OpenVPN
init.c
Go to the documentation of this file.
1/*
2 * OpenVPN -- An application to securely tunnel IP networks
3 * over a single TCP/UDP port, with support for SSL/TLS-based
4 * session authentication and key exchange,
5 * packet encryption, packet authentication, and
6 * packet compression.
7 *
8 * Copyright (C) 2002-2025 OpenVPN Inc <sales@openvpn.net>
9 *
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License version 2
12 * as published by the Free Software Foundation.
13 *
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
18 *
19 * You should have received a copy of the GNU General Public License along
20 * with this program; if not, see <https://www.gnu.org/licenses/>.
21 */
22
23#ifdef HAVE_CONFIG_H
24#include "config.h"
25#endif
26
27#include "syshead.h"
28
29#ifdef ENABLE_SYSTEMD
30#include <systemd/sd-daemon.h>
31#endif
32
33#include "win32.h"
34#include "init.h"
35#include "run_command.h"
36#include "sig.h"
37#include "occ.h"
38#include "list.h"
39#include "otime.h"
40#include "pool.h"
41#include "gremlin.h"
42#include "occ.h"
43#include "pkcs11.h"
44#include "ps.h"
45#include "lladdr.h"
46#include "ping.h"
47#include "mstats.h"
48#include "ssl_verify.h"
49#include "ssl_ncp.h"
50#include "tls_crypt.h"
51#include "forward.h"
52#include "auth_token.h"
53#include "mss.h"
54#include "mudp.h"
55#include "dco.h"
56#include "tun_afunix.h"
57
58#include "memdbg.h"
59
60
61static struct context *static_context; /* GLOBAL */
62static const char *saved_pid_file_name; /* GLOBAL */
63
64/*
65 * Crypto initialization flags
66 */
67#define CF_LOAD_PERSISTED_PACKET_ID (1 << 0)
68#define CF_INIT_TLS_MULTI (1 << 1)
69#define CF_INIT_TLS_AUTH_STANDALONE (1 << 2)
70
71static void do_init_first_time(struct context *c);
72
73static bool do_deferred_p2p_ncp(struct context *c);
74
75void
76context_clear(struct context *c)
77{
78 CLEAR(*c);
79}
80
81void
82context_clear_1(struct context *c)
83{
84 CLEAR(c->c1);
85}
86
87void
88context_clear_2(struct context *c)
89{
90 CLEAR(c->c2);
91}
92
93void
94context_clear_all_except_first_time(struct context *c)
95{
96 const bool first_time_save = c->first_time;
97 const struct context_persist cpsave = c->persist;
98 context_clear(c);
99 c->first_time = first_time_save;
100 c->persist = cpsave;
101}
102
103/*
104 * Pass tunnel endpoint and MTU parms to a user-supplied script.
105 * Used to execute the up/down script/plugins.
106 */
107static void
108run_up_down(const char *command, const struct plugin_list *plugins, int plugin_type,
109 const char *arg,
110#ifdef _WIN32
111 DWORD adapter_index,
112#endif
113 const char *dev_type, int tun_mtu, const char *ifconfig_local,
114 const char *ifconfig_remote, const char *context, const char *signal_text,
115 const char *script_type, struct env_set *es)
116{
117 struct gc_arena gc = gc_new();
118
119 if (signal_text)
120 {
121 setenv_str(es, "signal", signal_text);
122 }
123 setenv_str(es, "script_context", context);
124 setenv_int(es, "tun_mtu", tun_mtu);
125 setenv_str(es, "dev", arg);
126 if (dev_type)
127 {
128 setenv_str(es, "dev_type", dev_type);
129 }
130#ifdef _WIN32
131 setenv_int(es, "dev_idx", adapter_index);
132#endif
133
134 if (!ifconfig_local)
135 {
136 ifconfig_local = "";
137 }
138 if (!ifconfig_remote)
139 {
140 ifconfig_remote = "";
141 }
142 if (!context)
143 {
144 context = "";
145 }
146
147 if (plugin_defined(plugins, plugin_type))
148 {
149 struct argv argv = argv_new();
150 ASSERT(arg);
151 argv_printf(&argv, "%s %d 0 %s %s %s", arg, tun_mtu, ifconfig_local, ifconfig_remote,
152 context);
153
154 if (plugin_call(plugins, plugin_type, &argv, NULL, es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
155 {
156 msg(M_FATAL, "ERROR: up/down plugin call failed");
157 }
158
159 argv_free(&argv);
160 }
161
162 if (command)
163 {
164 struct argv argv = argv_new();
165 ASSERT(arg);
166 setenv_str(es, "script_type", script_type);
167 argv_parse_cmd(&argv, command);
168 argv_printf_cat(&argv, "%s %d 0 %s %s %s", arg, tun_mtu, ifconfig_local, ifconfig_remote,
169 context);
170 argv_msg(M_INFO, &argv);
171 openvpn_run_script(&argv, es, S_FATAL, "--up/--down");
172 argv_free(&argv);
173 }
174
175 gc_free(&gc);
176}
177
178/*
179 * Should be called after options->ce is modified at the top
180 * of a SIGUSR1 restart.
181 */
182static void
183update_options_ce_post(struct options *options)
184{
185 /*
186 * In pull mode, we usually import --ping/--ping-restart parameters from
187 * the server. However we should also set an initial default --ping-restart
188 * for the period of time before we pull the --ping-restart parameter
189 * from the server.
190 */
191 if (options->pull && options->ping_rec_timeout_action == PING_UNDEF
192 && proto_is_dgram(options->ce.proto))
193 {
194 options->ping_rec_timeout = PRE_PULL_INITIAL_PING_RESTART;
195 options->ping_rec_timeout_action = PING_RESTART;
196 }
197}
198
199#ifdef ENABLE_MANAGEMENT
200static bool
201management_callback_proxy_cmd(void *arg, const char **p)
202{
203 struct context *c = arg;
204 struct connection_entry *ce = &c->options.ce;
205 struct gc_arena *gc = &c->c2.gc;
206 bool ret = false;
207
208 update_time();
209 if (streq(p[1], "NONE"))
210 {
211 ret = true;
212 }
213 else if (p[2] && p[3])
214 {
215 if (streq(p[1], "HTTP"))
216 {
217 struct http_proxy_options *ho;
218 if (ce->proto != PROTO_TCP && ce->proto != PROTO_TCP_CLIENT)
219 {
220 msg(M_WARN, "HTTP proxy support only works for TCP based connections");
221 return false;
222 }
223 ho = init_http_proxy_options_once(&ce->http_proxy_options, gc);
224 ho->server = string_alloc(p[2], gc);
225 ho->port = string_alloc(p[3], gc);
226 ho->auth_retry = (p[4] && streq(p[4], "nct") ? PAR_NCT : PAR_ALL);
227 ret = true;
228 }
229 else if (streq(p[1], "SOCKS"))
230 {
231 ce->socks_proxy_server = string_alloc(p[2], gc);
232 ce->socks_proxy_port = string_alloc(p[3], gc);
233 ret = true;
234 }
235 }
236 else
237 {
238 msg(M_WARN, "Bad proxy command");
239 }
240
241 ce->flags &= ~CE_MAN_QUERY_PROXY;
242
243 return ret;
244}
245
246static bool
247ce_management_query_proxy(struct context *c)
248{
249 const struct connection_list *l = c->options.connection_list;
250 struct connection_entry *ce = &c->options.ce;
251 struct gc_arena gc;
252 bool ret = true;
253
254 update_time();
255 if (management)
256 {
257 gc = gc_new();
258 {
259 struct buffer out = alloc_buf_gc(256, &gc);
260 buf_printf(&out, ">PROXY:%u,%s,%s", (l ? l->current : 0) + 1,
261 (proto_is_udp(ce->proto) ? "UDP" : "TCP"), np(ce->remote));
262 management_notify_generic(management, BSTR(&out));
263 management->persist.special_state_msg = BSTR(&out);
264 }
265 ce->flags |= CE_MAN_QUERY_PROXY;
266 while (ce->flags & CE_MAN_QUERY_PROXY)
267 {
268 management_event_loop_n_seconds(management, 1);
269 if (IS_SIG(c))
270 {
271 ret = false;
272 break;
273 }
274 }
275 management->persist.special_state_msg = NULL;
276 gc_free(&gc);
277 }
278
279 return ret;
280}
281
296static bool
297management_callback_send_cc_message(void *arg, const char *command, const char *parameters)
298{
299 struct context *c = (struct context *)arg;
300 size_t len = strlen(command) + 1 + strlen(parameters) + 1;
301 if (len > PUSH_BUNDLE_SIZE)
302 {
303 return false;
304 }
305
306 struct gc_arena gc = gc_new();
307 struct buffer buf = alloc_buf_gc(len, &gc);
308 ASSERT(buf_printf(&buf, "%s", command));
309 if (parameters)
310 {
311 ASSERT(buf_printf(&buf, ",%s", parameters));
312 }
313 bool status = send_control_channel_string(c, BSTR(&buf), D_PUSH);
314
315 gc_free(&gc);
316 return status;
317}
318
319static unsigned int
320management_callback_remote_entry_count(void *arg)
321{
322 ASSERT(arg);
323 struct context *c = (struct context *)arg;
324 struct connection_list *l = c->options.connection_list;
325
326 return l->len;
327}
328
329static bool
330management_callback_remote_entry_get(void *arg, unsigned int index, char **remote)
331{
332 ASSERT(arg);
333 ASSERT(remote);
334
335 struct context *c = (struct context *)arg;
336 struct connection_list *l = c->options.connection_list;
337 bool ret = true;
338
339 if (index < l->len)
340 {
341 struct connection_entry *ce = l->array[index];
342 const char *proto = proto2ascii(ce->proto, ce->af, false);
343 const char *status = (ce->flags & CE_DISABLED) ? "disabled" : "enabled";
344
345 /* space for output including 3 commas and a nul */
346 size_t len =
347 strlen(ce->remote) + strlen(ce->remote_port) + strlen(proto) + strlen(status) + 3 + 1;
348 char *out = malloc(len);
349 check_malloc_return(out);
350
351 snprintf(out, len, "%s,%s,%s,%s", ce->remote, ce->remote_port, proto, status);
352 *remote = out;
353 }
354 else
355 {
356 ret = false;
357 msg(M_WARN, "Out of bounds index in management query for remote entry: index = %u", index);
358 }
359
360 return ret;
361}
362
363static bool
364management_callback_remote_cmd(void *arg, const char **p)
365{
366 struct context *c = (struct context *)arg;
367 struct connection_entry *ce = &c->options.ce;
368 int ret = false;
369 if (p[1]
370 && ((ce->flags >> CE_MAN_QUERY_REMOTE_SHIFT) & CE_MAN_QUERY_REMOTE_MASK)
371 == CE_MAN_QUERY_REMOTE_QUERY)
372 {
373 unsigned int flags = 0;
374 if (!strcmp(p[1], "ACCEPT"))
375 {
376 flags = CE_MAN_QUERY_REMOTE_ACCEPT;
377 ret = true;
378 }
379 else if (!strcmp(p[1], "SKIP"))
380 {
381 flags = CE_MAN_QUERY_REMOTE_SKIP;
382 ret = true;
383 c->options.ce_advance_count = (p[2]) ? atoi(p[2]) : 1;
384 }
385 else if (!strcmp(p[1], "MOD") && p[2] && p[3])
386 {
387 if (strlen(p[2]) < RH_HOST_LEN && strlen(p[3]) < RH_PORT_LEN)
388 {
389 struct remote_host_store *rhs = c->options.rh_store;
390 if (!rhs)
391 {
392 ALLOC_OBJ_CLEAR_GC(rhs, struct remote_host_store, &c->options.gc);
393 c->options.rh_store = rhs;
394 }
395 strncpynt(rhs->host, p[2], RH_HOST_LEN);
396 strncpynt(rhs->port, p[3], RH_PORT_LEN);
397
398 ce->remote = rhs->host;
399 ce->remote_port = rhs->port;
400 flags = CE_MAN_QUERY_REMOTE_MOD;
401 ret = true;
402 }
403 }
404 if (ret)
405 {
406 ce->flags &= ~(CE_MAN_QUERY_REMOTE_MASK << CE_MAN_QUERY_REMOTE_SHIFT);
407 ce->flags |= ((flags & CE_MAN_QUERY_REMOTE_MASK) << CE_MAN_QUERY_REMOTE_SHIFT);
408 }
409 }
410 return ret;
411}
412
413static bool
414ce_management_query_remote(struct context *c)
415{
416 struct gc_arena gc = gc_new();
417 volatile struct connection_entry *ce = &c->options.ce;
418 int ce_changed = true; /* presume the connection entry will be changed */
419
420 update_time();
421 if (management)
422 {
423 struct buffer out = alloc_buf_gc(256, &gc);
424
425 buf_printf(&out, ">REMOTE:%s,%s,%s", np(ce->remote), ce->remote_port,
426 proto2ascii(ce->proto, ce->af, false));
427 management_notify_generic(management, BSTR(&out));
428 management->persist.special_state_msg = BSTR(&out);
429
430 ce->flags &= ~(CE_MAN_QUERY_REMOTE_MASK << CE_MAN_QUERY_REMOTE_SHIFT);
431 ce->flags |= (CE_MAN_QUERY_REMOTE_QUERY << CE_MAN_QUERY_REMOTE_SHIFT);
432 while (((ce->flags >> CE_MAN_QUERY_REMOTE_SHIFT) & CE_MAN_QUERY_REMOTE_MASK)
433 == CE_MAN_QUERY_REMOTE_QUERY)
434 {
435 management_event_loop_n_seconds(management, 1);
436 if (IS_SIG(c))
437 {
438 ce_changed = false; /* connection entry have not been set */
439 break;
440 }
441 }
442 management->persist.special_state_msg = NULL;
443 }
444 gc_free(&gc);
445
446 if (ce_changed)
447 {
448 /* If it is likely a connection entry was modified,
449 * check what changed in the flags and that it was not skipped
450 */
451 const int flags = ((ce->flags >> CE_MAN_QUERY_REMOTE_SHIFT) & CE_MAN_QUERY_REMOTE_MASK);
452 ce_changed = (flags != CE_MAN_QUERY_REMOTE_SKIP);
453 }
454 return ce_changed;
455}
456#endif /* ENABLE_MANAGEMENT */
457
458/*
459 * Initialize and possibly randomize the connection list.
460 *
461 * Applies the Fisher-Yates shuffle algorithm to ensure all permutations
462 * are equally probable, thereby eliminating shuffling bias.
463 *
464 * The algorithm randomly selects an element from the unshuffled portion
465 * and places it at position i. There's only one way to obtain each
466 * permutation through these swaps. This guarantees that each permutation
467 * occurs with equal probability in theory.
468 */
469static void
470init_connection_list(struct context *c)
471{
472 struct connection_list *l = c->options.connection_list;
473
474 l->current = -1;
475 if (c->options.remote_random)
476 {
477 int i;
478 for (i = l->len - 1; i > 0; --i)
479 {
480 const int j = get_random() % (i + 1);
481 if (i != j)
482 {
483 struct connection_entry *tmp;
484 tmp = l->array[i];
485 l->array[i] = l->array[j];
486 l->array[j] = tmp;
487 }
488 }
489 }
490}
491
492/*
493 * Clear the remote address list
494 */
495static void
496clear_remote_addrlist(struct link_socket_addr *lsa, bool free)
497{
498 if (lsa->remote_list && free)
499 {
500 freeaddrinfo(lsa->remote_list);
501 }
502 lsa->remote_list = NULL;
503 lsa->current_remote = NULL;
504}
505
506/*
507 * Increment to next connection entry
508 */
509static void
510next_connection_entry(struct context *c)
511{
512 struct connection_list *l = c->options.connection_list;
513 bool ce_defined;
514 struct connection_entry *ce;
515 int n_cycles = 0;
516
517 do
518 {
519 ce_defined = true;
520 if (c->options.no_advance && l->current >= 0)
521 {
522 c->options.no_advance = false;
523 }
524 else
525 {
526 /* Check if there is another resolved address to try for
527 * the current connection */
528 if (c->c1.link_socket_addrs[0].current_remote
529 && c->c1.link_socket_addrs[0].current_remote->ai_next
530 && !c->options.advance_next_remote)
531 {
532 c->c1.link_socket_addrs[0].current_remote =
533 c->c1.link_socket_addrs[0].current_remote->ai_next;
534 }
535 else
536 {
537 c->options.advance_next_remote = false;
538 /* FIXME (schwabe) fix the persist-remote-ip option for real,
539 * this is broken probably ever since connection lists and multiple
540 * remote existed
541 */
542 if (!c->options.persist_remote_ip)
543 {
544 /* Connection entry addrinfo objects might have been
545 * resolved earlier but the entry itself might have been
546 * skipped by management on the previous loop.
547 * If so, clear the addrinfo objects as close_instance does
548 */
549 if (c->c1.link_socket_addrs[0].remote_list)
550 {
551 clear_remote_addrlist(&c->c1.link_socket_addrs[0],
552 !c->options.resolve_in_advance);
553 }
554
555 /* close_instance should have cleared the addrinfo objects */
556 ASSERT(c->c1.link_socket_addrs[0].current_remote == NULL);
557 ASSERT(c->c1.link_socket_addrs[0].remote_list == NULL);
558 }
559 else
560 {
561 c->c1.link_socket_addrs[0].current_remote =
562 c->c1.link_socket_addrs[0].remote_list;
563 }
564
565 int advance_count = 1;
566
567 /* If previous connection entry was skipped by management client
568 * with a count to advance by, apply it.
569 */
570 if (c->options.ce_advance_count > 0)
571 {
572 advance_count = c->options.ce_advance_count;
573 }
574
575 /*
576 * Increase the number of connection attempts
577 * If this is connect-retry-max * size(l)
578 * OpenVPN will quit
579 */
580
581 c->options.unsuccessful_attempts += advance_count;
582 l->current += advance_count;
583
584 if (l->current >= l->len)
585 {
586 l->current %= l->len;
587 if (++n_cycles >= 2)
588 {
589 msg(M_FATAL, "No usable connection profiles are present");
590 }
591 }
592 }
593 }
594
595 c->options.ce_advance_count = 1;
596 ce = l->array[l->current];
597
598 if (ce->flags & CE_DISABLED)
599 {
600 ce_defined = false;
601 }
602
603 c->options.ce = *ce;
604
605#ifdef ENABLE_MANAGEMENT
606 if (ce_defined && management && management_query_remote_enabled(management))
607 {
608 /* allow management interface to override connection entry details */
609 ce_defined = ce_management_query_remote(c);
610 if (IS_SIG(c))
611 {
612 break;
613 }
614 }
615 else if (ce_defined && management && management_query_proxy_enabled(management))
616 {
617 ce_defined = ce_management_query_proxy(c);
618 if (IS_SIG(c))
619 {
620 break;
621 }
622 }
623#endif
624 } while (!ce_defined);
625
626 /* Check if this connection attempt would bring us over the limit */
627 if (c->options.connect_retry_max > 0
628 && c->options.unsuccessful_attempts > (l->len * c->options.connect_retry_max))
629 {
630 msg(M_FATAL, "All connections have been connect-retry-max (%d) times unsuccessful, exiting",
631 c->options.connect_retry_max);
632 }
633 update_options_ce_post(&c->options);
634}
635
636/*
637 * Query for private key and auth-user-pass username/passwords
638 */
639void
640init_query_passwords(const struct context *c)
641{
642 /* Certificate password input */
643 if (c->options.key_pass_file)
644 {
645 pem_password_setup(c->options.key_pass_file);
646 }
647
648 /* Auth user/pass input */
649 if (c->options.auth_user_pass_file)
650 {
651 enable_auth_user_pass();
652#ifdef ENABLE_MANAGEMENT
653 auth_user_pass_setup(c->options.auth_user_pass_file, c->options.auth_user_pass_file_inline,
654 &c->options.sc_info);
655#else
656 auth_user_pass_setup(c->options.auth_user_pass_file, c->options.auth_user_pass_file_inline,
657 NULL);
658#endif
659 }
660}
661
662/*
663 * Initialize/Uninitialize HTTP or SOCKS proxy
664 */
665
666static void
667uninit_proxy_dowork(struct context *c)
668{
669 if (c->c1.http_proxy_owned && c->c1.http_proxy)
670 {
671 http_proxy_close(c->c1.http_proxy);
672 c->c1.http_proxy = NULL;
673 c->c1.http_proxy_owned = false;
674 }
675 if (c->c1.socks_proxy_owned && c->c1.socks_proxy)
676 {
677 socks_proxy_close(c->c1.socks_proxy);
678 c->c1.socks_proxy = NULL;
679 c->c1.socks_proxy_owned = false;
680 }
681}
682
683static void
684init_proxy_dowork(struct context *c)
685{
686 bool did_http = false;
687
688 uninit_proxy_dowork(c);
689
690 if (c->options.ce.http_proxy_options)
691 {
692 c->options.ce.http_proxy_options->first_time = c->first_time;
693
694 /* Possible HTTP proxy user/pass input */
695 c->c1.http_proxy = http_proxy_new(c->options.ce.http_proxy_options);
696 if (c->c1.http_proxy)
697 {
698 did_http = true;
699 c->c1.http_proxy_owned = true;
700 }
701 }
702
703 if (!did_http && c->options.ce.socks_proxy_server)
704 {
705 c->c1.socks_proxy =
706 socks_proxy_new(c->options.ce.socks_proxy_server, c->options.ce.socks_proxy_port,
707 c->options.ce.socks_proxy_authfile);
708 if (c->c1.socks_proxy)
709 {
710 c->c1.socks_proxy_owned = true;
711 }
712 }
713}
714
715static void
716init_proxy(struct context *c)
717{
718 init_proxy_dowork(c);
719}
720
721static void
722uninit_proxy(struct context *c)
723{
724 uninit_proxy_dowork(c);
725}
726
727static void
733
734void
735context_init_1(struct context *c)
736{
737 context_clear_1(c);
738
739 packet_id_persist_init(&c->c1.pid_persist);
740
741 init_connection_list(c);
742
743 c->c1.link_sockets_num = c->options.ce.local_list->len;
744
745 do_link_socket_addr_new(c);
746
747#if defined(ENABLE_PKCS11)
748 if (c->first_time)
749 {
750 int i;
751 pkcs11_initialize(true, c->options.pkcs11_pin_cache_period);
752 for (i = 0; i < MAX_PARMS && c->options.pkcs11_providers[i] != NULL; i++)
753 {
754 pkcs11_addProvider(
755 c->options.pkcs11_providers[i], c->options.pkcs11_protected_authentication[i],
756 c->options.pkcs11_private_mode[i], c->options.pkcs11_cert_private[i]);
757 }
758 }
759#endif
760
761#if 0 /* test get_user_pass with GET_USER_PASS_NEED_OK flag */
762 {
763 /*
764 * In the management interface, you can okay the request by entering "needok token-insertion-request ok"
765 */
766 struct user_pass up;
767 CLEAR(up);
768 strcpy(up.username, "Please insert your cryptographic token"); /* put the high-level message in up.username */
769 get_user_pass(&up, NULL, "token-insertion-request", GET_USER_PASS_MANAGEMENT|GET_USER_PASS_NEED_OK);
770 msg(M_INFO, "RET:%s", up.password); /* will return the third argument to management interface
771 * 'needok' command, usually 'ok' or 'cancel'. */
772 }
773#endif
774
775#ifdef ENABLE_SYSTEMD
776 /* We can report the PID via getpid() to systemd here as OpenVPN will not
777 * do any fork due to daemon() a future call.
778 * See possibly_become_daemon() [init.c] for more details.
779 */
780 sd_notifyf(0, "READY=1\nSTATUS=Pre-connection initialization successful\nMAINPID=%lu",
781 (unsigned long)getpid());
782#endif
783}
784
785void
786context_gc_free(struct context *c)
787{
788 gc_free(&c->c2.gc);
789 gc_free(&c->options.gc);
790 gc_free(&c->gc);
791}
792
793#if PORT_SHARE
794
795static void
796close_port_share(void)
797{
798 if (port_share)
799 {
800 port_share_close(port_share);
801 port_share = NULL;
802 }
803}
804
805static void
806init_port_share(struct context *c)
807{
808 if (!port_share && (c->options.port_share_host && c->options.port_share_port))
809 {
810 port_share =
811 port_share_open(c->options.port_share_host, c->options.port_share_port,
812 c->c2.frame.buf.payload_size, c->options.port_share_journal_dir);
813 if (port_share == NULL)
814 {
815 msg(M_FATAL, "Fatal error: Port sharing failed");
816 }
817 }
818}
819
820#endif /* if PORT_SHARE */
821
822
823bool
824init_static(void)
825{
826#if defined(DMALLOC)
827 crypto_init_dmalloc();
828#endif
829
830
831 /*
832 * Initialize random number seed. random() is only used
833 * when "weak" random numbers are acceptable.
834 * SSL library routines are always used when cryptographically
835 * strong random numbers are required.
836 */
837 struct timeval tv;
838 if (!gettimeofday(&tv, NULL))
839 {
840 const unsigned int seed = (unsigned int)tv.tv_sec ^ tv.tv_usec;
841 srandom(seed);
842 }
843
844 error_reset(); /* initialize error.c */
845 reset_check_status(); /* initialize status check code in socket.c */
846
847#ifdef _WIN32
848 init_win32();
849#endif
850
851#ifdef OPENVPN_DEBUG_COMMAND_LINE
852 {
853 int i;
854 for (i = 0; i < argc; ++i)
855 {
856 msg(M_INFO, "argv[%d] = '%s'", i, argv[i]);
857 }
858 }
859#endif
860
861 update_time();
862
863 init_ssl_lib();
864
865#ifdef SCHEDULE_TEST
866 schedule_test();
867 return false;
868#endif
869
870#ifdef IFCONFIG_POOL_TEST
871 ifconfig_pool_test(0x0A010004, 0x0A0100FF);
872 return false;
873#endif
874
875#ifdef TIME_TEST
876 time_test();
877 return false;
878#endif
879
880#ifdef GEN_PATH_TEST
881 {
882 struct gc_arena gc = gc_new();
883 const char *fn = gen_path("foo", "bar", &gc);
884 printf("%s\n", fn);
885 gc_free(&gc);
886 }
887 return false;
888#endif
889
890#ifdef STATUS_PRINTF_TEST
891 {
892 struct gc_arena gc = gc_new();
893 const char *tmp_file = platform_create_temp_file("/tmp", "foo", &gc);
894 struct status_output *so = status_open(tmp_file, 0, -1, NULL, STATUS_OUTPUT_WRITE);
895 status_printf(so, "%s", "foo");
896 status_printf(so, "%s", "bar");
897 if (!status_close(so))
898 {
899 msg(M_WARN, "STATUS_PRINTF_TEST: %s: write error", tmp_file);
900 }
901 gc_free(&gc);
902 }
903 return false;
904#endif
905
906#ifdef MSTATS_TEST
907 {
908 int i;
909 mstats_open("/dev/shm/mstats.dat");
910 for (i = 0; i < 30; ++i)
911 {
912 mmap_stats->n_clients += 1;
913 mmap_stats->link_write_bytes += 8;
914 mmap_stats->link_read_bytes += 16;
915 sleep(1);
916 }
917 mstats_close();
918 return false;
919 }
920#endif
921
922 return true;
923}
924
925void
926uninit_static(void)
927{
928 free_ssl_lib();
929
930#ifdef ENABLE_PKCS11
931 pkcs11_terminate();
932#endif
933
934#if PORT_SHARE
935 close_port_share();
936#endif
937
938#if defined(MEASURE_TLS_HANDSHAKE_STATS)
939 show_tls_performance_stats();
940#endif
941}
942
943void
944init_verb_mute(struct context *c, unsigned int flags)
945{
946 if (flags & IVM_LEVEL_1)
947 {
948 /* set verbosity and mute levels */
949 set_check_status(D_LINK_ERRORS, D_READ_WRITE);
950 set_debug_level(c->options.verbosity, SDL_CONSTRAIN);
951 set_mute_cutoff(c->options.mute);
952 }
953
954 /* special D_LOG_RW mode */
955 if (flags & IVM_LEVEL_2)
956 {
957 c->c2.log_rw = (check_debug_level(D_LOG_RW) && !check_debug_level(D_LOG_RW + 1));
958 }
959}
960
961/*
962 * Possibly set --dev based on --dev-node.
963 * For example, if --dev-node /tmp/foo/tun, and --dev undefined,
964 * set --dev to tun.
965 */
966void
967init_options_dev(struct options *options)
968{
969 if (!options->dev && options->dev_node)
970 {
971 /* POSIX basename() implementations may modify its arguments */
972 char *dev_node = string_alloc(options->dev_node, NULL);
973 options->dev = basename(dev_node);
974 }
975}
976
977bool
978print_openssl_info(const struct options *options)
979{
980 /*
981 * OpenSSL info print mode?
982 */
983 if (options->show_ciphers || options->show_digests || options->show_engines
984 || options->show_tls_ciphers || options->show_curves)
985 {
986 if (options->show_ciphers)
987 {
988 show_available_ciphers();
989 }
990 if (options->show_digests)
991 {
992 show_available_digests();
993 }
994 if (options->show_engines)
995 {
996 show_available_engines();
997 }
998 if (options->show_tls_ciphers)
999 {
1000 show_available_tls_ciphers(options->cipher_list, options->cipher_list_tls13,
1001 options->tls_cert_profile);
1002 }
1003 if (options->show_curves)
1004 {
1005 show_available_curves();
1006 }
1007 return true;
1008 }
1009 return false;
1010}
1011
1012/*
1013 * Static pre-shared key generation mode?
1014 */
1015bool
1016do_genkey(const struct options *options)
1017{
1018 /* should we disable paging? */
1019 if (options->mlock && (options->genkey))
1020 {
1021 platform_mlockall(true);
1022 }
1023
1024 /*
1025 * We do not want user to use --genkey with --secret. In the transistion
1026 * phase we for secret.
1027 */
1028 if (options->genkey && options->genkey_type != GENKEY_SECRET && options->shared_secret_file)
1029 {
1030 msg(M_USAGE, "Using --genkey type with --secret filename is "
1031 "not supported. Use --genkey type filename instead.");
1032 }
1033 if (options->genkey && options->genkey_type == GENKEY_SECRET)
1034 {
1035 int nbits_written;
1036 const char *genkey_filename = options->genkey_filename;
1037 if (options->shared_secret_file && options->genkey_filename)
1038 {
1039 msg(M_USAGE, "You must provide a filename to either --genkey "
1040 "or --secret, not both");
1041 }
1042
1043 /*
1044 * Copy filename from shared_secret_file to genkey_filename to support
1045 * the old --genkey --secret foo.file syntax.
1046 */
1047 if (options->shared_secret_file)
1048 {
1049 msg(M_WARN, "WARNING: Using --genkey --secret filename is "
1050 "DEPRECATED. Use --genkey secret filename instead.");
1051 genkey_filename = options->shared_secret_file;
1052 }
1053
1054 nbits_written = write_key_file(2, genkey_filename);
1055 if (nbits_written < 0)
1056 {
1057 msg(M_FATAL, "Failed to write key file");
1058 }
1059
1060 msg(D_GENKEY | M_NOPREFIX, "Randomly generated %d bit key written to %s", nbits_written,
1061 options->shared_secret_file);
1062 return true;
1063 }
1064 else if (options->genkey && options->genkey_type == GENKEY_TLS_CRYPTV2_SERVER)
1065 {
1066 tls_crypt_v2_write_server_key_file(options->genkey_filename);
1067 return true;
1068 }
1069 else if (options->genkey && options->genkey_type == GENKEY_TLS_CRYPTV2_CLIENT)
1070 {
1071 if (!options->tls_crypt_v2_file)
1072 {
1073 msg(M_USAGE,
1074 "--genkey tls-crypt-v2-client requires a server key to be set via --tls-crypt-v2 to create a client key");
1075 }
1076
1077 tls_crypt_v2_write_client_key_file(options->genkey_filename, options->genkey_extra_data,
1078 options->tls_crypt_v2_file,
1079 options->tls_crypt_v2_file_inline);
1080 return true;
1081 }
1082 else if (options->genkey && options->genkey_type == GENKEY_AUTH_TOKEN)
1083 {
1084 auth_token_write_server_key_file(options->genkey_filename);
1085 return true;
1086 }
1087 else
1088 {
1089 return false;
1090 }
1091}
1092
1093/*
1094 * Persistent TUN/TAP device management mode?
1095 */
1096bool
1097do_persist_tuntap(struct options *options, openvpn_net_ctx_t *ctx)
1098{
1099 if (!options->persist_config)
1100 {
1101 return false;
1102 }
1103
1104 /* sanity check on options for --mktun or --rmtun */
1105 notnull(options->dev, "TUN/TAP device (--dev)");
1106 if (options->ce.remote || options->ifconfig_local || options->ifconfig_remote_netmask
1107 || options->shared_secret_file || options->tls_server || options->tls_client)
1108 {
1109 msg(M_FATAL | M_OPTERR,
1110 "options --mktun or --rmtun should only be used together with --dev");
1111 }
1112
1113#if defined(ENABLE_DCO)
1114 if (dco_enabled(options))
1115 {
1116 /* creating a DCO interface via --mktun is not supported as it does not
1117 * make much sense. Since DCO is enabled by default, people may run into
1118 * this without knowing, therefore this case should be properly handled.
1119 *
1120 * Disable DCO if --mktun was provided and print a message to let
1121 * user know.
