OpenVPN
forward.c
Go to the documentation of this file.
1/*
2 * OpenVPN -- An application to securely tunnel IP networks
3 * over a single TCP/UDP port, with support for SSL/TLS-based
4 * session authentication and key exchange,
5 * packet encryption, packet authentication, and
6 * packet compression.
7 *
8 * Copyright (C) 2002-2025 OpenVPN Inc <sales@openvpn.net>
9 *
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License version 2
12 * as published by the Free Software Foundation.
13 *
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
18 *
19 * You should have received a copy of the GNU General Public License along
20 * with this program; if not, see <https://www.gnu.org/licenses/>.
21 */
22
23#ifdef HAVE_CONFIG_H
24#include "config.h"
25#endif
26
27#include "syshead.h"
28
29#include "forward.h"
30#include "init.h"
31#include "push.h"
32#include "gremlin.h"
33#include "mss.h"
34#include "event.h"
35#include "occ.h"
36#include "ping.h"
37#include "ps.h"
38#include "dhcp.h"
39#include "common.h"
40#include "ssl_verify.h"
41#include "dco.h"
42#include "auth_token.h"
43#include "tun_afunix.h"
44
45#include "memdbg.h"
46
47#include "mstats.h"
48
51
52/* show event wait debugging info */
53
54#ifdef ENABLE_DEBUG
55
56static const char *
57wait_status_string(struct context *c, struct gc_arena *gc)
58{
59 struct buffer out = alloc_buf_gc(64, gc);
60
61 buf_printf(&out, "I/O WAIT %s|%s| %s", tun_stat(c->c1.tuntap, EVENT_READ, gc),
62 tun_stat(c->c1.tuntap, EVENT_WRITE, gc), tv_string(&c->c2.timeval, gc));
63 for (int i = 0; i < c->c1.link_sockets_num; i++)
64 {
65 buf_printf(&out, "\n %s|%s", socket_stat(c->c2.link_sockets[i], EVENT_READ, gc),
66 socket_stat(c->c2.link_sockets[i], EVENT_WRITE, gc));
67 }
68 return BSTR(&out);
69}
70
71static void
73{
74 struct gc_arena gc = gc_new();
75 dmsg(D_EVENT_WAIT, "%s", wait_status_string(c, &gc));
76 gc_free(&gc);
77}
78
79#endif /* ifdef ENABLE_DEBUG */
80
81static void
83{
84 msg(D_STREAM_ERRORS, "Fatal TLS error (check_tls_errors_co), restarting");
85 register_signal(c->sig, c->c2.tls_exit_signal, "tls-error"); /* SOFT-SIGUSR1 -- TLS error */
86}
87
88static void
90{
91 register_signal(c->sig, c->c2.tls_exit_signal, "tls-error"); /* SOFT-SIGUSR1 -- TLS error */
92}
93
94/*
95 * TLS errors are fatal in TCP mode.
96 * Also check for --tls-exit trigger.
97 */
98static inline void
100{
101 if (c->c2.tls_multi && c->c2.tls_exit_signal)
102 {
104 {
105 if (c->c2.tls_multi->n_soft_errors)
106 {
108 }
109 }
110 else
111 {
112 if (c->c2.tls_multi->n_hard_errors)
113 {
115 }
116 }
117 }
118}
119
120/*
121 * Set our wakeup to 0 seconds, so we will be rescheduled
122 * immediately.
123 */
124static inline void
126{
127 c->c2.timeval.tv_sec = 0; /* ZERO-TIMEOUT */
128 c->c2.timeval.tv_usec = 0;
129}
130
131static inline void
133{
134 if (sec < 0)
135 {
136 sec = 0;
137 }
138 if (sec < c->c2.timeval.tv_sec)
139 {
140 c->c2.timeval.tv_sec = sec;
141 c->c2.timeval.tv_usec = 0;
142 }
143}
144
145void
147{
148 /* DCO context is not yet initialised or enabled */
149 if (!dco_enabled(&c->options))
150 {
151 return;
152 }
153
154 /* no active peer (p2p tls-server mode) */
155 if (c->c2.tls_multi->dco_peer_id == -1)
156 {
157 return;
158 }
159
160 if (!dco_update_keys(&c->c1.tuntap->dco, c->c2.tls_multi))
161 {
162 /* Something bad happened. Kill the connection to
163 * be able to recover. */
164 register_signal(c->sig, SIGUSR1, "dco update keys error");
165 }
166}
167
168/*
169 * In TLS mode, let TLS level respond to any control-channel
170 * packets which were received, or prepare any packets for
171 * transmission.
172 *
173 * tmp_int is purely an optimization that allows us to call
174 * tls_multi_process less frequently when there's not much
175 * traffic on the control-channel.
176 *
177 */
178static void
180{
181 interval_t wakeup = BIG_TIMEOUT;
182
183 if (interval_test(&c->c2.tmp_int))
184 {
185 const int tmp_status = tls_multi_process(
186 c->c2.tls_multi, &c->c2.to_link, &c->c2.to_link_addr, get_link_socket_info(c), &wakeup);
187
188 if (tmp_status == TLSMP_RECONNECT)
189 {
192 }
193
194 if (tmp_status == TLSMP_ACTIVE || tmp_status == TLSMP_RECONNECT)
195 {
196 update_time();
198 }
199 else if (tmp_status == TLSMP_KILL)
200 {
201 if (c->options.mode == MODE_SERVER)
202 {
204 }
205 else
206 {
207 register_signal(c->sig, SIGTERM, "auth-control-exit");
208 }
209 }
210
212 }
213
214 interval_schedule_wakeup(&c->c2.tmp_int, &wakeup);
215
216 /*
217 * Our current code has no good hooks in the TLS machinery to update
218 * DCO keys. So we check the key status after the whole TLS machinery
219 * has been completed and potentially update them
220 *
221 * We have a hidden state transition from secondary to primary key based
222 * on ks->auth_deferred_expire that DCO needs to check that the normal
223 * TLS state engine does not check. So we call the \c check_dco_key_status
224 * function even if tmp_status does not indicate that something has changed.
225 */
227
228 if (wakeup)
229 {
230 context_reschedule_sec(c, wakeup);
231 }
232}
233
234static void
236{
237 if (buf_string_match_head_str(buf, "AUTH_FAILED"))
238 {
239 receive_auth_failed(c, buf);
240 }
241 else if (buf_string_match_head_str(buf, "PUSH_"))
242 {
243 incoming_push_message(c, buf);
244 }
245 else if (buf_string_match_head_str(buf, "RESTART"))
246 {
247 server_pushed_signal(c, buf, true, 7);
248 }
249 else if (buf_string_match_head_str(buf, "HALT"))
250 {
251 server_pushed_signal(c, buf, false, 4);
252 }
253 else if (buf_string_match_head_str(buf, "INFO_PRE"))
254 {
255 server_pushed_info(buf, 8);
256 }
257 else if (buf_string_match_head_str(buf, "INFO"))
258 {
259 server_pushed_info(buf, 4);
260 }
261 else if (buf_string_match_head_str(buf, "CR_RESPONSE"))
262 {
263 receive_cr_response(c, buf);
264 }
265 else if (buf_string_match_head_str(buf, "AUTH_PENDING"))
266 {
267 receive_auth_pending(c, buf);
268 }
269 else if (buf_string_match_head_str(buf, "EXIT"))
270 {
272 }
273 else
274 {
275 msg(D_PUSH_ERRORS, "WARNING: Received unknown control message: %s", BSTR(buf));
276 }
277}
278
279/*
280 * Handle incoming configuration
281 * messages on the control channel.
282 */
283static void
285{
286 int len = tls_test_payload_len(c->c2.tls_multi);
287 /* We should only be called with len >0 */
288 ASSERT(len > 0);
289
290 struct gc_arena gc = gc_new();
291 struct buffer buf = alloc_buf_gc(len, &gc);
292 if (tls_rec_payload(c->c2.tls_multi, &buf))
293 {
294 while (BLEN(&buf) > 1)
295 {
296 struct buffer cmdbuf = extract_command_buffer(&buf, &gc);
297
298 if (cmdbuf.len > 0)
299 {
301 }
302 }
303 }
304 else
305 {
306 msg(D_PUSH_ERRORS, "WARNING: Receive control message failed");
307 }
308
309 gc_free(&gc);
310}
311
312/*
313 * Periodically resend PUSH_REQUEST until PUSH message received
314 */
315static void
317{
319
320 /* if no response to first push_request, retry at PUSH_REQUEST_INTERVAL second intervals */
321 event_timeout_modify_wakeup(&c->c2.push_request_interval, PUSH_REQUEST_INTERVAL);
322}
323
324/*
325 * Things that need to happen immediately after connection initiation should go here.
326 *
327 * Options like --up-delay need to be triggered by this function which
328 * checks for connection establishment.
329 *
330 * Note: The process_incoming_push_reply currently assumes that this function
331 * only sets up the pull request timer when pull is enabled.
332 */
333static void
335{
337 {
338 /* if --pull was specified, send a push request to server */
339 if (c->c2.tls_multi && c->options.pull)
340 {
341#ifdef ENABLE_MANAGEMENT
342 if (management)
343 {
345 NULL);
346 }
347#endif
348 /* fire up push request right away (already 1s delayed) */
349 /* We might receive a AUTH_PENDING request before we armed this
350 * timer. In that case we don't change the value */
351 if (c->c2.push_request_timeout < now)
352 {
353 c->c2.push_request_timeout = now + c->options.handshake_window;
354 }
355 event_timeout_init(&c->c2.push_request_interval, 0, now);
357 }
358 else
359 {
360 if (!do_up(c, false, 0))
361 {
362 register_signal(c->sig, SIGUSR1, "connection initialisation failed");
363 }
364 }
365
366 event_timeout_clear(&c->c2.wait_for_connect);
367 }
368}
369
370#if defined(__GNUC__) || defined(__clang__)
371#pragma GCC diagnostic push
372#pragma GCC diagnostic ignored "-Wconversion"
373#endif
374
375bool
377 msglvl_t msglevel)
378{
379 struct gc_arena gc = gc_new();
380 bool stat;
381
383 struct key_state *ks = &session->key[KS_PRIMARY];
384
385 /* buffered cleartext write onto TLS control channel */
386 stat = tls_send_payload(ks, (uint8_t *)str, strlen(str) + 1);
387
388 msg(msglevel, "SENT CONTROL [%s]: '%s' (status=%d)",
389 session->common_name ? session->common_name : "UNDEF", sanitize_control_message(str, &gc),
390 (int)stat);
391
392 gc_free(&gc);
393 return stat;
394}
395
396void
398{
400 context_immediate_reschedule(c); /* ZERO-TIMEOUT */
401}
402
403bool
404send_control_channel_string(struct context *c, const char *str, msglvl_t msglevel)
405{
406 if (c->c2.tls_multi)
407 {
409 bool ret = send_control_channel_string_dowork(session, str, msglevel);
411
412 return ret;
413 }
414 return true;
415}
416/*
417 * Add routes.
418 */
419
420static void
421check_add_routes_action(struct context *c, const bool errors)
422{
423 bool route_status = do_route(&c->options, c->c1.route_list, c->c1.route_ipv6_list, c->c1.tuntap,
424 c->plugins, c->c2.es, &c->net_ctx);
425
426 int flags = (errors ? ISC_ERRORS : 0);
427 flags |= (!route_status ? ISC_ROUTE_ERRORS : 0);
428
429 update_time();
432 initialization_sequence_completed(c, flags); /* client/p2p --route-delay was defined */
433}
434
435static void
437{
438 if (test_routes(c->c1.route_list, c->c1.tuntap))
439 {
440 check_add_routes_action(c, false);
441 }
443 {
445 }
446 else
447 {
448 msg(D_ROUTE, "Route: Waiting for TUN/TAP interface to come up...");
449 if (c->c1.tuntap)
450 {
451 if (!tun_standby(c->c1.tuntap))
452 {
453 register_signal(c->sig, SIGHUP, "ip-fail");
455#ifdef _WIN32
458#endif
459 }
460 }
461 update_time();
462 if (c->c2.route_wakeup.n != 1)
463 {
465 }
467 }
468}
469
470/*
471 * Should we exit due to inactivity timeout?
472 *
473 * In the non-dco case, the timeout is reset via register_activity()
474 * whenever there is sufficient activity on tun or link, so this function
475 * is only ever called to raise the TERM signal.
476 *
477 * With DCO, OpenVPN does not see incoming or outgoing data packets anymore
478 * and the logic needs to change - we permit the event to trigger and check
479 * kernel DCO counters here, returning and rearming the timer if there was
480 * sufficient traffic.
