41#if defined(__MINGW32__)
42const IN_ADDR in4addr_any = { 0 };
51 for (
int i = 0;
i < 20; ++
i)
53 MIB_IPINTERFACE_ROW row = { .InterfaceIndex = idx, .Family = AF_INET };
54 if (GetIpInterfaceEntry(&row) != ERROR_NOT_FOUND)
79 HANDLE h = CreateFile(
"\\\\.\\ovpn-dco-ver", GENERIC_READ, 0, NULL, OPEN_EXISTING, 0, NULL);
81 if (h == INVALID_HANDLE_VALUE)
84 h = CreateFile(
"\\\\.\\ovpn-dco", GENERIC_READ, 0, NULL, OPEN_EXISTING, 0, NULL);
87 if (h == INVALID_HANDLE_VALUE)
92 DWORD bytes_returned = 0;
94 &bytes_returned, NULL))
102 if (h != INVALID_HANDLE_VALUE)
124 ASSERT(dco->ifmode == DCO_MODE_UNINIT);
125 dco->ifmode = DCO_MODE_MP;
130 dco->ov.hEvent = CreateEvent(NULL, TRUE, FALSE, NULL);
131 if (dco->ov.hEvent == NULL)
133 msg(
M_ERR,
"Error: ovpn_dco_init: CreateEvent failed");
136 dco->rwhandle.read = dco->ov.hEvent;
140 const char *device_guid;
146 DWORD bytes_returned = 0;
148 &bytes_returned, NULL))
150 msg(
M_ERR,
"DeviceIoControl(OVPN_IOCTL_SET_MODE) failed");
167 DWORD bytes_returned = 0;
170 msg(
M_ERR,
"DeviceIoControl(OVPN_IOCTL_START_VPN) failed");
199 dco->ifmode = DCO_MODE_P2P;
226 typedef BOOL(WINAPI * get_overlapped_result_ex_t)(HANDLE, LPOVERLAPPED, LPDWORD, DWORD, BOOL);
227 get_overlapped_result_ex_t get_overlapped_result_ex =
228 (get_overlapped_result_ex_t)GetProcAddress(GetModuleHandle(
"Kernel32.dll"),
229 "GetOverlappedResultEx");
231 if (get_overlapped_result_ex == NULL)
233 msg(
M_ERR,
"Failed to load GetOverlappedResult()");
236 DWORD timeout_msec = timeout * 1000;
237 const int poll_interval_ms = 50;
239 while (timeout_msec > 0)
241 timeout_msec -= poll_interval_ms;
244 if (get_overlapped_result_ex(handle, ov, &transferred, poll_interval_ms, FALSE) != 0)
250 DWORD err = GetLastError();
251 if ((err != WAIT_TIMEOUT) && (err != ERROR_IO_INCOMPLETE))
260 if (*signal_received)
289 struct addrinfo *cur = NULL;
291 for (cur = local; cur; cur = cur->ai_next)
293 if (cur->ai_family == ai_family)
300 msg(
M_FATAL,
"%s: Socket bind failed: Addr to bind has no %s record", __func__,
306 if (ai_family == AF_INET)
318 DWORD bytes_returned = 0;
320 &bytes_returned, NULL))
322 msg(
M_ERR,
"DeviceIoControl(OVPN_IOCTL_MP_START_VPN) failed");
336 struct sockaddr *local = NULL;
337 struct sockaddr *remote = remoteaddr->ai_addr;
339 if (remoteaddr->ai_protocol == IPPROTO_TCP || remoteaddr->ai_socktype == SOCK_STREAM)
352 while (bind && !local)
354 if (bind->ai_family == remote->sa_family)
356 local = bind->ai_addr;
358 bind = bind->ai_next;
364 msg(
M_FATAL,
"DCO: Socket bind failed: Address to bind lacks %s record",
368 if (remote->sa_family == AF_INET6)
370 peer.
Remote.
