OpenVPN
dco_win.c
Go to the documentation of this file.
1/*
2 * Interface to ovpn-win-dco networking code
3 *
4 * Copyright (C) 2020-2025 Arne Schwabe <arne@rfc2549.org>
5 * Copyright (C) 2020-2025 OpenVPN Inc <sales@openvpn.net>
6 *
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License version 2
9 * as published by the Free Software Foundation.
10 *
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License
17 * along with this program (see the file COPYING included with this
18 * distribution); if not, see <https://www.gnu.org/licenses/>.
19 */
20
21#ifdef HAVE_CONFIG_H
22#include "config.h"
23#endif
24
25#if defined(_WIN32)
26
27#include "syshead.h"
28
29#include "dco.h"
30#include "forward.h"
31#include "tun.h"
32#include "crypto.h"
33#include "multi.h"
34#include "ssl_common.h"
35#include "openvpn.h"
36
37#include <bcrypt.h>
38#include <winsock2.h>
39#include <ws2tcpip.h>
40
41#if defined(__MINGW32__)
42const IN_ADDR in4addr_any = { 0 };
43#endif
44
45/* Sometimes IP Helper API, which we use for setting IP address etc,
46 * complains that interface is not found. Give it some time to settle
47 */
48static void
50{
51 for (int i = 0; i < 20; ++i)
52 {
53 MIB_IPINTERFACE_ROW row = { .InterfaceIndex = idx, .Family = AF_INET };
54 if (GetIpInterfaceEntry(&row) != ERROR_NOT_FOUND)
55 {
56 break;
57 }
58 msg(D_DCO_DEBUG, "interface %ld not yet ready, retrying", idx);
59 Sleep(50);
60 }
61}
62
72static bool
74{
75 CLEAR(*version);
76
77 bool res = false;
78
79 HANDLE h = CreateFile("\\\\.\\ovpn-dco-ver", GENERIC_READ, 0, NULL, OPEN_EXISTING, 0, NULL);
80
81 if (h == INVALID_HANDLE_VALUE)
82 {
83 /* fallback to a "normal" device, this will fail if device is already in use */
84 h = CreateFile("\\\\.\\ovpn-dco", GENERIC_READ, 0, NULL, OPEN_EXISTING, 0, NULL);
85 }
86
87 if (h == INVALID_HANDLE_VALUE)
88 {
89 goto done;
90 }
91
92 DWORD bytes_returned = 0;
93 if (!DeviceIoControl(h, OVPN_IOCTL_GET_VERSION, NULL, 0, version, sizeof(*version),
94 &bytes_returned, NULL))
95 {
96 goto done;
97 }
98
99 res = true;
100
101done:
102 if (h != INVALID_HANDLE_VALUE)
103 {
104 CloseHandle(h);
105 }
106
107 msg(D_DCO_DEBUG, "dco version: %ld.%ld.%ld", version->Major, version->Minor, version->Patch);
108
109 return res;
110}
111
121void
122ovpn_dco_init_mp(dco_context_t *dco, const char *dev_node)
123{
124 ASSERT(dco->ifmode == DCO_MODE_UNINIT);
125 dco->ifmode = DCO_MODE_MP;
126
127 /* Use manual reset event so it remains signalled until
128 * explicitly reset. This way we won't lose notifications
129 */
130 dco->ov.hEvent = CreateEvent(NULL, TRUE, FALSE, NULL);
131 if (dco->ov.hEvent == NULL)
132 {
133 msg(M_ERR, "Error: ovpn_dco_init: CreateEvent failed");
134 }
135
136 dco->rwhandle.read = dco->ov.hEvent;
137
138 /* open DCO device */
139 struct gc_arena gc = gc_new();
140 const char *device_guid;
141 tun_open_device(dco->tt, dev_node, &device_guid, &gc);
142 gc_free(&gc);
143
144 /* set mp mode */
146 DWORD bytes_returned = 0;
147 if (!DeviceIoControl(dco->tt->hand, OVPN_IOCTL_SET_MODE, &m, sizeof(m), NULL, 0,
148 &bytes_returned, NULL))
149 {
150 msg(M_ERR, "DeviceIoControl(OVPN_IOCTL_SET_MODE) failed");
151 }
152
153 dco_wait_ready(dco->tt->adapter_index);
154}
155
164void
166{
167 DWORD bytes_returned = 0;
168 if (!DeviceIoControl(tt->hand, OVPN_IOCTL_START_VPN, NULL, 0, NULL, 0, &bytes_returned, NULL))
169 {
170 msg(M_ERR, "DeviceIoControl(OVPN_IOCTL_START_VPN) failed");
171 }
172
173 /* Sometimes IP Helper API, which we use for setting IP address etc,
174 * complains that interface is not found. Give it some time to settle
175 */
177}
178
179
189bool
191{
192 dco_context_t *dco = &c->c1.tuntap->dco;
193
194 dco->c = c;
195
196 switch (c->mode)
197 {
199 dco->ifmode = DCO_MODE_P2P;
200 dco_p2p_start_vpn(dco->tt);
201 break;
202
203 case MODE_SERVER:
205 break;
206
207 default:
208 ASSERT(false);
209 }
210
211 return true;
212}
213
214int
215open_tun_dco(struct tuntap *tt, openvpn_net_ctx_t *ctx, const char *dev)
216{
217 ASSERT(0);
218 return 0;
219}
220
221static void
222dco_connect_wait(HANDLE handle, OVERLAPPED *ov, int timeout, struct signal_info *sig_info)
223{
224 volatile int *signal_received = &sig_info->signal_received;
225 /* GetOverlappedResultEx is available starting from Windows 8 */
