OpenVPN
openvpn.h
Go to the documentation of this file.
1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single TCP/UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2002-2021 OpenVPN Inc <sales@openvpn.net>
9  *
10  * This program is free software; you can redistribute it and/or modify
11  * it under the terms of the GNU General Public License version 2
12  * as published by the Free Software Foundation.
13  *
14  * This program is distributed in the hope that it will be useful,
15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17  * GNU General Public License for more details.
18  *
19  * You should have received a copy of the GNU General Public License along
20  * with this program; if not, write to the Free Software Foundation, Inc.,
21  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22  */
23 
24 #ifndef OPENVPN_H
25 #define OPENVPN_H
26 
27 #include "buffer.h"
28 #include "options.h"
29 #include "socket.h"
30 #include "crypto.h"
31 #include "ssl.h"
32 #include "packet_id.h"
33 #include "comp.h"
34 #include "tun.h"
35 #include "interval.h"
36 #include "status.h"
37 #include "fragment.h"
38 #include "shaper.h"
39 #include "route.h"
40 #include "proxy.h"
41 #include "socks.h"
42 #include "sig.h"
43 #include "misc.h"
44 #include "mbuf.h"
45 #include "pf.h"
46 #include "pool.h"
47 #include "plugin.h"
48 #include "manage.h"
49 
50 /*
51  * Our global key schedules, packaged thusly
52  * to facilitate --persist-key.
53  */
54 
56 {
57  /* which cipher, HMAC digest, and key sizes are we using? */
59 
60  /* pre-shared static key, read from a file */
62 
63  /* our global SSL context */
65 
66  /* optional TLS control channel wrapping */
72 };
73 
74 /*
75  * struct packet_id_persist should be empty if we are not
76  * building with crypto.
77  */
78 #ifndef PACKET_ID_H
80 {
81  int dummy;
82 };
83 static inline void
85 {
86 }
87 #endif
88 
89 /*
90  * Packet processing buffers.
91  */
93 {
94  /* miscellaneous buffer, used by ping, occ, etc. */
95  struct buffer aux_buf;
96 
97  /* workspace buffers used by crypto routines */
98  struct buffer encrypt_buf;
99  struct buffer decrypt_buf;
100 
101  /* workspace buffers for compression */
102 #ifdef USE_COMP
103  struct buffer compress_buf;
104  struct buffer decompress_buf;
105 #endif
106 
107  /*
108  * Buffers used to read from TUN device
109  * and TCP/UDP port.
110  */
111  struct buffer read_link_buf;
112  struct buffer read_tun_buf;
113 };
114 
115 /*
116  * always-persistent context variables
117  */
119 {
121 };
122 
123 
124 /**************************************************************************/
133 struct context_0
134 {
135  /* workspace for --user/--group */
137  /* helper which tells us whether we should keep trying to drop privileges */
141 };
142 
143 
153 struct context_1
154 {
159  /* tunnel session keys */
160  struct key_schedule ks;
161 
162  /* preresolved and cached host names */
164 
165  /* persist crypto sequence number to/from file */
166  struct packet_id_persist pid_persist;
167 
168  struct tuntap *tuntap;
177  /* list of --route-ipv6 directives */
179 
180  /* --status file */
183 
184  /* HTTP proxy object */
187 
188  /* SOCKS proxy object */
191 
192  /* persist --ifconfig-pool db to file */
195 
196  /* if client mode, hash of option strings we pulled from server */
197  struct sha256_digest pulled_options_digest_save;
205 };
206 
207 
208 static inline bool
210 {
211  return cas == CAS_PENDING || cas == CAS_PENDING_DEFERRED
213 }
214 
224 struct context_2
225 {
226  struct gc_arena gc;
230  /* our global wait events */
234 
235  /* bitmask for event status. Check event.h for possible values */
236  unsigned int event_set_status;
237 
238  struct link_socket *link_socket; /* socket used for TCP/UDP connection to remote */
240 
243  const struct link_socket *accept_from; /* possibly do accept() on a parent link_socket */
244 
245  struct link_socket_actual *to_link_addr; /* IP address of remote */
246  struct link_socket_actual from; /* address of incoming datagram */
247 
248  /* MTU frame parameters */
249  struct frame frame; /* Active frame parameters */
250  struct frame frame_initial; /* Restored on new session */
251 
252 #ifdef ENABLE_FRAGMENT
253  /* Object to handle advanced MTU negotiation and datagram fragmentation */
255  struct frame frame_fragment;
256  struct frame frame_fragment_initial;
257  struct frame frame_fragment_omit;
258 #endif
259 
260  /*
261  * Traffic shaper object.
