OpenVPN
forward.c
Go to the documentation of this file.
1/*
2 * OpenVPN -- An application to securely tunnel IP networks
3 * over a single TCP/UDP port, with support for SSL/TLS-based
4 * session authentication and key exchange,
5 * packet encryption, packet authentication, and
6 * packet compression.
7 *
8 * Copyright (C) 2002-2024 OpenVPN Inc <sales@openvpn.net>
9 *
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License version 2
12 * as published by the Free Software Foundation.
13 *
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
18 *
19 * You should have received a copy of the GNU General Public License along
20 * with this program; if not, write to the Free Software Foundation, Inc.,
21 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22 */
23
24#ifdef HAVE_CONFIG_H
25#include "config.h"
26#endif
27
28#include "syshead.h"
29
30#include "forward.h"
31#include "init.h"
32#include "push.h"
33#include "gremlin.h"
34#include "mss.h"
35#include "event.h"
36#include "occ.h"
37#include "ping.h"
38#include "ps.h"
39#include "dhcp.h"
40#include "common.h"
41#include "ssl_verify.h"
42#include "dco.h"
43#include "auth_token.h"
44#include "tun_afunix.h"
45
46#include "memdbg.h"
47
48#include "mstats.h"
49
50counter_type link_read_bytes_global; /* GLOBAL */
51counter_type link_write_bytes_global; /* GLOBAL */
52
53/* show event wait debugging info */
54
55#ifdef ENABLE_DEBUG
56
57static const char *
58wait_status_string(struct context *c, struct gc_arena *gc)
59{
60 struct buffer out = alloc_buf_gc(64, gc);
61
62 buf_printf(&out, "I/O WAIT %s|%s| %s",
63 tun_stat(c->c1.tuntap, EVENT_READ, gc),
64 tun_stat(c->c1.tuntap, EVENT_WRITE, gc),
65 tv_string(&c->c2.timeval, gc));
66 for (int i = 0; i < c->c1.link_sockets_num; i++)
67 {
68 buf_printf(&out, "\n %s|%s",
69 socket_stat(c->c2.link_sockets[i], EVENT_READ, gc),
70 socket_stat(c->c2.link_sockets[i], EVENT_WRITE, gc));
71 }
72 return BSTR(&out);
73}
74
75static void
76show_wait_status(struct context *c)
77{
78 struct gc_arena gc = gc_new();
79 dmsg(D_EVENT_WAIT, "%s", wait_status_string(c, &gc));
80 gc_free(&gc);
81}
82
83#endif /* ifdef ENABLE_DEBUG */
84
85static void
86check_tls_errors_co(struct context *c)
87{
88 msg(D_STREAM_ERRORS, "Fatal TLS error (check_tls_errors_co), restarting");
89 register_signal(c->sig, c->c2.tls_exit_signal, "tls-error"); /* SOFT-SIGUSR1 -- TLS error */
90}
91
92static void
93check_tls_errors_nco(struct context *c)
94{
95 register_signal(c->sig, c->c2.tls_exit_signal, "tls-error"); /* SOFT-SIGUSR1 -- TLS error */
96}
97
98/*
99 * TLS errors are fatal in TCP mode.
100 * Also check for --tls-exit trigger.
101 */
102static inline void
103check_tls_errors(struct context *c)
104{
105 if (c->c2.tls_multi && c->c2.tls_exit_signal)
106 {
107 if (link_socket_connection_oriented(c->c2.link_sockets[0]))
108 {
109 if (c->c2.tls_multi->n_soft_errors)
110 {
111 check_tls_errors_co(c);
112 }
113 }
114 else
115 {
116 if (c->c2.tls_multi->n_hard_errors)
117 {
118 check_tls_errors_nco(c);
119 }
120 }
121 }
122}
123
124/*
125 * Set our wakeup to 0 seconds, so we will be rescheduled
126 * immediately.
127 */
128static inline void
129context_immediate_reschedule(struct context *c)
130{
131 c->c2.timeval.tv_sec = 0; /* ZERO-TIMEOUT */
132 c->c2.timeval.tv_usec = 0;
133}
134
135static inline void
136context_reschedule_sec(struct context *c, int sec)
137{
138 if (sec < 0)
139 {
140 sec = 0;
141 }
142 if (sec < c->c2.timeval.tv_sec)
143 {
144 c->c2.timeval.tv_sec = sec;
145 c->c2.timeval.tv_usec = 0;
146 }
147}
148
149void
150check_dco_key_status(struct context *c)
151{
152 /* DCO context is not yet initialised or enabled */
153 if (!dco_enabled(&c->options))
154 {
155 return;
156 }
157
158 /* no active peer (p2p tls-server mode) */
159 if (c->c2.tls_multi->dco_peer_id == -1)
160 {
161 return;
162 }
163
164 if (!dco_update_keys(&c->c1.tuntap->dco, c->c2.tls_multi))
165 {
166 /* Something bad happened. Kill the connection to
167 * be able to recover. */
168 register_signal(c->sig, SIGUSR1, "dco update keys error");
169 }
170}
171
172/*
173 * In TLS mode, let TLS level respond to any control-channel
174 * packets which were received, or prepare any packets for
175 * transmission.
176 *
177 * tmp_int is purely an optimization that allows us to call
178 * tls_multi_process less frequently when there's not much
179 * traffic on the control-channel.
180 *
181 */
182static void
183check_tls(struct context *c)
184{
185 interval_t wakeup = BIG_TIMEOUT;
186
187 if (interval_test(&c->c2.tmp_int))
188 {
189 const int tmp_status = tls_multi_process
190 (c->c2.tls_multi, &c->c2.to_link, &c->c2.to_link_addr,
191 get_link_socket_info(c), &wakeup);
192
193 if (tmp_status == TLSMP_RECONNECT)
194 {
195 event_timeout_init(&c->c2.wait_for_connect, 1, now);
196 reset_coarse_timers(c);
197 }
198
199 if (tmp_status == TLSMP_ACTIVE || tmp_status == TLSMP_RECONNECT)
200 {
201 update_time();
202 interval_action(&c->c2.tmp_int);
203 }
204 else if (tmp_status == TLSMP_KILL)
205 {
206 if (c->options.mode == MODE_SERVER)
207 {
208 send_auth_failed(c, c->c2.tls_multi->client_reason);
209 }
210 else
211 {
212 register_signal(c->sig, SIGTERM, "auth-control-exit");
213 }
214 }
215
216 interval_future_trigger(&c->c2.tmp_int, wakeup);
217 }
218
219 interval_schedule_wakeup(&c->c2.tmp_int, &wakeup);
220
221 /*
222 * Our current code has no good hooks in the TLS machinery to update
223 * DCO keys. So we check the key status after the whole TLS machinery
224 * has been completed and potentially update them
225 *
226 * We have a hidden state transition from secondary to primary key based
227 * on ks->auth_deferred_expire that DCO needs to check that the normal
228 * TLS state engine does not check. So we call the \c check_dco_key_status
229 * function even if tmp_status does not indicate that something has changed.
230 */
231 check_dco_key_status(c);
232
233 if (wakeup)
234 {
235 context_reschedule_sec(c, wakeup);
236 }
237}
238
239static void
240parse_incoming_control_channel_command(struct context *c, struct buffer *buf)
241{
242 if (buf_string_match_head_str(buf, "AUTH_FAILED"))
243 {
244 receive_auth_failed(c, buf);
245 }
246 else if (buf_string_match_head_str(buf, "PUSH_"))
247 {
248 incoming_push_message(c, buf);
249 }
250 else if (buf_string_match_head_str(buf, "RESTART"))
251 {
252 server_pushed_signal(c, buf, true, 7);
253 }
254 else if (buf_string_match_head_str(buf, "HALT"))
255 {
256 server_pushed_signal(c, buf, false, 4);
257 }
258 else if (buf_string_match_head_str(buf, "INFO_PRE"))
259 {
260 server_pushed_info(buf, 8);
261 }
262 else if (buf_string_match_head_str(buf, "INFO"))
263 {
264 server_pushed_info(buf, 4);
265 }
266 else if (buf_string_match_head_str(buf, "CR_RESPONSE"))
267 {
268 receive_cr_response(c, buf);
269 }
270 else if (buf_string_match_head_str(buf, "AUTH_PENDING"))
271 {
272 receive_auth_pending(c, buf);
273 }
274 else if (buf_string_match_head_str(buf, "EXIT"))
275 {
276 receive_exit_message(c);
277 }
278 else
279 {
280 msg(D_PUSH_ERRORS, "WARNING: Received unknown control message: %s", BSTR(buf));
281 }
282}
283
284/*
285 * Handle incoming configuration
286 * messages on the control channel.
287 */
288static void
289check_incoming_control_channel(struct context *c)
290{
291 int len = tls_test_payload_len(c->c2.tls_multi);
292 /* We should only be called with len >0 */
293 ASSERT(len > 0);
294
295 struct gc_arena gc = gc_new();
296 struct buffer buf = alloc_buf_gc(len, &gc);
297 if (tls_rec_payload(c->c2.tls_multi, &buf))
298 {
299 while (BLEN(&buf) > 1)
300 {
301 struct buffer cmdbuf = extract_command_buffer(&buf, &gc);
302
303 if (cmdbuf.len > 0)
304 {
305 parse_incoming_control_channel_command(c, &cmdbuf);
306 }
307 }
308 }
309 else
310 {
311 msg(D_PUSH_ERRORS, "WARNING: Receive control message failed");
312 }
313
314 gc_free(&gc);
315}
316
317/*
318 * Periodically resend PUSH_REQUEST until PUSH message received
319 */
320static void
321check_push_request(struct context *c)
322{
323 send_push_request(c);
324
325 /* if no response to first push_request, retry at PUSH_REQUEST_INTERVAL second intervals */
326 event_timeout_modify_wakeup(&c->c2.push_request_interval, PUSH_REQUEST_INTERVAL);
327}
328
329/*
330 * Things that need to happen immediately after connection initiation should go here.
331 *
332 * Options like --up-delay need to be triggered by this function which
333 * checks for connection establishment.
334 *
335 * Note: The process_incoming_push_reply currently assumes that this function
336 * only sets up the pull request timer when pull is enabled.
337 */
338static void
339check_connection_established(struct context *c)
340{
341 if (connection_established(c))
342 {
343 /* if --pull was specified, send a push request to server */
344 if (c->c2.tls_multi && c->options.pull)
345 {
346#ifdef ENABLE_MANAGEMENT
347 if (management)
348 {
349 management_set_state(management,
350 OPENVPN_STATE_GET_CONFIG,
351 NULL,
352 NULL,
353 NULL,
354 NULL,
355 NULL);
356 }
357#endif
358 /* fire up push request right away (already 1s delayed) */
359 /* We might receive a AUTH_PENDING request before we armed this
360 * timer. In that case we don't change the value */
361 if (c->c2.push_request_timeout < now)
362 {
363 c->c2.push_request_timeout = now + c->options.handshake_window;
364 }
365 event_timeout_init(&c->c2.push_request_interval, 0, now);
366 reset_coarse_timers(c);
367 }
368 else
369 {
370 if (!do_up(c, false, 0))
371 {
372 register_signal(c->sig, SIGUSR1, "connection initialisation failed");
373 }
374 }
375
376 event_timeout_clear(&c->c2.wait_for_connect);
377 }
378}
379
380bool
381send_control_channel_string_dowork(struct tls_session *session,
382 const char *str, int msglevel)
383{
384 struct gc_arena gc = gc_new();
385 bool stat;
386
387 ASSERT(session);
388 struct key_state *ks = &session->key[KS_PRIMARY];
389
390 /* buffered cleartext write onto TLS control channel */
391 stat = tls_send_payload(ks, (uint8_t *) str, strlen(str) + 1);
392
393 msg(msglevel, "SENT CONTROL [%s]: '%s' (status=%d)",
394 session->common_name ? session->common_name : "UNDEF",
395 sanitize_control_message(str, &gc),
396 (int) stat);
397
398 gc_free(&gc);
399 return stat;
400}
401
402void
403reschedule_multi_process(struct context *c)
404{
405 interval_action(&c->c2.tmp_int);
406 context_immediate_reschedule(c); /* ZERO-TIMEOUT */
407}
408
409bool
410send_control_channel_string(struct context *c, const char *str, int msglevel)
411{
412 if (c->c2.tls_multi)
413 {
414 struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE];
415 bool ret = send_control_channel_string_dowork(session, str, msglevel);
416 reschedule_multi_process(c);
417
418 return ret;
419 }
420 return true;
421}
422/*
423 * Add routes.
424 */
425
426static void
427check_add_routes_action(struct context *c, const bool errors)
428{
429 bool route_status = do_route(&c->options, c->c1.route_list, c->c1.route_ipv6_list,
430 c->c1.tuntap, c->plugins, c->c2.es, &c->net_ctx);
431
432 int flags = (errors ? ISC_ERRORS : 0);
433 flags |= (!route_status ? ISC_ROUTE_ERRORS : 0);
434
435 update_time();
436 event_timeout_clear(&c->c2.route_wakeup);
437 event_timeout_clear(&c->c2.route_wakeup_expire);
438 initialization_sequence_completed(c, flags); /* client/p2p --route-delay was defined */
439}
440
441static void
442check_add_routes(struct context *c)
443{
444 if (test_routes(c->c1.route_list, c->c1.tuntap))
445 {
446 check_add_routes_action(c, false);
447 }
448 else if (event_timeout_trigger(&c->c2.route_wakeup_expire, &c->c2.timeval, ETT_DEFAULT))
449 {
450 check_add_routes_action(c, true);
451 }
452 else
453 {
454 msg(D_ROUTE, "Route: Waiting for TUN/TAP interface to come up...");
455 if (c->c1.tuntap)
456 {
457 if (!tun_standby(c->c1.tuntap))
458 {
459 register_signal(c->sig, SIGHUP, "ip-fail");
460 c->persist.restart_sleep_seconds = 10;
461#ifdef _WIN32
462 show_routes(M_INFO|M_NOPREFIX);
463 show_adapters(M_INFO|M_NOPREFIX);
464#endif
465 }
466 }
467 update_time();
468 if (c->c2.route_wakeup.n != 1)
469 {
470 event_timeout_init(&c->c2.route_wakeup, 1, now);
471 }
472 event_timeout_reset(&c->c2.ping_rec_interval);
473 }
474}
475
476/*
477 * Should we exit due to inactivity timeout?
478 *
479 * In the non-dco case, the timeout is reset via register_activity()
480 * whenever there is sufficient activity on tun or link, so this function
481 * is only ever called to raise the TERM signal.
482 *
483 * With DCO, OpenVPN does not see incoming or outgoing data packets anymore
484 * and the logic needs to change - we permit the event to trigger and check
485 * kernel DCO counters here, returning and rearming the timer if there was
486 * sufficient traffic.
487 */
488static void
489check_inactivity_timeout(struct context *c)
490{
491 if (dco_enabled(&c->options) && dco_get_peer_stats(c, true) == 0)
492 {
493 int64_t tot_bytes = c->c2.tun_read_bytes + c->c2.tun_write_bytes;
494 int64_t new_bytes = tot_bytes - c->c2.inactivity_bytes;
495
496 if (new_bytes > c->options.inactivity_minimum_bytes)
497 {
498 c->c2.inactivity_bytes = tot_bytes;
499 event_timeout_reset(&c->c2.inactivity_interval);
500 return;
501 }
502 }
503
504 msg(M_INFO, "Inactivity timeout (--inactive), exiting");
505 register_signal(c->sig, SIGTERM, "inactive");
506}
507
508int
509get_server_poll_remaining_time(struct event_timeout *server_poll_timeout)
510{
511 update_time();
512 int remaining = event_timeout_remaining(server_poll_timeout);
513 return max_int(0, remaining);
514}
515
516static void
517check_server_poll_timeout(struct context *c)
518{
519 event_timeout_reset(&c->c2.server_poll_interval);
520 ASSERT(c->c2.tls_multi);
521 if (!tls_initial_packet_received(c->c2.tls_multi))
522 {
523 msg(M_INFO, "Server poll timeout, restarting");
524 register_signal(c->sig, SIGUSR1, "server_poll");
525 c->persist.restart_sleep_seconds = -1;
526 }
527}
528
529/*
530 * Schedule a SIGTERM signal c->options.scheduled_exit_interval seconds from now.