226 typedef BOOL(WINAPI * get_overlapped_result_ex_t)(HANDLE, LPOVERLAPPED, LPDWORD, DWORD, BOOL);
227 get_overlapped_result_ex_t get_overlapped_result_ex =
228 (get_overlapped_result_ex_t)GetProcAddress(GetModuleHandle("Kernel32.dll"),
229 "GetOverlappedResultEx");
230
231 if (get_overlapped_result_ex == NULL)
232 {
233 msg(M_ERR, "Failed to load GetOverlappedResult()");
234 }
235
236 DWORD timeout_msec = timeout * 1000;
237 const int poll_interval_ms = 50;
238
239 while (timeout_msec > 0)
240 {
241 timeout_msec -= poll_interval_ms;
242
243 DWORD transferred;
244 if (get_overlapped_result_ex(handle, ov, &transferred, poll_interval_ms, FALSE) != 0)
245 {
246 /* TCP connection established by dco */
247 return;
248 }
249
250 DWORD err = GetLastError();
251 if ((err != WAIT_TIMEOUT) && (err != ERROR_IO_INCOMPLETE))
252 {
253 /* dco reported connection error */
254 msg(M_NONFATAL | M_ERRNO, "dco connect error");
255 register_signal(sig_info, SIGUSR1, "dco-connect-error");
256 return;
257 }
258
259 get_signal(signal_received);
260 if (*signal_received)
261 {
262 return;
263 }
264
266 }
267
268 /* we end up here when timeout occurs in userspace */
269 msg(M_NONFATAL, "dco connect timeout");
270 register_signal(sig_info, SIGUSR1, "dco-connect-timeout");
271}
272
282void
283dco_mp_start_vpn(HANDLE handle, struct link_socket *sock)
284{
285 msg(D_DCO_DEBUG, "%s", __func__);
286
287 int ai_family = sock->info.lsa->bind_local->ai_family;
288 struct addrinfo *local = sock->info.lsa->bind_local;
289 struct addrinfo *cur = NULL;
290
291 for (cur = local; cur; cur = cur->ai_next)
292 {
293 if (cur->ai_family == ai_family)
294 {
295 break;
296 }
297 }
298 if (!cur)
299 {
300 msg(M_FATAL, "%s: Socket bind failed: Addr to bind has no %s record", __func__,
301 addr_family_name(ai_family));
302 }
303
304 OVPN_MP_START_VPN in, out;
305 in.IPv6Only = sock->info.bind_ipv6_only ? 1 : 0;
306 if (ai_family == AF_INET)
307 {
308 memcpy(&in.ListenAddress.Addr4, cur->ai_addr, sizeof(struct sockaddr_in));
309 }
310 else
311 {
312 memcpy(&in.ListenAddress.Addr6, cur->ai_addr, sizeof(struct sockaddr_in6));
313 }
314
315 /* in multipeer mode control channel packets are prepended with remote peer's sockaddr */
316 sock->sockflags |= SF_PREPEND_SA;
317
318 DWORD bytes_returned = 0;
319 if (!DeviceIoControl(handle, OVPN_IOCTL_MP_START_VPN, &in, sizeof(in), &out, sizeof(out),
320 &bytes_returned, NULL))
321 {
322 msg(M_ERR, "DeviceIoControl(OVPN_IOCTL_MP_START_VPN) failed");
323 }
324}
325
326void
327dco_p2p_new_peer(HANDLE handle, OVERLAPPED *ov, struct link_socket *sock,
328 struct signal_info *sig_info)
329{
330 msg(D_DCO_DEBUG, "%s", __func__);
331
332 OVPN_NEW_PEER peer = { 0 };
333
334 struct addrinfo *remoteaddr = sock->info.lsa->current_remote;
335
336 struct sockaddr *local = NULL;
337 struct sockaddr *remote = remoteaddr->ai_addr;
338
339 if (remoteaddr->ai_protocol == IPPROTO_TCP || remoteaddr->ai_socktype == SOCK_STREAM)
340 {
341 peer.Proto = OVPN_PROTO_TCP;
342 }
343 else
344 {
345 peer.Proto = OVPN_PROTO_UDP;
346 }
347
348 if (sock->bind_local)
349 {
350 /* Use first local address with correct address family */
351 struct addrinfo *bind = sock->info.lsa->bind_local;
352 while (bind && !local)
353 {
354 if (bind->ai_family == remote->sa_family)
355 {
356 local = bind->ai_addr;
357 }
358 bind = bind->ai_next;
359 }
360 }
361
362 if (sock->bind_local && !local)
363 {
364 msg(M_FATAL, "DCO: Socket bind failed: Address to bind lacks %s record",
365 addr_family_name(remote->sa_family));
366 }
367
368 if (remote->sa_family == AF_INET6)
369 {
370 peer.Remote.Addr6 = *((SOCKADDR_IN6 *)(remoteaddr->ai_addr));
371 if (local)
372 {
373 peer.Local.Addr6 = *((SOCKADDR_IN6 *)local);
374 }
375 else
376 {
377 peer.Local.Addr6.sin6_addr = in6addr_any;
378 peer.Local.Addr6.sin6_port = 0;
379 peer.Local.Addr6.sin6_family = AF_INET6;
380 }
381 }
382 else if (remote->sa_family == AF_INET)
383 {
384 peer.Remote.Addr4 = *((SOCKADDR_IN *)(remoteaddr->ai_addr));
385 if (local)
386 {
387 peer.Local.Addr4 = *((SOCKADDR_IN *)local);
388 }
389 else
390 {
391 peer.Local.Addr4.sin_addr = in4addr_any;
392 peer.Local.Addr4.sin_port = 0;
393 peer.Local.Addr4.sin_family = AF_INET;
394 }
395 }
396 else
397 {
398 ASSERT(0);
399 }
400
401 CLEAR(*ov);
