OpenVPN
forward.c
Go to the documentation of this file.
1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single TCP/UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2002-2024 OpenVPN Inc <sales@openvpn.net>
9  *
10  * This program is free software; you can redistribute it and/or modify
11  * it under the terms of the GNU General Public License version 2
12  * as published by the Free Software Foundation.
13  *
14  * This program is distributed in the hope that it will be useful,
15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17  * GNU General Public License for more details.
18  *
19  * You should have received a copy of the GNU General Public License along
20  * with this program; if not, write to the Free Software Foundation, Inc.,
21  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22  */
23 
24 #ifdef HAVE_CONFIG_H
25 #include "config.h"
26 #endif
27 
28 #include "syshead.h"
29 
30 #include "forward.h"
31 #include "init.h"
32 #include "push.h"
33 #include "gremlin.h"
34 #include "mss.h"
35 #include "event.h"
36 #include "occ.h"
37 #include "ping.h"
38 #include "ps.h"
39 #include "dhcp.h"
40 #include "common.h"
41 #include "ssl_verify.h"
42 #include "dco.h"
43 #include "auth_token.h"
44 #include "tun_afunix.h"
45 
46 #include "memdbg.h"
47 
48 #include "mstats.h"
49 
50 counter_type link_read_bytes_global; /* GLOBAL */
51 counter_type link_write_bytes_global; /* GLOBAL */
52 
53 /* show event wait debugging info */
54 
55 #ifdef ENABLE_DEBUG
56 
57 static const char *
58 wait_status_string(struct context *c, struct gc_arena *gc)
59 {
60  struct buffer out = alloc_buf_gc(64, gc);
61 
62  buf_printf(&out, "I/O WAIT %s|%s| %s",
63  tun_stat(c->c1.tuntap, EVENT_READ, gc),
64  tun_stat(c->c1.tuntap, EVENT_WRITE, gc),
65  tv_string(&c->c2.timeval, gc));
66  for (int i = 0; i < c->c1.link_sockets_num; i++)
67  {
68  buf_printf(&out, "\n %s|%s",
69  socket_stat(c->c2.link_sockets[i], EVENT_READ, gc),
70  socket_stat(c->c2.link_sockets[i], EVENT_WRITE, gc));
71  }
72  return BSTR(&out);
73 }
74 
75 static void
76 show_wait_status(struct context *c)
77 {
78  struct gc_arena gc = gc_new();
79  dmsg(D_EVENT_WAIT, "%s", wait_status_string(c, &gc));
80  gc_free(&gc);
81 }
82 
83 #endif /* ifdef ENABLE_DEBUG */
84 
85 static void
86 check_tls_errors_co(struct context *c)
87 {
88  msg(D_STREAM_ERRORS, "Fatal TLS error (check_tls_errors_co), restarting");
89  register_signal(c->sig, c->c2.tls_exit_signal, "tls-error"); /* SOFT-SIGUSR1 -- TLS error */
90 }
91 
92 static void
93 check_tls_errors_nco(struct context *c)
94 {
95  register_signal(c->sig, c->c2.tls_exit_signal, "tls-error"); /* SOFT-SIGUSR1 -- TLS error */
96 }
97 
98 /*
99  * TLS errors are fatal in TCP mode.
100  * Also check for --tls-exit trigger.
101  */
102 static inline void
103 check_tls_errors(struct context *c)
104 {
105  if (c->c2.tls_multi && c->c2.tls_exit_signal)
106  {
107  if (link_socket_connection_oriented(c->c2.link_sockets[0]))
108  {
109  if (c->c2.tls_multi->n_soft_errors)
110  {
111  check_tls_errors_co(c);
112  }
113  }
114  else
115  {
116  if (c->c2.tls_multi->n_hard_errors)
117  {
118  check_tls_errors_nco(c);
119  }
120  }
121  }
122 }
123 
124 /*
125  * Set our wakeup to 0 seconds, so we will be rescheduled
126  * immediately.
127  */
128 static inline void
129 context_immediate_reschedule(struct context *c)
130 {
131  c->c2.timeval.tv_sec = 0; /* ZERO-TIMEOUT */
132  c->c2.timeval.tv_usec = 0;
133 }
134 
135 static inline void
136 context_reschedule_sec(struct context *c, int sec)
137 {
138  if (sec < 0)
139  {
140  sec = 0;
141  }
142  if (sec < c->c2.timeval.tv_sec)
143  {
144  c->c2.timeval.tv_sec = sec;
145  c->c2.timeval.tv_usec = 0;
146  }
147 }
148 
149 void
150 check_dco_key_status(struct context *c)
151 {
152  /* DCO context is not yet initialised or enabled */
153  if (!dco_enabled(&c->options))
154  {
155  return;
156  }
157 
158  /* no active peer (p2p tls-server mode) */
159  if (c->c2.tls_multi->dco_peer_id == -1)
160  {
161  return;
162  }
163 
164  if (!dco_update_keys(&c->c1.tuntap->dco, c->c2.tls_multi))
165  {
166  /* Something bad happened. Kill the connection to
167  * be able to recover. */
168  register_signal(c->sig, SIGUSR1, "dco update keys error");
169  }
170 }
171 
172 /*
173  * In TLS mode, let TLS level respond to any control-channel
174  * packets which were received, or prepare any packets for
175  * transmission.
176  *
177  * tmp_int is purely an optimization that allows us to call
178  * tls_multi_process less frequently when there's not much
179  * traffic on the control-channel.
180  *
181  */
182 static void
183 check_tls(struct context *c)
184 {
185  interval_t wakeup = BIG_TIMEOUT;
186 
187  if (interval_test(&c->c2.tmp_int))
188  {
189  const int tmp_status = tls_multi_process
190  (c->c2.tls_multi, &c->c2.to_link, &c->c2.to_link_addr,
191  get_link_socket_info(c), &wakeup);
192 
193  if (tmp_status == TLSMP_RECONNECT)
194  {
195  event_timeout_init(&c->c2.wait_for_connect, 1, now);
196  reset_coarse_timers(c);
197  }
198 
199  if (tmp_status == TLSMP_ACTIVE || tmp_status == TLSMP_RECONNECT)
200  {
201  update_time();
202  interval_action(&c->c2.tmp_int);
203  }
204  else if (tmp_status == TLSMP_KILL)
205  {
206  if (c->options.mode == MODE_SERVER)
207  {
208  send_auth_failed(c, c->c2.tls_multi->client_reason);
209  }
210  else
211  {
212  register_signal(c->sig, SIGTERM, "auth-control-exit");
213  }
214  }
215 
216  interval_future_trigger(&c->c2.tmp_int, wakeup);
217  }
218 
219  interval_schedule_wakeup(&c->c2.tmp_int, &wakeup);
220 
221  /*
222  * Our current code has no good hooks in the TLS machinery to update
223  * DCO keys. So we check the key status after the whole TLS machinery
224  * has been completed and potentially update them
225  *
226  * We have a hidden state transition from secondary to primary key based
227  * on ks->auth_deferred_expire that DCO needs to check that the normal
228  * TLS state engine does not check. So we call the \c check_dco_key_status
229  * function even if tmp_status does not indicate that something has changed.
230  */
231  check_dco_key_status(c);
232 
233  if (wakeup)
234  {
235  context_reschedule_sec(c, wakeup);
236  }
237 }
238 
239 static void
240 parse_incoming_control_channel_command(struct context *c, struct buffer *buf)
241 {
242  if (buf_string_match_head_str(buf, "AUTH_FAILED"))
243  {
244  receive_auth_failed(c, buf);
245  }
246  else if (buf_string_match_head_str(buf, "PUSH_"))
247  {
248  incoming_push_message(c, buf);
249  }
250  else if (buf_string_match_head_str(buf, "RESTART"))
251  {
252  server_pushed_signal(c, buf, true, 7);
253  }
254  else if (buf_string_match_head_str(buf, "HALT"))
255  {
256  server_pushed_signal(c, buf, false, 4);
257  }
258  else if (buf_string_match_head_str(buf, "INFO_PRE"))
259  {
260  server_pushed_info(buf, 8);
261  }
262  else if (buf_string_match_head_str(buf, "INFO"))
263  {
264  server_pushed_info(buf, 4);
265  }
266  else if (buf_string_match_head_str(buf, "CR_RESPONSE"))
267  {
268  receive_cr_response(c, buf);
269  }
270  else if (buf_string_match_head_str(buf, "AUTH_PENDING"))
271  {
272  receive_auth_pending(c, buf);
273  }
274  else if (buf_string_match_head_str(buf, "EXIT"))
275  {
276  receive_exit_message(c);
277  }
278  else
279  {
280  msg(D_PUSH_ERRORS, "WARNING: Received unknown control message: %s", BSTR(buf));
281  }
282 }
283 
284 /*
285  * Handle incoming configuration
286  * messages on the control channel.
287  */
288 static void
289 check_incoming_control_channel(struct context *c)
290 {
291  int len = tls_test_payload_len(c->c2.tls_multi);
292  /* We should only be called with len >0 */
293  ASSERT(len > 0);
294 
295  struct gc_arena gc = gc_new();
296  struct buffer buf = alloc_buf_gc(len, &gc);
297  if (tls_rec_payload(c->c2.tls_multi, &buf))
298  {
299  while (BLEN(&buf) > 1)
300  {
301  struct buffer cmdbuf = extract_command_buffer(&buf, &gc);
302 
303  if (cmdbuf.len > 0)
304  {
305  parse_incoming_control_channel_command(c, &cmdbuf);
306  }
307  }
308  }
309  else
310  {
311  msg(D_PUSH_ERRORS, "WARNING: Receive control message failed");
312  }
313 
314  gc_free(&gc);
315 }
316 
317 /*
318  * Periodically resend PUSH_REQUEST until PUSH message received
319  */
320 static void
321 check_push_request(struct context *c)
322 {
323  send_push_request(c);
324 
325  /* if no response to first push_request, retry at PUSH_REQUEST_INTERVAL second intervals */
326  event_timeout_modify_wakeup(&c->c2.push_request_interval, PUSH_REQUEST_INTERVAL);
327 }
328 
329 /*
330  * Things that need to happen immediately after connection initiation should go here.
331  *
332  * Options like --up-delay need to be triggered by this function which
333  * checks for connection establishment.
334  *
335  * Note: The process_incoming_push_reply currently assumes that this function
336  * only sets up the pull request timer when pull is enabled.
337  */
338 static void
339 check_connection_established(struct context *c)
340 {
341  if (connection_established(c))
342  {
343  /* if --pull was specified, send a push request to server */
344  if (c->c2.tls_multi && c->options.pull)
345  {
346 #ifdef ENABLE_MANAGEMENT
347  if (management)
348  {
349  management_set_state(management,
350  OPENVPN_STATE_GET_CONFIG,
351  NULL,
352  NULL,
353  NULL,
354  NULL,
355  NULL);
356  }
357 #endif
358  /* fire up push request right away (already 1s delayed) */
359  /* We might receive a AUTH_PENDING request before we armed this
360  * timer. In that case we don't change the value */
361  if (c->c2.push_request_timeout < now)
362  {
363  c->c2.push_request_timeout = now + c->options.handshake_window;
364  }
365  event_timeout_init(&c->c2.push_request_interval, 0, now);
366  reset_coarse_timers(c);
367  }
368  else
369  {
370  if (!do_up(c, false, 0))
371  {
372  register_signal(c->sig, SIGUSR1, "connection initialisation failed");
373  }
374  }
375 
376  event_timeout_clear(&c->c2.wait_for_connect);
377  }
378 }
379 
380 bool
381 send_control_channel_string_dowork(struct tls_session *session,
382  const char *str, int msglevel)
383 {
384  struct gc_arena gc = gc_new();
385  bool stat;
386 
387  ASSERT(session);
388  struct key_state *ks = &session->key[KS_PRIMARY];
389 
390  /* buffered cleartext write onto TLS control channel */
391  stat = tls_send_payload(ks, (uint8_t *) str, strlen(str) + 1);
392 
393  msg(msglevel, "SENT CONTROL [%s]: '%s' (status=%d)",
394  session->common_name ? session->common_name : "UNDEF",
395  sanitize_control_message(str, &gc),
396  (int) stat);
397 
398  gc_free(&gc);
399  return stat;
400 }
401 
402 void
403 reschedule_multi_process(struct context *c)
404 {
405  interval_action(&c->c2.tmp_int);
406  context_immediate_reschedule(c); /* ZERO-TIMEOUT */
407 }
408 
409 bool
410 send_control_channel_string(struct context *c, const char *str, int msglevel)
411 {
412  if (c->c2.tls_multi)
413  {
414  struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE];
415  bool ret = send_control_channel_string_dowork(session, str, msglevel);
416  reschedule_multi_process(c);
417 
418  return ret;
419  }
420  return true;
421 }
422 /*
423  * Add routes.
424  */
425 
426 static void
427 check_add_routes_action(struct context *c, const bool errors)
428 {
429  bool route_status = do_route(&c->options, c->c1.route_list, c->c1.route_ipv6_list,
430  c->c1.tuntap, c->plugins, c->c2.es, &c->net_ctx);
431 
432  int flags = (errors ? ISC_ERRORS : 0);
433  flags |= (!route_status ? ISC_ROUTE_ERRORS : 0);
434 
435  update_time();
436  event_timeout_clear(&c->c2.route_wakeup);
437  event_timeout_clear(&c->c2.route_wakeup_expire);
438  initialization_sequence_completed(c, flags); /* client/p2p --route-delay was defined */
439 }
440 
441 static void
442 check_add_routes(struct context *c)
443 {
444  if (test_routes(c->c1.route_list, c->c1.tuntap))
445  {
446  check_add_routes_action(c, false);
447  }
448  else if (event_timeout_trigger(&c->c2.route_wakeup_expire, &c->c2.timeval, ETT_DEFAULT))
449  {
450  check_add_routes_action(c, true);
451  }
452  else
453  {
454  msg(D_ROUTE, "Route: Waiting for TUN/TAP interface to come up...");
455  if (c->c1.tuntap)
456  {
457  if (!tun_standby(c->c1.tuntap))
458  {
459  register_signal(c->sig, SIGHUP, "ip-fail");
460  c->persist.restart_sleep_seconds = 10;
461 #ifdef _WIN32
462  show_routes(M_INFO|M_NOPREFIX);
463  show_adapters(M_INFO|M_NOPREFIX);
464 #endif
465  }
466  }
467  update_time();
468  if (c->c2.route_wakeup.n != 1)
469  {
470  event_timeout_init(&c->c2.route_wakeup, 1, now);
471  }
472  event_timeout_reset(&c->c2.ping_rec_interval);
473  }
474 }
475 
476 /*
477  * Should we exit due to inactivity timeout?
478  *
479  * In the non-dco case, the timeout is reset via register_activity()
480  * whenever there is sufficient activity on tun or link, so this function
481  * is only ever called to raise the TERM signal.
482  *
483  * With DCO, OpenVPN does not see incoming or outgoing data packets anymore
484  * and the logic needs to change - we permit the event to trigger and check
485  * kernel DCO counters here, returning and rearming the timer if there was
486  * sufficient traffic.
487  */
488 static void
489 check_inactivity_timeout(struct context *c)
490 {
491  if (dco_enabled(&c->options) && dco_get_peer_stats(c, true) == 0)
492  {
493  int64_t tot_bytes = c->c2.tun_read_bytes + c->c2.tun_write_bytes;
494  int64_t new_bytes = tot_bytes - c->c2.inactivity_bytes;
495 
496  if (new_bytes > c->options.inactivity_minimum_bytes)
497  {
498  c->c2.inactivity_bytes = tot_bytes;
499  event_timeout_reset(&c->c2.inactivity_interval);
500  return;
501  }
502  }
503 
504  msg(M_INFO, "Inactivity timeout (--inactive), exiting");
505  register_signal(c->sig, SIGTERM, "inactive");
506 }
507 
508 int
509 get_server_poll_remaining_time(struct event_timeout *server_poll_timeout)
510 {
511  update_time();
512  int remaining = event_timeout_remaining(server_poll_timeout);
513  return max_int(0, remaining);
514 }
515 
516 static void
517 check_server_poll_timeout(struct context *c)
518 {
519  event_timeout_reset(&c->c2.server_poll_interval);
520  ASSERT(c->c2.tls_multi);
521  if (!tls_initial_packet_received(c->c2.tls_multi))
522  {
523  msg(M_INFO, "Server poll timeout, restarting");
524  register_signal(c->sig, SIGUSR1, "server_poll");
525  c->persist.restart_sleep_seconds = -1;
526  }
527 }
528 
529 /*
530  * Schedule a SIGTERM signal c->options.scheduled_exit_interval seconds from now.
