OpenVPN
dco.c
Go to the documentation of this file.
1/*
2 * OpenVPN -- An application to securely tunnel IP networks
3 * over a single TCP/UDP port, with support for SSL/TLS-based
4 * session authentication and key exchange,
5 * packet encryption, packet authentication, and
6 * packet compression.
7 *
8 * Copyright (C) 2021-2025 Arne Schwabe <arne@rfc2549.org>
9 * Copyright (C) 2021-2025 Antonio Quartulli <a@unstable.cc>
10 * Copyright (C) 2021-2025 OpenVPN Inc <sales@openvpn.net>
11 *
12 * This program is free software; you can redistribute it and/or modify
13 * it under the terms of the GNU General Public License version 2
14 * as published by the Free Software Foundation.
15 *
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
20 *
21 * You should have received a copy of the GNU General Public License
22 * along with this program (see the file COPYING included with this
23 * distribution); if not, write to the Free Software Foundation, Inc.,
24 * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
25 */
26
27#ifdef HAVE_CONFIG_H
28#include "config.h"
29#endif
30
31#if defined(ENABLE_DCO)
32
33#include "syshead.h"
34#include "crypto.h"
35#include "dco.h"
36#include "errlevel.h"
37#include "multi.h"
38#include "networking.h"
39#include "openvpn.h"
40#include "options.h"
41#include "ssl_common.h"
42#include "ssl_ncp.h"
43#include "tun.h"
44#include "tun_afunix.h"
45
46#if defined(_WIN32)
47#include "dco_win.h"
48#endif
49
50#ifdef HAVE_LIBCAPNG
51#include <cap-ng.h>
52#endif
53
54static int
55dco_install_key(struct tls_multi *multi, struct key_state *ks,
56 const uint8_t *encrypt_key, const uint8_t *encrypt_iv,
57 const uint8_t *decrypt_key, const uint8_t *decrypt_iv,
58 const char *ciphername)
59
60{
61 msg(D_DCO_DEBUG, "%s: peer_id=%d keyid=%d, currently %d keys installed",
62 __func__, multi->dco_peer_id, ks->key_id, multi->dco_keys_installed);
63
64 /* Install a key in the PRIMARY slot only when no other key exist.
65 * From that moment on, any new key will be installed in the SECONDARY
66 * slot and will be promoted to PRIMARY when userspace says so (a swap
67 * will be performed in that case)
68 */
69 dco_key_slot_t slot = OVPN_KEY_SLOT_PRIMARY;
70 if (multi->dco_keys_installed > 0)
71 {
73 }
74
75 int ret = dco_new_key(multi->dco, multi->dco_peer_id, ks->key_id, slot,
76 encrypt_key, encrypt_iv,
77 decrypt_key, decrypt_iv,
78 ciphername);
79 if ((ret == 0) && (multi->dco_keys_installed < 2))
80 {
81 multi->dco_keys_installed++;
84 }
85
86 return ret;
87}
88
89int
90init_key_dco_bi(struct tls_multi *multi, struct key_state *ks,
91 const struct key2 *key2, int key_direction,
92 const char *ciphername, bool server)
93{
94 struct key_direction_state kds;
95 key_direction_state_init(&kds, key_direction);
96
97 return dco_install_key(multi, ks,
98 key2->keys[kds.out_key].cipher,
99 key2->keys[(int)server].hmac,
100 key2->keys[kds.in_key].cipher,
101 key2->keys[1 - (int)server].hmac,
102 ciphername);
103}
104
113static struct key_state *
114dco_get_secondary_key(struct tls_multi *multi, const struct key_state *primary)
115{
116 for (int i = 0; i < KEY_SCAN_SIZE; ++i)
117 {
118 struct key_state *ks = get_key_scan(multi, i);
120
121 if (ks == primary)
122 {
123 continue;
124 }
125
127 {
128 ASSERT(key->initialized);
129 return ks;
130 }
131 }
132
133 return NULL;
134}
135
136bool
137dco_update_keys(dco_context_t *dco, struct tls_multi *multi)
138{
139 /* this function checks if keys have to be swapped or erased, therefore it
140 * can't do much if we don't have any key installed
141 */
142 if (multi->dco_keys_installed == 0)
143 {
144 return true;
145 }
146
147 struct key_state *primary = tls_select_encryption_key(multi);
148 /* no primary key available -> no usable key exists, therefore we should
149 * tell DCO to simply wipe all keys
150 */
151 if (!primary)
152 {
153 msg(D_DCO, "No encryption key found. Purging data channel keys");
