OpenVPN
init.c
Go to the documentation of this file.
1/*
2 * OpenVPN -- An application to securely tunnel IP networks
3 * over a single TCP/UDP port, with support for SSL/TLS-based
4 * session authentication and key exchange,
5 * packet encryption, packet authentication, and
6 * packet compression.
7 *
8 * Copyright (C) 2002-2025 OpenVPN Inc <sales@openvpn.net>
9 *
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License version 2
12 * as published by the Free Software Foundation.
13 *
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
18 *
19 * You should have received a copy of the GNU General Public License along
20 * with this program; if not, see <https://www.gnu.org/licenses/>.
21 */
22
23#ifdef HAVE_CONFIG_H
24#include "config.h"
25#endif
26
27#include "syshead.h"
28
29#ifdef ENABLE_SYSTEMD
30#include <systemd/sd-daemon.h>
31#endif
32
33#include "win32.h"
34#include "init.h"
35#include "run_command.h"
36#include "sig.h"
37#include "occ.h"
38#include "list.h"
39#include "otime.h"
40#include "pool.h"
41#include "gremlin.h"
42#include "occ.h"
43#include "pkcs11.h"
44#include "ps.h"
45#include "lladdr.h"
46#include "ping.h"
47#include "mstats.h"
48#include "ssl_verify.h"
49#include "ssl_ncp.h"
50#include "tls_crypt.h"
51#include "forward.h"
52#include "auth_token.h"
53#include "mss.h"
54#include "mudp.h"
55#include "dco.h"
56#include "tun_afunix.h"
57
58#include "memdbg.h"
59
60
61static struct context *static_context; /* GLOBAL */
62static const char *saved_pid_file_name; /* GLOBAL */
63
64/*
65 * Crypto initialization flags
66 */
67#define CF_LOAD_PERSISTED_PACKET_ID (1 << 0)
68#define CF_INIT_TLS_MULTI (1 << 1)
69#define CF_INIT_TLS_AUTH_STANDALONE (1 << 2)
70
71static void do_init_first_time(struct context *c);
72
73static bool do_deferred_p2p_ncp(struct context *c);
74
75void
77{
78 CLEAR(*c);
79}
80
81void
83{
84 CLEAR(c->c1);
85}
86
87void
89{
90 CLEAR(c->c2);
91}
92
93void
95{
96 const bool first_time_save = c->first_time;
97 const struct context_persist cpsave = c->persist;
99 c->first_time = first_time_save;
100 c->persist = cpsave;
101}
102
103/*
104 * Pass tunnel endpoint and MTU parms to a user-supplied script.
105 * Used to execute the up/down script/plugins.
106 */
107static void
108run_up_down(const char *command, const struct plugin_list *plugins, int plugin_type,
109 const char *arg,
110#ifdef _WIN32
111 DWORD adapter_index,
112#endif
113 const char *dev_type, int tun_mtu, const char *ifconfig_local,
114 const char *ifconfig_remote, const char *context, const char *signal_text,
115 const char *script_type, struct env_set *es)
116{
117 struct gc_arena gc = gc_new();
118
119 if (signal_text)
120 {
121 setenv_str(es, "signal", signal_text);
122 }
123 setenv_str(es, "script_context", context);
124 setenv_int(es, "tun_mtu", tun_mtu);
125 setenv_str(es, "dev", arg);
126 if (dev_type)
127 {
128 setenv_str(es, "dev_type", dev_type);
129 }
130#ifdef _WIN32
131 setenv_int(es, "dev_idx", adapter_index);
132#endif
133
134 if (!ifconfig_local)
135 {
136 ifconfig_local = "";
137 }
138 if (!ifconfig_remote)
139 {
140 ifconfig_remote = "";
141 }
142 if (!context)
143 {
144 context = "";
145 }
146
147 if (plugin_defined(plugins, plugin_type))
148 {
149 struct argv argv = argv_new();
150 ASSERT(arg);
151 argv_printf(&argv, "%s %d 0 %s %s %s", arg, tun_mtu, ifconfig_local, ifconfig_remote,
152 context);
153
154 if (plugin_call(plugins, plugin_type, &argv, NULL, es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
155 {
156 msg(M_FATAL, "ERROR: up/down plugin call failed");
157 }
158
159 argv_free(&argv);
160 }
161
162 if (command)
163 {
164 struct argv argv = argv_new();
165 ASSERT(arg);
166 setenv_str(es, "script_type", script_type);
167 argv_parse_cmd(&argv, command);
168 argv_printf_cat(&argv, "%s %d 0 %s %s %s", arg, tun_mtu, ifconfig_local, ifconfig_remote,
169 context);
171 openvpn_run_script(&argv, es, S_FATAL, "--up/--down");
172 argv_free(&argv);
173 }
174
175 gc_free(&gc);
176}
177
178/*
179 * Should be called after options->ce is modified at the top
180 * of a SIGUSR1 restart.
181 */
182static void
184{
185 /*
186 * In pull mode, we usually import --ping/--ping-restart parameters from
187 * the server. However we should also set an initial default --ping-restart
188 * for the period of time before we pull the --ping-restart parameter
189 * from the server.
190 */
193 {
196 }
197}
198
199#ifdef ENABLE_MANAGEMENT
200static bool
201management_callback_proxy_cmd(void *arg, const char **p)
202{
203 struct context *c = arg;
204 struct connection_entry *ce = &c->options.ce;
205 struct gc_arena *gc = &c->c2.gc;
206 bool ret = false;
207
208 update_time();
209 if (streq(p[1], "NONE"))
210 {
211 ret = true;
212 }
213 else if (p[2] && p[3])
214 {
215 if (streq(p[1], "HTTP"))
216 {
217 struct http_proxy_options *ho;
218 if (ce->proto != PROTO_TCP && ce->proto != PROTO_TCP_CLIENT)
219 {
220 msg(M_WARN, "HTTP proxy support only works for TCP based connections");
221 return false;
222 }
224 ho->server = string_alloc(p[2], gc);
225 ho->port = string_alloc(p[3], gc);
226 ho->auth_retry = (p[4] && streq(p[4], "nct") ? PAR_NCT : PAR_ALL);
227 ret = true;
228 }
229 else if (streq(p[1], "SOCKS"))
230 {
232 ce->socks_proxy_port = string_alloc(p[3], gc);
233 ret = true;
234 }
235 }
236 else
237 {
238 msg(M_WARN, "Bad proxy command");
239 }
240
241 ce->flags &= ~CE_MAN_QUERY_PROXY;
242
243 return ret;
244}
245
246static bool
248{
249 const struct connection_list *l = c->options.connection_list;
250 struct connection_entry *ce = &c->options.ce;
251 struct gc_arena gc;
252 bool ret = true;
253
254 update_time();
255 if (management)
256 {
257 gc = gc_new();
258 {
259 struct buffer out = alloc_buf_gc(256, &gc);
260 buf_printf(&out, ">PROXY:%u,%s,%s", (l ? l->current : 0) + 1,
261 (proto_is_udp(ce->proto) ? "UDP" : "TCP"), np(ce->remote));
264 }
266 while (ce->flags & CE_MAN_QUERY_PROXY)
267 {
269 if (IS_SIG(c))
270 {
271 ret = false;
272 break;
273 }
274 }
276 gc_free(&gc);
277 }
278
279 return ret;
280}
281
296static bool
297management_callback_send_cc_message(void *arg, const char *command, const char *parameters)
298{
299 struct context *c = (struct context *)arg;
300 size_t len = strlen(command) + 1 + strlen(parameters) + 1;
301 if (len > PUSH_BUNDLE_SIZE)
302 {
303 return false;
304 }
305
306 struct gc_arena gc = gc_new();
307 struct buffer buf = alloc_buf_gc(len, &gc);
308 ASSERT(buf_printf(&buf, "%s", command));
309 if (parameters)
310 {
311 ASSERT(buf_printf(&buf, ",%s", parameters));
312 }
314
315 gc_free(&gc);
316 return status;
317}
318
319static unsigned int
321{
322 ASSERT(arg);
323 struct context *c = (struct context *)arg;
324 struct connection_list *l = c->options.connection_list;
325
326 return l->len;
327}
328
329static bool
330management_callback_remote_entry_get(void *arg, unsigned int index, char **remote)
331{
332 ASSERT(arg);
333 ASSERT(remote);
334
335 struct context *c = (struct context *)arg;
336 struct connection_list *l = c->options.connection_list;
337 bool ret = true;
338
339 if (index < l->len)
340 {
341 struct connection_entry *ce = l->array[index];
342 const char *proto = proto2ascii(ce->proto, ce->af, false);
343 const char *status = (ce->flags & CE_DISABLED) ? "disabled" : "enabled";
344
345 /* space for output including 3 commas and a nul */
346 size_t len =
347 strlen(ce->remote) + strlen(ce->remote_port) + strlen(proto) + strlen(status) + 3 + 1;
348 char *out = malloc(len);
350
351 snprintf(out, len, "%s,%s,%s,%s", ce->remote, ce->remote_port, proto, status);
352 *remote = out;
353 }
354 else
355 {
356 ret = false;
357 msg(M_WARN, "Out of bounds index in management query for remote entry: index = %u", index);
358 }
359
360 return ret;
361}
362
363static bool
364management_callback_remote_cmd(void *arg, const char **p)
365{
366 struct context *c = (struct context *)arg;
367 struct connection_entry *ce = &c->options.ce;
368 int ret = false;
369 if (p[1]
372 {
373 unsigned int flags = 0;
374 if (!strcmp(p[1], "ACCEPT"))
375 {
377 ret = true;
378 }
379 else if (!strcmp(p[1], "SKIP"))
380 {
382 ret = true;
383 c->options.ce_advance_count = (p[2]) ? atoi(p[2]) : 1;
384 }
385 else if (!strcmp(p[1], "MOD") && p[2] && p[3])
386 {
387 if (strlen(p[2]) < RH_HOST_LEN && strlen(p[3]) < RH_PORT_LEN)
388 {
389 struct remote_host_store *rhs = c->options.rh_store;
390 if (!rhs)
391 {
393 c->options.rh_store = rhs;
394 }
395 strncpynt(rhs->host, p[2], RH_HOST_LEN);
396 strncpynt(rhs->port, p[3], RH_PORT_LEN);
397
398 ce->remote = rhs->host;
399 ce->remote_port = rhs->port;
401 ret = true;
402 }
403 }
404 if (ret)
405 {
408 }
409 }
410 return ret;
411}
412
413static bool
415{
416 struct gc_arena gc = gc_new();
417 volatile struct connection_entry *ce = &c->options.ce;
418 int ce_changed = true; /* presume the connection entry will be changed */
419
420 update_time();
421 if (management)
422 {
423 struct buffer out = alloc_buf_gc(256, &gc);
424
425 buf_printf(&out, ">REMOTE:%s,%s,%s", np(ce->remote), ce->remote_port,
426 proto2ascii(ce->proto, ce->af, false));
429
434 {
436 if (IS_SIG(c))
437 {
438 ce_changed = false; /* connection entry have not been set */
439 break;
440 }
441 }
443 }
444 gc_free(&gc);
445
446 if (ce_changed)
447 {
448 /* If it is likely a connection entry was modified,
449 * check what changed in the flags and that it was not skipped
450 */
451 const int flags = ((ce->flags >> CE_MAN_QUERY_REMOTE_SHIFT) & CE_MAN_QUERY_REMOTE_MASK);
453 }
454 return ce_changed;
455}
456#endif /* ENABLE_MANAGEMENT */
457
458/*
459 * Initialize and possibly randomize the connection list.
460 *
461 * Applies the Fisher-Yates shuffle algorithm to ensure all permutations
462 * are equally probable, thereby eliminating shuffling bias.
463 *
464 * The algorithm randomly selects an element from the unshuffled portion
465 * and places it at position i. There's only one way to obtain each
466 * permutation through these swaps. This guarantees that each permutation
467 * occurs with equal probability in theory.
468 */
469static void
471{
472 struct connection_list *l = c->options.connection_list;
473
474 l->current = -1;
475 if (c->options.remote_random)
476 {
477 int i;
478 for (i = l->len - 1; i > 0; --i)
479 {
480 const int j = get_random() % (i + 1);
481 if (i != j)
482 {
483 struct connection_entry *tmp;
484 tmp = l->array[i];
485 l->array[i] = l->array[j];
486 l->array[j] = tmp;
487 }
488 }
489 }
490}
491
492/*
493 * Clear the remote address list
494 */
495static void
497{
498 if (lsa->remote_list && free)
499 {
500 freeaddrinfo(lsa->remote_list);
501 }
502 lsa->remote_list = NULL;
503 lsa->current_remote = NULL;
504}
505
506/*
507 * Increment to next connection entry
508 */
509static void
511{
512 struct connection_list *l = c->options.connection_list;
513 bool ce_defined;
514 struct connection_entry *ce;
515 int n_cycles = 0;
516
517 do
518 {
519 ce_defined = true;
520 if (c->options.no_advance && l->current >= 0)
521 {
522 c->options.no_advance = false;
523 }
524 else
525 {
526 /* Check if there is another resolved address to try for
527 * the current connection */
529 && c->c1.link_socket_addrs[0].current_remote->ai_next
531 {
533 c->c1.link_socket_addrs[0].current_remote->ai_next;
534 }
535 else
536 {
537 c->options.advance_next_remote = false;
538 /* FIXME (schwabe) fix the persist-remote-ip option for real,
539 * this is broken probably ever since connection lists and multiple
540 * remote existed
541 */
543 {
544 /* Connection entry addrinfo objects might have been
545 * resolved earlier but the entry itself might have been
546 * skipped by management on the previous loop.
547 * If so, clear the addrinfo objects as close_instance does
548 */
550 {
553 }
554
555 /* close_instance should have cleared the addrinfo objects */
557 ASSERT(c->c1.link_socket_addrs[0].remote_list == NULL);
558 }
559 else
560 {
563 }
564
565 int advance_count = 1;
566
567 /* If previous connection entry was skipped by management client
568 * with a count to advance by, apply it.
569 */
570 if (c->options.ce_advance_count > 0)
571 {
572 advance_count = c->options.ce_advance_count;
573 }
574
575 /*
576 * Increase the number of connection attempts
577 * If this is connect-retry-max * size(l)
578 * OpenVPN will quit
579 */
580
581 c->options.unsuccessful_attempts += advance_count;
582 l->current += advance_count;
583
584 if (l->current >= l->len)
585 {
586 l->current %= l->len;
587 if (++n_cycles >= 2)
588 {
589 msg(M_FATAL, "No usable connection profiles are present");
590 }
591 }
592 }
593 }
594
596 ce = l->array[l->current];
597
598 if (ce->flags & CE_DISABLED)
599 {
600 ce_defined = false;
601 }
602
603 c->options.ce = *ce;
604
605#ifdef ENABLE_MANAGEMENT
607 {
608 /* allow management interface to override connection entry details */
609 ce_defined = ce_management_query_remote(c);
610 if (IS_SIG(c))
611 {
612 break;
613 }
614 }
615 else if (ce_defined && management && management_query_proxy_enabled(management))
616 {
617 ce_defined = ce_management_query_proxy(c);
618 if (IS_SIG(c))
619 {
620 break;
621 }
622 }
623#endif
624 } while (!ce_defined);
625
626 /* Check if this connection attempt would bring us over the limit */
627 if (c->options.connect_retry_max > 0
629 {
630 msg(M_FATAL, "All connections have been connect-retry-max (%d) times unsuccessful, exiting",
632 }
634}
635
636/*
637 * Query for private key and auth-user-pass username/passwords
638 */
639void
641{
642 /* Certificate password input */
643 if (c->options.key_pass_file)
644 {
646 }
647
648 /* Auth user/pass input */
650 {
652#ifdef ENABLE_MANAGEMENT
654 &c->options.sc_info);
655#else
657 NULL);
658#endif
659 }
660}
661
662/*
663 * Initialize/Uninitialize HTTP or SOCKS proxy
664 */
665
666static void
668{
669 if (c->c1.http_proxy_owned && c->c1.http_proxy)
670 {
672 c->c1.http_proxy = NULL;
673 c->c1.http_proxy_owned = false;
674 }
675 if (c->c1.socks_proxy_owned && c->c1.socks_proxy)
676 {
678 c->c1.socks_proxy = NULL;
679 c->c1.socks_proxy_owned = false;
680 }
681}
682
683static void
685{
686 bool did_http = false;
687
689
691 {
693
694 /* Possible HTTP proxy user/pass input */
696 if (c->c1.http_proxy)
697 {
698 did_http = true;
699 c->c1.http_proxy_owned = true;
700 }
701 }
702
703 if (!did_http && c->options.ce.socks_proxy_server)
704 {
705 c->c1.socks_proxy =
708 if (c->c1.socks_proxy)
709 {
710 c->c1.socks_proxy_owned = true;
711 }
712 }
713}
714
715static void
717{
719}
720
721static void
723{
725}
726
727static void
733
734void
736{
738
740
742
744
746
747#if defined(ENABLE_PKCS11)
748 if (c->first_time)
749 {
750 int i;
751 pkcs11_initialize(true, c->options.pkcs11_pin_cache_period);
752 for (i = 0; i < MAX_PARMS && c->options.pkcs11_providers[i] != NULL; i++)
753 {
754 pkcs11_addProvider(
755 c->options.pkcs11_providers[i], c->options.pkcs11_protected_authentication[i],
756 c->options.pkcs11_private_mode[i], c->options.pkcs11_cert_private[i]);
757 }
758 }
759#endif
760
761#if 0 /* test get_user_pass with GET_USER_PASS_NEED_OK flag */
762 {
763 /*
764 * In the management interface, you can okay the request by entering "needok token-insertion-request ok"
765 */
766 struct user_pass up;
767 CLEAR(up);
768 strcpy(up.username, "Please insert your cryptographic token"); /* put the high-level message in up.username */
769 get_user_pass(&up, NULL, "token-insertion-request", GET_USER_PASS_MANAGEMENT|GET_USER_PASS_NEED_OK);
770 msg(M_INFO, "RET:%s", up.password); /* will return the third argument to management interface
771 * 'needok' command, usually 'ok' or 'cancel'. */
772 }
773#endif
774
775#ifdef ENABLE_SYSTEMD
776 /* We can report the PID via getpid() to systemd here as OpenVPN will not
777 * do any fork due to daemon() a future call.
778 * See possibly_become_daemon() [init.c] for more details.
779 */
780 sd_notifyf(0, "READY=1\nSTATUS=Pre-connection initialization successful\nMAINPID=%lu",
781 (unsigned long)getpid());
782#endif
783}
784
785void
787{
788 gc_free(&c->c2.gc);
789 gc_free(&c->options.gc);
790 gc_free(&c->gc);
791}
792
793#if PORT_SHARE
794
795static void
796close_port_share(void)
797{
798 if (port_share)
799 {
800 port_share_close(port_share);
801 port_share = NULL;
802 }
803}
804
805static void
806init_port_share(struct context *c)
807{
808 if (!port_share && (c->options.port_share_host && c->options.port_share_port))
809 {
810 port_share =
811 port_share_open(c->options.port_share_host, c->options.port_share_port,
812 c->c2.frame.buf.payload_size, c->options.port_share_journal_dir);
813 if (port_share == NULL)
814 {
815 msg(M_FATAL, "Fatal error: Port sharing failed");
816 }
817 }
818}
819
820#endif /* if PORT_SHARE */
821
822
823bool
825{
826#if defined(DMALLOC)
827 crypto_init_dmalloc();
828#endif
829
830
831 /*
832 * Initialize random number seed. random() is only used
833 * when "weak" random numbers are acceptable.
834 * SSL library routines are always used when cryptographically
835 * strong random numbers are required.
836 */
837 struct timeval tv;
838 if (!gettimeofday(&tv, NULL))
839 {
840 const unsigned int seed = (unsigned int)tv.tv_sec ^ tv.tv_usec;
841 srandom(seed);
842 }
843
844 error_reset(); /* initialize error.c */
845 reset_check_status(); /* initialize status check code in socket.c */
846
847#ifdef _WIN32
848 init_win32();
849#endif
850
851#ifdef OPENVPN_DEBUG_COMMAND_LINE
852 {
853 int i;
854 for (i = 0; i < argc; ++i)
855 {
856 msg(M_INFO, "argv[%d] = '%s'", i, argv[i]);
857 }
858 }
859#endif
860
861 update_time();
862
863 init_ssl_lib();
864
865#ifdef SCHEDULE_TEST
866 schedule_test();
867 return false;
868#endif
869
870#ifdef IFCONFIG_POOL_TEST
871 ifconfig_pool_test(0x0A010004, 0x0A0100FF);
872 return false;
873#endif
874
875#ifdef TIME_TEST
876 time_test();
877 return false;
878#endif
879
880#ifdef GEN_PATH_TEST
881 {
882 struct gc_arena gc = gc_new();
883 const char *fn = gen_path("foo", "bar", &gc);
884 printf("%s\n", fn);
885 gc_free(&gc);
886 }
887 return false;
888#endif
889
890#ifdef STATUS_PRINTF_TEST
891 {
892 struct gc_arena gc = gc_new();
893 const char *tmp_file = platform_create_temp_file("/tmp", "foo", &gc);
894 struct status_output *so = status_open(tmp_file, 0, -1, NULL, STATUS_OUTPUT_WRITE);
895 status_printf(so, "%s", "foo");
896 status_printf(so, "%s", "bar");
897 if (!status_close(so))
898 {
899 msg(M_WARN, "STATUS_PRINTF_TEST: %s: write error", tmp_file);
900 }
901 gc_free(&gc);
902 }
903 return false;
904#endif
905
906#ifdef MSTATS_TEST
907 {
908 int i;
909 mstats_open("/dev/shm/mstats.dat");
910 for (i = 0; i < 30; ++i)
911 {
912 mmap_stats->n_clients += 1;
913 mmap_stats->link_write_bytes += 8;
914 mmap_stats->link_read_bytes += 16;
915 sleep(1);
916 }
917 mstats_close();
918 return false;
919 }
920#endif
921
922 return true;
923}
924
925void
927{
928 free_ssl_lib();
929
930#ifdef ENABLE_PKCS11
931 pkcs11_terminate();
932#endif
933
934#if PORT_SHARE
935 close_port_share();
936#endif
937
938#if defined(MEASURE_TLS_HANDSHAKE_STATS)
939 show_tls_performance_stats();
940#endif
941}
942
943void
944init_verb_mute(struct context *c, unsigned int flags)
945{
946 if (flags & IVM_LEVEL_1)
947 {
948 /* set verbosity and mute levels */
952 }
953
954 /* special D_LOG_RW mode */
955 if (flags & IVM_LEVEL_2)
956 {
958 }
959}
960
961/*
962 * Possibly set --dev based on --dev-node.
963 * For example, if --dev-node /tmp/foo/tun, and --dev undefined,
964 * set --dev to tun.
965 */
966void
968{
969 if (!options->dev && options->dev_node)
970 {
971 /* POSIX basename() implementations may modify its arguments */
972 char *dev_node = string_alloc(options->dev_node, NULL);
973 options->dev = basename(dev_node);
974 }
975}
976
977bool
979{
980 /*
981 * OpenSSL info print mode?
982 */
985 {
987 {
989 }
991 {
993 }
995 {
997 }
999 {
1002 }
1003 if (options->show_curves)
1004 {
1006 }
1007 return true;
1008 }
1009 return false;
1010}
1011
1012/*
1013 * Static pre-shared key generation mode?
1014 */
1015bool
1017{
1018 /* should we disable paging? */
1019 if (options->mlock && (options->genkey))
1020 {
1021 platform_mlockall(true);
1022 }
1023
1024 /*
1025 * We do not want user to use --genkey with --secret. In the transistion
1026 * phase we for secret.
1027 */
1029 {
1030 msg(M_USAGE, "Using --genkey type with --secret filename is "
1031 "not supported. Use --genkey type filename instead.");
1032 }
1034 {
1035 int nbits_written;
1036 const char *genkey_filename = options->genkey_filename;
1038 {
1039 msg(M_USAGE, "You must provide a filename to either --genkey "
1040 "or --secret, not both");
1041 }
1042
1043 /*
1044 * Copy filename from shared_secret_file to genkey_filename to support
1045 * the old --genkey --secret foo.file syntax.
1046 */
1048 {
1049 msg(M_WARN, "WARNING: Using --genkey --secret filename is "
1050 "DEPRECATED. Use --genkey secret filename instead.");
1051 genkey_filename = options->shared_secret_file;
1052 }
1053
1054 nbits_written = write_key_file(2, genkey_filename);
1055 if (nbits_written < 0)
1056 {
1057 msg(M_FATAL, "Failed to write key file");
1058 }
1059
1060 msg(D_GENKEY | M_NOPREFIX, "Randomly generated %d bit key written to %s", nbits_written,
1062 return true;
1063 }
1065 {
1067 return true;
1068 }
1070 {
1072 {
1073 msg(M_USAGE,
1074 "--genkey tls-crypt-v2-client requires a server key to be set via --tls-crypt-v2 to create a client key");
1075 }
1076
1080 return true;
1081 }
1083 {
1085 return true;
1086 }
1087 else
1088 {
1089 return false;
1090 }
1091}
1092
1093/*
1094 * Persistent TUN/TAP device management mode?
