OpenVPN
forward.c
Go to the documentation of this file.
1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single TCP/UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2002-2021 OpenVPN Inc <sales@openvpn.net>
9  *
10  * This program is free software; you can redistribute it and/or modify
11  * it under the terms of the GNU General Public License version 2
12  * as published by the Free Software Foundation.
13  *
14  * This program is distributed in the hope that it will be useful,
15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17  * GNU General Public License for more details.
18  *
19  * You should have received a copy of the GNU General Public License along
20  * with this program; if not, write to the Free Software Foundation, Inc.,
21  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22  */
23 
24 #ifdef HAVE_CONFIG_H
25 #include "config.h"
26 #elif defined(_MSC_VER)
27 #include "config-msvc.h"
28 #endif
29 
30 #include "syshead.h"
31 
32 #include "forward.h"
33 #include "init.h"
34 #include "push.h"
35 #include "gremlin.h"
36 #include "mss.h"
37 #include "event.h"
38 #include "occ.h"
39 #include "ping.h"
40 #include "ps.h"
41 #include "dhcp.h"
42 #include "common.h"
43 #include "ssl_verify.h"
44 
45 #include "memdbg.h"
46 
47 #include "mstats.h"
48 
51 
52 /* show event wait debugging info */
53 
54 #ifdef ENABLE_DEBUG
55 
56 static const char *
57 wait_status_string(struct context *c, struct gc_arena *gc)
58 {
59  struct buffer out = alloc_buf_gc(64, gc);
60  buf_printf(&out, "I/O WAIT %s|%s|%s|%s %s",
61  tun_stat(c->c1.tuntap, EVENT_READ, gc),
62  tun_stat(c->c1.tuntap, EVENT_WRITE, gc),
65  tv_string(&c->c2.timeval, gc));
66  return BSTR(&out);
67 }
68 
69 static void
70 show_wait_status(struct context *c)
71 {
72  struct gc_arena gc = gc_new();
73  dmsg(D_EVENT_WAIT, "%s", wait_status_string(c, &gc));
74  gc_free(&gc);
75 }
76 
77 #endif /* ifdef ENABLE_DEBUG */
78 
79 static void
81 {
82  msg(D_STREAM_ERRORS, "Fatal TLS error (check_tls_errors_co), restarting");
83  register_signal(c, c->c2.tls_exit_signal, "tls-error"); /* SOFT-SIGUSR1 -- TLS error */
84 }
85 
86 static void
88 {
89  register_signal(c, c->c2.tls_exit_signal, "tls-error"); /* SOFT-SIGUSR1 -- TLS error */
90 }
91 
92 /*
93  * TLS errors are fatal in TCP mode.
94  * Also check for --tls-exit trigger.
95  */
96 static inline void
98 {
99  if (c->c2.tls_multi && c->c2.tls_exit_signal)
100  {
102  {
103  if (c->c2.tls_multi->n_soft_errors)
104  {
106  }
107  }
108  else
109  {
110  if (c->c2.tls_multi->n_hard_errors)
111  {
113  }
114  }
115  }
116 }
117 
118 /*
119  * Set our wakeup to 0 seconds, so we will be rescheduled
120  * immediately.
121  */
122 static inline void
124 {
125  c->c2.timeval.tv_sec = 0; /* ZERO-TIMEOUT */
126  c->c2.timeval.tv_usec = 0;
127 }
128 
129 static inline void
130 context_reschedule_sec(struct context *c, int sec)
131 {
132  if (sec < 0)
133  {
134  sec = 0;
135  }
136  if (sec < c->c2.timeval.tv_sec)
137  {
138  c->c2.timeval.tv_sec = sec;
139  c->c2.timeval.tv_usec = 0;
140  }
141 }
142 
143 /*
144  * In TLS mode, let TLS level respond to any control-channel
145  * packets which were received, or prepare any packets for
146  * transmission.
147  *
148  * tmp_int is purely an optimization that allows us to call
149  * tls_multi_process less frequently when there's not much
150  * traffic on the control-channel.
151  *
152  */
153 static void
154 check_tls(struct context *c)
155 {
156  interval_t wakeup = BIG_TIMEOUT;
157 
158  if (interval_test(&c->c2.tmp_int))
159  {
160  const int tmp_status = tls_multi_process
161  (c->c2.tls_multi, &c->c2.to_link, &c->c2.to_link_addr,
162  get_link_socket_info(c), &wakeup);
163  if (tmp_status == TLSMP_ACTIVE)
164  {
165  update_time();
167  }
168  else if (tmp_status == TLSMP_KILL)
169  {
170  if (c->options.mode == MODE_SERVER)
171  {
173  }
174  else
175  {
176  register_signal(c, SIGTERM, "auth-control-exit");
177  }
178  }
179 
180  interval_future_trigger(&c->c2.tmp_int, wakeup);
181  }
182 
183  interval_schedule_wakeup(&c->c2.tmp_int, &wakeup);
184 
185  if (wakeup)
186  {
187  context_reschedule_sec(c, wakeup);
188  }
189 }
190 
191 /*
192  * Handle incoming configuration
193  * messages on the control channel.
194  */
195 static void
197 {
198  int len = tls_test_payload_len(c->c2.tls_multi);
199  /* We should only be called with len >0 */
200  ASSERT(len > 0);
201 
202  struct gc_arena gc = gc_new();
203  struct buffer buf = alloc_buf_gc(len, &gc);
204  if (tls_rec_payload(c->c2.tls_multi, &buf))
205  {
206  /* force null termination of message */
207  buf_null_terminate(&buf);
208 
209  /* enforce character class restrictions */
210  string_mod(BSTR(&buf), CC_PRINT, CC_CRLF, 0);
211 
212  if (buf_string_match_head_str(&buf, "AUTH_FAILED"))
213  {
214  receive_auth_failed(c, &buf);
215  }
216  else if (buf_string_match_head_str(&buf, "PUSH_"))
217  {
218  incoming_push_message(c, &buf);
219  }
220  else if (buf_string_match_head_str(&buf, "RESTART"))
221  {
222  server_pushed_signal(c, &buf, true, 7);
223  }
224  else if (buf_string_match_head_str(&buf, "HALT"))
225  {
226  server_pushed_signal(c, &buf, false, 4);
227  }
228  else if (buf_string_match_head_str(&buf, "INFO_PRE"))
229  {
230  server_pushed_info(c, &buf, 8);
231  }
232  else if (buf_string_match_head_str(&buf, "INFO"))
233  {
234  server_pushed_info(c, &buf, 4);
235  }
236  else if (buf_string_match_head_str(&buf, "CR_RESPONSE"))
237  {
238  receive_cr_response(c, &buf);
239  }
240  else if (buf_string_match_head_str(&buf, "AUTH_PENDING"))
241  {
242  receive_auth_pending(c, &buf);
243  }
244  else
245  {
246  msg(D_PUSH_ERRORS, "WARNING: Received unknown control message: %s", BSTR(&buf));
247  }
248  }
249  else
250  {
251  msg(D_PUSH_ERRORS, "WARNING: Receive control message failed");
252  }
253 
254  gc_free(&gc);
255 }
256 
257 /*
258  * Periodically resend PUSH_REQUEST until PUSH message received
259  */
260 static void
262 {
264 
265  /* if no response to first push_request, retry at PUSH_REQUEST_INTERVAL second intervals */
267 }
268 
269 /*
270  * Things that need to happen immediately after connection initiation should go here.
271  *
272  * Options like --up-delay need to be triggered by this function which
273  * checks for connection establishment.
274  *
275  * Note: The process_incoming_push_reply currently assumes that this function
276  * only sets up the pull request timer when pull is enabled.
277  */
278 static void
280 {
281 
282  if (connection_established(c))
283  {
284  /* if --pull was specified, send a push request to server */
285  if (c->c2.tls_multi && c->options.pull)
286  {
287 #ifdef ENABLE_MANAGEMENT
288  if (management)
289  {
292  NULL,
293  NULL,
294  NULL,
295  NULL,
296  NULL);
297  }
298 #endif
299  /* fire up push request right away (already 1s delayed) */
300  /* We might receive a AUTH_PENDING request before we armed this
301  * timer. In that case we don't change the value */
302  if (c->c2.push_request_timeout < now)
303  {
305  }
308  }
309  else
310  {
311  do_up(c, false, 0);
312  }
313 
315  }
316 
317 }
318 
319 bool
321  const char *str, int msglevel)
322 {
323  struct gc_arena gc = gc_new();
324  bool stat;
325 
326  /* buffered cleartext write onto TLS control channel */
327  stat = tls_send_payload(multi, (uint8_t *) str, strlen(str) + 1);
328 
329  msg(msglevel, "SENT CONTROL [%s]: '%s' (status=%d)",
330  tls_common_name(multi, false),
331  sanitize_control_message(str, &gc),
332  (int) stat);
333 
334  gc_free(&gc);
335  return stat;
336 }
337 
339 {
341  context_immediate_reschedule(c); /* ZERO-TIMEOUT */
342 }
343 
344 bool
345 send_control_channel_string(struct context *c, const char *str, int msglevel)
346 {
347  if (c->c2.tls_multi)
348  {
350  str, msglevel);
352 
353  return ret;
354  }
355  return true;
356 }
357 /*
358  * Add routes.
359  */
360 
361 static void
362 check_add_routes_action(struct context *c, const bool errors)
363 {
365  c->c1.tuntap, c->plugins, c->c2.es, &c->net_ctx);
366  update_time();
369  initialization_sequence_completed(c, errors ? ISC_ERRORS : 0); /* client/p2p --route-delay was defined */
370 }
371 
372 static void
374 {
375  if (test_routes(c->c1.route_list, c->c1.tuntap))
376  {
377  check_add_routes_action(c, false);
378  }
380  {
381  check_add_routes_action(c, true);
382  }
383  else
384  {
385  msg(D_ROUTE, "Route: Waiting for TUN/TAP interface to come up...");
386  if (c->c1.tuntap)
387  {
388  if (!tun_standby(c->c1.tuntap))
389  {
390  register_signal(c, SIGHUP, "ip-fail");
392 #ifdef _WIN32
395 #endif
396  }
397  }
398  update_time();
399  if (c->c2.route_wakeup.n != 1)
400  {
402  }
404  }
405 }
406 
407 /*
408  * Should we exit due to inactivity timeout?
409  */
410 static void
412 {
413  msg(M_INFO, "Inactivity timeout (--inactive), exiting");
414  register_signal(c, SIGTERM, "inactive");
415 }
416 
417 int
418 get_server_poll_remaining_time(struct event_timeout *server_poll_timeout)
419 {
420  update_time();
421  int remaining = event_timeout_remaining(server_poll_timeout);
422  return max_int(0, remaining);
423 }
424 
425 static void
427 {
429  ASSERT(c->c2.tls_multi);
431  {
432  msg(M_INFO, "Server poll timeout, restarting");
433  register_signal(c, SIGUSR1, "server_poll");
435  }
436 }
437 
438 /*
439  * Schedule a signal n_seconds from now.
440  */
441 void
442 schedule_exit(struct context *c, const int n_seconds, const int signal)
443 {
445  update_time();
447  event_timeout_init(&c->c2.scheduled_exit, n_seconds, now);
448  c->c2.scheduled_exit_signal = signal;
449  msg(D_SCHED_EXIT, "Delayed exit in %d seconds", n_seconds);
450 }
451 
452 /*
453  * Scheduled exit?
454  */
455 static void
457 {
458  register_signal(c, c->c2.scheduled_exit_signal, "delayed-exit");
459 }
460 
461 /*
462  * Should we write timer-triggered status file.
463  */
464 static void
466 {
467  if (c->c1.status_output)
468  {
470  }
471 }
472 
473 #ifdef ENABLE_FRAGMENT
474 /*
475  * Should we deliver a datagram fragment to remote?