154
155 int ret = dco_del_key(dco, multi->dco_peer_id, OVPN_KEY_SLOT_PRIMARY);
156 if (ret < 0)
157 {
158 msg(D_DCO, "Cannot delete primary key during wipe: %s (%d)", strerror(-ret), ret);
159 return false;
160 }
161
163 if (ret < 0)
164 {
165 msg(D_DCO, "Cannot delete secondary key during wipe: %s (%d)", strerror(-ret), ret);
166 return false;
167 }
168
169 multi->dco_keys_installed = 0;
170 return true;
171 }
172
173 /* if we have a primary key, it must have been installed already (keys
174 * are installed upon generation in the TLS code)
175 */
177
178 struct key_state *secondary = dco_get_secondary_key(multi, primary);
179 /* if the current primary key was installed as secondary in DCO,
180 * this means we have promoted it since installation in DCO, and
181 * we now need to tell DCO to swap keys
182 */
183 if (primary->dco_status == DCO_INSTALLED_SECONDARY)
184 {
185 if (secondary)
186 {
187 msg(D_DCO_DEBUG, "Swapping primary and secondary keys to "
188 "primary-id=%d secondary-id=%d",
189 primary->key_id, secondary->key_id);
190 }
191 else
192 {
193 msg(D_DCO_DEBUG, "Swapping primary and secondary keys to "
194 "primary-id=%d secondary-id=(to be deleted)",
195 primary->key_id);
196 }
197
198 int ret = dco_swap_keys(dco, multi->dco_peer_id);
199 if (ret < 0)
200 {
201 msg(D_DCO, "Cannot swap keys: %s (%d)", strerror(-ret), ret);
202 return false;
203 }
204
206 if (secondary)
207 {
210 }
211 }
212
213 /* if we have no secondary key anymore, inform DCO about it */
214 if (!secondary && multi->dco_keys_installed == 2)
215 {
216 int ret = dco_del_key(dco, multi->dco_peer_id, OVPN_KEY_SLOT_SECONDARY);
217 if (ret < 0)
218 {
219 msg(D_DCO, "Cannot delete secondary key: %s (%d)", strerror(-ret), ret);
220 return false;
221 }
222 multi->dco_keys_installed = 1;
223 }
224
225 /* all keys that are not installed are set to NOT installed. Include also
226 * keys that might even be considered as active keys to be sure*/
227 for (int i = 0; i < TM_SIZE; ++i)
228 {
229 for (int j = 0; j < KS_SIZE; j++)
230 {
231 struct key_state *ks = &multi->session[i].key[j];
232 if (ks != primary && ks != secondary)
233 {
235 }
236 }
237 }
238 return true;
239}
240
241static bool
242dco_check_option_ce(const struct connection_entry *ce, int msglevel, int mode)
243{
244 if (ce->fragment)
245 {
246 msg(msglevel, "Note: --fragment disables data channel offload.");
247 return false;
248 }
249
250 if (ce->http_proxy_options)
251 {
252 msg(msglevel, "Note: --http-proxy disables data channel offload.");
253 return false;
254 }
255
256 if (ce->socks_proxy_server)
257 {
258 msg(msglevel, "Note: --socks-proxy disables data channel offload.");
259 return false;
260 }
261
262#if defined(TARGET_FREEBSD)
263 if (ce->local_list)
264 {
265 for (int i = 0; i < ce->local_list->len; i++)
266 {
267 if (!proto_is_dgram(ce->local_list->array[i]->proto))
268 {
269 msg(msglevel, "NOTE: TCP transport disables data channel offload on FreeBSD.");
270 return false;
271 }
272 }
273 }
274#endif
275
276#if defined(_WIN32)
277 if (!proto_is_udp(ce->proto) && mode == MODE_SERVER)
278 {
279 msg(msglevel, "NOTE: TCP transport disables data channel offload on Windows in server mode.");
280 return false;
281 }
282
283 if (!ce->remote && !dco_win_supports_multipeer())
284 {
285 msg(msglevel, "NOTE: --remote is not defined. This DCO version doesn't support multipeer. Disabling Data Channel Offload");
286 return false;
287 }
288
289 if ((mode == MODE_SERVER) && (ce->local_list->len > 1))
290 {
291 msg(msglevel, "NOTE: multiple --local options defined, disabling data channel offload");
292 return false;
293 }
294#endif
295
296 return true;
297}
298
299bool
300dco_check_startup_option(int msglevel, const struct options *o)
301{
302 /* check if no dev name was specified at all. In the case,
303 * later logic will most likely stop OpenVPN, so no need to
304 * print any message here.
