OpenVPN
mudp.c
Go to the documentation of this file.
1/*
2 * OpenVPN -- An application to securely tunnel IP networks
3 * over a single TCP/UDP port, with support for SSL/TLS-based
4 * session authentication and key exchange,
5 * packet encryption, packet authentication, and
6 * packet compression.
7 *
8 * Copyright (C) 2002-2024 OpenVPN Inc <sales@openvpn.net>
9 *
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License version 2
12 * as published by the Free Software Foundation.
13 *
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
18 *
19 * You should have received a copy of the GNU General Public License along
20 * with this program; if not, write to the Free Software Foundation, Inc.,
21 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22 */
23
24#ifdef HAVE_CONFIG_H
25#include "config.h"
26#endif
27
28#include "syshead.h"
29
30#include "multi.h"
31#include <inttypes.h>
32#include "forward.h"
33
34#include "memdbg.h"
35#include "ssl_pkt.h"
36
37#ifdef HAVE_SYS_INOTIFY_H
38#include <sys/inotify.h>
39#endif
40
41static void
42send_hmac_reset_packet(struct multi_context *m,
43 struct tls_pre_decrypt_state *state,
44 struct tls_auth_standalone *tas,
45 struct session_id *sid,
46 bool request_resend_wkc)
47{
48 reset_packet_id_send(&state->tls_wrap_tmp.opt.packet_id.send);
49 state->tls_wrap_tmp.opt.packet_id.rec.initialized = true;
50 uint8_t header = 0 | (P_CONTROL_HARD_RESET_SERVER_V2 << P_OPCODE_SHIFT);
51 struct buffer buf = tls_reset_standalone(&state->tls_wrap_tmp, tas, sid,
52 &state->peer_session_id, header,
53 request_resend_wkc);
54
55 struct context *c = &m->top;
56
57 /* dco-win server requires prepend with sockaddr, so preserve offset */
58 ASSERT(buf_init(&c->c2.buffers->aux_buf, buf.offset));
59
60 buf_copy(&c->c2.buffers->aux_buf, &buf);
61 m->hmac_reply = c->c2.buffers->aux_buf;
62 m->hmac_reply_dest = &m->top.c2.from;
63 msg(D_MULTI_DEBUG, "Reset packet from client, sending HMAC based reset challenge");
64}
65
66
67/* Returns true if this packet should create a new session */
68static bool
69do_pre_decrypt_check(struct multi_context *m,
70 struct tls_pre_decrypt_state *state,
71 struct mroute_addr addr)
72{
73 ASSERT(m->top.c2.tls_auth_standalone);
74
75 enum first_packet_verdict verdict;
76
77 struct tls_auth_standalone *tas = m->top.c2.tls_auth_standalone;
78
79 verdict = tls_pre_decrypt_lite(tas, state, &m->top.c2.from, &m->top.c2.buf);
80
81 hmac_ctx_t *hmac = m->top.c2.session_id_hmac;
82 struct openvpn_sockaddr *from = &m->top.c2.from.dest;
83 int handwindow = m->top.options.handshake_window;
84
85 if (verdict == VERDICT_VALID_RESET_V3 || verdict == VERDICT_VALID_RESET_V2)
86 {
87 /* Check if we are still below our limit for sending out
88 * responses */
89 if (!reflect_filter_rate_limit_check(m->initial_rate_limiter))
90 {
91 return false;
92 }
93 }
94
95 if (verdict == VERDICT_VALID_RESET_V3)
96 {
97 /* Extract the packet id to check if it has the special format that
98 * indicates early negotiation support */
99 struct packet_id_net pin;
100 struct buffer tmp = m->top.c2.buf;
101 ASSERT(buf_advance(&tmp, 1 + SID_SIZE));
102 ASSERT(packet_id_read(&pin, &tmp, true));
103
104 /* The most significant byte is 0x0f if early negotiation is supported */
105 bool early_neg_support = ((pin.id & EARLY_NEG_MASK) & EARLY_NEG_START) == EARLY_NEG_START;
106
107 /* All clients that support early negotiation and tls-crypt are assumed
