OpenVPN
mudp.c
Go to the documentation of this file.
1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single TCP/UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2002-2023 OpenVPN Inc <sales@openvpn.net>
9  *
10  * This program is free software; you can redistribute it and/or modify
11  * it under the terms of the GNU General Public License version 2
12  * as published by the Free Software Foundation.
13  *
14  * This program is distributed in the hope that it will be useful,
15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17  * GNU General Public License for more details.
18  *
19  * You should have received a copy of the GNU General Public License along
20  * with this program; if not, write to the Free Software Foundation, Inc.,
21  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22  */
23 
24 #ifdef HAVE_CONFIG_H
25 #include "config.h"
26 #elif defined(_MSC_VER)
27 #include "config-msvc.h"
28 #endif
29 
30 #include "syshead.h"
31 
32 #include "multi.h"
33 #include <inttypes.h>
34 #include "forward.h"
35 
36 #include "memdbg.h"
37 #include "ssl_pkt.h"
38 
39 #ifdef HAVE_SYS_INOTIFY_H
40 #include <sys/inotify.h>
41 #endif
42 
43 static void
45  struct tls_pre_decrypt_state *state,
46  struct tls_auth_standalone *tas,
47  struct session_id *sid,
48  bool request_resend_wkc)
49 {
52  uint8_t header = 0 | (P_CONTROL_HARD_RESET_SERVER_V2 << P_OPCODE_SHIFT);
53  struct buffer buf = tls_reset_standalone(&state->tls_wrap_tmp, tas, sid,
54  &state->peer_session_id, header,
55  request_resend_wkc);
56 
57  struct context *c = &m->top;
58 
60  buf_copy(&c->c2.buffers->aux_buf, &buf);
61  m->hmac_reply = c->c2.buffers->aux_buf;
62  m->hmac_reply_dest = &m->top.c2.from;
63  msg(D_MULTI_DEBUG, "Reset packet from client, sending HMAC based reset challenge");
64 }
65 
66 
67 /* Returns true if this packet should create a new session */
68 static bool
70  struct tls_pre_decrypt_state *state,
71  struct mroute_addr addr)
72 {
74 
75  enum first_packet_verdict verdict;
76 
78 
79  verdict = tls_pre_decrypt_lite(tas, state, &m->top.c2.from, &m->top.c2.buf);
80 
81  hmac_ctx_t *hmac = m->top.c2.session_id_hmac;
82  struct openvpn_sockaddr *from = &m->top.c2.from.dest;
83  int handwindow = m->top.options.handshake_window;
84 
85  if (verdict == VERDICT_VALID_RESET_V3 || verdict == VERDICT_VALID_RESET_V2)
86  {
87  /* Check if we are still below our limit for sending out
88  * responses */
90  {
91  return false;
92  }
93  }
94 
95  if (verdict == VERDICT_VALID_RESET_V3)
96  {
97  /* Extract the packet id to check if it has the special format that
98  * indicates early negotiation support */
99  struct packet_id_net pin;
100  struct buffer tmp = m->top.c2.buf;
101  ASSERT(buf_advance(&tmp, 1 + SID_SIZE));
102  ASSERT(packet_id_read(&pin, &tmp, true));
103 
104  /* The most significant byte is 0x0f if early negotiation is supported */
105  bool early_neg_support = ((pin.id & EARLY_NEG_MASK) & EARLY_NEG_START) == EARLY_NEG_START;
106 
107  /* All clients that support early negotiation and tls-crypt are assumed
108  * to also support resending the WKc in the 2nd packet */
109  if (early_neg_support)
110  {
111  /* Calculate the session ID HMAC for our reply and create reset packet */
113  from, hmac, handwindow, 0);
114  send_hmac_reset_packet(m, state, tas, &sid, true);
115 
116  return false;
117  }
118  else
119  {
120  /* For tls-crypt-v2 we need to keep the state of the first packet
121  * to store the unwrapped key if the client doesn't support resending
122  * the wrapped key. Unless the user specifically disallowed
123  * compatibility with such clients to avoid state exhaustion */
125  {
126  struct gc_arena gc = gc_new();
127  const char *peer = print_link_socket_actual(&m->top.c2.from, &gc);
128  msg(D_MULTI_DEBUG, "tls-crypt-v2 force-cookie is enabled, "
129  "ignoring connection attempt from old client (%s)", peer);
130  gc_free(&gc);
131  return false;
132  }
133  else
134  {
135  return true;
136  }
137  }
138  }
139  else if (verdict == VERDICT_VALID_RESET_V2)
140  {
141  /* Calculate the session ID HMAC for our reply and create reset packet */
143  from, hmac, handwindow, 0);
144 
145  send_hmac_reset_packet(m, state, tas, &sid, false);
146 
147  /* We have a reply do not create a new session */