481 */
482static void
484{
485 if (dco_enabled(&c->options) && dco_get_peer_stats(c, true) == 0)
486 {
487 int64_t tot_bytes = c->c2.tun_read_bytes + c->c2.tun_write_bytes;
488 int64_t new_bytes = tot_bytes - c->c2.inactivity_bytes;
489
490 if (new_bytes > c->options.inactivity_minimum_bytes)
491 {
492 c->c2.inactivity_bytes = tot_bytes;
494 return;
495 }
496 }
497
498 msg(M_INFO, "Inactivity timeout (--inactive), exiting");
499 register_signal(c->sig, SIGTERM, "inactive");
500}
501
502int
504{
505 update_time();
506 int remaining = event_timeout_remaining(server_poll_timeout);
507 return max_int(0, remaining);
508}
509
510static void
512{
514 ASSERT(c->c2.tls_multi);
516 {
517 msg(M_INFO, "Server poll timeout, restarting");
518 register_signal(c->sig, SIGUSR1, "server_poll");
520 }
521}
522
523/*
524 * Schedule a SIGTERM signal c->options.scheduled_exit_interval seconds from now.
525 */
526bool
528{
529 const int n_seconds = c->options.scheduled_exit_interval;
530 /* don't reschedule if already scheduled. */
532 {
533 return false;
534 }
536 update_time();
538 event_timeout_init(&c->c2.scheduled_exit, n_seconds, now);
539 c->c2.scheduled_exit_signal = SIGTERM;
540 msg(D_SCHED_EXIT, "Delayed exit in %d seconds", n_seconds);
541 return true;
542}
543
544/*
545 * Scheduled exit?
546 */
547static void
549{
550 register_signal(c->sig, c->c2.scheduled_exit_signal, "delayed-exit");
551}
552
553/*
554 * Should we write timer-triggered status file.
555 */
556static void
558{
559 if (c->c1.status_output)
560 {
562 }
563}
564
565#ifdef ENABLE_FRAGMENT
566/*
567 * Should we deliver a datagram fragment to remote?
568 * c is expected to be a single-link context (p2p or child)
569 */
570static void
572{
573 struct link_socket_info *lsi = get_link_socket_info(c);
574
575 /* OS MTU Hint? */
576 if (lsi->mtu_changed && lsi->lsa)
577 {
579 lsi->mtu_changed = false;
580 }
581
583 {
584 if (!c->c2.to_link.len)
585 {
586 /* encrypt a fragment for output to TCP/UDP port */
588 encrypt_sign(c, false);
589 }
590 }
591
593}
594#endif /* ifdef ENABLE_FRAGMENT */
595
596/*
597 * Buffer reallocation, for use with null encryption.
598 */
599static inline void
600buffer_turnover(const uint8_t *orig_buf, struct buffer *dest_stub, struct buffer *src_stub,
601 struct buffer *storage)
602{
603 if (orig_buf == src_stub->data && src_stub->data != storage->data)
604 {
605 buf_assign(storage, src_stub);
606 *dest_stub = *storage;
607 }
608 else
609 {
610 *dest_stub = *src_stub;
611 }
612}
613
614/*
615 * Compress, fragment, encrypt and HMAC-sign an outgoing packet.
616 * Input: c->c2.buf
617 * Output: c->c2.to_link
618 */
619void
620encrypt_sign(struct context *c, bool comp_frag)
621{
622 struct context_buffers *b = c->c2.buffers;
623 const uint8_t *orig_buf = c->c2.buf.data;
624 struct crypto_options *co = NULL;
625
626 if (dco_enabled(&c->options))
627 {
628 msg(M_WARN, "Attempting to send data packet while data channel offload is in use. "
629 "Dropping packet");
630 c->c2.buf.len = 0;
631 }
632
633 /*
634 * Drop non-TLS outgoing packet if client-connect script/plugin
635 * has not yet succeeded. In non-TLS tls_multi mode is not defined
636 * and we always pass packets.
637 */
639 {
640 c->c2.buf.len = 0;
641 }
642
643 if (comp_frag)
644 {
645#ifdef USE_COMP
646 /* Compress the packet. */
647 if (c->c2.comp_context)
648 {
649 (*c->c2.comp_context->alg.compress)(&c->c2.buf, b->compress_buf, c->c2.comp_context,
650 &c->c2.frame);
651 }
652#endif
653#ifdef ENABLE_FRAGMENT
654 if (c->c2.fragment)
655 {
657 }
658#endif
659 }
660
661 /* initialize work buffer with buf.headroom bytes of prepend capacity */
663
664 if (c->c2.tls_multi)
665 {
666 /* Get the key we will use to encrypt the packet. */
667 tls_pre_encrypt(c->c2.tls_multi, &c->c2.buf, &co);
668 /* If using P_DATA_V2, prepend the 1-byte opcode and 3-byte peer-id to the
669 * packet before openvpn_encrypt(), so we can authenticate the opcode too.
670 */
671 if (c->c2.buf.len > 0 && c->c2.tls_multi->use_peer_id)
672 {
674 }
675 }
676 else
677 {
678 co = &c->c2.crypto_options;
679 }
680
681 /* Encrypt and authenticate the packet */
682 openvpn_encrypt(&c->c2.buf, b->encrypt_buf, co);
683
684 /* Do packet administration */
685 if (c->c2.tls_multi)
686 {
687 if (c->c2.buf.len > 0 && !c->c2.tls_multi->use_peer_id)
688 {
690 }
692 }
693
694 /*
695 * Get the address we will be sending the packet to.
696 */
698
699 /* if null encryption, copy result to read_tun_buf */
700 buffer_turnover(orig_buf, &c->c2.to_link, &c->c2.buf, &b->read_tun_buf);
701}
702
703/*
704 * Should we exit due to session timeout?
705 */
706static void
708{
711 {
712 msg(M_INFO, "Session timeout, exiting");
713 register_signal(c->sig, SIGTERM, "session-timeout");
714 }
715}
716
717/*
718 * Coarse timers work to 1 second resolution.
719 */
720static void
722{
723 /* flush current packet-id to file once per 60
724 * seconds if --replay-persist was specified */
727 {
729 }
730
731 /* Should we write timer-triggered status file */
732 if (c->c1.status_output
734 {
736 }
737
738 /* process connection establishment items */
740 {
742 }
743
744 /* see if we should send a push_request (option --pull) */
746 {
748 }
749
750 /* process --route options */
752 {
754 }
755
756 /* check if we want to refresh the auth-token */
758 {
760 }
761
762 /* possibly exit due to --inactive */
765 {
767 }
768
769 if (c->sig->signal_received)
770 {
771 return;
772 }
773
774 /* kill session if time is over */
776 if (c->sig->signal_received)
777 {
778 return;
779 }
780
781 /* restart if ping not received */
783 if (c->sig->signal_received)
784 {
785 return;
786 }
787
788 if (c->c2.tls_multi)
789 {
792 {
794 }
795 if (c->sig->signal_received)
796 {
797 return;
798 }
800 {
802 }
803 if (c->sig->signal_received)
804 {
805 return;
806 }
807 }
808
809 /* Should we send an OCC_REQUEST message? */
811
812 /* Should we send an MTU load test? */
814
815 /* Should we send an OCC_EXIT message to remote? */
817 {
819 }
820
821 /* Should we ping the remote? */
823
824#ifdef ENABLE_MANAGEMENT
825 if (management)
826 {
828 }
829#endif /* ENABLE_MANAGEMENT */
830}
831
832static void
834{
835 if (now < c->c2.coarse_timer_wakeup)
836 {
838 return;
839 }
840
841 const struct timeval save = c->c2.timeval;
842 c->c2.timeval.tv_sec = BIG_TIMEOUT;
843 c->c2.timeval.tv_usec = 0;
845 c->c2.coarse_timer_wakeup = now + c->c2.timeval.tv_sec;
846
847 dmsg(D_INTERVAL, "TIMER: coarse timer wakeup %" PRIi64 " seconds",
848 (int64_t)c->c2.timeval.tv_sec);
849
850 /* Is the coarse timeout NOT the earliest one? */
851 if (c->c2.timeval.tv_sec > save.tv_sec)
852 {
853 c->c2.timeval = save;
854 }
855}
856
857static void
859{
860 const int update_interval = 10; /* seconds */
861 c->c2.update_timeout_random_component = now + update_interval;
862 c->c2.timeout_random_component.tv_usec = (time_t)get_random() & 0x0003FFFF;
863 c->c2.timeout_random_component.tv_sec = 0;
864
865 dmsg(D_INTERVAL, "RANDOM USEC=%ld", (long)c->c2.timeout_random_component.tv_usec);
866}
867
868static inline void
870{
872 {
874 }
875 if (c->c2.timeval.tv_sec >= 1)
876 {
878 }
879}
880
881/*
882 * Handle addition and removal of the 10-byte Socks5 header
883 * in UDP packets.
884 */
885
886static inline void
888{
889 if (sock->socks_proxy && sock->info.proto == PROTO_UDP)
890 {
892 }
893}
894
895static inline void
897 struct link_socket_actual **to_addr, int *size_delta)
898{
899 if (sock->socks_proxy && sock->info.proto == PROTO_UDP)
900 {
901 *size_delta += socks_process_outgoing_udp(&c->c2.to_link, c->c2.to_link_addr);
902 *to_addr = &sock->socks_relay;
903 }
904}
905
906/* undo effect of socks_preprocess_outgoing_link */
907static inline void
908link_socket_write_post_size_adjust(int *size, int size_delta, struct buffer *buf)
909{
910 if (size_delta > 0 && *size > size_delta)
911 {
912 *size -= size_delta;
913 if (!buf_advance(buf, size_delta))
914 {
915 *size = 0;
916 }
917 }
918}
919
920/*
921 * Output: c->c2.buf
922 */
923
924void
925read_incoming_link(struct context *c, struct link_socket *sock)
926{
927 /*
928 * Set up for recvfrom call to read datagram
929 * sent to our TCP/UDP port.
930 */
931 int status;
932
933 /*ASSERT (!c->c2.to_tun.len);*/
934
936
937 c->c2.buf = c->c2.buffers->read_link_buf;
939
940 status = link_socket_read(sock, &c->c2.buf, &c->c2.from);
941
943 {
944#if PORT_SHARE
945 if (port_share && socket_foreign_protocol_detected(sock))
946 {
947 const struct buffer *fbuf = socket_foreign_protocol_head(sock);
948 const int sd = socket_foreign_protocol_sd(sock);
950 register_signal(c->sig, SIGTERM, "port-share-redirect");
951 }
952 else
953#endif
954 {
955 /* received a disconnect from a connection-oriented protocol */
956 if (event_timeout_defined(&c->c2.explicit_exit_notification_interval))
957 {
959 "Connection reset during exit notification period, ignoring [%d]", status);
961 }
962 else
963 {
965 "connection-reset"); /* SOFT-SIGUSR1 -- TCP connection reset */
966 msg(D_STREAM_ERRORS, "Connection reset, restarting [%d]", status);
967 }
968 }
969 perf_pop();
970 return;
971 }
972
973 /* check_status() call below resets last-error code */
975
976 /* check recvfrom status */
977 check_status(status, "read", sock, NULL);
978
979 if (dco_win_timeout)
980 {
982 }
983
984 /* Remove socks header if applicable */
986
987 perf_pop();
988}
989
990bool
992{
993 struct gc_arena gc = gc_new();
994 bool decrypt_status = false;
995
996 if (c->c2.buf.len > 0)
997 {
998 c->c2.link_read_bytes += c->c2.buf.len;
1000#ifdef ENABLE_MEMSTATS
1001 if (mmap_stats)
1002 {
1003 mmap_stats->link_read_bytes = link_read_bytes_global;
1004 }
1005#endif
1006 c->c2.original_recv_size = c->c2.buf.len;
1007 }
1008 else
1009 {
1010 c->c2.original_recv_size = 0;
1011 }
1012
1013#ifdef ENABLE_DEBUG
1014 /* take action to corrupt packet if we are in gremlin test mode */
1015 if (c->options.gremlin)
1016 {
1017 if (!ask_gremlin(c->options.gremlin))
1018 {
1019 c->c2.buf.len = 0;
1020 }
1021 corrupt_gremlin(&c->c2.buf, c->options.gremlin);
1022 }
1023#endif
1024
1025 /* log incoming packet */
1026#ifdef LOG_RW
1027 if (c->c2.log_rw && c->c2.buf.len > 0)
1028 {
1029 fprintf(stderr, "R");
1030 }
1031#endif
1032 msg(D_LINK_RW, "%s READ [%d] from %s: %s", proto2ascii(lsi->proto, lsi->af, true),
1033 BLEN(&c->c2.buf), print_link_socket_actual(&c->c2.from, &gc), PROTO_DUMP(&c->c2.buf, &gc));
1034
1035 /*
1036 * Good, non-zero length packet received.
1037 * Commence multi-stage processing of packet,
1038 * such as authenticate, decrypt, decompress.
1039 * If any stage fails, it sets buf.len to 0 or -1,
1040 * telling downstream stages to ignore the packet.
1041 */
1042 if (c->c2.buf.len > 0)
1043 {
1044 struct crypto_options *co = NULL;
1045 const uint8_t *ad_start = NULL;
1046 if (!link_socket_verify_incoming_addr(&c->c2.buf, lsi, &c->c2.from))
1047 {
1049 }
1050
1051 if (c->c2.tls_multi)
1052 {
1053 uint8_t opcode = *BPTR(&c->c2.buf) >> P_OPCODE_SHIFT;
1054
1055 /*
1056 * If DCO is enabled, the kernel drivers require that the
1057 * other end only sends P_DATA_V2 packets. V1 are unknown
1058 * to kernel and passed to userland, but we cannot handle them
1059 * either because crypto context is missing - so drop the packet.
