OpenVPN
dco_win.c
Go to the documentation of this file.
1/*
2 * Interface to ovpn-win-dco networking code
3 *
4 * Copyright (C) 2020-2025 Arne Schwabe <arne@rfc2549.org>
5 * Copyright (C) 2020-2025 OpenVPN Inc <sales@openvpn.net>
6 *
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License version 2
9 * as published by the Free Software Foundation.
10 *
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License
17 * along with this program (see the file COPYING included with this
18 * distribution); if not, see <https://www.gnu.org/licenses/>.
19 */
20
21#ifdef HAVE_CONFIG_H
22#include "config.h"
23#endif
24
25#if defined(_WIN32)
26
27#include "syshead.h"
28
29#include "dco.h"
30#include "forward.h"
31#include "tun.h"
32#include "crypto.h"
33#include "multi.h"
34#include "ssl_common.h"
35#include "openvpn.h"
36
37#include <bcrypt.h>
38#include <winsock2.h>
39#include <ws2tcpip.h>
40
41#if defined(__MINGW32__)
42const IN_ADDR in4addr_any = { 0 };
43#endif
44
45/* Sometimes IP Helper API, which we use for setting IP address etc,
46 * complains that interface is not found. Give it some time to settle
47 */
48static void
50{
51 for (int i = 0; i < 20; ++i)
52 {
53 MIB_IPINTERFACE_ROW row = { .InterfaceIndex = idx, .Family = AF_INET };
54 if (GetIpInterfaceEntry(&row) != ERROR_NOT_FOUND)
55 {
56 break;
57 }
58 msg(D_DCO_DEBUG, "interface %ld not yet ready, retrying", idx);
59 Sleep(50);
60 }
61}
62
72static bool
74{
75 CLEAR(*version);
76
77 bool res = false;
78
79 HANDLE h = CreateFile("\\\\.\\ovpn-dco-ver", GENERIC_READ, 0, NULL, OPEN_EXISTING, 0, NULL);
80
81 if (h == INVALID_HANDLE_VALUE)
82 {
83 /* fallback to a "normal" device, this will fail if device is already in use */
84 h = CreateFile("\\\\.\\ovpn-dco", GENERIC_READ, 0, NULL, OPEN_EXISTING, 0, NULL);
85 }
86
87 if (h == INVALID_HANDLE_VALUE)
88 {
89 goto done;
90 }
91
92 DWORD bytes_returned = 0;
93 if (!DeviceIoControl(h, OVPN_IOCTL_GET_VERSION, NULL, 0, version, sizeof(*version),
94 &bytes_returned, NULL))
95 {
96 goto done;
97 }
98
99 res = true;
100
101done:
102 if (h != INVALID_HANDLE_VALUE)
103 {
104 CloseHandle(h);
105 }
106
107 msg(D_DCO_DEBUG, "dco version: %ld.%ld.%ld", version->Major, version->Minor, version->Patch);
108
109 return res;
110}
111
121void
122ovpn_dco_init_mp(dco_context_t *dco, const char *dev_node)
123{
124 ASSERT(dco->ifmode == DCO_MODE_UNINIT);
125 dco->ifmode = DCO_MODE_MP;
126
127 /* Use manual reset event so it remains signalled until
128 * explicitly reset. This way we won't lose notifications
129 */
130 dco->ov.hEvent = CreateEvent(NULL, TRUE, FALSE, NULL);
131 if (dco->ov.hEvent == NULL)
132 {
133 msg(M_ERR, "Error: ovpn_dco_init: CreateEvent failed");
134 }
135
136 dco->rwhandle.read = dco->ov.hEvent;
137
138 /* open DCO device */
139 struct gc_arena gc = gc_new();
140 const char *device_guid;
141 tun_open_device(dco->tt, dev_node, &device_guid, &gc);
142 gc_free(&gc);
143
144 /* set mp mode */
146 DWORD bytes_returned = 0;
147 if (!DeviceIoControl(dco->tt->hand, OVPN_IOCTL_SET_MODE, &m, sizeof(m), NULL, 0,
148 &bytes_returned, NULL))
149 {
150 msg(M_ERR, "DeviceIoControl(OVPN_IOCTL_SET_MODE) failed");
151 }
152
153 dco_wait_ready(dco->tt->adapter_index);
154}
155
164void
166{
167 DWORD bytes_returned = 0;
168 if (!DeviceIoControl(tt->hand, OVPN_IOCTL_START_VPN, NULL, 0, NULL, 0, &bytes_returned, NULL))
169 {
170 msg(M_ERR, "DeviceIoControl(OVPN_IOCTL_START_VPN) failed");
171 }
172
173 /* Sometimes IP Helper API, which we use for setting IP address etc,
174 * complains that interface is not found. Give it some time to settle
175 */
177}
178
179
189bool
191{
192 dco_context_t *dco = &c->c1.tuntap->dco;
193
194 dco->c = c;
195
196 switch (c->mode)
197 {
199 dco->ifmode = DCO_MODE_P2P;
200 dco_p2p_start_vpn(dco->tt);
201 break;
202
203 case MODE_SERVER:
205 break;
206
207 default:
208 ASSERT(false);
209 }
210
211 return true;
212}
213
214int
215open_tun_dco(struct tuntap *tt, openvpn_net_ctx_t *ctx, const char *dev)
216{
217 ASSERT(0);
218 return 0;
219}
220
221static void
222dco_connect_wait(HANDLE handle, OVERLAPPED *ov, int timeout, struct signal_info *sig_info)
223{
224 volatile int *signal_received = &sig_info->signal_received;
225 /* GetOverlappedResultEx is available starting from Windows 8 */
