OpenVPN
init.c
Go to the documentation of this file.
1/*
2 * OpenVPN -- An application to securely tunnel IP networks
3 * over a single TCP/UDP port, with support for SSL/TLS-based
4 * session authentication and key exchange,
5 * packet encryption, packet authentication, and
6 * packet compression.
7 *
8 * Copyright (C) 2002-2024 OpenVPN Inc <sales@openvpn.net>
9 *
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License version 2
12 * as published by the Free Software Foundation.
13 *
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
18 *
19 * You should have received a copy of the GNU General Public License along
20 * with this program; if not, write to the Free Software Foundation, Inc.,
21 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22 */
23
24#ifdef HAVE_CONFIG_H
25#include "config.h"
26#endif
27
28#include "syshead.h"
29
30#ifdef ENABLE_SYSTEMD
31#include <systemd/sd-daemon.h>
32#endif
33
34#include "win32.h"
35#include "init.h"
36#include "run_command.h"
37#include "sig.h"
38#include "occ.h"
39#include "list.h"
40#include "otime.h"
41#include "pool.h"
42#include "gremlin.h"
43#include "occ.h"
44#include "pkcs11.h"
45#include "ps.h"
46#include "lladdr.h"
47#include "ping.h"
48#include "mstats.h"
49#include "ssl_verify.h"
50#include "ssl_ncp.h"
51#include "tls_crypt.h"
52#include "forward.h"
53#include "auth_token.h"
54#include "mss.h"
55#include "mudp.h"
56#include "dco.h"
57#include "tun_afunix.h"
58
59#include "memdbg.h"
60
61
62static struct context *static_context; /* GLOBAL */
63static const char *saved_pid_file_name; /* GLOBAL */
64
65/*
66 * Crypto initialization flags
67 */
68#define CF_LOAD_PERSISTED_PACKET_ID (1<<0)
69#define CF_INIT_TLS_MULTI (1<<1)
70#define CF_INIT_TLS_AUTH_STANDALONE (1<<2)
71
72static void do_init_first_time(struct context *c);
73
74static bool do_deferred_p2p_ncp(struct context *c);
75
76void
77context_clear(struct context *c)
78{
79 CLEAR(*c);
80}
81
82void
83context_clear_1(struct context *c)
84{
85 CLEAR(c->c1);
86}
87
88void
89context_clear_2(struct context *c)
90{
91 CLEAR(c->c2);
92}
93
94void
95context_clear_all_except_first_time(struct context *c)
96{
97 const bool first_time_save = c->first_time;
98 const struct context_persist cpsave = c->persist;
99 context_clear(c);
100 c->first_time = first_time_save;
101 c->persist = cpsave;
102}
103
104/*
105 * Pass tunnel endpoint and MTU parms to a user-supplied script.
106 * Used to execute the up/down script/plugins.
107 */
108static void
109run_up_down(const char *command,
110 const struct plugin_list *plugins,
111 int plugin_type,
112 const char *arg,
113#ifdef _WIN32
114 DWORD adapter_index,
115#endif
116 const char *dev_type,
117 int tun_mtu,
118 const char *ifconfig_local,
119 const char *ifconfig_remote,
120 const char *context,
121 const char *signal_text,
122 const char *script_type,
123 struct env_set *es)
124{
125 struct gc_arena gc = gc_new();
126
127 if (signal_text)
128 {
129 setenv_str(es, "signal", signal_text);
130 }
131 setenv_str(es, "script_context", context);
132 setenv_int(es, "tun_mtu", tun_mtu);
133 setenv_str(es, "dev", arg);
134 if (dev_type)
135 {
136 setenv_str(es, "dev_type", dev_type);
137 }
138#ifdef _WIN32
139 setenv_int(es, "dev_idx", adapter_index);
140#endif
141
142 if (!ifconfig_local)
143 {
144 ifconfig_local = "";
145 }
146 if (!ifconfig_remote)
147 {
148 ifconfig_remote = "";
149 }
150 if (!context)
151 {
152 context = "";
153 }
154
155 if (plugin_defined(plugins, plugin_type))
156 {
157 struct argv argv = argv_new();
158 ASSERT(arg);
159 argv_printf(&argv,
160 "%s %d 0 %s %s %s",
161 arg, tun_mtu, ifconfig_local, ifconfig_remote, context);
162
163 if (plugin_call(plugins, plugin_type, &argv, NULL, es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
164 {
165 msg(M_FATAL, "ERROR: up/down plugin call failed");
166 }
167
168 argv_free(&argv);
169 }
170
171 if (command)
172 {
173 struct argv argv = argv_new();
174 ASSERT(arg);
175 setenv_str(es, "script_type", script_type);
176 argv_parse_cmd(&argv, command);
177 argv_printf_cat(&argv, "%s %d 0 %s %s %s", arg, tun_mtu,
178 ifconfig_local, ifconfig_remote, context);
179 argv_msg(M_INFO, &argv);
180 openvpn_run_script(&argv, es, S_FATAL, "--up/--down");
181 argv_free(&argv);
182 }
183
184 gc_free(&gc);
185}
186
187/*
188 * Should be called after options->ce is modified at the top
189 * of a SIGUSR1 restart.
190 */
191static void
192update_options_ce_post(struct options *options)
193{
194 /*
195 * In pull mode, we usually import --ping/--ping-restart parameters from
196 * the server. However we should also set an initial default --ping-restart
197 * for the period of time before we pull the --ping-restart parameter
198 * from the server.