402 if (!DeviceIoControl(handle, OVPN_IOCTL_NEW_PEER, &peer, sizeof(peer), NULL, 0, NULL, ov))
403 {
404 DWORD err = GetLastError();
405 if (err != ERROR_IO_PENDING)
406 {
407 msg(M_ERR, "DeviceIoControl(OVPN_IOCTL_NEW_PEER) failed");
408 }
409 else
410 {
412 sig_info);
413 }
414 }
415}
416
417int
418dco_new_peer(dco_context_t *dco, unsigned int peerid, int sd, struct sockaddr *localaddr,
419 struct sockaddr *remoteaddr, struct in_addr *vpn_ipv4, struct in6_addr *vpn_ipv6)
420{
421 msg(D_DCO_DEBUG, "%s: peer-id %d, fd %d", __func__, peerid, sd);
422
423 if (dco->ifmode == DCO_MODE_P2P)
424 {
425 /* no-op for p2p */
426 return 0;
427 }
428
429 OVPN_MP_NEW_PEER newPeer = { 0 };
430
431 if (remoteaddr)
432 {
433 /* while the driver doesn't use the local address yet it requires its AF to be valid */
434 newPeer.Local.Addr4.sin_family = remoteaddr->sa_family;
435
436 if (remoteaddr->sa_family == AF_INET)
437 {
438 memcpy(&newPeer.Remote.Addr4, remoteaddr, sizeof(struct sockaddr_in));
439 }
440 else
441 {
442 memcpy(&newPeer.Remote.Addr6, remoteaddr, sizeof(struct sockaddr_in6));
443 }
444 }
445
446 if (vpn_ipv4)
447 {
448 newPeer.VpnAddr4 = *vpn_ipv4;
449 }
450
451 if (vpn_ipv6)
452 {
453 newPeer.VpnAddr6 = *vpn_ipv6;
454 }
455
456 newPeer.PeerId = peerid;
457
458 DWORD bytesReturned;
459 if (!DeviceIoControl(dco->tt->hand, OVPN_IOCTL_MP_NEW_PEER, &newPeer, sizeof(newPeer), NULL, 0,
460 &bytesReturned, NULL))
461 {
462 msg(M_ERR, "DeviceIoControl(OVPN_IOCTL_MP_NEW_PEER) failed");
463 }
464
465 return 0;
466}
467
468int
469dco_del_peer(dco_context_t *dco, unsigned int peerid)
470{
471 msg(D_DCO_DEBUG, "%s: peer-id %d", __func__, peerid);
472
473 OVPN_MP_DEL_PEER del_peer = { peerid };
474 VOID *buf = NULL;
475 DWORD len = 0;
476 DWORD ioctl = OVPN_IOCTL_DEL_PEER;
477
478 if (dco->ifmode == DCO_MODE_MP)
479 {
481 buf = &del_peer;
482 len = sizeof(del_peer);
483 }
484
485 DWORD bytes_returned = 0;
486 if (!DeviceIoControl(dco->tt->hand, ioctl, buf, len, NULL, 0, &bytes_returned, NULL))
487 {
488 msg(M_WARN | M_ERRNO, "DeviceIoControl(OVPN_IOCTL_DEL_PEER) failed");
489 return -1;
490 }
491 return 0;
492}
493
494int
495dco_set_peer(dco_context_t *dco, unsigned int peerid, int keepalive_interval, int keepalive_timeout,
496 int mss)
497{
498 msg(D_DCO_DEBUG, "%s: peer-id %d, keepalive %d/%d, mss %d", __func__, peerid,
499 keepalive_interval, keepalive_timeout, mss);
500
501 OVPN_MP_SET_PEER mp_peer = { peerid, keepalive_interval, keepalive_timeout, mss };
502 OVPN_SET_PEER peer = { keepalive_interval, keepalive_timeout, mss };
503 VOID *buf = NULL;
504 DWORD len = 0;
505 DWORD ioctl = (dco->ifmode == DCO_MODE_MP) ? OVPN_IOCTL_MP_SET_PEER : OVPN_IOCTL_SET_PEER;
506
507 if (dco->ifmode == DCO_MODE_MP)
508 {
509 buf = &mp_peer;
510 len = sizeof(OVPN_MP_SET_PEER);
511 }
512 else
513 {
514 buf = &peer;
515 len = sizeof(OVPN_SET_PEER);
516 }
517
518 DWORD bytes_returned = 0;
519 if (!DeviceIoControl(dco->tt->hand, ioctl, buf, len, NULL, 0, &bytes_returned, NULL))
520 {
521 msg(M_WARN | M_ERRNO, "DeviceIoControl(OVPN_IOCTL_MP_SET_PEER) failed");
522 return -1;
523 }
524
525 return 0;
526}
527
528int
529dco_new_key(dco_context_t *dco, unsigned int peerid, int keyid, dco_key_slot_t slot,
530 const uint8_t *encrypt_key, const uint8_t *encrypt_iv, const uint8_t *decrypt_key,
531 const uint8_t *decrypt_iv, const char *ciphername)
532{
533 msg(D_DCO_DEBUG, "%s: slot %d, key-id %d, peer-id %d, cipher %s", __func__, slot, keyid, peerid,
534 ciphername);
535
536 const int nonce_len = 8;
537 size_t key_len = cipher_kt_key_size(ciphername);
538
539 OVPN_CRYPTO_DATA crypto_data;
540 ZeroMemory(&crypto_data, sizeof(crypto_data));
541
542 crypto_data.CipherAlg = dco_get_cipher(ciphername);
543 crypto_data.KeyId = keyid;
544 crypto_data.PeerId = peerid;
545 crypto_data.KeySlot = slot;
546
547 CopyMemory(crypto_data.Encrypt.Key, encrypt_key, key_len);
548 crypto_data.Encrypt.KeyLen = (char)key_len;
549 CopyMemory(crypto_data.Encrypt.NonceTail, encrypt_iv, nonce_len);
550
551 CopyMemory(crypto_data.Decrypt.Key, decrypt_key, key_len);
552 crypto_data.Decrypt.KeyLen = (char)key_len;
553 CopyMemory(crypto_data.Decrypt.NonceTail, decrypt_iv, nonce_len);
554
555 ASSERT(crypto_data.CipherAlg > 0);
556
557 DWORD bytes_returned = 0;
558