531 */
532bool
533schedule_exit(struct context *c)
534{
535 const int n_seconds = c->options.scheduled_exit_interval;
536 /* don't reschedule if already scheduled. */
537 if (event_timeout_defined(&c->c2.scheduled_exit))
538 {
539 return false;
540 }
541 tls_set_single_session(c->c2.tls_multi);
542 update_time();
543 reset_coarse_timers(c);
544 event_timeout_init(&c->c2.scheduled_exit, n_seconds, now);
545 c->c2.scheduled_exit_signal = SIGTERM;
546 msg(D_SCHED_EXIT, "Delayed exit in %d seconds", n_seconds);
547 return true;
548}
549
550/*
551 * Scheduled exit?
552 */
553static void
554check_scheduled_exit(struct context *c)
555{
556 register_signal(c->sig, c->c2.scheduled_exit_signal, "delayed-exit");
557}
558
559/*
560 * Should we write timer-triggered status file.
561 */
562static void
563check_status_file(struct context *c)
564{
565 if (c->c1.status_output)
566 {
567 print_status(c, c->c1.status_output);
568 }
569}
570
571#ifdef ENABLE_FRAGMENT
572/*
573 * Should we deliver a datagram fragment to remote?
574 * c is expected to be a single-link context (p2p or child)
575 */
576static void
577check_fragment(struct context *c)
578{
579 struct link_socket_info *lsi = get_link_socket_info(c);
580
581 /* OS MTU Hint? */
582 if (lsi->mtu_changed && lsi->lsa)
583 {
584 frame_adjust_path_mtu(c);
585 lsi->mtu_changed = false;
586 }
587
588 if (fragment_outgoing_defined(c->c2.fragment))
589 {
590 if (!c->c2.to_link.len)
591 {
592 /* encrypt a fragment for output to TCP/UDP port */
593 ASSERT(fragment_ready_to_send(c->c2.fragment, &c->c2.buf, &c->c2.frame_fragment));
594 encrypt_sign(c, false);
595 }
596 }
597
598 fragment_housekeeping(c->c2.fragment, &c->c2.frame_fragment, &c->c2.timeval);
599}
600#endif /* ifdef ENABLE_FRAGMENT */
601
602/*
603 * Buffer reallocation, for use with null encryption.
604 */
605static inline void
606buffer_turnover(const uint8_t *orig_buf, struct buffer *dest_stub, struct buffer *src_stub, struct buffer *storage)
607{
608 if (orig_buf == src_stub->data && src_stub->data != storage->data)
609 {
610 buf_assign(storage, src_stub);
611 *dest_stub = *storage;
612 }
613 else
614 {
615 *dest_stub = *src_stub;
616 }
617}
618
619/*
620 * Compress, fragment, encrypt and HMAC-sign an outgoing packet.
621 * Input: c->c2.buf
622 * Output: c->c2.to_link
623 */
624void
625encrypt_sign(struct context *c, bool comp_frag)
626{
627 struct context_buffers *b = c->c2.buffers;
628 const uint8_t *orig_buf = c->c2.buf.data;
629 struct crypto_options *co = NULL;
630
631 if (dco_enabled(&c->options))
632 {
633 msg(M_WARN, "Attempting to send data packet while data channel offload is in use. "
634 "Dropping packet");
635 c->c2.buf.len = 0;
636 }
637
638 /*
639 * Drop non-TLS outgoing packet if client-connect script/plugin
640 * has not yet succeeded. In non-TLS tls_multi mode is not defined
641 * and we always pass packets.
642 */
643 if (c->c2.tls_multi && c->c2.tls_multi->multi_state < CAS_CONNECT_DONE)
644 {
645 c->c2.buf.len = 0;
646 }
647
648 if (comp_frag)
649 {
650#ifdef USE_COMP
651 /* Compress the packet. */
652 if (c->c2.comp_context)
653 {
654 (*c->c2.comp_context->alg.compress)(&c->c2.buf, b->compress_buf, c->c2.comp_context, &c->c2.frame);
655 }
656#endif
657#ifdef ENABLE_FRAGMENT
658 if (c->c2.fragment)
659 {
660 fragment_outgoing(c->c2.fragment, &c->c2.buf, &c->c2.frame_fragment);
661 }
662#endif
663 }
664
665 /* initialize work buffer with buf.headroom bytes of prepend capacity */
666 ASSERT(buf_init(&b->encrypt_buf, c->c2.frame.buf.headroom));
667
668 if (c->c2.tls_multi)
669 {
670 /* Get the key we will use to encrypt the packet. */
671 tls_pre_encrypt(c->c2.tls_multi, &c->c2.buf, &co);
672 /* If using P_DATA_V2, prepend the 1-byte opcode and 3-byte peer-id to the
673 * packet before openvpn_encrypt(), so we can authenticate the opcode too.
674 */
675 if (c->c2.buf.len > 0 && c->c2.tls_multi->use_peer_id)
676 {
677 tls_prepend_opcode_v2(c->c2.tls_multi, &b->encrypt_buf);
678 }
679 }
680 else
681 {
682 co = &c->c2.crypto_options;
683 }
684
685 /* Encrypt and authenticate the packet */
686 openvpn_encrypt(&c->c2.buf, b->encrypt_buf, co);
687
688 /* Do packet administration */
689 if (c->c2.tls_multi)
690 {
691 if (c->c2.buf.len > 0 && !c->c2.tls_multi->use_peer_id)
692 {
693 tls_prepend_opcode_v1(c->c2.tls_multi, &c->c2.buf);
694 }
695 tls_post_encrypt(c->c2.tls_multi, &c->c2.buf);
696 }
697
698 /*
699 * Get the address we will be sending the packet to.
700 */
701 link_socket_get_outgoing_addr(&c->c2.buf, get_link_socket_info(c),
702 &c->c2.to_link_addr);
703
704 /* if null encryption, copy result to read_tun_buf */
705 buffer_turnover(orig_buf, &c->c2.to_link, &c->c2.buf, &b->read_tun_buf);
706}
707
708/*
709 * Should we exit due to session timeout?
710 */
711static void
712check_session_timeout(struct context *c)
713{
714 if (c->options.session_timeout
715 && event_timeout_trigger(&c->c2.session_interval, &c->c2.timeval,
716 ETT_DEFAULT))
717 {
718 msg(M_INFO, "Session timeout, exiting");
719 register_signal(c->sig, SIGTERM, "session-timeout");
720 }
721}
722
723/*
724 * Coarse timers work to 1 second resolution.
725 */
726static void
727process_coarse_timers(struct context *c)
728{
729 /* flush current packet-id to file once per 60
730 * seconds if --replay-persist was specified */
731 if (packet_id_persist_enabled(&c->c1.pid_persist)
732 && event_timeout_trigger(&c->c2.packet_id_persist_interval, &c->c2.timeval, ETT_DEFAULT))
733 {
734 packet_id_persist_save(&c->c1.pid_persist);
735 }
736
737 /* Should we write timer-triggered status file */
738 if (c->c1.status_output
739 && event_timeout_trigger(&c->c1.status_output->et, &c->c2.timeval, ETT_DEFAULT))
740 {
741 check_status_file(c);
742 }
743
744 /* process connection establishment items */
745 if (event_timeout_trigger(&c->c2.wait_for_connect, &c->c2.timeval, ETT_DEFAULT))
746 {
747 check_connection_established(c);
748 }
749
750 /* see if we should send a push_request (option --pull) */
751 if (event_timeout_trigger(&c->c2.push_request_interval, &c->c2.timeval, ETT_DEFAULT))
752 {
753 check_push_request(c);
754 }
755
756 /* process --route options */
757 if (event_timeout_trigger(&c->c2.route_wakeup, &c->c2.timeval, ETT_DEFAULT))
758 {
759 check_add_routes(c);
760 }
761
762 /* check if we want to refresh the auth-token */
763 if (event_timeout_trigger(&c->c2.auth_token_renewal_interval, &c->c2.timeval, ETT_DEFAULT))
764 {
765 check_send_auth_token(c);
766 }
767
768 /* possibly exit due to --inactive */
769 if (c->options.inactivity_timeout
770 && event_timeout_trigger(&c->c2.inactivity_interval, &c->c2.timeval, ETT_DEFAULT))
771 {
772 check_inactivity_timeout(c);
773 }
774
775 if (c->sig->signal_received)
776 {
777 return;
778 }
779
780 /* kill session if time is over */
781 check_session_timeout(c);
782 if (c->sig->signal_received)
783 {
784 return;
785 }
786
787 /* restart if ping not received */
788 check_ping_restart(c);
789 if (c->sig->signal_received)
790 {
791 return;
792 }
793
794 if (c->c2.tls_multi)
795 {
796 if (c->options.ce.connect_timeout
797 && event_timeout_trigger(&c->c2.server_poll_interval, &c->c2.timeval, ETT_DEFAULT))
798 {
799 check_server_poll_timeout(c);
800 }
801 if (c->sig->signal_received)
802 {
803 return;
804 }
805 if (event_timeout_trigger(&c->c2.scheduled_exit, &c->c2.timeval, ETT_DEFAULT))
806 {
807 check_scheduled_exit(c);
808 }
809 if (c->sig->signal_received)
810 {
811 return;
812 }
813 }
814
815 /* Should we send an OCC_REQUEST message? */
816 check_send_occ_req(c);
817
818 /* Should we send an MTU load test? */
819 check_send_occ_load_test(c);
820
821 /* Should we send an OCC_EXIT message to remote? */
822 if (c->c2.explicit_exit_notification_time_wait)
823 {
824 process_explicit_exit_notification_timer_wakeup(c);
825 }
826
827 /* Should we ping the remote? */
828 check_ping_send(c);
829
830#ifdef ENABLE_MANAGEMENT
831 if (management)
832 {
833 management_check_bytecount(c, management, &c->c2.timeval);
834 }
835#endif /* ENABLE_MANAGEMENT */
836}
837
838static void
839check_coarse_timers(struct context *c)
840{
841 if (now < c->c2.coarse_timer_wakeup)
842 {
843 context_reschedule_sec(c, c->c2.coarse_timer_wakeup - now);
844 return;
845 }
846
847 const struct timeval save = c->c2.timeval;
848 c->c2.timeval.tv_sec = BIG_TIMEOUT;
849 c->c2.timeval.tv_usec = 0;
850 process_coarse_timers(c);
851 c->c2.coarse_timer_wakeup = now + c->c2.timeval.tv_sec;
852
853 dmsg(D_INTERVAL, "TIMER: coarse timer wakeup %" PRIi64 " seconds", (int64_t)c->c2.timeval.tv_sec);
854
855 /* Is the coarse timeout NOT the earliest one? */
856 if (c->c2.timeval.tv_sec > save.tv_sec)
857 {
858 c->c2.timeval = save;
859 }
860}
861
862static void
863check_timeout_random_component_dowork(struct context *c)
864{
865 const int update_interval = 10; /* seconds */
866 c->c2.update_timeout_random_component = now + update_interval;
867 c->c2.timeout_random_component.tv_usec = (time_t) get_random() & 0x0003FFFF;
868 c->c2.timeout_random_component.tv_sec = 0;
869
870 dmsg(D_INTERVAL, "RANDOM USEC=%ld", (long) c->c2.timeout_random_component.tv_usec);
871}
872
873static inline void
874check_timeout_random_component(struct context *c)
875{
876 if (now >= c->c2.update_timeout_random_component)
877 {
878 check_timeout_random_component_dowork(c);
879 }
880 if (c->c2.timeval.tv_sec >= 1)
881 {
882 tv_add(&c->c2.timeval, &c->c2.timeout_random_component);
883 }
884}
885
886/*
887 * Handle addition and removal of the 10-byte Socks5 header
888 * in UDP packets.
889 */
890
891static inline void
892socks_postprocess_incoming_link(struct context *c, struct link_socket *sock)
893{
894 if (sock->socks_proxy && sock->info.proto == PROTO_UDP)
895 {
896 socks_process_incoming_udp(&c->c2.buf, &c->c2.from);
897 }
898}
899
900static inline void
901socks_preprocess_outgoing_link(struct context *c,
902 struct link_socket *sock,
903 struct link_socket_actual **to_addr,
904 int *size_delta)
905{
906 if (sock->socks_proxy && sock->info.proto == PROTO_UDP)
907 {
908 *size_delta += socks_process_outgoing_udp(&c->c2.to_link, c->c2.to_link_addr);
909 *to_addr = &sock->socks_relay;
910 }
911}
912
913/* undo effect of socks_preprocess_outgoing_link */
914static inline void
915link_socket_write_post_size_adjust(int *size,
916 int size_delta,
917 struct buffer *buf)
918{
919 if (size_delta > 0 && *size > size_delta)
920 {
921 *size -= size_delta;
922 if (!buf_advance(buf, size_delta))
923 {
924 *size = 0;
925 }
926 }
927}
928
929/*
930 * Output: c->c2.buf
931 */
932
933void
934read_incoming_link(struct context *c, struct link_socket *sock)
935{
936 /*
937 * Set up for recvfrom call to read datagram
938 * sent to our TCP/UDP port.
939 */
940 int status;
941
942 /*ASSERT (!c->c2.to_tun.len);*/
943
944 perf_push(PERF_READ_IN_LINK);
945
946 c->c2.buf = c->c2.buffers->read_link_buf;
947 ASSERT(buf_init(&c->c2.buf, c->c2.frame.buf.headroom));
948
949 status = link_socket_read(sock,
950 &c->c2.buf,
951 &c->c2.from);
952
953 if (socket_connection_reset(sock, status))
954 {
955#if PORT_SHARE
956 if (port_share && socket_foreign_protocol_detected(sock))
957 {
958 const struct buffer *fbuf = socket_foreign_protocol_head(sock);
959 const int sd = socket_foreign_protocol_sd(sock);
960 port_share_redirect(port_share, fbuf, sd);
961 register_signal(c->sig, SIGTERM, "port-share-redirect");
962 }
963 else
964#endif
965 {
966 /* received a disconnect from a connection-oriented protocol */
967 if (event_timeout_defined(&c->c2.explicit_exit_notification_interval))
968 {
969 msg(D_STREAM_ERRORS, "Connection reset during exit notification period, ignoring [%d]", status);
970 management_sleep(1);
971 }
972 else
973 {
974 register_signal(c->sig, SIGUSR1, "connection-reset"); /* SOFT-SIGUSR1 -- TCP connection reset */
975 msg(D_STREAM_ERRORS, "Connection reset, restarting [%d]", status);
976 }
977 }
978 perf_pop();
979 return;
980 }
981
982 /* check_status() call below resets last-error code */
983 bool dco_win_timeout = tuntap_is_dco_win_timeout(c->c1.tuntap, status);
984
985 /* check recvfrom status */
986 check_status(status, "read", sock, NULL);
987
988 if (dco_win_timeout)
989 {
990 trigger_ping_timeout_signal(c);
991 }
992
993 /* Remove socks header if applicable */
994 socks_postprocess_incoming_link(c, sock);
995
996 perf_pop();
997}
998
999bool
1000process_incoming_link_part1(struct context *c, struct link_socket_info *lsi, bool floated)
1001{
1002 struct gc_arena gc = gc_new();
1003 bool decrypt_status = false;
1004
1005 if (c->c2.buf.len > 0)
1006 {
1007 c->c2.link_read_bytes += c->c2.buf.len;
1008 link_read_bytes_global += c->c2.buf.len;
1009#ifdef ENABLE_MEMSTATS
1010 if (mmap_stats)
1011 {
1012 mmap_stats->link_read_bytes = link_read_bytes_global;
1013 }
1014#endif
1015 c->c2.original_recv_size = c->c2.buf.len;
1016#ifdef ENABLE_MANAGEMENT
1017 if (management)
1018 {
1019 management_bytes_client(management, c->c2.buf.len, 0);
1020 management_bytes_server(management, &c->c2.link_read_bytes, &c->c2.link_write_bytes, &c->c2.mda_context);
1021 }
1022#endif
1023 }
1024 else
1025 {
1026 c->c2.original_recv_size = 0;
1027 }
1028
1029#ifdef ENABLE_DEBUG
1030 /* take action to corrupt packet if we are in gremlin test mode */
1031 if (c->options.gremlin)
1032 {
1033 if (!ask_gremlin(c->options.gremlin))
1034 {
1035 c->c2.buf.len = 0;
1036 }
1037 corrupt_gremlin(&c->c2.buf, c->options.gremlin);
1038 }
1039#endif
1040
1041 /* log incoming packet */
1042#ifdef LOG_RW
1043 if (c->c2.log_rw && c->c2.buf.len > 0)
1044 {
1045 fprintf(stderr, "R");
1046 }
1047#endif
1048 msg(D_LINK_RW, "%s READ [%d] from %s: %s",
1049 proto2ascii(lsi->proto, lsi->af, true),
1050 BLEN(&c->c2.buf),
1051 print_link_socket_actual(&c->c2.from, &gc),
1052 PROTO_DUMP(&c->c2.buf, &gc));
1053
1054 /*
1055 * Good, non-zero length packet received.