531  */
532 bool
533 schedule_exit(struct context *c)
534 {
535  const int n_seconds = c->options.scheduled_exit_interval;
536  /* don't reschedule if already scheduled. */
537  if (event_timeout_defined(&c->c2.scheduled_exit))
538  {
539  return false;
540  }
541  tls_set_single_session(c->c2.tls_multi);
542  update_time();
543  reset_coarse_timers(c);
544  event_timeout_init(&c->c2.scheduled_exit, n_seconds, now);
545  c->c2.scheduled_exit_signal = SIGTERM;
546  msg(D_SCHED_EXIT, "Delayed exit in %d seconds", n_seconds);
547  return true;
548 }
549 
550 /*
551  * Scheduled exit?
552  */
553 static void
554 check_scheduled_exit(struct context *c)
555 {
556  register_signal(c->sig, c->c2.scheduled_exit_signal, "delayed-exit");
557 }
558 
559 /*
560  * Should we write timer-triggered status file.
561  */
562 static void
563 check_status_file(struct context *c)
564 {
565  if (c->c1.status_output)
566  {
567  print_status(c, c->c1.status_output);
568  }
569 }
570 
571 #ifdef ENABLE_FRAGMENT
572 /*
573  * Should we deliver a datagram fragment to remote?
574  * c is expected to be a single-link context (p2p or child)
575  */
576 static void
577 check_fragment(struct context *c)
578 {
579  struct link_socket_info *lsi = get_link_socket_info(c);
580 
581  /* OS MTU Hint? */
582  if (lsi->mtu_changed && lsi->lsa)
583  {
584  frame_adjust_path_mtu(c);
585  lsi->mtu_changed = false;
586  }
587 
588  if (fragment_outgoing_defined(c->c2.fragment))
589  {
590  if (!c->c2.to_link.len)
591  {
592  /* encrypt a fragment for output to TCP/UDP port */
593  ASSERT(fragment_ready_to_send(c->c2.fragment, &c->c2.buf, &c->c2.frame_fragment));
594  encrypt_sign(c, false);
595  }
596  }
597 
598  fragment_housekeeping(c->c2.fragment, &c->c2.frame_fragment, &c->c2.timeval);
599 }
600 #endif /* ifdef ENABLE_FRAGMENT */
601 
602 /*
603  * Buffer reallocation, for use with null encryption.
604  */
605 static inline void
606 buffer_turnover(const uint8_t *orig_buf, struct buffer *dest_stub, struct buffer *src_stub, struct buffer *storage)
607 {
608  if (orig_buf == src_stub->data && src_stub->data != storage->data)
609  {
610  buf_assign(storage, src_stub);
611  *dest_stub = *storage;
612  }
613  else
614  {
615  *dest_stub = *src_stub;
616  }
617 }
618 
619 /*
620  * Compress, fragment, encrypt and HMAC-sign an outgoing packet.
621  * Input: c->c2.buf
622  * Output: c->c2.to_link
623  */
624 void
625 encrypt_sign(struct context *c, bool comp_frag)
626 {
627  struct context_buffers *b = c->c2.buffers;
628  const uint8_t *orig_buf = c->c2.buf.data;
629  struct crypto_options *co = NULL;
630 
631  if (dco_enabled(&c->options))
632  {
633  msg(M_WARN, "Attempting to send data packet while data channel offload is in use. "
634  "Dropping packet");
635  c->c2.buf.len = 0;
636  }
637 
638  /*
639  * Drop non-TLS outgoing packet if client-connect script/plugin
640  * has not yet succeeded. In non-TLS tls_multi mode is not defined
641  * and we always pass packets.
642  */
643  if (c->c2.tls_multi && c->c2.tls_multi->multi_state < CAS_CONNECT_DONE)
644  {
645  c->c2.buf.len = 0;
646  }
647 
648  if (comp_frag)
649  {
650 #ifdef USE_COMP
651  /* Compress the packet. */
652  if (c->c2.comp_context)
653  {
654  (*c->c2.comp_context->alg.compress)(&c->c2.buf, b->compress_buf, c->c2.comp_context, &c->c2.frame);
655  }
656 #endif
657 #ifdef ENABLE_FRAGMENT
658  if (c->c2.fragment)
659  {
660  fragment_outgoing(c->c2.fragment, &c->c2.buf, &c->c2.frame_fragment);
661  }
662 #endif
663  }
664 
665  /* initialize work buffer with buf.headroom bytes of prepend capacity */
666  ASSERT(buf_init(&b->encrypt_buf, c->c2.frame.buf.headroom));
667 
668  if (c->c2.tls_multi)
669  {
670  /* Get the key we will use to encrypt the packet. */
671  tls_pre_encrypt(c->c2.tls_multi, &c->c2.buf, &co);
672  /* If using P_DATA_V2, prepend the 1-byte opcode and 3-byte peer-id to the
673  * packet before openvpn_encrypt(), so we can authenticate the opcode too.
674  */
675  if (c->c2.buf.len > 0 && c->c2.tls_multi->use_peer_id)
676  {
677  tls_prepend_opcode_v2(c->c2.tls_multi, &b->encrypt_buf);
678  }
679  }
680  else
681  {
682  co = &c->c2.crypto_options;
683  }
684 
685  /* Encrypt and authenticate the packet */
686  openvpn_encrypt(&c->c2.buf, b->encrypt_buf, co);
687 
688  /* Do packet administration */
689  if (c->c2.tls_multi)
690  {
691  if (c->c2.buf.len > 0 && !c->c2.tls_multi->use_peer_id)
692  {
693  tls_prepend_opcode_v1(c->c2.tls_multi, &c->c2.buf);
694  }
695  tls_post_encrypt(c->c2.tls_multi, &c->c2.buf);
696  }
697 
698  /*
699  * Get the address we will be sending the packet to.
700  */
701  link_socket_get_outgoing_addr(&c->c2.buf, get_link_socket_info(c),
702  &c->c2.to_link_addr);
703 
704  /* if null encryption, copy result to read_tun_buf */
705  buffer_turnover(orig_buf, &c->c2.to_link, &c->c2.buf, &b->read_tun_buf);
706 }
707 
708 /*
709  * Should we exit due to session timeout?
710  */
711 static void
712 check_session_timeout(struct context *c)
713 {
714  if (c->options.session_timeout
715  && event_timeout_trigger(&c->c2.session_interval, &c->c2.timeval,
716  ETT_DEFAULT))
717  {
718  msg(M_INFO, "Session timeout, exiting");
719  register_signal(c->sig, SIGTERM, "session-timeout");
720  }
721 }
722 
723 /*
724  * Coarse timers work to 1 second resolution.
725  */
726 static void
727 process_coarse_timers(struct context *c)
728 {
729  /* flush current packet-id to file once per 60
730  * seconds if --replay-persist was specified */
731  if (packet_id_persist_enabled(&c->c1.pid_persist)
732  && event_timeout_trigger(&c->c2.packet_id_persist_interval, &c->c2.timeval, ETT_DEFAULT))
733  {
734  packet_id_persist_save(&c->c1.pid_persist);
735  }
736 
737  /* Should we write timer-triggered status file */
738  if (c->c1.status_output
739  && event_timeout_trigger(&c->c1.status_output->et, &c->c2.timeval, ETT_DEFAULT))
740  {
741  check_status_file(c);
742  }
743 
744  /* process connection establishment items */
745  if (event_timeout_trigger(&c->c2.wait_for_connect, &c->c2.timeval, ETT_DEFAULT))
746  {
747  check_connection_established(c);
748  }
749 
750  /* see if we should send a push_request (option --pull) */
751  if (event_timeout_trigger(&c->c2.push_request_interval, &c->c2.timeval, ETT_DEFAULT))
752  {
753  check_push_request(c);
754  }
755 
756  /* process --route options */
757  if (event_timeout_trigger(&c->c2.route_wakeup, &c->c2.timeval, ETT_DEFAULT))
758  {
759  check_add_routes(c);
760  }
761 
762  /* check if we want to refresh the auth-token */
763  if (event_timeout_trigger(&c->c2.auth_token_renewal_interval, &c->c2.timeval, ETT_DEFAULT))
764  {
765  check_send_auth_token(c);
766  }
767 
768  /* possibly exit due to --inactive */
769  if (c->options.inactivity_timeout
770  && event_timeout_trigger(&c->c2.inactivity_interval, &c->c2.timeval, ETT_DEFAULT))
771  {
772  check_inactivity_timeout(c);
773  }
774 
775  if (c->sig->signal_received)
776  {
777  return;
778  }
779 
780  /* kill session if time is over */
781  check_session_timeout(c);
782  if (c->sig->signal_received)
783  {
784  return;
785  }
786 
787  /* restart if ping not received */
788  check_ping_restart(c);
789  if (c->sig->signal_received)
790  {
791  return;
792  }
793 
794  if (c->c2.tls_multi)
795  {
796  if (c->options.ce.connect_timeout
797  && event_timeout_trigger(&c->c2.server_poll_interval, &c->c2.timeval, ETT_DEFAULT))
798  {
799  check_server_poll_timeout(c);
800  }
801  if (c->sig->signal_received)
802  {
803  return;
804  }
805  if (event_timeout_trigger(&c->c2.scheduled_exit, &c->c2.timeval, ETT_DEFAULT))
806  {
807  check_scheduled_exit(c);
808  }
809  if (c->sig->signal_received)
810  {
811  return;
812  }
813  }
814 
815  /* Should we send an OCC_REQUEST message? */
816  check_send_occ_req(c);
817 
818  /* Should we send an MTU load test? */
819  check_send_occ_load_test(c);
820 
821  /* Should we send an OCC_EXIT message to remote? */
822  if (c->c2.explicit_exit_notification_time_wait)
823  {
824  process_explicit_exit_notification_timer_wakeup(c);
825  }
826 
827  /* Should we ping the remote? */
828  check_ping_send(c);
829 
830 #ifdef ENABLE_MANAGEMENT
831  if (management)
832  {
833  management_check_bytecount(c, management, &c->c2.timeval);
834  }
835 #endif /* ENABLE_MANAGEMENT */
836 }
837 
838 static void
839 check_coarse_timers(struct context *c)
840 {
841  if (now < c->c2.coarse_timer_wakeup)
842  {
843  context_reschedule_sec(c, c->c2.coarse_timer_wakeup - now);
844  return;
845  }
846 
847  const struct timeval save = c->c2.timeval;
848  c->c2.timeval.tv_sec = BIG_TIMEOUT;
849  c->c2.timeval.tv_usec = 0;
850  process_coarse_timers(c);
851  c->c2.coarse_timer_wakeup = now + c->c2.timeval.tv_sec;
852 
853  dmsg(D_INTERVAL, "TIMER: coarse timer wakeup %" PRIi64 " seconds", (int64_t)c->c2.timeval.tv_sec);
854 
855  /* Is the coarse timeout NOT the earliest one? */
856  if (c->c2.timeval.tv_sec > save.tv_sec)
857  {
858  c->c2.timeval = save;
859  }
860 }
861 
862 static void
863 check_timeout_random_component_dowork(struct context *c)
864 {
865  const int update_interval = 10; /* seconds */
866  c->c2.update_timeout_random_component = now + update_interval;
867  c->c2.timeout_random_component.tv_usec = (time_t) get_random() & 0x0003FFFF;
868  c->c2.timeout_random_component.tv_sec = 0;
869 
870  dmsg(D_INTERVAL, "RANDOM USEC=%ld", (long) c->c2.timeout_random_component.tv_usec);
871 }
872 
873 static inline void
874 check_timeout_random_component(struct context *c)
875 {
876  if (now >= c->c2.update_timeout_random_component)
877  {
878  check_timeout_random_component_dowork(c);
879  }
880  if (c->c2.timeval.tv_sec >= 1)
881  {
882  tv_add(&c->c2.timeval, &c->c2.timeout_random_component);
883  }
884 }
885 
886 /*
887  * Handle addition and removal of the 10-byte Socks5 header
888  * in UDP packets.
889  */
890 
891 static inline void
892 socks_postprocess_incoming_link(struct context *c, struct link_socket *sock)
893 {
894  if (sock->socks_proxy && sock->info.proto == PROTO_UDP)
895  {
896  socks_process_incoming_udp(&c->c2.buf, &c->c2.from);
897  }
898 }
899 
900 static inline void
901 socks_preprocess_outgoing_link(struct context *c,
902  struct link_socket *sock,
903  struct link_socket_actual **to_addr,
904  int *size_delta)
905 {
906  if (sock->socks_proxy && sock->info.proto == PROTO_UDP)
907  {
908  *size_delta += socks_process_outgoing_udp(&c->c2.to_link, c->c2.to_link_addr);
909  *to_addr = &sock->socks_relay;
910  }
911 }
912 
913 /* undo effect of socks_preprocess_outgoing_link */
914 static inline void
915 link_socket_write_post_size_adjust(int *size,
916  int size_delta,
917  struct buffer *buf)
918 {
919  if (size_delta > 0 && *size > size_delta)
920  {
921  *size -= size_delta;
922  if (!buf_advance(buf, size_delta))
923  {
924  *size = 0;
925  }
926  }
927 }
928 
929 /*
930  * Output: c->c2.buf
931  */
932 
933 void
934 read_incoming_link(struct context *c, struct link_socket *sock)
935 {
936  /*
937  * Set up for recvfrom call to read datagram
938  * sent to our TCP/UDP port.
939  */
940  int status;
941 
942  /*ASSERT (!c->c2.to_tun.len);*/
943 
944  perf_push(PERF_READ_IN_LINK);
945 
946  c->c2.buf = c->c2.buffers->read_link_buf;
947  ASSERT(buf_init(&c->c2.buf, c->c2.frame.buf.headroom));
948 
949  status = link_socket_read(sock,
950  &c->c2.buf,
951  &c->c2.from);
952 
953  if (socket_connection_reset(sock, status))
954  {
955 #if PORT_SHARE
956  if (port_share && socket_foreign_protocol_detected(sock))
957  {
958  const struct buffer *fbuf = socket_foreign_protocol_head(sock);
959  const int sd = socket_foreign_protocol_sd(sock);
960  port_share_redirect(port_share, fbuf, sd);
961  register_signal(c->sig, SIGTERM, "port-share-redirect");
962  }
963  else
964 #endif
965  {
966  /* received a disconnect from a connection-oriented protocol */
967  if (event_timeout_defined(&c->c2.explicit_exit_notification_interval))
968  {
969  msg(D_STREAM_ERRORS, "Connection reset during exit notification period, ignoring [%d]", status);
970  management_sleep(1);
971  }
972  else
973  {
974  register_signal(c->sig, SIGUSR1, "connection-reset"); /* SOFT-SIGUSR1 -- TCP connection reset */
975  msg(D_STREAM_ERRORS, "Connection reset, restarting [%d]", status);
976  }
977  }
978  perf_pop();
979  return;
980  }
981 
982  /* check_status() call below resets last-error code */
983  bool dco_win_timeout = tuntap_is_dco_win_timeout(c->c1.tuntap, status);
984 
985  /* check recvfrom status */
986  check_status(status, "read", sock, NULL);
987 
988  if (dco_win_timeout)
989  {
990  trigger_ping_timeout_signal(c);
991  }
992 
993  /* Remove socks header if applicable */
994  socks_postprocess_incoming_link(c, sock);
995 
996  perf_pop();
997 }
998 
999 bool
1000 process_incoming_link_part1(struct context *c, struct link_socket_info *lsi, bool floated)
1001 {
1002  struct gc_arena gc = gc_new();
1003  bool decrypt_status = false;
1004 
1005  if (c->c2.buf.len > 0)
1006  {
1007  c->c2.link_read_bytes += c->c2.buf.len;
1008  link_read_bytes_global += c->c2.buf.len;
1009 #ifdef ENABLE_MEMSTATS
1010  if (mmap_stats)
1011  {
1012  mmap_stats->link_read_bytes = link_read_bytes_global;
1013  }
1014 #endif
1015  c->c2.original_recv_size = c->c2.buf.len;
1016 #ifdef ENABLE_MANAGEMENT
1017  if (management)
1018  {
1019  management_bytes_client(management, c->c2.buf.len, 0);
1020  management_bytes_server(management, &c->c2.link_read_bytes, &c->c2.link_write_bytes, &c->c2.mda_context);
1021  }
1022 #endif
1023  }
1024  else
1025  {
1026  c->c2.original_recv_size = 0;
1027  }
1028 
1029 #ifdef ENABLE_DEBUG
1030  /* take action to corrupt packet if we are in gremlin test mode */
1031  if (c->options.gremlin)
1032  {
1033  if (!ask_gremlin(c->options.gremlin))
1034  {
1035  c->c2.buf.len = 0;
1036  }
1037  corrupt_gremlin(&c->c2.buf, c->options.gremlin);
1038  }
1039 #endif
1040 
1041  /* log incoming packet */
1042 #ifdef LOG_RW
1043  if (c->c2.log_rw && c->c2.buf.len > 0)
1044  {
1045  fprintf(stderr, "R");
1046  }
1047 #endif
1048  msg(D_LINK_RW, "%s READ [%d] from %s: %s",
1049  proto2ascii(lsi->proto, lsi->af, true),
1050  BLEN(&c->c2.buf),
1051  print_link_socket_actual(&c->c2.from, &gc),
1052  PROTO_DUMP(&c->c2.buf, &gc));
1053 
1054  /*
1055  * Good, non-zero length packet received.