1095 */
1096bool
1098{
1099 if (!options->persist_config)
1100 {
1101 return false;
1102 }
1103
1104 /* sanity check on options for --mktun or --rmtun */
1105 notnull(options->dev, "TUN/TAP device (--dev)");
1108 {
1110 "options --mktun or --rmtun should only be used together with --dev");
1111 }
1112
1113#if defined(ENABLE_DCO)
1114 if (dco_enabled(options))
1115 {
1116 /* creating a DCO interface via --mktun is not supported as it does not
1117 * make much sense. Since DCO is enabled by default, people may run into
1118 * this without knowing, therefore this case should be properly handled.
1119 *
1120 * Disable DCO if --mktun was provided and print a message to let
1121 * user know.
1122 */
1124 {
1125 msg(M_WARN, "Note: --mktun does not support DCO. Creating TUN interface.");
1126 }
1127
1128 options->disable_dco = true;
1129 }
1130#endif
1131
1132#ifdef ENABLE_FEATURE_TUN_PERSIST
1136 {
1137 set_lladdr(ctx, options->dev, options->lladdr, NULL);
1138 }
1139 return true;
1140#else /* ifdef ENABLE_FEATURE_TUN_PERSIST */
1142 "options --mktun and --rmtun are not available on your operating "
1143 "system. Please check 'man tun' (or 'tap'), whether your system "
1144 "supports using 'ifconfig %s create' / 'destroy' to create/remove "
1145 "persistent tunnel interfaces.",
1146 options->dev);
1147#endif
1148 return false;
1149}
1150
1151/*
1152 * Should we become a daemon?
1153 * Return true if we did it.
1154 */
1155bool
1157{
1158 bool ret = false;
1159
1160#ifdef ENABLE_SYSTEMD
1161 /* return without forking if we are running from systemd */
1162 if (sd_notify(0, "READY=0") > 0)
1163 {
1164 return ret;
1165 }
1166#endif
1167
1168 if (options->daemon)
1169 {
1170 /* Don't chdir immediately, but the end of the init sequence, if needed */
1171
1172#if defined(__APPLE__) && defined(__clang__)
1173#pragma clang diagnostic push
1174#pragma clang diagnostic ignored "-Wdeprecated-declarations"
1175#endif
1176 if (daemon(1, options->log) < 0)
1177 {
1178 msg(M_ERR, "daemon() failed or unsupported");
1179 }
1180#if defined(__APPLE__) && defined(__clang__)
1181#pragma clang diagnostic pop
1182#endif
1184 if (options->log)
1185 {
1187 }
1188
1189 ret = true;
1190 }
1191 return ret;
1192}
1193
1194/*
1195 * Actually do UID/GID downgrade, chroot and SELinux context switching, if requested.
1196 */
1197static void
1198do_uid_gid_chroot(struct context *c, bool no_delay)
1199{
1200 static const char why_not[] = "will be delayed because of --client, --pull, or --up-delay";
1201 struct context_0 *c0 = c->c0;
1202
1203 if (c0 && !c0->uid_gid_chroot_set)
1204 {
1205 /* chroot if requested */
1206 if (c->options.chroot_dir)
1207 {
1208 if (no_delay)
1209 {
1211 }
1212 else if (c->first_time)
1213 {
1214 msg(M_INFO, "NOTE: chroot %s", why_not);
1215 }
1216 }
1217
1218 /* set user and/or group if we want to setuid/setgid */
1219 if (c0->uid_gid_specified)
1220 {
1221 if (no_delay)
1222 {
1224 }
1225 else if (c->first_time)
1226 {
1227 msg(M_INFO, "NOTE: UID/GID downgrade %s", why_not);
1228 }
1229 }
1230
1231#ifdef ENABLE_MEMSTATS
1232 if (c->first_time && c->options.memstats_fn)
1233 {
1234 mstats_open(c->options.memstats_fn);
1235 }
1236#endif
1237
1238#ifdef ENABLE_SELINUX
1239 /* Apply a SELinux context in order to restrict what OpenVPN can do
1240 * to _only_ what it is supposed to do after initialization is complete
1241 * (basically just network I/O operations). Doing it after chroot
1242 * requires /proc to be mounted in the chroot (which is annoying indeed
1243 * but doing it before requires more complex SELinux policies.
1244 */
1245 if (c->options.selinux_context)
1246 {
1247 if (no_delay)
1248 {
1249 if (-1 == setcon(c->options.selinux_context))
1250 {
1251 msg(M_ERR, "setcon to '%s' failed; is /proc accessible?",
1252 c->options.selinux_context);
1253 }
1254 else
1255 {
1256 msg(M_INFO, "setcon to '%s' succeeded", c->options.selinux_context);
1257 }
1258 }
1259 else if (c->first_time)
1260 {
1261 msg(M_INFO, "NOTE: setcon %s", why_not);
1262 }
1263 }
1264#endif
1265
1266 /* Privileges are going to be dropped by now (if requested), be sure
1267 * to prevent any future privilege dropping attempts from now on.
1268 */
1269 if (no_delay)
1270 {
1271 c0->uid_gid_chroot_set = true;
1272 }
1273 }
1274}
1275
1276/*
1277 * Return common name in a way that is formatted for
1278 * prepending to msg() output.
1279 */
1280const char *
1282{
1283 struct buffer out = alloc_buf_gc(256, gc);
1284 if (c->c2.tls_multi)
1285 {
1286 buf_printf(&out, "[%s] ", tls_common_name(c->c2.tls_multi, false));
1287 }
1288 return BSTR(&out);
1289}
1290
1291void
1293{
1294#ifdef _WIN32
1296 {
1299 }
1300 else
1301 {
1303
1304 /* put a title on the top window bar */
1306 {
1309 }
1310 }
1311#endif /* ifdef _WIN32 */
1312}
1313
1314void
1316{
1317 c->c2.coarse_timer_wakeup = 0;
1318}
1319
1320/*
1321 * Initialise the server poll timeout timer
1322 * This timer is used in the http/socks proxy setup so it needs to be setup
1323 * before
1324 */
1325static void
1327{
1328 update_time();
1329 if (c->options.ce.connect_timeout)
1330 {
1331 event_timeout_init(&c->c2.server_poll_interval, c->options.ce.connect_timeout, now);
1332 }
1333}
1334
1335/*
1336 * Initialize timers
1337 */
1338static void
1340{
1341 update_time();
1343
1344 /* initialize inactivity timeout */
1345 if (c->options.inactivity_timeout)
1346 {
1347 event_timeout_init(&c->c2.inactivity_interval, c->options.inactivity_timeout, now);
1348 }
1349
1350 /* initialize inactivity timeout */
1351 if (c->options.session_timeout)
1352 {
1353 event_timeout_init(&c->c2.session_interval, c->options.session_timeout, now);
1354 }
1355
1356 /* initialize pings */
1357 if (dco_enabled(&c->options))
1358 {
1359 /* The DCO kernel module will send the pings instead of user space */
1360 event_timeout_clear(&c->c2.ping_rec_interval);
1361 event_timeout_clear(&c->c2.ping_send_interval);
1362 }
1363 else
1364 {
1365 if (c->options.ping_send_timeout)
1366 {
1367 event_timeout_init(&c->c2.ping_send_interval, c->options.ping_send_timeout, 0);
1368 }
1369
1370 if (c->options.ping_rec_timeout)
1371 {
1372 event_timeout_init(&c->c2.ping_rec_interval, c->options.ping_rec_timeout, now);
1373 }
1374 }
1375
1376 /* If the auth-token renewal interval is shorter than reneg-sec, arm
1377 * "auth-token renewal" timer to send additional auth-token to update the
1378 * token on the client more often. If not, this happens automatically
1379 * at renegotiation time, without needing an extra event.
1380 */
1381 if (c->options.auth_token_generate
1382 && c->options.auth_token_renewal < c->options.renegotiate_seconds)
1383 {
1384 event_timeout_init(&c->c2.auth_token_renewal_interval, c->options.auth_token_renewal, now);
1385 }
1386
1387 if (!deferred)
1388 {
1389 /* initialize connection establishment timer */
1390 event_timeout_init(&c->c2.wait_for_connect, 1, now);
1391
1392 /* initialize occ timers */
1393
1394 if (c->options.occ && !TLS_MODE(c) && c->c2.options_string_local
1395 && c->c2.options_string_remote)
1396 {
1397 event_timeout_init(&c->c2.occ_interval, OCC_INTERVAL_SECONDS, now);
1398 }
1399
1400 if (c->options.mtu_test)
1401 {
1402 event_timeout_init(&c->c2.occ_mtu_load_test_interval, OCC_MTU_LOAD_INTERVAL_SECONDS,
1403 now);
1404 }
1405
1406 /* initialize packet_id persistence timer */
1407 if (c->options.packet_id_file)
1408 {
1409 event_timeout_init(&c->c2.packet_id_persist_interval, 60, now);
1410 }
1411
1412 /* initialize tmp_int optimization that limits the number of times we call
1413 * tls_multi_process in the main event loop */
1415 }
1416}
1417
1418/*
1419 * Initialize traffic shaper.
1420 */
1421static void
1423{
1424 /* initialize traffic shaper (i.e. transmit bandwidth limiter) */
1425 if (c->options.shaper)
1426 {
1427 shaper_init(&c->c2.shaper, c->options.shaper);
1428 shaper_msg(&c->c2.shaper);
1429 }
1430}
1431
1432/*
1433 * Allocate route list structures for IPv4 and IPv6
1434 * (we do this for IPv4 even if no --route option has been seen, as other
1435 * parts of OpenVPN might want to fill the route-list with info, e.g. DHCP)
1436 */
1437static void
1439{
1440 if (!c->c1.route_list)
1441 {
1442 ALLOC_OBJ_CLEAR_GC(c->c1.route_list, struct route_list, &c->gc);
1443 }
1444 if (c->options.routes_ipv6 && !c->c1.route_ipv6_list)
1445 {
1446 ALLOC_OBJ_CLEAR_GC(c->c1.route_ipv6_list, struct route_ipv6_list, &c->gc);
1447 }
1448}
1449
1450
1451/*
1452 * Initialize the route list, resolving any DNS names in route
1453 * options and saving routes in the environment.
1454 */
1455static void
1457 const struct link_socket_info *link_socket_info, struct env_set *es,
1458 openvpn_net_ctx_t *ctx)
1459{
1460 const char *gw = NULL;
1462 int metric = 0;
1463
1464 /* if DCO is enabled we have both regular routes and iroutes in the system
1465 * routing table, and normal routes must have a higher metric for that to
1466 * work so that iroutes are always matched first
1467 */
1468 if (dco_enabled(options))
1469 {
1470 metric = DCO_DEFAULT_METRIC;
1471 }
1472
1473 if (dev == DEV_TYPE_TUN && (options->topology == TOP_NET30 || options->topology == TOP_P2P))
1474 {
1476 }
1478 {
1480 }
1482 {
1483 metric = options->route_default_metric;
1484 }
1485
1488 {
1489 /* copy routes to environment */
1491 }
1492}
1493
1494static void
1496 const struct link_socket_info *link_socket_info, struct env_set *es,
1497 openvpn_net_ctx_t *ctx)
1498{
1499 const char *gw = NULL;
1500 int metric = -1; /* no metric set */
1501
1502 /* see explanation in do_init_route_list() */
1503 if (dco_enabled(options))
1504 {
1505 metric = DCO_DEFAULT_METRIC;
1506 }
1507
1508 gw = options->ifconfig_ipv6_remote; /* default GW = remote end */
1510 {
1512 }
1513
1515 {
1516 metric = options->route_default_metric;
1517 }
1518
1519 /* redirect (IPv6) gateway to VPN? if yes, add a few more specifics
1520 */
1522 {
1523 char *opt_list[] = { "::/3", "2000::/4", "3000::/4", "fc00::/7", NULL };
1524 int i;
1525
1526 for (i = 0; opt_list[i]; i++)
1527 {
1531 }
1532 }
1533
1536 {
1537 /* copy routes to environment */
1539 }
1540}
1541
1542
1543/*
1544 * Called after all initialization has been completed.
1545 */
1546void
1547initialization_sequence_completed(struct context *c, const unsigned int flags)
1548{
1549 static const char message[] = "Initialization Sequence Completed";
1550
1551 /* Reset the unsuccessful connection counter on complete initialisation */
1552 c->options.unsuccessful_attempts = 0;
1553
1554 /* If we delayed UID/GID downgrade or chroot, do it now */
1555 do_uid_gid_chroot(c, true);
1556
1557 /* Test if errors */
1558 if (flags & ISC_ERRORS)
1559 {
1560#ifdef _WIN32
1563 msg(M_INFO, "%s With Errors ( see http://openvpn.net/faq.html#dhcpclientserv )", message);
1564#else
1565#ifdef ENABLE_SYSTEMD
1566 sd_notifyf(0, "STATUS=Failed to start up: %s With Errors\nERRNO=1", message);
1567#endif /* HAVE_SYSTEMD_SD_DAEMON_H */
1568 msg(M_INFO, "%s With Errors", message);
1569#endif
1570 }
1571 else
1572 {
1573#ifdef ENABLE_SYSTEMD
1574 sd_notifyf(0, "STATUS=%s", message);
1575#endif
1576 msg(M_INFO, "%s", message);
1577 }
1578
1579 /* Flag that we initialized */
1580 if ((flags & (ISC_ERRORS | ISC_SERVER)) == 0)
1581 {
1582 c->options.no_advance = true;
1583 }
1584
1585#ifdef _WIN32
1586 fork_register_dns_action(c->c1.tuntap);
1587#endif
1588
1589#ifdef ENABLE_MANAGEMENT
1590 /* Tell management interface that we initialized */
1591 if (management)
1592 {
1594 struct in6_addr *tun_local6 = NULL;
1595 struct openvpn_sockaddr local, remote;
1596 struct link_socket_actual *actual;
1597 socklen_t sa_len = sizeof(local);
1598 const char *detail = "SUCCESS";
1599 if (flags & ISC_ERRORS)
1600 {
1601 detail = "ERROR";
1602 }
1603 /* Flag route error only on platforms where trivial "already exists" errors
1604 * are filtered out. Currently this is the case on Windows or if usng netlink.
1605 */
1606#if defined(_WIN32) || defined(ENABLE_SITNL)
1607 else if (flags & ISC_ROUTE_ERRORS)
1608 {
1609 detail = "ROUTE_ERROR";
1610 }
1611#endif
1612
1613 CLEAR(local);
1614 actual = &get_link_socket_info(c)->lsa->actual;
1615 remote = actual->dest;
1616 getsockname(c->c2.link_sockets[0]->sd, &local.addr.sa, &sa_len);
1617#if ENABLE_IP_PKTINFO
1618 if (!addr_defined(&local))
1619 {
1620 switch (local.addr.sa.sa_family)
1621 {
1622 case AF_INET:
1623#if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST)
1624 local.addr.in4.sin_addr = actual->pi.in4.ipi_spec_dst;
1625#else
1626 local.addr.in4.sin_addr = actual->pi.in4;
1627#endif
1628 break;
1629
1630 case AF_INET6:
1631 local.addr.in6.sin6_addr = actual->pi.in6.ipi6_addr;
1632 break;
1633 }
1634 }
1635#endif
1636
1637 if (c->c1.tuntap)
1638 {
1639 tun_local = &c->c1.tuntap->local;
1640 tun_local6 = &c->c1.tuntap->local_ipv6;
1641 }
1642 management_set_state(management, OPENVPN_STATE_CONNECTED, detail, tun_local, tun_local6,
1643 &local, &remote);
1644 if (tun_local)
1645 {
1647 }
1648 }
1649#endif /* ifdef ENABLE_MANAGEMENT */
1650}
1651
1656static bool
1657route_noexec_enabled(const struct options *o, const struct tuntap *tt)
1658{
1659 return o->route_noexec || (tt && tt->backend_driver == DRIVER_AFUNIX)
1660 || (tt && tt->backend_driver == DRIVER_NULL);
1661}
1662
1663/*
1664 * Possibly add routes and/or call route-up script
1665 * based on options.
1666 */
1667bool
1669 struct route_ipv6_list *route_ipv6_list, const struct tuntap *tt,
1670 const struct plugin_list *plugins, struct env_set *es, openvpn_net_ctx_t *ctx)
1671{
1672 bool ret = true;
1674 {
1677 }
1678#ifdef ENABLE_MANAGEMENT
1679 if (management)
1680 {
1682 }
1683#endif
1684
1685 if (plugin_defined(plugins, OPENVPN_PLUGIN_ROUTE_UP))
1686 {
1687 if (plugin_call(plugins, OPENVPN_PLUGIN_ROUTE_UP, NULL, NULL, es)
1688 != OPENVPN_PLUGIN_FUNC_SUCCESS)
1689 {
1690 msg(M_WARN, "WARNING: route-up plugin call failed");
1691 }
1692 }
1693
1694 if (options->route_script)
1695 {
1696 struct argv argv = argv_new();
1697 setenv_str(es, "script_type", "route-up");
1699 openvpn_run_script(&argv, es, 0, "--route-up");
1700 argv_free(&argv);
1701 }
1702
1703#ifdef _WIN32
1704 if (options->show_net_up)
1705 {
1708 }
1709 else if (check_debug_level(D_SHOW_NET))
1710 {
1713 }
1714#endif
1715 return ret;
1716}
1717
1718/*
1719 * initialize tun/tap device object
1720 */
1721static void
1723{
1729 c->c2.es, &c->net_ctx, c->c1.tuntap);
1730
1732 {
1733 /* Using AF_UNIX trumps using DCO */
1735 }
1736 else if (is_dev_type(c->options.dev, c->options.dev_type, "null"))
1737 {
1739 }
1740#ifdef _WIN32
1741 else
1742 {
1744 }
1745#else
1746 else if (dco_enabled(&c->options))
1747 {
1749 }
1750 else
1751 {
1753 }
1754#endif
1755
1757
1758 c->c1.tuntap_owned = true;
1759}
1760
1761/*
1762 * Open tun/tap device, ifconfig, call up script, etc.
1763 */
1764
1765
1766static bool
1768{
1769 if (tt && tt->backend_driver == DRIVER_AFUNIX)
1770 {
1771 return false;
1772 }
1773#ifdef TARGET_ANDROID
1774 return false;
1775#else
1776 return is_tun_type_set(tt);
1777#endif
1778}
1779
1788static void
1790{
1791#if defined(_WIN32)
1792 /* Fortify 'redirect-gateway block-local' with firewall rules? */
1793 bool block_local = block_local_needed(c->c1.route_list);
1794
1795 if (c->options.block_outside_dns || block_local)
1796 {
1797 BOOL dns_only = !block_local;
1798 if (!win_wfp_block(c->c1.tuntap->adapter_index, c->options.msg_channel, dns_only))
1799 {
1800 msg(M_FATAL, "WFP: initialization failed");
1801 }
1802 }
1803#endif
1804}
1805
1814static void
1815del_wfp_block(struct context *c, unsigned long adapter_index)
1816{
1817#if defined(_WIN32)
1819 {
1820 if (!win_wfp_uninit(adapter_index, c->options.msg_channel))
1821 {
1822 msg(M_FATAL, "WFP: deinitialization failed");
1823 }
1824 }
1825#endif
1826}
1827
1833static bool
1835{
1836 return c->options.ifconfig_noexec
1837 || (c->c1.tuntap && c->c1.tuntap->backend_driver == DRIVER_AFUNIX)
1838 || (c->c1.tuntap && c->c1.tuntap->backend_driver == DRIVER_NULL);
1839}
1840
1841static void
1843{
1844 struct tuntap *tt = c->c1.tuntap;
1845
1846 if (tt->backend_driver == DRIVER_NULL)
1847 {
1849 }
1850 else if (tt->backend_driver == DRIVER_AFUNIX)
1851 {
1852 open_tun_afunix(&c->options, c->c2.frame.tun_mtu, tt, c->c2.es);
1853 }
1854 else
1855 {
1857 }
1858 msg(M_INFO, "%s device [%s] opened", print_tun_backend_driver(tt->backend_driver),
1859 tt->actual_name);
1860}
1861
1862
1863static bool
1864do_open_tun(struct context *c, int *error_flags)
1865{
1866 struct gc_arena gc = gc_new();
1867 bool ret = false;
1868 *error_flags = 0;
1869
1870 if (!can_preserve_tun(c->c1.tuntap))
1871 {
1872#ifdef TARGET_ANDROID
1873 /* If we emulate persist-tun on android we still have to open a new tun and
1874 * then close the old */
1875 int oldtunfd = -1;
1876 if (c->c1.tuntap)
1877 {
1878 oldtunfd = c->c1.tuntap->fd;
1879 free(c->c1.tuntap);
1880 c->c1.tuntap = NULL;
1881 c->c1.tuntap_owned = false;
1882 }
1883#endif
1884
1885 /* initialize (but do not open) tun/tap object, this also sets
1886 * the backend driver type */
1887 do_init_tun(c);
1888
1889 /* inherit the dco context from the tuntap object */
1890 if (c->c2.tls_multi)
1891 {
1892 c->c2.tls_multi->dco = &c->c1.tuntap->dco;
1893 }
1894
1895#ifdef _WIN32
1896 /* store (hide) interactive service handle in tuntap_options */
1898 msg(D_ROUTE, "interactive service msg_channel=%" PRIuPTR, (intptr_t)c->options.msg_channel);
1899#endif
1900
1901 /* allocate route list structure */
1903
1904 /* parse and resolve the route option list */
1905 ASSERT(c->c2.link_sockets[0]);
1906 if (c->options.routes && c->c1.route_list)
1907 {
1909 c->c2.es, &c->net_ctx);
1910 }
1912 {
1914 &c->c2.link_sockets[0]->info, c->c2.es, &c->net_ctx);
1915 }
1916
1917 /* do ifconfig */
1919 {
1920 /* guess actual tun/tap unit number that will be returned
1921 * by open_tun */
1922 const char *guess =
1924 do_ifconfig(c->c1.tuntap, guess, c->c2.frame.tun_mtu, c->c2.es, &c->net_ctx);
1925 }
1926
1927 /* possibly add routes */
1929 {
1930 /* Ignore route_delay, would cause ROUTE_BEFORE_TUN to be ignored */
1932 c->c1.tuntap, c->plugins, c->c2.es, &c->net_ctx);
1933 *error_flags |= (status ? 0 : ISC_ROUTE_ERRORS);
1934 }
1935#ifdef TARGET_ANDROID
1936 /* Store the old fd inside the fd so open_tun can use it */
1937 c->c1.tuntap->fd = oldtunfd;
1938#endif
1939
1940 if (dco_enabled(&c->options))
1941 {
1942 ovpn_dco_init(c);
1943 }
1944
1945 /* open the tun device */
1947
1948 /* set the hardware address */
1949 if (c->options.lladdr)
1950 {
1952 }
1953
1954 /* do ifconfig */
1956 {
1958 &c->net_ctx);
1959 }
1960
1961 run_dns_up_down(true, &c->options, c->c1.tuntap, &c->persist.duri);
1962
1963 /* run the up script */
1964 run_up_down(c->options.up_script, c->plugins, OPENVPN_PLUGIN_UP, c->c1.tuntap->actual_name,
1965#ifdef _WIN32
1967#endif
1971 NULL, "up", c->c2.es);
1972
1973 add_wfp_block(c);
1974
1975 /* possibly add routes */
1977 {
1979 c->c1.tuntap, c->plugins, c->c2.es, &c->net_ctx);
1980 *error_flags |= (status ? 0 : ISC_ROUTE_ERRORS);
1981 }
1982
1983 ret = true;
1984 static_context = c;
1985 }
1986 else
1987 {
1988 msg(M_INFO, "Preserving previous TUN/TAP instance: %s", c->c1.tuntap->actual_name);
1989
1990 /* explicitly set the ifconfig_* env vars */
1992
1993 run_dns_up_down(true, &c->options, c->c1.tuntap, &c->persist.duri);
1994
1995 /* run the up script if user specified --up-restart */
1996 if (c->options.up_restart)
1997 {
1998 run_up_down(c->options.up_script, c->plugins, OPENVPN_PLUGIN_UP,
1999 c->c1.tuntap->actual_name,
2000#ifdef _WIN32
2002#endif
2006 "restart", NULL, "up", c->c2.es);
2007 }
2008
2009 add_wfp_block(c);
2010 }
2011 gc_free(&gc);
2012 return ret;
2013}
2014
2015/*
2016 * Close TUN/TAP device
2017 */
2018
2019static void
2021{
2022 msg(D_CLOSE, "Closing %s interface", print_tun_backend_driver(c->c1.tuntap->backend_driver));
2023
2024 if (c->c1.tuntap)
2025 {
2027 {
2028 undo_ifconfig(c->c1.tuntap, &c->net_ctx);
2029 }
2031 {
2033 }
2034 else if (c->c1.tuntap->backend_driver == DRIVER_NULL)
2035 {
2036 free(c->c1.tuntap->actual_name);
2037 free(c->c1.tuntap);
2038 }
2039 else
2040 {
2041 close_tun(c->c1.tuntap, &c->net_ctx);
2042 }
2043 c->c1.tuntap = NULL;
2044 }
2045 c->c1.tuntap_owned = false;
2047}
2048
2049static void
2050do_close_tun(struct context *c, bool force)
2051{
2052 /* With dco-win we open tun handle in the very beginning.