148  return false;
149 
150  }
151  else if (verdict == VERDICT_VALID_CONTROL_V1 || verdict == VERDICT_VALID_ACK_V1
152  || verdict == VERDICT_VALID_WKC_V1)
153  {
154  /* ACK_V1 contains the peer id (our id) while CONTROL_V1 can but does not
155  * need to contain the peer id */
156  struct gc_arena gc = gc_new();
157 
158  bool ret = check_session_id_hmac(state, from, hmac, handwindow);
159 
160  const char *peer = print_link_socket_actual(&m->top.c2.from, &gc);
161  uint8_t pkt_firstbyte = *BPTR( &m->top.c2.buf);
162  int op = pkt_firstbyte >> P_OPCODE_SHIFT;
163 
164  if (!ret)
165  {
166  msg(D_MULTI_MEDIUM, "Packet (%s) with invalid or missing SID from %s",
167  packet_opcode_name(op), peer);
168  }
169  else
170  {
171  msg(D_MULTI_DEBUG, "Valid packet (%s) with HMAC challenge from peer (%s), "
172  "accepting new connection.", packet_opcode_name(op), peer);
173  }
174  gc_free(&gc);
175 
176  return ret;
177  }
178 
179  /* VERDICT_INVALID */
180  return false;
181 }
182 
183 /*
184  * Get a client instance based on real address. If
185  * the instance doesn't exist, create it while
186  * maintaining real address hash table atomicity.
187  */
188 
189 struct multi_instance *
191 {
192  struct gc_arena gc = gc_new();
193  struct mroute_addr real;
194  struct multi_instance *mi = NULL;
195  struct hash *hash = m->hash;
196 
197  if (mroute_extract_openvpn_sockaddr(&real, &m->top.c2.from.dest, true)
198  && m->top.c2.buf.len > 0)
199  {
200  struct hash_element *he;
201  const uint32_t hv = hash_value(hash, &real);
202  struct hash_bucket *bucket = hash_bucket(hash, hv);
203  uint8_t *ptr = BPTR(&m->top.c2.buf);
204  uint8_t op = ptr[0] >> P_OPCODE_SHIFT;
205  bool v2 = (op == P_DATA_V2) && (m->top.c2.buf.len >= (1 + 3));
206  bool peer_id_disabled = false;
207 
208  /* make sure buffer has enough length to read opcode (1 byte) and peer-id (3 bytes) */
209  if (v2)
210  {
211  uint32_t peer_id = ntohl(*(uint32_t *)ptr) & 0xFFFFFF;
212  peer_id_disabled = (peer_id == MAX_PEER_ID);
213 
214  if (!peer_id_disabled && (peer_id < m->max_clients) && (m->instances[peer_id]))
215  {
216  mi = m->instances[peer_id];
217 
218  *floated = !link_socket_actual_match(&mi->context.c2.from, &m->top.c2.from);
219 
220  if (*floated)
221  {
222  /* reset prefix, since here we are not sure peer is the one it claims to be */
223  ungenerate_prefix(mi);
224  msg(D_MULTI_MEDIUM, "Float requested for peer %" PRIu32 " to %s", peer_id,
225  mroute_addr_print(&real, &gc));
226  }
227  }
228  }
229  if (!v2 || peer_id_disabled)
230  {
231  he = hash_lookup_fast(hash, bucket, &real, hv);
232  if (he)
233  {
234  mi = (struct multi_instance *) he->value;
235  }
236  }
237 
238  /* we have no existing multi instance for this connection */
239  if (!mi)
240  {
241  struct tls_pre_decrypt_state state = {0};
243  {
245  "MULTI: Connection attempt from %s ignored while server is "
246  "shutting down", mroute_addr_print(&real, &gc));
247  }
248  else if (do_pre_decrypt_check(m, &state, real))
249  {
250  /* This is an unknown session but with valid tls-auth/tls-crypt
251  * (or no auth at all). If this is the initial packet of a
252  * session, we just send a reply with a HMAC session id and
253  * do not generate a session slot */
254 
256  {
257  /* a successful three-way handshake only counts against
258  * connect-freq but not against connect-freq-initial */
260 
261  mi = multi_create_instance(m, &real);
262  if (mi)
263  {
264  hash_add_fast(hash, bucket, &mi->real, hv, mi);
265  mi->did_real_hash = true;
266  multi_assign_peer_id(m, mi);
267 
268  /* If we have a session id already, ensure that the
269  * state is using the same */
271  && session_id_defined((&state.peer_session_id)))
272  {
276  }
277  }
278  }
279  else
280  {
282  "MULTI: Connection from %s would exceed new connection frequency limit as controlled by --connect-freq",
283  mroute_addr_print(&real, &gc));
284  }
285  }
287  }
288 
289 #ifdef ENABLE_DEBUG
291  {
292  const char *status = mi ? "[ok]" : "[failed]";
293 
294  dmsg(D_MULTI_DEBUG, "GET INST BY REAL: %s %s",
295  mroute_addr_print(&real, &gc),
296  status);
297  }
298 #endif
299  }
300 
301  gc_free(&gc);
302  ASSERT(!(mi && mi->halt));
303  return mi;
304 }
305 
306 /*
307  * Send a packet to UDP socket.
