1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
|
/*
* OpenVPN -- An application to securely tunnel IP networks
* over a single TCP/UDP port, with support for SSL/TLS-based
* session authentication and key exchange,
* packet encryption, packet authentication, and
* packet compression.
*
* Copyright (C) 2002-2005 OpenVPN Solutions LLC <info@openvpn.net>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2
* as published by the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program (see the file COPYING included with this
* distribution); if not, write to the Free Software Foundation, Inc.,
* 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#ifndef OPENVPN_H
#define OPENVPN_H
#include "buffer.h"
#include "options.h"
#include "socket.h"
#include "crypto.h"
#include "ssl.h"
#include "packet_id.h"
#include "lzo.h"
#include "tun.h"
#include "interval.h"
#include "status.h"
#include "fragment.h"
#include "shaper.h"
#include "route.h"
#include "proxy.h"
#include "socks.h"
#include "sig.h"
#include "misc.h"
#include "mbuf.h"
#include "pool.h"
#include "plugin.h"
#include "manage.h"
/*
* Our global key schedules, packaged thusly
* to facilitate --persist-key.
*/
struct key_schedule
{
#ifdef USE_CRYPTO
/* which cipher, HMAC digest, and key sizes are we using? */
struct key_type key_type;
/* pre-shared static key, read from a file */
struct key_ctx_bi static_key;
#ifdef USE_SSL
/* our global SSL context */
SSL_CTX *ssl_ctx;
/* optional authentication HMAC key for TLS control channel */
struct key_ctx_bi tls_auth_key;
#endif /* USE_SSL */
#else /* USE_CRYPTO */
int dummy;
#endif /* USE_CRYPTO */
};
/*
* struct packet_id_persist should be empty if we are not
* building with crypto.
*/
#ifndef PACKET_ID_H
struct packet_id_persist
{
int dummy;
};
static inline void
packet_id_persist_init (struct packet_id_persist *p)
{
}
#endif
/*
* Packet processing buffers.
*/
struct context_buffers
{
/* miscellaneous buffer, used by ping, occ, etc. */
struct buffer aux_buf;
/* workspace buffers used by crypto routines */
#ifdef USE_CRYPTO
struct buffer encrypt_buf;
struct buffer decrypt_buf;
#endif
/* workspace buffers for LZO compression */
#ifdef USE_LZO
struct buffer lzo_compress_buf;
struct buffer lzo_decompress_buf;
#endif
/*
* Buffers used to read from TUN device
* and TCP/UDP port.
*/
struct buffer read_link_buf;
struct buffer read_tun_buf;
};
/*
* Contains the persist-across-restart OpenVPN tunnel instance state.
* Reset only for SIGHUP restarts.
*/
struct context_1
{
/* local and remote addresses */
struct link_socket_addr link_socket_addr;
/* tunnel session keys */
struct key_schedule ks;
/* persist crypto sequence number to/from file */
struct packet_id_persist pid_persist;
/* array of remote addresses */
struct remote_list *remote_list;
/* TUN/TAP interface */
struct tuntap *tuntap;
bool tuntap_owned;
/* list of --route directives */
struct route_list *route_list;
/* --status file */
struct status_output *status_output;
bool status_output_owned;
#ifdef ENABLE_HTTP_PROXY
/* HTTP proxy object */
struct http_proxy_info *http_proxy;
#endif
#ifdef ENABLE_SOCKS
/* SOCKS proxy object */
struct socks_proxy_info *socks_proxy;
#endif
#if P2MP
#if P2MP_SERVER
/* persist --ifconfig-pool db to file */
struct ifconfig_pool_persist *ifconfig_pool_persist;
bool ifconfig_pool_persist_owned;
#endif
/* if client mode, option strings we pulled from server */
char *pulled_options_string_save;
/* save user/pass for authentication */
struct user_pass *auth_user_pass;
#endif
};
/*
* Contains the OpenVPN tunnel instance state, wiped across
* SIGUSR1 and SIGHUP restarts.
