OpenVPN
dco.c
Go to the documentation of this file.
1/*
2 * OpenVPN -- An application to securely tunnel IP networks
3 * over a single TCP/UDP port, with support for SSL/TLS-based
4 * session authentication and key exchange,
5 * packet encryption, packet authentication, and
6 * packet compression.
7 *
8 * Copyright (C) 2021-2025 Arne Schwabe <arne@rfc2549.org>
9 * Copyright (C) 2021-2025 Antonio Quartulli <a@unstable.cc>
10 * Copyright (C) 2021-2025 OpenVPN Inc <sales@openvpn.net>
11 *
12 * This program is free software; you can redistribute it and/or modify
13 * it under the terms of the GNU General Public License version 2
14 * as published by the Free Software Foundation.
15 *
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
20 *
21 * You should have received a copy of the GNU General Public License
22 * along with this program (see the file COPYING included with this
23 * distribution); if not, see <https://www.gnu.org/licenses/>.
24 */
25
26#ifdef HAVE_CONFIG_H
27#include "config.h"
28#endif
29
30#if defined(ENABLE_DCO)
31
32#include "syshead.h"
33#include "crypto.h"
34#include "dco.h"
35#include "errlevel.h"
36#include "multi.h"
37#include "networking.h"
38#include "openvpn.h"
39#include "options.h"
40#include "ssl_common.h"
41#include "ssl_ncp.h"
42#include "tun.h"
43#include "tun_afunix.h"
44
45#if defined(_WIN32)
46#include "dco_win.h"
47#endif
48
49#ifdef HAVE_LIBCAPNG
50#include <cap-ng.h>
51#endif
52
53static int
54dco_install_key(struct tls_multi *multi, struct key_state *ks, const uint8_t *encrypt_key,
55 const uint8_t *encrypt_iv, const uint8_t *decrypt_key, const uint8_t *decrypt_iv,
56 const char *ciphername)
57
58{
59 msg(D_DCO_DEBUG, "%s: peer_id=%d keyid=%d, currently %d keys installed", __func__,
60 multi->dco_peer_id, ks->key_id, multi->dco_keys_installed);
61
62 /* Install a key in the PRIMARY slot only when no other key exist.
63 * From that moment on, any new key will be installed in the SECONDARY
64 * slot and will be promoted to PRIMARY when userspace says so (a swap
65 * will be performed in that case)
66 */
67 dco_key_slot_t slot = OVPN_KEY_SLOT_PRIMARY;
68 if (multi->dco_keys_installed > 0)
69 {
71 }
72
73 int ret = dco_new_key(multi->dco, multi->dco_peer_id, ks->key_id, slot, encrypt_key, encrypt_iv,
74 decrypt_key, decrypt_iv, ciphername);
75 if ((ret == 0) && (multi->dco_keys_installed < 2))
76 {
77 multi->dco_keys_installed++;
78 ks->dco_status =
80 }
81
82 return ret;
83}
84
85int
86init_key_dco_bi(struct tls_multi *multi, struct key_state *ks, const struct key2 *key2,
87 int key_direction, const char *ciphername, bool server)
88{
89 struct key_direction_state kds;
90 key_direction_state_init(&kds, key_direction);
91
92 return dco_install_key(multi, ks, key2->keys[kds.out_key].cipher, key2->keys[(int)server].hmac,
93 key2->keys[kds.in_key].cipher, key2->keys[1 - (int)server].hmac,
94 ciphername);
95}
96
105static struct key_state *
106dco_get_secondary_key(struct tls_multi *multi, const struct key_state *primary)
107{
108 for (int i = 0; i < KEY_SCAN_SIZE; ++i)
109 {
110 struct key_state *ks = get_key_scan(multi, i);
112
113 if (ks == primary)
114 {
115 continue;
116 }
117
119 {
120 ASSERT(key->initialized);
121 return ks;
122 }
123 }
124
125 return NULL;
126}
127
128bool
129dco_update_keys(dco_context_t *dco, struct tls_multi *multi)
130{
131 /* this function checks if keys have to be swapped or erased, therefore it
132 * can't do much if we don't have any key installed
133 */
134 if (multi->dco_keys_installed == 0)
135 {
136 return true;
137 }
138
139 struct key_state *primary = tls_select_encryption_key(multi);
140 /* no primary key available -> no usable key exists, therefore we should
141 * tell DCO to simply wipe all keys
142 */
143 if (!primary)
144 {
145 msg(D_DCO, "No encryption key found. Purging data channel keys");