108 * to also support resending the WKc in the 2nd packet */
109 if (early_neg_support)
110 {
111 /* Calculate the session ID HMAC for our reply and create reset packet */
112 struct session_id sid = calculate_session_id_hmac(state->peer_session_id,
113 from, hmac, handwindow, 0);
114 send_hmac_reset_packet(m, state, tas, &sid, true);
115
116 return false;
117 }
118 else
119 {
120 /* For tls-crypt-v2 we need to keep the state of the first packet
121 * to store the unwrapped key if the client doesn't support resending
122 * the wrapped key. Unless the user specifically disallowed
123 * compatibility with such clients to avoid state exhaustion */
124 if (tas->tls_wrap.opt.flags & CO_FORCE_TLSCRYPTV2_COOKIE)
125 {
126 struct gc_arena gc = gc_new();
127 const char *peer = print_link_socket_actual(&m->top.c2.from, &gc);
128 msg(D_MULTI_DEBUG, "tls-crypt-v2 force-cookie is enabled, "
129 "ignoring connection attempt from old client (%s)", peer);
130 gc_free(&gc);
131 return false;
132 }
133 else
134 {
135 return true;
136 }
137 }
138 }
139 else if (verdict == VERDICT_VALID_RESET_V2)
140 {
141 /* Calculate the session ID HMAC for our reply and create reset packet */
142 struct session_id sid = calculate_session_id_hmac(state->peer_session_id,
143 from, hmac, handwindow, 0);
144
145 send_hmac_reset_packet(m, state, tas, &sid, false);
146
147 /* We have a reply do not create a new session */
148 return false;
149
150 }
151 else if (verdict == VERDICT_VALID_CONTROL_V1 || verdict == VERDICT_VALID_ACK_V1
152 || verdict == VERDICT_VALID_WKC_V1)
153 {
154 /* ACK_V1 contains the peer id (our id) while CONTROL_V1 can but does not
155 * need to contain the peer id */
156 struct gc_arena gc = gc_new();
157
158 bool ret = check_session_id_hmac(state, from, hmac, handwindow);
159
160 const char *peer = print_link_socket_actual(&m->top.c2.from, &gc);
161 uint8_t pkt_firstbyte = *BPTR( &m->top.c2.buf);
162 int op = pkt_firstbyte >> P_OPCODE_SHIFT;
163
164 if (!ret)
165 {
166 msg(D_MULTI_MEDIUM, "Packet (%s) with invalid or missing SID from %s",
167 packet_opcode_name(op), peer);
168 }
169 else
170 {
171 msg(D_MULTI_DEBUG, "Valid packet (%s) with HMAC challenge from peer (%s), "
172 "accepting new connection.", packet_opcode_name(op), peer);
173 }
174 gc_free(&gc);
175
176 return ret;
177 }
178
179 /* VERDICT_INVALID */
180 return false;
181}
182
183/*
184 * Get a client instance based on real address. If
185 * the instance doesn't exist, create it while
186 * maintaining real address hash table atomicity.
187 */
188
189struct multi_instance *
190multi_get_create_instance_udp(struct multi_context *m, bool *floated,
191 struct link_socket *sock)
192{
193 struct gc_arena gc = gc_new();
194 struct mroute_addr real = {0};
195 struct multi_instance *mi = NULL;
196 struct hash *hash = m->hash;
197 real.proto = sock->info.proto;
198 m->hmac_reply_ls = sock;
199
200 if (mroute_extract_openvpn_sockaddr(&real, &m->top.c2.from.dest, true)
201 && m->top.c2.buf.len > 0)
202 {
203 struct hash_element *he;
204 const uint32_t hv = hash_value(hash, &real);
205 struct hash_bucket *bucket = hash_bucket(hash, hv);
206 uint8_t *ptr = BPTR(&m->top.c2.buf);
207 uint8_t op = ptr[0] >> P_OPCODE_SHIFT;
208 bool v2 = (op == P_DATA_V2) && (m->top.c2.buf.len >= (1 + 3));
209 bool peer_id_disabled = false;
210
211 /* make sure buffer has enough length to read opcode (1 byte) and peer-id (3 bytes) */
212 if (v2)
213 {
214 uint32_t peer_id = ntohl(*(uint32_t *)ptr) & 0xFFFFFF;
