop non-TLS packet if client-connect script/plugin has not
894  * yet succeeded.
895  */
896  if (c->c2.context_auth != CAS_SUCCEEDED)
897  {
898  c->c2.buf.len = 0;
899  }
900 #endif
901 
902  /* authenticate and decrypt the incoming packet */
903  decrypt_status = openvpn_decrypt(&c->c2.buf, c->c2.buffers->decrypt_buf,
904  co, &c->c2.frame, ad_start);
905 
906  if (!decrypt_status && link_socket_connection_oriented(c->c2.link_socket))
907  {
908  /* decryption errors are fatal in TCP mode */
909  register_signal(c, SIGUSR1, "decryption-error"); /* SOFT-SIGUSR1 -- decryption error in TCP mode */
910  msg(D_STREAM_ERRORS, "Fatal decryption error (process_incoming_link), restarting");
911  }
912 #else /* ENABLE_CRYPTO */
913  decrypt_status = true;
914 #endif /* ENABLE_CRYPTO */
915  }
916  else
917  {
918  buf_reset(&c->c2.to_tun);
919  }
920  gc_free(&gc);
921 
922  return decrypt_status;
923 }
924 
925 void
926 process_incoming_link_part2(struct context *c, struct link_socket_info *lsi, const uint8_t *orig_buf)
927 {
928  if (c->c2.buf.len > 0)
929  {
930 #ifdef ENABLE_FRAGMENT
931  if (c->c2.fragment)
932  {
934  }
935 #endif
936 
937 #ifdef USE_COMP
938  /* decompress the incoming packet */
939  if (c->c2.comp_context)
940  {
941  (*c->c2.comp_context->alg.decompress)(&c->c2.buf, c->c2.buffers->decompress_buf, c->c2.comp_context, &c->c2.frame);
942  }
943 #endif
944 
945 #ifdef PACKET_TRUNCATION_CHECK
946  /* if (c->c2.buf.len > 1) --c->c2.buf.len; */
947  ipv4_packet_size_verify(BPTR(&c->c2.buf),
948  BLEN(&c->c2.buf),
949  TUNNEL_TYPE(c->c1.tuntap),
950  "POST_DECRYPT",
951  &c->c2.n_trunc_post_decrypt);
952 #endif
953 
954  /*
955  * Set our "official" outgoing address, since
956  * if buf.len is non-zero, we know the packet
957  * authenticated. In TLS mode we do nothing
958  * because TLS mode takes care of source address
959  * authentication.
960  *
961  * Also, update the persisted version of our packet-id.
962  */
963  if (!TLS_MODE(c))
964  {
965  link_socket_set_outgoing_addr(&c->c2.buf, lsi, &c->c2.from, NULL, c->c2.es);
966  }
967 
968  /* reset packet received timer */
969  if (c->options.ping_rec_timeout && c->c2.buf.len > 0)
970  {
972  }
973 
974  /* increment authenticated receive byte count */
975  if (c->c2.buf.len > 0)
976  {
977  c->c2.link_read_bytes_auth += c->c2.buf.len;
979  }
980 
981  /* Did we just receive an openvpn ping packet? */
982  if (is_ping_msg(&c->c2.buf))
983  {
984  dmsg(D_PING, "RECEIVED PING PACKET");
985  c->c2.buf.len = 0; /* drop packet */
986  }
987 
988 #ifdef ENABLE_OCC
989  /* Did we just receive an OCC packet? */
990  if (is_occ_msg(&c->c2.buf))
991  {
993  }
994 #endif
995 
996  buffer_turnover(orig_buf, &c->c2.to_tun, &c->c2.buf, &c->c2.buffers->read_link_buf);
997 
998  /* to_tun defined + unopened tuntap can cause deadlock */
999  if (!tuntap_defined(c->c1.tuntap))
1000  {
1001  c->c2.to_tun.len = 0;
1002  }
1003  }
1004  else
1005  {
1006  buf_reset(&c->c2.to_tun);
1007  }
1008 }
1009 
1010 static void
1012 {
1014 
1015  struct link_socket_info *lsi = get_link_socket_info(c);
1016  const uint8_t *orig_buf = c->c2.buf.data;
1017 
1018  process_incoming_link_part1(c, lsi, false);
1019  process_incoming_link_part2(c, lsi, orig_buf);
1020 
1021  perf_pop();
1022 }
1023 
1024 /*
1025  * Output: c->c2.buf
1026  */
1027 
1028 void
1030 {
1031  /*
1032  * Setup for read() call on TUN/TAP device.
1033  */
1034  /*ASSERT (!c->c2.to_link.len);*/
1035 
1037 
1038  c->c2.buf = c->c2.buffers->read_tun_buf;
1039 #ifdef TUN_PASS_BUFFER
1041 #else
1042  ASSERT(buf_init(&c->c2.buf, FRAME_HEADROOM(&c->c2.frame)));
1044  c->c2.buf.len = read_tun(c->c1.tuntap, BPTR(&c->c2.buf), MAX_RW_SIZE_TUN(&c->c2.frame));
1045 #endif
1046 
1047 #ifdef PACKET_TRUNCATION_CHECK
1048  ipv4_packet_size_verify(BPTR(&c->c2.buf),
1049  BLEN(&c->c2.buf),
1050  TUNNEL_TYPE(c->c1.tuntap),
1051  "READ_TUN",
1052  &c->c2.n_trunc_tun_read);
1053 #endif
1054 
1055  /* Was TUN/TAP interface stopped? */
1056  if (tuntap_stop(c->c2.buf.len))
1057  {
1058  register_signal(c, SIGTERM, "tun-stop");
1059  msg(M_INFO, "TUN/TAP interface has been stopped, exiting");
1060  perf_pop();
1061  return;
1062  }
1063 
1064  /* Was TUN/TAP I/O operation aborted? */
1065  if (tuntap_abort(c->c2.buf.len))
1066  {
1067  register_signal(c, SIGHUP, "tun-abort");
1069  msg(M_INFO, "TUN/TAP I/O operation aborted, restarting");
1070  perf_pop();
1071  return;
1072  }
1073 
1074  /* Check the status return from read() */
1075  check_status(c->c2.buf.len, "read from TUN/TAP", NULL, c->c1.tuntap);
1076 
1077  perf_pop();
1078 }
1079 
1088 static void
1090 {
1091  bool drop = false;
1092  struct openvpn_sockaddr tun_sa;
1093  int ip_hdr_offset = 0;
1094 
1095  if (c->c2.to_link_addr == NULL) /* no remote addr known */
1096  {
1097  return;
1098  }
1099 
1100  tun_sa = c->c2.to_link_addr->dest;
1101 
1102  int proto_ver = get_tun_ip_ver(TUNNEL_TYPE(c->c1.tuntap), &c->c2.buf, &ip_hdr_offset);
1103 
1104  if (proto_ver == 4)
1105  {
1106  const struct openvpn_iphdr *pip;
1107 
1108  /* make sure we got whole IP header */
1109  if (BLEN(buf) < ((int) sizeof(struct openvpn_iphdr) + ip_hdr_offset))
1110  {
1111  return;
1112  }
1113 
1114  /* skip ipv4 packets for ipv6 tun */
1115  if (tun_sa.addr.sa.sa_family != AF_INET)
1116  {
1117  return;
1118  }
1119 
1120  pip = (struct openvpn_iphdr *) (BPTR(buf) + ip_hdr_offset);
1121 
1122  /* drop packets with same dest addr as gateway */
1123  if (tun_sa.addr.in4.sin_addr.s_addr == pip->daddr)
1124  {
1125  drop = true;
1126  }
1127  }
1128  else if (proto_ver == 6)
1129  {
1130  const struct openvpn_ipv6hdr *pip6;
1131 
1132  /* make sure we got whole IPv6 header */
1133  if (BLEN(buf) < ((int) sizeof(struct openvpn_ipv6hdr) + ip_hdr_offset))
1134  {
1135  return;
1136  }
1137 
1138  /* skip ipv6 packets for ipv4 tun */
1139  if (tun_sa.addr.sa.sa_family != AF_INET6)
1140  {
1141  return;
1142  }
1143 
1144  /* drop packets with same dest addr as gateway */
1145  pip6 = (struct openvpn_ipv6hdr *) (BPTR(buf) + ip_hdr_offset);
1146  if (IN6_ARE_ADDR_EQUAL(&tun_sa.addr.in6.sin6_addr, &pip6->daddr))
1147  {
1148  drop = true;
1149  }
1150  }
1151 
1152  if (drop)
1153  {
1154  struct gc_arena gc = gc_new();
1155 
1156  c->c2.buf.len = 0;
1157 
1158  msg(D_LOW, "Recursive routing detected, drop tun packet to %s",
1160  gc_free(&gc);
1161  }
1162 }
1163 
1164 /*
1165  * Input: c->c2.buf
1166  * Output: c->c2.to_link
1167  */
1168 
1169 void
1171 {
1172  struct gc_arena gc = gc_new();
1173 
1175 
1176  if (c->c2.buf.len > 0)
1177  {
1178  c->c2.tun_read_bytes += c->c2.buf.len;
1179  }
1180 
1181 #ifdef LOG_RW
1182  if (c->c2.log_rw && c->c2.buf.len > 0)
1183  {
1184  fprintf(stderr, "r");
1185  }
1186 #endif
1187 
1188  /* Show packet content */
1189  dmsg(D_TUN_RW, "TUN READ [%d]", BLEN(&c->c2.buf));
1190 
1191  if (c->c2.buf.len > 0)
1192  {
1194  {
1196  }
1197  /*
1198  * The --passtos and --mssfix options require
1199  * us to examine the IP header (IPv4 or IPv6).
