OpenVPN
dco.c
Go to the documentation of this file.
1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single TCP/UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2021-2024 Arne Schwabe <arne@rfc2549.org>
9  * Copyright (C) 2021-2024 Antonio Quartulli <a@unstable.cc>
10  * Copyright (C) 2021-2024 OpenVPN Inc <sales@openvpn.net>
11  *
12  * This program is free software; you can redistribute it and/or modify
13  * it under the terms of the GNU General Public License version 2
14  * as published by the Free Software Foundation.
15  *
16  * This program is distributed in the hope that it will be useful,
17  * but WITHOUT ANY WARRANTY; without even the implied warranty of
18  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19  * GNU General Public License for more details.
20  *
21  * You should have received a copy of the GNU General Public License
22  * along with this program (see the file COPYING included with this
23  * distribution); if not, write to the Free Software Foundation, Inc.,
24  * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
25  */
26 
27 #ifdef HAVE_CONFIG_H
28 #include "config.h"
29 #endif
30 
31 #if defined(ENABLE_DCO)
32 
33 #include "syshead.h"
34 #include "crypto.h"
35 #include "dco.h"
36 #include "errlevel.h"
37 #include "multi.h"
38 #include "networking.h"
39 #include "openvpn.h"
40 #include "options.h"
41 #include "ssl_common.h"
42 #include "ssl_ncp.h"
43 #include "tun.h"
44 
45 #ifdef HAVE_LIBCAPNG
46 #include <cap-ng.h>
47 #endif
48 
49 static int
50 dco_install_key(struct tls_multi *multi, struct key_state *ks,
51  const uint8_t *encrypt_key, const uint8_t *encrypt_iv,
52  const uint8_t *decrypt_key, const uint8_t *decrypt_iv,
53  const char *ciphername)
54 
55 {
56  msg(D_DCO_DEBUG, "%s: peer_id=%d keyid=%d, currently %d keys installed",
57  __func__, multi->dco_peer_id, ks->key_id, multi->dco_keys_installed);
58 
59  /* Install a key in the PRIMARY slot only when no other key exist.
60  * From that moment on, any new key will be installed in the SECONDARY
61  * slot and will be promoted to PRIMARY when userspace says so (a swap
62  * will be performed in that case)
63  */
64  dco_key_slot_t slot = OVPN_KEY_SLOT_PRIMARY;
65  if (multi->dco_keys_installed > 0)
66  {
67  slot = OVPN_KEY_SLOT_SECONDARY;
68  }
69 
70  int ret = dco_new_key(multi->dco, multi->dco_peer_id, ks->key_id, slot,
71  encrypt_key, encrypt_iv,
72  decrypt_key, decrypt_iv,
73  ciphername);
74  if ((ret == 0) && (multi->dco_keys_installed < 2))
75  {
76  multi->dco_keys_installed++;
77  ks->dco_status = (slot == OVPN_KEY_SLOT_PRIMARY) ? DCO_INSTALLED_PRIMARY :
78  DCO_INSTALLED_SECONDARY;
79  }
80 
81  return ret;
82 }
83 
84 int
85 init_key_dco_bi(struct tls_multi *multi, struct key_state *ks,
86  const struct key2 *key2, int key_direction,
87  const char *ciphername, bool server)
88 {
89  struct key_direction_state kds;
90  key_direction_state_init(&kds, key_direction);
91 
92  return dco_install_key(multi, ks,
93  key2->keys[kds.out_key].cipher,
94  key2->keys[(int)server].hmac,
95  key2->keys[kds.in_key].cipher,
96  key2->keys[1 - (int)server].hmac,
97  ciphername);
98 }
99 
108 static struct key_state *
109 dco_get_secondary_key(struct tls_multi *multi, const struct key_state *primary)
110 {
111  for (int i = 0; i < KEY_SCAN_SIZE; ++i)
112  {
113  struct key_state *ks = get_key_scan(multi, i);
114  struct key_ctx_bi *key = &ks->crypto_options.key_ctx_bi;
115 
116  if (ks == primary)
117  {
118  continue;
119  }
120 
121  if (ks->state >= S_GENERATED_KEYS && ks->authenticated == KS_AUTH_TRUE)
122  {
123  ASSERT(key->initialized);
124  return ks;
125  }
126  }
127 
128  return NULL;
129 }
130 
131 bool
132 dco_update_keys(dco_context_t *dco, struct tls_multi *multi)
133 {
134  /* this function checks if keys have to be swapped or erased, therefore it
135  * can't do much if we don't have any key installed
136  */
137  if (multi->dco_keys_installed == 0)
138  {
139  return true;
140  }
141 
142  struct key_state *primary = tls_select_encryption_key(multi);