146
147 int ret = dco_del_key(dco, multi->dco_peer_id, OVPN_KEY_SLOT_PRIMARY);
148 if (ret < 0)
149 {
150 msg(D_DCO, "Cannot delete primary key during wipe: %s (%d)", strerror(-ret), ret);
151 return false;
152 }
153
155 if (ret < 0)
156 {
157 msg(D_DCO, "Cannot delete secondary key during wipe: %s (%d)", strerror(-ret), ret);
158 return false;
159 }
160
161 multi->dco_keys_installed = 0;
162 return true;
163 }
164
165 /* if we have a primary key, it must have been installed already (keys
166 * are installed upon generation in the TLS code)
167 */
169
170 struct key_state *secondary = dco_get_secondary_key(multi, primary);
171 /* if the current primary key was installed as secondary in DCO,
172 * this means we have promoted it since installation in DCO, and
173 * we now need to tell DCO to swap keys
174 */
175 if (primary->dco_status == DCO_INSTALLED_SECONDARY)
176 {
177 if (secondary)
178 {
180 "Swapping primary and secondary keys to "
181 "primary-id=%d secondary-id=%d",
182 primary->key_id, secondary->key_id);
183 }
184 else
185 {
187 "Swapping primary and secondary keys to "
188 "primary-id=%d secondary-id=(to be deleted)",
189 primary->key_id);
190 }
191
192 int ret = dco_swap_keys(dco, multi->dco_peer_id);
193 if (ret < 0)
194 {
195 msg(D_DCO, "Cannot swap keys: %s (%d)", strerror(-ret), ret);
196 return false;
197 }
198
200 if (secondary)
201 {
204 }
205 }
206
207 /* if we have no secondary key anymore, inform DCO about it */
208 if (!secondary && multi->dco_keys_installed == 2)
209 {
210 int ret = dco_del_key(dco, multi->dco_peer_id, OVPN_KEY_SLOT_SECONDARY);
211 if (ret < 0)
212 {
213 msg(D_DCO, "Cannot delete secondary key: %s (%d)", strerror(-ret), ret);
214 return false;
215 }
216 multi->dco_keys_installed = 1;
217 }
218
219 /* all keys that are not installed are set to NOT installed. Include also
220 * keys that might even be considered as active keys to be sure*/
221 for (int i = 0; i < TM_SIZE; ++i)
222 {
223 for (int j = 0; j < KS_SIZE; j++)
224 {
225 struct key_state *ks = &multi->session[i].key[j];
226 if (ks != primary && ks != secondary)
227 {
229 }
230 }
231 }
232 return true;
233}
234
235static bool
236dco_check_option_ce(const struct connection_entry *ce, int msglevel, int mode)
237{
238 if (ce->fragment)
239 {
240 msg(msglevel, "Note: --fragment disables data channel offload.");
241 return false;
242 }
243
244 if (ce->http_proxy_options)
245 {
246 msg(msglevel, "Note: --http-proxy disables data channel offload.");
247 return false;
248 }
249
250 if (ce->socks_proxy_server)
251 {
252 msg(msglevel, "Note: --socks-proxy disables data channel offload.");
253 return false;
254 }
255
256#if defined(TARGET_FREEBSD)
257 if (ce->local_list)
258 {
259 for (int i = 0; i < ce->local_list->len; i++)
260 {
262 {
263 msg(msglevel, "NOTE: TCP transport disables data channel offload on FreeBSD.");
264 return false;
265 }
266 }
267 }
268#endif
269
270#if defined(_WIN32)
271 if (!proto_is_udp(ce->proto) && mode == MODE_SERVER)
272 {
273 msg(msglevel,
274 "NOTE: TCP transport disables data channel offload on Windows in server mode.");
275 return false;
276 }
277
278 if (!ce->remote && !dco_win_supports_multipeer())
279 {
280 msg(msglevel,
281 "NOTE: --remote is not defined. This DCO version doesn't support multipeer. Disabling Data Channel Offload");
282 return false;
283 }
284
285 if ((mode == MODE_SERVER) && (ce->local_list->len > 1))
286 {
287 msg(msglevel, "NOTE: multiple --local options defined, disabling data channel offload");
288 return false;
289 }
290#endif
291
292 return true;
293}
294
295bool
296dco_check_startup_option(int msglevel, const struct options *o)
297{
298 /* check if no dev name was specified at all. In the case,
299 * later logic will most likely stop OpenVPN, so no need to
300 * print any message here.