1056  * Commence multi-stage processing of packet,
1057  * such as authenticate, decrypt, decompress.
1058  * If any stage fails, it sets buf.len to 0 or -1,
1059  * telling downstream stages to ignore the packet.
1060  */
1061  if (c->c2.buf.len > 0)
1062  {
1063  struct crypto_options *co = NULL;
1064  const uint8_t *ad_start = NULL;
1065  if (!link_socket_verify_incoming_addr(&c->c2.buf, lsi, &c->c2.from))
1066  {
1067  link_socket_bad_incoming_addr(&c->c2.buf, lsi, &c->c2.from);
1068  }
1069 
1070  if (c->c2.tls_multi)
1071  {
1072  uint8_t opcode = *BPTR(&c->c2.buf) >> P_OPCODE_SHIFT;
1073 
1074  /*
1075  * If DCO is enabled, the kernel drivers require that the
1076  * other end only sends P_DATA_V2 packets. V1 are unknown
1077  * to kernel and passed to userland, but we cannot handle them
1078  * either because crypto context is missing - so drop the packet.
1079  *
1080  * This can only happen with particular old (2.4.0-2.4.4) servers.
1081  */
1082  if ((opcode == P_DATA_V1) && dco_enabled(&c->options))
1083  {
1084  msg(D_LINK_ERRORS,
1085  "Data Channel Offload doesn't support DATA_V1 packets. "
1086  "Upgrade your server to 2.4.5 or newer.");
1087  c->c2.buf.len = 0;
1088  }
1089 
1090  /*
1091  * If tls_pre_decrypt returns true, it means the incoming
1092  * packet was a good TLS control channel packet. If so, TLS code
1093  * will deal with the packet and set buf.len to 0 so downstream
1094  * stages ignore it.
1095  *
1096  * If the packet is a data channel packet, tls_pre_decrypt
1097  * will load crypto_options with the correct encryption key
1098  * and return false.
1099  */
1100  if (tls_pre_decrypt(c->c2.tls_multi, &c->c2.from, &c->c2.buf, &co,
1101  floated, &ad_start))
1102  {
1103  interval_action(&c->c2.tmp_int);
1104 
1105  /* reset packet received timer if TLS packet */
1106  if (c->options.ping_rec_timeout)
1107  {
1108  event_timeout_reset(&c->c2.ping_rec_interval);
1109  }
1110  }
1111  }
1112  else
1113  {
1114  co = &c->c2.crypto_options;
1115  }
1116 
1117  /*
1118  * Drop non-TLS packet if client-connect script/plugin and cipher selection
1119  * has not yet succeeded. In non-TLS mode tls_multi is not defined
1120  * and we always pass packets.
1121  */
1122  if (c->c2.tls_multi && c->c2.tls_multi->multi_state < CAS_CONNECT_DONE)
1123  {
1124  c->c2.buf.len = 0;
1125  }
1126 
1127  /* authenticate and decrypt the incoming packet */
1128  decrypt_status = openvpn_decrypt(&c->c2.buf, c->c2.buffers->decrypt_buf,
1129  co, &c->c2.frame, ad_start);
1130 
1131  if (!decrypt_status
1132  /* on the instance context we have only one socket, so just check the first one */
1133  && link_socket_connection_oriented(c->c2.link_sockets[0]))
1134  {
1135  /* decryption errors are fatal in TCP mode */
1136  register_signal(c->sig, SIGUSR1, "decryption-error"); /* SOFT-SIGUSR1 -- decryption error in TCP mode */
1137  msg(D_STREAM_ERRORS, "Fatal decryption error (process_incoming_link), restarting");
1138  }
1139  }
1140  else
1141  {
1142  buf_reset(&c->c2.to_tun);
1143  }
1144  gc_free(&gc);
1145 
1146  return decrypt_status;
1147 }
1148 
1149 void
1150 process_incoming_link_part2(struct context *c, struct link_socket_info *lsi, const uint8_t *orig_buf)
1151 {
1152  if (c->c2.buf.len > 0)
1153  {
1154 #ifdef ENABLE_FRAGMENT
1155  if (c->c2.fragment)
1156  {
1157  fragment_incoming(c->c2.fragment, &c->c2.buf, &c->c2.frame_fragment);
1158  }
1159 #endif
1160 
1161 #ifdef USE_COMP
1162  /* decompress the incoming packet */
1163  if (c->c2.comp_context)
1164  {
1165  (*c->c2.comp_context->alg.decompress)(&c->c2.buf, c->c2.buffers->decompress_buf, c->c2.comp_context, &c->c2.frame);
1166  }
1167 #endif
1168 
1169 #ifdef PACKET_TRUNCATION_CHECK
1170  /* if (c->c2.buf.len > 1) --c->c2.buf.len; */
1171  ipv4_packet_size_verify(BPTR(&c->c2.buf),
1172  BLEN(&c->c2.buf),
1173  TUNNEL_TYPE(c->c1.tuntap),
1174  "POST_DECRYPT",
1175  &c->c2.n_trunc_post_decrypt);
1176 #endif
1177 
1178  /*
1179  * Set our "official" outgoing address, since
1180  * if buf.len is non-zero, we know the packet
1181  * authenticated. In TLS mode we do nothing
1182  * because TLS mode takes care of source address
1183  * authentication.
1184  *
1185  * Also, update the persisted version of our packet-id.
1186  */
1187  if (!TLS_MODE(c) && c->c2.buf.len > 0)
1188  {
1189  link_socket_set_outgoing_addr(lsi, &c->c2.from, NULL, c->c2.es);
1190  }
1191 
1192  /* reset packet received timer */
1193  if (c->options.ping_rec_timeout && c->c2.buf.len > 0)
1194  {
1195  event_timeout_reset(&c->c2.ping_rec_interval);
1196  }
1197 
1198  /* increment authenticated receive byte count */
1199  if (c->c2.buf.len > 0)
1200  {
1201  c->c2.link_read_bytes_auth += c->c2.buf.len;
1202  c->c2.max_recv_size_local = max_int(c->c2.original_recv_size, c->c2.max_recv_size_local);
1203  }
1204 
1205  /* Did we just receive an openvpn ping packet? */
1206  if (is_ping_msg(&c->c2.buf))
1207  {
1208  dmsg(D_PING, "RECEIVED PING PACKET");
1209  c->c2.buf.len = 0; /* drop packet */
1210  }
1211 
1212  /* Did we just receive an OCC packet? */
1213  if (is_occ_msg(&c->c2.buf))
1214  {
1215  process_received_occ_msg(c);
1216  }
1217 
1218  buffer_turnover(orig_buf, &c->c2.to_tun, &c->c2.buf, &c->c2.buffers->read_link_buf);
1219 
1220  /* to_tun defined + unopened tuntap can cause deadlock */
1221  if (!tuntap_defined(c->c1.tuntap))
1222  {
1223  c->c2.to_tun.len = 0;
1224  }
1225  }
1226  else
1227  {
1228  buf_reset(&c->c2.to_tun);
1229  }
1230 }
1231 
1232 static void
1233 process_incoming_link(struct context *c, struct link_socket *sock)
1234 {
1235  perf_push(PERF_PROC_IN_LINK);
1236 
1237  struct link_socket_info *lsi = &sock->info;
1238  const uint8_t *orig_buf = c->c2.buf.data;
1239 
1240  process_incoming_link_part1(c, lsi, false);
1241  process_incoming_link_part2(c, lsi, orig_buf);
1242 
1243  perf_pop();
1244 }
1245 
1246 static void
1247 process_incoming_dco(struct context *c)
1248 {
1249 #if defined(ENABLE_DCO) && (defined(TARGET_LINUX) || defined(TARGET_FREEBSD))
1250  dco_context_t *dco = &c->c1.tuntap->dco;
1251 
1252  dco_do_read(dco);
1253 
1254  /* FreeBSD currently sends us removal notifcation with the old peer-id in
1255  * p2p mode with the ping timeout reason, so ignore that one to not shoot
1256  * ourselves in the foot and removing the just established session */
1257  if (dco->dco_message_peer_id != c->c2.tls_multi->dco_peer_id)
1258  {
1259  msg(D_DCO_DEBUG, "%s: received message for mismatching peer-id %d, "
1260  "expected %d", __func__, dco->dco_message_peer_id,
1261  c->c2.tls_multi->dco_peer_id);
1262  return;
1263  }
1264 
1265  switch (dco->dco_message_type)
1266  {
1267  case OVPN_CMD_DEL_PEER:
1268  /* peer is gone, unset ID to prevent more kernel calls */
1269  c->c2.tls_multi->dco_peer_id = -1;
1270  if (dco->dco_del_peer_reason == OVPN_DEL_PEER_REASON_EXPIRED)
1271  {
1272  msg(D_DCO_DEBUG, "%s: received peer expired notification of for peer-id "
1273  "%d", __func__, dco->dco_message_peer_id);
1274  trigger_ping_timeout_signal(c);
1275  return;
1276  }
1277  break;
1278 
1279  case OVPN_CMD_SWAP_KEYS:
1280  msg(D_DCO_DEBUG, "%s: received key rotation notification for peer-id %d",
1281  __func__, dco->dco_message_peer_id);
1282  tls_session_soft_reset(c->c2.tls_multi);
1283  break;
1284 
1285  default:
1286  msg(D_DCO_DEBUG, "%s: received message of type %u - ignoring", __func__,
1287  dco->dco_message_type);
1288  return;
1289  }
1290 
1291 #endif /* if defined(ENABLE_DCO) && (defined(TARGET_LINUX) || defined(TARGET_FREEBSD)) */
1292 }
1293 
1294 /*
1295  * Output: c->c2.buf
1296  */
1297 
1298 void
1299 read_incoming_tun(struct context *c)
1300 {
1301  /*
1302  * Setup for read() call on TUN/TAP device.
1303  */
1304  /*ASSERT (!c->c2.to_link.len);*/
1305 
1306  perf_push(PERF_READ_IN_TUN);
1307 
1308  c->c2.buf = c->c2.buffers->read_tun_buf;
1309 
1310 #ifdef _WIN32
1311  if (c->c1.tuntap->backend_driver == WINDOWS_DRIVER_WINTUN)
1312  {
1313  read_wintun(c->c1.tuntap, &c->c2.buf);
1314  if (c->c2.buf.len == -1)
1315  {
1316  register_signal(c->sig, SIGHUP, "tun-abort");
1317  c->persist.restart_sleep_seconds = 1;
1318  msg(M_INFO, "Wintun read error, restarting");
1319  perf_pop();
1320  return;
1321  }
1322  }
1323  else
1324  {
1325  /* we cannot end up here when using dco */
1326  ASSERT(!dco_enabled(&c->options));
1327 
1328  sockethandle_t sh = { .is_handle = true, .h = c->c1.tuntap->hand, .prepend_sa = false };
1329  sockethandle_finalize(sh, &c->c1.tuntap->reads, &c->c2.buf, NULL);
1330  }
1331 #else /* ifdef _WIN32 */
1332  ASSERT(buf_init(&c->c2.buf, c->c2.frame.buf.headroom));
1333  ASSERT(buf_safe(&c->c2.buf, c->c2.frame.buf.payload_size));
1334  if (c->c1.tuntap->backend_driver == DRIVER_AFUNIX)
1335  {
1336  c->c2.buf.len = read_tun_afunix(c->c1.tuntap, BPTR(&c->c2.buf), c->c2.frame.buf.payload_size);
1337  }
1338  else
1339  {
1340  c->c2.buf.len = read_tun(c->c1.tuntap, BPTR(&c->c2.buf), c->c2.frame.buf.payload_size);
1341  }
1342 #endif /* ifdef _WIN32 */
1343 
1344 #ifdef PACKET_TRUNCATION_CHECK
1345  ipv4_packet_size_verify(BPTR(&c->c2.buf),
1346  BLEN(&c->c2.buf),
1347  TUNNEL_TYPE(c->c1.tuntap),
1348  "READ_TUN",
1349  &c->c2.n_trunc_tun_read);
1350 #endif
1351 
1352  /* Was TUN/TAP interface stopped? */
1353  if (tuntap_stop(c->c2.buf.len))
1354  {
1355  register_signal(c->sig, SIGTERM, "tun-stop");
1356  msg(M_INFO, "TUN/TAP interface has been stopped, exiting");
1357  perf_pop();
1358  return;
1359  }
1360 
1361  /* Was TUN/TAP I/O operation aborted? */
1362  if (tuntap_abort(c->c2.buf.len))
1363  {
1364  register_signal(c->sig, SIGHUP, "tun-abort");
1365  c->persist.restart_sleep_seconds = 10;
1366  msg(M_INFO, "TUN/TAP I/O operation aborted, restarting");
1367  perf_pop();
1368  return;
1369  }
1370 
1371  /* Check the status return from read() */
1372  check_status(c->c2.buf.len, "read from TUN/TAP", NULL, c->c1.tuntap);
1373 
1374  perf_pop();
1375 }
1376 
1385 static void
1386 drop_if_recursive_routing(struct context *c, struct buffer *buf)
1387 {
1388  bool drop = false;
1389  struct openvpn_sockaddr tun_sa;
1390  int ip_hdr_offset = 0;
1391 
1392  if (c->c2.to_link_addr == NULL) /* no remote addr known */
1393  {
1394  return;
1395  }
1396 
1397  tun_sa = c->c2.to_link_addr->dest;
1398 
1399  int proto_ver = get_tun_ip_ver(TUNNEL_TYPE(c->c1.tuntap), &c->c2.buf, &ip_hdr_offset);
1400 
1401  if (proto_ver == 4)
1402  {
1403  /* make sure we got whole IP header */
1404  if (BLEN(buf) < ((int) sizeof(struct openvpn_iphdr) + ip_hdr_offset))
1405  {
1406  return;
1407  }
1408 
1409  /* skip ipv4 packets for ipv6 tun */
1410  if (tun_sa.addr.sa.sa_family != AF_INET)
1411  {
1412  return;
1413  }
1414 
1415  struct openvpn_iphdr *pip = (struct openvpn_iphdr *) (BPTR(buf) + ip_hdr_offset);
1416 
1417  /* drop packets with same dest addr as gateway */
1418  if (memcmp(&tun_sa.addr.in4.sin_addr.s_addr, &pip->daddr, sizeof(pip->daddr)) == 0)
1419  {
1420  drop = true;
1421  }
1422  }
1423  else if (proto_ver == 6)
1424  {
1425  /* make sure we got whole IPv6 header */
1426  if (BLEN(buf) < ((int) sizeof(struct openvpn_ipv6hdr) + ip_hdr_offset))
1427  {
1428  return;
1429  }
1430 
1431  /* skip ipv6 packets for ipv4 tun */
1432  if (tun_sa.addr.sa.sa_family != AF_INET6)
1433  {
1434  return;
1435  }
1436 
1437  struct openvpn_ipv6hdr *pip6 = (struct openvpn_ipv6hdr *) (BPTR(buf) + ip_hdr_offset);
1438 
1439  /* drop packets with same dest addr as gateway */
1440  if (OPENVPN_IN6_ARE_ADDR_EQUAL(&tun_sa.addr.in6.sin6_addr, &pip6->daddr))
1441  {
1442  drop = true;
1443  }
1444  }
1445 
1446  if (drop)
1447  {
1448  struct gc_arena gc = gc_new();
1449 
1450  c->c2.buf.len = 0;
1451 
1452  msg(D_LOW, "Recursive routing detected, drop tun packet to %s",
1453  print_link_socket_actual(c->c2.to_link_addr, &gc));
1454  gc_free(&gc);
1455  }
1456 }
1457 
1458 /*
1459  * Input: c->c2.buf
1460  * Output: c->c2.to_link
1461  */
1462 
1463 void
1464 process_incoming_tun(struct context *c, struct link_socket *out_sock)
1465 {
1466  struct gc_arena gc = gc_new();
1467 
1468  perf_push(PERF_PROC_IN_TUN);
1469 
1470  if (c->c2.buf.len > 0)
1471  {
1472  c->c2.tun_read_bytes += c->c2.buf.len;
1473  }
1474 
1475 #ifdef LOG_RW
1476  if (c->c2.log_rw && c->c2.buf.len > 0)
1477  {
1478  fprintf(stderr, "r");
1479  }
1480 #endif
1481 
1482  /* Show packet content */
1483  dmsg(D_TUN_RW, "TUN READ [%d]", BLEN(&c->c2.buf));
1484 
1485  if (c->c2.buf.len > 0)
1486  {
1487  if ((c->options.mode == MODE_POINT_TO_POINT) && (!c->options.allow_recursive_routing))
1488  {
1489  drop_if_recursive_routing(c, &c->c2.buf);
1490  }
1491  /*
1492  * The --passtos and --mssfix options require
1493  * us to examine the IP header (IPv4 or IPv6).