476  */
477 static void
479 {
480  struct link_socket_info *lsi = get_link_socket_info(c);
481 
482  /* OS MTU Hint? */
483  if (lsi->mtu_changed)
484  {
486  c->options.ce.proto);
487  lsi->mtu_changed = false;
488  }
489 
491  {
492  if (!c->c2.to_link.len)
493  {
494  /* encrypt a fragment for output to TCP/UDP port */
496  encrypt_sign(c, false);
497  }
498  }
499 
501 }
502 #endif /* ifdef ENABLE_FRAGMENT */
503 
504 /*
505  * Buffer reallocation, for use with null encryption.
506  */
507 static inline void
508 buffer_turnover(const uint8_t *orig_buf, struct buffer *dest_stub, struct buffer *src_stub, struct buffer *storage)
509 {
510  if (orig_buf == src_stub->data && src_stub->data != storage->data)
511  {
512  buf_assign(storage, src_stub);
513  *dest_stub = *storage;
514  }
515  else
516  {
517  *dest_stub = *src_stub;
518  }
519 }
520 
521 /*
522  * Compress, fragment, encrypt and HMAC-sign an outgoing packet.
523  * Input: c->c2.buf
524  * Output: c->c2.to_link
525  */
526 void
527 encrypt_sign(struct context *c, bool comp_frag)
528 {
529  struct context_buffers *b = c->c2.buffers;
530  const uint8_t *orig_buf = c->c2.buf.data;
531  struct crypto_options *co = NULL;
532 
533  /*
534  * Drop non-TLS outgoing packet if client-connect script/plugin
535  * has not yet succeeded. In non-TLS tls_multi mode is not defined
536  * and we always pass packets.
537  */
539  {
540  c->c2.buf.len = 0;
541  }
542 
543  if (comp_frag)
544  {
545 #ifdef USE_COMP
546  /* Compress the packet. */
547  if (c->c2.comp_context)
548  {
549  (*c->c2.comp_context->alg.compress)(&c->c2.buf, b->compress_buf, c->c2.comp_context, &c->c2.frame);
550  }
551 #endif
552 #ifdef ENABLE_FRAGMENT
553  if (c->c2.fragment)
554  {
556  }
557 #endif
558  }
559 
560  /* initialize work buffer with FRAME_HEADROOM bytes of prepend capacity */
562 
563  if (c->c2.tls_multi)
564  {
565  /* Get the key we will use to encrypt the packet. */
566  tls_pre_encrypt(c->c2.tls_multi, &c->c2.buf, &co);
567  /* If using P_DATA_V2, prepend the 1-byte opcode and 3-byte peer-id to the
568  * packet before openvpn_encrypt(), so we can authenticate the opcode too.
569  */
570  if (c->c2.buf.len > 0 && c->c2.tls_multi->use_peer_id)
571  {
573  }
574  }
575  else
576  {
577  co = &c->c2.crypto_options;
578  }
579 
580  /* Encrypt and authenticate the packet */
581  openvpn_encrypt(&c->c2.buf, b->encrypt_buf, co);
582 
583  /* Do packet administration */
584  if (c->c2.tls_multi)
585  {
586  if (c->c2.buf.len > 0 && !c->c2.tls_multi->use_peer_id)
587  {
589  }
591  }
592 
593  /*
594  * Get the address we will be sending the packet to.
595  */
597  &c->c2.to_link_addr);
598 
599  /* if null encryption, copy result to read_tun_buf */
600  buffer_turnover(orig_buf, &c->c2.to_link, &c->c2.buf, &b->read_tun_buf);
601 }
602 
603 /*
604  * Coarse timers work to 1 second resolution.
605  */
606 static void
608 {
609  /* flush current packet-id to file once per 60
610  * seconds if --replay-persist was specified */
613  {
615  }
616 
617  /* Should we write timer-triggered status file */
618  if (c->c1.status_output
620  {
622  }
623 
624  /* process connection establishment items */
626  {
628  }
629 
630  /* see if we should send a push_request (option --pull) */
632  {
634  }
635 
636  /* process --route options */
638  {
639  check_add_routes(c);
640  }
641 
642  /* possibly exit due to --inactive */
645  {
647  }
648 
649  if (c->sig->signal_received)
650  {
651  return;
652  }
653 
654  /* restart if ping not received */
656  if (c->sig->signal_received)
657  {
658  return;
659  }
660 
661  if (c->c2.tls_multi)
662  {
663  if (c->options.ce.connect_timeout
665  {
667  }
668  if (c->sig->signal_received)
669  {
670  return;
671  }
673  {
675  }
676  if (c->sig->signal_received)
677  {
678  return;
679  }
680  }
681 
682  /* Should we send an OCC_REQUEST message? */
684 
685  /* Should we send an MTU load test? */
687 
688  /* Should we send an OCC_EXIT message to remote? */
690  {
692  }
693 
694  /* Should we ping the remote? */
695  check_ping_send(c);
696 }
697 
698 static void
700 {
701  if (now < c->c2.coarse_timer_wakeup)
702  {
704  return;
705  }
706 
707  const struct timeval save = c->c2.timeval;
708  c->c2.timeval.tv_sec = BIG_TIMEOUT;
709  c->c2.timeval.tv_usec = 0;
711  c->c2.coarse_timer_wakeup = now + c->c2.timeval.tv_sec;
712 
713  dmsg(D_INTERVAL, "TIMER: coarse timer wakeup %" PRIi64 " seconds", (int64_t)c->c2.timeval.tv_sec);
714 
715  /* Is the coarse timeout NOT the earliest one? */
716  if (c->c2.timeval.tv_sec > save.tv_sec)
717  {
718  c->c2.timeval = save;
719  }
720 }
721 
722 static void
724 {
725  const int update_interval = 10; /* seconds */
726  c->c2.update_timeout_random_component = now + update_interval;
727  c->c2.timeout_random_component.tv_usec = (time_t) get_random() & 0x0003FFFF;
728  c->c2.timeout_random_component.tv_sec = 0;
729 
730  dmsg(D_INTERVAL, "RANDOM USEC=%ld", (long) c->c2.timeout_random_component.tv_usec);
731 }
732 
733 static inline void
735 {
737  {
739  }
740  if (c->c2.timeval.tv_sec >= 1)
741  {
743  }
744 }
745 
746 /*
747  * Handle addition and removal of the 10-byte Socks5 header
748  * in UDP packets.
749  */
750 
751 static inline void
753 {
755  {
757  }
758 }
759 
760 static inline void
762  struct link_socket_actual **to_addr,
763  int *size_delta)
764 {
766  {
767  *size_delta += socks_process_outgoing_udp(&c->c2.to_link, c->c2.to_link_addr);
768  *to_addr = &c->c2.link_socket->socks_relay;
769  }
770 }
771 
772 /* undo effect of socks_preprocess_outgoing_link */
773 static inline void
775  int size_delta,
776  struct buffer *buf)
777 {
778  if (size_delta > 0 && *size > size_delta)
779  {
780  *size -= size_delta;
781  if (!buf_advance(buf, size_delta))
782  {
783  *size = 0;
784  }
785  }
786 }
787 
788 /*
789  * Output: c->c2.buf
790  */
791 
792 void
794 {
795  /*
796  * Set up for recvfrom call to read datagram
797  * sent to our TCP/UDP port.
798  */
799  int status;
800 
801  /*ASSERT (!c->c2.to_tun.len);*/
802 
804 
805  c->c2.buf = c->c2.buffers->read_link_buf;
807 
808  status = link_socket_read(c->c2.link_socket,
809  &c->c2.buf,
810  &c->c2.from);
811 
812  if (socket_connection_reset(c->c2.link_socket, status))
813  {
814 #if PORT_SHARE
815  if (port_share && socket_foreign_protocol_detected(c->c2.link_socket))
816  {
817  const struct buffer *fbuf = socket_foreign_protocol_head(c->c2.link_socket);
818  const int sd = socket_foreign_protocol_sd(c->c2.link_socket);
819  port_share_redirect(port_share, fbuf, sd);
820  register_signal(c, SIGTERM, "port-share-redirect");
821  }
822  else
823 #endif
824  {
825  /* received a disconnect from a connection-oriented protocol */
827  {
828  msg(D_STREAM_ERRORS, "Connection reset during exit notification period, ignoring [%d]", status);
829  management_sleep(1);
830  }
831  else
832  {
833  register_signal(c, SIGUSR1, "connection-reset"); /* SOFT-SIGUSR1 -- TCP connection reset */
834  msg(D_STREAM_ERRORS, "Connection reset, restarting [%d]", status);
835  }
836  }
837  perf_pop();
838  return;
839  }
840 
841  /* check recvfrom status */
842  check_status(status, "read", c->c2.link_socket, NULL);
843 
844  /* Remove socks header if applicable */
846 
847  perf_pop();
848 }
849 
850 bool
851 process_incoming_link_part1(struct context *c, struct link_socket_info *lsi, bool floated)
852 {
853  struct gc_arena gc = gc_new();
854  bool decrypt_status = false;
855 
856  if (c->c2.buf.len > 0)
857  {
858  c->c2.link_read_bytes += c->c2.buf.len;
860 #ifdef ENABLE_MEMSTATS
861  if (mmap_stats)
862  {
863  mmap_stats->link_read_bytes = link_read_bytes_global;
864  }
865 #endif
866  c->c2.original_recv_size = c->c2.buf.len;
867 #ifdef ENABLE_MANAGEMENT
868  if (management)
869  {
872  }
873 #endif
874  }
875  else
876  {
877  c->c2.original_recv_size = 0;
878  }
879 
880 #ifdef ENABLE_DEBUG
881  /* take action to corrupt packet if we are in gremlin test mode */
882  if (c->options.gremlin)
883  {
884  if (!ask_gremlin(c->options.gremlin))
885  {
886  c->c2.buf.len = 0;
887  }
888  corrupt_gremlin(&c->c2.buf, c->options.gremlin);
889  }
890 #endif
891 
892  /* log incoming packet */
893 #ifdef LOG_RW
894  if (c->c2.log_rw && c->c2.buf.len > 0)
895  {
896  fprintf(stderr, "R");
897  }
898 #endif
899  msg(D_LINK_RW, "%s READ [%d] from %s: %s",
900  proto2ascii(lsi->proto, lsi->af, true),
901  BLEN(&c->c2.buf),
902  print_link_socket_actual(&c->c2.from, &gc),
903  PROTO_DUMP(&c->c2.buf, &gc));
904 
905  /*
906  * Good, non-zero length packet received.
907  * Commence multi-stage processing of packet,
908  * such as authenticate, decrypt, decompress.
909  * If any stage fails, it sets buf.len to 0 or -1,
910  * telling downstream stages to ignore the packet.
911  */
912  if (c->c2.buf.len > 0)
913  {
914  struct crypto_options *co = NULL;
915  const uint8_t *ad_start = NULL;
916  if (!link_socket_verify_incoming_addr(&c->c2.buf, lsi, &c->c2.from))
917  {
918  link_socket_bad_incoming_addr(&c->c2.buf, lsi, &c->c2.from);
919  }
920 
921  if (c->c2.tls_multi)
922  {
923  /*
924  * If tls_pre_decrypt returns true, it means the incoming
925  * packet was a good TLS control channel packet. If so, TLS code
926  * will deal with the packet and set buf.len to 0 so downstream
927  * stages ignore it.
928  *
929  * If the packet is a data channel packet, tls_pre_decrypt
930  * will load crypto_options with the correct encryption key
931  * and return false.
