OpenVPN
forward.c
Go to the documentation of this file.
1/*
2 * OpenVPN -- An application to securely tunnel IP networks
3 * over a single TCP/UDP port, with support for SSL/TLS-based
4 * session authentication and key exchange,
5 * packet encryption, packet authentication, and
6 * packet compression.
7 *
8 * Copyright (C) 2002-2026 OpenVPN Inc <sales@openvpn.net>
9 *
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License version 2
12 * as published by the Free Software Foundation.
13 *
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
18 *
19 * You should have received a copy of the GNU General Public License along
20 * with this program; if not, see <https://www.gnu.org/licenses/>.
21 */
22
23#ifdef HAVE_CONFIG_H
24#include "config.h"
25#endif
26
27#include "syshead.h"
28
29#include "forward.h"
30#include "init.h"
31#include "push.h"
32#include "gremlin.h"
33#include "mss.h"
34#include "event.h"
35#include "occ.h"
36#include "otime.h"
37#include "ping.h"
38#include "ps.h"
39#include "dhcp.h"
40#include "common.h"
41#include "ssl_verify.h"
42#include "dco.h"
43#include "auth_token.h"
44#include "tun_afunix.h"
45
46#include "memdbg.h"
47
50
51/* show event wait debugging info */
52
53#ifdef ENABLE_DEBUG
54
55static const char *
56wait_status_string(struct context *c, struct gc_arena *gc)
57{
58 struct buffer out = alloc_buf_gc(64, gc);
59
60 buf_printf(&out, "I/O WAIT %s|%s| %s", tun_stat(c->c1.tuntap, EVENT_READ, gc),
61 tun_stat(c->c1.tuntap, EVENT_WRITE, gc), tv_string(&c->c2.timeval, gc));
62 for (int i = 0; i < c->c1.link_sockets_num; i++)
63 {
64 buf_printf(&out, "\n %s|%s", socket_stat(c->c2.link_sockets[i], EVENT_READ, gc),
65 socket_stat(c->c2.link_sockets[i], EVENT_WRITE, gc));
66 }
67 return BSTR(&out);
68}
69
70static void
72{
73 struct gc_arena gc = gc_new();
74 dmsg(D_EVENT_WAIT, "%s", wait_status_string(c, &gc));
75 gc_free(&gc);
76}
77
78#endif /* ifdef ENABLE_DEBUG */
79
80static void
82{
83 msg(D_STREAM_ERRORS, "Fatal TLS error (check_tls_errors_co), restarting");
84 register_signal(c->sig, c->c2.tls_exit_signal, "tls-error"); /* SOFT-SIGUSR1 -- TLS error */
85}
86
87static void
89{
90 register_signal(c->sig, c->c2.tls_exit_signal, "tls-error"); /* SOFT-SIGUSR1 -- TLS error */
91}
92
93/*
94 * TLS errors are fatal in TCP mode.
95 * Also check for --tls-exit trigger.
96 */
97static inline void
99{
100 if (c->c2.tls_multi && c->c2.tls_exit_signal)
101 {
103 {
104 if (c->c2.tls_multi->n_soft_errors)
105 {
107 }
108 }
109 else
110 {
111 if (c->c2.tls_multi->n_hard_errors)
112 {
114 }
115 }
116 }
117}
118
119/*
120 * Set our wakeup to 0 seconds, so we will be rescheduled
121 * immediately.
122 */
123static inline void
125{
126 c->c2.timeval.tv_sec = 0; /* ZERO-TIMEOUT */
127 c->c2.timeval.tv_usec = 0;
128}
129
130static inline void
131context_reschedule_sec(struct context *c, time_t sec)
132{
133 if (sec < 0)
134 {
135 sec = 0;
136 }
137 if (sec < c->c2.timeval.tv_sec)
138 {
139 c->c2.timeval.tv_sec = (tv_sec_t)sec;
140 c->c2.timeval.tv_usec = 0;
141 }
142}
143
144void
146{
147 /* DCO context is not yet initialised or enabled */
148 if (!dco_enabled(&c->options))
149 {
150 return;
151 }
152
153 /* no active peer (p2p tls-server mode) */
154 if (c->c2.tls_multi->dco_peer_id == -1)
155 {
156 return;
157 }
158
159 if (!dco_update_keys(&c->c1.tuntap->dco, c->c2.tls_multi))
160 {
161 /* Something bad happened. Kill the connection to
162 * be able to recover. */
163 register_signal(c->sig, SIGUSR1, "dco update keys error");
164 }
165}
166
167/*
168 * In TLS mode, let TLS level respond to any control-channel
169 * packets which were received, or prepare any packets for
170 * transmission.
171 *
172 * tmp_int is purely an optimization that allows us to call
173 * tls_multi_process less frequently when there's not much
174 * traffic on the control-channel.
175 *
176 */
177static void
179{
180 interval_t wakeup = BIG_TIMEOUT;
181
182 if (interval_test(&c->c2.tmp_int))
183 {
184 const int tmp_status = tls_multi_process(
185 c->c2.tls_multi, &c->c2.to_link, &c->c2.to_link_addr, get_link_socket_info(c), &wakeup);
186
187 if (tmp_status == TLSMP_RECONNECT)
188 {
191 }
192
193 if (tmp_status == TLSMP_ACTIVE || tmp_status == TLSMP_RECONNECT)
194 {
195 update_time();
197 }
198 else if (tmp_status == TLSMP_KILL)
199 {
200 if (c->options.mode == MODE_SERVER)
201 {
203 }
204 else
205 {
206 register_signal(c->sig, SIGTERM, "auth-control-exit");
207 }
208 }
209
211 }
212
213 interval_schedule_wakeup(&c->c2.tmp_int, &wakeup);
214
215 /*
216 * Our current code has no good hooks in the TLS machinery to update
217 * DCO keys. So we check the key status after the whole TLS machinery
218 * has been completed and potentially update them
219 *
220 * We have a hidden state transition from secondary to primary key based
221 * on ks->auth_deferred_expire that DCO needs to check that the normal
222 * TLS state engine does not check. So we call the \c check_dco_key_status
223 * function even if tmp_status does not indicate that something has changed.
224 */
226
227 if (wakeup)
228 {
229 context_reschedule_sec(c, wakeup);
230 }
231}
232
233static void
235{
236 if (buf_string_match_head_str(buf, "AUTH_FAILED"))
237 {
238 receive_auth_failed(c, buf);
239 }
240 else if (buf_string_match_head_str(buf, "PUSH_"))
241 {
242 incoming_push_message(c, buf);
243 }
244 else if (buf_string_match_head_str(buf, "RESTART"))
245 {
246 server_pushed_signal(c, buf, true, 7);
247 }
248 else if (buf_string_match_head_str(buf, "HALT"))
249 {
250 server_pushed_signal(c, buf, false, 4);
251 }
252 else if (buf_string_match_head_str(buf, "INFO_PRE"))
253 {
254 server_pushed_info(buf, 8);
255 }
256 else if (buf_string_match_head_str(buf, "INFO"))
257 {
258 server_pushed_info(buf, 4);
259 }
260 else if (buf_string_match_head_str(buf, "CR_RESPONSE"))
261 {
262 receive_cr_response(c, buf);
263 }
264 else if (buf_string_match_head_str(buf, "AUTH_PENDING"))
265 {
266 receive_auth_pending(c, buf);
267 }
268 else if (buf_string_match_head_str(buf, "EXIT"))
269 {
271 }
272 else
273 {
274 msg(D_PUSH_ERRORS, "WARNING: Received unknown control message: %s", BSTR(buf));
275 }
276}
277
278/*
279 * Handle incoming configuration
280 * messages on the control channel.
281 */
282static void
284{
285 int len = tls_test_payload_len(c->c2.tls_multi);
286 /* We should only be called with len >0 */
287 ASSERT(len > 0);
288
289 struct gc_arena gc = gc_new();
290 struct buffer buf = alloc_buf_gc(len, &gc);
291 if (tls_rec_payload(c->c2.tls_multi, &buf))
292 {
293 while (BLEN(&buf) > 1)
294 {
295 struct buffer cmdbuf = extract_command_buffer(&buf, &gc);
296
297 if (cmdbuf.len > 0)
298 {
300 }
301 }
302 }
303 else
304 {
305 msg(D_PUSH_ERRORS, "WARNING: Receive control message failed");
306 }
307
308 gc_free(&gc);
309}
310
311/*
312 * Periodically resend PUSH_REQUEST until PUSH message received
313 */
314static void
316{
318
319 /* if no response to first push_request, retry at PUSH_REQUEST_INTERVAL second intervals */
320 event_timeout_modify_wakeup(&c->c2.push_request_interval, PUSH_REQUEST_INTERVAL);
321}
322
323/*
324 * Things that need to happen immediately after connection initiation should go here.
325 *
326 * Options like --up-delay need to be triggered by this function which
327 * checks for connection establishment.
328 *
329 * Note: The process_incoming_push_reply currently assumes that this function
330 * only sets up the pull request timer when pull is enabled.
331 */
332static void
334{
336 {
337 /* if --pull was specified, send a push request to server */
338 if (c->c2.tls_multi && c->options.pull)
339 {
340#ifdef ENABLE_MANAGEMENT
341 if (management)
342 {
344 NULL);
345 }
346#endif
347 /* fire up push request right away (already 1s delayed) */
348 /* We might receive a AUTH_PENDING request before we armed this
349 * timer. In that case we don't change the value */
350 if (c->c2.push_request_timeout < now)
351 {
352 c->c2.push_request_timeout = now + c->options.handshake_window;
353 }
354 event_timeout_init(&c->c2.push_request_interval, 0, now);
356 }
357 else
358 {
359 if (!do_up(c, false, 0))
360 {
361 register_signal(c->sig, SIGUSR1, "connection initialisation failed");
362 }
363 }
364
365 event_timeout_clear(&c->c2.wait_for_connect);
366 }
367}
368
369bool
371 msglvl_t msglevel)
372{
373 struct gc_arena gc = gc_new();
374 bool stat;
375
377 struct key_state *ks = &session->key[KS_PRIMARY];
378
379 /* buffered cleartext write onto TLS control channel */
380 stat = tls_send_payload(ks, (uint8_t *)str, strlen(str) + 1);
381
382 msg(msglevel, "SENT CONTROL [%s]: '%s' (status=%d)",
383 session->common_name ? session->common_name : "UNDEF", sanitize_control_message(str, &gc),
384 (int)stat);
385
386 gc_free(&gc);
387 return stat;
388}
389
390void
392{
394 context_immediate_reschedule(c); /* ZERO-TIMEOUT */
395}
396
397bool
398send_control_channel_string(struct context *c, const char *str, msglvl_t msglevel)
399{
400 if (c->c2.tls_multi)
401 {
403 bool ret = send_control_channel_string_dowork(session, str, msglevel);
405
406 return ret;
407 }
408 return true;
409}
410/*
411 * Add routes.
412 */
413
414static void
415check_add_routes_action(struct context *c, const bool errors)
416{
417 bool route_status = do_route(&c->options, c->c1.route_list, c->c1.route_ipv6_list, c->c1.tuntap,
418 c->plugins, c->c2.es, &c->net_ctx);
419
420 int flags = (errors ? ISC_ERRORS : 0);
421 flags |= (!route_status ? ISC_ROUTE_ERRORS : 0);
422
423 update_time();
426 initialization_sequence_completed(c, flags); /* client/p2p --route-delay was defined */
427}
428
429static void
431{
432 if (test_routes(c->c1.route_list, c->c1.tuntap))
433 {
434 check_add_routes_action(c, false);
435 }
437 {
439 }
440 else
441 {
442 msg(D_ROUTE, "Route: Waiting for TUN/TAP interface to come up...");
443 if (c->c1.tuntap)
444 {
445 if (!tun_standby(c->c1.tuntap))
446 {
447 register_signal(c->sig, SIGHUP, "ip-fail");
449#ifdef _WIN32
452#endif
453 }
454 }
455 update_time();
456 if (c->c2.route_wakeup.n != 1)
457 {
459 }
461 }
462}
463
464/*
465 * Should we exit due to inactivity timeout?
466 *
467 * In the non-dco case, the timeout is reset via register_activity()
468 * whenever there is sufficient activity on tun or link, so this function
469 * is only ever called to raise the TERM signal.
470 *
471 * With DCO, OpenVPN does not see incoming or outgoing data packets anymore
472 * and the logic needs to change - we permit the event to trigger and check
473 * kernel DCO counters here, returning and rearming the timer if there was
474 * sufficient traffic.