1056 * Commence multi-stage processing of packet,
1057 * such as authenticate, decrypt, decompress.
1058 * If any stage fails, it sets buf.len to 0 or -1,
1059 * telling downstream stages to ignore the packet.
1060 */
1061 if (c->c2.buf.len > 0)
1062 {
1063 struct crypto_options *co = NULL;
1064 const uint8_t *ad_start = NULL;
1065 if (!link_socket_verify_incoming_addr(&c->c2.buf, lsi, &c->c2.from))
1066 {
1067 link_socket_bad_incoming_addr(&c->c2.buf, lsi, &c->c2.from);
1068 }
1069
1070 if (c->c2.tls_multi)
1071 {
1072 uint8_t opcode = *BPTR(&c->c2.buf) >> P_OPCODE_SHIFT;
1073
1074 /*
1075 * If DCO is enabled, the kernel drivers require that the
1076 * other end only sends P_DATA_V2 packets. V1 are unknown
1077 * to kernel and passed to userland, but we cannot handle them
1078 * either because crypto context is missing - so drop the packet.
1079 *
1080 * This can only happen with particular old (2.4.0-2.4.4) servers.
1081 */
1082 if ((opcode == P_DATA_V1) && dco_enabled(&c->options))
1083 {
1084 msg(D_LINK_ERRORS,
1085 "Data Channel Offload doesn't support DATA_V1 packets. "
1086 "Upgrade your server to 2.4.5 or newer.");
1087 c->c2.buf.len = 0;
1088 }
1089
1090 /*
1091 * If tls_pre_decrypt returns true, it means the incoming
1092 * packet was a good TLS control channel packet. If so, TLS code
1093 * will deal with the packet and set buf.len to 0 so downstream
1094 * stages ignore it.
1095 *
1096 * If the packet is a data channel packet, tls_pre_decrypt
1097 * will load crypto_options with the correct encryption key
1098 * and return false.
1099 */
1100 if (tls_pre_decrypt(c->c2.tls_multi, &c->c2.from, &c->c2.buf, &co,
1101 floated, &ad_start))
1102 {
1103 interval_action(&c->c2.tmp_int);
1104
1105 /* reset packet received timer if TLS packet */
1106 if (c->options.ping_rec_timeout)
1107 {
1108 event_timeout_reset(&c->c2.ping_rec_interval);
1109 }
1110 }
1111 }
1112 else
1113 {
1114 co = &c->c2.crypto_options;
1115 }
1116
1117 /*
1118 * Drop non-TLS packet if client-connect script/plugin and cipher selection
1119 * has not yet succeeded. In non-TLS mode tls_multi is not defined
1120 * and we always pass packets.
1121 */
1122 if (c->c2.tls_multi && c->c2.tls_multi->multi_state < CAS_CONNECT_DONE)
1123 {
1124 c->c2.buf.len = 0;
1125 }
1126
1127 /* authenticate and decrypt the incoming packet */
1128 decrypt_status = openvpn_decrypt(&c->c2.buf, c->c2.buffers->decrypt_buf,
1129 co, &c->c2.frame, ad_start);
1130
1131 if (!decrypt_status
1132 /* on the instance context we have only one socket, so just check the first one */
1133 && link_socket_connection_oriented(c->c2.link_sockets[0]))
1134 {
1135 /* decryption errors are fatal in TCP mode */
1136 register_signal(c->sig, SIGUSR1, "decryption-error"); /* SOFT-SIGUSR1 -- decryption error in TCP mode */
1137 msg(D_STREAM_ERRORS, "Fatal decryption error (process_incoming_link), restarting");
1138 }
1139 }
1140 else
1141 {
1142 buf_reset(&c->c2.to_tun);
1143 }
1144 gc_free(&gc);
1145
1146 return decrypt_status;
1147}
1148
1149void
1150process_incoming_link_part2(struct context *c, struct link_socket_info *lsi, const uint8_t *orig_buf)
1151{
1152 if (c->c2.buf.len > 0)
1153 {
1154#ifdef ENABLE_FRAGMENT
1155 if (c->c2.fragment)
1156 {
1157 fragment_incoming(c->c2.fragment, &c->c2.buf, &c->c2.frame_fragment);
1158 }
1159#endif
1160
1161#ifdef USE_COMP
1162 /* decompress the incoming packet */
1163 if (c->c2.comp_context)
1164 {
1165 (*c->c2.comp_context->alg.decompress)(&c->c2.buf, c->c2.buffers->decompress_buf, c->c2.comp_context, &c->c2.frame);
1166 }
1167#endif
1168
1169#ifdef PACKET_TRUNCATION_CHECK
1170 /* if (c->c2.buf.len > 1) --c->c2.buf.len; */
1171 ipv4_packet_size_verify(BPTR(&c->c2.buf),
1172 BLEN(&c->c2.buf),
1173 TUNNEL_TYPE(c->c1.tuntap),
1174 "POST_DECRYPT",
1175 &c->c2.n_trunc_post_decrypt);
1176#endif
1177
1178 /*
1179 * Set our "official" outgoing address, since
1180 * if buf.len is non-zero, we know the packet
1181 * authenticated. In TLS mode we do nothing
1182 * because TLS mode takes care of source address
1183 * authentication.
1184 *
1185 * Also, update the persisted version of our packet-id.
1186 */
1187 if (!TLS_MODE(c) && c->c2.buf.len > 0)
1188 {
1189 link_socket_set_outgoing_addr(lsi, &c->c2.from, NULL, c->c2.es);
1190 }
1191
1192 /* reset packet received timer */
1193 if (c->options.ping_rec_timeout && c->c2.buf.len > 0)
1194 {
1195 event_timeout_reset(&c->c2.ping_rec_interval);
1196 }
1197
1198 /* increment authenticated receive byte count */
1199 if (c->c2.buf.len > 0)
1200 {
1201 c->c2.link_read_bytes_auth += c->c2.buf.len;
1202 c->c2.max_recv_size_local = max_int(c->c2.original_recv_size, c->c2.max_recv_size_local);
1203 }
1204
1205 /* Did we just receive an openvpn ping packet? */
1206 if (is_ping_msg(&c->c2.buf))
1207 {
1208 dmsg(D_PING, "RECEIVED PING PACKET");
1209 c->c2.buf.len = 0; /* drop packet */
1210 }
1211
1212 /* Did we just receive an OCC packet? */
1213 if (is_occ_msg(&c->c2.buf))
1214 {
1215 process_received_occ_msg(c);
1216 }
1217
1218 buffer_turnover(orig_buf, &c->c2.to_tun, &c->c2.buf, &c->c2.buffers->read_link_buf);
1219
1220 /* to_tun defined + unopened tuntap can cause deadlock */
1221 if (!tuntap_defined(c->c1.tuntap))
1222 {
1223 c->c2.to_tun.len = 0;
1224 }
1225 }
1226 else
1227 {
1228 buf_reset(&c->c2.to_tun);
1229 }
1230}
1231
1232static void
1233process_incoming_link(struct context *c, struct link_socket *sock)
1234{
1235 perf_push(PERF_PROC_IN_LINK);
1236
1237 struct link_socket_info *lsi = &sock->info;
1238 const uint8_t *orig_buf = c->c2.buf.data;
1239
1240 process_incoming_link_part1(c, lsi, false);
1241 process_incoming_link_part2(c, lsi, orig_buf);
1242
1243 perf_pop();
1244}
1245
1246static void
1247process_incoming_dco(struct context *c)
1248{
1249#if defined(ENABLE_DCO) && (defined(TARGET_LINUX) || defined(TARGET_FREEBSD))
1250 dco_context_t *dco = &c->c1.tuntap->dco;
1251
1252 dco_do_read(dco);
1253
1254 /* FreeBSD currently sends us removal notifcation with the old peer-id in
1255 * p2p mode with the ping timeout reason, so ignore that one to not shoot
1256 * ourselves in the foot and removing the just established session */
1257 if (dco->dco_message_peer_id != c->c2.tls_multi->dco_peer_id)
1258 {
1259 msg(D_DCO_DEBUG, "%s: received message for mismatching peer-id %d, "
1260 "expected %d", __func__, dco->dco_message_peer_id,
1261 c->c2.tls_multi->dco_peer_id);
1262 return;
1263 }
1264
1265 switch (dco->dco_message_type)
1266 {
1267 case OVPN_CMD_DEL_PEER:
1268 /* peer is gone, unset ID to prevent more kernel calls */
1269 c->c2.tls_multi->dco_peer_id = -1;
1270 if (dco->dco_del_peer_reason == OVPN_DEL_PEER_REASON_EXPIRED)
1271 {
1272 msg(D_DCO_DEBUG, "%s: received peer expired notification of for peer-id "
1273 "%d", __func__, dco->dco_message_peer_id);
1274 trigger_ping_timeout_signal(c);
1275 return;
1276 }
1277 break;
1278
1279 case OVPN_CMD_SWAP_KEYS:
1280 msg(D_DCO_DEBUG, "%s: received key rotation notification for peer-id %d",
1281 __func__, dco->dco_message_peer_id);
1282 tls_session_soft_reset(c->c2.tls_multi);
1283 break;
1284
1285 default:
1286 msg(D_DCO_DEBUG, "%s: received message of type %u - ignoring", __func__,
1287 dco->dco_message_type);
1288 return;
1289 }
1290
1291#endif /* if defined(ENABLE_DCO) && (defined(TARGET_LINUX) || defined(TARGET_FREEBSD)) */
1292}
1293
1294/*
1295 * Output: c->c2.buf
1296 */
1297
1298void
1299read_incoming_tun(struct context *c)
1300{
1301 /*
1302 * Setup for read() call on TUN/TAP device.
1303 */
1304 /*ASSERT (!c->c2.to_link.len);*/
1305
1306 perf_push(PERF_READ_IN_TUN);
1307
1308 c->c2.buf = c->c2.buffers->read_tun_buf;
1309
1310#ifdef _WIN32
1311 if (c->c1.tuntap->backend_driver == WINDOWS_DRIVER_WINTUN)
1312 {
1313 read_wintun(c->c1.tuntap, &c->c2.buf);
1314 if (c->c2.buf.len == -1)
1315 {
1316 register_signal(c->sig, SIGHUP, "tun-abort");
1317 c->persist.restart_sleep_seconds = 1;
1318 msg(M_INFO, "Wintun read error, restarting");
1319 perf_pop();
1320 return;
1321 }
1322 }
1323 else
1324 {
1325 /* we cannot end up here when using dco */
1326 ASSERT(!dco_enabled(&c->options));
1327
1328 sockethandle_t sh = { .is_handle = true, .h = c->c1.tuntap->hand, .prepend_sa = false };
1329 sockethandle_finalize(sh, &c->c1.tuntap->reads, &c->c2.buf, NULL);
1330 }
1331#else /* ifdef _WIN32 */
1332 ASSERT(buf_init(&c->c2.buf, c->c2.frame.buf.headroom));
1333 ASSERT(buf_safe(&c->c2.buf, c->c2.frame.buf.payload_size));
1334 if (c->c1.tuntap->backend_driver == DRIVER_AFUNIX)
1335 {
1336 c->c2.buf.len = read_tun_afunix(c->c1.tuntap, BPTR(&c->c2.buf), c->c2.frame.buf.payload_size);
1337 }
1338 else
1339 {
1340 c->c2.buf.len = read_tun(c->c1.tuntap, BPTR(&c->c2.buf), c->c2.frame.buf.payload_size);
1341 }
1342#endif /* ifdef _WIN32 */
1343
1344#ifdef PACKET_TRUNCATION_CHECK
1345 ipv4_packet_size_verify(BPTR(&c->c2.buf),
1346 BLEN(&c->c2.buf),
1347 TUNNEL_TYPE(c->c1.tuntap),
1348 "READ_TUN",
1349 &c->c2.n_trunc_tun_read);
1350#endif
1351
1352 /* Was TUN/TAP interface stopped? */
1353 if (tuntap_stop(c->c2.buf.len))
1354 {
1355 register_signal(c->sig, SIGTERM, "tun-stop");
1356 msg(M_INFO, "TUN/TAP interface has been stopped, exiting");
1357 perf_pop();
1358 return;
1359 }
1360
1361 /* Was TUN/TAP I/O operation aborted? */
1362 if (tuntap_abort(c->c2.buf.len))
1363 {
1364 register_signal(c->sig, SIGHUP, "tun-abort");
1365 c->persist.restart_sleep_seconds = 10;
1366 msg(M_INFO, "TUN/TAP I/O operation aborted, restarting");
1367 perf_pop();
1368 return;
1369 }
1370
1371 /* Check the status return from read() */
1372 check_status(c->c2.buf.len, "read from TUN/TAP", NULL, c->c1.tuntap);
1373
1374 perf_pop();
1375}
1376
1385static void
1386drop_if_recursive_routing(struct context *c, struct buffer *buf)
1387{
1388 bool drop = false;
1389 struct openvpn_sockaddr tun_sa;
1390 int ip_hdr_offset = 0;
1391
1392 if (c->c2.to_link_addr == NULL) /* no remote addr known */
1393 {
1394 return;
1395 }
1396
1397 tun_sa = c->c2.to_link_addr->dest;
1398
1399 int proto_ver = get_tun_ip_ver(TUNNEL_TYPE(c->c1.tuntap), &c->c2.buf, &ip_hdr_offset);
1400
1401 if (proto_ver == 4)
1402 {
1403 /* make sure we got whole IP header */
1404 if (BLEN(buf) < ((int) sizeof(struct openvpn_iphdr) + ip_hdr_offset))
1405 {
1406 return;
1407 }
1408
1409 /* skip ipv4 packets for ipv6 tun */
1410 if (tun_sa.addr.sa.sa_family != AF_INET)
1411 {
1412 return;
1413 }
1414
1415 struct openvpn_iphdr *pip = (struct openvpn_iphdr *) (BPTR(buf) + ip_hdr_offset);
1416
1417 /* drop packets with same dest addr as gateway */
1418 if (memcmp(&tun_sa.addr.in4.sin_addr.s_addr, &pip->daddr, sizeof(pip->daddr)) == 0)
1419 {
1420 drop = true;
1421 }
1422 }
1423 else if (proto_ver == 6)
1424 {
1425 /* make sure we got whole IPv6 header */
1426 if (BLEN(buf) < ((int) sizeof(struct openvpn_ipv6hdr) + ip_hdr_offset))
1427 {
1428 return;
1429 }
1430
1431 /* skip ipv6 packets for ipv4 tun */
1432 if (tun_sa.addr.sa.sa_family != AF_INET6)
1433 {
1434 return;
1435 }
1436
1437 struct openvpn_ipv6hdr *pip6 = (struct openvpn_ipv6hdr *) (BPTR(buf) + ip_hdr_offset);
1438
1439 /* drop packets with same dest addr as gateway */
1440 if (OPENVPN_IN6_ARE_ADDR_EQUAL(&tun_sa.addr.in6.sin6_addr, &pip6->daddr))
1441 {
1442 drop = true;
1443 }
1444 }
1445
1446 if (drop)
1447 {
1448 struct gc_arena gc = gc_new();
1449
1450 c->c2.buf.len = 0;
1451
1452 msg(D_LOW, "Recursive routing detected, drop tun packet to %s",
1453 print_link_socket_actual(c->c2.to_link_addr, &gc));
1454 gc_free(&gc);
1455 }
1456}
1457
1458/*
1459 * Input: c->c2.buf
1460 * Output: c->c2.to_link
1461 */
1462
1463void
1464process_incoming_tun(struct context *c, struct link_socket *out_sock)
1465{
1466 struct gc_arena gc = gc_new();
1467
1468 perf_push(PERF_PROC_IN_TUN);
1469
1470 if (c->c2.buf.len > 0)
1471 {
1472 c->c2.tun_read_bytes += c->c2.buf.len;
1473 }
1474
1475#ifdef LOG_RW
1476 if (c->c2.log_rw && c->c2.buf.len > 0)
1477 {
1478 fprintf(stderr, "r");
1479 }
1480#endif
1481
1482 /* Show packet content */
1483 dmsg(D_TUN_RW, "TUN READ [%d]", BLEN(&c->c2.buf));
1484
1485 if (c->c2.buf.len > 0)
1486 {
1487 if ((c->options.mode == MODE_POINT_TO_POINT) && (!c->options.allow_recursive_routing))
1488 {
1489 drop_if_recursive_routing(c, &c->c2.buf);
1490 }
1491 /*
1492 * The --passtos and --mssfix options require
1493 * us to examine the IP header (IPv4 or IPv6).