301 */
302 if (!o->dev)
303 {
304 return false;
305 }
306
307 if (!o->tls_client && !o->tls_server)
308 {
309 msg(msglevel, "No tls-client or tls-server option in configuration "
310 "detected. Disabling data channel offload.");
311 return false;
312 }
313
314 if (dev_type_enum(o->dev, o->dev_type) != DEV_TYPE_TUN)
315 {
316 msg(msglevel, "Note: dev-type not tun, disabling data channel offload.");
317 return false;
318 }
319
320 if (is_tun_afunix(o->dev_node))
321 {
322 msg(msglevel, "Note: afunix tun type selected, disabling data channel offload");
323 return false;
324 }
325
326 if (is_dev_type(o->dev, o->dev_type, "null"))
327 {
328 msg(msglevel, "Note: null tun type selected, disabling data channel offload");
329 return false;
330 }
331
332 if (o->connection_list)
333 {
334 const struct connection_list *l = o->connection_list;
335 for (int i = 0; i < l->len; ++i)
336 {
337 if (!dco_check_option_ce(l->array[i], msglevel, o->mode))
338 {
339 return false;
340 }
341 }
342 }
343 else
344 {
345 if (!dco_check_option_ce(&o->ce, msglevel, o->mode))
346 {
347 return false;
348 }
349 }
350
351#if defined(_WIN32)
352 if ((o->mode == MODE_SERVER) && !dco_win_supports_multipeer())
353 {
354 msg(msglevel,
355 "--mode server is set. This DCO version doesn't support multipeer. Disabling Data Channel Offload");
356 return false;
357 }
358
359 if ((o->mode == MODE_SERVER) && o->ce.local_list->len > 1)
360 {
361 msg(msglevel, "multiple --local options defined, disabling data channel offload");
362 return false;
363 }
364
365#elif defined(TARGET_LINUX)
366 /* if the device name is fixed, we need to check if an interface with this
367 * name already exists. IF it does, it must be a DCO interface, otherwise
368 * DCO has to be disabled in order to continue.
369 */
370 if (tun_name_is_fixed(o->dev))
371 {
373 /* we pass NULL as net_ctx because using DCO on Linux implies that we
374 * are using SITNL and the latter does not need any context. This way we
375 * don't need to have the net_ctx percolate all the way here
376 */
377 int ret = net_iface_type(NULL, o->dev, iftype);
378 if ((ret == 0) && (strcmp(iftype, "ovpn-dco") != 0))
379 {
380 msg(msglevel, "Interface %s exists and is non-DCO. Disabling data channel offload",
381 o->dev);
382 return false;
383 }
384 else if ((ret < 0) && (ret != -ENODEV))
385 {
386 msg(msglevel, "Cannot retrieve type of device %s: %s (%d)", o->dev, strerror(-ret),
387 ret);
388 }
389 }
390#endif /* if defined(_WIN32) */
391
392#if defined(HAVE_LIBCAPNG)
393 /* DCO can't operate without CAP_NET_ADMIN. To retain it when switching user
394 * we need CAP_SETPCAP. CAP_NET_ADMIN also needs to be part of the permitted set
395 * of capabilities in order to retain it.