262  */
263  struct shaper shaper;
264 
265  /*
266  * Statistics
267  */
273 #ifdef PACKET_TRUNCATION_CHECK
274  counter_type n_trunc_tun_read;
275  counter_type n_trunc_tun_write;
276  counter_type n_trunc_pre_encrypt;
277  counter_type n_trunc_post_decrypt;
278 #endif
279 
280  /*
281  * Timer objects for ping and inactivity
282  * timeout features.
283  */
284  struct event_timeout wait_for_connect;
285  struct event_timeout ping_send_interval;
286  struct event_timeout ping_rec_interval;
287 
288  /* --inactive */
289  struct event_timeout inactivity_interval;
291 
292  /* the option strings must match across peers */
295 
296  int occ_op; /* INIT to -1 */
298  struct event_timeout occ_interval;
299 
300  /*
301  * Keep track of maximum packet size received so far
302  * (of authenticated packets).
303  */
304  int original_recv_size; /* temporary */
305  int max_recv_size_local; /* max packet size received */
306  int max_recv_size_remote; /* max packet size received by remote */
307  int max_send_size_local; /* max packet size sent */
308  int max_send_size_remote; /* max packet size sent by remote */
309 
310 
311  /* remote wants us to send back a load test packet of this size */
313 
314  struct event_timeout occ_mtu_load_test_interval;
316 
317  /*
318  * TLS-mode crypto objects.
319  */
334  /* used to optimize calls to tls_multi_process */
335  struct interval tmp_int;
336 
337  /* throw this signal on TLS errors */
339 
346  struct event_timeout packet_id_persist_interval;
347 
348 #ifdef USE_COMP
349  struct compress_context *comp_context;
353 #endif
354 
355  /*
356  * Buffers used for packet processing.
357  */
359  bool buffers_owned; /* if true, we should free all buffers on close */
360 
361  /*
362  * These buffers don't actually allocate storage, they are used
363  * as pointers to the allocated buffers in
364  * struct context_buffers.
365  */
366  struct buffer buf;
367  struct buffer to_tun;
368  struct buffer to_link;
369 
370  /* should we print R|W|r|w to console on packet transfers? */
371  bool log_rw;
372 
373  /* route stuff */
374  struct event_timeout route_wakeup;
375  struct event_timeout route_wakeup_expire;
376 
377  /* did we open tun/tap dev during this cycle? */
379 
380  /*
381  * Event loop info
382  */
383 
384  /* how long to wait on link/tun read before we will need to be serviced */
385  struct timeval timeval;
386 
387  /* next wakeup for processing coarse timers (>1 sec resolution) */
389 
390  /* maintain a random delta to add to timeouts to avoid contexts
391  * waking up simultaneously */
393  struct timeval timeout_random_component;
394 
395  /* Timer for everything up to the first packet from the *OpenVPN* server
396  * socks, http proxy, and tcp packets do not count */
397  struct event_timeout server_poll_interval;
398 
399  /* indicates that the do_up_delay function has run */
400  bool do_up_ran;
401 
402  /* indicates that we have received a SIGTERM when
403  * options->explicit_exit_notification is enabled,
404  * but we have not exited yet */
406  struct event_timeout explicit_exit_notification_interval;
407 
408  /* environmental variables to pass to scripts */
409  struct env_set *es;
410  bool es_owned;
411 
412  /* don't wait for TUN/TAP/UDP to be ready to accept write */
413  bool fast_io;
414 
415  /* --ifconfig endpoints to be pushed to client */
422 
424  struct in6_addr push_ifconfig_ipv6_local;
426  struct in6_addr push_ifconfig_ipv6_remote;
427 
428  struct event_timeout push_request_interval;
430 
431  /* hash of pulled options, so we can compare when options change */
434  struct sha256_digest pulled_options_digest;
435 
436  struct event_timeout scheduled_exit;
438 
439  /* packet filter */
440 #ifdef ENABLE_PF
441  struct pf_context pf;
442 #endif
443 
444 #ifdef ENABLE_MANAGEMENT
445  struct man_def_auth_context mda_context;
446 #endif
447 
448 #ifdef ENABLE_ASYNC_PUSH
449  int inotify_fd; /* descriptor for monitoring file changes */
450 #endif
451 };
452 
453 
465 struct context
466 {
467  struct options options;
470  bool first_time;
473  /* context modes */
474 #define CM_P2P 0 /* standalone point-to-point session or client */
475 #define CM_TOP 1 /* top level of a multi-client or point-to-multipoint server */
476 #define CM_TOP_CLONE 2 /* clone of a CM_TOP context for one thread */
477 #define CM_CHILD_UDP 3 /* child context of a CM_TOP or CM_THREAD */
478 #define CM_CHILD_TCP 4 /* child context of a CM_TOP or CM_THREAD */
479  int mode;
484  struct gc_arena gc;
488  struct env_set *es;
492  struct signal_info *sig;
502  struct context_persist persist;
504  struct context_0 *c0;
505  struct context_1 c1;
506  struct context_2 c2;
507 };
508 
509 /*
510  * Check for a signal when inside an event loop
511  */
512 #define EVENT_LOOP_CHECK_SIGNAL(c, func, arg) \
513  if (IS_SIG(c)) \
514  { \
515  const int brk = func(arg); \
516  perf_pop(); \
517  if (brk) { \
518  break;} \
519  else { \
520  continue;} \
521  }
522 
523 /*
524  * Macros for referencing objects which may not
525  * have been compiled in.