1200  */
1202 
1203 #ifdef PACKET_TRUNCATION_CHECK
1204  /* if (c->c2.buf.len > 1) --c->c2.buf.len; */
1205  ipv4_packet_size_verify(BPTR(&c->c2.buf),
1206  BLEN(&c->c2.buf),
1207  TUNNEL_TYPE(c->c1.tuntap),
1208  "PRE_ENCRYPT",
1209  &c->c2.n_trunc_pre_encrypt);
1210 #endif
1211 
1212  encrypt_sign(c, true);
1213  }
1214  else
1215  {
1216  buf_reset(&c->c2.to_link);
1217  }
1218  perf_pop();
1219  gc_free(&gc);
1220 }
1221 
1222 void
1223 process_ip_header(struct context *c, unsigned int flags, struct buffer *buf)
1224 {
1225  if (!c->options.ce.mssfix)
1226  {
1227  flags &= ~PIP_MSSFIX;
1228  }
1229 #if PASSTOS_CAPABILITY
1230  if (!c->options.passtos)
1231  {
1232  flags &= ~PIPV4_PASSTOS;
1233  }
1234 #endif
1235  if (!c->options.client_nat)
1236  {
1237  flags &= ~PIPV4_CLIENT_NAT;
1238  }
1240  {
1241  flags &= ~PIPV4_EXTRACT_DHCP_ROUTER;
1242  }
1243 
1244  if (buf->len > 0)
1245  {
1246  /*
1247  * The --passtos and --mssfix options require
1248  * us to examine the IPv4 header.
1249  */
1250 
1251  if (flags & (PIP_MSSFIX
1253  | PIPV4_PASSTOS
1254 #endif
1256  ))
1257  {
1258  struct buffer ipbuf = *buf;
1259  if (is_ipv4(TUNNEL_TYPE(c->c1.tuntap), &ipbuf))
1260  {
1261 #if PASSTOS_CAPABILITY
1262  /* extract TOS from IP header */
1263  if (flags & PIPV4_PASSTOS)
1264  {
1265  link_socket_extract_tos(c->c2.link_socket, &ipbuf);
1266  }
1267 #endif
1268 
1269  /* possibly alter the TCP MSS */
1270  if (flags & PIP_MSSFIX)
1271  {
1273  }
1274 
1275  /* possibly do NAT on packet */
1276  if ((flags & PIPV4_CLIENT_NAT) && c->options.client_nat)
1277  {
1278  const int direction = (flags & PIPV4_OUTGOING) ? CN_INCOMING : CN_OUTGOING;
1279  client_nat_transform(c->options.client_nat, &ipbuf, direction);
1280  }
1281  /* possibly extract a DHCP router message */
1282  if (flags & PIPV4_EXTRACT_DHCP_ROUTER)
1283  {
1284  const in_addr_t dhcp_router = dhcp_extract_router_msg(&ipbuf);
1285  if (dhcp_router)
1286  {
1287  route_list_add_vpn_gateway(c->c1.route_list, c->c2.es, dhcp_router);
1288  }
1289  }
1290  }
1291  else if (is_ipv6(TUNNEL_TYPE(c->c1.tuntap), &ipbuf))
1292  {
1293  /* possibly alter the TCP MSS */
1294  if (flags & PIP_MSSFIX)
1295  {
1297  }
1298  }
1299  }
1300  }
1301 }
1302 
1303 /*
1304  * Input: c->c2.to_link
1305  */
1306 
1307 void
1309 {
1310  struct gc_arena gc = gc_new();
1311  int error_code = 0;
1312 
1314 
1315  if (c->c2.to_link.len > 0 && c->c2.to_link.len <= EXPANDED_SIZE(&c->c2.frame))
1316  {
1317  /*
1318  * Setup for call to send/sendto which will send
1319  * packet to remote over the TCP/UDP port.
1320  */
1321  int size = 0;
1323 
1324 #ifdef ENABLE_DEBUG
1325  /* In gremlin-test mode, we may choose to drop this packet */
1326  if (!c->options.gremlin || ask_gremlin(c->options.gremlin))
1327 #endif
1328  {
1329  /*
1330  * Let the traffic shaper know how many bytes
1331  * we wrote.
1332  */
1333 #ifdef ENABLE_FEATURE_SHAPER
1334  if (c->options.shaper)
1335  {
1336  shaper_wrote_bytes(&c->c2.shaper, BLEN(&c->c2.to_link)
1338  }
1339 #endif
1340  /*
1341  * Let the pinger know that we sent a packet.