1122 */
1123 if (dev_type_enum(options->dev, options->dev_type) == DEV_TYPE_TUN)
1124 {
1125 msg(M_WARN, "Note: --mktun does not support DCO. Creating TUN interface.");
1126 }
1127
1128 options->disable_dco = true;
1129 }
1130#endif
1131
1132#ifdef ENABLE_FEATURE_TUN_PERSIST
1133 tuncfg(options->dev, options->dev_type, options->dev_node, options->persist_mode,
1134 options->username, options->groupname, &options->tuntap_options, ctx);
1135 if (options->persist_mode && options->lladdr)
1136 {
1137 set_lladdr(ctx, options->dev, options->lladdr, NULL);
1138 }
1139 return true;
1140#else /* ifdef ENABLE_FEATURE_TUN_PERSIST */
1141 msg(M_FATAL | M_OPTERR,
1142 "options --mktun and --rmtun are not available on your operating "
1143 "system. Please check 'man tun' (or 'tap'), whether your system "
1144 "supports using 'ifconfig %s create' / 'destroy' to create/remove "
1145 "persistent tunnel interfaces.",
1146 options->dev);
1147#endif
1148 return false;
1149}
1150
1151/*
1152 * Should we become a daemon?
1153 * Return true if we did it.
1154 */
1155bool
1156possibly_become_daemon(const struct options *options)
1157{
1158 bool ret = false;
1159
1160#ifdef ENABLE_SYSTEMD
1161 /* return without forking if we are running from systemd */
1162 if (sd_notify(0, "READY=0") > 0)
1163 {
1164 return ret;
1165 }
1166#endif
1167
1168 if (options->daemon)
1169 {
1170 /* Don't chdir immediately, but the end of the init sequence, if needed */
1171
1172#if defined(__APPLE__) && defined(__clang__)
1173#pragma clang diagnostic push
1174#pragma clang diagnostic ignored "-Wdeprecated-declarations"
1175#endif
1176 if (daemon(1, options->log) < 0)
1177 {
1178 msg(M_ERR, "daemon() failed or unsupported");
1179 }
1180#if defined(__APPLE__) && defined(__clang__)
1181#pragma clang diagnostic pop
1182#endif
1183 restore_signal_state();
1184 if (options->log)
1185 {
1186 set_std_files_to_null(true);
1187 }
1188
1189 ret = true;
1190 }
1191 return ret;
1192}
1193
1194/*
1195 * Actually do UID/GID downgrade, chroot and SELinux context switching, if requested.
1196 */
1197static void
1198do_uid_gid_chroot(struct context *c, bool no_delay)
1199{
1200 static const char why_not[] = "will be delayed because of --client, --pull, or --up-delay";
1201 struct context_0 *c0 = c->c0;
1202
1203 if (c0 && !c0->uid_gid_chroot_set)
1204 {
1205 /* chroot if requested */
1206 if (c->options.chroot_dir)
1207 {
1208 if (no_delay)
1209 {
1210 platform_chroot(c->options.chroot_dir);
1211 }
1212 else if (c->first_time)
1213 {
1214 msg(M_INFO, "NOTE: chroot %s", why_not);
1215 }
1216 }
1217
1218 /* set user and/or group if we want to setuid/setgid */
1219 if (c0->uid_gid_specified)
1220 {
1221 if (no_delay)
1222 {
1223 platform_user_group_set(&c0->platform_state_user, &c0->platform_state_group, c);
1224 }
1225 else if (c->first_time)
1226 {
1227 msg(M_INFO, "NOTE: UID/GID downgrade %s", why_not);
1228 }
1229 }
1230
1231#ifdef ENABLE_MEMSTATS
1232 if (c->first_time && c->options.memstats_fn)
1233 {
1234 mstats_open(c->options.memstats_fn);
1235 }
1236#endif
1237
1238#ifdef ENABLE_SELINUX
1239 /* Apply a SELinux context in order to restrict what OpenVPN can do
1240 * to _only_ what it is supposed to do after initialization is complete
1241 * (basically just network I/O operations). Doing it after chroot
1242 * requires /proc to be mounted in the chroot (which is annoying indeed
1243 * but doing it before requires more complex SELinux policies.
1244 */
1245 if (c->options.selinux_context)
1246 {
1247 if (no_delay)
1248 {
1249 if (-1 == setcon(c->options.selinux_context))
1250 {
1251 msg(M_ERR, "setcon to '%s' failed; is /proc accessible?",
1252 c->options.selinux_context);
1253 }
1254 else
1255 {
1256 msg(M_INFO, "setcon to '%s' succeeded", c->options.selinux_context);
1257 }
1258 }
1259 else if (c->first_time)
1260 {
1261 msg(M_INFO, "NOTE: setcon %s", why_not);
1262 }
1263 }
1264#endif
1265
1266 /* Privileges are going to be dropped by now (if requested), be sure
1267 * to prevent any future privilege dropping attempts from now on.
1268 */
1269 if (no_delay)
1270 {
1271 c0->uid_gid_chroot_set = true;
1272 }
1273 }
1274}
1275
1276/*
1277 * Return common name in a way that is formatted for
1278 * prepending to msg() output.
1279 */
1280const char *
1281format_common_name(struct context *c, struct gc_arena *gc)
1282{
1283 struct buffer out = alloc_buf_gc(256, gc);
1284 if (c->c2.tls_multi)
1285 {
1286 buf_printf(&out, "[%s] ", tls_common_name(c->c2.tls_multi, false));
1287 }
1288 return BSTR(&out);
1289}
1290
1291void
1292pre_setup(const struct options *options)
1293{
1294#ifdef _WIN32
1295 if (options->exit_event_name)
1296 {
1297 win32_signal_open(&win32_signal, WSO_FORCE_SERVICE, options->exit_event_name,
1298 options->exit_event_initial_state);
1299 }
1300 else
1301 {
1302 win32_signal_open(&win32_signal, WSO_FORCE_CONSOLE, NULL, false);
1303
1304 /* put a title on the top window bar */
1305 if (win32_signal.mode == WSO_MODE_CONSOLE)
1306 {
1307 window_title_save(&window_title);
1308 window_title_generate(options->config);
1309 }
1310 }
1311#endif /* ifdef _WIN32 */
1312}
1313
1314void
1315reset_coarse_timers(struct context *c)
1316{
1317 c->c2.coarse_timer_wakeup = 0;
1318}
1319
1320/*
1321 * Initialise the server poll timeout timer
1322 * This timer is used in the http/socks proxy setup so it needs to be setup
1323 * before
1324 */
1325static void
1326do_init_server_poll_timeout(struct context *c)
1327{
1328 update_time();
1329 if (c->options.ce.connect_timeout)
1330 {
1331 event_timeout_init(&c->c2.server_poll_interval, c->options.ce.connect_timeout, now);
1332 }
1333}
1334
1335/*
1336 * Initialize timers
1337 */
1338static void
1339do_init_timers(struct context *c, bool deferred)
1340{
1341 update_time();
1342 reset_coarse_timers(c);
1343
1344 /* initialize inactivity timeout */
1345 if (c->options.inactivity_timeout)
1346 {
1347 event_timeout_init(&c->c2.inactivity_interval, c->options.inactivity_timeout, now);
1348 }
1349
1350 /* initialize inactivity timeout */
1351 if (c->options.session_timeout)
1352 {
1353 event_timeout_init(&c->c2.session_interval, c->options.session_timeout, now);
1354 }
1355
1356 /* initialize pings */
1357 if (dco_enabled(&c->options))
1358 {
1359 /* The DCO kernel module will send the pings instead of user space */
1360 event_timeout_clear(&c->c2.ping_rec_interval);
1361 event_timeout_clear(&c->c2.ping_send_interval);
1362 }
1363 else
1364 {
1365 if (c->options.ping_send_timeout)
1366 {
1367 event_timeout_init(&c->c2.ping_send_interval, c->options.ping_send_timeout, 0);
1368 }
1369
1370 if (c->options.ping_rec_timeout)
1371 {
1372 event_timeout_init(&c->c2.ping_rec_interval, c->options.ping_rec_timeout, now);
1373 }
1374 }
1375
1376 /* If the auth-token renewal interval is shorter than reneg-sec, arm
1377 * "auth-token renewal" timer to send additional auth-token to update the
1378 * token on the client more often. If not, this happens automatically
1379 * at renegotiation time, without needing an extra event.
1380 */
1381 if (c->options.auth_token_generate
1382 && c->options.auth_token_renewal < c->options.renegotiate_seconds)
1383 {
1384 event_timeout_init(&c->c2.auth_token_renewal_interval, c->options.auth_token_renewal, now);
1385 }
1386
1387 if (!deferred)
1388 {
1389 /* initialize connection establishment timer */
1390 event_timeout_init(&c->c2.wait_for_connect, 1, now);
1391
1392 /* initialize occ timers */
1393
1394 if (c->options.occ && !TLS_MODE(c) && c->c2.options_string_local
1395 && c->c2.options_string_remote)
1396 {
1397 event_timeout_init(&c->c2.occ_interval, OCC_INTERVAL_SECONDS, now);
1398 }
1399
1400 if (c->options.mtu_test)
1401 {
1402 event_timeout_init(&c->c2.occ_mtu_load_test_interval, OCC_MTU_LOAD_INTERVAL_SECONDS,
1403 now);
1404 }
1405
1406 /* initialize packet_id persistence timer */
1407 if (c->options.packet_id_file)
1408 {
1409 event_timeout_init(&c->c2.packet_id_persist_interval, 60, now);
1410 }
1411
1412 /* initialize tmp_int optimization that limits the number of times we call
1413 * tls_multi_process in the main event loop */
1414 interval_init(&c->c2.tmp_int, TLS_MULTI_HORIZON, TLS_MULTI_REFRESH);
1415 }
1416}
1417
1418/*
1419 * Initialize traffic shaper.
1420 */
1421static void
1422do_init_traffic_shaper(struct context *c)
1423{
1424 /* initialize traffic shaper (i.e. transmit bandwidth limiter) */
1425 if (c->options.shaper)
1426 {
1427 shaper_init(&c->c2.shaper, c->options.shaper);
1428 shaper_msg(&c->c2.shaper);
1429 }
1430}
1431
1432/*
1433 * Allocate route list structures for IPv4 and IPv6
1434 * (we do this for IPv4 even if no --route option has been seen, as other
1435 * parts of OpenVPN might want to fill the route-list with info, e.g. DHCP)
1436 */
1437static void
1438do_alloc_route_list(struct context *c)
1439{
1440 if (!c->c1.route_list)
1441 {
1442 ALLOC_OBJ_CLEAR_GC(c->c1.route_list, struct route_list, &c->gc);
1443 }
1444 if (c->options.routes_ipv6 && !c->c1.route_ipv6_list)
1445 {
1446 ALLOC_OBJ_CLEAR_GC(c->c1.route_ipv6_list, struct route_ipv6_list, &c->gc);
1447 }
1448}
1449
1450
1451/*
1452 * Initialize the route list, resolving any DNS names in route
1453 * options and saving routes in the environment.
1454 */
1455static void
1456do_init_route_list(const struct options *options, struct route_list *route_list,
1457 const struct link_socket_info *link_socket_info, struct env_set *es,
1458 openvpn_net_ctx_t *ctx)
1459{
1460 const char *gw = NULL;
1461 int dev = dev_type_enum(options->dev, options->dev_type);
1462 int metric = 0;
1463
1464 /* if DCO is enabled we have both regular routes and iroutes in the system
1465 * routing table, and normal routes must have a higher metric for that to
1466 * work so that iroutes are always matched first
1467 */
1468 if (dco_enabled(options))
1469 {
1470 metric = DCO_DEFAULT_METRIC;
1471 }
1472
1473 if (dev == DEV_TYPE_TUN && (options->topology == TOP_NET30 || options->topology == TOP_P2P))
1474 {
1475 gw = options->ifconfig_remote_netmask;
1476 }
1477 if (options->route_default_gateway)
1478 {
1479 gw = options->route_default_gateway;
1480 }
1481 if (options->route_default_metric)
1482 {
1483 metric = options->route_default_metric;
1484 }
1485
1486 if (init_route_list(route_list, options->routes, gw, metric,
1487 link_socket_current_remote(link_socket_info), es, ctx))
1488 {
1489 /* copy routes to environment */
1490 setenv_routes(es, route_list);
1491 }
1492}
1493
1494static void
1495do_init_route_ipv6_list(const struct options *options, struct route_ipv6_list *route_ipv6_list,
1496 const struct link_socket_info *link_socket_info, struct env_set *es,
1497 openvpn_net_ctx_t *ctx)
1498{
1499 const char *gw = NULL;
1500 int metric = -1; /* no metric set */
1501
1502 /* see explanation in do_init_route_list() */
1503 if (dco_enabled(options))
1504 {
1505 metric = DCO_DEFAULT_METRIC;
1506 }
1507
1508 gw = options->ifconfig_ipv6_remote; /* default GW = remote end */
1509 if (options->route_ipv6_default_gateway)
1510 {
1511 gw = options->route_ipv6_default_gateway;
1512 }
1513
1514 if (options->route_default_metric)
1515 {
1516 metric = options->route_default_metric;
1517 }
1518
1519 /* redirect (IPv6) gateway to VPN? if yes, add a few more specifics
1520 */
1521 if (options->routes_ipv6->flags & RG_REROUTE_GW)
1522 {
1523 char *opt_list[] = { "::/3", "2000::/4", "3000::/4", "fc00::/7", NULL };
1524 int i;
1525
1526 for (i = 0; opt_list[i]; i++)
1527 {
1528 add_route_ipv6_to_option_list(options->routes_ipv6,
1529 string_alloc(opt_list[i], options->routes_ipv6->gc), NULL,
1530 NULL, options->route_default_table_id);
1531 }
1532 }
1533
1534 if (init_route_ipv6_list(route_ipv6_list, options->routes_ipv6, gw, metric,
1535 link_socket_current_remote_ipv6(link_socket_info), es, ctx))
1536 {
1537 /* copy routes to environment */
1538 setenv_routes_ipv6(es, route_ipv6_list);
1539 }
1540}
1541
1542
1543/*
1544 * Called after all initialization has been completed.
1545 */
1546void
1547initialization_sequence_completed(struct context *c, const unsigned int flags)
1548{
1549 static const char message[] = "Initialization Sequence Completed";
1550
1551 /* Reset the unsuccessful connection counter on complete initialisation */
1552 c->options.unsuccessful_attempts = 0;
1553
1554 /* If we delayed UID/GID downgrade or chroot, do it now */
1555 do_uid_gid_chroot(c, true);
1556
1557 /* Test if errors */
1558 if (flags & ISC_ERRORS)
1559 {
1560#ifdef _WIN32
1561 show_routes(M_INFO | M_NOPREFIX);
1562 show_adapters(M_INFO | M_NOPREFIX);
1563 msg(M_INFO, "%s With Errors ( see http://openvpn.net/faq.html#dhcpclientserv )", message);
1564#else
1565#ifdef ENABLE_SYSTEMD
1566 sd_notifyf(0, "STATUS=Failed to start up: %s With Errors\nERRNO=1", message);
1567#endif /* HAVE_SYSTEMD_SD_DAEMON_H */
1568 msg(M_INFO, "%s With Errors", message);
1569#endif
1570 }
1571 else
1572 {
1573#ifdef ENABLE_SYSTEMD
1574 sd_notifyf(0, "STATUS=%s", message);
1575#endif
1576 msg(M_INFO, "%s", message);
1577 }
1578
1579 /* Flag that we initialized */
1580 if ((flags & (ISC_ERRORS | ISC_SERVER)) == 0)
1581 {
1582 c->options.no_advance = true;
1583 }
1584
1585#ifdef _WIN32
1586 fork_register_dns_action(c->c1.tuntap);
1587#endif
1588
1589#ifdef ENABLE_MANAGEMENT
1590 /* Tell management interface that we initialized */
1591 if (management)
1592 {
1593 in_addr_t *tun_local = NULL;
1594 struct in6_addr *tun_local6 = NULL;
1595 struct openvpn_sockaddr local, remote;
1596 struct link_socket_actual *actual;
1597 socklen_t sa_len = sizeof(local);
1598 const char *detail = "SUCCESS";
1599 if (flags & ISC_ERRORS)
1600 {
1601 detail = "ERROR";
1602 }
1603 /* Flag route error only on platforms where trivial "already exists" errors
1604 * are filtered out. Currently this is the case on Windows or if usng netlink.
1605 */
1606#if defined(_WIN32) || defined(ENABLE_SITNL)
1607 else if (flags & ISC_ROUTE_ERRORS)
1608 {
1609 detail = "ROUTE_ERROR";
1610 }
1611#endif
1612
1613 CLEAR(local);
1614 actual = &get_link_socket_info(c)->lsa->actual;
1615 remote = actual->dest;
1616 getsockname(c->c2.link_sockets[0]->sd, &local.addr.sa, &sa_len);
1617#if ENABLE_IP_PKTINFO
1618 if (!addr_defined(&local))
1619 {
1620 switch (local.addr.sa.sa_family)
1621 {
1622 case AF_INET:
1623#if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST)
1624 local.addr.in4.sin_addr = actual->pi.in4.ipi_spec_dst;
1625#else
1626 local.addr.in4.sin_addr = actual->pi.in4;
1627#endif
1628 break;
1629
1630 case AF_INET6:
1631 local.addr.in6.sin6_addr = actual->pi.in6.ipi6_addr;
1632 break;
1633 }
1634 }
1635#endif
1636
1637 if (c->c1.tuntap)
1638 {
1639 tun_local = &c->c1.tuntap->local;
1640 tun_local6 = &c->c1.tuntap->local_ipv6;
1641 }
1642 management_set_state(management, OPENVPN_STATE_CONNECTED, detail, tun_local, tun_local6,
1643 &local, &remote);
1644 if (tun_local)
1645 {
1646 management_post_tunnel_open(management, *tun_local);
1647 }
1648 }
1649#endif /* ifdef ENABLE_MANAGEMENT */
1650}
1651
1656static bool
1657route_noexec_enabled(const struct options *o, const struct tuntap *tt)
1658{
1659 return o->route_noexec || (tt && tt->backend_driver == DRIVER_AFUNIX)
1660 || (tt && tt->backend_driver == DRIVER_NULL);
1661}
1662
1663/*
1664 * Possibly add routes and/or call route-up script
1665 * based on options.
1666 */
1667bool
1668do_route(const struct options *options, struct route_list *route_list,
1669 struct route_ipv6_list *route_ipv6_list, const struct tuntap *tt,
1670 const struct plugin_list *plugins, struct env_set *es, openvpn_net_ctx_t *ctx)
1671{
1672 bool ret = true;
1673 if (!route_noexec_enabled(options, tt) && (route_list || route_ipv6_list))
1674 {
1675 ret = add_routes(route_list, route_ipv6_list, tt, ROUTE_OPTION_FLAGS(options), es, ctx);
1676 setenv_int(es, "redirect_gateway", route_did_redirect_default_gateway(route_list));
1677 }
1678#ifdef ENABLE_MANAGEMENT
1679 if (management)
1680 {
1681 management_up_down(management, "UP", es);
1682 }
1683#endif
1684
1685 if (plugin_defined(plugins, OPENVPN_PLUGIN_ROUTE_UP))
1686 {
1687 if (plugin_call(plugins, OPENVPN_PLUGIN_ROUTE_UP, NULL, NULL, es)
1688 != OPENVPN_PLUGIN_FUNC_SUCCESS)
1689 {
1690 msg(M_WARN, "WARNING: route-up plugin call failed");
1691 }
1692 }
1693
1694 if (options->route_script)
1695 {
1696 struct argv argv = argv_new();
1697 setenv_str(es, "script_type", "route-up");
1698 argv_parse_cmd(&argv, options->route_script);
1699 openvpn_run_script(&argv, es, 0, "--route-up");
1700 argv_free(&argv);
1701 }
1702
1703#ifdef _WIN32
1704 if (options->show_net_up)
1705 {
1706 show_routes(M_INFO | M_NOPREFIX);
1707 show_adapters(M_INFO | M_NOPREFIX);
1708 }
1709 else if (check_debug_level(D_SHOW_NET))
1710 {
1711 show_routes(D_SHOW_NET | M_NOPREFIX);
1712 show_adapters(D_SHOW_NET | M_NOPREFIX);
1713 }
1714#endif
1715 return ret;
1716}
1717
1718/*
1719 * initialize tun/tap device object
1720 */
1721static void
1722do_init_tun(struct context *c)
1723{
1724 c->c1.tuntap = init_tun(c->options.dev, c->options.dev_type, c->options.topology,
1725 c->options.ifconfig_local, c->options.ifconfig_remote_netmask,
1726 c->options.ifconfig_ipv6_local, c->options.ifconfig_ipv6_netbits,
1727 c->options.ifconfig_ipv6_remote, c->c1.link_socket_addrs[0].bind_local,
1728 c->c1.link_socket_addrs[0].remote_list, !c->options.ifconfig_nowarn,
1729 c->c2.es, &c->net_ctx, c->c1.tuntap);
1730
1731 if (is_tun_afunix(c->options.dev_node))
1732 {
1733 /* Using AF_UNIX trumps using DCO */
1734 c->c1.tuntap->backend_driver = DRIVER_AFUNIX;
1735 }
1736 else if (is_dev_type(c->options.dev, c->options.dev_type, "null"))
1737 {
1738 c->c1.tuntap->backend_driver = DRIVER_NULL;
1739 }
1740#ifdef _WIN32
1741 else
1742 {
1743 c->c1.tuntap->backend_driver = c->options.windows_driver;
1744 }
1745#else
1746 else if (dco_enabled(&c->options))
1747 {
1748 c->c1.tuntap->backend_driver = DRIVER_DCO;
1749 }
1750 else
1751 {
1752 c->c1.tuntap->backend_driver = DRIVER_GENERIC_TUNTAP;
1753 }
1754#endif
1755
1756 init_tun_post(c->c1.tuntap, &c->c2.frame, &c->options.tuntap_options);
1757
1758 c->c1.tuntap_owned = true;
1759}
1760
1761/*
1762 * Open tun/tap device, ifconfig, call up script, etc.
1763 */
1764
1765
1766static bool
1767can_preserve_tun(struct tuntap *tt)
1768{
1769 if (tt && tt->backend_driver == DRIVER_AFUNIX)
1770 {
1771 return false;
1772 }
1773#ifdef TARGET_ANDROID
1774 return false;
1775#else
1776 return is_tun_type_set(tt);
1777#endif
1778}
1779
1788static void
1789add_wfp_block(struct context *c)
1790{
1791#if defined(_WIN32)
1792 /* Fortify 'redirect-gateway block-local' with firewall rules? */
1793 bool block_local = block_local_needed(c->c1.route_list);
1794
1795 if (c->options.block_outside_dns || block_local)
1796 {
1797 BOOL dns_only = !block_local;
1798 if (!win_wfp_block(c->c1.tuntap->adapter_index, c->options.msg_channel, dns_only))
1799 {
1800 msg(M_FATAL, "WFP: initialization failed");
1801 }
1802 }
1803#endif
1804}
1805
1814static void
1815del_wfp_block(struct context *c, unsigned long adapter_index)
1816{
1817#if defined(_WIN32)
1818 if (c->options.block_outside_dns || block_local_needed(c->c1.route_list))
1819 {
1820 if (!win_wfp_uninit(adapter_index, c->options.msg_channel))
1821 {
1822 msg(M_FATAL, "WFP: deinitialization failed");
1823 }
1824 }
1825#endif
1826}
1827
1833static bool
1834ifconfig_noexec_enabled(const struct context *c)
1835{
1836 return c->options.ifconfig_noexec
1837 || (c->c1.tuntap && c->c1.tuntap->backend_driver == DRIVER_AFUNIX)
1838 || (c->c1.tuntap && c->c1.tuntap->backend_driver == DRIVER_NULL);
1839}
1840
1841static void
1842open_tun_backend(struct context *c)
1843{
1844 struct tuntap *tt = c->c1.tuntap;
1845
1846 if (tt->backend_driver == DRIVER_NULL)
1847 {
1848 open_tun_null(c->c1.tuntap);
1849 }
1850 else if (tt->backend_driver == DRIVER_AFUNIX)
1851 {
1852 open_tun_afunix(&c->options, c->c2.frame.tun_mtu, tt, c->c2.es);
1853 }
1854 else
1855 {
1856 open_tun(c->options.dev, c->options.dev_type, c->options.dev_node, tt, &c->net_ctx);
1857 }
1858 msg(M_INFO, "%s device [%s] opened", print_tun_backend_driver(tt->backend_driver),
1859 tt->actual_name);
1860}
1861
1862
1863static bool
1864do_open_tun(struct context *c, int *error_flags)
1865{
1866 struct gc_arena gc = gc_new();
1867 bool ret = false;
1868 *error_flags = 0;
1869
1870 if (!can_preserve_tun(c->c1.tuntap))
1871 {
1872#ifdef TARGET_ANDROID
1873 /* If we emulate persist-tun on android we still have to open a new tun and
1874 * then close the old */
1875 int oldtunfd = -1;
1876 if (c->c1.tuntap)
1877 {
1878 oldtunfd = c->c1.tuntap->fd;
1879 free(c->c1.tuntap);
1880 c->c1.tuntap = NULL;
1881 c->c1.tuntap_owned = false;
1882 }
1883#endif
1884
1885 /* initialize (but do not open) tun/tap object, this also sets
1886 * the backend driver type */
1887 do_init_tun(c);
1888
1889 /* inherit the dco context from the tuntap object */
1890 if (c->c2.tls_multi)
1891 {
1892 c->c2.tls_multi->dco = &c->c1.tuntap->dco;
1893 }
1894
1895#ifdef _WIN32
1896 /* store (hide) interactive service handle in tuntap_options */
1897 c->c1.tuntap->options.msg_channel = c->options.msg_channel;
1898 msg(D_ROUTE, "interactive service msg_channel=%" PRIuPTR, (intptr_t)c->options.msg_channel);
1899#endif
1900
1901 /* allocate route list structure */
1902 do_alloc_route_list(c);
1903
1904 /* parse and resolve the route option list */
1905 ASSERT(c->c2.link_sockets[0]);
1906 if (c->options.routes && c->c1.route_list)
1907 {
1908 do_init_route_list(&c->options, c->c1.route_list, &c->c2.link_sockets[0]->info,
1909 c->c2.es, &c->net_ctx);
1910 }
1911 if (c->options.routes_ipv6 && c->c1.route_ipv6_list)
1912 {
1913 do_init_route_ipv6_list(&c->options, c->c1.route_ipv6_list,
1914 &c->c2.link_sockets[0]->info, c->c2.es, &c->net_ctx);
1915 }
1916
1917 /* do ifconfig */
1918 if (!ifconfig_noexec_enabled(c) && ifconfig_order(c->c1.tuntap) == IFCONFIG_BEFORE_TUN_OPEN)
1919 {
1920 /* guess actual tun/tap unit number that will be returned
1921 * by open_tun */
1922 const char *guess =
1923 guess_tuntap_dev(c->options.dev, c->options.dev_type, c->options.dev_node, &gc);
1924 do_ifconfig(c->c1.tuntap, guess, c->c2.frame.tun_mtu, c->c2.es, &c->net_ctx);
1925 }
1926
1927 /* possibly add routes */
1928 if (route_order(c->c1.tuntap) == ROUTE_BEFORE_TUN)
1929 {
1930 /* Ignore route_delay, would cause ROUTE_BEFORE_TUN to be ignored */
1931 bool status = do_route(&c->options, c->c1.route_list, c->c1.route_ipv6_list,
1932 c->c1.tuntap, c->plugins, c->c2.es, &c->net_ctx);
1933 *error_flags |= (status ? 0 : ISC_ROUTE_ERRORS);
1934 }
1935#ifdef TARGET_ANDROID
1936 /* Store the old fd inside the fd so open_tun can use it */
1937 c->c1.tuntap->fd = oldtunfd;
1938#endif
1939
1940 if (dco_enabled(&c->options))
1941 {
1942 ovpn_dco_init(c);
1943 }
1944
1945 /* open the tun device */
1946 open_tun_backend(c);
1947
1948 /* set the hardware address */
1949 if (c->options.lladdr)
1950 {
1951 set_lladdr(&c->net_ctx, c->c1.tuntap->actual_name, c->options.lladdr, c->c2.es);
1952 }
1953
1954 /* do ifconfig */
1955 if (!ifconfig_noexec_enabled(c) && ifconfig_order(c->c1.tuntap) == IFCONFIG_AFTER_TUN_OPEN)
1956 {
1957 do_ifconfig(c->c1.tuntap, c->c1.tuntap->actual_name, c->c2.frame.tun_mtu, c->c2.es,
1958 &c->net_ctx);
1959 }
1960
1961 run_dns_up_down(true, &c->options, c->c1.tuntap, &c->persist.duri);
1962
1963 /* run the up script */
1964 run_up_down(c->options.up_script, c->plugins, OPENVPN_PLUGIN_UP, c->c1.tuntap->actual_name,
1965#ifdef _WIN32
1966 c->c1.tuntap->adapter_index,
1967#endif
1968 dev_type_string(c->options.dev, c->options.dev_type), c->c2.frame.tun_mtu,
1969 print_in_addr_t(c->c1.tuntap->local, IA_EMPTY_IF_UNDEF, &gc),
1970 print_in_addr_t(c->c1.tuntap->remote_netmask, IA_EMPTY_IF_UNDEF, &gc), "init",
1971 NULL, "up", c->c2.es);
1972
1973 add_wfp_block(c);
1974
1975 /* possibly add routes */
1976 if ((route_order(c->c1.tuntap) == ROUTE_AFTER_TUN) && (!c->options.route_delay_defined))
1977 {
1978 bool status = do_route(&c->options, c->c1.route_list, c->c1.route_ipv6_list,
1979 c->c1.tuntap, c->plugins, c->c2.es, &c->net_ctx);
1980 *error_flags |= (status ? 0 : ISC_ROUTE_ERRORS);
1981 }
1982
1983 ret = true;
1984 static_context = c;
1985 }
1986 else
1987 {
1988 msg(M_INFO, "Preserving previous TUN/TAP instance: %s", c->c1.tuntap->actual_name);
1989
1990 /* explicitly set the ifconfig_* env vars */
1991 do_ifconfig_setenv(c->c1.tuntap, c->c2.es);
1992
1993 run_dns_up_down(true, &c->options, c->c1.tuntap, &c->persist.duri);
1994
1995 /* run the up script if user specified --up-restart */
1996 if (c->options.up_restart)
1997 {
1998 run_up_down(c->options.up_script, c->plugins, OPENVPN_PLUGIN_UP,
1999 c->c1.tuntap->actual_name,
2000#ifdef _WIN32
2001 c->c1.tuntap->adapter_index,
2002#endif
2003 dev_type_string(c->options.dev, c->options.dev_type), c->c2.frame.tun_mtu,
2004 print_in_addr_t(c->c1.tuntap->local, IA_EMPTY_IF_UNDEF, &gc),
2005 print_in_addr_t(c->c1.tuntap->remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
2006 "restart", NULL, "up", c->c2.es);
2007 }
2008
2009 add_wfp_block(c);
2010 }
2011 gc_free(&gc);
2012 return ret;
2013}
2014
2015/*
2016 * Close TUN/TAP device
2017 */
2018
2019static void
2020do_close_tun_simple(struct context *c)
2021{
2022 msg(D_CLOSE, "Closing %s interface", print_tun_backend_driver(c->c1.tuntap->backend_driver));
2023
2024 if (c->c1.tuntap)
2025 {
2026 if (!ifconfig_noexec_enabled(c))
2027 {
2028 undo_ifconfig(c->c1.tuntap, &c->net_ctx);
2029 }
2030 if (c->c1.tuntap->backend_driver == DRIVER_AFUNIX)
2031 {
2032 close_tun_afunix(c->c1.tuntap);
2033 }
2034 else if (c->c1.tuntap->backend_driver == DRIVER_NULL)
2035 {
2036 free(c->c1.tuntap->actual_name);
2037 free(c->c1.tuntap);
2038 }
2039 else
2040 {
2041 close_tun(c->c1.tuntap, &c->net_ctx);
2042 }
2043 c->c1.tuntap = NULL;
2044 }
2045 c->c1.tuntap_owned = false;
2046 CLEAR(c->c1.pulled_options_digest_save);
2047}
2048
2049static void
2050do_close_tun(struct context *c, bool force)
2051{
2052 /* With dco-win we open tun handle in the very beginning.