305 */
306 if (!o->dev)
307 {
308 return false;
309 }
310
311 if (!o->tls_client && !o->tls_server)
312 {
313 msg(msglevel, "No tls-client or tls-server option in configuration "
314 "detected. Disabling data channel offload.");
315 return false;
316 }
317
318 if (dev_type_enum(o->dev, o->dev_type) != DEV_TYPE_TUN)
319 {
320 msg(msglevel, "Note: dev-type not tun, disabling data channel offload.");
321 return false;
322 }
323
324 if (is_tun_afunix(o->dev_node))
325 {
326 msg(msglevel, "Note: afunix tun type selected, disabling data channel offload");
327 return false;
328 }
329
330 if (is_dev_type(o->dev, o->dev_type, "null"))
331 {
332 msg(msglevel, "Note: null tun type selected, disabling data channel offload");
333 return false;
334 }
335
336 if (o->connection_list)
337 {
338 const struct connection_list *l = o->connection_list;
339 for (int i = 0; i < l->len; ++i)
340 {
341 if (!dco_check_option_ce(l->array[i], msglevel, o->mode))
342 {
343 return false;
344 }
345 }
346 }
347 else
348 {
349 if (!dco_check_option_ce(&o->ce, msglevel, o->mode))
350 {
351 return false;
352 }
353 }
354
355#if defined(_WIN32)
356 if ((o->mode == MODE_SERVER) && !dco_win_supports_multipeer())
357 {
358 msg(msglevel, "--mode server is set. This DCO version doesn't support multipeer. Disabling Data Channel Offload");
359 return false;
360 }
361
362 if ((o->mode == MODE_SERVER) && o->ce.local_list->len > 1)
363 {
364 msg(msglevel, "multiple --local options defined, disabling data channel offload");
365 return false;
366 }
367
368#elif defined(TARGET_LINUX)
369 /* if the device name is fixed, we need to check if an interface with this
370 * name already exists. IF it does, it must be a DCO interface, otherwise
371 * DCO has to be disabled in order to continue.
372 */
373 if (tun_name_is_fixed(o->dev))
374 {
376 /* we pass NULL as net_ctx because using DCO on Linux implies that we
377 * are using SITNL and the latter does not need any context. This way we
378 * don't need to have the net_ctx percolate all the way here
379 */
380 int ret = net_iface_type(NULL, o->dev, iftype);
381 if ((ret == 0) && (strcmp(iftype, "ovpn-dco") != 0))
382 {
383 msg(msglevel, "Interface %s exists and is non-DCO. Disabling data channel offload",
384 o->dev);
385 return false;
386 }
387 else if ((ret < 0) && (ret != -ENODEV))
388 {
389 msg(msglevel, "Cannot retrieve type of device %s: %s (%d)", o->dev,
390 strerror(-ret), ret);
391 }
392 }
393#endif /* if defined(_WIN32) */
394
395#if defined(HAVE_LIBCAPNG)
396 /* DCO can't operate without CAP_NET_ADMIN. To retain it when switching user
397 * we need CAP_SETPCAP. CAP_NET_ADMIN also needs to be part of the permitted set
398 * of capabilities in order to retain it.