1060 *
1061 * This can only happen with particular old (2.4.0-2.4.4) servers.
1062 */
1063 if ((opcode == P_DATA_V1) && dco_enabled(&c->options))
1064 {
1065 msg(D_LINK_ERRORS, "Data Channel Offload doesn't support DATA_V1 packets. "
1066 "Upgrade your server to 2.4.5 or newer.");
1067 c->c2.buf.len = 0;
1068 }
1069
1070 /*
1071 * If tls_pre_decrypt returns true, it means the incoming
1072 * packet was a good TLS control channel packet. If so, TLS code
1073 * will deal with the packet and set buf.len to 0 so downstream
1074 * stages ignore it.
1075 *
1076 * If the packet is a data channel packet, tls_pre_decrypt
1077 * will load crypto_options with the correct encryption key
1078 * and return false.
1079 */
1080 if (tls_pre_decrypt(c->c2.tls_multi, &c->c2.from, &c->c2.buf, &co, floated, &ad_start))
1081 {
1083
1084 /* reset packet received timer if TLS packet */
1086 {
1088 }
1089 }
1090 }
1091 else
1092 {
1093 co = &c->c2.crypto_options;
1094 }
1095
1096 /*
1097 * Drop non-TLS packet if client-connect script/plugin and cipher selection
1098 * has not yet succeeded. In non-TLS mode tls_multi is not defined
1099 * and we always pass packets.
1100 */
1102 {
1103 c->c2.buf.len = 0;
1104 }
1105
1106 /* authenticate and decrypt the incoming packet */
1107 decrypt_status =
1108 openvpn_decrypt(&c->c2.buf, c->c2.buffers->decrypt_buf, co, &c->c2.frame, ad_start);
1109
1110 if (!decrypt_status
1111 /* on the instance context we have only one socket, so just check the first one */
1113 {
1114 /* decryption errors are fatal in TCP mode */
1115 register_signal(c->sig, SIGUSR1,
1116 "decryption-error"); /* SOFT-SIGUSR1 -- decryption error in TCP mode */
1117 msg(D_STREAM_ERRORS, "Fatal decryption error (process_incoming_link), restarting");
1118 }
1119 }
1120 else
1121 {
1122 buf_reset(&c->c2.to_tun);
1123 }
1124 gc_free(&gc);
1125
1126 return decrypt_status;
1127}
1128
1129void
1131 const uint8_t *orig_buf)
1132{
1133 if (c->c2.buf.len > 0)
1134 {
1135#ifdef ENABLE_FRAGMENT
1136 if (c->c2.fragment)
1137 {
1139 }
1140#endif
1141
1142#ifdef USE_COMP
1143 /* decompress the incoming packet */
1144 if (c->c2.comp_context)
1145 {
1146 (*c->c2.comp_context->alg.decompress)(&c->c2.buf, c->c2.buffers->decompress_buf,
1147 c->c2.comp_context, &c->c2.frame);
1148 }
1149#endif
1150
1151#ifdef PACKET_TRUNCATION_CHECK
1152 /* if (c->c2.buf.len > 1) --c->c2.buf.len; */
1153 ipv4_packet_size_verify(BPTR(&c->c2.buf), BLEN(&c->c2.buf), TUNNEL_TYPE(c->c1.tuntap),
1154 "POST_DECRYPT", &c->c2.n_trunc_post_decrypt);
1155#endif
1156
1157 /*
1158 * Set our "official" outgoing address, since
1159 * if buf.len is non-zero, we know the packet
1160 * authenticated. In TLS mode we do nothing
1161 * because TLS mode takes care of source address
1162 * authentication.
1163 *
1164 * Also, update the persisted version of our packet-id.
1165 */
1166 if (!TLS_MODE(c) && c->c2.buf.len > 0)
1167 {
1168 link_socket_set_outgoing_addr(lsi, &c->c2.from, NULL, c->c2.es);
1169 }
1170
1171 /* reset packet received timer */
1172 if (c->options.ping_rec_timeout && c->c2.buf.len > 0)
1173 {
1175 }
1176
1177 /* increment authenticated receive byte count */
1178 if (c->c2.buf.len > 0)
1179 {
1180 c->c2.link_read_bytes_auth += c->c2.buf.len;
1183 }
1184
1185 /* Did we just receive an openvpn ping packet? */
1186 if (is_ping_msg(&c->c2.buf))
1187 {
1188 dmsg(D_PING, "RECEIVED PING PACKET");
1189 c->c2.buf.len = 0; /* drop packet */
1190 }
1191
1192 /* Did we just receive an OCC packet? */
1193 if (is_occ_msg(&c->c2.buf))
1194 {
1196 }
1197
1198 buffer_turnover(orig_buf, &c->c2.to_tun, &c->c2.buf, &c->c2.buffers->read_link_buf);
1199
1200 /* to_tun defined + unopened tuntap can cause deadlock */
1201 if (!tuntap_defined(c->c1.tuntap))
1202 {
1203 c->c2.to_tun.len = 0;
1204 }
1205 }
1206 else
1207 {
1208 buf_reset(&c->c2.to_tun);
1209 }
1210}
1211
1212static void
1214{
1216
1217 struct link_socket_info *lsi = &sock->info;
1218 const uint8_t *orig_buf = c->c2.buf.data;
1219
1220 process_incoming_link_part1(c, lsi, false);
1221 process_incoming_link_part2(c, lsi, orig_buf);
1222
1223 perf_pop();
1224}
1225
1226void
1227extract_dco_float_peer_addr(const sa_family_t socket_family, struct openvpn_sockaddr *out_osaddr,
1228 const struct sockaddr *float_sa)
1229{
1230 if (float_sa->sa_family == AF_INET)
1231 {
1232 struct sockaddr_in *float4 = (struct sockaddr_in *)float_sa;
1233 /* DCO treats IPv4-mapped IPv6 addresses as pure IPv4. However, on a
1234 * dual-stack socket, we need to preserve the mapping otherwise openvpn
1235 * will not be able to find the peer by its transport address.
1236 */
1237 if (socket_family == AF_INET6)
1238 {
1239 out_osaddr->addr.in6.sin6_family = AF_INET6;
1240 out_osaddr->addr.in6.sin6_port = float4->sin_port;
1241
1242 memset(&out_osaddr->addr.in6.sin6_addr.s6_addr, 0, 10);
1243 out_osaddr->addr.in6.sin6_addr.s6_addr[10] = 0xff;
1244 out_osaddr->addr.in6.sin6_addr.s6_addr[11] = 0xff;
1245 memcpy(&out_osaddr->addr.in6.sin6_addr.s6_addr[12], &float4->sin_addr.s_addr,
1246 sizeof(in_addr_t));
1247 }
1248 else
1249 {
1250 memcpy(&out_osaddr->addr.in4, float4, sizeof(struct sockaddr_in));
1251 }
1252 }
1253 else
1254 {
1255 struct sockaddr_in6 *float6 = (struct sockaddr_in6 *)float_sa;
1256 memcpy(&out_osaddr->addr.in6, float6, sizeof(struct sockaddr_in6));
1257 }
1258}
1259
1260static void
1262{
1263#if defined(ENABLE_DCO) && (defined(TARGET_LINUX) || defined(TARGET_FREEBSD))
1264 dco_context_t *dco = &c->c1.tuntap->dco;
1265
1266 dco_do_read(dco);
1267
1268 /* no message for us to handle - platform specific code has logged details */
1269 if (dco->dco_message_type == 0)
1270 {
1271 return;
1272 }
1273
1274 /* FreeBSD currently sends us removal notifcation with the old peer-id in
1275 * p2p mode with the ping timeout reason, so ignore that one to not shoot
1276 * ourselves in the foot and removing the just established session */
1277 if (dco->dco_message_peer_id != c->c2.tls_multi->dco_peer_id)
1278 {
1280 "%s: received message for mismatching peer-id %d, "
1281 "expected %d",
1282 __func__, dco->dco_message_peer_id, c->c2.tls_multi->dco_peer_id);
1283 return;
1284 }
1285
1286 switch (dco->dco_message_type)
1287 {
1288 case OVPN_CMD_DEL_PEER:
1289 /* peer is gone, unset ID to prevent more kernel calls */
1290 c->c2.tls_multi->dco_peer_id = -1;
1291 if (dco->dco_del_peer_reason == OVPN_DEL_PEER_REASON_EXPIRED)
1292 {
1294 "%s: received peer expired notification of for peer-id "
1295 "%d",
1296 __func__, dco->dco_message_peer_id);
1298 return;
1299 }
1300 break;
1301
1302 case OVPN_CMD_SWAP_KEYS:
1303 msg(D_DCO_DEBUG, "%s: received key rotation notification for peer-id %d", __func__,
1304 dco->dco_message_peer_id);
1306 break;
1307
1308 default:
1309 msg(D_DCO_DEBUG, "%s: received message of type %u - ignoring", __func__,
1310 dco->dco_message_type);
1311 return;
1312 }
1313
1314#endif /* if defined(ENABLE_DCO) && (defined(TARGET_LINUX) || defined(TARGET_FREEBSD)) */
1315}
1316
1317/*
1318 * Output: c->c2.buf
1319 */
1320
1321void
1323{
1324 /*
1325 * Setup for read() call on TUN/TAP device.
1326 */
1327 /*ASSERT (!c->c2.to_link.len);*/
1328
1330
1331 c->c2.buf = c->c2.buffers->read_tun_buf;
1332
1333#ifdef _WIN32
1334 /* we cannot end up here when using dco */
1335 ASSERT(!dco_enabled(&c->options));
1336
1337 sockethandle_t sh = { .is_handle = true, .h = c->c1.tuntap->hand, .prepend_sa = false };
1338 sockethandle_finalize(sh, &c->c1.tuntap->reads, &c->c2.buf, NULL);
1339#else /* ifdef _WIN32 */
1343 {
1344 c->c2.buf.len =
1346 }
1347 else
1348 {
1349 c->c2.buf.len = read_tun(c->c1.tuntap, BPTR(&c->c2.buf), c->c2.frame.buf.payload_size);
1350 }
1351#endif /* ifdef _WIN32 */
1352
1353#ifdef PACKET_TRUNCATION_CHECK
1354 ipv4_packet_size_verify(BPTR(&c->c2.buf), BLEN(&c->c2.buf), TUNNEL_TYPE(c->c1.tuntap),
1355 "READ_TUN", &c->c2.n_trunc_tun_read);
1356#endif
1357
1358 /* Was TUN/TAP interface stopped? */
1359 if (tuntap_stop(c->c2.buf.len))
1360 {
1361 register_signal(c->sig, SIGTERM, "tun-stop");
1362 msg(M_INFO, "TUN/TAP interface has been stopped, exiting");
1363 perf_pop();
1364 return;
1365 }
1366
1367 /* Was TUN/TAP I/O operation aborted? */
1368 if (tuntap_abort(c->c2.buf.len))
1369 {
1370 register_signal(c->sig, SIGHUP, "tun-abort");
1372 msg(M_INFO, "TUN/TAP I/O operation aborted, restarting");
1373 perf_pop();
1374 return;
1375 }
1376
1377 /* Check the status return from read() */
1378 check_status(c->c2.buf.len, "read from TUN/TAP", NULL, c->c1.tuntap);
1379
1380 perf_pop();
1381}
1382
1391static void
1393{
1394 bool drop = false;
1395 struct openvpn_sockaddr tun_sa;
1396 int ip_hdr_offset = 0;
1397
1398 if (c->c2.to_link_addr == NULL) /* no remote addr known */
1399 {
1400 return;
1401 }
1402
1403 tun_sa = c->c2.to_link_addr->dest;
1404
1405 int proto_ver = get_tun_ip_ver(TUNNEL_TYPE(c->c1.tuntap), &c->c2.buf, &ip_hdr_offset);
1406
1407 if (proto_ver == 4)
1408 {
1409 /* make sure we got whole IP header */
1410 if (BLEN(buf) < ((int)sizeof(struct openvpn_iphdr) + ip_hdr_offset))
1411 {
1412 return;
1413 }
1414
1415 /* skip ipv4 packets for ipv6 tun */
1416 if (tun_sa.addr.sa.sa_family != AF_INET)
1417 {
1418 return;
1419 }
1420
1421 struct openvpn_iphdr *pip = (struct openvpn_iphdr *)(BPTR(buf) + ip_hdr_offset);
1422
1423 /* drop packets with same dest addr as gateway */
1424 if (memcmp(&tun_sa.addr.in4.sin_addr.s_addr, &pip->daddr, sizeof(pip->daddr)) == 0)
1425 {
1426 drop = true;
1427 }
1428 }
1429 else if (proto_ver == 6)
1430 {
1431 /* make sure we got whole IPv6 header */
1432 if (BLEN(buf) < ((int)sizeof(struct openvpn_ipv6hdr) + ip_hdr_offset))
1433 {
1434 return;
1435 }
1436
1437 /* skip ipv6 packets for ipv4 tun */
1438 if (tun_sa.addr.sa.sa_family != AF_INET6)
1439 {
1440 return;
1441 }
1442
1443 struct openvpn_ipv6hdr *pip6 = (struct openvpn_ipv6hdr *)(BPTR(buf) + ip_hdr_offset);
1444
1445 /* drop packets with same dest addr as gateway */
1446 if (OPENVPN_IN6_ARE_ADDR_EQUAL(&tun_sa.addr.in6.sin6_addr, &pip6->daddr))
1447 {
1448 drop = true;
1449 }
1450 }
1451
1452 if (drop)
1453 {
1454 struct gc_arena gc = gc_new();
1455
1456 c->c2.buf.len = 0;
1457
1458 msg(D_LOW, "Recursive routing detected, drop tun packet to %s",
1460 gc_free(&gc);
1461 }
1462}
1463
1464/*
1465 * Input: c->c2.buf
1466 * Output: c->c2.to_link
1467 */
1468
1469void
1470process_incoming_tun(struct context *c, struct link_socket *out_sock)
1471{
1472 struct gc_arena gc = gc_new();
1473
1475
1476 if (c->c2.buf.len > 0)
1477 {
1478 c->c2.tun_read_bytes += c->c2.buf.len;
1479 }
1480
1481#ifdef LOG_RW
1482 if (c->c2.log_rw && c->c2.buf.len > 0)
1483 {
1484 fprintf(stderr, "r");
1485 }
1486#endif
1487
1488 /* Show packet content */
1489 dmsg(D_TUN_RW, "TUN READ [%d]", BLEN(&c->c2.buf));
1490
1491 if (c->c2.buf.len > 0)
1492 {
1494 {
1496 }
1497 /*
1498 * The --passtos and --mssfix options require
1499 * us to examine the IP header (IPv4 or IPv6).
