31#if defined(ENABLE_DCO)
56 const uint8_t *encrypt_key,
const uint8_t *encrypt_iv,
57 const uint8_t *decrypt_key,
const uint8_t *decrypt_iv,
58 const char *ciphername)
61 msg(
D_DCO_DEBUG,
"%s: peer_id=%d keyid=%d, currently %d keys installed",
76 encrypt_key, encrypt_iv,
77 decrypt_key, decrypt_iv,
91 const struct key2 *
key2,
int key_direction,
92 const char *ciphername,
bool server)
97 return dco_install_key(multi, ks,
153 msg(
D_DCO,
"No encryption key found. Purging data channel keys");
158 msg(
D_DCO,
"Cannot delete primary key during wipe: %s (%d)", strerror(-ret), ret);
165 msg(
D_DCO,
"Cannot delete secondary key during wipe: %s (%d)", strerror(-ret), ret);
178 struct key_state *secondary = dco_get_secondary_key(multi, primary);
188 "primary-id=%d secondary-id=%d",
194 "primary-id=%d secondary-id=(to be deleted)",
201 msg(
D_DCO,
"Cannot swap keys: %s (%d)", strerror(-ret), ret);
219 msg(
D_DCO,
"Cannot delete secondary key: %s (%d)", strerror(-ret), ret);
227 for (
int i = 0; i <
TM_SIZE; ++i)
229 for (
int j = 0; j <
KS_SIZE; j++)
232 if (ks != primary && ks != secondary)
242dco_check_option_ce(
const struct connection_entry *ce,
int msglevel,
int mode)
246 msg(msglevel,
"Note: --fragment disables data channel offload.");
252 msg(msglevel,
"Note: --http-proxy disables data channel offload.");
258 msg(msglevel,
"Note: --socks-proxy disables data channel offload.");
262#if defined(TARGET_FREEBSD)
269 msg(msglevel,
"NOTE: TCP transport disables data channel offload on FreeBSD.");
279 msg(msglevel,
"NOTE: TCP transport disables data channel offload on Windows in server mode.");
285 msg(msglevel,
"NOTE: --remote is not defined. This DCO version doesn't support multipeer. Disabling Data Channel Offload");
291 msg(msglevel,
"NOTE: multiple --local options defined, disabling data channel offload");
313 msg(msglevel,
"No tls-client or tls-server option in configuration "
314 "detected. Disabling data channel offload.");
320 msg(msglevel,
"Note: dev-type not tun, disabling data channel offload.");
326 msg(msglevel,
"Note: afunix tun type selected, disabling data channel offload");
332 msg(msglevel,
"Note: null tun type selected, disabling data channel offload");
339 for (
int i = 0;
i <
l->len; ++
i)
358 msg(msglevel,
"--mode server is set. This DCO version doesn't support multipeer. Disabling Data Channel Offload");
364 msg(msglevel,
"multiple --local options defined, disabling data channel offload");
368#elif defined(TARGET_LINUX)
383 msg(msglevel,
"Interface %s exists and is non-DCO. Disabling data channel offload",
387 else if ((ret < 0) && (ret != -
ENODEV))
389 msg(msglevel,
"Cannot retrieve type of device %s: %s (%d)",
o->dev,
395#if defined(HAVE_LIBCAPNG)
404 msg(msglevel,
"--user specified but lacking CAP_SETPCAP. "
405 "Cannot retain CAP_NET_ADMIN. Disabling data channel offload");
410 msg(msglevel,
"--user specified but not permitted to retain CAP_NET_ADMIN. "
411 "Disabling data channel offload");
419 msg(msglevel,
"Note: NOT using '--topology subnet' disables data channel offload.");
425 msg(msglevel,
"Note: --management-query-proxy disables data channel offload.");
439 if (
o->enable_ncp_fallback
442 msg(msglevel,
"Note: --data-ciphers-fallback with cipher '%s' "
443 "disables data channel offload.",
o->ciphername);
451 msg(msglevel,
"Note: '--allow-compression' is not set to 'no', disabling data channel offload.");
457 msg(msglevel,
"Consider using the '--compress migrate' option.");
466 while ((token =
strsep(&tmp_ciphers,
":")))
470 msg(msglevel,
"Note: cipher '%s' in --data-ciphers is not supported "
471 "by ovpn-dco, disabling data channel offload.", token);
486 msg(msglevel,
"OPTIONS IMPORT: Server did not request DATA_V2 packet "