932  */
933  uint8_t opcode = *BPTR(&c->c2.buf) >> P_OPCODE_SHIFT;
934  if (tls_pre_decrypt(c->c2.tls_multi, &c->c2.from, &c->c2.buf, &co,
935  floated, &ad_start))
936  {
937  /* Restore pre-NCP frame parameters */
938  if (is_hard_reset_method2(opcode))
939  {
940  c->c2.frame = c->c2.frame_initial;
941 #ifdef ENABLE_FRAGMENT
943 #endif
944  }
945 
947 
948  /* reset packet received timer if TLS packet */
949  if (c->options.ping_rec_timeout)
950  {
952  }
953  }
954  }
955  else
956  {
957  co = &c->c2.crypto_options;
958  }
959 
960  /*
961  * Drop non-TLS packet if client-connect script/plugin and cipher selection
962  * has not yet succeeded. In non-TLS mode tls_multi is not defined
963  * and we always pass packets.
964  */
966  {
967  c->c2.buf.len = 0;
968  }
969 
970  /* authenticate and decrypt the incoming packet */
971  decrypt_status = openvpn_decrypt(&c->c2.buf, c->c2.buffers->decrypt_buf,
972  co, &c->c2.frame, ad_start);
973 
974  if (!decrypt_status && link_socket_connection_oriented(c->c2.link_socket))
975  {
976  /* decryption errors are fatal in TCP mode */
977  register_signal(c, SIGUSR1, "decryption-error"); /* SOFT-SIGUSR1 -- decryption error in TCP mode */
978  msg(D_STREAM_ERRORS, "Fatal decryption error (process_incoming_link), restarting");
979  }
980  }
981  else
982  {
983  buf_reset(&c->c2.to_tun);
984  }
985  gc_free(&gc);
986 
987  return decrypt_status;
988 }
989 
990 void
991 process_incoming_link_part2(struct context *c, struct link_socket_info *lsi, const uint8_t *orig_buf)
992 {
993  if (c->c2.buf.len > 0)
994  {
995 #ifdef ENABLE_FRAGMENT
996  if (c->c2.fragment)
997  {
999  }
1000 #endif
1001 
1002 #ifdef USE_COMP
1003  /* decompress the incoming packet */
1004  if (c->c2.comp_context)
1005  {
1006  (*c->c2.comp_context->alg.decompress)(&c->c2.buf, c->c2.buffers->decompress_buf, c->c2.comp_context, &c->c2.frame);
1007  }
1008 #endif
1009 
1010 #ifdef PACKET_TRUNCATION_CHECK
1011  /* if (c->c2.buf.len > 1) --c->c2.buf.len; */
1012  ipv4_packet_size_verify(BPTR(&c->c2.buf),
1013  BLEN(&c->c2.buf),
1014  TUNNEL_TYPE(c->c1.tuntap),
1015  "POST_DECRYPT",
1016  &c->c2.n_trunc_post_decrypt);
1017 #endif
1018 
1019  /*
1020  * Set our "official" outgoing address, since
1021  * if buf.len is non-zero, we know the packet
1022  * authenticated. In TLS mode we do nothing
1023  * because TLS mode takes care of source address
1024  * authentication.
1025  *
1026  * Also, update the persisted version of our packet-id.
1027  */
1028  if (!TLS_MODE(c) && c->c2.buf.len > 0)
1029  {
1030  link_socket_set_outgoing_addr(lsi, &c->c2.from, NULL, c->c2.es);
1031  }
1032 
1033  /* reset packet received timer */
1034  if (c->options.ping_rec_timeout && c->c2.buf.len > 0)
1035  {
1037  }
1038 
1039  /* increment authenticated receive byte count */
1040  if (c->c2.buf.len > 0)
1041  {
1042  c->c2.link_read_bytes_auth += c->c2.buf.len;
1044  }
1045 
1046  /* Did we just receive an openvpn ping packet? */
1047  if (is_ping_msg(&c->c2.buf))
1048  {
1049  dmsg(D_PING, "RECEIVED PING PACKET");
1050  c->c2.buf.len = 0; /* drop packet */
1051  }
1052 
1053  /* Did we just receive an OCC packet? */
1054  if (is_occ_msg(&c->c2.buf))
1055  {
1057  }
1058 
1059  buffer_turnover(orig_buf, &c->c2.to_tun, &c->c2.buf, &c->c2.buffers->read_link_buf);
1060 
1061  /* to_tun defined + unopened tuntap can cause deadlock */
1062  if (!tuntap_defined(c->c1.tuntap))
1063  {
1064  c->c2.to_tun.len = 0;
1065  }
1066  }
1067  else
1068  {
1069  buf_reset(&c->c2.to_tun);
1070  }
1071 }
1072 
1073 static void
1075 {
1077 
1078  struct link_socket_info *lsi = get_link_socket_info(c);
1079  const uint8_t *orig_buf = c->c2.buf.data;
1080 
1081  process_incoming_link_part1(c, lsi, false);
1082  process_incoming_link_part2(c, lsi, orig_buf);
1083 
1084  perf_pop();
1085 }
1086 
1087 /*
1088  * Output: c->c2.buf
1089  */
1090 
1091 void
1093 {
1094  /*
1095  * Setup for read() call on TUN/TAP device.
1096  */
1097  /*ASSERT (!c->c2.to_link.len);*/
1098 
1100 
1101  c->c2.buf = c->c2.buffers->read_tun_buf;
1102 
1103 #ifdef _WIN32
1105  {
1106  read_wintun(c->c1.tuntap, &c->c2.buf);
1107  if (c->c2.buf.len == -1)
1108  {
1109  register_signal(c, SIGHUP, "tun-abort");
1111  msg(M_INFO, "Wintun read error, restarting");
1112  perf_pop();
1113  return;
1114  }
1115  }
1116  else
1117  {
1118  read_tun_buffered(c->c1.tuntap, &c->c2.buf);
1119  }
1120 #else /* ifdef _WIN32 */
1121  ASSERT(buf_init(&c->c2.buf, FRAME_HEADROOM(&c->c2.frame)));
1123  c->c2.buf.len = read_tun(c->c1.tuntap, BPTR(&c->c2.buf), MAX_RW_SIZE_TUN(&c->c2.frame));
1124 #endif /* ifdef _WIN32 */
1125 
1126 #ifdef PACKET_TRUNCATION_CHECK
1127  ipv4_packet_size_verify(BPTR(&c->c2.buf),
1128  BLEN(&c->c2.buf),
1129  TUNNEL_TYPE(c->c1.tuntap),
1130  "READ_TUN",
1131  &c->c2.n_trunc_tun_read);
1132 #endif
1133 
1134  /* Was TUN/TAP interface stopped? */
1135  if (tuntap_stop(c->c2.buf.len))
1136  {
1137  register_signal(c, SIGTERM, "tun-stop");
1138  msg(M_INFO, "TUN/TAP interface has been stopped, exiting");
1139  perf_pop();
1140  return;
1141  }
1142 
1143  /* Was TUN/TAP I/O operation aborted? */
1144  if (tuntap_abort(c->c2.buf.len))
1145  {
1146  register_signal(c, SIGHUP, "tun-abort");
1148  msg(M_INFO, "TUN/TAP I/O operation aborted, restarting");
1149  perf_pop();
1150  return;
1151  }
1152 
1153  /* Check the status return from read() */
1154  check_status(c->c2.buf.len, "read from TUN/TAP", NULL, c->c1.tuntap);
1155 
1156  perf_pop();
1157 }
1158 
1167 static void
1169 {
1170  bool drop = false;
1171  struct openvpn_sockaddr tun_sa;
1172  int ip_hdr_offset = 0;
1173 
1174  if (c->c2.to_link_addr == NULL) /* no remote addr known */
1175  {
1176  return;
1177  }
1178 
1179  tun_sa = c->c2.to_link_addr->dest;
1180 
1181  int proto_ver = get_tun_ip_ver(TUNNEL_TYPE(c->c1.tuntap), &c->c2.buf, &ip_hdr_offset);
1182 
1183  if (proto_ver == 4)
1184  {
1185  const struct openvpn_iphdr *pip;
1186 
1187  /* make sure we got whole IP header */
1188  if (BLEN(buf) < ((int) sizeof(struct openvpn_iphdr) + ip_hdr_offset))
1189  {
1190  return;
1191  }
1192 
1193  /* skip ipv4 packets for ipv6 tun */
1194  if (tun_sa.addr.sa.sa_family != AF_INET)
1195  {
1196  return;
1197  }
1198 
1199  pip = (struct openvpn_iphdr *) (BPTR(buf) + ip_hdr_offset);
1200 
1201  /* drop packets with same dest addr as gateway */
1202  if (tun_sa.addr.in4.sin_addr.s_addr == pip->daddr)
1203  {
1204  drop = true;
1205  }
1206  }
1207  else if (proto_ver == 6)
1208  {
1209  const struct openvpn_ipv6hdr *pip6;
1210 
1211  /* make sure we got whole IPv6 header */
1212  if (BLEN(buf) < ((int) sizeof(struct openvpn_ipv6hdr) + ip_hdr_offset))
1213  {
1214  return;
1215  }
1216 
1217  /* skip ipv6 packets for ipv4 tun */
1218  if (tun_sa.addr.sa.sa_family != AF_INET6)
1219  {
1220  return;
1221  }
1222 
1223  /* drop packets with same dest addr as gateway */
1224  pip6 = (struct openvpn_ipv6hdr *) (BPTR(buf) + ip_hdr_offset);
1225  if (IN6_ARE_ADDR_EQUAL(&tun_sa.addr.in6.sin6_addr, &pip6->daddr))
1226  {
1227  drop = true;
1228  }
1229  }
1230 
1231  if (drop)
1232  {
1233  struct gc_arena gc = gc_new();
1234 
1235  c->c2.buf.len = 0;
1236 
1237  msg(D_LOW, "Recursive routing detected, drop tun packet to %s",
1239  gc_free(&gc);
1240  }
1241 }
1242 
1243 /*
1244  * Input: c->c2.buf
1245  * Output: c->c2.to_link
1246  */
1247 
1248 void
1250 {
1251  struct gc_arena gc = gc_new();
1252 
1254 
1255  if (c->c2.buf.len > 0)
1256  {
1257  c->c2.tun_read_bytes += c->c2.buf.len;
1258  }
1259 
1260 #ifdef LOG_RW
1261  if (c->c2.log_rw && c->c2.buf.len > 0)
1262  {
1263  fprintf(stderr, "r");
1264  }
1265 #endif
1266 
1267  /* Show packet content */
1268  dmsg(D_TUN_RW, "TUN READ [%d]", BLEN(&c->c2.buf));
1269 
1270  if (c->c2.buf.len > 0)
1271  {
1273  {
1275  }
1276  /*
1277  * The --passtos and --mssfix options require
1278  * us to examine the IP header (IPv4 or IPv6).