226 typedef BOOL(WINAPI * get_overlapped_result_ex_t)(HANDLE, LPOVERLAPPED, LPDWORD, DWORD, BOOL);
227 get_overlapped_result_ex_t get_overlapped_result_ex =
228 (get_overlapped_result_ex_t)GetProcAddress(GetModuleHandle("Kernel32.dll"),
229 "GetOverlappedResultEx");
230
231 if (get_overlapped_result_ex == NULL)
232 {
233 msg(M_ERR, "Failed to load GetOverlappedResult()");
234 }
235
236 DWORD timeout_msec = timeout * 1000;
237 const int poll_interval_ms = 50;
238
239 while (timeout_msec > 0)
240 {
241 timeout_msec -= poll_interval_ms;
242
243 DWORD transferred;
244 if (get_overlapped_result_ex(handle, ov, &transferred, poll_interval_ms, FALSE) != 0)
245 {
246 /* TCP connection established by dco */
247 return;
248 }
249
250 DWORD err = GetLastError();
251 if ((err != WAIT_TIMEOUT) && (err != ERROR_IO_INCOMPLETE))
252 {
253 /* dco reported connection error */
254 msg(M_NONFATAL | M_ERRNO, "dco connect error");
255 register_signal(sig_info, SIGUSR1, "dco-connect-error");
256 return;
257 }
258
259 get_signal(signal_received);
260 if (*signal_received)
261 {
262 return;
263 }
264
266 }
267
268 /* we end up here when timeout occurs in userspace */
269 msg(M_NONFATAL, "dco connect timeout");
270 register_signal(sig_info, SIGUSR1, "dco-connect-timeout");
271}
272
282void
283dco_mp_start_vpn(HANDLE handle, struct link_socket *sock)
284{
285 msg(D_DCO_DEBUG, "%s", __func__);
286
287 int ai_family = sock->info.lsa->bind_local->ai_family;
288 struct addrinfo *local = sock->info.lsa->bind_local;
289 struct addrinfo *cur = NULL;
290
291 for (cur = local; cur; cur = cur->ai_next)
292 {
293 if (cur->ai_family == ai_family)
294 {
295 break;
296 }
297 }
298 if (!cur)
299 {
300 msg(M_FATAL, "%s: Socket bind failed: Addr to bind has no %s record", __func__,
301 addr_family_name(ai_family));
302 }
303
304 OVPN_MP_START_VPN in, out;
305 in.IPv6Only = sock->info.bind_ipv6_only ? 1 : 0;
306 if (ai_family == AF_INET)
307 {
308 memcpy(&in.ListenAddress.Addr4, cur->ai_addr, sizeof(struct sockaddr_in));
309 }
310 else
311 {
312 memcpy(&in.ListenAddress.Addr6, cur->ai_addr, sizeof(struct sockaddr_in6));
313 }
314
315 /* in multipeer mode control channel packets are prepended with remote peer's sockaddr */
316 sock->sockflags |= SF_PREPEND_SA;
317
318 DWORD bytes_returned = 0;
319 if (!DeviceIoControl(handle, OVPN_IOCTL_MP_START_VPN, &in, sizeof(in), &out, sizeof(out),
320 &bytes_returned, NULL))
321 {
322 msg(M_ERR, "DeviceIoControl(OVPN_IOCTL_MP_START_VPN) failed");
323 }
324}
325
326void
327dco_p2p_new_peer(HANDLE handle, OVERLAPPED *ov, struct link_socket *sock,
328 struct signal_info *sig_info)
329{
330 msg(D_DCO_DEBUG, "%s", __func__);
331
332 OVPN_NEW_PEER peer = { 0 };
333
334 struct addrinfo *remoteaddr = sock->info.lsa->current_remote;
335
336 struct sockaddr *local = NULL;
337 struct sockaddr *remote = remoteaddr->ai_addr;
338
339 if (remoteaddr->ai_protocol == IPPROTO_TCP || remoteaddr->ai_socktype == SOCK_STREAM)
340 {
341 peer.Proto = OVPN_PROTO_TCP;
342 }
343 else
344 {
345 peer.Proto = OVPN_PROTO_UDP;
346 }
347
348 if (sock->bind_local)
349 {
350 /* Use first local address with correct address family */
351 struct addrinfo *bind = sock->info.lsa->bind_local;
352 while (bind && !local)
353 {
354 if (bind->ai_family == remote->sa_family)
355 {
356 local = bind->ai_addr;
357 }
358 bind = bind->ai_next;
359 }
360 }
361
362 if (sock->bind_local && !local)
363 {
364 msg(M_FATAL, "DCO: Socket bind failed: Address to bind lacks %s record",
365 addr_family_name(remote->sa_family));
366 }
367
368 if (remote->sa_family == AF_INET6)
369 {
370 peer.Remote.Addr6 = *((SOCKADDR_IN6 *)(remoteaddr->ai_addr));
371 if (local)
372 {
373 peer.Local.Addr6 = *((SOCKADDR_IN6 *)local);
374 }
375 else
376 {
377 peer.Local.Addr6.sin6_addr = in6addr_any;
378 peer.Local.Addr6.sin6_port = 0;
379 peer.Local.Addr6.sin6_family = AF_INET6;
380 }
381 }
382 else if (remote->sa_family == AF_INET)
383 {
384 peer.Remote.Addr4 = *((SOCKADDR_IN *)(remoteaddr->ai_addr));
385 if (local)
386 {
387 peer.Local.Addr4 = *((SOCKADDR_IN *)local);
388 }
389 else
390 {
391 peer.Local.Addr4.sin_addr = in4addr_any;
392 peer.Local.Addr4.sin_port = 0;
393 peer.Local.Addr4.sin_family = AF_INET;
394 }
395 }
396 else
397 {
398 ASSERT(0);
399 }
400
401 CLEAR(*ov);
402 if (!DeviceIoControl(handle, OVPN_IOCTL_NEW_PEER, &peer, sizeof(peer), NULL, 0, NULL, ov))
