6fbf66fa |
/*
* OpenVPN -- An application to securely tunnel IP networks
* over a single TCP/UDP port, with support for SSL/TLS-based
* session authentication and key exchange,
* packet encryption, packet authentication, and
* packet compression.
* |
49979459 |
* Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net> |
6fbf66fa |
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2
* as published by the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
* |
caa54ac3 |
* You should have received a copy of the GNU General Public License along
* with this program; if not, write to the Free Software Foundation, Inc.,
* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. |
6fbf66fa |
*/
#ifndef OPENVPN_H
#define OPENVPN_H
#include "buffer.h"
#include "options.h"
#include "socket.h"
#include "crypto.h"
#include "ssl.h"
#include "packet_id.h" |
38d96bd7 |
#include "comp.h" |
6fbf66fa |
#include "tun.h"
#include "interval.h"
#include "status.h"
#include "fragment.h"
#include "shaper.h"
#include "route.h"
#include "proxy.h"
#include "socks.h"
#include "sig.h"
#include "misc.h"
#include "mbuf.h" |
a54f37d8 |
#include "pf.h" |
6fbf66fa |
#include "pool.h"
#include "plugin.h"
#include "manage.h"
/*
* Our global key schedules, packaged thusly
* to facilitate --persist-key.
*/
struct key_schedule
{ |
81d882d5 |
/* which cipher, HMAC digest, and key sizes are we using? */
struct key_type key_type; |
6fbf66fa |
|
81d882d5 |
/* pre-shared static key, read from a file */
struct key_ctx_bi static_key; |
6fbf66fa |
|
81d882d5 |
/* our global SSL context */
struct tls_root_ctx ssl_ctx; |
6fbf66fa |
|
81d882d5 |
/* optional TLS control channel wrapping */
struct key_type tls_auth_key_type;
struct key_ctx_bi tls_wrap_key; |
19dffdbd |
struct key_ctx tls_crypt_v2_server_key;
struct buffer tls_crypt_v2_wkc; /**< Wrapped client key */ |
6fbf66fa |
};
/*
* struct packet_id_persist should be empty if we are not
* building with crypto.
*/
#ifndef PACKET_ID_H
struct packet_id_persist
{ |
81d882d5 |
int dummy; |
6fbf66fa |
};
static inline void |
81d882d5 |
packet_id_persist_init(struct packet_id_persist *p) |
6fbf66fa |
{
}
#endif
/*
* Packet processing buffers.
*/
struct context_buffers
{ |
81d882d5 |
/* miscellaneous buffer, used by ping, occ, etc. */
struct buffer aux_buf; |
6fbf66fa |
|
81d882d5 |
/* workspace buffers used by crypto routines */
struct buffer encrypt_buf;
struct buffer decrypt_buf; |
6fbf66fa |
|
81d882d5 |
/* workspace buffers for compression */ |
38d96bd7 |
#ifdef USE_COMP |
81d882d5 |
struct buffer compress_buf;
struct buffer decompress_buf; |
6fbf66fa |
#endif
|
81d882d5 |
/*
* Buffers used to read from TUN device
* and TCP/UDP port.
*/
struct buffer read_link_buf;
struct buffer read_tun_buf; |
6fbf66fa |
};
|
a9c802b2 |
/*
* always-persistent context variables
*/
struct context_persist
{ |
81d882d5 |
int restart_sleep_seconds; |
a9c802b2 |
};
|
98619012 |
/**************************************************************************/
/**
* Level 0 %context containing information related to the OpenVPN process.
*
* Level 0 state is initialized once at program startup, and then remains
* throughout the lifetime of the OpenVPN process. This structure |
825b3272 |
* contains information related to the process's PID, user, group, and
* privileges. |
92bbb061 |
*/
struct context_0
{ |
81d882d5 |
/* workspace for --user/--group */
bool uid_gid_specified;
/* helper which tells us whether we should keep trying to drop privileges */
bool uid_gid_chroot_set;
struct platform_state_user platform_state_user;
struct platform_state_group platform_state_group; |
92bbb061 |
};
|
98619012 |
/**
* Level 1 %context containing state that persists across \c SIGUSR1
* restarts.