2053 * In case when tun wasn't opened - like we haven't connected,
2054 * we still need to close tun handle
2055 */
2056 if (tuntap_is_dco_win(c->c1.tuntap) && !is_tun_type_set(c->c1.tuntap))
2057 {
2058 do_close_tun_simple(c);
2059 return;
2060 }
2061
2062 if (!c->c1.tuntap || !c->c1.tuntap_owned)
2063 {
2064 return;
2065 }
2066
2067 struct gc_arena gc = gc_new();
2068 const char *tuntap_actual = string_alloc(c->c1.tuntap->actual_name, &gc);
2069 const in_addr_t local = c->c1.tuntap->local;
2070 const in_addr_t remote_netmask = c->c1.tuntap->remote_netmask;
2071 unsigned long adapter_index = 0;
2072#ifdef _WIN32
2073 adapter_index = c->c1.tuntap->adapter_index;
2074#endif
2075
2076 run_dns_up_down(false, &c->options, c->c1.tuntap, &c->persist.duri);
2077
2078 if (force || !(c->sig->signal_received == SIGUSR1 && c->options.persist_tun))
2079 {
2080 static_context = NULL;
2081
2082#ifdef ENABLE_MANAGEMENT
2083 /* tell management layer we are about to close the TUN/TAP device */
2084 if (management)
2085 {
2086 management_pre_tunnel_close(management);
2087 management_up_down(management, "DOWN", c->c2.es);
2088 }
2089#endif
2090
2091 /* delete any routes we added */
2092 if (c->c1.route_list || c->c1.route_ipv6_list)
2093 {
2094 run_up_down(c->options.route_predown_script, c->plugins, OPENVPN_PLUGIN_ROUTE_PREDOWN,
2095 tuntap_actual,
2096#ifdef _WIN32
2097 adapter_index,
2098#endif
2099 NULL, c->c2.frame.tun_mtu, print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc),
2100 print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc), "init",
2101 signal_description(c->sig->signal_received, c->sig->signal_text),
2102 "route-pre-down", c->c2.es);
2103
2104 delete_routes(c->c1.route_list, c->c1.route_ipv6_list, c->c1.tuntap,
2105 ROUTE_OPTION_FLAGS(&c->options), c->c2.es, &c->net_ctx);
2106 }
2107
2108 /* actually close tun/tap device based on --down-pre flag */
2109 if (!c->options.down_pre)
2110 {
2111 do_close_tun_simple(c);
2112 }
2113
2114 /* Run the down script -- note that it will run at reduced
2115 * privilege if, for example, "--user" was used. */
2116 run_up_down(c->options.down_script, c->plugins, OPENVPN_PLUGIN_DOWN, tuntap_actual,
2117#ifdef _WIN32
2118 adapter_index,
2119#endif
2120 NULL, c->c2.frame.tun_mtu, print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc),
2121 print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc), "init",
2122 signal_description(c->sig->signal_received, c->sig->signal_text), "down",
2123 c->c2.es);
2124
2125 del_wfp_block(c, adapter_index);
2126
2127 /* actually close tun/tap device based on --down-pre flag */
2128 if (c->options.down_pre)
2129 {
2130 do_close_tun_simple(c);
2131 }
2132 }
2133 else
2134 {
2135 /* run the down script on this restart if --up-restart was specified */
2136 if (c->options.up_restart)
2137 {
2138 run_up_down(c->options.down_script, c->plugins, OPENVPN_PLUGIN_DOWN, tuntap_actual,
2139#ifdef _WIN32
2140 adapter_index,
2141#endif
2142 NULL, c->c2.frame.tun_mtu, print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc),
2143 print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc), "restart",
2144 signal_description(c->sig->signal_received, c->sig->signal_text), "down",
2145 c->c2.es);
2146 }
2147
2148 del_wfp_block(c, adapter_index);
2149 }
2150 gc_free(&gc);
2151}
2152
2153void
2154tun_abort(void)
2155{
2156 struct context *c = static_context;
2157 if (c)
2158 {
2159 static_context = NULL;
2160 do_close_tun(c, true);
2161 }
2162}
2163
2164/*
2165 * Handle delayed tun/tap interface bringup due to --up-delay or --pull
2166 */
2167
2172static bool
2173options_hash_changed_or_zero(const struct sha256_digest *a, const struct sha256_digest *b)
2174{
2175 const struct sha256_digest zero = { { 0 } };
2176 return memcmp(a, b, sizeof(struct sha256_digest))
2177 || !memcmp(a, &zero, sizeof(struct sha256_digest));
2178}
2179
2185static void
2186add_delim_if_non_empty(struct buffer *buf, const char *header)
2187{
2188 if (buf_len(buf) > strlen(header))
2189 {
2190 buf_printf(buf, ", ");
2191 }
2192}
2193
2194
2199static void
2200tls_print_deferred_options_results(struct context *c)
2201{
2202 struct options *o = &c->options;
2203
2204 struct buffer out;
2205 uint8_t line[1024] = { 0 };
2206 buf_set_write(&out, line, sizeof(line));
2207
2208
2209 if (cipher_kt_mode_aead(o->ciphername))
2210 {
2211 buf_printf(&out, "Data Channel: cipher '%s'", cipher_kt_name(o->ciphername));
2212 }
2213 else
2214 {
2215 buf_printf(&out, "Data Channel: cipher '%s', auth '%s'", cipher_kt_name(o->ciphername),
2216 md_kt_name(o->authname));
2217 }
2218
2219 if (o->use_peer_id)
2220 {
2221 buf_printf(&out, ", peer-id: %d", o->peer_id);
2222 }
2223
2224#ifdef USE_COMP
2225 if (c->c2.comp_context)
2226 {
2227 buf_printf(&out, ", compression: '%s'", c->c2.comp_context->alg.name);
2228 }
2229#endif
2230
2231 msg(D_HANDSHAKE, "%s", BSTR(&out));
2232
2233 buf_clear(&out);
2234
2235 const char *header = "Timers: ";
2236
2237 buf_printf(&out, "%s", header);
2238
2239 if (o->ping_send_timeout)
2240 {
2241 buf_printf(&out, "ping %d", o->ping_send_timeout);
2242 }
2243
2244 if (o->ping_rec_timeout_action != PING_UNDEF)
2245 {
2246 /* yes unidirectional ping is possible .... */
2247 add_delim_if_non_empty(&out, header);
2248
2249 if (o->ping_rec_timeout_action == PING_EXIT)
2250 {
2251 buf_printf(&out, "ping-exit %d", o->ping_rec_timeout);
2252 }
2253 else
2254 {
2255 buf_printf(&out, "ping-restart %d", o->ping_rec_timeout);
2256 }
2257 }
2258
2259 if (o->inactivity_timeout)
2260 {
2261 add_delim_if_non_empty(&out, header);
2262
2263 buf_printf(&out, "inactive %d", o->inactivity_timeout);
2264 if (o->inactivity_minimum_bytes)
2265 {
2266 buf_printf(&out, " %" PRIu64, o->inactivity_minimum_bytes);
2267 }
2268 }
2269
2270 if (o->session_timeout)
2271 {
2272 add_delim_if_non_empty(&out, header);
2273 buf_printf(&out, "session-timeout %d", o->session_timeout);
2274 }
2275
2276 if (buf_len(&out) > strlen(header))
2277 {
2278 msg(D_HANDSHAKE, "%s", BSTR(&out));
2279 }
2280
2281 buf_clear(&out);
2282 header = "Protocol options: ";
2283 buf_printf(&out, "%s", header);
2284
2285 if (c->options.ce.explicit_exit_notification)
2286 {
2287 buf_printf(&out, "explicit-exit-notify %d", c->options.ce.explicit_exit_notification);
2288 }
2289 if (c->options.imported_protocol_flags)
2290 {
2291 add_delim_if_non_empty(&out, header);
2292
2293 buf_printf(&out, "protocol-flags");
2294
2295 if (o->imported_protocol_flags & CO_USE_CC_EXIT_NOTIFY)
2296 {
2297 buf_printf(&out, " cc-exit");
2298 }
2299 if (o->imported_protocol_flags & CO_USE_TLS_KEY_MATERIAL_EXPORT)
2300 {
2301 buf_printf(&out, " tls-ekm");
2302 }
2303 if (o->imported_protocol_flags & CO_USE_DYNAMIC_TLS_CRYPT)
2304 {
2305 buf_printf(&out, " dyn-tls-crypt");
2306 }
2307 if (o->imported_protocol_flags & CO_EPOCH_DATA_KEY_FORMAT)
2308 {
2309 buf_printf(&out, " aead-epoch");
2310 }
2311 }
2312
2313 if (buf_len(&out) > strlen(header))
2314 {
2315 msg(D_HANDSHAKE, "%s", BSTR(&out));
2316 }
2317}
2318
2319
2327static bool
2328do_deferred_options_part2(struct context *c)
2329{
2330 struct frame *frame_fragment = NULL;
2331#ifdef ENABLE_FRAGMENT
2332 if (c->options.ce.fragment)
2333 {
2334 frame_fragment = &c->c2.frame_fragment;
2335 }
2336#endif
2337
2338 struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE];
2339 if (!tls_session_update_crypto_params(c->c2.tls_multi, session, &c->options, &c->c2.frame,
2340 frame_fragment, get_link_socket_info(c),
2341 &c->c1.tuntap->dco))
2342 {
2343 msg(D_TLS_ERRORS, "OPTIONS ERROR: failed to import crypto options");
2344 return false;
2345 }
2346
2347 return true;
2348}
2349
2350bool
2351do_up(struct context *c, bool pulled_options, unsigned int option_types_found)
2352{
2353 int error_flags = 0;
2354 if (!c->c2.do_up_ran)
2355 {
2356 reset_coarse_timers(c);
2357
2358 if (pulled_options)
2359 {
2360 if (!do_deferred_options(c, option_types_found, false))
2361 {
2362 msg(D_PUSH_ERRORS, "ERROR: Failed to apply push options");
2363 return false;
2364 }
2365 }
2366
2367 /* if --up-delay specified, open tun, do ifconfig, and run up script now */
2368 if (c->options.up_delay || PULL_DEFINED(&c->options))
2369 {
2370 c->c2.did_open_tun = do_open_tun(c, &error_flags);
2371 update_time();
2372
2373 /*
2374 * Was tun interface object persisted from previous restart iteration,
2375 * and if so did pulled options string change from previous iteration?
2376 */
2377 if (!c->c2.did_open_tun && PULL_DEFINED(&c->options) && c->c1.tuntap
2378 && options_hash_changed_or_zero(&c->c1.pulled_options_digest_save,
2379 &c->c2.pulled_options_digest))
2380 {
2381 /* if so, close tun, delete routes, then reinitialize tun and add routes */
2382 msg(M_INFO,
2383 "NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.");
2384
2385 bool tt_dco_win = tuntap_is_dco_win(c->c1.tuntap);
2386 do_close_tun(c, true);
2387
2388 if (tt_dco_win)
2389 {
2390 msg(M_NONFATAL, "dco-win doesn't yet support reopening TUN device");
2391 /* prevent link_socket_close() from closing handle with WinSock API */
2392 c->c2.link_sockets[0]->sd = SOCKET_UNDEFINED;
2393 return false;
2394 }
2395 else
2396 {
2397 management_sleep(1);
2398 c->c2.did_open_tun = do_open_tun(c, &error_flags);
2399 update_time();
2400 }
2401 }
2402 }
2403 }
2404
2405 /* This part needs to be run in p2p mode (without pull) when the client
2406 * reconnects to setup various things (like DCO and NCP cipher) that
2407 * might have changed from the previous connection.
2408 */
2409 if (!c->c2.do_up_ran
2410 || (c->c2.tls_multi && c->c2.tls_multi->multi_state == CAS_RECONNECT_PENDING))
2411 {
2412 if (c->mode == MODE_POINT_TO_POINT)
2413 {
2414 /* ovpn-dco requires adding the peer now, before any option can be set,
2415 * but *after* having parsed the pushed peer-id in do_deferred_options()
2416 */
2417 int ret = dco_p2p_add_new_peer(c);
2418 if (ret < 0)
2419 {
2420 msg(D_DCO, "Cannot add peer to DCO: %s (%d)", strerror(-ret), ret);
2421 return false;
2422 }
2423 }
2424
2425 /* do_deferred_options_part2() and do_deferred_p2p_ncp() *must* be
2426 * invoked after open_tun().
2427 * This is required by DCO because we must have created the interface
2428 * and added the peer before we can fiddle with the keys or any other
2429 * data channel per-peer setting.
2430 */
2431 if (pulled_options)
2432 {
2433 if (!do_deferred_options_part2(c))
2434 {
2435 return false;
2436 }
2437 }
2438 else
2439 {
2440 if (c->mode == MODE_POINT_TO_POINT)
2441 {
2442 if (!do_deferred_p2p_ncp(c))
2443 {
2444 msg(D_TLS_ERRORS, "ERROR: Failed to apply P2P negotiated protocol options");
2445 return false;
2446 }
2447 }
2448 }
2449
2450 if (c->c2.did_open_tun)
2451 {
2452 c->c1.pulled_options_digest_save = c->c2.pulled_options_digest;
2453
2454 /* if --route-delay was specified, start timer */
2455 if ((route_order(c->c1.tuntap) == ROUTE_AFTER_TUN) && c->options.route_delay_defined)
2456 {
2457 event_timeout_init(&c->c2.route_wakeup, c->options.route_delay, now);
2458 event_timeout_init(&c->c2.route_wakeup_expire,
2459 c->options.route_delay + c->options.route_delay_window, now);
2460 tun_standby_init(c->c1.tuntap);
2461 }
2462 else
2463 {
2464 /* client/p2p --route-delay undefined */
2465 initialization_sequence_completed(c, error_flags);
2466 }
2467 }
2468 else if (c->options.mode == MODE_POINT_TO_POINT)
2469 {
2470 /* client/p2p restart with --persist-tun */
2471 initialization_sequence_completed(c, error_flags);
2472 }
2473
2474 tls_print_deferred_options_results(c);
2475
2476 c->c2.do_up_ran = true;
2477 if (c->c2.tls_multi)
2478 {
2479 c->c2.tls_multi->multi_state = CAS_CONNECT_DONE;
2480 }
2481 }
2482 return true;
2483}
2484
2485bool
2486do_update(struct context *c, unsigned int option_types_found)
2487{
2488 /* Not necessary since to receive the update the openvpn
2489 * instance must be up and running but just in case
2490 */
2491 if (!c->c2.do_up_ran)
2492 {
2493 return false;
2494 }
2495
2496 bool tt_dco_win = tuntap_is_dco_win(c->c1.tuntap);
2497 if (tt_dco_win)
2498 {
2499 msg(M_NONFATAL, "dco-win doesn't yet support reopening TUN device");
2500 return false;
2501 }
2502
2503 if (!do_deferred_options(c, option_types_found, true))
2504 {
2505 msg(D_PUSH_ERRORS, "ERROR: Failed to apply push options");
2506 return false;
2507 }
2508
2509 do_close_tun(c, true);
2510
2511 management_sleep(1);
2512 int error_flags = 0;
2513 c->c2.did_open_tun = do_open_tun(c, &error_flags);
2514 update_time();
2515
2516 if (c->c2.did_open_tun)
2517 {
2518 /* if --route-delay was specified, start timer */
2519 if ((route_order(c->c1.tuntap) == ROUTE_AFTER_TUN) && c->options.route_delay_defined)
2520 {
2521 event_timeout_init(&c->c2.route_wakeup, c->options.route_delay, now);
2522 event_timeout_init(&c->c2.route_wakeup_expire,
2523 c->options.route_delay + c->options.route_delay_window, now);
2524 tun_standby_init(c->c1.tuntap);
2525 }
2526
2527 initialization_sequence_completed(c, error_flags);
2528 }
2529
2530 CLEAR(c->c1.pulled_options_digest_save);
2531
2532 return true;
2533}
2534
2535/*
2536 * These are the option categories which will be accepted by pull.
2537 */
2538unsigned int
2539pull_permission_mask(const struct context *c)
2540{
2541 unsigned int flags = OPT_P_UP | OPT_P_ROUTE_EXTRAS | OPT_P_SOCKBUF | OPT_P_SOCKFLAGS
2542 | OPT_P_SETENV | OPT_P_SHAPER | OPT_P_TIMER | OPT_P_COMP | OPT_P_PERSIST
2543 | OPT_P_MESSAGES | OPT_P_EXPLICIT_NOTIFY | OPT_P_ECHO | OPT_P_PULL_MODE
2544 | OPT_P_PEER_ID | OPT_P_NCP | OPT_P_PUSH_MTU;
2545
2546 if (!c->options.route_nopull)
2547 {
2548 flags |= (OPT_P_ROUTE | OPT_P_DHCPDNS);
2549 }
2550
2551 return flags;
2552}
2553
2554static bool
2555do_deferred_p2p_ncp(struct context *c)
2556{
2557 if (!c->c2.tls_multi)
2558 {
2559 return true;
2560 }
2561
2562 c->options.use_peer_id = c->c2.tls_multi->use_peer_id;
2563
2564 struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE];
2565
2566 const char *ncp_cipher =
2567 get_p2p_ncp_cipher(session, c->c2.tls_multi->peer_info, &c->options.gc);
2568
2569 if (ncp_cipher)
2570 {
2571 c->options.ciphername = ncp_cipher;
2572 }
2573 else if (!c->options.enable_ncp_fallback)
2574 {
2575 msg(D_TLS_ERRORS, "ERROR: failed to negotiate cipher with peer and "
2576 "--data-ciphers-fallback not enabled. No usable "
2577 "data channel cipher");
2578 return false;
2579 }
2580
2581 struct frame *frame_fragment = NULL;
2582#ifdef ENABLE_FRAGMENT
2583 if (c->options.ce.fragment)
2584 {
2585 frame_fragment = &c->c2.frame_fragment;
2586 }
2587#endif
2588
2589 if (!tls_session_update_crypto_params(c->c2.tls_multi, session, &c->options, &c->c2.frame,
2590 frame_fragment, get_link_socket_info(c),
2591 &c->c1.tuntap->dco))
2592 {
2593 msg(D_TLS_ERRORS, "ERROR: failed to set crypto cipher");
2594 return false;
2595 }
2596 return true;
2597}
2598
2599bool
2600do_deferred_options(struct context *c, const unsigned int found, const bool is_update)
2601{
2602 if (found & OPT_P_MESSAGES)
2603 {
2604 init_verb_mute(c, IVM_LEVEL_1 | IVM_LEVEL_2);
2605 msg(D_PUSH, "OPTIONS IMPORT: --verb and/or --mute level changed");
2606 }
2607 if (found & OPT_P_TIMER)
2608 {
2609 do_init_timers(c, true);
2610 msg(D_PUSH_DEBUG, "OPTIONS IMPORT: timers and/or timeouts modified");
2611 }
2612
2613 if (found & OPT_P_EXPLICIT_NOTIFY)
2614 {
2615 /* Client side, so just check the first link_socket */
2616 if (!proto_is_udp(c->c2.link_sockets[0]->info.proto)
2617 && c->options.ce.explicit_exit_notification)
2618 {
2619 msg(D_PUSH, "OPTIONS IMPORT: --explicit-exit-notify can only be used with --proto udp");
2620 c->options.ce.explicit_exit_notification = 0;
2621 }
2622 else
2623 {
2624 msg(D_PUSH_DEBUG, "OPTIONS IMPORT: explicit notify parm(s) modified");
2625 }
2626 }
2627
2628 if (found & OPT_P_COMP)
2629 {
2630 if (!check_compression_settings_valid(&c->options.comp, D_PUSH_ERRORS))
2631 {
2632 msg(D_PUSH_ERRORS, "OPTIONS ERROR: server pushed compression "
2633 "settings that are not allowed and will result "
2634 "in a non-working connection. "
2635 "See also allow-compression in the manual.");
2636 return false;
2637 }
2638#ifdef USE_COMP
2639 msg(D_PUSH_DEBUG, "OPTIONS IMPORT: compression parms modified");
2640 comp_uninit(c->c2.comp_context);
2641 c->c2.comp_context = comp_init(&c->options.comp);
2642#endif
2643 }
2644
2645 if (found & OPT_P_SHAPER)
2646 {
2647 msg(D_PUSH, "OPTIONS IMPORT: traffic shaper enabled");
2648 do_init_traffic_shaper(c);
2649 }
2650
2651 if (found & OPT_P_SOCKBUF)
2652 {
2653 msg(D_PUSH, "OPTIONS IMPORT: --sndbuf/--rcvbuf options modified");
2654
2655 for (int i = 0; i < c->c1.link_sockets_num; i++)
2656 {
2657 link_socket_update_buffer_sizes(c->c2.link_sockets[i], c->options.rcvbuf,
2658 c->options.sndbuf);
2659 }
2660 }
2661
2662 if (found & OPT_P_SOCKFLAGS)
2663 {
2664 msg(D_PUSH, "OPTIONS IMPORT: --socket-flags option modified");
2665 for (int i = 0; i < c->c1.link_sockets_num; i++)
2666 {
2667 link_socket_update_flags(c->c2.link_sockets[i], c->options.sockflags);
2668 }
2669 }
2670
2671 if (found & OPT_P_PERSIST)
2672 {
2673 msg(D_PUSH, "OPTIONS IMPORT: --persist options modified");
2674 }
2675 if (found & OPT_P_UP)
2676 {
2677 msg(D_PUSH, "OPTIONS IMPORT: --ifconfig/up options modified");
2678 }
2679 if (found & OPT_P_ROUTE)
2680 {
2681 msg(D_PUSH, "OPTIONS IMPORT: route options modified");
2682 }
2683 if (found & OPT_P_ROUTE_EXTRAS)
2684 {
2685 msg(D_PUSH, "OPTIONS IMPORT: route-related options modified");
2686 }
2687 if (found & OPT_P_DHCPDNS)
2688 {
2689 msg(D_PUSH, "OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified");
2690 }
2691 if (found & OPT_P_SETENV)
2692 {
2693 msg(D_PUSH, "OPTIONS IMPORT: environment modified");
2694 }
2695
2696 if (found & OPT_P_PEER_ID)
2697 {
2698 msg(D_PUSH_DEBUG, "OPTIONS IMPORT: peer-id set");
2699 c->c2.tls_multi->use_peer_id = true;
2700 c->c2.tls_multi->peer_id = c->options.peer_id;
2701 }
2702
2703 /* process (potentially) pushed options */
2704 if (c->options.pull)
2705 {
2706 /* On PUSH_UPDATE, NCP related flags are never updated, and so the code
2707 * would assume "no cipher pushed = NCP failed" - so, don't call it on
2708 * updates */
2709 if (!is_update && !check_pull_client_ncp(c, found))
2710 {
2711 return false;
2712 }
2713
2714 /* Check if pushed options are compatible with DCO, if enabled */
2715 if (dco_enabled(&c->options) && !dco_check_pull_options(D_PUSH_ERRORS, &c->options))
2716 {
2717 msg(D_PUSH_ERRORS, "OPTIONS ERROR: pushed options are incompatible "
2718 "with data channel offload. Use --disable-dco to connect to "
2719 "this server");
2720 return false;
2721 }
2722 }
2723
2724 /* Ensure that for epoch data format is only enabled if also data v2
2725 * is enabled */
2726 bool epoch_data = (c->options.imported_protocol_flags & CO_EPOCH_DATA_KEY_FORMAT);
2727 bool datav2_enabled = (c->options.peer_id >= 0 && c->options.peer_id < MAX_PEER_ID);
2728
2729 if (epoch_data && !datav2_enabled)
2730 {
2731 msg(D_PUSH_ERRORS, "OPTIONS ERROR: Epoch key data format tag requires "
2732 "data v2 (peer-id) to be enabled.");
2733 return false;
2734 }
2735
2736
2737 if (found & OPT_P_PUSH_MTU)
2738 {
2739 /* MTU has changed, check that the pushed MTU is small enough to
2740 * be able to change it */
2741 msg(D_PUSH, "OPTIONS IMPORT: tun-mtu set to %d", c->options.ce.tun_mtu);
2742
2743 struct frame *frame = &c->c2.frame;
2744
2745 if (c->options.ce.tun_mtu > frame->tun_max_mtu)
2746 {
2747 msg(D_PUSH_ERRORS,
2748 "Server-pushed tun-mtu is too large, please add "
2749 "tun-mtu-max %d in the client configuration",
2750 c->options.ce.tun_mtu);
2751 }
2752 frame->tun_mtu = min_int(frame->tun_max_mtu, c->options.ce.tun_mtu);
2753 }
2754
2755 return true;
2756}
2757
2758/*
2759 * Possible hold on initialization, holdtime is the
2760 * time OpenVPN would wait without management
2761 */
2762static bool
2763do_hold(int holdtime)
2764{
2765#ifdef ENABLE_MANAGEMENT
2766 if (management)
2767 {
2768 /* block until management hold is released */
2769 if (management_hold(management, holdtime))
2770 {
2771 return true;
2772 }
2773 }
2774#endif
2775 return false;
2776}
2777
2778/*
2779 * Sleep before restart.
2780 */
2781static void
2782socket_restart_pause(struct context *c)
2783{
2784 int sec = 2;
2785 int backoff = 0;
2786
2787 switch (c->mode)
2788 {
2789 case CM_TOP:
2790 sec = 1;
2791 break;
2792
2793 case CM_CHILD_UDP:
2794 case CM_CHILD_TCP:
2795 sec = c->options.ce.connect_retry_seconds;
2796 break;
2797 }
2798
2799#ifdef ENABLE_DEBUG
2800 if (GREMLIN_CONNECTION_FLOOD_LEVEL(c->options.gremlin))
2801 {
2802 sec = 0;
2803 }
2804#endif
2805
2806 if (auth_retry_get() == AR_NOINTERACT)
2807 {
2808 sec = 10;
2809 }
2810
2811 /* Slow down reconnection after 5 retries per remote -- for TCP client or UDP tls-client only */
2812 if (c->mode == CM_CHILD_TCP || (c->options.ce.proto == PROTO_UDP && c->options.tls_client))
2813 {
2814 backoff = (c->options.unsuccessful_attempts / c->options.connection_list->len) - 4;
2815 if (backoff > 0)
2816 {
2817 /* sec is less than 2^16; we can left shift it by up to 15 bits without overflow */
2818 sec = max_int(sec, 1) << min_int(backoff, 15);
2819 }
2820 if (c->options.server_backoff_time)
2821 {
2822 sec = max_int(sec, c->options.server_backoff_time);
2823 c->options.server_backoff_time = 0;
2824 }
2825
2826 if (sec > c->options.ce.connect_retry_seconds_max)
2827 {
2828 sec = c->options.ce.connect_retry_seconds_max;
2829 }
2830 }
2831
2832 if (c->persist.restart_sleep_seconds > 0 && c->persist.restart_sleep_seconds > sec)
2833 {
2834 sec = c->persist.restart_sleep_seconds;
2835 }
2836 else if (c->persist.restart_sleep_seconds == -1)
2837 {
2838 sec = 0;
2839 }
2840 c->persist.restart_sleep_seconds = 0;
2841
2842 /* do management hold on context restart, i.e. second, third, fourth, etc. initialization */
2843 if (do_hold(sec))
2844 {
2845 sec = 0;
2846 }
2847
2848 if (sec)
2849 {
2850 msg(D_RESTART, "Restart pause, %d second(s)", sec);
2851 management_sleep(sec);
2852 }
2853}
2854
2855/*
2856 * Do a possible pause on context_2 initialization.
2857 */
2858static void
2859do_startup_pause(struct context *c)
2860{
2861 if (!c->first_time)
2862 {
2863 socket_restart_pause(c);
2864 }
2865 else
2866 {
2867 do_hold(0); /* do management hold on first context initialization */
2868 }
2869}
2870
2871static size_t
2872get_frame_mtu(struct context *c, const struct options *o)
2873{
2874 size_t mtu;
2875
2876 if (o->ce.link_mtu_defined)
2877 {
2878 ASSERT(o->ce.link_mtu_defined);
2879 /* if we have a link mtu defined we calculate what the old code
2880 * would have come up with as tun-mtu */
2881 size_t overhead = frame_calculate_protocol_header_size(&c->c1.ks.key_type, o, true);
2882 mtu = o->ce.link_mtu - overhead;
2883 }
2884 else
2885 {
2886 ASSERT(o->ce.tun_mtu_defined);
2887 mtu = o->ce.tun_mtu;
2888 }
2889
2890 if (mtu < TUN_MTU_MIN)
2891 {
2892 msg(M_WARN, "TUN MTU value (%zu) must be at least %d", mtu, TUN_MTU_MIN);
2893 frame_print(&c->c2.frame, M_FATAL, "MTU is too small");
2894 }
2895 return mtu;
2896}
2897
2898/*
2899 * Finalize MTU parameters based on command line or config file options.
2900 */
2901static void
2902frame_finalize_options(struct context *c, const struct options *o)
2903{
2904 if (!o)
2905 {
2906 o = &c->options;
2907 }
2908
2909 struct frame *frame = &c->c2.frame;
2910
2911 frame->tun_mtu = get_frame_mtu(c, o);
2912 frame->tun_max_mtu = o->ce.tun_mtu_max;
2913
2914 /* max mtu needs to be at least as large as the tun mtu */
2915 frame->tun_max_mtu = max_int(frame->tun_mtu, frame->tun_max_mtu);
2916
2917 /* We always allow at least 1600 MTU packets to be received in our buffer
2918 * space to allow server to push "baby giant" MTU sizes */
2919 frame->tun_max_mtu = max_int(TUN_MTU_MAX_MIN, frame->tun_max_mtu);
2920
2921 size_t payload_size = frame->tun_max_mtu;
2922
2923 /* we need to be also large enough to hold larger control channel packets
2924 * if configured */
2925 payload_size = max_int(payload_size, o->ce.tls_mtu);
2926
2927 /* The extra tun needs to be added to the payload size */
2928 if (o->ce.tun_mtu_defined)
2929 {
2930 payload_size += o->ce.tun_mtu_extra;
2931 }
2932
2933 /* Add 32 byte of extra space in the buffer to account for small errors
2934 * in the calculation */
2935 payload_size += 32;
2936
2937
2938 /* the space that is reserved before the payload to add extra headers to it
2939 * we always reserve the space for the worst case */
2940 size_t headroom = 0;
2941
2942 /* includes IV and packet ID */
2943 headroom += crypto_max_overhead();
2944
2945 /* peer id + opcode */
2946 headroom += 4;
2947
2948 /* socks proxy header */
2949 headroom += 10;
2950
2951 /* compression header and fragment header (part of the encrypted payload) */
2952 headroom += 1 + 1;
2953
2954 /* Round up headroom to the next multiple of 4 to ensure alignment */
2955 headroom = (headroom + 3) & ~3;
2956
2957 /* Add the headroom to the payloadsize as a received (IP) packet can have
2958 * all the extra headers in it */
2959 payload_size += headroom;
2960
2961 /* the space after the payload, this needs some extra buffer space for
2962 * encryption so headroom is probably too much but we do not really care
2963 * the few extra bytes */
2964 size_t tailroom = headroom;
2965
2966#ifdef USE_COMP
2967 msg(D_MTU_DEBUG,
2968 "MTU: adding %zu buffer tailroom for compression for %zu "
2969 "bytes of payload",
2970 COMP_EXTRA_BUFFER(payload_size), payload_size);
2971 tailroom += COMP_EXTRA_BUFFER(payload_size);
2972#endif
2973
2974 frame->buf.payload_size = payload_size;
2975 frame->buf.headroom = headroom;
2976 frame->buf.tailroom = tailroom;
2977}
2978
2979/*
2980 * Free a key schedule, including OpenSSL components.
2981 */
2982static void
2983key_schedule_free(struct key_schedule *ks, bool free_ssl_ctx)
2984{
2985 free_key_ctx_bi(&ks->static_key);
2986 if (tls_ctx_initialised(&ks->ssl_ctx) && free_ssl_ctx)
2987 {
2988 tls_ctx_free(&ks->ssl_ctx);
2989 free_key_ctx(&ks->auth_token_key);
2990 }
2991 CLEAR(*ks);
2992}
2993
2994static void
2995init_crypto_pre(struct context *c, const unsigned int flags)
2996{
2997 if (c->options.engine)
2998 {
2999 crypto_init_lib_engine(c->options.engine);
3000 }
3001
3002 if (flags & CF_LOAD_PERSISTED_PACKET_ID)
3003 {
3004 /* load a persisted packet-id for cross-session replay-protection */
3005 if (c->options.packet_id_file)
3006 {
3007 packet_id_persist_load(&c->c1.pid_persist, c->options.packet_id_file);
3008 }
3009 }
3010
3011#ifdef ENABLE_PREDICTION_RESISTANCE
3012 if (c->options.use_prediction_resistance)
3013 {
3014 rand_ctx_enable_prediction_resistance();
3015 }
3016#endif
3017}
3018
3019/*
3020 * Static Key Mode (using a pre-shared key)
3021 */
3022static void
3023do_init_crypto_static(struct context *c, const unsigned int flags)
3024{
3025 const struct options *options = &c->options;
3026 ASSERT(options->shared_secret_file);
3027
3028 init_crypto_pre(c, flags);
3029
3030 /* Initialize flags */
3031 if (c->options.mute_replay_warnings)
3032 {
3033 c->c2.crypto_options.flags |= CO_MUTE_REPLAY_WARNINGS;
3034 }
3035
3036 /* Initialize packet ID tracking */
3037 packet_id_init(&c->c2.crypto_options.packet_id, options->replay_window, options->replay_time,
3038 "STATIC", 0);
3039 c->c2.crypto_options.pid_persist = &c->c1.pid_persist;
3040 c->c2.crypto_options.flags |= CO_PACKET_ID_LONG_FORM;
3041 packet_id_persist_load_obj(&c->c1.pid_persist, &c->c2.crypto_options.packet_id);
3042
3043 if (!key_ctx_bi_defined(&c->c1.ks.static_key))
3044 {
3045 /* Get cipher & hash algorithms */
3046 init_key_type(&c->c1.ks.key_type, options->ciphername, options->authname,
3047 options->test_crypto, true);
3048
3049 /* Read cipher and hmac keys from shared secret file */
3050 crypto_read_openvpn_key(&c->c1.ks.key_type, &c->c1.ks.static_key,
3051 options->shared_secret_file, options->shared_secret_file_inline,
3052 options->key_direction, "Static Key Encryption", "secret", NULL);
3053 }
3054 else
3055 {
3056 msg(M_INFO, "Re-using pre-shared static key");
3057 }
3058
3059 /* Get key schedule */
3060 c->c2.crypto_options.key_ctx_bi = c->c1.ks.static_key;
3061}
3062
3063/*
3064 * Initialize the tls-auth/crypt key context
3065 */
3066static void
3067do_init_tls_wrap_key(struct context *c)
3068{
3069 const struct options *options = &c->options;
3070
3071 /* TLS handshake authentication (--tls-auth) */
3072 if (options->ce.tls_auth_file)
3073 {
3074 /* Initialize key_type for tls-auth with auth only */
3075 CLEAR(c->c1.ks.tls_auth_key_type);
3076 c->c1.ks.tls_auth_key_type.cipher = "none";
3077 c->c1.ks.tls_auth_key_type.digest = options->authname;
3078 if (!md_valid(options->authname))
3079 {
3080 msg(M_FATAL,
3081 "ERROR: tls-auth enabled, but no valid --auth "
3082 "algorithm specified ('%s')",
3083 options->authname);
3084 }
3085
3086 crypto_read_openvpn_key(&c->c1.ks.tls_auth_key_type, &c->c1.ks.tls_wrap_key,
3087 options->ce.tls_auth_file, options->ce.tls_auth_file_inline,
3088 options->ce.key_direction, "Control Channel Authentication",
3089 "tls-auth", &c->c1.ks.original_wrap_keydata);
3090 }
3091
3092 /* TLS handshake encryption+authentication (--tls-crypt) */
3093 if (options->ce.tls_crypt_file)
3094 {
3095 tls_crypt_init_key(&c->c1.ks.tls_wrap_key, &c->c1.ks.original_wrap_keydata,
3096 options->ce.tls_crypt_file, options->ce.tls_crypt_file_inline,
3097 options->tls_server);
3098 }
3099
3100 /* tls-crypt with client-specific keys (--tls-crypt-v2) */
3101 if (options->ce.tls_crypt_v2_file)
3102 {
3103 if (options->tls_server)
3104 {
3105 tls_crypt_v2_init_server_key(&c->c1.ks.tls_crypt_v2_server_key, true,
3106 options->ce.tls_crypt_v2_file,
3107 options->ce.tls_crypt_v2_file_inline);
3108 }
3109 else
3110 {
3111 tls_crypt_v2_init_client_key(&c->c1.ks.tls_wrap_key, &c->c1.ks.original_wrap_keydata,
3112 &c->c1.ks.tls_crypt_v2_wkc, options->ce.tls_crypt_v2_file,
3113 options->ce.tls_crypt_v2_file_inline);
3114 }
3115 /* We have to ensure that the loaded tls-crypt key is small enough
3116 * to fit into the initial hard reset v3 packet */
3117 int wkc_len = buf_len(&c->c1.ks.tls_crypt_v2_wkc);
3118
3119 /* empty ACK/message id, tls-crypt, Opcode, UDP, ipv6 */
3120 int required_size = 5 + wkc_len + tls_crypt_buf_overhead() + 1 + 8 + 40;
3121
3122 if (required_size > c->options.ce.tls_mtu)
3123 {
3124 msg(M_WARN,
3125 "ERROR: tls-crypt-v2 client key too large to work with "
3126 "requested --max-packet-size %d, requires at least "
3127 "--max-packet-size %d. Packets will ignore requested "
3128 "maximum packet size",
3129 c->options.ce.tls_mtu, required_size);
3130 }
3131 }
3132}
3133
3134/*
3135 * Initialize the persistent component of OpenVPN's TLS mode,
3136 * which is preserved across SIGUSR1 resets.