199 */
200 if (options->pull
201 && options->ping_rec_timeout_action == PING_UNDEF
202 && proto_is_dgram(options->ce.proto))
203 {
204 options->ping_rec_timeout = PRE_PULL_INITIAL_PING_RESTART;
205 options->ping_rec_timeout_action = PING_RESTART;
206 }
207}
208
209#ifdef ENABLE_MANAGEMENT
210static bool
211management_callback_proxy_cmd(void *arg, const char **p)
212{
213 struct context *c = arg;
214 struct connection_entry *ce = &c->options.ce;
215 struct gc_arena *gc = &c->c2.gc;
216 bool ret = false;
217
218 update_time();
219 if (streq(p[1], "NONE"))
220 {
221 ret = true;
222 }
223 else if (p[2] && p[3])
224 {
225 if (streq(p[1], "HTTP"))
226 {
227 struct http_proxy_options *ho;
228 if (ce->proto != PROTO_TCP && ce->proto != PROTO_TCP_CLIENT)
229 {
230 msg(M_WARN, "HTTP proxy support only works for TCP based connections");
231 return false;
232 }
233 ho = init_http_proxy_options_once(&ce->http_proxy_options, gc);
234 ho->server = string_alloc(p[2], gc);
235 ho->port = string_alloc(p[3], gc);
236 ho->auth_retry = (p[4] && streq(p[4], "nct") ? PAR_NCT : PAR_ALL);
237 ret = true;
238 }
239 else if (streq(p[1], "SOCKS"))
240 {
241 ce->socks_proxy_server = string_alloc(p[2], gc);
242 ce->socks_proxy_port = string_alloc(p[3], gc);
243 ret = true;
244 }
245 }
246 else
247 {
248 msg(M_WARN, "Bad proxy command");
249 }
250
251 ce->flags &= ~CE_MAN_QUERY_PROXY;
252
253 return ret;
254}
255
256static bool
257ce_management_query_proxy(struct context *c)
258{
259 const struct connection_list *l = c->options.connection_list;
260 struct connection_entry *ce = &c->options.ce;
261 struct gc_arena gc;
262 bool ret = true;
263
264 update_time();
265 if (management)
266 {
267 gc = gc_new();
268 {
269 struct buffer out = alloc_buf_gc(256, &gc);
270 buf_printf(&out, ">PROXY:%u,%s,%s", (l ? l->current : 0) + 1,
271 (proto_is_udp(ce->proto) ? "UDP" : "TCP"), np(ce->remote));
272 management_notify_generic(management, BSTR(&out));
273 management->persist.special_state_msg = BSTR(&out);
274 }
275 ce->flags |= CE_MAN_QUERY_PROXY;
276 while (ce->flags & CE_MAN_QUERY_PROXY)
277 {
278 management_event_loop_n_seconds(management, 1);
279 if (IS_SIG(c))
280 {
281 ret = false;
282 break;
283 }
284 }
285 management->persist.special_state_msg = NULL;
286 gc_free(&gc);
287 }
288
289 return ret;
290}
291
306static bool
307management_callback_send_cc_message(void *arg,
308 const char *command,
309 const char *parameters)
310{
311 struct context *c = (struct context *) arg;
312 size_t len = strlen(command) + 1 + strlen(parameters) + 1;
313 if (len > PUSH_BUNDLE_SIZE)
314 {
315 return false;
316 }
317
318 struct gc_arena gc = gc_new();
319 struct buffer buf = alloc_buf_gc(len, &gc);
320 ASSERT(buf_printf(&buf, "%s", command));
321 if (parameters)
322 {
323 ASSERT(buf_printf(&buf, ",%s", parameters));
324 }
325 bool status = send_control_channel_string(c, BSTR(&buf), D_PUSH);
326
327 gc_free(&gc);
328 return status;
329}
330
331static unsigned int
332management_callback_remote_entry_count(void *arg)
333{
334 assert(arg);
335 struct context *c = (struct context *) arg;
336 struct connection_list *l = c->options.connection_list;
337
338 return l->len;
339}
340
341static bool
342management_callback_remote_entry_get(void *arg, unsigned int index, char **remote)
343{
344 assert(arg);
345 assert(remote);
346
347 struct context *c = (struct context *) arg;
348 struct connection_list *l = c->options.connection_list;
349 bool ret = true;
350
351 if (index < l->len)
352 {
353 struct connection_entry *ce = l->array[index];
354 const char *proto = proto2ascii(ce->proto, ce->af, false);
355 const char *status = (ce->flags & CE_DISABLED) ? "disabled" : "enabled";
356
357 /* space for output including 3 commas and a nul */
358 int len = strlen(ce->remote) + strlen(ce->remote_port) + strlen(proto)
359 + strlen(status) + 3 + 1;
360 char *out = malloc(len);
361 check_malloc_return(out);
362
363 snprintf(out, len, "%s,%s,%s,%s", ce->remote, ce->remote_port, proto, status);
364 *remote = out;
365 }
366 else
367 {
368 ret = false;
369 msg(M_WARN, "Out of bounds index in management query for remote entry: index = %u", index);
370 }
371
372 return ret;
373}
374
375static bool
376management_callback_remote_cmd(void *arg, const char **p)
377{
378 struct context *c = (struct context *) arg;
379 struct connection_entry *ce = &c->options.ce;
380 int ret = false;
381 if (p[1] && ((ce->flags>>CE_MAN_QUERY_REMOTE_SHIFT)&CE_MAN_QUERY_REMOTE_MASK) == CE_MAN_QUERY_REMOTE_QUERY)
382 {
383 int flags = 0;
384 if (!strcmp(p[1], "ACCEPT"))
385 {
386 flags = CE_MAN_QUERY_REMOTE_ACCEPT;
387 ret = true;
388 }
389 else if (!strcmp(p[1], "SKIP"))
390 {
391 flags = CE_MAN_QUERY_REMOTE_SKIP;
392 ret = true;
393 c->options.ce_advance_count = (p[2]) ? atoi(p[2]) : 1;
394 }
395 else if (!strcmp(p[1], "MOD") && p[2] && p[3])
396 {
397 if (strlen(p[2]) < RH_HOST_LEN && strlen(p[3]) < RH_PORT_LEN)
398 {
399 struct remote_host_store *rhs = c->options.rh_store;
400 if (!rhs)
401 {
402 ALLOC_OBJ_CLEAR_GC(rhs, struct remote_host_store, &c->options.gc);
403 c->options.rh_store = rhs;
404 }
405 strncpynt(rhs->host, p[2], RH_HOST_LEN);
406 strncpynt(rhs->port, p[3], RH_PORT_LEN);
407
408 ce->remote = rhs->host;
409 ce->remote_port = rhs->port;
410 flags = CE_MAN_QUERY_REMOTE_MOD;
411 ret = true;
412 }
413 }
414 if (ret)
415 {
416 ce->flags &= ~(CE_MAN_QUERY_REMOTE_MASK<<CE_MAN_QUERY_REMOTE_SHIFT);
417 ce->flags |= ((flags&CE_MAN_QUERY_REMOTE_MASK)<<CE_MAN_QUERY_REMOTE_SHIFT);
418 }
419 }
420 return ret;
421}
422
423static bool
424ce_management_query_remote(struct context *c)
425{
426 struct gc_arena gc = gc_new();
427 volatile struct connection_entry *ce = &c->options.ce;
428 int ce_changed = true; /* presume the connection entry will be changed */
429
430 update_time();
431 if (management)
432 {
433 struct buffer out = alloc_buf_gc(256, &gc);
434
435 buf_printf(&out, ">REMOTE:%s,%s,%s", np(ce->remote), ce->remote_port,
436 proto2ascii(ce->proto, ce->af, false));
437 management_notify_generic(management, BSTR(&out));
438 management->persist.special_state_msg = BSTR(&out);
439
440 ce->flags &= ~(CE_MAN_QUERY_REMOTE_MASK << CE_MAN_QUERY_REMOTE_SHIFT);
441 ce->flags |= (CE_MAN_QUERY_REMOTE_QUERY << CE_MAN_QUERY_REMOTE_SHIFT);
442 while (((ce->flags >> CE_MAN_QUERY_REMOTE_SHIFT)
443 & CE_MAN_QUERY_REMOTE_MASK) == CE_MAN_QUERY_REMOTE_QUERY)
444 {
445 management_event_loop_n_seconds(management, 1);
446 if (IS_SIG(c))
447 {
448 ce_changed = false; /* connection entry have not been set */
449 break;
450 }
451 }
452 management->persist.special_state_msg = NULL;
453 }
454 gc_free(&gc);
455
456 if (ce_changed)
457 {
458 /* If it is likely a connection entry was modified,
459 * check what changed in the flags and that it was not skipped
460 */
461 const int flags = ((ce->flags >> CE_MAN_QUERY_REMOTE_SHIFT)
462 & CE_MAN_QUERY_REMOTE_MASK);
463 ce_changed = (flags != CE_MAN_QUERY_REMOTE_SKIP);
464 }
465 return ce_changed;
466}
467#endif /* ENABLE_MANAGEMENT */
468
469/*
470 * Initialize and possibly randomize the connection list.