396 */
397 if (o->username)
398 {
400 {
401 msg(msglevel, "--user specified but lacking CAP_SETPCAP. "
402 "Cannot retain CAP_NET_ADMIN. Disabling data channel offload");
403 return false;
404 }
406 {
407 msg(msglevel, "--user specified but not permitted to retain CAP_NET_ADMIN. "
408 "Disabling data channel offload");
409 return false;
410 }
411 }
412#endif /* if defined(HAVE_LIBCAPNG) */
413
414 if (o->mode == MODE_SERVER && o->topology != TOP_SUBNET)
415 {
416 msg(msglevel, "Note: NOT using '--topology subnet' disables data channel offload.");
417 return false;
418 }
419
420 if (o->management_flags & MF_QUERY_PROXY)
421 {
422 msg(msglevel, "Note: --management-query-proxy disables data channel offload.");
423 return false;
424 }
425
426 /* now that all options have been confirmed to be supported, check
427 * if DCO is truly available on the system
428 */
429 return dco_available(msglevel);
430}
431
432bool
433dco_check_option(int msglevel, const struct options *o)
434{
435 /* At this point the ciphers have already been normalised */
436 if (o->enable_ncp_fallback
438 {
439 msg(msglevel,
440 "Note: --data-ciphers-fallback with cipher '%s' "
441 "disables data channel offload.",
442 o->ciphername);
443 return false;
444 }
445
446#if defined(USE_COMP)
447 if (o->comp.alg != COMP_ALG_UNDEF || o->comp.flags & COMP_F_ALLOW_ASYM)
448 {
449 msg(msglevel,
450 "Note: '--allow-compression' is not set to 'no', disabling data channel offload.");
451
452 if (o->mode == MODE_SERVER && !(o->comp.flags & COMP_F_MIGRATE))
453 {
454 /* We can end up here from the multi.c call, only print the
455 * note if it is not already enabled */
456 msg(msglevel, "Consider using the '--compress migrate' option.");
457 }
458 return false;
459 }
460#endif
461
462 struct gc_arena gc = gc_new();
463 char *tmp_ciphers = string_alloc(o->ncp_ciphers, &gc);
464 const char *token;
465 while ((token = strsep(&tmp_ciphers, ":")))
466 {
468 {
469 msg(msglevel,
470 "Note: cipher '%s' in --data-ciphers is not supported "
471 "by ovpn-dco, disabling data channel offload.",
472 token);
473 gc_free(&gc);
474 return false;
475 }
476 }
477 gc_free(&gc);
478
479 return true;
480}
481
482bool
483dco_check_pull_options(int msglevel, const struct options *o)
484{
485 if (!o->use_peer_id)
486 {
487 msg(msglevel, "OPTIONS IMPORT: Server did not request DATA_V2 packet "
488 "format required for data channel offload");
489 return false;
490 }
491 return true;
492}
493
494int
496{
497 if (!dco_enabled(&c->options))
498 {
499 return 0;
500 }
501
502 struct link_socket *sock = c->c2.link_sockets[0];
503
505
506 struct sockaddr *remoteaddr = &sock->info.lsa->actual.dest.addr.sa;
507 struct tls_multi *multi = c->c2.tls_multi;
508#ifdef TARGET_FREEBSD
509 /* In Linux in P2P mode the kernel automatically removes an existing peer
510 * when adding a new peer. FreeBSD needs to explicitly be told to do that */
511 if (c->c2.tls_multi->dco_peer_id != -1)
512 {
514 c->c2.tls_multi->dco_peer_id = -1;
515 }
516#endif
517 int ret = dco_new_peer(&c->c1.tuntap->dco, multi->peer_id, sock->sd, NULL,
518 proto_is_dgram(sock->info.proto) ? remoteaddr : NULL, NULL, NULL);
519 if (ret < 0)
520 {
521 return ret;
522 }
523
524 c->c2.tls_multi->dco_peer_id = multi->peer_id;
525
526 return 0;
527}
528
529void
530dco_remove_peer(struct context *c)
531{
532 if (!dco_enabled(&c->options))
533 {
534 return;
535 }
536
537 if (c->c1.tuntap && c->c2.tls_multi && c->c2.tls_multi->dco_peer_id != -1)
538 {
540 c->c2.tls_multi->dco_peer_id = -1;
541 }
542}
543
544static bool
545dco_multi_get_localaddr(struct multi_context *m, struct multi_instance *mi,
546 struct sockaddr_storage *local)
547{
548#if ENABLE_IP_PKTINFO
549 struct context *c = &mi->context;
550
553 {
554 return false;