1279  */
1280  unsigned int flags = PIPV4_PASSTOS | PIP_MSSFIX | PIPV4_CLIENT_NAT
1282  process_ip_header(c, flags, &c->c2.buf);
1283 
1284 #ifdef PACKET_TRUNCATION_CHECK
1285  /* if (c->c2.buf.len > 1) --c->c2.buf.len; */
1286  ipv4_packet_size_verify(BPTR(&c->c2.buf),
1287  BLEN(&c->c2.buf),
1288  TUNNEL_TYPE(c->c1.tuntap),
1289  "PRE_ENCRYPT",
1290  &c->c2.n_trunc_pre_encrypt);
1291 #endif
1292 
1293  }
1294  if (c->c2.buf.len > 0)
1295  {
1296  encrypt_sign(c, true);
1297  }
1298  else
1299  {
1300  buf_reset(&c->c2.to_link);
1301  }
1302  perf_pop();
1303  gc_free(&gc);
1304 }
1305 
1316 void
1317 ipv6_send_icmp_unreachable(struct context *c, struct buffer *buf, bool client)
1318 {
1319 #define MAX_ICMPV6LEN 1280
1320  struct openvpn_icmp6hdr icmp6out;
1321  CLEAR(icmp6out);
1322 
1323  /*
1324  * Get a buffer to the ip packet, is_ipv6 automatically forwards
1325  * the buffer to the ip packet
1326  */
1327  struct buffer inputipbuf = *buf;
1328 
1329  is_ipv6(TUNNEL_TYPE(c->c1.tuntap), &inputipbuf);
1330 
1331  if (BLEN(&inputipbuf) < (int)sizeof(struct openvpn_ipv6hdr))
1332  {
1333  return;
1334  }
1335 
1336  const struct openvpn_ipv6hdr *pip6 = (struct openvpn_ipv6hdr *)BPTR(&inputipbuf);
1337 
1338  /* Copy version, traffic class, flow label from input packet */
1339  struct openvpn_ipv6hdr pip6out = *pip6;
1340 
1341  pip6out.version_prio = pip6->version_prio;
1342  pip6out.daddr = pip6->saddr;
1343 
1344  /*
1345  * Use the IPv6 remote address if we have one, otherwise use a fake one
1346  * using the remote address is preferred since it makes debugging and
1347  * understanding where the ICMPv6 error originates easier
1348  */
1350  {
1351  inet_pton(AF_INET6, c->options.ifconfig_ipv6_remote, &pip6out.saddr);
1352  }
1353  else
1354  {
1355  inet_pton(AF_INET6, "fe80::7", &pip6out.saddr);
1356  }
1357 
1358  pip6out.nexthdr = OPENVPN_IPPROTO_ICMPV6;
1359 
1360  /*
1361  * The ICMPv6 unreachable code worked best in my (arne) tests with Windows,
1362  * Linux and Android. Windows did not like the administratively prohibited
1363  * return code (no fast fail)
1364  */
1367 
1368  int icmpheader_len = sizeof(struct openvpn_ipv6hdr)
1369  + sizeof(struct openvpn_icmp6hdr);
1370  int totalheader_len = icmpheader_len;
1371 
1372  if (TUNNEL_TYPE(c->c1.tuntap) == DEV_TYPE_TAP)
1373  {
1374  totalheader_len += sizeof(struct openvpn_ethhdr);
1375  }
1376 
1377  /*
1378  * Calculate size for payload, defined in the standard that the resulting
1379  * frame should be <= 1280 and have as much as possible of the original
1380  * packet
1381  */
1382  int max_payload_size = min_int(MAX_ICMPV6LEN,
1383  TUN_MTU_SIZE(&c->c2.frame) - icmpheader_len);
1384  int payload_len = min_int(max_payload_size, BLEN(&inputipbuf));
1385 
1386  pip6out.payload_len = htons(sizeof(struct openvpn_icmp6hdr) + payload_len);
1387 
1388  /* Construct the packet as outgoing packet back to the client */
1389  struct buffer *outbuf;
1390  if (client)
1391  {
1392  c->c2.to_tun = c->c2.buffers->aux_buf;
1393  outbuf = &(c->c2.to_tun);
1394  }
1395  else
1396  {
1397  c->c2.to_link = c->c2.buffers->aux_buf;
1398  outbuf = &(c->c2.to_link);
1399  }
1400  ASSERT(buf_init(outbuf, totalheader_len));
1401 
1402  /* Fill the end of the buffer with original packet */
1403  ASSERT(buf_safe(outbuf, payload_len));
1404  ASSERT(buf_copy_n(outbuf, &inputipbuf, payload_len));
1405 
1406  /* ICMP Header, copy into buffer to allow checksum calculation */
1407  ASSERT(buf_write_prepend(outbuf, &icmp6out, sizeof(struct openvpn_icmp6hdr)));
1408 
1409  /* Calculate checksum over the packet and write to header */
1410 
1411  uint16_t new_csum = ip_checksum(AF_INET6, BPTR(outbuf), BLEN(outbuf),
1412  (const uint8_t *)&pip6out.saddr,
1413  (uint8_t *)&pip6out.daddr, OPENVPN_IPPROTO_ICMPV6);
1414  ((struct openvpn_icmp6hdr *) BPTR(outbuf))->icmp6_cksum = htons(new_csum);
1415 
1416 
1417  /* IPv6 Header */
1418  ASSERT(buf_write_prepend(outbuf, &pip6out, sizeof(struct openvpn_ipv6hdr)));
1419 
1420  /*
1421  * Tap mode, we also need to create an Ethernet header.
1422  */
1423  if (TUNNEL_TYPE(c->c1.tuntap) == DEV_TYPE_TAP)
1424  {
1425  if (BLEN(buf) < (int)sizeof(struct openvpn_ethhdr))
1426  {
1427  return;
1428  }
1429 
1430  const struct openvpn_ethhdr *orig_ethhdr = (struct openvpn_ethhdr *) BPTR(buf);
1431 
1432  /* Copy frametype and reverse source/destination for the response */
1433  struct openvpn_ethhdr ethhdr;
1434  memcpy(ethhdr.source, orig_ethhdr->dest, OPENVPN_ETH_ALEN);
1435  memcpy(ethhdr.dest, orig_ethhdr->source, OPENVPN_ETH_ALEN);
1436  ethhdr.proto = htons(OPENVPN_ETH_P_IPV6);
1437  ASSERT(buf_write_prepend(outbuf, &ethhdr, sizeof(struct openvpn_ethhdr)));
1438  }
1439 #undef MAX_ICMPV6LEN
1440 }
1441 
1442 void
1443 process_ip_header(struct context *c, unsigned int flags, struct buffer *buf)
1444 {
1445  if (!c->options.ce.mssfix)
1446  {
1447  flags &= ~PIP_MSSFIX;
1448  }
1449 #if PASSTOS_CAPABILITY
1450  if (!c->options.passtos)
1451  {
1452  flags &= ~PIPV4_PASSTOS;
1453  }
1454 #endif
1455  if (!c->options.client_nat)
1456  {
1457  flags &= ~PIPV4_CLIENT_NAT;
1458  }
1460  {
1461  flags &= ~PIPV4_EXTRACT_DHCP_ROUTER;
1462  }
1463  if (!c->options.block_ipv6)
1464  {
1466  }
1467 
1468  if (buf->len > 0)
1469  {
1470  /*
1471  * The --passtos and --mssfix options require
1472  * us to examine the IPv4 header.
1473  */
1474 
1475  if (flags & (PIP_MSSFIX
1477  | PIPV4_PASSTOS
1478 #endif
1480  ))
1481  {
1482  struct buffer ipbuf = *buf;
1483  if (is_ipv4(TUNNEL_TYPE(c->c1.tuntap), &ipbuf))
1484  {
1485 #if PASSTOS_CAPABILITY
1486  /* extract TOS from IP header */
1487  if (flags & PIPV4_PASSTOS)
1488  {
1489  link_socket_extract_tos(c->c2.link_socket, &ipbuf);
1490  }
1491 #endif
1492 
1493  /* possibly alter the TCP MSS */
1494  if (flags & PIP_MSSFIX)
1495  {
1497  }
1498 
1499  /* possibly do NAT on packet */
1500  if ((flags & PIPV4_CLIENT_NAT) && c->options.client_nat)
1501  {
1502  const int direction = (flags & PIP_OUTGOING) ? CN_INCOMING : CN_OUTGOING;
1503  client_nat_transform(c->options.client_nat, &ipbuf, direction);
1504  }
1505  /* possibly extract a DHCP router message */
1506  if (flags & PIPV4_EXTRACT_DHCP_ROUTER)
1507  {
1508  const in_addr_t dhcp_router = dhcp_extract_router_msg(&ipbuf);
1509  if (dhcp_router)
1510  {
1511  route_list_add_vpn_gateway(c->c1.route_list, c->c2.es, dhcp_router);
1512  }
1513  }
1514  }
1515  else if (is_ipv6(TUNNEL_TYPE(c->c1.tuntap), &ipbuf))
1516  {
1517  /* possibly alter the TCP MSS */
1518  if (flags & PIP_MSSFIX)
1519  {
1520  mss_fixup_ipv6(&ipbuf,
1522  }
1523  if (!(flags & PIP_OUTGOING) && (flags
1525  {
1527  (bool)(flags & PIPV6_IMCP_NOHOST_CLIENT));
1528  /* Drop the IPv6 packet */
1529  buf->len = 0;
1530  }
1531 
1532  }
1533  }
1534  }
1535 }
1536 
1537 /*
1538  * Input: c->c2.to_link
1539  */
1540 
1541 void
1543 {
1544  struct gc_arena gc = gc_new();
1545  int error_code = 0;
1546 
1548 
1549  if (c->c2.to_link.len > 0 && c->c2.to_link.len <= EXPANDED_SIZE(&c->c2.frame))
1550  {
1551  /*
1552  * Setup for call to send/sendto which will send
1553  * packet to remote over the TCP/UDP port.
1554  */
1555  int size = 0;
1557 
1558 #ifdef ENABLE_DEBUG
1559  /* In gremlin-test mode, we may choose to drop this packet */
1560  if (!c->options.gremlin || ask_gremlin(c->options.gremlin))
1561 #endif
1562  {
1563  /*
1564  * Let the traffic shaper know how many bytes
1565  * we wrote.
1566  */
1567  if (c->options.shaper)
1568  {
1571  }
1572 
1573  /*
1574  * Let the pinger know that we sent a packet.
1575  */
1576  if (c->options.ping_send_timeout)
1577  {
1579  }
1580 
1581 #if PASSTOS_CAPABILITY
1582  /* Set TOS */
1583  link_socket_set_tos(c->c2.link_socket);
1584 #endif
1585 
1586  /* Log packet send */
1587 #ifdef LOG_RW
1588  if (c->c2.log_rw)
1589  {
1590  fprintf(stderr, "W");
1591  }
1592 #endif
1593  msg(D_LINK_RW, "%s WRITE [%d] to %s: %s",
1595  BLEN(&c->c2.to_link),
1597  PROTO_DUMP(&c->c2.to_link, &gc));
1598 
1599  /* Packet send complexified by possible Socks5 usage */
1600  {
1601  struct link_socket_actual *to_addr = c->c2.to_link_addr;
1602  int size_delta = 0;
1603 
1604  /* If Socks5 over UDP, prepend header */
1605  socks_preprocess_outgoing_link(c, &to_addr, &size_delta);
1606 
1607  /* Send packet */
1608  size = link_socket_write(c->c2.link_socket,
1609  &c->c2.to_link,
1610  to_addr);
1611 
1612  /* Undo effect of prepend */
1613  link_socket_write_post_size_adjust(&size, size_delta, &c->c2.to_link);
1614  }
1615 
1616  if (size > 0)
1617  {
1619  c->c2.link_write_bytes += size;
1620  link_write_bytes_global += size;
1621 #ifdef ENABLE_MEMSTATS
1622  if (mmap_stats)
1623  {
1624  mmap_stats->link_write_bytes = link_write_bytes_global;
1625  }
1626 #endif
1627 #ifdef ENABLE_MANAGEMENT
1628  if (management)
1629  {
1632  }
1633 #endif
1634  }
1635  }
1636 
1637  /* Check return status */
1638  error_code = openvpn_errno();
1639  check_status(size, "write", c->c2.link_socket, NULL);
1640 
1641  if (size > 0)
1642  {
1643  /* Did we write a different size packet than we intended? */
1644  if (size != BLEN(&c->c2.to_link))
1645  {
1647  "TCP/UDP packet was truncated/expanded on write to %s (tried=%d,actual=%d)",
1649  BLEN(&c->c2.to_link),
1650  size);
1651  }
1652  }
1653 
1654  /* if not a ping/control message, indicate activity regarding --inactive parameter */
1655  if (c->c2.buf.len > 0)
1656  {
1657  register_activity(c, size);
1658  }
1659 
1660  /* for unreachable network and "connecting" state switch to the next host */
1661  if (size < 0 && ENETUNREACH == error_code && c->c2.tls_multi
1663  {
1664  msg(M_INFO, "Network unreachable, restarting");
1665  register_signal(c, SIGUSR1, "network-unreachable");
1666  }
1667  }
1668  else
1669  {
1670  if (c->c2.to_link.len > 0)
1671  {
1672  msg(D_LINK_ERRORS, "TCP/UDP packet too large on write to %s (tried=%d,max=%d)",
1674  c->c2.to_link.len,
1675  EXPANDED_SIZE(&c->c2.frame));
1676  }
1677  }
1678 
1679  buf_reset(&c->c2.to_link);
1680 
1681  perf_pop();
1682  gc_free(&gc);
1683 }
1684 
1685 /*
1686  * Input: c->c2.to_tun
1687  */
1688 
1689 void
1691 {
1692  struct gc_arena gc = gc_new();
1693 
1694  /*
1695  * Set up for write() call to TUN/TAP
1696  * device.