308  */
309 static inline void
310 multi_process_outgoing_link(struct multi_context *m, const unsigned int mpp_flags)
311 {
313  if (mi)
314  {
315  multi_process_outgoing_link_dowork(m, mi, mpp_flags);
316  }
317  if (m->hmac_reply_dest && m->hmac_reply.len > 0)
318  {
319  msg_set_prefix("Connection Attempt");
320  m->top.c2.to_link = m->hmac_reply;
323  m->hmac_reply_dest = NULL;
324  }
325 }
326 
327 /*
328  * Process an I/O event.
329  */
330 static void
332 {
333  const unsigned int status = m->top.c2.event_set_status;
334  const unsigned int mpp_flags = m->top.c2.fast_io
337 
338 #ifdef MULTI_DEBUG_EVENT_LOOP
339  char buf[16];
340  buf[0] = 0;
341  if (status & SOCKET_READ)
342  {
343  strcat(buf, "SR/");
344  }
345  else if (status & SOCKET_WRITE)
346  {
347  strcat(buf, "SW/");
348  }
349  else if (status & TUN_READ)
350  {
351  strcat(buf, "TR/");
352  }
353  else if (status & TUN_WRITE)
354  {
355  strcat(buf, "TW/");
356  }
357  else if (status & FILE_CLOSED)
358  {
359  strcat(buf, "FC/");
360  }
361  printf("IO %s\n", buf);
362 #endif /* ifdef MULTI_DEBUG_EVENT_LOOP */
363 
364 #ifdef ENABLE_MANAGEMENT
366  {
369  }
370 #endif
371 
372  /* UDP port ready to accept write */
373  if (status & SOCKET_WRITE)
374  {
375  multi_process_outgoing_link(m, mpp_flags);
376  }
377  /* TUN device ready to accept write */
378  else if (status & TUN_WRITE)
379  {
380  multi_process_outgoing_tun(m, mpp_flags);
381  }
382  /* Incoming data on UDP port */
383  else if (status & SOCKET_READ)
384  {
385  read_incoming_link(&m->top);
386  if (!IS_SIG(&m->top))
387  {
388  multi_process_incoming_link(m, NULL, mpp_flags);
389  }
390  }
391  /* Incoming data on TUN device */
392  else if (status & TUN_READ)
393  {
394  read_incoming_tun(&m->top);
395  if (!IS_SIG(&m->top))
396  {
397  multi_process_incoming_tun(m, mpp_flags);
398  }
399  }
400 #ifdef ENABLE_ASYNC_PUSH
401  /* INOTIFY callback */
402  else if (status & FILE_CLOSED)
403  {
404  multi_process_file_closed(m, mpp_flags);
405  }
406 #endif
407 #if defined(ENABLE_DCO) && (defined(TARGET_LINUX) || defined(TARGET_FREEBSD))
408  else if (status & DCO_READ)
409  {
410  if (!IS_SIG(&m->top))
411  {
412  bool ret = true;
413  while (ret)
414  {
416  }
417  }
418  }
419 #endif
420 }
421 
422 /*
423  * Return the io_wait() flags appropriate for
424  * a point-to-multipoint tunnel.