559 if (!DeviceIoControl(dco->tt->hand, OVPN_IOCTL_NEW_KEY, &crypto_data, sizeof(crypto_data), NULL,
560 0, &bytes_returned, NULL))
561 {
562 msg(M_ERR, "DeviceIoControl(OVPN_IOCTL_NEW_KEY) failed");
563 return -1;
564 }
565 return 0;
566}
567int
568dco_del_key(dco_context_t *dco, unsigned int peerid, dco_key_slot_t slot)
569{
570 msg(D_DCO, "%s: peer-id %d, slot %d called but ignored", __func__, peerid, slot);
571 /* FIXME: Implement in driver first */
572 return 0;
573}
574
575int
576dco_swap_keys(dco_context_t *dco, unsigned int peer_id)
577{
578 msg(D_DCO_DEBUG, "%s: peer-id %d", __func__, peer_id);
579
580 OVPN_MP_SWAP_KEYS swap = { peer_id };
581 DWORD ioctl = OVPN_IOCTL_SWAP_KEYS;
582 VOID *buf = NULL;
583 DWORD len = 0;
584
585 if (dco->ifmode == DCO_MODE_MP)
586 {
588 buf = &swap;
589 len = sizeof(swap);
590 }
591
592 DWORD bytes_returned = 0;
593 if (!DeviceIoControl(dco->tt->hand, ioctl, buf, len, NULL, 0, &bytes_returned, NULL))
594 {
595 msg(M_ERR, "DeviceIoControl(OVPN_IOCTL_SWAP_KEYS) failed");
596 return -1;
597 }
598 return 0;
599}
600
601bool
602dco_available(int msglevel)
603{
604 /* try to open device by symbolic name */
605 HANDLE h = CreateFile("\\\\.\\ovpn-dco", GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING,
606 FILE_ATTRIBUTE_SYSTEM | FILE_FLAG_OVERLAPPED, NULL);
607
608 if (h != INVALID_HANDLE_VALUE)
609 {
610 CloseHandle(h);
611 return true;
612 }
613
614 DWORD err = GetLastError();
615 if (err == ERROR_ACCESS_DENIED)
616 {
617 /* this likely means that device exists but is already in use,
618 * don't bail out since later we try to open all existing dco
619 * devices and then bail out if all devices are in use
620 */
621 return true;
622 }
623
624 msg(msglevel, "Note: ovpn-dco-win driver is missing, disabling data channel offload.");
625 return false;
626}
627
628const char *
630{
631 OVPN_VERSION version = { 0 };
632 if (dco_get_version(&version))
633 {
634 struct buffer out = alloc_buf_gc(256, gc);
635 buf_printf(&out, "%ld.%ld.%ld", version.Major, version.Minor, version.Patch);
636 return BSTR(&out);
637 }
638 else
639 {
640 return "N/A";
641 }
642}
643
655static void
657{
658 DWORD bytes_read = 0;
659 BOOL res = GetOverlappedResult(dco->tt->hand, &dco->ov, &bytes_read, FALSE);
660 if (res)
661 {
662 msg(D_DCO_DEBUG, "%s: completion%s success [%ld]", __func__, queued ? "" : " non-queued",
663 bytes_read);
664
665 dco->dco_message_peer_id = dco->notif_buf.PeerId;
666 dco->dco_message_type = dco->notif_buf.Cmd;
667 dco->dco_del_peer_reason = dco->notif_buf.DelPeerReason;
668 dco->dco_float_peer_ss = dco->notif_buf.FloatAddress;
669 }
670 else
671 {
672 msg(D_DCO_DEBUG | M_ERRNO, "%s: completion%s error", __func__, queued ? "" : " non-queued");
673 }
674}
675
676int
678{
679 if (dco->ifmode != DCO_MODE_MP)
680 {
681 ASSERT(false);
682 }
683
684 dco->dco_message_peer_id = -1;
685 dco->dco_message_type = 0;
686
687 switch (dco->iostate)
688 {
689 case IOSTATE_QUEUED:
691
692 ASSERT(ResetEvent(dco->ov.hEvent));
693 dco->iostate = IOSTATE_INITIAL;
694
695 break;
696
698 dco->iostate = IOSTATE_INITIAL;
699 ASSERT(ResetEvent(dco->ov.hEvent));
700
701 if (dco->ov_ret == ERROR_SUCCESS)
702 {
704 }
705 else
706 {
707 SetLastError(dco->ov_ret);
708 msg(D_DCO_DEBUG | M_ERRNO, "%s: completion non-queued error", __func__);
709 }
710
711 break;
712 }
713
714 return 0;
715}
716
717int
719{
720 struct gc_arena gc = gc_new();
721
722 int ret = 0;
723 struct tuntap *tt = dco->tt;
724
725 if (!tuntap_defined(tt))
726 {
727 ret = -1;
728 goto done;
729 }
730
732 .PeerId = -1
733 };
734
735 DWORD required_size = 0, bytes_returned = 0;
736 /* first, figure out buffer size */
737 if (!DeviceIoControl(tt->hand, OVPN_IOCTL_GET_PEER_STATS, &ps, sizeof(ps), &required_size, sizeof(DWORD), &bytes_returned, NULL))
738 {
739 if (GetLastError() == ERROR_MORE_DATA)
740 {
741 if (bytes_returned != sizeof(DWORD))
742 {
743 msg(M_WARN, "%s: invalid bytes returned for size query (%lu, expected %zu)", __func__, bytes_returned, sizeof(DWORD));
744 ret = -1;
745 goto done;
746 }
747 /* required_size now contains the size written by the driver */
748 if (required_size == 0)
749 {
750 ret = 0; /* no peers to process */
751 goto done;
752 }
753 if (required_size < sizeof(OVPN_PEER_STATS))
754 {