3137 */
3138static void
3139do_init_crypto_tls_c1(struct context *c)
3140{
3141 const struct options *options = &c->options;
3142
3143 if (!tls_ctx_initialised(&c->c1.ks.ssl_ctx))
3144 {
3145 /*
3146 * Initialize the OpenSSL library's global
3147 * SSL context.
3148 */
3149 init_ssl(options, &(c->c1.ks.ssl_ctx), c->c0 && c->c0->uid_gid_chroot_set);
3150 if (!tls_ctx_initialised(&c->c1.ks.ssl_ctx))
3151 {
3152 switch (auth_retry_get())
3153 {
3154 case AR_NONE:
3155 msg(M_FATAL, "Error: private key password verification failed");
3156 break;
3157
3158 case AR_INTERACT:
3159 ssl_purge_auth(false);
3160 /* Intentional [[fallthrough]]; */
3161
3162 case AR_NOINTERACT:
3163 /* SOFT-SIGUSR1 -- Password failure error */
3164 register_signal(c->sig, SIGUSR1, "private-key-password-failure");
3165 break;
3166
3167 default:
3168 ASSERT(0);
3169 }
3170 return;
3171 }
3172
3173 /*
3174 * BF-CBC is allowed to be used only when explicitly configured
3175 * as NCP-fallback or when NCP has been disabled or explicitly
3176 * allowed in the in ncp_ciphers list.
3177 * In all other cases do not attempt to initialize BF-CBC as it
3178 * may not even be supported by the underlying SSL library.
3179 *
3180 * Therefore, the key structure has to be initialized when:
3181 * - any non-BF-CBC cipher was selected; or
3182 * - BF-CBC is selected, NCP is enabled and fallback is enabled
3183 * (BF-CBC will be the fallback).
3184 * - BF-CBC is in data-ciphers and we negotiate to use BF-CBC:
3185 * If the negotiated cipher and options->ciphername are the
3186 * same we do not reinit the cipher
3187 *
3188 * Note that BF-CBC will still be part of the OCC string to retain
3189 * backwards compatibility with older clients.
3190 */
3191 const char *ciphername = options->ciphername;
3192 if (streq(options->ciphername, "BF-CBC")
3193 && !tls_item_in_cipher_list("BF-CBC", options->ncp_ciphers)
3194 && !options->enable_ncp_fallback)
3195 {
3196 ciphername = "none";
3197 }
3198
3199 /* Do not warn if the cipher is used only in OCC */
3200 bool warn = options->enable_ncp_fallback;
3201 init_key_type(&c->c1.ks.key_type, ciphername, options->authname, true, warn);
3202
3203 /* initialize tls-auth/crypt/crypt-v2 key */
3204 do_init_tls_wrap_key(c);
3205
3206 /* initialise auth-token crypto support */
3207 if (c->options.auth_token_generate)
3208 {
3209 auth_token_init_secret(&c->c1.ks.auth_token_key, c->options.auth_token_secret_file,
3210 c->options.auth_token_secret_file_inline);
3211 }
3212
3213#if 0 /* was: #if ENABLE_INLINE_FILES -- Note that enabling this code will break restarts */
3214 if (options->priv_key_file_inline)
3215 {
3216 string_clear(c->options.priv_key_file_inline);
3217 c->options.priv_key_file_inline = NULL;
3218 }
3219#endif
3220 }
3221 else
3222 {
3223 msg(D_INIT_MEDIUM, "Re-using SSL/TLS context");
3224
3225 /*
3226 * tls-auth/crypt key can be configured per connection block, therefore
3227 * we must reload it as it may have changed
3228 */
3229 do_init_tls_wrap_key(c);
3230 }
3231}
3232
3233static void
3234do_init_crypto_tls(struct context *c, const unsigned int flags)
3235{
3236 const struct options *options = &c->options;
3237 struct tls_options to;
3238 bool packet_id_long_form;
3239
3240 ASSERT(options->tls_server || options->tls_client);
3241 ASSERT(!options->test_crypto);
3242
3243 init_crypto_pre(c, flags);
3244
3245 /* Make sure we are either a TLS client or server but not both */
3246 ASSERT(options->tls_server == !options->tls_client);
3247
3248 /* initialize persistent component */
3249 do_init_crypto_tls_c1(c);
3250 if (IS_SIG(c))
3251 {
3252 return;
3253 }
3254
3255 /* In short form, unique datagram identifier is 32 bits, in long form 64 bits */
3256 packet_id_long_form = cipher_kt_mode_ofb_cfb(c->c1.ks.key_type.cipher);
3257
3258 /* Set all command-line TLS-related options */
3259 CLEAR(to);
3260
3261 if (options->mute_replay_warnings)
3262 {
3263 to.crypto_flags |= CO_MUTE_REPLAY_WARNINGS;
3264 }
3265
3266 to.crypto_flags &= ~(CO_PACKET_ID_LONG_FORM);
3267 if (packet_id_long_form)
3268 {
3269 to.crypto_flags |= CO_PACKET_ID_LONG_FORM;
3270 }
3271
3272 to.ssl_ctx = c->c1.ks.ssl_ctx;
3273 to.key_type = c->c1.ks.key_type;
3274 to.server = options->tls_server;
3275 to.replay_window = options->replay_window;
3276 to.replay_time = options->replay_time;
3277 to.config_ciphername = c->options.ciphername;
3278 to.config_ncp_ciphers = c->options.ncp_ciphers;
3279 to.transition_window = options->transition_window;
3280 to.handshake_window = options->handshake_window;
3281 to.packet_timeout = options->tls_timeout;
3282 to.renegotiate_bytes = options->renegotiate_bytes;
3283 to.renegotiate_packets = options->renegotiate_packets;
3284 if (options->renegotiate_seconds_min < 0)
3285 {
3286 /* Add 10% jitter to reneg-sec by default (server side only) */
3287 int auto_jitter = options->mode != MODE_SERVER
3288 ? 0
3289 : get_random() % max_int(options->renegotiate_seconds / 10, 1);
3290 to.renegotiate_seconds = options->renegotiate_seconds - auto_jitter;
3291 }
3292 else
3293 {
3294 /* Add user-specified jitter to reneg-sec */
3295 to.renegotiate_seconds =
3296 options->renegotiate_seconds
3297 - (get_random()
3298 % max_int(options->renegotiate_seconds - options->renegotiate_seconds_min, 1));
3299 }
3300 to.single_session = options->single_session;
3301 to.mode = options->mode;
3302 to.pull = options->pull;
3303 if (options->push_peer_info) /* all there is */
3304 {
3305 to.push_peer_info_detail = 3;
3306 }
3307 else if (options->pull) /* pull clients send some details */
3308 {
3309 to.push_peer_info_detail = 2;
3310 }
3311 else if (options->mode == MODE_SERVER) /* server: no peer info at all */
3312 {
3313 to.push_peer_info_detail = 0;
3314 }
3315 else /* default: minimal info to allow NCP in P2P mode */
3316 {
3317 to.push_peer_info_detail = 1;
3318 }
3319
3320 /* Check if the DCO drivers support the epoch data format */
3321 if (dco_enabled(options))
3322 {
3323 to.data_epoch_supported = dco_supports_epoch_data(c);
3324 }
3325 else
3326 {
3327 to.data_epoch_supported = true;
3328 }
3329
3330 /* should we not xmit any packets until we get an initial
3331 * response from client? */
3332 if (to.server && c->mode == CM_CHILD_TCP)
3333 {
3334 to.xmit_hold = true;
3335 }
3336
3337 to.verify_command = options->tls_verify;
3338 to.verify_x509_type = (options->verify_x509_type & 0xff);
3339 to.verify_x509_name = options->verify_x509_name;
3340 to.crl_file = options->crl_file;
3341 to.crl_file_inline = options->crl_file_inline;
3342 to.ssl_flags = options->ssl_flags;
3343 to.ns_cert_type = options->ns_cert_type;
3344 memcpy(to.remote_cert_ku, options->remote_cert_ku, sizeof(to.remote_cert_ku));
3345 to.remote_cert_eku = options->remote_cert_eku;
3346 to.verify_hash = options->verify_hash;
3347 to.verify_hash_algo = options->verify_hash_algo;
3348 to.verify_hash_depth = options->verify_hash_depth;
3349 to.verify_hash_no_ca = options->verify_hash_no_ca;
3350#ifdef ENABLE_X509ALTUSERNAME
3351 memcpy(to.x509_username_field, options->x509_username_field, sizeof(to.x509_username_field));
3352#else
3353 to.x509_username_field[0] = X509_USERNAME_FIELD_DEFAULT;
3354#endif
3355 to.es = c->c2.es;
3356 to.net_ctx = &c->net_ctx;
3357
3358#ifdef ENABLE_DEBUG
3359 to.gremlin = c->options.gremlin;
3360#endif
3361
3362 to.plugins = c->plugins;
3363
3364#ifdef ENABLE_MANAGEMENT
3365 to.mda_context = &c->c2.mda_context;
3366#endif
3367
3368 to.auth_user_pass_verify_script = options->auth_user_pass_verify_script;
3369 to.auth_user_pass_verify_script_via_file = options->auth_user_pass_verify_script_via_file;
3370 to.client_crresponse_script = options->client_crresponse_script;
3371 to.tmp_dir = options->tmp_dir;
3372 to.export_peer_cert_dir = options->tls_export_peer_cert_dir;
3373 if (options->ccd_exclusive)
3374 {
3375 to.client_config_dir_exclusive = options->client_config_dir;
3376 }
3377 to.auth_user_pass_file = options->auth_user_pass_file;
3378 to.auth_user_pass_file_inline = options->auth_user_pass_file_inline;
3379 to.auth_token_generate = options->auth_token_generate;
3380 to.auth_token_lifetime = options->auth_token_lifetime;
3381 to.auth_token_renewal = options->auth_token_renewal;
3382 to.auth_token_call_auth = options->auth_token_call_auth;
3383 to.auth_token_key = c->c1.ks.auth_token_key;
3384
3385 to.x509_track = options->x509_track;
3386
3387#ifdef ENABLE_MANAGEMENT
3388 to.sci = &options->sc_info;
3389#endif
3390
3391#ifdef USE_COMP
3392 to.comp_options = options->comp;
3393#endif
3394
3395 if (options->keying_material_exporter_label)
3396 {
3397 to.ekm_size = options->keying_material_exporter_length;
3398 if (to.ekm_size < 16 || to.ekm_size > 4095)
3399 {
3400 to.ekm_size = 0;
3401 }
3402
3403 to.ekm_label = options->keying_material_exporter_label;
3404 to.ekm_label_size = strlen(to.ekm_label);
3405 }
3406 else
3407 {
3408 to.ekm_size = 0;
3409 }
3410
3411 /* TLS handshake authentication (--tls-auth) */
3412 if (options->ce.tls_auth_file)
3413 {
3414 to.tls_wrap.mode = TLS_WRAP_AUTH;
3415 }
3416
3417 /* TLS handshake encryption (--tls-crypt) */
3418 if (options->ce.tls_crypt_file || (options->ce.tls_crypt_v2_file && options->tls_client))
3419 {
3420 to.tls_wrap.mode = TLS_WRAP_CRYPT;
3421 }
3422
3423 if (to.tls_wrap.mode == TLS_WRAP_AUTH || to.tls_wrap.mode == TLS_WRAP_CRYPT)
3424 {
3425 to.tls_wrap.opt.key_ctx_bi = c->c1.ks.tls_wrap_key;
3426 to.tls_wrap.opt.pid_persist = &c->c1.pid_persist;
3427 to.tls_wrap.opt.flags |= CO_PACKET_ID_LONG_FORM;
3428 to.tls_wrap.original_wrap_keydata = c->c1.ks.original_wrap_keydata;
3429 }
3430
3431 if (options->ce.tls_crypt_v2_file)
3432 {
3433 to.tls_crypt_v2 = true;
3434 to.tls_wrap.tls_crypt_v2_wkc = &c->c1.ks.tls_crypt_v2_wkc;
3435
3436 if (options->tls_server)
3437 {
3438 to.tls_wrap.tls_crypt_v2_server_key = c->c1.ks.tls_crypt_v2_server_key;
3439 to.tls_crypt_v2_verify_script = c->options.tls_crypt_v2_verify_script;
3440 if (options->ce.tls_crypt_v2_force_cookie)
3441 {
3442 to.tls_wrap.opt.flags |= CO_FORCE_TLSCRYPTV2_COOKIE;
3443 }
3444 }
3445 }
3446
3447 /* let the TLS engine know if keys have to be installed in DCO or not */
3448 to.dco_enabled = dco_enabled(options);
3449
3450 /*
3451 * Initialize OpenVPN's master TLS-mode object.
3452 */
3453 if (flags & CF_INIT_TLS_MULTI)
3454 {
3455 c->c2.tls_multi = tls_multi_init(&to);
3456 /* inherit the dco context from the tuntap object */
3457 if (c->c1.tuntap)
3458 {
3459 c->c2.tls_multi->dco = &c->c1.tuntap->dco;
3460 }
3461 }
3462
3463 if (flags & CF_INIT_TLS_AUTH_STANDALONE)
3464 {
3465 c->c2.tls_auth_standalone = tls_auth_standalone_init(&to, &c->c2.gc);
3466 c->c2.session_id_hmac = session_id_hmac_init();
3467 }
3468}
3469
3470static void
3471do_init_frame_tls(struct context *c)
3472{
3473 if (c->c2.tls_multi)
3474 {
3475 tls_multi_init_finalize(c->c2.tls_multi, c->options.ce.tls_mtu);
3476 ASSERT(c->c2.tls_multi->opt.frame.buf.payload_size <= c->c2.frame.buf.payload_size);
3477 frame_print(&c->c2.tls_multi->opt.frame, D_MTU_INFO, "Control Channel MTU parms");
3478
3479 /* Keep the max mtu also in the frame of tls multi so it can access
3480 * it in push_peer_info */
3481 c->c2.tls_multi->opt.frame.tun_max_mtu = c->c2.frame.tun_max_mtu;
3482 }
3483 if (c->c2.tls_auth_standalone)
3484 {
3485 tls_init_control_channel_frame_parameters(&c->c2.tls_auth_standalone->frame,
3486 c->options.ce.tls_mtu);
3487 frame_print(&c->c2.tls_auth_standalone->frame, D_MTU_INFO, "TLS-Auth MTU parms");
3488 c->c2.tls_auth_standalone->tls_wrap.work = alloc_buf_gc(BUF_SIZE(&c->c2.frame), &c->c2.gc);
3489 c->c2.tls_auth_standalone->workbuf = alloc_buf_gc(BUF_SIZE(&c->c2.frame), &c->c2.gc);
3490 }
3491}
3492
3493/*
3494 * No encryption or authentication.
3495 */
3496static void
3497do_init_crypto_none(struct context *c)
3498{
3499 ASSERT(!c->options.test_crypto);
3500
3501 /* Initialise key_type with auth/cipher "none", so the key_type struct is
3502 * valid */
3503 init_key_type(&c->c1.ks.key_type, "none", "none", c->options.test_crypto, true);
3504
3505 msg(M_WARN, "******* WARNING *******: All encryption and authentication features "
3506 "disabled -- All data will be tunnelled as clear text and will not be "
3507 "protected against man-in-the-middle changes. "
3508 "PLEASE DO RECONSIDER THIS CONFIGURATION!");
3509}
3510
3511static void
3512do_init_crypto(struct context *c, const unsigned int flags)
3513{
3514 if (c->options.shared_secret_file)
3515 {
3516 do_init_crypto_static(c, flags);
3517 }
3518 else if (c->options.tls_server || c->options.tls_client)
3519 {
3520 do_init_crypto_tls(c, flags);
3521 }
3522 else /* no encryption or authentication. */
3523 {
3524 do_init_crypto_none(c);
3525 }
3526}
3527
3528static void
3529do_init_frame(struct context *c)
3530{
3531 /*
3532 * Adjust frame size based on the --tun-mtu-extra parameter.
3533 */
3534 if (c->options.ce.tun_mtu_extra_defined)
3535 {
3536 c->c2.frame.extra_tun += c->options.ce.tun_mtu_extra;
3537 }
3538
3539 /*
3540 * Fill in the blanks in the frame parameters structure,
3541 * make sure values are rational, etc.
3542 */
3543 frame_finalize_options(c, NULL);
3544
3545
3546#if defined(ENABLE_FRAGMENT)
3547 /*
3548 * MTU advisories
3549 */
3550 if (c->options.ce.fragment && c->options.mtu_test)
3551 {
3552 msg(M_WARN,
3553 "WARNING: using --fragment and --mtu-test together may produce an inaccurate MTU test result");
3554 }
3555#endif
3556
3557#ifdef ENABLE_FRAGMENT
3558 if (c->options.ce.fragment > 0 && c->options.ce.mssfix > c->options.ce.fragment)
3559 {
3560 msg(M_WARN,
3561 "WARNING: if you use --mssfix and --fragment, you should "
3562 "set --fragment (%d) larger or equal than --mssfix (%d)",
3563 c->options.ce.fragment, c->options.ce.mssfix);
3564 }
3565 if (c->options.ce.fragment > 0 && c->options.ce.mssfix > 0
3566 && c->options.ce.fragment_encap != c->options.ce.mssfix_encap)
3567 {
3568 msg(M_WARN, "WARNING: if you use --mssfix and --fragment, you should "
3569 "use the \"mtu\" flag for both or none of of them.");
3570 }
3571#endif
3572}
3573
3574static void
3575do_option_warnings(struct context *c)
3576{
3577 const struct options *o = &c->options;
3578
3579 if (o->ping_send_timeout && !o->ping_rec_timeout)
3580 {
3581 msg(M_WARN, "WARNING: --ping should normally be used with --ping-restart or --ping-exit");
3582 }
3583
3584 if (o->username || o->groupname || o->chroot_dir
3585#ifdef ENABLE_SELINUX
3586 || o->selinux_context
3587#endif
3588 )
3589 {
3590 if (!o->persist_tun)
3591 {
3592 msg(M_WARN,
3593 "WARNING: you are using user/group/chroot/setcon without persist-tun -- this may cause restarts to fail");
3594 }
3595 }
3596
3597 if (o->chroot_dir && !(o->username && o->groupname))
3598 {
3599 msg(M_WARN,
3600 "WARNING: you are using chroot without specifying user and group -- this may cause the chroot jail to be insecure");
3601 }
3602
3603 if (o->pull && o->ifconfig_local && c->first_time)
3604 {
3605 msg(M_WARN,
3606 "WARNING: using --pull/--client and --ifconfig together is probably not what you want");
3607 }
3608
3609 if (o->server_bridge_defined || o->server_bridge_proxy_dhcp)
3610 {
3611 msg(M_WARN,
3612 "NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to");
3613 }
3614
3615 if (o->mode == MODE_SERVER)
3616 {
3617 if (o->duplicate_cn && o->client_config_dir)
3618 {
3619 msg(M_WARN,
3620 "WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want");
3621 }
3622 if (o->duplicate_cn && o->ifconfig_pool_persist_filename)
3623 {
3624 msg(M_WARN, "WARNING: --ifconfig-pool-persist will not work with --duplicate-cn");
3625 }
3626 if (!o->keepalive_ping || !o->keepalive_timeout)
3627 {
3628 msg(M_WARN, "WARNING: --keepalive option is missing from server config");
3629 }
3630 }
3631
3632 if (o->tls_server)
3633 {
3634 warn_on_use_of_common_subnets(&c->net_ctx);
3635 }
3636 if (o->tls_client && !o->tls_verify && o->verify_x509_type == VERIFY_X509_NONE
3637 && !(o->ns_cert_type & NS_CERT_CHECK_SERVER) && !o->remote_cert_eku
3638 && !(o->verify_hash_depth == 0 && o->verify_hash))
3639 {
3640 msg(M_WARN,
3641 "WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.");
3642 }
3643 if (o->ns_cert_type)
3644 {
3645 msg(M_WARN, "WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.");
3646 }
3647
3648 /* If a script is used, print appropriate warnings */
3649 if (o->user_script_used)
3650 {
3651 if (script_security() >= SSEC_SCRIPTS)
3652 {
3653 msg(M_WARN,
3654 "NOTE: the current --script-security setting may allow this configuration to call user-defined scripts");
3655 }
3656 else if (script_security() >= SSEC_PW_ENV)
3657 {
3658 msg(M_WARN,
3659 "WARNING: the current --script-security setting may allow passwords to be passed to scripts via environmental variables");
3660 }
3661 else
3662 {
3663 msg(M_WARN,
3664 "NOTE: starting with " PACKAGE_NAME
3665 " 2.1, '--script-security 2' or higher is required to call user-defined scripts or executables");
3666 }
3667 }
3668}
3669
3670struct context_buffers *
3671init_context_buffers(const struct frame *frame)
3672{
3673 struct context_buffers *b;
3674
3675 ALLOC_OBJ_CLEAR(b, struct context_buffers);
3676
3677 size_t buf_size = BUF_SIZE(frame);
3678
3679 b->read_link_buf = alloc_buf(buf_size);
3680 b->read_tun_buf = alloc_buf(buf_size);
3681
3682 b->aux_buf = alloc_buf(buf_size);
3683
3684 b->encrypt_buf = alloc_buf(buf_size);
3685 b->decrypt_buf = alloc_buf(buf_size);
3686
3687#ifdef USE_COMP
3688 b->compress_buf = alloc_buf(buf_size);
3689 b->decompress_buf = alloc_buf(buf_size);
3690#endif
3691
3692 return b;
3693}
3694
3695void
3696free_context_buffers(struct context_buffers *b)
3697{
3698 if (b)
3699 {
3700 free_buf(&b->read_link_buf);
3701 free_buf(&b->read_tun_buf);
3702 free_buf(&b->aux_buf);
3703
3704#ifdef USE_COMP
3705 free_buf(&b->compress_buf);
3706 free_buf(&b->decompress_buf);
3707#endif
3708
3709 free_buf(&b->encrypt_buf);
3710 free_buf(&b->decrypt_buf);
3711
3712 free(b);
3713 }
3714}
3715
3716/*
3717 * Now that we know all frame parameters, initialize
3718 * our buffers.
3719 */
3720static void
3721do_init_buffers(struct context *c)
3722{
3723 c->c2.buffers = init_context_buffers(&c->c2.frame);
3724 c->c2.buffers_owned = true;
3725}
3726
3727#ifdef ENABLE_FRAGMENT
3728/*
3729 * Fragmenting code has buffers to initialize
3730 * once frame parameters are known.
3731 */
3732static void
3733do_init_fragment(struct context *c)
3734{
3735 ASSERT(c->options.ce.fragment);
3736
3737 /*
3738 * Set frame parameter for fragment code. This is necessary because
3739 * the fragmentation code deals with payloads which have already been
3740 * passed through the compression code.
3741 */
3742 c->c2.frame_fragment = c->c2.frame;
3743
3744 frame_calculate_dynamic(&c->c2.frame_fragment, &c->c1.ks.key_type, &c->options,
3745 get_link_socket_info(c));
3746 fragment_frame_init(c->c2.fragment, &c->c2.frame_fragment);
3747}
3748#endif
3749
3750/*
3751 * Allocate our socket object.
3752 */
3753static void
3754do_link_socket_new(struct context *c)
3755{
3756 ASSERT(!c->c2.link_sockets);
3757
3758 ALLOC_ARRAY_GC(c->c2.link_sockets, struct link_socket *, c->c1.link_sockets_num, &c->c2.gc);
3759
3760 for (int i = 0; i < c->c1.link_sockets_num; i++)
3761 {
3762 c->c2.link_sockets[i] = link_socket_new();
3763 }
3764 c->c2.link_socket_owned = true;
3765}
3766
3767/*
3768 * bind TCP/UDP sockets
3769 */
3770static void
3771do_init_socket_phase1(struct context *c)
3772{
3773 for (int i = 0; i < c->c1.link_sockets_num; i++)
3774 {
3775 int mode = LS_MODE_DEFAULT;
3776
3777 /* mode allows CM_CHILD_TCP
3778 * instances to inherit acceptable fds
3779 * from a top-level parent */
3780 if (c->options.mode == MODE_SERVER)
3781 {
3782 /* initializing listening socket */
3783 if (c->mode == CM_TOP)
3784 {
3785 mode = LS_MODE_TCP_LISTEN;
3786 }
3787 /* initializing socket to client */
3788 else if (c->mode == CM_CHILD_TCP)
3789 {
3790 mode = LS_MODE_TCP_ACCEPT_FROM;
3791 }
3792 }
3793
3794 /* init each socket with its specific args */
3795 link_socket_init_phase1(c, i, mode);
3796 }
3797}
3798
3799/*
3800 * finalize TCP/UDP sockets
3801 */
3802static void
3803do_init_socket_phase2(struct context *c)
3804{
3805 for (int i = 0; i < c->c1.link_sockets_num; i++)
3806 {
3807 link_socket_init_phase2(c, c->c2.link_sockets[i]);
3808 }
3809}
3810
3811/*
3812 * Print MTU INFO
3813 */
3814static void
3815do_print_data_channel_mtu_parms(struct context *c)
3816{
3817 frame_print(&c->c2.frame, D_MTU_INFO, "Data Channel MTU parms");
3818#ifdef ENABLE_FRAGMENT
3819 if (c->c2.fragment)
3820 {
3821 frame_print(&c->c2.frame_fragment, D_MTU_INFO, "Fragmentation MTU parms");
3822 }
3823#endif
3824}
3825
3826/*
3827 * Get local and remote options compatibility strings.
3828 */
3829static void
3830do_compute_occ_strings(struct context *c)
3831{
3832 struct gc_arena gc = gc_new();
3833
3834 c->c2.options_string_local =
3835 options_string(&c->options, &c->c2.frame, c->c1.tuntap, &c->net_ctx, false, &gc);
3836 c->c2.options_string_remote =
3837 options_string(&c->options, &c->c2.frame, c->c1.tuntap, &c->net_ctx, true, &gc);
3838
3839 msg(D_SHOW_OCC, "Local Options String (VER=%s): '%s'",
3840 options_string_version(c->c2.options_string_local, &gc), c->c2.options_string_local);
3841 msg(D_SHOW_OCC, "Expected Remote Options String (VER=%s): '%s'",
3842 options_string_version(c->c2.options_string_remote, &gc), c->c2.options_string_remote);
3843
3844 if (c->c2.tls_multi)
3845 {
3846 tls_multi_init_set_options(c->c2.tls_multi, c->c2.options_string_local,
3847 c->c2.options_string_remote);
3848 }
3849
3850 gc_free(&gc);
3851}
3852
3853/*
3854 * These things can only be executed once per program instantiation.
3855 * Set up for possible UID/GID downgrade, but don't do it yet.
3856 * Daemonize if requested.
3857 */
3858static void
3859do_init_first_time(struct context *c)
3860{
3861 if (c->first_time && !c->c0)
3862 {
3863 struct context_0 *c0;
3864
3865 ALLOC_OBJ_CLEAR_GC(c->c0, struct context_0, &c->gc);
3866 c0 = c->c0;
3867
3868 /* get user and/or group that we want to setuid/setgid to,
3869 * sets also platform_x_state */
3870 bool group_defined = platform_group_get(c->options.groupname, &c0->platform_state_group);
3871 bool user_defined = platform_user_get(c->options.username, &c0->platform_state_user);
3872
3873 c0->uid_gid_specified = user_defined || group_defined;
3874
3875 /* fork the dns script runner to preserve root? */
3876 c->persist.duri.required = user_defined;
3877
3878 /* perform postponed chdir if --daemon */
3879 if (c->did_we_daemonize && c->options.cd_dir == NULL)
3880 {
3881 platform_chdir("/");
3882 }
3883
3884 /* should we change scheduling priority? */
3885 platform_nice(c->options.nice);
3886 }
3887}
3888
3889/*
3890 * free buffers
3891 */
3892static void
3893do_close_free_buf(struct context *c)
3894{
3895 if (c->c2.buffers_owned)
3896 {
3897 free_context_buffers(c->c2.buffers);
3898 c->c2.buffers = NULL;
3899 c->c2.buffers_owned = false;
3900 }
3901}
3902
3903/*
3904 * close TLS
3905 */
3906static void
3907do_close_tls(struct context *c)
3908{
3909 if (c->c2.tls_multi)
3910 {
3911 tls_multi_free(c->c2.tls_multi, true);
3912 c->c2.tls_multi = NULL;
3913 }
3914
3915 /* free options compatibility strings */
3916 free(c->c2.options_string_local);
3917 free(c->c2.options_string_remote);
3918
3919 c->c2.options_string_local = c->c2.options_string_remote = NULL;
3920
3921 if (c->c2.pulled_options_state)
3922 {
3923 md_ctx_cleanup(c->c2.pulled_options_state);
3924 md_ctx_free(c->c2.pulled_options_state);
3925 }
3926
3927 tls_auth_standalone_free(c->c2.tls_auth_standalone);
3928}
3929
3930/*
3931 * Free key schedules
3932 */
3933static void
3934do_close_free_key_schedule(struct context *c, bool free_ssl_ctx)
3935{
3936 /*
3937 * always free the tls_auth/crypt key. The key will
3938 * be reloaded from memory (pre-cached)
3939 */
3940 free_key_ctx(&c->c1.ks.tls_crypt_v2_server_key);
3941 free_key_ctx_bi(&c->c1.ks.tls_wrap_key);
3942 CLEAR(c->c1.ks.tls_wrap_key);
3943 buf_clear(&c->c1.ks.tls_crypt_v2_wkc);
3944 free_buf(&c->c1.ks.tls_crypt_v2_wkc);
3945
3946 if (!(c->sig->signal_received == SIGUSR1))
3947 {
3948 key_schedule_free(&c->c1.ks, free_ssl_ctx);
3949 }
3950}
3951
3952/*
3953 * Close TCP/UDP connection
3954 */
3955static void
3956do_close_link_socket(struct context *c)
3957{
3958 if (c->c2.link_sockets && c->c2.link_socket_owned)
3959 {
3960 for (int i = 0; i < c->c1.link_sockets_num; i++)
3961 {
3962 /* in dco-win case, link socket is a tun handle which is
3963 * closed in do_close_tun(). Set it to UNDEFINED so
3964 * we won't use WinSock API to close it. */
3965 if (tuntap_is_dco_win(c->c1.tuntap))
3966 {
3967 c->c2.link_sockets[i]->sd = SOCKET_UNDEFINED;
3968 }
3969
3970 link_socket_close(c->c2.link_sockets[i]);
3971 }
3972 c->c2.link_sockets = NULL;
3973 }
3974
3975
3976 /* Preserve the resolved list of remote if the user request to or if we want
3977 * reconnect to the same host again or there are still addresses that need
3978 * to be tried */
3979 if (!(c->sig->signal_received == SIGUSR1
3980 && ((c->options.persist_remote_ip)
3981 || (c->sig->source != SIG_SOURCE_HARD
3982 && ((c->c1.link_socket_addrs[0].current_remote
3983 && c->c1.link_socket_addrs[0].current_remote->ai_next)
3984 || c->options.no_advance)))))
3985 {
3986 clear_remote_addrlist(&c->c1.link_socket_addrs[0], !c->options.resolve_in_advance);
3987 }
3988
3989 /* Clear the remote actual address when persist_remote_ip is not in use */
3990 if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_remote_ip))
3991 {
3992 for (int i = 0; i < c->c1.link_sockets_num; i++)
3993 {
3994 CLEAR(c->c1.link_socket_addrs[i].actual);
3995 }
3996 }
3997
3998 if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_local_ip))
3999 {
4000 for (int i = 0; i < c->c1.link_sockets_num; i++)
4001 {
4002 if (c->c1.link_socket_addrs[i].bind_local && !c->options.resolve_in_advance)
4003 {
4004 freeaddrinfo(c->c1.link_socket_addrs[i].bind_local);
4005 }
4006
4007 c->c1.link_socket_addrs[i].bind_local = NULL;
4008 }
4009 }
4010}
4011
4012/*
4013 * Close packet-id persistence file
4014 */
4015static void
4016do_close_packet_id(struct context *c)
4017{
4018 packet_id_free(&c->c2.crypto_options.packet_id);
4019 packet_id_persist_save(&c->c1.pid_persist);
4020 if (!(c->sig->signal_received == SIGUSR1))
4021 {
4022 packet_id_persist_close(&c->c1.pid_persist);
4023 }
4024}
4025
4026#ifdef ENABLE_FRAGMENT
4027/*
4028 * Close fragmentation handler.