143  /* no primary key available -> no usable key exists, therefore we should
144  * tell DCO to simply wipe all keys
145  */
146  if (!primary)
147  {
148  msg(D_DCO, "No encryption key found. Purging data channel keys");
149 
150  int ret = dco_del_key(dco, multi->dco_peer_id, OVPN_KEY_SLOT_PRIMARY);
151  if (ret < 0)
152  {
153  msg(D_DCO, "Cannot delete primary key during wipe: %s (%d)", strerror(-ret), ret);
154  return false;
155  }
156 
157  ret = dco_del_key(dco, multi->dco_peer_id, OVPN_KEY_SLOT_SECONDARY);
158  if (ret < 0)
159  {
160  msg(D_DCO, "Cannot delete secondary key during wipe: %s (%d)", strerror(-ret), ret);
161  return false;
162  }
163 
164  multi->dco_keys_installed = 0;
165  return true;
166  }
167 
168  /* if we have a primary key, it must have been installed already (keys
169  * are installed upon generation in the TLS code)
170  */
171  ASSERT(primary->dco_status != DCO_NOT_INSTALLED);
172 
173  struct key_state *secondary = dco_get_secondary_key(multi, primary);
174  /* if the current primary key was installed as secondary in DCO,
175  * this means we have promoted it since installation in DCO, and
176  * we now need to tell DCO to swap keys
177  */
178  if (primary->dco_status == DCO_INSTALLED_SECONDARY)
179  {
180  if (secondary)
181  {
182  msg(D_DCO_DEBUG, "Swapping primary and secondary keys to "
183  "primary-id=%d secondary-id=%d",
184  primary->key_id, secondary->key_id);
185  }
186  else
187  {
188  msg(D_DCO_DEBUG, "Swapping primary and secondary keys to"
189  "primary-id=%d secondary-id=(to be deleted)",
190  primary->key_id);
191  }
192 
193  int ret = dco_swap_keys(dco, multi->dco_peer_id);
194  if (ret < 0)
195  {
196  msg(D_DCO, "Cannot swap keys: %s (%d)", strerror(-ret), ret);
197  return false;
198  }
199 
200  primary->dco_status = DCO_INSTALLED_PRIMARY;
201  if (secondary)
202  {
203  ASSERT(secondary->dco_status == DCO_INSTALLED_PRIMARY);
204  secondary->dco_status = DCO_INSTALLED_SECONDARY;
205  }
206  }
207 
208  /* if we have no secondary key anymore, inform DCO about it */
209  if (!secondary && multi->dco_keys_installed == 2)
210  {
211  int ret = dco_del_key(dco, multi->dco_peer_id, OVPN_KEY_SLOT_SECONDARY);
212  if (ret < 0)
213  {
214  msg(D_DCO, "Cannot delete secondary key: %s (%d)", strerror(-ret), ret);
215  return false;
216  }
217  multi->dco_keys_installed = 1;
218  }
219 
220  /* all keys that are not installed are set to NOT installed. Include also
221  * keys that might even be considered as active keys to be sure*/
222  for (int i = 0; i < TM_SIZE; ++i)
223  {
224  for (int j = 0; j < KS_SIZE; j++)
225  {
226  struct key_state *ks = &multi->session[i].key[j];
227  if (ks != primary && ks != secondary)
228  {
229  ks->dco_status = DCO_NOT_INSTALLED;
230  }
231  }
232  }
233  return true;
234 }
235 
236 static bool
237 dco_check_option_ce(const struct connection_entry *ce, int msglevel)
238 {
239  if (ce->fragment)
240  {
241  msg(msglevel, "Note: --fragment disables data channel offload.");
242  return false;
243  }
244 
245  if (ce->http_proxy_options)
246  {
247  msg(msglevel, "Note: --http-proxy disables data channel offload.");
248  return false;
249  }
250 
251  if (ce->socks_proxy_server)
252  {
253  msg(msglevel, "Note: --socks-proxy disables data channel offload.");
254  return false;
255  }
256 
257 #if defined(TARGET_FREEBSD)
258  if (!proto_is_udp(ce->proto))
259  {
260  msg(msglevel, "NOTE: TCP transport disables data channel offload on FreeBSD.");
261  return false;
262  }
263 #endif
264 
265 #if defined(_WIN32)
266  if (!ce->remote)
267  {
268  msg(msglevel, "NOTE: --remote is not defined, disabling data channel offload.");
269  return false;
270  }
271 #endif
272 
273  return true;
274 }
275 
276 bool
277 dco_check_startup_option(int msglevel, const struct options *o)
278 {
279  /* check if no dev name was specified at all. In the case,
280  * later logic will most likely stop OpenVPN, so no need to
281  * print any message here.