1342  */
1343  if (c->options.ping_send_timeout)
1344  {
1346  }
1347 
1348 #if PASSTOS_CAPABILITY
1349  /* Set TOS */
1350  link_socket_set_tos(c->c2.link_socket);
1351 #endif
1352 
1353  /* Log packet send */
1354 #ifdef LOG_RW
1355  if (c->c2.log_rw)
1356  {
1357  fprintf(stderr, "W");
1358  }
1359 #endif
1360  msg(D_LINK_RW, "%s WRITE [%d] to %s: %s",
1362  BLEN(&c->c2.to_link),
1364  PROTO_DUMP(&c->c2.to_link, &gc));
1365 
1366  /* Packet send complexified by possible Socks5 usage */
1367  {
1368  struct link_socket_actual *to_addr = c->c2.to_link_addr;
1369  int size_delta = 0;
1370 
1371  /* If Socks5 over UDP, prepend header */
1372  socks_preprocess_outgoing_link(c, &to_addr, &size_delta);
1373 
1374  /* Send packet */
1375  size = link_socket_write(c->c2.link_socket,
1376  &c->c2.to_link,
1377  to_addr);
1378 
1379  /* Undo effect of prepend */
1380  link_socket_write_post_size_adjust(&size, size_delta, &c->c2.to_link);
1381  }
1382 
1383  if (size > 0)
1384  {
1386  c->c2.link_write_bytes += size;
1387  link_write_bytes_global += size;
1388 #ifdef ENABLE_MEMSTATS
1389  if (mmap_stats)
1390  {
1391  mmap_stats->link_write_bytes = link_write_bytes_global;
1392  }
1393 #endif
1394 #ifdef ENABLE_MANAGEMENT
1395  if (management)
1396  {
1398 #ifdef MANAGEMENT_DEF_AUTH
1399  management_bytes_server(management, &c->c2.link_read_bytes, &c->c2.link_write_bytes, &c->c2.mda_context);
1400 #endif
1401  }
1402 #endif
1403  }
1404  }
1405 
1406  /* Check return status */
1407  error_code = openvpn_errno();
1408  check_status(size, "write", c->c2.link_socket, NULL);
1409 
1410  if (size > 0)
1411  {
1412  /* Did we write a different size packet than we intended? */
1413  if (size != BLEN(&c->c2.to_link))
1414  {
1416  "TCP/UDP packet was truncated/expanded on write to %s (tried=%d,actual=%d)",
1418  BLEN(&c->c2.to_link),
1419  size);
1420  }
1421  }
1422 
1423  /* if not a ping/control message, indicate activity regarding --inactive parameter */
1424  if (c->c2.buf.len > 0)
1425  {
1426  register_activity(c, size);
1427  }
1428 
1429 
1430 #ifdef ENABLE_CRYPTO
1431  /* for unreachable network and "connecting" state switch to the next host */
1432  if (size < 0 && ENETUNREACH == error_code && c->c2.tls_multi
1434  {
1435  msg(M_INFO, "Network unreachable, restarting");
1436  register_signal(c, SIGUSR1, "network-unreachable");
1437  }
1438 #endif
1439  }
1440  else
1441  {
1442  if (c->c2.to_link.len > 0)
1443  {
1444  msg(D_LINK_ERRORS, "TCP/UDP packet too large on write to %s (tried=%d,max=%d)",
1446  c->c2.to_link.len,
1447  EXPANDED_SIZE(&c->c2.frame));
1448  }
1449  }
1450 
1451  buf_reset(&c->c2.to_link);
1452 
1453  perf_pop();
1454  gc_free(&gc);
1455 }
1456 
1457 /*
1458  * Input: c->c2.to_tun
1459  */
1460 
1461 void
1463 {
1464  struct gc_arena gc = gc_new();
1465 
1466  /*
1467  * Set up for write() call to TUN/TAP
1468  * device.
1469  */
1470  if (c->c2.to_tun.len <= 0)
1471  {
1472  return;
1473  }
1474 
1476 
1477  /*
1478  * The --mssfix option requires
1479  * us to examine the IP header (IPv4 or IPv6).
1480  */
1482 
1483  if (c->c2.to_tun.len <= MAX_RW_SIZE_TUN(&c->c2.frame))
1484  {
1485  /*
1486  * Write to TUN/TAP device.
1487  */
1488  int size;
1489 
1490 #ifdef LOG_RW
1491  if (c->c2.log_rw)
1492  {
1493  fprintf(stderr, "w");
1494  }
1495 #endif
1496  dmsg(D_TUN_RW, "TUN WRITE [%d]", BLEN(&c->c2.to_tun));
1497 
1498 #ifdef PACKET_TRUNCATION_CHECK
1499  ipv4_packet_size_verify(BPTR(&c->c2.to_tun),
1500  BLEN(&c->c2.to_tun),
1501  TUNNEL_TYPE(c->c1.tuntap),
1502  "WRITE_TUN",
1503  &c->c2.n_trunc_tun_write);
1504 #endif
1505 
1506 #ifdef TUN_PASS_BUFFER
1507  size = write_tun_buffered(c->c1.tuntap, &c->c2.to_tun);
1508 #else
1509  size = write_tun(c->c1.tuntap, BPTR(&c->c2.to_tun), BLEN(&c->c2.to_tun));
1510 #endif
1511 
1512  if (size > 0)
1513  {
1514  c->c2.tun_write_bytes += size;
1515  }
1516  check_status(size, "write to TUN/TAP", NULL, c->c1.tuntap);
1517 
1518  /* check written packet size */
1519  if (size > 0)
1520  {
1521  /* Did we write a different size packet than we intended? */
1522  if (size != BLEN(&c->c2.to_tun))
1523  {
1525  "TUN/TAP packet was destructively fragmented on write to %s (tried=%d,actual=%d)",
1526  c->c1.tuntap->actual_name,
1527  BLEN(&c->c2.to_tun),
1528  size);
1529  }
1530 
1531  /* indicate activity regarding --inactive parameter */
1532  register_activity(c, size);
1533  }
1534  }
1535  else
1536  {
1537  /*
1538  * This should never happen, probably indicates some kind
1539  * of MTU mismatch.
1540  */
1541  msg(D_LINK_ERRORS, "tun packet too large on write (tried=%d,max=%d)",
1542  c->c2.to_tun.len,
1543  MAX_RW_SIZE_TUN(&c->c2.frame));
1544  }
1545 
1546  buf_reset(&c->c2.to_tun);
1547 
1548  perf_pop();
1549  gc_free(&gc);
1550 }
1551 
1552 void
1554 {
1555  /* make sure current time (now) is updated on function entry */
1556 
1557  /*
1558  * Start with an effectively infinite timeout, then let it
1559  * reduce to a timeout that reflects the component which
1560  * needs the earliest service.
1561  */
1562  c->c2.timeval.tv_sec = BIG_TIMEOUT;
1563  c->c2.timeval.tv_usec = 0;
1564 
1565 #if defined(_WIN32)
1567  {
1568  c->c2.timeval.tv_sec = 1;
1569  if (tuntap_defined(c->c1.tuntap))
1570  {
1571  tun_show_debug(c->c1.tuntap);
1572  }
1573  }
1574 #endif
1575 
1576  /* check coarse timers? */
1578  if (c->sig->signal_received)
1579  {
1580  return;
1581  }
1582 
1583  /* Does TLS need service? */
1584  check_tls(c);
1585 
1586  /* In certain cases, TLS errors will require a restart */
1587  check_tls_errors(c);
1588  if (c->sig->signal_received)
1589  {
1590  return;
1591  }
1592 
1593  /* check for incoming configuration info on the control channel */
1595 
1596 #ifdef ENABLE_OCC
1597  /* Should we send an OCC message? */
1598  check_send_occ_msg(c);
1599 #endif
1600 
1601 #ifdef ENABLE_FRAGMENT
1602  /* Should we deliver a datagram fragment to remote? */
1603  check_fragment(c);
1604 #endif
1605 
1606  /* Update random component of timeout */
1608 }
1609 
1610 /*
1611  * Wait for I/O events. Used for both TCP & UDP sockets
1612  * in point-to-point mode and for UDP sockets in
1613  * point-to-multipoint mode.