1494  */
1495  unsigned int flags = PIPV4_PASSTOS | PIP_MSSFIX | PIPV4_CLIENT_NAT
1496  | PIPV6_ICMP_NOHOST_CLIENT;
1497  process_ip_header(c, flags, &c->c2.buf, out_sock);
1498 
1499 #ifdef PACKET_TRUNCATION_CHECK
1500  /* if (c->c2.buf.len > 1) --c->c2.buf.len; */
1501  ipv4_packet_size_verify(BPTR(&c->c2.buf),
1502  BLEN(&c->c2.buf),
1503  TUNNEL_TYPE(c->c1.tuntap),
1504  "PRE_ENCRYPT",
1505  &c->c2.n_trunc_pre_encrypt);
1506 #endif
1507 
1508  }
1509  if (c->c2.buf.len > 0)
1510  {
1511  encrypt_sign(c, true);
1512  }
1513  else
1514  {
1515  buf_reset(&c->c2.to_link);
1516  }
1517  perf_pop();
1518  gc_free(&gc);
1519 }
1520 
1531 void
1532 ipv6_send_icmp_unreachable(struct context *c, struct buffer *buf, bool client)
1533 {
1534 #define MAX_ICMPV6LEN 1280
1535  struct openvpn_icmp6hdr icmp6out;
1536  CLEAR(icmp6out);
1537 
1538  /*
1539  * Get a buffer to the ip packet, is_ipv6 automatically forwards
1540  * the buffer to the ip packet
1541  */
1542  struct buffer inputipbuf = *buf;
1543 
1544  is_ipv6(TUNNEL_TYPE(c->c1.tuntap), &inputipbuf);
1545 
1546  if (BLEN(&inputipbuf) < (int)sizeof(struct openvpn_ipv6hdr))
1547  {
1548  return;
1549  }
1550 
1551  const struct openvpn_ipv6hdr *pip6 = (struct openvpn_ipv6hdr *)BPTR(&inputipbuf);
1552 
1553  /* Copy version, traffic class, flow label from input packet */
1554  struct openvpn_ipv6hdr pip6out = *pip6;
1555 
1556  pip6out.version_prio = pip6->version_prio;
1557  pip6out.daddr = pip6->saddr;
1558 
1559  /*
1560  * Use the IPv6 remote address if we have one, otherwise use a fake one
1561  * using the remote address is preferred since it makes debugging and
1562  * understanding where the ICMPv6 error originates easier
1563  */
1564  if (c->options.ifconfig_ipv6_remote)
1565  {
1566  inet_pton(AF_INET6, c->options.ifconfig_ipv6_remote, &pip6out.saddr);
1567  }
1568  else
1569  {
1570  inet_pton(AF_INET6, "fe80::7", &pip6out.saddr);
1571  }
1572 
1573  pip6out.nexthdr = OPENVPN_IPPROTO_ICMPV6;
1574 
1575  /*
1576  * The ICMPv6 unreachable code worked best in my (arne) tests with Windows,
1577  * Linux and Android. Windows did not like the administratively prohibited
1578  * return code (no fast fail)
1579  */
1580  icmp6out.icmp6_type = OPENVPN_ICMP6_DESTINATION_UNREACHABLE;
1581  icmp6out.icmp6_code = OPENVPN_ICMP6_DU_NOROUTE;
1582 
1583  int icmpheader_len = sizeof(struct openvpn_ipv6hdr)
1584  + sizeof(struct openvpn_icmp6hdr);
1585  int totalheader_len = icmpheader_len;
1586 
1587  if (TUNNEL_TYPE(c->c1.tuntap) == DEV_TYPE_TAP)
1588  {
1589  totalheader_len += sizeof(struct openvpn_ethhdr);
1590  }
1591 
1592  /*
1593  * Calculate size for payload, defined in the standard that the resulting
1594  * frame should be <= 1280 and have as much as possible of the original
1595  * packet
1596  */
1597  int max_payload_size = min_int(MAX_ICMPV6LEN,
1598  c->c2.frame.tun_mtu - icmpheader_len);
1599  int payload_len = min_int(max_payload_size, BLEN(&inputipbuf));
1600 
1601  pip6out.payload_len = htons(sizeof(struct openvpn_icmp6hdr) + payload_len);
1602 
1603  /* Construct the packet as outgoing packet back to the client */
1604  struct buffer *outbuf;
1605  if (client)
1606  {
1607  c->c2.to_tun = c->c2.buffers->aux_buf;
1608  outbuf = &(c->c2.to_tun);
1609  }
1610  else
1611  {
1612  c->c2.to_link = c->c2.buffers->aux_buf;
1613  outbuf = &(c->c2.to_link);
1614  }
1615  ASSERT(buf_init(outbuf, totalheader_len));
1616 
1617  /* Fill the end of the buffer with original packet */
1618  ASSERT(buf_safe(outbuf, payload_len));
1619  ASSERT(buf_copy_n(outbuf, &inputipbuf, payload_len));
1620 
1621  /* ICMP Header, copy into buffer to allow checksum calculation */
1622  ASSERT(buf_write_prepend(outbuf, &icmp6out, sizeof(struct openvpn_icmp6hdr)));
1623 
1624  /* Calculate checksum over the packet and write to header */
1625 
1626  uint16_t new_csum = ip_checksum(AF_INET6, BPTR(outbuf), BLEN(outbuf),
1627  (const uint8_t *)&pip6out.saddr,
1628  (uint8_t *)&pip6out.daddr, OPENVPN_IPPROTO_ICMPV6);
1629  ((struct openvpn_icmp6hdr *) BPTR(outbuf))->icmp6_cksum = htons(new_csum);
1630 
1631 
1632  /* IPv6 Header */
1633  ASSERT(buf_write_prepend(outbuf, &pip6out, sizeof(struct openvpn_ipv6hdr)));
1634 
1635  /*
1636  * Tap mode, we also need to create an Ethernet header.
1637  */
1638  if (TUNNEL_TYPE(c->c1.tuntap) == DEV_TYPE_TAP)
1639  {
1640  if (BLEN(buf) < (int)sizeof(struct openvpn_ethhdr))
1641  {
1642  return;
1643  }
1644 
1645  const struct openvpn_ethhdr *orig_ethhdr = (struct openvpn_ethhdr *) BPTR(buf);
1646 
1647  /* Copy frametype and reverse source/destination for the response */
1648  struct openvpn_ethhdr ethhdr;
1649  memcpy(ethhdr.source, orig_ethhdr->dest, OPENVPN_ETH_ALEN);
1650  memcpy(ethhdr.dest, orig_ethhdr->source, OPENVPN_ETH_ALEN);
1651  ethhdr.proto = htons(OPENVPN_ETH_P_IPV6);
1652  ASSERT(buf_write_prepend(outbuf, &ethhdr, sizeof(struct openvpn_ethhdr)));
1653  }
1654 #undef MAX_ICMPV6LEN
1655 }
1656 
1657 void
1658 process_ip_header(struct context *c, unsigned int flags, struct buffer *buf,
1659  struct link_socket *sock)
1660 {
1661  if (!c->options.ce.mssfix)
1662  {
1663  flags &= ~PIP_MSSFIX;
1664  }
1665 #if PASSTOS_CAPABILITY
1666  if (!c->options.passtos)
1667  {
1668  flags &= ~PIPV4_PASSTOS;
1669  }
1670 #endif
1671  if (!c->options.client_nat)
1672  {
1673  flags &= ~PIPV4_CLIENT_NAT;
1674  }
1675  if (!c->options.route_gateway_via_dhcp)
1676  {
1677  flags &= ~PIPV4_EXTRACT_DHCP_ROUTER;
1678  }
1679  if (!c->options.block_ipv6)
1680  {
1681  flags &= ~(PIPV6_ICMP_NOHOST_CLIENT | PIPV6_ICMP_NOHOST_SERVER);
1682  }
1683 
1684  if (buf->len > 0)
1685  {
1686  struct buffer ipbuf = *buf;
1687  if (is_ipv4(TUNNEL_TYPE(c->c1.tuntap), &ipbuf))
1688  {
1689 #if PASSTOS_CAPABILITY
1690  /* extract TOS from IP header */
1691  if (flags & PIPV4_PASSTOS)
1692  {
1693  link_socket_extract_tos(sock, &ipbuf);
1694  }
1695 #endif
1696 
1697  /* possibly alter the TCP MSS */
1698  if (flags & PIP_MSSFIX)
1699  {
1700  mss_fixup_ipv4(&ipbuf, c->c2.frame.mss_fix);
1701  }
1702 
1703  /* possibly do NAT on packet */
1704  if ((flags & PIPV4_CLIENT_NAT) && c->options.client_nat)
1705  {
1706  const int direction = (flags & PIP_OUTGOING) ? CN_INCOMING : CN_OUTGOING;
1707  client_nat_transform(c->options.client_nat, &ipbuf, direction);
1708  }
1709  /* possibly extract a DHCP router message */
1710  if (flags & PIPV4_EXTRACT_DHCP_ROUTER)
1711  {
1712  const in_addr_t dhcp_router = dhcp_extract_router_msg(&ipbuf);
1713  if (dhcp_router)
1714  {
1715  route_list_add_vpn_gateway(c->c1.route_list, c->c2.es, dhcp_router);
1716  }
1717  }
1718  }
1719  else if (is_ipv6(TUNNEL_TYPE(c->c1.tuntap), &ipbuf))
1720  {
1721  /* possibly alter the TCP MSS */
1722  if (flags & PIP_MSSFIX)
1723  {
1724  mss_fixup_ipv6(&ipbuf, c->c2.frame.mss_fix);
1725  }
1726  if (!(flags & PIP_OUTGOING) && (flags
1727  &(PIPV6_ICMP_NOHOST_CLIENT | PIPV6_ICMP_NOHOST_SERVER)))
1728  {
1729  ipv6_send_icmp_unreachable(c, buf,
1730  (bool)(flags & PIPV6_ICMP_NOHOST_CLIENT));
1731  /* Drop the IPv6 packet */
1732  buf->len = 0;
1733  }
1734 
1735  }
1736  }
1737 }
1738 
1739 /*
1740  * Input: c->c2.to_link
1741  */
1742 
1743 void
1744 process_outgoing_link(struct context *c, struct link_socket *sock)
1745 {
1746  struct gc_arena gc = gc_new();
1747  int error_code = 0;
1748 
1749  perf_push(PERF_PROC_OUT_LINK);
1750 
1751  if (c->c2.to_link.len > 0 && c->c2.to_link.len <= c->c2.frame.buf.payload_size)
1752  {
1753  /*
1754  * Setup for call to send/sendto which will send
1755  * packet to remote over the TCP/UDP port.
1756  */
1757  int size = 0;
1758  ASSERT(link_socket_actual_defined(c->c2.to_link_addr));
1759 
1760 #ifdef ENABLE_DEBUG
1761  /* In gremlin-test mode, we may choose to drop this packet */
1762  if (!c->options.gremlin || ask_gremlin(c->options.gremlin))
1763 #endif
1764  {
1765  /*
1766  * Let the traffic shaper know how many bytes
1767  * we wrote.
1768  */
1769  if (c->options.shaper)
1770  {
1771  int overhead = datagram_overhead(c->c2.to_link_addr->dest.addr.sa.sa_family,
1772  sock->info.proto);
1773  shaper_wrote_bytes(&c->c2.shaper,
1774  BLEN(&c->c2.to_link) + overhead);
1775  }
1776 
1777  /*
1778  * Let the pinger know that we sent a packet.
1779  */
1780  if (c->options.ping_send_timeout)
1781  {
1782  event_timeout_reset(&c->c2.ping_send_interval);
1783  }
1784 
1785 #if PASSTOS_CAPABILITY
1786  /* Set TOS */
1787  link_socket_set_tos(sock);
1788 #endif
1789 
1790  /* Log packet send */
1791 #ifdef LOG_RW
1792  if (c->c2.log_rw)
1793  {
1794  fprintf(stderr, "W");
1795  }
1796 #endif
1797  msg(D_LINK_RW, "%s WRITE [%d] to %s: %s",
1798  proto2ascii(sock->info.proto, sock->info.af, true),
1799  BLEN(&c->c2.to_link),
1800  print_link_socket_actual(c->c2.to_link_addr, &gc),
1801  PROTO_DUMP(&c->c2.to_link, &gc));
1802 
1803  /* Packet send complexified by possible Socks5 usage */
1804  {
1805  struct link_socket_actual *to_addr = c->c2.to_link_addr;
1806  int size_delta = 0;
1807 
1808  /* If Socks5 over UDP, prepend header */
1809  socks_preprocess_outgoing_link(c, sock, &to_addr, &size_delta);
1810 
1811  /* Send packet */
1812  size = (int)link_socket_write(sock,
1813  &c->c2.to_link,
1814  to_addr);
1815 
1816  /* Undo effect of prepend */
1817  link_socket_write_post_size_adjust(&size, size_delta, &c->c2.to_link);
1818  }
1819 
1820  if (size > 0)
1821  {
1822  c->c2.max_send_size_local = max_int(size, c->c2.max_send_size_local);
1823  c->c2.link_write_bytes += size;
1824  link_write_bytes_global += size;
1825 #ifdef ENABLE_MEMSTATS
1826  if (mmap_stats)
1827  {
1828  mmap_stats->link_write_bytes = link_write_bytes_global;
1829  }
1830 #endif
1831 #ifdef ENABLE_MANAGEMENT
1832  if (management)
1833  {
1834  management_bytes_client(management, 0, size);
1835  management_bytes_server(management, &c->c2.link_read_bytes, &c->c2.link_write_bytes, &c->c2.mda_context);
1836  }
1837 #endif
1838  }
1839  }
1840 
1841  /* Check return status */
1842  error_code = openvpn_errno();
1843  check_status(size, "write", sock, NULL);
1844 
1845  if (size > 0)
1846  {
1847  /* Did we write a different size packet than we intended? */
1848  if (size != BLEN(&c->c2.to_link))
1849  {
1850  msg(D_LINK_ERRORS,
1851  "TCP/UDP packet was truncated/expanded on write to %s (tried=%d,actual=%d)",
1852  print_link_socket_actual(c->c2.to_link_addr, &gc),
1853  BLEN(&c->c2.to_link),
1854  size);
1855  }
1856  }
1857 
1858  /* if not a ping/control message, indicate activity regarding --inactive parameter */
1859  if (c->c2.buf.len > 0)
1860  {
1861  register_activity(c, size);
1862  }
1863 
1864  /* for unreachable network and "connecting" state switch to the next host */
1865 
1866  bool unreachable = error_code ==
1867 #ifdef _WIN32
1868  WSAENETUNREACH;
1869 #else
1870  ENETUNREACH;
1871 #endif
1872  if (size < 0 && unreachable && c->c2.tls_multi
1873  && !tls_initial_packet_received(c->c2.tls_multi) && c->options.mode == MODE_POINT_TO_POINT)
1874  {
1875  msg(M_INFO, "Network unreachable, restarting");
1876  register_signal(c->sig, SIGUSR1, "network-unreachable");
1877  }
1878  }
1879  else
1880  {
1881  if (c->c2.to_link.len > 0)
1882  {
1883  msg(D_LINK_ERRORS, "TCP/UDP packet too large on write to %s (tried=%d,max=%d)",
1884  print_link_socket_actual(c->c2.to_link_addr, &gc),
1885  c->c2.to_link.len,
1886  c->c2.frame.buf.payload_size);
1887  }
1888  }
1889 
1890  buf_reset(&c->c2.to_link);
1891 
1892  perf_pop();
1893  gc_free(&gc);
1894 }
1895 
1896 /*
1897  * Input: c->c2.to_tun
1898  */
1899 
1900 void
1901 process_outgoing_tun(struct context *c, struct link_socket *in_sock)
1902 {
1903  /*
1904  * Set up for write() call to TUN/TAP
1905  * device.
1906  */
1907  if (c->c2.to_tun.len <= 0)
1908  {
1909  return;
1910  }
1911 
1912  perf_push(PERF_PROC_OUT_TUN);
1913 
1914  /*
1915  * The --mssfix option requires
1916  * us to examine the IP header (IPv4 or IPv6).
1917  */
1918  process_ip_header(c, PIP_MSSFIX|PIPV4_EXTRACT_DHCP_ROUTER|PIPV4_CLIENT_NAT|PIP_OUTGOING, &c->c2.to_tun,
1919  in_sock);
1920 
1921  if (c->c2.to_tun.len <= c->c2.frame.buf.payload_size)
1922  {
1923  /*
1924  * Write to TUN/TAP device.