Addr6 = *((SOCKADDR_IN6 *)(remoteaddr->ai_addr));
382 else if (remote->sa_family == AF_INET)
384 peer.
Remote.
Addr4 = *((SOCKADDR_IN *)(remoteaddr->ai_addr));
404 DWORD err = GetLastError();
405 if (err != ERROR_IO_PENDING)
407 msg(
M_ERR,
"DeviceIoControl(OVPN_IOCTL_NEW_PEER) failed");
419 struct sockaddr *remoteaddr,
struct in_addr *vpn_ipv4,
struct in6_addr *vpn_ipv6)
423 if (dco->ifmode == DCO_MODE_P2P)
434 newPeer.
Local.
Addr4.sin_family = remoteaddr->sa_family;
436 if (remoteaddr->sa_family == AF_INET)
438 memcpy(&newPeer.
Remote.
Addr4, remoteaddr,
sizeof(
struct sockaddr_in));
442 memcpy(&newPeer.
Remote.
Addr6, remoteaddr,
sizeof(
struct sockaddr_in6));
460 &bytesReturned, NULL))
462 msg(
M_ERR,
"DeviceIoControl(OVPN_IOCTL_MP_NEW_PEER) failed");
478 if (dco->ifmode == DCO_MODE_MP)
482 len =
sizeof(del_peer);
485 DWORD bytes_returned = 0;
486 if (!DeviceIoControl(dco->tt->hand, ioctl, buf, len, NULL, 0, &bytes_returned, NULL))
498 msg(
D_DCO_DEBUG,
"%s: peer-id %d, keepalive %d/%d, mss %d", __func__, peerid,
499 keepalive_interval, keepalive_timeout, mss);
501 OVPN_MP_SET_PEER mp_peer = { peerid, keepalive_interval, keepalive_timeout, mss };
502 OVPN_SET_PEER peer = { keepalive_interval, keepalive_timeout, mss };
507 if (dco->ifmode == DCO_MODE_MP)
518 DWORD bytes_returned = 0;
519 if (!DeviceIoControl(dco->tt->hand, ioctl, buf, len, NULL, 0, &bytes_returned, NULL))
530 const uint8_t *encrypt_key,
const uint8_t *encrypt_iv,
const uint8_t *decrypt_key,
531 const uint8_t *decrypt_iv,
const char *ciphername)
533 msg(
D_DCO_DEBUG,
"%s: slot %d, key-id %d, peer-id %d, cipher %s", __func__, slot, keyid, peerid,
536 const int nonce_len = 8;
540 ZeroMemory(&crypto_data,
sizeof(crypto_data));
542 crypto_data.
CipherAlg = dco_get_cipher(ciphername);
543 crypto_data.
KeyId = keyid;
544 crypto_data.
PeerId = peerid;
547 CopyMemory(crypto_data.
Encrypt.
Key, encrypt_key, key_len);
551 CopyMemory(crypto_data.
Decrypt.