282  */
283  if (!o->dev)
284  {
285  return false;
286  }
287 
288  if (!o->tls_client && !o->tls_server)
289  {
290  msg(msglevel, "No tls-client or tls-server option in configuration "
291  "detected. Disabling data channel offload.");
292  return false;
293  }
294 
295  if (dev_type_enum(o->dev, o->dev_type) != DEV_TYPE_TUN)
296  {
297  msg(msglevel, "Note: dev-type not tun, disabling data channel offload.");
298  return false;
299  }
300 
301  if (o->connection_list)
302  {
303  const struct connection_list *l = o->connection_list;
304  for (int i = 0; i < l->len; ++i)
305  {
306  if (!dco_check_option_ce(l->array[i], msglevel))
307  {
308  return false;
309  }
310  }
311  }
312  else
313  {
314  if (!dco_check_option_ce(&o->ce, msglevel))
315  {
316  return false;
317  }
318  }
319 
320 #if defined(_WIN32)
321  if (o->mode == MODE_SERVER)
322  {
323  msg(msglevel, "--mode server is set. Disabling Data Channel Offload");
324  return false;
325  }
326 
327  if ((o->windows_driver == WINDOWS_DRIVER_WINTUN)
328  || (o->windows_driver == WINDOWS_DRIVER_TAP_WINDOWS6))
329  {
330  msg(msglevel, "--windows-driver is set to '%s'. Disabling Data Channel Offload",
331  print_windows_driver(o->windows_driver));
332  return false;
333  }
334 
335 #elif defined(TARGET_LINUX)
336  /* if the device name is fixed, we need to check if an interface with this
337  * name already exists. IF it does, it must be a DCO interface, otherwise
338  * DCO has to be disabled in order to continue.
339  */
340  if (tun_name_is_fixed(o->dev))
341  {
342  char iftype[IFACE_TYPE_LEN_MAX];
343  /* we pass NULL as net_ctx because using DCO on Linux implies that we
344  * are using SITNL and the latter does not need any context. This way we
345  * don't need to have the net_ctx percolate all the way here
346  */
347  int ret = net_iface_type(NULL, o->dev, iftype);
348  if ((ret == 0) && (strcmp(iftype, "ovpn-dco") != 0))
349  {
350  msg(msglevel, "Interface %s exists and is non-DCO. Disabling data channel offload",
351  o->dev);
352  return false;
353  }
354  else if ((ret < 0) && (ret != -ENODEV))
355  {
356  msg(msglevel, "Cannot retrieve type of device %s: %s (%d)", o->dev,
357  strerror(-ret), ret);
358  }
359  }
360 #endif /* if defined(_WIN32) */
361 
362 #if defined(HAVE_LIBCAPNG)
363  /* DCO can't operate without CAP_NET_ADMIN. To retain it when switching user
364  * we need CAP_SETPCAP. CAP_NET_ADMIN also needs to be part of the permitted set
365  * of capabilities in order to retain it.
366  */
367  if (o->username)
368  {
369  if (!capng_have_capability(CAPNG_EFFECTIVE, CAP_SETPCAP))
370  {
371  msg(msglevel, "--user specified but lacking CAP_SETPCAP. "
372  "Cannot retain CAP_NET_ADMIN. Disabling data channel offload");
373  return false;
374  }
375  if (!capng_have_capability(CAPNG_PERMITTED, CAP_NET_ADMIN))
376  {
377  msg(msglevel, "--user specified but not permitted to retain CAP_NET_ADMIN. "
378  "Disabling data channel offload");
379  return false;
380  }
381  }
382 #endif /* if defined(HAVE_LIBCAPNG) */
383 
384  if (o->mode == MODE_SERVER && o->topology != TOP_SUBNET)
385  {
386  msg(msglevel, "Note: NOT using '--topology subnet' disables data channel offload.");
387  return false;
388  }
389 
390  if (o->management_flags & MF_QUERY_PROXY)
391  {
392  msg(msglevel, "Note: --management-query-proxy disables data channel offload.");
393  return false;
394  }
395 
396  /* now that all options have been confirmed to be supported, check
397  * if DCO is truly available on the system
398  */
399  return dco_available(msglevel);
400 }
401 
402 bool
403 dco_check_option(int msglevel, const struct options *o)
404 {
405  /* At this point the ciphers have already been normalised */
406  if (o->enable_ncp_fallback
407  && !tls_item_in_cipher_list(o->ciphername, dco_get_supported_ciphers()))
408  {
409  msg(msglevel, "Note: --data-ciphers-fallback with cipher '%s' "
410  "disables data channel offload.", o->ciphername);
411  return false;
412  }
413 
414 #if defined(USE_COMP)
415  if (o->comp.alg != COMP_ALG_UNDEF
416  || o->comp.flags & COMP_F_ALLOW_ASYM
417  || o->comp.flags & COMP_F_ALLOW_COMPRESS)
418  {
419  msg(msglevel, "Note: '--allow-compression' is not set to 'no', disabling data channel offload.");
420 