1925  */
1926  int size;
1927 
1928 #ifdef LOG_RW
1929  if (c->c2.log_rw)
1930  {
1931  fprintf(stderr, "w");
1932  }
1933 #endif
1934  dmsg(D_TUN_RW, "TUN WRITE [%d]", BLEN(&c->c2.to_tun));
1935 
1936 #ifdef PACKET_TRUNCATION_CHECK
1937  ipv4_packet_size_verify(BPTR(&c->c2.to_tun),
1938  BLEN(&c->c2.to_tun),
1939  TUNNEL_TYPE(c->c1.tuntap),
1940  "WRITE_TUN",
1941  &c->c2.n_trunc_tun_write);
1942 #endif
1943 
1944 #ifdef _WIN32
1945  size = write_tun_buffered(c->c1.tuntap, &c->c2.to_tun);
1946 #else
1947  if (c->c1.tuntap->backend_driver == DRIVER_AFUNIX)
1948  {
1949  size = write_tun_afunix(c->c1.tuntap, BPTR(&c->c2.to_tun), BLEN(&c->c2.to_tun));
1950  }
1951  else
1952  {
1953  size = write_tun(c->c1.tuntap, BPTR(&c->c2.to_tun), BLEN(&c->c2.to_tun));
1954  }
1955 #endif
1956 
1957  if (size > 0)
1958  {
1959  c->c2.tun_write_bytes += size;
1960  }
1961  check_status(size, "write to TUN/TAP", NULL, c->c1.tuntap);
1962 
1963  /* check written packet size */
1964  if (size > 0)
1965  {
1966  /* Did we write a different size packet than we intended? */
1967  if (size != BLEN(&c->c2.to_tun))
1968  {
1969  msg(D_LINK_ERRORS,
1970  "TUN/TAP packet was destructively fragmented on write to %s (tried=%d,actual=%d)",
1971  c->c1.tuntap->actual_name,
1972  BLEN(&c->c2.to_tun),
1973  size);
1974  }
1975 
1976  /* indicate activity regarding --inactive parameter */
1977  register_activity(c, size);
1978  }
1979  }
1980  else
1981  {
1982  /*
1983  * This should never happen, probably indicates some kind
1984  * of MTU mismatch.
1985  */
1986  msg(D_LINK_ERRORS, "tun packet too large on write (tried=%d,max=%d)",
1987  c->c2.to_tun.len,
1988  c->c2.frame.buf.payload_size);
1989  }
1990 
1991  buf_reset(&c->c2.to_tun);
1992 
1993  perf_pop();
1994 }
1995 
1996 void
1997 pre_select(struct context *c)
1998 {
1999  /* make sure current time (now) is updated on function entry */
2000 
2001  /*
2002  * Start with an effectively infinite timeout, then let it
2003  * reduce to a timeout that reflects the component which
2004  * needs the earliest service.
2005  */
2006  c->c2.timeval.tv_sec = BIG_TIMEOUT;
2007  c->c2.timeval.tv_usec = 0;
2008 
2009 #if defined(_WIN32)
2010  if (check_debug_level(D_TAP_WIN_DEBUG))
2011  {
2012  c->c2.timeval.tv_sec = 1;
2013  if (tuntap_defined(c->c1.tuntap))
2014  {
2015  tun_show_debug(c->c1.tuntap);
2016  }
2017  }
2018 #endif
2019 
2020  /* check coarse timers? */
2021  check_coarse_timers(c);
2022  if (c->sig->signal_received)
2023  {
2024  return;
2025  }
2026 
2027  /* If tls is enabled, do tls control channel packet processing. */
2028  if (c->c2.tls_multi)
2029  {
2030  check_tls(c);
2031  }
2032 
2033  /* In certain cases, TLS errors will require a restart */
2034  check_tls_errors(c);
2035  if (c->sig->signal_received)
2036  {
2037  return;
2038  }
2039 
2040  /* check for incoming control messages on the control channel like
2041  * push request/reply, or authentication failure and 2FA messages */
2042  if (tls_test_payload_len(c->c2.tls_multi) > 0)
2043  {
2044  check_incoming_control_channel(c);
2045  }
2046 
2047  /* Should we send an OCC message? */
2048  check_send_occ_msg(c);
2049 
2050 #ifdef ENABLE_FRAGMENT
2051  /* Should we deliver a datagram fragment to remote? */
2052  if (c->c2.fragment)
2053  {
2054  check_fragment(c);
2055  }
2056 #endif
2057 
2058  /* Update random component of timeout */
2059  check_timeout_random_component(c);
2060 }
2061 
2062 static void
2063 multi_io_process_flags(struct context *c, struct event_set *es,
2064  const unsigned int flags, unsigned int *out_socket,
2065  unsigned int *out_tuntap)
2066 {
2067  unsigned int socket = 0;
2068  unsigned int tuntap = 0;
2069  static uintptr_t tun_shift = TUN_SHIFT;
2070  static uintptr_t err_shift = ERR_SHIFT;
2071 
2072  /*
2073  * Calculate the flags based on the provided 'flags' argument.
2074  */
2075  if (flags & IOW_WAIT_SIGNAL)
2076  {
2077  wait_signal(es, (void *)err_shift);
2078  }
2079 
2080  if (flags & IOW_TO_LINK)
2081  {
2082  if (flags & IOW_SHAPER)
2083  {
2084  /*
2085  * If sending this packet would put us over our traffic shaping
2086  * quota, don't send -- instead compute the delay we must wait
2087  * until it will be OK to send the packet.
2088  */
2089  int delay = 0;
2090 
2091  /* set traffic shaping delay in microseconds */
2092  if (c->options.shaper)
2093  {
2094  delay = max_int(delay, shaper_delay(&c->c2.shaper));
2095  }
2096 
2097  if (delay < 1000)
2098  {
2099  socket |= EVENT_WRITE;
2100  }
2101  else
2102  {
2103  shaper_soonest_event(&c->c2.timeval, delay);
2104  }
2105  }
2106  else
2107  {
2108  socket |= EVENT_WRITE;
2109  }
2110  }
2111  else if (!((flags & IOW_FRAG) && TO_LINK_FRAG(c)))
2112  {
2113  if (flags & IOW_READ_TUN)
2114  {
2115  tuntap |= EVENT_READ;
2116  }
2117  }
2118 
2119  /*
2120  * If outgoing data (for TUN/TAP device) pending, wait for ready-to-send status
2121  * from device. Otherwise, wait for incoming data on TCP/UDP port.
2122  */
2123  if (flags & IOW_TO_TUN)
2124  {
2125  tuntap |= EVENT_WRITE;
2126  }
2127  else
2128  {
2129  if (flags & IOW_READ_LINK)
2130  {
2131  socket |= EVENT_READ;
2132  }
2133  }
2134 
2135  /*
2136  * outgoing bcast buffer waiting to be sent?
2137  */
2138  if (flags & IOW_MBUF)
2139  {
2140  socket |= EVENT_WRITE;
2141  }
2142 
2143  /*
2144  * Force wait on TUN input, even if also waiting on TCP/UDP output
2145  */
2146  if (flags & IOW_READ_TUN_FORCE)
2147  {
2148  tuntap |= EVENT_READ;
2149  }
2150 
2151 #ifdef _WIN32
2152  if (tuntap_is_wintun(c->c1.tuntap))
2153  {
2154  /*
2155  * With wintun we are only interested in read event. Ring buffer is
2156  * always ready for write, so we don't do wait.
2157  */
2158  tuntap = EVENT_READ;
2159  }
2160 #endif
2161 
2162  /*
2163  * Configure event wait based on socket, tuntap flags.
2164  */
2165  for (int i = 0; i < c->c1.link_sockets_num; i++)
2166  {
2167  socket_set(c->c2.link_sockets[i], es, socket,
2168  &c->c2.link_sockets[i]->ev_arg, NULL);
2169  }
2170 
2171  tun_set(c->c1.tuntap, es, tuntap, (void *)tun_shift, NULL);
2172 
2173  if (out_socket)
2174  {
2175  *out_socket = socket;
2176  }
2177 
2178  if (out_tuntap)
2179  {
2180  *out_tuntap = tuntap;
2181  }
2182 
2183 }
2184 
2185 /*
2186  * Wait for I/O events. Used for both TCP & UDP sockets
2187  * in point-to-point mode and for UDP sockets in
2188  * point-to-multipoint mode.
2189  */
2190 
2191 void
2192 get_io_flags_dowork_udp(struct context *c, struct multi_io *multi_io, const unsigned int flags)
2193 {
2194  unsigned int out_socket, out_tuntap;
2195 
2196  multi_io_process_flags(c, multi_io->es, flags, &out_socket, &out_tuntap);
2197  multi_io->udp_flags = out_socket | out_tuntap;
2198 }
2199 
2200 void
2201 get_io_flags_udp(struct context *c, struct multi_io *multi_io, const unsigned int flags)
2202 {
2203  multi_io->udp_flags = ES_ERROR;
2204  if (c->c2.fast_io && (flags & (IOW_TO_TUN | IOW_TO_LINK | IOW_MBUF)))
2205  {
2206  /* fast path -- only for TUN/TAP/UDP writes */
2207  unsigned int ret = 0;
2208  if (flags & IOW_TO_TUN)
2209  {
2210  ret |= TUN_WRITE;
2211  }
2212  if (flags & (IOW_TO_LINK | IOW_MBUF))
2213  {
2214  ret |= SOCKET_WRITE;
2215  }
2216  multi_io->udp_flags = ret;
2217  }
2218  else
2219  {
2220 #ifdef _WIN32
2221  bool skip_iowait = flags & IOW_TO_TUN;
2222  if (flags & IOW_READ_TUN)
2223  {
2224  /*
2225  * don't read from tun if we have pending write to link,
2226  * since every tun read overwrites to_link buffer filled
2227  * by previous tun read
2228  */
2229  skip_iowait = !(flags & IOW_TO_LINK);
2230  }
2231  if (tuntap_is_wintun(c->c1.tuntap) && skip_iowait)
2232  {
2233  unsigned int ret = 0;
2234  if (flags & IOW_TO_TUN)
2235  {
2236  ret |= TUN_WRITE;
2237  }
2238  if (flags & IOW_READ_TUN)
2239  {
2240  ret |= TUN_READ;
2241  }
2242  multi_io->udp_flags = ret;
2243  }
2244  else
2245 #endif /* ifdef _WIN32 */
2246  {
2247  /* slow path - delegate to io_wait_dowork_udp to calculate flags */
2248  get_io_flags_dowork_udp(c, multi_io, flags);
2249  }
2250  }
2251 }
2252 
2253 void
2254 io_wait_dowork(struct context *c, const unsigned int flags)
2255 {
2256  unsigned int out_socket;
2257  unsigned int out_tuntap;
2258  struct event_set_return esr[4];
2259 
2260  /* These shifts all depend on EVENT_READ and EVENT_WRITE */
2261  static uintptr_t socket_shift = SOCKET_SHIFT; /* depends on SOCKET_READ and SOCKET_WRITE */
2262 #ifdef ENABLE_MANAGEMENT
2263  static uintptr_t management_shift = MANAGEMENT_SHIFT; /* depends on MANAGEMENT_READ and MANAGEMENT_WRITE */
2264 #endif
2265 #ifdef ENABLE_ASYNC_PUSH
2266  static uintptr_t file_shift = FILE_SHIFT;
2267 #endif
2268 #if defined(TARGET_LINUX) || defined(TARGET_FREEBSD)
2269  static uintptr_t dco_shift = DCO_SHIFT; /* Event from DCO linux kernel module */
2270 #endif
2271 
2272  /*
2273  * Decide what kind of events we want to wait for.
2274  */
2275  event_reset(c->c2.event_set);
2276 
2277  multi_io_process_flags(c, c->c2.event_set, flags, &out_socket, &out_tuntap);
2278 
2279 #if defined(TARGET_LINUX) || defined(TARGET_FREEBSD)
2280  if (out_socket & EVENT_READ && c->c2.did_open_tun)
2281  {
2282  dco_event_set(&c->c1.tuntap->dco, c->c2.event_set, (void *)dco_shift);
2283  }
2284 #endif
2285 
2286 #ifdef ENABLE_MANAGEMENT
2287  if (management)
2288  {
2289  management_socket_set(management, c->c2.event_set, (void *)management_shift, NULL);
2290  }
2291 #endif
2292 
2293 #ifdef ENABLE_ASYNC_PUSH
2294  /* arm inotify watcher */
2295  if (c->options.mode == MODE_SERVER)
2296  {
2297  event_ctl(c->c2.event_set, c->c2.inotify_fd, EVENT_READ, (void *)file_shift);
2298  }
2299 #endif
2300 
2301  /*
2302  * Possible scenarios:
2303  * (1) tcp/udp port has data available to read
2304  * (2) tcp/udp port is ready to accept more data to write
2305  * (3) tun dev has data available to read
2306  * (4) tun dev is ready to accept more data to write
2307  * (5) we received a signal (handler sets signal_received)
2308  * (6) timeout (tv) expired
2309  */
2310 
2311  c->c2.event_set_status = ES_ERROR;
2312 
2313  if (!c->sig->signal_received)
2314  {
2315  if (!(flags & IOW_CHECK_RESIDUAL) || !sockets_read_residual(c))
2316  {
2317  int status;
2318 
2319 #ifdef ENABLE_DEBUG
2320  if (check_debug_level(D_EVENT_WAIT))
2321  {
2322  show_wait_status(c);
2323  }
2324 #endif
2325 
2326  /*
2327  * Wait for something to happen.
2328  */
2329  status = event_wait(c->c2.event_set, &c->c2.timeval, esr, SIZE(esr));
2330 
2331  check_status(status, "event_wait", NULL, NULL);
2332 
2333  if (status > 0)
2334  {
2335  int i;
2336  c->c2.event_set_status = 0;
2337  for (i = 0; i < status; ++i)
2338  {
2339  const struct event_set_return *e = &esr[i];
2340  uintptr_t shift;
2341 
2342  if (e->arg >= MULTI_N)
2343  {
2344  struct event_arg *ev_arg = (struct event_arg *)e->arg;
2345  if (ev_arg->type != EVENT_ARG_LINK_SOCKET)
2346  {
2347  c->c2.event_set_status = ES_ERROR;
2348  msg(D_LINK_ERRORS,
2349  "io_work: non socket event delivered");
2350  return;
2351  }
2352 
2353  shift = socket_shift;
2354  }
2355  else
2356  {
2357  shift = (uintptr_t)e->arg;
2358  }
2359 
2360  c->c2.event_set_status |= ((e->rwflags & 3) << shift);
2361  }
2362  }
2363  else if (status == 0)
2364  {
2365  c->c2.event_set_status = ES_TIMEOUT;
2366  }
2367  }
2368  else
2369  {
2370  c->c2.event_set_status = SOCKET_READ;
2371  }
2372  }
2373 
2374  /* 'now' should always be a reasonably up-to-date timestamp */
2375  update_time();
2376 
2377  /* set signal_received if a signal was received */
2378  if (c->c2.event_set_status & ES_ERROR)
2379  {
2380  get_signal(&c->sig->signal_received);
2381  }
2382 
2383  dmsg(D_EVENT_WAIT, "I/O WAIT status=0x%04x", c->c2.event_set_status);
2384 }
2385 
2386 void
2387 process_io(struct context *c, struct link_socket *sock)
2388 {
2389  const unsigned int status = c->c2.event_set_status;
2390 
2391 #ifdef ENABLE_MANAGEMENT
2392  if (status & (MANAGEMENT_READ|MANAGEMENT_WRITE))
2393  {
2394  ASSERT(management);
2395  management_io(management);
2396  }
2397 #endif
2398 
2399  /* TCP/UDP port ready to accept write */
2400  if (status & SOCKET_WRITE)
2401  {
2402  process_outgoing_link(c, sock);
2403  }
2404  /* TUN device ready to accept write */
2405  else if (status & TUN_WRITE)
2406  {
2407  process_outgoing_tun(c, sock);
2408  }
2409  /* Incoming data on TCP/UDP port */
2410  else if (status & SOCKET_READ)
2411  {
2412  read_incoming_link(c, sock);
2413  if (!IS_SIG(c))
2414  {
2415  process_incoming_link(c, sock);
2416  }
2417  }
2418  /* Incoming data on TUN device */
2419  else if (status & TUN_READ)
2420  {
2421  read_incoming_tun(c);
2422  if (!IS_SIG(c))
2423  {
2424  process_incoming_tun(c, sock);
2425  }
2426  }
2427  else if (status & DCO_READ)
2428  {
2429  if (!IS_SIG(c))
2430  {
2431  process_incoming_dco(c);
2432  }
2433  }
2434 }
check_timeout_random_component
static void check_timeout_random_component(struct context *c)
Definition: forward.c:874
context_2::max_send_size_local
int max_send_size_local
Definition: openvpn.h:310
buf_safe
static bool buf_safe(const struct buffer *buf, size_t len)
Definition: buffer.h:520
context_2::route_wakeup
struct event_timeout route_wakeup
Definition: openvpn.h:383
process_incoming_dco
static void process_incoming_dco(struct context *c)
Definition: forward.c:1247
TLSMP_ACTIVE
#define TLSMP_ACTIVE
Definition: ssl.h:229
context_2::event_set_status
unsigned int event_set_status
Definition: openvpn.h:235
tuntap::reads
struct overlapped_io reads
Definition: tun.h:217
read_tun
int read_tun(struct tuntap *tt, uint8_t *buf, int len)
check_status_file
static void check_status_file(struct context *c)
Definition: forward.c:563
link_socket
Definition: socket.h:177
management_set_state
void management_set_state(struct management *man, const int state, const char *detail, const in_addr_t *tun_local_ip, const struct in6_addr *tun_local_ip6, const struct openvpn_sockaddr *local, const struct openvpn_sockaddr *remote)
Definition: manage.c:2749
link_socket_read
static int link_socket_read(struct link_socket *sock, struct buffer *buf, struct link_socket_actual *from)
Definition: socket.h:1066
OVPN_CMD_DEL_PEER
@ OVPN_CMD_DEL_PEER
@OVPN_CMD_DEL_PEER: Remove peer from internal table
Definition: ovpn_dco_linux.h:40
signal_info::signal_received
volatile int signal_received
Definition: sig.h:43
context_1::link_sockets_num
int link_sockets_num
Definition: openvpn.h:157
D_DCO_DEBUG
#define D_DCO_DEBUG
Definition: errlevel.h:118
openvpn_icmp6hdr::icmp6_type
uint8_t icmp6_type
Definition: proto.h:143
M_INFO
#define M_INFO
Definition: errlevel.h:55
connection_entry::mssfix
int mssfix
Definition: options.h:142
io_wait_dowork
void io_wait_dowork(struct context *c, const unsigned int flags)
Definition: forward.c:2254
check_connection_established
static void check_connection_established(struct context *c)
Definition: forward.c:339
MANAGEMENT_SHIFT
#define MANAGEMENT_SHIFT
Definition: event.h:70
TUN_READ
#define TUN_READ
Definition: event.h:65
gc_new
static struct gc_arena gc_new(void)
Definition: buffer.h:1025
ES_ERROR
#define ES_ERROR
Definition: event.h:68
check_session_timeout
static void check_session_timeout(struct context *c)
Definition: forward.c:712
process_incoming_link_part2
void process_incoming_link_part2(struct context *c, struct link_socket_info *lsi, const uint8_t *orig_buf)
Continues processing a packet read from the external network interface.