2053 * In case when tun wasn't opened - like we haven't connected,
2054 * we still need to close tun handle
2055 */
2057 {
2059 return;
2060 }
2061
2062 if (!c->c1.tuntap || !c->c1.tuntap_owned)
2063 {
2064 return;
2065 }
2066
2067 struct gc_arena gc = gc_new();
2068 const char *tuntap_actual = string_alloc(c->c1.tuntap->actual_name, &gc);
2069 const in_addr_t local = c->c1.tuntap->local;
2070 const in_addr_t remote_netmask = c->c1.tuntap->remote_netmask;
2071 unsigned long adapter_index = 0;
2072#ifdef _WIN32
2073 adapter_index = c->c1.tuntap->adapter_index;
2074#endif
2075
2076 run_dns_up_down(false, &c->options, c->c1.tuntap, &c->persist.duri);
2077
2078 if (force || !(c->sig->signal_received == SIGUSR1 && c->options.persist_tun))
2079 {
2080 static_context = NULL;
2081
2082#ifdef ENABLE_MANAGEMENT
2083 /* tell management layer we are about to close the TUN/TAP device */
2084 if (management)
2085 {
2087 management_up_down(management, "DOWN", c->c2.es);
2088 }
2089#endif
2090
2091 /* delete any routes we added */
2092 if (c->c1.route_list || c->c1.route_ipv6_list)
2093 {
2094 run_up_down(c->options.route_predown_script, c->plugins, OPENVPN_PLUGIN_ROUTE_PREDOWN,
2095 tuntap_actual,
2096#ifdef _WIN32
2097 adapter_index,
2098#endif
2099 NULL, c->c2.frame.tun_mtu, print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc),
2100 print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc), "init",
2102 "route-pre-down", c->c2.es);
2103
2105 ROUTE_OPTION_FLAGS(&c->options), c->c2.es, &c->net_ctx);
2106 }
2107
2108 /* actually close tun/tap device based on --down-pre flag */
2109 if (!c->options.down_pre)
2110 {
2112 }
2113
2114 /* Run the down script -- note that it will run at reduced
2115 * privilege if, for example, "--user" was used. */
2116 run_up_down(c->options.down_script, c->plugins, OPENVPN_PLUGIN_DOWN, tuntap_actual,
2117#ifdef _WIN32
2118 adapter_index,
2119#endif
2120 NULL, c->c2.frame.tun_mtu, print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc),
2121 print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc), "init",
2123 c->c2.es);
2124
2125 del_wfp_block(c, adapter_index);
2126
2127 /* actually close tun/tap device based on --down-pre flag */
2128 if (c->options.down_pre)
2129 {
2131 }
2132 }
2133 else
2134 {
2135 /* run the down script on this restart if --up-restart was specified */
2136 if (c->options.up_restart)
2137 {
2138 run_up_down(c->options.down_script, c->plugins, OPENVPN_PLUGIN_DOWN, tuntap_actual,
2139#ifdef _WIN32
2140 adapter_index,
2141#endif
2142 NULL, c->c2.frame.tun_mtu, print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc),
2143 print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc), "restart",
2145 c->c2.es);
2146 }
2147
2148 del_wfp_block(c, adapter_index);
2149 }
2150 gc_free(&gc);
2151}
2152
2153void
2155{
2156 struct context *c = static_context;
2157 if (c)
2158 {
2159 static_context = NULL;
2160 do_close_tun(c, true);
2161 }
2162}
2163
2164/*
2165 * Handle delayed tun/tap interface bringup due to --up-delay or --pull
2166 */
2167
2172static bool
2174{
2175 const struct sha256_digest zero = { { 0 } };
2176 return memcmp(a, b, sizeof(struct sha256_digest))
2177 || !memcmp(a, &zero, sizeof(struct sha256_digest));
2178}
2179
2185static void
2186add_delim_if_non_empty(struct buffer *buf, const char *header)
2187{
2188 if (buf_len(buf) > strlen(header))
2189 {
2190 buf_printf(buf, ", ");
2191 }
2192}
2193
2194
2199static void
2201{
2202 struct options *o = &c->options;
2203
2204 struct buffer out;
2205 uint8_t line[1024] = { 0 };
2206 buf_set_write(&out, line, sizeof(line));
2207
2208
2209 if (cipher_kt_mode_aead(o->ciphername))
2210 {
2211 buf_printf(&out, "Data Channel: cipher '%s'", cipher_kt_name(o->ciphername));
2212 }
2213 else
2214 {
2215 buf_printf(&out, "Data Channel: cipher '%s', auth '%s'", cipher_kt_name(o->ciphername),
2216 md_kt_name(o->authname));
2217 }
2218
2219 if (o->use_peer_id)
2220 {
2221 buf_printf(&out, ", peer-id: %d", o->peer_id);
2222 }
2223
2224#ifdef USE_COMP
2225 if (c->c2.comp_context)
2226 {
2227 buf_printf(&out, ", compression: '%s'", c->c2.comp_context->alg.name);
2228 }
2229#endif
2230
2231 msg(D_HANDSHAKE, "%s", BSTR(&out));
2232
2233 buf_clear(&out);
2234
2235 const char *header = "Timers: ";
2236
2237 buf_printf(&out, "%s", header);
2238
2239 if (o->ping_send_timeout)
2240 {
2241 buf_printf(&out, "ping %d", o->ping_send_timeout);
2242 }
2243
2244 if (o->ping_rec_timeout_action != PING_UNDEF)
2245 {
2246 /* yes unidirectional ping is possible .... */
2247 add_delim_if_non_empty(&out, header);
2248
2249 if (o->ping_rec_timeout_action == PING_EXIT)
2250 {
2251 buf_printf(&out, "ping-exit %d", o->ping_rec_timeout);
2252 }
2253 else
2254 {
2255 buf_printf(&out, "ping-restart %d", o->ping_rec_timeout);
2256 }
2257 }
2258
2259 if (o->inactivity_timeout)
2260 {
2261 add_delim_if_non_empty(&out, header);
2262
2263 buf_printf(&out, "inactive %d", o->inactivity_timeout);
2264 if (o->inactivity_minimum_bytes)
2265 {
2266 buf_printf(&out, " %" PRIu64, o->inactivity_minimum_bytes);
2267 }
2268 }
2269
2270 if (o->session_timeout)
2271 {
2272 add_delim_if_non_empty(&out, header);
2273 buf_printf(&out, "session-timeout %d", o->session_timeout);
2274 }
2275
2276 if (buf_len(&out) > strlen(header))
2277 {
2278 msg(D_HANDSHAKE, "%s", BSTR(&out));
2279 }
2280
2281 buf_clear(&out);
2282 header = "Protocol options: ";
2283 buf_printf(&out, "%s", header);
2284
2285 if (c->options.ce.explicit_exit_notification)
2286 {
2287 buf_printf(&out, "explicit-exit-notify %d", c->options.ce.explicit_exit_notification);
2288 }
2289 if (c->options.imported_protocol_flags)
2290 {
2291 add_delim_if_non_empty(&out, header);
2292
2293 buf_printf(&out, "protocol-flags");
2294
2295 if (o->imported_protocol_flags & CO_USE_CC_EXIT_NOTIFY)
2296 {
2297 buf_printf(&out, " cc-exit");
2298 }
2299 if (o->imported_protocol_flags & CO_USE_TLS_KEY_MATERIAL_EXPORT)
2300 {
2301 buf_printf(&out, " tls-ekm");
2302 }
2303 if (o->imported_protocol_flags & CO_USE_DYNAMIC_TLS_CRYPT)
2304 {
2305 buf_printf(&out, " dyn-tls-crypt");
2306 }
2307 if (o->imported_protocol_flags & CO_EPOCH_DATA_KEY_FORMAT)
2308 {
2309 buf_printf(&out, " aead-epoch");
2310 }
2311 }
2312
2313 if (buf_len(&out) > strlen(header))
2314 {
2315 msg(D_HANDSHAKE, "%s", BSTR(&out));
2316 }
2317}
2318
2319
2327static bool
2329{
2330 struct frame *frame_fragment = NULL;
2331#ifdef ENABLE_FRAGMENT
2332 if (c->options.ce.fragment)
2333 {
2334 frame_fragment = &c->c2.frame_fragment;
2335 }
2336#endif
2337
2340 frame_fragment, get_link_socket_info(c),
2341 &c->c1.tuntap->dco))
2342 {
2343 msg(D_TLS_ERRORS, "OPTIONS ERROR: failed to import crypto options");
2344 return false;
2345 }
2346
2347 return true;
2348}
2349
2350bool
2351do_up(struct context *c, bool pulled_options, unsigned int option_types_found)
2352{
2353 int error_flags = 0;
2354 if (!c->c2.do_up_ran)
2355 {
2357
2358 if (pulled_options)
2359 {
2360 if (!do_deferred_options(c, option_types_found, false))
2361 {
2362 msg(D_PUSH_ERRORS, "ERROR: Failed to apply push options");
2363 return false;
2364 }
2365 }
2366
2367 /* if --up-delay specified, open tun, do ifconfig, and run up script now */
2368 if (c->options.up_delay || PULL_DEFINED(&c->options))
2369 {
2370 c->c2.did_open_tun = do_open_tun(c, &error_flags);
2371 update_time();
2372
2373 /*
2374 * Was tun interface object persisted from previous restart iteration,
2375 * and if so did pulled options string change from previous iteration?
2376 */
2377 if (!c->c2.did_open_tun && PULL_DEFINED(&c->options) && c->c1.tuntap
2380 {
2381 /* if so, close tun, delete routes, then reinitialize tun and add routes */
2382 msg(M_INFO,
2383 "NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.");
2384
2385 bool tt_dco_win = tuntap_is_dco_win(c->c1.tuntap);
2386 do_close_tun(c, true);
2387
2388 if (tt_dco_win)
2389 {
2390 msg(M_NONFATAL, "dco-win doesn't yet support reopening TUN device");
2391 /* prevent link_socket_close() from closing handle with WinSock API */
2393 return false;
2394 }
2395 else
2396 {
2398 c->c2.did_open_tun = do_open_tun(c, &error_flags);
2399 update_time();
2400 }
2401 }
2402 }
2403 }
2404
2405 /* This part needs to be run in p2p mode (without pull) when the client
2406 * reconnects to setup various things (like DCO and NCP cipher) that
2407 * might have changed from the previous connection.
2408 */
2409 if (!c->c2.do_up_ran
2411 {
2412 if (c->mode == MODE_POINT_TO_POINT)
2413 {
2414 /* ovpn-dco requires adding the peer now, before any option can be set,
2415 * but *after* having parsed the pushed peer-id in do_deferred_options()
2416 */
2417 int ret = dco_p2p_add_new_peer(c);
2418 if (ret < 0)
2419 {
2420 msg(D_DCO, "Cannot add peer to DCO: %s (%d)", strerror(-ret), ret);
2421 return false;
2422 }
2423 }
2424
2425 /* do_deferred_options_part2() and do_deferred_p2p_ncp() *must* be
2426 * invoked after open_tun().
2427 * This is required by DCO because we must have created the interface
2428 * and added the peer before we can fiddle with the keys or any other
2429 * data channel per-peer setting.
2430 */
2431 if (pulled_options)
2432 {
2434 {
2435 return false;
2436 }
2437 }
2438 else
2439 {
2440 if (c->mode == MODE_POINT_TO_POINT)
2441 {
2442 if (!do_deferred_p2p_ncp(c))
2443 {
2444 msg(D_TLS_ERRORS, "ERROR: Failed to apply P2P negotiated protocol options");
2445 return false;
2446 }
2447 }
2448 }
2449
2450 if (c->c2.did_open_tun)
2451 {
2453
2454 /* if --route-delay was specified, start timer */
2456 {
2461 }
2462 else
2463 {
2464 /* client/p2p --route-delay undefined */
2465 initialization_sequence_completed(c, error_flags);
2466 }
2467 }
2468 else if (c->options.mode == MODE_POINT_TO_POINT)
2469 {
2470 /* client/p2p restart with --persist-tun */
2471 initialization_sequence_completed(c, error_flags);
2472 }
2473
2475
2476 c->c2.do_up_ran = true;
2477 if (c->c2.tls_multi)
2478 {
2480 }
2481 }
2482 return true;
2483}
2484
2485bool
2486do_update(struct context *c, unsigned int option_types_found)
2487{
2488 /* Not necessary since to receive the update the openvpn
2489 * instance must be up and running but just in case
2490 */
2491 if (!c->c2.do_up_ran)
2492 {
2493 return false;
2494 }
2495
2496 bool tt_dco_win = tuntap_is_dco_win(c->c1.tuntap);
2497 if (tt_dco_win)
2498 {
2499 msg(M_NONFATAL, "dco-win doesn't yet support reopening TUN device");
2500 return false;
2501 }
2502
2503 if (!do_deferred_options(c, option_types_found, true))
2504 {
2505 msg(D_PUSH_ERRORS, "ERROR: Failed to apply push options");
2506 return false;
2507 }
2508
2509 do_close_tun(c, true);
2510
2512 int error_flags = 0;
2513 c->c2.did_open_tun = do_open_tun(c, &error_flags);
2514 update_time();
2515
2516 if (c->c2.did_open_tun)
2517 {
2518 /* if --route-delay was specified, start timer */
2520 {
2525 }
2526
2527 initialization_sequence_completed(c, error_flags);
2528 }
2529
2531
2532 return true;
2533}
2534
2535/*
2536 * These are the option categories which will be accepted by pull.
2537 */
2538unsigned int
2540{
2541 unsigned int flags = OPT_P_UP | OPT_P_ROUTE_EXTRAS | OPT_P_SOCKBUF | OPT_P_SOCKFLAGS
2545
2546 if (!c->options.route_nopull)
2547 {
2548 flags |= (OPT_P_ROUTE | OPT_P_DHCPDNS);
2549 }
2550
2551 return flags;
2552}
2553
2554static bool
2556{
2557 if (!c->c2.tls_multi)
2558 {
2559 return true;
2560 }
2561
2563
2565
2566 const char *ncp_cipher =
2568
2569 if (ncp_cipher)
2570 {
2571 c->options.ciphername = ncp_cipher;
2572 }
2573 else if (!c->options.enable_ncp_fallback)
2574 {
2575 msg(D_TLS_ERRORS, "ERROR: failed to negotiate cipher with peer and "
2576 "--data-ciphers-fallback not enabled. No usable "
2577 "data channel cipher");
2578 return false;
2579 }
2580
2581 struct frame *frame_fragment = NULL;
2582#ifdef ENABLE_FRAGMENT
2583 if (c->options.ce.fragment)
2584 {
2585 frame_fragment = &c->c2.frame_fragment;
2586 }
2587#endif
2588
2590 frame_fragment, get_link_socket_info(c),
2591 &c->c1.tuntap->dco))
2592 {
2593 msg(D_TLS_ERRORS, "ERROR: failed to set crypto cipher");
2594 return false;
2595 }
2596 return true;
2597}
2598
2599bool
2600do_deferred_options(struct context *c, const unsigned int found, const bool is_update)
2601{
2602 if (found & OPT_P_MESSAGES)
2603 {
2605 msg(D_PUSH, "OPTIONS IMPORT: --verb and/or --mute level changed");
2606 }
2607 if (found & OPT_P_TIMER)
2608 {
2609 do_init_timers(c, true);
2610 msg(D_PUSH_DEBUG, "OPTIONS IMPORT: timers and/or timeouts modified");
2611 }
2612
2613 if (found & OPT_P_EXPLICIT_NOTIFY)
2614 {
2615 /* Client side, so just check the first link_socket */
2618 {
2619 msg(D_PUSH, "OPTIONS IMPORT: --explicit-exit-notify can only be used with --proto udp");
2621 }
2622 else
2623 {
2624 msg(D_PUSH_DEBUG, "OPTIONS IMPORT: explicit notify parm(s) modified");
2625 }
2626 }
2627
2628 if (found & OPT_P_COMP)
2629 {
2631 {
2632 msg(D_PUSH_ERRORS, "OPTIONS ERROR: server pushed compression "
2633 "settings that are not allowed and will result "
2634 "in a non-working connection. "
2635 "See also allow-compression in the manual.");
2636 return false;
2637 }
2638#ifdef USE_COMP
2639 msg(D_PUSH_DEBUG, "OPTIONS IMPORT: compression parms modified");
2640 comp_uninit(c->c2.comp_context);
2641 c->c2.comp_context = comp_init(&c->options.comp);
2642#endif
2643 }
2644
2645 if (found & OPT_P_SHAPER)
2646 {
2647 msg(D_PUSH, "OPTIONS IMPORT: traffic shaper enabled");
2649 }
2650
2651 if (found & OPT_P_SOCKBUF)
2652 {
2653 msg(D_PUSH, "OPTIONS IMPORT: --sndbuf/--rcvbuf options modified");
2654
2655 for (int i = 0; i < c->c1.link_sockets_num; i++)
2656 {
2658 c->options.sndbuf);
2659 }
2660 }
2661
2662 if (found & OPT_P_SOCKFLAGS)
2663 {
2664 msg(D_PUSH, "OPTIONS IMPORT: --socket-flags option modified");
2665 for (int i = 0; i < c->c1.link_sockets_num; i++)
2666 {
2668 }
2669 }
2670
2671 if (found & OPT_P_PERSIST)
2672 {
2673 msg(D_PUSH, "OPTIONS IMPORT: --persist options modified");
2674 }
2675 if (found & OPT_P_UP)
2676 {
2677 msg(D_PUSH, "OPTIONS IMPORT: --ifconfig/up options modified");
2678 }
2679 if (found & OPT_P_ROUTE)
2680 {
2681 msg(D_PUSH, "OPTIONS IMPORT: route options modified");
2682 }
2683 if (found & OPT_P_ROUTE_EXTRAS)
2684 {
2685 msg(D_PUSH, "OPTIONS IMPORT: route-related options modified");
2686 }
2687 if (found & OPT_P_DHCPDNS)
2688 {
2689 msg(D_PUSH, "OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified");
2690 }
2691 if (found & OPT_P_SETENV)
2692 {
2693 msg(D_PUSH, "OPTIONS IMPORT: environment modified");
2694 }
2695
2696 if (found & OPT_P_PEER_ID)
2697 {
2698 msg(D_PUSH_DEBUG, "OPTIONS IMPORT: peer-id set");
2699 c->c2.tls_multi->use_peer_id = true;
2701 }
2702
2703 /* process (potentially) pushed options */
2704 if (c->options.pull)
2705 {
2706 /* On PUSH_UPDATE, NCP related flags are never updated, and so the code
2707 * would assume "no cipher pushed = NCP failed" - so, don't call it on
2708 * updates */
2709 if (!is_update && !check_pull_client_ncp(c, found))
2710 {
2711 return false;
2712 }
2713
2714 /* Check if pushed options are compatible with DCO, if enabled */
2716 {
2717 msg(D_PUSH_ERRORS, "OPTIONS ERROR: pushed options are incompatible "
2718 "with data channel offload. Use --disable-dco to connect to "
2719 "this server");
2720 return false;
2721 }
2722 }
2723
2724 /* Ensure that for epoch data format is only enabled if also data v2
2725 * is enabled */
2727 bool datav2_enabled = (c->options.peer_id >= 0 && c->options.peer_id < MAX_PEER_ID);
2728
2729 if (epoch_data && !datav2_enabled)
2730 {
2731 msg(D_PUSH_ERRORS, "OPTIONS ERROR: Epoch key data format tag requires "
2732 "data v2 (peer-id) to be enabled.");
2733 return false;
2734 }
2735
2736
2737 if (found & OPT_P_PUSH_MTU)
2738 {
2739 /* MTU has changed, check that the pushed MTU is small enough to
2740 * be able to change it */
2741 msg(D_PUSH, "OPTIONS IMPORT: tun-mtu set to %d", c->options.ce.tun_mtu);
2742
2743 struct frame *frame = &c->c2.frame;
2744
2746 {
2748 "Server-pushed tun-mtu is too large, please add "
2749 "tun-mtu-max %d in the client configuration",
2750 c->options.ce.tun_mtu);
2751 }
2753 }
2754
2755 return true;
2756}
2757
2758/*
2759 * Possible hold on initialization, holdtime is the
2760 * time OpenVPN would wait without management
2761 */
2762static bool
2763do_hold(int holdtime)
2764{
2765#ifdef ENABLE_MANAGEMENT
2766 if (management)
2767 {
2768 /* block until management hold is released */
2769 if (management_hold(management, holdtime))
2770 {
2771 return true;
2772 }
2773 }
2774#endif
2775 return false;
2776}
2777
2778/*
2779 * Sleep before restart.
2780 */
2781static void
2783{
2784 int sec = 2;
2785 int backoff = 0;
2786
2787 switch (c->mode)
2788 {
2789 case CM_TOP:
2790 sec = 1;
2791 break;
2792
2793 case CM_CHILD_UDP:
2794 case CM_CHILD_TCP:
2796 break;
2797 }
2798
2799#ifdef ENABLE_DEBUG
2800 if (GREMLIN_CONNECTION_FLOOD_LEVEL(c->options.gremlin))
2801 {
2802 sec = 0;
2803 }
2804#endif
2805
2807 {
2808 sec = 10;
2809 }
2810
2811 /* Slow down reconnection after 5 retries per remote -- for TCP client or UDP tls-client only */
2812 if (c->mode == CM_CHILD_TCP || (c->options.ce.proto == PROTO_UDP && c->options.tls_client))
2813 {
2814 backoff = (c->options.unsuccessful_attempts / c->options.connection_list->len) - 4;
2815 if (backoff > 0)
2816 {
2817 /* sec is less than 2^16; we can left shift it by up to 15 bits without overflow */
2818 sec = max_int(sec, 1) << min_int(backoff, 15);
2819 }
2821 {
2822 sec = max_int(sec, c->options.server_backoff_time);
2824 }
2825
2827 {
2829 }
2830 }
2831
2833 {
2835 }
2836 else if (c->persist.restart_sleep_seconds == -1)
2837 {
2838 sec = 0;
2839 }
2841
2842 /* do management hold on context restart, i.e. second, third, fourth, etc. initialization */
2843 if (do_hold(sec))
2844 {
2845 sec = 0;
2846 }
2847
2848 if (sec)
2849 {
2850 msg(D_RESTART, "Restart pause, %d second(s)", sec);
2851 management_sleep(sec);
2852 }
2853}
2854
2855/*
2856 * Do a possible pause on context_2 initialization.
2857 */
2858static void
2860{
2861 if (!c->first_time)
2862 {
2864 }
2865 else
2866 {
2867 do_hold(0); /* do management hold on first context initialization */
2868 }
2869}
2870
2871static size_t
2872get_frame_mtu(struct context *c, const struct options *o)
2873{
2874 size_t mtu;
2875
2876 if (o->ce.link_mtu_defined)
2877 {
2879 /* if we have a link mtu defined we calculate what the old code
2880 * would have come up with as tun-mtu */
2881 size_t overhead = frame_calculate_protocol_header_size(&c->c1.ks.key_type, o, true);
2882 mtu = o->ce.link_mtu - overhead;
2883 }
2884 else
2885 {
2887 mtu = o->ce.tun_mtu;
2888 }
2889
2890 if (mtu < TUN_MTU_MIN)
2891 {
2892 msg(M_WARN, "TUN MTU value (%zu) must be at least %d", mtu, TUN_MTU_MIN);
2893 frame_print(&c->c2.frame, M_FATAL, "MTU is too small");
2894 }
2895 return mtu;
2896}
2897
2898/*
2899 * Finalize MTU parameters based on command line or config file options.
2900 */
2901static void
2902frame_finalize_options(struct context *c, const struct options *o)
2903{
2904 if (!o)
2905 {
2906 o = &c->options;
2907 }
2908
2909 struct frame *frame = &c->c2.frame;
2910
2911 frame->tun_mtu = get_frame_mtu(c, o);
2913
2914 /* max mtu needs to be at least as large as the tun mtu */
2916
2917 /* We always allow at least 1600 MTU packets to be received in our buffer
2918 * space to allow server to push "baby giant" MTU sizes */
2920
2921 size_t payload_size = frame->tun_max_mtu;
2922
2923 /* we need to be also large enough to hold larger control channel packets
2924 * if configured */
2926
2927 /* The extra tun needs to be added to the payload size */
2928 if (o->ce.tun_mtu_defined)
2929 {
2931 }
2932
2933 /* Add 32 byte of extra space in the buffer to account for small errors
2934 * in the calculation */
2935 payload_size += 32;
2936
2937
2938 /* the space that is reserved before the payload to add extra headers to it
2939 * we always reserve the space for the worst case */
2940 size_t headroom = 0;
2941
2942 /* includes IV and packet ID */
2944
2945 /* peer id + opcode */
2946 headroom += 4;
2947
2948 /* socks proxy header */
2949 headroom += 10;
2950
2951 /* compression header and fragment header (part of the encrypted payload) */
2952 headroom += 1 + 1;
2953
2954 /* Round up headroom to the next multiple of 4 to ensure alignment */
2955 headroom = (headroom + 3) & ~3;
2956
2957 /* Add the headroom to the payloadsize as a received (IP) packet can have
2958 * all the extra headers in it */
2960
2961 /* the space after the payload, this needs some extra buffer space for
2962 * encryption so headroom is probably too much but we do not really care
2963 * the few extra bytes */
2964 size_t tailroom = headroom;
2965
2966#ifdef USE_COMP
2968 "MTU: adding %zu buffer tailroom for compression for %zu "
2969 "bytes of payload",
2970 COMP_EXTRA_BUFFER(payload_size), payload_size);
2971 tailroom += COMP_EXTRA_BUFFER(payload_size);
2972#endif
2973
2977}
2978
2979/*
2980 * Free a key schedule, including OpenSSL components.