403 {
404 DWORD err = GetLastError();
405 if (err != ERROR_IO_PENDING)
406 {
407 msg(M_ERR, "DeviceIoControl(OVPN_IOCTL_NEW_PEER) failed");
408 }
409 else
410 {
412 sig_info);
413 }
414 }
415}
416
417int
418dco_new_peer(dco_context_t *dco, unsigned int peerid, int sd, struct sockaddr *localaddr,
419 struct sockaddr *remoteaddr, struct in_addr *vpn_ipv4, struct in6_addr *vpn_ipv6)
420{
421 msg(D_DCO_DEBUG, "%s: peer-id %d, fd %d", __func__, peerid, sd);
422
423 if (dco->ifmode == DCO_MODE_P2P)
424 {
425 /* no-op for p2p */
426 return 0;
427 }
428
429 OVPN_MP_NEW_PEER newPeer = { 0 };
430
431 if (remoteaddr)
432 {
433 /* while the driver doesn't use the local address yet it requires its AF to be valid */
434 newPeer.Local.Addr4.sin_family = remoteaddr->sa_family;
435
436 if (remoteaddr->sa_family == AF_INET)
437 {
438 memcpy(&newPeer.Remote.Addr4, remoteaddr, sizeof(struct sockaddr_in));
439 }
440 else
441 {
442 memcpy(&newPeer.Remote.Addr6, remoteaddr, sizeof(struct sockaddr_in6));
443 }
444 }
445
446 if (vpn_ipv4)
447 {
448 newPeer.VpnAddr4 = *vpn_ipv4;
449 }
450
451 if (vpn_ipv6)
452 {
453 newPeer.VpnAddr6 = *vpn_ipv6;
454 }
455
456 newPeer.PeerId = peerid;
457
458 DWORD bytesReturned;
459 if (!DeviceIoControl(dco->tt->hand, OVPN_IOCTL_MP_NEW_PEER, &newPeer, sizeof(newPeer), NULL, 0,
460 &bytesReturned, NULL))
461 {
462 msg(M_ERR, "DeviceIoControl(OVPN_IOCTL_MP_NEW_PEER) failed");
463 }
464
465 return 0;
466}
467
468int
469dco_del_peer(dco_context_t *dco, unsigned int peerid)
470{
471 msg(D_DCO_DEBUG, "%s: peer-id %d", __func__, peerid);
472
473 OVPN_MP_DEL_PEER del_peer = { peerid };
474 VOID *buf = NULL;
475 DWORD len = 0;
476 DWORD ioctl = OVPN_IOCTL_DEL_PEER;
477
478 if (dco->ifmode == DCO_MODE_MP)
479 {
481 buf = &del_peer;
482 len = sizeof(del_peer);
483 }
484
485 DWORD bytes_returned = 0;
486 if (!DeviceIoControl(dco->tt->hand, ioctl, buf, len, NULL, 0, &bytes_returned, NULL))
487 {
488 msg(M_WARN | M_ERRNO, "DeviceIoControl(OVPN_IOCTL_DEL_PEER) failed");
489 return -1;
490 }
491 return 0;
492}
493
494int
495dco_set_peer(dco_context_t *dco, unsigned int peerid, int keepalive_interval, int keepalive_timeout,
496 int mss)
497{
498 msg(D_DCO_DEBUG, "%s: peer-id %d, keepalive %d/%d, mss %d", __func__, peerid,
499 keepalive_interval, keepalive_timeout, mss);
500
501 OVPN_MP_SET_PEER mp_peer = { peerid, keepalive_interval, keepalive_timeout, mss };
502 OVPN_SET_PEER peer = { keepalive_interval, keepalive_timeout, mss };
503 VOID *buf = NULL;
504 DWORD len = 0;
505 DWORD ioctl = (dco->ifmode == DCO_MODE_MP) ? OVPN_IOCTL_MP_SET_PEER : OVPN_IOCTL_SET_PEER;
506
507 if (dco->ifmode == DCO_MODE_MP)
508 {
509 buf = &mp_peer;
510 len = sizeof(OVPN_MP_SET_PEER);
511 }
512 else
513 {
514 buf = &peer;
515 len = sizeof(OVPN_SET_PEER);
516 }
517
518 DWORD bytes_returned = 0;
519 if (!DeviceIoControl(dco->tt->hand, ioctl, buf, len, NULL, 0, &bytes_returned, NULL))
520 {
521 msg(M_WARN | M_ERRNO, "DeviceIoControl(OVPN_IOCTL_MP_SET_PEER) failed");
522 return -1;
523 }
524
525 return 0;
526}
527
528#if defined(__GNUC__) || defined(__clang__)
529#pragma GCC diagnostic push
530#pragma GCC diagnostic ignored "-Wconversion"
531#endif
532
533int
534dco_new_key(dco_context_t *dco, unsigned int peerid, int keyid, dco_key_slot_t slot,
535 const uint8_t *encrypt_key, const uint8_t *encrypt_iv, const uint8_t *decrypt_key,
536 const uint8_t *decrypt_iv, const char *ciphername)
537{
538 msg(D_DCO_DEBUG, "%s: slot %d, key-id %d, peer-id %d, cipher %s", __func__, slot, keyid, peerid,
539 ciphername);
540
541 const int nonce_len = 8;
542 size_t key_len = cipher_kt_key_size(ciphername);
543
544 OVPN_CRYPTO_DATA crypto_data;
545 ZeroMemory(&crypto_data, sizeof(crypto_data));
546
547 crypto_data.CipherAlg = dco_get_cipher(ciphername);
548 crypto_data.KeyId = keyid;
549 crypto_data.PeerId = peerid;
550 crypto_data.KeySlot = slot;
551
552 CopyMemory(crypto_data.Encrypt.Key, encrypt_key, key_len);
553 crypto_data.Encrypt.KeyLen = (char)key_len;
554 CopyMemory(crypto_data.Encrypt.NonceTail, encrypt_iv, nonce_len);
555
556 CopyMemory(crypto_data.Decrypt.Key, decrypt_key, key_len);
557 crypto_data.Decrypt.KeyLen = (char)key_len;
558 CopyMemory(crypto_data.Decrypt.NonceTail, decrypt_iv, nonce_len);
559
560 ASSERT(crypto_data.CipherAlg > 0);
561
562 DWORD bytes_returned = 0;