*
* Level 1 state is reset on \c SIGHUP restarts. This structure is
* initialized for every iteration of the \c main() function's outer \c
* SIGHUP loop, but persists over iteration of that function's inner \c
* SIGUSR1 loop. |
6fbf66fa |
*/
struct context_1
{ |
81d882d5 |
struct link_socket_addr link_socket_addr;
/**< Local and remote addresses on the
* external network. */ |
6fbf66fa |
|
81d882d5 |
/* tunnel session keys */
struct key_schedule ks; |
6fbf66fa |
|
81d882d5 |
/* preresolved and cached host names */
struct cached_dns_entry *dns_cache; |
e719a053 |
|
81d882d5 |
/* persist crypto sequence number to/from file */
struct packet_id_persist pid_persist; |
6fbf66fa |
|
81d882d5 |
struct tuntap *tuntap; /**< Tun/tap virtual network interface. */
bool tuntap_owned; /**< Whether the tun/tap interface should |
98619012 |
* be cleaned up when this %context is
* cleaned up. */ |
6fbf66fa |
|
81d882d5 |
struct route_list *route_list;
/**< List of routing information. See the
* \c --route command line option. */ |
6fbf66fa |
|
81d882d5 |
/* list of --route-ipv6 directives */
struct route_ipv6_list *route_ipv6_list; |
512cda46 |
|
81d882d5 |
/* --status file */
struct status_output *status_output;
bool status_output_owned; |
6fbf66fa |
|
81d882d5 |
/* HTTP proxy object */
struct http_proxy_info *http_proxy;
bool http_proxy_owned; |
6fbf66fa |
|
81d882d5 |
/* SOCKS proxy object */
struct socks_proxy_info *socks_proxy;
bool socks_proxy_owned; |
6fbf66fa |
#if P2MP
#if P2MP_SERVER |
81d882d5 |
/* persist --ifconfig-pool db to file */
struct ifconfig_pool_persist *ifconfig_pool_persist;
bool ifconfig_pool_persist_owned; |
6fbf66fa |
#endif
|
81d882d5 |
/* if client mode, hash of option strings we pulled from server */ |
5b48e8c9 |
struct sha256_digest pulled_options_digest_save; |
81d882d5 |
/**< Hash of option strings received from the
* remote OpenVPN server. Only used in
* client-mode. */ |
6fbf66fa |
|
81d882d5 |
struct user_pass *auth_user_pass;
/**< Username and password for
* authentication. */ |
d728ebed |
|
81d882d5 |
const char *ciphername; /**< Data channel cipher from config file */
const char *authname; /**< Data channel auth from config file */
int keysize; /**< Data channel keysize from config file */ |
6fbf66fa |
#endif
};
|
98619012 |
/**
* Level 2 %context containing state that is reset on both \c SIGHUP and
* \c SIGUSR1 restarts.
*
* This structure is initialized at the top of the \c
* tunnel_point_to_point(), \c tunnel_server_udp_single_threaded(), and \c
* tunnel_server_tcp() functions. In other words, it is reset for every
* iteration of the \c main() function's inner \c SIGUSR1 loop. |
6fbf66fa |
*/
struct context_2
{ |
81d882d5 |
struct gc_arena gc; /**< Garbage collection arena for |
98619012 |
* allocations done in the level 2 scope
* of this context_2 structure. */ |
6fbf66fa |
|
81d882d5 |
/* our global wait events */
struct event_set *event_set;
int event_set_max;
bool event_set_owned;
/* event flags returned by io_wait */
#define SOCKET_READ (1<<0)
#define SOCKET_WRITE (1<<1)
#define TUN_READ (1<<2)
#define TUN_WRITE (1<<3)
#define ES_ERROR (1<<4)
#define ES_TIMEOUT (1<<5)
#ifdef ENABLE_MANAGEMENT
#define MANAGEMENT_READ (1<<6)
#define MANAGEMENT_WRITE (1<<7)
#endif |
0d1a75bf |
#ifdef ENABLE_ASYNC_PUSH |
81d882d5 |
#define FILE_CLOSED (1<<8) |
0d1a75bf |
#endif |
6fbf66fa |
|
81d882d5 |
unsigned int event_set_status; |
6fbf66fa |
|
81d882d5 |
struct link_socket *link_socket; /* socket used for TCP/UDP connection to remote */
bool link_socket_owned;
struct link_socket_info *link_socket_info;
const struct link_socket *accept_from; /* possibly do accept() on a parent link_socket */ |
6fbf66fa |
|
81d882d5 |
struct link_socket_actual *to_link_addr; /* IP address of remote */
struct link_socket_actual from; /* address of incoming datagram */ |
6fbf66fa |
|
81d882d5 |
/* MTU frame parameters */ |
9900e023 |
struct frame frame; /* Active frame parameters */
struct frame frame_initial; /* Restored on new session */ |
6fbf66fa |
#ifdef ENABLE_FRAGMENT |
81d882d5 |
/* Object to handle advanced MTU negotiation and datagram fragmentation */
struct fragment_master *fragment;
struct frame frame_fragment;
struct frame frame_fragment_omit; |
6fbf66fa |
#endif
|
3d163bc5 |
#ifdef ENABLE_FEATURE_SHAPER |
81d882d5 |
/*
* Traffic shaper object.