2981 */
2982static void
2983key_schedule_free(struct key_schedule *ks, bool free_ssl_ctx)
2984{
2986 if (tls_ctx_initialised(&ks->ssl_ctx) && free_ssl_ctx)
2987 {
2988 tls_ctx_free(&ks->ssl_ctx);
2990 }
2991 CLEAR(*ks);
2992}
2993
2994static void
2995init_crypto_pre(struct context *c, const unsigned int flags)
2996{
2997 if (c->options.engine)
2998 {
3000 }
3001
3002 if (flags & CF_LOAD_PERSISTED_PACKET_ID)
3003 {
3004 /* load a persisted packet-id for cross-session replay-protection */
3005 if (c->options.packet_id_file)
3006 {
3008 }
3009 }
3010
3011#ifdef ENABLE_PREDICTION_RESISTANCE
3012 if (c->options.use_prediction_resistance)
3013 {
3014 rand_ctx_enable_prediction_resistance();
3015 }
3016#endif
3017}
3018
3019/*
3020 * Static Key Mode (using a pre-shared key)
3021 */
3022static void
3023do_init_crypto_static(struct context *c, const unsigned int flags)
3024{
3025 const struct options *options = &c->options;
3027
3028 init_crypto_pre(c, flags);
3029
3030 /* Initialize flags */
3032 {
3034 }
3035
3036 /* Initialize packet ID tracking */
3038 "STATIC", 0);
3042
3044 {
3045 /* Get cipher & hash algorithms */
3047 options->test_crypto, true);
3048
3049 /* Read cipher and hmac keys from shared secret file */
3052 options->key_direction, "Static Key Encryption", "secret", NULL);
3053 }
3054 else
3055 {
3056 msg(M_INFO, "Re-using pre-shared static key");
3057 }
3058
3059 /* Get key schedule */
3061}
3062
3063/*
3064 * Initialize the tls-auth/crypt key context
3065 */
3066static void
3068{
3069 const struct options *options = &c->options;
3070
3071 /* TLS handshake authentication (--tls-auth) */
3073 {
3074 /* Initialize key_type for tls-auth with auth only */
3076 c->c1.ks.tls_auth_key_type.cipher = "none";
3078 if (!md_valid(options->authname))
3079 {
3080 msg(M_FATAL,
3081 "ERROR: tls-auth enabled, but no valid --auth "
3082 "algorithm specified ('%s')",
3083 options->authname);
3084 }
3085
3088 options->ce.key_direction, "Control Channel Authentication",
3089 "tls-auth", &c->c1.ks.original_wrap_keydata);
3090 }
3091
3092 /* TLS handshake encryption+authentication (--tls-crypt) */
3094 {
3098 }
3099
3100 /* tls-crypt with client-specific keys (--tls-crypt-v2) */
3102 {
3103 if (options->tls_server)
3104 {
3108 }
3109 else
3110 {
3114 }
3115 /* We have to ensure that the loaded tls-crypt key is small enough
3116 * to fit into the initial hard reset v3 packet */
3117 int wkc_len = buf_len(&c->c1.ks.tls_crypt_v2_wkc);
3118
3119 /* empty ACK/message id, tls-crypt, Opcode, UDP, ipv6 */
3120 int required_size = 5 + wkc_len + tls_crypt_buf_overhead() + 1 + 8 + 40;
3121
3122 if (required_size > c->options.ce.tls_mtu)
3123 {
3124 msg(M_WARN,
3125 "ERROR: tls-crypt-v2 client key too large to work with "
3126 "requested --max-packet-size %d, requires at least "
3127 "--max-packet-size %d. Packets will ignore requested "
3128 "maximum packet size",
3129 c->options.ce.tls_mtu, required_size);
3130 }
3131 }
3132}
3133
3134/*
3135 * Initialize the persistent component of OpenVPN's TLS mode,
3136 * which is preserved across SIGUSR1 resets.
3137 */
3138static void
3140{
3141 const struct options *options = &c->options;
3142
3143 if (!tls_ctx_initialised(&c->c1.ks.ssl_ctx))
3144 {
3145 /*
3146 * Initialize the OpenSSL library's global
3147 * SSL context.
3148 */
3149 init_ssl(options, &(c->c1.ks.ssl_ctx), c->c0 && c->c0->uid_gid_chroot_set);
3150 if (!tls_ctx_initialised(&c->c1.ks.ssl_ctx))
3151 {
3152 switch (auth_retry_get())
3153 {
3154 case AR_NONE:
3155 msg(M_FATAL, "Error: private key password verification failed");
3156 break;
3157
3158 case AR_INTERACT:
3159 ssl_purge_auth(false);
3160 /* Intentional [[fallthrough]]; */
3161
3162 case AR_NOINTERACT:
3163 /* SOFT-SIGUSR1 -- Password failure error */
3164 register_signal(c->sig, SIGUSR1, "private-key-password-failure");
3165 break;
3166
3167 default:
3168 ASSERT(0);
3169 }
3170 return;
3171 }
3172
3173 /*
3174 * BF-CBC is allowed to be used only when explicitly configured
3175 * as NCP-fallback or when NCP has been disabled or explicitly
3176 * allowed in the in ncp_ciphers list.
3177 * In all other cases do not attempt to initialize BF-CBC as it
3178 * may not even be supported by the underlying SSL library.
3179 *
3180 * Therefore, the key structure has to be initialized when:
3181 * - any non-BF-CBC cipher was selected; or
3182 * - BF-CBC is selected, NCP is enabled and fallback is enabled
3183 * (BF-CBC will be the fallback).
3184 * - BF-CBC is in data-ciphers and we negotiate to use BF-CBC:
3185 * If the negotiated cipher and options->ciphername are the
3186 * same we do not reinit the cipher
3187 *
3188 * Note that BF-CBC will still be part of the OCC string to retain
3189 * backwards compatibility with older clients.
3190 */
3191 const char *ciphername = options->ciphername;
3192 if (streq(options->ciphername, "BF-CBC")
3195 {
3196 ciphername = "none";
3197 }
3198
3199 /* Do not warn if the cipher is used only in OCC */
3200 bool warn = options->enable_ncp_fallback;
3202
3203 /* initialize tls-auth/crypt/crypt-v2 key */
3205
3206 /* initialise auth-token crypto support */
3208 {
3211 }
3212
3213#if 0 /* was: #if ENABLE_INLINE_FILES -- Note that enabling this code will break restarts */
3215 {
3217 c->options.priv_key_file_inline = NULL;
3218 }
3219#endif
3220 }
3221 else
3222 {
3223 msg(D_INIT_MEDIUM, "Re-using SSL/TLS context");
3224
3225 /*
3226 * tls-auth/crypt key can be configured per connection block, therefore
3227 * we must reload it as it may have changed
3228 */
3230 }
3231}
3232
3233static void
3234do_init_crypto_tls(struct context *c, const unsigned int flags)
3235{
3236 const struct options *options = &c->options;
3237 struct tls_options to;
3238 bool packet_id_long_form;
3239
3242
3243 init_crypto_pre(c, flags);
3244
3245 /* Make sure we are either a TLS client or server but not both */
3247
3248 /* initialize persistent component */
3250 if (IS_SIG(c))
3251 {
3252 return;
3253 }
3254
3255 /* In short form, unique datagram identifier is 32 bits, in long form 64 bits */
3256 packet_id_long_form = cipher_kt_mode_ofb_cfb(c->c1.ks.key_type.cipher);
3257
3258 /* Set all command-line TLS-related options */
3259 CLEAR(to);
3260
3262 {
3264 }
3265
3267 if (packet_id_long_form)
3268 {
3270 }
3271
3272 to.ssl_ctx = c->c1.ks.ssl_ctx;
3273 to.key_type = c->c1.ks.key_type;
3285 {
3286 /* Add 10% jitter to reneg-sec by default (server side only) */
3287 int auto_jitter = options->mode != MODE_SERVER
3288 ? 0
3291 }
3292 else
3293 {
3294 /* Add user-specified jitter to reneg-sec */
3297 - (get_random()
3299 }
3301 to.mode = options->mode;
3302 to.pull = options->pull;
3303 if (options->push_peer_info) /* all there is */
3304 {
3305 to.push_peer_info_detail = 3;
3306 }
3307 else if (options->pull) /* pull clients send some details */
3308 {
3309 to.push_peer_info_detail = 2;
3310 }
3311 else if (options->mode == MODE_SERVER) /* server: no peer info at all */
3312 {
3313 to.push_peer_info_detail = 0;
3314 }
3315 else /* default: minimal info to allow NCP in P2P mode */
3316 {
3317 to.push_peer_info_detail = 1;
3318 }
3319
3320 /* Check if the DCO drivers support the epoch data format */
3321 if (dco_enabled(options))
3322 {
3324 }
3325 else
3326 {
3327 to.data_epoch_supported = true;
3328 }
3329
3330 /* should we not xmit any packets until we get an initial
3331 * response from client? */
3332 if (to.server && c->mode == CM_CHILD_TCP)
3333 {
3334 to.xmit_hold = true;
3335 }
3336
3344 memcpy(to.remote_cert_ku, options->remote_cert_ku, sizeof(to.remote_cert_ku));
3350#ifdef ENABLE_X509ALTUSERNAME
3351 memcpy(to.x509_username_field, options->x509_username_field, sizeof(to.x509_username_field));
3352#else
3354#endif
3355 to.es = c->c2.es;
3356 to.net_ctx = &c->net_ctx;
3357
3358#ifdef ENABLE_DEBUG
3359 to.gremlin = c->options.gremlin;
3360#endif
3361
3362 to.plugins = c->plugins;
3363
3364#ifdef ENABLE_MANAGEMENT
3365 to.mda_context = &c->c2.mda_context;
3366#endif
3367
3371 to.tmp_dir = options->tmp_dir;
3374 {
3376 }
3384
3386
3387#ifdef ENABLE_MANAGEMENT
3388 to.sci = &options->sc_info;
3389#endif
3390
3391#ifdef USE_COMP
3392 to.comp_options = options->comp;
3393#endif
3394
3396 {
3398 if (to.ekm_size < 16 || to.ekm_size > 4095)
3399 {
3400 to.ekm_size = 0;
3401 }
3402
3404 to.ekm_label_size = strlen(to.ekm_label);
3405 }
3406 else
3407 {
3408 to.ekm_size = 0;
3409 }
3410
3411 /* TLS handshake authentication (--tls-auth) */
3413 {
3414 to.tls_wrap.mode = TLS_WRAP_AUTH;
3415 }
3416
3417 /* TLS handshake encryption (--tls-crypt) */
3419 {
3420 to.tls_wrap.mode = TLS_WRAP_CRYPT;
3421 }
3422
3423 if (to.tls_wrap.mode == TLS_WRAP_AUTH || to.tls_wrap.mode == TLS_WRAP_CRYPT)
3424 {
3429 }
3430
3432 {
3433 to.tls_crypt_v2 = true;
3435
3436 if (options->tls_server)
3437 {
3441 {
3443 }
3444 }
3445 }
3446
3447 /* let the TLS engine know if keys have to be installed in DCO or not */
3449
3450 /*
3451 * Initialize OpenVPN's master TLS-mode object.
3452 */
3453 if (flags & CF_INIT_TLS_MULTI)
3454 {
3455 c->c2.tls_multi = tls_multi_init(&to);
3456 /* inherit the dco context from the tuntap object */
3457 if (c->c1.tuntap)
3458 {
3459 c->c2.tls_multi->dco = &c->c1.tuntap->dco;
3460 }
3461 }
3462
3463 if (flags & CF_INIT_TLS_AUTH_STANDALONE)
3464 {
3467 }
3468}
3469
3470static void
3472{
3473 if (c->c2.tls_multi)
3474 {
3477 frame_print(&c->c2.tls_multi->opt.frame, D_MTU_INFO, "Control Channel MTU parms");
3478
3479 /* Keep the max mtu also in the frame of tls multi so it can access
3480 * it in push_peer_info */
3482 }
3483 if (c->c2.tls_auth_standalone)
3484 {
3486 c->options.ce.tls_mtu);
3487 frame_print(&c->c2.tls_auth_standalone->frame, D_MTU_INFO, "TLS-Auth MTU parms");
3490 }
3491}
3492
3493/*
3494 * No encryption or authentication.
3495 */
3496static void
3498{
3500
3501 /* Initialise key_type with auth/cipher "none", so the key_type struct is
3502 * valid */
3503 init_key_type(&c->c1.ks.key_type, "none", "none", c->options.test_crypto, true);
3504
3505 msg(M_WARN, "******* WARNING *******: All encryption and authentication features "
3506 "disabled -- All data will be tunnelled as clear text and will not be "
3507 "protected against man-in-the-middle changes. "
3508 "PLEASE DO RECONSIDER THIS CONFIGURATION!");
3509}
3510
3511static void
3512do_init_crypto(struct context *c, const unsigned int flags)
3513{
3515 {
3516 do_init_crypto_static(c, flags);
3517 }
3518 else if (c->options.tls_server || c->options.tls_client)
3519 {
3520 do_init_crypto_tls(c, flags);
3521 }
3522 else /* no encryption or authentication. */
3523 {
3525 }
3526}
3527
3528static void
3530{
3531 /*
3532 * Adjust frame size based on the --tun-mtu-extra parameter.
3533 */
3535 {
3537 }
3538
3539 /*
3540 * Fill in the blanks in the frame parameters structure,
3541 * make sure values are rational, etc.
3542 */
3543 frame_finalize_options(c, NULL);
3544
3545
3546#if defined(ENABLE_FRAGMENT)
3547 /*
3548 * MTU advisories
3549 */
3550 if (c->options.ce.fragment && c->options.mtu_test)
3551 {
3552 msg(M_WARN,
3553 "WARNING: using --fragment and --mtu-test together may produce an inaccurate MTU test result");
3554 }
3555#endif
3556
3557#ifdef ENABLE_FRAGMENT
3558 if (c->options.ce.fragment > 0 && c->options.ce.mssfix > c->options.ce.fragment)
3559 {
3560 msg(M_WARN,
3561 "WARNING: if you use --mssfix and --fragment, you should "
3562 "set --fragment (%d) larger or equal than --mssfix (%d)",
3564 }
3565 if (c->options.ce.fragment > 0 && c->options.ce.mssfix > 0
3567 {
3568 msg(M_WARN, "WARNING: if you use --mssfix and --fragment, you should "
3569 "use the \"mtu\" flag for both or none of of them.");
3570 }
3571#endif
3572}
3573
3574static void
3576{
3577 const struct options *o = &c->options;
3578
3579 if (o->ping_send_timeout && !o->ping_rec_timeout)
3580 {
3581 msg(M_WARN, "WARNING: --ping should normally be used with --ping-restart or --ping-exit");
3582 }
3583
3584 if (o->username || o->groupname || o->chroot_dir
3585#ifdef ENABLE_SELINUX
3586 || o->selinux_context
3587#endif
3588 )
3589 {
3590 if (!o->persist_tun)
3591 {
3592 msg(M_WARN,
3593 "WARNING: you are using user/group/chroot/setcon without persist-tun -- this may cause restarts to fail");
3594 }
3595 }
3596
3597 if (o->chroot_dir && !(o->username && o->groupname))
3598 {
3599 msg(M_WARN,
3600 "WARNING: you are using chroot without specifying user and group -- this may cause the chroot jail to be insecure");
3601 }
3602
3603 if (o->pull && o->ifconfig_local && c->first_time)
3604 {
3605 msg(M_WARN,
3606 "WARNING: using --pull/--client and --ifconfig together is probably not what you want");
3607 }
3608
3610 {
3611 msg(M_WARN,
3612 "NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to");
3613 }
3614
3615 if (o->mode == MODE_SERVER)
3616 {
3617 if (o->duplicate_cn && o->client_config_dir)
3618 {
3619 msg(M_WARN,
3620 "WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want");
3621 }
3623 {
3624 msg(M_WARN, "WARNING: --ifconfig-pool-persist will not work with --duplicate-cn");
3625 }
3626 if (!o->keepalive_ping || !o->keepalive_timeout)
3627 {
3628 msg(M_WARN, "WARNING: --keepalive option is missing from server config");
3629 }
3630 }
3631
3632 if (o->tls_server)
3633 {
3635 }
3638 && !(o->verify_hash_depth == 0 && o->verify_hash))
3639 {
3640 msg(M_WARN,
3641 "WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.");
3642 }
3643 if (o->ns_cert_type)
3644 {
3645 msg(M_WARN, "WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.");
3646 }
3647
3648 /* If a script is used, print appropriate warnings */
3649 if (o->user_script_used)
3650 {
3652 {
3653 msg(M_WARN,
3654 "NOTE: the current --script-security setting may allow this configuration to call user-defined scripts");
3655 }
3656 else if (script_security() >= SSEC_PW_ENV)
3657 {
3658 msg(M_WARN,
3659 "WARNING: the current --script-security setting may allow passwords to be passed to scripts via environmental variables");
3660 }
3661 else
3662 {
3663 msg(M_WARN,
3664 "NOTE: starting with " PACKAGE_NAME
3665 " 2.1, '--script-security 2' or higher is required to call user-defined scripts or executables");
3666 }
3667 }
3668}
3669
3670struct context_buffers *
3672{
3673 struct context_buffers *b;
3674
3676
3677 size_t buf_size = BUF_SIZE(frame);
3678
3679 b->read_link_buf = alloc_buf(buf_size);
3680 b->read_tun_buf = alloc_buf(buf_size);
3681
3682 b->aux_buf = alloc_buf(buf_size);
3683
3684 b->encrypt_buf = alloc_buf(buf_size);
3685 b->decrypt_buf = alloc_buf(buf_size);
3686
3687#ifdef USE_COMP
3688 b->compress_buf = alloc_buf(buf_size);
3689 b->decompress_buf = alloc_buf(buf_size);
3690#endif
3691
3692 return b;
3693}
3694
3695void
3697{
3698 if (b)
3699 {
3702 free_buf(&b->aux_buf);
3703
3704#ifdef USE_COMP
3705 free_buf(&b->compress_buf);
3706 free_buf(&b->decompress_buf);
3707#endif
3708
3709 free_buf(&b->encrypt_buf);
3710 free_buf(&b->decrypt_buf);
3711
3712 free(b);
3713 }
3714}
3715
3716/*
3717 * Now that we know all frame parameters, initialize
3718 * our buffers.
3719 */
3720static void
3722{
3724 c->c2.buffers_owned = true;
3725}
3726
3727#ifdef ENABLE_FRAGMENT
3728/*
3729 * Fragmenting code has buffers to initialize
3730 * once frame parameters are known.
3731 */
3732static void
3734{
3736
3737 /*
3738 * Set frame parameter for fragment code. This is necessary because
3739 * the fragmentation code deals with payloads which have already been
3740 * passed through the compression code.
3741 */
3742 c->c2.frame_fragment = c->c2.frame;
3743
3747}
3748#endif
3749
3750/*
3751 * Allocate our socket object.
3752 */
3753static void
3755{
3756 ASSERT(!c->c2.link_sockets);
3757
3759
3760 for (int i = 0; i < c->c1.link_sockets_num; i++)
3761 {
3763 }
3764 c->c2.link_socket_owned = true;
3765}
3766
3767/*
3768 * bind TCP/UDP sockets
3769 */
3770static void
3772{
3773 for (int i = 0; i < c->c1.link_sockets_num; i++)
3774 {
3775 int mode = LS_MODE_DEFAULT;
3776
3777 /* mode allows CM_CHILD_TCP
3778 * instances to inherit acceptable fds
3779 * from a top-level parent */
3780 if (c->options.mode == MODE_SERVER)
3781 {
3782 /* initializing listening socket */
3783 if (c->mode == CM_TOP)
3784 {
3785 mode = LS_MODE_TCP_LISTEN;
3786 }
3787 /* initializing socket to client */
3788 else if (c->mode == CM_CHILD_TCP)
3789 {
3791 }
3792 }
3793
3794 /* init each socket with its specific args */
3795 link_socket_init_phase1(c, i, mode);
3796 }
3797}
3798
3799/*
3800 * finalize TCP/UDP sockets
3801 */
3802static void
3804{
3805 for (int i = 0; i < c->c1.link_sockets_num; i++)
3806 {
3808 }
3809}
3810
3811/*
3812 * Print MTU INFO
3813 */
3814static void
3816{
3817 frame_print(&c->c2.frame, D_MTU_INFO, "Data Channel MTU parms");
3818#ifdef ENABLE_FRAGMENT
3819 if (c->c2.fragment)
3820 {
3821 frame_print(&c->c2.frame_fragment, D_MTU_INFO, "Fragmentation MTU parms");
3822 }
3823#endif
3824}
3825
3826/*
3827 * Get local and remote options compatibility strings.
3828 */
3829static void
3831{
3832 struct gc_arena gc = gc_new();
3833
3835 options_string(&c->options, &c->c2.frame, c->c1.tuntap, &c->net_ctx, false, &gc);
3837 options_string(&c->options, &c->c2.frame, c->c1.tuntap, &c->net_ctx, true, &gc);
3838
3839 msg(D_SHOW_OCC, "Local Options String (VER=%s): '%s'",
3841 msg(D_SHOW_OCC, "Expected Remote Options String (VER=%s): '%s'",
3843
3844 if (c->c2.tls_multi)
3845 {
3848 }
3849
3850 gc_free(&gc);
3851}
3852
3853/*
3854 * These things can only be executed once per program instantiation.
3855 * Set up for possible UID/GID downgrade, but don't do it yet.
3856 * Daemonize if requested.
3857 */
3858static void
3860{
3861 if (c->first_time && !c->c0)
3862 {
3863 struct context_0 *c0;
3864
3865 ALLOC_OBJ_CLEAR_GC(c->c0, struct context_0, &c->gc);
3866 c0 = c->c0;
3867
3868 /* get user and/or group that we want to setuid/setgid to,
3869 * sets also platform_x_state */
3870 bool group_defined = platform_group_get(c->options.groupname, &c0->platform_state_group);
3871 bool user_defined = platform_user_get(c->options.username, &c0->platform_state_user);
3872
3873 c0->uid_gid_specified = user_defined || group_defined;
3874
3875 /* fork the dns script runner to preserve root? */
3876 c->persist.duri.required = user_defined;
3877
3878 /* perform postponed chdir if --daemon */
3879 if (c->did_we_daemonize && c->options.cd_dir == NULL)
3880 {
3881 platform_chdir("/");
3882 }
3883
3884 /* should we change scheduling priority? */
3886 }
3887}
3888
3889/*
3890 * free buffers
3891 */
3892static void
3894{
3895 if (c->c2.buffers_owned)
3896 {
3898 c->c2.buffers = NULL;
3899 c->c2.buffers_owned = false;
3900 }
3901}
3902
3903/*
3904 * close TLS
3905 */
3906static void
3908{
3909 if (c->c2.tls_multi)
3910 {
3911 tls_multi_free(c->c2.tls_multi, true);
3912 c->c2.tls_multi = NULL;
3913 }
3914
3915 /* free options compatibility strings */
3916 free(c->c2.options_string_local);
3917 free(c->c2.options_string_remote);
3918
3920
3921 if (c->c2.pulled_options_state)
3922 {
3925 }
3926
3928}
3929
3930/*
3931 * Free key schedules
3932 */
3933static void
3934do_close_free_key_schedule(struct context *c, bool free_ssl_ctx)
3935{
3936 /*
3937 * always free the tls_auth/crypt key. The key will
3938 * be reloaded from memory (pre-cached)
3939 */
3942 CLEAR(c->c1.ks.tls_wrap_key);
3945
3946 if (!(c->sig->signal_received == SIGUSR1))
3947 {
3948 key_schedule_free(&c->c1.ks, free_ssl_ctx);
3949 }
3950}
3951
3952/*
3953 * Close TCP/UDP connection
3954 */
3955static void
3957{
3958 if (c->c2.link_sockets && c->c2.link_socket_owned)
3959 {
3960 for (int i = 0; i < c->c1.link_sockets_num; i++)
3961 {
3962 /* in dco-win case, link socket is a tun handle which is
3963 * closed in do_close_tun(). Set it to UNDEFINED so
3964 * we won't use WinSock API to close it. */
3965 if (tuntap_is_dco_win(c->c1.tuntap))
3966 {
3968 }
3969
3971 }
3972 c->c2.link_sockets = NULL;
3973 }
3974
3975
3976 /* Preserve the resolved list of remote if the user request to or if we want
3977 * reconnect to the same host again or there are still addresses that need
3978 * to be tried */
3979 if (!(c->sig->signal_received == SIGUSR1
3980 && ((c->options.persist_remote_ip)
3981 || (c->sig->source != SIG_SOURCE_HARD
3983 && c->c1.link_socket_addrs[0].current_remote->ai_next)
3984 || c->options.no_advance)))))
3985 {
3987 }
3988
3989 /* Clear the remote actual address when persist_remote_ip is not in use */
3990 if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_remote_ip))
3991 {
3992 for (int i = 0; i < c->c1.link_sockets_num; i++)
3993 {
3995 }
3996 }
3997
3998 if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_local_ip))
3999 {
4000 for (int i = 0; i < c->c1.link_sockets_num; i++)
4001 {
4003 {
4004 freeaddrinfo(c->c1.link_socket_addrs[i].bind_local);
4005 }
4006
4007 c->c1.link_socket_addrs[i].bind_local = NULL;
4008 }
4009 }
4010}
4011
4012/*
4013 * Close packet-id persistence file
4014 */
4015static void
4017{
4020 if (!(c->sig->signal_received == SIGUSR1))
4021 {
4023 }
4024}
4025
4026#ifdef ENABLE_FRAGMENT
4027/*
4028 * Close fragmentation handler.