563
564 if (!DeviceIoControl(dco->tt->hand, OVPN_IOCTL_NEW_KEY, &crypto_data, sizeof(crypto_data), NULL,
565 0, &bytes_returned, NULL))
566 {
567 msg(M_ERR, "DeviceIoControl(OVPN_IOCTL_NEW_KEY) failed");
568 return -1;
569 }
570 return 0;
571}
572
573#if defined(__GNUC__) || defined(__clang__)
574#pragma GCC diagnostic pop
575#endif
576
577int
578dco_del_key(dco_context_t *dco, unsigned int peerid, dco_key_slot_t slot)
579{
580 msg(D_DCO, "%s: peer-id %d, slot %d called but ignored", __func__, peerid, slot);
581 /* FIXME: Implement in driver first */
582 return 0;
583}
584
585int
586dco_swap_keys(dco_context_t *dco, unsigned int peer_id)
587{
588 msg(D_DCO_DEBUG, "%s: peer-id %d", __func__, peer_id);
589
590 OVPN_MP_SWAP_KEYS swap = { peer_id };
591 DWORD ioctl = OVPN_IOCTL_SWAP_KEYS;
592 VOID *buf = NULL;
593 DWORD len = 0;
594
595 if (dco->ifmode == DCO_MODE_MP)
596 {
598 buf = &swap;
599 len = sizeof(swap);
600 }
601
602 DWORD bytes_returned = 0;
603 if (!DeviceIoControl(dco->tt->hand, ioctl, buf, len, NULL, 0, &bytes_returned, NULL))
604 {
605 msg(M_ERR, "DeviceIoControl(OVPN_IOCTL_SWAP_KEYS) failed");
606 return -1;
607 }
608 return 0;
609}
610
611bool
613{
614 /* try to open device by symbolic name */
615 HANDLE h = CreateFile("\\\\.\\ovpn-dco", GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING,
616 FILE_ATTRIBUTE_SYSTEM | FILE_FLAG_OVERLAPPED, NULL);
617
618 if (h != INVALID_HANDLE_VALUE)
619 {
620 CloseHandle(h);
621 return true;
622 }
623
624 DWORD err = GetLastError();
625 if (err == ERROR_ACCESS_DENIED)
626 {
627 /* this likely means that device exists but is already in use,
628 * don't bail out since later we try to open all existing dco
629 * devices and then bail out if all devices are in use
630 */
631 return true;
632 }
633
634 msg(msglevel, "Note: ovpn-dco-win driver is missing, disabling data channel offload.");
635 return false;
636}
637
638const char *
640{
641 OVPN_VERSION version = { 0 };
642 if (dco_get_version(&version))
643 {
644 struct buffer out = alloc_buf_gc(256, gc);
645 buf_printf(&out, "%ld.%ld.%ld", version.Major, version.Minor, version.Patch);
646 return BSTR(&out);
647 }
648 else
649 {
650 return "N/A";
651 }
652}
653
665static void
667{
668 DWORD bytes_read = 0;
669 BOOL res = GetOverlappedResult(dco->tt->hand, &dco->ov, &bytes_read, FALSE);
670 if (res)
671 {
672 msg(D_DCO_DEBUG, "%s: completion%s success [%ld]", __func__, queued ? "" : " non-queued",
673 bytes_read);
674
675 dco->dco_message_peer_id = dco->notif_buf.PeerId;
676 dco->dco_message_type = dco->notif_buf.Cmd;
677 dco->dco_del_peer_reason = dco->notif_buf.DelPeerReason;
678 dco->dco_float_peer_ss = dco->notif_buf.FloatAddress;
679 }
680 else
681 {
682 msg(D_DCO_DEBUG | M_ERRNO, "%s: completion%s error", __func__, queued ? "" : " non-queued");
683 }
684}
685
686int
688{
689 if (dco->ifmode != DCO_MODE_MP)
690 {
691 ASSERT(false);
692 }
693
694 dco->dco_message_peer_id = -1;
695 dco->dco_message_type = 0;
696
697 switch (dco->iostate)
698 {
699 case IOSTATE_QUEUED:
701
702 ASSERT(ResetEvent(dco->ov.hEvent));
703 dco->iostate = IOSTATE_INITIAL;
704
705 break;
706
708 dco->iostate = IOSTATE_INITIAL;
709 ASSERT(ResetEvent(dco->ov.hEvent));
710
711 if (dco->ov_ret == ERROR_SUCCESS)
712 {
714 }
715 else
716 {
717 SetLastError(dco->ov_ret);
718 msg(D_DCO_DEBUG | M_ERRNO, "%s: completion non-queued error", __func__);
719 }
720
721 break;
722 }
723
724 return 0;
725}
726
727int
729{
730 struct gc_arena gc = gc_new();
731
732 int ret = 0;
733 struct tuntap *tt = dco->tt;
734
735 if (!tuntap_defined(tt))
736 {
737 ret = -1;
738 goto done;
739 }
740
742 .PeerId = -1
743 };
744
745 DWORD required_size = 0, bytes_returned = 0;
746 /* first, figure out buffer size */
747 if (!DeviceIoControl(tt->hand, OVPN_IOCTL_GET_PEER_STATS, &ps, sizeof(ps), &required_size, sizeof(DWORD), &bytes_returned, NULL))
748 {
749 if (GetLastError() == ERROR_MORE_DATA)
750 {
751 if (bytes_returned != sizeof(DWORD))
752 {
753 msg(M_WARN, "%s: invalid bytes returned for size query (%lu, expected %zu)", __func__, bytes_returned, sizeof(DWORD));
754 ret = -1;
755 goto done;
756 }
757 /* required_size now contains the size written by the driver */
758 if (required_size == 0)
759 {
760 ret = 0; /* no peers to process */
761 goto done;
762 }
763 if (required_size < sizeof(OVPN_PEER_STATS))
