1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single TCP/UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. <sales@openvpn.net>
9  *
10  * This program is free software; you can redistribute it and/or modify
11  * it under the terms of the GNU General Public License version 2
12  * as published by the Free Software Foundation.
13  *
14  * This program is distributed in the hope that it will be useful,
15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17  * GNU General Public License for more details.
18  *
19  * You should have received a copy of the GNU General Public License along
20  * with this program; if not, write to the Free Software Foundation, Inc.,
21  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22  */
23 
24 #ifndef OPENVPN_H
25 #define OPENVPN_H
26 
27 #include "buffer.h"
28 #include "options.h"
29 #include "socket.h"
30 #include "crypto.h"
31 #include "ssl.h"
32 #include "packet_id.h"
33 #include "comp.h"
34 #include "tun.h"
35 #include "interval.h"
36 #include "status.h"
37 #include "fragment.h"
38 #include "shaper.h"
39 #include "route.h"
40 #include "proxy.h"
41 #include "socks.h"
42 #include "sig.h"
43 #include "misc.h"
44 #include "mbuf.h"
45 #include "pool.h"
46 #include "plugin.h"
47 #include "manage.h"
48 #include "pf.h"
49 
/*
 * Our global key schedules, packaged thusly
 * to facilitate --persist-key.
 *
 * Everything in here is long-lived key material or a handle to it;
 * it lives in the level-1 context (see struct context_1::ks) so that
 * it can survive a restart when --persist-key is in effect.
 */
{
#ifdef ENABLE_CRYPTO
    /* which cipher, HMAC digest, and key sizes are we using? */

    /* pre-shared static key, read from a file */
    /* NOTE(review): raw secret key material lives here; confirm the
     * teardown path wipes it rather than merely freeing the context. */

    /* our global SSL context */

    /* optional TLS control channel wrapping (--tls-auth key type and key) */
#else /* ENABLE_CRYPTO */
    /* placeholder only: an empty struct is not valid ISO C */
    int dummy;
#endif /* ENABLE_CRYPTO */
};
74 
/*
 * struct packet_id_persist should be empty if we are not
 * building with crypto.
 *
 * Fallback definitions used when packet_id.h has not been included:
 * the struct only needs to exist, and the init helper is a deliberate
 * no-op so that callers can invoke it unconditionally without their
 * own #ifdef ENABLE_CRYPTO.
 */
#ifndef PACKET_ID_H
{
    int dummy; /* keeps the struct non-empty (empty structs are not ISO C) */
};
static inline void
{
    /* intentionally empty: nothing to initialise without crypto */
}
#endif
89 
/*
 * Packet processing buffers.
 *
 * This is the backing storage for a tunnel's packet buffers; the
 * buf/to_tun/to_link members of struct context_2 are views into these
 * and do not own memory themselves.  Note that read_link_buf is filled
 * straight from the network socket, so its contents must be treated as
 * untrusted until the crypto layer has authenticated them.
 */
{
    /* miscellaneous buffer, used by ping, occ, etc. */
    struct buffer aux_buf;

    /* workspace buffers used by crypto routines */
#ifdef ENABLE_CRYPTO
    struct buffer encrypt_buf;
    struct buffer decrypt_buf;
#endif

    /* workspace buffers for compression */
#ifdef USE_COMP
    struct buffer compress_buf;
    struct buffer decompress_buf;
#endif

    /*
     * Buffers used to read from TUN device
     * and TCP/UDP port.
     */
    struct buffer read_link_buf; /* raw datagram/stream data from the remote side */
    struct buffer read_tun_buf;  /* raw packets from the local tun/tap device */
};
117 
/*
 * always-persistent context variables
 *
 * State that is never reset by any restart (SIGHUP or SIGUSR1), unlike
 * the level-1 and level-2 contexts below.
 */
{
};
125 
126 
127 /**************************************************************************/
/*
 * Level 0 context: information related to the OpenVPN process as a
 * whole rather than to one tunnel.  Held by pointer from struct context.
 */
struct context_0
{
    /* workspace for --user/--group */
    /* helper which tells us whether we should keep trying to drop privileges
     * (NOTE(review): privilege dropping is one-shot per process; confirm the
     * flag is never reset in a way that would retry after a partial drop) */
};
145 
146 
/*
 * Level 1 context: state that persists across SIGUSR1 restarts.
 * Anything placed here outlives a single session of the tunnel.
 */
struct context_1
{
    /* tunnel session keys */
    struct key_schedule ks;

    /* preresolved and cached host names */

    /* persist crypto sequence number to/from file
     * (NOTE(review): presumably the replay-protection packet-id state,
     * saved so a restart cannot reuse sequence numbers -- confirm in packet_id.c) */
    struct packet_id_persist pid_persist;

    /* tun/tap virtual network interface */
    struct tuntap *tuntap;
    /* list of --route-ipv6 directives */

    /* --status file */

    /* HTTP proxy object */

    /* SOCKS proxy object */

#if P2MP

#if P2MP_SERVER
    /* persist --ifconfig-pool db to file */
#endif

    /* if client mode, hash of option strings we pulled from server;
     * this copy survives a SIGUSR1 restart, presumably so the options
     * pushed by the new session can be compared with the previous ones */
    struct sha256_digest pulled_options_digest_save;
    /* data channel cipher, auth digest and key size as given in the config file */
    const char *ciphername;
    const char *authname;
    int keysize;
#endif
};
218 
/*
 * Level 2 context: state that is reset on both SIGHUP and SIGUSR1
 * restarts, i.e. everything tied to one session of the tunnel.
 */
struct context_2
{
    struct gc_arena gc; /* tracks dynamic allocations owned by this level */
    /* our global wait events */

    /* event flags returned by io_wait (event_set_status below is
     * presumably an OR of these bits) */
#define SOCKET_READ (1<<0)
#define SOCKET_WRITE (1<<1)
#define TUN_READ (1<<2)
#define TUN_WRITE (1<<3)
#define ES_ERROR (1<<4)
#define ES_TIMEOUT (1<<5)
#ifdef ENABLE_MANAGEMENT
#define MANAGEMENT_READ (1<<6)
#define MANAGEMENT_WRITE (1<<7)
#endif
#ifdef ENABLE_ASYNC_PUSH
#define FILE_CLOSED (1<<8)
#endif

    unsigned int event_set_status;

    struct link_socket *link_socket; /* socket used for TCP/UDP connection to remote */
    const struct link_socket *accept_from; /* possibly do accept() on a parent link_socket */

    struct link_socket_actual *to_link_addr; /* IP address of remote */
    struct link_socket_actual from; /* address of incoming datagram */
    /* NOTE(review): `from` is whatever source address the last datagram
     * carried; over UDP that is trivially spoofable, so it should only be
     * used to identify the peer once the packet has authenticated --
     * confirm the receive path enforces this. */

    /* MTU frame parameters */
    struct frame frame; /* Active frame parameters */
    struct frame frame_initial; /* Restored on new session */

#ifdef ENABLE_FRAGMENT
    /* Object to handle advanced MTU negotiation and datagram fragmentation */
    struct frame frame_fragment;
    struct frame frame_fragment_omit;
#endif

#ifdef ENABLE_FEATURE_SHAPER
    /*
     * Traffic shaper object.
     */
    struct shaper shaper;
#endif

    /*
     * Statistics
     */
#ifdef PACKET_TRUNCATION_CHECK
    /* counts of packets that were truncated at each processing stage */
    counter_type n_trunc_tun_read;
    counter_type n_trunc_tun_write;
    counter_type n_trunc_pre_encrypt;
    counter_type n_trunc_post_decrypt;
#endif

    /*
     * Timer objects for ping and inactivity
     * timeout features.
     */
    struct event_timeout wait_for_connect;
    struct event_timeout ping_send_interval;
    struct event_timeout ping_rec_interval;

    /* --inactive */
    struct event_timeout inactivity_interval;

#ifdef ENABLE_OCC
    /* the option strings must match across peers */

    int occ_op; /* INIT to -1 */
    struct event_timeout occ_interval;
#endif

    /*
     * Keep track of maximum packet size received so far
     * (of authenticated packets).
     * The *_remote values are reported by the peer and are therefore
     * not authoritative for sizing local buffers.
     */
    int original_recv_size; /* temporary */
    int max_recv_size_local; /* max packet size received */
    int max_recv_size_remote; /* max packet size received by remote */
    int max_send_size_local; /* max packet size sent */
    int max_send_size_remote; /* max packet size sent by remote */

#ifdef ENABLE_OCC
    /* remote wants us to send back a load test packet of this size
     * (peer-supplied; presumably bounded against the frame before use -- confirm) */

    struct event_timeout occ_mtu_load_test_interval;
#endif

#ifdef ENABLE_CRYPTO

    /*
     * TLS-mode crypto objects.
     */
    /* used to optimize calls to tls_multi_process */
    struct interval tmp_int;

    /* throw this signal on TLS errors */

    /* how often pid_persist is written back to its file (presumably) */
    struct event_timeout packet_id_persist_interval;

#endif /* ENABLE_CRYPTO */

#ifdef USE_COMP
    struct compress_context *comp_context;
#endif

    /*
     * Buffers used for packet processing.
     */
    bool buffers_owned; /* if true, we should free all buffers on close */

    /*
     * These buffers don't actually allocate storage, they are used
     * as pointers to the allocated buffers in
     * struct context_buffers.
     */
    struct buffer buf;
    struct buffer to_tun;
    struct buffer to_link;

    /* should we print R|W|r|w to console on packet transfers? */
    bool log_rw;

    /* route stuff */
    struct event_timeout route_wakeup;
    struct event_timeout route_wakeup_expire;

    /* did we open tun/tap dev during this cycle? */

    /*
     * Event loop info
     */

    /* how long to wait on link/tun read before we will need to be serviced */
    struct timeval timeval;

    /* next wakeup for processing coarse timers (>1 sec resolution) */

    /* maintain a random delta to add to timeouts to avoid contexts
     * waking up simultaneously (jitter only; does not need a CSPRNG) */
    struct timeval timeout_random_component;

    /* Timer for everything up to the first packet from the *OpenVPN* server
     * socks, http proxy, and tcp packets do not count */
    struct event_timeout server_poll_interval;

    /* indicates that the do_up_delay function has run */
    bool do_up_ran;

#ifdef ENABLE_OCC
    /* indicates that we have received a SIGTERM when
     * options->explicit_exit_notification is enabled,
     * but we have not exited yet */
    struct event_timeout explicit_exit_notification_interval;
#endif

    /* environmental variables to pass to scripts
     * NOTE(review): anything peer-derived that is added here reaches
     * client-connect and similar scripts through their environment;
     * confirm such values are sanitised before insertion. */
    struct env_set *es;
    bool es_owned; /* if true, es is freed together with this context */

    /* don't wait for TUN/TAP/UDP to be ready to accept write */
    bool fast_io;

#if P2MP

#if P2MP_SERVER
    /* --ifconfig endpoints to be pushed to client */
#ifdef ENABLE_ASYNC_PUSH
    bool push_request_received;
#endif

    struct in6_addr push_ifconfig_ipv6_local;
    struct in6_addr push_ifconfig_ipv6_remote;

    /* client authentication state, CAS_SUCCEEDED must be 0
     * NOTE(review): because the success value is 0, a zero-filled context
     * reads as "authenticated"; confirm that every path creating a client
     * context sets this explicitly before any authorisation decision. */
#define CAS_SUCCEEDED 0
#define CAS_PENDING 1
#define CAS_FAILED 2
#define CAS_PARTIAL 3 /* at least one client-connect script/plugin
                       * succeeded while a later one in the chain failed */
#endif /* if P2MP_SERVER */

    struct event_timeout push_request_interval;

    /* hash of pulled options, so we can compare when options change */
    struct sha256_digest pulled_options_digest;

    struct event_timeout scheduled_exit;
#endif /* if P2MP */

    /* packet filter */
#ifdef ENABLE_PF
    struct pf_context pf;
#endif

#ifdef MANAGEMENT_DEF_AUTH
    /* state for deferred authentication via the management interface */
    struct man_def_auth_context mda_context;
#endif

#ifdef ENABLE_ASYNC_PUSH
    int inotify_fd; /* descriptor for monitoring file changes (NOTE(review): confirm it is closed on teardown) */
#endif
};
495 
496 
/*
 * Contains all state information for one tunnel, layered by lifetime:
 * persist (never reset), c0 (process), c1 (survives SIGUSR1),
 * c2 (reset on SIGHUP and SIGUSR1).
 */
struct context
{
    struct options options; /* parsed configuration for this tunnel */
    bool first_time; /* true on the first iteration of the main loop */
    /* context modes: the role this context plays within the process
     * (CM_THREAD, mentioned below, has no definition in this header) */
#define CM_P2P 0 /* standalone point-to-point session or client */
#define CM_TOP 1 /* top level of a multi-client or point-to-multipoint server */
#define CM_TOP_CLONE 2 /* clone of a CM_TOP context for one thread */
#define CM_CHILD_UDP 3 /* child context of a CM_TOP or CM_THREAD */
#define CM_CHILD_TCP 4 /* child context of a CM_TOP or CM_THREAD */
    int mode; /* one of the CM_* values above */
    struct gc_arena gc; /* tracks dynamic allocations owned by this context */
    struct env_set *es; /* environment variables handed to scripts (see also c2.es) */
    struct signal_info *sig; /* internal error/signal reporting object */
    struct context_persist persist; /* state that no restart resets */
    struct context_0 *c0; /* level 0: process-wide state; held by pointer, not embedded */
    struct context_1 c1; /* level 1: keys, tun, packet-id persistence; survives SIGUSR1 */
    struct context_2 c2; /* level 2: per-session state; reset on SIGHUP and SIGUSR1 */
};
549 
/*
 * Check for a signal when inside an event loop.
 *
 * Expands to a bare `if`: when a signal is pending on context c it calls
 * func(arg), then either `break`s out of or `continue`s the ENCLOSING
 * loop depending on func's return value.  Because of that break/continue
 * it cannot be wrapped in do { } while (0), so it must be used as a full
 * statement directly inside a loop body and nowhere else.
 * NOTE(review): perf_pop() is called on the signal path, so a matching
 * perf_push() is presumably pending at every call site -- confirm.
 */
#define EVENT_LOOP_CHECK_SIGNAL(c, func, arg) \
    if (IS_SIG(c)) \
    { \
        const int brk = func(arg); \
        perf_pop(); \
        if (brk) { \
            break;} \
        else { \
            continue;} \
    }
563 
/*
 * Macros for referencing objects which may not
 * have been compiled in.
 */

#ifdef ENABLE_CRYPTO
/* true when context c runs in TLS mode, i.e. a tls_multi object exists */
#define TLS_MODE(c) ((c)->c2.tls_multi != NULL)
/* PD_SHOW_DATA is only enabled at D_LINK_RW_VERBOSE, so raw packet
 * contents are presumably written to the log at that level -- do not
 * run production instances with it on. */
#define PROTO_DUMP_FLAGS (check_debug_level(D_LINK_RW_VERBOSE) ? (PD_SHOW_DATA|PD_VERBOSE) : 0)
/* NOTE(review): PROTO_DUMP is not hygienic -- it reads a variable named
 * `c` from the caller's scope although `c` is not a macro parameter, so
 * it may only be used where a `struct context *c` is in scope.  It passes
 * the tls-auth HMAC length from the key type whenever --tls-auth is
 * configured. */
#define PROTO_DUMP(buf, gc) protocol_dump((buf), \
    PROTO_DUMP_FLAGS \
    |(c->c2.tls_multi ? PD_TLS : 0) \
    |(c->options.tls_auth_file ? c->c1.ks.key_type.hmac_length : 0), \
    gc)
#else /* ifdef ENABLE_CRYPTO */
#define TLS_MODE(c) (false)
/* without crypto there is no protocol to decode: plain hex dump, 80 columns */
#define PROTO_DUMP(buf, gc) format_hex(BPTR(buf), BLEN(buf), 80, gc)
#endif
581 
/*
 * MD5 digest (via md5sum()) of len bytes at buf, allocated from gc.
 * NOTE(review): MD5 offers no collision resistance, so this must only
 * serve as a display/diagnostic fingerprint, never as an integrity or
 * authentication check -- presumably that is how it is used; confirm at
 * the call sites.  Non-crypto builds substitute a fixed placeholder.
 */
#ifdef ENABLE_CRYPTO
#define MD5SUM(buf, len, gc) md5sum((buf), (len), 0, (gc))
#else
#define MD5SUM(buf, len, gc) "[unavailable]"
#endif
587 
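/*
 * True when the active key type of context c carries a cipher (the
 * cipher pointer is non-NULL); always false in non-crypto builds.
 * The argument is parenthesised so that an expression such as
 * CIPHER_ENABLED(flag ? a : b) expands correctly, matching TLS_MODE().
 */
#ifdef ENABLE_CRYPTO
#define CIPHER_ENABLED(c) ((c)->c1.ks.key_type.cipher != NULL)
#else
#define CIPHER_ENABLED(c) (false)
#endif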
593 
/* this represents "disabled peer-id": 0xFFFFFF is the all-ones 24-bit
 * value, so a peer-id equal to it means no peer-id is in use */
#define MAX_PEER_ID 0xFFFFFF
596 
597 #endif /* ifndef OPENVPN_H */