1614  */
1615 
1616 void
1617 io_wait_dowork(struct context *c, const unsigned int flags)
1618 {
1619  unsigned int socket = 0;
1620  unsigned int tuntap = 0;
1621  struct event_set_return esr[4];
1622 
1623  /* These shifts all depend on EVENT_READ and EVENT_WRITE */
1624  static int socket_shift = 0; /* depends on SOCKET_READ and SOCKET_WRITE */
1625  static int tun_shift = 2; /* depends on TUN_READ and TUN_WRITE */
1626  static int err_shift = 4; /* depends on ES_ERROR */
1627 #ifdef ENABLE_MANAGEMENT
1628  static int management_shift = 6; /* depends on MANAGEMENT_READ and MANAGEMENT_WRITE */
1629 #endif
1630 #ifdef ENABLE_ASYNC_PUSH
1631  static int file_shift = 8; /* listening inotify events */
1632 #endif
1633 
1634  /*
1635  * Decide what kind of events we want to wait for.
1636  */
1637  event_reset(c->c2.event_set);
1638 
1639  /*
1640  * On win32 we use the keyboard or an event object as a source
1641  * of asynchronous signals.
1642  */
1643  if (flags & IOW_WAIT_SIGNAL)
1644  {
1645  wait_signal(c->c2.event_set, (void *)&err_shift);
1646  }
1647 
1648  /*
1649  * If outgoing data (for TCP/UDP port) pending, wait for ready-to-send
1650  * status from TCP/UDP port. Otherwise, wait for incoming data on
1651  * TUN/TAP device.
1652  */
1653  if (flags & IOW_TO_LINK)
1654  {
1655  if (flags & IOW_SHAPER)
1656  {
1657  /*
1658  * If sending this packet would put us over our traffic shaping
1659  * quota, don't send -- instead compute the delay we must wait
1660  * until it will be OK to send the packet.
1661  */
1662 #ifdef ENABLE_FEATURE_SHAPER
1663  int delay = 0;
1664 
1665  /* set traffic shaping delay in microseconds */
1666  if (c->options.shaper)
1667  {
1668  delay = max_int(delay, shaper_delay(&c->c2.shaper));
1669  }
1670 
1671  if (delay < 1000)
1672  {
1673  socket |= EVENT_WRITE;
1674  }
1675  else
1676  {
1677  shaper_soonest_event(&c->c2.timeval, delay);
1678  }
1679 #else /* ENABLE_FEATURE_SHAPER */
1680  socket |= EVENT_WRITE;
1681 #endif /* ENABLE_FEATURE_SHAPER */
1682  }
1683  else
1684  {
1685  socket |= EVENT_WRITE;
1686  }
1687  }
1688  else if (!((flags & IOW_FRAG) && TO_LINK_FRAG(c)))
1689  {
1690  if (flags & IOW_READ_TUN)
1691  {
1692  tuntap |= EVENT_READ;
1693  }
1694  }
1695 
1696  /*
1697  * If outgoing data (for TUN/TAP device) pending, wait for ready-to-send status
1698  * from device. Otherwise, wait for incoming data on TCP/UDP port.
1699  */
1700  if (flags & IOW_TO_TUN)
1701  {
1702  tuntap |= EVENT_WRITE;
1703  }
1704  else
1705  {
1706  if (flags & IOW_READ_LINK)
1707  {
1708  socket |= EVENT_READ;
1709  }
1710  }
1711 
1712  /*
1713  * outgoing bcast buffer waiting to be sent?
1714  */
1715  if (flags & IOW_MBUF)
1716  {
1717  socket |= EVENT_WRITE;
1718  }
1719 
1720  /*
1721  * Force wait on TUN input, even if also waiting on TCP/UDP output
1722  */
1723  if (flags & IOW_READ_TUN_FORCE)
1724  {
1725  tuntap |= EVENT_READ;
1726  }
1727 
1728  /*
1729  * Configure event wait based on socket, tuntap flags.
1730  */
1731  socket_set(c->c2.link_socket, c->c2.event_set, socket, (void *)&socket_shift, NULL);
1732  tun_set(c->c1.tuntap, c->c2.event_set, tuntap, (void *)&tun_shift, NULL);
1733 
1734 #ifdef ENABLE_MANAGEMENT
1735  if (management)
1736  {
1737  management_socket_set(management, c->c2.event_set, (void *)&management_shift, NULL);
1738  }
1739 #endif
1740 
1741 #ifdef ENABLE_ASYNC_PUSH
1742  /* arm inotify watcher */
1743  if (c->options.mode == MODE_SERVER)
1744  {
1745  event_ctl(c->c2.event_set, c->c2.inotify_fd, EVENT_READ, (void *)&file_shift);
1746  }
1747 #endif
1748 
1749  /*
1750  * Possible scenarios:
1751  * (1) tcp/udp port has data available to read
1752  * (2) tcp/udp port is ready to accept more data to write
1753  * (3) tun dev has data available to read
1754  * (4) tun dev is ready to accept more data to write
1755  * (5) we received a signal (handler sets signal_received)
1756  * (6) timeout (tv) expired
1757  */
1758 
1760 
1761  if (!c->sig->signal_received)
1762  {
1763  if (!(flags & IOW_CHECK_RESIDUAL) || !socket_read_residual(c->c2.link_socket))
1764  {
1765  int status;
1766 
1767 #ifdef ENABLE_DEBUG
1769  {
1770  show_wait_status(c);
1771  }
1772 #endif
1773 
1774  /*
1775  * Wait for something to happen.
1776  */
1777  status = event_wait(c->c2.event_set, &c->c2.timeval, esr, SIZE(esr));
1778 
1779  check_status(status, "event_wait", NULL, NULL);
1780 
1781  if (status > 0)
1782  {
1783  int i;
1784  c->c2.event_set_status = 0;
1785  for (i = 0; i < status; ++i)
1786  {
1787  const struct event_set_return *e = &esr[i];
1788  c->c2.event_set_status |= ((e->rwflags & 3) << *((int *)e->arg));
1789  }
1790  }
1791  else if (status == 0)
1792  {
1794  }
1795  }
1796  else
1797  {
1799  }
1800  }
1801 
1802  /* 'now' should always be a reasonably up-to-date timestamp */
1803  update_time();
1804 
1805  /* set signal_received if a signal was received */
1806  if (c->c2.event_set_status & ES_ERROR)
1807  {
1809  }
1810 
1811  dmsg(D_EVENT_WAIT, "I/O WAIT status=0x%04x", c->c2.event_set_status);
1812 }
1813 
1814 void
1816 {
1817  const unsigned int status = c->c2.event_set_status;
1818 
1819 #ifdef ENABLE_MANAGEMENT
1820  if (status & (MANAGEMENT_READ|MANAGEMENT_WRITE))
1821  {
1822  ASSERT(management);
1824  }
1825 #endif
1826 
1827  /* TCP/UDP port ready to accept write */
1828  if (status & SOCKET_WRITE)
1829  {
1831  }
1832  /* TUN device ready to accept write */
1833  else if (status & TUN_WRITE)
1834  {
1836  }
1837  /* Incoming data on TCP/UDP port */
1838  else if (status & SOCKET_READ)
1839  {
1840  read_incoming_link(c);
1841  if (!IS_SIG(c))
1842  {
1844  }
1845  }
1846  /* Incoming data on TUN device */
1847  else if (status & TUN_READ)
1848  {
1849  read_incoming_tun(c);
1850  if (!IS_SIG(c))
1851  {
1853  }
1854  }
1855 }
struct env_set * es
Definition: openvpn.h:435
#define TLSMP_ACTIVE
Definition: ssl.h:230
void io_wait_dowork(struct context *c, const unsigned int flags)
Definition: forward.c:1617
static void link_socket_get_outgoing_addr(struct buffer *buf, const struct link_socket_info *info, struct link_socket_actual **act)
Definition: socket.h:950
void receive_auth_failed(struct context *c, const struct buffer *buffer)
Definition: push.c:51
#define ES_ERROR
Definition: openvpn.h:244
counter_type tun_read_bytes
Definition: openvpn.h:285
void check_server_poll_timeout_dowork(struct context *c)
Definition: forward.c:351
struct buffer to_link
Definition: openvpn.h:392
#define ETT_DEFAULT
Definition: interval.h:213
Security parameter state for processing data channel packets.