471 *
472 * Applies the Fisher-Yates shuffle algorithm to ensure all permutations
473 * are equally probable, thereby eliminating shuffling bias.
474 *
475 * The algorithm randomly selects an element from the unshuffled portion
476 * and places it at position i. There's only one way to obtain each
477 * permutation through these swaps. This guarantees that each permutation
478 * occurs with equal probability in theory.
479 */
480static void
481init_connection_list(struct context *c)
482{
483 struct connection_list *l = c->options.connection_list;
484
485 l->current = -1;
486 if (c->options.remote_random)
487 {
488 int i;
489 for (i = l->len - 1; i > 0; --i)
490 {
491 const int j = get_random() % (i + 1);
492 if (i != j)
493 {
494 struct connection_entry *tmp;
495 tmp = l->array[i];
496 l->array[i] = l->array[j];
497 l->array[j] = tmp;
498 }
499 }
500 }
501}
502
503/*
504 * Clear the remote address list
505 */
506static void
507clear_remote_addrlist(struct link_socket_addr *lsa, bool free)
508{
509 if (lsa->remote_list && free)
510 {
511 freeaddrinfo(lsa->remote_list);
512 }
513 lsa->remote_list = NULL;
514 lsa->current_remote = NULL;
515}
516
517/*
518 * Increment to next connection entry
519 */
520static void
521next_connection_entry(struct context *c)
522{
523 struct connection_list *l = c->options.connection_list;
524 bool ce_defined;
525 struct connection_entry *ce;
526 int n_cycles = 0;
527
528 do
529 {
530 ce_defined = true;
531 if (c->options.no_advance && l->current >= 0)
532 {
533 c->options.no_advance = false;
534 }
535 else
536 {
537 /* Check if there is another resolved address to try for
538 * the current connection */
539 if (c->c1.link_socket_addrs[0].current_remote
540 && c->c1.link_socket_addrs[0].current_remote->ai_next
541 && !c->options.advance_next_remote)
542 {
543 c->c1.link_socket_addrs[0].current_remote =
544 c->c1.link_socket_addrs[0].current_remote->ai_next;
545 }
546 else
547 {
548 c->options.advance_next_remote = false;
549 /* FIXME (schwabe) fix the persist-remote-ip option for real,
550 * this is broken probably ever since connection lists and multiple
551 * remote existed
552 */
553 if (!c->options.persist_remote_ip)
554 {
555 /* Connection entry addrinfo objects might have been
556 * resolved earlier but the entry itself might have been
557 * skipped by management on the previous loop.
558 * If so, clear the addrinfo objects as close_instance does
559 */
560 if (c->c1.link_socket_addrs[0].remote_list)
561 {
562 clear_remote_addrlist(&c->c1.link_socket_addrs[0],
563 !c->options.resolve_in_advance);
564 }
565
566 /* close_instance should have cleared the addrinfo objects */
567 ASSERT(c->c1.link_socket_addrs[0].current_remote == NULL);
568 ASSERT(c->c1.link_socket_addrs[0].remote_list == NULL);
569 }
570 else
571 {
572 c->c1.link_socket_addrs[0].current_remote =
573 c->c1.link_socket_addrs[0].remote_list;
574 }
575
576 int advance_count = 1;
577
578 /* If previous connection entry was skipped by management client
579 * with a count to advance by, apply it.