555 }
556
557 struct link_socket_actual *actual = &c->c2.link_socket_infos[0]->lsa->actual;
558
559 switch (actual->dest.addr.sa.sa_family)
560 {
561 case AF_INET:
562 {
563 struct sockaddr_in *sock_in4 = (struct sockaddr_in *)local;
564#if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST)
565 sock_in4->sin_addr = actual->pi.in4.ipi_spec_dst;
566#elif defined(IP_RECVDSTADDR)
567 sock_in4->sin_addr = actual->pi.in4;
568#else
569 /* source IP not available on this platform */
570 return false;
571#endif
572 sock_in4->sin_family = AF_INET;
573 break;
574 }
575
576 case AF_INET6:
577 {
578 struct sockaddr_in6 *sock_in6 = (struct sockaddr_in6 *)local;
579 sock_in6->sin6_addr = actual->pi.in6.ipi6_addr;
580 sock_in6->sin6_family = AF_INET6;
581 break;
582 }
583
584 default:
585 ASSERT(false);
586 }
587
588 return true;
589#else /* if ENABLE_IP_PKTINFO */
590 return false;
591#endif /* if ENABLE_IP_PKTINFO */
592}
593
594int
596{
597 struct context *c = &mi->context;
598
599 int peer_id = c->c2.tls_multi->peer_id;
600 struct sockaddr *remoteaddr, *localaddr = NULL;
601 struct sockaddr_storage local = { 0 };
602 int sd = c->c2.link_sockets[0]->sd;
603
604
605 if (c->mode == CM_CHILD_TCP)
606 {
607 /* the remote address will be inferred from the TCP socket endpoint */
608 remoteaddr = NULL;
609 }
610 else
611 {
613 remoteaddr = &c->c2.link_socket_infos[0]->lsa->actual.dest.addr.sa;
614 }
615
616 /* In server mode we need to fetch the remote addresses from the push config */
617 struct in_addr vpn_ip4 = { 0 };
618 struct in_addr *vpn_addr4 = NULL;
620 {
621 vpn_ip4.s_addr = htonl(c->c2.push_ifconfig_local);
622 vpn_addr4 = &vpn_ip4;
623 }
624
625 struct in6_addr *vpn_addr6 = NULL;
627 {
628 vpn_addr6 = &c->c2.push_ifconfig_ipv6_local;
629 }
630
631 if (dco_multi_get_localaddr(m, mi, &local))
632 {
633 localaddr = (struct sockaddr *)&local;
634 }
635
636 int ret =
637 dco_new_peer(&c->c1.tuntap->dco, peer_id, sd, localaddr, remoteaddr, vpn_addr4, vpn_addr6);
638 if (ret < 0)
639 {
640 return ret;
641 }
642
643 c->c2.tls_multi->dco_peer_id = peer_id;
644
645 return 0;
646}
647
648void
649dco_install_iroute(struct multi_context *m, struct multi_instance *mi, struct mroute_addr *addr)
650{
651#if defined(TARGET_LINUX) || defined(TARGET_FREEBSD) || defined(_WIN32)
652 if (!dco_enabled(&m->top.options))
653 {
654 return;
655 }
656
657 int addrtype = (addr->type & MR_ADDR_MASK);
658
659 /* If we do not have local IP addr to install, skip the route */
660 if ((addrtype == MR_ADDR_IPV6 && !mi->context.c2.push_ifconfig_ipv6_defined)
661 || (addrtype == MR_ADDR_IPV4 && !mi->context.c2.push_ifconfig_defined))
662 {
663 return;
664 }
665
666 struct context *c = &mi->context;
667 if (addrtype == MR_ADDR_IPV6)
668 {
669#if defined(_WIN32)
671 c->c2.tls_multi->peer_id);
672#else
673 net_route_v6_add(&m->top.net_ctx, &addr->v6.addr, addr->netbits,
676#endif
677 }
678 else if (addrtype == MR_ADDR_IPV4)
679 {
680#if defined(_WIN32)
682 c->c2.tls_multi->peer_id);
683#else
684 in_addr_t dest = htonl(addr->v4.addr);
685 net_route_v4_add(&m->top.net_ctx, &dest, addr->netbits, &mi->context.c2.push_ifconfig_local,
687#endif
688 }
689#endif /* if defined(TARGET_LINUX) || defined(TARGET_FREEBSD) || defined(_WIN32) */
690}
691
692void
694{
695#if defined(TARGET_LINUX) || defined(TARGET_FREEBSD) || defined(_WIN32)
696 if (!dco_enabled(&m->top.options))
697 {
698 return;
699 }
701
702 struct context *c = &mi->context;
703
705 {
706 for (const struct iroute *ir = c->options.iroutes; ir; ir = ir->next)
707 {
708#if defined(_WIN32)
709 dco_win_del_iroute_ipv4(&c->c1.tuntap->dco, htonl(ir->network), ir->netbits);
710#else
711 net_route_v4_del(&m->top.net_ctx, &ir->network, ir->netbits,
714#endif
715 }
716 }
717
719 {