4029 */
4030static void
4031do_close_fragment(struct context *c)
4032{
4033 if (c->c2.fragment)
4034 {
4035 fragment_free(c->c2.fragment);
4036 c->c2.fragment = NULL;
4037 }
4038}
4039#endif
4040
4041/*
4042 * Open and close our event objects.
4043 */
4044
4045static void
4046do_event_set_init(struct context *c, bool need_us_timeout)
4047{
4048 unsigned int flags = 0;
4049
4050 c->c2.event_set_max = BASE_N_EVENTS;
4051
4052 flags |= EVENT_METHOD_FAST;
4053
4054 if (need_us_timeout)
4055 {
4056 flags |= EVENT_METHOD_US_TIMEOUT;
4057 }
4058
4059 c->c2.event_set = event_set_init(&c->c2.event_set_max, flags);
4060 c->c2.event_set_owned = true;
4061}
4062
4063static void
4064do_close_event_set(struct context *c)
4065{
4066 if (c->c2.event_set && c->c2.event_set_owned)
4067 {
4068 event_free(c->c2.event_set);
4069 c->c2.event_set = NULL;
4070 c->c2.event_set_owned = false;
4071 }
4072}
4073
4074/*
4075 * Open and close --status file
4076 */
4077
4078static void
4079do_open_status_output(struct context *c)
4080{
4081 if (!c->c1.status_output)
4082 {
4083 c->c1.status_output =
4084 status_open(c->options.status_file, c->options.status_file_update_freq, -1, NULL,
4085 STATUS_OUTPUT_WRITE);
4086 c->c1.status_output_owned = true;
4087 }
4088}
4089
4090static void
4091do_close_status_output(struct context *c)
4092{
4093 if (!(c->sig->signal_received == SIGUSR1))
4094 {
4095 if (c->c1.status_output_owned && c->c1.status_output)
4096 {
4097 status_close(c->c1.status_output);
4098 c->c1.status_output = NULL;
4099 c->c1.status_output_owned = false;
4100 }
4101 }
4102}
4103
4104/*
4105 * Handle ifconfig-pool persistence object.
4106 */
4107static void
4118
4119static void
4120do_close_ifconfig_pool_persist(struct context *c)
4121{
4122 if (!(c->sig->signal_received == SIGUSR1))
4123 {
4124 if (c->c1.ifconfig_pool_persist && c->c1.ifconfig_pool_persist_owned)
4125 {
4126 ifconfig_pool_persist_close(c->c1.ifconfig_pool_persist);
4127 c->c1.ifconfig_pool_persist = NULL;
4128 c->c1.ifconfig_pool_persist_owned = false;
4129 }
4130 }
4131}
4132
4133/*
4134 * Inherit environmental variables
4135 */
4136
4137static void
4138do_inherit_env(struct context *c, const struct env_set *src)
4139{
4140 c->c2.es = env_set_create(NULL);
4141 c->c2.es_owned = true;
4142 env_set_inherit(c->c2.es, src);
4143}
4144
4145static void
4146do_env_set_destroy(struct context *c)
4147{
4148 if (c->c2.es && c->c2.es_owned)
4149 {
4150 env_set_destroy(c->c2.es);
4151 c->c2.es = NULL;
4152 c->c2.es_owned = false;
4153 }
4154}
4155
4156/*
4157 * Fast I/O setup. Fast I/O is an optimization which only works
4158 * if all of the following are true:
4159 *
4160 * (1) The platform is not Windows
4161 * (2) --proto udp is enabled
4162 * (3) --shaper is disabled
4163 */
4164static void
4165do_setup_fast_io(struct context *c)
4166{
4167 if (c->options.fast_io)
4168 {
4169#ifdef _WIN32
4170 msg(M_INFO, "NOTE: --fast-io is disabled since we are running on Windows");
4171#else
4172 if (c->options.shaper)
4173 {
4174 msg(M_INFO, "NOTE: --fast-io is disabled since we are using --shaper");
4175 }
4176 else
4177 {
4178 c->c2.fast_io = true;
4179 }
4180#endif
4181 }
4182}
4183
4184static void
4185do_signal_on_tls_errors(struct context *c)
4186{
4187 if (c->options.tls_exit)
4188 {
4189 c->c2.tls_exit_signal = SIGTERM;
4190 }
4191 else
4192 {
4193 c->c2.tls_exit_signal = SIGUSR1;
4194 }
4195}
4196
4197#ifdef ENABLE_PLUGIN
4198
4199void
4200init_plugins(struct context *c)
4201{
4202 if (c->options.plugin_list && !c->plugins)
4203 {
4204 c->plugins = plugin_list_init(c->options.plugin_list);
4205 c->plugins_owned = true;
4206 }
4207}
4208
4209void
4210open_plugins(struct context *c, const bool import_options, int init_point)
4211{
4212 if (c->plugins && c->plugins_owned)
4213 {
4214 if (import_options)
4215 {
4216 struct plugin_return pr, config;
4217 plugin_return_init(&pr);
4218 plugin_list_open(c->plugins, c->options.plugin_list, &pr, c->c2.es, init_point);
4219 plugin_return_get_column(&pr, &config, "config");
4220 if (plugin_return_defined(&config))
4221 {
4222 int i;
4223 for (i = 0; i < config.n; ++i)
4224 {
4225 unsigned int option_types_found = 0;
4226 if (config.list[i] && config.list[i]->value)
4227 {
4228 options_string_import(
4229 &c->options, config.list[i]->value, D_IMPORT_ERRORS | M_OPTERR,
4230 OPT_P_DEFAULT & ~OPT_P_PLUGIN, &option_types_found, c->es);
4231 }
4232 }
4233 }
4234 plugin_return_free(&pr);
4235 }
4236 else
4237 {
4238 plugin_list_open(c->plugins, c->options.plugin_list, NULL, c->c2.es, init_point);
4239 }
4240 }
4241}
4242
4243static void
4244do_close_plugins(struct context *c)
4245{
4246 if (c->plugins && c->plugins_owned && !(c->sig->signal_received == SIGUSR1))
4247 {
4248 plugin_list_close(c->plugins);
4249 c->plugins = NULL;
4250 c->plugins_owned = false;
4251 }
4252}
4253
4254static void
4255do_inherit_plugins(struct context *c, const struct context *src)
4256{
4257 if (!c->plugins && src->plugins)
4258 {
4259 c->plugins = plugin_list_inherit(src->plugins);
4260 c->plugins_owned = true;
4261 }
4262}
4263
4264#endif /* ifdef ENABLE_PLUGIN */
4265
4266#ifdef ENABLE_MANAGEMENT
4267
4268static void
4269management_callback_status_p2p(void *arg, const int version, struct status_output *so)
4270{
4271 struct context *c = (struct context *)arg;
4272 print_status(c, so);
4273}
4274
4275void
4276management_show_net_callback(void *arg, const int msglevel)
4277{
4278#ifdef _WIN32
4279 show_routes(msglevel);
4280 show_adapters(msglevel);
4281 msg(msglevel, "END");
4282#else
4283 msg(msglevel, "ERROR: Sorry, this command is currently only implemented on Windows");
4284#endif
4285}
4286
4287#ifdef TARGET_ANDROID
4288int
4289management_callback_network_change(void *arg, bool samenetwork)
4290{
4291 /* Check if the client should translate the network change to a SIGUSR1 to
4292 * reestablish the connection or just reprotect the socket
4293 *
4294 * At the moment just assume that, for all settings that use pull (not
4295 * --static) and are not using peer-id reestablishing the connection is
4296 * required (unless the network is the same)
4297 *
4298 * The function returns -1 on invalid fd and -2 if the socket cannot be
4299 * reused. On the -2 return value the man_network_change function triggers
4300 * a SIGUSR1 to force a reconnect.
4301 */
4302
4303 int socketfd = -1;
4304 struct context *c = (struct context *)arg;
4305 if (!c->c2.link_sockets || !c->c2.link_sockets[0])
4306 {
4307 return -1;
4308 }
4309 if (c->c2.link_sockets[0]->sd == SOCKET_UNDEFINED)
4310 {
4311 return -1;
4312 }
4313
4314 /* On some newer Android handsets, changing to a different network
4315 * often does not trigger a TCP reset but continue using the old
4316 * connection (e.g. using mobile connection when WiFi becomes available */
4317 struct link_socket_info *lsi = get_link_socket_info(c);
4318 if (lsi && proto_is_tcp(lsi->proto) && !samenetwork)
4319 {
4320 return -2;
4321 }
4322
4323 socketfd = c->c2.link_sockets[0]->sd;
4324 if (!c->options.pull || c->c2.tls_multi->use_peer_id || samenetwork)
4325 {
4326 return socketfd;
4327 }
4328 else
4329 {
4330 return -2;
4331 }
4332}
4333#endif /* ifdef TARGET_ANDROID */
4334
4335#endif /* ifdef ENABLE_MANAGEMENT */
4336
4337void
4338init_management_callback_p2p(struct context *c)
4339{
4340#ifdef ENABLE_MANAGEMENT
4341 if (management)
4342 {
4343 struct management_callback cb;
4344 CLEAR(cb);
4345 cb.arg = c;
4346 cb.status = management_callback_status_p2p;
4347 cb.show_net = management_show_net_callback;
4348 cb.proxy_cmd = management_callback_proxy_cmd;
4349 cb.remote_cmd = management_callback_remote_cmd;
4350 cb.send_cc_message = management_callback_send_cc_message;
4351#ifdef TARGET_ANDROID
4352 cb.network_change = management_callback_network_change;
4353#endif
4354 cb.remote_entry_count = management_callback_remote_entry_count;
4355 cb.remote_entry_get = management_callback_remote_entry_get;
4356 management_set_callback(management, &cb);
4357 }
4358#endif
4359}
4360
4361#ifdef ENABLE_MANAGEMENT
4362
4363void
4364init_management(void)
4365{
4366 if (!management)
4367 {
4368 management = management_init();
4369 }
4370}
4371
4372bool
4373open_management(struct context *c)
4374{
4375 /* initialize management layer */
4376 if (management)
4377 {
4378 if (c->options.management_addr)
4379 {
4380 unsigned int flags = c->options.management_flags;
4381 if (c->options.mode == MODE_SERVER)
4382 {
4383 flags |= MF_SERVER;
4384 }
4385 if (management_open(
4386 management, c->options.management_addr, c->options.management_port,
4387 c->options.management_user_pass, c->options.management_client_user,
4388 c->options.management_client_group, c->options.management_log_history_cache,
4389 c->options.management_echo_buffer_size, c->options.management_state_buffer_size,
4390 c->options.remap_sigusr1, flags))
4391 {
4392 management_set_state(management, OPENVPN_STATE_CONNECTING, NULL, NULL, NULL, NULL,
4393 NULL);
4394 }
4395
4396 /* initial management hold, called early, before first context initialization */
4397 do_hold(0);
4398 if (IS_SIG(c))
4399 {
4400 msg(M_WARN, "Signal received from management interface, exiting");
4401 return false;
4402 }
4403 }
4404 else
4405 {
4406 close_management();
4407 }
4408 }
4409 return true;
4410}
4411
4412void
4413close_management(void)
4414{
4415 if (management)
4416 {
4417 management_close(management);
4418 management = NULL;
4419 }
4420}
4421
4422#endif /* ifdef ENABLE_MANAGEMENT */
4423
4424
4425void
4426uninit_management_callback(void)
4427{
4428#ifdef ENABLE_MANAGEMENT
4429 if (management)
4430 {
4431 management_clear_callback(management);
4432 }
4433#endif
4434}
4435
4436void
4437persist_client_stats(struct context *c)
4438{
4439#ifdef ENABLE_MANAGEMENT
4440 if (management)
4441 {
4442 man_persist_client_stats(management, c);
4443 }
4444#endif
4445}
4446
4447/*
4448 * Initialize a tunnel instance, handle pre and post-init
4449 * signal settings.
4450 */
4451void
4452init_instance_handle_signals(struct context *c, const struct env_set *env, const unsigned int flags)
4453{
4454 pre_init_signal_catch();
4455 init_instance(c, env, flags);
4456 post_init_signal_catch();
4457
4458 /*
4459 * This is done so that signals thrown during
4460 * initialization can bring us back to
4461 * a management hold.
4462 */
4463 if (IS_SIG(c))
4464 {
4465 remap_signal(c);
4466 uninit_management_callback();
4467 }
4468}
4469
4470/*
4471 * Initialize a tunnel instance.
4472 */
4473void
4474init_instance(struct context *c, const struct env_set *env, const unsigned int flags)
4475{
4476 const struct options *options = &c->options;
4477 const bool child = (c->mode == CM_CHILD_TCP || c->mode == CM_CHILD_UDP);
4478
4479 /* init garbage collection level */
4480 gc_init(&c->c2.gc);
4481
4482 /* inherit environmental variables */
4483 if (env)
4484 {
4485 do_inherit_env(c, env);
4486 }
4487
4488 if (c->mode == CM_P2P)
4489 {
4490 init_management_callback_p2p(c);
4491 }
4492
4493 /* possible sleep or management hold if restart */
4494 if (c->mode == CM_P2P || c->mode == CM_TOP)
4495 {
4496 do_startup_pause(c);
4497 if (IS_SIG(c))
4498 {
4499 goto sig;
4500 }
4501 }
4502
4503 if (c->options.resolve_in_advance)
4504 {
4505 do_preresolve(c);
4506 if (IS_SIG(c))
4507 {
4508 goto sig;
4509 }
4510 }
4511
4512 /* Resets all values to the initial values from the config where needed */
4513 pre_connect_restore(&c->options, &c->c2.gc);
4514
4515 /* map in current connection entry */
4516 next_connection_entry(c);
4517
4518 /* should we disable paging? */
4519 if (c->first_time && options->mlock)
4520 {
4521 platform_mlockall(true);
4522 }
4523
4524 /* get passwords if undefined */
4525 if (auth_retry_get() == AR_INTERACT)
4526 {
4527 init_query_passwords(c);
4528 }
4529
4530 /* initialize context level 2 --verb/--mute parms */
4531 init_verb_mute(c, IVM_LEVEL_2);
4532
4533 /* set error message delay for non-server modes */
4534 if (c->mode == CM_P2P)
4535 {
4536 set_check_status_error_delay(P2P_ERROR_DELAY_MS);
4537 }
4538
4539 /* warn about inconsistent options */
4540 if (c->mode == CM_P2P || c->mode == CM_TOP)
4541 {
4542 do_option_warnings(c);
4543 }
4544
4545#ifdef ENABLE_PLUGIN
4546 /* initialize plugins */
4547 if (c->mode == CM_P2P || c->mode == CM_TOP)
4548 {
4549 open_plugins(c, false, OPENVPN_PLUGIN_INIT_PRE_DAEMON);
4550 }
4551#endif
4552
4553 /* should we enable fast I/O? */
4554 if (c->mode == CM_P2P || c->mode == CM_TOP)
4555 {
4556 do_setup_fast_io(c);
4557 }
4558
4559 /* should we throw a signal on TLS errors? */
4560 do_signal_on_tls_errors(c);
4561
4562 /* open --status file */
4563 if (c->mode == CM_P2P || c->mode == CM_TOP)
4564 {
4565 do_open_status_output(c);
4566 }
4567
4568 /* open --ifconfig-pool-persist file */
4569 if (c->mode == CM_TOP)
4570 {
4571 do_open_ifconfig_pool_persist(c);
4572 }
4573
4574 /* reset OCC state */
4575 if (c->mode == CM_P2P || child)
4576 {
4577 c->c2.occ_op = occ_reset_op();
4578 }
4579
4580 /* our wait-for-i/o objects, different for posix vs. win32 */
4581 if (c->mode == CM_P2P || c->mode == CM_TOP)
4582 {
4583 do_event_set_init(c, SHAPER_DEFINED(&c->options));
4584 }
4585 else if (c->mode == CM_CHILD_TCP)
4586 {
4587 do_event_set_init(c, false);
4588 }
4589
4590 /* initialize HTTP or SOCKS proxy object at scope level 2 */
4591 init_proxy(c);
4592
4593 /* allocate our socket object */
4594 if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
4595 {
4596 do_link_socket_new(c);
4597 }
4598
4599#ifdef ENABLE_FRAGMENT
4600 /* initialize internal fragmentation object */
4601 if (options->ce.fragment && (c->mode == CM_P2P || child))
4602 {
4603 c->c2.fragment = fragment_init(&c->c2.frame);
4604 }
4605#endif
4606
4607 /* init crypto layer */
4608 {
4609 unsigned int crypto_flags = 0;
4610 if (c->mode == CM_TOP)
4611 {
4612 crypto_flags = CF_INIT_TLS_AUTH_STANDALONE;
4613 }
4614 else if (c->mode == CM_P2P)
4615 {
4616 crypto_flags = CF_LOAD_PERSISTED_PACKET_ID | CF_INIT_TLS_MULTI;
4617 }
4618 else if (child)
4619 {
4620 crypto_flags = CF_INIT_TLS_MULTI;
4621 }
4622 do_init_crypto(c, crypto_flags);
4623 if (IS_SIG(c) && !child)
4624 {
4625 goto sig;
4626 }
4627 }
4628
4629#ifdef USE_COMP
4630 /* initialize compression library. */
4631 if (comp_enabled(&options->comp) && (c->mode == CM_P2P || child))
4632 {
4633 c->c2.comp_context = comp_init(&options->comp);
4634 }
4635#endif
4636
4637 /* initialize MTU variables */
4638 do_init_frame(c);
4639
4640 /* initialize TLS MTU variables */
4641 do_init_frame_tls(c);
4642
4643 /* init workspace buffers whose size is derived from frame size */
4644 if (c->mode == CM_P2P || c->mode == CM_CHILD_TCP)
4645 {
4646 do_init_buffers(c);
4647 }
4648
4649#ifdef ENABLE_FRAGMENT
4650 /* initialize internal fragmentation capability with known frame size */
4651 if (options->ce.fragment && (c->mode == CM_P2P || child))
4652 {
4653 do_init_fragment(c);
4654 }
4655#endif
4656
4657 /* bind the TCP/UDP socket */
4658 if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
4659 {
4660 do_init_socket_phase1(c);
4661 }
4662
4663 /* initialize tun/tap device object,
4664 * open tun/tap device, ifconfig, run up script, etc. */
4665 if (!(options->up_delay || PULL_DEFINED(options)) && (c->mode == CM_P2P || c->mode == CM_TOP))
4666 {
4667 int error_flags = 0;
4668 c->c2.did_open_tun = do_open_tun(c, &error_flags);
4669 }
4670
4671 /* print MTU info */
4672 do_print_data_channel_mtu_parms(c);
4673
4674 /* get local and remote options compatibility strings */
4675 if (c->mode == CM_P2P || child)
4676 {
4677 do_compute_occ_strings(c);
4678 }
4679
4680 /* initialize output speed limiter */
4681 if (c->mode == CM_P2P)
4682 {
4683 do_init_traffic_shaper(c);
4684 }
4685
4686 /* do one-time inits, and possibly become a daemon here */
4687 do_init_first_time(c);
4688
4689#ifdef ENABLE_PLUGIN
4690 /* initialize plugins */
4691 if (c->mode == CM_P2P || c->mode == CM_TOP)
4692 {
4693 open_plugins(c, false, OPENVPN_PLUGIN_INIT_POST_DAEMON);
4694 }
4695#endif
4696
4697 /* initialise connect timeout timer */
4698 do_init_server_poll_timeout(c);
4699
4700 /* finalize the TCP/UDP socket */
4701 if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
4702 {
4703 do_init_socket_phase2(c);
4704
4705
4706 /* Update dynamic frame calculation as exact transport socket information
4707 * (IP vs IPv6) may be only available after socket phase2 has finished.
4708 * This is only needed for --static or no crypto, NCP will recalculate this
4709 * in tls_session_update_crypto_params (P2MP) */
4710 for (int i = 0; i < c->c1.link_sockets_num; i++)
4711 {
4712 frame_calculate_dynamic(&c->c2.frame, &c->c1.ks.key_type, &c->options,
4713 &c->c2.link_sockets[i]->info);
4714 }
4715 }
4716
4717 /*
4718 * Actually do UID/GID downgrade, and chroot, if requested.
4719 * May be delayed by --client, --pull, or --up-delay.
4720 */
4721 do_uid_gid_chroot(c, c->c2.did_open_tun);
4722
4723 /* initialize timers */
4724 if (c->mode == CM_P2P || child)
4725 {
4726 do_init_timers(c, false);
4727 }
4728
4729#ifdef ENABLE_PLUGIN
4730 /* initialize plugins */
4731 if (c->mode == CM_P2P || c->mode == CM_TOP)
4732 {
4733 open_plugins(c, false, OPENVPN_PLUGIN_INIT_POST_UID_CHANGE);
4734 }
4735#endif
4736
4737#if PORT_SHARE
4738 /* share OpenVPN port with foreign (such as HTTPS) server */
4739 if (c->first_time && (c->mode == CM_P2P || c->mode == CM_TOP))
4740 {
4741 init_port_share(c);
4742 }
4743#endif
4744
4745 /* Check for signals */
4746 if (IS_SIG(c))
4747 {
4748 goto sig;
4749 }
4750
4751 return;
4752
4753sig:
4754 if (!c->sig->signal_text)
4755 {
4756 c->sig->signal_text = "init_instance";
4757 }
4758 close_context(c, -1, flags);
4759 return;
4760}
4761
4762/*
4763 * Close a tunnel instance.
4764 */
4765void
4766close_instance(struct context *c)
4767{
4768 /* close event objects */
4769 do_close_event_set(c);
4770
4771 if (c->mode == CM_P2P || c->mode == CM_CHILD_TCP || c->mode == CM_CHILD_UDP
4772 || c->mode == CM_TOP)
4773 {
4774#ifdef USE_COMP
4775 if (c->c2.comp_context)
4776 {
4777 comp_uninit(c->c2.comp_context);
4778 c->c2.comp_context = NULL;
4779 }
4780#endif
4781
4782 /* free buffers */
4783 do_close_free_buf(c);
4784
4785 /* close peer for DCO if enabled, needs peer-id so must be done before
4786 * closing TLS contexts */
4787 dco_remove_peer(c);
4788
4789 /* close TLS */
4790 do_close_tls(c);
4791
4792 /* free key schedules */
4793 do_close_free_key_schedule(c, (c->mode == CM_P2P || c->mode == CM_TOP));
4794
4795 /* close TCP/UDP connection */
4796 do_close_link_socket(c);
4797
4798 /* close TUN/TAP device */
4799 do_close_tun(c, false);
4800
4801#ifdef ENABLE_MANAGEMENT
4802 if (management)
4803 {
4804 management_notify_client_close(management, &c->c2.mda_context, NULL);
4805 }
4806#endif
4807
4808#ifdef ENABLE_PLUGIN
4809 /* call plugin close functions and unload */
4810 do_close_plugins(c);
4811#endif
4812
4813 /* close packet-id persistence file */
4814 do_close_packet_id(c);
4815
4816 /* close --status file */
4817 do_close_status_output(c);
4818
4819#ifdef ENABLE_FRAGMENT
4820 /* close fragmentation handler */
4821 do_close_fragment(c);
4822#endif
4823
4824 /* close --ifconfig-pool-persist obj */
4825 do_close_ifconfig_pool_persist(c);
4826
4827 /* free up environmental variable store */
4828 do_env_set_destroy(c);
4829
4830 /* close HTTP or SOCKS proxy */
4831 uninit_proxy(c);
4832
4833 /* garbage collect */
4834 gc_free(&c->c2.gc);
4835 }
4836}
4837
4838void
4839inherit_context_child(struct context *dest, const struct context *src, struct link_socket *sock)
4840{
4841 CLEAR(*dest);
4842
4843 /* proto_is_dgram will ASSERT(0) if proto is invalid */
4844 dest->mode = proto_is_dgram(sock->info.proto) ? CM_CHILD_UDP : CM_CHILD_TCP;
4845
4846 dest->gc = gc_new();
4847
4848 ALLOC_OBJ_CLEAR_GC(dest->sig, struct signal_info, &dest->gc);
4849
4850 /* c1 init */
4851 packet_id_persist_init(&dest->c1.pid_persist);
4852 dest->c1.link_sockets_num = 1;
4853 do_link_socket_addr_new(dest);
4854
4855 dest->c1.ks.key_type = src->c1.ks.key_type;
4856 /* inherit SSL context */
4857 dest->c1.ks.ssl_ctx = src->c1.ks.ssl_ctx;
4858 dest->c1.ks.tls_wrap_key = src->c1.ks.tls_wrap_key;
4859 dest->c1.ks.tls_auth_key_type = src->c1.ks.tls_auth_key_type;
4860 dest->c1.ks.tls_crypt_v2_server_key = src->c1.ks.tls_crypt_v2_server_key;
4861 /* inherit pre-NCP ciphers */
4862 dest->options.ciphername = src->options.ciphername;
4863 dest->options.authname = src->options.authname;
4864
4865 /* inherit auth-token */
4866 dest->c1.ks.auth_token_key = src->c1.ks.auth_token_key;
4867
4868 /* options */
4869 dest->options = src->options;
4870 dest->options.ce.proto = sock->info.proto;
4871 options_detach(&dest->options);
4872
4873 dest->c2.event_set = src->c2.event_set;
4874
4875 if (dest->mode == CM_CHILD_TCP)
4876 {
4877 /*
4878 * The CM_TOP context does the socket listen(),
4879 * and the CM_CHILD_TCP context does the accept().
4880 */
4881 dest->c2.accept_from = sock;
4882 }
4883
4884#ifdef ENABLE_PLUGIN
4885 /* inherit plugins */
4886 do_inherit_plugins(dest, src);
4887#endif
4888
4889 /* context init */
4890
4891 /* inherit tun/tap interface object now as it may be required
4892 * to initialize the DCO context in init_instance()
4893 */
4894 dest->c1.tuntap = src->c1.tuntap;
4895
4896 /* UDP inherits some extra things which TCP does not */
4897 if (dest->mode == CM_CHILD_UDP)
4898 {
4899 ASSERT(!dest->c2.link_sockets);
4900 ASSERT(dest->options.ce.local_list);
4901
4902 /* inherit buffers */
4903 dest->c2.buffers = src->c2.buffers;
4904
4905 ALLOC_ARRAY_GC(dest->c2.link_sockets, struct link_socket *, 1, &dest->gc);
4906
4907 /* inherit parent link_socket and tuntap */
4908 dest->c2.link_sockets[0] = sock;
4909
4910 ALLOC_ARRAY_GC(dest->c2.link_socket_infos, struct link_socket_info *, 1, &dest->gc);
4911 ALLOC_OBJ_GC(dest->c2.link_socket_infos[0], struct link_socket_info, &dest->gc);
4912 *dest->c2.link_socket_infos[0] = sock->info;
4913
4914 /* locally override some link_socket_info fields */
4915 dest->c2.link_socket_infos[0]->lsa = &dest->c1.link_socket_addrs[0];
4916 dest->c2.link_socket_infos[0]->connection_established = false;
4917 }
4918
4919 init_instance(dest, src->c2.es, CC_NO_CLOSE | CC_USR1_TO_HUP);
4920 if (IS_SIG(dest))
4921 {
4922 return;
4923 }
4924}
4925
4926void
4927inherit_context_top(struct context *dest, const struct context *src)
4928{
4929 /* copy parent */
4930 *dest = *src;
4931
4932 /*
4933 * CM_TOP_CLONE will prevent close_instance from freeing or closing
4934 * resources owned by the parent.
4935 *
4936 * Also note that CM_TOP_CLONE context objects are
4937 * closed by multi_top_free in multi.c.
4938 */
4939 dest->mode = CM_TOP_CLONE;
4940
4941 dest->first_time = false;
4942 dest->c0 = NULL;
4943
4944 options_detach(&dest->options);
4945 gc_detach(&dest->gc);
4946 gc_detach(&dest->c2.gc);
4947
4948 /* detach plugins */
4949 dest->plugins_owned = false;
4950
4951 dest->c2.tls_multi = NULL;
4952
4953 /* detach c1 ownership */
4954 dest->c1.tuntap_owned = false;
4955 dest->c1.status_output_owned = false;
4956 dest->c1.ifconfig_pool_persist_owned = false;
4957
4958 /* detach c2 ownership */
4959 dest->c2.event_set_owned = false;
4960 dest->c2.link_socket_owned = false;
4961 dest->c2.buffers_owned = false;
4962 dest->c2.es_owned = false;
4963
4964 dest->c2.event_set = NULL;
4965 do_event_set_init(dest, false);
4966
4967#ifdef USE_COMP
4968 dest->c2.comp_context = NULL;
4969#endif
4970}
4971
4972void
4973close_context(struct context *c, int sig, unsigned int flags)
4974{
4975 ASSERT(c);
4976 ASSERT(c->sig);
4977
4978 if (sig >= 0)
4979 {
4980 register_signal(c->sig, sig, "close_context");
4981 }
4982
4983 if (c->sig->signal_received == SIGUSR1)
4984 {
4985 if ((flags & CC_USR1_TO_HUP)
4986 || (c->sig->source == SIG_SOURCE_HARD && (flags & CC_HARD_USR1_TO_HUP)))
4987 {
4988 register_signal(c->sig, SIGHUP, "close_context usr1 to hup");
4989 }
4990 }
4991
4992 if (!(flags & CC_NO_CLOSE))
4993 {
4994 close_instance(c);
4995 }
4996
4997 if (flags & CC_GC_FREE)
4998 {
4999 context_gc_free(c);
5000 }
5001}
5002
5003/* Write our PID to a file */
5004void
5005write_pid_file(const char *filename, const char *chroot_dir)
5006{
5007 if (filename)
5008 {
5009 unsigned int pid = 0;
5010 FILE *fp = platform_fopen(filename, "w");
5011 if (!fp)
5012 {
5013 msg(M_ERR, "Open error on pid file %s", filename);
5014 return;
5015 }
5016
5017 pid = platform_getpid();
5018 fprintf(fp, "%u\n", pid);
5019 if (fclose(fp))
5020 {
5021 msg(M_ERR, "Close error on pid file %s", filename);
5022 }
5023
5024 /* remember file name so it can be deleted "out of context" later */
5025 /* (the chroot case is more complex and not handled today) */
5026 if (!chroot_dir)
5027 {
5028 saved_pid_file_name = strdup(filename);
5029 if (!saved_pid_file_name)
5030 {
5031 msg(M_FATAL, "Failed allocate memory saved_pid_file_name");
5032 }
5033 }
5034 }
5035}
5036
5037/* remove PID file on exit, called from openvpn_exit() */
5038void
5039remove_pid_file(void)
5040{
5041 if (saved_pid_file_name)
5042 {
5043 platform_unlink(saved_pid_file_name);
5044 }
5045}
5046
5047
5048/*
5049 * Do a loopback test
5050 * on the crypto subsystem.
5051 */
5052static void *
5053test_crypto_thread(void *arg)
5054{
5055 struct context *c = (struct context *)arg;
5056 const struct options *options = &c->options;
5057
5058 ASSERT(options->test_crypto);
5059 init_verb_mute(c, IVM_LEVEL_1);
5060 context_init_1(c);
5061 next_connection_entry(c);
5062 do_init_crypto_static(c, 0);
5063
5064 frame_finalize_options(c, options);
5065
5066 test_crypto(&c->c2.crypto_options, &c->c2.frame);
5067
5068 key_schedule_free(&c->c1.ks, true);
5069 packet_id_free(&c->c2.crypto_options.packet_id);
5070
5071 context_gc_free(c);
5072 return NULL;
5073}
5074
5075bool
5076do_test_crypto(const struct options *o)
5077{
5078 if (o->test_crypto)
5079 {
5080 struct context c;
5081
5082 /* print version number */
5083 msg(M_INFO, "%s", title_string);
5084
5085 context_clear(&c);
5086 c.options = *o;
5087 options_detach(&c.options);
5088 c.first_time = true;
5089 test_crypto_thread((void *)&c);
5090 return true;
5091 }
5092 return false;
5093}
argv_msg
void argv_msg(const int msglev, const struct argv *a)
Write the arguments stored in a struct argv via the msg() command.
Definition argv.c:242
argv_parse_cmd
void argv_parse_cmd(struct argv *argres, const char *cmdstr)
Parses a command string, tokenizes it and puts each element into a separate struct argv argument slot...
Definition argv.c:481
argv_free
void argv_free(struct argv *a)
Frees all memory allocations allocated by the struct argv related functions.
Definition argv.c:101
argv_printf
bool argv_printf(struct argv *argres, const char *format,...)
printf() variant which populates a struct argv.
Definition argv.c:438
argv_printf_cat
bool argv_printf_cat(struct argv *argres, const char *format,...)
printf() inspired argv concatenation.