425  */
426 static inline unsigned int
428 {
429  unsigned int flags = IOW_WAIT_SIGNAL;
430  if (m->pending)
431  {
432  if (TUN_OUT(&m->pending->context))
433  {
434  flags |= IOW_TO_TUN;
435  }
436  if (LINK_OUT(&m->pending->context))
437  {
438  flags |= IOW_TO_LINK;
439  }
440  }
441  else if (mbuf_defined(m->mbuf))
442  {
443  flags |= IOW_MBUF;
444  }
445  else if (m->hmac_reply_dest)
446  {
447  flags |= IOW_TO_LINK;
448  }
449  else
450  {
451  flags |= IOW_READ;
452  }
453 #ifdef _WIN32
454  if (tuntap_ring_empty(m->top.c1.tuntap))
455  {
456  flags &= ~IOW_READ_TUN;
457  }
458 #endif
459  return flags;
460 }
461 
462 
463 void
465 {
466  struct multi_context multi;
467 
468  top->mode = CM_TOP;
470 
471  /* initialize top-tunnel instance */
473  if (IS_SIG(top))
474  {
475  return;
476  }
477 
478  /* initialize global multi_context object */
479  multi_init(&multi, top, false);
480 
481  /* initialize our cloned top object */
482  multi_top_init(&multi, top);
483 
484  /* initialize management interface */
486 
487  /* finished with initialization */
488  initialization_sequence_completed(top, ISC_SERVER); /* --mode server --proto udp */
489 
490 #ifdef ENABLE_ASYNC_PUSH
491  multi.top.c2.inotify_fd = inotify_init();
492  if (multi.top.c2.inotify_fd < 0)
493  {
494  msg(D_MULTI_ERRORS | M_ERRNO, "MULTI: inotify_init error");
495  }
496 #endif
497 
498  /* per-packet event loop */
499  while (true)
500  {
502 
503  /* set up and do the io_wait() */
504  multi_get_timeout(&multi, &multi.top.c2.timeval);
505  io_wait(&multi.top, p2mp_iow_flags(&multi));
506  MULTI_CHECK_SIG(&multi);
507 
508  /* check on status of coarse timers */
510 
511  /* timeout? */
512  if (multi.top.c2.event_set_status == ES_TIMEOUT)
513  {
515  }
516  else
517  {
518  /* process I/O */
519  multi_process_io_udp(&multi);
520  MULTI_CHECK_SIG(&multi);
521  }
522 
523  perf_pop();
524  }
525 
526 #ifdef ENABLE_ASYNC_PUSH
527  close(top->c2.inotify_fd);
528 #endif
529 
530  /* shut down management interface */
532 
533  /* save ifconfig-pool */
534  multi_ifconfig_pool_persist(&multi, true);
535 
536  /* tear down tunnel instance (unless --persist-tun) */
537  multi_uninit(&multi);
538  multi_top_free(&multi);
540 }
context_2::event_set_status
unsigned int event_set_status
Definition: openvpn.h:238
context_2::tls_auth_standalone
struct tls_auth_standalone * tls_auth_standalone
TLS state structure required for the initial authentication of a client's connection attempt.
Definition: openvpn.h:332
VERDICT_VALID_RESET_V2
@ VERDICT_VALID_RESET_V2
This packet is a valid reset packet from the peer (all but tls-crypt-v2)
Definition: ssl_pkt.h:86
P_DATA_V2
#define P_DATA_V2
Definition: ssl_pkt.h:48
multi_instance
Server-mode state structure for one single VPN tunnel.
Definition: multi.h:101
multi_instance::halt
bool halt
Definition: multi.h:106
multi_process_incoming_dco
bool multi_process_incoming_dco(struct multi_context *m)
Process an incoming DCO message (from kernel space).
mbuf_defined
static bool mbuf_defined(const struct mbuf_set *ms)
Definition: mbuf.h:80
MPP_CLOSE_ON_SIGNAL
#define MPP_CLOSE_ON_SIGNAL
Definition: multi.h:289
hash_bucket
static struct hash_bucket * hash_bucket(struct hash *hash, uint32_t hv)
Definition: list.h:141
TUN_READ
#define TUN_READ
Definition: event.h:65
gc_new
static struct gc_arena gc_new(void)
Definition: buffer.h:1011
hmac_ctx_t
mbedtls_md_context_t hmac_ctx_t
Generic HMAC context.
Definition: crypto_mbedtls.h:46
M_ERRNO
#define M_ERRNO
Definition: error.h:100
context_2::to_link
struct buffer to_link
Definition: openvpn.h:383
context_2::tls_multi
struct tls_multi * tls_multi
TLS state structure for this VPN tunnel.
Definition: openvpn.h:329
forward.h
buffer::len
int len
Length in bytes of the actual content within the allocated memory.
Definition: buffer.h:66
p2mp_iow_flags
static unsigned int p2mp_iow_flags(const struct multi_context *m)
Definition: mudp.c:427
context_2::buf
struct buffer buf
Definition: openvpn.h:381
reflect_filter_rate_limit_check
bool reflect_filter_rate_limit_check(struct initial_packet_rate_limit *irl)
checks if the connection is still allowed to connect under the rate limit.
Definition: reflect_filter.c:45
tunnel_server_udp
void tunnel_server_udp(struct context *top)
Main event loop for OpenVPN in UDP server mode.
Definition: mudp.c:464
TUN_OUT
#define TUN_OUT(c)
Definition: forward.h:38
context_1::tuntap
struct tuntap * tuntap
Tun/tap virtual network interface.
Definition: openvpn.h:170
context
Contains all state information for one tunnel.