580 */
581 if (c->options.ce_advance_count > 0)
582 {
583 advance_count = c->options.ce_advance_count;
584 }
585
586 /*
587 * Increase the number of connection attempts
588 * If this is connect-retry-max * size(l)
589 * OpenVPN will quit
590 */
591
592 c->options.unsuccessful_attempts += advance_count;
593 l->current += advance_count;
594
595 if (l->current >= l->len)
596 {
597 l->current %= l->len;
598 if (++n_cycles >= 2)
599 {
600 msg(M_FATAL, "No usable connection profiles are present");
601 }
602 }
603 }
604 }
605
606 c->options.ce_advance_count = 1;
607 ce = l->array[l->current];
608
609 if (ce->flags & CE_DISABLED)
610 {
611 ce_defined = false;
612 }
613
614 c->options.ce = *ce;
615
616#ifdef ENABLE_MANAGEMENT
617 if (ce_defined && management && management_query_remote_enabled(management))
618 {
619 /* allow management interface to override connection entry details */
620 ce_defined = ce_management_query_remote(c);
621 if (IS_SIG(c))
622 {
623 break;
624 }
625 }
626 else if (ce_defined && management && management_query_proxy_enabled(management))
627 {
628 ce_defined = ce_management_query_proxy(c);
629 if (IS_SIG(c))
630 {
631 break;
632 }
633 }
634#endif
635 } while (!ce_defined);
636
637 /* Check if this connection attempt would bring us over the limit */
638 if (c->options.connect_retry_max > 0
639 && c->options.unsuccessful_attempts > (l->len * c->options.connect_retry_max))
640 {
641 msg(M_FATAL, "All connections have been connect-retry-max (%d) times unsuccessful, exiting",
642 c->options.connect_retry_max);
643 }
644 update_options_ce_post(&c->options);
645}
646
647/*
648 * Query for private key and auth-user-pass username/passwords
649 */
650void
651init_query_passwords(const struct context *c)
652{
653 /* Certificate password input */
654 if (c->options.key_pass_file)
655 {
656 pem_password_setup(c->options.key_pass_file);
657 }
658
659 /* Auth user/pass input */
660 if (c->options.auth_user_pass_file)
661 {
662 enable_auth_user_pass();
663#ifdef ENABLE_MANAGEMENT
664 auth_user_pass_setup(c->options.auth_user_pass_file,
665 c->options.auth_user_pass_file_inline,
666 &c->options.sc_info);
667#else
668 auth_user_pass_setup(c->options.auth_user_pass_file,
669 c->options.auth_user_pass_file_inline, NULL);
670#endif
671 }
672}
673
674/*
675 * Initialize/Uninitialize HTTP or SOCKS proxy
676 */
677
678static void
679uninit_proxy_dowork(struct context *c)
680{
681 if (c->c1.http_proxy_owned && c->c1.http_proxy)
682 {
683 http_proxy_close(c->c1.http_proxy);
684 c->c1.http_proxy = NULL;
685 c->c1.http_proxy_owned = false;
686 }
687 if (c->c1.socks_proxy_owned && c->c1.socks_proxy)
688 {
689 socks_proxy_close(c->c1.socks_proxy);
690 c->c1.socks_proxy = NULL;
691 c->c1.socks_proxy_owned = false;
692 }
693}
694
695static void
696init_proxy_dowork(struct context *c)
697{
698 bool did_http = false;
699
700 uninit_proxy_dowork(c);
701
702 if (c->options.ce.http_proxy_options)
703 {
704 c->options.ce.http_proxy_options->first_time = c->first_time;
705
706 /* Possible HTTP proxy user/pass input */
707 c->c1.http_proxy = http_proxy_new(c->options.ce.http_proxy_options);
708 if (c->c1.http_proxy)
709 {
710 did_http = true;
711 c->c1.http_proxy_owned = true;
712 }
713 }
714
715 if (!did_http && c->options.ce.socks_proxy_server)
716 {
717 c->c1.socks_proxy = socks_proxy_new(c->options.ce.socks_proxy_server,
718 c->options.ce.socks_proxy_port,
719 c->options.ce.socks_proxy_authfile);
720 if (c->c1.socks_proxy)
721 {
722 c->c1.socks_proxy_owned = true;
723 }
724 }
725}
726
727static void
728init_proxy(struct context *c)
729{
730 init_proxy_dowork(c);
731}
732
733static void
734uninit_proxy(struct context *c)
735{
736 uninit_proxy_dowork(c);
737}
738
739static void
745
746void
747context_init_1(struct context *c)
748{
749 context_clear_1(c);
750
751 packet_id_persist_init(&c->c1.pid_persist);
752
753 init_connection_list(c);
754
755 c->c1.link_sockets_num = c->options.ce.local_list->len;
756
757 do_link_socket_addr_new(c);
758
759#if defined(ENABLE_PKCS11)
760 if (c->first_time)
761 {
762 int i;
763 pkcs11_initialize(true, c->options.pkcs11_pin_cache_period);
764 for (i = 0; i<MAX_PARMS && c->options.pkcs11_providers[i] != NULL; i++)
765 {
766 pkcs11_addProvider(c->options.pkcs11_providers[i], c->options.pkcs11_protected_authentication[i],
767 c->options.pkcs11_private_mode[i], c->options.pkcs11_cert_private[i]);
768 }
769 }
770#endif
771
772#if 0 /* test get_user_pass with GET_USER_PASS_NEED_OK flag */
773 {
774 /*
775 * In the management interface, you can okay the request by entering "needok token-insertion-request ok"
776 */
777 struct user_pass up;
778 CLEAR(up);
779 strcpy(up.username, "Please insert your cryptographic token"); /* put the high-level message in up.username */
780 get_user_pass(&up, NULL, "token-insertion-request", GET_USER_PASS_MANAGEMENT|GET_USER_PASS_NEED_OK);
781 msg(M_INFO, "RET:%s", up.password); /* will return the third argument to management interface
782 * 'needok' command, usually 'ok' or 'cancel'. */
783 }
784#endif
785
786#ifdef ENABLE_SYSTEMD
787 /* We can report the PID via getpid() to systemd here as OpenVPN will not
788 * do any fork due to daemon() a future call.
789 * See possibly_become_daemon() [init.c] for more details.
790 */
791 sd_notifyf(0, "READY=1\nSTATUS=Pre-connection initialization successful\nMAINPID=%lu",
792 (unsigned long) getpid());
793#endif
794
795}
796
797void
798context_gc_free(struct context *c)
799{
800 gc_free(&c->c2.gc);
801 gc_free(&c->options.gc);
802 gc_free(&c->gc);
803}
804
805#if PORT_SHARE
806
807static void
808close_port_share(void)
809{
810 if (port_share)
811 {
812 port_share_close(port_share);
813 port_share = NULL;
814 }
815}
816
817static void
818init_port_share(struct context *c)
819{
820 if (!port_share && (c->options.port_share_host && c->options.port_share_port))
821 {
822 port_share = port_share_open(c->options.port_share_host,
823 c->options.port_share_port,
824 c->c2.frame.buf.payload_size,
825 c->options.port_share_journal_dir);
826 if (port_share == NULL)
827 {
828 msg(M_FATAL, "Fatal error: Port sharing failed");
829 }
830 }
831}
832
833#endif /* if PORT_SHARE */
834
835
836bool
837init_static(void)
838{
839#if defined(DMALLOC)
840 crypto_init_dmalloc();
841#endif
842
843
844 /*
845 * Initialize random number seed. random() is only used
846 * when "weak" random numbers are acceptable.
847 * SSL library routines are always used when cryptographically
848 * strong random numbers are required.