720 for (const struct iroute_ipv6 *ir6 = c->options.iroutes_ipv6; ir6; ir6 = ir6->next)
721 {
722#if defined(_WIN32)
723 dco_win_del_iroute_ipv6(&c->c1.tuntap->dco, ir6->network, ir6->netbits);
724#else
725 net_route_v6_del(&m->top.net_ctx, &ir6->network, ir6->netbits,
728#endif
729 }
730 }
731#endif /* if defined(TARGET_LINUX) || defined(TARGET_FREEBSD) || defined(_WIN32) */
732}
733
734#endif /* defined(ENABLE_DCO) */
char * string_alloc(const char *str, struct gc_arena *gc)
Definition buffer.c:649
static void gc_free(struct gc_arena *a)
Definition buffer.h:1015
static struct gc_arena gc_new(void)
Definition buffer.h:1007
#define COMP_F_ALLOW_ASYM
Compression was explicitly set to allow asymetric compression.
Definition comp.h:49
#define COMP_F_MIGRATE
push stub-v2 or comp-lzo no when we see a client with comp-lzo in occ
Definition comp.h:47
#define COMP_ALG_UNDEF
Definition comp.h:54
char * strsep(char **stringp, const char *delim)
void key_direction_state_init(struct key_direction_state *kds, int key_direction)
Definition crypto.c:1664
Data Channel Cryptography Module.
static bool dco_available(int msglevel)
Definition dco.h:264
static const char * dco_get_supported_ciphers(void)
Definition dco.h:383
static void dco_remove_peer(struct context *c)
Definition dco.h:350
static void dco_install_iroute(struct multi_context *m, struct multi_instance *mi, struct mroute_addr *addr)
Definition dco.h:361
static bool dco_check_startup_option(int msglevel, const struct options *o)
Definition dco.h:282
static int dco_p2p_add_new_peer(struct context *c)
Definition dco.h:337
static bool dco_check_option(int msglevel, const struct options *o)
Definition dco.h:276
static bool dco_update_keys(dco_context_t *dco, struct tls_multi *multi)
Definition dco.h:330
void * dco_context_t
Definition dco.h:261
#define DCO_IROUTE_METRIC
Definition dco.h:46
static int dco_multi_add_new_peer(struct multi_context *m, struct multi_instance *mi)
Definition dco.h:355
static void dco_delete_iroutes(struct multi_context *m, struct multi_instance *mi)
Definition dco.h:366
static bool dco_check_pull_options(int msglevel, const struct options *o)
Definition dco.h:288
static int init_key_dco_bi(struct tls_multi *multi, struct key_state *ks, const struct key2 *key2, int key_direction, const char *ciphername, bool server)
Definition dco.h:323
int dco_del_key(dco_context_t *dco, unsigned int peerid, dco_key_slot_t slot)
Definition dco_win.c:568
int dco_del_peer(dco_context_t *dco, unsigned int peerid)
Definition dco_win.c:469
void dco_win_add_iroute_ipv6(dco_context_t *dco, struct in6_addr dst, unsigned int netbits, unsigned int peer_id)
Definition dco_win.c:1016
void dco_win_del_iroute_ipv4(dco_context_t *dco, in_addr_t dst, unsigned int netbits)
Definition dco_win.c:1037
bool dco_win_supports_multipeer(void)
Definition dco_win.c:986
void dco_win_del_iroute_ipv6(dco_context_t *dco, struct in6_addr dst, unsigned int netbits)
Definition dco_win.c:1058
int dco_swap_keys(dco_context_t *dco, unsigned int peer_id)
Definition dco_win.c:576
int dco_new_peer(dco_context_t *dco, unsigned int peerid, int sd, struct sockaddr *localaddr, struct sockaddr *remoteaddr, struct in_addr *vpn_ipv4, struct in6_addr *vpn_ipv6)
Definition dco_win.c:418
void dco_win_add_iroute_ipv4(dco_context_t *dco, in_addr_t dst, unsigned int netbits, unsigned int peer_id)
Definition dco_win.c:993
int dco_new_key(dco_context_t *dco, unsigned int peerid, int keyid, dco_key_slot_t slot, const uint8_t *encrypt_key, const uint8_t *encrypt_iv, const uint8_t *decrypt_key, const uint8_t *decrypt_iv, const char *ciphername)
Definition dco_win.c:529
#define D_DCO
Definition errlevel.h:93
#define D_DCO_DEBUG
Definition errlevel.h:117
#define KS_SIZE
Size of the tls_session.key array.