Definition: openvpn.h:479
hash
Definition: list.h:58
first_packet_verdict
first_packet_verdict
Definition: ssl_pkt.h:84
tls_multi::session
struct tls_session session[TM_SIZE]
Array of tls_session objects representing control channel sessions with the remote peer.
Definition: ssl_common.h:673
packet_id::rec
struct packet_id_rec rec
Definition: packet_id.h:203
multi_context::mbuf
struct mbuf_set * mbuf
Set of buffers for passing data channel packets between VPN tunnel instances.
Definition: multi.h:167
tls_reset_standalone
struct buffer tls_reset_standalone(struct tls_wrap_ctx *ctx, struct tls_auth_standalone *tas, struct session_id *own_sid, struct session_id *remote_sid, uint8_t header, bool request_resend_wkc)
This function creates a reset packet using the information from the tls pre decrypt state.
Definition: ssl_pkt.c:430
multi_instance::real
struct mroute_addr real
External network address of the remote peer.
Definition: multi.h:114
D_MULTI_ERRORS
#define D_MULTI_ERRORS
Definition: errlevel.h:65
tls_pre_decrypt_lite
enum first_packet_verdict tls_pre_decrypt_lite(const struct tls_auth_standalone *tas, struct tls_pre_decrypt_state *state, const struct link_socket_actual *from, const struct buffer *buf)
Inspect an incoming packet for which no VPN tunnel is active, and determine whether a new VPN tunnel ...
Definition: ssl_pkt.c:309
config-msvc.h
multi_uninit
void multi_uninit(struct multi_context *m)
Definition: multi.c:704
MPP_PRE_SELECT
#define MPP_PRE_SELECT
Definition: multi.h:287
hash_element::value
void * value
Definition: list.h:47
VERDICT_VALID_CONTROL_V1
@ VERDICT_VALID_CONTROL_V1
This packet is a valid control packet from the peer.
Definition: ssl_pkt.h:90
free_tls_pre_decrypt_state
void free_tls_pre_decrypt_state(struct tls_pre_decrypt_state *state)
Definition: ssl_pkt.c:287
dmsg
#define dmsg(flags,...)
Definition: error.h:154
CO_FORCE_TLSCRYPTV2_COOKIE
#define CO_FORCE_TLSCRYPTV2_COOKIE
Bit-flag indicating that we do not allow clients that do not support resending the wrapped client key...
Definition: crypto.h:270
MANAGEMENT_READ
#define MANAGEMENT_READ
Definition: event.h:71
buf_copy
static bool buf_copy(struct buffer *dest, const struct buffer *src)
Definition: buffer.h:730
openvpn_sockaddr
Definition: socket.h:65
context_2::buffers
struct context_buffers * buffers
Definition: openvpn.h:373
send_hmac_reset_packet
static void send_hmac_reset_packet(struct multi_context *m, struct tls_pre_decrypt_state *state, struct tls_auth_standalone *tas, struct session_id *sid, bool request_resend_wkc)
Definition: mudp.c:44
multi_ifconfig_pool_persist
void multi_ifconfig_pool_persist(struct multi_context *m, bool force)
Definition: multi.c:165
P_OPCODE_SHIFT
#define P_OPCODE_SHIFT
Definition: ssl_pkt.h:39
context::mode
int mode
Role of this context within the OpenVPN process.
Definition: openvpn.h:493
context_2::to_link_addr
struct link_socket_actual * to_link_addr
Definition: openvpn.h:247
MAX_PEER_ID
#define MAX_PEER_ID
Definition: openvpn.h:551
tls_pre_decrypt_state::server_session_id
struct session_id server_session_id
Definition: ssl_pkt.h:108
buf_reset_len
static void buf_reset_len(struct buffer *buf)
Definition: buffer.h:312
tls_pre_decrypt_state::tls_wrap_tmp
struct tls_wrap_ctx tls_wrap_tmp
Definition: ssl_pkt.h:105
IOW_MBUF
#define IOW_MBUF
Definition: forward.h:61
multi_context::new_connection_limiter
struct frequency_limit * new_connection_limiter
Definition: multi.h:173
session_id
Definition: session_id.h:38
packet_id_net::id
packet_id_type id
Definition: packet_id.h:196
multi_context::deferred_shutdown_signal
struct deferred_signal_schedule_entry deferred_shutdown_signal
Definition: multi.h:211
IOW_TO_LINK
#define IOW_TO_LINK
Definition: forward.h:55
context::c2
struct context_2 c2
Level 2 context.
Definition: openvpn.h:520
tls_wrap_ctx::opt
struct crypto_options opt
Crypto state.
Definition: ssl_common.h:270
multi_context::instances
struct multi_instance ** instances
Array of multi_instances.