399 */
400 if (o->username)
401 {
403 {
404 msg(msglevel, "--user specified but lacking CAP_SETPCAP. "
405 "Cannot retain CAP_NET_ADMIN. Disabling data channel offload");
406 return false;
407 }
409 {
410 msg(msglevel, "--user specified but not permitted to retain CAP_NET_ADMIN. "
411 "Disabling data channel offload");
412 return false;
413 }
414 }
415#endif /* if defined(HAVE_LIBCAPNG) */
416
417 if (o->mode == MODE_SERVER && o->topology != TOP_SUBNET)
418 {
419 msg(msglevel, "Note: NOT using '--topology subnet' disables data channel offload.");
420 return false;
421 }
422
423 if (o->management_flags & MF_QUERY_PROXY)
424 {
425 msg(msglevel, "Note: --management-query-proxy disables data channel offload.");
426 return false;
427 }
428
429 /* now that all options have been confirmed to be supported, check
430 * if DCO is truly available on the system
431 */
432 return dco_available(msglevel);
433}
434
435bool
436dco_check_option(int msglevel, const struct options *o)
437{
438 /* At this point the ciphers have already been normalised */
439 if (o->enable_ncp_fallback
441 {
442 msg(msglevel, "Note: --data-ciphers-fallback with cipher '%s' "
443 "disables data channel offload.", o->ciphername);
444 return false;
445 }
446
447#if defined(USE_COMP)
448 if (o->comp.alg != COMP_ALG_UNDEF
449 || o->comp.flags & COMP_F_ALLOW_ASYM)
450 {
451 msg(msglevel, "Note: '--allow-compression' is not set to 'no', disabling data channel offload.");
452
453 if (o->mode == MODE_SERVER && !(o->comp.flags & COMP_F_MIGRATE))
454 {
455 /* We can end up here from the multi.c call, only print the
456 * note if it is not already enabled */
457 msg(msglevel, "Consider using the '--compress migrate' option.");
458 }
459 return false;
460 }
461#endif
462
463 struct gc_arena gc = gc_new();
464 char *tmp_ciphers = string_alloc(o->ncp_ciphers, &gc);
465 const char *token;
466 while ((token = strsep(&tmp_ciphers, ":")))
467 {
469 {
470 msg(msglevel, "Note: cipher '%s' in --data-ciphers is not supported "
471 "by ovpn-dco, disabling data channel offload.", token);
472 gc_free(&gc);
473 return false;
474 }
475 }
476 gc_free(&gc);
477
478 return true;
479}
480
481bool
482dco_check_pull_options(int msglevel, const struct options *o)
483{
484 if (!o->use_peer_id)
485 {
486 msg(msglevel, "OPTIONS IMPORT: Server did not request DATA_V2 packet "
487 "format required for data channel offload");
488 return false;
489 }
490 return true;
491}
492
493int
495{
496 if (!dco_enabled(&c->options))
497 {
498 return 0;
499 }
500
501 struct link_socket *sock = c->c2.link_sockets[0];
502
504
505 struct sockaddr *remoteaddr = &sock->info.lsa->actual.dest.addr.sa;
506 struct tls_multi *multi = c->c2.tls_multi;
507#ifdef TARGET_FREEBSD
508 /* In Linux in P2P mode the kernel automatically removes an existing peer
509 * when adding a new peer. FreeBSD needs to explicitly be told to do that */
510 if (c->c2.tls_multi->dco_peer_id != -1)
511 {
513 c->c2.tls_multi->dco_peer_id = -1;
514 }
515#endif
516 int ret = dco_new_peer(&c->c1.tuntap->dco, multi->peer_id, sock->sd, NULL,
517 proto_is_dgram(sock->info.proto) ? remoteaddr : NULL,
518 NULL, NULL);
519 if (ret < 0)
520 {
521 return ret;
522 }
523
524 c->c2.tls_multi->dco_peer_id = multi->peer_id;
525
526 return 0;
527}
528
529void
530dco_remove_peer(struct context *c)
531{
532 if (!dco_enabled(&c->options))
533 {
534 return;
535 }
536
537 if (c->c1.tuntap && c->c2.tls_multi && c->c2.tls_multi->dco_peer_id != -1)
538 {
540 c->c2.tls_multi->dco_peer_id = -1;
541 }
542}
543
544static bool
545dco_multi_get_localaddr(struct multi_context *m, struct multi_instance *mi,
546 struct sockaddr_storage *local)
547{
548#if ENABLE_IP_PKTINFO
549 struct context *c = &mi->context;