475 *
476 * NOTE: FreeBSD DCO does not supply "tun bytes" (= decrypted payload) today,
477 * so "dco bytes" (encrypted bytes, including keepalives) is used instead
478 */
479static void
481{
482 if (dco_enabled(&c->options) && dco_get_peer_stats(c, true) == 0)
483 {
484#ifdef TARGET_FREEBSD
485 int64_t tot_bytes = c->c2.dco_read_bytes + c->c2.dco_write_bytes;
486#else
487 int64_t tot_bytes = c->c2.tun_read_bytes + c->c2.tun_write_bytes;
488#endif
489 int64_t new_bytes = tot_bytes - c->c2.inactivity_bytes;
490
491 if (new_bytes > c->options.inactivity_minimum_bytes)
492 {
493 c->c2.inactivity_bytes = tot_bytes;
495 return;
496 }
497 }
498
499 msg(M_INFO, "Inactivity timeout (--inactive), exiting");
500 register_signal(c->sig, SIGTERM, "inactive");
501}
502
503int
505{
506 update_time();
507 int remaining = event_timeout_remaining(server_poll_timeout);
508 return max_int(0, remaining);
509}
510
511static void
513{
515 ASSERT(c->c2.tls_multi);
517 {
518 msg(M_INFO, "Server poll timeout, restarting");
519 register_signal(c->sig, SIGUSR1, "server_poll");
521 }
522}
523
524/*
525 * Schedule a SIGTERM signal c->options.scheduled_exit_interval seconds from now.
526 */
527bool
529{
530 const int n_seconds = c->options.scheduled_exit_interval;
531 /* don't reschedule if already scheduled. */
533 {
534 return false;
535 }
537 update_time();
539 event_timeout_init(&c->c2.scheduled_exit, n_seconds, now);
541 msg(D_SCHED_EXIT, "Delayed exit in %d seconds", n_seconds);
542 return true;
543}
544
545/*
546 * Scheduled exit?
547 */
548static void
550{
551 register_signal(c->sig, c->c2.scheduled_exit_signal, "delayed-exit");
552}
553
554/*
555 * Should we write timer-triggered status file.
556 */
557static void
559{
560 if (c->c1.status_output)
561 {
563 }
564}
565
566#ifdef ENABLE_FRAGMENT
567/*
568 * Should we deliver a datagram fragment to remote?
569 * c is expected to be a single-link context (p2p or child)
570 */
571static void
573{
574 struct link_socket_info *lsi = get_link_socket_info(c);
575
576 /* OS MTU Hint? */
577 if (lsi->mtu_changed && lsi->lsa)
578 {
580 lsi->mtu_changed = false;
581 }
582
584 {
585 if (!c->c2.to_link.len)
586 {
587 /* encrypt a fragment for output to TCP/UDP port */
589 encrypt_sign(c, false);
590 }
591 }
592
594}
595#endif /* ifdef ENABLE_FRAGMENT */
596
597/*
598 * Buffer reallocation, for use with null encryption.
599 */
600static inline void
601buffer_turnover(const uint8_t *orig_buf, struct buffer *dest_stub, struct buffer *src_stub,
602 struct buffer *storage)
603{
604 if (orig_buf == src_stub->data && src_stub->data != storage->data)
605 {
606 buf_assign(storage, src_stub);
607 *dest_stub = *storage;
608 }
609 else
610 {
611 *dest_stub = *src_stub;
612 }
613}
614
615/*
616 * Compress, fragment, encrypt and HMAC-sign an outgoing packet.
617 * Input: c->c2.buf
618 * Output: c->c2.to_link
619 */
620void
621encrypt_sign(struct context *c, bool comp_frag)
622{
623 struct context_buffers *b = c->c2.buffers;
624 const uint8_t *orig_buf = c->c2.buf.data;
625 struct crypto_options *co = NULL;
626
627 if (dco_enabled(&c->options))
628 {
629 msg(M_WARN, "Attempting to send data packet while data channel offload is in use. "
630 "Dropping packet");
631 c->c2.buf.len = 0;
632 }
633
634 /*
635 * Drop non-TLS outgoing packet if client-connect script/plugin
636 * has not yet succeeded. In non-TLS tls_multi mode is not defined
637 * and we always pass packets.
638 */
640 {
641 c->c2.buf.len = 0;
642 }
643
644 if (comp_frag)
645 {
646#ifdef USE_COMP
647 /* Compress the packet. */
648 if (c->c2.comp_context)
649 {
650 (*c->c2.comp_context->alg.compress)(&c->c2.buf, b->compress_buf, c->c2.comp_context,
651 &c->c2.frame);
652 }
653#endif
654#ifdef ENABLE_FRAGMENT
655 if (c->c2.fragment)
656 {
658 }
659#endif
660 }
661
662 /* initialize work buffer with buf.headroom bytes of prepend capacity */
664
665 if (c->c2.tls_multi)
666 {
667 /* Get the key we will use to encrypt the packet. */
668 tls_pre_encrypt(c->c2.tls_multi, &c->c2.buf, &co);
669 /* If using P_DATA_V2, prepend the 1-byte opcode and 3-byte peer-id to the
670 * packet before openvpn_encrypt(), so we can authenticate the opcode too.
671 */
672 if (c->c2.buf.len > 0 && c->c2.tls_multi->use_peer_id)
673 {
675 }
676 }
677 else
678 {
679 co = &c->c2.crypto_options;
680 }
681
682 /* Encrypt and authenticate the packet */
683 openvpn_encrypt(&c->c2.buf, b->encrypt_buf, co);
684
685 /* Do packet administration */
686 if (c->c2.tls_multi)
687 {
688 if (c->c2.buf.len > 0 && !c->c2.tls_multi->use_peer_id)
689 {
691 }
693 }
694
695 /*
696 * Get the address we will be sending the packet to.
697 */
699
700 /* if null encryption, copy result to read_tun_buf */
701 buffer_turnover(orig_buf, &c->c2.to_link, &c->c2.buf, &b->read_tun_buf);
702}
703
704/*
705 * Should we exit due to session timeout?
706 */
707static void
709{
712 {
713 msg(M_INFO, "Session timeout, exiting");
714 register_signal(c->sig, SIGTERM, "session-timeout");
715 }
716}
717
718/*
719 * Coarse timers work to 1 second resolution.
720 */
721static void
723{
724 /* flush current packet-id to file once per 60
725 * seconds if --replay-persist was specified */
728 {
730 }
731
732 /* Should we write timer-triggered status file */
733 if (c->c1.status_output
735 {
737 }
738
739 /* process connection establishment items */
741 {
743 }
744
745 /* see if we should send a push_request (option --pull) */
747 {
749 }
750
751 /* process --route options */
753 {
755 }
756
757 /* check if we want to refresh the auth-token */
759 {
761 }
762
763 /* possibly exit due to --inactive */
766 {
768 }
769
770 if (c->sig->signal_received)
771 {
772 return;
773 }
774
775 /* kill session if time is over */
777 if (c->sig->signal_received)
778 {
779 return;
780 }
781
782 /* restart if ping not received */
784 if (c->sig->signal_received)
785 {
786 return;
787 }
788
789 if (c->c2.tls_multi)
790 {
793 {
795 }
796 if (c->sig->signal_received)
797 {
798 return;
799 }
801 {
803 }
804 if (c->sig->signal_received)
805 {
806 return;
807 }
808 }
809
810 /* Should we send an OCC_REQUEST message? */
812
813 /* Should we send an MTU load test? */
815
816 /* Should we send an OCC_EXIT message to remote? */
818 {
820 }
821
822 /* Should we ping the remote? */
824
825#ifdef ENABLE_MANAGEMENT
826 if (management)
827 {
829 }
830#endif /* ENABLE_MANAGEMENT */
831}
832
833static void
835{
836 if (now < c->c2.coarse_timer_wakeup)
837 {
839 return;
840 }
841
842 const struct timeval save = c->c2.timeval;
843 c->c2.timeval.tv_sec = BIG_TIMEOUT;
844 c->c2.timeval.tv_usec = 0;
846 c->c2.coarse_timer_wakeup = now + c->c2.timeval.tv_sec;
847
848 dmsg(D_INTERVAL, "TIMER: coarse timer wakeup %" PRIi64 " seconds",
849 (int64_t)c->c2.timeval.tv_sec);
850
851 /* Is the coarse timeout NOT the earliest one? */
852 if (c->c2.timeval.tv_sec > save.tv_sec)
853 {
854 c->c2.timeval = save;
855 }
856}
857
858static void
860{
861 const int update_interval = 10; /* seconds */
862 c->c2.update_timeout_random_component = now + update_interval;
863 c->c2.timeout_random_component.tv_usec = (time_t)get_random() & 0x0003FFFF;
864 c->c2.timeout_random_component.tv_sec = 0;
865
866 dmsg(D_INTERVAL, "RANDOM USEC=%ld", (long)c->c2.timeout_random_component.tv_usec);
867}
868
869static inline void
871{
873 {
875 }
876 if (c->c2.timeval.tv_sec >= 1)
877 {
879 }
880}
881
882/*
883 * Handle addition and removal of the 10-byte Socks5 header
884 * in UDP packets.
885 */
886
887static inline void
889{
890 if (sock->socks_proxy && sock->info.proto == PROTO_UDP)
891 {
893 }
894}
895
896static inline void
898 struct link_socket_actual **to_addr, int *size_delta)
899{
900 if (sock->socks_proxy && sock->info.proto == PROTO_UDP)
901 {
902 *size_delta += socks_process_outgoing_udp(&c->c2.to_link, c->c2.to_link_addr);
903 *to_addr = &sock->socks_relay;
904 }
905}
906
907/* undo effect of socks_preprocess_outgoing_link */
908static inline void
909link_socket_write_post_size_adjust(int *size, int size_delta, struct buffer *buf)
910{
911 if (size_delta > 0 && *size > size_delta)
912 {
913 *size -= size_delta;
914 if (!buf_advance(buf, size_delta))
915 {
916 *size = 0;
917 }
918 }
919}
920
921/*
922 * Output: c->c2.buf
923 */
924
925void
926read_incoming_link(struct context *c, struct link_socket *sock)
927{
928 /*
929 * Set up for recvfrom call to read datagram
930 * sent to our TCP/UDP port.
931 */
932 int status;
933
934 /*ASSERT (!c->c2.to_tun.len);*/
935
936 c->c2.buf = c->c2.buffers->read_link_buf;
938
939 status = link_socket_read(sock, &c->c2.buf, &c->c2.from);
940
942 {
943#if PORT_SHARE
944 if (port_share && socket_foreign_protocol_detected(sock))
945 {
946 const struct buffer *fbuf = socket_foreign_protocol_head(sock);
947 const int sd = socket_foreign_protocol_sd(sock);
949 register_signal(c->sig, SIGTERM, "port-share-redirect");
950 }
951 else
952#endif
953 {
954 /* received a disconnect from a connection-oriented protocol */
955 if (event_timeout_defined(&c->c2.explicit_exit_notification_interval))
956 {
958 "Connection reset during exit notification period, ignoring [%d]", status);
960 }
961 else
962 {
964 "connection-reset"); /* SOFT-SIGUSR1 -- TCP connection reset */
965 msg(D_STREAM_ERRORS, "Connection reset, restarting [%d]", status);
966 }
967 }
968 return;
969 }
970
971 /* check_status() call below resets last-error code */
973
974 /* check recvfrom status */
975 check_status(status, "read", sock, NULL);
976
977 if (dco_win_timeout)
978 {
980 }
981
982 /* Remove socks header if applicable */
984}
985
986bool
988{
989 struct gc_arena gc = gc_new();
990 bool decrypt_status = false;
991
992 if (c->c2.buf.len > 0)
993 {
994 c->c2.link_read_bytes += c->c2.buf.len;
997 }
998 else
999 {
1000 c->c2.original_recv_size = 0;
1001 }
1002
1003#ifdef ENABLE_DEBUG
1004 /* take action to corrupt packet if we are in gremlin test mode */
1005 if (c->options.gremlin)
1006 {
1007 if (!ask_gremlin(c->options.gremlin))
1008 {
1009 c->c2.buf.len = 0;
1010 }
1011 corrupt_gremlin(&c->c2.buf, c->options.gremlin);
1012 }
1013#endif
1014
1015 /* log incoming packet */
1016#ifdef LOG_RW
1017 if (c->c2.log_rw && c->c2.buf.len > 0)
1018 {
1019 fprintf(stderr, "R");
1020 }
1021#endif
1022 msg(D_LINK_RW, "%s READ [%d] from %s: %s", proto2ascii(lsi->proto, lsi->af, true),
1023 BLEN(&c->c2.buf), print_link_socket_actual(&c->c2.from, &gc), PROTO_DUMP(&c->c2.buf, &gc));
1024
1025 /*
1026 * Good, non-zero length packet received.
1027 * Commence multi-stage processing of packet,
1028 * such as authenticate, decrypt, decompress.
1029 * If any stage fails, it sets buf.len to 0 or -1,
1030 * telling downstream stages to ignore the packet.
1031 */
1032 if (c->c2.buf.len > 0)
1033 {
1034 struct crypto_options *co = NULL;
1035 const uint8_t *ad_start = NULL;
1036 if (!link_socket_verify_incoming_addr(&c->c2.buf, lsi, &c->c2.from))
1037 {
1039 }
1040
1041 if (c->c2.tls_multi)
1042 {
1043 uint8_t opcode = *BPTR(&c->c2.buf) >> P_OPCODE_SHIFT;
1044
1045 /*
1046 * If DCO is enabled, the kernel drivers require that the
1047 * other end only sends P_DATA_V2 packets. V1 are unknown
1048 * to kernel and passed to userland, but we cannot handle them
1049 * either because crypto context is missing - so drop the packet.