Definition argv.c:462
argv_new
struct argv argv_new(void)
Allocates a new struct argv and ensures it is initialised.
Definition argv.c:87
auth_token_write_server_key_file
void auth_token_write_server_key_file(const char *filename)
Generate a auth-token server secret key, and write to file.
Definition auth_token.c:118
auth_token_init_secret
void auth_token_init_secret(struct key_ctx *key_ctx, const char *key_file, bool key_inline)
Loads an HMAC secret from a file or if no file is present generates a epheremal secret for the run ti...
Definition auth_token.c:124
auth_token.h
free_buf
void free_buf(struct buffer *buf)
Definition buffer.c:184
buf_clear
void buf_clear(struct buffer *buf)
Definition buffer.c:163
buf_printf
bool buf_printf(struct buffer *buf, const char *format,...)
Definition buffer.c:241
string_clear
void string_clear(char *str)
Definition buffer.c:691
alloc_buf_gc
struct buffer alloc_buf_gc(size_t size, struct gc_arena *gc)
Definition buffer.c:89
alloc_buf
struct buffer alloc_buf(size_t size)
Definition buffer.c:63
string_alloc
char * string_alloc(const char *str, struct gc_arena *gc)
Definition buffer.c:649
gc_detach
static void gc_detach(struct gc_arena *a)
Definition buffer.h:1001
BSTR
#define BSTR(buf)
Definition buffer.h:128
ALLOC_ARRAY_GC
#define ALLOC_ARRAY_GC(dptr, type, n, gc)
Definition buffer.h:1053
ALLOC_ARRAY_CLEAR_GC
#define ALLOC_ARRAY_CLEAR_GC(dptr, type, n, gc)
Definition buffer.h:1064
gc_init
static void gc_init(struct gc_arena *a)
Definition buffer.h:994
buf_set_write
static void buf_set_write(struct buffer *buf, uint8_t *data, int size)
Definition buffer.h:331
buf_len
static int buf_len(const struct buffer *buf)
Definition buffer.h:253
ALLOC_OBJ_CLEAR_GC
#define ALLOC_OBJ_CLEAR_GC(dptr, type, gc)
Definition buffer.h:1079
ALLOC_OBJ_GC
#define ALLOC_OBJ_GC(dptr, type, gc)
Definition buffer.h:1074
strncpynt
static void strncpynt(char *dest, const char *src, size_t maxlen)
Definition buffer.h:361
check_malloc_return
static void check_malloc_return(void *p)
Definition buffer.h:1085
gc_free
static void gc_free(struct gc_arena *a)
Definition buffer.h:1015
ALLOC_OBJ_CLEAR
#define ALLOC_OBJ_CLEAR(dptr, type)
Definition buffer.h:1042
gc_new
static struct gc_arena gc_new(void)
Definition buffer.h:1007
PUSH_BUNDLE_SIZE
#define PUSH_BUNDLE_SIZE
Definition common.h:87
check_compression_settings_valid
bool check_compression_settings_valid(struct compress_options *info, int msglevel)
Checks if the compression settings are valid.
Definition comp.c:162
basename
char * basename(char *filename)
Definition compat-basename.c:36
daemon
int daemon(int nochdir, int noclose)
Definition compat-daemon.c:50
free_key_ctx_bi
void free_key_ctx_bi(struct key_ctx_bi *ctx)
Definition crypto.c:1094
get_random
long int get_random(void)
Definition crypto.c:1716
init_key_type
void init_key_type(struct key_type *kt, const char *ciphername, const char *authname, bool tls_mode, bool warn)
Initialize a key_type structure with.
Definition crypto.c:869
write_key_file
int write_key_file(const int nkeys, const char *filename)
Write nkeys 1024-bits keys to file.
Definition crypto.c:1536
crypto_max_overhead
unsigned int crypto_max_overhead(void)
Return the worst-case OpenVPN crypto overhead (in bytes)
Definition crypto.c:844
test_crypto
void test_crypto(struct crypto_options *co, struct frame *frame)
Definition crypto.c:1193
crypto_read_openvpn_key
void crypto_read_openvpn_key(const struct key_type *key_type, struct key_ctx_bi *ctx, const char *key_file, bool key_inline, const int key_direction, const char *key_name, const char *opt_name, struct key2 *keydata)
Definition crypto.c:1284
free_key_ctx
void free_key_ctx(struct key_ctx *ctx)
Definition crypto.c:1075
CO_PACKET_ID_LONG_FORM
#define CO_PACKET_ID_LONG_FORM
Bit-flag indicating whether to use OpenVPN's long packet ID format.
Definition crypto.h:345
CO_USE_TLS_KEY_MATERIAL_EXPORT
#define CO_USE_TLS_KEY_MATERIAL_EXPORT
Bit-flag indicating that data channel key derivation is done using TLS keying material export [RFC570...
Definition crypto.h:357
CO_USE_DYNAMIC_TLS_CRYPT
#define CO_USE_DYNAMIC_TLS_CRYPT
Bit-flag indicating that renegotiations are using tls-crypt with a TLS-EKM derived key.
Definition crypto.h:373
CO_EPOCH_DATA_KEY_FORMAT
#define CO_EPOCH_DATA_KEY_FORMAT
Bit-flag indicating the epoch the data format.
Definition crypto.h:377
CO_MUTE_REPLAY_WARNINGS
#define CO_MUTE_REPLAY_WARNINGS
Bit-flag indicating not to display replay warnings.
Definition crypto.h:354
CO_FORCE_TLSCRYPTV2_COOKIE
#define CO_FORCE_TLSCRYPTV2_COOKIE
Bit-flag indicating that we do not allow clients that do not support resending the wrapped client key...
Definition crypto.h:365
CO_USE_CC_EXIT_NOTIFY
#define CO_USE_CC_EXIT_NOTIFY
Bit-flag indicating that explicit exit notifies should be sent via the control channel instead of usi...
Definition crypto.h:369
key_ctx_bi_defined
static bool key_ctx_bi_defined(const struct key_ctx_bi *key)
Definition crypto.h:644
show_available_engines
void show_available_engines(void)
Definition crypto_openssl.c:473
cipher_kt_mode_aead
bool cipher_kt_mode_aead(const char *ciphername)
Check if the supplied cipher is a supported AEAD mode cipher.
Definition crypto_openssl.c:811
show_available_ciphers
void show_available_ciphers(void)
Definition crypto_openssl.c:364
md_valid
bool md_valid(const char *digest)
Return if a message digest parameters is valid given the name of the digest.
Definition crypto_openssl.c:1033
cipher_kt_mode_ofb_cfb
bool cipher_kt_mode_ofb_cfb(const char *ciphername)
Check if the supplied cipher is a supported OFB or CFB mode cipher.
Definition crypto_openssl.c:798
md_kt_name
const char * md_kt_name(const char *mdname)
Retrieve a string describing the digest digest (e.g.
Definition crypto_openssl.c:1065
cipher_kt_name
const char * cipher_kt_name(const char *ciphername)
Retrieve a normalised string describing the cipher (e.g.
Definition crypto_openssl.c:653
crypto_init_lib_engine
void crypto_init_lib_engine(const char *engine_name)
Definition crypto_openssl.c:139
md_ctx_cleanup
void md_ctx_cleanup(md_ctx_t *ctx)
show_available_digests
void show_available_digests(void)
Definition crypto_openssl.c:432
md_ctx_free
void md_ctx_free(md_ctx_t *ctx)
DCO_DEFAULT_METRIC
#define DCO_DEFAULT_METRIC
Definition dco.h:47
dco_supports_epoch_data
static bool dco_supports_epoch_data(struct context *c)
Definition dco.h:389
dco_remove_peer
static void dco_remove_peer(struct context *c)
Definition dco.h:350
ovpn_dco_init
static bool ovpn_dco_init(struct context *c)
Definition dco.h:294
dco_p2p_add_new_peer
static int dco_p2p_add_new_peer(struct context *c)
Definition dco.h:337
dco_check_pull_options
static bool dco_check_pull_options(int msglevel, const struct options *o)
Definition dco.h:288
run_dns_up_down
void run_dns_up_down(bool up, struct options *o, const struct tuntap *tt, struct dns_updown_runner_info *duri)
Invokes the action associated with bringing DNS up or down.
Definition dns.c:849
env_set_destroy
void env_set_destroy(struct env_set *es)
Definition env_set.c:166
setenv_int
void setenv_int(struct env_set *es, const char *name, int value)
Definition env_set.c:291
setenv_str
void setenv_str(struct env_set *es, const char *name, const char *value)
Definition env_set.c:307
env_set_inherit
void env_set_inherit(struct env_set *es, const struct env_set *src)
Definition env_set.c:262
env_set_create
struct env_set * env_set_create(struct gc_arena *gc)
Definition env_set.c:156
D_MTU_DEBUG
#define D_MTU_DEBUG
Definition errlevel.h:125
D_SHOW_OCC
#define D_SHOW_OCC
Definition errlevel.h:150
D_PUSH
#define D_PUSH
Definition errlevel.h:82
D_SHOW_NET
#define D_SHOW_NET
Definition errlevel.h:131
P2P_ERROR_DELAY_MS
#define P2P_ERROR_DELAY_MS
Definition errlevel.h:40
D_RESTART
#define D_RESTART
Definition errlevel.h:81
D_IMPORT_ERRORS
#define D_IMPORT_ERRORS
Definition errlevel.h:63
D_CLOSE
#define D_CLOSE
Definition errlevel.h:72
D_PUSH_DEBUG
#define D_PUSH_DEBUG
Definition errlevel.h:149
D_DCO
#define D_DCO
Definition errlevel.h:93
D_HANDSHAKE
#define D_HANDSHAKE
Definition errlevel.h:71
D_GENKEY
#define D_GENKEY
Definition errlevel.h:78
D_MTU_INFO
#define D_MTU_INFO
Definition errlevel.h:104
D_PUSH_ERRORS
#define D_PUSH_ERRORS
Definition errlevel.h:66
D_INIT_MEDIUM
#define D_INIT_MEDIUM
Definition errlevel.h:103
D_TLS_ERRORS
#define D_TLS_ERRORS
Definition errlevel.h:58
D_READ_WRITE
#define D_READ_WRITE
Definition errlevel.h:166
M_INFO
#define M_INFO
Definition errlevel.h:54
D_LOG_RW
#define D_LOG_RW
Definition errlevel.h:109
D_ROUTE
#define D_ROUTE
Definition errlevel.h:79
D_LINK_ERRORS
#define D_LINK_ERRORS
Definition errlevel.h:56
event_set_init
struct event_set * event_set_init(int *maxevents, unsigned int flags)
Definition event.c:1167
EVENT_METHOD_FAST
#define EVENT_METHOD_FAST
Definition event.h:82
EVENT_METHOD_US_TIMEOUT
#define EVENT_METHOD_US_TIMEOUT
Definition event.h:81
event_free
static void event_free(struct event_set *es)
Definition event.h:162
send_control_channel_string
bool send_control_channel_string(struct context *c, const char *str, int msglevel)
Definition forward.c:398
forward.h
Interface functions to the internal and external multiplexers.
get_link_socket_info
static struct link_socket_info * get_link_socket_info(struct context *c)
Definition forward.h:332
tls_auth_standalone_init
struct tls_auth_standalone * tls_auth_standalone_init(struct tls_options *tls_options, struct gc_arena *gc)
Definition ssl.c:1184
tls_init_control_channel_frame_parameters
void tls_init_control_channel_frame_parameters(struct frame *frame, int tls_mtu)
Definition ssl.c:142
tls_multi_free
void tls_multi_free(struct tls_multi *multi, bool clear)
Cleanup a tls_multi structure and free associated memory allocations.
Definition ssl.c:1236
tls_multi_init
struct tls_multi * tls_multi_init(struct tls_options *tls_options)
Allocate and initialize a tls_multi structure.
Definition ssl.c:1155
tls_multi_init_finalize
void tls_multi_init_finalize(struct tls_multi *multi, int tls_mtu)
Finalize initialization of a tls_multi structure.
Definition ssl.c:1170
tls_auth_standalone_free
void tls_auth_standalone_free(struct tls_auth_standalone *tas)
Frees a standalone tls-auth verification object.
Definition ssl.c:1209
TM_ACTIVE
#define TM_ACTIVE
Active tls_session.
Definition ssl_common.h:545
tls_multi_init_set_options
void tls_multi_init_set_options(struct tls_multi *multi, const char *local, const char *remote)
Definition ssl.c:1225
fragment_frame_init
void fragment_frame_init(struct fragment_master *f, const struct frame *frame)
Allocate internal packet buffers for a fragment_master structure.
Definition fragment.c:125
fragment_init
struct fragment_master * fragment_init(struct frame *frame)
Allocate and initialize a fragment_master structure.
Definition fragment.c:92
fragment_free
void fragment_free(struct fragment_master *f)
Free a fragment_master structure and its internal packet buffers.
Definition fragment.c:116
tls_crypt_init_key
void tls_crypt_init_key(struct key_ctx_bi *key, struct key2 *keydata, const char *key_file, bool key_inline, bool tls_server)
Initialize a key_ctx_bi structure for use with --tls-crypt.
Definition tls_crypt.c:60
tls_crypt_v2_init_server_key
void tls_crypt_v2_init_server_key(struct key_ctx *key_ctx, bool encrypt, const char *key_file, bool key_inline)
Initialize a tls-crypt-v2 server key (used to encrypt/decrypt client keys).
Definition tls_crypt.c:338
tls_crypt_v2_write_client_key_file
void tls_crypt_v2_write_client_key_file(const char *filename, const char *b64_metadata, const char *server_key_file, bool server_key_inline)
Generate a tls-crypt-v2 client key, and write to file.
Definition tls_crypt.c:661
tls_crypt_v2_write_server_key_file
void tls_crypt_v2_write_server_key_file(const char *filename)
Generate a tls-crypt-v2 server key, and write to file.
Definition tls_crypt.c:655
tls_crypt_buf_overhead
int tls_crypt_buf_overhead(void)
Returns the maximum overhead (in bytes) added to the destination buffer by tls_crypt_wrap().
Definition tls_crypt.c:54
tls_crypt_v2_init_client_key
void tls_crypt_v2_init_client_key(struct key_ctx_bi *key, struct key2 *original_key, struct buffer *wkc_buf, const char *key_file, bool key_inline)
Initialize a tls-crypt-v2 client key.
Definition tls_crypt.c:315
uninit_management_callback
void uninit_management_callback(void)
Definition init.c:4426
uninit_proxy
static void uninit_proxy(struct context *c)
Definition init.c:722
open_management
bool open_management(struct context *c)
Definition init.c:4373
do_init_first_time
static void do_init_first_time(struct context *c)
Definition init.c:3859
do_init_route_list
static void do_init_route_list(const struct options *options, struct route_list *route_list, const struct link_socket_info *link_socket_info, struct env_set *es, openvpn_net_ctx_t *ctx)
Definition init.c:1456
do_init_tls_wrap_key
static void do_init_tls_wrap_key(struct context *c)
Definition init.c:3067
management_callback_remote_cmd
static bool management_callback_remote_cmd(void *arg, const char **p)
Definition init.c:364
do_genkey
bool do_genkey(const struct options *options)
Definition init.c:1016
next_connection_entry
static void next_connection_entry(struct context *c)
Definition init.c:510
can_preserve_tun
static bool can_preserve_tun(struct tuntap *tt)
Definition init.c:1767
initialization_sequence_completed
void initialization_sequence_completed(struct context *c, const unsigned int flags)
Definition init.c:1547
open_plugins
void open_plugins(struct context *c, const bool import_options, int init_point)
Definition init.c:4210
do_setup_fast_io
static void do_setup_fast_io(struct context *c)
Definition init.c:4165
tls_print_deferred_options_results
static void tls_print_deferred_options_results(struct context *c)
Prints the results of options imported for the data channel.
Definition init.c:2200
saved_pid_file_name
static const char * saved_pid_file_name
Definition init.c:62
init_verb_mute
void init_verb_mute(struct context *c, unsigned int flags)
Definition init.c:944
do_uid_gid_chroot
static void do_uid_gid_chroot(struct context *c, bool no_delay)
Definition init.c:1198
format_common_name
const char * format_common_name(struct context *c, struct gc_arena *gc)
Definition init.c:1281
do_close_link_socket
static void do_close_link_socket(struct context *c)
Definition init.c:3956
management_callback_remote_entry_count
static unsigned int management_callback_remote_entry_count(void *arg)
Definition init.c:320
do_signal_on_tls_errors
static void do_signal_on_tls_errors(struct context *c)
Definition init.c:4185
do_init_crypto_static
static void do_init_crypto_static(struct context *c, const unsigned int flags)
Definition init.c:3023
key_schedule_free
static void key_schedule_free(struct key_schedule *ks, bool free_ssl_ctx)
Definition init.c:2983
do_init_tun
static void do_init_tun(struct context *c)
Definition init.c:1722
do_option_warnings
static void do_option_warnings(struct context *c)
Definition init.c:3575
init_instance
void init_instance(struct context *c, const struct env_set *env, const unsigned int flags)
Definition init.c:4474
do_link_socket_addr_new
static void do_link_socket_addr_new(struct context *c)
Definition init.c:728
close_instance
void close_instance(struct context *c)
Definition init.c:4766
do_init_route_ipv6_list
static void do_init_route_ipv6_list(const struct options *options, struct route_ipv6_list *route_ipv6_list, const struct link_socket_info *link_socket_info, struct env_set *es, openvpn_net_ctx_t *ctx)
Definition init.c:1495
do_init_frame
static void do_init_frame(struct context *c)
Definition init.c:3529
persist_client_stats
void persist_client_stats(struct context *c)
Definition init.c:4437
inherit_context_top
void inherit_context_top(struct context *dest, const struct context *src)
Definition init.c:4927
context_clear_1
void context_clear_1(struct context *c)
Definition init.c:82
ce_management_query_proxy
static bool ce_management_query_proxy(struct context *c)
Definition init.c:247
do_init_crypto
static void do_init_crypto(struct context *c, const unsigned int flags)
Definition init.c:3512
do_init_frame_tls
static void do_init_frame_tls(struct context *c)
Definition init.c:3471
do_init_traffic_shaper
static void do_init_traffic_shaper(struct context *c)
Definition init.c:1422
route_noexec_enabled
static bool route_noexec_enabled(const struct options *o, const struct tuntap *tt)
Determine if external route commands should be executed based on configured options and backend drive...
Definition init.c:1657
ifconfig_noexec_enabled
static bool ifconfig_noexec_enabled(const struct context *c)
Determines if ifconfig execution should be disabled because of a.
Definition init.c:1834
clear_remote_addrlist
static void clear_remote_addrlist(struct link_socket_addr *lsa, bool free)
Definition init.c:496
do_test_crypto
bool do_test_crypto(const struct options *o)
Definition init.c:5076
do_print_data_channel_mtu_parms
static void do_print_data_channel_mtu_parms(struct context *c)
Definition init.c:3815
init_plugins
void init_plugins(struct context *c)
Definition init.c:4200
free_context_buffers
void free_context_buffers(struct context_buffers *b)
Definition init.c:3696
init_crypto_pre
static void init_crypto_pre(struct context *c, const unsigned int flags)
Definition init.c:2995
do_init_timers
static void do_init_timers(struct context *c, bool deferred)
Definition init.c:1339
CF_LOAD_PERSISTED_PACKET_ID
#define CF_LOAD_PERSISTED_PACKET_ID
Definition init.c:67
do_alloc_route_list
static void do_alloc_route_list(struct context *c)
Definition init.c:1438
do_close_status_output
static void do_close_status_output(struct context *c)
Definition init.c:4091
do_event_set_init
static void do_event_set_init(struct context *c, bool need_us_timeout)
Definition init.c:4046
static_context
static struct context * static_context
Definition init.c:61
do_init_fragment
static void do_init_fragment(struct context *c)
Definition init.c:3733
CF_INIT_TLS_MULTI
#define CF_INIT_TLS_MULTI
Definition init.c:68
context_init_1
void context_init_1(struct context *c)
Definition init.c:735
test_crypto_thread
static void * test_crypto_thread(void *arg)
Definition init.c:5053
pre_setup
void pre_setup(const struct options *options)
Definition init.c:1292
do_link_socket_new
static void do_link_socket_new(struct context *c)
Definition init.c:3754
do_close_free_key_schedule
static void do_close_free_key_schedule(struct context *c, bool free_ssl_ctx)
Definition init.c:3934
management_callback_proxy_cmd
static bool management_callback_proxy_cmd(void *arg, const char **p)
Definition init.c:201
del_wfp_block
static void del_wfp_block(struct context *c, unsigned long adapter_index)
Remove any WFP block filters previously added.
Definition init.c:1815
reset_coarse_timers
void reset_coarse_timers(struct context *c)
Definition init.c:1315
do_open_ifconfig_pool_persist
static void do_open_ifconfig_pool_persist(struct context *c)
Definition init.c:4108
do_close_ifconfig_pool_persist
static void do_close_ifconfig_pool_persist(struct context *c)
Definition init.c:4120
do_close_tun
static void do_close_tun(struct context *c, bool force)
Definition init.c:2050
init_management
void init_management(void)
Definition init.c:4364
uninit_static
void uninit_static(void)
Definition init.c:926
init_instance_handle_signals
void init_instance_handle_signals(struct context *c, const struct env_set *env, const unsigned int flags)
Definition init.c:4452
do_update
bool do_update(struct context *c, unsigned int option_types_found)
A simplified version of the do_up() function.
Definition init.c:2486
do_init_crypto_tls
static void do_init_crypto_tls(struct context *c, const unsigned int flags)
Definition init.c:3234
write_pid_file
void write_pid_file(const char *filename, const char *chroot_dir)
Definition init.c:5005
context_gc_free
void context_gc_free(struct context *c)
Definition init.c:786
socket_restart_pause
static void socket_restart_pause(struct context *c)
Definition init.c:2782
do_open_status_output
static void do_open_status_output(struct context *c)
Definition init.c:4079
init_options_dev
void init_options_dev(struct options *options)
Definition init.c:967
do_close_free_buf
static void do_close_free_buf(struct context *c)
Definition init.c:3893
init_query_passwords
void init_query_passwords(const struct context *c)
Query for private key and auth-user-pass username/passwords.
Definition init.c:640
do_deferred_options
bool do_deferred_options(struct context *c, const unsigned int found, const bool is_update)
Definition init.c:2600
inherit_context_child
void inherit_context_child(struct context *dest, const struct context *src, struct link_socket *sock)
Definition init.c:4839
do_compute_occ_strings
static void do_compute_occ_strings(struct context *c)
Definition init.c:3830
context_clear_2
void context_clear_2(struct context *c)
Definition init.c:88
do_close_fragment
static void do_close_fragment(struct context *c)
Definition init.c:4031
context_clear
void context_clear(struct context *c)
Definition init.c:76
update_options_ce_post
static void update_options_ce_post(struct options *options)
Definition init.c:183
do_init_crypto_none
static void do_init_crypto_none(struct context *c)
Definition init.c:3497
management_callback_status_p2p
static void management_callback_status_p2p(void *arg, const int version, struct status_output *so)
Definition init.c:4269
remove_pid_file
void remove_pid_file(void)
Definition init.c:5039
add_delim_if_non_empty
static void add_delim_if_non_empty(struct buffer *buf, const char *header)
Helper function for tls_print_deferred_options_results Adds the ", " delimitor if there already some ...
Definition init.c:2186
print_openssl_info
bool print_openssl_info(const struct options *options)
Definition init.c:978
close_context
void close_context(struct context *c, int sig, unsigned int flags)
Definition init.c:4973
ce_management_query_remote
static bool ce_management_query_remote(struct context *c)
Definition init.c:414
open_tun_backend
static void open_tun_backend(struct context *c)
Definition init.c:1842
do_close_event_set
static void do_close_event_set(struct context *c)
Definition init.c:4064
do_persist_tuntap
bool do_persist_tuntap(struct options *options, openvpn_net_ctx_t *ctx)
Definition init.c:1097
do_hold
static bool do_hold(int holdtime)
Definition init.c:2763
do_up
bool do_up(struct context *c, bool pulled_options, unsigned int option_types_found)
Definition init.c:2351
tun_abort
void tun_abort(void)
Definition init.c:2154
do_init_server_poll_timeout
static void do_init_server_poll_timeout(struct context *c)
Definition init.c:1326
do_close_plugins
static void do_close_plugins(struct context *c)
Definition init.c:4244
do_init_socket_phase1
static void do_init_socket_phase1(struct context *c)
Definition init.c:3771
init_static
bool init_static(void)
Definition init.c:824
do_init_crypto_tls_c1
static void do_init_crypto_tls_c1(struct context *c)
Definition init.c:3139
frame_finalize_options
static void frame_finalize_options(struct context *c, const struct options *o)
Definition init.c:2902
uninit_proxy_dowork
static void uninit_proxy_dowork(struct context *c)
Definition init.c:667
options_hash_changed_or_zero
static bool options_hash_changed_or_zero(const struct sha256_digest *a, const struct sha256_digest *b)
Helper for do_up().
Definition init.c:2173
add_wfp_block
static void add_wfp_block(struct context *c)
Add WFP filters to block traffic to local networks.
Definition init.c:1789
do_close_tun_simple
static void do_close_tun_simple(struct context *c)
Definition init.c:2020
do_inherit_plugins
static void do_inherit_plugins(struct context *c, const struct context *src)
Definition init.c:4255
run_up_down
static void run_up_down(const char *command, const struct plugin_list *plugins, int plugin_type, const char *arg, DWORD adapter_index, const char *dev_type, int tun_mtu, const char *ifconfig_local, const char *ifconfig_remote, const char *context, const char *signal_text, const char *script_type, struct env_set *es)
Definition init.c:108
do_init_socket_phase2
static void do_init_socket_phase2(struct context *c)
Definition init.c:3803
possibly_become_daemon
bool possibly_become_daemon(const struct options *options)
Definition init.c:1156
management_callback_remote_entry_get
static bool management_callback_remote_entry_get(void *arg, unsigned int index, char **remote)
Definition init.c:330
init_connection_list
static void init_connection_list(struct context *c)
Definition init.c:470
init_proxy_dowork
static void init_proxy_dowork(struct context *c)
Definition init.c:684
do_close_packet_id
static void do_close_packet_id(struct context *c)
Definition init.c:4016
do_startup_pause
static void do_startup_pause(struct context *c)
Definition init.c:2859
get_frame_mtu
static size_t get_frame_mtu(struct context *c, const struct options *o)
Definition init.c:2872
do_deferred_p2p_ncp
static bool do_deferred_p2p_ncp(struct context *c)
Definition init.c:2555
CF_INIT_TLS_AUTH_STANDALONE
#define CF_INIT_TLS_AUTH_STANDALONE
Definition init.c:69
pull_permission_mask
unsigned int pull_permission_mask(const struct context *c)
Definition init.c:2539
do_deferred_options_part2
static bool do_deferred_options_part2(struct context *c)
This function is expected to be invoked after open_tun() was performed.
Definition init.c:2328
do_env_set_destroy
static void do_env_set_destroy(struct context *c)
Definition init.c:4146
do_init_buffers
static void do_init_buffers(struct context *c)
Definition init.c:3721
init_proxy
static void init_proxy(struct context *c)
Definition init.c:716
init_management_callback_p2p
void init_management_callback_p2p(struct context *c)
Definition init.c:4338
management_show_net_callback
void management_show_net_callback(void *arg, const int msglevel)
Definition init.c:4276
management_callback_send_cc_message
static bool management_callback_send_cc_message(void *arg, const char *command, const char *parameters)
This method sends a custom control channel message.
Definition init.c:297
do_route
bool do_route(const struct options *options, struct route_list *route_list, struct route_ipv6_list *route_ipv6_list, const struct tuntap *tt, const struct plugin_list *plugins, struct env_set *es, openvpn_net_ctx_t *ctx)
Definition init.c:1668
do_inherit_env
static void do_inherit_env(struct context *c, const struct env_set *src)
Definition init.c:4138
context_clear_all_except_first_time
void context_clear_all_except_first_time(struct context *c)
Definition init.c:94
init_context_buffers
struct context_buffers * init_context_buffers(const struct frame *frame)
Definition init.c:3671
do_open_tun
static bool do_open_tun(struct context *c, int *error_flags)
Definition init.c:1864
do_close_tls
static void do_close_tls(struct context *c)
Definition init.c:3907
close_management
void close_management(void)
Definition init.c:4413
ISC_ERRORS
#define ISC_ERRORS
Definition init.h:126
CC_GC_FREE
#define CC_GC_FREE
Definition init.h:115
IVM_LEVEL_2
#define IVM_LEVEL_2
Definition init.h:49
ISC_ROUTE_ERRORS
#define ISC_ROUTE_ERRORS
Definition init.h:128
IVM_LEVEL_1
#define IVM_LEVEL_1
Definition init.h:48
CC_USR1_TO_HUP
#define CC_USR1_TO_HUP
Definition init.h:116
BASE_N_EVENTS
#define BASE_N_EVENTS
Definition init.h:32
CC_HARD_USR1_TO_HUP
#define CC_HARD_USR1_TO_HUP
Definition init.h:117
ISC_SERVER
#define ISC_SERVER
Definition init.h:127
CC_NO_CLOSE
#define CC_NO_CLOSE
Definition init.h:118
min_int
static int min_int(int x, int y)
Definition integer.h:105
max_int
static int max_int(int x, int y)
Definition integer.h:92
status
static SERVICE_STATUS status
Definition interactive.c:51
interval_init
void interval_init(struct interval *top, int horizon, int refresh)
Definition interval.c:34
event_timeout_init
static void event_timeout_init(struct event_timeout *et, interval_t n, const time_t last)
Initialises a timer struct.
Definition interval.h:172
event_timeout_clear
static void event_timeout_clear(struct event_timeout *et)
Clears the timeout and reset all values to 0.
Definition interval.h:153
set_lladdr
int set_lladdr(openvpn_net_ctx_t *ctx, const char *ifname, const char *lladdr, const struct env_set *es)
Definition lladdr.c:17
management_pre_tunnel_close
void management_pre_tunnel_close(struct management *man)
Definition manage.c:3097
management_notify_client_close
void management_notify_client_close(struct management *management, struct man_def_auth_context *mdac, const struct env_set *es)
Definition manage.c:3015
management_clear_callback
void management_clear_callback(struct management *man)
Definition manage.c:2769
management_hold
bool management_hold(struct management *man, int holdtime)
Definition manage.c:3823
management_init
struct management * management_init(void)
Definition manage.c:2699
management_event_loop_n_seconds
void management_event_loop_n_seconds(struct management *man, int sec)
Definition manage.c:3452
management_close
void management_close(struct management *man)
Definition manage.c:2752
management_set_state
void management_set_state(struct management *man, const int state, const char *detail, const in_addr_t *tun_local_ip, const struct in6_addr *tun_local_ip6, const struct openvpn_sockaddr *local, const struct openvpn_sockaddr *remote)
Definition manage.c:2778
management_open
bool management_open(struct management *man, const char *addr, const char *port, const char *pass_file, const char *client_user, const char *client_group, const int log_history_cache, const int echo_buffer_size, const int state_buffer_size, const int remap_sigusr1, const unsigned int flags)
Definition manage.c:2713
management_notify_generic
void management_notify_generic(struct management *man, const char *str)
Definition manage.c:2929
man_persist_client_stats
void man_persist_client_stats(struct management *man, struct context *c)
Definition manage.c:4219
management_set_callback
void management_set_callback(struct management *man, const struct management_callback *cb)
Definition manage.c:2762
management_up_down
void management_up_down(struct management *man, const char *updown, const struct env_set *es)
Definition manage.c:2913
management_sleep
void management_sleep(const int n)
A sleep function that services the management layer for n seconds rather than doing nothing.
Definition manage.c:4129
management_post_tunnel_open
void management_post_tunnel_open(struct management *man, const in_addr_t tun_local_ip)
Definition manage.c:3074
management_query_remote_enabled
static bool management_query_remote_enabled(const struct management *man)
Definition manage.h:425
OPENVPN_STATE_CONNECTING
#define OPENVPN_STATE_CONNECTING
Definition manage.h:449
management_query_proxy_enabled
static bool management_query_proxy_enabled(const struct management *man)
Definition manage.h:431
OPENVPN_STATE_CONNECTED
#define OPENVPN_STATE_CONNECTED
Definition manage.h:452
MF_SERVER
#define MF_SERVER
Definition manage.h:27
set_std_files_to_null
void set_std_files_to_null(bool stdin_only)
Definition misc.c:55
GET_USER_PASS_MANAGEMENT
#define GET_USER_PASS_MANAGEMENT
Definition misc.h:110
GET_USER_PASS_NEED_OK
#define GET_USER_PASS_NEED_OK
Definition misc.h:113
get_user_pass
static bool get_user_pass(struct user_pass *up, const char *auth_file, const char *prefix, const unsigned int flags)
Retrieves the user credentials from various sources depending on the flags.
Definition misc.h:150
frame_calculate_dynamic
void frame_calculate_dynamic(struct frame *frame, struct key_type *kt, const struct options *options, struct link_socket_info *lsi)
Set the –mssfix option.
Definition mss.c:322
frame_print
void frame_print(const struct frame *frame, int level, const char *prefix)
Definition mtu.c:190
frame_calculate_protocol_header_size
size_t frame_calculate_protocol_header_size(const struct key_type *kt, const struct options *options, bool occ)
Calculates the size of the OpenVPN protocol header.