Definition: multi.h:156
ASSERT
#define ASSERT(x)
Definition: error.h:201
tls_pre_decrypt_state::peer_session_id
struct session_id peer_session_id
Definition: ssl_pkt.h:107
buf_advance
static bool buf_advance(struct buffer *buf, int size)
Definition: buffer.h:636
multi_init
void multi_init(struct multi_context *m, struct context *t, bool tcp_mode)
Definition: multi.c:294
multi_context::top
struct context top
Storage structure for process-wide configuration.
Definition: multi.h:195
reset_packet_id_send
static void reset_packet_id_send(struct packet_id_send *p)
Reset the current send packet id to its initial state.
Definition: packet_id.h:301
packet_id_rec::initialized
bool initialized
Definition: packet_id.h:135
hash_add_fast
static void hash_add_fast(struct hash *hash, struct hash_bucket *bucket, const void *key, uint32_t hv, void *value)
Definition: list.h:165
multi_assign_peer_id
void multi_assign_peer_id(struct multi_context *m, struct multi_instance *mi)
Assigns a peer-id to a a client and adds the instance to the the instances array of the multi_context...
Definition: multi.c:4094
SID_SIZE
#define SID_SIZE
Definition: session_id.h:45
io_wait
static void io_wait(struct context *c, const unsigned int flags)
Definition: forward.h:363
MPP_CONDITIONAL_PRE_SELECT
#define MPP_CONDITIONAL_PRE_SELECT
Definition: multi.h:288
multi_process_io_udp
static void multi_process_io_udp(struct multi_context *m)
Definition: mudp.c:331
IOW_TO_TUN
#define IOW_TO_TUN
Definition: forward.h:54
multi_process_timeout
bool multi_process_timeout(struct multi_context *m, const unsigned int mpp_flags)
Definition: multi.c:3643
ungenerate_prefix
void ungenerate_prefix(struct multi_instance *mi)
Definition: multi.c:515
multi_process_outgoing_link_dowork
static bool multi_process_outgoing_link_dowork(struct multi_context *m, struct multi_instance *mi, const unsigned int mpp_flags)
Definition: multi.h:676
close_instance
void close_instance(struct context *c)
Definition: init.c:4748
perf_pop
static void perf_pop(void)
Definition: perf.h:82
tls_pre_decrypt_state
struct that stores the temporary data for the tls lite decrypt functions
Definition: ssl_pkt.h:104
hash_lookup_fast
struct hash_element * hash_lookup_fast(struct hash *hash, struct hash_bucket *bucket, const void *key, uint32_t hv)
Definition: list.c:85
context::options
struct options options
Options loaded from command line or configuration file.
Definition: openvpn.h:481
read_incoming_tun
void read_incoming_tun(struct context *c)
Read a packet from the virtual tun/tap network interface.
Definition: forward.c:1231
SOCKET_WRITE
#define SOCKET_WRITE
Definition: event.h:63
multi.h
multi_context::hash
struct hash * hash
VPN tunnel instances indexed by real address of the remote peer.
Definition: multi.h:159
DCO_READ
#define DCO_READ
Definition: event.h:76
multi_process_per_second_timers
static void multi_process_per_second_timers(struct multi_context *m)
Definition: multi.h:591
session_skip_to_pre_start
bool session_skip_to_pre_start(struct tls_session *session, struct tls_pre_decrypt_state *state, struct link_socket_actual *from)
Definition: ssl.c:2620
EARLY_NEG_START
#define EARLY_NEG_START
Definition: ssl_pkt.h:308
MULTI_CHECK_SIG
#define MULTI_CHECK_SIG(m)
Definition: multi.h:689
tuntap_ring_empty
static bool tuntap_ring_empty(struct tuntap *tt)
Definition: tun.h:255
multi_context::pending
struct multi_instance * pending
Definition: multi.h:189
msg_set_prefix
static void msg_set_prefix(const char *prefix)
Definition: error.h:311
packet_id_read
bool packet_id_read(struct packet_id_net *pin, struct buffer *buf, bool long_form)
Definition: packet_id.c:301
TUN_WRITE
#define TUN_WRITE
Definition: event.h:66
context_2::session_id_hmac
hmac_ctx_t * session_id_hmac
the HMAC we use to generate and verify our syn cookie like session ids from the server.
Definition: openvpn.h:344
mroute_extract_openvpn_sockaddr
bool mroute_extract_openvpn_sockaddr(struct mroute_addr *addr, const struct openvpn_sockaddr *osaddr, bool use_port)
Definition: mroute.c:266
buffer
Wrapper structure for dynamically allocated memory.
Definition: buffer.h:60
multi_create_instance
struct multi_instance * multi_create_instance(struct multi_context *m, const struct mroute_addr *real)
Definition: multi.c:752
deferred_signal_schedule_entry::signal_received
int signal_received
Definition: multi.h:62
multi_get_create_instance_udp
struct multi_instance * multi_get_create_instance_udp(struct multi_context *m, bool *floated)
Get, and if necessary create, the multi_instance associated with a packet's source address.
