openvpn.h

Go to the documentation of this file.

/*
 *  OpenVPN -- An application to securely tunnel IP networks
 *             over a single TCP/UDP port, with support for SSL/TLS-based
 *             session authentication and key exchange,
 *             packet encryption, packet authentication, and
 *             packet compression.
 *
 *  Copyright (C) 2002-2024 OpenVPN Inc <sales@openvpn.net>
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License version 2
 *  as published by the Free Software Foundation.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License along
 *  with this program; if not, write to the Free Software Foundation, Inc.,
 *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 
#ifndef OPENVPN_H
#define OPENVPN_H
 
#include "buffer.h"
#include "options.h"
#include "socket.h"
#include "crypto.h"
#include "ssl.h"
#include "packet_id.h"
#include "comp.h"
#include "tun.h"
#include "interval.h"
#include "status.h"
#include "fragment.h"
#include "shaper.h"
#include "route.h"
#include "proxy.h"
#include "socks.h"
#include "sig.h"
#include "misc.h"
#include "mbuf.h"
#include "pool.h"
#include "plugin.h"
#include "manage.h"
 
/*
 * Our global key schedules, packaged thusly
 * to facilitate key persistence.
 */
 
struct key_schedule
{
    /* which cipher, HMAC digest, and key sizes are we using? */
    struct key_type key_type;
 
    /* pre-shared static key, read from a file */
    struct key_ctx_bi static_key;
 
    /* our global SSL context */
    struct tls_root_ctx ssl_ctx;
 
    /* optional TLS control channel wrapping */
    struct key_type tls_auth_key_type;
    struct key_ctx_bi tls_wrap_key;
    struct key2 original_wrap_keydata;
    struct key_ctx tls_crypt_v2_server_key;
    struct buffer tls_crypt_v2_wkc;             
    struct key_ctx auth_token_key;
};
 
/*
 * struct packet_id_persist should be empty if we are not
 * building with crypto.
 */
#ifndef PACKET_ID_H
struct packet_id_persist
{
    int dummy;
};
static inline void
packet_id_persist_init(struct packet_id_persist *p)
{
}
#endif
 
/*
 * Packet processing buffers.
 */
struct context_buffers
{
    /* miscellaneous buffer, used by ping, occ, etc. */
    struct buffer aux_buf;
 
    /* workspace buffers used by crypto routines */
    struct buffer encrypt_buf;
    struct buffer decrypt_buf;
 
    /* workspace buffers for compression */
#ifdef USE_COMP
    struct buffer compress_buf;
    struct buffer decompress_buf;
#endif
 
    /*
     * Buffers used to read from TUN device
     * and TCP/UDP port.
     */
    struct buffer read_link_buf;
    struct buffer read_tun_buf;
};
 
/*
 * always-persistent context variables
 */
struct context_persist
{
    int restart_sleep_seconds;
};
 
 
/**************************************************************************/
struct context_0
{
    /* workspace for --user/--group */
    bool uid_gid_specified;
    /* helper which tells us whether we should keep trying to drop privileges */
    bool uid_gid_chroot_set;
    struct platform_state_user platform_state_user;
    struct platform_state_group platform_state_group;
};
 
 
struct context_1
{
    int link_sockets_num;
    struct link_socket_addr *link_socket_addrs;
    /* tunnel session keys */
    struct key_schedule ks;
 
    /* preresolved and cached host names */
    struct cached_dns_entry *dns_cache;
 
    /* persist crypto sequence number to/from file */
    struct packet_id_persist pid_persist;
 
    struct tuntap *tuntap;      
    bool tuntap_owned;          
    struct route_list *route_list;
    /* list of --route-ipv6 directives */
    struct route_ipv6_list *route_ipv6_list;
 
    /* --status file */
    struct status_output *status_output;
    bool status_output_owned;
 
    /* HTTP proxy object */
    struct http_proxy_info *http_proxy;
    bool http_proxy_owned;
 
    /* SOCKS proxy object */
    struct socks_proxy_info *socks_proxy;
    bool socks_proxy_owned;
 
    /* persist --ifconfig-pool db to file */
    struct ifconfig_pool_persist *ifconfig_pool_persist;
    bool ifconfig_pool_persist_owned;
 