4029 */
4030static void
4032{
4033 if (c->c2.fragment)
4034 {
4036 c->c2.fragment = NULL;
4037 }
4038}
4039#endif
4040
4041/*
4042 * Open and close our event objects.
4043 */
4044
4045static void
4046do_event_set_init(struct context *c, bool need_us_timeout)
4047{
4048 unsigned int flags = 0;
4049
4051
4052 flags |= EVENT_METHOD_FAST;
4053
4054 if (need_us_timeout)
4055 {
4056 flags |= EVENT_METHOD_US_TIMEOUT;
4057 }
4058
4059 c->c2.event_set = event_set_init(&c->c2.event_set_max, flags);
4060 c->c2.event_set_owned = true;
4061}
4062
4063static void
4065{
4066 if (c->c2.event_set && c->c2.event_set_owned)
4067 {
4069 c->c2.event_set = NULL;
4070 c->c2.event_set_owned = false;
4071 }
4072}
4073
4074/*
4075 * Open and close --status file
4076 */
4077
4078static void
4080{
4081 if (!c->c1.status_output)
4082 {
4083 c->c1.status_output =
4086 c->c1.status_output_owned = true;
4087 }
4088}
4089
4090static void
4092{
4093 if (!(c->sig->signal_received == SIGUSR1))
4094 {
4096 {
4098 c->c1.status_output = NULL;
4099 c->c1.status_output_owned = false;
4100 }
4101 }
4102}
4103
4104/*
4105 * Handle ifconfig-pool persistence object.
4106 */
4107static void
4118
4119static void
4121{
4122 if (!(c->sig->signal_received == SIGUSR1))
4123 {
4125 {
4127 c->c1.ifconfig_pool_persist = NULL;
4129 }
4130 }
4131}
4132
4133/*
4134 * Inherit environmental variables
4135 */
4136
4137static void
4138do_inherit_env(struct context *c, const struct env_set *src)
4139{
4140 c->c2.es = env_set_create(NULL);
4141 c->c2.es_owned = true;
4142 env_set_inherit(c->c2.es, src);
4143}
4144
4145static void
4147{
4148 if (c->c2.es && c->c2.es_owned)
4149 {
4150 env_set_destroy(c->c2.es);
4151 c->c2.es = NULL;
4152 c->c2.es_owned = false;
4153 }
4154}
4155
4156/*
4157 * Fast I/O setup. Fast I/O is an optimization which only works
4158 * if all of the following are true:
4159 *
4160 * (1) The platform is not Windows
4161 * (2) --proto udp is enabled
4162 * (3) --shaper is disabled
4163 */
4164static void
4166{
4167 if (c->options.fast_io)
4168 {
4169#ifdef _WIN32
4170 msg(M_INFO, "NOTE: --fast-io is disabled since we are running on Windows");
4171#else
4172 if (c->options.shaper)
4173 {
4174 msg(M_INFO, "NOTE: --fast-io is disabled since we are using --shaper");
4175 }
4176 else
4177 {
4178 c->c2.fast_io = true;
4179 }
4180#endif
4181 }
4182}
4183
4184static void
4186{
4187 if (c->options.tls_exit)
4188 {
4189 c->c2.tls_exit_signal = SIGTERM;
4190 }
4191 else
4192 {
4193 c->c2.tls_exit_signal = SIGUSR1;
4194 }
4195}
4196
4197#ifdef ENABLE_PLUGIN
4198
4199void
4201{
4202 if (c->options.plugin_list && !c->plugins)
4203 {
4205 c->plugins_owned = true;
4206 }
4207}
4208
4209void
4210open_plugins(struct context *c, const bool import_options, int init_point)
4211{
4212 if (c->plugins && c->plugins_owned)
4213 {
4214 if (import_options)
4215 {
4216 struct plugin_return pr, config;
4217 plugin_return_init(&pr);
4218 plugin_list_open(c->plugins, c->options.plugin_list, &pr, c->c2.es, init_point);
4219 plugin_return_get_column(&pr, &config, "config");
4220 if (plugin_return_defined(&config))
4221 {
4222 int i;
4223 for (i = 0; i < config.n; ++i)
4224 {
4225 unsigned int option_types_found = 0;
4226 if (config.list[i] && config.list[i]->value)
4227 {
4229 &c->options, config.list[i]->value, D_IMPORT_ERRORS | M_OPTERR,
4230 OPT_P_DEFAULT & ~OPT_P_PLUGIN, &option_types_found, c->es);
4231 }
4232 }
4233 }
4234 plugin_return_free(&pr);
4235 }
4236 else
4237 {
4238 plugin_list_open(c->plugins, c->options.plugin_list, NULL, c->c2.es, init_point);
4239 }
4240 }
4241}
4242
4243static void
4245{
4246 if (c->plugins && c->plugins_owned && !(c->sig->signal_received == SIGUSR1))
4247 {
4249 c->plugins = NULL;
4250 c->plugins_owned = false;
4251 }
4252}
4253
4254static void
4255do_inherit_plugins(struct context *c, const struct context *src)
4256{
4257 if (!c->plugins && src->plugins)
4258 {
4260 c->plugins_owned = true;
4261 }
4262}
4263
4264#endif /* ifdef ENABLE_PLUGIN */
4265
4266#ifdef ENABLE_MANAGEMENT
4267
4268static void
4269management_callback_status_p2p(void *arg, const int version, struct status_output *so)
4270{
4271 struct context *c = (struct context *)arg;
4272 print_status(c, so);
4273}
4274
4275void
4276management_show_net_callback(void *arg, const int msglevel)
4277{
4278#ifdef _WIN32
4279 show_routes(msglevel);
4280 show_adapters(msglevel);
4281 msg(msglevel, "END");
4282#else
4283 msg(msglevel, "ERROR: Sorry, this command is currently only implemented on Windows");
4284#endif
4285}
4286
4287#ifdef TARGET_ANDROID
4288int
4289management_callback_network_change(void *arg, bool samenetwork)
4290{
4291 /* Check if the client should translate the network change to a SIGUSR1 to
4292 * reestablish the connection or just reprotect the socket
4293 *
4294 * At the moment just assume that, for all settings that use pull (not
4295 * --static) and are not using peer-id reestablishing the connection is
4296 * required (unless the network is the same)
4297 *
4298 * The function returns -1 on invalid fd and -2 if the socket cannot be
4299 * reused. On the -2 return value the man_network_change function triggers
4300 * a SIGUSR1 to force a reconnect.
4301 */
4302
4303 int socketfd = -1;
4304 struct context *c = (struct context *)arg;
4305 if (!c->c2.link_sockets || !c->c2.link_sockets[0])
4306 {
4307 return -1;
4308 }
4309 if (c->c2.link_sockets[0]->sd == SOCKET_UNDEFINED)
4310 {
4311 return -1;
4312 }
4313
4314 /* On some newer Android handsets, changing to a different network
4315 * often does not trigger a TCP reset but continue using the old
4316 * connection (e.g. using mobile connection when WiFi becomes available */
4317 struct link_socket_info *lsi = get_link_socket_info(c);
4318 if (lsi && proto_is_tcp(lsi->proto) && !samenetwork)
4319 {
4320 return -2;
4321 }
4322
4323 socketfd = c->c2.link_sockets[0]->sd;
4324 if (!c->options.pull || c->c2.tls_multi->use_peer_id || samenetwork)
4325 {
4326 return socketfd;
4327 }
4328 else
4329 {
4330 return -2;
4331 }
4332}
4333#endif /* ifdef TARGET_ANDROID */
4334
4335#endif /* ifdef ENABLE_MANAGEMENT */
4336
4337void
4339{
4340#ifdef ENABLE_MANAGEMENT
4341 if (management)
4342 {
4343 struct management_callback cb;
4344 CLEAR(cb);
4345 cb.arg = c;
4351#ifdef TARGET_ANDROID
4352 cb.network_change = management_callback_network_change;
4353#endif
4357 }
4358#endif
4359}
4360
4361#ifdef ENABLE_MANAGEMENT
4362
4363void
4365{
4366 if (!management)
4367 {
4369 }
4370}
4371
4372bool
4374{
4375 /* initialize management layer */
4376 if (management)
4377 {
4378 if (c->options.management_addr)
4379 {
4380 unsigned int flags = c->options.management_flags;
4381 if (c->options.mode == MODE_SERVER)
4382 {
4383 flags |= MF_SERVER;
4384 }
4385 if (management_open(
4391 {
4393 NULL);
4394 }
4395
4396 /* initial management hold, called early, before first context initialization */
4397 do_hold(0);
4398 if (IS_SIG(c))
4399 {
4400 msg(M_WARN, "Signal received from management interface, exiting");
4401 return false;
4402 }
4403 }
4404 else
4405 {
4407 }
4408 }
4409 return true;
4410}
4411
4412void
4414{
4415 if (management)
4416 {
4418 management = NULL;
4419 }
4420}
4421
4422#endif /* ifdef ENABLE_MANAGEMENT */
4423
4424
4425void
4427{
4428#ifdef ENABLE_MANAGEMENT
4429 if (management)
4430 {
4432 }
4433#endif
4434}
4435
4436void
4438{
4439#ifdef ENABLE_MANAGEMENT
4440 if (management)
4441 {
4443 }
4444#endif
4445}
4446
4447/*
4448 * Initialize a tunnel instance, handle pre and post-init
4449 * signal settings.
4450 */
4451void
4452init_instance_handle_signals(struct context *c, const struct env_set *env, const unsigned int flags)
4453{
4455 init_instance(c, env, flags);
4457
4458 /*
4459 * This is done so that signals thrown during
4460 * initialization can bring us back to
4461 * a management hold.
4462 */
4463 if (IS_SIG(c))
4464 {
4465 remap_signal(c);
4467 }
4468}
4469
4470/*
4471 * Initialize a tunnel instance.
4472 */
4473void
4474init_instance(struct context *c, const struct env_set *env, const unsigned int flags)
4475{
4476 const struct options *options = &c->options;
4477 const bool child = (c->mode == CM_CHILD_TCP || c->mode == CM_CHILD_UDP);
4478
4479 /* init garbage collection level */
4480 gc_init(&c->c2.gc);
4481
4482 /* inherit environmental variables */
4483 if (env)
4484 {
4485 do_inherit_env(c, env);
4486 }
4487
4488 if (c->mode == CM_P2P)
4489 {
4491 }
4492
4493 /* possible sleep or management hold if restart */
4494 if (c->mode == CM_P2P || c->mode == CM_TOP)
4495 {
4497 if (IS_SIG(c))
4498 {
4499 goto sig;
4500 }
4501 }
4502
4504 {
4505 do_preresolve(c);
4506 if (IS_SIG(c))
4507 {
4508 goto sig;
4509 }
4510 }
4511
4512 /* Resets all values to the initial values from the config where needed */
4513 pre_connect_restore(&c->options, &c->c2.gc);
4514
4515 /* map in current connection entry */
4517
4518 /* should we disable paging? */
4519 if (c->first_time && options->mlock)
4520 {
4521 platform_mlockall(true);
4522 }
4523
4524 /* get passwords if undefined */
4525 if (auth_retry_get() == AR_INTERACT)
4526 {
4528 }
4529
4530 /* initialize context level 2 --verb/--mute parms */
4532
4533 /* set error message delay for non-server modes */
4534 if (c->mode == CM_P2P)
4535 {
4537 }
4538
4539 /* warn about inconsistent options */
4540 if (c->mode == CM_P2P || c->mode == CM_TOP)
4541 {
4543 }
4544
4545#ifdef ENABLE_PLUGIN
4546 /* initialize plugins */
4547 if (c->mode == CM_P2P || c->mode == CM_TOP)
4548 {
4549 open_plugins(c, false, OPENVPN_PLUGIN_INIT_PRE_DAEMON);
4550 }
4551#endif
4552
4553 /* should we enable fast I/O? */
4554 if (c->mode == CM_P2P || c->mode == CM_TOP)
4555 {
4557 }
4558
4559 /* should we throw a signal on TLS errors? */
4561
4562 /* open --status file */
4563 if (c->mode == CM_P2P || c->mode == CM_TOP)
4564 {
4566 }
4567
4568 /* open --ifconfig-pool-persist file */
4569 if (c->mode == CM_TOP)
4570 {
4572 }
4573
4574 /* reset OCC state */
4575 if (c->mode == CM_P2P || child)
4576 {
4577 c->c2.occ_op = occ_reset_op();
4578 }
4579
4580 /* our wait-for-i/o objects, different for posix vs. win32 */
4581 if (c->mode == CM_P2P || c->mode == CM_TOP)
4582 {
4584 }
4585 else if (c->mode == CM_CHILD_TCP)
4586 {
4587 do_event_set_init(c, false);
4588 }
4589
4590 /* initialize HTTP or SOCKS proxy object at scope level 2 */
4591 init_proxy(c);
4592
4593 /* allocate our socket object */
4594 if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
4595 {
4597 }
4598
4599#ifdef ENABLE_FRAGMENT
4600 /* initialize internal fragmentation object */
4601 if (options->ce.fragment && (c->mode == CM_P2P || child))
4602 {
4603 c->c2.fragment = fragment_init(&c->c2.frame);
4604 }
4605#endif
4606
4607 /* init crypto layer */
4608 {
4609 unsigned int crypto_flags = 0;
4610 if (c->mode == CM_TOP)
4611 {
4612 crypto_flags = CF_INIT_TLS_AUTH_STANDALONE;
4613 }
4614 else if (c->mode == CM_P2P)
4615 {
4617 }
4618 else if (child)
4619 {
4620 crypto_flags = CF_INIT_TLS_MULTI;
4621 }
4622 do_init_crypto(c, crypto_flags);
4623 if (IS_SIG(c) && !child)
4624 {
4625 goto sig;
4626 }
4627 }
4628
4629#ifdef USE_COMP
4630 /* initialize compression library. */
4631 if (comp_enabled(&options->comp) && (c->mode == CM_P2P || child))
4632 {
4633 c->c2.comp_context = comp_init(&options->comp);
4634 }
4635#endif
4636
4637 /* initialize MTU variables */
4638 do_init_frame(c);
4639
4640 /* initialize TLS MTU variables */
4642
4643 /* init workspace buffers whose size is derived from frame size */
4644 if (c->mode == CM_P2P || c->mode == CM_CHILD_TCP)
4645 {
4646 do_init_buffers(c);
4647 }
4648
4649#ifdef ENABLE_FRAGMENT
4650 /* initialize internal fragmentation capability with known frame size */
4651 if (options->ce.fragment && (c->mode == CM_P2P || child))
4652 {
4654 }
4655#endif
4656
4657 /* bind the TCP/UDP socket */
4658 if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
4659 {
4661 }
4662
4663 /* initialize tun/tap device object,
4664 * open tun/tap device, ifconfig, run up script, etc. */
4665 if (!(options->up_delay || PULL_DEFINED(options)) && (c->mode == CM_P2P || c->mode == CM_TOP))
4666 {
4667 int error_flags = 0;
4668 c->c2.did_open_tun = do_open_tun(c, &error_flags);
4669 }
4670
4671 /* print MTU info */
4673
4674 /* get local and remote options compatibility strings */
4675 if (c->mode == CM_P2P || child)
4676 {
4678 }
4679
4680 /* initialize output speed limiter */
4681 if (c->mode == CM_P2P)
4682 {
4684 }
4685
4686 /* do one-time inits, and possibly become a daemon here */
4688
4689#ifdef ENABLE_PLUGIN
4690 /* initialize plugins */
4691 if (c->mode == CM_P2P || c->mode == CM_TOP)
4692 {
4693 open_plugins(c, false, OPENVPN_PLUGIN_INIT_POST_DAEMON);
4694 }
4695#endif
4696
4697 /* initialise connect timeout timer */
4699
4700 /* finalize the TCP/UDP socket */
4701 if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
4702 {
4704
4705
4706 /* Update dynamic frame calculation as exact transport socket information
4707 * (IP vs IPv6) may be only available after socket phase2 has finished.
4708 * This is only needed for --static or no crypto, NCP will recalculate this
4709 * in tls_session_update_crypto_params (P2MP) */
4710 for (int i = 0; i < c->c1.link_sockets_num; i++)
4711 {
4713 &c->c2.link_sockets[i]->info);
4714 }
4715 }
4716
4717 /*
4718 * Actually do UID/GID downgrade, and chroot, if requested.
4719 * May be delayed by --client, --pull, or --up-delay.
4720 */
4722
4723 /* initialize timers */
4724 if (c->mode == CM_P2P || child)
4725 {
4726 do_init_timers(c, false);
4727 }
4728
4729#ifdef ENABLE_PLUGIN
4730 /* initialize plugins */
4731 if (c->mode == CM_P2P || c->mode == CM_TOP)
4732 {
4733 open_plugins(c, false, OPENVPN_PLUGIN_INIT_POST_UID_CHANGE);
4734 }
4735#endif
4736
4737#if PORT_SHARE
4738 /* share OpenVPN port with foreign (such as HTTPS) server */
4739 if (c->first_time && (c->mode == CM_P2P || c->mode == CM_TOP))
4740 {
4741 init_port_share(c);
4742 }
4743#endif
4744
4745 /* Check for signals */
4746 if (IS_SIG(c))
4747 {
4748 goto sig;
4749 }
4750
4751 return;
4752
4753sig:
4754 if (!c->sig->signal_text)
4755 {
4756 c->sig->signal_text = "init_instance";
4757 }
4758 close_context(c, -1, flags);
4759 return;
4760}
4761
4762/*
4763 * Close a tunnel instance.
4764 */
4765void
4767{
4768 /* close event objects */
4770
4771 if (c->mode == CM_P2P || c->mode == CM_CHILD_TCP || c->mode == CM_CHILD_UDP
4772 || c->mode == CM_TOP)
4773 {
4774#ifdef USE_COMP
4775 if (c->c2.comp_context)
4776 {
4777 comp_uninit(c->c2.comp_context);
4778 c->c2.comp_context = NULL;
4779 }
4780#endif
4781
4782 /* free buffers */
4784
4785 /* close peer for DCO if enabled, needs peer-id so must be done before
4786 * closing TLS contexts */
4787 dco_remove_peer(c);
4788
4789 /* close TLS */
4790 do_close_tls(c);
4791
4792 /* free key schedules */
4793 do_close_free_key_schedule(c, (c->mode == CM_P2P || c->mode == CM_TOP));
4794
4795 /* close TCP/UDP connection */
4797
4798 /* close TUN/TAP device */
4799 do_close_tun(c, false);
4800
4801#ifdef ENABLE_MANAGEMENT
4802 if (management)
4803 {
4805 }
4806#endif
4807
4808#ifdef ENABLE_PLUGIN
4809 /* call plugin close functions and unload */
4811#endif
4812
4813 /* close packet-id persistence file */
4815
4816 /* close --status file */
4818
4819#ifdef ENABLE_FRAGMENT
4820 /* close fragmentation handler */
4822#endif
4823
4824 /* close --ifconfig-pool-persist obj */
4826
4827 /* free up environmental variable store */
4829
4830 /* close HTTP or SOCKS proxy */
4831 uninit_proxy(c);
4832
4833 /* garbage collect */
4834 gc_free(&c->c2.gc);
4835 }
4836}
4837
4838void
4839inherit_context_child(struct context *dest, const struct context *src, struct link_socket *sock)
4840{
4841 CLEAR(*dest);
4842
4843 /* proto_is_dgram will ASSERT(0) if proto is invalid */
4845
4846 dest->gc = gc_new();
4847
4848 ALLOC_OBJ_CLEAR_GC(dest->sig, struct signal_info, &dest->gc);
4849
4850 /* c1 init */
4852 dest->c1.link_sockets_num = 1;
4854
4855 dest->c1.ks.key_type = src->c1.ks.key_type;
4856 /* inherit SSL context */
4857 dest->c1.ks.ssl_ctx = src->c1.ks.ssl_ctx;
4858 dest->c1.ks.tls_wrap_key = src->c1.ks.tls_wrap_key;
4861 /* inherit pre-NCP ciphers */
4862 dest->options.ciphername = src->options.ciphername;
4863 dest->options.authname = src->options.authname;
4864
4865 /* inherit auth-token */
4866 dest->c1.ks.auth_token_key = src->c1.ks.auth_token_key;
4867
4868 /* options */
4869 dest->options = src->options;
4870 dest->options.ce.proto = sock->info.proto;
4871 options_detach(&dest->options);
4872
4873 dest->c2.event_set = src->c2.event_set;
4874
4875 if (dest->mode == CM_CHILD_TCP)
4876 {
4877 /*
4878 * The CM_TOP context does the socket listen(),
4879 * and the CM_CHILD_TCP context does the accept().
4880 */
4881 dest->c2.accept_from = sock;
4882 }
4883
4884#ifdef ENABLE_PLUGIN
4885 /* inherit plugins */
4886 do_inherit_plugins(dest, src);
4887#endif
4888
4889 /* context init */
4890
4891 /* inherit tun/tap interface object now as it may be required
4892 * to initialize the DCO context in init_instance()
4893 */
4894 dest->c1.tuntap = src->c1.tuntap;
4895
4896 /* UDP inherits some extra things which TCP does not */
4897 if (dest->mode == CM_CHILD_UDP)
4898 {
4899 ASSERT(!dest->c2.link_sockets);
4900 ASSERT(dest->options.ce.local_list);
4901
4902 /* inherit buffers */
4903 dest->c2.buffers = src->c2.buffers;
4904
4905 ALLOC_ARRAY_GC(dest->c2.link_sockets, struct link_socket *, 1, &dest->gc);
4906
4907 /* inherit parent link_socket and tuntap */
4908 dest->c2.link_sockets[0] = sock;
4909
4910 ALLOC_ARRAY_GC(dest->c2.link_socket_infos, struct link_socket_info *, 1, &dest->gc);
4911 ALLOC_OBJ_GC(dest->c2.link_socket_infos[0], struct link_socket_info, &dest->gc);
4912 *dest->c2.link_socket_infos[0] = sock->info;
4913
4914 /* locally override some link_socket_info fields */
4915 dest->c2.link_socket_infos[0]->lsa = &dest->c1.link_socket_addrs[0];
4917 }
4918
4920 if (IS_SIG(dest))
4921 {
4922 return;
4923 }
4924}
4925
4926void
4927inherit_context_top(struct context *dest, const struct context *src)
4928{
4929 /* copy parent */
4930 *dest = *src;
4931
4932 /*
4933 * CM_TOP_CLONE will prevent close_instance from freeing or closing
4934 * resources owned by the parent.
4935 *
4936 * Also note that CM_TOP_CLONE context objects are
4937 * closed by multi_top_free in multi.c.
4938 */
4939 dest->mode = CM_TOP_CLONE;
4940
4941 dest->first_time = false;
4942 dest->c0 = NULL;
4943
4944 options_detach(&dest->options);
4945 gc_detach(&dest->gc);
4946 gc_detach(&dest->c2.gc);
4947
4948 /* detach plugins */
4949 dest->plugins_owned = false;
4950
4951 dest->c2.tls_multi = NULL;
4952
4953 /* detach c1 ownership */
4954 dest->c1.tuntap_owned = false;
4955 dest->c1.status_output_owned = false;
4956 dest->c1.ifconfig_pool_persist_owned = false;
4957
4958 /* detach c2 ownership */
4959 dest->c2.event_set_owned = false;
4960 dest->c2.link_socket_owned = false;
4961 dest->c2.buffers_owned = false;
4962 dest->c2.es_owned = false;
4963
4964 dest->c2.event_set = NULL;
4965 do_event_set_init(dest, false);
4966
4967#ifdef USE_COMP
4968 dest->c2.comp_context = NULL;
4969#endif
4970}
4971
4972void
4973close_context(struct context *c, int sig, unsigned int flags)
4974{
4975 ASSERT(c);
4976 ASSERT(c->sig);
4977
4978 if (sig >= 0)
4979 {
4980 register_signal(c->sig, sig, "close_context");
4981 }
4982
4983 if (c->sig->signal_received == SIGUSR1)
4984 {
4985 if ((flags & CC_USR1_TO_HUP)
4986 || (c->sig->source == SIG_SOURCE_HARD && (flags & CC_HARD_USR1_TO_HUP)))
4987 {
4988 register_signal(c->sig, SIGHUP, "close_context usr1 to hup");
4989 }
4990 }
4991
4992 if (!(flags & CC_NO_CLOSE))
4993 {
4994 close_instance(c);
4995 }
4996
4997 if (flags & CC_GC_FREE)
4998 {
4999 context_gc_free(c);
5000 }
5001}
5002
5003/* Write our PID to a file */
5004void
5005write_pid_file(const char *filename, const char *chroot_dir)
5006{
5007 if (filename)
5008 {
5009 unsigned int pid = 0;
5010 FILE *fp = platform_fopen(filename, "w");
5011 if (!fp)
5012 {
5013 msg(M_ERR, "Open error on pid file %s", filename);
5014 return;
5015 }
5016
5017 pid = platform_getpid();
5018 fprintf(fp, "%u\n", pid);
5019 if (fclose(fp))
5020 {
5021 msg(M_ERR, "Close error on pid file %s", filename);
5022 }
5023
5024 /* remember file name so it can be deleted "out of context" later */
5025 /* (the chroot case is more complex and not handled today) */
5026 if (!chroot_dir)
5027 {
5028 saved_pid_file_name = strdup(filename);
5030 {
5031 msg(M_FATAL, "Failed allocate memory saved_pid_file_name");
5032 }
5033 }
5034 }
5035}
5036
5037/* remove PID file on exit, called from openvpn_exit() */
5038void
5040{
5042 {
5044 }
5045}
5046
5047
5048/*
5049 * Do a loopback test
5050 * on the crypto subsystem.