550
552 {
553 return false;
554 }
555
556 struct link_socket_actual *actual = &c->c2.link_socket_infos[0]->lsa->actual;
557
558 switch (actual->dest.addr.sa.sa_family)
559 {
560 case AF_INET:
561 {
562 struct sockaddr_in *sock_in4 = (struct sockaddr_in *)local;
563#if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST)
564 sock_in4->sin_addr = actual->pi.in4.ipi_spec_dst;
565#elif defined(IP_RECVDSTADDR)
566 sock_in4->sin_addr = actual->pi.in4;
567#else
568 /* source IP not available on this platform */
569 return false;
570#endif
571 sock_in4->sin_family = AF_INET;
572 break;
573 }
574
575 case AF_INET6:
576 {
577 struct sockaddr_in6 *sock_in6 = (struct sockaddr_in6 *)local;
578 sock_in6->sin6_addr = actual->pi.in6.ipi6_addr;
579 sock_in6->sin6_family = AF_INET6;
580 break;
581 }
582
583 default:
584 ASSERT(false);
585 }
586
587 return true;
588#else /* if ENABLE_IP_PKTINFO */
589 return false;
590#endif /* if ENABLE_IP_PKTINFO */
591}
592
593int
595{
596 struct context *c = &mi->context;
597
598 int peer_id = c->c2.tls_multi->peer_id;
599 struct sockaddr *remoteaddr, *localaddr = NULL;
600 struct sockaddr_storage local = { 0 };
601 int sd = c->c2.link_sockets[0]->sd;
602
603
604 if (c->mode == CM_CHILD_TCP)
605 {
606 /* the remote address will be inferred from the TCP socket endpoint */
607 remoteaddr = NULL;
608 }
609 else
610 {
612 remoteaddr = &c->c2.link_socket_infos[0]->lsa->actual.dest.addr.sa;
613 }
614
615 /* In server mode we need to fetch the remote addresses from the push config */
616 struct in_addr vpn_ip4 = { 0 };
617 struct in_addr *vpn_addr4 = NULL;
619 {
620 vpn_ip4.s_addr = htonl(c->c2.push_ifconfig_local);
621 vpn_addr4 = &vpn_ip4;
622 }
623
624 struct in6_addr *vpn_addr6 = NULL;
626 {
627 vpn_addr6 = &c->c2.push_ifconfig_ipv6_local;
628 }
629
630 if (dco_multi_get_localaddr(m, mi, &local))
631 {
632 localaddr = (struct sockaddr *)&local;
633 }
634
635 int ret = dco_new_peer(&c->c1.tuntap->dco, peer_id, sd, localaddr,
636 remoteaddr, vpn_addr4, vpn_addr6);
637 if (ret < 0)
638 {
639 return ret;
640 }
641
642 c->c2.tls_multi->dco_peer_id = peer_id;
643
644 return 0;
645}
646
647void
649 struct mroute_addr *addr)
650{
651#if defined(TARGET_LINUX) || defined(TARGET_FREEBSD) || defined(_WIN32)
652 if (!dco_enabled(&m->top.options))
653 {
654 return;
655 }
656
657 int addrtype = (addr->type & MR_ADDR_MASK);
658
659 /* If we do not have local IP addr to install, skip the route */
660 if ((addrtype == MR_ADDR_IPV6 && !mi->context.c2.push_ifconfig_ipv6_defined)
661 || (addrtype == MR_ADDR_IPV4 && !mi->context.c2.push_ifconfig_defined))
662 {
663 return;
664 }
665
666 struct context *c = &mi->context;
667 if (addrtype == MR_ADDR_IPV6)
668 {
669#if defined(_WIN32)
671#else
672 net_route_v6_add(&m->top.net_ctx, &addr->v6.addr, addr->netbits,
675#endif
676 }
677 else if (addrtype == MR_ADDR_IPV4)
678 {
679#if defined(_WIN32)
681#else
682 in_addr_t dest = htonl(addr->v4.addr);
683 net_route_v4_add(&m->top.net_ctx, &dest, addr->netbits,
686#endif
687 }
688#endif /* if defined(TARGET_LINUX) || defined(TARGET_FREEBSD) || defined(_WIN32) */
689}
690
691void
693{
694#if defined(TARGET_LINUX) || defined(TARGET_FREEBSD) || defined(_WIN32)
695 if (!dco_enabled(&m->top.options))
696 {
697 return;
698 }
700
701 struct context *c = &mi->context;
702
704 {
705 for (const struct iroute *ir = c->options.iroutes;
706 ir;
707 ir = ir->next)
708 {
709#if defined(_WIN32)
710 dco_win_del_iroute_ipv4(&c->c1.tuntap->dco, htonl(ir->network), ir->netbits);
711#else
712 net_route_v4_del(&m->top.net_ctx, &ir->network, ir->netbits,
715#endif
716 }
717 }
718
720 {
721 for (const struct iroute_ipv6 *ir6 = c->options.iroutes_ipv6;