215 peer_id_disabled = (peer_id == MAX_PEER_ID);
216
217 if (!peer_id_disabled && (peer_id < m->max_clients) && (m->instances[peer_id]))
218 {
219 mi = m->instances[peer_id];
220
221 *floated = !link_socket_actual_match(&mi->context.c2.from, &m->top.c2.from);
222
223 if (*floated)
224 {
225 /* reset prefix, since here we are not sure peer is the one it claims to be */
226 ungenerate_prefix(mi);
227 msg(D_MULTI_MEDIUM, "Float requested for peer %" PRIu32 " to %s", peer_id,
228 mroute_addr_print(&real, &gc));
229 }
230 }
231 }
232 if (!v2 || peer_id_disabled)
233 {
234 he = hash_lookup_fast(hash, bucket, &real, hv);
235 if (he)
236 {
237 mi = (struct multi_instance *) he->value;
238 }
239 }
240
241 /* we have no existing multi instance for this connection */
242 if (!mi)
243 {
244 struct tls_pre_decrypt_state state = {0};
245 if (m->deferred_shutdown_signal.signal_received)
246 {
247 msg(D_MULTI_ERRORS,
248 "MULTI: Connection attempt from %s ignored while server is "
249 "shutting down", mroute_addr_print(&real, &gc));
250 }
251 else if (do_pre_decrypt_check(m, &state, real))
252 {
253 /* This is an unknown session but with valid tls-auth/tls-crypt
254 * (or no auth at all). If this is the initial packet of a
255 * session, we just send a reply with a HMAC session id and
256 * do not generate a session slot */
257
258 if (frequency_limit_event_allowed(m->new_connection_limiter))
259 {
260 /* a successful three-way handshake only counts against
261 * connect-freq but not against connect-freq-initial */
262 reflect_filter_rate_limit_decrease(m->initial_rate_limiter);
263
264 mi = multi_create_instance(m, &real, sock);
265 if (mi)
266 {
267 hash_add_fast(hash, bucket, &mi->real, hv, mi);
268 mi->did_real_hash = true;
269 multi_assign_peer_id(m, mi);
270
271 /* If we have a session id already, ensure that the
272 * state is using the same */
273 if (session_id_defined(&state.server_session_id)
274 && session_id_defined((&state.peer_session_id)))
275 {
276 mi->context.c2.tls_multi->n_sessions++;
277 struct tls_session *session = &mi->context.c2.tls_multi->session[TM_INITIAL];
278 session_skip_to_pre_start(session, &state, &m->top.c2.from);
279 }
280 }
281 }
282 else
283 {
284 msg(D_MULTI_ERRORS,
285 "MULTI: Connection from %s would exceed new connection frequency limit as controlled by --connect-freq",
286 mroute_addr_print(&real, &gc));
287 }
288 }
289 free_tls_pre_decrypt_state(&state);
290 }
291
292#ifdef ENABLE_DEBUG
293 if (check_debug_level(D_MULTI_DEBUG))
294 {
295 const char *status = mi ? "[ok]" : "[failed]";
296
297 dmsg(D_MULTI_DEBUG, "GET INST BY REAL: %s %s",
298 mroute_addr_print(&real, &gc),
299 status);
300 }
301#endif
302 }
303
304 gc_free(&gc);
305 ASSERT(!(mi && mi->halt));
306 return mi;
307}
308
309/*
310 * Send a packet to UDP socket.
311 */
312static inline void
313multi_process_outgoing_link(struct multi_context *m, const unsigned int mpp_flags)
314{
315 struct multi_instance *mi = multi_process_outgoing_link_pre(m);
316 if (mi)
317 {
318 multi_process_outgoing_link_dowork(m, mi, mpp_flags);
319 }
320 if (m->hmac_reply_dest && m->hmac_reply.len > 0)
321 {
322 msg_set_prefix("Connection Attempt");
323 m->top.c2.to_link = m->hmac_reply;
324 m->top.c2.to_link_addr = m->hmac_reply_dest;
325 process_outgoing_link(&m->top, m->hmac_reply_ls);
326 m->hmac_reply_ls = NULL;
327 m->hmac_reply_dest = NULL;
328 }
329}
330
331/*
332 * Process an I/O event.