5051 */
5052static void *
5054{
5055 struct context *c = (struct context *)arg;
5056 const struct options *options = &c->options;
5057
5060 context_init_1(c);
5063
5065
5067
5068 key_schedule_free(&c->c1.ks, true);
5070
5071 context_gc_free(c);
5072 return NULL;
5073}
5074
5075bool
5076do_test_crypto(const struct options *o)
5077{
5078 if (o->test_crypto)
5079 {
5080 struct context c;
5081
5082 /* print version number */
5083 msg(M_INFO, "%s", title_string);
5084
5085 context_clear(&c);
5086 c.options = *o;
5088 c.first_time = true;
5089 test_crypto_thread((void *)&c);
5090 return true;
5091 }
5092 return false;
5093}
void argv_msg(const int msglev, const struct argv *a)
Write the arguments stored in a struct argv via the msg() command.
Definition argv.c:242
void argv_parse_cmd(struct argv *argres, const char *cmdstr)
Parses a command string, tokenizes it and puts each element into a separate struct argv argument slot...
Definition argv.c:481
void argv_free(struct argv *a)
Frees all memory allocations allocated by the struct argv related functions.
Definition argv.c:101
bool argv_printf(struct argv *argres, const char *format,...)
printf() variant which populates a struct argv.
Definition argv.c:438
bool argv_printf_cat(struct argv *argres, const char *format,...)
printf() inspired argv concatenation.
Definition argv.c:462
struct argv argv_new(void)
Allocates a new struct argv and ensures it is initialised.
Definition argv.c:87
void auth_token_write_server_key_file(const char *filename)
Generate a auth-token server secret key, and write to file.
Definition auth_token.c:118
void auth_token_init_secret(struct key_ctx *key_ctx, const char *key_file, bool key_inline)
Loads an HMAC secret from a file or if no file is present generates a epheremal secret for the run ti...
Definition auth_token.c:124
void free_buf(struct buffer *buf)
Definition buffer.c:184
void buf_clear(struct buffer *buf)
Definition buffer.c:163
bool buf_printf(struct buffer *buf, const char *format,...)
Definition buffer.c:241
void string_clear(char *str)
Definition buffer.c:691
struct buffer alloc_buf_gc(size_t size, struct gc_arena *gc)
Definition buffer.c:89
struct buffer alloc_buf(size_t size)
Definition buffer.c:63
char * string_alloc(const char *str, struct gc_arena *gc)
Definition buffer.c:649
static void gc_detach(struct gc_arena *a)
Definition buffer.h:1001
#define BSTR(buf)
Definition buffer.h:128
#define ALLOC_ARRAY_GC(dptr, type, n, gc)
Definition buffer.h:1053
#define ALLOC_ARRAY_CLEAR_GC(dptr, type, n, gc)
Definition buffer.h:1064
static void gc_init(struct gc_arena *a)
Definition buffer.h:994
static void buf_set_write(struct buffer *buf, uint8_t *data, int size)
Definition buffer.h:331
static int buf_len(const struct buffer *buf)
Definition buffer.h:253
#define ALLOC_OBJ_CLEAR_GC(dptr, type, gc)
Definition buffer.h:1079
#define ALLOC_OBJ_GC(dptr, type, gc)
Definition buffer.h:1074
static void strncpynt(char *dest, const char *src, size_t maxlen)
Definition buffer.h:361
static void check_malloc_return(void *p)
Definition buffer.h:1085
static void gc_free(struct gc_arena *a)
Definition buffer.h:1015
#define ALLOC_OBJ_CLEAR(dptr, type)
Definition buffer.h:1042
static struct gc_arena gc_new(void)
Definition buffer.h:1007
#define PUSH_BUNDLE_SIZE
Definition common.h:87
bool check_compression_settings_valid(struct compress_options *info, int msglevel)
Checks if the compression settings are valid.
Definition comp.c:162
char * basename(char *filename)
int daemon(int nochdir, int noclose)
void free_key_ctx_bi(struct key_ctx_bi *ctx)
Definition crypto.c:1094
long int get_random(void)
Definition crypto.c:1716
void init_key_type(struct key_type *kt, const char *ciphername, const char *authname, bool tls_mode, bool warn)
Initialize a key_type structure with.
Definition crypto.c:869
int write_key_file(const int nkeys, const char *filename)
Write nkeys 1024-bits keys to file.
Definition crypto.c:1536
unsigned int crypto_max_overhead(void)
Return the worst-case OpenVPN crypto overhead (in bytes)
Definition crypto.c:844
void test_crypto(struct crypto_options *co, struct frame *frame)
Definition crypto.c:1193
void crypto_read_openvpn_key(const struct key_type *key_type, struct key_ctx_bi *ctx, const char *key_file, bool key_inline, const int key_direction, const char *key_name, const char *opt_name, struct key2 *keydata)
Definition crypto.c:1284
void free_key_ctx(struct key_ctx *ctx)
Definition crypto.c:1075
#define CO_PACKET_ID_LONG_FORM
Bit-flag indicating whether to use OpenVPN's long packet ID format.
Definition crypto.h:345
#define CO_USE_TLS_KEY_MATERIAL_EXPORT
Bit-flag indicating that data channel key derivation is done using TLS keying material export [RFC570...
Definition crypto.h:357
#define CO_USE_DYNAMIC_TLS_CRYPT
Bit-flag indicating that renegotiations are using tls-crypt with a TLS-EKM derived key.
Definition crypto.h:373
#define CO_EPOCH_DATA_KEY_FORMAT
Bit-flag indicating the epoch the data format.
Definition crypto.h:377
#define CO_MUTE_REPLAY_WARNINGS
Bit-flag indicating not to display replay warnings.
Definition crypto.h:354
#define CO_FORCE_TLSCRYPTV2_COOKIE
Bit-flag indicating that we do not allow clients that do not support resending the wrapped client key...
Definition crypto.h:365
#define CO_USE_CC_EXIT_NOTIFY
Bit-flag indicating that explicit exit notifies should be sent via the control channel instead of usi...
Definition crypto.h:369
static bool key_ctx_bi_defined(const struct key_ctx_bi *key)
Definition crypto.h:644
void show_available_engines(void)
bool cipher_kt_mode_aead(const char *ciphername)
Check if the supplied cipher is a supported AEAD mode cipher.
void show_available_ciphers(void)
bool md_valid(const char *digest)
Return if a message digest parameters is valid given the name of the digest.
bool cipher_kt_mode_ofb_cfb(const char *ciphername)
Check if the supplied cipher is a supported OFB or CFB mode cipher.
const char * md_kt_name(const char *mdname)
Retrieve a string describing the digest digest (e.g.
const char * cipher_kt_name(const char *ciphername)
Retrieve a normalised string describing the cipher (e.g.
void crypto_init_lib_engine(const char *engine_name)
void md_ctx_cleanup(md_ctx_t *ctx)
void show_available_digests(void)
void md_ctx_free(md_ctx_t *ctx)
#define DCO_DEFAULT_METRIC
Definition dco.h:47
static bool dco_supports_epoch_data(struct context *c)
Definition dco.h:389
static void dco_remove_peer(struct context *c)
Definition dco.h:350
static bool ovpn_dco_init(struct context *c)
Definition dco.h:294
static int dco_p2p_add_new_peer(struct context *c)
Definition dco.h:337
static bool dco_check_pull_options(int msglevel, const struct options *o)
Definition dco.h:288
void run_dns_up_down(bool up, struct options *o, const struct tuntap *tt, struct dns_updown_runner_info *duri)
Invokes the action associated with bringing DNS up or down.
Definition dns.c:848
void env_set_destroy(struct env_set *es)
Definition env_set.c:166
void setenv_int(struct env_set *es, const char *name, int value)
Definition env_set.c:291
void setenv_str(struct env_set *es, const char *name, const char *value)
Definition env_set.c:307
void env_set_inherit(struct env_set *es, const struct env_set *src)
Definition env_set.c:262
struct env_set * env_set_create(struct gc_arena *gc)
Definition env_set.c:156
#define D_MTU_DEBUG
Definition errlevel.h:125
#define D_SHOW_OCC
Definition errlevel.h:150
#define D_PUSH
Definition errlevel.h:82
#define D_SHOW_NET
Definition errlevel.h:131
#define P2P_ERROR_DELAY_MS
Definition errlevel.h:40
#define D_RESTART
Definition errlevel.h:81
#define D_IMPORT_ERRORS
Definition errlevel.h:63
#define D_CLOSE
Definition errlevel.h:72
#define D_PUSH_DEBUG
Definition errlevel.h:149
#define D_DCO
Definition errlevel.h:93
#define D_HANDSHAKE
Definition errlevel.h:71
#define D_GENKEY
Definition errlevel.h:78
#define D_MTU_INFO
Definition errlevel.h:104
#define D_PUSH_ERRORS
Definition errlevel.h:66
#define D_INIT_MEDIUM
Definition errlevel.h:103
#define D_TLS_ERRORS
Definition errlevel.h:58
#define D_READ_WRITE
Definition errlevel.h:166
#define M_INFO
Definition errlevel.h:54
#define D_LOG_RW
Definition errlevel.h:109
#define D_ROUTE
Definition errlevel.h:79
#define D_LINK_ERRORS
Definition errlevel.h:56
struct event_set * event_set_init(int *maxevents, unsigned int flags)
Definition event.c:1167
#define EVENT_METHOD_FAST
Definition event.h:82
#define EVENT_METHOD_US_TIMEOUT
Definition event.h:81
static void event_free(struct event_set *es)
Definition event.h:162
bool send_control_channel_string(struct context *c, const char *str, int msglevel)
Definition forward.c:398
Interface functions to the internal and external multiplexers.
static struct link_socket_info * get_link_socket_info(struct context *c)
Definition forward.h:332
struct tls_auth_standalone * tls_auth_standalone_init(struct tls_options *tls_options, struct gc_arena *gc)
Definition ssl.c:1184
void tls_init_control_channel_frame_parameters(struct frame *frame, int tls_mtu)
Definition ssl.c:142
void tls_multi_free(struct tls_multi *multi, bool clear)
Cleanup a tls_multi structure and free associated memory allocations.
Definition ssl.c:1236
struct tls_multi * tls_multi_init(struct tls_options *tls_options)
Allocate and initialize a tls_multi structure.
Definition ssl.c:1155
void tls_multi_init_finalize(struct tls_multi *multi, int tls_mtu)
Finalize initialization of a tls_multi structure.
Definition ssl.c:1170
void tls_auth_standalone_free(struct tls_auth_standalone *tas)
Frees a standalone tls-auth verification object.
Definition ssl.c:1209
#define TM_ACTIVE
Active tls_session.
Definition ssl_common.h:545
void tls_multi_init_set_options(struct tls_multi *multi, const char *local, const char *remote)
Definition ssl.c:1225
void fragment_frame_init(struct fragment_master *f, const struct frame *frame)
Allocate internal packet buffers for a fragment_master structure.
Definition fragment.c:125
struct fragment_master * fragment_init(struct frame *frame)
Allocate and initialize a fragment_master structure.
Definition fragment.c:92
void fragment_free(struct fragment_master *f)
Free a fragment_master structure and its internal packet buffers.
Definition fragment.c:116
void tls_crypt_init_key(struct key_ctx_bi *key, struct key2 *keydata, const char *key_file, bool key_inline, bool tls_server)
Initialize a key_ctx_bi structure for use with --tls-crypt.
Definition tls_crypt.c:60
void tls_crypt_v2_init_server_key(struct key_ctx *key_ctx, bool encrypt, const char *key_file, bool key_inline)
Initialize a tls-crypt-v2 server key (used to encrypt/decrypt client keys).
Definition tls_crypt.c:338
void tls_crypt_v2_write_client_key_file(const char *filename, const char *b64_metadata, const char *server_key_file, bool server_key_inline)
Generate a tls-crypt-v2 client key, and write to file.
Definition tls_crypt.c:661
void tls_crypt_v2_write_server_key_file(const char *filename)
Generate a tls-crypt-v2 server key, and write to file.
Definition tls_crypt.c:655
int tls_crypt_buf_overhead(void)
Returns the maximum overhead (in bytes) added to the destination buffer by tls_crypt_wrap().
Definition tls_crypt.c:54
void tls_crypt_v2_init_client_key(struct key_ctx_bi *key, struct key2 *original_key, struct buffer *wkc_buf, const char *key_file, bool key_inline)
Initialize a tls-crypt-v2 client key.
Definition tls_crypt.c:315
void uninit_management_callback(void)
Definition init.c:4426
static void uninit_proxy(struct context *c)
Definition init.c:722
bool open_management(struct context *c)
Definition init.c:4373
static void do_init_first_time(struct context *c)
Definition init.c:3859
static void do_init_route_list(const struct options *options, struct route_list *route_list, const struct link_socket_info *link_socket_info, struct env_set *es, openvpn_net_ctx_t *ctx)
Definition init.c:1456
static void do_init_tls_wrap_key(struct context *c)
Definition init.c:3067
static bool management_callback_remote_cmd(void *arg, const char **p)
Definition init.c:364
bool do_genkey(const struct options *options)
Definition init.c:1016
static void next_connection_entry(struct context *c)
Definition init.c:510
static bool can_preserve_tun(struct tuntap *tt)
Definition init.c:1767
void initialization_sequence_completed(struct context *c, const unsigned int flags)
Definition init.c:1547
void open_plugins(struct context *c, const bool import_options, int init_point)
Definition init.c:4210
static void do_setup_fast_io(struct context *c)
Definition init.c:4165
static void tls_print_deferred_options_results(struct context *c)
Prints the results of options imported for the data channel.
Definition init.c:2200
static const char * saved_pid_file_name
Definition init.c:62
void init_verb_mute(struct context *c, unsigned int flags)
Definition init.c:944
static void do_uid_gid_chroot(struct context *c, bool no_delay)
Definition init.c:1198
const char * format_common_name(struct context *c, struct gc_arena *gc)
Definition init.c:1281
static void do_close_link_socket(struct context *c)
Definition init.c:3956
static unsigned int management_callback_remote_entry_count(void *arg)
Definition init.c:320
static void do_signal_on_tls_errors(struct context *c)
Definition init.c:4185
static void do_init_crypto_static(struct context *c, const unsigned int flags)
Definition init.c:3023
static void key_schedule_free(struct key_schedule *ks, bool free_ssl_ctx)
Definition init.c:2983
static void do_init_tun(struct context *c)
Definition init.c:1722
static void do_option_warnings(struct context *c)
Definition init.c:3575
void init_instance(struct context *c, const struct env_set *env, const unsigned int flags)
Definition init.c:4474
static void do_link_socket_addr_new(struct context *c)
Definition init.c:728
void close_instance(struct context *c)
Definition init.c:4766
static void do_init_route_ipv6_list(const struct options *options, struct route_ipv6_list *route_ipv6_list, const struct link_socket_info *link_socket_info, struct env_set *es, openvpn_net_ctx_t *ctx)
Definition init.c:1495
static void do_init_frame(struct context *c)
Definition init.c:3529
void persist_client_stats(struct context *c)
Definition init.c:4437
void inherit_context_top(struct context *dest, const struct context *src)
Definition init.c:4927
void context_clear_1(struct context *c)
Definition init.c:82
static bool ce_management_query_proxy(struct context *c)
Definition init.c:247
static void do_init_crypto(struct context *c, const unsigned int flags)
Definition init.c:3512
static void do_init_frame_tls(struct context *c)
Definition init.c:3471
static void do_init_traffic_shaper(struct context *c)
Definition init.c:1422
static bool route_noexec_enabled(const struct options *o, const struct tuntap *tt)
Determine if external route commands should be executed based on configured options and backend drive...
Definition init.c:1657
static bool ifconfig_noexec_enabled(const struct context *c)
Determines if ifconfig execution should be disabled because of a.
Definition init.c:1834
static void clear_remote_addrlist(struct link_socket_addr *lsa, bool free)
Definition init.c:496
bool do_test_crypto(const struct options *o)
Definition init.c:5076
static void do_print_data_channel_mtu_parms(struct context *c)
Definition init.c:3815
void init_plugins(struct context *c)
Definition init.c:4200
void free_context_buffers(struct context_buffers *b)
Definition init.c:3696
static void init_crypto_pre(struct context *c, const unsigned int flags)
Definition init.c:2995
static void do_init_timers(struct context *c, bool deferred)
Definition init.c:1339
#define CF_LOAD_PERSISTED_PACKET_ID
Definition init.c:67
static void do_alloc_route_list(struct context *c)
Definition init.c:1438
static void do_close_status_output(struct context *c)
Definition init.c:4091
static void do_event_set_init(struct context *c, bool need_us_timeout)
Definition init.c:4046
static struct context * static_context
Definition init.c:61
static void do_init_fragment(struct context *c)
Definition init.c:3733
#define CF_INIT_TLS_MULTI
Definition init.c:68
void context_init_1(struct context *c)
Definition init.c:735
static void * test_crypto_thread(void *arg)
Definition init.c:5053
void pre_setup(const struct options *options)
Definition init.c:1292
static void do_link_socket_new(struct context *c)
Definition init.c:3754
static void do_close_free_key_schedule(struct context *c, bool free_ssl_ctx)
Definition init.c:3934
static bool management_callback_proxy_cmd(void *arg, const char **p)
Definition init.c:201
static void del_wfp_block(struct context *c, unsigned long adapter_index)
Remove any WFP block filters previously added.
Definition init.c:1815
void reset_coarse_timers(struct context *c)
Definition init.c:1315
static void do_open_ifconfig_pool_persist(struct context *c)
Definition init.c:4108
static void do_close_ifconfig_pool_persist(struct context *c)
Definition init.c:4120
static void do_close_tun(struct context *c, bool force)
Definition init.c:2050
void init_management(void)
Definition init.c:4364
void uninit_static(void)
Definition init.c:926
void init_instance_handle_signals(struct context *c, const struct env_set *env, const unsigned int flags)
Definition init.c:4452
bool do_update(struct context *c, unsigned int option_types_found)
A simplified version of the do_up() function.
Definition init.c:2486
static void do_init_crypto_tls(struct context *c, const unsigned int flags)
Definition init.c:3234
void write_pid_file(const char *filename, const char *chroot_dir)
Definition init.c:5005
void context_gc_free(struct context *c)
Definition init.c:786
static void socket_restart_pause(struct context *c)
Definition init.c:2782
static void do_open_status_output(struct context *c)
Definition init.c:4079
void init_options_dev(struct options *options)
Definition init.c:967
static void do_close_free_buf(struct context *c)
Definition init.c:3893
void init_query_passwords(const struct context *c)
Query for private key and auth-user-pass username/passwords.
Definition init.c:640
bool do_deferred_options(struct context *c, const unsigned int found, const bool is_update)
Definition init.c:2600
void inherit_context_child(struct context *dest, const struct context *src, struct link_socket *sock)
Definition init.c:4839
static void do_compute_occ_strings(struct context *c)
Definition init.c:3830
void context_clear_2(struct context *c)
Definition init.c:88
static void do_close_fragment(struct context *c)
Definition init.c:4031
void context_clear(struct context *c)
Definition init.c:76
static void update_options_ce_post(struct options *options)
Definition init.c:183
static void do_init_crypto_none(struct context *c)
Definition init.c:3497
static void management_callback_status_p2p(void *arg, const int version, struct status_output *so)
Definition init.c:4269
void remove_pid_file(void)
Definition init.c:5039
static void add_delim_if_non_empty(struct buffer *buf, const char *header)
Helper function for tls_print_deferred_options_results Adds the ", " delimitor if there already some ...
Definition init.c:2186
bool print_openssl_info(const struct options *options)
Definition init.c:978
void close_context(struct context *c, int sig, unsigned int flags)
Definition init.c:4973
static bool ce_management_query_remote(struct context *c)
Definition init.c:414
static void open_tun_backend(struct context *c)
Definition init.c:1842
static void do_close_event_set(struct context *c)
Definition init.c:4064
bool do_persist_tuntap(struct options *options, openvpn_net_ctx_t *ctx)
Definition init.c:1097
static bool do_hold(int holdtime)
Definition init.c:2763
bool do_up(struct context *c, bool pulled_options, unsigned int option_types_found)
Definition init.c:2351
void tun_abort(void)
Definition init.c:2154
static void do_init_server_poll_timeout(struct context *c)
Definition init.c:1326
static void do_close_plugins(struct context *c)
Definition init.c:4244
static void do_init_socket_phase1(struct context *c)
Definition init.c:3771
bool init_static(void)
Definition init.c:824
static void do_init_crypto_tls_c1(struct context *c)
Definition init.c:3139
static void frame_finalize_options(struct context *c, const struct options *o)
Definition init.c:2902
static void uninit_proxy_dowork(struct context *c)
Definition init.c:667
static bool options_hash_changed_or_zero(const struct sha256_digest *a, const struct sha256_digest *b)
Helper for do_up().
Definition init.c:2173
static void add_wfp_block(struct context *c)
Add WFP filters to block traffic to local networks.
Definition init.c:1789
static void do_close_tun_simple(struct context *c)
Definition init.c:2020
static void do_inherit_plugins(struct context *c, const struct context *src)
Definition init.c:4255
static void run_up_down(const char *command, const struct plugin_list *plugins, int plugin_type, const char *arg, DWORD adapter_index, const char *dev_type, int tun_mtu, const char *ifconfig_local, const char *ifconfig_remote, const char *context, const char *signal_text, const char *script_type, struct env_set *es)
Definition init.c:108
static void do_init_socket_phase2(struct context *c)
Definition init.c:3803
bool possibly_become_daemon(const struct options *options)
Definition init.c:1156
static bool management_callback_remote_entry_get(void *arg, unsigned int index, char **remote)
Definition init.c:330
static void init_connection_list(struct context *c)
Definition init.c:470
static void init_proxy_dowork(struct context *c)
Definition init.c:684
static void do_close_packet_id(struct context *c)
Definition init.c:4016
static void do_startup_pause(struct context *c)
Definition init.c:2859
static size_t get_frame_mtu(struct context *c, const struct options *o)
Definition init.c:2872
static bool do_deferred_p2p_ncp(struct context *c)
Definition init.c:2555
#define CF_INIT_TLS_AUTH_STANDALONE
Definition init.c:69
unsigned int pull_permission_mask(const struct context *c)
Definition init.c:2539
static bool do_deferred_options_part2(struct context *c)
This function is expected to be invoked after open_tun() was performed.
Definition init.c:2328
static void do_env_set_destroy(struct context *c)
Definition init.c:4146
static void do_init_buffers(struct context *c)
Definition init.c:3721
static void init_proxy(struct context *c)
Definition init.c:716
void init_management_callback_p2p(struct context *c)
Definition init.c:4338
void management_show_net_callback(void *arg, const int msglevel)
Definition init.c:4276
static bool management_callback_send_cc_message(void *arg, const char *command, const char *parameters)
This method sends a custom control channel message.
Definition init.c:297
bool do_route(const struct options *options, struct route_list *route_list, struct route_ipv6_list *route_ipv6_list, const struct tuntap *tt, const struct plugin_list *plugins, struct env_set *es, openvpn_net_ctx_t *ctx)
Definition init.c:1668
static void do_inherit_env(struct context *c, const struct env_set *src)
Definition init.c:4138
void context_clear_all_except_first_time(struct context *c)
Definition init.c:94
struct context_buffers * init_context_buffers(const struct frame *frame)
Definition init.c:3671
static bool do_open_tun(struct context *c, int *error_flags)
Definition init.c:1864
static void do_close_tls(struct context *c)
Definition init.c:3907
void close_management(void)
Definition init.c:4413
#define ISC_ERRORS
Definition init.h:126
#define CC_GC_FREE
Definition init.h:115
#define IVM_LEVEL_2
Definition init.h:49
#define ISC_ROUTE_ERRORS
Definition init.h:128
#define IVM_LEVEL_1
Definition init.h:48
#define CC_USR1_TO_HUP
Definition init.h:116
#define BASE_N_EVENTS
Definition init.h:32
#define CC_HARD_USR1_TO_HUP
Definition init.h:117
#define ISC_SERVER
Definition init.h:127
#define CC_NO_CLOSE
Definition init.h:118
static int min_int(int x, int y)
Definition integer.h:105
static int max_int(int x, int y)
Definition integer.h:92
static SERVICE_STATUS status
Definition interactive.c:51
void interval_init(struct interval *top, int horizon, int refresh)
Definition interval.c:34
static void event_timeout_init(struct event_timeout *et, interval_t n, const time_t last)
Initialises a timer struct.