    /* if client mode, hash of option strings we pulled from server */
    struct sha256_digest pulled_options_digest_save;
};
 
 
static inline bool
is_cas_pending(enum multi_status cas)
{
    return cas == CAS_PENDING || cas == CAS_PENDING_DEFERRED
           || cas == CAS_PENDING_DEFERRED_PARTIAL;
}
 
struct context_2
{
    struct gc_arena gc;         
    /* our global wait events */
    struct event_set *event_set;
    int event_set_max;
    bool event_set_owned;
 
    /* bitmask for event status. Check event.h for possible values */
    unsigned int event_set_status;
 
    struct link_socket **link_sockets;
    struct link_socket_info **link_socket_infos;
 
    bool link_socket_owned;
 
    const struct link_socket *accept_from; /* possibly do accept() on a parent link_socket */
 
    struct link_socket_actual *to_link_addr;    /* IP address of remote */
    struct link_socket_actual from;             /* address of incoming datagram */
 
    /* MTU frame parameters */
    struct frame frame;                         /* Active frame parameters */
 
#ifdef ENABLE_FRAGMENT
    /* Object to handle advanced MTU negotiation and datagram fragmentation */
    struct fragment_master *fragment;
    struct frame frame_fragment;
#endif
 
    /*
     * Traffic shaper object.
     */
    struct shaper shaper;
 
    /*
     * Statistics
     */
    counter_type tun_read_bytes;
    counter_type tun_write_bytes;
    counter_type link_read_bytes;
    counter_type dco_read_bytes;
    counter_type link_read_bytes_auth;
    counter_type link_write_bytes;
    counter_type dco_write_bytes;
#ifdef PACKET_TRUNCATION_CHECK
    counter_type n_trunc_tun_read;
    counter_type n_trunc_tun_write;
    counter_type n_trunc_pre_encrypt;
    counter_type n_trunc_post_decrypt;
#endif
 
    /*
     * Timer objects for ping and inactivity
     * timeout features.
     */
    struct event_timeout wait_for_connect;
    struct event_timeout ping_send_interval;
    struct event_timeout ping_rec_interval;
 
    /* --inactive */
    struct event_timeout inactivity_interval;
    int64_t inactivity_bytes;
 
    struct event_timeout session_interval;
 
    /* auth token renewal timer */
    struct event_timeout auth_token_renewal_interval;
 
    /* the option strings must match across peers */
    char *options_string_local;
    char *options_string_remote;
 
    int occ_op;                 /* INIT to -1 */
    int occ_n_tries;
    struct event_timeout occ_interval;
 
    /*
     * Keep track of maximum packet size received so far
     * (of authenticated packets).
     */
    int original_recv_size;     /* temporary */
    int max_recv_size_local;    /* max packet size received */
    int max_recv_size_remote;   /* max packet size received by remote */
    int max_send_size_local;    /* max packet size sent */
    int max_send_size_remote;   /* max packet size sent by remote */
 
 
    /* remote wants us to send back a load test packet of this size */
    int occ_mtu_load_size;
 
    struct event_timeout occ_mtu_load_test_interval;
    int occ_mtu_load_n_tries;
 
    /*
     * TLS-mode crypto objects.
     */
    struct tls_multi *tls_multi; 
    struct tls_auth_standalone *tls_auth_standalone;
    hmac_ctx_t *session_id_hmac;
    /* used to optimize calls to tls_multi_process */
    struct interval tmp_int;
 
    /* throw this signal on TLS errors */
    int tls_exit_signal;
 
    struct crypto_options crypto_options;
    struct event_timeout packet_id_persist_interval;
 
#ifdef USE_COMP
    struct compress_context *comp_context;
#endif
 
    /*
     * Buffers used for packet processing.
     */
    struct context_buffers *buffers;
    bool buffers_owned; /* if true, we should free all buffers on close */
 
    /*
     * These buffers don't actually allocate storage, they are used
     * as pointers to the allocated buffers in
     * struct context_buffers.
     */
    struct buffer buf;
    struct buffer to_tun;
    struct buffer to_link;
 
    /* should we print R|W|r|w to console on packet transfers? */
    bool log_rw;
 
    /* route stuff */
    struct event_timeout route_wakeup;
    struct event_timeout route_wakeup_expire;
 
    /* did we open tun/tap dev during this cycle? */
    bool did_open_tun;
 
    /*
     * Event loop info
     */
 
    struct timeval timeval;
 