849 */
850 struct timeval tv;
851 if (!gettimeofday(&tv, NULL))
852 {
853 const unsigned int seed = (unsigned int) tv.tv_sec ^ tv.tv_usec;
854 srandom(seed);
855 }
856
857 error_reset(); /* initialize error.c */
858 reset_check_status(); /* initialize status check code in socket.c */
859
860#ifdef _WIN32
861 init_win32();
862#endif
863
864#ifdef OPENVPN_DEBUG_COMMAND_LINE
865 {
866 int i;
867 for (i = 0; i < argc; ++i)
868 {
869 msg(M_INFO, "argv[%d] = '%s'", i, argv[i]);
870 }
871 }
872#endif
873
874 update_time();
875
876 init_ssl_lib();
877
878#ifdef SCHEDULE_TEST
879 schedule_test();
880 return false;
881#endif
882
883#ifdef IFCONFIG_POOL_TEST
884 ifconfig_pool_test(0x0A010004, 0x0A0100FF);
885 return false;
886#endif
887
888#ifdef TIME_TEST
889 time_test();
890 return false;
891#endif
892
893#ifdef GEN_PATH_TEST
894 {
895 struct gc_arena gc = gc_new();
896 const char *fn = gen_path("foo",
897 "bar",
898 &gc);
899 printf("%s\n", fn);
900 gc_free(&gc);
901 }
902 return false;
903#endif
904
905#ifdef STATUS_PRINTF_TEST
906 {
907 struct gc_arena gc = gc_new();
908 const char *tmp_file = platform_create_temp_file("/tmp", "foo", &gc);
909 struct status_output *so = status_open(tmp_file, 0, -1, NULL, STATUS_OUTPUT_WRITE);
910 status_printf(so, "%s", "foo");
911 status_printf(so, "%s", "bar");
912 if (!status_close(so))
913 {
914 msg(M_WARN, "STATUS_PRINTF_TEST: %s: write error", tmp_file);
915 }
916 gc_free(&gc);
917 }
918 return false;
919#endif
920
921#ifdef MSTATS_TEST
922 {
923 int i;
924 mstats_open("/dev/shm/mstats.dat");
925 for (i = 0; i < 30; ++i)
926 {
927 mmap_stats->n_clients += 1;
928 mmap_stats->link_write_bytes += 8;
929 mmap_stats->link_read_bytes += 16;
930 sleep(1);
931 }
932 mstats_close();
933 return false;
934 }
935#endif
936
937 return true;
938}
939
940void
941uninit_static(void)
942{
943 free_ssl_lib();
944
945#ifdef ENABLE_PKCS11
946 pkcs11_terminate();
947#endif
948
949#if PORT_SHARE
950 close_port_share();
951#endif
952
953#if defined(MEASURE_TLS_HANDSHAKE_STATS)
954 show_tls_performance_stats();
955#endif
956}
957
958void
959init_verb_mute(struct context *c, unsigned int flags)
960{
961 if (flags & IVM_LEVEL_1)
962 {
963 /* set verbosity and mute levels */
964 set_check_status(D_LINK_ERRORS, D_READ_WRITE);
965 set_debug_level(c->options.verbosity, SDL_CONSTRAIN);
966 set_mute_cutoff(c->options.mute);
967 }
968
969 /* special D_LOG_RW mode */
970 if (flags & IVM_LEVEL_2)
971 {
972 c->c2.log_rw = (check_debug_level(D_LOG_RW) && !check_debug_level(D_LOG_RW + 1));
973 }
974}
975
976/*
977 * Possibly set --dev based on --dev-node.
978 * For example, if --dev-node /tmp/foo/tun, and --dev undefined,
979 * set --dev to tun.
980 */
981void
982init_options_dev(struct options *options)
983{
984 if (!options->dev && options->dev_node)
985 {
986 char *dev_node = string_alloc(options->dev_node, NULL); /* POSIX basename() implementations may modify its arguments */
987 options->dev = basename(dev_node);
988 }
989}
990
991bool
992print_openssl_info(const struct options *options)
993{
994 /*
995 * OpenSSL info print mode?
996 */
997 if (options->show_ciphers || options->show_digests || options->show_engines
998 || options->show_tls_ciphers || options->show_curves)
999 {
1000 if (options->show_ciphers)
1001 {
1002 show_available_ciphers();
1003 }
1004 if (options->show_digests)
1005 {
1006 show_available_digests();
1007 }
1008 if (options->show_engines)
1009 {
1010 show_available_engines();
1011 }
1012 if (options->show_tls_ciphers)
1013 {
1014 show_available_tls_ciphers(options->cipher_list,
1015 options->cipher_list_tls13,
1016 options->tls_cert_profile);
1017 }
1018 if (options->show_curves)
1019 {
1020 show_available_curves();
1021 }
1022 return true;
1023 }
1024 return false;
1025}
1026
1027/*
1028 * Static pre-shared key generation mode?
1029 */
1030bool
1031do_genkey(const struct options *options)
1032{
1033 /* should we disable paging? */
1034 if (options->mlock && (options->genkey))
1035 {
1036 platform_mlockall(true);
1037 }
1038
1039 /*
1040 * We do not want user to use --genkey with --secret. In the transistion
1041 * phase we for secret.
1042 */
1043 if (options->genkey && options->genkey_type != GENKEY_SECRET
1044 && options->shared_secret_file)
1045 {
1046 msg(M_USAGE, "Using --genkey type with --secret filename is "
1047 "not supported. Use --genkey type filename instead.");
1048 }
1049 if (options->genkey && options->genkey_type == GENKEY_SECRET)
1050 {
1051 int nbits_written;
1052 const char *genkey_filename = options->genkey_filename;
1053 if (options->shared_secret_file && options->genkey_filename)
1054 {
1055 msg(M_USAGE, "You must provide a filename to either --genkey "
1056 "or --secret, not both");
1057 }
1058
1059 /*
1060 * Copy filename from shared_secret_file to genkey_filename to support
1061 * the old --genkey --secret foo.file syntax.
1062 */
1063 if (options->shared_secret_file)
1064 {
1065 msg(M_WARN, "WARNING: Using --genkey --secret filename is "
1066 "DEPRECATED. Use --genkey secret filename instead.");
1067 genkey_filename = options->shared_secret_file;
1068 }
1069
1070 nbits_written = write_key_file(2, genkey_filename);
1071 if (nbits_written < 0)
1072 {
1073 msg(M_FATAL, "Failed to write key file");
1074 }
1075
1076 msg(D_GENKEY | M_NOPREFIX,
1077 "Randomly generated %d bit key written to %s", nbits_written,
1078 options->shared_secret_file);
1079 return true;
1080 }
1081 else if (options->genkey && options->genkey_type == GENKEY_TLS_CRYPTV2_SERVER)
1082 {
1083 tls_crypt_v2_write_server_key_file(options->genkey_filename);
1084 return true;
1085 }
1086 else if (options->genkey && options->genkey_type == GENKEY_TLS_CRYPTV2_CLIENT)
1087 {
1088 if (!options->tls_crypt_v2_file)
1089 {
1090 msg(M_USAGE,
1091 "--genkey tls-crypt-v2-client requires a server key to be set via --tls-crypt-v2 to create a client key");
1092 }
1093
1094 tls_crypt_v2_write_client_key_file(options->genkey_filename,
1095 options->genkey_extra_data, options->tls_crypt_v2_file,
1096 options->tls_crypt_v2_file_inline);
1097 return true;
1098 }
1099 else if (options->genkey && options->genkey_type == GENKEY_AUTH_TOKEN)
1100 {
1101 auth_token_write_server_key_file(options->genkey_filename);
1102 return true;
1103 }
1104 else
1105 {
1106 return false;
1107 }
1108}
1109
1110/*
1111 * Persistent TUN/TAP device management mode?