Definition: mudp.c:190
ISC_SERVER
#define ISC_SERVER
Definition: init.h:115
calculate_session_id_hmac
struct session_id calculate_session_id_hmac(struct session_id client_sid, const struct openvpn_sockaddr *from, hmac_ctx_t *hmac, int handwindow, int offset)
Calculates the HMAC based server session id based on a client session id and socket addr.
Definition: ssl_pkt.c:489
IOW_WAIT_SIGNAL
#define IOW_WAIT_SIGNAL
Definition: forward.h:63
multi_context::hmac_reply
struct buffer hmac_reply
Definition: multi.h:198
options::handshake_window
int handshake_window
Definition: options.h:638
context_buffers::aux_buf
struct buffer aux_buf
Definition: openvpn.h:97
tls_session
Security parameter state of a single session within a VPN tunnel.
Definition: ssl_common.h:469
context_2::timeval
struct timeval timeval
Time to next event of timers and similar.
Definition: openvpn.h:402
mroute_addr
Definition: mroute.h:75
multi_process_incoming_tun
bool multi_process_incoming_tun(struct multi_context *m, const unsigned int mpp_flags)
Determine the destination VPN tunnel of a packet received over the virtual tun/tap network interface ...
Definition: multi.c:3514
syshead.h
BPTR
#define BPTR(buf)
Definition: buffer.h:124
session_id_defined
static bool session_id_defined(const struct session_id *sid1)
Definition: session_id.h:55
gc_arena
Garbage collection arena used to keep track of dynamically allocated memory.
Definition: buffer.h:116
context_clear_2
void context_clear_2(struct context *c)
Definition: init.c:90
mroute_addr_print
const char * mroute_addr_print(const struct mroute_addr *ma, struct gc_arena *gc)
Definition: mroute.c:378
uninit_management_callback
void uninit_management_callback(void)
Definition: init.c:4391
reflect_filter_rate_limit_decrease
void reflect_filter_rate_limit_decrease(struct initial_packet_rate_limit *irl)
decreases the counter of initial packets seen, so connections that successfully completed the three-w...
Definition: reflect_filter.c:78
LINK_OUT
#define LINK_OUT(c)
Definition: forward.h:39
multi_context
Main OpenVPN server state structure.
Definition: multi.h:155
init_management_callback_multi
void init_management_callback_multi(struct multi_context *m)
Definition: multi.c:4069
multi_top_init
void multi_top_init(struct multi_context *m, struct context *top)
Definition: multi.c:3783
tls_auth_standalone::tls_wrap
struct tls_wrap_ctx tls_wrap
Definition: ssl_pkt.h:79
check_debug_level
static bool check_debug_level(unsigned int level)
Definition: error.h:226
context::es
struct env_set * es
Set of environment variables.
Definition: openvpn.h:502
tls_multi::n_sessions
int n_sessions
Number of sessions negotiated thus far.
Definition: ssl_common.h:608
CC_HARD_USR1_TO_HUP
#define CC_HARD_USR1_TO_HUP
Definition: init.h:105
do_pre_decrypt_check
static bool do_pre_decrypt_check(struct multi_context *m, struct tls_pre_decrypt_state *state, struct mroute_addr addr)
Definition: mudp.c:69
multi_context::hmac_reply_dest
struct link_socket_actual * hmac_reply_dest
Definition: multi.h:199
IS_SIG
#define IS_SIG(c)
Definition: sig.h:48
init_instance_handle_signals
void init_instance_handle_signals(struct context *c, const struct env_set *env, const unsigned int flags)
Definition: init.c:4417
ES_TIMEOUT
#define ES_TIMEOUT
Definition: event.h:69
ssl_pkt.h
packet_id::send
struct packet_id_send send
Definition: packet_id.h:202
EARLY_NEG_MASK
#define EARLY_NEG_MASK
Definition: ssl_pkt.h:307
CM_TOP
#define CM_TOP
Definition: openvpn.h:489
status
static SERVICE_STATUS status
Definition: interactive.c:56
read_incoming_link
void read_incoming_link(struct context *c)
Read a packet from the external network interface.