722 ir6;
723 ir6 = ir6->next)
724 {
725#if defined(_WIN32)
726 dco_win_del_iroute_ipv6(&c->c1.tuntap->dco, ir6->network, ir6->netbits);
727#else
728 net_route_v6_del(&m->top.net_ctx, &ir6->network, ir6->netbits,
731#endif
732 }
733 }
734#endif /* if defined(TARGET_LINUX) || defined(TARGET_FREEBSD) || defined(_WIN32) */
735}
736
737#endif /* defined(ENABLE_DCO) */
char * string_alloc(const char *str, struct gc_arena *gc)
Definition buffer.c:649
static void gc_free(struct gc_arena *a)
Definition buffer.h:1033
static struct gc_arena gc_new(void)
Definition buffer.h:1025
#define COMP_F_ALLOW_ASYM
Compression was explicitly set to allow asymetric compression.
Definition comp.h:49
#define COMP_F_MIGRATE
push stub-v2 or comp-lzo no when we see a client with comp-lzo in occ
Definition comp.h:47
#define COMP_ALG_UNDEF
Definition comp.h:54
char * strsep(char **stringp, const char *delim)
void key_direction_state_init(struct key_direction_state *kds, int key_direction)
Definition crypto.c:1705
Data Channel Cryptography Module.
static bool dco_available(int msglevel)
Definition dco.h:270
static const char * dco_get_supported_ciphers(void)
Definition dco.h:392
static void dco_remove_peer(struct context *c)
Definition dco.h:357
static void dco_install_iroute(struct multi_context *m, struct multi_instance *mi, struct mroute_addr *addr)
Definition dco.h:368
static bool dco_check_startup_option(int msglevel, const struct options *o)
Definition dco.h:288
static int dco_p2p_add_new_peer(struct context *c)
Definition dco.h:344
static bool dco_check_option(int msglevel, const struct options *o)
Definition dco.h:282
static bool dco_update_keys(dco_context_t *dco, struct tls_multi *multi)
Definition dco.h:337
void * dco_context_t
Definition dco.h:267
#define DCO_IROUTE_METRIC
Definition dco.h:47
static int dco_multi_add_new_peer(struct multi_context *m, struct multi_instance *mi)
Definition dco.h:362
static void dco_delete_iroutes(struct multi_context *m, struct multi_instance *mi)
Definition dco.h:374
static bool dco_check_pull_options(int msglevel, const struct options *o)
Definition dco.h:294
static int init_key_dco_bi(struct tls_multi *multi, struct key_state *ks, const struct key2 *key2, int key_direction, const char *ciphername, bool server)
Definition dco.h:329
int dco_del_key(dco_context_t *dco, unsigned int peerid, dco_key_slot_t slot)
Definition dco_win.c:566
int dco_del_peer(dco_context_t *dco, unsigned int peerid)
Definition dco_win.c:465
void dco_win_add_iroute_ipv6(dco_context_t *dco, struct in6_addr dst, unsigned int netbits, unsigned int peer_id)
Definition dco_win.c:847
void dco_win_del_iroute_ipv4(dco_context_t *dco, in_addr_t dst, unsigned int netbits)
Definition dco_win.c:866
bool dco_win_supports_multipeer(void)
Definition dco_win.c:821
void dco_win_del_iroute_ipv6(dco_context_t *dco, struct in6_addr dst, unsigned int netbits)
Definition dco_win.c:885
int dco_swap_keys(dco_context_t *dco, unsigned int peer_id)
Definition dco_win.c:575
int dco_new_peer(dco_context_t *dco, unsigned int peerid, int sd, struct sockaddr *localaddr, struct sockaddr *remoteaddr, struct in_addr *vpn_ipv4, struct in6_addr *vpn_ipv6)
Definition dco_win.c:414
void dco_win_add_iroute_ipv4(dco_context_t *dco, in_addr_t dst, unsigned int netbits, unsigned int peer_id)
Definition dco_win.c:828
int dco_new_key(dco_context_t *dco, unsigned int peerid, int keyid, dco_key_slot_t slot, const uint8_t *encrypt_key, const uint8_t *encrypt_iv, const uint8_t *decrypt_key, const uint8_t *decrypt_iv, const char *ciphername)
Definition dco_win.c:525
#define D_DCO
Definition errlevel.h:94
#define D_DCO_DEBUG
Definition errlevel.h:118
#define KS_SIZE
Size of the tls_session.key array.