*/
struct shaper shaper; |
6fbf66fa |
#endif
|
81d882d5 |
/*
* Statistics
*/
counter_type tun_read_bytes;
counter_type tun_write_bytes;
counter_type link_read_bytes;
counter_type link_read_bytes_auth;
counter_type link_write_bytes; |
3c7f2f55 |
#ifdef PACKET_TRUNCATION_CHECK |
81d882d5 |
counter_type n_trunc_tun_read;
counter_type n_trunc_tun_write;
counter_type n_trunc_pre_encrypt;
counter_type n_trunc_post_decrypt; |
3c7f2f55 |
#endif |
6fbf66fa |
|
81d882d5 |
/*
* Timer objects for ping and inactivity
* timeout features.
*/
struct event_timeout wait_for_connect;
struct event_timeout ping_send_interval;
struct event_timeout ping_rec_interval; |
6fbf66fa |
|
81d882d5 |
/* --inactive */
struct event_timeout inactivity_interval;
int inactivity_bytes; |
838911cc |
|
6fbf66fa |
#ifdef ENABLE_OCC |
81d882d5 |
/* the option strings must match across peers */
char *options_string_local;
char *options_string_remote; |
6fbf66fa |
|
81d882d5 |
int occ_op; /* INIT to -1 */
int occ_n_tries;
struct event_timeout occ_interval; |
6fbf66fa |
#endif
|
81d882d5 |
/*
* Keep track of maximum packet size received so far
* (of authenticated packets).
*/
int original_recv_size; /* temporary */
int max_recv_size_local; /* max packet size received */
int max_recv_size_remote; /* max packet size received by remote */
int max_send_size_local; /* max packet size sent */
int max_send_size_remote; /* max packet size sent by remote */ |
6fbf66fa |
#ifdef ENABLE_OCC |
81d882d5 |
/* remote wants us to send back a load test packet of this size */
int occ_mtu_load_size; |
6fbf66fa |
|
81d882d5 |
struct event_timeout occ_mtu_load_test_interval;
int occ_mtu_load_n_tries; |
6fbf66fa |
#endif
|
81d882d5 |
/*
* TLS-mode crypto objects.
*/
struct tls_multi *tls_multi; /**< TLS state structure for this VPN
* tunnel. */
struct tls_auth_standalone *tls_auth_standalone;
/**< TLS state structure required for the
* initial authentication of a client's
* connection attempt. This structure
* is used by the \c
* tls_pre_decrypt_lite() function when
* it performs the HMAC firewall check
* on the first connection packet
* received from a new client. See the
* \c --tls-auth commandline option. */
/* used to optimize calls to tls_multi_process */
struct interval tmp_int;
/* throw this signal on TLS errors */
int tls_exit_signal;
struct crypto_options crypto_options;
/**< Security parameters and crypto state
* used by the \link data_crypto Data
* Channel Crypto module\endlink to
* process data channel packet. */
struct event_timeout packet_id_persist_interval; |
6fbf66fa |
|
38d96bd7 |
#ifdef USE_COMP |
81d882d5 |
struct compress_context *comp_context;
/**< Compression context used by the
* \link compression Data Channel
* Compression module\endlink. */ |
6fbf66fa |
#endif
|
81d882d5 |
/*
* Buffers used for packet processing.