1494 */
1495 unsigned int flags = PIPV4_PASSTOS | PIP_MSSFIX | PIPV4_CLIENT_NAT
1496 | PIPV6_ICMP_NOHOST_CLIENT;
1497 process_ip_header(c, flags, &c->c2.buf, out_sock);
1498
1499#ifdef PACKET_TRUNCATION_CHECK
1500 /* if (c->c2.buf.len > 1) --c->c2.buf.len; */
1501 ipv4_packet_size_verify(BPTR(&c->c2.buf),
1502 BLEN(&c->c2.buf),
1503 TUNNEL_TYPE(c->c1.tuntap),
1504 "PRE_ENCRYPT",
1505 &c->c2.n_trunc_pre_encrypt);
1506#endif
1507
1508 }
1509 if (c->c2.buf.len > 0)
1510 {
1511 encrypt_sign(c, true);
1512 }
1513 else
1514 {
1515 buf_reset(&c->c2.to_link);
1516 }
1517 perf_pop();
1518 gc_free(&gc);
1519}
1520
1531void
1532ipv6_send_icmp_unreachable(struct context *c, struct buffer *buf, bool client)
1533{
1534#define MAX_ICMPV6LEN 1280
1535 struct openvpn_icmp6hdr icmp6out;
1536 CLEAR(icmp6out);
1537
1538 /*
1539 * Get a buffer to the ip packet, is_ipv6 automatically forwards
1540 * the buffer to the ip packet
1541 */
1542 struct buffer inputipbuf = *buf;
1543
1544 is_ipv6(TUNNEL_TYPE(c->c1.tuntap), &inputipbuf);
1545
1546 if (BLEN(&inputipbuf) < (int)sizeof(struct openvpn_ipv6hdr))
1547 {
1548 return;
1549 }
1550
1551 const struct openvpn_ipv6hdr *pip6 = (struct openvpn_ipv6hdr *)BPTR(&inputipbuf);
1552
1553 /* Copy version, traffic class, flow label from input packet */
1554 struct openvpn_ipv6hdr pip6out = *pip6;
1555
1556 pip6out.version_prio = pip6->version_prio;
1557 pip6out.daddr = pip6->saddr;
1558
1559 /*
1560 * Use the IPv6 remote address if we have one, otherwise use a fake one
1561 * using the remote address is preferred since it makes debugging and
1562 * understanding where the ICMPv6 error originates easier
1563 */
1564 if (c->options.ifconfig_ipv6_remote)
1565 {
1566 inet_pton(AF_INET6, c->options.ifconfig_ipv6_remote, &pip6out.saddr);
1567 }
1568 else
1569 {
1570 inet_pton(AF_INET6, "fe80::7", &pip6out.saddr);
1571 }
1572
1573 pip6out.nexthdr = OPENVPN_IPPROTO_ICMPV6;
1574
1575 /*
1576 * The ICMPv6 unreachable code worked best in my (arne) tests with Windows,
1577 * Linux and Android. Windows did not like the administratively prohibited
1578 * return code (no fast fail)
1579 */
1580 icmp6out.icmp6_type = OPENVPN_ICMP6_DESTINATION_UNREACHABLE;
1581 icmp6out.icmp6_code = OPENVPN_ICMP6_DU_NOROUTE;
1582
1583 int icmpheader_len = sizeof(struct openvpn_ipv6hdr)
1584 + sizeof(struct openvpn_icmp6hdr);
1585 int totalheader_len = icmpheader_len;
1586
1587 if (TUNNEL_TYPE(c->c1.tuntap) == DEV_TYPE_TAP)
1588 {
1589 totalheader_len += sizeof(struct openvpn_ethhdr);
1590 }
1591
1592 /*
1593 * Calculate size for payload, defined in the standard that the resulting
1594 * frame should be <= 1280 and have as much as possible of the original
1595 * packet
1596 */
1597 int max_payload_size = min_int(MAX_ICMPV6LEN,
1598 c->c2.frame.tun_mtu - icmpheader_len);
1599 int payload_len = min_int(max_payload_size, BLEN(&inputipbuf));
1600
1601 pip6out.payload_len = htons(sizeof(struct openvpn_icmp6hdr) + payload_len);
1602
1603 /* Construct the packet as outgoing packet back to the client */
1604 struct buffer *outbuf;
1605 if (client)
1606 {
1607 c->c2.to_tun = c->c2.buffers->aux_buf;
1608 outbuf = &(c->c2.to_tun);
1609 }
1610 else
1611 {
1612 c->c2.to_link = c->c2.buffers->aux_buf;
1613 outbuf = &(c->c2.to_link);
1614 }
1615 ASSERT(buf_init(outbuf, totalheader_len));
1616
1617 /* Fill the end of the buffer with original packet */
1618 ASSERT(buf_safe(outbuf, payload_len));
1619 ASSERT(buf_copy_n(outbuf, &inputipbuf, payload_len));
1620
1621 /* ICMP Header, copy into buffer to allow checksum calculation */
1622 ASSERT(buf_write_prepend(outbuf, &icmp6out, sizeof(struct openvpn_icmp6hdr)));
1623
1624 /* Calculate checksum over the packet and write to header */
1625
1626 uint16_t new_csum = ip_checksum(AF_INET6, BPTR(outbuf), BLEN(outbuf),
1627 (const uint8_t *)&pip6out.saddr,
1628 (uint8_t *)&pip6out.daddr, OPENVPN_IPPROTO_ICMPV6);
1629 ((struct openvpn_icmp6hdr *) BPTR(outbuf))->icmp6_cksum = htons(new_csum);
1630
1631
1632 /* IPv6 Header */
1633 ASSERT(buf_write_prepend(outbuf, &pip6out, sizeof(struct openvpn_ipv6hdr)));
1634
1635 /*
1636 * Tap mode, we also need to create an Ethernet header.
1637 */
1638 if (TUNNEL_TYPE(c->c1.tuntap) == DEV_TYPE_TAP)
1639 {
1640 if (BLEN(buf) < (int)sizeof(struct openvpn_ethhdr))
1641 {
1642 return;
1643 }
1644
1645 const struct openvpn_ethhdr *orig_ethhdr = (struct openvpn_ethhdr *) BPTR(buf);
1646
1647 /* Copy frametype and reverse source/destination for the response */
1648 struct openvpn_ethhdr ethhdr;
1649 memcpy(ethhdr.source, orig_ethhdr->dest, OPENVPN_ETH_ALEN);
1650 memcpy(ethhdr.dest, orig_ethhdr->source, OPENVPN_ETH_ALEN);
1651 ethhdr.proto = htons(OPENVPN_ETH_P_IPV6);
1652 ASSERT(buf_write_prepend(outbuf, &ethhdr, sizeof(struct openvpn_ethhdr)));
1653 }
1654#undef MAX_ICMPV6LEN
1655}
1656
1657void
1658process_ip_header(struct context *c, unsigned int flags, struct buffer *buf,
1659 struct link_socket *sock)
1660{
1661 if (!c->options.ce.mssfix)
1662 {
1663 flags &= ~PIP_MSSFIX;
1664 }
1665#if PASSTOS_CAPABILITY
1666 if (!c->options.passtos)
1667 {
1668 flags &= ~PIPV4_PASSTOS;
1669 }
1670#endif
1671 if (!c->options.client_nat)
1672 {
1673 flags &= ~PIPV4_CLIENT_NAT;
1674 }
1675 if (!c->options.route_gateway_via_dhcp)
1676 {
1677 flags &= ~PIPV4_EXTRACT_DHCP_ROUTER;
1678 }
1679 if (!c->options.block_ipv6)
1680 {
1681 flags &= ~(PIPV6_ICMP_NOHOST_CLIENT | PIPV6_ICMP_NOHOST_SERVER);
1682 }
1683
1684 if (buf->len > 0)
1685 {
1686 struct buffer ipbuf = *buf;
1687 if (is_ipv4(TUNNEL_TYPE(c->c1.tuntap), &ipbuf))
1688 {
1689#if PASSTOS_CAPABILITY
1690 /* extract TOS from IP header */
1691 if (flags & PIPV4_PASSTOS)
1692 {
1693 link_socket_extract_tos(sock, &ipbuf);
1694 }
1695#endif
1696
1697 /* possibly alter the TCP MSS */
1698 if (flags & PIP_MSSFIX)
1699 {
1700 mss_fixup_ipv4(&ipbuf, c->c2.frame.mss_fix);
1701 }
1702
1703 /* possibly do NAT on packet */
1704 if ((flags & PIPV4_CLIENT_NAT) && c->options.client_nat)
1705 {
1706 const int direction = (flags & PIP_OUTGOING) ? CN_INCOMING : CN_OUTGOING;
1707 client_nat_transform(c->options.client_nat, &ipbuf, direction);
1708 }
1709 /* possibly extract a DHCP router message */
1710 if (flags & PIPV4_EXTRACT_DHCP_ROUTER)
1711 {
1712 const in_addr_t dhcp_router = dhcp_extract_router_msg(&ipbuf);
1713 if (dhcp_router)
1714 {
1715 route_list_add_vpn_gateway(c->c1.route_list, c->c2.es, dhcp_router);
1716 }
1717 }
1718 }
1719 else if (is_ipv6(TUNNEL_TYPE(c->c1.tuntap), &ipbuf))
1720 {
1721 /* possibly alter the TCP MSS */
1722 if (flags & PIP_MSSFIX)
1723 {
1724 mss_fixup_ipv6(&ipbuf, c->c2.frame.mss_fix);
1725 }
1726 if (!(flags & PIP_OUTGOING) && (flags
1727 &(PIPV6_ICMP_NOHOST_CLIENT | PIPV6_ICMP_NOHOST_SERVER)))
1728 {
1729 ipv6_send_icmp_unreachable(c, buf,
1730 (bool)(flags & PIPV6_ICMP_NOHOST_CLIENT));
1731 /* Drop the IPv6 packet */
1732 buf->len = 0;
1733 }
1734
1735 }
1736 }
1737}
1738
1739/*
1740 * Input: c->c2.to_link
1741 */
1742
1743void
1744process_outgoing_link(struct context *c, struct link_socket *sock)
1745{
1746 struct gc_arena gc = gc_new();
1747 int error_code = 0;
1748
1749 perf_push(PERF_PROC_OUT_LINK);
1750
1751 if (c->c2.to_link.len > 0 && c->c2.to_link.len <= c->c2.frame.buf.payload_size)
1752 {
1753 /*
1754 * Setup for call to send/sendto which will send
1755 * packet to remote over the TCP/UDP port.
1756 */
1757 int size = 0;
1758 ASSERT(link_socket_actual_defined(c->c2.to_link_addr));
1759
1760#ifdef ENABLE_DEBUG
1761 /* In gremlin-test mode, we may choose to drop this packet */
1762 if (!c->options.gremlin || ask_gremlin(c->options.gremlin))
1763#endif
1764 {
1765 /*
1766 * Let the traffic shaper know how many bytes
1767 * we wrote.
1768 */
1769 if (c->options.shaper)
1770 {
1771 int overhead = datagram_overhead(c->c2.to_link_addr->dest.addr.sa.sa_family,
1772 sock->info.proto);
1773 shaper_wrote_bytes(&c->c2.shaper,
1774 BLEN(&c->c2.to_link) + overhead);
1775 }
1776
1777 /*
1778 * Let the pinger know that we sent a packet.
1779 */
1780 if (c->options.ping_send_timeout)
1781 {
1782 event_timeout_reset(&c->c2.ping_send_interval);
1783 }
1784
1785#if PASSTOS_CAPABILITY
1786 /* Set TOS */
1787 link_socket_set_tos(sock);
1788#endif
1789
1790 /* Log packet send */
1791#ifdef LOG_RW
1792 if (c->c2.log_rw)
1793 {
1794 fprintf(stderr, "W");
1795 }
1796#endif
1797 msg(D_LINK_RW, "%s WRITE [%d] to %s: %s",
1798 proto2ascii(sock->info.proto, sock->info.af, true),
1799 BLEN(&c->c2.to_link),
1800 print_link_socket_actual(c->c2.to_link_addr, &gc),
1801 PROTO_DUMP(&c->c2.to_link, &gc));
1802
1803 /* Packet send complexified by possible Socks5 usage */
1804 {
1805 struct link_socket_actual *to_addr = c->c2.to_link_addr;
1806 int size_delta = 0;
1807
1808 /* If Socks5 over UDP, prepend header */
1809 socks_preprocess_outgoing_link(c, sock, &to_addr, &size_delta);
1810
1811 /* Send packet */
1812 size = (int)link_socket_write(sock,
1813 &c->c2.to_link,
1814 to_addr);
1815
1816 /* Undo effect of prepend */
1817 link_socket_write_post_size_adjust(&size, size_delta, &c->c2.to_link);
1818 }
1819
1820 if (size > 0)
1821 {
1822 c->c2.max_send_size_local = max_int(size, c->c2.max_send_size_local);
1823 c->c2.link_write_bytes += size;
1824 link_write_bytes_global += size;
1825#ifdef ENABLE_MEMSTATS
1826 if (mmap_stats)
1827 {
1828 mmap_stats->link_write_bytes = link_write_bytes_global;
1829 }
1830#endif
1831#ifdef ENABLE_MANAGEMENT
1832 if (management)
1833 {
1834 management_bytes_client(management, 0, size);
1835 management_bytes_server(management, &c->c2.link_read_bytes, &c->c2.link_write_bytes, &c->c2.mda_context);
1836 }
1837#endif
1838 }
1839 }
1840
1841 /* Check return status */
1842 error_code = openvpn_errno();
1843 check_status(size, "write", sock, NULL);
1844
1845 if (size > 0)
1846 {
1847 /* Did we write a different size packet than we intended? */
1848 if (size != BLEN(&c->c2.to_link))
1849 {
1850 msg(D_LINK_ERRORS,
1851 "TCP/UDP packet was truncated/expanded on write to %s (tried=%d,actual=%d)",
1852 print_link_socket_actual(c->c2.to_link_addr, &gc),
1853 BLEN(&c->c2.to_link),
1854 size);
1855 }
1856 }
1857
1858 /* if not a ping/control message, indicate activity regarding --inactive parameter */
1859 if (c->c2.buf.len > 0)
1860 {
1861 register_activity(c, size);
1862 }
1863
1864 /* for unreachable network and "connecting" state switch to the next host */
1865
1866 bool unreachable = error_code ==
1867#ifdef _WIN32
1868 WSAENETUNREACH;
1869#else
1870 ENETUNREACH;
1871#endif
1872 if (size < 0 && unreachable && c->c2.tls_multi
1873 && !tls_initial_packet_received(c->c2.tls_multi) && c->options.mode == MODE_POINT_TO_POINT)
1874 {
1875 msg(M_INFO, "Network unreachable, restarting");
1876 register_signal(c->sig, SIGUSR1, "network-unreachable");
1877 }
1878 }
1879 else
1880 {
1881 if (c->c2.to_link.len > 0)
1882 {
1883 msg(D_LINK_ERRORS, "TCP/UDP packet too large on write to %s (tried=%d,max=%d)",
1884 print_link_socket_actual(c->c2.to_link_addr, &gc),
1885 c->c2.to_link.len,
1886 c->c2.frame.buf.payload_size);
1887 }
1888 }
1889
1890 buf_reset(&c->c2.to_link);
1891
1892 perf_pop();
1893 gc_free(&gc);
1894}
1895
1896/*
1897 * Input: c->c2.to_tun
1898 */
1899
1900void
1901process_outgoing_tun(struct context *c, struct link_socket *in_sock)
1902{
1903 /*
1904 * Set up for write() call to TUN/TAP
1905 * device.
1906 */
1907 if (c->c2.to_tun.len <= 0)
1908 {
1909 return;
1910 }
1911
1912 perf_push(PERF_PROC_OUT_TUN);
1913
1914 /*
1915 * The --mssfix option requires
1916 * us to examine the IP header (IPv4 or IPv6).
1917 */
1918 process_ip_header(c, PIP_MSSFIX|PIPV4_EXTRACT_DHCP_ROUTER|PIPV4_CLIENT_NAT|PIP_OUTGOING, &c->c2.to_tun,
1919 in_sock);
1920
1921 if (c->c2.to_tun.len <= c->c2.frame.buf.payload_size)
1922 {
1923 /*
1924 * Write to TUN/TAP device.