1500 */
1501 unsigned int flags =
1503 process_ip_header(c, flags, &c->c2.buf, out_sock);
1504
1505#ifdef PACKET_TRUNCATION_CHECK
1506 /* if (c->c2.buf.len > 1) --c->c2.buf.len; */
1507 ipv4_packet_size_verify(BPTR(&c->c2.buf), BLEN(&c->c2.buf), TUNNEL_TYPE(c->c1.tuntap),
1508 "PRE_ENCRYPT", &c->c2.n_trunc_pre_encrypt);
1509#endif
1510 }
1511 if (c->c2.buf.len > 0)
1512 {
1513 encrypt_sign(c, true);
1514 }
1515 else
1516 {
1517 buf_reset(&c->c2.to_link);
1518 }
1519 perf_pop();
1520 gc_free(&gc);
1521}
1522
1533void
1534ipv6_send_icmp_unreachable(struct context *c, struct buffer *buf, bool client)
1535{
1536#define MAX_ICMPV6LEN 1280
1537 struct openvpn_icmp6hdr icmp6out;
1538 CLEAR(icmp6out);
1539
1540 /*
1541 * Get a buffer to the ip packet, is_ipv6 automatically forwards
1542 * the buffer to the ip packet
1543 */
1544 struct buffer inputipbuf = *buf;
1545
1546 is_ipv6(TUNNEL_TYPE(c->c1.tuntap), &inputipbuf);
1547
1548 if (BLEN(&inputipbuf) < (int)sizeof(struct openvpn_ipv6hdr))
1549 {
1550 return;
1551 }
1552
1553 const struct openvpn_ipv6hdr *pip6 = (struct openvpn_ipv6hdr *)BPTR(&inputipbuf);
1554
1555 /* Copy version, traffic class, flow label from input packet */
1556 struct openvpn_ipv6hdr pip6out = *pip6;
1557
1558 pip6out.version_prio = pip6->version_prio;
1559 pip6out.daddr = pip6->saddr;
1560
1561 /*
1562 * Use the IPv6 remote address if we have one, otherwise use a fake one
1563 * using the remote address is preferred since it makes debugging and
1564 * understanding where the ICMPv6 error originates easier
1565 */
1567 {
1568 inet_pton(AF_INET6, c->options.ifconfig_ipv6_remote, &pip6out.saddr);
1569 }
1570 else
1571 {
1572 inet_pton(AF_INET6, "fe80::7", &pip6out.saddr);
1573 }
1574
1576
1577 /*
1578 * The ICMPv6 unreachable code worked best in my (arne) tests with Windows,
1579 * Linux and Android. Windows did not like the administratively prohibited
1580 * return code (no fast fail)
1581 */
1584
1585 int icmpheader_len = sizeof(struct openvpn_ipv6hdr) + sizeof(struct openvpn_icmp6hdr);
1586 int totalheader_len = icmpheader_len;
1587
1588 if (TUNNEL_TYPE(c->c1.tuntap) == DEV_TYPE_TAP)
1589 {
1590 totalheader_len += sizeof(struct openvpn_ethhdr);
1591 }
1592
1593 /*
1594 * Calculate size for payload, defined in the standard that the resulting
1595 * frame should be <= 1280 and have as much as possible of the original
1596 * packet
1597 */
1598 int max_payload_size = min_int(MAX_ICMPV6LEN, c->c2.frame.tun_mtu - icmpheader_len);
1599 int payload_len = min_int(max_payload_size, BLEN(&inputipbuf));
1600
1601 pip6out.payload_len = htons(sizeof(struct openvpn_icmp6hdr) + payload_len);
1602
1603 /* Construct the packet as outgoing packet back to the client */
1604 struct buffer *outbuf;
1605 if (client)
1606 {
1607 c->c2.to_tun = c->c2.buffers->aux_buf;
1608 outbuf = &(c->c2.to_tun);
1609 }
1610 else
1611 {
1612 c->c2.to_link = c->c2.buffers->aux_buf;
1613 outbuf = &(c->c2.to_link);
1614 }
1616
1617 /* Fill the end of the buffer with original packet */
1618 ASSERT(buf_safe(outbuf, payload_len));
1619 ASSERT(buf_copy_n(outbuf, &inputipbuf, payload_len));
1620
1621 /* ICMP Header, copy into buffer to allow checksum calculation */
1623
1624 /* Calculate checksum over the packet and write to header */
1625
1629 ((struct openvpn_icmp6hdr *)BPTR(outbuf))->icmp6_cksum = htons(new_csum);
1630
1631
1632 /* IPv6 Header */
1633 ASSERT(buf_write_prepend(outbuf, &pip6out, sizeof(struct openvpn_ipv6hdr)));
1634
1635 /*
1636 * Tap mode, we also need to create an Ethernet header.
1637 */
1638 if (TUNNEL_TYPE(c->c1.tuntap) == DEV_TYPE_TAP)
1639 {
1640 if (BLEN(buf) < (int)sizeof(struct openvpn_ethhdr))
1641 {
1642 return;
1643 }
1644
1645 const struct openvpn_ethhdr *orig_ethhdr = (struct openvpn_ethhdr *)BPTR(buf);
1646
1647 /* Copy frametype and reverse source/destination for the response */
1648 struct openvpn_ethhdr ethhdr;
1649 memcpy(ethhdr.source, orig_ethhdr->dest, OPENVPN_ETH_ALEN);
1650 memcpy(ethhdr.dest, orig_ethhdr->source, OPENVPN_ETH_ALEN);
1651 ethhdr.proto = htons(OPENVPN_ETH_P_IPV6);
1652 ASSERT(buf_write_prepend(outbuf, &ethhdr, sizeof(struct openvpn_ethhdr)));
1653 }
1654#undef MAX_ICMPV6LEN
1655}
1656
1657void
1658process_ip_header(struct context *c, unsigned int flags, struct buffer *buf,
1659 struct link_socket *sock)
1660{
1661 if (!c->options.ce.mssfix)
1662 {
1663 flags &= ~PIP_MSSFIX;
1664 }
1665#if PASSTOS_CAPABILITY
1666 if (!c->options.passtos)
1667 {
1668 flags &= ~PIPV4_PASSTOS;
1669 }
1670#endif
1671 if (!c->options.client_nat)
1672 {
1673 flags &= ~PIPV4_CLIENT_NAT;
1674 }
1676 {
1677 flags &= ~PIPV4_EXTRACT_DHCP_ROUTER;
1678 }
1679 if (!c->options.block_ipv6)
1680 {
1682 }
1683
1684 if (buf->len > 0)
1685 {
1686 struct buffer ipbuf = *buf;
1687 if (is_ipv4(TUNNEL_TYPE(c->c1.tuntap), &ipbuf))
1688 {
1689#if PASSTOS_CAPABILITY
1690 /* extract TOS from IP header */
1691 if (flags & PIPV4_PASSTOS)
1692 {
1694 }
1695#endif
1696
1697 /* possibly alter the TCP MSS */
1698 if (flags & PIP_MSSFIX)
1699 {
1700 mss_fixup_ipv4(&ipbuf, c->c2.frame.mss_fix);
1701 }
1702
1703 /* possibly do NAT on packet */
1704 if ((flags & PIPV4_CLIENT_NAT) && c->options.client_nat)
1705 {
1706 const int direction = (flags & PIP_OUTGOING) ? CN_INCOMING : CN_OUTGOING;
1707 client_nat_transform(c->options.client_nat, &ipbuf, direction);
1708 }
1709 /* possibly extract a DHCP router message */
1710 if (flags & PIPV4_EXTRACT_DHCP_ROUTER)
1711 {
1713 if (dhcp_router)
1714 {
1715 route_list_add_vpn_gateway(c->c1.route_list, c->c2.es, dhcp_router);
1716 }
1717 }
1718 }
1719 else if (is_ipv6(TUNNEL_TYPE(c->c1.tuntap), &ipbuf))
1720 {
1721 /* possibly alter the TCP MSS */
1722 if (flags & PIP_MSSFIX)
1723 {
1724 mss_fixup_ipv6(&ipbuf, c->c2.frame.mss_fix);
1725 }
1726 if (!(flags & PIP_OUTGOING)
1728 {
1730 /* Drop the IPv6 packet */
1731 buf->len = 0;
1732 }
1733 }
1734 }
1735}
1736
1737/*
1738 * Input: c->c2.to_link
1739 */
1740
1741void
1743{
1744 struct gc_arena gc = gc_new();
1745 int error_code = 0;
1746
1748
1749 if (c->c2.to_link.len > 0 && c->c2.to_link.len <= c->c2.frame.buf.payload_size)
1750 {
1751 /*
1752 * Setup for call to send/sendto which will send
1753 * packet to remote over the TCP/UDP port.
1754 */
1755 int size = 0;
1757
1758#ifdef ENABLE_DEBUG
1759 /* In gremlin-test mode, we may choose to drop this packet */
1760 if (!c->options.gremlin || ask_gremlin(c->options.gremlin))
1761#endif
1762 {
1763 /*
1764 * Let the traffic shaper know how many bytes
1765 * we wrote.
1766 */
1767 if (c->options.shaper)
1768 {
1769 int overhead =
1770 datagram_overhead(c->c2.to_link_addr->dest.addr.sa.sa_family, sock->info.proto);
1771 shaper_wrote_bytes(&c->c2.shaper, BLEN(&c->c2.to_link) + overhead);
1772 }
1773
1774 /*
1775 * Let the pinger know that we sent a packet.
1776 */
1778 {
1780 }
1781
1782#if PASSTOS_CAPABILITY
1783 /* Set TOS */
1784 link_socket_set_tos(sock);
1785#endif
1786
1787 /* Log packet send */
1788#ifdef LOG_RW
1789 if (c->c2.log_rw)
1790 {
1791 fprintf(stderr, "W");
1792 }
1793#endif
1794 msg(D_LINK_RW, "%s WRITE [%d] to %s: %s",
1795 proto2ascii(sock->info.proto, sock->info.af, true), BLEN(&c->c2.to_link),
1797
1798 /* Packet send complexified by possible Socks5 usage */
1799 {
1800 struct link_socket_actual *to_addr = c->c2.to_link_addr;
1801 int size_delta = 0;
1802
1803 /* If Socks5 over UDP, prepend header */
1804 socks_preprocess_outgoing_link(c, sock, &to_addr, &size_delta);
1805
1806 /* Send packet */
1807 size = (int)link_socket_write(sock, &c->c2.to_link, to_addr);
1808
1809 /* Undo effect of prepend */
1810 link_socket_write_post_size_adjust(&size, size_delta, &c->c2.to_link);
1811 }
1812
1813 if (size > 0)
1814 {
1816 c->c2.link_write_bytes += size;
1818#ifdef ENABLE_MEMSTATS
1819 if (mmap_stats)
1820 {
1821 mmap_stats->link_write_bytes = link_write_bytes_global;
1822 }
1823#endif
1824 }
1825 }
1826
1827 /* Check return status */
1828 error_code = openvpn_errno();
1829 check_status(size, "write", sock, NULL);
1830
1831 if (size > 0)
1832 {
1833 /* Did we write a different size packet than we intended? */
1834 if (size != BLEN(&c->c2.to_link))
1835 {
1837 "TCP/UDP packet was truncated/expanded on write to %s (tried=%d,actual=%d)",
1839 }
1840 }
1841
1842 /* if not a ping/control message, indicate activity regarding --inactive parameter */
1843 if (c->c2.buf.len > 0)
1844 {
1845 register_activity(c, size);
1846 }
1847
1848 /* for unreachable network and "connecting" state switch to the next host */
1849
1850 bool unreachable = error_code ==
1851#ifdef _WIN32
1852 WSAENETUNREACH;
1853#else
1854 ENETUNREACH;
1855#endif
1856 if (size < 0 && unreachable && c->c2.tls_multi
1859 {
1860 msg(M_INFO, "Network unreachable, restarting");
1861 register_signal(c->sig, SIGUSR1, "network-unreachable");
1862 }
1863 }
1864 else
1865 {
1866 if (c->c2.to_link.len > 0)
1867 {
1868 msg(D_LINK_ERRORS, "TCP/UDP packet too large on write to %s (tried=%d,max=%d)",
1871 }
1872 }
1873
1874 buf_reset(&c->c2.to_link);
1875
1876 perf_pop();
1877 gc_free(&gc);
1878}
1879
1880/*
1881 * Input: c->c2.to_tun
1882 */
1883
1884void
1885process_outgoing_tun(struct context *c, struct link_socket *in_sock)
1886{
1887 /*
1888 * Set up for write() call to TUN/TAP
1889 * device.