421  if (o->mode == MODE_SERVER && !(o->comp.flags & COMP_F_MIGRATE))
422  {
423  /* We can end up here from the multi.c call, only print the
424  * note if it is not already enabled */
425  msg(msglevel, "Consider using the '--compress migrate' option.");
426  }
427  return false;
428  }
429 #endif
430 
431  struct gc_arena gc = gc_new();
432  char *tmp_ciphers = string_alloc(o->ncp_ciphers, &gc);
433  const char *token;
434  while ((token = strsep(&tmp_ciphers, ":")))
435  {
436  if (!tls_item_in_cipher_list(token, dco_get_supported_ciphers()))
437  {
438  msg(msglevel, "Note: cipher '%s' in --data-ciphers is not supported "
439  "by ovpn-dco, disabling data channel offload.", token);
440  gc_free(&gc);
441  return false;
442  }
443  }
444  gc_free(&gc);
445 
446  return true;
447 }
448 
449 bool
450 dco_check_pull_options(int msglevel, const struct options *o)
451 {
452  if (!o->use_peer_id)
453  {
454  msg(msglevel, "OPTIONS IMPORT: Server did not request DATA_V2 packet "
455  "format required for data channel offload");
456  return false;
457  }
458  return true;
459 }
460 
461 int
462 dco_p2p_add_new_peer(struct context *c)
463 {
464  if (!dco_enabled(&c->options))
465  {
466  return 0;
467  }
468 
469  struct link_socket *ls = c->c2.link_socket;
470 
471  ASSERT(ls->info.connection_established);
472 
473  struct sockaddr *remoteaddr = &ls->info.lsa->actual.dest.addr.sa;
474  struct tls_multi *multi = c->c2.tls_multi;
475 #ifdef TARGET_FREEBSD
476  /* In Linux in P2P mode the kernel automatically removes an existing peer
477  * when adding a new peer. FreeBSD needs to explicitly be told to do that */
478  if (c->c2.tls_multi->dco_peer_id != -1)
479  {
480  dco_del_peer(&c->c1.tuntap->dco, c->c2.tls_multi->dco_peer_id);
481  c->c2.tls_multi->dco_peer_id = -1;
482  }
483 #endif
484  int ret = dco_new_peer(&c->c1.tuntap->dco, multi->peer_id,
485  c->c2.link_socket->sd, NULL, remoteaddr, NULL, NULL);
486  if (ret < 0)
487  {
488  return ret;
489  }
490 
491  c->c2.tls_multi->dco_peer_id = multi->peer_id;
492 
493  return 0;
494 }
495 
496 void
497 dco_remove_peer(struct context *c)
498 {
499  if (!dco_enabled(&c->options))
500  {
501  return;
502  }
503 
504  if (c->c1.tuntap && c->c2.tls_multi && c->c2.tls_multi->dco_peer_id != -1)
505  {
506  dco_del_peer(&c->c1.tuntap->dco, c->c2.tls_multi->dco_peer_id);
507  c->c2.tls_multi->dco_peer_id = -1;
508  }
509 }
510 
511 static bool
512 dco_multi_get_localaddr(struct multi_context *m, struct multi_instance *mi,
513  struct sockaddr_storage *local)
514 {
515 #if ENABLE_IP_PKTINFO
516  struct context *c = &mi->context;
517 
518  if (!proto_is_udp(c->c2.link_socket->info.proto) || !(c->options.sockflags & SF_USE_IP_PKTINFO))
519  {
520  return false;
521  }
522 
523  struct link_socket_actual *actual = &c->c2.link_socket_info->lsa->actual;
524 
525  switch (actual->dest.addr.sa.sa_family)
526  {
527  case AF_INET:
528  {
529  struct sockaddr_in *sock_in4 = (struct sockaddr_in *)local;
530 #if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST)
531  sock_in4->sin_addr = actual->pi.in4.ipi_addr;
532 #elif defined(IP_RECVDSTADDR)
533  sock_in4->sin_addr = actual->pi.in4;
534 #else
535  /* source IP not available on this platform */
536  return false;
537 #endif
538  sock_in4->sin_family = AF_INET;
539  break;
540  }
541 
542  case AF_INET6:
543  {
544  struct sockaddr_in6 *sock_in6 = (struct sockaddr_in6 *)local;
545  sock_in6->sin6_addr = actual->pi.in6.ipi6_addr;
546  sock_in6->sin6_family = AF_INET6;
547  break;
548  }
549 
550  default:
551  ASSERT(false);
552  }
553 
554  return true;
555 #else /* if ENABLE_IP_PKTINFO */
556  return false;
557 #endif /* if ENABLE_IP_PKTINFO */
558 }
559 
560 int
561 dco_multi_add_new_peer(struct multi_context *m, struct multi_instance *mi)
562 {
563  struct context *c = &mi->context;
564 
565  int peer_id = c->c2.tls_multi->peer_id;
566  struct sockaddr *remoteaddr, *localaddr = NULL;
567  struct sockaddr_storage local = { 0 };
568  int sd = c->c2.link_socket->sd;
569 
570 
571  if (c->mode == CM_CHILD_TCP)
572  {
573  /* the remote address will be inferred from the TCP socket endpoint */
574  remoteaddr = NULL;
575  }
576  else
577  {
578  ASSERT(c->c2.link_socket_info->connection_established);
579  remoteaddr = &c->c2.link_socket_info->lsa->actual.dest.addr.sa;