333 */
334void
335multi_process_io_udp(struct multi_context *m, struct link_socket *sock)
336{
337 const unsigned int status = m->multi_io->udp_flags;
338 const unsigned int mpp_flags = m->top.c2.fast_io
339 ? (MPP_CONDITIONAL_PRE_SELECT | MPP_CLOSE_ON_SIGNAL)
340 : (MPP_PRE_SELECT | MPP_CLOSE_ON_SIGNAL);
341
342#ifdef MULTI_DEBUG_EVENT_LOOP
343 char buf[16];
344 buf[0] = 0;
345 if (status & SOCKET_READ)
346 {
347 strcat(buf, "SR/");
348 }
349 else if (status & SOCKET_WRITE)
350 {
351 strcat(buf, "SW/");
352 }
353 else if (status & TUN_READ)
354 {
355 strcat(buf, "TR/");
356 }
357 else if (status & TUN_WRITE)
358 {
359 strcat(buf, "TW/");
360 }
361 else if (status & FILE_CLOSED)
362 {
363 strcat(buf, "FC/");
364 }
365 printf("IO %s\n", buf);
366#endif /* ifdef MULTI_DEBUG_EVENT_LOOP */
367
368#ifdef ENABLE_MANAGEMENT
369 if (status & (MANAGEMENT_READ|MANAGEMENT_WRITE))
370 {
371 ASSERT(management);
372 management_io(management);
373 }
374#endif
375
376 /* UDP port ready to accept write */
377 if (status & SOCKET_WRITE)
378 {
379 multi_process_outgoing_link(m, mpp_flags);
380 }
381 /* TUN device ready to accept write */
382 else if (status & TUN_WRITE)
383 {
384 multi_process_outgoing_tun(m, mpp_flags);
385 }
386 /* Incoming data on UDP port */
387 else if (status & SOCKET_READ)
388 {
389 read_incoming_link(&m->top, sock);
390 if (!IS_SIG(&m->top))
391 {
392 multi_process_incoming_link(m, NULL, mpp_flags, sock);
393 }
394 }
395 /* Incoming data on TUN device */
396 else if (status & TUN_READ)
397 {
398 read_incoming_tun(&m->top);
399 if (!IS_SIG(&m->top))
400 {
401 multi_process_incoming_tun(m, mpp_flags);
402 }
403 }
404#ifdef ENABLE_ASYNC_PUSH
405 /* INOTIFY callback */
406 else if (status & FILE_CLOSED)
407 {
408 multi_process_file_closed(m, mpp_flags);
409 }
410#endif
411#if defined(ENABLE_DCO) \
412 && (defined(TARGET_LINUX) || defined(TARGET_FREEBSD) || defined(TARGET_WIN32))
413 else if (status & DCO_READ)
414 {
415 if (!IS_SIG(&m->top))
416 {
417 bool ret = true;
418 while (ret)
419 {
420 ret = multi_process_incoming_dco(m);
421 }
422 }
423 }
424#endif
425
426 m->multi_io->udp_flags = ES_ERROR;
427}
428
429/*
430 * Return the io_wait() flags appropriate for
431 * a point-to-multipoint tunnel.
432 */
433unsigned int
434p2mp_iow_flags(const struct multi_context *m)
435{
436 unsigned int flags = IOW_WAIT_SIGNAL;
437 if (m->pending)
438 {
439 if (TUN_OUT(&m->pending->context))
440 {
441 flags |= IOW_TO_TUN;
442 }
443 if (LINK_OUT(&m->pending->context))
444 {
445 flags |= IOW_TO_LINK;
446 }
447 }
448 else if (mbuf_defined(m->mbuf))
449 {
450 flags |= IOW_MBUF;
451 }
452 else if (m->hmac_reply_dest)
453 {
454 flags |= IOW_TO_LINK;
455 }
456 else
457 {
458 flags |= IOW_READ;
459 }
460#ifdef _WIN32
461 if (tuntap_ring_empty(m->top.c1.tuntap))
462 {
463 flags &= ~IOW_READ_TUN;
464 }
465#endif
466 return flags;
467}
buf_copy
static bool buf_copy(struct buffer *dest, const struct buffer *src)
Definition buffer.h:712
BPTR
#define BPTR(buf)
Definition buffer.h:124
buf_advance
static bool buf_advance(struct buffer *buf, int size)
Definition buffer.h:618
gc_free
static void gc_free(struct gc_arena *a)
Definition buffer.h:1033
buf_init
#define buf_init(buf, offset)
Definition buffer.h:209
gc_new
static struct gc_arena gc_new(void)
Definition buffer.h:1025
CO_FORCE_TLSCRYPTV2_COOKIE
#define CO_FORCE_TLSCRYPTV2_COOKIE
Bit-flag indicating that we do not allow clients that do not support resending the wrapped client key...
Definition crypto.h:364
hmac_ctx_t
mbedtls_md_context_t hmac_ctx_t
Generic HMAC context.