764 {
765 msg(M_WARN, "%s: invalid required size %lu (minimum %zu)", __func__, required_size, sizeof(OVPN_PEER_STATS));
766 ret = -1;
767 goto done;
768 }
769 }
770 else
771 {
772 msg(M_WARN | M_ERRNO, "%s: failed to fetch required buffer size", __func__);
773 ret = -1;
774 goto done;
775 }
776 }
777 else
778 {
779 /* unexpected success? */
780 if (bytes_returned == 0)
781 {
782 ret = 0; /* no peers to process */
783 goto done;
784 }
785
786 msg(M_WARN, "%s: first DeviceIoControl call succeeded unexpectedly (%lu bytes returned)", __func__, bytes_returned);
787 ret = -1;
788 goto done;
789 }
790
791
792 /* allocate the buffer and fetch stats */
793 OVPN_PEER_STATS *peer_stats = gc_malloc(required_size, true, &gc);
794 if (!peer_stats)
795 {
796 msg(M_WARN, "%s: failed to allocate buffer of size %lu", __func__, required_size);
797 ret = -1;
798 goto done;
799 }
800
801 if (!DeviceIoControl(tt->hand, OVPN_IOCTL_GET_PEER_STATS, &ps, sizeof(ps), peer_stats, required_size, &bytes_returned, NULL))
802 {
803 /* unlikely case when a peer has been added since fetching buffer size, not an error! */
804 if (GetLastError() == ERROR_MORE_DATA)
805 {
806 msg(M_WARN, "%s: peer has been added, skip fetching stats", __func__);
807 ret = 0;
808 goto done;
809 }
810
811 msg(M_WARN | M_ERRNO, "%s: failed to fetch multipeer stats", __func__);
812 ret = -1;
813 goto done;
814 }
815
816 /* iterate over stats and update peers */
817 for (int i = 0; i < bytes_returned / sizeof(OVPN_PEER_STATS); ++i)
818 {
819 OVPN_PEER_STATS *stat = &peer_stats[i];
820
821 if (stat->PeerId >= dco->c->multi->max_clients)
822 {
823 msg(M_WARN, "%s: received out of bound peer_id %u (max=%u)", __func__, stat->PeerId,
824 dco->c->multi->max_clients);
825 continue;
826 }
827
828 struct multi_instance *mi = dco->c->multi->instances[stat->PeerId];
829 if (!mi)
830 {
831 msg(M_WARN, "%s: received data for a non-existing peer %u", __func__, stat->PeerId);
832 continue;
833 }
834
835 /* update peer stats */
836 struct context_2 *c2 = &mi->context.c2;
837 c2->dco_read_bytes = stat->LinkRxBytes;
838 c2->dco_write_bytes = stat->LinkTxBytes;
839 c2->tun_read_bytes = stat->VpnRxBytes;
840 c2->tun_write_bytes = stat->VpnTxBytes;
841 }
842
843done:
844 gc_free(&gc);
845
846 if (raise_sigusr1_on_err && ret < 0)
847 {
848 register_signal(dco->c->sig, SIGUSR1, "dco peer stats error");
849 }
850
851 return ret;
852}
853
854int
855dco_get_peer_stats_fallback(struct context *c, const bool raise_sigusr1_on_err)
856{
857 struct tuntap *tt = c->c1.tuntap;
858
859 if (!tuntap_defined(tt))
860 {
861 return -1;
862 }
863
864 OVPN_STATS stats;
865 ZeroMemory(&stats, sizeof(OVPN_STATS));
866
867 DWORD bytes_returned = 0;
868 if (!DeviceIoControl(tt->hand, OVPN_IOCTL_GET_STATS, NULL, 0, &stats, sizeof(stats),
869 &bytes_returned, NULL))
870 {
871 msg(M_WARN | M_ERRNO, "DeviceIoControl(OVPN_IOCTL_GET_STATS) failed");
872 return -1;
873 }
874
879
880 return 0;
881}
882
883int
884dco_get_peer_stats(struct context *c, const bool raise_sigusr1_on_err)
885{
886 struct tuntap *tt = c->c1.tuntap;
887
888 if (!tuntap_defined(tt))
889 {
890 return -1;
891 }
892
893 /* first, try a new ioctl */
895
896 OVPN_PEER_STATS peer_stats = { 0 };
897 DWORD bytes_returned = 0;
898 if (!DeviceIoControl(tt->hand, OVPN_IOCTL_GET_PEER_STATS, &ps, sizeof(ps), &peer_stats, sizeof(peer_stats),
899 &bytes_returned, NULL))
900 {
901 if (GetLastError() == ERROR_INVALID_FUNCTION)
902 {
903 /* are we using the old driver? */
904 return dco_get_peer_stats_fallback(c, raise_sigusr1_on_err);
905 }
906
907 msg(M_WARN | M_ERRNO, "%s: DeviceIoControl(OVPN_IOCTL_GET_PEER_STATS) failed", __func__);
908 return -1;
909 }
910
911 if (bytes_returned != sizeof(OVPN_PEER_STATS))
912 {
913 msg(M_WARN | M_ERRNO, "%s: DeviceIoControl(OVPN_IOCTL_GET_PEER_STATS) returned invalid size", __func__);
914 return -1;
915 }
916
917 c->c2.dco_read_bytes = peer_stats.LinkRxBytes;
918 c->c2.dco_write_bytes = peer_stats.LinkTxBytes;
919 c->c2.tun_read_bytes = peer_stats.VpnRxBytes;
920 c->c2.tun_write_bytes = peer_stats.VpnTxBytes;
921
922 return 0;
923}
924
925void
927{
928 if (dco->ifmode != DCO_MODE_MP)
929 {
930 /* mp only */
931 return;
932 }
933
934 event_ctl(es, &dco->rwhandle, EVENT_READ, arg);
935
936 if (dco->iostate == IOSTATE_INITIAL)
937 {