Definition: crypto.h:234
union openvpn_sockaddr::@6 addr
bool log_rw
Definition: openvpn.h:395
uint32_t daddr
Definition: proto.h:105
struct event_timeout route_wakeup
Definition: openvpn.h:398
#define TO_LINK_FRAG(c)
Definition: forward.h:43
Definition: tun.h:131
struct client_nat_option_list * client_nat
Definition: options.h:346
static bool tuntap_abort(int status)
Definition: tun.h:417
struct buffer read_tun_buf
Definition: openvpn.h:115
struct event_timeout ping_rec_interval
Definition: openvpn.h:303
void check_tls_dowork(struct context *c)
Definition: forward.c:92
struct options options
Options loaded from command line or configuration file.
Definition: openvpn.h:510
#define BIG_TIMEOUT
Definition: common.h:50
struct event_timeout route_wakeup_expire
Definition: openvpn.h:399
#define D_ROUTE
Definition: errlevel.h:80
counter_type link_write_bytes
Definition: openvpn.h:289
struct interval tmp_int
Definition: openvpn.h:357
static bool buf_advance(struct buffer *buf, int size)
Definition: buffer.h:613
bool do_up(struct context *c, bool pulled_options, unsigned int option_types_found)
Definition: init.c:2038
int inetd
Definition: options.h:298
#define M_INFO
Definition: errlevel.h:55
Contains all state information for one tunnel.
Definition: openvpn.h:508
void tun_show_debug(struct tuntap *tt)
Definition: tun.c:6151
in_addr_t dhcp_extract_router_msg(struct buffer *ipbuf)
Definition: dhcp.c:194
static void check_send_occ_load_test(struct context *c)
Definition: occ-inline.h:60
#define SIZE(x)
Definition: basic.h:30
static void link_socket_set_outgoing_addr(const struct buffer *buf, struct link_socket_info *info, const struct link_socket_actual *act, const char *common_name, struct env_set *es)
Definition: socket.h:971
static void check_timeout_random_component_dowork(struct context *c)
Definition: forward.c:645
bool tun_standby(struct tuntap *tt)
Definition: tun.c:5399
const char * print_link_socket_actual(const struct link_socket_actual *act, struct gc_arena *gc)
Definition: socket.c:2755
static void gc_free(struct gc_arena *a)
Definition: buffer.h:990
static bool check_debug_level(unsigned int level)
Definition: error.h:245
#define D_EVENT_WAIT
Definition: errlevel.h:157
void mss_fixup_ipv6(struct buffer *buf, int maxmss)
Definition: mss.c:86
void tls_post_encrypt(struct tls_multi *multi, struct buffer *buf)
Perform some accounting for the key state used.
Definition: ssl.c:3961
#define MTU_TO_MSS(mtu)
Definition: proto.h:217
#define PERF_PROC_OUT_LINK
Definition: perf.h:55
bool send_control_channel_string(struct context *c, const char *str, int msglevel)
Definition: forward.c:249
#define IOW_READ_LINK
Definition: forward.h:53
bool buf_assign(struct buffer *dest, const struct buffer *src)
Definition: buffer.c:173
static void context_reschedule_sec(struct context *c, int sec)
static void check_timeout_random_component(struct context *c)
Definition: forward.c:656
#define CC_PRINT
Definition: buffer.h:882
struct buffer buf
Definition: openvpn.h:390
void process_ip_header(struct context *c, unsigned int flags, struct buffer *buf)
Definition: forward.c:1223
static bool buf_safe(const struct buffer *buf, int len)
Definition: buffer.h:515
#define ASSERT(x)
Definition: error.h:221
static int tls_test_payload_len(const struct tls_multi *multi)
Definition: ssl.h:547
#define SIGUSR1
Definition: config-msvc.h:116
static int link_socket_read(struct link_socket *sock, struct buffer *buf, struct link_socket_actual *from)
Definition: socket.h:1054
struct context_buffers * buffers
Definition: openvpn.h:382
struct event_timeout wait_for_connect
Definition: openvpn.h:301
static void check_send_occ_req(struct context *c)
Definition: occ-inline.h:43
static bool is_occ_msg(const struct buffer *buf)
Definition: occ.h:86
static void check_ping_send(struct context *c)
Definition: ping-inline.h:51
int read_tun(struct tuntap *tt, uint8_t *buf, int len)
static void perf_pop(void)
Definition: perf.h:82
bool buf_printf(struct buffer *buf, const char *format,...)
Definition: buffer.c:223
void process_received_occ_msg(struct context *c)
Definition: occ.c:355
static void perf_push(int type)
Definition: perf.h:78
void tls_prepend_opcode_v2(const struct tls_multi *multi, struct buffer *buf)
Prepend an OpenVPN data channel P_DATA_V2 header to the packet.
Definition: ssl.c:3946
#define PERF_READ_IN_LINK
Definition: perf.h:51
void do_route(const struct options *options, struct route_list *route_list, struct route_ipv6_list *route_ipv6_list, const struct tuntap *tt, const struct plugin_list *plugins, struct env_set *es)
Definition: init.c:1597
static void event_timeout_clear(struct event_timeout *et)
Definition: interval.h:150
#define in_addr_t
Definition: config-msvc.h:104
static void process_coarse_timers(struct context *c)
Definition: forward.c:537
#define TUN_READ
Definition: openvpn.h:242
struct signal_info * sig
Internal error signaling object.
Definition: openvpn.h:533
static void interval_future_trigger(struct interval *top, interval_t wakeup)
Definition: interval.h:108
#define IOW_SHAPER
Definition: forward.h:54
struct frame frame_initial
Definition: openvpn.h:266
static bool fragment_outgoing_defined(struct fragment_master *f)
Check whether a fragment_master structure contains fragments ready to be sent.
Definition: fragment.h:448
void pre_select(struct context *c)
Definition: forward.c:1553
#define SOCKET_READ
Definition: openvpn.h:240
int max_recv_size_local
Definition: openvpn.h:324
static void check_packet_id_persist_flush(struct context *c)
#define SIGTERM
Definition: config-msvc.h:118
#define TLS_MODE(c)
Definition: openvpn.h:570
void check_status_file_dowork(struct context *c)
Definition: forward.c:392
static void get_signal(volatile int *sig)
Definition: sig.h:92
#define SIGHUP
Definition: config-msvc.h:114
struct tuntap * tuntap
Tun/tap virtual network interface.
Definition: openvpn.h:171
static void check_scheduled_exit(struct context *c)
static int event_wait(struct event_set *es, const struct timeval *tv, struct event_set_return *out, int outlen)
Definition: event.h:125
bool test_routes(const struct route_list *rl, const struct tuntap *tt)
Definition: route.c:2629
void socks_process_incoming_udp(struct buffer *buf, struct link_socket_actual *from)
Definition: socks.c:556
bool allow_recursive_routing
Definition: options.h:610
bool fragment_ready_to_send(struct fragment_master *f, struct buffer *buf, const struct frame *frame)
Check whether outgoing fragments are ready to be send, and if so make one available.