755 msg(M_WARN, "%s: invalid required size %lu (minimum %zu)", __func__, required_size, sizeof(OVPN_PEER_STATS));
756 ret = -1;
757 goto done;
758 }
759 }
760 else
761 {
762 msg(M_WARN | M_ERRNO, "%s: failed to fetch required buffer size", __func__);
763 ret = -1;
764 goto done;
765 }
766 }
767 else
768 {
769 /* unexpected success? */
770 if (bytes_returned == 0)
771 {
772 ret = 0; /* no peers to process */
773 goto done;
774 }
775
776 msg(M_WARN, "%s: first DeviceIoControl call succeeded unexpectedly (%lu bytes returned)", __func__, bytes_returned);
777 ret = -1;
778 goto done;
779 }
780
781
782 /* allocate the buffer and fetch stats */
783 OVPN_PEER_STATS *peer_stats = gc_malloc(required_size, true, &gc);
784 if (!peer_stats)
785 {
786 msg(M_WARN, "%s: failed to allocate buffer of size %lu", __func__, required_size);
787 ret = -1;
788 goto done;
789 }
790
791 if (!DeviceIoControl(tt->hand, OVPN_IOCTL_GET_PEER_STATS, &ps, sizeof(ps), peer_stats, required_size, &bytes_returned, NULL))
792 {
793 /* unlikely case when a peer has been added since fetching buffer size, not an error! */
794 if (GetLastError() == ERROR_MORE_DATA)
795 {
796 msg(M_WARN, "%s: peer has been added, skip fetching stats", __func__);
797 ret = 0;
798 goto done;
799 }
800
801 msg(M_WARN | M_ERRNO, "%s: failed to fetch multipeer stats", __func__);
802 ret = -1;
803 goto done;
804 }
805
806 /* iterate over stats and update peers */
807 for (int i = 0; i < bytes_returned / sizeof(OVPN_PEER_STATS); ++i)
808 {
809 OVPN_PEER_STATS *stat = &peer_stats[i];
810
811 if (stat->PeerId >= dco->c->multi->max_clients)
812 {
813 msg(M_WARN, "%s: received out of bound peer_id %u (max=%u)", __func__, stat->PeerId,
814 dco->c->multi->max_clients);
815 continue;
816 }
817
818 struct multi_instance *mi = dco->c->multi->instances[stat->PeerId];
819 if (!mi)
820 {
821 msg(M_WARN, "%s: received data for a non-existing peer %u", __func__, stat->PeerId);
822 continue;
823 }
824
825 /* update peer stats */
826 struct context_2 *c2 = &mi->context.c2;
827 c2->dco_read_bytes = stat->LinkRxBytes;
828 c2->dco_write_bytes = stat->LinkTxBytes;
829 c2->tun_read_bytes = stat->VpnRxBytes;
830 c2->tun_write_bytes = stat->VpnTxBytes;
831 }
832
833done:
834 gc_free(&gc);
835
836 if (raise_sigusr1_on_err && ret < 0)
837 {
838 register_signal(dco->c->sig, SIGUSR1, "dco peer stats error");
839 }
840
841 return ret;
842}
843
844int
845dco_get_peer_stats_fallback(struct context *c, const bool raise_sigusr1_on_err)
846{
847 struct tuntap *tt = c->c1.tuntap;
848
849 if (!tuntap_defined(tt))
850 {
851 return -1;
852 }
853
854 OVPN_STATS stats;
855 ZeroMemory(&stats, sizeof(OVPN_STATS));
856
857 DWORD bytes_returned = 0;
858 if (!DeviceIoControl(tt->hand, OVPN_IOCTL_GET_STATS, NULL, 0, &stats, sizeof(stats),
859 &bytes_returned, NULL))
860 {
861 msg(M_WARN | M_ERRNO, "DeviceIoControl(OVPN_IOCTL_GET_STATS) failed");
862 return -1;
863 }
864
869
870 return 0;
871}
872
873int
874dco_get_peer_stats(struct context *c, const bool raise_sigusr1_on_err)
875{
876 struct tuntap *tt = c->c1.tuntap;
877
878 if (!tuntap_defined(tt))
879 {
880 return -1;
881 }
882
883 /* first, try a new ioctl */
885
886 OVPN_PEER_STATS peer_stats = { 0 };
887 DWORD bytes_returned = 0;
888 if (!DeviceIoControl(tt->hand, OVPN_IOCTL_GET_PEER_STATS, &ps, sizeof(ps), &peer_stats, sizeof(peer_stats),
889 &bytes_returned, NULL))
890 {
891 if (GetLastError() == ERROR_INVALID_FUNCTION)
892 {
893 /* are we using the old driver? */
894 return dco_get_peer_stats_fallback(c, raise_sigusr1_on_err);
895 }
896
897 msg(M_WARN | M_ERRNO, "%s: DeviceIoControl(OVPN_IOCTL_GET_PEER_STATS) failed", __func__);
898 return -1;
899 }
900
901 if (bytes_returned != sizeof(OVPN_PEER_STATS))
902 {
903 msg(M_WARN | M_ERRNO, "%s: DeviceIoControl(OVPN_IOCTL_GET_PEER_STATS) returned invalid size", __func__);
904 return -1;
905 }
906
907 c->c2.dco_read_bytes = peer_stats.LinkRxBytes;
908 c->c2.dco_write_bytes = peer_stats.LinkTxBytes;
909 c->c2.tun_read_bytes = peer_stats.VpnRxBytes;
910 c->c2.tun_write_bytes = peer_stats.VpnTxBytes;
911
912 return 0;
913}
914
915void
917{
918 if (dco->ifmode != DCO_MODE_MP)
919 {
920 /* mp only */
921 return;
922 }
923
924 event_ctl(es, &dco->rwhandle, EVENT_READ, arg);
925
926 if (dco->iostate == IOSTATE_INITIAL)
927 {