1697  */
1698  if (c->c2.to_tun.len <= 0)
1699  {
1700  return;
1701  }
1702 
1704 
1705  /*
1706  * The --mssfix option requires
1707  * us to examine the IP header (IPv4 or IPv6).
1708  */
1711  &c->c2.to_tun);
1712 
1713  if (c->c2.to_tun.len <= MAX_RW_SIZE_TUN(&c->c2.frame))
1714  {
1715  /*
1716  * Write to TUN/TAP device.
1717  */
1718  int size;
1719 
1720 #ifdef LOG_RW
1721  if (c->c2.log_rw)
1722  {
1723  fprintf(stderr, "w");
1724  }
1725 #endif
1726  dmsg(D_TUN_RW, "TUN WRITE [%d]", BLEN(&c->c2.to_tun));
1727 
1728 #ifdef PACKET_TRUNCATION_CHECK
1729  ipv4_packet_size_verify(BPTR(&c->c2.to_tun),
1730  BLEN(&c->c2.to_tun),
1731  TUNNEL_TYPE(c->c1.tuntap),
1732  "WRITE_TUN",
1733  &c->c2.n_trunc_tun_write);
1734 #endif
1735 
1736 #ifdef _WIN32
1737  size = write_tun_buffered(c->c1.tuntap, &c->c2.to_tun);
1738 #else
1739  size = write_tun(c->c1.tuntap, BPTR(&c->c2.to_tun), BLEN(&c->c2.to_tun));
1740 #endif
1741 
1742  if (size > 0)
1743  {
1744  c->c2.tun_write_bytes += size;
1745  }
1746  check_status(size, "write to TUN/TAP", NULL, c->c1.tuntap);
1747 
1748  /* check written packet size */
1749  if (size > 0)
1750  {
1751  /* Did we write a different size packet than we intended? */
1752  if (size != BLEN(&c->c2.to_tun))
1753  {
1755  "TUN/TAP packet was destructively fragmented on write to %s (tried=%d,actual=%d)",
1756  c->c1.tuntap->actual_name,
1757  BLEN(&c->c2.to_tun),
1758  size);
1759  }
1760 
1761  /* indicate activity regarding --inactive parameter */
1762  register_activity(c, size);
1763  }
1764  }
1765  else
1766  {
1767  /*
1768  * This should never happen, probably indicates some kind
1769  * of MTU mismatch.
1770  */
1771  msg(D_LINK_ERRORS, "tun packet too large on write (tried=%d,max=%d)",
1772  c->c2.to_tun.len,
1773  MAX_RW_SIZE_TUN(&c->c2.frame));
1774  }
1775 
1776  buf_reset(&c->c2.to_tun);
1777 
1778  perf_pop();
1779  gc_free(&gc);
1780 }
1781 
1782 void
1784 {
1785  /* make sure current time (now) is updated on function entry */
1786 
1787  /*
1788  * Start with an effectively infinite timeout, then let it
1789  * reduce to a timeout that reflects the component which
1790  * needs the earliest service.
1791  */
1792  c->c2.timeval.tv_sec = BIG_TIMEOUT;
1793  c->c2.timeval.tv_usec = 0;
1794 
1795 #if defined(_WIN32)
1797  {
1798  c->c2.timeval.tv_sec = 1;
1799  if (tuntap_defined(c->c1.tuntap))
1800  {
1801  tun_show_debug(c->c1.tuntap);
1802  }
1803  }
1804 #endif
1805 
1806  /* check coarse timers? */
1808  if (c->sig->signal_received)
1809  {
1810  return;
1811  }
1812 
1813  /* If tls is enabled, do tls control channel packet processing. */
1814  if (c->c2.tls_multi)
1815  {
1816  check_tls(c);
1817  }
1818 
1819  /* In certain cases, TLS errors will require a restart */
1820  check_tls_errors(c);
1821  if (c->sig->signal_received)
1822  {
1823  return;
1824  }
1825 
1826  /* check for incoming control messages on the control channel like
1827  * push request/reply, or authentication failure and 2FA messages */
1828  if (tls_test_payload_len(c->c2.tls_multi) > 0)
1829  {
1831  }
1832 
1833  /* Should we send an OCC message? */
1834  check_send_occ_msg(c);
1835 
1836 #ifdef ENABLE_FRAGMENT
1837  /* Should we deliver a datagram fragment to remote? */
1838  if (c->c2.fragment)
1839  {
1840  check_fragment(c);
1841  }
1842 #endif
1843 
1844  /* Update random component of timeout */
1846 }
1847 
1848 /*
1849  * Wait for I/O events. Used for both TCP & UDP sockets
1850  * in point-to-point mode and for UDP sockets in
1851  * point-to-multipoint mode.
1852  */
1853 
1854 void
1855 io_wait_dowork(struct context *c, const unsigned int flags)
1856 {
1857  unsigned int socket = 0;
1858  unsigned int tuntap = 0;
1859  struct event_set_return esr[4];
1860 
1861  /* These shifts all depend on EVENT_READ (=1) and EVENT_WRITE (=2)
1862  * and are added to the shift. Check openvpn.h for more details.
1863  */
1864  static int socket_shift = SOCKET_SHIFT;
1865  static int tun_shift = TUN_SHIFT;
1866  static int err_shift = ERR_SHIFT;
1867 #ifdef ENABLE_MANAGEMENT
1868  static int management_shift = MANAGEMENT_SHIFT;
1869 #endif
1870 #ifdef ENABLE_ASYNC_PUSH
1871  static int file_shift = FILE_SHIFT;
1872 #endif
1873 
1874  /*
1875  * Decide what kind of events we want to wait for.
1876  */
1877  event_reset(c->c2.event_set);
1878 
1879  /*
1880  * On win32 we use the keyboard or an event object as a source
1881  * of asynchronous signals.
1882  */
1883  if (flags & IOW_WAIT_SIGNAL)
1884  {
1885  wait_signal(c->c2.event_set, (void *)&err_shift);
1886  }
1887 
1888  /*
1889  * If outgoing data (for TCP/UDP port) pending, wait for ready-to-send
1890  * status from TCP/UDP port. Otherwise, wait for incoming data on
1891  * TUN/TAP device.
1892  */
1893  if (flags & IOW_TO_LINK)
1894  {
1895  if (flags & IOW_SHAPER)
1896  {
1897  /*
1898  * If sending this packet would put us over our traffic shaping
1899  * quota, don't send -- instead compute the delay we must wait
1900  * until it will be OK to send the packet.
1901  */
1902  int delay = 0;
1903 
1904  /* set traffic shaping delay in microseconds */
1905  if (c->options.shaper)
1906  {
1907  delay = max_int(delay, shaper_delay(&c->c2.shaper));
1908  }
1909 
1910  if (delay < 1000)
1911  {
1912  socket |= EVENT_WRITE;
1913  }
1914  else
1915  {
1916  shaper_soonest_event(&c->c2.timeval, delay);
1917  }
1918  }
1919  else
1920  {
1921  socket |= EVENT_WRITE;
1922  }
1923  }
1924  else if (!((flags & IOW_FRAG) && TO_LINK_FRAG(c)))
1925  {
1926  if (flags & IOW_READ_TUN)
1927  {
1928  tuntap |= EVENT_READ;
1929  }
1930  }
1931 
1932  /*
1933  * If outgoing data (for TUN/TAP device) pending, wait for ready-to-send status
1934  * from device. Otherwise, wait for incoming data on TCP/UDP port.
1935  */
1936  if (flags & IOW_TO_TUN)
1937  {
1938  tuntap |= EVENT_WRITE;
1939  }
1940  else
1941  {
1942  if (flags & IOW_READ_LINK)
1943  {
1944  socket |= EVENT_READ;
1945  }
1946  }
1947 
1948  /*
1949  * outgoing bcast buffer waiting to be sent?
1950  */
1951  if (flags & IOW_MBUF)
1952  {
1953  socket |= EVENT_WRITE;
1954  }
1955 
1956  /*
1957  * Force wait on TUN input, even if also waiting on TCP/UDP output
1958  */
1959  if (flags & IOW_READ_TUN_FORCE)
1960  {
1961  tuntap |= EVENT_READ;
1962  }
1963 
1964 #ifdef _WIN32
1965  if (tuntap_is_wintun(c->c1.tuntap))
1966  {
1967  /*
1968  * With wintun we are only interested in read event. Ring buffer is
1969  * always ready for write, so we don't do wait.
1970  */
1971  tuntap = EVENT_READ;
1972  }
1973 #endif
1974 
1975  /*
1976  * Configure event wait based on socket, tuntap flags.
1977  */
1978  socket_set(c->c2.link_socket, c->c2.event_set, socket, (void *)&socket_shift, NULL);
1979  tun_set(c->c1.tuntap, c->c2.event_set, tuntap, (void *)&tun_shift, NULL);
1980 
1981 #ifdef ENABLE_MANAGEMENT
1982  if (management)
1983  {
1984  management_socket_set(management, c->c2.event_set, (void *)&management_shift, NULL);
1985  }
1986 #endif
1987 
1988 #ifdef ENABLE_ASYNC_PUSH
1989  /* arm inotify watcher */
1990  if (c->options.mode == MODE_SERVER)
1991  {
1992  event_ctl(c->c2.event_set, c->c2.inotify_fd, EVENT_READ, (void *)&file_shift);
1993  }
1994 #endif
1995 
1996  /*
1997  * Possible scenarios:
1998  * (1) tcp/udp port has data available to read
1999  * (2) tcp/udp port is ready to accept more data to write
2000  * (3) tun dev has data available to read
2001  * (4) tun dev is ready to accept more data to write
2002  * (5) we received a signal (handler sets signal_received)
2003  * (6) timeout (tv) expired
2004  */
2005 
2007 
2008  if (!c->sig->signal_received)
2009  {
2010  if (!(flags & IOW_CHECK_RESIDUAL) || !socket_read_residual(c->c2.link_socket))
2011  {
2012  int status;
2013 
2014 #ifdef ENABLE_DEBUG
2016  {
2017  show_wait_status(c);
2018  }
2019 #endif
2020 
2021  /*
2022  * Wait for something to happen.