1050 *
1051 * This can only happen with particular old (2.4.0-2.4.4) servers.
1052 */
1053 if ((opcode == P_DATA_V1) && dco_enabled(&c->options))
1054 {
1055 msg(D_LINK_ERRORS, "Data Channel Offload doesn't support DATA_V1 packets. "
1056 "Upgrade your server to 2.4.5 or newer.");
1057 c->c2.buf.len = 0;
1058 }
1059
1060 /*
1061 * If tls_pre_decrypt returns true, it means the incoming
1062 * packet was a good TLS control channel packet. If so, TLS code
1063 * will deal with the packet and set buf.len to 0 so downstream
1064 * stages ignore it.
1065 *
1066 * If the packet is a data channel packet, tls_pre_decrypt
1067 * will load crypto_options with the correct encryption key
1068 * and return false.
1069 */
1070 if (tls_pre_decrypt(c->c2.tls_multi, &c->c2.from, &c->c2.buf, &co, floated, &ad_start))
1071 {
1073
1074 /* reset packet received timer if TLS packet */
1076 {
1078 }
1079 }
1080 }
1081 else
1082 {
1083 co = &c->c2.crypto_options;
1084 }
1085
1086 /*
1087 * Drop non-TLS packet if client-connect script/plugin and cipher selection
1088 * has not yet succeeded. In non-TLS mode tls_multi is not defined
1089 * and we always pass packets.
1090 */
1092 {
1093 c->c2.buf.len = 0;
1094 }
1095
1096 /* authenticate and decrypt the incoming packet */
1097 decrypt_status =
1098 openvpn_decrypt(&c->c2.buf, c->c2.buffers->decrypt_buf, co, &c->c2.frame, ad_start);
1099
1100 if (!decrypt_status
1101 /* on the instance context we have only one socket, so just check the first one */
1103 {
1104 /* decryption errors are fatal in TCP mode */
1106 "decryption-error"); /* SOFT-SIGUSR1 -- decryption error in TCP mode */
1107 msg(D_STREAM_ERRORS, "Fatal decryption error (process_incoming_link), restarting");
1108 }
1109 }
1110 else
1111 {
1112 buf_reset(&c->c2.to_tun);
1113 }
1114 gc_free(&gc);
1115
1116 return decrypt_status;
1117}
1118
1119void
1121 const uint8_t *orig_buf)
1122{
1123 if (c->c2.buf.len > 0)
1124 {
1125#ifdef ENABLE_FRAGMENT
1126 if (c->c2.fragment)
1127 {
1129 }
1130#endif
1131
1132#ifdef USE_COMP
1133 /* decompress the incoming packet */
1134 if (c->c2.comp_context)
1135 {
1136 (*c->c2.comp_context->alg.decompress)(&c->c2.buf, c->c2.buffers->decompress_buf,
1137 c->c2.comp_context, &c->c2.frame);
1138 }
1139#endif
1140
1141#ifdef PACKET_TRUNCATION_CHECK
1142 /* if (c->c2.buf.len > 1) --c->c2.buf.len; */
1143 ipv4_packet_size_verify(BPTR(&c->c2.buf), BLEN(&c->c2.buf), TUNNEL_TYPE(c->c1.tuntap),
1144 "POST_DECRYPT", &c->c2.n_trunc_post_decrypt);
1145#endif
1146
1147 /*
1148 * Set our "official" outgoing address, since
1149 * if buf.len is non-zero, we know the packet
1150 * authenticated. In TLS mode we do nothing
1151 * because TLS mode takes care of source address
1152 * authentication.
1153 *
1154 * Also, update the persisted version of our packet-id.
1155 */
1156 if (!TLS_MODE(c) && c->c2.buf.len > 0)
1157 {
1158 link_socket_set_outgoing_addr(lsi, &c->c2.from, NULL, c->c2.es);
1159 }
1160
1161 /* reset packet received timer */
1162 if (c->options.ping_rec_timeout && c->c2.buf.len > 0)
1163 {
1165 }
1166
1167 /* increment authenticated receive byte count */
1168 if (c->c2.buf.len > 0)
1169 {
1170 c->c2.link_read_bytes_auth += c->c2.buf.len;
1173 }
1174
1175 /* Did we just receive an openvpn ping packet? */
1176 if (is_ping_msg(&c->c2.buf))
1177 {
1178 dmsg(D_PING, "RECEIVED PING PACKET");
1179 c->c2.buf.len = 0; /* drop packet */
1180 }
1181
1182 /* Did we just receive an OCC packet? */
1183 if (is_occ_msg(&c->c2.buf))
1184 {
1186 }
1187
1188 buffer_turnover(orig_buf, &c->c2.to_tun, &c->c2.buf, &c->c2.buffers->read_link_buf);
1189
1190 /* to_tun defined + unopened tuntap can cause deadlock */
1191 if (!tuntap_defined(c->c1.tuntap))
1192 {
1193 c->c2.to_tun.len = 0;
1194 }
1195 }
1196 else
1197 {
1198 buf_reset(&c->c2.to_tun);
1199 }
1200}
1201
1202static void
1204{
1205 struct link_socket_info *lsi = &sock->info;
1206 const uint8_t *orig_buf = c->c2.buf.data;
1207
1208 process_incoming_link_part1(c, lsi, false);
1209 process_incoming_link_part2(c, lsi, orig_buf);
1210}
1211
1212void
1213extract_dco_float_peer_addr(const sa_family_t socket_family, struct openvpn_sockaddr *out_osaddr,
1214 const struct sockaddr *float_sa)
1215{
1216 if (float_sa->sa_family == AF_INET)
1217 {
1218 struct sockaddr_in *float4 = (struct sockaddr_in *)float_sa;
1219 /* DCO treats IPv4-mapped IPv6 addresses as pure IPv4. However, on a
1220 * dual-stack socket, we need to preserve the mapping otherwise openvpn
1221 * will not be able to find the peer by its transport address.
1222 */
1223 if (socket_family == AF_INET6)
1224 {
1225 out_osaddr->addr.in6.sin6_family = AF_INET6;
1226 out_osaddr->addr.in6.sin6_port = float4->sin_port;
1227
1228 memset(&out_osaddr->addr.in6.sin6_addr.s6_addr, 0, 10);
1229 out_osaddr->addr.in6.sin6_addr.s6_addr[10] = 0xff;
1230 out_osaddr->addr.in6.sin6_addr.s6_addr[11] = 0xff;
1231 memcpy(&out_osaddr->addr.in6.sin6_addr.s6_addr[12], &float4->sin_addr.s_addr,
1232 sizeof(in_addr_t));
1233 }
1234 else
1235 {
1236 memcpy(&out_osaddr->addr.in4, float4, sizeof(struct sockaddr_in));
1237 }
1238 }
1239 else
1240 {
1241 struct sockaddr_in6 *float6 = (struct sockaddr_in6 *)float_sa;
1242 memcpy(&out_osaddr->addr.in6, float6, sizeof(struct sockaddr_in6));
1243 }
1244}
1245
1246void
1248{
1249#if defined(ENABLE_DCO) && (defined(TARGET_LINUX) || defined(TARGET_FREEBSD))
1250 struct context *c = dco->c;
1251
1252 /* FreeBSD currently sends us removal notifcation with the old peer-id in
1253 * p2p mode with the ping timeout reason, so ignore that one to not shoot
1254 * ourselves in the foot and removing the just established session */
1255 if (dco->dco_message_peer_id != c->c2.tls_multi->dco_peer_id)
1256 {
1258 "%s: received message for mismatching peer-id %d, "
1259 "expected %d",
1260 __func__, dco->dco_message_peer_id, c->c2.tls_multi->dco_peer_id);
1261 return;
1262 }
1263
1264 switch (dco->dco_message_type)
1265 {
1266 case OVPN_CMD_DEL_PEER:
1267 /* peer is gone, unset ID to prevent more kernel calls */
1268 c->c2.tls_multi->dco_peer_id = -1;
1269 if (dco->dco_del_peer_reason == OVPN_DEL_PEER_REASON_EXPIRED)
1270 {
1272 "%s: received peer expired notification of for peer-id "
1273 "%d",
1274 __func__, dco->dco_message_peer_id);
1276 return;
1277 }
1278 break;
1279
1280 case OVPN_CMD_SWAP_KEYS:
1281 msg(D_DCO_DEBUG, "%s: received key rotation notification for peer-id %d", __func__,
1282 dco->dco_message_peer_id);
1284 break;
1285
1286 default:
1287 msg(D_DCO_DEBUG, "%s: received message of type %u - ignoring", __func__,
1288 dco->dco_message_type);
1289 return;
1290 }
1291
1292#endif /* if defined(ENABLE_DCO) && (defined(TARGET_LINUX) || defined(TARGET_FREEBSD)) */
1293}
1294
1295/*
1296 * Output: c->c2.buf
1297 */
1298
1299void
1301{
1302 /*
1303 * Setup for read() call on TUN/TAP device.
1304 */
1305 /*ASSERT (!c->c2.to_link.len);*/
1306
1307 c->c2.buf = c->c2.buffers->read_tun_buf;
1308
1309#ifdef _WIN32
1310 /* we cannot end up here when using dco */
1311 ASSERT(!dco_enabled(&c->options));
1312
1313 sockethandle_t sh = { .is_handle = true, .h = c->c1.tuntap->hand, .prepend_sa = false };
1314 sockethandle_finalize(sh, &c->c1.tuntap->reads, &c->c2.buf, NULL);
1315#else /* ifdef _WIN32 */
1319 {
1320 c->c2.buf.len =
1322 }
1323 else
1324 {
1325 c->c2.buf.len = (int)read_tun(c->c1.tuntap, BPTR(&c->c2.buf), c->c2.frame.buf.payload_size);
1326 }
1327#endif /* ifdef _WIN32 */
1328
1329#ifdef PACKET_TRUNCATION_CHECK
1330 ipv4_packet_size_verify(BPTR(&c->c2.buf), BLEN(&c->c2.buf), TUNNEL_TYPE(c->c1.tuntap),
1331 "READ_TUN", &c->c2.n_trunc_tun_read);
1332#endif
1333
1334 /* Was TUN/TAP interface stopped? */
1335 if (tuntap_stop(c->c2.buf.len))
1336 {
1337 register_signal(c->sig, SIGTERM, "tun-stop");
1338 msg(M_INFO, "TUN/TAP interface has been stopped, exiting");
1339 return;
1340 }
1341
1342 /* Was TUN/TAP I/O operation aborted? */
1343 if (tuntap_abort(c->c2.buf.len))
1344 {
1345 register_signal(c->sig, SIGHUP, "tun-abort");
1347 msg(M_INFO, "TUN/TAP I/O operation aborted, restarting");
1348 return;
1349 }
1350
1351 /* Check the status return from read() */
1352 check_status(c->c2.buf.len, "read from TUN/TAP", NULL, c->c1.tuntap);
1353}
1354
1363static void
1365{
1366 if (c->c2.to_link_addr == NULL) /* no remote addr known */
1367 {
1368 return;
1369 }
1370
1371 struct openvpn_sockaddr *link_addr = &c->c2.to_link_addr->dest;
1372 struct link_socket_info *lsi = get_link_socket_info(c);
1373
1374 int ip_hdr_offset = 0;
1375 int tun_ip_ver = get_tun_ip_ver(TUNNEL_TYPE(c->c1.tuntap), buf, &ip_hdr_offset);
1376
1377 if (tun_ip_ver == 4)
1378 {
1379 /* Ensure we can safely read the IPv4 header */
1380 const int min_ip_header = ip_hdr_offset + sizeof(struct openvpn_iphdr);
1381 if (BLEN(buf) < min_ip_header)
1382 {
1383 return;
1384 }
1385
1386 struct openvpn_iphdr *pip = (struct openvpn_iphdr *)(BPTR(buf) + ip_hdr_offset);
1387 const int ip_hlen = OPENVPN_IPH_GET_LEN(pip->version_len);
1388 /* Reject malformed or truncated headers */
1389 if (ip_hlen < (int)sizeof(struct openvpn_iphdr)
1390 || BLENZ(buf) < ip_hdr_offset + ip_hlen + sizeof(uint16_t) * 2)
1391 {
1392 return;
1393 }
1394
1395 /* skip ipv4 packets for ipv6 tun */
1396 if (link_addr->addr.sa.sa_family != AF_INET)
1397 {
1398 return;
1399 }
1400
1401 /* skip if tun protocol doesn't match link protocol */
1402 if ((lsi->proto == PROTO_TCP && pip->protocol != OPENVPN_IPPROTO_TCP)
1403 || (lsi->proto == PROTO_UDP && pip->protocol != OPENVPN_IPPROTO_UDP))
1404 {
1405 return;
1406 }
1407
1408 /* drop packets with same dest addr and port as remote */
1409 uint8_t *l4_hdr = (uint8_t *)pip + ip_hlen;
1410
1411 uint16_t link_port = ntohs(link_addr->addr.in4.sin_port);
1412
1413 /* TCP and UDP ports are at the same place in the header, and other protocols
1414 * can not happen here due to the lsi->proto check above */
1415 uint16_t src_port = ntohs(*(uint16_t *)l4_hdr);
1416 uint16_t dst_port = ntohs(*(uint16_t *)(l4_hdr + sizeof(uint16_t)));
1417 if ((memcmp(&link_addr->addr.in4.sin_addr.s_addr, &pip->daddr, sizeof(pip->daddr)) == 0) && (link_port == dst_port))
1418 {
1419 buf->len = 0;
1420
1421 struct gc_arena gc = gc_new();
1422 msg(D_LOW, "Recursive routing detected, packet dropped %s:%" PRIu16 " -> %s",
1424 src_port,
1426 gc_free(&gc);
1427 }
1428 }
1429 else if (tun_ip_ver == 6)
1430 {
1431 /* make sure we got whole IPv6 header and TCP/UDP src/dst ports */
1432 const int min_ipv6 = ip_hdr_offset + sizeof(struct openvpn_ipv6hdr) + sizeof(uint16_t) * 2;
1433 if (BLEN(buf) < min_ipv6)
1434 {
1435 return;
1436 }
1437
1438 /* skip ipv6 packets for ipv4 tun */
1439 if (link_addr->addr.sa.sa_family != AF_INET6)
1440 {
1441 return;
1442 }
1443
1444 struct openvpn_ipv6hdr *pip6 = (struct openvpn_ipv6hdr *)(BPTR(buf) + ip_hdr_offset);
1445
1446 /* skip if tun protocol doesn't match link protocol */
1447 if ((lsi->proto == PROTO_TCP && pip6->nexthdr != OPENVPN_IPPROTO_TCP)
1448 || (lsi->proto == PROTO_UDP && pip6->nexthdr != OPENVPN_IPPROTO_UDP))
1449 {
1450 return;
1451 }
1452
1453 uint16_t link_port = ntohs(link_addr->addr.in6.sin6_port);
1454
1455 /* drop packets with same dest addr and port as remote */
1456 uint8_t *l4_hdr = (uint8_t *)pip6 + sizeof(struct openvpn_ipv6hdr);
1457 uint16_t src_port = ntohs(*(uint16_t *)l4_hdr);
1458 uint16_t dst_port = ntohs(*(uint16_t *)(l4_hdr + sizeof(uint16_t)));
1459 if ((OPENVPN_IN6_ARE_ADDR_EQUAL(&link_addr->addr.in6.sin6_addr, &pip6->daddr)) && (link_port == dst_port))
1460 {
1461 buf->len = 0;
1462
1463 struct gc_arena gc = gc_new();
1464 msg(D_LOW, "Recursive routing detected, packet dropped %s:%" PRIu16 " -> %s",
1466 src_port,
1468 gc_free(&gc);
1469 }
1470 }
1471}
1472
1473/*
1474 * Input: c->c2.buf
1475 * Output: c->c2.to_link
1476 */
1477
1478void
1479process_incoming_tun(struct context *c, struct link_socket *out_sock)
1480{
1481 if (c->c2.buf.len > 0)
1482 {
1483 c->c2.tun_read_bytes += c->c2.buf.len;
1484 }
1485
1486#ifdef LOG_RW
1487 if (c->c2.log_rw && c->c2.buf.len > 0)
1488 {
1489 fprintf(stderr, "r");
1490 }
1491#endif
1492
1493 /* Show packet content */
1494 dmsg(D_TUN_RW, "TUN READ [%d]", BLEN(&c->c2.buf));
1495
1496 if (c->c2.buf.len > 0)
1497 {
1499 {
1501 }
1502 /*
1503 * The --passtos and --mssfix options require
1504 * us to examine the IP header (IPv4 or IPv6).