487 "format required for data channel offload");
546 struct sockaddr_storage *local)
562 struct sockaddr_in *sock_in4 = (
struct sockaddr_in *)local;
563#if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST)
564 sock_in4->sin_addr = actual->pi.in4.ipi_spec_dst;
565#elif defined(IP_RECVDSTADDR)
566 sock_in4->sin_addr = actual->pi.in4;
571 sock_in4->sin_family = AF_INET;
577 struct sockaddr_in6 *sock_in6 = (
struct sockaddr_in6 *)local;
578 sock_in6->sin6_addr = actual->pi.in6.ipi6_addr;
579 sock_in6->sin6_family = AF_INET6;
599 struct sockaddr *remoteaddr, *localaddr = NULL;
600 struct sockaddr_storage local = { 0 };
616 struct in_addr vpn_ip4 = { 0 };
617 struct in_addr *vpn_addr4 = NULL;
621 vpn_addr4 = &vpn_ip4;
624 struct in6_addr *vpn_addr6 = NULL;
630 if (dco_multi_get_localaddr(m, mi, &local))
632 localaddr = (
struct sockaddr *)&local;
636 remoteaddr, vpn_addr4, vpn_addr6);
651#if defined(TARGET_LINUX) || defined(TARGET_FREEBSD) || defined(_WIN32)
682 in_addr_t dest = htonl(addr->
v4.
addr);
694#if defined(TARGET_LINUX) || defined(TARGET_FREEBSD) || defined(_WIN32)
712 net_route_v4_del(&m->
top.
net_ctx, &ir->network, ir->netbits,
728 net_route_v6_del(&m->
top.
net_ctx, &ir6->network, ir6->netbits,
char * string_alloc(const char *str, struct gc_arena *gc)
static void gc_free(struct gc_arena *a)
static struct gc_arena gc_new(void)
#define COMP_F_ALLOW_ASYM
Compression was explicitly set to allow asymmetric compression.
#define COMP_F_MIGRATE
Push stub-v2 or 'comp-lzo no' when we see a client with comp-lzo in OCC.
char * strsep(char **stringp, const char *delim)
void key_direction_state_init(struct key_direction_state *kds, int key_direction)
Data Channel Cryptography Module.
static bool dco_available(int msglevel)
static const char * dco_get_supported_ciphers(void)
static void dco_remove_peer(struct context *c)
static void dco_install_iroute(struct multi_context *m, struct multi_instance *mi, struct mroute_addr *addr)
static bool dco_check_startup_option(int msglevel, const struct options *o)
static int dco_p2p_add_new_peer(struct context *c)
static bool dco_check_option(int msglevel, const struct options *o)
static bool dco_update_keys(dco_context_t *dco, struct tls_multi *multi)
#define DCO_IROUTE_METRIC
static int dco_multi_add_new_peer(struct multi_context *m, struct multi_instance *mi)
static void dco_delete_iroutes(struct multi_context *m, struct multi_instance *mi)
static bool dco_check_pull_options(int msglevel, const struct options *o)
static int init_key_dco_bi(struct tls_multi *multi, struct key_state *ks, const struct key2 *key2, int key_direction, const char *ciphername, bool server)
int dco_del_key(dco_context_t *dco, unsigned int peerid, dco_key_slot_t slot)
int dco_del_peer(dco_context_t *dco, unsigned int peerid)
void dco_win_add_iroute_ipv6(dco_context_t *dco, struct in6_addr dst, unsigned int netbits, unsigned int peer_id)
void dco_win_del_iroute_ipv4(dco_context_t *dco, in_addr_t dst, unsigned int netbits)
bool dco_win_supports_multipeer(void)
void dco_win_del_iroute_ipv6(dco_context_t *dco, struct in6_addr dst, unsigned int netbits)
int dco_swap_keys(dco_context_t *dco, unsigned int peer_id)
int dco_new_peer(dco_context_t *dco, unsigned int peerid, int sd, struct sockaddr *localaddr, struct sockaddr *remoteaddr, struct in_addr *vpn_ipv4, struct in6_addr *vpn_ipv6)
void dco_win_add_iroute_ipv4(dco_context_t *dco, in_addr_t dst, unsigned int netbits, unsigned int peer_id)
int dco_new_key(dco_context_t *dco, unsigned int peerid, int keyid, dco_key_slot_t slot, const uint8_t *encrypt_key, const uint8_t *encrypt_iv, const uint8_t *decrypt_key, const uint8_t *decrypt_iv, const char *ciphername)
#define KS_SIZE
Size of the tls_session.key array.