2023  */
2024  status = event_wait(c->c2.event_set, &c->c2.timeval, esr, SIZE(esr));
2025 
2026  check_status(status, "event_wait", NULL, NULL);
2027 
2028  if (status > 0)
2029  {
2030  int i;
2031  c->c2.event_set_status = 0;
2032  for (i = 0; i < status; ++i)
2033  {
2034  const struct event_set_return *e = &esr[i];
2035  c->c2.event_set_status |= ((e->rwflags & 3) << *((int *)e->arg));
2036  }
2037  }
2038  else if (status == 0)
2039  {
2041  }
2042  }
2043  else
2044  {
2046  }
2047  }
2048 
2049  /* 'now' should always be a reasonably up-to-date timestamp */
2050  update_time();
2051 
2052  /* set signal_received if a signal was received */
2053  if (c->c2.event_set_status & ES_ERROR)
2054  {
2056  }
2057 
2058  dmsg(D_EVENT_WAIT, "I/O WAIT status=0x%04x", c->c2.event_set_status);
2059 }
2060 
2061 void
2063 {
2064  const unsigned int status = c->c2.event_set_status;
2065 
2066 #ifdef ENABLE_MANAGEMENT
2067  if (status & (MANAGEMENT_READ|MANAGEMENT_WRITE))
2068  {
2069  ASSERT(management);
2071  }
2072 #endif
2073 
2074  /* TCP/UDP port ready to accept write */
2075  if (status & SOCKET_WRITE)
2076  {
2078  }
2079  /* TUN device ready to accept write */
2080  else if (status & TUN_WRITE)
2081  {
2083  }
2084  /* Incoming data on TCP/UDP port */
2085  else if (status & SOCKET_READ)
2086  {
2087  read_incoming_link(c);
2088  if (!IS_SIG(c))
2089  {
2091  }
2092  }
2093  /* Incoming data on TUN device */
2094  else if (status & TUN_READ)
2095  {
2096  read_incoming_tun(c);
2097  if (!IS_SIG(c))
2098  {
2100  }
2101  }
2102 }
struct env_set * es
Definition: openvpn.h:408
static void check_fragment(struct context *c)
Definition: forward.c:478
#define TLSMP_ACTIVE
Definition: ssl.h:245
void io_wait_dowork(struct context *c, const unsigned int flags)
Definition: forward.c:1855
static void link_socket_get_outgoing_addr(struct buffer *buf, const struct link_socket_info *info, struct link_socket_actual **act)
Definition: socket.h:951
void receive_auth_failed(struct context *c, const struct buffer *buffer)
Definition: push.c:51
static void register_activity(struct context *c, const int size)
Definition: forward.h:320
counter_type tun_read_bytes
Definition: openvpn.h:267
struct buffer to_link
Definition: openvpn.h:367
static void context_reschedule_sec(struct context *c, int sec)
Definition: forward.c:130
#define ETT_DEFAULT
Definition: interval.h:213
Security parameter state for processing data channel packets.
Definition: crypto.h:232
bool log_rw
Definition: openvpn.h:370
uint32_t daddr
Definition: proto.h:128
struct event_timeout route_wakeup
Definition: openvpn.h:373
static bool connection_established(struct context *c)
Definition: forward.h:415
#define TO_LINK_FRAG(c)
Definition: forward.h:43
Definition: tun.h:155
struct client_nat_option_list * client_nat
Definition: options.h:391
static bool tuntap_abort(int status)
Definition: tun.h:461
struct buffer read_tun_buf
Definition: openvpn.h:111
#define M_NOPREFIX
Definition: error.h:106
struct event_timeout ping_rec_interval
Definition: openvpn.h:285
struct options options
Options loaded from command line or configuration file.
Definition: openvpn.h:463
#define BIG_TIMEOUT
Definition: common.h:41
struct event_timeout route_wakeup_expire
Definition: openvpn.h:374
#define OPENVPN_IPPROTO_ICMPV6
Definition: proto.h:123
#define D_ROUTE
Definition: errlevel.h:80
counter_type link_write_bytes
Definition: openvpn.h:271
#define OPENVPN_ETH_P_IPV6
Definition: proto.h:61
#define SOCKET_READ
Definition: event.h:62
#define openvpn_errno()
Definition: error.h:78
struct interval tmp_int
Definition: openvpn.h:334
static bool buf_advance(struct buffer *buf, int size)
Definition: buffer.h:639
bool do_up(struct context *c, bool pulled_options, unsigned int option_types_found)
Definition: init.c:2142
#define M_INFO
Definition: errlevel.h:55
Contains all state information for one tunnel.
Definition: openvpn.h:461
void tun_show_debug(struct tuntap *tt)
Definition: tun.c:6703
static void check_connection_established(struct context *c)
Definition: forward.c:279
in_addr_t dhcp_extract_router_msg(struct buffer *ipbuf)
Definition: dhcp.c:151
static void check_timeout_random_component_dowork(struct context *c)
Definition: forward.c:723
bool tun_standby(struct tuntap *tt)
Definition: tun.c:5670
const char * print_link_socket_actual(const struct link_socket_actual *act, struct gc_arena *gc)
Definition: socket.c:2795
static void check_ping_restart(struct context *c)
Definition: ping.h:60
static void gc_free(struct gc_arena *a)
Definition: buffer.h:1023
void receive_auth_pending(struct context *c, const struct buffer *buffer)
Parses an AUTH_PENDING message and if in pull mode extends the timeout.
Definition: push.c:284
#define D_EVENT_WAIT
Definition: errlevel.h:156
void mss_fixup_ipv6(struct buffer *buf, int maxmss)
Definition: mss.c:86
void tls_post_encrypt(struct tls_multi *multi, struct buffer *buf)
Perform some accounting for the key state used.
Definition: ssl.c:3966
#define MTU_TO_MSS(mtu)
Definition: proto.h:258
uint8_t icmp6_type
Definition: proto.h:157
#define PERF_PROC_OUT_LINK
Definition: perf.h:55
void send_auth_failed(struct context *c, const char *client_reason)
Definition: push.c:338
bool send_control_channel_string(struct context *c, const char *str, int msglevel)
Definition: forward.c:345
#define IOW_READ_LINK
Definition: forward.h:57
enum multi_status multi_state
Definition: ssl_common.h:588
Security parameter state for a single VPN tunnel.
Definition: ssl_common.h:566
bool buf_assign(struct buffer *dest, const struct buffer *src)
Definition: buffer.c:175
static void check_timeout_random_component(struct context *c)
Definition: forward.c:734
#define CC_PRINT
Definition: buffer.h:915
struct buffer buf
Definition: openvpn.h:365
void process_ip_header(struct context *c, unsigned int flags, struct buffer *buf)
Definition: forward.c:1443
static int tls_test_payload_len(const struct tls_multi *multi)
Definition: ssl.h:548
#define SIGUSR1
Definition: config-msvc.h:115
static void check_status_file(struct context *c)
Definition: forward.c:465
static int link_socket_read(struct link_socket *sock, struct buffer *buf, struct link_socket_actual *from)
Definition: socket.h:1036
struct context_buffers * buffers
Definition: openvpn.h:357
static void check_push_request(struct context *c)
Definition: forward.c:261
struct event_timeout wait_for_connect
Definition: openvpn.h:283
uint8_t version_prio
Definition: proto.h:136
static bool is_occ_msg(const struct buffer *buf)
Definition: occ.h:84
static void check_tls_errors(struct context *c)
Definition: forward.c:97
bool is_hard_reset_method2(int op)
Given a key_method, return true if opcode represents the one of the hard_reset op codes for key-metho...
Definition: ssl.c:895
int read_tun(struct tuntap *tt, uint8_t *buf, int len)
static void perf_pop(void)
Definition: perf.h:82
void receive_cr_response(struct context *c, const struct buffer *buffer)
Definition: push.c:212
bool buf_printf(struct buffer *buf, const char *format,...)
Definition: buffer.c:242
void process_received_occ_msg(struct context *c)
Definition: occ.c:351
static void perf_push(int type)
Definition: perf.h:78
void tls_prepend_opcode_v2(const struct tls_multi *multi, struct buffer *buf)
Prepend an OpenVPN data channel P_DATA_V2 header to the packet.
Definition: ssl.c:3951
struct event_timeout et
Definition: status.h:61
#define PERF_READ_IN_LINK
Definition: perf.h:51
static void event_timeout_clear(struct event_timeout *et)
Definition: interval.h:150
#define SIZE(x)
Definition: basic.h:30
#define in_addr_t
Definition: config-msvc.h:103
#define dmsg(flags,...)
Definition: error.h:157
static void process_coarse_timers(struct context *c)
Definition: forward.c:607
struct signal_info * sig
Internal error signaling object.
Definition: openvpn.h:488
static void interval_future_trigger(struct interval *top, interval_t wakeup)
Definition: interval.h:108
#define IOW_SHAPER
Definition: forward.h:58
struct frame frame_initial
Definition: openvpn.h:249
static bool fragment_outgoing_defined(struct fragment_master *f)
Check whether a fragment_master structure contains fragments ready to be sent.
Definition: fragment.h:448
void pre_select(struct context *c)
Definition: forward.c:1783
int max_recv_size_local
Definition: openvpn.h:304
#define SIGTERM
Definition: config-msvc.h:117
uint8_t icmp6_code
Definition: proto.h:160
#define TLS_MODE(c)
Definition: openvpn.h:524
static void get_signal(volatile int *sig)
Definition: sig.h:89
#define SIGHUP
Definition: config-msvc.h:113
struct tuntap * tuntap
Tun/tap virtual network interface.
Definition: openvpn.h:167
#define ES_TIMEOUT
Definition: event.h:69
#define TUN_SHIFT
Definition: event.h:64
static int event_wait(struct event_set *es, const struct timeval *tv, struct event_set_return *out, int outlen)
Definition: event.h:163
bool test_routes(const struct route_list *rl, const struct tuntap *tt)
Definition: route.c:2635
int handshake_window
Definition: options.h:595
void socks_process_incoming_udp(struct buffer *buf, struct link_socket_actual *from)
Definition: socks.c:568
#define ASSERT(x)
Definition: error.h:204
bool allow_recursive_routing
Definition: options.h:661
bool fragment_ready_to_send(struct fragment_master *f, struct buffer *buf, const struct frame *frame)
Check whether outgoing fragments are ready to be send, and if so make one available.
Definition: fragment.c:381
static void read_wintun(struct tuntap *tt, struct buffer *buf)
Definition: tun.h:517
#define IOW_TO_LINK
Definition: forward.h:55
static bool check_debug_level(unsigned int level)
Definition: error.h:234
void read_incoming_link(struct context *c)
Read a packet from the external network interface.
Definition: forward.c:793
static bool link_socket_verify_incoming_addr(struct buffer *buf, const struct link_socket_info *info, const struct link_socket_actual *from_addr)
Definition: socket.h:923
void ipv6_send_icmp_unreachable(struct context *c, struct buffer *buf, bool client)
Forges a IPv6 ICMP packet with a no route to host error code from the IPv6 packet in buf and sends it...
Definition: forward.c:1317
uint16_t proto
Definition: proto.h:64
void * arg
Definition: event.h:118
static bool tuntap_defined(const struct tuntap *tt)
Definition: tun.h:224
static bool link_socket_connection_oriented(const struct link_socket *sock)
Definition: socket.h:607
#define MAX_ICMPV6LEN
int ping_rec_timeout
Definition: options.h:300
#define D_LOW
Definition: errlevel.h:97
int write_tun(struct tuntap *tt, uint8_t *buf, int len)
void reschedule_multi_process(struct context *c)
Reschedule tls_multi_process.
Definition: forward.c:338
static bool interval_test(struct interval *top)
Definition: interval.h:66
struct in6_addr daddr
Definition: proto.h:143
counter_type link_read_bytes_global
Definition: forward.c:49
void encrypt_sign(struct context *c, bool comp_frag)
Process a data channel packet that will be sent through a VPN tunnel.
Definition: forward.c:527
struct frame frame_fragment_initial
Definition: openvpn.h:255
void fragment_outgoing(struct fragment_master *f, struct buffer *buf, const struct frame *frame)
Process an outgoing packet, which may or may not need to be fragmented.
Definition: fragment.c:326
#define MODE_SERVER
Definition: options.h:223
bool send_push_request(struct context *c)
Definition: push.c:481
bool use_peer_id
Definition: ssl_common.h:643
void tls_pre_encrypt(struct tls_multi *multi, struct buffer *buf, struct crypto_options **opt)
Choose the appropriate security parameters with which to process an outgoing packet.