Definition mtu.c:61
TUN_MTU_MAX_MIN
#define TUN_MTU_MAX_MIN
Definition mtu.h:74
BUF_SIZE
#define BUF_SIZE(f)
Definition mtu.h:178
TUN_MTU_MIN
#define TUN_MTU_MIN
Definition mtu.h:59
np
static const char * np(const char *str)
Definition multi-auth.c:146
openvpn_net_ctx_t
void * openvpn_net_ctx_t
Definition networking.h:38
OCC_MTU_LOAD_INTERVAL_SECONDS
#define OCC_MTU_LOAD_INTERVAL_SECONDS
Definition occ.h:61
occ_reset_op
static int occ_reset_op(void)
Definition occ.h:101
OCC_INTERVAL_SECONDS
#define OCC_INTERVAL_SECONDS
Definition occ.h:45
CLEAR
#define CLEAR(x)
Definition basic.h:32
error_reset
void error_reset(void)
Definition error.c:160
set_mute_cutoff
bool set_mute_cutoff(const int cutoff)
Definition error.c:122
set_check_status
void set_check_status(unsigned int info_level, unsigned int verbose_level)
Definition error.c:614
reset_check_status
void reset_check_status(void)
Definition error.c:607
set_debug_level
bool set_debug_level(const int level, const unsigned int flags)
Definition error.c:104
M_OPTERR
#define M_OPTERR
Definition error.h:99
SDL_CONSTRAIN
#define SDL_CONSTRAIN
Definition error.h:199
M_NOPREFIX
#define M_NOPREFIX
Definition error.h:96
M_USAGE
#define M_USAGE
Definition error.h:105
M_FATAL
#define M_FATAL
Definition error.h:88
check_debug_level
static bool check_debug_level(unsigned int level)
Definition error.h:257
set_check_status_error_delay
static void set_check_status_error_delay(unsigned int milliseconds)
Definition error.h:321
M_NONFATAL
#define M_NONFATAL
Definition error.h:89
M_ERR
#define M_ERR
Definition error.h:104
msg
#define msg(flags,...)
Definition error.h:150
ASSERT
#define ASSERT(x)
Definition error.h:217
M_WARN
#define M_WARN
Definition error.h:90
TLS_MODE
#define TLS_MODE(c)
Definition openvpn.h:543
packet_id_persist_init
static void packet_id_persist_init(struct packet_id_persist *p)
Definition openvpn.h:86
CM_P2P
#define CM_P2P
Definition openvpn.h:482
CM_TOP_CLONE
#define CM_TOP_CLONE
Definition openvpn.h:484
CM_CHILD_TCP
#define CM_CHILD_TCP
Definition openvpn.h:486
CM_CHILD_UDP
#define CM_CHILD_UDP
Definition openvpn.h:485
MAX_PEER_ID
#define MAX_PEER_ID
Definition openvpn.h:554
CM_TOP
#define CM_TOP
Definition openvpn.h:483
options_detach
void options_detach(struct options *o)
Definition options.c:1557
pre_connect_restore
void pre_connect_restore(struct options *o, struct gc_arena *gc)
Definition options.c:3157
options_string_import
void options_string_import(struct options *options, const char *config, const int msglevel, const unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es)
Definition options.c:5527
options_string_version
const char * options_string_version(const char *s, struct gc_arena *gc)
Definition options.c:4691
title_string
const char title_string[]
Definition options.c:70
auth_retry_get
int auth_retry_get(void)
Definition options.c:4782
notnull
void notnull(const char *arg, const char *description)
Definition options.c:4922
options_string
char * options_string(const struct options *o, const struct frame *frame, struct tuntap *tt, openvpn_net_ctx_t *ctx, bool remote, struct gc_arena *gc)
Definition options.c:4342
MODE_POINT_TO_POINT
#define MODE_POINT_TO_POINT
Definition options.h:260
OPT_P_UP
#define OPT_P_UP
Definition options.h:733
CE_MAN_QUERY_REMOTE_QUERY
#define CE_MAN_QUERY_REMOTE_QUERY
Definition options.h:153
OPT_P_NCP
#define OPT_P_NCP
Negotiable crypto parameters.
Definition options.h:744
OPT_P_ECHO
#define OPT_P_ECHO
Definition options.h:752
MODE_SERVER
#define MODE_SERVER
Definition options.h:261
streq
#define streq(x, y)
Definition options.h:727
OPT_P_EXPLICIT_NOTIFY
#define OPT_P_EXPLICIT_NOTIFY
Definition options.h:751
CE_MAN_QUERY_REMOTE_SKIP
#define CE_MAN_QUERY_REMOTE_SKIP
Definition options.h:156
AR_INTERACT
#define AR_INTERACT
Definition options.h:915
OPT_P_SHAPER
#define OPT_P_SHAPER
Definition options.h:738
dco_enabled
static bool dco_enabled(const struct options *o)
Returns whether the current configuration has dco enabled.
Definition options.h:936
OPT_P_SOCKFLAGS
#define OPT_P_SOCKFLAGS
Definition options.h:758
SHAPER_DEFINED
#define SHAPER_DEFINED(opt)
Definition options.h:784
CE_MAN_QUERY_REMOTE_MOD
#define CE_MAN_QUERY_REMOTE_MOD
Definition options.h:155
CE_MAN_QUERY_PROXY
#define CE_MAN_QUERY_PROXY
Definition options.h:151
OPT_P_MESSAGES
#define OPT_P_MESSAGES
Definition options.h:743
OPT_P_SETENV
#define OPT_P_SETENV
Definition options.h:737
OPT_P_SOCKBUF
#define OPT_P_SOCKBUF
Definition options.h:757
CE_MAN_QUERY_REMOTE_MASK
#define CE_MAN_QUERY_REMOTE_MASK
Definition options.h:157
OPT_P_PLUGIN
#define OPT_P_PLUGIN
Definition options.h:756
OPT_P_TIMER
#define OPT_P_TIMER
Definition options.h:739
PING_RESTART
#define PING_RESTART
Definition options.h:356
RH_PORT_LEN
#define RH_PORT_LEN
Definition options.h:230
OPT_P_DEFAULT
#define OPT_P_DEFAULT
Definition options.h:765
CE_MAN_QUERY_REMOTE_SHIFT
#define CE_MAN_QUERY_REMOTE_SHIFT
Definition options.h:158
OPT_P_DHCPDNS
#define OPT_P_DHCPDNS
Definition options.h:735
OPT_P_PULL_MODE
#define OPT_P_PULL_MODE
Definition options.h:755
GENKEY_AUTH_TOKEN
@ GENKEY_AUTH_TOKEN
Definition options.h:239
GENKEY_SECRET
@ GENKEY_SECRET
Definition options.h:236
GENKEY_TLS_CRYPTV2_SERVER
@ GENKEY_TLS_CRYPTV2_SERVER
Definition options.h:238
GENKEY_TLS_CRYPTV2_CLIENT
@ GENKEY_TLS_CRYPTV2_CLIENT
Definition options.h:237
OPT_P_PUSH_MTU
#define OPT_P_PUSH_MTU
Definition options.h:762
AR_NONE
#define AR_NONE
Definition options.h:914
AR_NOINTERACT
#define AR_NOINTERACT
Definition options.h:916
RH_HOST_LEN
#define RH_HOST_LEN
Definition options.h:228
OPT_P_PERSIST
#define OPT_P_PERSIST
Definition options.h:740
MAX_PARMS
#define MAX_PARMS
Definition options.h:51
PING_UNDEF
#define PING_UNDEF
Definition options.h:354
CE_MAN_QUERY_REMOTE_ACCEPT
#define CE_MAN_QUERY_REMOTE_ACCEPT
Definition options.h:154
PULL_DEFINED
#define PULL_DEFINED(opt)
Definition options.h:767
ROUTE_OPTION_FLAGS
#define ROUTE_OPTION_FLAGS(o)
Definition options.h:779
PING_EXIT
#define PING_EXIT
Definition options.h:355
OPT_P_COMP
#define OPT_P_COMP
Definition options.h:742
OPT_P_ROUTE_EXTRAS
#define OPT_P_ROUTE_EXTRAS
Definition options.h:754
OPT_P_PEER_ID
#define OPT_P_PEER_ID
Definition options.h:760
OPT_P_ROUTE
#define OPT_P_ROUTE
Definition options.h:734
CE_DISABLED
#define CE_DISABLED
Definition options.h:150
now
time_t now
Definition otime.c:33
update_time
static void update_time(void)
Definition otime.h:76
time_test
void time_test(void)
packet_id_persist_save
void packet_id_persist_save(struct packet_id_persist *p)
Definition packet_id.c:503
packet_id_persist_load_obj
void packet_id_persist_load_obj(const struct packet_id_persist *p, struct packet_id *pid)
Definition packet_id.c:543
packet_id_init
void packet_id_init(struct packet_id *p, int seq_backtrack, int time_backtrack, const char *name, int unit)
Definition packet_id.c:91
packet_id_persist_close
void packet_id_persist_close(struct packet_id_persist *p)
Definition packet_id.c:445
packet_id_free
void packet_id_free(struct packet_id *p)
Definition packet_id.c:121
packet_id_persist_load
void packet_id_persist_load(struct packet_id_persist *p, const char *filename)
Definition packet_id.c:459
PRE_PULL_INITIAL_PING_RESTART
#define PRE_PULL_INITIAL_PING_RESTART
Definition ping.h:32
platform_getpid
unsigned int platform_getpid(void)
Definition platform.c:337
platform_create_temp_file
const char * platform_create_temp_file(const char *directory, const char *prefix, struct gc_arena *gc)
Create a temporary file in directory, returns the filename of the created file.
Definition platform.c:544
platform_user_group_set
void platform_user_group_set(const struct platform_state_user *user_state, const struct platform_state_group *group_state, struct context *c)
Definition platform.c:222
platform_nice
void platform_nice(int niceval)
Definition platform.c:315
platform_user_get
bool platform_user_get(const char *username, struct platform_state_user *state)
Definition platform.c:80
platform_unlink
bool platform_unlink(const char *filename)
Definition platform.c:491
platform_fopen
FILE * platform_fopen(const char *path, const char *mode)
Definition platform.c:504
platform_chdir
int platform_chdir(const char *dir)
Definition platform.c:396
platform_mlockall
void platform_mlockall(bool print_msg)
Definition platform.c:348
platform_chroot
void platform_chroot(const char *path)
Definition platform.c:54
platform_group_get
bool platform_group_get(const char *groupname, struct platform_state_group *state)
Definition platform.c:126
plugin_list_close
void plugin_list_close(struct plugin_list *pl)
Definition plugin.c:869
plugin_return_free
void plugin_return_free(struct plugin_return *pr)
Definition plugin.c:986
plugin_list_inherit
struct plugin_list * plugin_list_inherit(const struct plugin_list *src)
Definition plugin.c:690
plugin_list_init
struct plugin_list * plugin_list_init(const struct plugin_option_list *list)
Definition plugin.c:764
plugin_return_get_column
void plugin_return_get_column(const struct plugin_return *src, struct plugin_return *dest, const char *colname)
Definition plugin.c:972
plugin_defined
bool plugin_defined(const struct plugin_list *pl, const int type)
Definition plugin.c:904
plugin_list_open
void plugin_list_open(struct plugin_list *pl, const struct plugin_option_list *list, struct plugin_return *pr, const struct env_set *es, const int init_point)
Definition plugin.c:774
plugin_return_init
static void plugin_return_init(struct plugin_return *pr)
Definition plugin.h:163
plugin_call
static int plugin_call(const struct plugin_list *pl, const int type, const struct argv *av, struct plugin_return *pr, struct env_set *es)
Definition plugin.h:195
plugin_return_defined
static bool plugin_return_defined(const struct plugin_return *pr)
Definition plugin.h:157
ifconfig_pool_persist_init
struct ifconfig_pool_persist * ifconfig_pool_persist_init(const char *filename, int refresh_freq)
Definition pool.c:538
ifconfig_pool_persist_close
void ifconfig_pool_persist_close(struct ifconfig_pool_persist *persist)
Definition pool.c:560
TOP_NET30
#define TOP_NET30
Definition proto.h:41
DEV_TYPE_TUN
#define DEV_TYPE_TUN
Definition proto.h:35
TOP_P2P
#define TOP_P2P
Definition proto.h:42
http_proxy_close
void http_proxy_close(struct http_proxy_info *hp)
Definition proxy.c:553
http_proxy_new
struct http_proxy_info * http_proxy_new(const struct http_proxy_options *o)
Definition proxy.c:488
init_http_proxy_options_once
struct http_proxy_options * init_http_proxy_options_once(struct http_proxy_options **hpo, struct gc_arena *gc)
Definition proxy.c:45
PAR_NCT
#define PAR_NCT
Definition proxy.h:51
PAR_ALL
#define PAR_ALL
Definition proxy.h:50
add_routes
bool add_routes(struct route_list *rl, struct route_ipv6_list *rl6, const struct tuntap *tt, unsigned int flags, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition route.c:1101
setenv_routes_ipv6
void setenv_routes_ipv6(struct env_set *es, const struct route_ipv6_list *rl6)
Definition route.c:1404
block_local_needed
bool block_local_needed(const struct route_list *rl)
Get the decision whether to block traffic to local networks while the VPN is connected.
Definition route.c:596
show_routes
void show_routes(int msglev)
Definition route.c:3062
init_route_ipv6_list
bool init_route_ipv6_list(struct route_ipv6_list *rl6, const struct route_ipv6_option_list *opt6, const char *remote_endpoint, int default_metric, const struct in6_addr *remote_host_ipv6, struct env_set *es, openvpn_net_ctx_t *ctx)
Definition route.c:753
add_route_ipv6_to_option_list
void add_route_ipv6_to_option_list(struct route_ipv6_option_list *l, const char *prefix, const char *gateway, const char *metric, int table_id)
Definition route.c:507
init_route_list
bool init_route_list(struct route_list *rl, const struct route_option_list *opt, const char *remote_endpoint, int default_metric, in_addr_t remote_host, struct env_set *es, openvpn_net_ctx_t *ctx)
Definition route.c:604
delete_routes
void delete_routes(struct route_list *rl, struct route_ipv6_list *rl6, const struct tuntap *tt, unsigned int flags, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition route.c:1166
setenv_routes
void setenv_routes(struct env_set *es, const struct route_list *rl)
Definition route.c:1367
route_did_redirect_default_gateway
static int route_did_redirect_default_gateway(const struct route_list *rl)
Definition route.h:424
RG_REROUTE_GW
#define RG_REROUTE_GW
Definition route.h:91
script_security
int script_security(void)
Definition run_command.c:42
run_command.h
S_FATAL
#define S_FATAL
Definition run_command.h:50
SSEC_SCRIPTS
#define SSEC_SCRIPTS
allow calling of built-in programs and user-defined scripts
Definition run_command.h:35
openvpn_run_script
static int openvpn_run_script(const struct argv *a, const struct env_set *es, const unsigned int flags, const char *hook)
Will run a script and return the exit code of the script if between 0 and 255, -1 otherwise.
Definition run_command.h:89
SSEC_PW_ENV
#define SSEC_PW_ENV
allow calling of built-in programs and user-defined scripts that may receive a password as an environ...
Definition run_command.h:38
shaper_msg
void shaper_msg(struct shaper *s)
Definition shaper.c:87
shaper_init
static void shaper_init(struct shaper *s, int bytes_per_second)
Definition shaper.h:85
post_init_signal_catch
void post_init_signal_catch(void)
Definition sig.c:421
print_status
void print_status(struct context *c, struct status_output *so)
Definition sig.c:478
pre_init_signal_catch
void pre_init_signal_catch(void)
Definition sig.c:392
remap_signal
void remap_signal(struct context *c)
Definition sig.c:588
signal_description
const char * signal_description(const int signum, const char *sigtext)
Definition sig.c:105
restore_signal_state
void restore_signal_state(void)
Definition sig.c:460
register_signal
void register_signal(struct signal_info *si, int signum, const char *signal_text)
Register a soft signal in the signal_info struct si respecting priority.
Definition sig.c:228
IS_SIG
#define IS_SIG(c)
Definition sig.h:47
SIG_SOURCE_HARD
#define SIG_SOURCE_HARD
Definition sig.h:30
link_socket_init_phase1
void link_socket_init_phase1(struct context *c, int sock_index, int mode)
Definition socket.c:1361
link_socket_init_phase2
void link_socket_init_phase2(struct context *c, struct link_socket *sock)
Definition socket.c:1704
link_socket_update_buffer_sizes
void link_socket_update_buffer_sizes(struct link_socket *sock, int rcvbuf, int sndbuf)
Definition socket.c:551
link_socket_current_remote_ipv6
const struct in6_addr * link_socket_current_remote_ipv6(const struct link_socket_info *info)
Definition socket.c:2018
link_socket_close
void link_socket_close(struct link_socket *sock)
Definition socket.c:1825
link_socket_current_remote
in_addr_t link_socket_current_remote(const struct link_socket_info *info)
Definition socket.c:1984
do_preresolve
void do_preresolve(struct context *c)
Definition socket.c:314
link_socket_new
struct link_socket * link_socket_new(void)
Definition socket.c:1347
link_socket_update_flags
bool link_socket_update_flags(struct link_socket *sock, unsigned int sockflags)
Definition socket.c:537
LS_MODE_TCP_ACCEPT_FROM
#define LS_MODE_TCP_ACCEPT_FROM
Definition socket.h:181
LS_MODE_DEFAULT
#define LS_MODE_DEFAULT
Definition socket.h:179
LS_MODE_TCP_LISTEN
#define LS_MODE_TCP_LISTEN
Definition socket.h:180
proto2ascii
const char * proto2ascii(int proto, sa_family_t af, bool display_form)
Definition socket_util.c:409
print_in_addr_t
const char * print_in_addr_t(in_addr_t addr, unsigned int flags, struct gc_arena *gc)
Definition socket_util.c:196
IA_EMPTY_IF_UNDEF
#define IA_EMPTY_IF_UNDEF
Definition socket_util.h:89
proto_is_udp
static bool proto_is_udp(int proto)
Returns if the protocol being used is UDP.
Definition socket_util.h:195
PROTO_UDP
@ PROTO_UDP
Definition socket_util.h:177
PROTO_TCP
@ PROTO_TCP
Definition socket_util.h:178
PROTO_TCP_CLIENT
@ PROTO_TCP_CLIENT
Definition socket_util.h:180
proto_is_tcp
static bool proto_is_tcp(int proto)
returns if the proto is a TCP variant (tcp-server, tcp-client or tcp)
Definition socket_util.h:215
proto_is_dgram
static bool proto_is_dgram(int proto)
Return if the protocol is datagram (UDP)
Definition socket_util.h:206
addr_defined
static bool addr_defined(const struct openvpn_sockaddr *addr)
Definition socket_util.h:234
socks_proxy_new
struct socks_proxy_info * socks_proxy_new(const char *server, const char *port, const char *authfile)
Definition socks.c:51
socks_proxy_close
void socks_proxy_close(struct socks_proxy_info *sp)
Definition socks.c:78
ssl_purge_auth
void ssl_purge_auth(const bool auth_user_pass_only)
Definition ssl.c:382
init_ssl
void init_ssl(const struct options *options, struct tls_root_ctx *new_ctx, bool in_chroot)
Build master SSL context object that serves for the whole of OpenVPN instantiation.
Definition ssl.c:512
pem_password_setup
void pem_password_setup(const char *auth_file)
Definition ssl.c:249
init_ssl_lib
void init_ssl_lib(void)
Definition ssl.c:226
tls_session_update_crypto_params
bool tls_session_update_crypto_params(struct tls_multi *multi, struct tls_session *session, struct options *options, struct frame *frame, struct frame *frame_fragment, struct link_socket_info *lsi, dco_context_t *dco)
Update TLS session crypto parameters (cipher and auth) and derive data channel keys based on the supp...
Definition ssl.c:1637
free_ssl_lib
void free_ssl_lib(void)
Definition ssl.c:234
auth_user_pass_setup
void auth_user_pass_setup(const char *auth_file, bool is_inline, const struct static_challenge_info *sci)
Definition ssl.c:294
enable_auth_user_pass
void enable_auth_user_pass(void)
Definition ssl.c:288
show_available_tls_ciphers
void show_available_tls_ciphers(const char *cipher_list, const char *cipher_list_tls13, const char *tls_cert_profile)
Definition ssl.c:4102
X509_USERNAME_FIELD_DEFAULT
#define X509_USERNAME_FIELD_DEFAULT
Definition ssl.h:120
TLS_MULTI_HORIZON
#define TLS_MULTI_HORIZON
Definition ssl.h:61
TLS_MULTI_REFRESH
#define TLS_MULTI_REFRESH
Definition ssl.h:60
tls_ctx_free
void tls_ctx_free(struct tls_root_ctx *ctx)
Frees the library-specific TLSv1 context.
Definition ssl_openssl.c:139
show_available_curves
void show_available_curves(void)
Show the available elliptic curves in the crypto library.
Definition ssl_openssl.c:2588
tls_ctx_initialised
bool tls_ctx_initialised(struct tls_root_ctx *ctx)
Checks whether the given TLS context is initialised.
Definition ssl_openssl.c:148
CAS_CONNECT_DONE
@ CAS_CONNECT_DONE
Definition ssl_common.h:594
CAS_RECONNECT_PENDING
@ CAS_RECONNECT_PENDING
session has already successful established (CAS_CONNECT_DONE) but has a reconnect and needs to redo s...
Definition ssl_common.h:593
check_pull_client_ncp
bool check_pull_client_ncp(struct context *c, const unsigned int found)
Checks whether the cipher negotiation is in an acceptable state and we continue to connect or should ...
Definition ssl_ncp.c:310
tls_item_in_cipher_list
bool tls_item_in_cipher_list(const char *item, const char *list)
Return true iff item is present in the colon-separated zero-terminated cipher list.
Definition ssl_ncp.c:206
get_p2p_ncp_cipher
const char * get_p2p_ncp_cipher(struct tls_session *session, const char *peer_info, struct gc_arena *gc)
Determines the best common cipher from both peers IV_CIPHER lists.
Definition ssl_ncp.c:355
ssl_ncp.h
Control Channel SSL/Data dynamic negotiation Module This file is split from ssl.h to be able to unit ...
session_id_hmac_init
hmac_ctx_t * session_id_hmac_init(void)
Definition ssl_pkt.c:445
tls_common_name
const char * tls_common_name(const struct tls_multi *multi, const bool null)
Returns the common name field for the given tunnel.
Definition ssl_verify.c:107
ssl_verify.h
Control Channel Verification Module.
VERIFY_X509_NONE
#define VERIFY_X509_NONE
Definition ssl_verify.h:68
NS_CERT_CHECK_SERVER
#define NS_CERT_CHECK_SERVER
Do not perform Netscape certificate type verification.
Definition ssl_verify.h:252
status_printf
void status_printf(struct status_output *so, const char *format,...)
Definition status.c:213
status_open
struct status_output * status_open(const char *filename, const int refresh_freq, const int msglevel, const struct virtual_output *vout, const unsigned int flags)
Definition status.c:60
status_close
bool status_close(struct status_output *so)
Definition status.c:179
STATUS_OUTPUT_WRITE
#define STATUS_OUTPUT_WRITE
Definition status.h:51
argv
Definition argv.h:35
buffer
Wrapper structure for dynamically allocated memory.
Definition buffer.h:60
buffer::len
int len
Length in bytes of the actual content within the allocated memory.
Definition buffer.h:65
connection_entry
Definition options.h:104
connection_entry::local_list
struct local_list * local_list
Definition options.h:105
connection_entry::tun_mtu_max
int tun_mtu_max
Definition options.h:126
connection_entry::connect_retry_seconds
int connect_retry_seconds
Definition options.h:116
connection_entry::tls_crypt_v2_force_cookie
bool tls_crypt_v2_force_cookie
Definition options.h:176
connection_entry::link_mtu
int link_mtu
Definition options.h:131
connection_entry::link_mtu_defined
bool link_mtu_defined
Definition options.h:132
connection_entry::tun_mtu_extra
int tun_mtu_extra
Definition options.h:129
connection_entry::connect_retry_seconds_max
int connect_retry_seconds_max
Definition options.h:117
connection_entry::mssfix
int mssfix
Definition options.h:141
connection_entry::tls_crypt_file
const char * tls_crypt_file
Definition options.h:167
connection_entry::tls_crypt_v2_file
const char * tls_crypt_v2_file
Definition options.h:172
connection_entry::tun_mtu_extra_defined
bool tun_mtu_extra_defined
Definition options.h:130
connection_entry::remote
const char * remote
Definition options.h:111
connection_entry::socks_proxy_port
const char * socks_proxy_port
Definition options.h:121
connection_entry::mssfix_encap
bool mssfix_encap
Definition options.h:143
connection_entry::http_proxy_options
struct http_proxy_options * http_proxy_options
Definition options.h:119
connection_entry::tls_crypt_file_inline
bool tls_crypt_file_inline
Definition options.h:168
connection_entry::tls_auth_file_inline
bool tls_auth_file_inline
Definition options.h:163
connection_entry::tun_mtu_defined
bool tun_mtu_defined
Definition options.h:128
connection_entry::tls_mtu
int tls_mtu
Definition options.h:133
connection_entry::explicit_exit_notification
int explicit_exit_notification
Definition options.h:147
connection_entry::socks_proxy_authfile
const char * socks_proxy_authfile
Definition options.h:122
connection_entry::remote_port
const char * remote_port
Definition options.h:110
connection_entry::fragment_encap
bool fragment_encap
Definition options.h:139
connection_entry::socks_proxy_server
const char * socks_proxy_server
Definition options.h:120
connection_entry::fragment
int fragment
Definition options.h:138
connection_entry::proto
int proto
Definition options.h:106
connection_entry::af
sa_family_t af
Definition options.h:107
connection_entry::tls_auth_file
const char * tls_auth_file
Definition options.h:162
connection_entry::tun_mtu
int tun_mtu
Definition options.h:124
connection_entry::key_direction
int key_direction
Definition options.h:164
connection_entry::tls_crypt_v2_file_inline
bool tls_crypt_v2_file_inline
Definition options.h:173
connection_entry::flags
unsigned int flags
Definition options.h:159
connection_list
Definition options.h:197
connection_list::array
struct connection_entry ** array
Definition options.h:201
connection_list::current
int current
Definition options.h:200
connection_list::len
int len
Definition options.h:199
context_0
Level 0 context containing information related to the OpenVPN process.
Definition openvpn.h:137
context_0::platform_state_group
struct platform_state_group platform_state_group
Definition openvpn.h:143
context_0::platform_state_user
struct platform_state_user platform_state_user
Definition openvpn.h:142
context_0::uid_gid_chroot_set
bool uid_gid_chroot_set
Definition openvpn.h:141
context_0::uid_gid_specified
bool uid_gid_specified
Definition openvpn.h:139
context_1::ks
struct key_schedule ks
Definition openvpn.h:164
context_1::ifconfig_pool_persist
struct ifconfig_pool_persist * ifconfig_pool_persist
Definition openvpn.h:197
context_1::http_proxy_owned
bool http_proxy_owned
Definition openvpn.h:190
context_1::status_output
struct status_output * status_output
Definition openvpn.h:185
context_1::route_list
struct route_list * route_list
List of routing information.
Definition openvpn.h:177
context_1::link_socket_addrs
struct link_socket_addr * link_socket_addrs
Local and remote addresses on the external network.
Definition openvpn.h:159
context_1::pulled_options_digest_save
struct sha256_digest pulled_options_digest_save
Hash of option strings received from the remote OpenVPN server.
Definition openvpn.h:201
context_1::link_sockets_num
int link_sockets_num
Definition openvpn.h:158
context_1::status_output_owned
bool status_output_owned
Definition openvpn.h:186
context_1::route_ipv6_list
struct route_ipv6_list * route_ipv6_list
Definition openvpn.h:182
context_1::pid_persist
struct packet_id_persist pid_persist
Definition openvpn.h:170
context_1::http_proxy
struct http_proxy_info * http_proxy
Definition openvpn.h:189
context_1::socks_proxy_owned
bool socks_proxy_owned
Definition openvpn.h:194
context_1::tuntap_owned
bool tuntap_owned
Whether the tun/tap interface should be cleaned up when this context is cleaned up.
Definition openvpn.h:173
context_1::ifconfig_pool_persist_owned
bool ifconfig_pool_persist_owned
Definition openvpn.h:198
context_1::socks_proxy
struct socks_proxy_info * socks_proxy
Definition openvpn.h:193
context_1::tuntap
struct tuntap * tuntap
Tun/tap virtual network interface.
Definition openvpn.h:172
context_2::options_string_local
char * options_string_local
Definition openvpn.h:296
context_2::fragment
struct fragment_master * fragment
Definition openvpn.h:252
context_2::do_up_ran
bool do_up_ran
Definition openvpn.h:411
context_2::options_string_remote
char * options_string_remote
Definition openvpn.h:297
context_2::route_wakeup_expire
struct event_timeout route_wakeup_expire
Definition openvpn.h:384
context_2::did_open_tun
bool did_open_tun
Definition openvpn.h:387
context_2::pulled_options_state
md_ctx_t * pulled_options_state
Definition openvpn.h:444
context_2::es_owned
bool es_owned
Definition openvpn.h:421
context_2::mda_context
struct man_def_auth_context mda_context
Definition openvpn.h:453
context_2::session_id_hmac
hmac_ctx_t * session_id_hmac
the HMAC we use to generate and verify our syn cookie like session ids from the server.
Definition openvpn.h:338
context_2::accept_from
const struct link_socket * accept_from
Definition openvpn.h:242
context_2::tls_auth_standalone
struct tls_auth_standalone * tls_auth_standalone
TLS state structure required for the initial authentication of a client's connection attempt.
Definition openvpn.h:326
context_2::occ_op
int occ_op
Definition openvpn.h:299
context_2::es
struct env_set * es
Definition openvpn.h:420
context_2::link_socket_owned
bool link_socket_owned
Definition openvpn.h:240
context_2::tls_multi
struct tls_multi * tls_multi
TLS state structure for this VPN tunnel.
Definition openvpn.h:323
context_2::frame
struct frame frame
Definition openvpn.h:248
context_2::frame_fragment
struct frame frame_fragment
Definition openvpn.h:253
context_2::crypto_options
struct crypto_options crypto_options
Security parameters and crypto state used by the Data Channel Crypto module to process data channel p...
Definition openvpn.h:349
context_2::buffers_owned
bool buffers_owned
Definition openvpn.h:368
context_2::link_sockets
struct link_socket ** link_sockets
Definition openvpn.h:237
context_2::link_socket_infos
struct link_socket_info ** link_socket_infos
Definition openvpn.h:238
context_2::log_rw
bool log_rw
Definition openvpn.h:380
context_2::event_set_max
int event_set_max
Definition openvpn.h:231
context_2::gc
struct gc_arena gc
Garbage collection arena for allocations done in the level 2 scope of this context_2 structure.
Definition openvpn.h:225
context_2::fast_io
bool fast_io
Definition openvpn.h:424
context_2::pulled_options_digest
struct sha256_digest pulled_options_digest
Definition openvpn.h:445
context_2::event_set
struct event_set * event_set
Definition openvpn.h:230
context_2::buffers
struct context_buffers * buffers
Definition openvpn.h:367
context_2::route_wakeup
struct event_timeout route_wakeup
Definition openvpn.h:383
context_2::tls_exit_signal
int tls_exit_signal
Definition openvpn.h:347
context_2::event_set_owned
bool event_set_owned
Definition openvpn.h:232
context_buffers
Definition openvpn.h:95
context_buffers::read_link_buf
struct buffer read_link_buf
Definition openvpn.h:113
context_buffers::encrypt_buf
struct buffer encrypt_buf
Definition openvpn.h:100
context_buffers::read_tun_buf
struct buffer read_tun_buf
Definition openvpn.h:114
context_buffers::decrypt_buf
struct buffer decrypt_buf
Definition openvpn.h:101
context_buffers::aux_buf
struct buffer aux_buf
Definition openvpn.h:97
context_persist
Definition openvpn.h:121
context_persist::restart_sleep_seconds
int restart_sleep_seconds
Definition openvpn.h:122
context_persist::duri
struct dns_updown_runner_info duri
Definition openvpn.h:123
context
Contains all state information for one tunnel.
Definition openvpn.h:474
context::mode
int mode
Role of this context within the OpenVPN process.
Definition openvpn.h:487
context::c0
struct context_0 * c0
Level 0 context.
Definition openvpn.h:515
context::did_we_daemonize
bool did_we_daemonize
Whether demonization has already taken place.
Definition openvpn.h:510
context::first_time
bool first_time
True on the first iteration of OpenVPN's main loop.
Definition openvpn.h:478
context::sig
struct signal_info * sig
Internal error signaling object.
Definition openvpn.h:503
context::net_ctx
openvpn_net_ctx_t net_ctx
Networking API opaque context.
Definition openvpn.h:501
context::plugins
struct plugin_list * plugins
List of plug-ins.
Definition openvpn.h:505
context::c2
struct context_2 c2
Level 2 context.
Definition openvpn.h:517
context::es
struct env_set * es
Set of environment variables.
Definition openvpn.h:499
context::options
struct options options
Options loaded from command line or configuration file.
Definition openvpn.h:475
context::plugins_owned
bool plugins_owned
Whether the plug-ins should be cleaned up when this context is cleaned up.
Definition openvpn.h:506
context::gc
struct gc_arena gc
Garbage collection arena for allocations done in the scope of this context structure.
Definition openvpn.h:495
context::c1
struct context_1 c1
Level 1 context.
Definition openvpn.h:516
context::persist
struct context_persist persist
Persistent context.
Definition openvpn.h:513
crypto_options::flags
unsigned int flags
Bit-flags determining behavior of security operation functions.
Definition crypto.h:384
crypto_options::pid_persist
struct packet_id_persist * pid_persist
Persistent packet ID state for keeping state between successive OpenVPN process startups.
Definition crypto.h:340
crypto_options::key_ctx_bi
struct key_ctx_bi key_ctx_bi
OpenSSL cipher and HMAC contexts for both sending and receiving directions.