*/
struct context_2
{
/* garbage collection arena for context_2 scope */
struct gc_arena gc;
/* our global wait events */
struct event_set *event_set;
int event_set_max;
bool event_set_owned;
/* event flags returned by io_wait */
# define SOCKET_READ (1<<0)
# define SOCKET_WRITE (1<<1)
# define TUN_READ (1<<2)
# define TUN_WRITE (1<<3)
# define ES_ERROR (1<<4)
# define ES_TIMEOUT (1<<5)
# ifdef ENABLE_MANAGEMENT
# define MANAGEMENT_READ (1<<6)
# define MANAGEMENT_WRITE (1<<7)
# endif
unsigned int event_set_status;
struct link_socket *link_socket; /* socket used for TCP/UDP connection to remote */
bool link_socket_owned;
struct link_socket_info *link_socket_info;
const struct link_socket *accept_from; /* possibly do accept() on a parent link_socket */
struct link_socket_actual *to_link_addr; /* IP address of remote */
struct link_socket_actual from; /* address of incoming datagram */
/* MTU frame parameters */
struct frame frame;
#ifdef ENABLE_FRAGMENT
/* Object to handle advanced MTU negotiation and datagram fragmentation */
struct fragment_master *fragment;
struct frame frame_fragment;
struct frame frame_fragment_omit;
#endif
#ifdef HAVE_GETTIMEOFDAY
/*
* Traffic shaper object.
*/
struct shaper shaper;
#endif
/*
* Statistics
*/
counter_type tun_read_bytes;
counter_type tun_write_bytes;
counter_type link_read_bytes;
counter_type link_read_bytes_auth;
counter_type link_write_bytes;
#ifdef PACKET_TRUNCATION_CHECK
counter_type n_trunc_tun_read;
counter_type n_trunc_tun_write;
counter_type n_trunc_pre_encrypt;
counter_type n_trunc_post_decrypt;
#endif
/*
* Timer objects for ping and inactivity
* timeout features.
*/
struct event_timeout wait_for_connect;
struct event_timeout inactivity_interval;
struct event_timeout ping_send_interval;
struct event_timeout ping_rec_interval;
#ifdef ENABLE_OCC
/* the option strings must match across peers */
char *options_string_local;
char *options_string_remote;
int occ_op; /* INIT to -1 */
int occ_n_tries;
struct event_timeout occ_interval;
#endif
/*
* Keep track of maximum packet size received so far
* (of authenticated packets).
*/
int original_recv_size; /* temporary */
int max_recv_size_local; /* max packet size received */
int max_recv_size_remote; /* max packet size received by remote */
int max_send_size_local; /* max packet size sent */
int max_send_size_remote; /* max packet size sent by remote */
#ifdef ENABLE_OCC
/* remote wants us to send back a load test packet of this size */
int occ_mtu_load_size;
struct event_timeout occ_mtu_load_test_interval;
int occ_mtu_load_n_tries;
#endif
#ifdef USE_CRYPTO
/*
* TLS-mode crypto objects.
*/
#ifdef USE_SSL
/* master OpenVPN SSL/TLS object */
struct tls_multi *tls_multi;
/* check --tls-auth signature without needing
a full-size tls_multi object */
struct tls_auth_standalone *tls_auth_standalone;
/* used to optimize calls to tls_multi_process */
struct interval tmp_int;
/* throw this signal on TLS errors */
int tls_exit_signal;
#endif /* USE_SSL */
/* passed to encrypt or decrypt, contains all
crypto-related command line options related
to data channel encryption/decryption */
struct crypto_options crypto_options;
/* used to keep track of data channel packet sequence numbers */
struct packet_id packet_id;
struct event_timeout packet_id_persist_interval;
#endif /* USE_CRYPTO */
/*
* LZO compression library workspace.
*/
#ifdef USE_LZO
struct lzo_compress_workspace lzo_compwork;
#endif
/*
* Buffers used for packet processing.
*/
struct context_buffers *buffers;
bool buffers_owned; /* if true, we should free all buffers on close */
/*
* These buffers don't actually allocate storage, they are used
* as pointers to the allocated buffers in
* struct context_buffers.
*/
struct buffer buf;
struct buffer to_tun;
struct buffer to_link;
/*
* IPv4 TUN device?