580  }
581 
582  /* In server mode we need to fetch the remote addresses from the push config */
583  struct in_addr vpn_ip4 = { 0 };
584  struct in_addr *vpn_addr4 = NULL;
585  if (c->c2.push_ifconfig_defined)
586  {
587  vpn_ip4.s_addr = htonl(c->c2.push_ifconfig_local);
588  vpn_addr4 = &vpn_ip4;
589  }
590 
591  struct in6_addr *vpn_addr6 = NULL;
592  if (c->c2.push_ifconfig_ipv6_defined)
593  {
594  vpn_addr6 = &c->c2.push_ifconfig_ipv6_local;
595  }
596 
597  if (dco_multi_get_localaddr(m, mi, &local))
598  {
599  localaddr = (struct sockaddr *)&local;
600  }
601 
602  int ret = dco_new_peer(&c->c1.tuntap->dco, peer_id, sd, localaddr,
603  remoteaddr, vpn_addr4, vpn_addr6);
604  if (ret < 0)
605  {
606  return ret;
607  }
608 
609  c->c2.tls_multi->dco_peer_id = peer_id;
610 
611  return 0;
612 }
613 
614 void
615 dco_install_iroute(struct multi_context *m, struct multi_instance *mi,
616  struct mroute_addr *addr)
617 {
618 #if defined(TARGET_LINUX) || defined(TARGET_FREEBSD)
619  if (!dco_enabled(&m->top.options))
620  {
621  return;
622  }
623 
624  int addrtype = (addr->type & MR_ADDR_MASK);
625 
626  /* If we do not have local IP addr to install, skip the route */
627  if ((addrtype == MR_ADDR_IPV6 && !mi->context.c2.push_ifconfig_ipv6_defined)
628  || (addrtype == MR_ADDR_IPV4 && !mi->context.c2.push_ifconfig_defined))
629  {
630  return;
631  }
632 
633  struct context *c = &mi->context;
634  const char *dev = c->c1.tuntap->actual_name;
635 
636  if (addrtype == MR_ADDR_IPV6)
637  {
638  net_route_v6_add(&m->top.net_ctx, &addr->v6.addr, addr->netbits,
639  &mi->context.c2.push_ifconfig_ipv6_local, dev, 0,
640  DCO_IROUTE_METRIC);
641  }
642  else if (addrtype == MR_ADDR_IPV4)
643  {
644  in_addr_t dest = htonl(addr->v4.addr);
645  net_route_v4_add(&m->top.net_ctx, &dest, addr->netbits,
646  &mi->context.c2.push_ifconfig_local, dev, 0,
647  DCO_IROUTE_METRIC);
648  }
649 #endif /* if defined(TARGET_LINUX) || defined(TARGET_FREEBSD) */
650 }
651 
652 void
653 dco_delete_iroutes(struct multi_context *m, struct multi_instance *mi)
654 {
655 #if defined(TARGET_LINUX) || defined(TARGET_FREEBSD)
656  if (!dco_enabled(&m->top.options))
657  {
658  return;
659  }
660  ASSERT(TUNNEL_TYPE(mi->context.c1.tuntap) == DEV_TYPE_TUN);
661 
662  struct context *c = &mi->context;
663  const char *dev = c->c1.tuntap->actual_name;
664 
665  if (mi->context.c2.push_ifconfig_defined)
666  {
667  for (const struct iroute *ir = c->options.iroutes;
668  ir;
669  ir = ir->next)
670  {
671  net_route_v4_del(&m->top.net_ctx, &ir->network, ir->netbits,
672  &mi->context.c2.push_ifconfig_local, dev,
673  0, DCO_IROUTE_METRIC);
674  }
675  }
676 
677  if (mi->context.c2.push_ifconfig_ipv6_defined)
678  {
679  for (const struct iroute_ipv6 *ir6 = c->options.iroutes_ipv6;
680  ir6;
681  ir6 = ir6->next)
682  {
683  net_route_v6_del(&m->top.net_ctx, &ir6->network, ir6->netbits,
684  &mi->context.c2.push_ifconfig_ipv6_local, dev,
685  0, DCO_IROUTE_METRIC);
686  }
687  }
688 #endif /* if defined(TARGET_LINUX) || defined(TARGET_FREEBSD) */
689 }
690 
691 #endif /* defined(ENABLE_DCO) */
S_GENERATED_KEYS
#define S_GENERATED_KEYS
The data channel keys have been generated The TLS session is fully authenticated when reaching this s...
Definition: ssl_common.h:101
link_socket
Definition: socket.h:165
MR_ADDR_MASK
#define MR_ADDR_MASK
Definition: mroute.h:64
dco_check_option
static bool dco_check_option(int msglevel, const struct options *o)
Definition: dco.h:269
multi_instance
Server-mode state structure for one single VPN tunnel.
Definition: multi.h:101
iroute
Definition: route.h:234
D_DCO_DEBUG
#define D_DCO_DEBUG
Definition: errlevel.h:118
openvpn_sockaddr::addr
union openvpn_sockaddr::@14 addr
key_state::dco_status
enum dco_key_status dco_status
Definition: ssl_common.h:262
compress_options::alg
int alg
Definition: comp.h:66
options::use_peer_id
bool use_peer_id
Definition: options.h:682
dco_new_key
int dco_new_key(dco_context_t *dco, unsigned int peerid, int keyid, dco_key_slot_t slot, const uint8_t *encrypt_key, const uint8_t *encrypt_iv, const uint8_t *decrypt_key, const uint8_t *decrypt_iv, const char *ciphername)
Definition: dco_win.c:295
options::enable_ncp_fallback
bool enable_ncp_fallback
If defined fall back to ciphername if NCP fails.