Definition crypto.h:294
crypto_options::packet_id
struct packet_id packet_id
Current packet ID state for both sending and receiving directions.
Definition crypto.h:331
dns_updown_runner_info::required
bool required
Definition dns.h:84
env_set
Definition env_set.h:43
frame
Packet geometry parameters.
Definition mtu.h:103
frame::tun_mtu
int tun_mtu
the (user) configured tun-mtu.
Definition mtu.h:137
frame::payload_size
int payload_size
the maximum size that a payload that our buffers can hold from either tun device or network link.
Definition mtu.h:108
frame::tun_max_mtu
int tun_max_mtu
the maximum tun-mtu size the buffers are are sized for.
Definition mtu.h:147
frame::extra_tun
int extra_tun
Maximum number of bytes in excess of the tun/tap MTU that might be read from or written to the virtua...
Definition mtu.h:151
frame::headroom
int headroom
the headroom in the buffer, this is choosen to allow all potential header to be added before the pack...
Definition mtu.h:114
frame::buf
struct frame::@8 buf
frame::tailroom
int tailroom
the tailroom in the buffer.
Definition mtu.h:118
gc_arena
Garbage collection arena used to keep track of dynamically allocated memory.
Definition buffer.h:116
http_proxy_options
Definition proxy.h:45
http_proxy_options::first_time
bool first_time
Definition proxy.h:61
http_proxy_options::port
const char * port
Definition proxy.h:47
http_proxy_options::auth_retry
int auth_retry
Definition proxy.h:52
http_proxy_options::server
const char * server
Definition proxy.h:46
key_schedule
Definition openvpn.h:55
key_schedule::tls_crypt_v2_wkc
struct buffer tls_crypt_v2_wkc
Wrapped client key.
Definition openvpn.h:72
key_schedule::original_wrap_keydata
struct key2 original_wrap_keydata
original tls-crypt key preserved to xored into the tls_crypt renegotiation key
Definition openvpn.h:70
key_schedule::key_type
struct key_type key_type
Definition openvpn.h:57
key_schedule::auth_token_key
struct key_ctx auth_token_key
Definition openvpn.h:73
key_schedule::ssl_ctx
struct tls_root_ctx ssl_ctx
Definition openvpn.h:63
key_schedule::tls_auth_key_type
struct key_type tls_auth_key_type
Definition openvpn.h:66
key_schedule::tls_wrap_key
struct key_ctx_bi tls_wrap_key
Definition openvpn.h:67
key_schedule::static_key
struct key_ctx_bi static_key
Definition openvpn.h:60
key_schedule::tls_crypt_v2_server_key
struct key_ctx tls_crypt_v2_server_key
Definition openvpn.h:71
key_type::cipher
const char * cipher
const name of the cipher
Definition crypto.h:142
key_type::digest
const char * digest
Message digest static parameters.
Definition crypto.h:143
link_socket_actual
Definition socket_util.h:50
link_socket_actual::dest
struct openvpn_sockaddr dest
Definition socket_util.h:53
link_socket_addr
Definition socket.h:77
link_socket_addr::actual
struct link_socket_actual actual
Definition socket.h:82
link_socket_addr::remote_list
struct addrinfo * remote_list
Definition socket.h:79
link_socket_addr::bind_local
struct addrinfo * bind_local
Definition socket.h:78
link_socket_addr::current_remote
struct addrinfo * current_remote
Definition socket.h:80
link_socket_info
Definition socket.h:86
link_socket_info::connection_established
bool connection_established
Definition socket.h:88
link_socket_info::lsa
struct link_socket_addr * lsa
Definition socket.h:87
link_socket_info::proto
int proto
Definition socket.h:92
link_socket
Definition socket.h:148
link_socket::info
struct link_socket_info info
Definition socket.h:149
link_socket::sd
socket_descriptor_t sd
Definition socket.h:156
local_list::len
int len
Definition options.h:192
man_persist::special_state_msg
const char * special_state_msg
Definition manage.h:232
management_callback
Definition manage.h:172
management_callback::arg
void * arg
Definition manage.h:173
management_callback::status
void(* status)(void *arg, const int version, struct status_output *so)
Definition manage.h:178
management_callback::remote_entry_get
bool(* remote_entry_get)(void *arg, unsigned int index, char **remote)
Definition manage.h:198
management_callback::remote_entry_count
unsigned int(* remote_entry_count)(void *arg)
Definition manage.h:197
management_callback::send_cc_message
bool(* send_cc_message)(void *arg, const char *message, const char *parameter)
Definition manage.h:184
management_callback::proxy_cmd
bool(* proxy_cmd)(void *arg, const char **p)
Definition manage.h:192
management_callback::flags
unsigned int flags
Definition manage.h:176
management_callback::remote_cmd
bool(* remote_cmd)(void *arg, const char **p)
Definition manage.h:193
management_callback::show_net
void(* show_net)(void *arg, const int msglevel)
Definition manage.h:179
management::persist
struct man_persist persist
Definition manage.h:333
openvpn_sockaddr
Definition socket_util.h:38
openvpn_sockaddr::addr
union openvpn_sockaddr::@27 addr
openvpn_sockaddr::sa
struct sockaddr sa
Definition socket_util.h:42
openvpn_sockaddr::in4
struct sockaddr_in in4
Definition socket_util.h:43
openvpn_sockaddr::in6
struct sockaddr_in6 in6
Definition socket_util.h:44
options::rcvbuf
int rcvbuf
Definition options.h:416
options::resolve_in_advance
bool resolve_in_advance
Definition options.h:368
options::route_nopull
bool route_nopull
Definition options.h:440
options::genkey_extra_data
const char * genkey_extra_data
Definition options.h:286
options::comp
struct compress_options comp
Definition options.h:413
options::persist_config
bool persist_config
Definition options.h:274
options::connection_list
struct connection_list * connection_list
Definition options.h:291
options::management_port
const char * management_port
Definition options.h:450
options::ifconfig_ipv6_remote
const char * ifconfig_ipv6_remote
Definition options.h:327
options::server_backoff_time
int server_backoff_time
Definition options.h:306
options::auth_token_renewal
int auth_token_renewal
Definition options.h:548
options::tmp_dir
const char * tmp_dir
Definition options.h:469
options::push_peer_info
bool push_peer_info
Definition options.h:685
options::daemon
bool daemon
Definition options.h:391
options::route_default_metric
int route_default_metric
Definition options.h:432
options::renegotiate_seconds_min
int renegotiate_seconds_min
Definition options.h:651
options::auth_token_secret_file
const char * auth_token_secret_file
Definition options.h:549
options::imported_protocol_flags
unsigned int imported_protocol_flags
Definition options.h:724
options::tls_export_peer_cert_dir
const char * tls_export_peer_cert_dir
Definition options.h:616
options::crl_file_inline
bool crl_file_inline
Definition options.h:620
options::down_script
const char * down_script
Definition options.h:386
options::verify_hash_algo
hash_algo_type verify_hash_algo
Definition options.h:626
options::replay_time
int replay_time
Definition options.h:587
options::management_state_buffer_size
int management_state_buffer_size
Definition options.h:454
options::duplicate_cn
bool duplicate_cn
Definition options.h:530
options::shaper
int shaper
Definition options.h:330
options::management_echo_buffer_size
int management_echo_buffer_size
Definition options.h:453
options::show_net_up
bool show_net_up
Definition options.h:698
options::verify_hash_no_ca
bool verify_hash_no_ca
Definition options.h:628
options::use_peer_id
bool use_peer_id
Definition options.h:704
options::remote_cert_ku
unsigned remote_cert_ku[MAX_PARMS]
Definition options.h:623
options::server_bridge_defined
bool server_bridge_defined
Definition options.h:484
options::keying_material_exporter_label
const char * keying_material_exporter_label
Definition options.h:708
options::status_file
const char * status_file
Definition options.h:406
options::ssl_flags
unsigned int ssl_flags
Definition options.h:629
options::route_noexec
bool route_noexec
Definition options.h:433
options::ifconfig_nowarn
bool ifconfig_nowarn
Definition options.h:329
options::remote_cert_eku
const char * remote_cert_eku
Definition options.h:624
options::tls_timeout
int tls_timeout
Definition options.h:645
options::test_crypto
bool test_crypto
Definition options.h:589
options::up_delay
bool up_delay
Definition options.h:389
options::server_bridge_proxy_dhcp
bool server_bridge_proxy_dhcp
Definition options.h:482
options::authname
const char * authname
Definition options.h:582
options::exit_event_name
const char * exit_event_name
Definition options.h:696
options::ifconfig_ipv6_local
const char * ifconfig_ipv6_local
Definition options.h:325
options::replay_window
int replay_window
Definition options.h:586
options::mute
int mute
Definition options.h:400
options::auth_user_pass_verify_script_via_file
bool auth_user_pass_verify_script_via_file
Definition options.h:544
options::dev_type
const char * dev_type
Definition options.h:319
options::persist_mode
int persist_mode
Definition options.h:275
options::ifconfig_pool_persist_refresh_freq
int ifconfig_pool_persist_refresh_freq
Definition options.h:496
options::show_digests
bool show_digests
Definition options.h:279
options::up_script
const char * up_script
Definition options.h:385
options::ce_advance_count
int ce_advance_count
Definition options.h:302
options::single_session
bool single_session
Definition options.h:683
options::rh_store
struct remote_host_store * rh_store
Definition options.h:312
options::verify_hash_depth
int verify_hash_depth
Definition options.h:627
options::route_delay_defined
bool route_delay_defined
Definition options.h:436
options::packet_id_file
const char * packet_id_file
Definition options.h:588
options::tls_crypt_v2_file
const char * tls_crypt_v2_file
Definition options.h:675
options::management_log_history_cache
int management_log_history_cache
Definition options.h:452
options::peer_id
uint32_t peer_id
Definition options.h:705
options::routes
struct route_option_list * routes
Definition options.h:437
options::keepalive_timeout
int keepalive_timeout
Definition options.h:343
options::fast_io
bool fast_io
Definition options.h:411
options::block_outside_dns
bool block_outside_dns
Definition options.h:700
options::tls_exit
bool tls_exit
Definition options.h:687
options::show_engines
bool show_engines
Definition options.h:280
options::msg_channel
HANDLE msg_channel
Definition options.h:695
options::key_pass_file
const char * key_pass_file
Definition options.h:277
options::mute_replay_warnings
bool mute_replay_warnings
Definition options.h:585
options::unsuccessful_attempts
unsigned int unsuccessful_attempts
Definition options.h:300
options::handshake_window
int handshake_window
Definition options.h:655
options::ifconfig_local
const char * ifconfig_local
Definition options.h:323
options::ce
struct connection_entry ce
Definition options.h:290
options::user_script_used
bool user_script_used
Definition options.h:387
options::show_tls_ciphers
bool show_tls_ciphers
Definition options.h:281
options::tuntap_options
struct tuntap_options tuntap_options
Definition options.h:371
options::verify_hash
struct verify_hash_list * verify_hash
Definition options.h:625
options::tls_cert_profile
const char * tls_cert_profile
Definition options.h:613
options::renegotiate_packets
int64_t renegotiate_packets
Definition options.h:649
options::management_flags
unsigned int management_flags
Definition options.h:462
options::route_default_gateway
const char * route_default_gateway
Definition options.h:429
options::exit_event_initial_state
bool exit_event_initial_state
Definition options.h:697
options::sc_info
struct static_challenge_info sc_info
Definition options.h:569
options::auth_token_call_auth
bool auth_token_call_auth
Definition options.h:546
options::topology
int topology
Definition options.h:322
options::disable_dco
bool disable_dco
Definition options.h:374
options::ncp_ciphers
const char * ncp_ciphers
Definition options.h:581
options::genkey
bool genkey
Definition options.h:283
options::ciphername
const char * ciphername
Definition options.h:576
options::auth_user_pass_file
const char * auth_user_pass_file
Definition options.h:562
options::username
const char * username
Definition options.h:377
options::plugin_list
struct plugin_option_list * plugin_list
Definition options.h:465
options::auth_token_lifetime
int auth_token_lifetime
Definition options.h:547
options::ns_cert_type
int ns_cert_type
Definition options.h:622
options::tls_crypt_v2_verify_script
const char * tls_crypt_v2_verify_script
Definition options.h:680
options::mode
int mode
Definition options.h:262
options::tls_server
bool tls_server
Definition options.h:595
options::auth_user_pass_verify_script
const char * auth_user_pass_verify_script
Definition options.h:543
options::connect_retry_max
int connect_retry_max
Definition options.h:289
options::pull
bool pull
Definition options.h:559
options::show_curves
bool show_curves
Definition options.h:282
options::route_ipv6_default_gateway
const char * route_ipv6_default_gateway
Definition options.h:430
options::tls_client
bool tls_client
Definition options.h:596
options::auth_token_generate
bool auth_token_generate
Definition options.h:545
options::priv_key_file_inline
bool priv_key_file_inline
Definition options.h:607
options::tls_verify
const char * tls_verify
Definition options.h:615
options::crl_file
const char * crl_file
Definition options.h:619
options::ping_rec_timeout_action
int ping_rec_timeout_action
Definition options.h:357
options::auth_user_pass_file_inline
bool auth_user_pass_file_inline
Definition options.h:563
options::show_ciphers
bool show_ciphers
Definition options.h:278
options::enable_ncp_fallback
bool enable_ncp_fallback
If defined fall back to ciphername if NCP fails.
Definition options.h:577
options::route_predown_script
const char * route_predown_script
Definition options.h:428
options::route_delay_window
int route_delay_window
Definition options.h:435
options::mlock
bool mlock
Definition options.h:340
options::sndbuf
int sndbuf
Definition options.h:417
options::gc
struct gc_arena gc
Definition options.h:253
options::down_pre
bool down_pre
Definition options.h:388
options::persist_tun
bool persist_tun
Definition options.h:359
options::route_default_table_id
int route_default_table_id
Definition options.h:431
options::auth_token_secret_file_inline
bool auth_token_secret_file_inline
Definition options.h:550
options::config
const char * config
Definition options.h:257
options::keying_material_exporter_length
int keying_material_exporter_length
Definition options.h:709
options::mtu_test
bool mtu_test
Definition options.h:334
options::verify_x509_type
int verify_x509_type
Definition options.h:617
options::cipher_list_tls13
const char * cipher_list_tls13
Definition options.h:611
options::status_file_update_freq
int status_file_update_freq
Definition options.h:408
options::management_client_user
const char * management_client_user
Definition options.h:456
options::cipher_list
const char * cipher_list
Definition options.h:610
options::ccd_exclusive
bool ccd_exclusive
Definition options.h:509
options::genkey_filename
const char * genkey_filename
Definition options.h:285
options::x509_track
const struct x509_track * x509_track
Definition options.h:689
options::chroot_dir
const char * chroot_dir
Definition options.h:379
options::log
bool log
Definition options.h:395
options::shared_secret_file_inline
bool shared_secret_file_inline
Definition options.h:573
options::renegotiate_seconds
int renegotiate_seconds
Definition options.h:650
options::ping_rec_timeout
int ping_rec_timeout
Definition options.h:351
options::sockflags
unsigned int sockflags
Definition options.h:424
options::engine
const char * engine
Definition options.h:583
options::management_addr
const char * management_addr
Definition options.h:449
options::verify_x509_name
const char * verify_x509_name
Definition options.h:618
options::ping_send_timeout
int ping_send_timeout
Definition options.h:350
options::route_delay
int route_delay
Definition options.h:434
options::dev_node
const char * dev_node
Definition options.h:320
options::client_crresponse_script
const char * client_crresponse_script
Definition options.h:507
options::routes_ipv6
struct route_ipv6_option_list * routes_ipv6
Definition options.h:438
options::key_direction
int key_direction
Definition options.h:575
options::persist_remote_ip
bool persist_remote_ip
Definition options.h:361
options::up_restart
bool up_restart
Definition options.h:390
options::keepalive_ping
int keepalive_ping
Definition options.h:342
options::no_advance
bool no_advance
Definition options.h:295
options::tls_crypt_v2_file_inline
bool tls_crypt_v2_file_inline
Definition options.h:676
options::groupname
const char * groupname
Definition options.h:378
options::cd_dir
const char * cd_dir
Definition options.h:380
options::nice
int nice
Definition options.h:398
options::transition_window
int transition_window
Definition options.h:663
options::ifconfig_remote_netmask
const char * ifconfig_remote_netmask
Definition options.h:324
options::lladdr
const char * lladdr
Definition options.h:321
options::verbosity
int verbosity
Definition options.h:399
options::windows_driver
enum tun_driver_type windows_driver
Definition options.h:701
options::remap_sigusr1
int remap_sigusr1
Definition options.h:393
options::renegotiate_bytes
int64_t renegotiate_bytes
Definition options.h:648
options::route_script
const char * route_script
Definition options.h:427
options::management_user_pass
const char * management_user_pass
Definition options.h:451
options::shared_secret_file
const char * shared_secret_file
Definition options.h:572
options::ifconfig_noexec
bool ifconfig_noexec
Definition options.h:328
options::dev
const char * dev
Definition options.h:318
options::management_client_group
const char * management_client_group
Definition options.h:457
options::client_config_dir
const char * client_config_dir
Definition options.h:508
options::genkey_type
enum genkey_type genkey_type
Definition options.h:284
options::advance_next_remote
bool advance_next_remote
Definition options.h:298
options::ifconfig_pool_persist_filename
const char * ifconfig_pool_persist_filename
Definition options.h:495
options::ifconfig_ipv6_netbits
int ifconfig_ipv6_netbits
Definition options.h:326
options::persist_local_ip
bool persist_local_ip
Definition options.h:360
plugin_list
Definition plugin.h:97
plugin_return
Definition plugin.h:104
plugin_return::n
int n
Definition plugin.h:105
plugin_return::list
struct openvpn_plugin_string_list * list[MAX_PLUGINS]
Definition plugin.h:106
remote_host_store
Definition options.h:227
remote_host_store::port
char port[RH_PORT_LEN]
Definition options.h:231
remote_host_store::host
char host[RH_HOST_LEN]
Definition options.h:229
route_ipv6_list
Definition route.h:243
route_ipv6_list::gc
struct gc_arena gc
Definition route.h:254
route_ipv6_option_list::flags
unsigned int flags
Definition route.h:113
route_ipv6_option_list::gc
struct gc_arena * gc
Definition route.h:115
route_list
Definition route.h:229
route_list::gc
struct gc_arena gc
Definition route.h:239
sha256_digest
Wrapper struct to pass around SHA256 digests.
Definition crypto.h:133
signal_info
Definition sig.h:41
signal_info::signal_text
const char * signal_text
Definition sig.h:44
signal_info::signal_received
volatile int signal_received
Definition sig.h:42
signal_info::source
volatile int source
Definition sig.h:43
status_output
Definition status.h:49
status_output::flags
unsigned int flags
Definition status.h:52
tls_auth_standalone::frame
struct frame frame
Definition ssl_pkt.h:81
tls_auth_standalone::workbuf
struct buffer workbuf
Definition ssl_pkt.h:80
tls_auth_standalone::tls_wrap
struct tls_wrap_ctx tls_wrap
Definition ssl_pkt.h:79
tls_multi::dco
dco_context_t * dco
Definition ssl_common.h:726
tls_multi::peer_info
char * peer_info
A multi-line string of general-purpose info received from peer over control channel.
Definition ssl_common.h:673
tls_multi::multi_state
enum multi_status multi_state
Definition ssl_common.h:633
tls_multi::opt
struct tls_options opt
Definition ssl_common.h:617
tls_multi::session
struct tls_session session[TM_SIZE]
Array of tls_session objects representing control channel sessions with the remote peer.
Definition ssl_common.h:712
tls_multi::peer_id
uint32_t peer_id
Definition ssl_common.h:700
tls_multi::use_peer_id
bool use_peer_id
Definition ssl_common.h:701
tls_options
Definition ssl_common.h:307
tls_options::renegotiate_bytes
int64_t renegotiate_bytes
Definition ssl_common.h:343
tls_options::auth_token_key
struct key_ctx auth_token_key
Definition ssl_common.h:408
tls_options::mode
int mode
Definition ssl_common.h:327
tls_options::auth_token_renewal
unsigned int auth_token_renewal
Definition ssl_common.h:406
tls_options::es
struct env_set * es
Definition ssl_common.h:414
tls_options::auth_token_lifetime
unsigned int auth_token_lifetime
Definition ssl_common.h:405
tls_options::gremlin
int gremlin
Definition ssl_common.h:448
tls_options::server
bool server
Definition ssl_common.h:315
tls_options::tls_wrap
struct tls_wrap_ctx tls_wrap
TLS handshake wrapping state.
Definition ssl_common.h:388
tls_options::ekm_label_size
size_t ekm_label_size
Definition ssl_common.h:452
tls_options::crypto_flags
unsigned int crypto_flags
Definition ssl_common.h:370
tls_options::remote_cert_ku
unsigned remote_cert_ku[MAX_PARMS]
Definition ssl_common.h:357
tls_options::packet_timeout
interval_t packet_timeout
Definition ssl_common.h:342
tls_options::auth_user_pass_file
const char * auth_user_pass_file
Definition ssl_common.h:398
tls_options::client_crresponse_script
const char * client_crresponse_script
Definition ssl_common.h:394
tls_options::sci
const struct static_challenge_info * sci
Definition ssl_common.h:444
tls_options::net_ctx
openvpn_net_ctx_t * net_ctx
Definition ssl_common.h:415
tls_options::tmp_dir
const char * tmp_dir
Definition ssl_common.h:396
tls_options::replay_time
int replay_time
Definition ssl_common.h:373
tls_options::renegotiate_seconds
interval_t renegotiate_seconds
Definition ssl_common.h:348
tls_options::frame
struct frame frame
Definition ssl_common.h:390
tls_options::renegotiate_packets
int64_t renegotiate_packets
Definition ssl_common.h:344
tls_options::auth_user_pass_file_inline
bool auth_user_pass_file_inline
Definition ssl_common.h:399
tls_options::verify_hash_depth
int verify_hash_depth
Definition ssl_common.h:360
tls_options::plugins
const struct plugin_list * plugins
Definition ssl_common.h:416
tls_options::client_config_dir_exclusive
const char * client_config_dir_exclusive
Definition ssl_common.h:411
tls_options::tls_crypt_v2
bool tls_crypt_v2
Definition ssl_common.h:384
tls_options::export_peer_cert_dir
const char * export_peer_cert_dir
Definition ssl_common.h:397
tls_options::verify_command
const char * verify_command
Definition ssl_common.h:351
tls_options::verify_hash
struct verify_hash_list * verify_hash
Definition ssl_common.h:359
tls_options::ekm_label
const char * ekm_label
Definition ssl_common.h:451
tls_options::ekm_size
size_t ekm_size
Definition ssl_common.h:453
tls_options::x509_username_field
char * x509_username_field[2]
Definition ssl_common.h:366
tls_options::transition_window
int transition_window
Definition ssl_common.h:340
tls_options::config_ciphername
const char * config_ciphername
Definition ssl_common.h:375
tls_options::verify_x509_type
int verify_x509_type
Definition ssl_common.h:352
tls_options::single_session
bool single_session
Definition ssl_common.h:326
tls_options::data_epoch_supported
bool data_epoch_supported
whether our underlying data channel supports new data channel features (epoch keys with AEAD tag at t...
Definition ssl_common.h:382
tls_options::verify_x509_name
const char * verify_x509_name
Definition ssl_common.h:353
tls_options::crl_file_inline
bool crl_file_inline
Definition ssl_common.h:355
tls_options::x509_track
const struct x509_track * x509_track
Definition ssl_common.h:441
tls_options::verify_hash_no_ca
bool verify_hash_no_ca
Definition ssl_common.h:361
tls_options::mda_context
struct man_def_auth_context * mda_context
Definition ssl_common.h:438
tls_options::tls_crypt_v2_verify_script
const char * tls_crypt_v2_verify_script
Definition ssl_common.h:385
tls_options::ssl_ctx
struct tls_root_ctx ssl_ctx
Definition ssl_common.h:309
tls_options::auth_user_pass_verify_script_via_file
bool auth_user_pass_verify_script_via_file
Definition ssl_common.h:395
tls_options::config_ncp_ciphers
const char * config_ncp_ciphers
Definition ssl_common.h:376
tls_options::xmit_hold
bool xmit_hold
Definition ssl_common.h:318
tls_options::ssl_flags
unsigned int ssl_flags
Definition ssl_common.h:435
tls_options::auth_token_generate
bool auth_token_generate
Generate auth-tokens on successful user/pass auth,seet via options->auth_token_generate.
Definition ssl_common.h:401
tls_options::key_type
struct key_type key_type
Definition ssl_common.h:312
tls_options::push_peer_info_detail
int push_peer_info_detail
The detail of info we push in peer info.
Definition ssl_common.h:339
tls_options::ns_cert_type
int ns_cert_type
Definition ssl_common.h:356
tls_options::verify_hash_algo
hash_algo_type verify_hash_algo
Definition ssl_common.h:362
tls_options::pull
bool pull
Definition ssl_common.h:328
tls_options::auth_token_call_auth
bool auth_token_call_auth
always call normal authentication
Definition ssl_common.h:404
tls_options::crl_file
const char * crl_file
Definition ssl_common.h:354
tls_options::handshake_window
int handshake_window
Definition ssl_common.h:341
tls_options::dco_enabled
bool dco_enabled
Whether keys have to be installed in DCO or not.
Definition ssl_common.h:455
tls_options::auth_user_pass_verify_script
const char * auth_user_pass_verify_script
Definition ssl_common.h:393
tls_options::remote_cert_eku
const char * remote_cert_eku
Definition ssl_common.h:358
tls_options::replay_window
int replay_window
Definition ssl_common.h:372
tls_session
Security parameter state of a single session within a VPN tunnel.
Definition ssl_common.h:490
tls_wrap_ctx::opt
struct crypto_options opt
Crypto state.
Definition ssl_common.h:283
tls_wrap_ctx::mode
enum tls_wrap_ctx::@28 mode
Control channel wrapping mode.
tls_wrap_ctx::work
struct buffer work
Work buffer (only for –tls-crypt)
Definition ssl_common.h:284
tls_wrap_ctx::tls_crypt_v2_server_key
struct key_ctx tls_crypt_v2_server_key
Decrypts client keys.
Definition ssl_common.h:285
tls_wrap_ctx::tls_crypt_v2_wkc
const struct buffer * tls_crypt_v2_wkc
Wrapped client key, sent to server.
Definition ssl_common.h:286
tls_wrap_ctx::original_wrap_keydata
struct key2 original_wrap_keydata
original key data to be xored in to the key for dynamic tls-crypt.
Definition ssl_common.h:299
tuntap_options::msg_channel
HANDLE msg_channel
Definition tun.h:88
tuntap
Definition tun.h:183
tuntap::local
in_addr_t local
Definition tun.h:210
tuntap::adapter_index
DWORD adapter_index
Definition tun.h:234
tuntap::backend_driver
enum tun_driver_type backend_driver
The backend driver that used for this tun/tap device.
Definition tun.h:193
tuntap::options
struct tuntap_options options
Definition tun.h:205
tuntap::local_ipv6
struct in6_addr local_ipv6
Definition tun.h:213
tuntap::dco
dco_context_t dco
Definition tun.h:249
tuntap::actual_name
char * actual_name
Definition tun.h:207
tuntap::remote_netmask
in_addr_t remote_netmask
Definition tun.h:211
user_pass
Definition misc.h:52
user_pass::password
char password[USER_PASS_LEN]
Definition misc.h:68
user_pass::username
char username[USER_PASS_LEN]
Definition misc.h:67
win32_signal
Definition win32.h:156
win32_signal::mode
int mode
Definition win32.h:160
window_title
Definition win32.h:74
srandom
#define srandom
Definition syshead.h:44
SOCKET_UNDEFINED
#define SOCKET_UNDEFINED
Definition syshead.h:438
sleep
#define sleep(x)
Definition syshead.h:42
es
struct env_set * es
Definition test_pkcs11.c:138
i
int i
Definition test_push_update_msg.c:120
gc
struct gc_arena gc
Definition test_ssl.c:131
tls_crypt.h
open_tun
void open_tun(const char *dev, const char *dev_type, const char *dev_node, struct tuntap *tt, openvpn_net_ctx_t *ctx)
Definition tun.c:6375
dev_type_enum
int dev_type_enum(const char *dev, const char *dev_type)
Definition tun.c:520
fork_register_dns_action
void fork_register_dns_action(struct tuntap *tt)
Definition tun.c:5763
init_tun
struct tuntap * init_tun(const char *dev, const char *dev_type, int topology, const char *ifconfig_local_parm, const char *ifconfig_remote_netmask_parm, const char *ifconfig_ipv6_local_parm, int ifconfig_ipv6_netbits_parm, const char *ifconfig_ipv6_remote_parm, struct addrinfo *local_public, struct addrinfo *remote_public, const bool strict_warn, struct env_set *es, openvpn_net_ctx_t *ctx, struct tuntap *tt)
Definition tun.c:829
show_adapters
void show_adapters(int msglev)
Definition tun.c:4841
is_dev_type
bool is_dev_type(const char *dev, const char *dev_type, const char *match_type)
Definition tun.c:502
do_ifconfig
void do_ifconfig(struct tuntap *tt, const char *ifname, int tun_mtu, const struct env_set *es, openvpn_net_ctx_t *ctx)
do_ifconfig - configure the tunnel interface
Definition tun.c:1565
dev_type_string
const char * dev_type_string(const char *dev, const char *dev_type)
Definition tun.c:539
close_tun
void close_tun(struct tuntap *tt, openvpn_net_ctx_t *ctx)
Definition tun.c:6526
warn_on_use_of_common_subnets
void warn_on_use_of_common_subnets(openvpn_net_ctx_t *ctx)
Definition tun.c:669
init_tun_post
void init_tun_post(struct tuntap *tt, const struct frame *frame, const struct tuntap_options *options)
Definition tun.c:953
guess_tuntap_dev
const char * guess_tuntap_dev(const char *dev, const char *dev_type, const char *dev_node, struct gc_arena *gc)
Definition tun.c:559
do_ifconfig_setenv
void do_ifconfig_setenv(const struct tuntap *tt, struct env_set *es)
Definition tun.c:785
undo_ifconfig
void undo_ifconfig(struct tuntap *tt, openvpn_net_ctx_t *ctx)
undo_ifconfig - undo configuration of the tunnel interface
Definition tun.c:1654
tun_standby_init
void tun_standby_init(struct tuntap *tt)
Definition tun.c:5494
print_tun_backend_driver
const char * print_tun_backend_driver(enum tun_driver_type driver)
Return a string representation of the tun backed driver type.
Definition tun.c:58
IFCONFIG_AFTER_TUN_OPEN
#define IFCONFIG_AFTER_TUN_OPEN
Definition tun.h:349
IFCONFIG_BEFORE_TUN_OPEN
#define IFCONFIG_BEFORE_TUN_OPEN
Definition tun.h:348
tuntap_is_dco_win
static bool tuntap_is_dco_win(struct tuntap *tt)
Definition tun.h:532
DRIVER_NULL
@ DRIVER_NULL
Definition tun.h:52
DRIVER_GENERIC_TUNTAP
@ DRIVER_GENERIC_TUNTAP
Definition tun.h:47
DRIVER_AFUNIX
@ DRIVER_AFUNIX
using an AF_UNIX socket to pass packets from/to an external program.
Definition tun.h:51
DRIVER_DCO
@ DRIVER_DCO
Definition tun.h:53
ROUTE_AFTER_TUN
#define ROUTE_AFTER_TUN
Definition tun.h:380
ifconfig_order
static int ifconfig_order(struct tuntap *tt)
Definition tun.h:354
open_tun_null
static void open_tun_null(struct tuntap *tt)
Definition tun.h:634
route_order
static int route_order(struct tuntap *tt)
Definition tun.h:384
ROUTE_BEFORE_TUN
#define ROUTE_BEFORE_TUN
Definition tun.h:379
is_tun_type_set
static bool is_tun_type_set(const struct tuntap *tt)
Definition tun.h:628
tuncfg
void tuncfg(const char *dev, const char *dev_type, const char *dev_node, int persist_mode, const char *username, const char *groupname, const struct tuntap_options *options, openvpn_net_ctx_t *ctx)
open_tun_afunix
void open_tun_afunix(struct options *o, int mtu, struct tuntap *tt, struct env_set *orig_env)
Opens an AF_UNIX based tun device.
Definition tun_afunix.c:71
close_tun_afunix
void close_tun_afunix(struct tuntap *tt)
Closes the socket used for the AF_UNIX based device.
Definition tun_afunix.c:123
tun_afunix.h
is_tun_afunix
static bool is_tun_afunix(const char *devnode)
Checks whether a –dev-node parameter specifies a AF_UNIX device.
Definition tun_afunix.h:61
win32_signal_open
void win32_signal_open(struct win32_signal *ws, int force, const char *exit_event_name, bool exit_event_initial_state)
Definition win32.c:452
win_wfp_block
bool win_wfp_block(const NET_IFINDEX index, const HANDLE msg_channel, BOOL dns_only)
Definition win32.c:1202
window_title_generate
void window_title_generate(const char *title)
Definition win32.c:723
window_title_save
void window_title_save(struct window_title *wt)
Definition win32.c:697
win_wfp_uninit
bool win_wfp_uninit(const NET_IFINDEX index, const HANDLE msg_channel)
Definition win32.c:1251
init_win32
void init_win32(void)
Definition win32.c:107
WSO_MODE_CONSOLE
#define WSO_MODE_CONSOLE
Definition win32.h:159
WSO_FORCE_SERVICE
#define WSO_FORCE_SERVICE
Definition win32.h:173
WSO_FORCE_CONSOLE
#define WSO_FORCE_CONSOLE
Definition win32.h:174
Generated by doxygen 1.9.8