1505 */
1506 unsigned int flags =
1508 process_ip_header(c, flags, &c->c2.buf, out_sock);
1509
1510#ifdef PACKET_TRUNCATION_CHECK
1511 /* if (c->c2.buf.len > 1) --c->c2.buf.len; */
1512 ipv4_packet_size_verify(BPTR(&c->c2.buf), BLEN(&c->c2.buf), TUNNEL_TYPE(c->c1.tuntap),
1513 "PRE_ENCRYPT", &c->c2.n_trunc_pre_encrypt);
1514#endif
1515 }
1516 if (c->c2.buf.len > 0)
1517 {
1518 encrypt_sign(c, true);
1519 }
1520 else
1521 {
1522 buf_reset(&c->c2.to_link);
1523 }
1524}
1525
1536void
1537ipv6_send_icmp_unreachable(struct context *c, struct buffer *buf, bool client)
1538{
1539#define MAX_ICMPV6LEN 1280
1540 struct openvpn_icmp6hdr icmp6out;
1541 CLEAR(icmp6out);
1542
1543 /*
1544 * Get a buffer to the ip packet, is_ipv6 automatically forwards
1545 * the buffer to the ip packet
1546 */
1547 struct buffer inputipbuf = *buf;
1548
1549 is_ipv6(TUNNEL_TYPE(c->c1.tuntap), &inputipbuf);
1550
1551 if (BLEN(&inputipbuf) < (int)sizeof(struct openvpn_ipv6hdr))
1552 {
1553 return;
1554 }
1555
1556 const struct openvpn_ipv6hdr *pip6 = (struct openvpn_ipv6hdr *)BPTR(&inputipbuf);
1557
1558 /* Copy version, traffic class, flow label from input packet */
1559 struct openvpn_ipv6hdr pip6out = *pip6;
1560
1561 pip6out.version_prio = pip6->version_prio;
1562 pip6out.daddr = pip6->saddr;
1563
1564 /*
1565 * Use the IPv6 remote address if we have one, otherwise use a fake one
1566 * using the remote address is preferred since it makes debugging and
1567 * understanding where the ICMPv6 error originates easier
1568 */
1570 {
1571 inet_pton(AF_INET6, c->options.ifconfig_ipv6_remote, &pip6out.saddr);
1572 }
1573 else
1574 {
1575 inet_pton(AF_INET6, "fe80::7", &pip6out.saddr);
1576 }
1577
1579
1580 /*
1581 * The ICMPv6 unreachable code worked best in my (arne) tests with Windows,
1582 * Linux and Android. Windows did not like the administratively prohibited
1583 * return code (no fast fail)
1584 */
1587
1588 const int icmpheader_len = sizeof(struct openvpn_ipv6hdr) + sizeof(struct openvpn_icmp6hdr);
1589 int totalheader_len = icmpheader_len;
1590
1591 if (TUNNEL_TYPE(c->c1.tuntap) == DEV_TYPE_TAP)
1592 {
1593 totalheader_len += sizeof(struct openvpn_ethhdr);
1594 }
1595
1596 /*
1597 * Calculate size for payload, defined in the standard that the resulting
1598 * frame should be <= 1280 and have as much as possible of the original
1599 * packet
1600 */
1601 int max_payload_size = min_int(MAX_ICMPV6LEN, c->c2.frame.tun_mtu - icmpheader_len);
1602 /* Ensure that minimum payload size is at least 64 bytes as extra safety layer */
1603 max_payload_size = max_int(max_payload_size, 64);
1604 const int payload_len = min_int(max_payload_size, BLEN(&inputipbuf));
1605 const uint16_t icmp_len = (uint16_t)(sizeof(struct openvpn_icmp6hdr) + payload_len);
1606
1607 pip6out.payload_len = htons(icmp_len);
1608
1609 /* Construct the packet as outgoing packet back to the client */
1610 struct buffer *outbuf;
1611 if (client)
1612 {
1613 c->c2.to_tun = c->c2.buffers->aux_buf;
1614 outbuf = &(c->c2.to_tun);
1615 }
1616 else
1617 {
1618 c->c2.to_link = c->c2.buffers->aux_buf;
1619 outbuf = &(c->c2.to_link);
1620 }
1622
1623 /* Fill the end of the buffer with original packet */
1624 ASSERT(buf_safe(outbuf, payload_len));
1625 ASSERT(buf_copy_n(outbuf, &inputipbuf, payload_len));
1626
1627 /* ICMP Header, copy into buffer to allow checksum calculation */
1629
1630 /* Calculate checksum over the packet and write to header */
1631
1635 ((struct openvpn_icmp6hdr *)BPTR(outbuf))->icmp6_cksum = htons(new_csum);
1636
1637
1638 /* IPv6 Header */
1639 ASSERT(buf_write_prepend(outbuf, &pip6out, sizeof(struct openvpn_ipv6hdr)));
1640
1641 /*
1642 * Tap mode, we also need to create an Ethernet header.
1643 */
1644 if (TUNNEL_TYPE(c->c1.tuntap) == DEV_TYPE_TAP)
1645 {
1646 if (BLEN(buf) < (int)sizeof(struct openvpn_ethhdr))
1647 {
1648 return;
1649 }
1650
1651 const struct openvpn_ethhdr *orig_ethhdr = (struct openvpn_ethhdr *)BPTR(buf);
1652
1653 /* Copy frametype and reverse source/destination for the response */
1654 struct openvpn_ethhdr ethhdr;
1655 memcpy(ethhdr.source, orig_ethhdr->dest, OPENVPN_ETH_ALEN);
1656 memcpy(ethhdr.dest, orig_ethhdr->source, OPENVPN_ETH_ALEN);
1657 ethhdr.proto = htons(OPENVPN_ETH_P_IPV6);
1658 ASSERT(buf_write_prepend(outbuf, &ethhdr, sizeof(struct openvpn_ethhdr)));
1659 }
1660#undef MAX_ICMPV6LEN
1661}
1662
1663void
1664process_ip_header(struct context *c, unsigned int flags, struct buffer *buf,
1665 struct link_socket *sock)
1666{
1667 if (!c->options.ce.mssfix)
1668 {
1669 flags &= ~PIP_MSSFIX;
1670 }
1671#if PASSTOS_CAPABILITY
1672 if (!c->options.passtos)
1673 {
1674 flags &= ~PIPV4_PASSTOS;
1675 }
1676#endif
1677 if (!c->options.client_nat)
1678 {
1679 flags &= ~PIPV4_CLIENT_NAT;
1680 }
1682 {
1683 flags &= ~PIPV4_EXTRACT_DHCP_ROUTER;
1684 }
1685 if (!c->options.block_ipv6)
1686 {
1688 }
1689
1690 if (buf->len > 0)
1691 {
1692 struct buffer ipbuf = *buf;
1693 if (is_ipv4(TUNNEL_TYPE(c->c1.tuntap), &ipbuf))
1694 {
1695#if PASSTOS_CAPABILITY
1696 /* extract TOS from IP header */
1697 if (flags & PIPV4_PASSTOS)
1698 {
1700 }
1701#endif
1702
1703 /* possibly alter the TCP MSS */
1704 if (flags & PIP_MSSFIX)
1705 {
1706 mss_fixup_ipv4(&ipbuf, c->c2.frame.mss_fix);
1707 }
1708
1709 /* possibly do NAT on packet */
1710 if ((flags & PIPV4_CLIENT_NAT) && c->options.client_nat)
1711 {
1712 const int direction = (flags & PIP_OUTGOING) ? CN_INCOMING : CN_OUTGOING;
1713 client_nat_transform(c->options.client_nat, &ipbuf, direction);
1714 }
1715 /* possibly extract a DHCP router message */
1716 if (flags & PIPV4_EXTRACT_DHCP_ROUTER)
1717 {
1719 if (dhcp_router)
1720 {
1721 route_list_add_vpn_gateway(c->c1.route_list, c->c2.es, dhcp_router);
1722 }
1723 }
1724 }
1725 else if (is_ipv6(TUNNEL_TYPE(c->c1.tuntap), &ipbuf))
1726 {
1727 /* possibly alter the TCP MSS */
1728 if (flags & PIP_MSSFIX)
1729 {
1730 mss_fixup_ipv6(&ipbuf, c->c2.frame.mss_fix);
1731 }
1732 if (!(flags & PIP_OUTGOING)
1734 {
1736 /* Drop the IPv6 packet */
1737 buf->len = 0;
1738 }
1739 }
1740 }
1741}
1742
1743/*
1744 * Input: c->c2.to_link
1745 */
1746
1747void
1749{
1750 struct gc_arena gc = gc_new();
1751 int error_code = 0;
1752
1753 if (c->c2.to_link.len > 0 && c->c2.to_link.len <= c->c2.frame.buf.payload_size)
1754 {
1755 /*
1756 * Setup for call to send/sendto which will send
1757 * packet to remote over the TCP/UDP port.
1758 */
1759 int size = 0;
1761
1762#ifdef ENABLE_DEBUG
1763 /* In gremlin-test mode, we may choose to drop this packet */
1764 if (!c->options.gremlin || ask_gremlin(c->options.gremlin))
1765#endif
1766 {
1767 /*
1768 * Let the traffic shaper know how many bytes
1769 * we wrote.