Definition: forward.c:1150
check_timeout_random_component_dowork
static void check_timeout_random_component_dowork(struct context *c)
Definition: forward.c:863
auth_token.h
context_2::to_link
struct buffer to_link
Definition: openvpn.h:377
context_2::tls_multi
struct tls_multi * tls_multi
TLS state structure for this VPN tunnel.
Definition: openvpn.h:323
forward.h
process_coarse_timers
static void process_coarse_timers(struct context *c)
Definition: forward.c:727
openvpn_ipv6hdr::payload_len
uint16_t payload_len
Definition: proto.h:124
openvpn_icmp6hdr::icmp6_code
uint8_t icmp6_code
Definition: proto.h:146
gremlin.h
options::route_gateway_via_dhcp
bool route_gateway_via_dhcp
Definition: options.h:438
D_TAP_WIN_DEBUG
#define D_TAP_WIN_DEBUG
Definition: errlevel.h:115
read_tun_afunix
ssize_t read_tun_afunix(struct tuntap *tt, uint8_t *buf, int len)
Reads a packet from a AF_UNIX based tun device.
Definition: tun_afunix.c:157
context::persist
struct context_persist persist
Persistent context.
Definition: openvpn.h:510
IOW_READ_LINK
#define IOW_READ_LINK
Definition: forward.h:58
management_socket_set
void management_socket_set(struct management *man, struct event_set *es, void *arg, unsigned int *persistent)
Definition: manage.c:3127
buffer::len
int len
Length in bytes of the actual content within the allocated memory.
Definition: buffer.h:66
link_socket::ev_arg
struct event_arg ev_arg
this struct will store a pointer to either mi or link_socket, depending on the event type,...
Definition: socket.h:181
context_2::buf
struct buffer buf
Definition: openvpn.h:375
buf_reset
static void buf_reset(struct buffer *buf)
Definition: buffer.h:303
D_LINK_ERRORS
#define D_LINK_ERRORS
Definition: errlevel.h:57
tls_test_payload_len
static int tls_test_payload_len(const struct tls_multi *multi)
Definition: ssl.h:509
status_output::et
struct event_timeout et
Definition: status.h:61
ERR_SHIFT
#define ERR_SHIFT
Definition: event.h:67
socks_process_outgoing_udp
int socks_process_outgoing_udp(struct buffer *buf, const struct link_socket_actual *to)
Definition: socks.c:603
context_1::tuntap
struct tuntap * tuntap
Tun/tap virtual network interface.
Definition: openvpn.h:171
extract_command_buffer
struct buffer extract_command_buffer(struct buffer *buf, struct gc_arena *gc)
Extracts a control channel message from buf and adjusts the size of buf after the message has been ex...
Definition: ssl_pkt.c:562
tuntap_is_wintun
static bool tuntap_is_wintun(struct tuntap *tt)
Definition: tun.h:265
proto2ascii
const char * proto2ascii(int proto, sa_family_t af, bool display_form)
Definition: socket.c:3213
options::inactivity_minimum_bytes
int64_t inactivity_minimum_bytes
Definition: options.h:344
TLS_MODE
#define TLS_MODE(c)
Definition: openvpn.h:536
context_2::max_recv_size_local
int max_recv_size_local
Definition: openvpn.h:308
interval_t
int interval_t
Definition: common.h:36
KS_PRIMARY
#define KS_PRIMARY
Primary key state index.
Definition: ssl_common.h:456
context_2::link_write_bytes
counter_type link_write_bytes
Definition: openvpn.h:269
management_sleep
void management_sleep(const int n)
A sleep function that services the management layer for n seconds rather than doing nothing.
Definition: manage.c:4117
packet_id_persist_enabled
static bool packet_id_persist_enabled(const struct packet_id_persist *p)
Definition: packet_id.h:282
process_ip_header
void process_ip_header(struct context *c, unsigned int flags, struct buffer *buf, struct link_socket *sock)
Definition: forward.c:1658
check_status
static void check_status(int status, const char *description, struct link_socket *sock, struct tuntap *tt)
Definition: error.h:277
buf_init
#define buf_init(buf, offset)
Definition: buffer.h:209
context
Contains all state information for one tunnel.
Definition: openvpn.h:473
D_ROUTE
#define D_ROUTE
Definition: errlevel.h:80
OPENVPN_IN6_ARE_ADDR_EQUAL
#define OPENVPN_IN6_ARE_ADDR_EQUAL(a, b)
Version of IN6_ARE_ADDR_EQUAL that is guaranteed to work for unaligned access.
Definition: proto.h:89
es
struct env_set * es
Definition: test_pkcs11.c:141
interval_action
static void interval_action(struct interval *top)
Definition: interval.h:124
receive_auth_pending
void receive_auth_pending(struct context *c, const struct buffer *buffer)
Parses an AUTH_PENDING message and if in pull mode extends the timeout.
Definition: push.c:341
ipv6_send_icmp_unreachable
void ipv6_send_icmp_unreachable(struct context *c, struct buffer *buf, bool client)
Forges a IPv6 ICMP packet with a no route to host error code from the IPv6 packet in buf and sends it...
Definition: forward.c:1532
tls_multi::session
struct tls_session session[TM_SIZE]
Array of tls_session objects representing control channel sessions with the remote peer.
Definition: ssl_common.h:690
process_outgoing_tun
void process_outgoing_tun(struct context *c, struct link_socket *in_sock)
Write a packet to the virtual tun/tap network interface.
Definition: forward.c:1901
socks_preprocess_outgoing_link
static void socks_preprocess_outgoing_link(struct context *c, struct link_socket *sock, struct link_socket_actual **to_addr, int *size_delta)
Definition: forward.c:901
event_arg::sock
struct link_socket * sock
Definition: event.h:146
context_2::auth_token_renewal_interval
struct event_timeout auth_token_renewal_interval
Definition: openvpn.h:293
link_socket_info::lsa
struct link_socket_addr * lsa
Definition: socket.h:115
BSTR
#define BSTR(buf)
Definition: buffer.h:129
context_2::tun_read_bytes
counter_type tun_read_bytes
Definition: openvpn.h:264
get_random
long int get_random(void)
Definition: crypto.c:1757
context_2::tmp_int
struct interval tmp_int
Definition: openvpn.h:344
check_fragment
static void check_fragment(struct context *c)
Definition: forward.c:577
context::plugins
struct plugin_list * plugins
List of plug-ins.
Definition: openvpn.h:502
PERF_PROC_OUT_TUN
#define PERF_PROC_OUT_TUN
Definition: perf.h:56
PERF_PROC_IN_TUN
#define PERF_PROC_IN_TUN
Definition: perf.h:54
context_2::log_rw
bool log_rw
Definition: openvpn.h:380
register_activity
static void register_activity(struct context *c, const int size)
Definition: forward.h:334
alloc_buf_gc
struct buffer alloc_buf_gc(size_t size, struct gc_arena *gc)
Definition: buffer.c:88
context_2::es
struct env_set * es
Definition: openvpn.h:420
connection_entry::connect_timeout
int connect_timeout
Definition: options.h:119
process_outgoing_link
void process_outgoing_link(struct context *c, struct link_socket *sock)
Write a packet to the external network interface.
Definition: forward.c:1744
tuntap_abort
static bool tuntap_abort(int status)
Definition: tun.h:513
check_send_occ_req
static void check_send_occ_req(struct context *c)
Definition: occ.h:110
MULTI_N
#define MULTI_N
Definition: event.h:89
multi_io
Definition: multi_io.h:52
interval_schedule_wakeup
static void interval_schedule_wakeup(struct interval *top, interval_t *wakeup)
Definition: interval.h:94
session::key
char key[48]
Definition: keyingmaterialexporter.c:58
options::mode
int mode
Definition: options.h:260
options::session_timeout
int session_timeout
Definition: options.h:346
BIG_TIMEOUT
#define BIG_TIMEOUT
Definition: common.h:41
reset_coarse_timers
void reset_coarse_timers(struct context *c)
Definition: init.c:1342
context_2::inactivity_interval
struct event_timeout inactivity_interval
Definition: openvpn.h:287
TUN_SHIFT
#define TUN_SHIFT
Definition: event.h:64
is_ipv6
bool is_ipv6(int tunnel_type, struct buffer *buf)
Definition: proto.c:116
pre_select
void pre_select(struct context *c)
Definition: forward.c:1997
TO_LINK_FRAG
#define TO_LINK_FRAG(c)
Definition: forward.h:43
dmsg
#define dmsg(flags,...)
Definition: error.h:148
options::ce
struct connection_entry ce
Definition: options.h:288
MANAGEMENT_READ
#define MANAGEMENT_READ
Definition: event.h:71
DRIVER_AFUNIX
@ DRIVER_AFUNIX
using an AF_UNIX socket to pass packets from/to an external program.
Definition: tun.h:53
openvpn_sockaddr
Definition: socket.h:65
context_2::buffers
struct context_buffers * buffers
Definition: openvpn.h:367
link_socket_verify_incoming_addr
static bool link_socket_verify_incoming_addr(struct buffer *buf, const struct link_socket_info *info, const struct link_socket_actual *from_addr)
Definition: socket.h:935
D_LOW
#define D_LOW
Definition: errlevel.h:97
tls_multi::n_soft_errors
int n_soft_errors
Definition: ssl_common.h:624
context_2::did_open_tun
bool did_open_tun
Definition: openvpn.h:387
tls_multi_process
int tls_multi_process(struct tls_multi *multi, struct buffer *to_link, struct link_socket_actual **to_link_addr, struct link_socket_info *to_link_socket_info, interval_t *wakeup)
Definition: ssl.c:3310
M_NOPREFIX
#define M_NOPREFIX
Definition: error.h:97
event_timeout_init
static void event_timeout_init(struct event_timeout *et, interval_t n, const time_t last)
Initialises a timer struct.
Definition: interval.h:174
context_2::route_wakeup_expire
struct event_timeout route_wakeup_expire
Definition: openvpn.h:384
read_incoming_link
void read_incoming_link(struct context *c, struct link_socket *sock)
Read a packet from the external network interface.
Definition: forward.c:934
context_buffers::decrypt_buf
struct buffer decrypt_buf
Definition: openvpn.h:101
check_send_auth_token
void check_send_auth_token(struct context *c)
Checks if the timer to resend the auth-token has expired and if a new auth-token should be send to th...
Definition: auth_token.c:422
EVENT_READ
#define EVENT_READ
Definition: event.h:39
P_OPCODE_SHIFT
#define P_OPCODE_SHIFT
Definition: ssl_pkt.h:40
options::shaper
int shaper
Definition: options.h:328
FILE_SHIFT
#define FILE_SHIFT
Definition: event.h:73
do_up
bool do_up(struct context *c, bool pulled_options, unsigned int option_types_found)
Definition: init.c:2457
MODE_SERVER
#define MODE_SERVER
Definition: options.h:259
dco_do_read
int dco_do_read(dco_context_t *dco)
Definition: dco_win.c:674
openvpn_ipv6hdr::version_prio
uint8_t version_prio
Definition: proto.h:122
context_2::to_link_addr
struct link_socket_actual * to_link_addr
Definition: openvpn.h:244
link_socket_connection_oriented
static bool link_socket_connection_oriented(const struct link_socket *sock)
Definition: socket.h:648
event_timeout_modify_wakeup
static void event_timeout_modify_wakeup(struct event_timeout *et, interval_t n)
Sets the interval n of a timeout.
Definition: interval.h:206
PIP_MSSFIX
#define PIP_MSSFIX
Definition: forward.h:307
openvpn_sockaddr::in6
struct sockaddr_in6 in6
Definition: socket.h:71
management_check_bytecount
void management_check_bytecount(struct context *c, struct management *man, struct timeval *timeval)
Definition: manage.c:4141
key_state
Security parameter state of one TLS and data channel key session.
Definition: ssl_common.h:199
openvpn_iphdr::daddr
uint32_t daddr
Definition: proto.h:114
options::allow_recursive_routing
bool allow_recursive_routing
Definition: options.h:720
context_2::link_read_bytes
counter_type link_read_bytes
Definition: openvpn.h:266
SOCKET_SHIFT
#define SOCKET_SHIFT
Definition: event.h:61
IOW_MBUF
#define IOW_MBUF
Definition: forward.h:62
IOW_SHAPER
#define IOW_SHAPER
Definition: forward.h:59
tuntap::backend_driver
enum tun_driver_type backend_driver
The backend driver that used for this tun/tap device.
Definition: tun.h:191
context_1::route_list
struct route_list * route_list
List of routing information.
Definition: openvpn.h:176
CN_INCOMING
#define CN_INCOMING
Definition: clinat.h:32
context_2::wait_for_connect
struct event_timeout wait_for_connect
Definition: openvpn.h:282
tuntap::actual_name
char * actual_name
Definition: tun.h:205
get_server_poll_remaining_time
int get_server_poll_remaining_time(struct event_timeout *server_poll_timeout)
Definition: forward.c:509
CLEAR
#define CLEAR(x)
Definition: basic.h:33
tls_multi::multi_state
enum multi_status multi_state
Definition: ssl_common.h:618
TUNNEL_TYPE
#define TUNNEL_TYPE(tt)
Definition: tun.h:182
tls_set_single_session
static void tls_set_single_session(struct tls_multi *multi)
Definition: ssl.h:523
IOW_TO_LINK
#define IOW_TO_LINK
Definition: forward.h:56
event_ctl
static void event_ctl(struct event_set *es, event_t event, unsigned int rwflags, void *arg)
Definition: event.h:181
check_push_request
static void check_push_request(struct context *c)
Definition: forward.c:321
test_routes
bool test_routes(const struct route_list *rl, const struct tuntap *tt)
Definition: route.c:2647
context::c2
struct context_2 c2
Level 2 context.
Definition: openvpn.h:514
openvpn_ipv6hdr::daddr
struct in6_addr daddr
Definition: proto.h:129
socks_postprocess_incoming_link
static void socks_postprocess_incoming_link(struct context *c, struct link_socket *sock)
Definition: forward.c:892
tuntap_defined
static bool tuntap_defined(const struct tuntap *tt)
Definition: tun.h:254
TM_ACTIVE
#define TM_ACTIVE
Active tls_session.
Definition: ssl_common.h:535
tuntap::hand
HANDLE hand
Definition: tun.h:216
write_tun_afunix
ssize_t write_tun_afunix(struct tuntap *tt, uint8_t *buf, int len)
Writes a packet to a AF_UNIX based tun device.