Definition crypto_mbedtls.h:48
D_MULTI_ERRORS
#define D_MULTI_ERRORS
Definition errlevel.h:65
D_MULTI_MEDIUM
#define D_MULTI_MEDIUM
Definition errlevel.h:102
D_MULTI_DEBUG
#define D_MULTI_DEBUG
Definition errlevel.h:127
DCO_READ
#define DCO_READ
Definition event.h:76
FILE_CLOSED
#define FILE_CLOSED
Definition event.h:74
TUN_WRITE
#define TUN_WRITE
Definition event.h:66
SOCKET_READ
#define SOCKET_READ
Definition event.h:62
MANAGEMENT_READ
#define MANAGEMENT_READ
Definition event.h:71
MANAGEMENT_WRITE
#define MANAGEMENT_WRITE
Definition event.h:72
ES_ERROR
#define ES_ERROR
Definition event.h:68
SOCKET_WRITE
#define SOCKET_WRITE
Definition event.h:63
TUN_READ
#define TUN_READ
Definition event.h:65
forward.h
Interface functions to the internal and external multiplexers.
IOW_WAIT_SIGNAL
#define IOW_WAIT_SIGNAL
Definition forward.h:64
IOW_MBUF
#define IOW_MBUF
Definition forward.h:62
LINK_OUT
#define LINK_OUT(c)
Definition forward.h:39
TUN_OUT
#define TUN_OUT(c)
Definition forward.h:38
IOW_TO_TUN
#define IOW_TO_TUN
Definition forward.h:55
IOW_READ
#define IOW_READ
Definition forward.h:66
IOW_TO_LINK
#define IOW_TO_LINK
Definition forward.h:56
TM_INITIAL
#define TM_INITIAL
As yet un-trusted tls_session being negotiated.
Definition ssl_common.h:536
tls_pre_decrypt_lite
enum first_packet_verdict tls_pre_decrypt_lite(const struct tls_auth_standalone *tas, struct tls_pre_decrypt_state *state, const struct link_socket_actual *from, const struct buffer *buf)
Inspect an incoming packet for which no VPN tunnel is active, and determine whether a new VPN tunnel ...
Definition ssl_pkt.c:307
multi_process_incoming_link
bool multi_process_incoming_link(struct multi_context *m, struct multi_instance *instance, const unsigned int mpp_flags, struct link_socket *sock)
Demultiplex and process a packet received over the external network interface.
Definition multi.c:3352
process_outgoing_link
void process_outgoing_link(struct context *c, struct link_socket *sock)
Write a packet to the external network interface.
Definition forward.c:1744
read_incoming_link
void read_incoming_link(struct context *c, struct link_socket *sock)
Read a packet from the external network interface.
Definition forward.c:934
multi_get_create_instance_udp
struct multi_instance * multi_get_create_instance_udp(struct multi_context *m, bool *floated, struct link_socket *sock)
Get, and if necessary create, the multi_instance associated with a packet's source address.
Definition mudp.c:190
read_incoming_tun
void read_incoming_tun(struct context *c)
Read a packet from the virtual tun/tap network interface.
Definition forward.c:1299
multi_process_outgoing_tun
static bool multi_process_outgoing_tun(struct multi_context *m, const unsigned int mpp_flags)
Send a packet over the virtual tun/tap network interface to its locally reachable destination.
Definition multi.h:659
multi_process_incoming_tun
bool multi_process_incoming_tun(struct multi_context *m, const unsigned int mpp_flags)
Determine the destination VPN tunnel of a packet received over the virtual tun/tap network interface ...
Definition multi.c:3556
status
static SERVICE_STATUS status
Definition interactive.c:53
hash_lookup_fast
struct hash_element * hash_lookup_fast(struct hash *hash, struct hash_bucket *bucket, const void *key, uint32_t hv)
Definition list.c:83
hash_value
static uint32_t hash_value(const struct hash *hash, const void *key)
Definition list.h:116
hash_add_fast
static void hash_add_fast(struct hash *hash, struct hash_bucket *bucket, const void *key, uint32_t hv, void *value)
Definition list.h:158
management_io
void management_io(struct management *man)
Definition manage.c:3167
mbuf_defined
static bool mbuf_defined(const struct mbuf_set *ms)
Definition mbuf.h:80
mroute_extract_openvpn_sockaddr
bool mroute_extract_openvpn_sockaddr(struct mroute_addr *addr, const struct openvpn_sockaddr *osaddr, bool use_port)
Definition mroute.c:264
mroute_addr_print
const char * mroute_addr_print(const struct mroute_addr *ma, struct gc_arena *gc)
Definition mroute.c:384
do_pre_decrypt_check
static bool do_pre_decrypt_check(struct multi_context *m, struct tls_pre_decrypt_state *state, struct mroute_addr addr)
Definition mudp.c:69
p2mp_iow_flags
unsigned int p2mp_iow_flags(const struct multi_context *m)
Definition mudp.c:434
send_hmac_reset_packet
static void send_hmac_reset_packet(struct multi_context *m, struct tls_pre_decrypt_state *state, struct tls_auth_standalone *tas, struct session_id *sid, bool request_resend_wkc)
Definition mudp.c:42
multi_process_io_udp
void multi_process_io_udp(struct multi_context *m, struct link_socket *sock)
Definition mudp.c:335
multi_process_outgoing_link
static void multi_process_outgoing_link(struct multi_context *m, const unsigned int mpp_flags)
Definition mudp.c:313
multi_create_instance
struct multi_instance * multi_create_instance(struct multi_context *m, const struct mroute_addr *real, struct link_socket *sock)
Definition multi.c:756
ungenerate_prefix
void ungenerate_prefix(struct multi_instance *mi)
Definition multi.c:512
multi_assign_peer_id
void multi_assign_peer_id(struct multi_context *m, struct multi_instance *mi)
Assigns a peer-id to a a client and adds the instance to the the instances array of the multi_context...