938 /* the overlapped IOCTL will signal this event on I/O completion */
939 ASSERT(ResetEvent(dco->ov.hEvent));
940
941 if (!DeviceIoControl(dco->tt->hand, OVPN_IOCTL_NOTIFY_EVENT, NULL, 0, &dco->notif_buf,
942 sizeof(dco->notif_buf), NULL, &dco->ov))
943 {
944 DWORD err = GetLastError();
945 if (err == ERROR_IO_PENDING) /* operation queued? */
946 {
947 dco->iostate = IOSTATE_QUEUED;
948 dco->ov_ret = ERROR_SUCCESS;
949
950 msg(D_DCO_DEBUG, "%s: notify ioctl queued", __func__);
951 }
952 else
953 {
954 /* error occured */
955 ASSERT(SetEvent(dco->ov.hEvent));
956 dco->iostate = IOSTATE_IMMEDIATE_RETURN;
957 dco->ov_ret = err;
958
959 msg(D_DCO_DEBUG | M_ERRNO, "%s: notify ioctl error", __func__);
960 }
961 }
962 else
963 {
964 ASSERT(SetEvent(dco->ov.hEvent));
965 dco->iostate = IOSTATE_IMMEDIATE_RETURN;
966 dco->ov_ret = ERROR_SUCCESS;
967
968 msg(D_DCO_DEBUG, "%s: notify ioctl immediate return", __func__);
969 }
970 }
971}
972
973const char *
975{
976 /*
977 * this API can be called either from user mode or kernel mode,
978 * which enables us to probe driver's chachapoly support
979 * (available starting from Windows 11)
980 */
981
982 BCRYPT_ALG_HANDLE h;
983 NTSTATUS status = BCryptOpenAlgorithmProvider(&h, L"CHACHA20_POLY1305", NULL, 0);
984 if (BCRYPT_SUCCESS(status))
985 {
986 BCryptCloseAlgorithmProvider(h, 0);
987 return "AES-128-GCM:AES-256-GCM:AES-192-GCM:CHACHA20-POLY1305";
988 }
989 else
990 {
991 return "AES-128-GCM:AES-256-GCM:AES-192-GCM";
992 }
993}
994
995bool
997{
998 OVPN_VERSION ver = { 0 };
999 return dco_get_version(&ver) && ver.Major >= 2;
1000}
1001
1002void
1003dco_win_add_iroute_ipv4(dco_context_t *dco, in_addr_t dst, unsigned int netbits,
1004 unsigned int peer_id)
1005{
1006 struct gc_arena gc = gc_new();
1007
1009 .Addr.Addr4.S_un.S_addr = dst, .Netbits = netbits, .PeerId = peer_id, .IPv6 = 0
1010 };
1011
1012 msg(D_DCO_DEBUG, "%s: %s/%d -> peer %d", __func__, print_in_addr_t(dst, IA_NET_ORDER, &gc),
1013 netbits, peer_id);
1014
1015 DWORD bytes_returned = 0;
1016 if (!DeviceIoControl(dco->tt->hand, OVPN_IOCTL_MP_ADD_IROUTE, &route, sizeof(route), NULL, 0,
1017 &bytes_returned, NULL))
1018 {
1019 msg(M_WARN | M_ERRNO, "DeviceIoControl(OVPN_IOCTL_MP_ADD_IROUTE) failed");
1020 }
1021
1022 gc_free(&gc);
1023}
1024
1025void
1026dco_win_add_iroute_ipv6(dco_context_t *dco, struct in6_addr dst, unsigned int netbits,
1027 unsigned int peer_id)
1028{
1029 struct gc_arena gc = gc_new();
1030
1031 OVPN_MP_IROUTE route = { .Addr.Addr6 = dst, .Netbits = netbits, .PeerId = peer_id, .IPv6 = 1 };
1032
1033 msg(D_DCO_DEBUG, "%s: %s/%d -> peer %d", __func__, print_in6_addr(dst, IA_NET_ORDER, &gc),
1034 netbits, peer_id);
1035
1036 DWORD bytes_returned = 0;
1037 if (!DeviceIoControl(dco->tt->hand, OVPN_IOCTL_MP_ADD_IROUTE, &route, sizeof(route), NULL, 0,
1038 &bytes_returned, NULL))
1039 {
1040 msg(M_WARN | M_ERRNO, "DeviceIoControl(OVPN_IOCTL_MP_ADD_IROUTE) failed");
1041 }
1042
1043 gc_free(&gc);
1044}
1045
1046void
1047dco_win_del_iroute_ipv4(dco_context_t *dco, in_addr_t dst, unsigned int netbits)
1048{
1049 struct gc_arena gc = gc_new();
1050
1052 .Addr.Addr4.S_un.S_addr = dst, .Netbits = netbits, .PeerId = -1, .IPv6 = 0
1053 };
1054
1055 msg(D_DCO_DEBUG, "%s: %s/%d", __func__, print_in_addr_t(dst, IA_NET_ORDER, &gc), netbits);
1056
1057 DWORD bytes_returned = 0;
1058 if (!DeviceIoControl(dco->tt->hand, OVPN_IOCTL_MP_DEL_IROUTE, &route, sizeof(route), NULL, 0,
1059 &bytes_returned, NULL))
1060 {
1061 msg(M_WARN | M_ERRNO, "DeviceIoControl(OVPN_IOCTL_MP_DEL_IROUTE) failed");
1062 }
1063
1064 gc_free(&gc);
1065}
1066
1067void
1068dco_win_del_iroute_ipv6(dco_context_t *dco, struct in6_addr dst, unsigned int netbits)
1069{
1070 struct gc_arena gc = gc_new();
1071
1072 OVPN_MP_IROUTE route = { .Addr.Addr6 = dst, .Netbits = netbits, .PeerId = -1, .IPv6 = 1 };
1073
1074 msg(D_DCO_DEBUG, "%s: %s/%d", __func__, print_in6_addr(dst, IA_NET_ORDER, &gc), netbits);
1075
1076 DWORD bytes_returned = 0;
1077 if (!DeviceIoControl(dco->tt->hand, OVPN_IOCTL_MP_DEL_IROUTE, &route, sizeof(route), NULL, 0,
1078 &bytes_returned, NULL))
1079 {
1080 msg(M_WARN | M_ERRNO, "DeviceIoControl(OVPN_IOCTL_MP_DEL_IROUTE) failed");
1081 }
1082
1083 gc_free(&gc);
1084}
1085
1086#endif /* defined(_WIN32) */
bool buf_printf(struct buffer *buf, const char *format,...)