Key, decrypt_key, key_len);
557 DWORD bytes_returned = 0;
559 if (!DeviceIoControl(dco->tt->hand,
OVPN_IOCTL_NEW_KEY, &crypto_data,
sizeof(crypto_data), NULL,
560 0, &bytes_returned, NULL))
562 msg(
M_ERR,
"DeviceIoControl(OVPN_IOCTL_NEW_KEY) failed");
570 msg(
D_DCO,
"%s: peer-id %d, slot %d called but ignored", __func__, peerid, slot);
585 if (dco->ifmode == DCO_MODE_MP)
592 DWORD bytes_returned = 0;
593 if (!DeviceIoControl(dco->tt->hand, ioctl, buf, len, NULL, 0, &bytes_returned, NULL))
595 msg(
M_ERR,
"DeviceIoControl(OVPN_IOCTL_SWAP_KEYS) failed");
605 HANDLE h = CreateFile(
"\\\\.\\ovpn-dco", GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING,
606 FILE_ATTRIBUTE_SYSTEM | FILE_FLAG_OVERLAPPED, NULL);
608 if (h != INVALID_HANDLE_VALUE)
614 DWORD err = GetLastError();
615 if (err == ERROR_ACCESS_DENIED)
624 msg(msglevel,
"Note: ovpn-dco-win driver is missing, disabling data channel offload.");
665 dco->dco_message_peer_id = dco->notif_buf.PeerId;
666 dco->dco_message_type = dco->notif_buf.Cmd;
667 dco->dco_del_peer_reason = dco->notif_buf.DelPeerReason;
668 dco->dco_float_peer_ss = dco->notif_buf.FloatAddress;
684 dco->dco_message_peer_id = -1;
685 dco->dco_message_type = 0;
687 switch (dco->iostate)
735 DWORD required_size = 0, bytes_returned = 0;
739 if (GetLastError() == ERROR_MORE_DATA)
741 if (bytes_returned !=
sizeof(DWORD))
743 msg(
M_WARN,
"%s: invalid bytes returned for size query (%lu, expected %zu)", __func__, bytes_returned,
sizeof(DWORD));
748 if (required_size == 0)
762 msg(
M_WARN |
M_ERRNO,
"%s: failed to fetch required buffer size", __func__);
770 if (bytes_returned == 0)
776 msg(
M_WARN,
"%s: first DeviceIoControl call succeeded unexpectedly (%lu bytes returned)", __func__, bytes_returned);
786 msg(
M_WARN,
"%s: failed to allocate buffer of size %lu", __func__, required_size);
794 if (GetLastError() == ERROR_MORE_DATA)
796 msg(
M_WARN,
"%s: peer has been added, skip fetching stats", __func__);
811 if (stat->
PeerId >=
dco->c->multi->max_clients)
813 msg(
M_WARN,
"%s: received out of bound peer_id %u (max=%u)", __func__, stat->
PeerId,
814 dco->c->multi->max_clients);
821 msg(
M_WARN,
"%s: received data for a non-existing peer %u", __func__, stat->
PeerId);
836 if (raise_sigusr1_on_err && ret < 0)
857 DWORD bytes_returned = 0;
859 &bytes_returned, NULL))
887 DWORD bytes_returned = 0;
889 &bytes_returned, NULL))
891 if (GetLastError() == ERROR_INVALID_FUNCTION)
897 msg(
M_WARN |
M_ERRNO,
"%s: DeviceIoControl(OVPN_IOCTL_GET_PEER_STATS) failed", __func__);
903 msg(
M_WARN |
M_ERRNO,
"%s: DeviceIoControl(OVPN_IOCTL_GET_PEER_STATS) returned invalid size", __func__);
918 if (
dco->ifmode != DCO_MODE_MP)
932 sizeof(
dco->notif_buf), NULL, &
dco->ov))
934 DWORD err = GetLastError();
935 if (err == ERROR_IO_PENDING)
938 dco->ov_ret = ERROR_SUCCESS;
956 dco->ov_ret = ERROR_SUCCESS;
973 NTSTATUS
status = BCryptOpenAlgorithmProvider(&h, L
"CHACHA20_POLY1305", NULL, 0);
974 if (BCRYPT_SUCCESS(
status))
976 BCryptCloseAlgorithmProvider(h, 0);
977 return "AES-128-GCM:AES-256-GCM:AES-192-GCM:CHACHA20-POLY1305";
981 return "AES-128-GCM:AES-256-GCM:AES-192-GCM";
994 unsigned int peer_id)
999 .
Addr.
Addr4.S_un.S_addr = dst, .Netbits = netbits, .PeerId = peer_id, .IPv6 = 0
1005 DWORD bytes_returned = 0;
1007 &bytes_returned, NULL))
1017 unsigned int peer_id)
1026 DWORD bytes_returned = 0;
1028 &bytes_returned, NULL))
1042 .
Addr.