Definition: ssl.c:3904
struct event_timeout ping_send_interval
Definition: openvpn.h:284
#define D_PING
Definition: errlevel.h:140
#define D_LINK_RW
Definition: errlevel.h:112
#define PIP_MSSFIX
Definition: forward.h:295
#define FRAME_HEADROOM_ADJ(f, fm)
Definition: mtu.h:188
static void check_send_occ_load_test(struct context *c)
Definition: occ.h:126
bool send_control_channel_string_dowork(struct tls_multi *multi, const char *str, int msglevel)
Definition: forward.c:320
struct sockaddr_in6 in6
Definition: socket.h:70
list flags
int len
Length in bytes of the actual content within the allocated memory.
Definition: buffer.h:66
time_t explicit_exit_notification_time_wait
Definition: openvpn.h:404
#define PIPV4_CLIENT_NAT
Definition: forward.h:298
void link_socket_bad_incoming_addr(struct buffer *buf, const struct link_socket_info *info, const struct link_socket_actual *from_addr)
Definition: socket.c:2394
struct context_1 c1
Level 1 context.
Definition: openvpn.h:501
static void tls_set_single_session(struct tls_multi *multi)
Definition: ssl.h:562
#define IOW_TO_TUN
Definition: forward.h:54
#define PIPV4_PASSTOS
Definition: forward.h:294
struct context_persist persist
Persistent context.
Definition: openvpn.h:498
struct buffer decrypt_buf
Definition: openvpn.h:98
struct event_timeout inactivity_interval
Definition: openvpn.h:288
openvpn_net_ctx_t net_ctx
Networking API opaque context.
Definition: openvpn.h:486
#define D_INTERVAL
Definition: errlevel.h:152
#define CLEAR(x)
Definition: basic.h:33
#define BPTR(buf)
Definition: buffer.h:124
struct frame frame_fragment
Definition: openvpn.h:254
static struct link_socket_info * get_link_socket_info(struct context *c)
Definition: forward.h:307
static void fragment_housekeeping(struct fragment_master *f, struct frame *frame, struct timeval *tv)
Perform housekeeping of a fragment_master structure.
Definition: fragment.h:475
void tls_prepend_opcode_v1(const struct tls_multi *multi, struct buffer *buf)
Prepend a one-byte OpenVPN data channel P_DATA_V1 opcode to the packet.
Definition: ssl.c:3937
const char * tv_string(const struct timeval *tv, struct gc_arena *gc)
Definition: otime.c:84
static void event_timeout_reset(struct event_timeout *et)
Definition: interval.h:174
uint16_t ip_checksum(const sa_family_t af, const uint8_t *payload, const int len_payload, const uint8_t *src_addr, const uint8_t *dest_addr, const int proto)
Calculates an IP or IPv6 checksum with a pseudo header as required by TCP, UDP and ICMPv6...
Definition: proto.c:125
#define ERR_SHIFT
Definition: event.h:67
counter_type tun_write_bytes
Definition: openvpn.h:268
bool event_timeout_trigger(struct event_timeout *et, struct timeval *tv, const int et_const_retry)
Definition: interval.c:45
int proto
Definition: options.h:98
#define IOW_READ_TUN_FORCE
Definition: forward.h:62
void client_nat_transform(const struct client_nat_option_list *list, struct buffer *ipbuf, const int direction)
Definition: clinat.c:195
counter_type link_read_bytes
Definition: openvpn.h:269
static void process_incoming_link(struct context *c)
Definition: forward.c:1074
int mode
Definition: options.h:224
static void check_coarse_timers(struct context *c)
Definition: forward.c:699
#define PROTO_DUMP(buf, gc)
Definition: openvpn.h:526
static struct gc_arena gc_new(void)
Definition: buffer.h:1015
time_t now
Definition: otime.c:36
struct link_socket_actual * to_link_addr
Definition: openvpn.h:244
void buf_null_terminate(struct buffer *buf)
Definition: buffer.c:569
static void interval_action(struct interval *top)
Definition: interval.h:124
int shaper
Definition: options.h:281
struct route_list * route_list
List of routing information.
Definition: openvpn.h:172
#define IOW_MBUF
Definition: forward.h:61
void management_socket_set(struct management *man, struct event_set *es, void *arg, unsigned int *persistent)
Definition: manage.c:3044
void process_explicit_exit_notification_timer_wakeup(struct context *c)
Definition: sig.c:340
int get_server_poll_remaining_time(struct event_timeout *server_poll_timeout)
Definition: forward.c:418
static void management_bytes_in(struct management *man, const int size)
Definition: manage.h:553
#define FRAME_HEADROOM(f)
Definition: mtu.h:187
static bool event_timeout_defined(const struct event_timeout *et)
Definition: interval.h:144
int mssfix
Definition: options.h:128
struct frame frame
Definition: openvpn.h:248
int n_hard_errors
Definition: ssl_common.h:593
#define TUN_WRITE
Definition: event.h:66
static bool tls_initial_packet_received(const struct tls_multi *multi)
Definition: ssl.h:542
struct timeval timeval
Definition: openvpn.h:384
#define ES_ERROR
Definition: event.h:68
struct sockaddr_in in4
Definition: socket.h:69
static void check_inactivity_timeout(struct context *c)
Definition: forward.c:411
uint64_t counter_type
Definition: common.h:30
static int write_tun_buffered(struct tuntap *tt, struct buffer *buf)
Definition: tun.h:646
interval_t n
Definition: interval.h:139
#define OPENVPN_ICMP6_DU_NOROUTE
Definition: proto.h:158
#define TUN_MTU_SIZE(f)
Definition: mtu.h:156
#define OPENVPN_ICMP6_DESTINATION_UNREACHABLE
Definition: proto.h:150
#define D_TAP_WIN_DEBUG
Definition: errlevel.h:114
static bool link_socket_actual_defined(const struct link_socket_actual *act)
Definition: socket.h:685
static void buffer_turnover(const uint8_t *orig_buf, struct buffer *dest_stub, struct buffer *src_stub, struct buffer *storage)
Definition: forward.c:508
#define MANAGEMENT_READ
Definition: event.h:71
static int link_socket_write(struct link_socket *sock, struct buffer *buf, struct link_socket_actual *to)
Definition: socket.h:1150
#define IOW_FRAG
Definition: forward.h:60
static void tv_add(struct timeval *dest, const struct timeval *src)
Definition: otime.h:132
#define D_SCHED_EXIT
Definition: errlevel.h:89
static void event_reset(struct event_set *es)
Definition: event.h:145
static int get_tun_ip_ver(int tunnel_type, struct buffer *buf, int *ip_hdr_offset)
Definition: proto.h:266
#define EXPANDED_SIZE(f)
Definition: mtu.h:172
#define PERF_PROC_IN_TUN
Definition: perf.h:54
struct event_timeout scheduled_exit
Definition: openvpn.h:435
static void event_ctl(struct event_set *es, event_t event, unsigned int rwflags, void *arg)
Definition: event.h:157
struct in6_addr saddr
Definition: proto.h:142
uint8_t nexthdr
Definition: proto.h:139
const char * sanitize_control_message(const char *src, struct gc_arena *gc)
Definition: misc.c:656
static void check_scheduled_exit(struct context *c)
Definition: forward.c:456
void process_outgoing_link(struct context *c)
Write a packet to the external network interface.
Definition: forward.c:1542
int n_soft_errors
Definition: ssl_common.h:594
void route_list_add_vpn_gateway(struct route_list *rl, struct env_set *es, const in_addr_t addr)
Definition: route.c:540
int restart_sleep_seconds
Definition: openvpn.h:119
union openvpn_sockaddr::@10 addr
struct link_socket * link_socket
Definition: openvpn.h:237
static bool socket_connection_reset(const struct link_socket *sock, int status)
Definition: socket.h:901
void process_io(struct context *c)
Definition: forward.c:2062
#define CN_OUTGOING
Definition: clinat.h:31
void initialization_sequence_completed(struct context *c, const unsigned int flags)
Definition: init.c:1568
const char * socket_stat(const struct link_socket *s, unsigned int rwflags, struct gc_arena *gc)
Definition: socket.c:2497
void reset_coarse_timers(struct context *c)
Definition: init.c:1362
counter_type link_write_bytes_global
Definition: forward.c:50
Interface functions to the internal and external multiplexers.
#define IS_SIG(c)
Definition: sig.h:50
int ping_send_timeout
Definition: options.h:299
void incoming_push_message(struct context *c, const struct buffer *buffer)
Definition: push.c:440
bool tls_rec_payload(struct tls_multi *multi, struct buffer *buf)
Definition: ssl.c:4023
char * client_reason
Definition: ssl_common.h:613
struct connection_entry ce
Definition: options.h:252
#define D_TUN_RW
Definition: errlevel.h:113
static void check_tls(struct context *c)
Definition: forward.c:154
static int shaper_delay(struct shaper *s)
Definition: shaper.h:103
struct route_ipv6_list * route_ipv6_list
Definition: openvpn.h:177
struct context_2 c2
Level 2 context.
Definition: openvpn.h:502
uint8_t * data
Pointer to the allocated memory.
Definition: buffer.h:68
#define PIP_OUTGOING
Definition: forward.h:296
void read_incoming_tun(struct context *c)
Read a packet from the virtual tun/tap network interface.
Definition: forward.c:1092
const char * ifconfig_ipv6_remote
Definition: options.h:278
struct shaper shaper
Definition: openvpn.h:262
void print_status(const struct context *c, struct status_output *so)
Definition: sig.c:282
static bool tuntap_is_wintun(struct tuntap *tt)
Definition: tun.h:235
static void check_tls_errors_co(struct context *c)
Definition: forward.c:80
#define TUN_MTU_SIZE_DYNAMIC(f)
Definition: mtu.h:157
void openvpn_encrypt(struct buffer *buf, struct buffer work, struct crypto_options *opt)
Encrypt and HMAC sign a packet so that it can be sent as a data channel VPN tunnel packet to a remote...
Definition: crypto.c:299
#define IOW_WAIT_SIGNAL
Definition: forward.h:63
uint8_t source[OPENVPN_ETH_ALEN]
Definition: proto.h:58
#define PIPV6_IMCP_NOHOST_CLIENT
Definition: forward.h:299
static void link_socket_set_outgoing_addr(struct link_socket_info *info, const struct link_socket_actual *act, const char *common_name, struct env_set *es)
Definition: socket.h:972
int socks_process_outgoing_udp(struct buffer *buf, const struct link_socket_actual *to)
Definition: socks.c:607
#define EVENT_READ
Definition: event.h:39
void do_route(const struct options *options, struct route_list *route_list, struct route_ipv6_list *route_ipv6_list, const struct tuntap *tt, const struct plugin_list *plugins, struct env_set *es, openvpn_net_ctx_t *ctx)
Definition: init.c:1687
uint8_t dest[OPENVPN_ETH_ALEN]
Definition: proto.h:57
int inactivity_timeout
Definition: options.h:296
time_t update_timeout_random_component
Definition: openvpn.h:391
#define MANAGEMENT_SHIFT
Definition: event.h:70
#define BLEN(buf)
Definition: buffer.h:127
static void check_send_occ_req(struct context *c)
Definition: occ.h:111
#define ISC_ERRORS
Definition: init.h:117
#define CN_INCOMING
Definition: clinat.h:32
const char * tun_stat(const struct tuntap *tt, unsigned int rwflags, struct gc_arena *gc)
Definition: tun.c:628
struct buffer aux_buf
Definition: openvpn.h:94
bool shaper_soonest_event(struct timeval *tv, int delay)
Definition: shaper.c:39
#define P_OPCODE_SHIFT
Definition: ssl.h:51
void show_adapters(int msglev)
Definition: tun.c:4944
struct event_set * event_set
Definition: openvpn.h:230
#define msg(flags,...)