1890 */
1891 if (c->c2.to_tun.len <= 0)
1892 {
1893 return;
1894 }
1895
1897
1898 /*
1899 * The --mssfix option requires
1900 * us to examine the IP header (IPv4 or IPv6).
1901 */
1903 &c->c2.to_tun, in_sock);
1904
1905 if (c->c2.to_tun.len <= c->c2.frame.buf.payload_size)
1906 {
1907 /*
1908 * Write to TUN/TAP device.
1909 */
1910 int size;
1911
1912#ifdef LOG_RW
1913 if (c->c2.log_rw)
1914 {
1915 fprintf(stderr, "w");
1916 }
1917#endif
1918 dmsg(D_TUN_RW, "TUN WRITE [%d]", BLEN(&c->c2.to_tun));
1919
1920#ifdef PACKET_TRUNCATION_CHECK
1921 ipv4_packet_size_verify(BPTR(&c->c2.to_tun), BLEN(&c->c2.to_tun), TUNNEL_TYPE(c->c1.tuntap),
1922 "WRITE_TUN", &c->c2.n_trunc_tun_write);
1923#endif
1924
1925#ifdef _WIN32
1926 size = tun_write_win32(c->c1.tuntap, &c->c2.to_tun);
1927#else
1929 {
1930 size = write_tun_afunix(c->c1.tuntap, BPTR(&c->c2.to_tun), BLEN(&c->c2.to_tun));
1931 }
1932 else
1933 {
1934 size = write_tun(c->c1.tuntap, BPTR(&c->c2.to_tun), BLEN(&c->c2.to_tun));
1935 }
1936#endif
1937
1938 if (size > 0)
1939 {
1940 c->c2.tun_write_bytes += size;
1941 }
1942 check_status(size, "write to TUN/TAP", NULL, c->c1.tuntap);
1943
1944 /* check written packet size */
1945 if (size > 0)
1946 {
1947 /* Did we write a different size packet than we intended? */
1948 if (size != BLEN(&c->c2.to_tun))
1949 {
1951 "TUN/TAP packet was destructively fragmented on write to %s (tried=%d,actual=%d)",
1952 c->c1.tuntap->actual_name, BLEN(&c->c2.to_tun), size);
1953 }
1954
1955 /* indicate activity regarding --inactive parameter */
1956 register_activity(c, size);
1957 }
1958 }
1959 else
1960 {
1961 /*
1962 * This should never happen, probably indicates some kind
1963 * of MTU mismatch.
1964 */
1965 msg(D_LINK_ERRORS, "tun packet too large on write (tried=%d,max=%d)", c->c2.to_tun.len,
1967 }
1968
1969 buf_reset(&c->c2.to_tun);
1970
1971 perf_pop();
1972}
1973
1974#if defined(__GNUC__) || defined(__clang__)
1975#pragma GCC diagnostic pop
1976#endif
1977
1978void
1980{
1981 /* make sure current time (now) is updated on function entry */
1982
1983 /*
1984 * Start with an effectively infinite timeout, then let it
1985 * reduce to a timeout that reflects the component which
1986 * needs the earliest service.
1987 */
1988 c->c2.timeval.tv_sec = BIG_TIMEOUT;
1989 c->c2.timeval.tv_usec = 0;
1990
1991#if defined(_WIN32)
1993 {
1994 c->c2.timeval.tv_sec = 1;
1995 if (tuntap_defined(c->c1.tuntap))
1996 {
1998 }
1999 }
2000#endif
2001
2002 /* check coarse timers? */
2004 if (c->sig->signal_received)
2005 {
2006 return;
2007 }
2008
2009 /* If tls is enabled, do tls control channel packet processing. */
2010 if (c->c2.tls_multi)
2011 {
2012 check_tls(c);
2013 }
2014
2015 /* In certain cases, TLS errors will require a restart */
2017 if (c->sig->signal_received)
2018 {
2019 return;
2020 }
2021
2022 /* check for incoming control messages on the control channel like
2023 * push request/reply/update, or authentication failure and 2FA messages */
2024 if (tls_test_payload_len(c->c2.tls_multi) > 0)
2025 {
2027 }
2028
2029 /* Should we send an OCC message? */
2031
2032#ifdef ENABLE_FRAGMENT
2033 /* Should we deliver a datagram fragment to remote? */
2034 if (c->c2.fragment)
2035 {
2036 check_fragment(c);
2037 }
2038#endif
2039
2040 /* Update random component of timeout */
2042}
2043
2044static void
2045multi_io_process_flags(struct context *c, struct event_set *es, const unsigned int flags,
2046 unsigned int *out_socket, unsigned int *out_tuntap)
2047{
2048 unsigned int socket = 0;
2049 unsigned int tuntap = 0;
2050 static uintptr_t tun_shift = TUN_SHIFT;
2051 static uintptr_t err_shift = ERR_SHIFT;
2052
2053 /*
2054 * Calculate the flags based on the provided 'flags' argument.
2055 */
2056 if ((c->options.mode != MODE_SERVER) && (flags & IOW_WAIT_SIGNAL))
2057 {
2058 wait_signal(es, (void *)err_shift);
2059 }
2060
2061 if (flags & IOW_TO_LINK)
2062 {
2063 if (flags & IOW_SHAPER)
2064 {
2065 /*
2066 * If sending this packet would put us over our traffic shaping
2067 * quota, don't send -- instead compute the delay we must wait
2068 * until it will be OK to send the packet.
2069 */
2070 int delay = 0;
2071
2072 /* set traffic shaping delay in microseconds */
2073 if (c->options.shaper)
2074 {
2075 delay = max_int(delay, shaper_delay(&c->c2.shaper));
2076 }
2077
2078 if (delay < 1000)
2079 {
2080 socket |= EVENT_WRITE;
2081 }
2082 else
2083 {
2084 shaper_soonest_event(&c->c2.timeval, delay);
2085 }
2086 }
2087 else
2088 {
2089 socket |= EVENT_WRITE;
2090 }
2091 }
2092 else if (!((flags & IOW_FRAG) && TO_LINK_FRAG(c)))
2093 {
2094 if (flags & IOW_READ_TUN)
2095 {
2096 tuntap |= EVENT_READ;
2097 }
2098 }
2099
2100 /*
2101 * If outgoing data (for TUN/TAP device) pending, wait for ready-to-send status
2102 * from device. Otherwise, wait for incoming data on TCP/UDP port.
2103 */
2104 if (flags & IOW_TO_TUN)
2105 {
2107 }
2108 else
2109 {
2110 if (flags & IOW_READ_LINK)
2111 {
2112 socket |= EVENT_READ;
2113 }
2114 }
2115
2116 /*
2117 * outgoing bcast buffer waiting to be sent?
2118 */
2119 if (flags & IOW_MBUF)
2120 {
2121 socket |= EVENT_WRITE;
2122 }
2123
2124 /*
2125 * Force wait on TUN input, even if also waiting on TCP/UDP output
2126 */
2127 if (flags & IOW_READ_TUN_FORCE)
2128 {
2129 tuntap |= EVENT_READ;
2130 }
2131
2132 /*
2133 * Configure event wait based on socket, tuntap flags.
2134 * (for TCP server sockets this happens in
2135 * socket_set_listen_persistent()).
2136 */
2137 for (int i = 0; i < c->c1.link_sockets_num; i++)
2138 {
2140 {
2141 socket_set(c->c2.link_sockets[i], es, socket, &c->c2.link_sockets[i]->ev_arg, NULL);
2142 }
2143 }
2144
2145 tun_set(c->c1.tuntap, es, tuntap, (void *)tun_shift, NULL);
2146
2147 if (out_socket)
2148 {
2149 *out_socket = socket;
2150 }
2151
2152 if (out_tuntap)
2153 {
2154 *out_tuntap = tuntap;
2155 }
2156}
2157
2158/*
2159 * Wait for I/O events. Used for both TCP & UDP sockets
2160 * in point-to-point mode and for UDP sockets in
2161 * point-to-multipoint mode.
2162 */
2163
2164void
2165get_io_flags_dowork_udp(struct context *c, struct multi_io *multi_io, const unsigned int flags)
2166{
2167 unsigned int out_socket, out_tuntap;
2168
2169 multi_io_process_flags(c, multi_io->es, flags, &out_socket, &out_tuntap);
2170 multi_io->udp_flags = out_socket | out_tuntap;
2171}
2172
2173void
2174get_io_flags_udp(struct context *c, struct multi_io *multi_io, const unsigned int flags)
2175{
2177 if (c->c2.fast_io && (flags & (IOW_TO_TUN | IOW_TO_LINK | IOW_MBUF)))
2178 {
2179 /* fast path -- only for TUN/TAP/UDP writes */
2180 unsigned int ret = 0;
2181 if (flags & IOW_TO_TUN)
2182 {
2183 ret |= TUN_WRITE;
2184 }
2185 if (flags & (IOW_TO_LINK | IOW_MBUF))
2186 {
2187 ret |= SOCKET_WRITE;
2188 }
2189 multi_io->udp_flags = ret;
2190 }
2191 else
2192 {
2193 /* slow path - delegate to io_wait_dowork_udp to calculate flags */
2195 }
2196}
2197
2198void
2199io_wait_dowork(struct context *c, const unsigned int flags)
2200{
2201 unsigned int out_socket;
2202 unsigned int out_tuntap;
2203 struct event_set_return esr[4];
2204
2205 /* These shifts all depend on EVENT_READ and EVENT_WRITE */
2206 static uintptr_t socket_shift = SOCKET_SHIFT; /* depends on SOCKET_READ and SOCKET_WRITE */
2207#ifdef ENABLE_MANAGEMENT
2208 static uintptr_t management_shift =
2209 MANAGEMENT_SHIFT; /* depends on MANAGEMENT_READ and MANAGEMENT_WRITE */
2210#endif
2211#ifdef ENABLE_ASYNC_PUSH
2212 static uintptr_t file_shift = FILE_SHIFT;
2213#endif
2214#if defined(TARGET_LINUX) || defined(TARGET_FREEBSD)
2215 static uintptr_t dco_shift = DCO_SHIFT; /* Event from DCO linux kernel module */
2216#endif
2217
2218 /*
2219 * Decide what kind of events we want to wait for.
2220 */
2222
2223 multi_io_process_flags(c, c->c2.event_set, flags, &out_socket, &out_tuntap);
2224
2225#if defined(TARGET_LINUX) || defined(TARGET_FREEBSD)
2226 if (out_socket & EVENT_READ && c->c2.did_open_tun)
2227 {
2228 dco_event_set(&c->c1.tuntap->dco, c->c2.event_set, (void *)dco_shift);
2229 }
2230#endif
2231
2232#ifdef ENABLE_MANAGEMENT
2233 if (management)
2234 {
2235 management_socket_set(management, c->c2.event_set, (void *)management_shift, NULL);
2236 }
2237#endif
2238
2239#ifdef ENABLE_ASYNC_PUSH
2240 /* arm inotify watcher */
2241 if (c->options.mode == MODE_SERVER)
2242 {
2243 event_ctl(c->c2.event_set, c->c2.inotify_fd, EVENT_READ, (void *)file_shift);
2244 }
2245#endif
2246
2247 /*
2248 * Possible scenarios:
2249 * (1) tcp/udp port has data available to read
2250 * (2) tcp/udp port is ready to accept more data to write
2251 * (3) tun dev has data available to read
2252 * (4) tun dev is ready to accept more data to write
2253 * (5) we received a signal (handler sets signal_received)
2254 * (6) timeout (tv) expired
2255 */
2256
2258
2259 if (!c->sig->signal_received)
2260 {
2261 if (!(flags & IOW_CHECK_RESIDUAL) || !sockets_read_residual(c))
2262 {
2263 int status;
2264
2265#ifdef ENABLE_DEBUG
2267 {
2268 show_wait_status(c);
2269 }
2270#endif
2271
2272 /*
2273 * Wait for something to happen.