Addr4.S_un.S_addr = dst, .Netbits = netbits, .PeerId = -1, .IPv6 = 0
1047 DWORD bytes_returned = 0;
1049 &bytes_returned, NULL))
1066 DWORD bytes_returned = 0;
1068 &bytes_returned, NULL))
bool buf_printf(struct buffer *buf, const char *format,...)
void * gc_malloc(size_t size, bool clear, struct gc_arena *a)
struct buffer alloc_buf_gc(size_t size, struct gc_arena *gc)
static void gc_free(struct gc_arena *a)
static struct gc_arena gc_new(void)
Data Channel Cryptography Module.
int cipher_kt_key_size(const char *ciphername)
Returns the size of keys used by the cipher, in bytes.
int open_tun_dco(struct tuntap *tt, openvpn_net_ctx_t *ctx, const char *dev)
int dco_del_key(dco_context_t *dco, unsigned int peerid, dco_key_slot_t slot)
void dco_mp_start_vpn(HANDLE handle, struct link_socket *sock)
Initializes and binds the kernel UDP transport socket for multipeer mode.
int dco_del_peer(dco_context_t *dco, unsigned int peerid)
void dco_win_add_iroute_ipv6(dco_context_t *dco, struct in6_addr dst, unsigned int netbits, unsigned int peer_id)
const char * dco_version_string(struct gc_arena *gc)
void dco_p2p_start_vpn(struct tuntap *tt)
Transitions the DCO adapter to the connected state in P2P mode.
const char * dco_get_supported_ciphers(void)
bool ovpn_dco_init(struct context *c)
Initializes DCO depends on mode
bool dco_available(int msglevel)
static void dco_connect_wait(HANDLE handle, OVERLAPPED *ov, int timeout, struct signal_info *sig_info)
void dco_win_del_iroute_ipv4(dco_context_t *dco, in_addr_t dst, unsigned int netbits)
bool dco_win_supports_multipeer(void)
int dco_get_peer_stats_multi(dco_context_t *dco, const bool raise_sigusr1_on_err)
void dco_win_del_iroute_ipv6(dco_context_t *dco, struct in6_addr dst, unsigned int netbits)
int dco_get_peer_stats_fallback(struct context *c, const bool raise_sigusr1_on_err)
static void dco_wait_ready(DWORD idx)
int dco_set_peer(dco_context_t *dco, unsigned int peerid, int keepalive_interval, int keepalive_timeout, int mss)
int dco_swap_keys(dco_context_t *dco, unsigned int peer_id)
void ovpn_dco_init_mp(dco_context_t *dco, const char *dev_node)
Initializes the DCO adapter in multipeer mode and sets it to "connected" state.
int dco_do_read(dco_context_t *dco)
int dco_get_peer_stats(struct context *c, const bool raise_sigusr1_on_err)
int dco_new_peer(dco_context_t *dco, unsigned int peerid, int sd, struct sockaddr *localaddr, struct sockaddr *remoteaddr, struct in_addr *vpn_ipv4, struct in6_addr *vpn_ipv6)
static void dco_handle_overlapped_success(dco_context_t *dco, bool queued)
Handles successful completion of overlapped operation.
static bool dco_get_version(OVPN_VERSION *version)
Gets version of dco-win driver.
void dco_p2p_new_peer(HANDLE handle, OVERLAPPED *ov, struct link_socket *sock, struct signal_info *sig_info)
void dco_win_add_iroute_ipv4(dco_context_t *dco, in_addr_t dst, unsigned int netbits, unsigned int peer_id)
void dco_event_set(dco_context_t *dco, struct event_set *es, void *arg)
int dco_new_key(dco_context_t *dco, unsigned int peerid, int keyid, dco_key_slot_t slot, const uint8_t *encrypt_key, const uint8_t *encrypt_iv, const uint8_t *decrypt_key, const uint8_t *decrypt_iv, const char *ciphername)
static void event_ctl(struct event_set *es, event_t event, unsigned int rwflags, void *arg)
int get_server_poll_remaining_time(struct event_timeout *server_poll_timeout)
Interface functions to the internal and external multiplexers.
static SERVICE_STATUS status
void management_sleep(const int n)
A sleep function that services the management layer for n seconds rather than doing nothing.