1925 */
1926 int size;
1927
1928#ifdef LOG_RW
1929 if (c->c2.log_rw)
1930 {
1931 fprintf(stderr, "w");
1932 }
1933#endif
1934 dmsg(D_TUN_RW, "TUN WRITE [%d]", BLEN(&c->c2.to_tun));
1935
1936#ifdef PACKET_TRUNCATION_CHECK
1937 ipv4_packet_size_verify(BPTR(&c->c2.to_tun),
1938 BLEN(&c->c2.to_tun),
1939 TUNNEL_TYPE(c->c1.tuntap),
1940 "WRITE_TUN",
1941 &c->c2.n_trunc_tun_write);
1942#endif
1943
1944#ifdef _WIN32
1945 size = write_tun_buffered(c->c1.tuntap, &c->c2.to_tun);
1946#else
1947 if (c->c1.tuntap->backend_driver == DRIVER_AFUNIX)
1948 {
1949 size = write_tun_afunix(c->c1.tuntap, BPTR(&c->c2.to_tun), BLEN(&c->c2.to_tun));
1950 }
1951 else
1952 {
1953 size = write_tun(c->c1.tuntap, BPTR(&c->c2.to_tun), BLEN(&c->c2.to_tun));
1954 }
1955#endif
1956
1957 if (size > 0)
1958 {
1959 c->c2.tun_write_bytes += size;
1960 }
1961 check_status(size, "write to TUN/TAP", NULL, c->c1.tuntap);
1962
1963 /* check written packet size */
1964 if (size > 0)
1965 {
1966 /* Did we write a different size packet than we intended? */
1967 if (size != BLEN(&c->c2.to_tun))
1968 {
1969 msg(D_LINK_ERRORS,
1970 "TUN/TAP packet was destructively fragmented on write to %s (tried=%d,actual=%d)",
1971 c->c1.tuntap->actual_name,
1972 BLEN(&c->c2.to_tun),
1973 size);
1974 }
1975
1976 /* indicate activity regarding --inactive parameter */
1977 register_activity(c, size);
1978 }
1979 }
1980 else
1981 {
1982 /*
1983 * This should never happen, probably indicates some kind
1984 * of MTU mismatch.
1985 */
1986 msg(D_LINK_ERRORS, "tun packet too large on write (tried=%d,max=%d)",
1987 c->c2.to_tun.len,
1988 c->c2.frame.buf.payload_size);
1989 }
1990
1991 buf_reset(&c->c2.to_tun);
1992
1993 perf_pop();
1994}
1995
1996void
1997pre_select(struct context *c)
1998{
1999 /* make sure current time (now) is updated on function entry */
2000
2001 /*
2002 * Start with an effectively infinite timeout, then let it
2003 * reduce to a timeout that reflects the component which
2004 * needs the earliest service.
2005 */
2006 c->c2.timeval.tv_sec = BIG_TIMEOUT;
2007 c->c2.timeval.tv_usec = 0;
2008
2009#if defined(_WIN32)
2010 if (check_debug_level(D_TAP_WIN_DEBUG))
2011 {
2012 c->c2.timeval.tv_sec = 1;
2013 if (tuntap_defined(c->c1.tuntap))
2014 {
2015 tun_show_debug(c->c1.tuntap);
2016 }
2017 }
2018#endif
2019
2020 /* check coarse timers? */
2021 check_coarse_timers(c);
2022 if (c->sig->signal_received)
2023 {
2024 return;
2025 }
2026
2027 /* If tls is enabled, do tls control channel packet processing. */
2028 if (c->c2.tls_multi)
2029 {
2030 check_tls(c);
2031 }
2032
2033 /* In certain cases, TLS errors will require a restart */
2034 check_tls_errors(c);
2035 if (c->sig->signal_received)
2036 {
2037 return;
2038 }
2039
2040 /* check for incoming control messages on the control channel like
2041 * push request/reply, or authentication failure and 2FA messages */
2042 if (tls_test_payload_len(c->c2.tls_multi) > 0)
2043 {
2044 check_incoming_control_channel(c);
2045 }
2046
2047 /* Should we send an OCC message? */
2048 check_send_occ_msg(c);
2049
2050#ifdef ENABLE_FRAGMENT
2051 /* Should we deliver a datagram fragment to remote? */
2052 if (c->c2.fragment)
2053 {
2054 check_fragment(c);
2055 }
2056#endif
2057
2058 /* Update random component of timeout */
2059 check_timeout_random_component(c);
2060}
2061
2062static void
2063multi_io_process_flags(struct context *c, struct event_set *es,
2064 const unsigned int flags, unsigned int *out_socket,
2065 unsigned int *out_tuntap)
2066{
2067 unsigned int socket = 0;
2068 unsigned int tuntap = 0;
2069 static uintptr_t tun_shift = TUN_SHIFT;
2070 static uintptr_t err_shift = ERR_SHIFT;
2071
2072 /*
2073 * Calculate the flags based on the provided 'flags' argument.
2074 */
2075 if (flags & IOW_WAIT_SIGNAL)
2076 {
2077 wait_signal(es, (void *)err_shift);
2078 }
2079
2080 if (flags & IOW_TO_LINK)
2081 {
2082 if (flags & IOW_SHAPER)
2083 {
2084 /*
2085 * If sending this packet would put us over our traffic shaping
2086 * quota, don't send -- instead compute the delay we must wait
2087 * until it will be OK to send the packet.
2088 */
2089 int delay = 0;
2090
2091 /* set traffic shaping delay in microseconds */
2092 if (c->options.shaper)
2093 {
2094 delay = max_int(delay, shaper_delay(&c->c2.shaper));
2095 }
2096
2097 if (delay < 1000)
2098 {
2099 socket |= EVENT_WRITE;
2100 }
2101 else
2102 {
2103 shaper_soonest_event(&c->c2.timeval, delay);
2104 }
2105 }
2106 else
2107 {
2108 socket |= EVENT_WRITE;
2109 }
2110 }
2111 else if (!((flags & IOW_FRAG) && TO_LINK_FRAG(c)))
2112 {
2113 if (flags & IOW_READ_TUN)
2114 {
2115 tuntap |= EVENT_READ;
2116 }
2117 }
2118
2119 /*
2120 * If outgoing data (for TUN/TAP device) pending, wait for ready-to-send status
2121 * from device. Otherwise, wait for incoming data on TCP/UDP port.
2122 */
2123 if (flags & IOW_TO_TUN)
2124 {
2125 tuntap |= EVENT_WRITE;
2126 }
2127 else
2128 {
2129 if (flags & IOW_READ_LINK)
2130 {
2131 socket |= EVENT_READ;
2132 }
2133 }
2134
2135 /*
2136 * outgoing bcast buffer waiting to be sent?
2137 */
2138 if (flags & IOW_MBUF)
2139 {
2140 socket |= EVENT_WRITE;
2141 }
2142
2143 /*
2144 * Force wait on TUN input, even if also waiting on TCP/UDP output
2145 */
2146 if (flags & IOW_READ_TUN_FORCE)
2147 {
2148 tuntap |= EVENT_READ;
2149 }
2150
2151#ifdef _WIN32
2152 if (tuntap_is_wintun(c->c1.tuntap))
2153 {
2154 /*
2155 * With wintun we are only interested in read event. Ring buffer is
2156 * always ready for write, so we don't do wait.
2157 */
2158 tuntap = EVENT_READ;
2159 }
2160#endif
2161
2162 /*
2163 * Configure event wait based on socket, tuntap flags.
2164 */
2165 for (int i = 0; i < c->c1.link_sockets_num; i++)
2166 {
2167 socket_set(c->c2.link_sockets[i], es, socket,
2168 &c->c2.link_sockets[i]->ev_arg, NULL);
2169 }
2170
2171 tun_set(c->c1.tuntap, es, tuntap, (void *)tun_shift, NULL);
2172
2173 if (out_socket)
2174 {
2175 *out_socket = socket;
2176 }
2177
2178 if (out_tuntap)
2179 {
2180 *out_tuntap = tuntap;
2181 }
2182
2183}
2184
2185/*
2186 * Wait for I/O events. Used for both TCP & UDP sockets
2187 * in point-to-point mode and for UDP sockets in
2188 * point-to-multipoint mode.
2189 */
2190
2191void
2192get_io_flags_dowork_udp(struct context *c, struct multi_io *multi_io, const unsigned int flags)
2193{
2194 unsigned int out_socket, out_tuntap;
2195
2196 multi_io_process_flags(c, multi_io->es, flags, &out_socket, &out_tuntap);
2197 multi_io->udp_flags = out_socket | out_tuntap;
2198}
2199
2200void
2201get_io_flags_udp(struct context *c, struct multi_io *multi_io, const unsigned int flags)
2202{
2203 multi_io->udp_flags = ES_ERROR;
2204 if (c->c2.fast_io && (flags & (IOW_TO_TUN | IOW_TO_LINK | IOW_MBUF)))
2205 {
2206 /* fast path -- only for TUN/TAP/UDP writes */
2207 unsigned int ret = 0;
2208 if (flags & IOW_TO_TUN)
2209 {
2210 ret |= TUN_WRITE;
2211 }
2212 if (flags & (IOW_TO_LINK | IOW_MBUF))
2213 {
2214 ret |= SOCKET_WRITE;
2215 }
2216 multi_io->udp_flags = ret;
2217 }
2218 else
2219 {
2220#ifdef _WIN32
2221 bool skip_iowait = flags & IOW_TO_TUN;
2222 if (flags & IOW_READ_TUN)
2223 {
2224 /*
2225 * don't read from tun if we have pending write to link,
2226 * since every tun read overwrites to_link buffer filled
2227 * by previous tun read
2228 */
2229 skip_iowait = !(flags & IOW_TO_LINK);
2230 }
2231 if (tuntap_is_wintun(c->c1.tuntap) && skip_iowait)
2232 {
2233 unsigned int ret = 0;
2234 if (flags & IOW_TO_TUN)
2235 {
2236 ret |= TUN_WRITE;
2237 }
2238 if (flags & IOW_READ_TUN)
2239 {
2240 ret |= TUN_READ;
2241 }
2242 multi_io->udp_flags = ret;
2243 }
2244 else
2245#endif /* ifdef _WIN32 */
2246 {
2247 /* slow path - delegate to io_wait_dowork_udp to calculate flags */
2248 get_io_flags_dowork_udp(c, multi_io, flags);
2249 }
2250 }
2251}
2252
2253void
2254io_wait_dowork(struct context *c, const unsigned int flags)
2255{
2256 unsigned int out_socket;
2257 unsigned int out_tuntap;
2258 struct event_set_return esr[4];
2259
2260 /* These shifts all depend on EVENT_READ and EVENT_WRITE */
2261 static uintptr_t socket_shift = SOCKET_SHIFT; /* depends on SOCKET_READ and SOCKET_WRITE */
2262#ifdef ENABLE_MANAGEMENT
2263 static uintptr_t management_shift = MANAGEMENT_SHIFT; /* depends on MANAGEMENT_READ and MANAGEMENT_WRITE */
2264#endif
2265#ifdef ENABLE_ASYNC_PUSH
2266 static uintptr_t file_shift = FILE_SHIFT;
2267#endif
2268#if defined(TARGET_LINUX) || defined(TARGET_FREEBSD)
2269 static uintptr_t dco_shift = DCO_SHIFT; /* Event from DCO linux kernel module */
2270#endif
2271
2272 /*
2273 * Decide what kind of events we want to wait for.
2274 */
2275 event_reset(c->c2.event_set);
2276
2277 multi_io_process_flags(c, c->c2.event_set, flags, &out_socket, &out_tuntap);
2278
2279#if defined(TARGET_LINUX) || defined(TARGET_FREEBSD)
2280 if (out_socket & EVENT_READ && c->c2.did_open_tun)
2281 {
2282 dco_event_set(&c->c1.tuntap->dco, c->c2.event_set, (void *)dco_shift);
2283 }
2284#endif
2285
2286#ifdef ENABLE_MANAGEMENT
2287 if (management)
2288 {
2289 management_socket_set(management, c->c2.event_set, (void *)management_shift, NULL);
2290 }
2291#endif
2292
2293#ifdef ENABLE_ASYNC_PUSH
2294 /* arm inotify watcher */
2295 if (c->options.mode == MODE_SERVER)
2296 {
2297 event_ctl(c->c2.event_set, c->c2.inotify_fd, EVENT_READ, (void *)file_shift);
2298 }
2299#endif
2300
2301 /*
2302 * Possible scenarios:
2303 * (1) tcp/udp port has data available to read
2304 * (2) tcp/udp port is ready to accept more data to write
2305 * (3) tun dev has data available to read
2306 * (4) tun dev is ready to accept more data to write
2307 * (5) we received a signal (handler sets signal_received)
2308 * (6) timeout (tv) expired
2309 */
2310
2311 c->c2.event_set_status = ES_ERROR;
2312
2313 if (!c->sig->signal_received)
2314 {
2315 if (!(flags & IOW_CHECK_RESIDUAL) || !sockets_read_residual(c))
2316 {
2317 int status;
2318
2319#ifdef ENABLE_DEBUG
2320 if (check_debug_level(D_EVENT_WAIT))
2321 {
2322 show_wait_status(c);
2323 }
2324#endif
2325
2326 /*
2327 * Wait for something to happen.
2328 */
2329 status = event_wait(c->c2.event_set, &c->c2.timeval, esr, SIZE(esr));
2330
2331 check_status(status, "event_wait", NULL, NULL);
2332
2333 if (status > 0)
2334 {
2335 int i;
2336 c->c2.event_set_status = 0;
2337 for (i = 0; i < status; ++i)
2338 {
2339 const struct event_set_return *e = &esr[i];
2340 uintptr_t shift;
2341
2342 if (e->arg >= MULTI_N)
2343 {
2344 struct event_arg *ev_arg = (struct event_arg *)e->arg;
2345 if (ev_arg->type != EVENT_ARG_LINK_SOCKET)
2346 {
2347 c->c2.event_set_status = ES_ERROR;
2348 msg(D_LINK_ERRORS,
2349 "io_work: non socket event delivered");
2350 return;
2351 }
2352
2353 shift = socket_shift;
2354 }
2355 else
2356 {
2357 shift = (uintptr_t)e->arg;
2358 }
2359
2360 c->c2.event_set_status |= ((e->rwflags & 3) << shift);
2361 }
2362 }
2363 else if (status == 0)
2364 {
2365 c->c2.event_set_status = ES_TIMEOUT;
2366 }
2367 }
2368 else
2369 {
2370 c->c2.event_set_status = SOCKET_READ;
2371 }
2372 }
2373
2374 /* 'now' should always be a reasonably up-to-date timestamp */
2375 update_time();
2376
2377 /* set signal_received if a signal was received */
2378 if (c->c2.event_set_status & ES_ERROR)
2379 {
2380 get_signal(&c->sig->signal_received);
2381 }
2382
2383 dmsg(D_EVENT_WAIT, "I/O WAIT status=0x%04x", c->c2.event_set_status);
2384}
2385
2386void
2387process_io(struct context *c, struct link_socket *sock)
2388{
2389 const unsigned int status = c->c2.event_set_status;
2390
2391#ifdef ENABLE_MANAGEMENT
2392 if (status & (MANAGEMENT_READ|MANAGEMENT_WRITE))
2393 {
2394 ASSERT(management);
2395 management_io(management);
2396 }
2397#endif
2398
2399 /* TCP/UDP port ready to accept write */
2400 if (status & SOCKET_WRITE)
2401 {
2402 process_outgoing_link(c, sock);
2403 }
2404 /* TUN device ready to accept write */
2405 else if (status & TUN_WRITE)
2406 {
2407 process_outgoing_tun(c, sock);
2408 }
2409 /* Incoming data on TCP/UDP port */
2410 else if (status & SOCKET_READ)
2411 {
2412 read_incoming_link(c, sock);
2413 if (!IS_SIG(c))
2414 {
2415 process_incoming_link(c, sock);
2416 }
2417 }
2418 /* Incoming data on TUN device */
2419 else if (status & TUN_READ)
2420 {
2421 read_incoming_tun(c);
2422 if (!IS_SIG(c))
2423 {
2424 process_incoming_tun(c, sock);
2425 }
2426 }
2427 else if (status & DCO_READ)
2428 {
2429 if (!IS_SIG(c))
2430 {
2431 process_incoming_dco(c);
2432 }
2433 }
2434}
check_send_auth_token
void check_send_auth_token(struct context *c)
Checks if the timer to resend the auth-token has expired and if a new auth-token should be send to th...
Definition auth_token.c:422
auth_token.h
buf_printf
bool buf_printf(struct buffer *buf, const char *format,...)