Definition ssl_common.h:462
#define TM_SIZE
Size of the tls_multi.session array.
Definition ssl_common.h:542
#define S_GENERATED_KEYS
The data channel keys have been generated The TLS session is fully authenticated when reaching this s...
Definition ssl_common.h:105
struct key_state * tls_select_encryption_key(struct tls_multi *multi)
Selects the primary encryption that should be used to encrypt data of an outgoing packet.
Definition ssl.c:4064
#define MF_QUERY_PROXY
Definition manage.h:42
#define MR_ADDR_IPV4
Definition mroute.h:62
#define MR_ADDR_IPV6
Definition mroute.h:63
#define MR_ADDR_MASK
Definition mroute.h:64
Header file for server-mode related structures and functions.
#define IFACE_TYPE_LEN_MAX
Definition networking.h:26
#define msg(flags,...)
Definition error.h:144
#define ASSERT(x)
Definition error.h:195
#define CM_CHILD_TCP
Definition openvpn.h:488
#define MODE_SERVER
Definition options.h:260
static bool dco_enabled(const struct options *o)
Returns whether the current configuration has dco enabled.
Definition options.h:929
@ OVPN_KEY_SLOT_SECONDARY
@ OVPN_KEY_SLOT_PRIMARY
#define DEV_TYPE_TUN
Definition proto.h:36
#define TOP_SUBNET
Definition proto.h:44
static bool proto_is_udp(int proto)
Returns if the protocol being used is UDP.
Definition socket.h:586
#define SF_USE_IP_PKTINFO
Definition socket.h:221
static bool proto_is_dgram(int proto)
Return if the protocol is datagram (UDP)
Definition socket.h:597
Control Channel Common Data Structures.
#define KEY_SCAN_SIZE
Definition ssl_common.h:558
@ DCO_INSTALLED_PRIMARY
Definition ssl_common.h:180
@ DCO_INSTALLED_SECONDARY
Definition ssl_common.h:181
@ DCO_NOT_INSTALLED
Definition ssl_common.h:179
static struct key_state * get_key_scan(struct tls_multi *multi, int index)
gets an item of key_state objects in the order they should be scanned by data channel modules.
Definition ssl_common.h:725
@ KS_AUTH_TRUE
Key state is authenticated.
Definition ssl_common.h:154
bool tls_item_in_cipher_list(const char *item, const char *list)
Return true iff item is present in the colon-separated zero-terminated cipher list.
Definition ssl_ncp.c:210
Control Channel SSL/Data dynamic negotiation Module This file is split from ssl.h to be able to unit ...
Definition options.h:105
struct local_list * local_list
Definition options.h:106
const char * remote
Definition options.h:112
struct http_proxy_options * http_proxy_options
Definition options.h:120
const char * socks_proxy_server
Definition options.h:121
int fragment
Definition options.h:139
int proto
Definition options.h:107
struct tuntap * tuntap
Tun/tap virtual network interface.
Definition openvpn.h:173
bool push_ifconfig_ipv6_defined
Definition openvpn.h:436
bool push_ifconfig_defined
Definition openvpn.h:430
struct tls_multi * tls_multi
TLS state structure for this VPN tunnel.
Definition openvpn.h:325
struct in6_addr push_ifconfig_ipv6_local
Definition openvpn.h:437
struct link_socket ** link_sockets
Definition openvpn.h:239
struct link_socket_info ** link_socket_infos
Definition openvpn.h:240
in_addr_t push_ifconfig_local
Definition openvpn.h:432
Contains all state information for one tunnel.