Definition interval.h:172
static void event_timeout_clear(struct event_timeout *et)
Clears the timeout and reset all values to 0.
Definition interval.h:153
int set_lladdr(openvpn_net_ctx_t *ctx, const char *ifname, const char *lladdr, const struct env_set *es)
Definition lladdr.c:17
void management_pre_tunnel_close(struct management *man)
Definition manage.c:3097
void management_notify_client_close(struct management *management, struct man_def_auth_context *mdac, const struct env_set *es)
Definition manage.c:3015
void management_clear_callback(struct management *man)
Definition manage.c:2769
bool management_hold(struct management *man, int holdtime)
Definition manage.c:3823
struct management * management_init(void)
Definition manage.c:2699
void management_event_loop_n_seconds(struct management *man, int sec)
Definition manage.c:3452
void management_close(struct management *man)
Definition manage.c:2752
void management_set_state(struct management *man, const int state, const char *detail, const in_addr_t *tun_local_ip, const struct in6_addr *tun_local_ip6, const struct openvpn_sockaddr *local, const struct openvpn_sockaddr *remote)
Definition manage.c:2778
bool management_open(struct management *man, const char *addr, const char *port, const char *pass_file, const char *client_user, const char *client_group, const int log_history_cache, const int echo_buffer_size, const int state_buffer_size, const int remap_sigusr1, const unsigned int flags)
Definition manage.c:2713
void management_notify_generic(struct management *man, const char *str)
Definition manage.c:2929
void man_persist_client_stats(struct management *man, struct context *c)
Definition manage.c:4221
void management_set_callback(struct management *man, const struct management_callback *cb)
Definition manage.c:2762
void management_up_down(struct management *man, const char *updown, const struct env_set *es)
Definition manage.c:2913
void management_sleep(const int n)
A sleep function that services the management layer for n seconds rather than doing nothing.
Definition manage.c:4131
void management_post_tunnel_open(struct management *man, const in_addr_t tun_local_ip)
Definition manage.c:3074
static bool management_query_remote_enabled(const struct management *man)
Definition manage.h:425
#define OPENVPN_STATE_CONNECTING
Definition manage.h:449
static bool management_query_proxy_enabled(const struct management *man)
Definition manage.h:431
#define OPENVPN_STATE_CONNECTED
Definition manage.h:452
#define MF_SERVER
Definition manage.h:27
void set_std_files_to_null(bool stdin_only)
Definition misc.c:55
#define GET_USER_PASS_MANAGEMENT
Definition misc.h:110
#define GET_USER_PASS_NEED_OK
Definition misc.h:113
static bool get_user_pass(struct user_pass *up, const char *auth_file, const char *prefix, const unsigned int flags)
Retrieves the user credentials from various sources depending on the flags.
Definition misc.h:150
void frame_calculate_dynamic(struct frame *frame, struct key_type *kt, const struct options *options, struct link_socket_info *lsi)
Set the –mssfix option.
Definition mss.c:322
void frame_print(const struct frame *frame, int level, const char *prefix)
Definition mtu.c:190
size_t frame_calculate_protocol_header_size(const struct key_type *kt, const struct options *options, bool occ)
Calculates the size of the OpenVPN protocol header.
Definition mtu.c:61
#define TUN_MTU_MAX_MIN
Definition mtu.h:74
#define BUF_SIZE(f)
Definition mtu.h:178
#define TUN_MTU_MIN
Definition mtu.h:59
static const char * np(const char *str)
Definition multi-auth.c:146
void * openvpn_net_ctx_t
Definition networking.h:38
#define OCC_MTU_LOAD_INTERVAL_SECONDS
Definition occ.h:61
static int occ_reset_op(void)
Definition occ.h:101
#define OCC_INTERVAL_SECONDS
Definition occ.h:45
#define CLEAR(x)
Definition basic.h:32
void error_reset(void)
Definition error.c:160
bool set_mute_cutoff(const int cutoff)
Definition error.c:122
void set_check_status(unsigned int info_level, unsigned int verbose_level)
Definition error.c:614
void reset_check_status(void)
Definition error.c:607
bool set_debug_level(const int level, const unsigned int flags)
Definition error.c:104
#define M_OPTERR
Definition error.h:99
#define SDL_CONSTRAIN
Definition error.h:199
#define M_NOPREFIX
Definition error.h:96
#define M_USAGE
Definition error.h:105
#define M_FATAL
Definition error.h:88
static bool check_debug_level(unsigned int level)
Definition error.h:257
static void set_check_status_error_delay(unsigned int milliseconds)
Definition error.h:321
#define M_NONFATAL
Definition error.h:89
#define M_ERR
Definition error.h:104
#define msg(flags,...)
Definition error.h:150
#define ASSERT(x)
Definition error.h:217
#define M_WARN
Definition error.h:90
#define TLS_MODE(c)
Definition openvpn.h:543
static void packet_id_persist_init(struct packet_id_persist *p)
Definition openvpn.h:86
#define CM_P2P
Definition openvpn.h:482
#define CM_TOP_CLONE
Definition openvpn.h:484
#define CM_CHILD_TCP
Definition openvpn.h:486
#define CM_CHILD_UDP
Definition openvpn.h:485
#define MAX_PEER_ID
Definition openvpn.h:554
#define CM_TOP
Definition openvpn.h:483
void options_detach(struct options *o)
Definition options.c:1557
void pre_connect_restore(struct options *o, struct gc_arena *gc)
Definition options.c:3157
void options_string_import(struct options *options, const char *config, const int msglevel, const unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es)
Definition options.c:5527
const char * options_string_version(const char *s, struct gc_arena *gc)
Definition options.c:4691
const char title_string[]
Definition options.c:70
int auth_retry_get(void)
Definition options.c:4782
void notnull(const char *arg, const char *description)
Definition options.c:4922
char * options_string(const struct options *o, const struct frame *frame, struct tuntap *tt, openvpn_net_ctx_t *ctx, bool remote, struct gc_arena *gc)
Definition options.c:4342
#define MODE_POINT_TO_POINT
Definition options.h:260
#define OPT_P_UP
Definition options.h:733
#define CE_MAN_QUERY_REMOTE_QUERY
Definition options.h:153
#define OPT_P_NCP
Negotiable crypto parameters.
Definition options.h:744
#define OPT_P_ECHO
Definition options.h:752
#define MODE_SERVER
Definition options.h:261
#define streq(x, y)
Definition options.h:727
#define OPT_P_EXPLICIT_NOTIFY
Definition options.h:751
#define CE_MAN_QUERY_REMOTE_SKIP
Definition options.h:156
#define AR_INTERACT
Definition options.h:915
#define OPT_P_SHAPER
Definition options.h:738
static bool dco_enabled(const struct options *o)
Returns whether the current configuration has dco enabled.
Definition options.h:936
#define OPT_P_SOCKFLAGS
Definition options.h:758
#define SHAPER_DEFINED(opt)
Definition options.h:784
#define CE_MAN_QUERY_REMOTE_MOD
Definition options.h:155
#define CE_MAN_QUERY_PROXY
Definition options.h:151
#define OPT_P_MESSAGES
Definition options.h:743
#define OPT_P_SETENV
Definition options.h:737
#define OPT_P_SOCKBUF
Definition options.h:757
#define CE_MAN_QUERY_REMOTE_MASK
Definition options.h:157
#define OPT_P_PLUGIN
Definition options.h:756
#define OPT_P_TIMER
Definition options.h:739
#define PING_RESTART
Definition options.h:356
#define RH_PORT_LEN
Definition options.h:230
#define OPT_P_DEFAULT
Definition options.h:765
#define CE_MAN_QUERY_REMOTE_SHIFT
Definition options.h:158
#define OPT_P_DHCPDNS
Definition options.h:735
#define OPT_P_PULL_MODE
Definition options.h:755
@ GENKEY_AUTH_TOKEN
Definition options.h:239
@ GENKEY_SECRET
Definition options.h:236
@ GENKEY_TLS_CRYPTV2_SERVER
Definition options.h:238
@ GENKEY_TLS_CRYPTV2_CLIENT
Definition options.h:237
#define OPT_P_PUSH_MTU
Definition options.h:762
#define AR_NONE
Definition options.h:914
#define AR_NOINTERACT
Definition options.h:916
#define RH_HOST_LEN
Definition options.h:228
#define OPT_P_PERSIST
Definition options.h:740
#define MAX_PARMS
Definition options.h:51
#define PING_UNDEF
Definition options.h:354
#define CE_MAN_QUERY_REMOTE_ACCEPT
Definition options.h:154
#define PULL_DEFINED(opt)
Definition options.h:767
#define ROUTE_OPTION_FLAGS(o)
Definition options.h:779
#define PING_EXIT
Definition options.h:355
#define OPT_P_COMP
Definition options.h:742
#define OPT_P_ROUTE_EXTRAS
Definition options.h:754
#define OPT_P_PEER_ID
Definition options.h:760
#define OPT_P_ROUTE
Definition options.h:734
#define CE_DISABLED
Definition options.h:150
time_t now
Definition otime.c:33
static void update_time(void)
Definition otime.h:76
void time_test(void)
void packet_id_persist_save(struct packet_id_persist *p)
Definition packet_id.c:503
void packet_id_persist_load_obj(const struct packet_id_persist *p, struct packet_id *pid)
Definition packet_id.c:543
void packet_id_init(struct packet_id *p, int seq_backtrack, int time_backtrack, const char *name, int unit)
Definition packet_id.c:91
void packet_id_persist_close(struct packet_id_persist *p)
Definition packet_id.c:445
void packet_id_free(struct packet_id *p)
Definition packet_id.c:121
void packet_id_persist_load(struct packet_id_persist *p, const char *filename)
Definition packet_id.c:459
#define PRE_PULL_INITIAL_PING_RESTART
Definition ping.h:32
unsigned int platform_getpid(void)
Definition platform.c:337
const char * platform_create_temp_file(const char *directory, const char *prefix, struct gc_arena *gc)
Create a temporary file in directory, returns the filename of the created file.
Definition platform.c:544
void platform_user_group_set(const struct platform_state_user *user_state, const struct platform_state_group *group_state, struct context *c)
Definition platform.c:222
void platform_nice(int niceval)
Definition platform.c:315
bool platform_user_get(const char *username, struct platform_state_user *state)
Definition platform.c:80
bool platform_unlink(const char *filename)
Definition platform.c:491
FILE * platform_fopen(const char *path, const char *mode)
Definition platform.c:504
int platform_chdir(const char *dir)
Definition platform.c:396
void platform_mlockall(bool print_msg)
Definition platform.c:348
void platform_chroot(const char *path)
Definition platform.c:54
bool platform_group_get(const char *groupname, struct platform_state_group *state)
Definition platform.c:126
void plugin_list_close(struct plugin_list *pl)
Definition plugin.c:869
void plugin_return_free(struct plugin_return *pr)
Definition plugin.c:986
struct plugin_list * plugin_list_inherit(const struct plugin_list *src)
Definition plugin.c:690
struct plugin_list * plugin_list_init(const struct plugin_option_list *list)
Definition plugin.c:764
void plugin_return_get_column(const struct plugin_return *src, struct plugin_return *dest, const char *colname)
Definition plugin.c:972
bool plugin_defined(const struct plugin_list *pl, const int type)
Definition plugin.c:904
void plugin_list_open(struct plugin_list *pl, const struct plugin_option_list *list, struct plugin_return *pr, const struct env_set *es, const int init_point)
Definition plugin.c:774
static void plugin_return_init(struct plugin_return *pr)
Definition plugin.h:163
static int plugin_call(const struct plugin_list *pl, const int type, const struct argv *av, struct plugin_return *pr, struct env_set *es)
Definition plugin.h:195
static bool plugin_return_defined(const struct plugin_return *pr)
Definition plugin.h:157
struct ifconfig_pool_persist * ifconfig_pool_persist_init(const char *filename, int refresh_freq)
Definition pool.c:538
void ifconfig_pool_persist_close(struct ifconfig_pool_persist *persist)
Definition pool.c:560
#define TOP_NET30
Definition proto.h:41
#define DEV_TYPE_TUN
Definition proto.h:35
#define TOP_P2P
Definition proto.h:42
void http_proxy_close(struct http_proxy_info *hp)
Definition proxy.c:553
struct http_proxy_info * http_proxy_new(const struct http_proxy_options *o)
Definition proxy.c:488
struct http_proxy_options * init_http_proxy_options_once(struct http_proxy_options **hpo, struct gc_arena *gc)
Definition proxy.c:45
#define PAR_NCT
Definition proxy.h:51
#define PAR_ALL
Definition proxy.h:50
bool add_routes(struct route_list *rl, struct route_ipv6_list *rl6, const struct tuntap *tt, unsigned int flags, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition route.c:1101
void setenv_routes_ipv6(struct env_set *es, const struct route_ipv6_list *rl6)
Definition route.c:1404
bool block_local_needed(const struct route_list *rl)
Get the decision whether to block traffic to local networks while the VPN is connected.
Definition route.c:596
void show_routes(int msglev)
Definition route.c:3062
bool init_route_ipv6_list(struct route_ipv6_list *rl6, const struct route_ipv6_option_list *opt6, const char *remote_endpoint, int default_metric, const struct in6_addr *remote_host_ipv6, struct env_set *es, openvpn_net_ctx_t *ctx)
Definition route.c:753
void add_route_ipv6_to_option_list(struct route_ipv6_option_list *l, const char *prefix, const char *gateway, const char *metric, int table_id)
Definition route.c:507
bool init_route_list(struct route_list *rl, const struct route_option_list *opt, const char *remote_endpoint, int default_metric, in_addr_t remote_host, struct env_set *es, openvpn_net_ctx_t *ctx)
Definition route.c:604
void delete_routes(struct route_list *rl, struct route_ipv6_list *rl6, const struct tuntap *tt, unsigned int flags, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition route.c:1166
void setenv_routes(struct env_set *es, const struct route_list *rl)
Definition route.c:1367
static int route_did_redirect_default_gateway(const struct route_list *rl)
Definition route.h:424
#define RG_REROUTE_GW
Definition route.h:91
int script_security(void)
Definition run_command.c:42
#define S_FATAL
Definition run_command.h:50
#define SSEC_SCRIPTS
allow calling of built-in programs and user-defined scripts
Definition run_command.h:35
static int openvpn_run_script(const struct argv *a, const struct env_set *es, const unsigned int flags, const char *hook)
Will run a script and return the exit code of the script if between 0 and 255, -1 otherwise.
Definition run_command.h:89
#define SSEC_PW_ENV
allow calling of built-in programs and user-defined scripts that may receive a password as an environ...
Definition run_command.h:38
void shaper_msg(struct shaper *s)
Definition shaper.c:87
static void shaper_init(struct shaper *s, int bytes_per_second)
Definition shaper.h:85
void post_init_signal_catch(void)
Definition sig.c:421
void print_status(struct context *c, struct status_output *so)
Definition sig.c:478
void pre_init_signal_catch(void)
Definition sig.c:392
void remap_signal(struct context *c)
Definition sig.c:588
const char * signal_description(const int signum, const char *sigtext)
Definition sig.c:105
void restore_signal_state(void)
Definition sig.c:460
void register_signal(struct signal_info *si, int signum, const char *signal_text)
Register a soft signal in the signal_info struct si respecting priority.
Definition sig.c:228
#define IS_SIG(c)
Definition sig.h:47
#define SIG_SOURCE_HARD
Definition sig.h:30
void link_socket_init_phase1(struct context *c, int sock_index, int mode)
Definition socket.c:1361
void link_socket_init_phase2(struct context *c, struct link_socket *sock)
Definition socket.c:1704
void link_socket_update_buffer_sizes(struct link_socket *sock, int rcvbuf, int sndbuf)
Definition socket.c:551
const struct in6_addr * link_socket_current_remote_ipv6(const struct link_socket_info *info)
Definition socket.c:2018
void link_socket_close(struct link_socket *sock)
Definition socket.c:1825
in_addr_t link_socket_current_remote(const struct link_socket_info *info)
Definition socket.c:1984
void do_preresolve(struct context *c)
Definition socket.c:314
struct link_socket * link_socket_new(void)
Definition socket.c:1347
bool link_socket_update_flags(struct link_socket *sock, unsigned int sockflags)
Definition socket.c:537
#define LS_MODE_TCP_ACCEPT_FROM
Definition socket.h:181
#define LS_MODE_DEFAULT
Definition socket.h:179
#define LS_MODE_TCP_LISTEN
Definition socket.h:180
const char * proto2ascii(int proto, sa_family_t af, bool display_form)
const char * print_in_addr_t(in_addr_t addr, unsigned int flags, struct gc_arena *gc)
#define IA_EMPTY_IF_UNDEF
Definition socket_util.h:89
static bool proto_is_udp(int proto)
Returns if the protocol being used is UDP.
@ PROTO_UDP
@ PROTO_TCP
@ PROTO_TCP_CLIENT
static bool proto_is_tcp(int proto)
returns if the proto is a TCP variant (tcp-server, tcp-client or tcp)
static bool proto_is_dgram(int proto)
Return if the protocol is datagram (UDP)
static bool addr_defined(const struct openvpn_sockaddr *addr)
struct socks_proxy_info * socks_proxy_new(const char *server, const char *port, const char *authfile)
Definition socks.c:51
void socks_proxy_close(struct socks_proxy_info *sp)
Definition socks.c:78
void ssl_purge_auth(const bool auth_user_pass_only)
Definition ssl.c:382
void init_ssl(const struct options *options, struct tls_root_ctx *new_ctx, bool in_chroot)
Build master SSL context object that serves for the whole of OpenVPN instantiation.
Definition ssl.c:512
void pem_password_setup(const char *auth_file)
Definition ssl.c:249
void init_ssl_lib(void)
Definition ssl.c:226
bool tls_session_update_crypto_params(struct tls_multi *multi, struct tls_session *session, struct options *options, struct frame *frame, struct frame *frame_fragment, struct link_socket_info *lsi, dco_context_t *dco)
Update TLS session crypto parameters (cipher and auth) and derive data channel keys based on the supp...
Definition ssl.c:1637
void free_ssl_lib(void)
Definition ssl.c:234
void auth_user_pass_setup(const char *auth_file, bool is_inline, const struct static_challenge_info *sci)
Definition ssl.c:294
void enable_auth_user_pass(void)
Definition ssl.c:288
void show_available_tls_ciphers(const char *cipher_list, const char *cipher_list_tls13, const char *tls_cert_profile)
Definition ssl.c:4102
#define X509_USERNAME_FIELD_DEFAULT
Definition ssl.h:120
#define TLS_MULTI_HORIZON
Definition ssl.h:61
#define TLS_MULTI_REFRESH
Definition ssl.h:60
void tls_ctx_free(struct tls_root_ctx *ctx)
Frees the library-specific TLSv1 context.
void show_available_curves(void)
Show the available elliptic curves in the crypto library.
bool tls_ctx_initialised(struct tls_root_ctx *ctx)
Checks whether the given TLS context is initialised.
@ CAS_CONNECT_DONE
Definition ssl_common.h:594
@ CAS_RECONNECT_PENDING
session has already successful established (CAS_CONNECT_DONE) but has a reconnect and needs to redo s...
Definition ssl_common.h:593
bool check_pull_client_ncp(struct context *c, const unsigned int found)
Checks whether the cipher negotiation is in an acceptable state and we continue to connect or should ...
Definition ssl_ncp.c:310
bool tls_item_in_cipher_list(const char *item, const char *list)
Return true iff item is present in the colon-separated zero-terminated cipher list.
Definition ssl_ncp.c:206
const char * get_p2p_ncp_cipher(struct tls_session *session, const char *peer_info, struct gc_arena *gc)
Determines the best common cipher from both peers IV_CIPHER lists.
Definition ssl_ncp.c:355
Control Channel SSL/Data dynamic negotiation Module This file is split from ssl.h to be able to unit ...
hmac_ctx_t * session_id_hmac_init(void)
Definition ssl_pkt.c:445
const char * tls_common_name(const struct tls_multi *multi, const bool null)
Returns the common name field for the given tunnel.
Definition ssl_verify.c:107
Control Channel Verification Module.
#define VERIFY_X509_NONE
Definition ssl_verify.h:68
#define NS_CERT_CHECK_SERVER
Do not perform Netscape certificate type verification.
Definition ssl_verify.h:252
void status_printf(struct status_output *so, const char *format,...)
Definition status.c:213
struct status_output * status_open(const char *filename, const int refresh_freq, const int msglevel, const struct virtual_output *vout, const unsigned int flags)
Definition status.c:60
bool status_close(struct status_output *so)
Definition status.c:179
#define STATUS_OUTPUT_WRITE
Definition status.h:51
Definition argv.h:35
Wrapper structure for dynamically allocated memory.
Definition buffer.h:60
int len
Length in bytes of the actual content within the allocated memory.
Definition buffer.h:65
Definition options.h:104
struct local_list * local_list
Definition options.h:105
int tun_mtu_max
Definition options.h:126
int connect_retry_seconds
Definition options.h:116
bool tls_crypt_v2_force_cookie
Definition options.h:176
int link_mtu
Definition options.h:131
bool link_mtu_defined
Definition options.h:132
int tun_mtu_extra
Definition options.h:129
int connect_retry_seconds_max
Definition options.h:117
int mssfix
Definition options.h:141
const char * tls_crypt_file
Definition options.h:167
const char * tls_crypt_v2_file
Definition options.h:172
bool tun_mtu_extra_defined
Definition options.h:130
const char * remote
Definition options.h:111
const char * socks_proxy_port
Definition options.h:121
bool mssfix_encap
Definition options.h:143
struct http_proxy_options * http_proxy_options
Definition options.h:119
bool tls_crypt_file_inline
Definition options.h:168
bool tls_auth_file_inline
Definition options.h:163
bool tun_mtu_defined
Definition options.h:128
int tls_mtu
Definition options.h:133
int explicit_exit_notification
Definition options.h:147
const char * socks_proxy_authfile
Definition options.h:122
const char * remote_port
Definition options.h:110
bool fragment_encap
Definition options.h:139
const char * socks_proxy_server
Definition options.h:120
int fragment
Definition options.h:138
int proto
Definition options.h:106
sa_family_t af
Definition options.h:107
const char * tls_auth_file
Definition options.h:162
int tun_mtu
Definition options.h:124
int key_direction
Definition options.h:164
bool tls_crypt_v2_file_inline
Definition options.h:173
unsigned int flags
Definition options.h:159
struct connection_entry ** array
Definition options.h:201
Level 0 context containing information related to the OpenVPN process.
Definition openvpn.h:137
struct platform_state_group platform_state_group
Definition openvpn.h:143
struct platform_state_user platform_state_user
Definition openvpn.h:142
bool uid_gid_chroot_set
Definition openvpn.h:141
bool uid_gid_specified
Definition openvpn.h:139
struct key_schedule ks
Definition openvpn.h:164
struct ifconfig_pool_persist * ifconfig_pool_persist
Definition openvpn.h:197
bool http_proxy_owned
Definition openvpn.h:190
struct status_output * status_output
Definition openvpn.h:185
struct route_list * route_list
List of routing information.
Definition openvpn.h:177
struct link_socket_addr * link_socket_addrs
Local and remote addresses on the external network.
Definition openvpn.h:159
struct sha256_digest pulled_options_digest_save
Hash of option strings received from the remote OpenVPN server.
Definition openvpn.h:201
int link_sockets_num
Definition openvpn.h:158
bool status_output_owned
Definition openvpn.h:186
struct route_ipv6_list * route_ipv6_list
Definition openvpn.h:182
struct packet_id_persist pid_persist
Definition openvpn.h:170
struct http_proxy_info * http_proxy
Definition openvpn.h:189
bool socks_proxy_owned
Definition openvpn.h:194
bool tuntap_owned
Whether the tun/tap interface should be cleaned up when this context is cleaned up.
Definition openvpn.h:173
bool ifconfig_pool_persist_owned
Definition openvpn.h:198
struct socks_proxy_info * socks_proxy
Definition openvpn.h:193
struct tuntap * tuntap
Tun/tap virtual network interface.
Definition openvpn.h:172
char * options_string_local
Definition openvpn.h:296
struct fragment_master * fragment
Definition openvpn.h:252
bool do_up_ran
Definition openvpn.h:411
char * options_string_remote
Definition openvpn.h:297
struct event_timeout route_wakeup_expire
Definition openvpn.h:384
bool did_open_tun
Definition openvpn.h:387
md_ctx_t * pulled_options_state
Definition openvpn.h:444
bool es_owned
Definition openvpn.h:421
struct man_def_auth_context mda_context
Definition openvpn.h:453
hmac_ctx_t * session_id_hmac
the HMAC we use to generate and verify our syn cookie like session ids from the server.
Definition openvpn.h:338
const struct link_socket * accept_from
Definition openvpn.h:242
struct tls_auth_standalone * tls_auth_standalone
TLS state structure required for the initial authentication of a client's connection attempt.
Definition openvpn.h:326
int occ_op
Definition openvpn.h:299
struct env_set * es
Definition openvpn.h:420
bool link_socket_owned
Definition openvpn.h:240
struct tls_multi * tls_multi
TLS state structure for this VPN tunnel.