1770 */
1771 if (c->options.shaper)
1772 {
1773 int overhead =
1774 datagram_overhead(c->c2.to_link_addr->dest.addr.sa.sa_family, sock->info.proto);
1775 shaper_wrote_bytes(&c->c2.shaper, BLEN(&c->c2.to_link) + overhead);
1776 }
1777
1778 /*
1779 * Let the pinger know that we sent a packet.
1780 */
1782 {
1784 }
1785
1786#if PASSTOS_CAPABILITY
1787 /* Set TOS */
1788 link_socket_set_tos(sock);
1789#endif
1790
1791 /* Log packet send */
1792#ifdef LOG_RW
1793 if (c->c2.log_rw)
1794 {
1795 fprintf(stderr, "W");
1796 }
1797#endif
1798 msg(D_LINK_RW, "%s WRITE [%d] to %s: %s",
1799 proto2ascii(sock->info.proto, sock->info.af, true), BLEN(&c->c2.to_link),
1801
1802 /* Packet send complexified by possible Socks5 usage */
1803 {
1804 struct link_socket_actual *to_addr = c->c2.to_link_addr;
1805 int size_delta = 0;
1806
1807 /* If Socks5 over UDP, prepend header */
1808 socks_preprocess_outgoing_link(c, sock, &to_addr, &size_delta);
1809
1810 /* Send packet */
1811 size = (int)link_socket_write(sock, &c->c2.to_link, to_addr);
1812
1813 /* Undo effect of prepend */
1814 link_socket_write_post_size_adjust(&size, size_delta, &c->c2.to_link);
1815 }
1816
1817 if (size > 0)
1818 {
1820 c->c2.link_write_bytes += size;
1822 }
1823 }
1824
1825 /* Check return status */
1826 error_code = openvpn_errno();
1827 check_status(size, "write", sock, NULL);
1828
1829 if (size > 0)
1830 {
1831 /* Did we write a different size packet than we intended? */
1832 if (size != BLEN(&c->c2.to_link))
1833 {
1835 "TCP/UDP packet was truncated/expanded on write to %s (tried=%d,actual=%d)",
1837 }
1838 }
1839
1840 /* if not a ping/control message, indicate activity regarding --inactive parameter */
1841 if (c->c2.buf.len > 0)
1842 {
1843 register_activity(c, size);
1844 }
1845
1846 /* for unreachable network and "connecting" state switch to the next host */
1847
1848 bool unreachable = error_code ==
1849#ifdef _WIN32
1850 WSAENETUNREACH;
1851#else
1852 ENETUNREACH;
1853#endif
1854 if (size < 0 && unreachable && c->c2.tls_multi
1857 {
1858 msg(M_INFO, "Network unreachable, restarting");
1859 register_signal(c->sig, SIGUSR1, "network-unreachable");
1860 }
1861 }
1862 else
1863 {
1864 if (c->c2.to_link.len > 0)
1865 {
1866 msg(D_LINK_ERRORS, "TCP/UDP packet too large on write to %s (tried=%d,max=%d)",
1869 }
1870 }
1871
1872 buf_reset(&c->c2.to_link);
1873
1874 gc_free(&gc);
1875}
1876
1877/*
1878 * Input: c->c2.to_tun
1879 */
1880
1881void
1882process_outgoing_tun(struct context *c, struct link_socket *in_sock)
1883{
1884 /*
1885 * Set up for write() call to TUN/TAP
1886 * device.
1887 */
1888 if (c->c2.to_tun.len <= 0)
1889 {
1890 return;
1891 }
1892
1893 /*
1894 * The --mssfix option requires
1895 * us to examine the IP header (IPv4 or IPv6).
1896 */
1898 &c->c2.to_tun, in_sock);
1899
1900 if (c->c2.to_tun.len <= c->c2.frame.buf.payload_size)
1901 {
1902 /*
1903 * Write to TUN/TAP device.
1904 */
1905 ssize_t size;
1906
1907#ifdef LOG_RW
1908 if (c->c2.log_rw)
1909 {
1910 fprintf(stderr, "w");
1911 }
1912#endif
1913 dmsg(D_TUN_RW, "TUN WRITE [%d]", BLEN(&c->c2.to_tun));
1914
1915#ifdef PACKET_TRUNCATION_CHECK
1916 ipv4_packet_size_verify(BPTR(&c->c2.to_tun), BLEN(&c->c2.to_tun), TUNNEL_TYPE(c->c1.tuntap),
1917 "WRITE_TUN", &c->c2.n_trunc_tun_write);
1918#endif
1919
1920#ifdef _WIN32
1921 size = tun_write_win32(c->c1.tuntap, &c->c2.to_tun);
1922#else
1924 {
1925 size = write_tun_afunix(c->c1.tuntap, BPTR(&c->c2.to_tun), BLEN(&c->c2.to_tun));
1926 }
1927 else
1928 {
1929 size = write_tun(c->c1.tuntap, BPTR(&c->c2.to_tun), BLEN(&c->c2.to_tun));
1930 }
1931#endif
1932
1933 if (size > 0)
1934 {
1935 c->c2.tun_write_bytes += size;
1936 }
1937 check_status(size, "write to TUN/TAP", NULL, c->c1.tuntap);
1938
1939 /* check written packet size */
1940 if (size > 0)
1941 {
1942 /* Did we write a different size packet than we intended? */
1943 if (size != BLEN(&c->c2.to_tun))
1944 {
1946 "TUN/TAP packet was destructively fragmented on write to %s (tried=%d,actual=%zd)",
1947 c->c1.tuntap->actual_name, BLEN(&c->c2.to_tun), size);
1948 }
1949
1950 /* indicate activity regarding --inactive parameter */
1951 register_activity(c, size);
1952 }
1953 }
1954 else
1955 {
1956 /*
1957 * This should never happen, probably indicates some kind
1958 * of MTU mismatch.
1959 */
1960 msg(D_LINK_ERRORS, "tun packet too large on write (tried=%d,max=%d)", c->c2.to_tun.len,
1962 }
1963
1964 buf_reset(&c->c2.to_tun);
1965}
1966
1967void
1969{
1970 /* make sure current time (now) is updated on function entry */
1971
1972 /*
1973 * Start with an effectively infinite timeout, then let it
1974 * reduce to a timeout that reflects the component which
1975 * needs the earliest service.
1976 */
1977 c->c2.timeval.tv_sec = BIG_TIMEOUT;
1978 c->c2.timeval.tv_usec = 0;
1979
1980#if defined(_WIN32)
1982 {
1983 c->c2.timeval.tv_sec = 1;
1984 if (tuntap_defined(c->c1.tuntap))
1985 {
1987 }
1988 }
1989#endif
1990
1991 /* check coarse timers? */
1993 if (c->sig->signal_received)
1994 {
1995 return;
1996 }
1997
1998 /* If tls is enabled, do tls control channel packet processing. */
1999 if (c->c2.tls_multi)
2000 {
2001 check_tls(c);
2002 }
2003
2004 /* In certain cases, TLS errors will require a restart */
2006 if (c->sig->signal_received)
2007 {
2008 return;
2009 }
2010
2011 /* check for incoming control messages on the control channel like
2012 * push request/reply/update, or authentication failure and 2FA messages */
2013 if (tls_test_payload_len(c->c2.tls_multi) > 0)
2014 {
2016 }
2017
2018 /* Should we send an OCC message? */
2020
2021#ifdef ENABLE_FRAGMENT
2022 /* Should we deliver a datagram fragment to remote? */
2023 if (c->c2.fragment)
2024 {
2025 check_fragment(c);
2026 }
2027#endif
2028
2029 /* Update random component of timeout */
2031}
2032
2033void
2034multi_io_process_flags(struct context *c, struct event_set *es, struct link_socket *sock, const unsigned int flags)
2035{
2036 unsigned int socket = 0;
2037 unsigned int tuntap = 0;
2038 static uintptr_t tun_shift = TUN_SHIFT;
2039 static uintptr_t err_shift = ERR_SHIFT;
2040
2041 /*
2042 * Calculate the flags based on the provided 'flags' argument.
2043 */
2044 if ((c->options.mode != MODE_SERVER) && (flags & IOW_WAIT_SIGNAL))
2045 {
2046 wait_signal(es, (void *)err_shift);
2047 }
2048
2049 if (flags & IOW_TO_LINK)
2050 {
2051 if (flags & IOW_SHAPER)
2052 {
2053 /*
2054 * If sending this packet would put us over our traffic shaping
2055 * quota, don't send -- instead compute the delay we must wait
2056 * until it will be OK to send the packet.
2057 */
2058 int delay = 0;
2059
2060 /* set traffic shaping delay in microseconds */
2061 if (c->options.shaper)
2062 {
2063 delay = max_int(delay, shaper_delay(&c->c2.shaper));
2064 }
2065
2066 if (delay < 1000)
2067 {
2068 socket |= EVENT_WRITE;
2069 }
2070 else
2071 {
2072 shaper_soonest_event(&c->c2.timeval, delay);
2073 }
2074 }
2075 else
2076 {
2077 socket |= EVENT_WRITE;
2078 }
2079 }
2080 else if (!((flags & IOW_FRAG) && TO_LINK_FRAG(c)))
2081 {
2082 if (flags & IOW_READ_TUN)
2083 {
2084 tuntap |= EVENT_READ;
2085 }
2086 }
2087
2088 /*
2089 * If outgoing data (for TUN/TAP device) pending, wait for ready-to-send status
2090 * from device. Otherwise, wait for incoming data on TCP/UDP port.
2091 */
2092 if (flags & IOW_TO_TUN)
2093 {
2095 }
2096 else
2097 {
2098 if (flags & IOW_READ_LINK)
2099 {
2100 socket |= EVENT_READ;
2101 }
2102 }
2103
2104 /*
2105 * outgoing bcast buffer waiting to be sent?
2106 */
2107 if (flags & IOW_MBUF)
2108 {
2109 socket |= EVENT_WRITE;
2110 }
2111
2112 /*
2113 * Force wait on TUN input, even if also waiting on TCP/UDP output
2114 */
2115 if (flags & IOW_READ_TUN_FORCE)
2116 {
2117 tuntap |= EVENT_READ;
2118 }
2119
2120 /*
2121 * Configure event wait based on socket, tuntap flags.
2122 * (for TCP server sockets this happens in
2123 * socket_set_listen_persistent()).
2124 */
2125 socket_set(sock, es, socket, &sock->ev_arg, NULL);
2126 tun_set(c->c1.tuntap, es, tuntap, (void *)tun_shift, NULL);
2127}
2128
2129/*
2130 * This is the core I/O wait function, used for all I/O waits.
2131 *
2132 * Invoked by P2P instances in tunnel_point_to_point() or by P2MP
2133 * instances within the per-client context in multi_io.c.
2134 */
2135void
2136io_wait(struct context *c, const unsigned int flags)
2137{
2138 struct event_set_return esr[4];
2139
2140 /* These shifts all depend on EVENT_READ and EVENT_WRITE */
2141 static uintptr_t socket_shift = SOCKET_SHIFT; /* depends on SOCKET_READ and SOCKET_WRITE */
2142#ifdef ENABLE_MANAGEMENT
2143 static uintptr_t management_shift =
2144 MANAGEMENT_SHIFT; /* depends on MANAGEMENT_READ and MANAGEMENT_WRITE */
2145#endif
2146
2147#if defined(TARGET_LINUX) || defined(TARGET_FREEBSD)
2148 static uintptr_t dco_shift = DCO_SHIFT; /* Event from DCO linux kernel module */
2149#endif
2150
2151 /*
2152 * Decide what kind of events we want to wait for.
2153 */
2155
2156 multi_io_process_flags(c, c->c2.event_set, c->c2.link_sockets[0], flags);
2157
2158#if defined(TARGET_LINUX) || defined(TARGET_FREEBSD)
2159 if (c->c1.tuntap)
2160 {
2161 dco_event_set(&c->c1.tuntap->dco, c->c2.event_set, (void *)dco_shift);
2162 }
2163#endif
2164
2165#ifdef ENABLE_MANAGEMENT
2166 if (management)
2167 {
2168 management_socket_set(management, c->c2.event_set, (void *)management_shift, NULL);
2169 }
2170#endif
2171
2172 /*
2173 * Possible scenarios:
2174 * (1) tcp/udp port has data available to read
2175 * (2) tcp/udp port is ready to accept more data to write
2176 * (3) tun dev has data available to read
2177 * (4) tun dev is ready to accept more data to write
2178 * (5) we received a signal (handler sets signal_received)
2179 * (6) timeout (tv) expired
2180 */
2181
2183
2184 if (!c->sig->signal_received)
2185 {
2186 if (!(flags & IOW_CHECK_RESIDUAL) || !sockets_read_residual(c))
2187 {
2188 int status;
2189
2190#ifdef ENABLE_DEBUG
2192 {
2193 show_wait_status(c);
2194 }
2195#endif
2196
2197 /*
2198 * Wait for something to happen.