Definition: fragment.c:380
#define IOW_TO_LINK
Definition: forward.h:51
void read_incoming_link(struct context *c)
Read a packet from the external network interface.
Definition: forward.c:715
static bool link_socket_verify_incoming_addr(struct buffer *buf, const struct link_socket_info *info, const struct link_socket_actual *from_addr)
Definition: socket.h:922
void * arg
Definition: event.h:80
static bool tuntap_defined(const struct tuntap *tt)
Definition: tun.h:199
static unsigned int tun_set(struct tuntap *tt, struct event_set *es, unsigned int rwflags, void *arg, unsigned int *persistent)
Definition: tun.h:508
static bool link_socket_connection_oriented(const struct link_socket *sock)
Definition: socket.h:606
#define openvpn_errno()
Definition: error.h:74
int ping_rec_timeout
Definition: options.h:255
#define D_LOW
Definition: errlevel.h:97
int context_auth
Definition: openvpn.h:466
int write_tun(struct tuntap *tt, uint8_t *buf, int len)
#define ES_TIMEOUT
Definition: openvpn.h:245
static bool interval_test(struct interval *top)
Definition: interval.h:66
struct in6_addr daddr
Definition: proto.h:120
counter_type link_read_bytes_global
Definition: forward.c:50
static void check_incoming_control_channel(struct context *c)
void encrypt_sign(struct context *c, bool comp_frag)
Process a data channel packet that will be sent through a VPN tunnel.
Definition: forward.c:454
void fragment_outgoing(struct fragment_master *f, struct buffer *buf, const struct frame *frame)
Process an outgoing packet, which may or may not need to be fragmented.
Definition: fragment.c:325
bool is_hard_reset(int op, int key_method)
Given a key_method, return true if opcode represents the required form of hard_reset.
Definition: ssl.c:847
#define MODE_SERVER
Definition: options.h:179
bool send_push_request(struct context *c)
Definition: push.c:297
bool use_peer_id
Definition: ssl_common.h:557
void tls_pre_encrypt(struct tls_multi *multi, struct buffer *buf, struct crypto_options **opt)
Choose the appropriate security parameters with which to process an outgoing packet.
Definition: ssl.c:3880
struct event_timeout ping_send_interval
Definition: openvpn.h:302
#define D_PING
Definition: errlevel.h:140
#define D_LINK_RW
Definition: errlevel.h:112
#define PIP_MSSFIX
Definition: forward.h:253
#define FRAME_HEADROOM_ADJ(f, fm)
Definition: mtu.h:188
struct sockaddr_in6 in6
Definition: socket.h:70
int len
Length in bytes of the actual content within the allocated memory.
Definition: buffer.h:66
static void check_send_occ_msg(struct context *c)
Definition: occ-inline.h:77
time_t explicit_exit_notification_time_wait
Definition: openvpn.h:430
#define PIPV4_CLIENT_NAT
Definition: forward.h:256
void link_socket_bad_incoming_addr(struct buffer *buf, const struct link_socket_info *info, const struct link_socket_actual *from_addr)
Definition: socket.c:2354
struct context_1 c1
Level 1 context.
Definition: openvpn.h:546
static void tls_set_single_session(struct tls_multi *multi)
Definition: ssl.h:561
#define IOW_TO_TUN
Definition: forward.h:50
#define PIPV4_PASSTOS
Definition: forward.h:252
struct context_persist persist
Persistent context.
Definition: openvpn.h:543
struct buffer decrypt_buf
Definition: openvpn.h:101
#define D_INTERVAL
Definition: errlevel.h:153
#define BPTR(buf)
Definition: buffer.h:124
struct frame frame_fragment
Definition: openvpn.h:271
#define PIPV4_OUTGOING
Definition: forward.h:254
static void fragment_housekeeping(struct fragment_master *f, struct frame *frame, struct timeval *tv)
Perform housekeeping of a fragment_master structure.
Definition: fragment.h:475
void tls_prepend_opcode_v1(const struct tls_multi *multi, struct buffer *buf)
Prepend a one-byte OpenVPN data channel P_DATA_V1 opcode to the packet.
Definition: ssl.c:3932
const char * tv_string(const struct timeval *tv, struct gc_arena *gc)
Definition: otime.c:88
static void event_timeout_reset(struct event_timeout *et)
Definition: interval.h:174
counter_type tun_write_bytes
Definition: openvpn.h:286
bool event_timeout_trigger(struct event_timeout *et, struct timeval *tv, const int et_const_retry)
Definition: interval.c:45
int proto
Definition: options.h:90
#define IOW_READ_TUN_FORCE
Definition: forward.h:58
void client_nat_transform(const struct client_nat_option_list *list, struct buffer *ipbuf, const int direction)
Definition: clinat.c:195
counter_type link_read_bytes
Definition: openvpn.h:287
static void process_incoming_link(struct context *c)
Definition: forward.c:1011
int mode
Definition: options.h:180
static void check_coarse_timers(struct context *c)
Definition: forward.c:631
#define PROTO_DUMP(buf, gc)
Definition: openvpn.h:572
static struct gc_arena gc_new(void)
Definition: buffer.h:982
void show_wait_status(struct context *c)
time_t now
Definition: otime.c:36
struct link_socket_actual * to_link_addr
Definition: openvpn.h:261
void buf_null_terminate(struct buffer *buf)
Definition: buffer.c:510
static void interval_action(struct interval *top)
Definition: interval.h:124
struct route_list * route_list
List of routing information.
Definition: openvpn.h:176
#define IOW_MBUF
Definition: forward.h:57
void management_socket_set(struct management *man, struct event_set *es, void *arg, unsigned int *persistent)
Definition: manage.c:3022
void process_explicit_exit_notification_timer_wakeup(struct context *c)
Definition: sig.c:348
void check_add_routes_dowork(struct context *c)
Definition: forward.c:297
int get_server_poll_remaining_time(struct event_timeout *server_poll_timeout)
Definition: forward.c:342
static void management_bytes_in(struct management *man, const int size)
Definition: manage.h:576
#define FRAME_HEADROOM(f)
Definition: mtu.h:187
static bool event_timeout_defined(const struct event_timeout *et)
Definition: interval.h:144
int mssfix
Definition: options.h:120
struct frame frame
Definition: openvpn.h:265
static bool tls_initial_packet_received(const struct tls_multi *multi)
Definition: ssl.h:530
struct timeval timeval
Definition: openvpn.h:409
struct sockaddr_in in4
Definition: socket.h:69
static int write_tun_buffered(struct tuntap *tt, struct buffer *buf)
Definition: tun.h:461
interval_t n
Definition: interval.h:139
#define D_TAP_WIN_DEBUG
Definition: errlevel.h:114
static bool link_socket_actual_defined(const struct link_socket_actual *act)
Definition: socket.h:684
static void buffer_turnover(const uint8_t *orig_buf, struct buffer *dest_stub, struct buffer *src_stub, struct buffer *storage)
Definition: forward.c:435
static void check_add_routes(struct context *c)
static void check_inactivity_timeout(struct context *c)
static int link_socket_write(struct link_socket *sock, struct buffer *buf, struct link_socket_actual *to)
Definition: socket.h:1167
#define IOW_FRAG
Definition: forward.h:56
static void tv_add(struct timeval *dest, const struct timeval *src)
Definition: otime.h:165
static SERVICE_STATUS status
Definition: automatic.c:47
#define D_SCHED_EXIT
Definition: errlevel.h:89
static void register_activity(struct context *c, const int size)
static void event_reset(struct event_set *es)
Definition: event.h:107
static int get_tun_ip_ver(int tunnel_type, struct buffer *buf, int *ip_hdr_offset)
Definition: proto.h:225
#define EXPANDED_SIZE(f)
Definition: mtu.h:172
#define PERF_PROC_IN_TUN
Definition: perf.h:54
struct event_timeout scheduled_exit
Definition: openvpn.h:478
static void event_ctl(struct event_set *es, event_t event, unsigned int rwflags, void *arg)
Definition: event.h:119
struct tls_options opt
Definition: ssl_common.h:502
const char * sanitize_control_message(const char *src, struct gc_arena *gc)
Definition: misc.c:1467
void process_outgoing_link(struct context *c)
Write a packet to the external network interface.