Definition: error.h:153
struct event_timeout packet_id_persist_interval
Definition: openvpn.h:345
struct buffer read_link_buf
Definition: openvpn.h:110
bool openvpn_decrypt(struct buffer *buf, struct buffer work, struct crypto_options *opt, const struct frame *frame, const uint8_t *ad_start)
HMAC verify and decrypt a data channel packet received from a remote OpenVPN peer.
Definition: crypto.c:656
static int max_int(int x, int y)
Definition: integer.h:69
struct event_timeout push_request_interval
Definition: openvpn.h:427
#define TLSMP_KILL
Definition: ssl.h:246
static void check_send_occ_msg(struct context *c)
Definition: occ.h:141
#define MODE_POINT_TO_POINT
Definition: options.h:222
static void event_timeout_modify_wakeup(struct event_timeout *et, interval_t n)
Definition: interval.h:183
bool tls_pre_decrypt(struct tls_multi *multi, const struct link_socket_actual *from, struct buffer *buf, struct crypto_options **opt, bool floated, const uint8_t **ad_start)
Determine whether an incoming packet is a data channel or control channel packet, and process accordi...
Definition: ssl.c:3380
bool string_mod(char *str, const unsigned int inclusive, const unsigned int exclusive, const char replace)
Definition: buffer.c:1077
static void drop_if_recursive_routing(struct context *c, struct buffer *buf)
Drops UDP packets which OS decided to route via tun.
Definition: forward.c:1168
int scheduled_exit_signal
Definition: openvpn.h:436
#define PERF_READ_IN_TUN
Definition: perf.h:53
unsigned int socket_set(struct link_socket *s, struct event_set *es, unsigned int rwflags, void *arg, unsigned int *persistent)
Definition: socket.c:3800
static bool buf_copy_n(struct buffer *dest, struct buffer *src, int n)
Definition: buffer.h:740
volatile int signal_received
Definition: sig.h:45
static void check_tls_errors_nco(struct context *c)
Definition: forward.c:87
bool is_ipv6(int tunnel_type, struct buffer *buf)
Definition: proto.c:118
#define PUSH_REQUEST_INTERVAL
Definition: common.h:80
static void interval_schedule_wakeup(struct interval *top, interval_t *wakeup)
Definition: interval.h:94
static bool is_ping_msg(const struct buffer *buf)
Definition: ping.h:41
#define IN6_ARE_ADDR_EQUAL(a, b)
Definition: win32.h:49
time_t push_request_timeout
Definition: openvpn.h:428
#define FILE_SHIFT
Definition: event.h:73
void register_signal(struct context *c, int sig, const char *text)
Definition: sig.c:447
#define OPENVPN_STATE_GET_CONFIG
Definition: manage.h:479
uint16_t icmp6_cksum
Definition: proto.h:161
static bool buf_safe(const struct buffer *buf, size_t len)
Definition: buffer.h:541
struct timeval timeout_random_component
Definition: openvpn.h:392
int connect_timeout
Definition: options.h:111
static void check_ping_send(struct context *c)
Definition: ping.h:77
Wrapper structure for dynamically allocated memory.
Definition: buffer.h:60
static void check_status(int status, const char *description, struct link_socket *sock, struct tuntap *tt)
Definition: error.h:291
void show_routes(int msglev)
Definition: route.c:3150
struct event_timeout explicit_exit_notification_interval
Definition: openvpn.h:405
void server_pushed_signal(struct context *c, const struct buffer *buffer, const bool restart, const int adv)
Definition: push.c:120
void frame_adjust_path_mtu(struct frame *frame, int pmtu, int proto)
Definition: socket.c:1664
#define buf_init(buf, offset)
Definition: buffer.h:196
bool tls_send_payload(struct tls_multi *multi, const uint8_t *data, int size)
Definition: ssl.c:3986
struct fragment_master * fragment
Definition: openvpn.h:253
#define IOW_CHECK_RESIDUAL
Definition: forward.h:59
static bool buf_write_prepend(struct buffer *dest, const void *src, int size)
Definition: buffer.h:701
struct status_output * status_output
Definition: openvpn.h:180
static void shaper_wrote_bytes(struct shaper *s, int nbytes)
Definition: shaper.h:128
#define PIPV6_IMCP_NOHOST_SERVER
Definition: forward.h:300
struct plugin_list * plugins
List of plug-ins.
Definition: openvpn.h:490
struct packet_id_persist pid_persist
Definition: openvpn.h:165
void management_io(struct management *man)
Definition: manage.c:3084
static void management_bytes_out(struct management *man, const int size)
Definition: manage.h:544
#define MAX_RW_SIZE_TUN(f)
Definition: mtu.h:180
void management_set_state(struct management *man, const int state, const char *detail, const in_addr_t *tun_local_ip, const struct in6_addr *tun_local_ip6, const struct openvpn_sockaddr *local, const struct openvpn_sockaddr *remote)
Definition: manage.c:2665
bool is_ipv4(int tunnel_type, struct buffer *buf)
Definition: proto.c:113
struct event_timeout server_poll_interval
Definition: openvpn.h:396
static void wait_signal(struct event_set *es, void *arg)
Definition: event.h:182
static void check_add_routes_action(struct context *c, const bool errors)
Definition: forward.c:362
#define FRAME_HEADROOM_MARKER_READ_LINK
Definition: mtu.h:131
const char * tls_common_name(const struct tls_multi *multi, const bool null)
Returns the common name field for the given tunnel.
Definition: ssl_verify.c:112
struct buffer alloc_buf_gc(size_t size, struct gc_arena *gc)
Definition: buffer.c:90
#define PERF_PROC_IN_LINK
Definition: perf.h:52
#define SOCKET_WRITE
Definition: event.h:63
static void check_add_routes(struct context *c)
Definition: forward.c:373
static int min_int(int x, int y)
Definition: integer.h:82
static void buf_reset(struct buffer *buf)
Definition: buffer.h:290
#define SOCKET_SHIFT
Definition: event.h:61
#define EVENT_WRITE
Definition: event.h:40
#define OPENVPN_ETH_ALEN
Definition: proto.h:54
#define PIPV4_EXTRACT_DHCP_ROUTER
Definition: forward.h:297
#define TUNNEL_TYPE(tt)
Definition: tun.h:157
static bool socket_read_residual(const struct link_socket *s)
Definition: socket.h:1205
Garbage collection arena used to keep track of dynamically allocated memory.
Definition: buffer.h:116
#define IOW_READ_TUN
Definition: forward.h:56
static bool packet_id_persist_enabled(const struct packet_id_persist *p)
Definition: packet_id.h:281
int original_recv_size
Definition: openvpn.h:303
int interval_t
Definition: common.h:36
void process_incoming_link_part2(struct context *c, struct link_socket_info *lsi, const uint8_t *orig_buf)
Continues processing a packet read from the external network interface.
Definition: forward.c:991
void management_sleep(const int n)
A sleep function that services the management layer for n seconds rather than doing nothing...
Definition: manage.c:4043
#define PERF_PROC_OUT_TUN
Definition: perf.h:56
struct link_socket_actual from
Definition: openvpn.h:245
static void socks_postprocess_incoming_link(struct context *c)
Definition: forward.c:752
#define D_STREAM_ERRORS
Definition: errlevel.h:63
bool pull
Definition: options.h:501
#define BSTR(buf)
Definition: buffer.h:129
long int get_random(void)
Definition: crypto.c:1775
static int read_tun_buffered(struct tuntap *tt, struct buffer *buf)
Definition: tun.h:499
void fragment_incoming(struct fragment_master *f, struct buffer *buf, const struct frame *frame)
Process an incoming packet, which may or may not be fragmented.
Definition: fragment.c:141
static void management_bytes_server(struct management *man, const counter_type *bytes_in_total, const counter_type *bytes_out_total, struct man_def_auth_context *mdac)
Definition: manage.h:567
static void check_incoming_control_channel(struct context *c)
Definition: forward.c:196
static void socks_preprocess_outgoing_link(struct context *c, struct link_socket_actual **to_addr, int *size_delta)
Definition: forward.c:761
struct man_def_auth_context mda_context
Definition: openvpn.h:441
bool process_incoming_link_part1(struct context *c, struct link_socket_info *lsi, bool floated)
Starts processing a packet read from the external network interface.
Definition: forward.c:851
static interval_t event_timeout_remaining(struct event_timeout *et)
Definition: interval.h:197
static int datagram_overhead(int proto)
Definition: socket.h:590
void packet_id_persist_save(struct packet_id_persist *p)
Definition: packet_id.c:479
char * actual_name
Definition: tun.h:170
const char * proto2ascii(int proto, sa_family_t af, bool display_form)
Definition: socket.c:3091
struct buffer to_tun
Definition: openvpn.h:366
static void update_time(void)
Definition: otime.h:77
static bool tuntap_stop(int status)
Definition: tun.h:447
#define CC_CRLF
Definition: buffer.h:944
static SERVICE_STATUS status
Definition: interactive.c:56
static void link_socket_write_post_size_adjust(int *size, int size_delta, struct buffer *buf)
Definition: forward.c:774
bool block_ipv6
Definition: options.h:387
struct sockaddr sa
Definition: socket.h:68
unsigned int event_set_status
Definition: openvpn.h:235
struct tls_multi * tls_multi
TLS state structure for this VPN tunnel.
Definition: openvpn.h:319
void mss_fixup_ipv4(struct buffer *buf, int maxmss)
Definition: mss.c:46
static void context_immediate_reschedule(struct context *c)
Definition: forward.c:123
struct buffer encrypt_buf
Definition: openvpn.h:97
void process_incoming_tun(struct context *c)
Process a packet read from the virtual tun/tap network interface.
Definition: forward.c:1249
unsigned int rwflags
Definition: event.h:117
int max_send_size_local
Definition: openvpn.h:306
void schedule_exit(struct context *c, const int n_seconds, const int signal)
Definition: forward.c:442
uint16_t payload_len
Definition: proto.h:138
#define MANAGEMENT_WRITE
Definition: event.h:72
struct crypto_options crypto_options
Security parameters and crypto state used by the Data Channel Crypto module to process data channel p...
Definition: openvpn.h:339
#define TUN_READ
Definition: event.h:65
bool buf_string_match_head_str(const struct buffer *src, const char *match)
Definition: buffer.c:814
static void event_timeout_init(struct event_timeout *et, interval_t n, const time_t local_now)
Definition: interval.h:166
void process_outgoing_tun(struct context *c)
Write a packet to the virtual tun/tap network interface.
Definition: forward.c:1690
void server_pushed_info(struct context *c, const struct buffer *buffer, const int adv)
Definition: push.c:180
static void tun_set(struct tuntap *tt, struct event_set *es, unsigned int rwflags, void *arg, unsigned int *persistent)
Definition: tun.h:700
int tls_exit_signal
Definition: openvpn.h:337
enum windows_driver_type windows_driver
Definition: tun.h:197
#define D_LINK_ERRORS
Definition: errlevel.h:57
time_t coarse_timer_wakeup
Definition: openvpn.h:387
#define PASSTOS_CAPABILITY
Definition: syshead.h:368
#define DEV_TYPE_TAP
Definition: proto.h:38
bool route_gateway_via_dhcp
Definition: options.h:389
static void check_server_poll_timeout(struct context *c)
Definition: forward.c:426
counter_type link_read_bytes_auth
Definition: openvpn.h:270
int tls_multi_process(struct tls_multi *multi, struct buffer *to_link, struct link_socket_actual **to_link_addr, struct link_socket_info *to_link_socket_info, interval_t *wakeup)
Definition: ssl.c:3064
#define D_PUSH_ERRORS
Definition: errlevel.h:67