/*
 *  OpenVPN -- An application to securely tunnel IP networks
 *             over a single TCP/UDP port, with support for SSL/TLS-based
 *             session authentication and key exchange,
 *             packet encryption, packet authentication, and
 *             packet compression.
 *
 *  Copyright (C) 2021-2023 Arne Schwabe <arne@rfc2549.org>
 *  Copyright (C) 2021-2023 Antonio Quartulli <a@unstable.cc>
 *  Copyright (C) 2021-2023 OpenVPN Inc <sales@openvpn.net>
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License version 2
 *  as published by the Free Software Foundation.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License
 *  along with this program (see the file COPYING included with this
 *  distribution); if not, write to the Free Software Foundation, Inc.,
 *  59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
 */
#ifndef DCO_H
#define DCO_H

#include "buffer.h"
#include "error.h"
#include "dco_internal.h"
#include "networking.h"

/* forward declarations (including other headers leads to nasty include
 * order problems)
 */
struct event_set;
struct key2;
struct key_state;
struct multi_context;
struct multi_instance;
struct mroute_addr;
struct options;
struct tls_multi;
struct tuntap;

#define DCO_IROUTE_METRIC   100
#define DCO_DEFAULT_METRIC  200

#if defined(ENABLE_DCO)

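/**
 * Check whether ovpn-dco is available on this platform (i.e. kernel support is
 * there)
 *
 * @param msglevel      level to print messages to
 * @return              true if ovpn-dco is available, false otherwise
 */
bool dco_available(int msglevel);


/**
 * Return a human readable string representing the DCO version
 *
 * @param gc    the garbage collector to use for any dynamic allocation
 * @return      a pointer to the version string (allocated via gc)
 */
const char *dco_version_string(struct gc_arena *gc);

/**
 * Check whether the options struct has any option that is not supported by
 * our current dco implementation. If so print a warning at @p msglevel
 * for the first conflicting option found and return false.
 *
 * @param msglevel  the msg level to use to print the warnings
 * @param o         the options struct that holds the options
 * @return          true if no conflict was detected, false otherwise
 */
bool dco_check_option(int msglevel, const struct options *o);

/**
 * Check whether the options struct has any further option that is not supported
 * by our current dco implementation during early startup.
 * If so print a warning at @p msglevel for the first conflicting option
 * found and return false.
 *
 * @param msglevel  the msg level to use to print the warnings
 * @param o         the options struct that holds the options
 * @return          true if no conflict was detected, false otherwise
 */
bool dco_check_startup_option(int msglevel, const struct options *o);

/**
 * Check whether any of the options pushed by the server is not supported by
 * our current dco implementation. Pushed options originate from the remote
 * side, so they are validated here before they can affect the DCO setup.
 * If so print a warning at @p msglevel for the first conflicting option
 * found and return false.
 *
 * @param msglevel  the msg level to use to print the warnings
 * @param o         the options struct that holds the (pushed) options
 * @return          true if no conflict was detected, false otherwise
 */
bool dco_check_pull_options(int msglevel, const struct options *o);

/**
 * Initialize the DCO context
 *
 * @param mode      the instance operating mode (P2P or multi-peer)
 * @param dco       the context to initialize
 * @return          true on success, false otherwise
 */
bool ovpn_dco_init(int mode, dco_context_t *dco);

/**
 * Open/create a DCO interface
 *
 * @param tt        the tuntap context
 * @param ctx       the networking API context
 * @param dev       the name of the interface to create
 * @return          0 on success or a negative error code otherwise
 */
int open_tun_dco(struct tuntap *tt, openvpn_net_ctx_t *ctx, const char *dev);

/**
 * Close/destroy a DCO interface
 *
 * @param tt        the tuntap context
 * @param ctx       the networking API context
 */
void close_tun_dco(struct tuntap *tt, openvpn_net_ctx_t *ctx);

/**
 * Read data from the DCO communication channel (i.e. a control packet)
 *
 * @param dco       the DCO context
 * @return          0 on success or a negative error code otherwise
 */
int dco_do_read(dco_context_t *dco);

/**
 * Install a DCO in the main event loop
 *
 * @param dco       the DCO context
 * @param es        the event set to install the DCO context into
 * @param arg       opaque argument to associate with the event
 */
void dco_event_set(dco_context_t *dco, struct event_set *es, void *arg);

/**
 * Install the key material in DCO for the specified peer.
 * The key is installed in the primary slot when no other key was yet installed.
 * Any subsequent invocation will install the key in the secondary slot.
 *
 * @param multi     the TLS context of the current instance
 * @param ks        the state of the key being installed
 * @param key2      the container for the raw key material
 * @param key_direction the key direction to be used to extract the material
 * @param ciphername    the name of the cipher to use the key with
 * @param server    whether we are running on a server instance or not
 *
 * @return          0 on success or a negative error code otherwise
 */
int init_key_dco_bi(struct tls_multi *multi, struct key_state *ks,
                    const struct key2 *key2, int key_direction,
                    const char *ciphername, bool server);

/**
 * Possibly swap or wipe keys from DCO
 *
 * @param dco           DCO device context
 * @param multi         TLS multi instance
 *
 * @return              returns false if an error occurred that is not
 *                      recoverable and should reset the connection
 */
bool dco_update_keys(dco_context_t *dco, struct tls_multi *multi);

/**
 * Install a new peer in DCO - to be called by a CLIENT (or P2P) instance
 *
 * @param c         the main instance context
 * @return          0 on success or a negative error code otherwise
 */
int dco_p2p_add_new_peer(struct context *c);

/**
 * Modify DCO peer options. Special values are 0 (disable)
 * and -1 (do not touch).
 *
 * @param dco                DCO device context
 * @param peerid             the ID of the peer to be modified
 * @param keepalive_interval keepalive interval in seconds
 * @param keepalive_timeout  keepalive timeout in seconds
 * @param mss                TCP MSS value
 *
 * @return                   0 on success or a negative error code otherwise
 */
int dco_set_peer(dco_context_t *dco, unsigned int peerid,
                 int keepalive_interval, int keepalive_timeout, int mss);

/**
 * Remove a peer from DCO
 *
 * @param c         the main instance context of the peer to remove
 */
void dco_remove_peer(struct context *c);

/**
 * Install a new peer in DCO - to be called by a SERVER instance
 *
 * @param m         the server context
 * @param mi        the client instance
 * @return          0 on success or a negative error code otherwise
 */
int dco_multi_add_new_peer(struct multi_context *m, struct multi_instance *mi);

/**
 * Install an iroute in DCO, which means adding a route to the system routing
 * table. To be called by a SERVER instance only.
 *
 * @param m         the server context
 * @param mi        the client instance acting as nexthop for the route
 * @param addr      the route to add
 */
void dco_install_iroute(struct multi_context *m, struct multi_instance *mi,
                        struct mroute_addr *addr);

/**
 * Remove all routes added through the specified client
 *
 * @param m         the server context
 * @param mi        the client instance for which routes have to be removed
 */
void dco_delete_iroutes(struct multi_context *m, struct multi_instance *mi);

/**
 * Update traffic statistics for all peers
 *
 * @param dco   DCO device context
 * @param m     the server context
 */
int dco_get_peer_stats_multi(dco_context_t *dco, struct multi_context *m);

/**
 * Update traffic statistics for single peer
 *
 * @param c   instance context of the peer
 */
int dco_get_peer_stats(struct context *c);

/**
 * Retrieve the list of ciphers supported by the current platform
 *
 * @return                   list of colon-separated ciphers
 */
/* (void) rather than (): an empty list declares an unprototyped function in C
 * and would let a caller pass arbitrary arguments unchecked. */
const char *dco_get_supported_ciphers(void);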

#else /* if defined(ENABLE_DCO) */

typedef void *dco_context_t;

/**
 * Stub used when ovpn-dco support is compiled out.
 *
 * @param msglevel  unused; the stub logs nothing
 * @return          always false (DCO is never available in this build)
 */
static inline bool
dco_available(int msglevel)
{
    (void)msglevel;
    return false;
}

/**
 * Stub used when ovpn-dco support is compiled out.
 *
 * @param gc    unused; nothing is allocated
 * @return      the constant string "not-compiled"
 */
static inline const char *
dco_version_string(struct gc_arena *gc)
{
    (void)gc;
    static const char not_compiled[] = "not-compiled";
    return not_compiled;
}

/**
 * Stub used when ovpn-dco support is compiled out.
 *
 * @param msglevel  unused
 * @param o         unused
 * @return          always false
 */
static inline bool
dco_check_option(int msglevel, const struct options *o)
{
    (void)msglevel;
    (void)o;
    return false;
}

/**
 * Stub used when ovpn-dco support is compiled out.
 *
 * @param msglevel  unused
 * @param o         unused
 * @return          always false
 */
static inline bool
dco_check_startup_option(int msglevel, const struct options *o)
{
    (void)msglevel;
    (void)o;
    return false;
}

/**
 * Stub used when ovpn-dco support is compiled out.
 *
 * @param msglevel  unused
 * @param o         unused
 * @return          always false
 */
static inline bool
dco_check_pull_options(int msglevel, const struct options *o)
{
    (void)msglevel;
    (void)o;
    return false;
}

/**
 * Stub used when ovpn-dco support is compiled out: there is nothing to set up.
 *
 * @param mode  unused
 * @param dco   unused
 * @return      always true
 */
static inline bool
ovpn_dco_init(int mode, dco_context_t *dco)
{
    (void)mode;
    (void)dco;
    return true;
}

/**
 * Stub used when ovpn-dco support is compiled out: no interface is created.
 *
 * @param tt    unused
 * @param ctx   unused
 * @param dev   unused
 * @return      always 0
 */
static inline int
open_tun_dco(struct tuntap *tt, openvpn_net_ctx_t *ctx, const char *dev)
{
    (void)tt;
    (void)ctx;
    (void)dev;
    return 0;
}

/**
 * Stub used when ovpn-dco support is compiled out: no-op.
 *
 * @param tt    unused
 * @param ctx   unused
 */
static inline void
close_tun_dco(struct tuntap *tt, openvpn_net_ctx_t *ctx)
{
    (void)tt;
    (void)ctx;
}

/**
 * Stub used when ovpn-dco support is compiled out.
 *
 * Reaching this function is a programming error: ASSERT(false) aborts, and the
 * trailing return only exists to satisfy the compiler.
 *
 * @param dco   unused
 * @return      never returns normally
 */
static inline int
dco_do_read(dco_context_t *dco)
{
    (void)dco;
    ASSERT(false);
    return 0;
}

/**
 * Stub used when ovpn-dco support is compiled out: nothing is registered.
 *
 * @param dco   unused
 * @param es    unused
 * @param arg   unused
 */
static inline void
dco_event_set(dco_context_t *dco, struct event_set *es, void *arg)
{
    (void)dco;
    (void)es;
    (void)arg;
}

/**
 * Stub used when ovpn-dco support is compiled out: no key is installed.
 *
 * @param multi         unused
 * @param ks            unused
 * @param key2          unused
 * @param key_direction unused
 * @param ciphername    unused
 * @param server        unused
 * @return              always 0
 */
static inline int
init_key_dco_bi(struct tls_multi *multi, struct key_state *ks,
                const struct key2 *key2, int key_direction,
                const char *ciphername, bool server)
{
    (void)multi;
    (void)ks;
    (void)key2;
    (void)key_direction;
    (void)ciphername;
    (void)server;
    return 0;
}

/**
 * Stub used when ovpn-dco support is compiled out.
 *
 * Reaching this function is a programming error: ASSERT(false) aborts, and the
 * trailing return only exists to satisfy the compiler.
 *
 * @param dco   unused
 * @param multi unused
 * @return      never returns normally
 */
static inline bool
dco_update_keys(dco_context_t *dco, struct tls_multi *multi)
{
    (void)dco;
    (void)multi;
    ASSERT(false);
    return false;
}

/**
 * Stub used when ovpn-dco support is compiled out: no peer is added.
 *
 * @param c     unused
 * @return      always 0
 */
static inline int
dco_p2p_add_new_peer(struct context *c)
{
    (void)c;
    return 0;
}

/**
 * Stub used when ovpn-dco support is compiled out: peer options are ignored.
 *
 * @param dco                unused
 * @param peerid             unused
 * @param keepalive_interval unused
 * @param keepalive_timeout  unused
 * @param mss                unused
 * @return                   always 0
 */
static inline int
dco_set_peer(dco_context_t *dco, unsigned int peerid,
             int keepalive_interval, int keepalive_timeout, int mss)
{
    (void)dco;
    (void)peerid;
    (void)keepalive_interval;
    (void)keepalive_timeout;
    (void)mss;
    return 0;
}

/**
 * Stub used when ovpn-dco support is compiled out: no-op.
 *
 * @param c     unused
 */
static inline void
dco_remove_peer(struct context *c)
{
    (void)c;
}

/**
 * Stub used when ovpn-dco support is compiled out: no peer is added.
 *
 * @param m     unused
 * @param mi    unused
 * @return      always 0
 */
static inline int
dco_multi_add_new_peer(struct multi_context *m, struct multi_instance *mi)
{
    (void)m;
    (void)mi;
    return 0;
}

/**
 * Stub used when ovpn-dco support is compiled out: no route is installed.
 *
 * @param m     unused
 * @param mi    unused
 * @param addr  unused
 */
static inline void
dco_install_iroute(struct multi_context *m, struct multi_instance *mi,
                   struct mroute_addr *addr)
{
    (void)m;
    (void)mi;
    (void)addr;
}

/**
 * Stub used when ovpn-dco support is compiled out: no-op.
 *
 * @param m     unused
 * @param mi    unused
 */
static inline void
dco_delete_iroutes(struct multi_context *m, struct multi_instance *mi)
{
    (void)m;
    (void)mi;
}

/**
 * Stub used when ovpn-dco support is compiled out: no statistics are fetched.
 *
 * @param dco   unused
 * @param m     unused
 * @return      always 0
 */
static inline int
dco_get_peer_stats_multi(dco_context_t *dco, struct multi_context *m)
{
    (void)dco;
    (void)m;
    return 0;
}

/**
 * Stub used when ovpn-dco support is compiled out: no statistics are fetched.
 *
 * @param c     unused
 * @return      always 0
 */
static inline int
dco_get_peer_stats(struct context *c)
{
    (void)c;
    return 0;
}

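/**
 * Stub used when ovpn-dco support is compiled out.
 *
 * Declared with (void): an empty parameter list would make this an
 * unprototyped function, so argument mismatches at call sites would go
 * unchecked by the compiler.
 *
 * @return  the empty string (no DCO cipher is supported in this build)
 */
static inline const char *
dco_get_supported_ciphers(void)
{
    return "";
}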

#endif /* defined(ENABLE_DCO) */
#endif /* ifndef DCO_H */