2274 */
2275 status = event_wait(c->c2.event_set, &c->c2.timeval, esr, SIZE(esr));
2276
2277 check_status(status, "event_wait", NULL, NULL);
2278
2279 if (status > 0)
2280 {
2281 int i;
2282 c->c2.event_set_status = 0;
2283 for (i = 0; i < status; ++i)
2284 {
2285 const struct event_set_return *e = &esr[i];
2286 uintptr_t shift;
2287
2288 if (e->arg >= MULTI_N)
2289 {
2290 struct event_arg *ev_arg = (struct event_arg *)e->arg;
2291 if (ev_arg->type != EVENT_ARG_LINK_SOCKET)
2292 {
2294 msg(D_LINK_ERRORS, "io_work: non socket event delivered");
2295 return;
2296 }
2297
2298 shift = socket_shift;
2299 }
2300 else
2301 {
2302 shift = (uintptr_t)e->arg;
2303 }
2304
2305 c->c2.event_set_status |= ((e->rwflags & 3) << shift);
2306 }
2307 }
2308 else if (status == 0)
2309 {
2311 }
2312 }
2313 else
2314 {
2316 }
2317 }
2318
2319 /* 'now' should always be a reasonably up-to-date timestamp */
2320 update_time();
2321
2322 /* set signal_received if a signal was received */
2323 if (c->c2.event_set_status & ES_ERROR)
2324 {
2326 }
2327
2328 dmsg(D_EVENT_WAIT, "I/O WAIT status=0x%04x", c->c2.event_set_status);
2329}
2330
2331void
2333{
2334 const unsigned int status = c->c2.event_set_status;
2335
2336#ifdef ENABLE_MANAGEMENT
2338 {
2341 }
2342#endif
2343
2344 /* TCP/UDP port ready to accept write */
2345 if (status & SOCKET_WRITE)
2346 {
2348 }
2349 /* TUN device ready to accept write */
2350 else if (status & TUN_WRITE)
2351 {
2353 }
2354 /* Incoming data on TCP/UDP port */
2355 else if (status & SOCKET_READ)
2356 {
2358 if (!IS_SIG(c))
2359 {
2361 }
2362 }
2363 /* Incoming data on TUN device */
2364 else if (status & TUN_READ)
2365 {
2367 if (!IS_SIG(c))
2368 {
2370 }
2371 }
2372 else if (status & DCO_READ)
2373 {
2374 if (!IS_SIG(c))
2375 {
2377 }
2378 }
2379}
void check_send_auth_token(struct context *c)
Checks if the timer to resend the auth-token has expired and if a new auth-token should be send to th...
Definition auth_token.c:415
bool buf_printf(struct buffer *buf, const char *format,...)
Definition buffer.c:241
bool buf_assign(struct buffer *dest, const struct buffer *src)
Definition buffer.c:174
struct buffer alloc_buf_gc(size_t size, struct gc_arena *gc)
Definition buffer.c:89
bool buf_string_match_head_str(const struct buffer *src, const char *match)
Definition buffer.c:778
#define BSTR(buf)
Definition buffer.h:128
#define BPTR(buf)
Definition buffer.h:123
static bool buf_write_prepend(struct buffer *dest, const void *src, int size)
Definition buffer.h:672
static bool buf_copy_n(struct buffer *dest, struct buffer *src, int n)
Definition buffer.h:710
static void buf_reset(struct buffer *buf)
Definition buffer.h:303
static bool buf_safe(const struct buffer *buf, size_t len)
Definition buffer.h:518
static bool buf_advance(struct buffer *buf, int size)
Definition buffer.h:616
#define BLEN(buf)
Definition buffer.h:126
static void gc_free(struct gc_arena *a)
Definition buffer.h:1015
#define buf_init(buf, offset)
Definition buffer.h:209
static struct gc_arena gc_new(void)
Definition buffer.h:1007
void client_nat_transform(const struct client_nat_option_list *list, struct buffer *ipbuf, const int direction)
Definition clinat.c:184
#define CN_INCOMING
Definition clinat.h:31
#define CN_OUTGOING
Definition clinat.h:30
uint64_t counter_type
Definition common.h:29
int interval_t
Definition common.h:35
#define PUSH_REQUEST_INTERVAL
Definition common.h:92
#define BIG_TIMEOUT
Definition common.h:40
long int get_random(void)
Definition crypto.c:1725
static int dco_do_read(dco_context_t *dco)
Definition dco.h:311
static void dco_event_set(dco_context_t *dco, struct event_set *es, void *arg)
Definition dco.h:318
static bool dco_update_keys(dco_context_t *dco, struct tls_multi *multi)
Definition dco.h:330
void * dco_context_t
Definition dco.h:261
static int dco_get_peer_stats(struct context *c, const bool raise_sigusr1_on_err)
Definition dco.h:377
in_addr_t dhcp_extract_router_msg(struct buffer *ipbuf)
Definition dhcp.c:153
#define D_TUN_RW
Definition errlevel.h:113
#define D_TAP_WIN_DEBUG
Definition errlevel.h:114
#define D_PING
Definition errlevel.h:143
#define D_EVENT_WAIT
Definition errlevel.h:161
#define D_INTERVAL
Definition errlevel.h:157
#define D_STREAM_ERRORS
Definition errlevel.h:62
#define D_DCO_DEBUG
Definition errlevel.h:117
#define D_PUSH_ERRORS
Definition errlevel.h:66
#define D_LOW
Definition errlevel.h:96
#define M_INFO
Definition errlevel.h:54
#define D_SCHED_EXIT
Definition errlevel.h:88
#define D_ROUTE
Definition errlevel.h:79
#define D_LINK_ERRORS
Definition errlevel.h:56
#define D_LINK_RW
Definition errlevel.h:112
#define DCO_READ
Definition event.h:75
#define MANAGEMENT_SHIFT
Definition event.h:69
#define SOCKET_SHIFT
Definition event.h:60
#define TUN_WRITE
Definition event.h:65
#define SOCKET_READ
Definition event.h:61
#define MANAGEMENT_READ
Definition event.h:70
#define MANAGEMENT_WRITE
Definition event.h:71
static int event_wait(struct event_set *es, const struct timeval *tv, struct event_set_return *out, int outlen)
Definition event.h:189
#define ES_ERROR
Definition event.h:67
#define SOCKET_WRITE
Definition event.h:62
#define ES_TIMEOUT
Definition event.h:68
#define EVENT_WRITE
Definition event.h:39
#define MULTI_N
Definition event.h:88
#define TUN_SHIFT
Definition event.h:63
#define EVENT_READ
Definition event.h:38
#define FILE_SHIFT
Definition event.h:72
#define TUN_READ
Definition event.h:64
static void event_reset(struct event_set *es)
Definition event.h:171
static void wait_signal(struct event_set *es, void *arg)
Definition event.h:208
#define DCO_SHIFT
Definition event.h:74
#define ERR_SHIFT
Definition event.h:66
@ EVENT_ARG_LINK_SOCKET
Definition event.h:138
static void event_ctl(struct event_set *es, event_t event, unsigned int rwflags, void *arg)
Definition event.h:183
counter_type link_write_bytes_global
Definition forward.c:50
static void check_inactivity_timeout(struct context *c)
Definition forward.c:483
void reschedule_multi_process(struct context *c)
Reschedule tls_multi_process.
Definition forward.c:397
int get_server_poll_remaining_time(struct event_timeout *server_poll_timeout)
Definition forward.c:503
bool send_control_channel_string(struct context *c, const char *str, msglvl_t msglevel)
Definition forward.c:404
static void check_fragment(struct context *c)
Definition forward.c:571
static void check_tls_errors(struct context *c)
Definition forward.c:99
static void check_scheduled_exit(struct context *c)
Definition forward.c:548
#define MAX_ICMPV6LEN
static void check_session_timeout(struct context *c)
Definition forward.c:707
void process_io(struct context *c, struct link_socket *sock)
Definition forward.c:2332
static void context_reschedule_sec(struct context *c, int sec)
Definition forward.c:132
static void check_timeout_random_component(struct context *c)
Definition forward.c:869
bool schedule_exit(struct context *c)
Definition forward.c:527
static void process_coarse_timers(struct context *c)
Definition forward.c:721
static void check_connection_established(struct context *c)
Definition forward.c:334
static void check_timeout_random_component_dowork(struct context *c)
Definition forward.c:858
static void buffer_turnover(const uint8_t *orig_buf, struct buffer *dest_stub, struct buffer *src_stub, struct buffer *storage)
Definition forward.c:600
static void check_tls_errors_nco(struct context *c)
Definition forward.c:89
void ipv6_send_icmp_unreachable(struct context *c, struct buffer *buf, bool client)
Forges a IPv6 ICMP packet with a no route to host error code from the IPv6 packet in buf and sends it...
Definition forward.c:1534
bool send_control_channel_string_dowork(struct tls_session *session, const char *str, msglvl_t msglevel)
Definition forward.c:376
void get_io_flags_udp(struct context *c, struct multi_io *multi_io, const unsigned int flags)
Definition forward.c:2174
static void multi_io_process_flags(struct context *c, struct event_set *es, const unsigned int flags, unsigned int *out_socket, unsigned int *out_tuntap)
Definition forward.c:2045
void pre_select(struct context *c)
Definition forward.c:1979
static void check_incoming_control_channel(struct context *c)
Definition forward.c:284
static void check_add_routes(struct context *c)
Definition forward.c:436
static void check_server_poll_timeout(struct context *c)
Definition forward.c:511
static void parse_incoming_control_channel_command(struct context *c, struct buffer *buf)
Definition forward.c:235
static void socks_postprocess_incoming_link(struct context *c, struct link_socket *sock)
Definition forward.c:887
static void check_push_request(struct context *c)
Definition forward.c:316
static void process_incoming_link(struct context *c, struct link_socket *sock)
Definition forward.c:1213
static void check_tls_errors_co(struct context *c)
Definition forward.c:82
static void socks_preprocess_outgoing_link(struct context *c, struct link_socket *sock, struct link_socket_actual **to_addr, int *size_delta)
Definition forward.c:896
static void link_socket_write_post_size_adjust(int *size, int size_delta, struct buffer *buf)
Definition forward.c:908
void get_io_flags_dowork_udp(struct context *c, struct multi_io *multi_io, const unsigned int flags)
Definition forward.c:2165
static void context_immediate_reschedule(struct context *c)
Definition forward.c:125
static void check_add_routes_action(struct context *c, const bool errors)
Definition forward.c:421
static void drop_if_recursive_routing(struct context *c, struct buffer *buf)
Drops UDP packets which OS decided to route via tun.
Definition forward.c:1392
counter_type link_read_bytes_global
Definition forward.c:49
static void check_coarse_timers(struct context *c)
Definition forward.c:833
void check_dco_key_status(struct context *c)
Definition forward.c:146
void io_wait_dowork(struct context *c, const unsigned int flags)
Definition forward.c:2199
static void process_incoming_dco(struct context *c)
Definition forward.c:1261
void process_ip_header(struct context *c, unsigned int flags, struct buffer *buf, struct link_socket *sock)
Definition forward.c:1658
void extract_dco_float_peer_addr(const sa_family_t socket_family, struct openvpn_sockaddr *out_osaddr, const struct sockaddr *float_sa)
Transfers float_sa data extracted from an incoming DCO PEER_FLOAT_NTF to out_osaddr for later process...
Definition forward.c:1227
static void check_tls(struct context *c)
Definition forward.c:179
static void check_status_file(struct context *c)
Definition forward.c:557
Interface functions to the internal and external multiplexers.
#define PIP_MSSFIX
Definition forward.h:319
#define PIPV4_CLIENT_NAT
Definition forward.h:322
#define IOW_WAIT_SIGNAL
Definition forward.h:63
#define IOW_READ_TUN
Definition forward.h:56
#define PIPV4_EXTRACT_DHCP_ROUTER
Definition forward.h:321
#define PIPV6_ICMP_NOHOST_SERVER
Definition forward.h:324
#define PIPV6_ICMP_NOHOST_CLIENT
Definition forward.h:323
#define IOW_SHAPER
Definition forward.h:58
#define IOW_FRAG
Definition forward.h:60
#define IOW_MBUF
Definition forward.h:61
static struct link_socket_info * get_link_socket_info(struct context *c)
Definition forward.h:333
#define IOW_READ_LINK
Definition forward.h:57
#define IOW_CHECK_RESIDUAL
Definition forward.h:59
#define TO_LINK_FRAG(c)
Definition forward.h:42
static bool connection_established(struct context *c)
Definition forward.h:408
static void register_activity(struct context *c, const int size)
Definition forward.h:346
#define IOW_TO_TUN
Definition forward.h:54
#define PIPV4_PASSTOS
Definition forward.h:318
#define IOW_READ_TUN_FORCE
Definition forward.h:62
#define PIP_OUTGOING
Definition forward.h:320
#define IOW_TO_LINK
Definition forward.h:55
#define KS_PRIMARY
Primary key state index.
Definition ssl_common.h:465
#define TM_ACTIVE
Active tls_session.
Definition ssl_common.h:545
void encrypt_sign(struct context *c, bool comp_frag)
Process a data channel packet that will be sent through a VPN tunnel.