Definition: options.h:557
gc_new
static struct gc_arena gc_new(void)
Definition: buffer.h:1030
dco_get_supported_ciphers
const char * dco_get_supported_ciphers()
Definition: dco_win.c:469
DEV_TYPE_TUN
#define DEV_TYPE_TUN
Definition: proto.h:37
context_2::tls_multi
struct tls_multi * tls_multi
TLS state structure for this VPN tunnel.
Definition: openvpn.h:326
networking.h
IFACE_TYPE_LEN_MAX
#define IFACE_TYPE_LEN_MAX
Definition: networking.h:26
connection_entry::socks_proxy_server
const char * socks_proxy_server
Definition: options.h:114
tls_item_in_cipher_list
bool tls_item_in_cipher_list(const char *item, const char *list)
Return true iff item is present in the colon-separated zero-terminated cipher list.
Definition: ssl_ncp.c:207
context_1::tuntap
struct tuntap * tuntap
Tun/tap virtual network interface.
Definition: openvpn.h:170
TM_SIZE
#define TM_SIZE
Size of the tls_multi.session array.
Definition: ssl_common.h:533
context
Contains all state information for one tunnel.
Definition: openvpn.h:476
tls_multi::session
struct tls_session session[TM_SIZE]
Array of tls_session objects representing control channel sessions with the remote peer.
Definition: ssl_common.h:675
options::topology
int topology
Definition: options.h:307
link_socket_info::lsa
struct link_socket_addr * lsa
Definition: socket.h:115
options::dev_type
const char * dev_type
Definition: options.h:304
context_2::push_ifconfig_ipv6_local
struct in6_addr push_ifconfig_ipv6_local
Definition: openvpn.h:438
options::iroutes
struct iroute * iroutes
Definition: options.h:494
COMP_F_ALLOW_COMPRESS
#define COMP_F_ALLOW_COMPRESS
Definition: comp.h:36
options::tls_client
bool tls_client
Definition: options.h:574
context_2::push_ifconfig_defined
bool push_ifconfig_defined
Definition: openvpn.h:431
openvpn.h
context_2::push_ifconfig_local
in_addr_t push_ifconfig_local
Definition: openvpn.h:433
options::mode
int mode
Definition: options.h:247
options::ce
struct connection_entry ce
Definition: options.h:275
TOP_SUBNET
#define TOP_SUBNET
Definition: proto.h:45
key_direction_state_init
void key_direction_state_init(struct key_direction_state *kds, int key_direction)
Definition: crypto.c:1478
mroute_addr::netbits
uint8_t netbits
Definition: mroute.h:79
options.h
dco_new_peer
int dco_new_peer(dco_context_t *dco, unsigned int peerid, int sd, struct sockaddr *localaddr, struct sockaddr *remoteaddr, struct in_addr *remote_in4, struct in6_addr *remote_in6)
Definition: dco_win.c:248
key::hmac
uint8_t hmac[MAX_HMAC_KEY_LENGTH]
Key material for HMAC operations.
Definition: crypto.h:153
context::mode
int mode
Role of this context within the OpenVPN process.
Definition: openvpn.h:490
context_2::link_socket_info
struct link_socket_info * link_socket_info
This variable is used instead link_socket->info for P2MP UDP childs.
Definition: openvpn.h:244
MODE_SERVER
#define MODE_SERVER
Definition: options.h:246
tls_multi
Security parameter state for a single VPN tunnel.
Definition: ssl_common.h:590
options::tls_server
bool tls_server
Definition: options.h:573
key_state::authenticated
enum ks_auth_state authenticated
Definition: ssl_common.h:250
connection_entry
Definition: options.h:97
tls_multi::dco
dco_context_t * dco
Definition: ssl_common.h:692
key_state
Security parameter state of one TLS and data channel key session.
Definition: ssl_common.h:198
KEY_SCAN_SIZE
#define KEY_SCAN_SIZE
Definition: ssl_common.h:549
key
Container for unidirectional cipher and HMAC key material.
Definition: crypto.h:149
iroute::next
struct iroute * next
Definition: route.h:237
MF_QUERY_PROXY
#define MF_QUERY_PROXY
Definition: manage.h:42
link_socket::sd
socket_descriptor_t sd
Definition: socket.h:169
tuntap::actual_name
char * actual_name
Definition: tun.h:186
key_state::crypto_options
struct crypto_options crypto_options
Definition: ssl_common.h:228
TUNNEL_TYPE
#define TUNNEL_TYPE(tt)
Definition: tun.h:173
connection_list::len
int len
Definition: options.h:185
context::c2
struct context_2 c2
Level 2 context.