928 /* the overlapped IOCTL will signal this event on I/O completion */
929 ASSERT(ResetEvent(dco->ov.hEvent));
930
931 if (!DeviceIoControl(dco->tt->hand, OVPN_IOCTL_NOTIFY_EVENT, NULL, 0, &dco->notif_buf,
932 sizeof(dco->notif_buf), NULL, &dco->ov))
933 {
934 DWORD err = GetLastError();
935 if (err == ERROR_IO_PENDING) /* operation queued? */
936 {
937 dco->iostate = IOSTATE_QUEUED;
938 dco->ov_ret = ERROR_SUCCESS;
939
940 msg(D_DCO_DEBUG, "%s: notify ioctl queued", __func__);
941 }
942 else
943 {
944 /* error occured */
945 ASSERT(SetEvent(dco->ov.hEvent));
946 dco->iostate = IOSTATE_IMMEDIATE_RETURN;
947 dco->ov_ret = err;
948
949 msg(D_DCO_DEBUG | M_ERRNO, "%s: notify ioctl error", __func__);
950 }
951 }
952 else
953 {
954 ASSERT(SetEvent(dco->ov.hEvent));
955 dco->iostate = IOSTATE_IMMEDIATE_RETURN;
956 dco->ov_ret = ERROR_SUCCESS;
957
958 msg(D_DCO_DEBUG, "%s: notify ioctl immediate return", __func__);
959 }
960 }
961}
962
963const char *
965{
966 /*
967 * this API can be called either from user mode or kernel mode,
968 * which enables us to probe driver's chachapoly support
969 * (available starting from Windows 11)
970 */
971
972 BCRYPT_ALG_HANDLE h;
973 NTSTATUS status = BCryptOpenAlgorithmProvider(&h, L"CHACHA20_POLY1305", NULL, 0);
974 if (BCRYPT_SUCCESS(status))
975 {
976 BCryptCloseAlgorithmProvider(h, 0);
977 return "AES-128-GCM:AES-256-GCM:AES-192-GCM:CHACHA20-POLY1305";
978 }
979 else
980 {
981 return "AES-128-GCM:AES-256-GCM:AES-192-GCM";
982 }
983}
984
985bool
987{
988 OVPN_VERSION ver = { 0 };
989 return dco_get_version(&ver) && ver.Major >= 2;
990}
991
992void
993dco_win_add_iroute_ipv4(dco_context_t *dco, in_addr_t dst, unsigned int netbits,
994 unsigned int peer_id)
995{
996 struct gc_arena gc = gc_new();
997
999 .Addr.Addr4.S_un.S_addr = dst, .Netbits = netbits, .PeerId = peer_id, .IPv6 = 0
1000 };
1001
1002 msg(D_DCO_DEBUG, "%s: %s/%d -> peer %d", __func__, print_in_addr_t(dst, IA_NET_ORDER, &gc),
1003 netbits, peer_id);
1004
1005 DWORD bytes_returned = 0;
1006 if (!DeviceIoControl(dco->tt->hand, OVPN_IOCTL_MP_ADD_IROUTE, &route, sizeof(route), NULL, 0,
1007 &bytes_returned, NULL))
1008 {
1009 msg(M_WARN | M_ERRNO, "DeviceIoControl(OVPN_IOCTL_MP_ADD_IROUTE) failed");
1010 }
1011
1012 gc_free(&gc);
1013}
1014
1015void
1016dco_win_add_iroute_ipv6(dco_context_t *dco, struct in6_addr dst, unsigned int netbits,
1017 unsigned int peer_id)
1018{
1019 struct gc_arena gc = gc_new();
1020
1021 OVPN_MP_IROUTE route = { .Addr.Addr6 = dst, .Netbits = netbits, .PeerId = peer_id, .IPv6 = 1 };
1022
1023 msg(D_DCO_DEBUG, "%s: %s/%d -> peer %d", __func__, print_in6_addr(dst, IA_NET_ORDER, &gc),
1024 netbits, peer_id);
1025
1026 DWORD bytes_returned = 0;
1027 if (!DeviceIoControl(dco->tt->hand, OVPN_IOCTL_MP_ADD_IROUTE, &route, sizeof(route), NULL, 0,
1028 &bytes_returned, NULL))
1029 {
1030 msg(M_WARN | M_ERRNO, "DeviceIoControl(OVPN_IOCTL_MP_ADD_IROUTE) failed");
1031 }
1032
1033 gc_free(&gc);
1034}
1035
1036void
1037dco_win_del_iroute_ipv4(dco_context_t *dco, in_addr_t dst, unsigned int netbits)
1038{
1039 struct gc_arena gc = gc_new();
1040
1042 .Addr.Addr4.S_un.S_addr = dst, .Netbits = netbits, .PeerId = -1, .IPv6 = 0
1043 };
1044
1045 msg(D_DCO_DEBUG, "%s: %s/%d", __func__, print_in_addr_t(dst, IA_NET_ORDER, &gc), netbits);
1046
1047 DWORD bytes_returned = 0;
1048 if (!DeviceIoControl(dco->tt->hand, OVPN_IOCTL_MP_DEL_IROUTE, &route, sizeof(route), NULL, 0,
1049 &bytes_returned, NULL))
1050 {
1051 msg(M_WARN | M_ERRNO, "DeviceIoControl(OVPN_IOCTL_MP_DEL_IROUTE) failed");
1052 }
1053
1054 gc_free(&gc);
1055}
1056
1057void
1058dco_win_del_iroute_ipv6(dco_context_t *dco, struct in6_addr dst, unsigned int netbits)
1059{
1060 struct gc_arena gc = gc_new();
1061
1062 OVPN_MP_IROUTE route = { .Addr.Addr6 = dst, .Netbits = netbits, .PeerId = -1, .IPv6 = 1 };
1063
1064 msg(D_DCO_DEBUG, "%s: %s/%d", __func__, print_in6_addr(dst, IA_NET_ORDER, &gc), netbits);
1065
1066 DWORD bytes_returned = 0;
1067 if (!DeviceIoControl(dco->tt->hand, OVPN_IOCTL_MP_DEL_IROUTE, &route, sizeof(route), NULL, 0,
1068 &bytes_returned, NULL))
1069 {
1070 msg(M_WARN | M_ERRNO, "DeviceIoControl(OVPN_IOCTL_MP_DEL_IROUTE) failed");
1071 }
1072
1073 gc_free(&gc);
1074}
1075
1076#endif /* defined(_WIN32) */
bool buf_printf(struct buffer *buf, const char *format,...)