Definition openvpn.h:476
int mode
Role of this context within the OpenVPN process.
Definition openvpn.h:489
openvpn_net_ctx_t net_ctx
Networking API opaque context.
Definition openvpn.h:500
struct context_2 c2
Level 2 context.
Definition openvpn.h:516
struct options options
Options loaded from command line or configuration file.
Definition openvpn.h:477
struct context_1 c1
Level 1 context.
Definition openvpn.h:515
struct key_ctx_bi key_ctx_bi
OpenSSL cipher and HMAC contexts for both sending and receiving directions.
Definition crypto.h:293
Garbage collection arena used to keep track of dynamically allocated memory.
Definition buffer.h:117
Container for bidirectional cipher and HMAC key material.
Definition crypto.h:239
struct key keys[2]
Two unidirectional sets of key material.
Definition crypto.h:242
Container for two sets of OpenSSL cipher and/or HMAC contexts for both sending and receiving directio...
Definition crypto.h:279
Key ordering of the key2.keys array.
Definition crypto.h:258
Security parameter state of one TLS and data channel key session.
Definition ssl_common.h:203
struct crypto_options crypto_options
Definition ssl_common.h:232
enum dco_key_status dco_status
Definition ssl_common.h:266
enum ks_auth_state authenticated
Definition ssl_common.h:254
int key_id
Key id for this key_state, inherited from struct tls_session.
Definition ssl_common.h:212
Container for unidirectional cipher and HMAC key material.
Definition crypto.h:152
uint8_t cipher[MAX_CIPHER_KEY_LENGTH]
Key material for cipher operations.
Definition crypto.h:153
uint8_t hmac[MAX_HMAC_KEY_LENGTH]
Key material for HMAC operations.
Definition crypto.h:155
int proto
Definition options.h:101
struct local_entry ** array
Definition options.h:193
struct mroute_addr::@2::@6 v6
uint8_t addr[OPENVPN_ETH_ALEN]
Definition mroute.h:87
struct mroute_addr::@2::@5 v4
uint8_t type
Definition mroute.h:81
uint8_t netbits
Definition mroute.h:82
Main OpenVPN server state structure.
Definition multi.h:163
struct context top
Storage structure for process-wide configuration.
Definition multi.h:202
Server-mode state structure for one single VPN tunnel.
Definition multi.h:103
struct context context
The context structure storing state for this VPN tunnel.
Definition multi.h:144
struct sockaddr sa
Definition socket.h:69
union openvpn_sockaddr::@24 addr
struct connection_list * connection_list
Definition options.h:290
bool use_peer_id
Definition options.h:703
const char * dev_type
Definition options.h:318
struct iroute_ipv6 * iroutes_ipv6
Definition options.h:514
const char * ncp_ciphers
Definition options.h:580
bool tls_server
Definition options.h:594
bool tls_client
Definition options.h:595
struct iroute * iroutes
Definition options.h:513
unsigned int sockflags
Definition options.h:423
const char * dev_node
Definition options.h:319
const char * dev
Definition options.h:317
Security parameter state for a single VPN tunnel.
Definition ssl_common.h:604
dco_context_t * dco
Definition ssl_common.h:718
struct tls_session session[TM_SIZE]
Array of tls_session objects representing control channel sessions with the remote peer.
Definition ssl_common.h:704
int dco_keys_installed
Definition ssl_common.h:708
uint32_t peer_id
Definition ssl_common.h:692
int dco_peer_id
This is the handle that DCO uses to identify this session with the kernel.
Definition ssl_common.h:716
struct key_state key[KS_SIZE]
Definition ssl_common.h:518
dco_context_t dco
Definition tun.h:244
char * actual_name
Definition tun.h:202
struct gc_arena gc
Definition test_ssl.c:155
int dev_type_enum(const char *dev, const char *dev_type)
Definition tun.c:547
bool is_dev_type(const char *dev, const char *dev_type, const char *match_type)
Definition tun.c:529
bool tun_name_is_fixed(const char *dev)
Definition tun.c:1881
#define TUNNEL_TYPE(tt)
Definition tun.h:179
static bool is_tun_afunix(const char *devnode)
Checks whether a –dev-node parameter specifies a AF_UNIX device.
Definition tun_afunix.h:69