Definition: forward.c:1308
void route_list_add_vpn_gateway(struct route_list *rl, struct env_set *es, const in_addr_t addr)
Definition: route.c:536
int restart_sleep_seconds
Definition: openvpn.h:123
unsigned int counter_type
Definition: common.h:38
struct link_socket * link_socket
Definition: openvpn.h:256
static bool socket_connection_reset(const struct link_socket *sock, int status)
Definition: socket.h:900
void process_io(struct context *c)
Definition: forward.c:1815
#define CN_OUTGOING
Definition: clinat.h:31
void initialization_sequence_completed(struct context *c, const unsigned int flags)
Definition: init.c:1476
const char * socket_stat(const struct link_socket *s, unsigned int rwflags, struct gc_arena *gc)
Definition: socket.c:2457
void check_fragment_dowork(struct context *c)
Definition: forward.c:405
void reset_coarse_timers(struct context *c)
Definition: init.c:1266
counter_type link_write_bytes_global
Definition: forward.c:51
Interface functions to the internal and external multiplexers.
#define IS_SIG(c)
Definition: sig.h:50
static void check_status_file(struct context *c)
int ping_send_timeout
Definition: options.h:254
void incoming_push_message(struct context *c, const struct buffer *buffer)
Definition: push.c:240
static int read_tun_buffered(struct tuntap *tt, struct buffer *buf, int maxsize)
Definition: tun.h:455
bool tls_rec_payload(struct tls_multi *multi, struct buffer *buf)
Definition: ssl.c:4020
struct connection_entry ce
Definition: options.h:203
#define D_TUN_RW
Definition: errlevel.h:113
struct route_ipv6_list * route_ipv6_list
Definition: openvpn.h:181
struct context_2 c2
Level 2 context.
Definition: openvpn.h:547
uint8_t * data
Pointer to the allocated memory.
Definition: buffer.h:68
#define dmsg
Definition: error.h:174
void read_incoming_tun(struct context *c)
Read a packet from the virtual tun/tap network interface.
Definition: forward.c:1029
#define MANAGEMENT_WRITE
Definition: openvpn.h:248
void print_status(const struct context *c, struct status_output *so)
Definition: sig.c:292
#define TUN_MTU_SIZE_DYNAMIC(f)
Definition: mtu.h:157
void check_push_request_dowork(struct context *c)
Definition: forward.c:192
void openvpn_encrypt(struct buffer *buf, struct buffer work, struct crypto_options *opt)
Encrypt and HMAC sign a packet so that it can be sent as a data channel VPN tunnel packet to a remote...
Definition: crypto.c:305
#define IOW_WAIT_SIGNAL
Definition: forward.h:59
int socks_process_outgoing_udp(struct buffer *buf, const struct link_socket_actual *to)
Definition: socks.c:595
#define EVENT_READ
Definition: event.h:36
time_t update_timeout_random_component
Definition: openvpn.h:416
#define BLEN(buf)
Definition: buffer.h:127
#define ISC_ERRORS
Definition: init.h:116
#define CN_INCOMING
Definition: clinat.h:32
const char * tun_stat(const struct tuntap *tt, unsigned int rwflags, struct gc_arena *gc)
Definition: tun.c:523
bool shaper_soonest_event(struct timeval *tv, int delay)
Definition: shaper.c:41
#define P_OPCODE_SHIFT
Definition: ssl.h:53
void show_adapters(int msglev)
Definition: tun.c:4763
struct event_set * event_set
Definition: openvpn.h:235
struct buffer read_link_buf
Definition: openvpn.h:114
bool openvpn_decrypt(struct buffer *buf, struct buffer work, struct crypto_options *opt, const struct frame *frame, const uint8_t *ad_start)
HMAC verify and decrypt a data channel packet received from a remote OpenVPN peer.
Definition: crypto.c:674
static int max_int(int x, int y)
Definition: integer.h:34
struct event_timeout push_request_interval
Definition: openvpn.h:469
#define CAS_SUCCEEDED
Definition: openvpn.h:461
#define TLSMP_KILL
Definition: ssl.h:231
unsigned __int8 uint8_t
Definition: config-msvc.h:123
static void check_tls_errors(struct context *c)
#define MODE_POINT_TO_POINT
Definition: options.h:178
static void event_timeout_modify_wakeup(struct event_timeout *et, interval_t n)
Definition: interval.h:183
bool tls_pre_decrypt(struct tls_multi *multi, const struct link_socket_actual *from, struct buffer *buf, struct crypto_options **opt, bool floated, const uint8_t **ad_start)
Determine whether an incoming packet is a data channel or control channel packet, and process accordi...
Definition: ssl.c:3305
bool string_mod(char *str, const unsigned int inclusive, const unsigned int exclusive, const char replace)
Definition: buffer.c:1019
static void drop_if_recursive_routing(struct context *c, struct buffer *buf)
Drops UDP packets which OS decided to route via tun.
Definition: forward.c:1089
int scheduled_exit_signal
Definition: openvpn.h:479
#define PERF_READ_IN_TUN
Definition: perf.h:53
unsigned int socket_set(struct link_socket *s, struct event_set *es, unsigned int rwflags, void *arg, unsigned int *persistent)
Definition: socket.c:3794
volatile int signal_received
Definition: sig.h:45
bool is_ipv6(int tunnel_type, struct buffer *buf)
Definition: proto.c:96
#define PUSH_REQUEST_INTERVAL
Definition: common.h:89
static void interval_schedule_wakeup(struct interval *top, interval_t *wakeup)
Definition: interval.h:94
void check_scheduled_exit_dowork(struct context *c)
Definition: forward.c:381
static bool is_ping_msg(const struct buffer *buf)
Definition: ping.h:41
#define IN6_ARE_ADDR_EQUAL(a, b)
Definition: win32.h:44
void register_signal(struct context *c, int sig, const char *text)
Definition: sig.c:460
void check_incoming_control_channel_dowork(struct context *c)
Definition: forward.c:143
#define MANAGEMENT_READ
Definition: openvpn.h:247
static void check_ping_restart(struct context *c)
Definition: ping-inline.h:32
#define OPENVPN_STATE_GET_CONFIG
Definition: manage.h:504
#define M_NOPREFIX
Definition: error.h:102
#define msg
Definition: error.h:173
struct timeval timeout_random_component
Definition: openvpn.h:417
Wrapper structure for dynamically allocated memory.
