OpenVPN
occ.h
Go to the documentation of this file.
1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single TCP/UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2002-2024 OpenVPN Inc <sales@openvpn.net>
9  *
10  * This program is free software; you can redistribute it and/or modify
11  * it under the terms of the GNU General Public License version 2
12  * as published by the Free Software Foundation.
13  *
14  * This program is distributed in the hope that it will be useful,
15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17  * GNU General Public License for more details.
18  *
19  * You should have received a copy of the GNU General Public License along
20  * with this program; if not, write to the Free Software Foundation, Inc.,
21  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22  */
23 
24 #ifndef OCC_H
25 #define OCC_H
26 
27 #include "forward.h"
28 
29 /* OCC_STRING_SIZE must be set to sizeof (occ_magic) */
30 #define OCC_STRING_SIZE 16
31 
32 /*
33  * OCC (OpenVPN Configuration Control) protocol opcodes.
34  */
35 
36 #define OCC_REQUEST 0 /* request options string from peer */
37 #define OCC_REPLY 1 /* deliver options string to peer */
38 
39 /*
40  * Send an OCC_REQUEST once every OCC_INTERVAL
41  * seconds until a reply is received.
42  *
43  * If we haven't received a reply after
44  * OCC_N_TRIES, give up.
45  */
46 #define OCC_INTERVAL_SECONDS 10
47 #define OCC_N_TRIES 12
48 
49 /*
50  * Other OCC protocol opcodes used to estimate the MTU empirically.
51  */
52 #define OCC_MTU_LOAD_REQUEST 2 /* Ask peer to send a big packet to us */
53 #define OCC_MTU_LOAD 3 /* Send a big packet to peer */
54 #define OCC_MTU_REQUEST 4 /* Ask peer to tell us the largest
55  * packet it has received from us so far */
56 #define OCC_MTU_REPLY 5 /* Send largest packet size to peer */
57 
58 /*
59  * Process one command from mtu_load_test_sequence
60  * once every n seconds, if --mtu-test is specified.
61  */
62 #define OCC_MTU_LOAD_INTERVAL_SECONDS 3
63 
64 /*
65  * Send an exit message to remote.
66  */
67 #define OCC_EXIT 6
68 
69 /*
70  * Used to conduct a load test command sequence
71  * of UDP connection for empirical MTU measurement.
72  */
73 struct mtu_load_test
74 {
75  int op; /* OCC opcode to send to peer */
76  int delta; /* determine packet size to send by using
77  * this delta against currently
78  * configured MTU */
79 };
80 
81 extern const uint8_t occ_magic[];
82 
83 static inline bool
84 is_occ_msg(const struct buffer *buf)
85 {
86  return buf_string_match_head(buf, occ_magic, OCC_STRING_SIZE);
87 }
88 
89 void process_received_occ_msg(struct context *c);
90 
91 void check_send_occ_req_dowork(struct context *c);
92 
93 void check_send_occ_load_test_dowork(struct context *c);
94 
95 void check_send_occ_msg_dowork(struct context *c);
96 
97 /*
98  * Inline functions
99  */
100 
101 static inline int
102 occ_reset_op(void)
103 {
104  return -1;
105 }
106 
107 /*
108  * Should we send an OCC_REQUEST message?
109  */
110 static inline void
111 check_send_occ_req(struct context *c)
112 {
113  if (event_timeout_defined(&c->c2.occ_interval)
114  && event_timeout_trigger(&c->c2.occ_interval,
115  &c->c2.timeval,
116  (!TO_LINK_DEF(c) && c->c2.occ_op < 0) ? ETT_DEFAULT : 0))
117  {
118  check_send_occ_req_dowork(c);
119  }
120 }
121 
122 /*
123  * Should we send an MTU load test?
124  */
125 static inline void
126 check_send_occ_load_test(struct context *c)
127 {
128  if (event_timeout_defined(&c->c2.occ_mtu_load_test_interval)
129  && event_timeout_trigger(&c->c2.occ_mtu_load_test_interval,
130  &c->c2.timeval,
131  (!TO_LINK_DEF(c) && c->c2.occ_op < 0) ? ETT_DEFAULT : 0))
132  {
133  check_send_occ_load_test_dowork(c);
134  }
135 }
136 
137 /*
138  * Should we send an OCC message?