Definition buffer.c:241
void * gc_malloc(size_t size, bool clear, struct gc_arena *a)
Definition buffer.c:336
struct buffer alloc_buf_gc(size_t size, struct gc_arena *gc)
Definition buffer.c:89
#define BSTR(buf)
Definition buffer.h:128
static void gc_free(struct gc_arena *a)
Definition buffer.h:1015
static struct gc_arena gc_new(void)
Definition buffer.h:1007
Data Channel Cryptography Module.
int cipher_kt_key_size(const char *ciphername)
Returns the size of keys used by the cipher, in bytes.
void * dco_context_t
Definition dco.h:261
int open_tun_dco(struct tuntap *tt, openvpn_net_ctx_t *ctx, const char *dev)
Definition dco_win.c:215
int dco_del_key(dco_context_t *dco, unsigned int peerid, dco_key_slot_t slot)
Definition dco_win.c:578
bool dco_available(msglvl_t msglevel)
Definition dco_win.c:612
void dco_mp_start_vpn(HANDLE handle, struct link_socket *sock)
Initializes and binds the kernel UDP transport socket for multipeer mode.
Definition dco_win.c:283
int dco_del_peer(dco_context_t *dco, unsigned int peerid)
Definition dco_win.c:469
void dco_win_add_iroute_ipv6(dco_context_t *dco, struct in6_addr dst, unsigned int netbits, unsigned int peer_id)
Definition dco_win.c:1026
const char * dco_version_string(struct gc_arena *gc)
Definition dco_win.c:639
void dco_p2p_start_vpn(struct tuntap *tt)
Transitions the DCO adapter to the connected state in P2P mode.
Definition dco_win.c:165
const char * dco_get_supported_ciphers(void)
Definition dco_win.c:974
bool ovpn_dco_init(struct context *c)
Initializes DCO depends on mode
Definition dco_win.c:190
static void dco_connect_wait(HANDLE handle, OVERLAPPED *ov, int timeout, struct signal_info *sig_info)
Definition dco_win.c:222
void dco_win_del_iroute_ipv4(dco_context_t *dco, in_addr_t dst, unsigned int netbits)
Definition dco_win.c:1047
bool dco_win_supports_multipeer(void)
Definition dco_win.c:996
int dco_get_peer_stats_multi(dco_context_t *dco, const bool raise_sigusr1_on_err)
Definition dco_win.c:728
void dco_win_del_iroute_ipv6(dco_context_t *dco, struct in6_addr dst, unsigned int netbits)
Definition dco_win.c:1068
int dco_get_peer_stats_fallback(struct context *c, const bool raise_sigusr1_on_err)
Definition dco_win.c:855
static void dco_wait_ready(DWORD idx)
Definition dco_win.c:49
int dco_set_peer(dco_context_t *dco, unsigned int peerid, int keepalive_interval, int keepalive_timeout, int mss)
Definition dco_win.c:495
int dco_swap_keys(dco_context_t *dco, unsigned int peer_id)
Definition dco_win.c:586
void ovpn_dco_init_mp(dco_context_t *dco, const char *dev_node)
Initializes the DCO adapter in multipeer mode and sets it to "connected" state.
Definition dco_win.c:122
int dco_do_read(dco_context_t *dco)
Definition dco_win.c:687
int dco_get_peer_stats(struct context *c, const bool raise_sigusr1_on_err)
Definition dco_win.c:884
int dco_new_peer(dco_context_t *dco, unsigned int peerid, int sd, struct sockaddr *localaddr, struct sockaddr *remoteaddr, struct in_addr *vpn_ipv4, struct in6_addr *vpn_ipv6)
Definition dco_win.c:418
static void dco_handle_overlapped_success(dco_context_t *dco, bool queued)
Handles successful completion of overlapped operation.
Definition dco_win.c:666
static bool dco_get_version(OVPN_VERSION *version)
Gets version of dco-win driver.
Definition dco_win.c:73
void dco_p2p_new_peer(HANDLE handle, OVERLAPPED *ov, struct link_socket *sock, struct signal_info *sig_info)
Definition dco_win.c:327
void dco_win_add_iroute_ipv4(dco_context_t *dco, in_addr_t dst, unsigned int netbits, unsigned int peer_id)
Definition dco_win.c:1003
void dco_event_set(dco_context_t *dco, struct event_set *es, void *arg)
Definition dco_win.c:926
int dco_new_key(dco_context_t *dco, unsigned int peerid, int keyid, dco_key_slot_t slot, const uint8_t *encrypt_key, const uint8_t *encrypt_iv, const uint8_t *decrypt_key, const uint8_t *decrypt_iv, const char *ciphername)
Definition dco_win.c:534
#define D_DCO
Definition errlevel.h:93
#define D_DCO_DEBUG
Definition errlevel.h:117
#define EVENT_READ
Definition event.h:38
static void event_ctl(struct event_set *es, event_t event, unsigned int rwflags, void *arg)
Definition event.h:183
int get_server_poll_remaining_time(struct event_timeout *server_poll_timeout)
Definition forward.c:503
Interface functions to the internal and external multiplexers.
static SERVICE_STATUS status
Definition interactive.c:51
@ route
Definition interactive.c:85
void management_sleep(const int n)
A sleep function that services the management layer for n seconds rather than doing nothing.