526  */
527 
528 #define TLS_MODE(c) ((c)->c2.tls_multi != NULL)
529 #define PROTO_DUMP_FLAGS (check_debug_level(D_LINK_RW_VERBOSE) ? (PD_SHOW_DATA|PD_VERBOSE) : 0)
530 #define PROTO_DUMP(buf, gc) protocol_dump((buf), \
531  PROTO_DUMP_FLAGS \
532  |(c->c2.tls_multi ? PD_TLS : 0) \
533  |(c->options.tls_auth_file ? c->c1.ks.key_type.hmac_length : 0), \
534  gc)
535 
536 #define CIPHER_ENABLED(c) (c->c1.ks.key_type.cipher != NULL)
537 
538 /* this represents "disabled peer-id" */
539 #define MAX_PEER_ID 0xFFFFFF
540 
541 #endif /* ifndef OPENVPN_H */
struct env_set * es
Definition: openvpn.h:409
bool socks_proxy_owned
Definition: openvpn.h:190
counter_type tun_read_bytes
Definition: openvpn.h:268
Security parameter state for processing data channel packets.
Definition: crypto.h:232
bool log_rw
Definition: openvpn.h:371
Definition: tun.h:155
Level 1 context containing state that persists across SIGUSR1 restarts.
Definition: openvpn.h:153
Fragmentation and reassembly state for one VPN tunnel instance.
Definition: fragment.h:136
counter_type link_write_bytes
Definition: openvpn.h:272
bool did_open_tun
Definition: openvpn.h:378
struct cached_dns_entry * dns_cache
Definition: openvpn.h:163
Contains all state information for one tunnel.
Definition: openvpn.h:465
Packet geometry parameters.
Definition: mtu.h:93
struct env_set * es
Set of environment variables.
Definition: openvpn.h:488
bool push_ifconfig_defined
Definition: openvpn.h:417
int occ_mtu_load_size
Definition: openvpn.h:312
in_addr_t push_ifconfig_local
Definition: openvpn.h:419
static void packet_id_persist_init(struct packet_id_persist *p)
Definition: openvpn.h:84
Security parameter state for a single VPN tunnel.
Definition: ssl_common.h:561
struct tls_auth_standalone * tls_auth_standalone
TLS state structure required for the initial authentication of a client&#39;s connection attempt...
Definition: openvpn.h:323
int occ_mtu_load_n_tries
Definition: openvpn.h:315
bool pulled_options_digest_init_done
Definition: openvpn.h:432
struct context_buffers * buffers
Definition: openvpn.h:358
struct link_socket_info * link_socket_info
This variable is used instead link_socket->info for P2MP UDP childs.
Definition: openvpn.h:242
const struct link_socket * accept_from
Definition: openvpn.h:243
struct socks_proxy_info * socks_proxy
Definition: openvpn.h:189
#define in_addr_t
Definition: config-msvc.h:103
struct signal_info * sig
Internal error signaling object.
Definition: openvpn.h:492
void * openvpn_net_ctx_t
Definition: networking.h:26
int max_recv_size_local
Definition: openvpn.h:305
int occ_n_tries
Definition: openvpn.h:297
struct tuntap * tuntap
Tun/tap virtual network interface.
Definition: openvpn.h:168
Level 2 context containing state that is reset on both SIGHUP and SIGUSR1 restarts.
Definition: openvpn.h:224
struct key_ctx_bi tls_wrap_key
Definition: openvpn.h:68
Definition: socket.h:75
bool tuntap_owned
Whether the tun/tap interface should be cleaned up when this context is cleaned up.
Definition: openvpn.h:169
at least handler succeeded, no result yet
Definition: ssl_common.h:541
bool push_request_received
Definition: openvpn.h:416
time_t explicit_exit_notification_time_wait
Definition: openvpn.h:405
bool uid_gid_chroot_set
Definition: openvpn.h:138
openvpn_net_ctx_t net_ctx
Networking API opaque context.
Definition: openvpn.h:490
md_ctx_t * pulled_options_state
Definition: openvpn.h:433
counter_type tun_write_bytes
Definition: openvpn.h:269
Definition: shaper.h:47
counter_type link_read_bytes
Definition: openvpn.h:270
struct link_socket_actual * to_link_addr
Definition: openvpn.h:245
int inactivity_bytes
Definition: openvpn.h:290
struct route_list * route_list
List of routing information.