Definition forward.c:620
void tls_post_encrypt(struct tls_multi *multi, struct buffer *buf)
Perform some accounting for the key state used.
Definition ssl.c:4015
void openvpn_encrypt(struct buffer *buf, struct buffer work, struct crypto_options *opt)
Encrypt and HMAC sign a packet so that it can be sent as a data channel VPN tunnel packet to a remote...
Definition crypto.c:327
void tls_prepend_opcode_v1(const struct tls_multi *multi, struct buffer *buf)
Prepend a one-byte OpenVPN data channel P_DATA_V1 opcode to the packet.
Definition ssl.c:3983
void tls_pre_encrypt(struct tls_multi *multi, struct buffer *buf, struct crypto_options **opt)
Choose the appropriate security parameters with which to process an outgoing packet.
Definition ssl.c:3951
void tls_prepend_opcode_v2(const struct tls_multi *multi, struct buffer *buf)
Prepend an OpenVPN data channel P_DATA_V2 header to the packet.
Definition ssl.c:4001
bool openvpn_decrypt(struct buffer *buf, struct buffer work, struct crypto_options *opt, const struct frame *frame, const uint8_t *ad_start)
HMAC verify and decrypt a data channel packet received from a remote OpenVPN peer.
Definition crypto.c:778
bool process_incoming_link_part1(struct context *c, struct link_socket_info *lsi, bool floated)
Starts processing a packet read from the external network interface.
Definition forward.c:991
void process_incoming_link_part2(struct context *c, struct link_socket_info *lsi, const uint8_t *orig_buf)
Continues processing a packet read from the external network interface.
Definition forward.c:1130
void process_outgoing_link(struct context *c, struct link_socket *sock)
Write a packet to the external network interface.
Definition forward.c:1742
void read_incoming_link(struct context *c, struct link_socket *sock)
Read a packet from the external network interface.
Definition forward.c:925
bool tls_pre_decrypt(struct tls_multi *multi, const struct link_socket_actual *from, struct buffer *buf, struct crypto_options **opt, bool floated, const uint8_t **ad_start)
Determine whether an incoming packet is a data channel or control channel packet, and process accordi...
Definition ssl.c:3571
static void fragment_housekeeping(struct fragment_master *f, struct frame *frame, struct timeval *tv)
Perform housekeeping of a fragment_master structure.
Definition fragment.h:456
static bool fragment_outgoing_defined(struct fragment_master *f)
Check whether a fragment_master structure contains fragments ready to be sent.
Definition fragment.h:428
void fragment_outgoing(struct fragment_master *f, struct buffer *buf, const struct frame *frame)
Process an outgoing packet, which may or may not need to be fragmented.
Definition fragment.c:313
void fragment_incoming(struct fragment_master *f, struct buffer *buf, const struct frame *frame)
Process an incoming packet, which may or may not be fragmented.
Definition fragment.c:139
bool fragment_ready_to_send(struct fragment_master *f, struct buffer *buf, const struct frame *frame)
Check whether outgoing fragments are ready to be send, and if so make one available.
Definition fragment.c:363
void read_incoming_tun(struct context *c)
Read a packet from the virtual tun/tap network interface.
Definition forward.c:1322
void process_incoming_tun(struct context *c, struct link_socket *out_sock)
Process a packet read from the virtual tun/tap network interface.
Definition forward.c:1470
void process_outgoing_tun(struct context *c, struct link_socket *in_sock)
Write a packet to the virtual tun/tap network interface.
Definition forward.c:1885
void initialization_sequence_completed(struct context *c, const unsigned int flags)
Definition init.c:1552
void reset_coarse_timers(struct context *c)
Definition init.c:1320
bool do_up(struct context *c, bool pulled_options, unsigned int option_types_found)
Definition init.c:2356
bool do_route(const struct options *options, struct route_list *route_list, struct route_ipv6_list *route_ipv6_list, const struct tuntap *tt, const struct plugin_list *plugins, struct env_set *es, openvpn_net_ctx_t *ctx)
Definition init.c:1673
#define ISC_ERRORS
Definition init.h:126
#define ISC_ROUTE_ERRORS
Definition init.h:128
static int min_int(int x, int y)
Definition integer.h:105
static int max_int(int x, int y)
Definition integer.h:92
static SERVICE_STATUS status
Definition interactive.c:51
bool event_timeout_trigger(struct event_timeout *et, struct timeval *tv, const int et_const_retry)
This is the principal function for testing and triggering recurring timers.
Definition interval.c:47
#define ETT_DEFAULT
Definition interval.h:222
static void interval_future_trigger(struct interval *top, interval_t wakeup)
Definition interval.h:106
static void event_timeout_reset(struct event_timeout *et)
Resets a timer.
Definition interval.h:187
static void interval_action(struct interval *top)
Definition interval.h:122
static bool event_timeout_defined(const struct event_timeout *et)
Definition interval.h:142
static void event_timeout_init(struct event_timeout *et, interval_t n, const time_t last)
Initialises a timer struct.
Definition interval.h:172
static void event_timeout_clear(struct event_timeout *et)
Clears the timeout and reset all values to 0.
Definition interval.h:153
static void interval_schedule_wakeup(struct interval *top, interval_t *wakeup)
Definition interval.h:92
static void event_timeout_modify_wakeup(struct event_timeout *et, interval_t n)
Sets the interval n of a timeout.
Definition interval.h:204
static bool interval_test(struct interval *top)
Definition interval.h:65
static interval_t event_timeout_remaining(struct event_timeout *et)
Returns the time until the timeout should triggered, from now.
Definition interval.h:217
void management_socket_set(struct management *man, struct event_set *es, void *arg, unsigned int *persistent)
Definition manage.c:3159
void management_set_state(struct management *man, const int state, const char *detail, const in_addr_t *tun_local_ip, const struct in6_addr *tun_local_ip6, const struct openvpn_sockaddr *local, const struct openvpn_sockaddr *remote)
Definition manage.c:2796
void management_io(struct management *man)
Definition manage.c:3197
void management_check_bytecount_client(struct context *c, struct management *man, struct timeval *timeval)
Definition manage.c:4171
void management_sleep(const int n)
A sleep function that services the management layer for n seconds rather than doing nothing.
Definition manage.c:4147
#define OPENVPN_STATE_GET_CONFIG
Definition manage.h:459
const char * sanitize_control_message(const char *src, struct gc_arena *gc)
Definition misc.c:660
void mss_fixup_ipv6(struct buffer *buf, uint16_t maxmss)
Definition mss.c:83
void mss_fixup_ipv4(struct buffer *buf, uint16_t maxmss)
Definition mss.c:46
void frame_adjust_path_mtu(struct context *c)
Checks and adjusts the fragment and mssfix value according to the discovered path mtu value.
Definition mss.c:350
void process_received_occ_msg(struct context *c)
Definition occ.c:360
static void check_send_occ_msg(struct context *c)
Definition occ.h:138
static bool is_occ_msg(const struct buffer *buf)
Definition occ.h:83
static void check_send_occ_req(struct context *c)
Definition occ.h:110
static void check_send_occ_load_test(struct context *c)
Definition occ.h:124
#define CLEAR(x)
Definition basic.h:32
#define SIZE(x)
Definition basic.h:29
static bool check_debug_level(msglvl_t level)
Definition error.h:259
#define M_NOPREFIX
Definition error.h:98
#define dmsg(flags,...)
Definition error.h:172
#define openvpn_errno()
Definition error.h:71
#define msg(flags,...)
Definition error.h:152
unsigned int msglvl_t
Definition error.h:77
#define ASSERT(x)
Definition error.h:219
#define M_WARN
Definition error.h:92
static void check_status(int status, const char *description, struct link_socket *sock, struct tuntap *tt)
Definition error.h:314
#define TLS_MODE(c)
Definition openvpn.h:543
#define PROTO_DUMP(buf, gc)
Definition openvpn.h:545
#define MODE_POINT_TO_POINT
Definition options.h:260
#define MODE_SERVER
Definition options.h:261
static bool dco_enabled(const struct options *o)
Returns whether the current configuration has dco enabled.
Definition options.h:936
time_t now
Definition otime.c:33
const char * tv_string(const struct timeval *tv, struct gc_arena *gc)
Definition otime.c:83
static void update_time(void)
Definition otime.h:81
static void tv_add(struct timeval *dest, const struct timeval *src)
Definition otime.h:136
@ OVPN_DEL_PEER_REASON_EXPIRED
@ OVPN_CMD_SWAP_KEYS
@ OVPN_CMD_DEL_PEER
void packet_id_persist_save(struct packet_id_persist *p)
Definition packet_id.c:508
static bool packet_id_persist_enabled(const struct packet_id_persist *p)
Definition packet_id.h:278
static void perf_push(int type)
Definition perf.h:77
#define PERF_PROC_OUT_TUN
Definition perf.h:55
#define PERF_PROC_OUT_LINK
Definition perf.h:54
#define PERF_PROC_IN_TUN
Definition perf.h:53
#define PERF_PROC_IN_LINK
Definition perf.h:51
static void perf_pop(void)
Definition perf.h:81
#define PERF_READ_IN_TUN
Definition perf.h:52
#define PERF_READ_IN_LINK
Definition perf.h:50
void trigger_ping_timeout_signal(struct context *c)
Trigger the correct signal on a –ping timeout depending if –ping-exit is set (SIGTERM) or not (SIGUSR...
Definition ping.c:45
static void check_ping_restart(struct context *c)
Definition ping.h:59
static bool is_ping_msg(const struct buffer *buf)
Definition ping.h:40
static void check_ping_send(struct context *c)
Definition ping.h:76
bool is_ipv4(int tunnel_type, struct buffer *buf)
Definition proto.c:108
bool is_ipv6(int tunnel_type, struct buffer *buf)
Definition proto.c:113
uint16_t ip_checksum(const sa_family_t af, const uint8_t *payload, const int len_payload, const uint8_t *src_addr, const uint8_t *dest_addr, const int proto)
Calculates an IP or IPv6 checksum with a pseudo header as required by TCP, UDP and ICMPv6.
Definition proto.c:120
static int get_tun_ip_ver(int tunnel_type, struct buffer *buf, int *ip_hdr_offset)
Definition proto.h:251
#define DEV_TYPE_TAP
Definition proto.h:36
#define OPENVPN_ETH_ALEN
Definition proto.h:52
#define OPENVPN_ETH_P_IPV6
Definition proto.h:59
#define OPENVPN_IPPROTO_ICMPV6
Definition proto.h:107
#define OPENVPN_IN6_ARE_ADDR_EQUAL(a, b)
Version of IN6_ARE_ADDR_EQUAL that is guaranteed to work for unaligned access.
Definition proto.h:87
#define OPENVPN_ICMP6_DESTINATION_UNREACHABLE
Definition proto.h:136
#define OPENVPN_ICMP6_DU_NOROUTE
Definition proto.h:144
void receive_auth_pending(struct context *c, const struct buffer *buffer)
Parses an AUTH_PENDING message and if in pull mode extends the timeout.
Definition push.c:336
void receive_auth_failed(struct context *c, const struct buffer *buffer)
Definition push.c:48
void server_pushed_signal(struct context *c, const struct buffer *buffer, const bool restart, const int adv)
Definition push.c:128
void receive_cr_response(struct context *c, const struct buffer *buffer)
Definition push.c:263
void send_auth_failed(struct context *c, const char *client_reason)
Definition push.c:393
void receive_exit_message(struct context *c)
Definition push.c:189
bool send_push_request(struct context *c)
Definition push.c:567
void incoming_push_message(struct context *c, const struct buffer *buffer)
Definition push.c:505
void server_pushed_info(const struct buffer *buffer, const int adv)
Definition push.c:225
bool test_routes(const struct route_list *rl, const struct tuntap *tt)
Definition route.c:2442
void route_list_add_vpn_gateway(struct route_list *rl, struct env_set *es, const in_addr_t addr)
Definition route.c:535
void show_routes(msglvl_t msglevel)
Definition route.c:3070
bool shaper_soonest_event(struct timeval *tv, int delay)
Definition shaper.c:36
static void shaper_wrote_bytes(struct shaper *s, int nbytes)
Definition shaper.h:121
static int shaper_delay(struct shaper *s)
Definition shaper.h:96
void print_status(struct context *c, struct status_output *so)
Definition sig.c:478
void process_explicit_exit_notification_timer_wakeup(struct context *c)
Definition sig.c:563
void register_signal(struct signal_info *si, int signum, const char *signal_text)
Register a soft signal in the signal_info struct si respecting priority.
Definition sig.c:228
#define IS_SIG(c)
Definition sig.h:47
static void get_signal(volatile int *sig)
Copy the global signal_received (if non-zero) to the passed-in argument sig.