1112 */
1113bool
1114do_persist_tuntap(struct options *options, openvpn_net_ctx_t *ctx)
1115{
1116 if (!options->persist_config)
1117 {
1118 return false;
1119 }
1120
1121 /* sanity check on options for --mktun or --rmtun */
1122 notnull(options->dev, "TUN/TAP device (--dev)");
1123 if (options->ce.remote || options->ifconfig_local
1124 || options->ifconfig_remote_netmask
1125 || options->shared_secret_file
1126 || options->tls_server || options->tls_client
1127 )
1128 {
1129 msg(M_FATAL|M_OPTERR,
1130 "options --mktun or --rmtun should only be used together with --dev");
1131 }
1132
1133#if defined(ENABLE_DCO)
1134 if (dco_enabled(options))
1135 {
1136 /* creating a DCO interface via --mktun is not supported as it does not
1137 * make much sense. Since DCO is enabled by default, people may run into
1138 * this without knowing, therefore this case should be properly handled.
1139 *
1140 * Disable DCO if --mktun was provided and print a message to let
1141 * user know.
1142 */
1143 if (dev_type_enum(options->dev, options->dev_type) == DEV_TYPE_TUN)
1144 {
1145 msg(M_WARN, "Note: --mktun does not support DCO. Creating TUN interface.");
1146 }
1147
1148 options->disable_dco = true;
1149 }
1150#endif
1151
1152#ifdef ENABLE_FEATURE_TUN_PERSIST
1153 tuncfg(options->dev, options->dev_type, options->dev_node,
1154 options->persist_mode,
1155 options->username, options->groupname, &options->tuntap_options,
1156 ctx);
1157 if (options->persist_mode && options->lladdr)
1158 {
1159 set_lladdr(ctx, options->dev, options->lladdr, NULL);
1160 }
1161 return true;
1162#else /* ifdef ENABLE_FEATURE_TUN_PERSIST */
1163 msg(M_FATAL|M_OPTERR,
1164 "options --mktun and --rmtun are not available on your operating "
1165 "system. Please check 'man tun' (or 'tap'), whether your system "
1166 "supports using 'ifconfig %s create' / 'destroy' to create/remove "
1167 "persistent tunnel interfaces.", options->dev );
1168#endif
1169 return false;
1170}
1171
1172/*
1173 * Should we become a daemon?
1174 * Return true if we did it.
1175 */
1176bool
1177possibly_become_daemon(const struct options *options)
1178{
1179 bool ret = false;
1180
1181#ifdef ENABLE_SYSTEMD
1182 /* return without forking if we are running from systemd */
1183 if (sd_notify(0, "READY=0") > 0)
1184 {
1185 return ret;
1186 }
1187#endif
1188
1189 if (options->daemon)
1190 {
1191 /* Don't chdir immediately, but the end of the init sequence, if needed */
1192
1193#if defined(__APPLE__) && defined(__clang__)
1194#pragma clang diagnostic push
1195#pragma clang diagnostic ignored "-Wdeprecated-declarations"
1196#endif
1197 if (daemon(1, options->log) < 0)
1198 {
1199 msg(M_ERR, "daemon() failed or unsupported");
1200 }
1201#if defined(__APPLE__) && defined(__clang__)
1202#pragma clang diagnostic pop
1203#endif
1204 restore_signal_state();
1205 if (options->log)
1206 {
1207 set_std_files_to_null(true);
1208 }
1209
1210 ret = true;
1211 }
1212 return ret;
1213}
1214
1215/*
1216 * Actually do UID/GID downgrade, chroot and SELinux context switching, if requested.
1217 */
1218static void
1219do_uid_gid_chroot(struct context *c, bool no_delay)
1220{
1221 static const char why_not[] = "will be delayed because of --client, --pull, or --up-delay";
1222 struct context_0 *c0 = c->c0;
1223
1224 if (c0 && !c0->uid_gid_chroot_set)
1225 {
1226 /* chroot if requested */
1227 if (c->options.chroot_dir)
1228 {
1229 if (no_delay)
1230 {
1231 platform_chroot(c->options.chroot_dir);
1232 }
1233 else if (c->first_time)
1234 {
1235 msg(M_INFO, "NOTE: chroot %s", why_not);
1236 }
1237 }
1238
1239 /* set user and/or group if we want to setuid/setgid */
1240 if (c0->uid_gid_specified)
1241 {
1242 if (no_delay)
1243 {
1244 platform_user_group_set(&c0->platform_state_user,
1245 &c0->platform_state_group,
1246 c);
1247 }
1248 else if (c->first_time)
1249 {
1250 msg(M_INFO, "NOTE: UID/GID downgrade %s", why_not);
1251 }
1252 }
1253
1254#ifdef ENABLE_MEMSTATS
1255 if (c->first_time && c->options.memstats_fn)
1256 {
1257 mstats_open(c->options.memstats_fn);
1258 }
1259#endif
1260
1261#ifdef ENABLE_SELINUX
1262 /* Apply a SELinux context in order to restrict what OpenVPN can do
1263 * to _only_ what it is supposed to do after initialization is complete
1264 * (basically just network I/O operations). Doing it after chroot
1265 * requires /proc to be mounted in the chroot (which is annoying indeed
1266 * but doing it before requires more complex SELinux policies.
1267 */
1268 if (c->options.selinux_context)
1269 {
1270 if (no_delay)
1271 {
1272 if (-1 == setcon(c->options.selinux_context))
1273 {
1274 msg(M_ERR, "setcon to '%s' failed; is /proc accessible?", c->options.selinux_context);
1275 }
1276 else
1277 {
1278 msg(M_INFO, "setcon to '%s' succeeded", c->options.selinux_context);
1279 }
1280 }
1281 else if (c->first_time)
1282 {
1283 msg(M_INFO, "NOTE: setcon %s", why_not);
1284 }
1285 }
1286#endif
1287
1288 /* Privileges are going to be dropped by now (if requested), be sure
1289 * to prevent any future privilege dropping attempts from now on.