2199 */
2200 status = event_wait(c->c2.event_set, &c->c2.timeval, esr, SIZE(esr));
2201
2202 check_status(status, "event_wait", NULL, NULL);
2203
2204 if (status > 0)
2205 {
2206 int i;
2207 c->c2.event_set_status = 0;
2208 for (i = 0; i < status; ++i)
2209 {
2210 const struct event_set_return *e = &esr[i];
2211 uintptr_t shift;
2212
2213 if (e->arg >= MULTI_N)
2214 {
2215 struct event_arg *ev_arg = (struct event_arg *)e->arg;
2216 if (ev_arg->type != EVENT_ARG_LINK_SOCKET)
2217 {
2219 msg(D_LINK_ERRORS, "io_work: non socket event delivered");
2220 return;
2221 }
2222
2223 shift = socket_shift;
2224 }
2225 else
2226 {
2227 shift = (uintptr_t)e->arg;
2228 }
2229
2230 c->c2.event_set_status |= ((e->rwflags & 3) << shift);
2231 }
2232 }
2233 else if (status == 0)
2234 {
2236 }
2237 }
2238 else
2239 {
2241 }
2242 }
2243
2244 /* 'now' should always be a reasonably up-to-date timestamp */
2245 update_time();
2246
2247 /* set signal_received if a signal was received */
2248 if (c->c2.event_set_status & ES_ERROR)
2249 {
2251 }
2252
2253 dmsg(D_EVENT_WAIT, "I/O WAIT status=0x%04x", c->c2.event_set_status);
2254}
2255
2256void
2258{
2259 const unsigned int status = c->c2.event_set_status;
2260
2261#ifdef ENABLE_MANAGEMENT
2263 {
2266 }
2267#endif
2268
2269 /* TCP/UDP port ready to accept write */
2270 if (status & SOCKET_WRITE)
2271 {
2273 }
2274 /* TUN device ready to accept write */
2275 else if (status & TUN_WRITE)
2276 {
2278 }
2279 /* Incoming data on TCP/UDP port */
2280 else if (status & SOCKET_READ)
2281 {
2283 if (!IS_SIG(c))
2284 {
2286 }
2287 }
2288 /* Incoming data on TUN device */
2289 else if (status & TUN_READ)
2290 {
2292 if (!IS_SIG(c))
2293 {
2295 }
2296 }
2297 else if (status & DCO_READ)
2298 {
2299 if (!IS_SIG(c))
2300 {
2302 }
2303 }
2304}
void check_send_auth_token(struct context *c)
Checks if the timer to resend the auth-token has expired and if a new auth-token should be send to th...
Definition auth_token.c:436
bool buf_printf(struct buffer *buf, const char *format,...)
Definition buffer.c:246
bool buf_assign(struct buffer *dest, const struct buffer *src)
Definition buffer.c:179
struct buffer alloc_buf_gc(size_t size, struct gc_arena *gc)
Definition buffer.c:88
bool buf_string_match_head_str(const struct buffer *src, const char *match)
Definition buffer.c:782
#define BSTR(buf)
Definition buffer.h:129
#define BPTR(buf)
Definition buffer.h:123
static bool buf_write_prepend(struct buffer *dest, const void *src, int size)
Definition buffer.h:673
static bool buf_copy_n(struct buffer *dest, struct buffer *src, int n)
Definition buffer.h:711
static void buf_reset(struct buffer *buf)
Definition buffer.h:304
static bool buf_safe(const struct buffer *buf, size_t len)
Definition buffer.h:519
static bool buf_advance(struct buffer *buf, ssize_t size)
Definition buffer.h:617
#define BLEN(buf)
Definition buffer.h:126
#define BLENZ(buf)
Definition buffer.h:127
static void gc_free(struct gc_arena *a)
Definition buffer.h:1049
#define buf_init(buf, offset)
Definition buffer.h:210
static struct gc_arena gc_new(void)
Definition buffer.h:1041
void client_nat_transform(const struct client_nat_option_list *list, struct buffer *ipbuf, const int direction)
Definition clinat.c:184
#define CN_INCOMING
Definition clinat.h:31
#define CN_OUTGOING
Definition clinat.h:30
uint64_t counter_type
Definition common.h:31
int interval_t
Definition common.h:37
#define PUSH_REQUEST_INTERVAL
Definition common.h:94
#define BIG_TIMEOUT
Definition common.h:42
int64_t get_random(void)
an analogue to the random() function, but use prng_bytes and also int64_t instead of long to avoid LL...
Definition crypto.c:1737
static void dco_event_set(dco_context_t *dco, struct event_set *es, void *arg)
Definition dco.h:316
static int dco_read_and_process(dco_context_t *dco)
Definition dco.h:309
static bool dco_update_keys(dco_context_t *dco, struct tls_multi *multi)
Definition dco.h:328
void * dco_context_t
Definition dco.h:259
static int dco_get_peer_stats(struct context *c, const bool raise_sigusr1_on_err)
Definition dco.h:375
in_addr_t dhcp_extract_router_msg(struct buffer *ipbuf)
Definition dhcp.c:148
#define D_TUN_RW
Definition errlevel.h:113
#define D_TAP_WIN_DEBUG
Definition errlevel.h:114
#define D_PING
Definition errlevel.h:143
#define D_EVENT_WAIT
Definition errlevel.h:161
#define D_INTERVAL
Definition errlevel.h:157
#define D_STREAM_ERRORS
Definition errlevel.h:62
#define D_DCO_DEBUG
Definition errlevel.h:117
#define D_PUSH_ERRORS
Definition errlevel.h:66
#define D_LOW
Definition errlevel.h:96
#define M_INFO
Definition errlevel.h:54
#define D_SCHED_EXIT
Definition errlevel.h:88
#define D_ROUTE
Definition errlevel.h:79
#define D_LINK_ERRORS
Definition errlevel.h:56
#define D_LINK_RW
Definition errlevel.h:112
#define DCO_READ
Definition event.h:72
#define MANAGEMENT_SHIFT
Definition event.h:68
#define SOCKET_SHIFT
Definition event.h:59
#define TUN_WRITE
Definition event.h:64
#define SOCKET_READ
Definition event.h:60
#define MANAGEMENT_READ
Definition event.h:69
#define MANAGEMENT_WRITE
Definition event.h:70
static int event_wait(struct event_set *es, const struct timeval *tv, struct event_set_return *out, int outlen)
Definition event.h:186
#define ES_ERROR
Definition event.h:66
#define SOCKET_WRITE
Definition event.h:61
#define ES_TIMEOUT
Definition event.h:67
#define EVENT_WRITE
Definition event.h:38
#define MULTI_N
Definition event.h:85
#define TUN_SHIFT
Definition event.h:62
#define EVENT_READ
Definition event.h:37
#define TUN_READ
Definition event.h:63
static void event_reset(struct event_set *es)
Definition event.h:168
static void wait_signal(struct event_set *es, void *arg)
Definition event.h:203
#define DCO_SHIFT
Definition event.h:71
#define ERR_SHIFT
Definition event.h:65
@ EVENT_ARG_LINK_SOCKET
Definition event.h:135
void process_incoming_dco(dco_context_t *dco)
Process an incoming DCO message (from kernel space).
Definition forward.c:1247
counter_type link_write_bytes_global
Definition forward.c:49
static void check_inactivity_timeout(struct context *c)
Definition forward.c:480
void reschedule_multi_process(struct context *c)
Reschedule tls_multi_process.
Definition forward.c:391
int get_server_poll_remaining_time(struct event_timeout *server_poll_timeout)
Definition forward.c:504
bool send_control_channel_string(struct context *c, const char *str, msglvl_t msglevel)
Definition forward.c:398
static void context_reschedule_sec(struct context *c, time_t sec)
Definition forward.c:131
static void check_fragment(struct context *c)
Definition forward.c:572
static void check_tls_errors(struct context *c)
Definition forward.c:98
static void check_scheduled_exit(struct context *c)
Definition forward.c:549
#define MAX_ICMPV6LEN
static void check_session_timeout(struct context *c)
Definition forward.c:708
void process_io(struct context *c, struct link_socket *sock)
Definition forward.c:2257
static void check_timeout_random_component(struct context *c)
Definition forward.c:870
bool schedule_exit(struct context *c)
Definition forward.c:528
static void process_coarse_timers(struct context *c)
Definition forward.c:722
static void check_connection_established(struct context *c)
Definition forward.c:333
static void check_timeout_random_component_dowork(struct context *c)
Definition forward.c:859
static void buffer_turnover(const uint8_t *orig_buf, struct buffer *dest_stub, struct buffer *src_stub, struct buffer *storage)
Definition forward.c:601
static void check_tls_errors_nco(struct context *c)
Definition forward.c:88
void ipv6_send_icmp_unreachable(struct context *c, struct buffer *buf, bool client)
Forges a IPv6 ICMP packet with a no route to host error code from the IPv6 packet in buf and sends it...
Definition forward.c:1537
bool send_control_channel_string_dowork(struct tls_session *session, const char *str, msglvl_t msglevel)
Definition forward.c:370
void pre_select(struct context *c)
Definition forward.c:1968
static void check_incoming_control_channel(struct context *c)
Definition forward.c:283
static void check_add_routes(struct context *c)
Definition forward.c:430
static void check_server_poll_timeout(struct context *c)
Definition forward.c:512
static void parse_incoming_control_channel_command(struct context *c, struct buffer *buf)
Definition forward.c:234
static void socks_postprocess_incoming_link(struct context *c, struct link_socket *sock)
Definition forward.c:888
static void check_push_request(struct context *c)
Definition forward.c:315
static void process_incoming_link(struct context *c, struct link_socket *sock)
Definition forward.c:1203
static void check_tls_errors_co(struct context *c)
Definition forward.c:81
static void socks_preprocess_outgoing_link(struct context *c, struct link_socket *sock, struct link_socket_actual **to_addr, int *size_delta)
Definition forward.c:897
void io_wait(struct context *c, const unsigned int flags)
Definition forward.c:2136
static void link_socket_write_post_size_adjust(int *size, int size_delta, struct buffer *buf)
Definition forward.c:909
static void context_immediate_reschedule(struct context *c)
Definition forward.c:124
static void check_add_routes_action(struct context *c, const bool errors)
Definition forward.c:415
static void drop_if_recursive_routing(struct context *c, struct buffer *buf)
Drops UDP packets which OS decided to route via tun.
Definition forward.c:1364
counter_type link_read_bytes_global
Definition forward.c:48
static void check_coarse_timers(struct context *c)
Definition forward.c:834
void multi_io_process_flags(struct context *c, struct event_set *es, struct link_socket *sock, const unsigned int flags)
Processes I/O flags to configure socket and TUN/TAP event monitors.
Definition forward.c:2034
void check_dco_key_status(struct context *c)
Definition forward.c:145
void process_ip_header(struct context *c, unsigned int flags, struct buffer *buf, struct link_socket *sock)
Definition forward.c:1664
void extract_dco_float_peer_addr(const sa_family_t socket_family, struct openvpn_sockaddr *out_osaddr, const struct sockaddr *float_sa)
Transfers float_sa data extracted from an incoming DCO PEER_FLOAT_NTF to out_osaddr for later process...
Definition forward.c:1213
static void check_tls(struct context *c)
Definition forward.c:178
static void check_status_file(struct context *c)
Definition forward.c:558
Interface functions to the internal and external multiplexers.
#define PIP_MSSFIX
Definition forward.h:338
#define PIPV4_CLIENT_NAT
Definition forward.h:341
static void register_activity(struct context *c, const int64_t size)
Definition forward.h:365
#define IOW_WAIT_SIGNAL
Definition forward.h:63
#define IOW_READ_TUN
Definition forward.h:56
#define PIPV4_EXTRACT_DHCP_ROUTER
Definition forward.h:340
#define PIPV6_ICMP_NOHOST_SERVER
Definition forward.h:343
#define PIPV6_ICMP_NOHOST_CLIENT
Definition forward.h:342
#define IOW_SHAPER
Definition forward.h:58
#define IOW_FRAG
Definition forward.h:60
#define IOW_MBUF
Definition forward.h:61
static struct link_socket_info * get_link_socket_info(struct context *c)
Definition forward.h:352
#define IOW_READ_LINK
Definition forward.h:57
#define IOW_CHECK_RESIDUAL
Definition forward.h:59
#define TO_LINK_FRAG(c)
Definition forward.h:42
static bool connection_established(struct context *c)
Definition forward.h:399
#define IOW_TO_TUN
Definition forward.h:54
#define PIPV4_PASSTOS
Definition forward.h:337
#define IOW_READ_TUN_FORCE
Definition forward.h:62
#define PIP_OUTGOING
Definition forward.h:339
#define IOW_TO_LINK
Definition forward.h:55
#define KS_PRIMARY
Primary key state index.
Definition ssl_common.h:464
#define TM_ACTIVE
Active tls_session.
Definition ssl_common.h:544
void encrypt_sign(struct context *c, bool comp_frag)
Process a data channel packet that will be sent through a VPN tunnel.
Definition forward.c:621
void tls_post_encrypt(struct tls_multi *multi, struct buffer *buf)
Perform some accounting for the key state used.
Definition ssl.c:4025
void openvpn_encrypt(struct buffer *buf, struct buffer work, struct crypto_options *opt)
Encrypt and HMAC sign a packet so that it can be sent as a data channel VPN tunnel packet to a remote...