Definition: tun_afunix.c:144
process_incoming_link
static void process_incoming_link(struct context *c, struct link_socket *sock)
Definition: forward.c:1233
MAX_ICMPV6LEN
#define MAX_ICMPV6LEN
ssl_verify.h
link_socket_actual_defined
static bool link_socket_actual_defined(const struct link_socket_actual *act)
Definition: socket.h:726
check_tls_errors
static void check_tls_errors(struct context *c)
Definition: forward.c:103
ASSERT
#define ASSERT(x)
Definition: error.h:195
tls_session_soft_reset
void tls_session_soft_reset(struct tls_multi *tls_multi)
Definition: ssl.c:1843
D_STREAM_ERRORS
#define D_STREAM_ERRORS
Definition: errlevel.h:63
send_auth_failed
void send_auth_failed(struct context *c, const char *client_reason)
Definition: push.c:397
frame::buf
struct frame::@8 buf
buffer_turnover
static void buffer_turnover(const uint8_t *orig_buf, struct buffer *dest_stub, struct buffer *src_stub, struct buffer *storage)
Definition: forward.c:606
link_read_bytes_global
counter_type link_read_bytes_global
Definition: forward.c:50
buf_advance
static bool buf_advance(struct buffer *buf, int size)
Definition: buffer.h:618
options::client_nat
struct client_nat_option_list * client_nat
Definition: options.h:440
counter_type
uint64_t counter_type
Definition: common.h:30
openvpn_icmp6hdr::icmp6_cksum
uint16_t icmp6_cksum
Definition: proto.h:147
link_socket_actual
Definition: socket.h:86
ping.h
options::ping_send_timeout
int ping_send_timeout
Definition: options.h:348
packet_id_persist_save
void packet_id_persist_save(struct packet_id_persist *p)
Definition: packet_id.c:519
encrypt_sign
void encrypt_sign(struct context *c, bool comp_frag)
Process a data channel packet that will be sent through a VPN tunnel.
Definition: forward.c:625
check_coarse_timers
static void check_coarse_timers(struct context *c)
Definition: forward.c:839
multi_io_process_flags
static void multi_io_process_flags(struct context *c, struct event_set *es, const unsigned int flags, unsigned int *out_socket, unsigned int *out_tuntap)
Definition: forward.c:2063
openvpn_sockaddr::sa
struct sockaddr sa
Definition: socket.h:69
BLEN
#define BLEN(buf)
Definition: buffer.h:127
PIPV4_CLIENT_NAT
#define PIPV4_CLIENT_NAT
Definition: forward.h:310
PERF_PROC_OUT_LINK
#define PERF_PROC_OUT_LINK
Definition: perf.h:55
process_explicit_exit_notification_timer_wakeup
void process_explicit_exit_notification_timer_wakeup(struct context *c)
Definition: sig.c:567
schedule_exit
bool schedule_exit(struct context *c)
Definition: forward.c:533
PIPV4_PASSTOS
#define PIPV4_PASSTOS
Definition: forward.h:306
buf_write_prepend
static bool buf_write_prepend(struct buffer *dest, const void *src, int size)
Definition: buffer.h:680
event_set_return::arg
void * arg
Definition: event.h:127
IOW_TO_TUN
#define IOW_TO_TUN
Definition: forward.h:55
send_push_request
bool send_push_request(struct context *c)
Definition: push.c:552
buf_assign
bool buf_assign(struct buffer *dest, const struct buffer *src)
Definition: buffer.c:173
mss_fixup_ipv6
void mss_fixup_ipv6(struct buffer *buf, uint16_t maxmss)
Definition: mss.c:87
shaper_soonest_event
bool shaper_soonest_event(struct timeval *tv, int delay)
Definition: shaper.c:37
frame::payload_size
int payload_size
the maximum size that a payload that our buffers can hold from either tun device or network link.
Definition: mtu.h:102
shaper_wrote_bytes
static void shaper_wrote_bytes(struct shaper *s, int nbytes)
Definition: shaper.h:122
openvpn_sockaddr::in4
struct sockaddr_in in4
Definition: socket.h:70
update_time
static void update_time(void)
Definition: otime.h:77
context_buffers
Definition: openvpn.h:94
server_pushed_signal
void server_pushed_signal(struct context *c, const struct buffer *buffer, const bool restart, const int adv)
Definition: push.c:133
D_PING
#define D_PING
Definition: errlevel.h:144
is_occ_msg
static bool is_occ_msg(const struct buffer *buf)
Definition: occ.h:83
init.h
socks_process_incoming_udp
void socks_process_incoming_udp(struct buffer *buf, struct link_socket_actual *from)
Definition: socks.c:564
process_received_occ_msg
void process_received_occ_msg(struct context *c)
Definition: occ.c:363
event_timeout::n
interval_t n
periodic interval for periodic timeouts
Definition: interval.h:139
context_2::shaper
struct shaper shaper
Definition: openvpn.h:259
push.h
reschedule_multi_process
void reschedule_multi_process(struct context *c)
Reschedule tls_multi_process.
Definition: forward.c:403
M_WARN
#define M_WARN
Definition: error.h:91
sockets_read_residual
bool sockets_read_residual(const struct context *c)
Definition: socket.c:46
openvpn_encrypt
void openvpn_encrypt(struct buffer *buf, struct buffer work, struct crypto_options *opt)
Encrypt and HMAC sign a packet so that it can be sent as a data channel VPN tunnel packet to a remote...
Definition: crypto.c:336
perf_pop
static void perf_pop(void)
Definition: perf.h:82
tun_standby
bool tun_standby(struct tuntap *tt)
Definition: tun.c:5762
is_ping_msg
static bool is_ping_msg(const struct buffer *buf)
Definition: ping.h:41
check_ping_send
static void check_ping_send(struct context *c)
Definition: ping.h:77
context::options
struct options options
Options loaded from command line or configuration file.
Definition: openvpn.h:475
context_1::route_ipv6_list
struct route_ipv6_list * route_ipv6_list
Definition: openvpn.h:181
tls_multi::n_hard_errors
int n_hard_errors
Definition: ssl_common.h:623
tls_send_payload
bool tls_send_payload(struct key_state *ks, const uint8_t *data, int size)
Definition: ssl.c:4157
dco_event_set
void dco_event_set(dco_context_t *dco, struct event_set *es, void *arg)
Definition: dco_win.c:752
route_list_add_vpn_gateway
void route_list_add_vpn_gateway(struct route_list *rl, struct env_set *es, const in_addr_t addr)
Definition: route.c:557
context_2::ping_send_interval
struct event_timeout ping_send_interval
Definition: openvpn.h:283
IOW_FRAG
#define IOW_FRAG
Definition: forward.h:61
tls_multi::dco_peer_id
int dco_peer_id
This is the handle that DCO uses to identify this session with the kernel.
Definition: ssl_common.h:705
read_incoming_tun
void read_incoming_tun(struct context *c)
Read a packet from the virtual tun/tap network interface.
Definition: forward.c:1299
SOCKET_WRITE
#define SOCKET_WRITE
Definition: event.h:63
dhcp_extract_router_msg
in_addr_t dhcp_extract_router_msg(struct buffer *ipbuf)
Definition: dhcp.c:149
interval_test
static bool interval_test(struct interval *top)
Definition: interval.h:66
DCO_READ
#define DCO_READ
Definition: event.h:76
tls_prepend_opcode_v2
void tls_prepend_opcode_v2(const struct tls_multi *multi, struct buffer *buf)
Prepend an OpenVPN data channel P_DATA_V2 header to the packet.
Definition: ssl.c:4122
dco_context_t
void * dco_context_t
Definition: dco.h:267
openvpn_decrypt
bool openvpn_decrypt(struct buffer *buf, struct buffer work, struct crypto_options *opt, const struct frame *frame, const uint8_t *ad_start)
HMAC verify and decrypt a data channel packet received from a remote OpenVPN peer.
Definition: crypto.c:794
context_2::explicit_exit_notification_time_wait
time_t explicit_exit_notification_time_wait
Definition: openvpn.h:416
fragment_outgoing
void fragment_outgoing(struct fragment_master *f, struct buffer *buf, const struct frame *frame)
Process an outgoing packet, which may or may not need to be fragmented.
Definition: fragment.c:321
check_ping_restart
static void check_ping_restart(struct context *c)
Definition: ping.h:60
get_io_flags_dowork_udp
void get_io_flags_dowork_udp(struct context *c, struct multi_io *multi_io, const unsigned int flags)
Definition: forward.c:2192
D_TUN_RW
#define D_TUN_RW
Definition: errlevel.h:114
context_2::frame_fragment
struct frame frame_fragment
Definition: openvpn.h:253
TUN_WRITE
#define TUN_WRITE
Definition: event.h:66
DEV_TYPE_TAP
#define DEV_TYPE_TAP
Definition: proto.h:37
context_2::tun_write_bytes
counter_type tun_write_bytes
Definition: openvpn.h:265
PERF_READ_IN_TUN
#define PERF_READ_IN_TUN
Definition: perf.h:53
options::scheduled_exit_interval
int scheduled_exit_interval
Definition: options.h:563
options::ping_rec_timeout
int ping_rec_timeout
Definition: options.h:349
fragment_housekeeping
static void fragment_housekeeping(struct fragment_master *f, struct frame *frame, struct timeval *tv)
Perform housekeeping of a fragment_master structure.
Definition: fragment.h:465
check_send_occ_load_test
static void check_send_occ_load_test(struct context *c)
Definition: occ.h:125
get_link_socket_info
static struct link_socket_info * get_link_socket_info(struct context *c)
Definition: forward.h:321
tun_afunix.h
SIZE
#define SIZE(x)
Definition: basic.h:30
buffer
Wrapper structure for dynamically allocated memory.
Definition: buffer.h:60
PIP_OUTGOING
#define PIP_OUTGOING
Definition: forward.h:308
server_pushed_info
void server_pushed_info(const struct buffer *buffer, const int adv)
Definition: push.c:229
openvpn_ethhdr::proto
uint16_t proto
Definition: proto.h:63
dco_get_peer_stats
int dco_get_peer_stats(struct context *c, const bool raise_sigusr1_on_err)
Definition: dco_win.c:723
check_tls_errors_nco
static void check_tls_errors_nco(struct context *c)
Definition: forward.c:93
trigger_ping_timeout_signal
void trigger_ping_timeout_signal(struct context *c)
Trigger the correct signal on a –ping timeout depending if –ping-exit is set (SIGTERM) or not (SIGUSR...
Definition: ping.c:48
PERF_PROC_IN_LINK
#define PERF_PROC_IN_LINK
Definition: perf.h:52
context_2::push_request_timeout
time_t push_request_timeout
Definition: openvpn.h:440
openvpn_ethhdr::source
uint8_t source[OPENVPN_ETH_ALEN]
Definition: proto.h:57
D_PUSH_ERRORS
#define D_PUSH_ERRORS
Definition: errlevel.h:67
D_EVENT_WAIT
#define D_EVENT_WAIT
Definition: errlevel.h:162
context_2::scheduled_exit_signal
int scheduled_exit_signal
Definition: openvpn.h:448
event_reset
static void event_reset(struct event_set *es)
Definition: event.h:169
event_arg
Definition: event.h:141
IOW_READ_TUN_FORCE
#define IOW_READ_TUN_FORCE
Definition: forward.h:63
IOW_WAIT_SIGNAL
#define IOW_WAIT_SIGNAL
Definition: forward.h:64
event.h
openvpn_ethhdr::dest
uint8_t dest[OPENVPN_ETH_ALEN]
Definition: proto.h:56
link_socket::info
struct link_socket_info info
Definition: socket.h:179
PROTO_DUMP
#define PROTO_DUMP(buf, gc)
Definition: openvpn.h:538
get_io_flags_udp
void get_io_flags_udp(struct context *c, struct multi_io *multi_io, const unsigned int flags)
Definition: forward.c:2201
options::handshake_window
int handshake_window
Definition: options.h:652
ps.h
context_2::event_set
struct event_set * event_set
Definition: openvpn.h:230
link_socket_set_outgoing_addr
static void link_socket_set_outgoing_addr(struct link_socket_info *info, const struct link_socket_actual *act, const char *common_name, struct env_set *es)
Definition: socket.h:984
OVPN_DEL_PEER_REASON_EXPIRED
@ OVPN_DEL_PEER_REASON_EXPIRED
Definition: ovpn_dco_linux.h:73
context_buffers::read_link_buf
struct buffer read_link_buf
Definition: openvpn.h:113
link_socket_info
Definition: socket.h:113
check_scheduled_exit
static void check_scheduled_exit(struct context *c)
Definition: forward.c:554
context_buffers::aux_buf
struct buffer aux_buf
Definition: openvpn.h:97
tls_session
Security parameter state of a single session within a VPN tunnel.
Definition: ssl_common.h:479
link_socket_info::proto
int proto
Definition: socket.h:120
context_2::timeout_random_component
struct timeval timeout_random_component
Definition: openvpn.h:404
OPENVPN_STATE_GET_CONFIG
#define OPENVPN_STATE_GET_CONFIG
Definition: manage.h:480
context_2::timeval
struct timeval timeval
Time to next event of timers and similar.
Definition: openvpn.h:396
options::block_ipv6
bool block_ipv6
Definition: options.h:436
show_adapters
void show_adapters(int msglev)
Definition: tun.c:5034
sockethandle_finalize
int sockethandle_finalize(sockethandle_t sh, struct overlapped_io *io, struct buffer *buf, struct link_socket_actual *from)
Definition: socket.c:3922
context_2::explicit_exit_notification_interval
struct event_timeout explicit_exit_notification_interval
Definition: openvpn.h:417
context_2::scheduled_exit
struct event_timeout scheduled_exit
Definition: openvpn.h:447
context_2::frame
struct frame frame
Definition: openvpn.h:248
CAS_CONNECT_DONE
@ CAS_CONNECT_DONE
Definition: ssl_common.h:579
link_socket_bad_incoming_addr
void link_socket_bad_incoming_addr(struct buffer *buf, const struct link_socket_info *info, const struct link_socket_actual *from_addr)
Definition: socket.c:2509
syshead.h
BPTR
#define BPTR(buf)
Definition: buffer.h:124
fragment_ready_to_send
bool fragment_ready_to_send(struct fragment_master *f, struct buffer *buf, const struct frame *frame)
Check whether outgoing fragments are ready to be send, and if so make one available.
Definition: fragment.c:376
context_persist::restart_sleep_seconds
int restart_sleep_seconds
Definition: openvpn.h:122
dhcp.h
management_bytes_server
static void management_bytes_server(struct management *man, const counter_type *bytes_in_total, const counter_type *bytes_out_total, struct man_def_auth_context *mdac)
Definition: manage.h:539
show_routes
void show_routes(int msglev)
Definition: route.c:3308
tv_add
static void tv_add(struct timeval *dest, const struct timeval *src)
Definition: otime.h:132
link_socket_info::mtu_changed
int mtu_changed
Definition: socket.h:123
PIPV6_ICMP_NOHOST_SERVER
#define PIPV6_ICMP_NOHOST_SERVER
Definition: forward.h:312
check_inactivity_timeout
static void check_inactivity_timeout(struct context *c)
Definition: forward.c:489
context_2::link_sockets
struct link_socket ** link_sockets
Definition: openvpn.h:237
TLSMP_KILL
#define TLSMP_KILL
Definition: ssl.h:230
gc_arena
Garbage collection arena used to keep track of dynamically allocated memory.
Definition: buffer.h:116
check_tls
static void check_tls(struct context *c)
Definition: forward.c:183
occ.h
multi_io::udp_flags
unsigned int udp_flags
Definition: multi_io.h:59
context::sig
struct signal_info * sig
Internal error signaling object.
Definition: openvpn.h:500
MODE_POINT_TO_POINT
#define MODE_POINT_TO_POINT
Definition: options.h:258
send_control_channel_string_dowork
bool send_control_channel_string_dowork(struct tls_session *session, const char *str, int msglevel)
Definition: forward.c:381
check_dco_key_status
void check_dco_key_status(struct context *c)
Definition: forward.c:150
openvpn_ipv6hdr
Definition: proto.h:121
tls_initial_packet_received
static bool tls_initial_packet_received(const struct tls_multi *multi)
Definition: ssl.h:503
openvpn_ipv6hdr::nexthdr
uint8_t nexthdr
Definition: proto.h:125
sockethandle_t
Definition: socket.h:285
client_nat_transform
void client_nat_transform(const struct client_nat_option_list *list, struct buffer *ipbuf, const int direction)
Definition: clinat.c:193
link_socket::socks_relay
struct link_socket_actual socks_relay
Definition: socket.h:242
mss_fixup_ipv4
void mss_fixup_ipv4(struct buffer *buf, uint16_t maxmss)
Definition: mss.c:47
dco_enabled
static bool dco_enabled(const struct options *o)
Returns whether the current configuration has dco enabled.