1290 */
1291 if (no_delay)
1292 {
1293 c0->uid_gid_chroot_set = true;
1294 }
1295 }
1296}
1297
1298/*
1299 * Return common name in a way that is formatted for
1300 * prepending to msg() output.
1301 */
1302const char *
1303format_common_name(struct context *c, struct gc_arena *gc)
1304{
1305 struct buffer out = alloc_buf_gc(256, gc);
1306 if (c->c2.tls_multi)
1307 {
1308 buf_printf(&out, "[%s] ", tls_common_name(c->c2.tls_multi, false));
1309 }
1310 return BSTR(&out);
1311}
1312
1313void
1314pre_setup(const struct options *options)
1315{
1316#ifdef _WIN32
1317 if (options->exit_event_name)
1318 {
1319 win32_signal_open(&win32_signal,
1320 WSO_FORCE_SERVICE,
1321 options->exit_event_name,
1322 options->exit_event_initial_state);
1323 }
1324 else
1325 {
1326 win32_signal_open(&win32_signal,
1327 WSO_FORCE_CONSOLE,
1328 NULL,
1329 false);
1330
1331 /* put a title on the top window bar */
1332 if (win32_signal.mode == WSO_MODE_CONSOLE)
1333 {
1334 window_title_save(&window_title);
1335 window_title_generate(options->config);
1336 }
1337 }
1338#endif /* ifdef _WIN32 */
1339}
1340
1341void
1342reset_coarse_timers(struct context *c)
1343{
1344 c->c2.coarse_timer_wakeup = 0;
1345}
1346
1347/*
1348 * Initialise the server poll timeout timer
1349 * This timer is used in the http/socks proxy setup so it needs to be setup
1350 * before
1351 */
1352static void
1353do_init_server_poll_timeout(struct context *c)
1354{
1355 update_time();
1356 if (c->options.ce.connect_timeout)
1357 {
1358 event_timeout_init(&c->c2.server_poll_interval, c->options.ce.connect_timeout, now);
1359 }
1360}
1361
1362/*
1363 * Initialize timers
1364 */
1365static void
1366do_init_timers(struct context *c, bool deferred)
1367{
1368 update_time();
1369 reset_coarse_timers(c);
1370
1371 /* initialize inactivity timeout */
1372 if (c->options.inactivity_timeout)
1373 {
1374 event_timeout_init(&c->c2.inactivity_interval, c->options.inactivity_timeout, now);
1375 }
1376
1377 /* initialize inactivity timeout */
1378 if (c->options.session_timeout)
1379 {
1380 event_timeout_init(&c->c2.session_interval, c->options.session_timeout,
1381 now);
1382 }
1383
1384 /* initialize pings */
1385 if (dco_enabled(&c->options))
1386 {
1387 /* The DCO kernel module will send the pings instead of user space */
1388 event_timeout_clear(&c->c2.ping_rec_interval);
1389 event_timeout_clear(&c->c2.ping_send_interval);
1390 }
1391 else
1392 {
1393 if (c->options.ping_send_timeout)
1394 {
1395 event_timeout_init(&c->c2.ping_send_interval, c->options.ping_send_timeout, 0);
1396 }
1397
1398 if (c->options.ping_rec_timeout)
1399 {
1400 event_timeout_init(&c->c2.ping_rec_interval, c->options.ping_rec_timeout, now);
1401 }
1402 }
1403
1404 /* If the auth-token renewal interval is shorter than reneg-sec, arm
1405 * "auth-token renewal" timer to send additional auth-token to update the
1406 * token on the client more often. If not, this happens automatically
1407 * at renegotiation time, without needing an extra event.
1408 */
1409 if (c->options.auth_token_generate
1410 && c->options.auth_token_renewal < c->options.renegotiate_seconds)
1411 {
1412 event_timeout_init(&c->c2.auth_token_renewal_interval,
1413 c->options.auth_token_renewal, now);
1414 }
1415
1416 if (!deferred)
1417 {
1418 /* initialize connection establishment timer */
1419 event_timeout_init(&c->c2.wait_for_connect, 1, now);
1420
1421 /* initialize occ timers */
1422
1423 if (c->options.occ
1424 && !TLS_MODE(c)
1425 && c->c2.options_string_local && c->c2.options_string_remote)
1426 {
1427 event_timeout_init(&c->c2.occ_interval, OCC_INTERVAL_SECONDS, now);
1428 }
1429
1430 if (c->options.mtu_test)
1431 {
1432 event_timeout_init(&c->c2.occ_mtu_load_test_interval, OCC_MTU_LOAD_INTERVAL_SECONDS, now);
1433 }
1434
1435 /* initialize packet_id persistence timer */
1436 if (c->options.packet_id_file)
1437 {
1438 event_timeout_init(&c->c2.packet_id_persist_interval, 60, now);
1439 }
1440
1441 /* initialize tmp_int optimization that limits the number of times we call
1442 * tls_multi_process in the main event loop */
1443 interval_init(&c->c2.tmp_int, TLS_MULTI_HORIZON, TLS_MULTI_REFRESH);
1444 }
1445}
1446
1447/*
1448 * Initialize traffic shaper.
1449 */
1450static void
1451do_init_traffic_shaper(struct context *c)
1452{
1453 /* initialize traffic shaper (i.e. transmit bandwidth limiter) */
1454 if (c->options.shaper)
1455 {
1456 shaper_init(&c->c2.shaper, c->options.shaper);
1457 shaper_msg(&c->c2.shaper);
1458 }
1459}
1460
1461/*
1462 * Allocate route list structures for IPv4 and IPv6
1463 * (we do this for IPv4 even if no --route option has been seen, as other
1464 * parts of OpenVPN might want to fill the route-list with info, e.g. DHCP)
1465 */
1466static void
1467do_alloc_route_list(struct context *c)
1468{
1469 if (!c->c1.route_list)
1470 {
1471 ALLOC_OBJ_CLEAR_GC(c->c1.route_list, struct route_list, &c->gc);
1472 }
1473 if (c->options.routes_ipv6 && !c->c1.route_ipv6_list)
1474 {
1475 ALLOC_OBJ_CLEAR_GC(c->c1.route_ipv6_list, struct route_ipv6_list, &c->gc);
1476 }
1477}
1478
1479
1480/*
1481 * Initialize the route list, resolving any DNS names in route
1482 * options and saving routes in the environment.