Definition multi.c:4155
multi.h
Header file for server-mode related structures and functions.
multi_process_incoming_dco
bool multi_process_incoming_dco(struct multi_context *m)
Process an incoming DCO message (from kernel space).
MPP_CONDITIONAL_PRE_SELECT
#define MPP_CONDITIONAL_PRE_SELECT
Definition multi.h:293
MPP_CLOSE_ON_SIGNAL
#define MPP_CLOSE_ON_SIGNAL
Definition multi.h:294
multi_process_outgoing_link_pre
static struct multi_instance * multi_process_outgoing_link_pre(struct multi_context *m)
Definition multi.h:432
MPP_PRE_SELECT
#define MPP_PRE_SELECT
Definition multi.h:292
multi_process_outgoing_link_dowork
static bool multi_process_outgoing_link_dowork(struct multi_context *m, struct multi_instance *mi, const unsigned int mpp_flags)
Definition multi.h:683
msg_set_prefix
static void msg_set_prefix(const char *prefix)
Definition error.h:301
check_debug_level
static bool check_debug_level(unsigned int level)
Definition error.h:220
dmsg
#define dmsg(flags,...)
Definition error.h:148
msg
#define msg(flags,...)
Definition error.h:144
ASSERT
#define ASSERT(x)
Definition error.h:195
MAX_PEER_ID
#define MAX_PEER_ID
Definition openvpn.h:546
frequency_limit_event_allowed
bool frequency_limit_event_allowed(struct frequency_limit *f)
Definition otime.c:167
packet_id_read
bool packet_id_read(struct packet_id_net *pin, struct buffer *buf, bool long_form)
Definition packet_id.c:323
reset_packet_id_send
static void reset_packet_id_send(struct packet_id_send *p)
Reset the current send packet id to its initial state.
Definition packet_id.h:307
reflect_filter_rate_limit_decrease
void reflect_filter_rate_limit_decrease(struct initial_packet_rate_limit *irl)
decreases the counter of initial packets seen, so connections that successfully completed the three-w...
Definition reflect_filter.c:76
reflect_filter_rate_limit_check
bool reflect_filter_rate_limit_check(struct initial_packet_rate_limit *irl)
checks if the connection is still allowed to connect under the rate limit.
Definition reflect_filter.c:43
session_id_defined
static bool session_id_defined(const struct session_id *sid1)
Definition session_id.h:55
SID_SIZE
#define SID_SIZE
Definition session_id.h:45
IS_SIG
#define IS_SIG(c)
Definition sig.h:48
print_link_socket_actual
const char * print_link_socket_actual(const struct link_socket_actual *act, struct gc_arena *gc)
Definition socket.c:2893
link_socket_actual_match
static bool link_socket_actual_match(const struct link_socket_actual *a1, const struct link_socket_actual *a2)
Definition socket.h:883
session_skip_to_pre_start
bool session_skip_to_pre_start(struct tls_session *session, struct tls_pre_decrypt_state *state, struct link_socket_actual *from)
Definition ssl.c:2580
check_session_id_hmac
bool check_session_id_hmac(struct tls_pre_decrypt_state *state, const struct openvpn_sockaddr *from, hmac_ctx_t *hmac, int handwindow)
Checks if a control packet has a correct HMAC server session id.
Definition ssl_pkt.c:529
calculate_session_id_hmac
struct session_id calculate_session_id_hmac(struct session_id client_sid, const struct openvpn_sockaddr *from, hmac_ctx_t *hmac, int handwindow, int offset)
Calculates the HMAC based server session id based on a client session id and socket addr.