*/
bool ipv4_tun;
/* workspace for get_pid_file/write_pid */
struct pid_state pid_state;
/* workspace for --user/--group */
bool uid_gid_specified;
bool uid_gid_set;
struct user_state user_state;
struct group_state group_state;
/* should we print R|W|r|w to console on packet transfers? */
bool log_rw;
/* route stuff */
struct event_timeout route_wakeup;
struct event_timeout route_wakeup_expire;
/* did we open tun/tap dev during this cycle? */
bool did_open_tun;
/*
* Event loop info
*/
/* how long to wait on link/tun read before we will need to be serviced */
struct timeval timeval;
/* next wakeup for processing coarse timers (>1 sec resolution) */
time_t coarse_timer_wakeup;
/* maintain a random delta to add to timeouts to avoid contexts
waking up simultaneously */
time_t update_timeout_random_component;
struct timeval timeout_random_component;
/* indicates that the do_up_delay function has run */
bool do_up_ran;
#ifdef ENABLE_OCC
/* indicates that we have received a SIGTERM when
options->explicit_exit_notification is enabled,
but we have not exited yet */
time_t explicit_exit_notification_time_wait;
struct event_timeout explicit_exit_notification_interval;
#endif
/* environmental variables to pass to scripts */
struct env_set *es;
/* don't wait for TUN/TAP/UDP to be ready to accept write */
bool fast_io;
#if P2MP
#if P2MP_SERVER
/* --ifconfig endpoints to be pushed to client */
bool push_reply_deferred;
bool push_ifconfig_defined;
in_addr_t push_ifconfig_local;
in_addr_t push_ifconfig_remote_netmask;
/* client authentication state, CAS_SUCCEEDED must be 0 */
# define CAS_SUCCEEDED 0
# define CAS_PENDING 1
# define CAS_FAILED 2
# define CAS_PARTIAL 3 /* at least one client-connect script/plugin
succeeded while a later one in the chain failed */
int context_auth;
#endif
struct event_timeout push_request_interval;
const char *pulled_options_string;
struct event_timeout scheduled_exit;
#endif
};
/*
* Contains all state information for one tunnel.
*/
struct context
{
/* command line or config file options */
struct options options;
/* true on initial VPN iteration */
bool first_time;
/* used by multi-client code to lock the context */
/*MUTEX_DEFINE (mutex);*/
/* context modes */
# define CM_P2P 0 /* standalone point-to-point session or client */
# define CM_TOP 1 /* top level of a multi-client or point-to-multipoint server */
# define CM_TOP_CLONE 2 /* clone of a CM_TOP context for one thread */
# define CM_CHILD_UDP 3 /* child context of a CM_TOP or CM_THREAD */
# define CM_CHILD_TCP 4 /* child context of a CM_TOP or CM_THREAD */
int mode;
/* garbage collection for context scope
allocations */
struct gc_arena gc;
/* environmental variable settings */
struct env_set *es;
/* signal info */
struct signal_info *sig;
/* shared object plugins */
struct plugin_list *plugins;
bool plugins_owned;
/* set to true after we daemonize */
bool did_we_daemonize;
/* level 1 context is preserved for
SIGUSR1 restarts, but initialized
for SIGHUP restarts */
struct context_1 c1;
/* level 2 context is initialized for all
restarts (SIGUSR1 and SIGHUP) */
struct context_2 c2;
};
/*
* Check for a signal when inside an event loop
*/
#define EVENT_LOOP_CHECK_SIGNAL(c, func, arg) \
if (IS_SIG (c)) \
{ \
const int brk = func (arg); \
perf_pop (); \
if (brk) \
break; \
else \
continue; \
}
/*
* Macros for referencing objects which may not
* have been compiled in.
*/
#if defined(USE_CRYPTO) && defined(USE_SSL)
#define TLS_MODE(c) ((c)->c2.tls_multi != NULL)
#define PROTO_DUMP_FLAGS (check_debug_level (D_LINK_RW_VERBOSE) ? (PD_SHOW_DATA|PD_VERBOSE) : 0)
#define PROTO_DUMP(buf, gc) protocol_dump((buf), \
PROTO_DUMP_FLAGS | \
(c->c2.tls_multi ? PD_TLS : 0) | \
(c->options.tls_auth_file ? c->c1.ks.key_type.hmac_length : 0), \
gc)
#else
#define TLS_MODE(c) (false)
#define PROTO_DUMP(buf, gc) format_hex (BPTR (buf), BLEN (buf), 80, gc)
#endif
#ifdef USE_CRYPTO
#define MD5SUM(buf, len, gc) md5sum((buf), (len), 0, (gc))
#else
#define MD5SUM(buf, len, gc) "[unavailable]"
#endif
#ifdef USE_CRYPTO
#define CIPHER_ENABLED(c) (c->c1.ks.key_type.cipher != NULL)
#else
#define CIPHER_ENABLED(c) (false)
#endif
#endif
|