#define TM_SIZE
Size of the tls_multi.session array.
#define S_GENERATED_KEYS
The data channel keys have been generated. The TLS session is fully authenticated when reaching this s...
struct key_state * tls_select_encryption_key(struct tls_multi *multi)
Selects the primary encryption key that should be used to encrypt the data of an outgoing packet.
Header file for server-mode related structures and functions.
#define IFACE_TYPE_LEN_MAX
static bool dco_enabled(const struct options *o)
Returns whether the current configuration has DCO enabled.
@ OVPN_KEY_SLOT_SECONDARY
static bool proto_is_udp(int proto)
Returns whether the protocol being used is UDP.
#define SF_USE_IP_PKTINFO
static bool proto_is_dgram(int proto)
Returns whether the protocol is datagram-based (UDP).
Control Channel Common Data Structures.
@ DCO_INSTALLED_SECONDARY
static struct key_state * get_key_scan(struct tls_multi *multi, int index)
Gets one of the key_state objects, in the order in which they should be scanned by data channel modules.
@ KS_AUTH_TRUE
Key state is authenticated.
bool tls_item_in_cipher_list(const char *item, const char *list)
Returns true iff item is present in the colon-separated, zero-terminated cipher list.
Control Channel SSL/Data dynamic negotiation Module. This file is split from ssl.h to be able to unit ...
struct local_list * local_list
struct http_proxy_options * http_proxy_options
const char * socks_proxy_server
struct tuntap * tuntap
Tun/tap virtual network interface.
bool push_ifconfig_ipv6_defined
bool push_ifconfig_defined
struct tls_multi * tls_multi
TLS state structure for this VPN tunnel.
struct in6_addr push_ifconfig_ipv6_local
struct link_socket ** link_sockets
struct link_socket_info ** link_socket_infos
in_addr_t push_ifconfig_local
Contains all state information for one tunnel.
int mode
Role of this context within the OpenVPN process.
openvpn_net_ctx_t net_ctx
Networking API opaque context.
struct context_2 c2
Level 2 context.
struct options options
Options loaded from command line or configuration file.
struct context_1 c1
Level 1 context.
struct key_ctx_bi key_ctx_bi
OpenSSL cipher and HMAC contexts for both sending and receiving directions.
Garbage collection arena used to keep track of dynamically allocated memory.
Container for bidirectional cipher and HMAC key material.
struct key keys[2]
Two unidirectional sets of key material.
Container for two sets of OpenSSL cipher and/or HMAC contexts for both sending and receiving directio...
Key ordering of the key2.keys array.
Security parameter state of one TLS and data channel key session.
struct crypto_options crypto_options
enum dco_key_status dco_status
enum ks_auth_state authenticated
int key_id
Key id for this key_state, inherited from struct tls_session.
Container for unidirectional cipher and HMAC key material.
uint8_t cipher[MAX_CIPHER_KEY_LENGTH]
Key material for cipher operations.
uint8_t hmac[MAX_HMAC_KEY_LENGTH]
Key material for HMAC operations.
struct openvpn_sockaddr dest
struct link_socket_actual actual
bool connection_established
struct link_socket_addr * lsa
struct link_socket_info info
struct local_entry ** array
struct mroute_addr::@2::@6 v6
uint8_t addr[OPENVPN_ETH_ALEN]
struct mroute_addr::@2::@5 v4
Main OpenVPN server state structure.
struct context top
Storage structure for process-wide configuration.
Server-mode state structure for one single VPN tunnel.
struct context context
The context structure storing state for this VPN tunnel.
union openvpn_sockaddr::@24 addr
struct connection_list * connection_list
struct iroute_ipv6 * iroutes_ipv6
Security parameter state for a single VPN tunnel.
struct tls_session session[TM_SIZE]
Array of tls_session objects representing control channel sessions with the remote peer.
int dco_peer_id
This is the handle that DCO uses to identify this session with the kernel.
struct key_state key[KS_SIZE]
int dev_type_enum(const char *dev, const char *dev_type)
bool is_dev_type(const char *dev, const char *dev_type, const char *match_type)
bool tun_name_is_fixed(const char *dev)
static bool is_tun_afunix(const char *devnode)
Checks whether a --dev-node parameter specifies an AF_UNIX device.