Definition buffer.c:240
buf_assign
bool buf_assign(struct buffer *dest, const struct buffer *src)
Definition buffer.c:173
alloc_buf_gc
struct buffer alloc_buf_gc(size_t size, struct gc_arena *gc)
Definition buffer.c:88
buf_string_match_head_str
bool buf_string_match_head_str(const struct buffer *src, const char *match)
Definition buffer.c:778
BSTR
#define BSTR(buf)
Definition buffer.h:129
BPTR
#define BPTR(buf)
Definition buffer.h:124
buf_write_prepend
static bool buf_write_prepend(struct buffer *dest, const void *src, int size)
Definition buffer.h:680
buf_copy_n
static bool buf_copy_n(struct buffer *dest, struct buffer *src, int n)
Definition buffer.h:718
buf_reset
static void buf_reset(struct buffer *buf)
Definition buffer.h:303
buf_safe
static bool buf_safe(const struct buffer *buf, size_t len)
Definition buffer.h:520
buf_advance
static bool buf_advance(struct buffer *buf, int size)
Definition buffer.h:618
BLEN
#define BLEN(buf)
Definition buffer.h:127
gc_free
static void gc_free(struct gc_arena *a)
Definition buffer.h:1033
buf_init
#define buf_init(buf, offset)
Definition buffer.h:209
gc_new
static struct gc_arena gc_new(void)
Definition buffer.h:1025
client_nat_transform
void client_nat_transform(const struct client_nat_option_list *list, struct buffer *ipbuf, const int direction)
Definition clinat.c:193
CN_INCOMING
#define CN_INCOMING
Definition clinat.h:32
CN_OUTGOING
#define CN_OUTGOING
Definition clinat.h:31
counter_type
uint64_t counter_type
Definition common.h:30
interval_t
int interval_t
Definition common.h:36
PUSH_REQUEST_INTERVAL
#define PUSH_REQUEST_INTERVAL
Definition common.h:93
BIG_TIMEOUT
#define BIG_TIMEOUT
Definition common.h:41
get_random
long int get_random(void)
Definition crypto.c:1757
dco_do_read
static int dco_do_read(dco_context_t *dco)
Definition dco.h:317
dco_event_set
static void dco_event_set(dco_context_t *dco, struct event_set *es, void *arg)
Definition dco.h:324
dco_update_keys
static bool dco_update_keys(dco_context_t *dco, struct tls_multi *multi)
Definition dco.h:337
dco_context_t
void * dco_context_t
Definition dco.h:267
dco_get_peer_stats
static int dco_get_peer_stats(struct context *c, const bool raise_sigusr1_on_err)
Definition dco.h:386
dhcp_extract_router_msg
in_addr_t dhcp_extract_router_msg(struct buffer *ipbuf)
Definition dhcp.c:149
D_TUN_RW
#define D_TUN_RW
Definition errlevel.h:114
D_TAP_WIN_DEBUG
#define D_TAP_WIN_DEBUG
Definition errlevel.h:115
D_PING
#define D_PING
Definition errlevel.h:144
D_EVENT_WAIT
#define D_EVENT_WAIT
Definition errlevel.h:162
D_INTERVAL
#define D_INTERVAL
Definition errlevel.h:158
D_STREAM_ERRORS
#define D_STREAM_ERRORS
Definition errlevel.h:63
D_DCO_DEBUG
#define D_DCO_DEBUG
Definition errlevel.h:118
D_PUSH_ERRORS
#define D_PUSH_ERRORS
Definition errlevel.h:67
D_LOW
#define D_LOW
Definition errlevel.h:97
M_INFO
#define M_INFO
Definition errlevel.h:55
D_SCHED_EXIT
#define D_SCHED_EXIT
Definition errlevel.h:89
D_ROUTE
#define D_ROUTE
Definition errlevel.h:80
D_LINK_ERRORS
#define D_LINK_ERRORS
Definition errlevel.h:57
D_LINK_RW
#define D_LINK_RW
Definition errlevel.h:113
DCO_READ
#define DCO_READ
Definition event.h:76
MANAGEMENT_SHIFT
#define MANAGEMENT_SHIFT
Definition event.h:70
SOCKET_SHIFT
#define SOCKET_SHIFT
Definition event.h:61
TUN_WRITE
#define TUN_WRITE
Definition event.h:66
SOCKET_READ
#define SOCKET_READ
Definition event.h:62
MANAGEMENT_READ
#define MANAGEMENT_READ
Definition event.h:71
MANAGEMENT_WRITE
#define MANAGEMENT_WRITE
Definition event.h:72
event_wait
static int event_wait(struct event_set *es, const struct timeval *tv, struct event_set_return *out, int outlen)
Definition event.h:187
ES_ERROR
#define ES_ERROR
Definition event.h:68
SOCKET_WRITE
#define SOCKET_WRITE
Definition event.h:63
ES_TIMEOUT
#define ES_TIMEOUT
Definition event.h:69
EVENT_WRITE
#define EVENT_WRITE
Definition event.h:40
MULTI_N
#define MULTI_N
Definition event.h:89
TUN_SHIFT
#define TUN_SHIFT
Definition event.h:64
EVENT_READ
#define EVENT_READ
Definition event.h:39
FILE_SHIFT
#define FILE_SHIFT
Definition event.h:73
TUN_READ
#define TUN_READ
Definition event.h:65
event_reset
static void event_reset(struct event_set *es)
Definition event.h:169
wait_signal
static void wait_signal(struct event_set *es, void *arg)
Definition event.h:206
DCO_SHIFT
#define DCO_SHIFT
Definition event.h:75
ERR_SHIFT
#define ERR_SHIFT
Definition event.h:67
EVENT_ARG_LINK_SOCKET
@ EVENT_ARG_LINK_SOCKET
Definition event.h:137
event_ctl
static void event_ctl(struct event_set *es, event_t event, unsigned int rwflags, void *arg)
Definition event.h:181
link_write_bytes_global
counter_type link_write_bytes_global
Definition forward.c:51
check_inactivity_timeout
static void check_inactivity_timeout(struct context *c)
Definition forward.c:489
reschedule_multi_process
void reschedule_multi_process(struct context *c)
Reschedule tls_multi_process.
Definition forward.c:403
get_server_poll_remaining_time
int get_server_poll_remaining_time(struct event_timeout *server_poll_timeout)
Definition forward.c:509
check_fragment
static void check_fragment(struct context *c)
Definition forward.c:577
check_tls_errors
static void check_tls_errors(struct context *c)
Definition forward.c:103
check_scheduled_exit
static void check_scheduled_exit(struct context *c)
Definition forward.c:554
MAX_ICMPV6LEN
#define MAX_ICMPV6LEN
check_session_timeout
static void check_session_timeout(struct context *c)
Definition forward.c:712
send_control_channel_string_dowork
bool send_control_channel_string_dowork(struct tls_session *session, const char *str, int msglevel)
Definition forward.c:381
process_io
void process_io(struct context *c, struct link_socket *sock)
Definition forward.c:2387
context_reschedule_sec
static void context_reschedule_sec(struct context *c, int sec)
Definition forward.c:136
check_timeout_random_component
static void check_timeout_random_component(struct context *c)
Definition forward.c:874
schedule_exit
bool schedule_exit(struct context *c)
Definition forward.c:533
process_coarse_timers
static void process_coarse_timers(struct context *c)
Definition forward.c:727
check_connection_established
static void check_connection_established(struct context *c)
Definition forward.c:339
check_timeout_random_component_dowork
static void check_timeout_random_component_dowork(struct context *c)
Definition forward.c:863
send_control_channel_string
bool send_control_channel_string(struct context *c, const char *str, int msglevel)
Definition forward.c:410
buffer_turnover
static void buffer_turnover(const uint8_t *orig_buf, struct buffer *dest_stub, struct buffer *src_stub, struct buffer *storage)
Definition forward.c:606
check_tls_errors_nco
static void check_tls_errors_nco(struct context *c)
Definition forward.c:93
ipv6_send_icmp_unreachable
void ipv6_send_icmp_unreachable(struct context *c, struct buffer *buf, bool client)
Forges a IPv6 ICMP packet with a no route to host error code from the IPv6 packet in buf and sends it...
Definition forward.c:1532
get_io_flags_udp
void get_io_flags_udp(struct context *c, struct multi_io *multi_io, const unsigned int flags)
Definition forward.c:2201
multi_io_process_flags
static void multi_io_process_flags(struct context *c, struct event_set *es, const unsigned int flags, unsigned int *out_socket, unsigned int *out_tuntap)
Definition forward.c:2063
pre_select
void pre_select(struct context *c)
Definition forward.c:1997
check_incoming_control_channel
static void check_incoming_control_channel(struct context *c)
Definition forward.c:289
check_add_routes
static void check_add_routes(struct context *c)
Definition forward.c:442
check_server_poll_timeout
static void check_server_poll_timeout(struct context *c)
Definition forward.c:517
parse_incoming_control_channel_command
static void parse_incoming_control_channel_command(struct context *c, struct buffer *buf)
Definition forward.c:240
socks_postprocess_incoming_link
static void socks_postprocess_incoming_link(struct context *c, struct link_socket *sock)
Definition forward.c:892
check_push_request
static void check_push_request(struct context *c)
Definition forward.c:321
process_incoming_link
static void process_incoming_link(struct context *c, struct link_socket *sock)
Definition forward.c:1233
check_tls_errors_co
static void check_tls_errors_co(struct context *c)
Definition forward.c:86
socks_preprocess_outgoing_link
static void socks_preprocess_outgoing_link(struct context *c, struct link_socket *sock, struct link_socket_actual **to_addr, int *size_delta)
Definition forward.c:901
link_socket_write_post_size_adjust
static void link_socket_write_post_size_adjust(int *size, int size_delta, struct buffer *buf)
Definition forward.c:915
get_io_flags_dowork_udp
void get_io_flags_dowork_udp(struct context *c, struct multi_io *multi_io, const unsigned int flags)
Definition forward.c:2192
context_immediate_reschedule
static void context_immediate_reschedule(struct context *c)
Definition forward.c:129
check_add_routes_action
static void check_add_routes_action(struct context *c, const bool errors)
Definition forward.c:427
drop_if_recursive_routing
static void drop_if_recursive_routing(struct context *c, struct buffer *buf)
Drops UDP packets which OS decided to route via tun.
Definition forward.c:1386
link_read_bytes_global
counter_type link_read_bytes_global
Definition forward.c:50
check_coarse_timers
static void check_coarse_timers(struct context *c)
Definition forward.c:839
check_dco_key_status
void check_dco_key_status(struct context *c)
Definition forward.c:150
io_wait_dowork
void io_wait_dowork(struct context *c, const unsigned int flags)
Definition forward.c:2254
process_incoming_dco
static void process_incoming_dco(struct context *c)
Definition forward.c:1247
process_ip_header
void process_ip_header(struct context *c, unsigned int flags, struct buffer *buf, struct link_socket *sock)
Definition forward.c:1658
check_tls
static void check_tls(struct context *c)
Definition forward.c:183
check_status_file
static void check_status_file(struct context *c)
Definition forward.c:563
forward.h
Interface functions to the internal and external multiplexers.
PIP_MSSFIX
#define PIP_MSSFIX
Definition forward.h:307
PIPV4_CLIENT_NAT
#define PIPV4_CLIENT_NAT
Definition forward.h:310
IOW_WAIT_SIGNAL
#define IOW_WAIT_SIGNAL
Definition forward.h:64
IOW_READ_TUN
#define IOW_READ_TUN
Definition forward.h:57
PIPV4_EXTRACT_DHCP_ROUTER
#define PIPV4_EXTRACT_DHCP_ROUTER
Definition forward.h:309
PIPV6_ICMP_NOHOST_SERVER
#define PIPV6_ICMP_NOHOST_SERVER
Definition forward.h:312
PIPV6_ICMP_NOHOST_CLIENT
#define PIPV6_ICMP_NOHOST_CLIENT
Definition forward.h:311
IOW_SHAPER
#define IOW_SHAPER
Definition forward.h:59
IOW_FRAG
#define IOW_FRAG
Definition forward.h:61
IOW_MBUF
#define IOW_MBUF
Definition forward.h:62
get_link_socket_info
static struct link_socket_info * get_link_socket_info(struct context *c)
Definition forward.h:321
IOW_READ_LINK
#define IOW_READ_LINK
Definition forward.h:58
IOW_CHECK_RESIDUAL
#define IOW_CHECK_RESIDUAL
Definition forward.h:60
TO_LINK_FRAG
#define TO_LINK_FRAG(c)
Definition forward.h:43
connection_established
static bool connection_established(struct context *c)
Definition forward.h:430
register_activity
static void register_activity(struct context *c, const int size)
Definition forward.h:334
IOW_TO_TUN
#define IOW_TO_TUN
Definition forward.h:55
PIPV4_PASSTOS
#define PIPV4_PASSTOS
Definition forward.h:306
IOW_READ_TUN_FORCE
#define IOW_READ_TUN_FORCE
Definition forward.h:63
PIP_OUTGOING
#define PIP_OUTGOING
Definition forward.h:308
IOW_TO_LINK
#define IOW_TO_LINK
Definition forward.h:56
KS_PRIMARY
#define KS_PRIMARY
Primary key state index.
Definition ssl_common.h:456
TM_ACTIVE
#define TM_ACTIVE
Active tls_session.
Definition ssl_common.h:535
encrypt_sign
void encrypt_sign(struct context *c, bool comp_frag)
Process a data channel packet that will be sent through a VPN tunnel.
Definition forward.c:625
tls_post_encrypt
void tls_post_encrypt(struct tls_multi *multi, struct buffer *buf)
Perform some accounting for the key state used.
Definition ssl.c:4136
openvpn_encrypt
void openvpn_encrypt(struct buffer *buf, struct buffer work, struct crypto_options *opt)
Encrypt and HMAC sign a packet so that it can be sent as a data channel VPN tunnel packet to a remote...
Definition crypto.c:336
tls_prepend_opcode_v1
void tls_prepend_opcode_v1(const struct tls_multi *multi, struct buffer *buf)
Prepend a one-byte OpenVPN data channel P_DATA_V1 opcode to the packet.
Definition ssl.c:4107
tls_pre_encrypt
void tls_pre_encrypt(struct tls_multi *multi, struct buffer *buf, struct crypto_options **opt)
Choose the appropriate security parameters with which to process an outgoing packet.
Definition ssl.c:4074
tls_prepend_opcode_v2
void tls_prepend_opcode_v2(const struct tls_multi *multi, struct buffer *buf)
Prepend an OpenVPN data channel P_DATA_V2 header to the packet.
Definition ssl.c:4121
openvpn_decrypt
bool openvpn_decrypt(struct buffer *buf, struct buffer work, struct crypto_options *opt, const struct frame *frame, const uint8_t *ad_start)
HMAC verify and decrypt a data channel packet received from a remote OpenVPN peer.
Definition crypto.c:794
process_incoming_link_part1
bool process_incoming_link_part1(struct context *c, struct link_socket_info *lsi, bool floated)
Starts processing a packet read from the external network interface.
Definition forward.c:1000
process_incoming_link_part2
void process_incoming_link_part2(struct context *c, struct link_socket_info *lsi, const uint8_t *orig_buf)
Continues processing a packet read from the external network interface.
Definition forward.c:1150
process_outgoing_link
void process_outgoing_link(struct context *c, struct link_socket *sock)
Write a packet to the external network interface.
Definition forward.c:1744
read_incoming_link
void read_incoming_link(struct context *c, struct link_socket *sock)
Read a packet from the external network interface.
Definition forward.c:934
tls_pre_decrypt
bool tls_pre_decrypt(struct tls_multi *multi, const struct link_socket_actual *from, struct buffer *buf, struct crypto_options **opt, bool floated, const uint8_t **ad_start)
Determine whether an incoming packet is a data channel or control channel packet, and process accordi...
Definition ssl.c:3682
fragment_housekeeping
static void fragment_housekeeping(struct fragment_master *f, struct frame *frame, struct timeval *tv)
Perform housekeeping of a fragment_master structure.
Definition fragment.h:465
fragment_outgoing_defined
static bool fragment_outgoing_defined(struct fragment_master *f)
Check whether a fragment_master structure contains fragments ready to be sent.
Definition fragment.h:438
fragment_outgoing
void fragment_outgoing(struct fragment_master *f, struct buffer *buf, const struct frame *frame)
Process an outgoing packet, which may or may not need to be fragmented.
Definition fragment.c:321
fragment_incoming
void fragment_incoming(struct fragment_master *f, struct buffer *buf, const struct frame *frame)
Process an incoming packet, which may or may not be fragmented.