Definition ssl_pkt.c:487
free_tls_pre_decrypt_state
void free_tls_pre_decrypt_state(struct tls_pre_decrypt_state *state)
Definition ssl_pkt.c:285
tls_reset_standalone
struct buffer tls_reset_standalone(struct tls_wrap_ctx *ctx, struct tls_auth_standalone *tas, struct session_id *own_sid, struct session_id *remote_sid, uint8_t header, bool request_resend_wkc)
This function creates a reset packet using the information from the tls pre decrypt state.
Definition ssl_pkt.c:428
ssl_pkt.h
SSL control channel wrap/unwrap and decode functions.
P_DATA_V2
#define P_DATA_V2
Definition ssl_pkt.h:49
P_OPCODE_SHIFT
#define P_OPCODE_SHIFT
Definition ssl_pkt.h:40
packet_opcode_name
static const char * packet_opcode_name(int op)
Definition ssl_pkt.h:249
EARLY_NEG_MASK
#define EARLY_NEG_MASK
Definition ssl_pkt.h:322
P_CONTROL_HARD_RESET_SERVER_V2
#define P_CONTROL_HARD_RESET_SERVER_V2
Definition ssl_pkt.h:53
first_packet_verdict
first_packet_verdict
Definition ssl_pkt.h:85
VERDICT_VALID_ACK_V1
@ VERDICT_VALID_ACK_V1
This packet is a valid ACK control packet from the peer, i.e.
Definition ssl_pkt.h:94
VERDICT_VALID_WKC_V1
@ VERDICT_VALID_WKC_V1
The packet is a valid control packet with appended wrapped client key.
Definition ssl_pkt.h:96
VERDICT_VALID_RESET_V2
@ VERDICT_VALID_RESET_V2
This packet is a valid reset packet from the peer (all but tls-crypt-v2)
Definition ssl_pkt.h:87
VERDICT_VALID_RESET_V3
@ VERDICT_VALID_RESET_V3
This is a valid v3 reset (tls-crypt-v2)
Definition ssl_pkt.h:89
VERDICT_VALID_CONTROL_V1
@ VERDICT_VALID_CONTROL_V1
This packet is a valid control packet from the peer.
Definition ssl_pkt.h:91
EARLY_NEG_START
#define EARLY_NEG_START
Definition ssl_pkt.h:323
buffer
Wrapper structure for dynamically allocated memory.
Definition buffer.h:61
buffer::len
int len
Length in bytes of the actual content within the allocated memory.
Definition buffer.h:66
buffer::offset
int offset
Offset in bytes of the actual content within the allocated memory.
Definition buffer.h:64
context_1::tuntap
struct tuntap * tuntap
Tun/tap virtual network interface.
Definition openvpn.h:171
context_2::session_id_hmac
hmac_ctx_t * session_id_hmac
the HMAC we use to generate and verify our syn cookie like session ids from the server.
Definition openvpn.h:338
context_2::tls_auth_standalone
struct tls_auth_standalone * tls_auth_standalone
TLS state structure required for the initial authentication of a client's connection attempt.
Definition openvpn.h:326
context_2::tls_multi
struct tls_multi * tls_multi
TLS state structure for this VPN tunnel.
Definition openvpn.h:323
context_2::from
struct link_socket_actual from
Definition openvpn.h:245
context_2::to_link
struct buffer to_link
Definition openvpn.h:377
context_2::to_link_addr
struct link_socket_actual * to_link_addr
Definition openvpn.h:244
context_2::buf
struct buffer buf
Definition openvpn.h:375
context_2::fast_io
bool fast_io
Definition openvpn.h:424
context_2::buffers
struct context_buffers * buffers
Definition openvpn.h:367
context_buffers::aux_buf
struct buffer aux_buf
Definition openvpn.h:97
context
Contains all state information for one tunnel.
Definition openvpn.h:474
context::c2
struct context_2 c2
Level 2 context.
Definition openvpn.h:514
context::options
struct options options
Options loaded from command line or configuration file.
Definition openvpn.h:475
context::c1
struct context_1 c1
Level 1 context.
Definition openvpn.h:513
crypto_options::flags
unsigned int flags
Bit-flags determining behavior of security operation functions.
Definition crypto.h:383
crypto_options::packet_id
struct packet_id packet_id
Current packet ID state for both sending and receiving directions.