*/
struct context_buffers *buffers;
bool buffers_owned; /* if true, we should free all buffers on close */ |
6fbf66fa |
|
81d882d5 |
/*
* These buffers don't actually allocate storage, they are used
* as pointers to the allocated buffers in
* struct context_buffers.
*/
struct buffer buf;
struct buffer to_tun;
struct buffer to_link; |
6fbf66fa |
|
81d882d5 |
/* should we print R|W|r|w to console on packet transfers? */
bool log_rw; |
6fbf66fa |
|
81d882d5 |
/* route stuff */
struct event_timeout route_wakeup;
struct event_timeout route_wakeup_expire; |
6fbf66fa |
|
81d882d5 |
/* did we open tun/tap dev during this cycle? */
bool did_open_tun; |
6fbf66fa |
|
81d882d5 |
/*
* Event loop info
*/ |
6fbf66fa |
|
81d882d5 |
/* how long to wait on link/tun read before we will need to be serviced */
struct timeval timeval; |
6fbf66fa |
|
81d882d5 |
/* next wakeup for processing coarse timers (>1 sec resolution) */
time_t coarse_timer_wakeup; |
6fbf66fa |
|
81d882d5 |
/* maintain a random delta to add to timeouts to avoid contexts
* waking up simultaneously */
time_t update_timeout_random_component;
struct timeval timeout_random_component; |
6fbf66fa |
|
81d882d5 |
/* Timer for everything up to the first packet from the *OpenVPN* server
* socks, http proxy, and tcp packets do not count */
struct event_timeout server_poll_interval; |
f2134b7b |
|
81d882d5 |
/* indicates that the do_up_delay function has run */
bool do_up_ran; |
6fbf66fa |
#ifdef ENABLE_OCC |
81d882d5 |
/* indicates that we have received a SIGTERM when
* options->explicit_exit_notification is enabled,
* but we have not exited yet */
time_t explicit_exit_notification_time_wait;
struct event_timeout explicit_exit_notification_interval; |
6fbf66fa |
#endif
|
81d882d5 |
/* environmental variables to pass to scripts */
struct env_set *es;
bool es_owned; |
6fbf66fa |
|
81d882d5 |
/* don't wait for TUN/TAP/UDP to be ready to accept write */
bool fast_io; |
6fbf66fa |
#if P2MP
#if P2MP_SERVER |
81d882d5 |
/* --ifconfig endpoints to be pushed to client */
bool push_reply_deferred; |
0d1a75bf |
#ifdef ENABLE_ASYNC_PUSH |
81d882d5 |
bool push_request_received; |
47ae8457 |
#endif |
81d882d5 |
bool push_ifconfig_defined;
time_t sent_push_reply_expiry;
in_addr_t push_ifconfig_local;
in_addr_t push_ifconfig_remote_netmask;
in_addr_t push_ifconfig_local_alias;
bool push_ifconfig_ipv6_defined;
struct in6_addr push_ifconfig_ipv6_local;
int push_ifconfig_ipv6_netbits;
struct in6_addr push_ifconfig_ipv6_remote;
/* client authentication state, CAS_SUCCEEDED must be 0 */
#define CAS_SUCCEEDED 0
#define CAS_PENDING 1
#define CAS_FAILED 2
#define CAS_PARTIAL 3 /* at least one client-connect script/plugin
* succeeded while a later one in the chain failed */
int context_auth;
#endif /* if P2MP_SERVER */
struct event_timeout push_request_interval;
int n_sent_push_requests;
bool did_pre_pull_restore;
/* hash of pulled options, so we can compare when options change */ |
5b48e8c9 |
bool pulled_options_digest_init_done; |
c481ef00 |
md_ctx_t *pulled_options_state; |
5b48e8c9 |
struct sha256_digest pulled_options_digest; |
81d882d5 |
struct event_timeout scheduled_exit;
int scheduled_exit_signal;
#endif /* if P2MP */
/* packet filter */ |
47ae8457 |
#ifdef ENABLE_PF |
81d882d5 |
struct pf_context pf; |
6fbf66fa |
#endif |
90efcacb |
#ifdef MANAGEMENT_DEF_AUTH |
81d882d5 |
struct man_def_auth_context mda_context; |
90efcacb |
#endif |
0d1a75bf |
#ifdef ENABLE_ASYNC_PUSH |
81d882d5 |
int inotify_fd; /* descriptor for monitoring file changes */ |
0d1a75bf |
#endif |
6fbf66fa |
};
|
98619012 |
/** |
6fbf66fa |
* Contains all state information for one tunnel. |
98619012 |
*
* This structure represents one VPN tunnel. It is used to store state
* information related to a VPN tunnel, but also includes process-wide
* data, such as configuration options.