Definition crypto.c:329
void tls_prepend_opcode_v1(const struct tls_multi *multi, struct buffer *buf)
Prepend a one-byte OpenVPN data channel P_DATA_V1 opcode to the packet.
Definition ssl.c:3997
void tls_pre_encrypt(struct tls_multi *multi, struct buffer *buf, struct crypto_options **opt)
Choose the appropriate security parameters with which to process an outgoing packet.
Definition ssl.c:3965
void tls_prepend_opcode_v2(const struct tls_multi *multi, struct buffer *buf)
Prepend an OpenVPN data channel P_DATA_V2 header to the packet.
Definition ssl.c:4011
bool openvpn_decrypt(struct buffer *buf, struct buffer work, struct crypto_options *opt, const struct frame *frame, const uint8_t *ad_start)
HMAC verify and decrypt a data channel packet received from a remote OpenVPN peer.
Definition crypto.c:779
bool process_incoming_link_part1(struct context *c, struct link_socket_info *lsi, bool floated)
Starts processing a packet read from the external network interface.
Definition forward.c:987
void process_incoming_link_part2(struct context *c, struct link_socket_info *lsi, const uint8_t *orig_buf)
Continues processing a packet read from the external network interface.
Definition forward.c:1120
void process_outgoing_link(struct context *c, struct link_socket *sock)
Write a packet to the external network interface.
Definition forward.c:1748
void read_incoming_link(struct context *c, struct link_socket *sock)
Read a packet from the external network interface.
Definition forward.c:926
bool tls_pre_decrypt(struct tls_multi *multi, const struct link_socket_actual *from, struct buffer *buf, struct crypto_options **opt, bool floated, const uint8_t **ad_start)
Determine whether an incoming packet is a data channel or control channel packet, and process accordi...
Definition ssl.c:3587
static void fragment_housekeeping(struct fragment_master *f, struct frame *frame, struct timeval *tv)
Perform housekeeping of a fragment_master structure.
Definition fragment.h:456
static bool fragment_outgoing_defined(struct fragment_master *f)
Check whether a fragment_master structure contains fragments ready to be sent.
Definition fragment.h:428
void fragment_outgoing(struct fragment_master *f, struct buffer *buf, const struct frame *frame)
Process an outgoing packet, which may or may not need to be fragmented.
Definition fragment.c:313
void fragment_incoming(struct fragment_master *f, struct buffer *buf, const struct frame *frame)
Process an incoming packet, which may or may not be fragmented.
Definition fragment.c:139
bool fragment_ready_to_send(struct fragment_master *f, struct buffer *buf, const struct frame *frame)
Check whether outgoing fragments are ready to be send, and if so make one available.
Definition fragment.c:363
void read_incoming_tun(struct context *c)
Read a packet from the virtual tun/tap network interface.
Definition forward.c:1300
void process_incoming_tun(struct context *c, struct link_socket *out_sock)
Process a packet read from the virtual tun/tap network interface.
Definition forward.c:1479
void process_outgoing_tun(struct context *c, struct link_socket *in_sock)
Write a packet to the virtual tun/tap network interface.
Definition forward.c:1882
void initialization_sequence_completed(struct context *c, const unsigned int flags)
Definition init.c:1538
void reset_coarse_timers(struct context *c)
Definition init.c:1306
bool do_up(struct context *c, bool pulled_options, uint64_t option_types_found)
Definition init.c:2342
bool do_route(const struct options *options, struct route_list *route_list, struct route_ipv6_list *route_ipv6_list, const struct tuntap *tt, const struct plugin_list *plugins, struct env_set *es, openvpn_net_ctx_t *ctx)
Definition init.c:1659
#define ISC_ERRORS
Definition init.h:120
#define ISC_ROUTE_ERRORS
Definition init.h:122
static int min_int(int x, int y)
Definition integer.h:105
static int max_int(int x, int y)
Definition integer.h:92
static SERVICE_STATUS status
Definition interactive.c:52
bool event_timeout_trigger(struct event_timeout *et, struct timeval *tv, const int et_const_retry)
This is the principal function for testing and triggering recurring timers.
Definition interval.c:42
#define ETT_DEFAULT
Definition interval.h:222
static void interval_future_trigger(struct interval *top, interval_t wakeup)
Definition interval.h:106
static void event_timeout_reset(struct event_timeout *et)
Resets a timer.
Definition interval.h:187
static void interval_action(struct interval *top)
Definition interval.h:122
static bool event_timeout_defined(const struct event_timeout *et)
Definition interval.h:142
static void event_timeout_init(struct event_timeout *et, interval_t n, const time_t last)
Initialises a timer struct.
Definition interval.h:172
static void event_timeout_clear(struct event_timeout *et)
Clears the timeout and reset all values to 0.
Definition interval.h:153
static void interval_schedule_wakeup(struct interval *top, interval_t *wakeup)
Definition interval.h:92
static void event_timeout_modify_wakeup(struct event_timeout *et, interval_t n)
Sets the interval n of a timeout.
Definition interval.h:204
static bool interval_test(struct interval *top)
Definition interval.h:65
static interval_t event_timeout_remaining(struct event_timeout *et)
Returns the time until the timeout should triggered, from now.
Definition interval.h:217
void management_socket_set(struct management *man, struct event_set *es, void *arg, unsigned int *persistent)
Definition manage.c:3247
void management_set_state(struct management *man, const int state, const char *detail, const in_addr_t *tun_local_ip, const struct in6_addr *tun_local_ip6, const struct openvpn_sockaddr *local, const struct openvpn_sockaddr *remote)
Definition manage.c:2884
void management_io(struct management *man)
Definition manage.c:3285
void management_check_bytecount_client(struct context *c, struct management *man, struct timeval *timeval)
Definition manage.c:4264
void management_sleep(const int n)
A sleep function that services the management layer for n seconds rather than doing nothing.
Definition manage.c:4240
#define OPENVPN_STATE_GET_CONFIG
Definition manage.h:461
const char * sanitize_control_message(const char *src, struct gc_arena *gc)
Definition misc.c:660
void mss_fixup_ipv6(struct buffer *buf, uint16_t maxmss)
Definition mss.c:83
void mss_fixup_ipv4(struct buffer *buf, uint16_t maxmss)
Definition mss.c:46
void frame_adjust_path_mtu(struct context *c)
Checks and adjusts the fragment and mssfix value according to the discovered path mtu value.
Definition mss.c:336
void process_received_occ_msg(struct context *c)
Definition occ.c:360
static void check_send_occ_msg(struct context *c)
Definition occ.h:138
static bool is_occ_msg(const struct buffer *buf)
Definition occ.h:83
static void check_send_occ_req(struct context *c)
Definition occ.h:110
static void check_send_occ_load_test(struct context *c)
Definition occ.h:124
#define CLEAR(x)
Definition basic.h:32
#define SIZE(x)
Definition basic.h:29
static bool check_debug_level(msglvl_t level)
Definition error.h:251
#define M_NOPREFIX
Definition error.h:98
static void check_status(ssize_t status, const char *description, struct link_socket *sock, struct tuntap *tt)
Definition error.h:306
#define dmsg(flags,...)
Definition error.h:172
#define openvpn_errno()
Definition error.h:71
#define msg(flags,...)
Definition error.h:152
unsigned int msglvl_t
Definition error.h:77
#define ASSERT(x)
Definition error.h:219
#define M_WARN
Definition error.h:92
#define TLS_MODE(c)
Definition openvpn.h:539
#define PROTO_DUMP(buf, gc)
Definition openvpn.h:541
#define MODE_POINT_TO_POINT
Definition options.h:262
#define MODE_SERVER
Definition options.h:263
static bool dco_enabled(const struct options *o)
Returns whether the current configuration has dco enabled.
Definition options.h:987
time_t now
Definition otime.c:33
const char * tv_string(const struct timeval *tv, struct gc_arena *gc)
Definition otime.c:83
static void update_time(void)
Definition otime.h:84
long tv_sec_t
Definition otime.h:31
static void tv_add(struct timeval *dest, const struct timeval *src)
Definition otime.h:140
@ OVPN_DEL_PEER_REASON_EXPIRED
@ OVPN_CMD_SWAP_KEYS
@ OVPN_CMD_DEL_PEER
void packet_id_persist_save(struct packet_id_persist *p)
Definition packet_id.c:508
static bool packet_id_persist_enabled(const struct packet_id_persist *p)
Definition packet_id.h:278
void trigger_ping_timeout_signal(struct context *c)
Trigger the correct signal on a –ping timeout depending if –ping-exit is set (SIGTERM) or not (SIGUSR...
Definition ping.c:45
static void check_ping_restart(struct context *c)
Definition ping.h:59
static bool is_ping_msg(const struct buffer *buf)
Definition ping.h:40
static void check_ping_send(struct context *c)
Definition ping.h:76
bool is_ipv4(int tunnel_type, struct buffer *buf)
Definition proto.c:108
bool is_ipv6(int tunnel_type, struct buffer *buf)
Definition proto.c:113
uint16_t ip_checksum(const sa_family_t af, const uint8_t *payload, const int len_payload, const uint8_t *src_addr, const uint8_t *dest_addr, const int proto)
Calculates an IP or IPv6 checksum with a pseudo header as required by TCP, UDP and ICMPv6.
Definition proto.c:120
#define OPENVPN_IPH_GET_LEN(v)
Definition proto.h:92
static int get_tun_ip_ver(int tunnel_type, struct buffer *buf, int *ip_hdr_offset)
Definition proto.h:251
#define DEV_TYPE_TAP
Definition proto.h:36
#define OPENVPN_ETH_ALEN
Definition proto.h:52
#define OPENVPN_ETH_P_IPV6
Definition proto.h:59
#define OPENVPN_IPPROTO_ICMPV6
Definition proto.h:107
#define OPENVPN_IN6_ARE_ADDR_EQUAL(a, b)
Version of IN6_ARE_ADDR_EQUAL that is guaranteed to work for unaligned access.
Definition proto.h:87
#define OPENVPN_IPPROTO_UDP
Definition proto.h:106
#define OPENVPN_ICMP6_DESTINATION_UNREACHABLE
Definition proto.h:136
#define OPENVPN_IPPROTO_TCP
Definition proto.h:105
#define OPENVPN_ICMP6_DU_NOROUTE
Definition proto.h:144
void receive_auth_pending(struct context *c, const struct buffer *buffer)
Parses an AUTH_PENDING message and if in pull mode extends the timeout.
Definition push.c:336
void receive_auth_failed(struct context *c, const struct buffer *buffer)
Definition push.c:48
void server_pushed_signal(struct context *c, const struct buffer *buffer, const bool restart, const int adv)
Definition push.c:128
void receive_cr_response(struct context *c, const struct buffer *buffer)
Definition push.c:263
void send_auth_failed(struct context *c, const char *client_reason)
Definition push.c:393
void receive_exit_message(struct context *c)
Definition push.c:189
bool send_push_request(struct context *c)
Definition push.c:571
void incoming_push_message(struct context *c, const struct buffer *buffer)
Definition push.c:505
void server_pushed_info(const struct buffer *buffer, const int adv)
Definition push.c:225
bool test_routes(const struct route_list *rl, const struct tuntap *tt)
Definition route.c:2438
void route_list_add_vpn_gateway(struct route_list *rl, struct env_set *es, const in_addr_t addr)
Definition route.c:537
void show_routes(msglvl_t msglevel)
Definition route.c:3065
bool shaper_soonest_event(struct timeval *tv, int delay)
Definition shaper.c:36
static void shaper_wrote_bytes(struct shaper *s, int nbytes)
Definition shaper.h:121
static int shaper_delay(struct shaper *s)
Definition shaper.h:96
void print_status(struct context *c, struct status_output *so)
Definition sig.c:478
void process_explicit_exit_notification_timer_wakeup(struct context *c)
Definition sig.c:563
void register_signal(struct signal_info *si, int signum, const char *signal_text)
Register a soft signal in the signal_info struct si respecting priority.
Definition sig.c:228
#define IS_SIG(c)
Definition sig.h:47
static void get_signal(volatile int *sig)
Copy the global signal_received (if non-zero) to the passed-in argument sig.