Definition fragment.c:136
fragment_ready_to_send
bool fragment_ready_to_send(struct fragment_master *f, struct buffer *buf, const struct frame *frame)
Check whether outgoing fragments are ready to be send, and if so make one available.
Definition fragment.c:376
read_incoming_tun
void read_incoming_tun(struct context *c)
Read a packet from the virtual tun/tap network interface.
Definition forward.c:1299
process_incoming_tun
void process_incoming_tun(struct context *c, struct link_socket *out_sock)
Process a packet read from the virtual tun/tap network interface.
Definition forward.c:1464
process_outgoing_tun
void process_outgoing_tun(struct context *c, struct link_socket *in_sock)
Write a packet to the virtual tun/tap network interface.
Definition forward.c:1901
initialization_sequence_completed
void initialization_sequence_completed(struct context *c, const unsigned int flags)
Definition init.c:1590
reset_coarse_timers
void reset_coarse_timers(struct context *c)
Definition init.c:1342
do_up
bool do_up(struct context *c, bool pulled_options, unsigned int option_types_found)
Definition init.c:2457
do_route
bool do_route(const struct options *options, struct route_list *route_list, struct route_ipv6_list *route_ipv6_list, const struct tuntap *tt, const struct plugin_list *plugins, struct env_set *es, openvpn_net_ctx_t *ctx)
Definition init.c:1717
ISC_ERRORS
#define ISC_ERRORS
Definition init.h:115
ISC_ROUTE_ERRORS
#define ISC_ROUTE_ERRORS
Definition init.h:117
min_int
static int min_int(int x, int y)
Definition integer.h:102
max_int
static int max_int(int x, int y)
Definition integer.h:89
status
static SERVICE_STATUS status
Definition interactive.c:53
event_timeout_trigger
bool event_timeout_trigger(struct event_timeout *et, struct timeval *tv, const int et_const_retry)
This is the principal function for testing and triggering recurring timers.
Definition interval.c:43
ETT_DEFAULT
#define ETT_DEFAULT
Definition interval.h:224
interval_future_trigger
static void interval_future_trigger(struct interval *top, interval_t wakeup)
Definition interval.h:108
event_timeout_reset
static void event_timeout_reset(struct event_timeout *et)
Resets a timer.
Definition interval.h:189
interval_action
static void interval_action(struct interval *top)
Definition interval.h:124
event_timeout_defined
static bool event_timeout_defined(const struct event_timeout *et)
Definition interval.h:144
event_timeout_init
static void event_timeout_init(struct event_timeout *et, interval_t n, const time_t last)
Initialises a timer struct.
Definition interval.h:174
event_timeout_clear
static void event_timeout_clear(struct event_timeout *et)
Clears the timeout and reset all values to 0.
Definition interval.h:155
interval_schedule_wakeup
static void interval_schedule_wakeup(struct interval *top, interval_t *wakeup)
Definition interval.h:94
event_timeout_modify_wakeup
static void event_timeout_modify_wakeup(struct event_timeout *et, interval_t n)
Sets the interval n of a timeout.
Definition interval.h:206
interval_test
static bool interval_test(struct interval *top)
Definition interval.h:66
event_timeout_remaining
static interval_t event_timeout_remaining(struct event_timeout *et)
Returns the time until the timeout should triggered, from now.
Definition interval.h:219
management_check_bytecount
void management_check_bytecount(struct context *c, struct management *man, struct timeval *timeval)
Definition manage.c:4141
management_socket_set
void management_socket_set(struct management *man, struct event_set *es, void *arg, unsigned int *persistent)
Definition manage.c:3127
management_set_state
void management_set_state(struct management *man, const int state, const char *detail, const in_addr_t *tun_local_ip, const struct in6_addr *tun_local_ip6, const struct openvpn_sockaddr *local, const struct openvpn_sockaddr *remote)
Definition manage.c:2749
management_io
void management_io(struct management *man)
Definition manage.c:3167
management_sleep
void management_sleep(const int n)
A sleep function that services the management layer for n seconds rather than doing nothing.
Definition manage.c:4117
management_bytes_server
static void management_bytes_server(struct management *man, const counter_type *bytes_in_total, const counter_type *bytes_out_total, struct man_def_auth_context *mdac)
Definition manage.h:539
management_bytes_client
static void management_bytes_client(struct management *man, const int size_in, const int size_out)
Definition manage.h:522
OPENVPN_STATE_GET_CONFIG
#define OPENVPN_STATE_GET_CONFIG
Definition manage.h:480
sanitize_control_message
const char * sanitize_control_message(const char *src, struct gc_arena *gc)
Definition misc.c:670
mss_fixup_ipv6
void mss_fixup_ipv6(struct buffer *buf, uint16_t maxmss)
Definition mss.c:87
mss_fixup_ipv4
void mss_fixup_ipv4(struct buffer *buf, uint16_t maxmss)
Definition mss.c:47
frame_adjust_path_mtu
void frame_adjust_path_mtu(struct context *c)
Checks and adjusts the fragment and mssfix value according to the discovered path mtu value.
Definition mss.c:355
process_received_occ_msg
void process_received_occ_msg(struct context *c)
Definition occ.c:363
check_send_occ_msg
static void check_send_occ_msg(struct context *c)
Definition occ.h:140
is_occ_msg
static bool is_occ_msg(const struct buffer *buf)
Definition occ.h:83
check_send_occ_req
static void check_send_occ_req(struct context *c)
Definition occ.h:110
check_send_occ_load_test
static void check_send_occ_load_test(struct context *c)
Definition occ.h:125
CLEAR
#define CLEAR(x)
Definition basic.h:33
SIZE
#define SIZE(x)
Definition basic.h:30
M_NOPREFIX
#define M_NOPREFIX
Definition error.h:97
check_debug_level
static bool check_debug_level(unsigned int level)
Definition error.h:220
dmsg
#define dmsg(flags,...)
Definition error.h:148
openvpn_errno
#define openvpn_errno()
Definition error.h:72
msg
#define msg(flags,...)
Definition error.h:144
ASSERT
#define ASSERT(x)
Definition error.h:195
M_WARN
#define M_WARN
Definition error.h:91
check_status
static void check_status(int status, const char *description, struct link_socket *sock, struct tuntap *tt)
Definition error.h:277
TLS_MODE
#define TLS_MODE(c)
Definition openvpn.h:536
PROTO_DUMP
#define PROTO_DUMP(buf, gc)
Definition openvpn.h:538
MODE_POINT_TO_POINT
#define MODE_POINT_TO_POINT
Definition options.h:258
MODE_SERVER
#define MODE_SERVER
Definition options.h:259
dco_enabled
static bool dco_enabled(const struct options *o)
Returns whether the current configuration has dco enabled.
Definition options.h:929
now
time_t now
Definition otime.c:34
tv_string
const char * tv_string(const struct timeval *tv, struct gc_arena *gc)
Definition otime.c:82
update_time
static void update_time(void)
Definition otime.h:77
tv_add
static void tv_add(struct timeval *dest, const struct timeval *src)
Definition otime.h:132
OVPN_CMD_SWAP_KEYS
@ OVPN_CMD_SWAP_KEYS
Definition ovpn_dco_linux.h:44
OVPN_CMD_DEL_PEER
@ OVPN_CMD_DEL_PEER
@OVPN_CMD_DEL_PEER: Remove peer from internal table
Definition ovpn_dco_linux.h:40
OVPN_DEL_PEER_REASON_EXPIRED
@ OVPN_DEL_PEER_REASON_EXPIRED
Definition ovpn_dco_linux.h:73
packet_id_persist_save
void packet_id_persist_save(struct packet_id_persist *p)
Definition packet_id.c:519
packet_id_persist_enabled
static bool packet_id_persist_enabled(const struct packet_id_persist *p)
Definition packet_id.h:282
perf_push
static void perf_push(int type)
Definition perf.h:78
PERF_PROC_OUT_TUN
#define PERF_PROC_OUT_TUN
Definition perf.h:56
PERF_PROC_OUT_LINK
#define PERF_PROC_OUT_LINK
Definition perf.h:55
PERF_PROC_IN_TUN
#define PERF_PROC_IN_TUN
Definition perf.h:54
PERF_PROC_IN_LINK
#define PERF_PROC_IN_LINK
Definition perf.h:52
perf_pop
static void perf_pop(void)
Definition perf.h:82
PERF_READ_IN_TUN
#define PERF_READ_IN_TUN
Definition perf.h:53
PERF_READ_IN_LINK
#define PERF_READ_IN_LINK
Definition perf.h:51
trigger_ping_timeout_signal
void trigger_ping_timeout_signal(struct context *c)
Trigger the correct signal on a –ping timeout depending if –ping-exit is set (SIGTERM) or not (SIGUSR...
Definition ping.c:48
check_ping_restart
static void check_ping_restart(struct context *c)
Definition ping.h:60
is_ping_msg
static bool is_ping_msg(const struct buffer *buf)
Definition ping.h:41
check_ping_send
static void check_ping_send(struct context *c)
Definition ping.h:77
is_ipv4
bool is_ipv4(int tunnel_type, struct buffer *buf)
Definition proto.c:111
is_ipv6
bool is_ipv6(int tunnel_type, struct buffer *buf)
Definition proto.c:116
ip_checksum
uint16_t ip_checksum(const sa_family_t af, const uint8_t *payload, const int len_payload, const uint8_t *src_addr, const uint8_t *dest_addr, const int proto)
Calculates an IP or IPv6 checksum with a pseudo header as required by TCP, UDP and ICMPv6.
Definition proto.c:123
get_tun_ip_ver
static int get_tun_ip_ver(int tunnel_type, struct buffer *buf, int *ip_hdr_offset)
Definition proto.h:241
DEV_TYPE_TAP
#define DEV_TYPE_TAP
Definition proto.h:37
OPENVPN_ETH_ALEN
#define OPENVPN_ETH_ALEN
Definition proto.h:53
OPENVPN_ETH_P_IPV6
#define OPENVPN_ETH_P_IPV6
Definition proto.h:60
OPENVPN_IPPROTO_ICMPV6
#define OPENVPN_IPPROTO_ICMPV6
Definition proto.h:109
OPENVPN_IN6_ARE_ADDR_EQUAL
#define OPENVPN_IN6_ARE_ADDR_EQUAL(a, b)
Version of IN6_ARE_ADDR_EQUAL that is guaranteed to work for unaligned access.
Definition proto.h:89
OPENVPN_ICMP6_DESTINATION_UNREACHABLE
#define OPENVPN_ICMP6_DESTINATION_UNREACHABLE
Definition proto.h:136
OPENVPN_ICMP6_DU_NOROUTE
#define OPENVPN_ICMP6_DU_NOROUTE
Definition proto.h:144
receive_auth_pending
void receive_auth_pending(struct context *c, const struct buffer *buffer)
Parses an AUTH_PENDING message and if in pull mode extends the timeout.
Definition push.c:341
receive_auth_failed
void receive_auth_failed(struct context *c, const struct buffer *buffer)
Definition push.c:51
server_pushed_signal
void server_pushed_signal(struct context *c, const struct buffer *buffer, const bool restart, const int adv)
Definition push.c:133
receive_cr_response
void receive_cr_response(struct context *c, const struct buffer *buffer)
Definition push.c:266
send_auth_failed
void send_auth_failed(struct context *c, const char *client_reason)
Definition push.c:397
receive_exit_message
void receive_exit_message(struct context *c)
Definition push.c:193
send_push_request
bool send_push_request(struct context *c)
Definition push.c:552
incoming_push_message
void incoming_push_message(struct context *c, const struct buffer *buffer)
Definition push.c:507
server_pushed_info
void server_pushed_info(const struct buffer *buffer, const int adv)
Definition push.c:229
test_routes
bool test_routes(const struct route_list *rl, const struct tuntap *tt)
Definition route.c:2647
show_routes
void show_routes(int msglev)
Definition route.c:3308
route_list_add_vpn_gateway
void route_list_add_vpn_gateway(struct route_list *rl, struct env_set *es, const in_addr_t addr)
Definition route.c:557
shaper_soonest_event
bool shaper_soonest_event(struct timeval *tv, int delay)
Definition shaper.c:37
shaper_wrote_bytes
static void shaper_wrote_bytes(struct shaper *s, int nbytes)
Definition shaper.h:122
shaper_delay
static int shaper_delay(struct shaper *s)
Definition shaper.h:97
print_status
void print_status(struct context *c, struct status_output *so)
Definition sig.c:484
process_explicit_exit_notification_timer_wakeup
void process_explicit_exit_notification_timer_wakeup(struct context *c)
Definition sig.c:567
register_signal
void register_signal(struct signal_info *si, int signum, const char *signal_text)
Register a soft signal in the signal_info struct si respecting priority.
Definition sig.c:231
IS_SIG
#define IS_SIG(c)
Definition sig.h:48
get_signal
static void get_signal(volatile int *sig)
Copy the global signal_received (if non-zero) to the passed-in argument sig.
Definition sig.h:110
proto2ascii
const char * proto2ascii(int proto, sa_family_t af, bool display_form)
Definition socket.c:3196
socket_stat
const char * socket_stat(const struct link_socket *s, unsigned int rwflags, struct gc_arena *gc)
Definition socket.c:2595
print_link_socket_actual
const char * print_link_socket_actual(const struct link_socket_actual *act, struct gc_arena *gc)
Definition socket.c:2893
sockethandle_finalize
int sockethandle_finalize(sockethandle_t sh, struct overlapped_io *io, struct buffer *buf, struct link_socket_actual *from)
Definition socket.c:3905
socket_set
unsigned int socket_set(struct link_socket *s, struct event_set *es, unsigned int rwflags, void *arg, unsigned int *persistent)
Definition socket.c:4000
link_socket_bad_incoming_addr
void link_socket_bad_incoming_addr(struct buffer *buf, const struct link_socket_info *info, const struct link_socket_actual *from_addr)
Definition socket.c:2492
sockets_read_residual
bool sockets_read_residual(const struct context *c)
Definition socket.c:46
link_socket_actual_defined
static bool link_socket_actual_defined(const struct link_socket_actual *act)
Definition socket.h:726
datagram_overhead
static int datagram_overhead(sa_family_t af, int proto)
Definition socket.h:629
link_socket_write
static ssize_t link_socket_write(struct link_socket *sock, struct buffer *buf, struct link_socket_actual *to)
Definition socket.h:1196
link_socket_connection_oriented
static bool link_socket_connection_oriented(const struct link_socket *sock)
Definition socket.h:648
PROTO_UDP
@ PROTO_UDP
Definition socket.h:568
socket_connection_reset
static bool socket_connection_reset(const struct link_socket *sock, int status)
Definition socket.h:912
link_socket_verify_incoming_addr
static bool link_socket_verify_incoming_addr(struct buffer *buf, const struct link_socket_info *info, const struct link_socket_actual *from_addr)
Definition socket.h:935
link_socket_set_outgoing_addr
static void link_socket_set_outgoing_addr(struct link_socket_info *info, const struct link_socket_actual *act, const char *common_name, struct env_set *es)
Definition socket.h:984
link_socket_read
static int link_socket_read(struct link_socket *sock, struct buffer *buf, struct link_socket_actual *from)
Definition socket.h:1066
link_socket_get_outgoing_addr
static void link_socket_get_outgoing_addr(struct buffer *buf, const struct link_socket_info *info, struct link_socket_actual **act)
Definition socket.h:963
socks_process_outgoing_udp
int socks_process_outgoing_udp(struct buffer *buf, const struct link_socket_actual *to)
Definition socks.c:603
socks_process_incoming_udp
void socks_process_incoming_udp(struct buffer *buf, struct link_socket_actual *from)
Definition socks.c:564
tls_send_payload
bool tls_send_payload(struct key_state *ks, const uint8_t *data, int size)
Definition ssl.c:4156
tls_rec_payload
bool tls_rec_payload(struct tls_multi *multi, struct buffer *buf)
Definition ssl.c:4190
tls_session_soft_reset
void tls_session_soft_reset(struct tls_multi *tls_multi)
Definition ssl.c:1842
tls_multi_process
int tls_multi_process(struct tls_multi *multi, struct buffer *to_link, struct link_socket_actual **to_link_addr, struct link_socket_info *to_link_socket_info, interval_t *wakeup)
Definition ssl.c:3309
TLSMP_RECONNECT
#define TLSMP_RECONNECT
Definition ssl.h:231
TLSMP_ACTIVE
#define TLSMP_ACTIVE
Definition ssl.h:229
tls_initial_packet_received
static bool tls_initial_packet_received(const struct tls_multi *multi)
Definition ssl.h:503
tls_set_single_session
static void tls_set_single_session(struct tls_multi *multi)
Definition ssl.h:523
TLSMP_KILL
#define TLSMP_KILL
Definition ssl.h:230
tls_test_payload_len
static int tls_test_payload_len(const struct tls_multi *multi)
Definition ssl.h:509
CAS_CONNECT_DONE
@ CAS_CONNECT_DONE
Definition ssl_common.h:579
extract_command_buffer
struct buffer extract_command_buffer(struct buffer *buf, struct gc_arena *gc)
Extracts a control channel message from buf and adjusts the size of buf after the message has been ex...