*
* The @ref tunnel_state "Structure of VPN tunnel state storage" related
* page describes how this structure is used in client-mode and
* server-mode. |
6fbf66fa |
*/
struct context
{ |
81d882d5 |
struct options options; /**< Options loaded from command line or |
98619012 |
* configuration file. */ |
6fbf66fa |
|
81d882d5 |
bool first_time; /**< True on the first iteration of |
98619012 |
* OpenVPN's main loop. */ |
6fbf66fa |
|
81d882d5 |
/* context modes */
#define CM_P2P 0 /* standalone point-to-point session or client */
#define CM_TOP 1 /* top level of a multi-client or point-to-multipoint server */
#define CM_TOP_CLONE 2 /* clone of a CM_TOP context for one thread */
#define CM_CHILD_UDP 3 /* child context of a CM_TOP or CM_THREAD */
#define CM_CHILD_TCP 4 /* child context of a CM_TOP or CM_THREAD */
int mode; /**< Role of this context within the |
98619012 |
* OpenVPN process. Valid values are \c
* CM_P2P, \c CM_TOP, \c CM_TOP_CLONE,
* \c CM_CHILD_UDP, and \c CM_CHILD_TCP. */ |
6fbf66fa |
|
81d882d5 |
struct gc_arena gc; /**< Garbage collection arena for |
98619012 |
* allocations done in the scope of this
* context structure. */ |
6fbf66fa |
|
81d882d5 |
struct env_set *es; /**< Set of environment variables. */ |
6fbf66fa |
|
81d882d5 |
struct signal_info *sig; /**< Internal error signaling object. */ |
6fbf66fa |
|
81d882d5 |
struct plugin_list *plugins; /**< List of plug-ins. */
bool plugins_owned; /**< Whether the plug-ins should be |
98619012 |
* cleaned up when this %context is
* cleaned up. */ |
81d882d5 |
bool did_we_daemonize; /**< Whether demonization has already |
98619012 |
* taken place. */ |
90e105d2 |
|
81d882d5 |
struct context_persist persist;
/**< Persistent %context. */
struct context_0 *c0; /**< Level 0 %context. */
struct context_1 c1; /**< Level 1 %context. */
struct context_2 c2; /**< Level 2 %context. */ |
6fbf66fa |
};
/*
* Check for a signal when inside an event loop
*/
#define EVENT_LOOP_CHECK_SIGNAL(c, func, arg) \ |
81d882d5 |
if (IS_SIG(c)) \
{ \
const int brk = func(arg); \
perf_pop(); \
if (brk) { \
break;} \
else { \
continue;} \
} |
6fbf66fa |
/*
* Macros for referencing objects which may not
* have been compiled in.
*/
#define TLS_MODE(c) ((c)->c2.tls_multi != NULL) |
81d882d5 |
#define PROTO_DUMP_FLAGS (check_debug_level(D_LINK_RW_VERBOSE) ? (PD_SHOW_DATA|PD_VERBOSE) : 0) |
6fbf66fa |
#define PROTO_DUMP(buf, gc) protocol_dump((buf), \ |
81d882d5 |
PROTO_DUMP_FLAGS \
|(c->c2.tls_multi ? PD_TLS : 0) \
|(c->options.tls_auth_file ? c->c1.ks.key_type.hmac_length : 0), \
gc) |
6fbf66fa |
#define CIPHER_ENABLED(c) (c->c1.ks.key_type.cipher != NULL)
|
e8e1377d |
/* this represents "disabled peer-id" */
#define MAX_PEER_ID 0xFFFFFF
|
81d882d5 |
#endif /* ifndef OPENVPN_H */ |