    /* next wakeup for processing coarse timers (>1 sec resolution) */
    time_t coarse_timer_wakeup;
 
    /* maintain a random delta to add to timeouts to avoid contexts
     * waking up simultaneously */
    time_t update_timeout_random_component;
    struct timeval timeout_random_component;
 
    /* Timer for everything up to the first packet from the *OpenVPN* server
     * socks, http proxy, and tcp packets do not count */
    struct event_timeout server_poll_interval;
 
    /* indicates that the do_up_delay function has run */
    bool do_up_ran;
 
    /* indicates that we have received a SIGTERM when
     * options->explicit_exit_notification is enabled,
     * but we have not exited yet */
    time_t explicit_exit_notification_time_wait;
    struct event_timeout explicit_exit_notification_interval;
 
    /* environmental variables to pass to scripts */
    struct env_set *es;
    bool es_owned;
 
    /* don't wait for TUN/TAP/UDP to be ready to accept write */
    bool fast_io;
 
    /* --ifconfig endpoints to be pushed to client */
    bool push_request_received;
    bool push_ifconfig_defined;
    time_t sent_push_reply_expiry;
    in_addr_t push_ifconfig_local;
    in_addr_t push_ifconfig_remote_netmask;
    in_addr_t push_ifconfig_local_alias;
 
    bool push_ifconfig_ipv6_defined;
    struct in6_addr push_ifconfig_ipv6_local;
    int push_ifconfig_ipv6_netbits;
    struct in6_addr push_ifconfig_ipv6_remote;
 
    struct event_timeout push_request_interval;
    time_t push_request_timeout;
 
    /* hash of pulled options, so we can compare when options change */
    bool pulled_options_digest_init_done;
    md_ctx_t *pulled_options_state;
    struct sha256_digest pulled_options_digest;
 
    struct event_timeout scheduled_exit;
    int scheduled_exit_signal;
 
    /* packet filter */
 
#ifdef ENABLE_MANAGEMENT
    struct man_def_auth_context mda_context;
#endif
 
#ifdef ENABLE_ASYNC_PUSH
    int inotify_fd; /* descriptor for monitoring file changes */
#endif
};
 
 
struct context
{
    struct options options;     
    bool first_time;            
    /* context modes */
#define CM_P2P            0  /* standalone point-to-point session or client */
#define CM_TOP            1  /* top level of a multi-client or point-to-multipoint server */
#define CM_TOP_CLONE      2  /* clone of a CM_TOP context for one thread */
#define CM_CHILD_UDP      3  /* child context of a CM_TOP or CM_THREAD */
#define CM_CHILD_TCP      4  /* child context of a CM_TOP or CM_THREAD */
    int mode;                   
    struct gc_arena gc;         
    struct env_set *es;         
    openvpn_net_ctx_t net_ctx;  
    struct signal_info *sig;    
    struct plugin_list *plugins; 
    bool plugins_owned;         
    bool did_we_daemonize;      
    struct context_persist persist;
    struct context_0 *c0;       
    struct context_1 c1;        
    struct context_2 c2;        
};
 
/*
 * Check for a signal when inside an event loop
 */
#define EVENT_LOOP_CHECK_SIGNAL(c, func, arg)   \
    if (IS_SIG(c))                           \
    {                                       \
        const int brk = func(arg);           \
        perf_pop();                          \
        if (brk) {                              \
            break;}                              \
        else {                                  \
            continue;}                           \
    }
 
/*
 * Macros for referencing objects which may not
 * have been compiled in.
 */
 
#define TLS_MODE(c) ((c)->c2.tls_multi != NULL)
#define PROTO_DUMP_FLAGS (check_debug_level(D_LINK_RW_VERBOSE) ? (PD_SHOW_DATA|PD_VERBOSE) : 0)
#define PROTO_DUMP(buf, gc) protocol_dump((buf), \
                                          PROTO_DUMP_FLAGS   \
                                          |(c->c2.tls_multi ? PD_TLS : 0)   \
                                          |(c->options.tls_auth_file ? md_kt_size(c->c1.ks.key_type.digest) : 0) \
                                          |(c->options.tls_crypt_file || c->options.tls_crypt_v2_file ? PD_TLS_CRYPT : 0), \
                                          gc)
 
/* this represents "disabled peer-id" */
#define MAX_PEER_ID 0xFFFFFF
 
#endif /* ifndef OPENVPN_H */