Definition buffer.c:241
void * gc_malloc(size_t size, bool clear, struct gc_arena *a)
Definition buffer.c:336
struct buffer alloc_buf_gc(size_t size, struct gc_arena *gc)
Definition buffer.c:89
#define BSTR(buf)
Definition buffer.h:128
static void gc_free(struct gc_arena *a)
Definition buffer.h:1015
static struct gc_arena gc_new(void)
Definition buffer.h:1007
Data Channel Cryptography Module.
int cipher_kt_key_size(const char *ciphername)
Returns the size of keys used by the cipher, in bytes.
void * dco_context_t
Definition dco.h:261
int open_tun_dco(struct tuntap *tt, openvpn_net_ctx_t *ctx, const char *dev)
Definition dco_win.c:215
int dco_del_key(dco_context_t *dco, unsigned int peerid, dco_key_slot_t slot)
Definition dco_win.c:568
void dco_mp_start_vpn(HANDLE handle, struct link_socket *sock)
Initializes and binds the kernel UDP transport socket for multipeer mode.
Definition dco_win.c:283
int dco_del_peer(dco_context_t *dco, unsigned int peerid)
Definition dco_win.c:469
void dco_win_add_iroute_ipv6(dco_context_t *dco, struct in6_addr dst, unsigned int netbits, unsigned int peer_id)
Definition dco_win.c:1016
const char * dco_version_string(struct gc_arena *gc)
Definition dco_win.c:629
void dco_p2p_start_vpn(struct tuntap *tt)
Transitions the DCO adapter to the connected state in P2P mode.
Definition dco_win.c:165
const char * dco_get_supported_ciphers(void)
Definition dco_win.c:964
bool ovpn_dco_init(struct context *c)
Initializes DCO depends on mode
Definition dco_win.c:190
bool dco_available(int msglevel)
Definition dco_win.c:602
static void dco_connect_wait(HANDLE handle, OVERLAPPED *ov, int timeout, struct signal_info *sig_info)
Definition dco_win.c:222
void dco_win_del_iroute_ipv4(dco_context_t *dco, in_addr_t dst, unsigned int netbits)
Definition dco_win.c:1037
bool dco_win_supports_multipeer(void)
Definition dco_win.c:986
int dco_get_peer_stats_multi(dco_context_t *dco, const bool raise_sigusr1_on_err)
Definition dco_win.c:718
void dco_win_del_iroute_ipv6(dco_context_t *dco, struct in6_addr dst, unsigned int netbits)
Definition dco_win.c:1058
int dco_get_peer_stats_fallback(struct context *c, const bool raise_sigusr1_on_err)
Definition dco_win.c:845
static void dco_wait_ready(DWORD idx)
Definition dco_win.c:49
int dco_set_peer(dco_context_t *dco, unsigned int peerid, int keepalive_interval, int keepalive_timeout, int mss)
Definition dco_win.c:495
int dco_swap_keys(dco_context_t *dco, unsigned int peer_id)
Definition dco_win.c:576
void ovpn_dco_init_mp(dco_context_t *dco, const char *dev_node)
Initializes the DCO adapter in multipeer mode and sets it to "connected" state.
Definition dco_win.c:122
int dco_do_read(dco_context_t *dco)
Definition dco_win.c:677
int dco_get_peer_stats(struct context *c, const bool raise_sigusr1_on_err)
Definition dco_win.c:874
int dco_new_peer(dco_context_t *dco, unsigned int peerid, int sd, struct sockaddr *localaddr, struct sockaddr *remoteaddr, struct in_addr *vpn_ipv4, struct in6_addr *vpn_ipv6)
Definition dco_win.c:418
static void dco_handle_overlapped_success(dco_context_t *dco, bool queued)
Handles successful completion of overlapped operation.
Definition dco_win.c:656
static bool dco_get_version(OVPN_VERSION *version)
Gets version of dco-win driver.
Definition dco_win.c:73
void dco_p2p_new_peer(HANDLE handle, OVERLAPPED *ov, struct link_socket *sock, struct signal_info *sig_info)
Definition dco_win.c:327
void dco_win_add_iroute_ipv4(dco_context_t *dco, in_addr_t dst, unsigned int netbits, unsigned int peer_id)
Definition dco_win.c:993
void dco_event_set(dco_context_t *dco, struct event_set *es, void *arg)
Definition dco_win.c:916
int dco_new_key(dco_context_t *dco, unsigned int peerid, int keyid, dco_key_slot_t slot, const uint8_t *encrypt_key, const uint8_t *encrypt_iv, const uint8_t *decrypt_key, const uint8_t *decrypt_iv, const char *ciphername)
Definition dco_win.c:529
#define D_DCO
Definition errlevel.h:93
#define D_DCO_DEBUG
Definition errlevel.h:117
#define EVENT_READ
Definition event.h:38
static void event_ctl(struct event_set *es, event_t event, unsigned int rwflags, void *arg)
Definition event.h:183
int get_server_poll_remaining_time(struct event_timeout *server_poll_timeout)
Definition forward.c:497
Interface functions to the internal and external multiplexers.
static SERVICE_STATUS status
Definition interactive.c:51
@ route
Definition interactive.c:85
void management_sleep(const int n)
A sleep function that services the management layer for n seconds rather than doing nothing.