Definition: options.h:930
dco.h
common.h
check_debug_level
static bool check_debug_level(unsigned int level)
Definition: error.h:220
tls_multi::use_peer_id
bool use_peer_id
Definition: ssl_common.h:682
tls_multi::client_reason
char * client_reason
Definition: ssl_common.h:652
parse_incoming_control_channel_command
static void parse_incoming_control_channel_command(struct context *c, struct buffer *buf)
Definition: forward.c:240
tuntap_is_dco_win_timeout
static bool tuntap_is_dco_win_timeout(struct tuntap *tt, int status)
Definition: tun.h:688
context_2::update_timeout_random_component
time_t update_timeout_random_component
Definition: openvpn.h:403
ETT_DEFAULT
#define ETT_DEFAULT
Definition: interval.h:224
buf_string_match_head_str
bool buf_string_match_head_str(const struct buffer *src, const char *match)
Definition: buffer.c:778
context_2::packet_id_persist_interval
struct event_timeout packet_id_persist_interval
Definition: openvpn.h:355
openvpn_ipv6hdr::saddr
struct in6_addr saddr
Definition: proto.h:128
event_set
Definition: event.h:130
management_bytes_client
static void management_bytes_client(struct management *man, const int size_in, const int size_out)
Definition: manage.h:522
openvpn_ethhdr
Definition: proto.h:54
OPENVPN_IPPROTO_ICMPV6
#define OPENVPN_IPPROTO_ICMPV6
Definition: proto.h:109
context_2::inactivity_bytes
int64_t inactivity_bytes
Definition: openvpn.h:288
IOW_CHECK_RESIDUAL
#define IOW_CHECK_RESIDUAL
Definition: forward.h:60
tls_prepend_opcode_v1
void tls_prepend_opcode_v1(const struct tls_multi *multi, struct buffer *buf)
Prepend a one-byte OpenVPN data channel P_DATA_V1 opcode to the packet.
Definition: ssl.c:4108
context_2::mda_context
struct man_def_auth_context mda_context
Definition: openvpn.h:453
mstats.h
event_timeout_trigger
bool event_timeout_trigger(struct event_timeout *et, struct timeval *tv, const int et_const_retry)
This is the principal function for testing and triggering recurring timers.
Definition: interval.c:43
context_2::to_tun
struct buffer to_tun
Definition: openvpn.h:376
frame::mss_fix
uint16_t mss_fix
The actual MSS value that should be written to the payload packets.
Definition: mtu.h:118
IS_SIG
#define IS_SIG(c)
Definition: sig.h:48
link_write_bytes_global
counter_type link_write_bytes_global
Definition: forward.c:51
dco_update_keys
static bool dco_update_keys(dco_context_t *dco, struct tls_multi *multi)
Definition: dco.h:337
process_incoming_tun
void process_incoming_tun(struct context *c, struct link_socket *out_sock)
Process a packet read from the virtual tun/tap network interface.
Definition: forward.c:1464
DCO_SHIFT
#define DCO_SHIFT
Definition: event.h:75
context_2::fragment
struct fragment_master * fragment
Definition: openvpn.h:252
ES_TIMEOUT
#define ES_TIMEOUT
Definition: event.h:69
max_int
static int max_int(int x, int y)
Definition: integer.h:89
socket_set
unsigned int socket_set(struct link_socket *s, struct event_set *es, unsigned int rwflags, void *arg, unsigned int *persistent)
Definition: socket.c:4017
drop_if_recursive_routing
static void drop_if_recursive_routing(struct context *c, struct buffer *buf)
Drops UDP packets which OS decided to route via tun.
Definition: forward.c:1386
PUSH_REQUEST_INTERVAL
#define PUSH_REQUEST_INTERVAL
Definition: common.h:93
D_LINK_RW
#define D_LINK_RW
Definition: errlevel.h:113
OPENVPN_ETH_ALEN
#define OPENVPN_ETH_ALEN
Definition: proto.h:53
tls_rec_payload
bool tls_rec_payload(struct tls_multi *multi, struct buffer *buf)
Definition: ssl.c:4191
tuntap::dco
dco_context_t dco
Definition: tun.h:249
read_wintun
static void read_wintun(struct tuntap *tt, struct buffer *buf)
Definition: tun.h:540
receive_exit_message
void receive_exit_message(struct context *c)
Definition: push.c:193
get_tun_ip_ver
static int get_tun_ip_ver(int tunnel_type, struct buffer *buf, int *ip_hdr_offset)
Definition: proto.h:241
status
static SERVICE_STATUS status
Definition: interactive.c:53
do_route
bool do_route(const struct options *options, struct route_list *route_list, struct route_ipv6_list *route_ipv6_list, const struct tuntap *tt, const struct plugin_list *plugins, struct env_set *es, openvpn_net_ctx_t *ctx)
Definition: init.c:1717
print_link_socket_actual
const char * print_link_socket_actual(const struct link_socket_actual *act, struct gc_arena *gc)
Definition: socket.c:2910
management
Definition: manage.h:335
min_int
static int min_int(int x, int y)
Definition: integer.h:102
process_io
void process_io(struct context *c, struct link_socket *sock)
Definition: forward.c:2387
gc_free
static void gc_free(struct gc_arena *a)
Definition: buffer.h:1033
check_tls_errors_co
static void check_tls_errors_co(struct context *c)
Definition: forward.c:86
event_set_return
Definition: event.h:124
socket_connection_reset
static bool socket_connection_reset(const struct link_socket *sock, int status)
Definition: socket.h:912
mss.h
WINDOWS_DRIVER_WINTUN
@ WINDOWS_DRIVER_WINTUN
Definition: tun.h:48
PIPV4_EXTRACT_DHCP_ROUTER
#define PIPV4_EXTRACT_DHCP_ROUTER
Definition: forward.h:309
tuntap
Definition: tun.h:180
context_2::crypto_options
struct crypto_options crypto_options
Security parameters and crypto state used by the Data Channel Crypto module to process data channel p...
Definition: openvpn.h:349
IOW_READ_TUN
#define IOW_READ_TUN
Definition: forward.h:57
openvpn_icmp6hdr
Definition: proto.h:135
now
time_t now
Definition: otime.c:34
context_buffers::encrypt_buf
struct buffer encrypt_buf
Definition: openvpn.h:100
tun_stat
const char * tun_stat(const struct tuntap *tt, unsigned int rwflags, struct gc_arena *gc)
Definition: tun.c:713
wait_signal
static void wait_signal(struct event_set *es, void *arg)
Definition: event.h:206
context_1::status_output
struct status_output * status_output
Definition: openvpn.h:184
config.h
check_server_poll_timeout
static void check_server_poll_timeout(struct context *c)
Definition: forward.c:517
context_2::from
struct link_socket_actual from
Definition: openvpn.h:245
event_timeout
Definition: interval.h:136
context_1::pid_persist
struct packet_id_persist pid_persist
Definition: openvpn.h:169
ISC_ROUTE_ERRORS
#define ISC_ROUTE_ERRORS
Definition: init.h:117
context_2::tls_exit_signal
int tls_exit_signal
Definition: openvpn.h:347
EVENT_WRITE
#define EVENT_WRITE
Definition: event.h:40
context_2::link_read_bytes_auth
counter_type link_read_bytes_auth
Definition: openvpn.h:268
sanitize_control_message
const char * sanitize_control_message(const char *src, struct gc_arena *gc)
Definition: misc.c:670
EVENT_ARG_LINK_SOCKET
@ EVENT_ARG_LINK_SOCKET
Definition: event.h:137
D_INTERVAL
#define D_INTERVAL
Definition: errlevel.h:158
tls_post_encrypt
void tls_post_encrypt(struct tls_multi *multi, struct buffer *buf)
Perform some accounting for the key state used.
Definition: ssl.c:4137
context_2::push_request_interval
struct event_timeout push_request_interval
Definition: openvpn.h:439
context_2::server_poll_interval
struct event_timeout server_poll_interval
Definition: openvpn.h:408
get_signal
static void get_signal(volatile int *sig)
Copy the global signal_received (if non-zero) to the passed-in argument sig.
Definition: sig.h:110
print_status
void print_status(struct context *c, struct status_output *so)
Definition: sig.c:484
context_reschedule_sec
static void context_reschedule_sec(struct context *c, int sec)
Definition: forward.c:136
shaper_delay
static int shaper_delay(struct shaper *s)
Definition: shaper.h:97
OPENVPN_ICMP6_DESTINATION_UNREACHABLE
#define OPENVPN_ICMP6_DESTINATION_UNREACHABLE
Definition: proto.h:136
OVPN_CMD_SWAP_KEYS
@ OVPN_CMD_SWAP_KEYS
Definition: ovpn_dco_linux.h:44
MANAGEMENT_WRITE
#define MANAGEMENT_WRITE
Definition: event.h:72
tls_pre_encrypt
void tls_pre_encrypt(struct tls_multi *multi, struct buffer *buf, struct crypto_options **opt)
Choose the appropriate security parameters with which to process an outgoing packet.
Definition: ssl.c:4075
openvpn_errno
#define openvpn_errno()
Definition: error.h:72
tun_show_debug
void tun_show_debug(struct tuntap *tt)
Definition: tun.c:6810
session
Definition: keyingmaterialexporter.c:56
receive_auth_failed
void receive_auth_failed(struct context *c, const struct buffer *buffer)
Definition: push.c:51
process_incoming_link_part1
bool process_incoming_link_part1(struct context *c, struct link_socket_info *lsi, bool floated)
Starts processing a packet read from the external network interface.
Definition: forward.c:1000
datagram_overhead
static int datagram_overhead(sa_family_t af, int proto)
Definition: socket.h:629
receive_cr_response
void receive_cr_response(struct context *c, const struct buffer *buffer)
Definition: push.c:266
PIPV6_ICMP_NOHOST_CLIENT
#define PIPV6_ICMP_NOHOST_CLIENT
Definition: forward.h:311
link_socket_write_post_size_adjust
static void link_socket_write_post_size_adjust(int *size, int size_delta, struct buffer *buf)
Definition: forward.c:915
link_socket_write
static ssize_t link_socket_write(struct link_socket *sock, struct buffer *buf, struct link_socket_actual *to)
Definition: socket.h:1196
context_2::session_interval
struct event_timeout session_interval
Definition: openvpn.h:290
event_timeout_defined
static bool event_timeout_defined(const struct event_timeout *et)
Definition: interval.h:144
is_ipv4
bool is_ipv4(int tunnel_type, struct buffer *buf)
Definition: proto.c:111
openvpn_iphdr
Definition: proto.h:92
event_set_return::rwflags
unsigned int rwflags
Definition: event.h:126
link_socket_actual::dest
struct openvpn_sockaddr dest
Definition: socket.h:90
event_timeout_clear
static void event_timeout_clear(struct event_timeout *et)
Clears the timeout and reset all values to 0.
Definition: interval.h:155
register_signal
void register_signal(struct signal_info *si, int signum, const char *signal_text)
Register a soft signal in the signal_info struct si respecting priority.
Definition: sig.c:231
context_buffers::read_tun_buf
struct buffer read_tun_buf
Definition: openvpn.h:114
OPENVPN_ICMP6_DU_NOROUTE
#define OPENVPN_ICMP6_DU_NOROUTE
Definition: proto.h:144
event_arg::type
event_arg_t type
Definition: event.h:143
memdbg.h
context_2::ping_rec_interval
struct event_timeout ping_rec_interval
Definition: openvpn.h:284
context_2::original_recv_size
int original_recv_size
Definition: openvpn.h:307
incoming_push_message
void incoming_push_message(struct context *c, const struct buffer *buffer)
Definition: push.c:507
fragment_incoming
void fragment_incoming(struct fragment_master *f, struct buffer *buf, const struct frame *frame)
Process an incoming packet, which may or may not be fragmented.
Definition: fragment.c:136
options::inactivity_timeout
int inactivity_timeout
Definition: options.h:343
context_2::coarse_timer_wakeup
time_t coarse_timer_wakeup
Definition: openvpn.h:399
tun_set
static void tun_set(struct tuntap *tt, struct event_set *es, unsigned int rwflags, void *arg, unsigned int *persistent)
Definition: tun.h:748
interval_future_trigger
static void interval_future_trigger(struct interval *top, interval_t wakeup)
Definition: interval.h:108
SOCKET_READ
#define SOCKET_READ
Definition: event.h:62
TLSMP_RECONNECT
#define TLSMP_RECONNECT
Definition: ssl.h:231
frame_adjust_path_mtu
void frame_adjust_path_mtu(struct context *c)
Checks and adjusts the fragment and mssfix value according to the discovered path mtu value.
Definition: mss.c:355
link_socket_get_outgoing_addr
static void link_socket_get_outgoing_addr(struct buffer *buf, const struct link_socket_info *info, struct link_socket_actual **act)
Definition: socket.h:963
CN_OUTGOING
#define CN_OUTGOING
Definition: clinat.h:31
event_timeout_reset
static void event_timeout_reset(struct event_timeout *et)
Resets a timer.
Definition: interval.h:189
msg
#define msg(flags,...)
Definition: error.h:144
P_DATA_V1
#define P_DATA_V1
Definition: ssl_pkt.h:48
check_incoming_control_channel
static void check_incoming_control_channel(struct context *c)
Definition: forward.c:289
socket_stat
const char * socket_stat(const struct link_socket *s, unsigned int rwflags, struct gc_arena *gc)
Definition: socket.c:2612
tuntap_stop
static bool tuntap_stop(int status)
Definition: tun.h:499
frame::tun_mtu
int tun_mtu
the (user) configured tun-mtu.
Definition: mtu.h:131
link_socket::socks_proxy
struct socks_proxy_info * socks_proxy
Definition: socket.h:241
ISC_ERRORS
#define ISC_ERRORS
Definition: init.h:115
options::ifconfig_ipv6_remote
const char * ifconfig_ipv6_remote
Definition: options.h:325
perf_push
static void perf_push(int type)
Definition: perf.h:78
check_send_occ_msg
static void check_send_occ_msg(struct context *c)
Definition: occ.h:140
buf_printf
bool buf_printf(struct buffer *buf, const char *format,...)
Definition: buffer.c:240
PERF_READ_IN_LINK
#define PERF_READ_IN_LINK
Definition: perf.h:51
management_io
void management_io(struct management *man)
Definition: manage.c:3167
sockethandle_t::is_handle
bool is_handle
Definition: socket.h:290
ip_checksum
uint16_t ip_checksum(const sa_family_t af, const uint8_t *payload, const int len_payload, const uint8_t *src_addr, const uint8_t *dest_addr, const int proto)
Calculates an IP or IPv6 checksum with a pseudo header as required by TCP, UDP and ICMPv6.
Definition: proto.c:123
tv_string
const char * tv_string(const struct timeval *tv, struct gc_arena *gc)
Definition: otime.c:82
check_add_routes_action
static void check_add_routes_action(struct context *c, const bool errors)
Definition: forward.c:427
link_socket_info::af
sa_family_t af
Definition: socket.h:121
multi_io::es
struct event_set * es
Definition: multi_io.h:54
initialization_sequence_completed
void initialization_sequence_completed(struct context *c, const unsigned int flags)
Definition: init.c:1590
frame::headroom
int headroom
the headroom in the buffer, this is choosen to allow all potential header to be added before the pack...
Definition: mtu.h:108
check_add_routes
static void check_add_routes(struct context *c)
Definition: forward.c:442
buf_copy_n
static bool buf_copy_n(struct buffer *dest, struct buffer *src, int n)
Definition: buffer.h:718
D_SCHED_EXIT
#define D_SCHED_EXIT
Definition: errlevel.h:89
options::pull
bool pull
Definition: options.h:556
event_timeout_remaining
static interval_t event_timeout_remaining(struct event_timeout *et)
Returns the time until the timeout should triggered, from now.
Definition: interval.h:219
crypto_options
Security parameter state for processing data channel packets.
Definition: crypto.h:291
openvpn_sockaddr::addr
union openvpn_sockaddr::@20 addr
write_tun
int write_tun(struct tuntap *tt, uint8_t *buf, int len)
event_wait
static int event_wait(struct event_set *es, const struct timeval *tv, struct event_set_return *out, int outlen)
Definition: event.h:187
PROTO_UDP
@ PROTO_UDP
Definition: socket.h:568
context::c1
struct context_1 c1
Level 1 context.
Definition: openvpn.h:513
connection_established
static bool connection_established(struct context *c)
Definition: forward.h:430
context_immediate_reschedule
static void context_immediate_reschedule(struct context *c)
Definition: forward.c:129
write_tun_buffered
static int write_tun_buffered(struct tuntap *tt, struct buffer *buf)
Definition: tun.h:669
OPENVPN_ETH_P_IPV6
#define OPENVPN_ETH_P_IPV6
Definition: proto.h:60
gc
struct gc_arena gc
Definition: test_ssl.c:155
buffer::data
uint8_t * data
Pointer to the allocated memory.
Definition: buffer.h:68
send_control_channel_string
bool send_control_channel_string(struct context *c, const char *str, int msglevel)
Definition: forward.c:410
fragment_outgoing_defined
static bool fragment_outgoing_defined(struct fragment_master *f)
Check whether a fragment_master structure contains fragments ready to be sent.
Definition: fragment.h:438
tls_pre_decrypt
bool tls_pre_decrypt(struct tls_multi *multi, const struct link_socket_actual *from, struct buffer *buf, struct crypto_options **opt, bool floated, const uint8_t **ad_start)
Determine whether an incoming packet is a data channel or control channel packet, and process accordi...
Definition: ssl.c:3683
context_2::fast_io
bool fast_io
Definition: openvpn.h:424
context::net_ctx
openvpn_net_ctx_t net_ctx
Networking API opaque context.
Definition: openvpn.h:498
Generated by   doxygen 1.8.17