Definition: openvpn.h:173
in_addr_t push_ifconfig_local_alias
Definition: openvpn.h:421
int push_ifconfig_ipv6_netbits
Definition: openvpn.h:425
uint64_t counter_type
Definition: common.h:30
Container for one set of cipher and/or HMAC contexts.
Definition: crypto.h:164
int event_set_max
Definition: openvpn.h:232
static bool is_cas_pending(enum multi_status cas)
Definition: openvpn.h:209
struct key_ctx auth_token_key
Definition: openvpn.h:71
int restart_sleep_seconds
Definition: openvpn.h:120
struct link_socket * link_socket
Definition: openvpn.h:238
struct buffer tls_crypt_v2_wkc
Wrapped client key.
Definition: openvpn.h:70
bool buffers_owned
Definition: openvpn.h:359
struct route_ipv6_list * route_ipv6_list
Definition: openvpn.h:178
time_t sent_push_reply_expiry
Definition: openvpn.h:418
time_t update_timeout_random_component
Definition: openvpn.h:392
bool uid_gid_specified
Definition: openvpn.h:136
struct ifconfig_pool_persist * ifconfig_pool_persist
Definition: openvpn.h:193
struct event_set * event_set
Definition: openvpn.h:231
int max_recv_size_remote
Definition: openvpn.h:306
struct key_type tls_auth_key_type
Definition: openvpn.h:67
int scheduled_exit_signal
Definition: openvpn.h:437
bool push_ifconfig_ipv6_defined
Definition: openvpn.h:423
Structure that wraps the TLS context.
Definition: ssl_mbedtls.h:104
struct context_0 * c0
Level 0 context.
Definition: openvpn.h:504
Level 0 context containing information related to the OpenVPN process.
Definition: openvpn.h:133
int max_send_size_remote
Definition: openvpn.h:308
time_t push_request_timeout
Definition: openvpn.h:429
struct tls_root_ctx ssl_ctx
Definition: openvpn.h:64
int mode
Role of this context within the OpenVPN process.
Definition: openvpn.h:479
char * options_string_remote
Definition: openvpn.h:294
Definition: misc.h:56
Wrapper structure for dynamically allocated memory.
Definition: buffer.h:60
bool plugins_owned
Whether the plug-ins should be cleaned up when this context is cleaned up.
Definition: openvpn.h:495
struct fragment_master * fragment
Definition: openvpn.h:254
struct status_output * status_output
Definition: openvpn.h:181
struct plugin_list * plugins
List of plug-ins.
Definition: openvpn.h:494
struct http_proxy_info * http_proxy
Definition: openvpn.h:185
bool ifconfig_pool_persist_owned
Definition: openvpn.h:194
struct user_pass * auth_user_pass
Username and password for authentication.
Definition: openvpn.h:202
bool first_time
True on the first iteration of OpenVPN&#39;s main loop.
Definition: openvpn.h:470
bool do_up_ran
Definition: openvpn.h:400
multi_status
Definition: ssl_common.h:536
bool fast_io
Definition: openvpn.h:413
char * options_string_local
Definition: openvpn.h:293
Garbage collection arena used to keep track of dynamically allocated memory.
Definition: buffer.h:116
int original_recv_size
Definition: openvpn.h:304
struct key_ctx tls_crypt_v2_server_key
Definition: openvpn.h:69
Data Channel Fragmentation module header file.
bool did_we_daemonize
Whether demonization has already taken place.
Definition: openvpn.h:499
bool status_output_owned
Definition: openvpn.h:182
Wrapper struct to pass around SHA256 digests.
Definition: crypto.h:132
bool link_socket_owned
Definition: openvpn.h:239
unsigned int event_set_status
Definition: openvpn.h:236
struct tls_multi * tls_multi
TLS state structure for this VPN tunnel.
Definition: openvpn.h:320
in_addr_t push_ifconfig_remote_netmask
Definition: openvpn.h:420
int max_send_size_local
Definition: openvpn.h:307
int occ_op
Definition: openvpn.h:296
bool http_proxy_owned
Definition: openvpn.h:186
bool es_owned
Definition: openvpn.h:410
bool event_set_owned
Definition: openvpn.h:233
mbedtls_md_context_t md_ctx_t
Generic message digest context.
int tls_exit_signal
Definition: openvpn.h:338
struct key_ctx_bi static_key
Definition: openvpn.h:61
Container for two sets of OpenSSL cipher and/or HMAC contexts for both sending and receiving directio...
Definition: crypto.h:219
time_t coarse_timer_wakeup
Definition: openvpn.h:388
counter_type link_read_bytes_auth
Definition: openvpn.h:271