Definition ssl_common.h:469
#define TM_SIZE
Size of the tls_multi.session \ array.
Definition ssl_common.h:550
#define S_GENERATED_KEYS
The data channel keys have been generated The TLS session is fully authenticated when reaching this s...
Definition ssl_common.h:105
struct key_state * tls_select_encryption_key(struct tls_multi *multi)
Selects the primary encryption that should be used to encrypt data of an outgoing packet.
Definition ssl.c:3910
#define MF_QUERY_PROXY
Definition manage.h:41
#define MR_ADDR_IPV4
Definition mroute.h:61
#define MR_ADDR_IPV6
Definition mroute.h:62
#define MR_ADDR_MASK
Definition mroute.h:63
Header file for server-mode related structures and functions.
#define IFACE_TYPE_LEN_MAX
Definition networking.h:25
#define msg(flags,...)
Definition error.h:150
#define ASSERT(x)
Definition error.h:217
#define CM_CHILD_TCP
Definition openvpn.h:486
#define MODE_SERVER
Definition options.h:261
static bool dco_enabled(const struct options *o)
Returns whether the current configuration has dco enabled.
Definition options.h:936
@ OVPN_KEY_SLOT_SECONDARY
@ OVPN_KEY_SLOT_PRIMARY
#define DEV_TYPE_TUN
Definition proto.h:35
#define TOP_SUBNET
Definition proto.h:43
#define SF_USE_IP_PKTINFO
Definition socket.h:191
static bool proto_is_udp(int proto)
Returns if the protocol being used is UDP.
static bool proto_is_dgram(int proto)
Return if the protocol is datagram (UDP)
Control Channel Common Data Structures.
#define KEY_SCAN_SIZE
Definition ssl_common.h:567
@ DCO_INSTALLED_PRIMARY
Definition ssl_common.h:185
@ DCO_INSTALLED_SECONDARY
Definition ssl_common.h:186
@ DCO_NOT_INSTALLED
Definition ssl_common.h:184
static struct key_state * get_key_scan(struct tls_multi *multi, int index)
gets an item of key_state objects in the order they should be scanned by data channel modules.
Definition ssl_common.h:733
@ KS_AUTH_TRUE
Key state is authenticated.
Definition ssl_common.h:157
bool tls_item_in_cipher_list(const char *item, const char *list)
Return true iff item is present in the colon-separated zero-terminated cipher list.
Definition ssl_ncp.c:206
Control Channel SSL/Data dynamic negotiation Module This file is split from ssl.h to be able to unit ...
Definition options.h:104
struct local_list * local_list
Definition options.h:105
const char * remote
Definition options.h:111
struct http_proxy_options * http_proxy_options
Definition options.h:119
const char * socks_proxy_server
Definition options.h:120
int fragment
Definition options.h:138
int proto
Definition options.h:106
struct tuntap * tuntap
Tun/tap virtual network interface.
Definition openvpn.h:172
bool push_ifconfig_ipv6_defined
Definition openvpn.h:434
bool push_ifconfig_defined
Definition openvpn.h:428
struct tls_multi * tls_multi
TLS state structure for this VPN tunnel.
Definition openvpn.h:323
struct in6_addr push_ifconfig_ipv6_local
Definition openvpn.h:435
struct link_socket ** link_sockets
Definition openvpn.h:237
struct link_socket_info ** link_socket_infos
Definition openvpn.h:238
in_addr_t push_ifconfig_local
Definition openvpn.h:430
Contains all state information for one tunnel.