Definition manage.c:4131
Header file for server-mode related structures and functions.
void * openvpn_net_ctx_t
Definition networking.h:38
#define CLEAR(x)
Definition basic.h:32
#define M_FATAL
Definition error.h:88
#define M_NONFATAL
Definition error.h:89
#define M_ERR
Definition error.h:104
#define msg(flags,...)
Definition error.h:150
#define ASSERT(x)
Definition error.h:217
#define M_WARN
Definition error.h:90
#define M_ERRNO
Definition error.h:93
#define MODE_POINT_TO_POINT
Definition options.h:260
#define MODE_SERVER
Definition options.h:261
#define OVPN_SET_PEER
#define OVPN_IOCTL_GET_STATS
#define OVPN_IOCTL_GET_VERSION
@ OVPN_PROTO_UDP
@ OVPN_PROTO_TCP
#define OVPN_IOCTL_SWAP_KEYS
#define OVPN_IOCTL_NEW_KEY
#define OVPN_IOCTL_NOTIFY_EVENT
#define OVPN_IOCTL_MP_DEL_IROUTE
OVPN_MODE
@ OVPN_MODE_MP
#define OVPN_IOCTL_MP_SET_PEER
#define OVPN_IOCTL_MP_SWAP_KEYS
#define OVPN_IOCTL_GET_PEER_STATS
#define OVPN_IOCTL_SET_PEER
#define OVPN_IOCTL_NEW_PEER
#define OVPN_IOCTL_MP_ADD_IROUTE
#define OVPN_IOCTL_START_VPN
#define OVPN_IOCTL_MP_NEW_PEER
#define OVPN_IOCTL_SET_MODE
#define OVPN_IOCTL_DEL_PEER
#define OVPN_IOCTL_MP_START_VPN
struct _OVPN_MP_SET_PEER OVPN_MP_SET_PEER
#define OVPN_IOCTL_MP_DEL_PEER
struct _OVPN_PEER_STATS OVPN_PEER_STATS
void register_signal(struct signal_info *si, int signum, const char *signal_text)
Register a soft signal in the signal_info struct si respecting priority.
Definition sig.c:228
static void get_signal(volatile int *sig)
Copy the global signal_received (if non-zero) to the passed-in argument sig.
Definition sig.h:109
#define SF_PREPEND_SA
Definition socket.h:197
const char * print_in6_addr(struct in6_addr a6, unsigned int flags, struct gc_arena *gc)
const char * print_in_addr_t(in_addr_t addr, unsigned int flags, struct gc_arena *gc)
const char * addr_family_name(int af)
#define IA_NET_ORDER
Definition socket_util.h:90
Control Channel Common Data Structures.
OVPN_KEY_SLOT KeySlot
unsigned char KeyId
OVPN_KEY_DIRECTION Decrypt
OVPN_KEY_DIRECTION Encrypt
OVPN_CIPHER_ALG CipherAlg
unsigned char Key[32]
unsigned char NonceTail[8]
unsigned char KeyLen
union _OVPN_MP_IROUTE::@20 Addr
union _OVPN_MP_NEW_PEER::@17 Local
SOCKADDR_IN6 Addr6
SOCKADDR_IN Addr4
union _OVPN_MP_NEW_PEER::@18 Remote
SOCKADDR_IN6 Addr6
union _OVPN_MP_START_VPN::@19 ListenAddress
SOCKADDR_IN6 Addr6
union _OVPN_NEW_PEER::@15 Local
SOCKADDR_IN Addr4
union _OVPN_NEW_PEER::@16 Remote
OVPN_PROTO Proto
LONG64 TunBytesSent
LONG64 TransportBytesSent
LONG64 TunBytesReceived
LONG64 TransportBytesReceived
Wrapper structure for dynamically allocated memory.
Definition buffer.h:60
int len
Length in bytes of the actual content within the allocated memory.
Definition buffer.h:65
struct tuntap * tuntap
Tun/tap virtual network interface.
Definition openvpn.h:172
Level 2 context containing state that is reset on both SIGHUP and SIGUSR1 restarts.
Definition openvpn.h:224
counter_type dco_read_bytes
Definition openvpn.h:267
counter_type tun_read_bytes
Definition openvpn.h:264
counter_type dco_write_bytes
Definition openvpn.h:270
struct tls_multi * tls_multi
TLS state structure for this VPN tunnel.
Definition openvpn.h:323
counter_type tun_write_bytes
Definition openvpn.h:265
Contains all state information for one tunnel.
Definition openvpn.h:474
int mode
Role of this context within the OpenVPN process.
Definition openvpn.h:487
struct context_2 c2
Level 2 context.
Definition openvpn.h:517
struct options options
Options loaded from command line or configuration file.
Definition openvpn.h:475
struct context_1 c1
Level 1 context.
Definition openvpn.h:516
Garbage collection arena used to keep track of dynamically allocated memory.
Definition buffer.h:116
Server-mode state structure for one single VPN tunnel.
Definition multi.h:103
struct context context
The context structure storing state for this VPN tunnel.
Definition multi.h:144
const char * dev_node
Definition options.h:320
volatile int signal_received
Definition sig.h:42
int dco_peer_id
This is the handle that DCO uses to identify this session with the kernel.
Definition ssl_common.h:724
Definition tun.h:183
DWORD adapter_index
Definition tun.h:234
HANDLE hand
Definition tun.h:218
dco_context_t dco
Definition tun.h:249
struct env_set * es
char ** res
struct gc_arena gc
Definition test_ssl.c:154
void tun_open_device(struct tuntap *tt, const char *dev_node, const char **device_guid, struct gc_arena *gc)
Definition tun.c:6190
static bool tuntap_defined(const struct tuntap *tt)
Definition tun.h:254
#define IOSTATE_IMMEDIATE_RETURN
Definition win32.h:207
#define IOSTATE_INITIAL
Definition win32.h:205
#define IOSTATE_QUEUED
Definition win32.h:206