Definition: openvpn.h:517
MR_ADDR_IPV6
#define MR_ADDR_IPV6
Definition: mroute.h:63
key_ctx_bi
Container for two sets of OpenSSL cipher and/or HMAC contexts for both sending and receiving directio...
Definition: crypto.h:217
string_alloc
char * string_alloc(const char *str, struct gc_arena *gc)
Definition: buffer.c:667
mroute_addr::v4
struct mroute_addr::@1::@3 v4
options::dev
const char * dev
Definition: options.h:303
ASSERT
#define ASSERT(x)
Definition: error.h:195
link_socket_actual
Definition: socket.h:86
D_DCO
#define D_DCO
Definition: errlevel.h:94
get_key_scan
static struct key_state * get_key_scan(struct tls_multi *multi, int index)
gets an item of key_state objects in the order they should be scanned by data channel modules.
Definition: ssl_common.h:699
CM_CHILD_TCP
#define CM_CHILD_TCP
Definition: openvpn.h:489
multi_context::top
struct context top
Storage structure for process-wide configuration.
Definition: multi.h:195
connection_list
Definition: options.h:182
options::windows_driver
enum windows_driver_type windows_driver
Definition: options.h:679
tun.h
openvpn_sockaddr::sa
struct sockaddr sa
Definition: socket.h:69
key_direction_state
Key ordering of the key2.keys array.
Definition: crypto.h:196
COMP_F_MIGRATE
#define COMP_F_MIGRATE
Definition: comp.h:40
options::ncp_ciphers
const char * ncp_ciphers
Definition: options.h:559
options::comp
struct compress_options comp
Definition: options.h:395
tls_session::key
struct key_state key[KS_SIZE]
Definition: ssl_common.h:509
COMP_ALG_UNDEF
#define COMP_ALG_UNDEF
Definition: comp.h:45
WINDOWS_DRIVER_WINTUN
@ WINDOWS_DRIVER_WINTUN
Definition: tun.h:52
context::options
struct options options
Options loaded from command line or configuration file.
Definition: openvpn.h:478
MR_ADDR_IPV4
#define MR_ADDR_IPV4
Definition: mroute.h:62
options
Definition: options.h:236
crypto.h
tls_multi::dco_peer_id
int dco_peer_id
This is the handle that DCO uses to identify this session with the kernel.
Definition: ssl_common.h:690
DCO_INSTALLED_SECONDARY
@ DCO_INSTALLED_SECONDARY
Definition: ssl_common.h:177
multi.h
dco_context_t
void * dco_context_t
Definition: dco.h:254
errlevel.h
dco_p2p_add_new_peer
static int dco_p2p_add_new_peer(struct context *c)
Definition: dco.h:331
OVPN_KEY_SLOT_PRIMARY
@ OVPN_KEY_SLOT_PRIMARY
Definition: ovpn_dco_freebsd.h:48
compress_options::flags
unsigned int flags
Definition: comp.h:67
dco_available
bool dco_available(int msglevel)
Definition: dco_win.c:360
KS_AUTH_TRUE
@ KS_AUTH_TRUE
Key state is authenticated.
Definition: ssl_common.h:150
DCO_IROUTE_METRIC
#define DCO_IROUTE_METRIC
Definition: dco.h:47
dco_remove_peer
static void dco_remove_peer(struct context *c)
Definition: dco.h:344
proto_is_udp
static bool proto_is_udp(int proto)
Returns if the protocol being used is UDP.
Definition: socket.h:573
tls_multi::dco_keys_installed
int dco_keys_installed
Definition: ssl_common.h:682
link_socket::info
struct link_socket_info info
Definition: socket.h:167
link_socket_addr::actual
struct link_socket_actual actual
Definition: socket.h:110
dco_delete_iroutes
static void dco_delete_iroutes(struct multi_context *m, struct multi_instance *mi)
Definition: dco.h:361
DCO_INSTALLED_PRIMARY
@ DCO_INSTALLED_PRIMARY
Definition: ssl_common.h:176
link_socket_info::proto
int proto
Definition: socket.h:120
key_state::state
int state
Definition: ssl_common.h:200
context_2::link_socket
struct link_socket * link_socket
Definition: openvpn.h:240
mroute_addr
Definition: mroute.h:75
syshead.h
options::management_flags
unsigned int management_flags
Definition: options.h:443
connection_list::array
struct connection_entry ** array
Definition: options.h:187
dco_check_startup_option
static bool dco_check_startup_option(int msglevel, const struct options *o)
Definition: dco.h:275
gc_arena
Garbage collection arena used to keep track of dynamically allocated memory.
Definition: buffer.h:116
key_state::key_id
int key_id
Key id for this key_state, inherited from struct tls_session.
Definition: ssl_common.h:208
iroute_ipv6::next
struct iroute_ipv6 * next
Definition: route.h:243
dco_del_peer
int dco_del_peer(dco_context_t *dco, unsigned int peerid)
Definition: dco_win.c:257
connection_entry::http_proxy_options
struct http_proxy_options * http_proxy_options
Definition: options.h:113
multi_context
Main OpenVPN server state structure.