Definition sig.h:109
const char * socket_stat(const struct link_socket *s, unsigned int rwflags, struct gc_arena *gc)
Definition socket.c:2029
int sockethandle_finalize(sockethandle_t sh, struct overlapped_io *io, struct buffer *buf, struct link_socket_actual *from)
Definition socket.c:2846
unsigned int socket_set(struct link_socket *s, struct event_set *es, unsigned int rwflags, void *arg, unsigned int *persistent)
Definition socket.c:2939
void link_socket_bad_incoming_addr(struct buffer *buf, const struct link_socket_info *info, const struct link_socket_actual *from_addr)
Definition socket.c:1929
bool sockets_read_residual(const struct context *c)
Definition socket.c:45
static ssize_t link_socket_write(struct link_socket *sock, struct buffer *buf, struct link_socket_actual *to)
Definition socket.h:735
static bool link_socket_connection_oriented(const struct link_socket *sock)
Definition socket.h:427
static bool socket_connection_reset(const struct link_socket *sock, int status)
Definition socket.h:462
static bool link_socket_verify_incoming_addr(struct buffer *buf, const struct link_socket_info *info, const struct link_socket_actual *from_addr)
Definition socket.h:485
static void link_socket_set_outgoing_addr(struct link_socket_info *info, const struct link_socket_actual *act, const char *common_name, struct env_set *es)
Definition socket.h:532
static int link_socket_read(struct link_socket *sock, struct buffer *buf, struct link_socket_actual *from)
Definition socket.h:616
static void link_socket_get_outgoing_addr(struct buffer *buf, const struct link_socket_info *info, struct link_socket_actual **act)
Definition socket.h:512
const char * proto2ascii(int proto, sa_family_t af, bool display_form)
const char * print_link_socket_actual(const struct link_socket_actual *act, struct gc_arena *gc)
const char * print_in6_addr(struct in6_addr a6, unsigned int flags, struct gc_arena *gc)
const char * print_in_addr_t(in_addr_t addr, unsigned int flags, struct gc_arena *gc)
static bool link_socket_actual_defined(const struct link_socket_actual *act)
static int datagram_overhead(sa_family_t af, int proto)
@ PROTO_UDP
@ PROTO_TCP
#define IA_NET_ORDER
Definition socket_util.h:90
int socks_process_outgoing_udp(struct buffer *buf, const struct link_socket_actual *to)
Definition socks.c:484
void socks_process_incoming_udp(struct buffer *buf, struct link_socket_actual *from)
Definition socks.c:446
bool tls_send_payload(struct key_state *ks, const uint8_t *data, size_t size)
Definition ssl.c:4045
bool tls_rec_payload(struct tls_multi *multi, struct buffer *buf)
Definition ssl.c:4078
void tls_session_soft_reset(struct tls_multi *tls_multi)
Definition ssl.c:1772
int tls_multi_process(struct tls_multi *multi, struct buffer *to_link, struct link_socket_actual **to_link_addr, struct link_socket_info *to_link_socket_info, interval_t *wakeup)
Definition ssl.c:3228
#define TLSMP_RECONNECT
Definition ssl.h:232
#define TLSMP_ACTIVE
Definition ssl.h:230
static bool tls_initial_packet_received(const struct tls_multi *multi)
Definition ssl.h:490
static void tls_set_single_session(struct tls_multi *multi)
Definition ssl.h:510
#define TLSMP_KILL
Definition ssl.h:231
static int tls_test_payload_len(const struct tls_multi *multi)
Definition ssl.h:496
@ CAS_CONNECT_DONE
Definition ssl_common.h:593
struct buffer extract_command_buffer(struct buffer *buf, struct gc_arena *gc)
Extracts a control channel message from buf and adjusts the size of buf after the message has been ex...
Definition ssl_pkt.c:565
#define P_DATA_V1
Definition ssl_pkt.h:47
#define P_OPCODE_SHIFT
Definition ssl_pkt.h:39
Control Channel Verification Module.
Wrapper structure for dynamically allocated memory.
Definition buffer.h:60
uint8_t * data
Pointer to the allocated memory.
Definition buffer.h:67
int len
Length in bytes of the actual content within the allocated memory.
Definition buffer.h:65
int mssfix
Definition options.h:144
int connect_timeout
Definition options.h:121
struct status_output * status_output
Definition openvpn.h:185
struct route_list * route_list
List of routing information.
Definition openvpn.h:177
struct route_ipv6_list * route_ipv6_list
Definition openvpn.h:182
struct packet_id_persist pid_persist
Definition openvpn.h:170
struct tuntap * tuntap
Tun/tap virtual network interface.
Definition openvpn.h:172
counter_type link_read_bytes
Definition openvpn.h:266
counter_type link_write_bytes
Definition openvpn.h:269
struct event_timeout server_poll_interval
Definition openvpn.h:408
int max_recv_size_local
Definition openvpn.h:308
struct fragment_master * fragment
Definition openvpn.h:252
time_t update_timeout_random_component
Definition openvpn.h:403
unsigned int event_set_status
Definition openvpn.h:235
counter_type dco_read_bytes
Definition openvpn.h:267
struct event_timeout route_wakeup_expire
Definition openvpn.h:384
struct event_timeout ping_send_interval
Definition openvpn.h:283
int max_send_size_local
Definition openvpn.h:310
struct timeval timeout_random_component
Definition openvpn.h:404
counter_type tun_read_bytes
Definition openvpn.h:264
counter_type dco_write_bytes
Definition openvpn.h:270
struct event_timeout scheduled_exit
Definition openvpn.h:444
struct env_set * es
Definition openvpn.h:420
struct interval tmp_int
Definition openvpn.h:344
struct event_timeout auth_token_renewal_interval
Definition openvpn.h:293
struct event_timeout wait_for_connect
Definition openvpn.h:282
struct shaper shaper
Definition openvpn.h:259
struct event_timeout push_request_interval
Definition openvpn.h:436
struct tls_multi * tls_multi
TLS state structure for this VPN tunnel.
Definition openvpn.h:323
time_t coarse_timer_wakeup
Definition openvpn.h:399
int scheduled_exit_signal
Definition openvpn.h:445
struct frame frame
Definition openvpn.h:248
struct link_socket_actual from
Definition openvpn.h:245
struct frame frame_fragment
Definition openvpn.h:253
struct buffer to_link
Definition openvpn.h:377
int64_t inactivity_bytes
Definition openvpn.h:288
struct crypto_options crypto_options
Security parameters and crypto state used by the Data Channel Crypto module to process data channel p...
Definition openvpn.h:349
struct buffer to_tun
Definition openvpn.h:376
counter_type tun_write_bytes
Definition openvpn.h:265
struct link_socket ** link_sockets
Definition openvpn.h:237
counter_type link_read_bytes_auth
Definition openvpn.h:268
struct event_timeout packet_id_persist_interval
Definition openvpn.h:355
struct link_socket_actual * to_link_addr
Definition openvpn.h:244
struct event_timeout session_interval
Definition openvpn.h:290
int original_recv_size
Definition openvpn.h:307
struct buffer buf
Definition openvpn.h:375
struct timeval timeval
Time to next event of timers and similar.
Definition openvpn.h:396
time_t explicit_exit_notification_time_wait
Definition openvpn.h:416
bool log_rw
Definition openvpn.h:380
struct event_set * event_set
Definition openvpn.h:230
struct context_buffers * buffers
Definition openvpn.h:367
struct event_timeout route_wakeup
Definition openvpn.h:383
int tls_exit_signal
Definition openvpn.h:347
struct event_timeout inactivity_interval
Definition openvpn.h:287
struct event_timeout ping_rec_interval
Definition openvpn.h:284
struct buffer read_link_buf
Definition openvpn.h:113
struct buffer encrypt_buf
Definition openvpn.h:100
struct buffer read_tun_buf
Definition openvpn.h:114
struct buffer decrypt_buf
Definition openvpn.h:101
int restart_sleep_seconds
Definition openvpn.h:122
Contains all state information for one tunnel.
Definition openvpn.h:471
struct signal_info * sig
Internal error signaling object.
Definition openvpn.h:500
openvpn_net_ctx_t net_ctx
Networking API opaque context.
Definition openvpn.h:498
struct plugin_list * plugins
List of plug-ins.
Definition openvpn.h:502
struct context_2 c2
Level 2 context.
Definition openvpn.h:514
struct options options
Options loaded from command line or configuration file.
Definition openvpn.h:472
struct context_1 c1
Level 1 context.
Definition openvpn.h:513
struct context_persist persist
Persistent context.
Definition openvpn.h:510
Security parameter state for processing data channel packets.
Definition crypto.h:293
struct link_socket * sock
Definition event.h:145
event_arg_t type
Definition event.h:141
unsigned int rwflags
Definition event.h:123
interval_t n
periodic interval for periodic timeouts
Definition interval.h:137
int tun_mtu
the (user) configured tun-mtu.
Definition mtu.h:147
int payload_size
the maximum size that a payload that our buffers can hold from either tun device or network link.
Definition mtu.h:118
int headroom
the headroom in the buffer, this is choosen to allow all potential header to be added before the pack...
Definition mtu.h:124
struct frame::@8 buf
Garbage collection arena used to keep track of dynamically allocated memory.
Definition buffer.h:116
Security parameter state of one TLS and data channel key session.
Definition ssl_common.h:208
uint8_t dest[OPENVPN_ETH_ALEN]
Definition proto.h:55
uint16_t proto
Definition proto.h:62
uint8_t source[OPENVPN_ETH_ALEN]
Definition proto.h:56
uint8_t icmp6_type
Definition proto.h:143
uint16_t icmp6_cksum
Definition proto.h:147
uint8_t icmp6_code
Definition proto.h:146
uint32_t saddr
Definition proto.h:111
uint32_t daddr
Definition proto.h:112
uint8_t protocol
Definition proto.h:108
uint8_t version_len
Definition proto.h:93
uint8_t version_prio
Definition proto.h:121
struct in6_addr saddr
Definition proto.h:127
struct in6_addr daddr
Definition proto.h:128
uint8_t nexthdr
Definition proto.h:124
uint16_t payload_len
Definition proto.h:123
union openvpn_sockaddr::@27 addr
struct sockaddr sa
Definition socket_util.h:42
struct sockaddr_in in4
Definition socket_util.h:43
struct sockaddr_in6 in6
Definition socket_util.h:44
const char * ifconfig_ipv6_remote
Definition options.h:329
int scheduled_exit_interval
Definition options.h:563
int shaper
Definition options.h:332
bool allow_recursive_routing
Definition options.h:715
int64_t inactivity_minimum_bytes
Definition options.h:344
int inactivity_timeout
Definition options.h:343
struct connection_entry ce
Definition options.h:292
int mode
Definition options.h:264
bool block_ipv6
Definition options.h:434
int ping_rec_timeout
Definition options.h:349
int ping_send_timeout
Definition options.h:348
bool route_gateway_via_dhcp
Definition options.h:436
struct client_nat_option_list * client_nat
Definition options.h:438
int session_timeout
Definition options.h:346
volatile int signal_received
Definition sig.h:42
bool is_handle
Definition socket.h:280
struct event_timeout et
Definition status.h:62
int n_hard_errors
Definition ssl_common.h:637
enum multi_status multi_state
Definition ssl_common.h:632
struct tls_session session[TM_SIZE]
Array of tls_session objects representing control channel sessions with the remote peer.
Definition ssl_common.h:711
char * client_reason
An error message to send to client on AUTH_FAILED.
Definition ssl_common.h:666
bool use_peer_id
Definition ssl_common.h:700
int dco_peer_id
This is the handle that DCO uses to identify this session with the kernel.
Definition ssl_common.h:723
int n_soft_errors
Definition ssl_common.h:638
Security parameter state of a single session within a VPN tunnel.
Definition ssl_common.h:489
Definition tun.h:181
enum tun_driver_type backend_driver
The backend driver that used for this tun/tap device.
Definition tun.h:191
HANDLE hand
Definition tun.h:216
struct overlapped_io reads
Definition tun.h:219
dco_context_t dco
Definition tun.h:247
char * actual_name
Definition tun.h:205
#define SIGHUP
Definition syshead.h:55
unsigned short sa_family_t
Definition syshead.h:409
#define SIGTERM
Definition syshead.h:59
#define SIGUSR1
Definition syshead.h:57
uint32_t in_addr_t
Definition syshead.h:52
struct env_set * es
struct gc_arena gc
Definition test_ssl.c:133
void tun_show_debug(struct tuntap *tt)
Definition tun.c:6051
const char * tun_stat(const struct tuntap *tt, unsigned int rwflags, struct gc_arena *gc)
Definition tun.c:731
int tun_write_win32(struct tuntap *tt, struct buffer *buf)
Definition tun.c:3378
bool tun_standby(struct tuntap *tt)
Definition tun.c:5310
void show_adapters(msglvl_t msglevel)
Definition tun.c:4652
ssize_t write_tun(struct tuntap *tt, uint8_t *buf, int len)
static bool tuntap_abort(int status)
Definition tun.h:490
ssize_t read_tun(struct tuntap *tt, uint8_t *buf, int len)
#define TUNNEL_TYPE(tt)
Definition tun.h:182
static bool tuntap_defined(const struct tuntap *tt)
Definition tun.h:252
@ DRIVER_AFUNIX
using an AF_UNIX socket to pass packets from/to an external program.
Definition tun.h:51
static void tun_set(struct tuntap *tt, struct event_set *es, unsigned int rwflags, void *arg, unsigned int *persistent)
Definition tun.h:598
static bool tuntap_is_dco_win_timeout(struct tuntap *tt, int status)
Definition tun.h:538
static bool tuntap_stop(int status)
Definition tun.h:476
ssize_t read_tun_afunix(struct tuntap *tt, uint8_t *buf, int len)
Reads a packet from a AF_UNIX based tun device.
Definition tun_afunix.c:161
ssize_t write_tun_afunix(struct tuntap *tt, uint8_t *buf, int len)
Writes a packet to a AF_UNIX based tun device.
Definition tun_afunix.c:148