Definition openvpn.h:323
struct frame frame
Definition openvpn.h:248
struct frame frame_fragment
Definition openvpn.h:253
struct crypto_options crypto_options
Security parameters and crypto state used by the Data Channel Crypto module to process data channel p...
Definition openvpn.h:349
bool buffers_owned
Definition openvpn.h:368
struct link_socket ** link_sockets
Definition openvpn.h:237
struct link_socket_info ** link_socket_infos
Definition openvpn.h:238
bool log_rw
Definition openvpn.h:380
int event_set_max
Definition openvpn.h:231
struct gc_arena gc
Garbage collection arena for allocations done in the level 2 scope of this context_2 structure.
Definition openvpn.h:225
bool fast_io
Definition openvpn.h:424
struct sha256_digest pulled_options_digest
Definition openvpn.h:445
struct event_set * event_set
Definition openvpn.h:230
struct context_buffers * buffers
Definition openvpn.h:367
struct event_timeout route_wakeup
Definition openvpn.h:383
int tls_exit_signal
Definition openvpn.h:347
bool event_set_owned
Definition openvpn.h:232
struct buffer read_link_buf
Definition openvpn.h:113
struct buffer encrypt_buf
Definition openvpn.h:100
struct buffer read_tun_buf
Definition openvpn.h:114
struct buffer decrypt_buf
Definition openvpn.h:101
struct buffer aux_buf
Definition openvpn.h:97
int restart_sleep_seconds
Definition openvpn.h:122
struct dns_updown_runner_info duri
Definition openvpn.h:123
Contains all state information for one tunnel.
Definition openvpn.h:474
int mode
Role of this context within the OpenVPN process.
Definition openvpn.h:487
struct context_0 * c0
Level 0 context.
Definition openvpn.h:515
bool did_we_daemonize
Whether demonization has already taken place.
Definition openvpn.h:510
bool first_time
True on the first iteration of OpenVPN's main loop.
Definition openvpn.h:478
struct signal_info * sig
Internal error signaling object.
Definition openvpn.h:503
openvpn_net_ctx_t net_ctx
Networking API opaque context.
Definition openvpn.h:501
struct plugin_list * plugins
List of plug-ins.
Definition openvpn.h:505
struct context_2 c2
Level 2 context.
Definition openvpn.h:517
struct env_set * es
Set of environment variables.
Definition openvpn.h:499
struct options options
Options loaded from command line or configuration file.
Definition openvpn.h:475
bool plugins_owned
Whether the plug-ins should be cleaned up when this context is cleaned up.
Definition openvpn.h:506
struct gc_arena gc
Garbage collection arena for allocations done in the scope of this context structure.
Definition openvpn.h:495
struct context_1 c1
Level 1 context.
Definition openvpn.h:516
struct context_persist persist
Persistent context.
Definition openvpn.h:513
unsigned int flags
Bit-flags determining behavior of security operation functions.
Definition crypto.h:384
struct packet_id_persist * pid_persist
Persistent packet ID state for keeping state between successive OpenVPN process startups.
Definition crypto.h:340
struct key_ctx_bi key_ctx_bi
OpenSSL cipher and HMAC contexts for both sending and receiving directions.
Definition crypto.h:294
struct packet_id packet_id
Current packet ID state for both sending and receiving directions.
Definition crypto.h:331
Packet geometry parameters.
Definition mtu.h:103
int tun_mtu
the (user) configured tun-mtu.
Definition mtu.h:137
int payload_size
the maximum size that a payload that our buffers can hold from either tun device or network link.
Definition mtu.h:108
int tun_max_mtu
the maximum tun-mtu size the buffers are are sized for.
Definition mtu.h:147
int extra_tun
Maximum number of bytes in excess of the tun/tap MTU that might be read from or written to the virtua...
Definition mtu.h:151
int headroom
the headroom in the buffer, this is choosen to allow all potential header to be added before the pack...
Definition mtu.h:114
struct frame::@8 buf
int tailroom
the tailroom in the buffer.
Definition mtu.h:118
Garbage collection arena used to keep track of dynamically allocated memory.
Definition buffer.h:116
const char * port
Definition proxy.h:47
const char * server
Definition proxy.h:46
struct buffer tls_crypt_v2_wkc
Wrapped client key.
Definition openvpn.h:72
struct key2 original_wrap_keydata
original tls-crypt key preserved to xored into the tls_crypt renegotiation key
Definition openvpn.h:70
struct key_type key_type
Definition openvpn.h:57
struct key_ctx auth_token_key
Definition openvpn.h:73
struct tls_root_ctx ssl_ctx
Definition openvpn.h:63
struct key_type tls_auth_key_type
Definition openvpn.h:66
struct key_ctx_bi tls_wrap_key
Definition openvpn.h:67
struct key_ctx_bi static_key
Definition openvpn.h:60
struct key_ctx tls_crypt_v2_server_key
Definition openvpn.h:71
const char * cipher
const name of the cipher
Definition crypto.h:142
const char * digest
Message digest static parameters.
Definition crypto.h:143
const char * special_state_msg
Definition manage.h:232
void(* status)(void *arg, const int version, struct status_output *so)
Definition manage.h:178
bool(* remote_entry_get)(void *arg, unsigned int index, char **remote)
Definition manage.h:198
unsigned int(* remote_entry_count)(void *arg)
Definition manage.h:197
bool(* send_cc_message)(void *arg, const char *message, const char *parameter)
Definition manage.h:184
bool(* proxy_cmd)(void *arg, const char **p)
Definition manage.h:192
unsigned int flags
Definition manage.h:176
bool(* remote_cmd)(void *arg, const char **p)
Definition manage.h:193
void(* show_net)(void *arg, const int msglevel)
Definition manage.h:179
struct man_persist persist
Definition manage.h:333
union openvpn_sockaddr::@27 addr
struct sockaddr sa
Definition socket_util.h:42
struct sockaddr_in in4
Definition socket_util.h:43
struct sockaddr_in6 in6
Definition socket_util.h:44
int rcvbuf
Definition options.h:416
bool resolve_in_advance
Definition options.h:368
bool route_nopull
Definition options.h:440
const char * genkey_extra_data
Definition options.h:286
struct compress_options comp
Definition options.h:413
bool persist_config
Definition options.h:274
struct connection_list * connection_list
Definition options.h:291
const char * management_port
Definition options.h:450
const char * ifconfig_ipv6_remote
Definition options.h:327
int server_backoff_time
Definition options.h:306
int auth_token_renewal
Definition options.h:548
const char * tmp_dir
Definition options.h:469
bool push_peer_info
Definition options.h:685
bool daemon
Definition options.h:391
int route_default_metric
Definition options.h:432
int renegotiate_seconds_min
Definition options.h:651
const char * auth_token_secret_file
Definition options.h:549
unsigned int imported_protocol_flags
Definition options.h:724
const char * tls_export_peer_cert_dir
Definition options.h:616
bool crl_file_inline
Definition options.h:620
const char * down_script
Definition options.h:386
hash_algo_type verify_hash_algo
Definition options.h:626
int replay_time
Definition options.h:587
int management_state_buffer_size
Definition options.h:454
bool duplicate_cn
Definition options.h:530
int shaper
Definition options.h:330
int management_echo_buffer_size
Definition options.h:453
bool show_net_up
Definition options.h:698
bool verify_hash_no_ca
Definition options.h:628
bool use_peer_id
Definition options.h:704
unsigned remote_cert_ku[MAX_PARMS]
Definition options.h:623
bool server_bridge_defined
Definition options.h:484
const char * keying_material_exporter_label
Definition options.h:708
const char * status_file
Definition options.h:406
unsigned int ssl_flags
Definition options.h:629
bool route_noexec
Definition options.h:433
bool ifconfig_nowarn
Definition options.h:329
const char * remote_cert_eku
Definition options.h:624
int tls_timeout
Definition options.h:645
bool test_crypto
Definition options.h:589
bool up_delay
Definition options.h:389
bool server_bridge_proxy_dhcp
Definition options.h:482
const char * authname
Definition options.h:582
const char * exit_event_name
Definition options.h:696
const char * ifconfig_ipv6_local
Definition options.h:325
int replay_window
Definition options.h:586
int mute
Definition options.h:400
bool auth_user_pass_verify_script_via_file
Definition options.h:544
const char * dev_type
Definition options.h:319
int persist_mode
Definition options.h:275
int ifconfig_pool_persist_refresh_freq
Definition options.h:496
bool show_digests
Definition options.h:279
const char * up_script
Definition options.h:385
int ce_advance_count
Definition options.h:302
bool single_session
Definition options.h:683
struct remote_host_store * rh_store
Definition options.h:312
int verify_hash_depth
Definition options.h:627
bool route_delay_defined
Definition options.h:436
const char * packet_id_file
Definition options.h:588
const char * tls_crypt_v2_file
Definition options.h:675
int management_log_history_cache
Definition options.h:452
uint32_t peer_id
Definition options.h:705
struct route_option_list * routes
Definition options.h:437
int keepalive_timeout
Definition options.h:343
bool fast_io
Definition options.h:411
bool block_outside_dns
Definition options.h:700
bool tls_exit
Definition options.h:687
bool show_engines
Definition options.h:280
HANDLE msg_channel
Definition options.h:695
const char * key_pass_file
Definition options.h:277
bool mute_replay_warnings
Definition options.h:585
unsigned int unsuccessful_attempts
Definition options.h:300
int handshake_window
Definition options.h:655
const char * ifconfig_local
Definition options.h:323
struct connection_entry ce
Definition options.h:290
bool user_script_used
Definition options.h:387
bool show_tls_ciphers
Definition options.h:281
struct tuntap_options tuntap_options
Definition options.h:371
struct verify_hash_list * verify_hash
Definition options.h:625
const char * tls_cert_profile
Definition options.h:613
int64_t renegotiate_packets
Definition options.h:649
unsigned int management_flags
Definition options.h:462
const char * route_default_gateway
Definition options.h:429
bool exit_event_initial_state
Definition options.h:697
struct static_challenge_info sc_info
Definition options.h:569
bool auth_token_call_auth
Definition options.h:546
int topology
Definition options.h:322
bool disable_dco
Definition options.h:374
const char * ncp_ciphers
Definition options.h:581
bool genkey
Definition options.h:283
const char * ciphername
Definition options.h:576
const char * auth_user_pass_file
Definition options.h:562
const char * username
Definition options.h:377
struct plugin_option_list * plugin_list
Definition options.h:465
int auth_token_lifetime
Definition options.h:547
int ns_cert_type
Definition options.h:622
const char * tls_crypt_v2_verify_script
Definition options.h:680
int mode
Definition options.h:262
bool tls_server
Definition options.h:595
const char * auth_user_pass_verify_script
Definition options.h:543
int connect_retry_max
Definition options.h:289
bool pull
Definition options.h:559
bool show_curves
Definition options.h:282
const char * route_ipv6_default_gateway
Definition options.h:430
bool tls_client
Definition options.h:596
bool auth_token_generate
Definition options.h:545
bool priv_key_file_inline
Definition options.h:607
const char * tls_verify
Definition options.h:615
const char * crl_file
Definition options.h:619
int ping_rec_timeout_action
Definition options.h:357
bool auth_user_pass_file_inline
Definition options.h:563
bool show_ciphers
Definition options.h:278
bool enable_ncp_fallback
If defined fall back to ciphername if NCP fails.
Definition options.h:577
const char * route_predown_script
Definition options.h:428
int route_delay_window
Definition options.h:435
bool mlock
Definition options.h:340
int sndbuf
Definition options.h:417
struct gc_arena gc
Definition options.h:253
bool down_pre
Definition options.h:388
bool persist_tun
Definition options.h:359
int route_default_table_id
Definition options.h:431
bool auth_token_secret_file_inline
Definition options.h:550
const char * config
Definition options.h:257
int keying_material_exporter_length
Definition options.h:709
bool mtu_test
Definition options.h:334
int verify_x509_type
Definition options.h:617
const char * cipher_list_tls13
Definition options.h:611
int status_file_update_freq
Definition options.h:408
const char * management_client_user
Definition options.h:456
const char * cipher_list
Definition options.h:610
bool ccd_exclusive
Definition options.h:509
const char * genkey_filename
Definition options.h:285
const struct x509_track * x509_track
Definition options.h:689
const char * chroot_dir
Definition options.h:379
bool log
Definition options.h:395
bool shared_secret_file_inline
Definition options.h:573
int renegotiate_seconds
Definition options.h:650
int ping_rec_timeout
Definition options.h:351
unsigned int sockflags
Definition options.h:424
const char * engine
Definition options.h:583
const char * management_addr
Definition options.h:449
const char * verify_x509_name
Definition options.h:618
int ping_send_timeout
Definition options.h:350
int route_delay
Definition options.h:434
const char * dev_node
Definition options.h:320
const char * client_crresponse_script
Definition options.h:507
struct route_ipv6_option_list * routes_ipv6
Definition options.h:438
int key_direction
Definition options.h:575
bool persist_remote_ip
Definition options.h:361
bool up_restart
Definition options.h:390
int keepalive_ping
Definition options.h:342
bool no_advance
Definition options.h:295
bool tls_crypt_v2_file_inline
Definition options.h:676
const char * groupname
Definition options.h:378
const char * cd_dir
Definition options.h:380
int nice
Definition options.h:398
int transition_window
Definition options.h:663
const char * ifconfig_remote_netmask
Definition options.h:324
const char * lladdr
Definition options.h:321
int verbosity
Definition options.h:399
enum tun_driver_type windows_driver
Definition options.h:701
int remap_sigusr1
Definition options.h:393
int64_t renegotiate_bytes
Definition options.h:648
const char * route_script
Definition options.h:427
const char * management_user_pass
Definition options.h:451
const char * shared_secret_file
Definition options.h:572
bool ifconfig_noexec
Definition options.h:328
const char * dev
Definition options.h:318
const char * management_client_group
Definition options.h:457
const char * client_config_dir
Definition options.h:508
enum genkey_type genkey_type
Definition options.h:284
bool advance_next_remote
Definition options.h:298
const char * ifconfig_pool_persist_filename
Definition options.h:495
int ifconfig_ipv6_netbits
Definition options.h:326
bool persist_local_ip
Definition options.h:360
struct openvpn_plugin_string_list * list[MAX_PLUGINS]
Definition plugin.h:106
char port[RH_PORT_LEN]
Definition options.h:231
char host[RH_HOST_LEN]
Definition options.h:229
struct gc_arena gc
Definition route.h:254
unsigned int flags
Definition route.h:113
struct gc_arena * gc
Definition route.h:115
struct gc_arena gc
Definition route.h:239
Wrapper struct to pass around SHA256 digests.
Definition crypto.h:133
const char * signal_text
Definition sig.h:44
volatile int signal_received
Definition sig.h:42
volatile int source
Definition sig.h:43
unsigned int flags
Definition status.h:52
struct frame frame
Definition ssl_pkt.h:81
struct buffer workbuf
Definition ssl_pkt.h:80
struct tls_wrap_ctx tls_wrap
Definition ssl_pkt.h:79
dco_context_t * dco
Definition ssl_common.h:726
char * peer_info
A multi-line string of general-purpose info received from peer over control channel.
Definition ssl_common.h:673
enum multi_status multi_state
Definition ssl_common.h:633
struct tls_options opt
Definition ssl_common.h:617
struct tls_session session[TM_SIZE]
Array of tls_session objects representing control channel sessions with the remote peer.
Definition ssl_common.h:712
uint32_t peer_id
Definition ssl_common.h:700
bool use_peer_id
Definition ssl_common.h:701
int64_t renegotiate_bytes
Definition ssl_common.h:343
struct key_ctx auth_token_key
Definition ssl_common.h:408
unsigned int auth_token_renewal
Definition ssl_common.h:406
struct env_set * es
Definition ssl_common.h:414
unsigned int auth_token_lifetime
Definition ssl_common.h:405
struct tls_wrap_ctx tls_wrap
TLS handshake wrapping state.
Definition ssl_common.h:388
size_t ekm_label_size
Definition ssl_common.h:452
unsigned int crypto_flags
Definition ssl_common.h:370
unsigned remote_cert_ku[MAX_PARMS]
Definition ssl_common.h:357
interval_t packet_timeout
Definition ssl_common.h:342
const char * auth_user_pass_file
Definition ssl_common.h:398
const char * client_crresponse_script
Definition ssl_common.h:394
const struct static_challenge_info * sci
Definition ssl_common.h:444
openvpn_net_ctx_t * net_ctx
Definition ssl_common.h:415
const char * tmp_dir
Definition ssl_common.h:396
interval_t renegotiate_seconds
Definition ssl_common.h:348
struct frame frame
Definition ssl_common.h:390
int64_t renegotiate_packets
Definition ssl_common.h:344
bool auth_user_pass_file_inline
Definition ssl_common.h:399
int verify_hash_depth
Definition ssl_common.h:360
const struct plugin_list * plugins
Definition ssl_common.h:416
const char * client_config_dir_exclusive
Definition ssl_common.h:411
bool tls_crypt_v2
Definition ssl_common.h:384
const char * export_peer_cert_dir
Definition ssl_common.h:397
const char * verify_command
Definition ssl_common.h:351
struct verify_hash_list * verify_hash
Definition ssl_common.h:359
const char * ekm_label
Definition ssl_common.h:451
size_t ekm_size
Definition ssl_common.h:453
char * x509_username_field[2]
Definition ssl_common.h:366
int transition_window
Definition ssl_common.h:340
const char * config_ciphername
Definition ssl_common.h:375
int verify_x509_type
Definition ssl_common.h:352
bool single_session
Definition ssl_common.h:326
bool data_epoch_supported
whether our underlying data channel supports new data channel features (epoch keys with AEAD tag at t...
Definition ssl_common.h:382
const char * verify_x509_name
Definition ssl_common.h:353
bool crl_file_inline
Definition ssl_common.h:355
const struct x509_track * x509_track
Definition ssl_common.h:441
bool verify_hash_no_ca
Definition ssl_common.h:361
struct man_def_auth_context * mda_context
Definition ssl_common.h:438
const char * tls_crypt_v2_verify_script
Definition ssl_common.h:385
struct tls_root_ctx ssl_ctx
Definition ssl_common.h:309
bool auth_user_pass_verify_script_via_file
Definition ssl_common.h:395
const char * config_ncp_ciphers
Definition ssl_common.h:376
unsigned int ssl_flags
Definition ssl_common.h:435
bool auth_token_generate
Generate auth-tokens on successful user/pass auth,seet via options->auth_token_generate.
Definition ssl_common.h:401
struct key_type key_type
Definition ssl_common.h:312
int push_peer_info_detail
The detail of info we push in peer info.
Definition ssl_common.h:339
hash_algo_type verify_hash_algo
Definition ssl_common.h:362
bool auth_token_call_auth
always call normal authentication
Definition ssl_common.h:404
const char * crl_file
Definition ssl_common.h:354
int handshake_window
Definition ssl_common.h:341
bool dco_enabled
Whether keys have to be installed in DCO or not.
Definition ssl_common.h:455
const char * auth_user_pass_verify_script
Definition ssl_common.h:393
const char * remote_cert_eku
Definition ssl_common.h:358
int replay_window
Definition ssl_common.h:372
Security parameter state of a single session within a VPN tunnel.
Definition ssl_common.h:490
struct crypto_options opt
Crypto state.
Definition ssl_common.h:283
enum tls_wrap_ctx::@28 mode
Control channel wrapping mode.
struct buffer work
Work buffer (only for –tls-crypt)
Definition ssl_common.h:284
struct key_ctx tls_crypt_v2_server_key
Decrypts client keys.
Definition ssl_common.h:285
const struct buffer * tls_crypt_v2_wkc
Wrapped client key, sent to server.
Definition ssl_common.h:286
struct key2 original_wrap_keydata
original key data to be xored in to the key for dynamic tls-crypt.
Definition ssl_common.h:299
HANDLE msg_channel
Definition tun.h:88
Definition tun.h:183
in_addr_t local
Definition tun.h:210
DWORD adapter_index
Definition tun.h:234
enum tun_driver_type backend_driver
The backend driver that used for this tun/tap device.
Definition tun.h:193
struct tuntap_options options
Definition tun.h:205
struct in6_addr local_ipv6
Definition tun.h:213
dco_context_t dco
Definition tun.h:249
char * actual_name
Definition tun.h:207
in_addr_t remote_netmask
Definition tun.h:211
char password[USER_PASS_LEN]
Definition misc.h:68
char username[USER_PASS_LEN]
Definition misc.h:67
#define srandom
Definition syshead.h:44
#define SOCKET_UNDEFINED
Definition syshead.h:438
#define sleep(x)
Definition syshead.h:42
struct env_set * es
struct gc_arena gc
Definition test_ssl.c:154
void open_tun(const char *dev, const char *dev_type, const char *dev_node, struct tuntap *tt, openvpn_net_ctx_t *ctx)
Definition tun.c:6372
int dev_type_enum(const char *dev, const char *dev_type)
Definition tun.c:517
void fork_register_dns_action(struct tuntap *tt)
Definition tun.c:5760
struct tuntap * init_tun(const char *dev, const char *dev_type, int topology, const char *ifconfig_local_parm, const char *ifconfig_remote_netmask_parm, const char *ifconfig_ipv6_local_parm, int ifconfig_ipv6_netbits_parm, const char *ifconfig_ipv6_remote_parm, struct addrinfo *local_public, struct addrinfo *remote_public, const bool strict_warn, struct env_set *es, openvpn_net_ctx_t *ctx, struct tuntap *tt)
Definition tun.c:826
void show_adapters(int msglev)
Definition tun.c:4838
bool is_dev_type(const char *dev, const char *dev_type, const char *match_type)
Definition tun.c:499
void do_ifconfig(struct tuntap *tt, const char *ifname, int tun_mtu, const struct env_set *es, openvpn_net_ctx_t *ctx)
do_ifconfig - configure the tunnel interface
Definition tun.c:1562
const char * dev_type_string(const char *dev, const char *dev_type)
Definition tun.c:536
void close_tun(struct tuntap *tt, openvpn_net_ctx_t *ctx)
Definition tun.c:6523
void warn_on_use_of_common_subnets(openvpn_net_ctx_t *ctx)
Definition tun.c:666
void init_tun_post(struct tuntap *tt, const struct frame *frame, const struct tuntap_options *options)
Definition tun.c:950
const char * guess_tuntap_dev(const char *dev, const char *dev_type, const char *dev_node, struct gc_arena *gc)
Definition tun.c:556
void do_ifconfig_setenv(const struct tuntap *tt, struct env_set *es)
Definition tun.c:782
void undo_ifconfig(struct tuntap *tt, openvpn_net_ctx_t *ctx)
undo_ifconfig - undo configuration of the tunnel interface
Definition tun.c:1651
void tun_standby_init(struct tuntap *tt)
Definition tun.c:5491
const char * print_tun_backend_driver(enum tun_driver_type driver)
Return a string representation of the tun backed driver type.
Definition tun.c:58
#define IFCONFIG_AFTER_TUN_OPEN
Definition tun.h:349
#define IFCONFIG_BEFORE_TUN_OPEN
Definition tun.h:348
static bool tuntap_is_dco_win(struct tuntap *tt)
Definition tun.h:532
@ DRIVER_NULL
Definition tun.h:52
@ DRIVER_GENERIC_TUNTAP
Definition tun.h:47
@ DRIVER_AFUNIX
using an AF_UNIX socket to pass packets from/to an external program.
Definition tun.h:51
@ DRIVER_DCO
Definition tun.h:53
#define ROUTE_AFTER_TUN
Definition tun.h:380
static int ifconfig_order(struct tuntap *tt)
Definition tun.h:354
static void open_tun_null(struct tuntap *tt)
Definition tun.h:634
static int route_order(struct tuntap *tt)
Definition tun.h:384
#define ROUTE_BEFORE_TUN
Definition tun.h:379
static bool is_tun_type_set(const struct tuntap *tt)
Definition tun.h:628
void tuncfg(const char *dev, const char *dev_type, const char *dev_node, int persist_mode, const char *username, const char *groupname, const struct tuntap_options *options, openvpn_net_ctx_t *ctx)
void open_tun_afunix(struct options *o, int mtu, struct tuntap *tt, struct env_set *orig_env)
Opens an AF_UNIX based tun device.
Definition tun_afunix.c:71
void close_tun_afunix(struct tuntap *tt)
Closes the socket used for the AF_UNIX based device.
Definition tun_afunix.c:123
static bool is_tun_afunix(const char *devnode)
Checks whether a –dev-node parameter specifies a AF_UNIX device.
Definition tun_afunix.h:61
void win32_signal_open(struct win32_signal *ws, int force, const char *exit_event_name, bool exit_event_initial_state)
Definition win32.c:452
bool win_wfp_block(const NET_IFINDEX index, const HANDLE msg_channel, BOOL dns_only)
Definition win32.c:1202
void window_title_generate(const char *title)
Definition win32.c:723
void window_title_save(struct window_title *wt)
Definition win32.c:697
bool win_wfp_uninit(const NET_IFINDEX index, const HANDLE msg_channel)
Definition win32.c:1251
void init_win32(void)
Definition win32.c:107
#define WSO_MODE_CONSOLE
Definition win32.h:159
#define WSO_FORCE_SERVICE
Definition win32.h:173
#define WSO_FORCE_CONSOLE
Definition win32.h:174