Definition ssl_pkt.c:562
P_DATA_V1
#define P_DATA_V1
Definition ssl_pkt.h:48
P_OPCODE_SHIFT
#define P_OPCODE_SHIFT
Definition ssl_pkt.h:40
ssl_verify.h
Control Channel Verification Module.
buffer
Wrapper structure for dynamically allocated memory.
Definition buffer.h:61
buffer::data
uint8_t * data
Pointer to the allocated memory.
Definition buffer.h:68
buffer::len
int len
Length in bytes of the actual content within the allocated memory.
Definition buffer.h:66
connection_entry::mssfix
int mssfix
Definition options.h:142
connection_entry::connect_timeout
int connect_timeout
Definition options.h:119
context_1::status_output
struct status_output * status_output
Definition openvpn.h:184
context_1::route_list
struct route_list * route_list
List of routing information.
Definition openvpn.h:176
context_1::link_sockets_num
int link_sockets_num
Definition openvpn.h:157
context_1::route_ipv6_list
struct route_ipv6_list * route_ipv6_list
Definition openvpn.h:181
context_1::pid_persist
struct packet_id_persist pid_persist
Definition openvpn.h:169
context_1::tuntap
struct tuntap * tuntap
Tun/tap virtual network interface.
Definition openvpn.h:171
context_2::link_read_bytes
counter_type link_read_bytes
Definition openvpn.h:266
context_2::link_write_bytes
counter_type link_write_bytes
Definition openvpn.h:269
context_2::server_poll_interval
struct event_timeout server_poll_interval
Definition openvpn.h:408
context_2::max_recv_size_local
int max_recv_size_local
Definition openvpn.h:308
context_2::fragment
struct fragment_master * fragment
Definition openvpn.h:252
context_2::update_timeout_random_component
time_t update_timeout_random_component
Definition openvpn.h:403
context_2::event_set_status
unsigned int event_set_status
Definition openvpn.h:235
context_2::route_wakeup_expire
struct event_timeout route_wakeup_expire
Definition openvpn.h:384
context_2::ping_send_interval
struct event_timeout ping_send_interval
Definition openvpn.h:283
context_2::max_send_size_local
int max_send_size_local
Definition openvpn.h:310
context_2::did_open_tun
bool did_open_tun
Definition openvpn.h:387
context_2::timeout_random_component
struct timeval timeout_random_component
Definition openvpn.h:404
context_2::tun_read_bytes
counter_type tun_read_bytes
Definition openvpn.h:264
context_2::mda_context
struct man_def_auth_context mda_context
Definition openvpn.h:453
context_2::scheduled_exit
struct event_timeout scheduled_exit
Definition openvpn.h:447
context_2::es
struct env_set * es
Definition openvpn.h:420
context_2::tmp_int
struct interval tmp_int
Definition openvpn.h:344
context_2::auth_token_renewal_interval
struct event_timeout auth_token_renewal_interval
Definition openvpn.h:293
context_2::wait_for_connect
struct event_timeout wait_for_connect
Definition openvpn.h:282
context_2::shaper
struct shaper shaper
Definition openvpn.h:259
context_2::push_request_interval
struct event_timeout push_request_interval
Definition openvpn.h:439
context_2::tls_multi
struct tls_multi * tls_multi
TLS state structure for this VPN tunnel.
Definition openvpn.h:323
context_2::coarse_timer_wakeup
time_t coarse_timer_wakeup
Definition openvpn.h:399
context_2::scheduled_exit_signal
int scheduled_exit_signal
Definition openvpn.h:448
context_2::frame
struct frame frame
Definition openvpn.h:248
context_2::from
struct link_socket_actual from
Definition openvpn.h:245
context_2::frame_fragment
struct frame frame_fragment
Definition openvpn.h:253
context_2::to_link
struct buffer to_link
Definition openvpn.h:377
context_2::inactivity_bytes
int64_t inactivity_bytes
Definition openvpn.h:288
context_2::crypto_options
struct crypto_options crypto_options
Security parameters and crypto state used by the Data Channel Crypto module to process data channel p...
Definition openvpn.h:349
context_2::to_tun
struct buffer to_tun
Definition openvpn.h:376
context_2::tun_write_bytes
counter_type tun_write_bytes
Definition openvpn.h:265
context_2::link_sockets
struct link_socket ** link_sockets
Definition openvpn.h:237
context_2::link_read_bytes_auth
counter_type link_read_bytes_auth
Definition openvpn.h:268
context_2::packet_id_persist_interval
struct event_timeout packet_id_persist_interval
Definition openvpn.h:355
context_2::to_link_addr
struct link_socket_actual * to_link_addr
Definition openvpn.h:244
context_2::session_interval
struct event_timeout session_interval
Definition openvpn.h:290
context_2::original_recv_size
int original_recv_size
Definition openvpn.h:307
context_2::buf
struct buffer buf
Definition openvpn.h:375
context_2::timeval
struct timeval timeval
Time to next event of timers and similar.
Definition openvpn.h:396
context_2::explicit_exit_notification_time_wait
time_t explicit_exit_notification_time_wait
Definition openvpn.h:416
context_2::log_rw
bool log_rw
Definition openvpn.h:380
context_2::fast_io
bool fast_io
Definition openvpn.h:424
context_2::event_set
struct event_set * event_set
Definition openvpn.h:230
context_2::buffers
struct context_buffers * buffers
Definition openvpn.h:367
context_2::route_wakeup
struct event_timeout route_wakeup
Definition openvpn.h:383
context_2::tls_exit_signal
int tls_exit_signal
Definition openvpn.h:347
context_2::inactivity_interval
struct event_timeout inactivity_interval
Definition openvpn.h:287
context_2::ping_rec_interval
struct event_timeout ping_rec_interval
Definition openvpn.h:284
context_buffers
Definition openvpn.h:95
context_buffers::read_link_buf
struct buffer read_link_buf
Definition openvpn.h:113
context_buffers::encrypt_buf
struct buffer encrypt_buf
Definition openvpn.h:100
context_buffers::read_tun_buf
struct buffer read_tun_buf
Definition openvpn.h:114
context_buffers::decrypt_buf
struct buffer decrypt_buf
Definition openvpn.h:101
context_persist::restart_sleep_seconds
int restart_sleep_seconds
Definition openvpn.h:122
context
Contains all state information for one tunnel.
Definition openvpn.h:474
context::sig
struct signal_info * sig
Internal error signaling object.
Definition openvpn.h:500
context::net_ctx
openvpn_net_ctx_t net_ctx
Networking API opaque context.
Definition openvpn.h:498
context::plugins
struct plugin_list * plugins
List of plug-ins.
Definition openvpn.h:502
context::c2
struct context_2 c2
Level 2 context.
Definition openvpn.h:514
context::options
struct options options
Options loaded from command line or configuration file.
Definition openvpn.h:475
context::c1
struct context_1 c1
Level 1 context.
Definition openvpn.h:513
context::persist
struct context_persist persist
Persistent context.
Definition openvpn.h:510
crypto_options
Security parameter state for processing data channel packets.
Definition crypto.h:292
event_arg
Definition event.h:142
event_arg::sock
struct link_socket * sock
Definition event.h:146
event_arg::type
event_arg_t type
Definition event.h:143
event_set_return
Definition event.h:125
event_set_return::rwflags
unsigned int rwflags
Definition event.h:126
event_set_return::arg
void * arg
Definition event.h:127
event_set
Definition event.h:131
event_timeout
Definition interval.h:137
event_timeout::n
interval_t n
periodic interval for periodic timeouts
Definition interval.h:139
frame::tun_mtu
int tun_mtu
the (user) configured tun-mtu.
Definition mtu.h:131
frame::payload_size
int payload_size
the maximum size that a payload that our buffers can hold from either tun device or network link.
Definition mtu.h:102
frame::headroom
int headroom
the headroom in the buffer, this is choosen to allow all potential header to be added before the pack...
Definition mtu.h:108
frame::buf
struct frame::@8 buf
gc_arena
Garbage collection arena used to keep track of dynamically allocated memory.
Definition buffer.h:117
key_state
Security parameter state of one TLS and data channel key session.
Definition ssl_common.h:200
link_socket_actual
Definition socket.h:87
link_socket_actual::dest
struct openvpn_sockaddr dest
Definition socket.h:90
link_socket_info
Definition socket.h:114
link_socket_info::mtu_changed
int mtu_changed
Definition socket.h:123
link_socket_info::af
sa_family_t af
Definition socket.h:121
link_socket_info::lsa
struct link_socket_addr * lsa
Definition socket.h:115
link_socket_info::proto
int proto
Definition socket.h:120
link_socket
Definition socket.h:178
link_socket::socks_relay
struct link_socket_actual socks_relay
Definition socket.h:242
link_socket::info
struct link_socket_info info
Definition socket.h:179
link_socket::socks_proxy
struct socks_proxy_info * socks_proxy
Definition socket.h:241
link_socket::ev_arg
struct event_arg ev_arg
this struct will store a pointer to either mi or link_socket, depending on the event type,...
Definition socket.h:181
multi_io
Definition multi_io.h:53
multi_io::es
struct event_set * es
Definition multi_io.h:54
multi_io::udp_flags
unsigned int udp_flags
Definition multi_io.h:59
openvpn_ethhdr
Definition proto.h:55
openvpn_ethhdr::dest
uint8_t dest[OPENVPN_ETH_ALEN]
Definition proto.h:56
openvpn_ethhdr::proto
uint16_t proto
Definition proto.h:63
openvpn_ethhdr::source
uint8_t source[OPENVPN_ETH_ALEN]
Definition proto.h:57
openvpn_icmp6hdr
Definition proto.h:135
openvpn_icmp6hdr::icmp6_type
uint8_t icmp6_type
Definition proto.h:143
openvpn_icmp6hdr::icmp6_cksum
uint16_t icmp6_cksum
Definition proto.h:147
openvpn_icmp6hdr::icmp6_code
uint8_t icmp6_code
Definition proto.h:146
openvpn_iphdr
Definition proto.h:92
openvpn_iphdr::daddr
uint32_t daddr
Definition proto.h:114
openvpn_ipv6hdr
Definition proto.h:121
openvpn_ipv6hdr::version_prio
uint8_t version_prio
Definition proto.h:122
openvpn_ipv6hdr::saddr
struct in6_addr saddr
Definition proto.h:128
openvpn_ipv6hdr::daddr
struct in6_addr daddr
Definition proto.h:129
openvpn_ipv6hdr::nexthdr
uint8_t nexthdr
Definition proto.h:125
openvpn_ipv6hdr::payload_len
uint16_t payload_len
Definition proto.h:124
openvpn_sockaddr
Definition socket.h:66
openvpn_sockaddr::addr
union openvpn_sockaddr::@20 addr
openvpn_sockaddr::sa
struct sockaddr sa
Definition socket.h:69
openvpn_sockaddr::in4
struct sockaddr_in in4
Definition socket.h:70
openvpn_sockaddr::in6
struct sockaddr_in6 in6
Definition socket.h:71
options::ifconfig_ipv6_remote
const char * ifconfig_ipv6_remote
Definition options.h:325
options::scheduled_exit_interval
int scheduled_exit_interval
Definition options.h:562
options::shaper
int shaper
Definition options.h:328
options::allow_recursive_routing
bool allow_recursive_routing
Definition options.h:719
options::inactivity_minimum_bytes
int64_t inactivity_minimum_bytes
Definition options.h:344
options::inactivity_timeout
int inactivity_timeout
Definition options.h:343
options::ce
struct connection_entry ce
Definition options.h:288
options::mode
int mode
Definition options.h:260
options::block_ipv6
bool block_ipv6
Definition options.h:436
options::ping_rec_timeout
int ping_rec_timeout
Definition options.h:349
options::ping_send_timeout
int ping_send_timeout
Definition options.h:348
options::route_gateway_via_dhcp
bool route_gateway_via_dhcp
Definition options.h:438
options::client_nat
struct client_nat_option_list * client_nat
Definition options.h:440
options::session_timeout
int session_timeout
Definition options.h:346
signal_info::signal_received
volatile int signal_received
Definition sig.h:43
sockethandle_t
Definition socket.h:285
sockethandle_t::is_handle
bool is_handle
Definition socket.h:290
status_output::et
struct event_timeout et
Definition status.h:61
tls_multi::n_hard_errors
int n_hard_errors
Definition ssl_common.h:623
tls_multi::multi_state
enum multi_status multi_state
Definition ssl_common.h:618
tls_multi::session
struct tls_session session[TM_SIZE]
Array of tls_session objects representing control channel sessions with the remote peer.
Definition ssl_common.h:681
tls_multi::client_reason
char * client_reason
Definition ssl_common.h:643
tls_multi::use_peer_id
bool use_peer_id
Definition ssl_common.h:673
tls_multi::dco_peer_id
int dco_peer_id
This is the handle that DCO uses to identify this session with the kernel.
Definition ssl_common.h:696
tls_multi::n_soft_errors
int n_soft_errors
Definition ssl_common.h:624
tls_session
Security parameter state of a single session within a VPN tunnel.
Definition ssl_common.h:480
tuntap
Definition tun.h:181
tuntap::backend_driver
enum tun_driver_type backend_driver
The backend driver that used for this tun/tap device.
Definition tun.h:191
tuntap::hand
HANDLE hand
Definition tun.h:216
tuntap::reads
struct overlapped_io reads
Definition tun.h:217
tuntap::dco
dco_context_t dco
Definition tun.h:249
tuntap::actual_name
char * actual_name
Definition tun.h:205
es
struct env_set * es
Definition test_pkcs11.c:141
gc
struct gc_arena gc
Definition test_ssl.c:155
tun_show_debug
void tun_show_debug(struct tuntap *tt)
Definition tun.c:6788
tun_stat
const char * tun_stat(const struct tuntap *tt, unsigned int rwflags, struct gc_arena *gc)
Definition tun.c:691
show_adapters
void show_adapters(int msglev)
Definition tun.c:5012
tun_standby
bool tun_standby(struct tuntap *tt)
Definition tun.c:5740
tuntap_abort
static bool tuntap_abort(int status)
Definition tun.h:513
read_wintun
static void read_wintun(struct tuntap *tt, struct buffer *buf)
Definition tun.h:540
tuntap_is_wintun
static bool tuntap_is_wintun(struct tuntap *tt)
Definition tun.h:265
write_tun_buffered
static int write_tun_buffered(struct tuntap *tt, struct buffer *buf)
Definition tun.h:669
TUNNEL_TYPE
#define TUNNEL_TYPE(tt)
Definition tun.h:182
tuntap_defined
static bool tuntap_defined(const struct tuntap *tt)
Definition tun.h:254
WINDOWS_DRIVER_WINTUN
@ WINDOWS_DRIVER_WINTUN
Definition tun.h:48
DRIVER_AFUNIX
@ DRIVER_AFUNIX
using an AF_UNIX socket to pass packets from/to an external program.
Definition tun.h:53
tun_set
static void tun_set(struct tuntap *tt, struct event_set *es, unsigned int rwflags, void *arg, unsigned int *persistent)
Definition tun.h:748
read_tun
int read_tun(struct tuntap *tt, uint8_t *buf, int len)
tuntap_is_dco_win_timeout
static bool tuntap_is_dco_win_timeout(struct tuntap *tt, int status)
Definition tun.h:688
tuntap_stop
static bool tuntap_stop(int status)
Definition tun.h:499
write_tun
int write_tun(struct tuntap *tt, uint8_t *buf, int len)
read_tun_afunix
ssize_t read_tun_afunix(struct tuntap *tt, uint8_t *buf, int len)
Reads a packet from a AF_UNIX based tun device.
Definition tun_afunix.c:157
write_tun_afunix
ssize_t write_tun_afunix(struct tuntap *tt, uint8_t *buf, int len)
Writes a packet to a AF_UNIX based tun device.
Definition tun_afunix.c:144
tun_afunix.h
Generated by doxygen 1.9.8