Definition: multi.h:155
dco_enabled
static bool dco_enabled(const struct options *o)
Returns whether the current configuration has dco enabled.
Definition: options.h:907
dco.h
tls_select_encryption_key
struct key_state * tls_select_encryption_key(struct tls_multi *multi)
Selects the primary encryption that should be used to encrypt data of an outgoing packet.
Definition: ssl.c:3864
mroute_addr::v6
struct mroute_addr::@1::@4 v6
dco_del_key
int dco_del_key(dco_context_t *dco, unsigned int peerid, dco_key_slot_t slot)
Definition: dco_win.c:336
dco_swap_keys
int dco_swap_keys(dco_context_t *dco, unsigned int peer_id)
Definition: dco_win.c:345
link_socket_info::connection_established
bool connection_established
Definition: socket.h:116
dco_update_keys
static bool dco_update_keys(dco_context_t *dco, struct tls_multi *multi)
Definition: dco.h:324
connection_entry::remote
const char * remote
Definition: options.h:105
tuntap::dco
dco_context_t dco
Definition: tun.h:234
iroute_ipv6
Definition: route.h:240
gc_free
static void gc_free(struct gc_arena *a)
Definition: buffer.h:1038
mroute_addr::type
uint8_t type
Definition: mroute.h:78
options::connection_list
struct connection_list * connection_list
Definition: options.h:276
key::cipher
uint8_t cipher[MAX_CIPHER_KEY_LENGTH]
Key material for cipher operations.
Definition: crypto.h:151
crypto_options::key_ctx_bi
struct key_ctx_bi key_ctx_bi
OpenSSL cipher and HMAC contexts for both sending and receiving directions.
Definition: crypto.h:232
options::sockflags
unsigned int sockflags
Definition: options.h:406
options::username
const char * username
Definition: options.h:359
WINDOWS_DRIVER_TAP_WINDOWS6
@ WINDOWS_DRIVER_TAP_WINDOWS6
Definition: tun.h:51
strsep
char * strsep(char **stringp, const char *delim)
Definition: compat-strsep.c:36
config.h
ssl_ncp.h
ssl_common.h
connection_entry::fragment
int fragment
Definition: options.h:132
tls_multi::peer_id
uint32_t peer_id
Definition: ssl_common.h:666
init_key_dco_bi
static int init_key_dco_bi(struct tls_multi *multi, struct key_state *ks, const struct key2 *key2, int key_direction, const char *ciphername, bool server)
Definition: dco.h:316
key2
Container for bidirectional cipher and HMAC key material.
Definition: crypto.h:179
connection_entry::proto
int proto
Definition: options.h:99
OVPN_KEY_SLOT_SECONDARY
@ OVPN_KEY_SLOT_SECONDARY
Definition: ovpn_dco_freebsd.h:49
dco_multi_add_new_peer
static int dco_multi_add_new_peer(struct multi_context *m, struct multi_instance *mi)
Definition: dco.h:349
DCO_NOT_INSTALLED
@ DCO_NOT_INSTALLED
Definition: ssl_common.h:175
context_2::push_ifconfig_ipv6_defined
bool push_ifconfig_ipv6_defined
Definition: openvpn.h:437
options::iroutes_ipv6
struct iroute_ipv6 * iroutes_ipv6
Definition: options.h:495
COMP_F_ALLOW_ASYM
#define COMP_F_ALLOW_ASYM
Definition: comp.h:41
tun_name_is_fixed
bool tun_name_is_fixed(const char *dev)
Definition: tun.c:1881
link_socket_actual::dest
struct openvpn_sockaddr dest
Definition: socket.h:90
SF_USE_IP_PKTINFO
#define SF_USE_IP_PKTINFO
Definition: socket.h:204
KS_SIZE
#define KS_SIZE
Size of the tls_session.key array.
Definition: ssl_common.h:451
key2::keys
struct key keys[2]
Two unidirectional sets of key material.
Definition: crypto.h:183
print_windows_driver
const char * print_windows_driver(enum windows_driver_type windows_driver)
Definition: tun.c:7145
options::ciphername
const char * ciphername
Definition: options.h:556
msg
#define msg(flags,...)
Definition: error.h:144
dco_install_iroute
static void dco_install_iroute(struct multi_context *m, struct multi_instance *mi, struct mroute_addr *addr)
Definition: dco.h:355
dco_check_pull_options
static bool dco_check_pull_options(int msglevel, const struct options *o)
Definition: dco.h:281
multi_instance::context
struct context context
The context structure storing state for this VPN tunnel.
Definition: multi.h:136
context::c1
struct context_1 c1
Level 1 context.
Definition: openvpn.h:516
dev_type_enum
int dev_type_enum(const char *dev, const char *dev_type)
Definition: tun.c:436
context::net_ctx
openvpn_net_ctx_t net_ctx
Networking API opaque context.
Definition: openvpn.h:501
Generated by   doxygen 1.8.17