Definition openvpn.h:474
int mode
Role of this context within the OpenVPN process.
Definition openvpn.h:487
openvpn_net_ctx_t net_ctx
Networking API opaque context.
Definition openvpn.h:501
struct context_2 c2
Level 2 context.
Definition openvpn.h:517
struct options options
Options loaded from command line or configuration file.
Definition openvpn.h:475
struct context_1 c1
Level 1 context.
Definition openvpn.h:516
struct key_ctx_bi key_ctx_bi
OpenSSL cipher and HMAC contexts for both sending and receiving directions.
Definition crypto.h:294
Garbage collection arena used to keep track of dynamically allocated memory.
Definition buffer.h:116
Container for bidirectional cipher and HMAC key material.
Definition crypto.h:240
struct key keys[2]
Two unidirectional sets of key material.
Definition crypto.h:243
Container for two sets of OpenSSL cipher and/or HMAC contexts for both sending and receiving directio...
Definition crypto.h:280
Key ordering of the key2.keys array.
Definition crypto.h:259
Security parameter state of one TLS and data channel key session.
Definition ssl_common.h:208
struct crypto_options crypto_options
Definition ssl_common.h:237
enum dco_key_status dco_status
Definition ssl_common.h:271
enum ks_auth_state authenticated
Definition ssl_common.h:259
int key_id
Key id for this key_state, inherited from struct tls_session.
Definition ssl_common.h:217
Container for unidirectional cipher and HMAC key material.
Definition crypto.h:152
uint8_t cipher[MAX_CIPHER_KEY_LENGTH]
Key material for cipher operations.
Definition crypto.h:153
uint8_t hmac[MAX_HMAC_KEY_LENGTH]
Key material for HMAC operations.
Definition crypto.h:155
int proto
Definition options.h:100
struct local_entry ** array
Definition options.h:193
struct mroute_addr::@2::@6 v6
uint8_t addr[OPENVPN_ETH_ALEN]
Definition mroute.h:89
struct mroute_addr::@2::@5 v4
uint8_t type
Definition mroute.h:81
uint8_t netbits
Definition mroute.h:82
Main OpenVPN server state structure.
Definition multi.h:164
struct context top
Storage structure for process-wide configuration.
Definition multi.h:203
Server-mode state structure for one single VPN tunnel.
Definition multi.h:103
struct context context
The context structure storing state for this VPN tunnel.
Definition multi.h:144
union openvpn_sockaddr::@27 addr
struct sockaddr sa
Definition socket_util.h:42
struct connection_list * connection_list
Definition options.h:291
bool use_peer_id
Definition options.h:704
const char * dev_type
Definition options.h:319
struct iroute_ipv6 * iroutes_ipv6
Definition options.h:515
const char * ncp_ciphers
Definition options.h:581
bool tls_server
Definition options.h:595
bool tls_client
Definition options.h:596
struct iroute * iroutes
Definition options.h:514
unsigned int sockflags
Definition options.h:424
const char * dev_node
Definition options.h:320
const char * dev
Definition options.h:318
Security parameter state for a single VPN tunnel.
Definition ssl_common.h:612
dco_context_t * dco
Definition ssl_common.h:726
struct tls_session session[TM_SIZE]
Array of tls_session objects representing control channel sessions with the remote peer.
Definition ssl_common.h:712
int dco_keys_installed
Definition ssl_common.h:716
uint32_t peer_id
Definition ssl_common.h:700
int dco_peer_id
This is the handle that DCO uses to identify this session with the kernel.
Definition ssl_common.h:724
struct key_state key[KS_SIZE]
Definition ssl_common.h:525
dco_context_t dco
Definition tun.h:249
char * actual_name
Definition tun.h:207
struct gc_arena gc
Definition test_ssl.c:154
int dev_type_enum(const char *dev, const char *dev_type)
Definition tun.c:517
bool is_dev_type(const char *dev, const char *dev_type, const char *match_type)
Definition tun.c:499
bool tun_name_is_fixed(const char *dev)
Definition tun.c:1776
#define TUNNEL_TYPE(tt)
Definition tun.h:184
static bool is_tun_afunix(const char *devnode)
Checks whether a –dev-node parameter specifies a AF_UNIX device.
Definition tun_afunix.h:61