Definition: forward.c:888
print_link_socket_actual
const char * print_link_socket_actual(const struct link_socket_actual *act, struct gc_arena *gc)
Definition: socket.c:2822
FILE_CLOSED
#define FILE_CLOSED
Definition: event.h:74
management
Definition: manage.h:334
hash_element
Definition: list.h:45
gc_free
static void gc_free(struct gc_arena *a)
Definition: buffer.h:1019
hash_bucket
Definition: list.h:53
IOW_READ_TUN
#define IOW_READ_TUN
Definition: forward.h:56
VERDICT_VALID_RESET_V3
@ VERDICT_VALID_RESET_V3
This is a valid v3 reset (tls-crypt-v2)
Definition: ssl_pkt.h:88
check_session_id_hmac
bool check_session_id_hmac(struct tls_pre_decrypt_state *state, const struct openvpn_sockaddr *from, hmac_ctx_t *hmac, int handwindow)
Checks if a control packet has a correct HMAC server session id.
Definition: ssl_pkt.c:531
config.h
packet_id_net
Definition: packet_id.h:194
context_2::from
struct link_socket_actual from
Definition: openvpn.h:248
multi_process_incoming_link
bool multi_process_incoming_link(struct multi_context *m, struct multi_instance *instance, const unsigned int mpp_flags)
Demultiplex and process a packet received over the external network interface.
Definition: multi.c:3310
multi_context::initial_rate_limiter
struct initial_packet_rate_limit * initial_rate_limiter
Definition: multi.h:174
PERF_EVENT_LOOP
#define PERF_EVENT_LOOP
Definition: perf.h:44
TM_INITIAL
#define TM_INITIAL
As yet un-trusted tls_session being negotiated.
Definition: ssl_common.h:528
MANAGEMENT_WRITE
#define MANAGEMENT_WRITE
Definition: event.h:72
multi_process_outgoing_tun
static bool multi_process_outgoing_tun(struct multi_context *m, const unsigned int mpp_flags)
Send a packet over the virtual tun/tap network interface to its locally reachable destination.
Definition: multi.h:652
session
Definition: keyingmaterialexporter.c:56
multi_process_outgoing_link
static void multi_process_outgoing_link(struct multi_context *m, const unsigned int mpp_flags)
Definition: mudp.c:310
crypto_options::packet_id
struct packet_id packet_id
Current packet ID state for both sending and receiving directions.
Definition: crypto.h:236
VERDICT_VALID_ACK_V1
@ VERDICT_VALID_ACK_V1
This packet is a valid ACK control packet from the peer, i.e.
Definition: ssl_pkt.h:93
crypto_options::flags
unsigned int flags
Bit-flags determining behavior of security operation functions.
Definition: crypto.h:283
D_MULTI_MEDIUM
#define D_MULTI_MEDIUM
Definition: errlevel.h:102
memdbg.h
multi_top_free
void multi_top_free(struct multi_context *m)
Definition: multi.c:3790
SOCKET_READ
#define SOCKET_READ
Definition: event.h:62
IOW_READ
#define IOW_READ
Definition: forward.h:65
VERDICT_VALID_WKC_V1
@ VERDICT_VALID_WKC_V1
The packet is a valid control packet with appended wrapped client key.
Definition: ssl_pkt.h:95
msg
#define msg(flags,...)
Definition: error.h:150
multi_instance::did_real_hash
bool did_real_hash
Definition: multi.h:127
process_outgoing_link
void process_outgoing_link(struct context *c)
Write a packet to the external network interface.
Definition: forward.c:1681
perf_push
static void perf_push(int type)
Definition: perf.h:78
management_io
void management_io(struct management *man)
Definition: manage.c:3155
multi_instance::context
struct context context
The context structure storing state for this VPN tunnel.
Definition: multi.h:136
D_MULTI_DEBUG
#define D_MULTI_DEBUG
Definition: errlevel.h:126
multi_get_timeout
static void multi_get_timeout(struct multi_context *m, struct timeval *dest)
Definition: multi.h:609
initialization_sequence_completed
void initialization_sequence_completed(struct context *c, const unsigned int flags)
Definition: init.c:1603
multi_process_outgoing_link_pre
static struct multi_instance * multi_process_outgoing_link_pre(struct multi_context *m)
Definition: multi.h:425
hash_value
static uint32_t hash_value(const struct hash *hash, const void *key)
Definition: list.h:123
P_CONTROL_HARD_RESET_SERVER_V2
#define P_CONTROL_HARD_RESET_SERVER_V2
Definition: ssl_pkt.h:52
context::c1
struct context_1 c1
Level 1 context.
Definition: openvpn.h:519
link_socket_actual_match
static bool link_socket_actual_match(const struct link_socket_actual *a1, const struct link_socket_actual *a2)
Definition: socket.h:886
packet_opcode_name
static const char * packet_opcode_name(int op)
Definition: ssl_pkt.h:234
tls_auth_standalone
Definition: ssl_pkt.h:77
frequency_limit_event_allowed
bool frequency_limit_event_allowed(struct frequency_limit *f)
Definition: otime.c:169
context_2::fast_io
bool fast_io
Definition: openvpn.h:430