Definition manage.c:4147
Header file for server-mode related structures and functions.
void * openvpn_net_ctx_t
Definition networking.h:38
#define CLEAR(x)
Definition basic.h:32
#define M_FATAL
Definition error.h:90
#define M_NONFATAL
Definition error.h:91
#define M_ERR
Definition error.h:106
#define msg(flags,...)
Definition error.h:152
unsigned int msglvl_t
Definition error.h:77
#define ASSERT(x)
Definition error.h:219
#define M_WARN
Definition error.h:92
#define M_ERRNO
Definition error.h:95
#define MODE_POINT_TO_POINT
Definition options.h:260
#define MODE_SERVER
Definition options.h:261
#define OVPN_SET_PEER
#define OVPN_IOCTL_GET_STATS
#define OVPN_IOCTL_GET_VERSION
@ OVPN_PROTO_UDP
@ OVPN_PROTO_TCP
#define OVPN_IOCTL_SWAP_KEYS
#define OVPN_IOCTL_NEW_KEY
#define OVPN_IOCTL_NOTIFY_EVENT
#define OVPN_IOCTL_MP_DEL_IROUTE
OVPN_MODE
@ OVPN_MODE_MP
#define OVPN_IOCTL_MP_SET_PEER
#define OVPN_IOCTL_MP_SWAP_KEYS
#define OVPN_IOCTL_GET_PEER_STATS
#define OVPN_IOCTL_SET_PEER
#define OVPN_IOCTL_NEW_PEER
#define OVPN_IOCTL_MP_ADD_IROUTE
#define OVPN_IOCTL_START_VPN
#define OVPN_IOCTL_MP_NEW_PEER
#define OVPN_IOCTL_SET_MODE
#define OVPN_IOCTL_DEL_PEER
#define OVPN_IOCTL_MP_START_VPN
struct _OVPN_MP_SET_PEER OVPN_MP_SET_PEER
#define OVPN_IOCTL_MP_DEL_PEER
struct _OVPN_PEER_STATS OVPN_PEER_STATS
void register_signal(struct signal_info *si, int signum, const char *signal_text)
Register a soft signal in the signal_info struct si respecting priority.
Definition sig.c:228
static void get_signal(volatile int *sig)
Copy the global signal_received (if non-zero) to the passed-in argument sig.
Definition sig.h:109
#define SF_PREPEND_SA
Definition socket.h:197
const char * print_in6_addr(struct in6_addr a6, unsigned int flags, struct gc_arena *gc)
const char * print_in_addr_t(in_addr_t addr, unsigned int flags, struct gc_arena *gc)
const char * addr_family_name(int af)
#define IA_NET_ORDER
Definition socket_util.h:90
Control Channel Common Data Structures.
OVPN_KEY_SLOT KeySlot
unsigned char KeyId
OVPN_KEY_DIRECTION Decrypt
OVPN_KEY_DIRECTION Encrypt
OVPN_CIPHER_ALG CipherAlg
unsigned char Key[32]
unsigned char NonceTail[8]
unsigned char KeyLen
union _OVPN_MP_IROUTE::@20 Addr
union _OVPN_MP_NEW_PEER::@17 Local
SOCKADDR_IN6 Addr6
SOCKADDR_IN Addr4
union _OVPN_MP_NEW_PEER::@18 Remote
SOCKADDR_IN6 Addr6
union _OVPN_MP_START_VPN::@19 ListenAddress
SOCKADDR_IN6 Addr6
union _OVPN_NEW_PEER::@15 Local
SOCKADDR_IN Addr4
union _OVPN_NEW_PEER::@16 Remote
OVPN_PROTO Proto
LONG64 TunBytesSent
LONG64 TransportBytesSent
LONG64 TunBytesReceived
LONG64 TransportBytesReceived
Wrapper structure for dynamically allocated memory.
Definition buffer.h:60
int len
Length in bytes of the actual content within the allocated memory.
Definition buffer.h:65
struct tuntap * tuntap
Tun/tap virtual network interface.
Definition openvpn.h:172
Level 2 context containing state that is reset on both SIGHUP and SIGUSR1 restarts.
Definition openvpn.h:224
counter_type dco_read_bytes
Definition openvpn.h:267
counter_type tun_read_bytes
Definition openvpn.h:264
counter_type dco_write_bytes
Definition openvpn.h:270
struct tls_multi * tls_multi
TLS state structure for this VPN tunnel.
Definition openvpn.h:323
counter_type tun_write_bytes
Definition openvpn.h:265
Contains all state information for one tunnel.
Definition openvpn.h:474
int mode
Role of this context within the OpenVPN process.
Definition openvpn.h:487
struct context_2 c2
Level 2 context.
Definition openvpn.h:517
struct options options
Options loaded from command line or configuration file.
Definition openvpn.h:475
struct context_1 c1
Level 1 context.
Definition openvpn.h:516
Garbage collection arena used to keep track of dynamically allocated memory.
Definition buffer.h:116
Server-mode state structure for one single VPN tunnel.
Definition multi.h:103
struct context context
The context structure storing state for this VPN tunnel.
Definition multi.h:144
const char * dev_node
Definition options.h:320
volatile int signal_received
Definition sig.h:42
int dco_peer_id
This is the handle that DCO uses to identify this session with the kernel.
Definition ssl_common.h:724
Definition tun.h:183
DWORD adapter_index
Definition tun.h:234
HANDLE hand
Definition tun.h:218
dco_context_t dco
Definition tun.h:249
struct env_set * es
char ** res
struct gc_arena gc
Definition test_ssl.c:131
void tun_open_device(struct tuntap *tt, const char *dev_node, const char **device_guid, struct gc_arena *gc)
Definition tun.c:6239
static bool tuntap_defined(const struct tuntap *tt)
Definition tun.h:254
#define IOSTATE_IMMEDIATE_RETURN
Definition win32.h:207
#define IOSTATE_INITIAL
Definition win32.h:205
#define IOSTATE_QUEUED
Definition win32.h:206