139  */
140 static inline void
141 check_send_occ_msg(struct context *c)
142 {
143  if (c->c2.occ_op >= 0)
144  {
145  if (!TO_LINK_DEF(c))
146  {
147  check_send_occ_msg_dowork(c);
148  }
149  else
150  {
151  tv_clear(&c->c2.timeval); /* ZERO-TIMEOUT */
152  }
153  }
154 }
155 
160 static inline bool
161 cc_exit_notify_enabled(struct context *c)
162 {
163  /* Check if we have TLS active at all */
164  if (!c->c2.tls_multi)
165  {
166  return false;
167  }
168 
169  const struct key_state *ks = get_primary_key(c->c2.tls_multi);
170  return (ks->crypto_options.flags & CO_USE_CC_EXIT_NOTIFY);
171 }
172 #endif /* ifndef OCC_H */
mtu_load_test::delta
int delta
Definition: occ.h:75
mtu_load_test::op
int op
Definition: occ.h:74
context_2::tls_multi
struct tls_multi * tls_multi
TLS state structure for this VPN tunnel.
Definition: openvpn.h:326
forward.h
occ_magic
const uint8_t occ_magic[]
Definition: occ.c:55
check_send_occ_msg_dowork
void check_send_occ_msg_dowork(struct context *c)
Definition: occ.c:217
occ_reset_op
static int occ_reset_op(void)
Definition: occ.h:101
context
Contains all state information for one tunnel.
Definition: openvpn.h:476
check_send_occ_req
static void check_send_occ_req(struct context *c)
Definition: occ.h:110
get_primary_key
static const struct key_state * get_primary_key(const struct tls_multi *multi)
gets an item of key_state objects in the order they should be scanned by data channel modules.
Definition: ssl_common.h:722
OCC_STRING_SIZE
#define OCC_STRING_SIZE
Definition: occ.h:30
key_state
Security parameter state of one TLS and data channel key session.
Definition: ssl_common.h:198
context_2::occ_interval
struct event_timeout occ_interval
Definition: openvpn.h:304
process_received_occ_msg
void process_received_occ_msg(struct context *c)
Definition: occ.c:363
key_state::crypto_options
struct crypto_options crypto_options
Definition: ssl_common.h:228
context::c2
struct context_2 c2
Level 2 context.
Definition: openvpn.h:517
check_send_occ_req_dowork
void check_send_occ_req_dowork(struct context *c)
Definition: occ.c:147
mtu_load_test
Definition: occ.h:72
buf_string_match_head
static bool buf_string_match_head(const struct buffer *src, const void *match, int size)
Compare first size bytes of src buffer contents with match.
Definition: buffer.h:866
is_occ_msg
static bool is_occ_msg(const struct buffer *buf)
Definition: occ.h:83
check_send_occ_load_test
static void check_send_occ_load_test(struct context *c)
Definition: occ.h:125
buffer
Wrapper structure for dynamically allocated memory.
Definition: buffer.h:60
check_send_occ_load_test_dowork
void check_send_occ_load_test_dowork(struct context *c)
Definition: occ.c:184
context_2::timeval
struct timeval timeval
Time to next event of timers and similar.
Definition: openvpn.h:399
cc_exit_notify_enabled
static bool cc_exit_notify_enabled(struct context *c)
Small helper function to determine if we should send the exit notification via control channel.
Definition: occ.h:160
TO_LINK_DEF
#define TO_LINK_DEF(c)
Definition: forward.h:48
context_2::occ_mtu_load_test_interval
struct event_timeout occ_mtu_load_test_interval
Definition: openvpn.h:320
ETT_DEFAULT
#define ETT_DEFAULT
Definition: interval.h:224
event_timeout_trigger
bool event_timeout_trigger(struct event_timeout *et, struct timeval *tv, const int et_const_retry)
This is the principal function for testing and triggering recurring timers.
Definition: interval.c:43
event_timeout_defined
static bool event_timeout_defined(const struct event_timeout *et)
Definition: interval.h:144
crypto_options::flags
unsigned int flags
Bit-flags determining behavior of security operation functions.
Definition: crypto.h:283
context_2::occ_op
int occ_op
Definition: openvpn.h:302
CO_USE_CC_EXIT_NOTIFY
#define CO_USE_CC_EXIT_NOTIFY
Bit-flag indicating that explicit exit notifies should be sent via the control channel instead of usi...
Definition: crypto.h:274
tv_clear
static void tv_clear(struct timeval *tv)
Definition: otime.h:101
check_send_occ_msg
static void check_send_occ_msg(struct context *c)
Definition: occ.h:140
Generated by   doxygen 1.8.17