Definition sig.h:109
const char * socket_stat(const struct link_socket *s, unsigned int rwflags, struct gc_arena *gc)
Definition socket.c:2057
int sockethandle_finalize(sockethandle_t sh, struct overlapped_io *io, struct buffer *buf, struct link_socket_actual *from)
Definition socket.c:2851
unsigned int socket_set(struct link_socket *s, struct event_set *es, unsigned int rwflags, void *arg, unsigned int *persistent)
Definition socket.c:2944
void link_socket_bad_incoming_addr(struct buffer *buf, const struct link_socket_info *info, const struct link_socket_actual *from_addr)
Definition socket.c:1957
bool sockets_read_residual(const struct context *c)
Definition socket.c:45
static ssize_t link_socket_write(struct link_socket *sock, struct buffer *buf, struct link_socket_actual *to)
Definition socket.h:677
static bool link_socket_connection_oriented(const struct link_socket *sock)
Definition socket.h:379
static bool socket_connection_reset(const struct link_socket *sock, int status)
Definition socket.h:414
static bool link_socket_verify_incoming_addr(struct buffer *buf, const struct link_socket_info *info, const struct link_socket_actual *from_addr)
Definition socket.h:437
static void link_socket_set_outgoing_addr(struct link_socket_info *info, const struct link_socket_actual *act, const char *common_name, struct env_set *es)
Definition socket.h:484
static int link_socket_read(struct link_socket *sock, struct buffer *buf, struct link_socket_actual *from)
Definition socket.h:558
static void link_socket_get_outgoing_addr(struct buffer *buf, const struct link_socket_info *info, struct link_socket_actual **act)
Definition socket.h:464
const char * proto2ascii(int proto, sa_family_t af, bool display_form)
const char * print_link_socket_actual(const struct link_socket_actual *act, struct gc_arena *gc)
static bool link_socket_actual_defined(const struct link_socket_actual *act)
static int datagram_overhead(sa_family_t af, int proto)
@ PROTO_UDP
static bool proto_is_dgram(int proto)
Return if the protocol is datagram (UDP)
int socks_process_outgoing_udp(struct buffer *buf, const struct link_socket_actual *to)
Definition socks.c:536
void socks_process_incoming_udp(struct buffer *buf, struct link_socket_actual *from)
Definition socks.c:498
bool tls_send_payload(struct key_state *ks, const uint8_t *data, int size)
Definition ssl.c:4035
bool tls_rec_payload(struct tls_multi *multi, struct buffer *buf)
Definition ssl.c:4067
void tls_session_soft_reset(struct tls_multi *tls_multi)
Definition ssl.c:1779
int tls_multi_process(struct tls_multi *multi, struct buffer *to_link, struct link_socket_actual **to_link_addr, struct link_socket_info *to_link_socket_info, interval_t *wakeup)
Definition ssl.c:3211
#define TLSMP_RECONNECT
Definition ssl.h:232
#define TLSMP_ACTIVE
Definition ssl.h:230
static bool tls_initial_packet_received(const struct tls_multi *multi)
Definition ssl.h:490
static void tls_set_single_session(struct tls_multi *multi)
Definition ssl.h:510
#define TLSMP_KILL
Definition ssl.h:231
static int tls_test_payload_len(const struct tls_multi *multi)
Definition ssl.h:496
@ CAS_CONNECT_DONE
Definition ssl_common.h:594
struct buffer extract_command_buffer(struct buffer *buf, struct gc_arena *gc)
Extracts a control channel message from buf and adjusts the size of buf after the message has been ex...
Definition ssl_pkt.c:572
#define P_DATA_V1
Definition ssl_pkt.h:47
#define P_OPCODE_SHIFT
Definition ssl_pkt.h:39
Control Channel Verification Module.
Wrapper structure for dynamically allocated memory.
Definition buffer.h:60
uint8_t * data
Pointer to the allocated memory.
Definition buffer.h:67
int len
Length in bytes of the actual content within the allocated memory.
Definition buffer.h:65
int mssfix
Definition options.h:141
int connect_timeout
Definition options.h:118
struct status_output * status_output
Definition openvpn.h:185
struct route_list * route_list
List of routing information.
Definition openvpn.h:177
int link_sockets_num
Definition openvpn.h:158
struct route_ipv6_list * route_ipv6_list
Definition openvpn.h:182
struct packet_id_persist pid_persist
Definition openvpn.h:170
struct tuntap * tuntap
Tun/tap virtual network interface.
Definition openvpn.h:172
counter_type link_read_bytes
Definition openvpn.h:266
counter_type link_write_bytes
Definition openvpn.h:269
struct event_timeout server_poll_interval
Definition openvpn.h:408
int max_recv_size_local
Definition openvpn.h:308
struct fragment_master * fragment
Definition openvpn.h:252
time_t update_timeout_random_component
Definition openvpn.h:403
unsigned int event_set_status
Definition openvpn.h:235
struct event_timeout route_wakeup_expire
Definition openvpn.h:384
struct event_timeout ping_send_interval
Definition openvpn.h:283
int max_send_size_local
Definition openvpn.h:310
bool did_open_tun
Definition openvpn.h:387
struct timeval timeout_random_component
Definition openvpn.h:404
counter_type tun_read_bytes
Definition openvpn.h:264
struct event_timeout scheduled_exit
Definition openvpn.h:447
struct env_set * es
Definition openvpn.h:420
struct interval tmp_int
Definition openvpn.h:344
struct event_timeout auth_token_renewal_interval
Definition openvpn.h:293
struct event_timeout wait_for_connect
Definition openvpn.h:282
struct shaper shaper
Definition openvpn.h:259
struct event_timeout push_request_interval
Definition openvpn.h:439
struct tls_multi * tls_multi
TLS state structure for this VPN tunnel.
Definition openvpn.h:323
time_t coarse_timer_wakeup
Definition openvpn.h:399
int scheduled_exit_signal
Definition openvpn.h:448
struct frame frame
Definition openvpn.h:248
struct link_socket_actual from
Definition openvpn.h:245
struct frame frame_fragment
Definition openvpn.h:253
struct buffer to_link
Definition openvpn.h:377
int64_t inactivity_bytes
Definition openvpn.h:288
struct crypto_options crypto_options
Security parameters and crypto state used by the Data Channel Crypto module to process data channel p...
Definition openvpn.h:349
struct buffer to_tun
Definition openvpn.h:376
counter_type tun_write_bytes
Definition openvpn.h:265
struct link_socket ** link_sockets
Definition openvpn.h:237
counter_type link_read_bytes_auth
Definition openvpn.h:268
struct event_timeout packet_id_persist_interval
Definition openvpn.h:355
struct link_socket_actual * to_link_addr
Definition openvpn.h:244
struct event_timeout session_interval
Definition openvpn.h:290
int original_recv_size
Definition openvpn.h:307
struct buffer buf
Definition openvpn.h:375
struct timeval timeval
Time to next event of timers and similar.
Definition openvpn.h:396
time_t explicit_exit_notification_time_wait
Definition openvpn.h:416
bool log_rw
Definition openvpn.h:380
bool fast_io
Definition openvpn.h:424
struct event_set * event_set
Definition openvpn.h:230
struct context_buffers * buffers
Definition openvpn.h:367
struct event_timeout route_wakeup
Definition openvpn.h:383
int tls_exit_signal
Definition openvpn.h:347
struct event_timeout inactivity_interval
Definition openvpn.h:287
struct event_timeout ping_rec_interval
Definition openvpn.h:284
struct buffer read_link_buf
Definition openvpn.h:113
struct buffer encrypt_buf
Definition openvpn.h:100
struct buffer read_tun_buf
Definition openvpn.h:114
struct buffer decrypt_buf
Definition openvpn.h:101
int restart_sleep_seconds
Definition openvpn.h:122
Contains all state information for one tunnel.
Definition openvpn.h:474
struct signal_info * sig
Internal error signaling object.
Definition openvpn.h:503
openvpn_net_ctx_t net_ctx
Networking API opaque context.
Definition openvpn.h:501
struct plugin_list * plugins
List of plug-ins.
Definition openvpn.h:505
struct context_2 c2
Level 2 context.
Definition openvpn.h:517
struct options options
Options loaded from command line or configuration file.
Definition openvpn.h:475
struct context_1 c1
Level 1 context.
Definition openvpn.h:516
struct context_persist persist
Persistent context.
Definition openvpn.h:513
Security parameter state for processing data channel packets.
Definition crypto.h:293
struct link_socket * sock
Definition event.h:148
event_arg_t type
Definition event.h:144
unsigned int rwflags
Definition event.h:126
interval_t n
periodic interval for periodic timeouts
Definition interval.h:137
int tun_mtu
the (user) configured tun-mtu.
Definition mtu.h:137
int payload_size
the maximum size that a payload that our buffers can hold from either tun device or network link.
Definition mtu.h:108
int headroom
the headroom in the buffer, this is choosen to allow all potential header to be added before the pack...
Definition mtu.h:114
struct frame::@8 buf
Garbage collection arena used to keep track of dynamically allocated memory.
Definition buffer.h:116
Security parameter state of one TLS and data channel key session.
Definition ssl_common.h:208
struct event_set * es
Definition multi_io.h:53
unsigned int udp_flags
Definition multi_io.h:58
uint8_t dest[OPENVPN_ETH_ALEN]
Definition proto.h:55
uint16_t proto
Definition proto.h:62
uint8_t source[OPENVPN_ETH_ALEN]
Definition proto.h:56
uint8_t icmp6_type
Definition proto.h:143
uint16_t icmp6_cksum
Definition proto.h:147
uint8_t icmp6_code
Definition proto.h:146
uint32_t daddr
Definition proto.h:112
uint8_t version_prio
Definition proto.h:121
struct in6_addr saddr
Definition proto.h:127
struct in6_addr daddr
Definition proto.h:128
uint8_t nexthdr
Definition proto.h:124
uint16_t payload_len
Definition proto.h:123
union openvpn_sockaddr::@27 addr
struct sockaddr sa
Definition socket_util.h:42
struct sockaddr_in in4
Definition socket_util.h:43
struct sockaddr_in6 in6
Definition socket_util.h:44
const char * ifconfig_ipv6_remote
Definition options.h:327
int scheduled_exit_interval
Definition options.h:566
int shaper
Definition options.h:330
bool allow_recursive_routing
Definition options.h:721
int64_t inactivity_minimum_bytes
Definition options.h:346
int inactivity_timeout
Definition options.h:345
struct connection_entry ce
Definition options.h:290
int mode
Definition options.h:262
bool block_ipv6
Definition options.h:439
int ping_rec_timeout
Definition options.h:351
int ping_send_timeout
Definition options.h:350
bool route_gateway_via_dhcp
Definition options.h:441
struct client_nat_option_list * client_nat
Definition options.h:443
int session_timeout
Definition options.h:348
volatile int signal_received
Definition sig.h:42
bool is_handle
Definition socket.h:261
struct event_timeout et
Definition status.h:62
int n_hard_errors
Definition ssl_common.h:638
enum multi_status multi_state
Definition ssl_common.h:633
struct tls_session session[TM_SIZE]
Array of tls_session objects representing control channel sessions with the remote peer.
Definition ssl_common.h:712
char * client_reason
An error message to send to client on AUTH_FAILED.
Definition ssl_common.h:667
bool use_peer_id
Definition ssl_common.h:701
int dco_peer_id
This is the handle that DCO uses to identify this session with the kernel.
Definition ssl_common.h:724
int n_soft_errors
Definition ssl_common.h:639
Security parameter state of a single session within a VPN tunnel.
Definition ssl_common.h:490
Definition tun.h:183
enum tun_driver_type backend_driver
The backend driver that used for this tun/tap device.
Definition tun.h:193
HANDLE hand
Definition tun.h:218
struct overlapped_io reads
Definition tun.h:221
dco_context_t dco
Definition tun.h:249
char * actual_name
Definition tun.h:207
unsigned short sa_family_t
Definition syshead.h:396
struct env_set * es
struct gc_arena gc
Definition test_ssl.c:131
void tun_show_debug(struct tuntap *tt)
Definition tun.c:6478
const char * tun_stat(const struct tuntap *tt, unsigned int rwflags, struct gc_arena *gc)
Definition tun.c:730
int tun_write_win32(struct tuntap *tt, struct buffer *buf)
Definition tun.c:3614
bool tun_standby(struct tuntap *tt)
Definition tun.c:5537
void show_adapters(msglvl_t msglevel)
Definition tun.c:4878
static bool tuntap_abort(int status)
Definition tun.h:490
#define TUNNEL_TYPE(tt)
Definition tun.h:184
static bool tuntap_defined(const struct tuntap *tt)
Definition tun.h:254
@ DRIVER_AFUNIX
using an AF_UNIX socket to pass packets from/to an external program.
Definition tun.h:51
static void tun_set(struct tuntap *tt, struct event_set *es, unsigned int rwflags, void *arg, unsigned int *persistent)
Definition tun.h:598
int read_tun(struct tuntap *tt, uint8_t *buf, int len)
static bool tuntap_is_dco_win_timeout(struct tuntap *tt, int status)
Definition tun.h:538
static bool tuntap_stop(int status)
Definition tun.h:476
int write_tun(struct tuntap *tt, uint8_t *buf, int len)
ssize_t read_tun_afunix(struct tuntap *tt, uint8_t *buf, int len)
Reads a packet from a AF_UNIX based tun device.
Definition tun_afunix.c:151
ssize_t write_tun_afunix(struct tuntap *tt, uint8_t *buf, int len)
Writes a packet to a AF_UNIX based tun device.
Definition tun_afunix.c:138