Definition crypto.h:330
deferred_signal_schedule_entry::signal_received
int signal_received
Definition multi.h:64
gc_arena
Garbage collection arena used to keep track of dynamically allocated memory.
Definition buffer.h:117
hash_bucket
Definition list.h:52
hash_element
Definition list.h:44
hash_element::value
void * value
Definition list.h:45
hash
Definition list.h:57
link_socket_actual::dest
struct openvpn_sockaddr dest
Definition socket.h:90
link_socket_info::proto
int proto
Definition socket.h:120
link_socket
Definition socket.h:178
link_socket::info
struct link_socket_info info
Definition socket.h:179
mroute_addr
Definition mroute.h:78
mroute_addr::proto
uint8_t proto
Definition mroute.h:80
multi_context
Main OpenVPN server state structure.
Definition multi.h:163
multi_context::mbuf
struct mbuf_set * mbuf
Set of buffers for passing data channel packets between VPN tunnel instances.
Definition multi.h:175
multi_context::initial_rate_limiter
struct initial_packet_rate_limit * initial_rate_limiter
Definition multi.h:181
multi_context::deferred_shutdown_signal
struct deferred_signal_schedule_entry deferred_shutdown_signal
Definition multi.h:219
multi_context::hmac_reply_dest
struct link_socket_actual * hmac_reply_dest
Definition multi.h:206
multi_context::multi_io
struct multi_io * multi_io
I/O state and events tracker.
Definition multi.h:178
multi_context::hash
struct hash * hash
VPN tunnel instances indexed by real address of the remote peer.
Definition multi.h:167
multi_context::hmac_reply_ls
struct link_socket * hmac_reply_ls
Definition multi.h:207
multi_context::new_connection_limiter
struct frequency_limit * new_connection_limiter
Definition multi.h:180
multi_context::top
struct context top
Storage structure for process-wide configuration.
Definition multi.h:202
multi_context::pending
struct multi_instance * pending
Definition multi.h:196
multi_context::instances
struct multi_instance ** instances
Array of multi_instances.
Definition multi.h:164
multi_context::hmac_reply
struct buffer hmac_reply
Definition multi.h:205
multi_instance
Server-mode state structure for one single VPN tunnel.
Definition multi.h:103
multi_instance::real
struct mroute_addr real
External network address of the remote peer.
Definition multi.h:122
multi_instance::did_real_hash
bool did_real_hash
Definition multi.h:135
multi_instance::halt
bool halt
Definition multi.h:114
multi_instance::context
struct context context
The context structure storing state for this VPN tunnel.
Definition multi.h:144
multi_io::udp_flags
unsigned int udp_flags
Definition multi_io.h:59
openvpn_sockaddr
Definition socket.h:66
options::handshake_window
int handshake_window
Definition options.h:651
packet_id_net
Data structure for describing the packet id that is received/send to the network.
Definition packet_id.h:192
packet_id_rec::initialized
bool initialized
Definition packet_id.h:122
packet_id::send
struct packet_id_send send
Definition packet_id.h:201
packet_id::rec
struct packet_id_rec rec
Definition packet_id.h:202
session_id
Definition session_id.h:39
tls_auth_standalone
Definition ssl_pkt.h:79
tls_auth_standalone::tls_wrap
struct tls_wrap_ctx tls_wrap
Definition ssl_pkt.h:80
tls_multi::session
struct tls_session session[TM_SIZE]
Array of tls_session objects representing control channel sessions with the remote peer.
Definition ssl_common.h:681
tls_multi::n_sessions
int n_sessions
Number of sessions negotiated thus far.
Definition ssl_common.h:616
tls_pre_decrypt_state
struct that stores the temporary data for the tls lite decrypt functions
Definition ssl_pkt.h:105
tls_pre_decrypt_state::peer_session_id
struct session_id peer_session_id
Definition ssl_pkt.h:108
tls_pre_decrypt_state::server_session_id
struct session_id server_session_id
Definition ssl_pkt.h:109
tls_pre_decrypt_state::tls_wrap_tmp
struct tls_wrap_ctx tls_wrap_tmp
Definition ssl_pkt.h:106
tls_session
Security parameter state of a single session within a VPN tunnel.
Definition ssl_common.h:480
tls_wrap_ctx::opt
struct crypto_options opt
Crypto state.
Definition ssl_common.h:274
gc
struct gc_arena gc
Definition test_ssl.c:155
tuntap_ring_empty
static bool tuntap_ring_empty(struct tuntap *tt)
Definition tun.h:271
Generated by doxygen 1.9.8