Header file for server-mode related structures and functions.
#define MODE_POINT_TO_POINT
#define OVPN_IOCTL_GET_STATS
#define OVPN_IOCTL_GET_VERSION
#define OVPN_IOCTL_SWAP_KEYS
#define OVPN_IOCTL_NEW_KEY
#define OVPN_IOCTL_NOTIFY_EVENT
#define OVPN_IOCTL_MP_DEL_IROUTE
#define OVPN_IOCTL_MP_SET_PEER
#define OVPN_IOCTL_MP_SWAP_KEYS
#define OVPN_IOCTL_GET_PEER_STATS
#define OVPN_IOCTL_SET_PEER
#define OVPN_IOCTL_NEW_PEER
#define OVPN_IOCTL_MP_ADD_IROUTE
#define OVPN_IOCTL_START_VPN
#define OVPN_IOCTL_MP_NEW_PEER
#define OVPN_IOCTL_SET_MODE
#define OVPN_IOCTL_DEL_PEER
#define OVPN_IOCTL_MP_START_VPN
struct _OVPN_MP_SET_PEER OVPN_MP_SET_PEER
#define OVPN_IOCTL_MP_DEL_PEER
struct _OVPN_PEER_STATS OVPN_PEER_STATS
void register_signal(struct signal_info *si, int signum, const char *signal_text)
Register a soft signal in the signal_info struct si respecting priority.
static void get_signal(volatile int *sig)
Copy the global signal_received (if non-zero) to the passed-in argument sig.
const char * print_in6_addr(struct in6_addr a6, unsigned int flags, struct gc_arena *gc)
const char * print_in_addr_t(in_addr_t addr, unsigned int flags, struct gc_arena *gc)
const char * addr_family_name(int af)
Control Channel Common Data Structures.
OVPN_KEY_DIRECTION Decrypt
OVPN_KEY_DIRECTION Encrypt
OVPN_CIPHER_ALG CipherAlg
unsigned char NonceTail[8]
union _OVPN_MP_IROUTE::@20 Addr
union _OVPN_MP_NEW_PEER::@17 Local
union _OVPN_MP_NEW_PEER::@18 Remote
union _OVPN_MP_START_VPN::@19 ListenAddress
union _OVPN_NEW_PEER::@15 Local
union _OVPN_NEW_PEER::@16 Remote
LONG64 TransportBytesSent
LONG64 TransportBytesReceived
Wrapper structure for dynamically allocated memory.
int len
Length in bytes of the actual content within the allocated memory.
struct tuntap * tuntap
Tun/tap virtual network interface.
Level 2 context containing state that is reset on both SIGHUP and SIGUSR1 restarts.
counter_type dco_read_bytes
counter_type tun_read_bytes
counter_type dco_write_bytes
struct tls_multi * tls_multi
TLS state structure for this VPN tunnel.
counter_type tun_write_bytes
Contains all state information for one tunnel.
int mode
Role of this context within the OpenVPN process.
struct context_2 c2
Level 2 context.
struct options options
Options loaded from command line or configuration file.
struct context_1 c1
Level 1 context.
Garbage collection arena used to keep track of dynamically allocated memory.
struct addrinfo * bind_local
struct addrinfo * current_remote
struct link_socket_addr * lsa
struct event_timeout * server_poll_timeout
struct link_socket_info info
Server-mode state structure for one single VPN tunnel.
struct context context
The context structure storing state for this VPN tunnel.
volatile int signal_received
int dco_peer_id
This is the handle that DCO uses to identify this session with the kernel.
void tun_open_device(struct tuntap *tt, const char *dev_node, const char **device_guid, struct gc_arena *gc)
static bool tuntap_defined(const struct tuntap *tt)
#define IOSTATE_IMMEDIATE_RETURN