Definition: buffer.h:60
void show_routes(int msglev)
Definition: route.c:3146
struct event_timeout explicit_exit_notification_interval
Definition: openvpn.h:431
void server_pushed_signal(struct context *c, const struct buffer *buffer, const bool restart, const int adv)
Definition: push.c:107
static void check_push_request(struct context *c)
void frame_adjust_path_mtu(struct frame *frame, int pmtu, int proto)
Definition: socket.c:1533
static void check_fragment(struct context *c)
#define buf_init(buf, offset)
Definition: buffer.h:198
bool tls_send_payload(struct tls_multi *multi, const uint8_t *data, int size)
Definition: ssl.c:3981
struct fragment_master * fragment
Definition: openvpn.h:270
#define IOW_CHECK_RESIDUAL
Definition: forward.h:55
void check_tls_errors_co(struct context *c)
Definition: forward.c:123
struct status_output * status_output
Definition: openvpn.h:184
struct plugin_list * plugins
List of plug-ins.
Definition: openvpn.h:535
void management_io(struct management *man)
Definition: manage.c:3062
static void management_bytes_out(struct management *man, const int size)
Definition: manage.h:567
#define MAX_RW_SIZE_TUN(f)
Definition: mtu.h:180
void management_set_state(struct management *man, const int state, const char *detail, const in_addr_t *tun_local_ip, const struct in6_addr *tun_local_ip6, const struct openvpn_sockaddr *local, const struct openvpn_sockaddr *remote)
Definition: manage.c:2667
bool is_ipv4(int tunnel_type, struct buffer *buf)
Definition: proto.c:91
struct event_timeout server_poll_interval
Definition: openvpn.h:421
static void context_immediate_reschedule(struct context *c)
static void wait_signal(struct event_set *es, void *arg)
Definition: event.h:144
#define TUN_WRITE
Definition: openvpn.h:243
static void check_add_routes_action(struct context *c, const bool errors)
Definition: forward.c:286
#define FRAME_HEADROOM_MARKER_READ_LINK
Definition: mtu.h:131
const char * tls_common_name(const struct tls_multi *multi, const bool null)
Returns the common name field for the given tunnel.
Definition: ssl_verify.c:163
struct buffer alloc_buf_gc(size_t size, struct gc_arena *gc)
Definition: buffer.c:88
#define PERF_PROC_IN_LINK
Definition: perf.h:52
static void buf_reset(struct buffer *buf)
Definition: buffer.h:285
#define EVENT_WRITE
Definition: event.h:37
#define PIPV4_EXTRACT_DHCP_ROUTER
Definition: forward.h:255
#define SOCKET_WRITE
Definition: openvpn.h:241
#define TUNNEL_TYPE(tt)
Definition: tun.h:133
static bool socket_read_residual(const struct link_socket *s)
Definition: socket.h:1222
void check_connection_established_dowork(struct context *c)
Definition: forward.c:206
Garbage collection arena used to keep track of dynamically allocated memory.
Definition: buffer.h:116
#define IOW_READ_TUN
Definition: forward.h:52
int original_recv_size
Definition: openvpn.h:323
int interval_t
Definition: common.h:45
void process_incoming_link_part2(struct context *c, struct link_socket_info *lsi, const uint8_t *orig_buf)
Continues processing a packet read from the external network interface.
Definition: forward.c:926
void management_sleep(const int n)
A sleep function that services the management layer for n seconds rather than doing nothing...
Definition: manage.c:4003
#define PERF_PROC_OUT_TUN
Definition: perf.h:56
struct link_socket_actual from
Definition: openvpn.h:262
static void socks_postprocess_incoming_link(struct context *c)
Definition: forward.c:674
#define D_STREAM_ERRORS
Definition: errlevel.h:63
bool pull
Definition: options.h:458
#define BSTR(buf)
Definition: buffer.h:129
long int get_random(void)
Definition: crypto.c:1788
static void check_connection_established(struct context *c)
void fragment_incoming(struct fragment_master *f, struct buffer *buf, const struct frame *frame)
Process an incoming packet, which may or may not be fragmented.
Definition: fragment.c:140
static void socks_preprocess_outgoing_link(struct context *c, struct link_socket_actual **to_addr, int *size_delta)
Definition: forward.c:683
bool process_incoming_link_part1(struct context *c, struct link_socket_info *lsi, bool floated)
Starts processing a packet read from the external network interface.
Definition: forward.c:783
static interval_t event_timeout_remaining(struct event_timeout *et)
Definition: interval.h:197
static int datagram_overhead(int proto)
Definition: socket.h:589
void check_inactivity_timeout_dowork(struct context *c)
Definition: forward.c:335
char * actual_name
Definition: tun.h:147
const char * proto2ascii(int proto, sa_family_t af, bool display_form)
Definition: socket.c:3085
struct buffer to_tun
Definition: openvpn.h:391
void check_tls_errors_nco(struct context *c)
Definition: forward.c:130
static void update_time(void)
Definition: otime.h:93
static bool tuntap_stop(int status)
Definition: tun.h:403
#define CC_CRLF
Definition: buffer.h:911
static void check_tls(struct context *c)
static void link_socket_write_post_size_adjust(int *size, int size_delta, struct buffer *buf)
Definition: forward.c:696
struct sockaddr sa
Definition: socket.h:68
unsigned int event_set_status
Definition: openvpn.h:254
struct tls_multi * tls_multi
TLS state structure for this VPN tunnel.
Definition: openvpn.h:342
void mss_fixup_ipv4(struct buffer *buf, int maxmss)
Definition: mss.c:46
struct buffer encrypt_buf
Definition: openvpn.h:100
void process_incoming_tun(struct context *c)
Process a packet read from the virtual tun/tap network interface.
Definition: forward.c:1170
unsigned int rwflags
Definition: event.h:79
int max_send_size_local
Definition: openvpn.h:326
void schedule_exit(struct context *c, const int n_seconds, const int signal)
Definition: forward.c:367
static void check_server_poll_timeout(struct context *c)
static void check_status(int status, const char *description, struct link_socket *sock, struct tuntap *tt)
Definition: error.h:302
struct crypto_options crypto_options
Security parameters and crypto state used by the Data Channel Crypto module to process data channel p...
Definition: openvpn.h:362
#define CONNECTION_ESTABLISHED(c)
bool buf_string_match_head_str(const struct buffer *src, const char *match)
Definition: buffer.c:756
const char * wait_status_string(struct context *c, struct gc_arena *gc)
static struct link_socket_info * get_link_socket_info(struct context *c)
static void event_timeout_init(struct event_timeout *et, interval_t n, const time_t local_now)
Definition: interval.h:166
void process_outgoing_tun(struct context *c)
Write a packet to the virtual tun/tap network interface.
Definition: forward.c:1462
int key_method
Definition: options.h:542
int tls_exit_signal
Definition: openvpn.h:360
#define D_LINK_ERRORS
Definition: errlevel.h:57
time_t coarse_timer_wakeup
Definition: openvpn.h:412
#define PASSTOS_CAPABILITY
Definition: syshead.h:405
static void check_coarse_timers_dowork(struct context *c)
Definition: forward.c:613
bool route_gateway_via_dhcp
Definition: options.h:344
counter_type link_read_bytes_auth
Definition: openvpn.h:288
int tls_multi_process(struct tls_multi *multi, struct buffer *to_link, struct link_socket_actual **to_link_addr, struct link_socket_info *to_link_socket_info, interval_t *wakeup)
Definition: ssl.c:3110
#define D_PUSH_ERRORS
Definition: errlevel.h:67