1483 */
1484static void
1485do_init_route_list(const struct options *options,
1486 struct route_list *route_list,
1487 const struct link_socket_info *link_socket_info,
1488 struct env_set *es,
1489 openvpn_net_ctx_t *ctx)
1490{
1491 const char *gw = NULL;
1492 int dev = dev_type_enum(options->dev, options->dev_type);
1493 int metric = 0;
1494
1495 /* if DCO is enabled we have both regular routes and iroutes in the system
1496 * routing table, and normal routes must have a higher metric for that to
1497 * work so that iroutes are always matched first
1498 */
1499 if (dco_enabled(options))
1500 {
1501 metric = DCO_DEFAULT_METRIC;
1502 }
1503
1504 if (dev == DEV_TYPE_TUN && (options->topology == TOP_NET30 || options->topology == TOP_P2P))
1505 {
1506 gw = options->ifconfig_remote_netmask;
1507 }
1508 if (options->route_default_gateway)
1509 {
1510 gw = options->route_default_gateway;
1511 }
1512 if (options->route_default_metric)
1513 {
1514 metric = options->route_default_metric;
1515 }
1516
1517 if (init_route_list(route_list,
1518 options->routes,
1519 gw,
1520 metric,
1521 link_socket_current_remote(link_socket_info),
1522 es,
1523 ctx))
1524 {
1525 /* copy routes to environment */
1526 setenv_routes(es, route_list);
1527 }
1528}
1529
1530static void
1531do_init_route_ipv6_list(const struct options *options,
1532 struct route_ipv6_list *route_ipv6_list,
1533 const struct link_socket_info *link_socket_info,
1534 struct env_set *es,
1535 openvpn_net_ctx_t *ctx)
1536{
1537 const char *gw = NULL;
1538 int metric = -1; /* no metric set */
1539
1540 /* see explanation in do_init_route_list() */
1541 if (dco_enabled(options))
1542 {
1543 metric = DCO_DEFAULT_METRIC;
1544 }
1545
1546 gw = options->ifconfig_ipv6_remote; /* default GW = remote end */
1547 if (options->route_ipv6_default_gateway)
1548 {
1549 gw = options->route_ipv6_default_gateway;
1550 }
1551
1552 if (options->route_default_metric)
1553 {
1554 metric = options->route_default_metric;
1555 }
1556
1557 /* redirect (IPv6) gateway to VPN? if yes, add a few more specifics
1558 */
1559 if (options->routes_ipv6->flags & RG_REROUTE_GW)
1560 {
1561 char *opt_list[] = { "::/3", "2000::/4", "3000::/4", "fc00::/7", NULL };
1562 int i;
1563
1564 for (i = 0; opt_list[i]; i++)
1565 {
1566 add_route_ipv6_to_option_list( options->routes_ipv6,
1567 string_alloc(opt_list[i], options->routes_ipv6->gc),
1568 NULL, NULL );
1569 }
1570 }
1571
1572 if (init_route_ipv6_list(route_ipv6_list,
1573 options->routes_ipv6,
1574 gw,
1575 metric,
1576 link_socket_current_remote_ipv6(link_socket_info),
1577 es,
1578 ctx))
1579 {
1580 /* copy routes to environment */
1581 setenv_routes_ipv6(es, route_ipv6_list);
1582 }
1583}
1584
1585
1586/*
1587 * Called after all initialization has been completed.
1588 */
1589void
1590initialization_sequence_completed(struct context *c, const unsigned int flags)
1591{
1592 static const char message[] = "Initialization Sequence Completed";
1593
1594 /* Reset the unsuccessful connection counter on complete initialisation */
1595 c->options.unsuccessful_attempts = 0;
1596
1597 /* If we delayed UID/GID downgrade or chroot, do it now */
1598 do_uid_gid_chroot(c, true);
1599
1600 /* Test if errors */
1601 if (flags & ISC_ERRORS)
1602 {
1603#ifdef _WIN32
1604 show_routes(M_INFO|M_NOPREFIX);
1605 show_adapters(M_INFO|M_NOPREFIX);
1606 msg(M_INFO, "%s With Errors ( see http://openvpn.net/faq.html#dhcpclientserv )", message);
1607#else
1608#ifdef ENABLE_SYSTEMD
1609 sd_notifyf(0, "STATUS=Failed to start up: %s With Errors\nERRNO=1", message);
1610#endif /* HAVE_SYSTEMD_SD_DAEMON_H */
1611 msg(M_INFO, "%s With Errors", message);
1612#endif
1613 }
1614 else
1615 {
1616#ifdef ENABLE_SYSTEMD
1617 sd_notifyf(0, "STATUS=%s", message);
1618#endif
1619 msg(M_INFO, "%s", message);
1620 }
1621
1622 /* Flag that we initialized */
1623 if ((flags & (ISC_ERRORS|ISC_SERVER)) == 0)
1624 {
1625 c->options.no_advance = true;
1626 }
1627
1628#ifdef _WIN32
1629 fork_register_dns_action(c->c1.tuntap);
1630#endif
1631
1632#ifdef ENABLE_MANAGEMENT
1633 /* Tell management interface that we initialized */
1634 if (management)
1635 {
1636 in_addr_t *tun_local = NULL;
1637 struct in6_addr *tun_local6 = NULL;
1638 struct openvpn_sockaddr local, remote;
1639 struct link_socket_actual *actual;
1640 socklen_t sa_len = sizeof(local);
1641 const char *detail = "SUCCESS";
1642 if (flags & ISC_ERRORS)
1643 {
1644 detail = "ERROR";
1645 }
1646 /* Flag route error only on platforms where trivial "already exists" errors
1647 * are filtered out. Currently this is the case on Windows or if usng netlink.
1648 */
1649#if defined(_WIN32) || defined(ENABLE_SITNL)
1650 else if (flags & ISC_ROUTE_ERRORS)
1651 {
1652 detail = "ROUTE_ERROR";
1653 }
1654#endif
1655
1656 CLEAR(local);
1657 actual = &get_link_socket_info(c)->lsa->actual;
1658 remote = actual->dest;
1659 getsockname(c->c2.link_sockets[0]->sd, &local.addr.sa, &sa_len);
1660#if ENABLE_IP_PKTINFO
1661 if (!addr_defined(&local))
1662 {
1663 switch (local.addr.sa.sa_family)
1664 {
1665 case AF_INET:
1666#if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST)
1667 local.addr.in4.sin_addr = actual->pi.in4.ipi_spec_dst;
1668#else
1669 local.addr.in4.sin_addr = actual->pi.in4;
1670#endif
1671 break;
1672
1673 case AF_INET6:
1674 local.addr.in6.sin6_addr = actual->pi.in6.ipi6_addr;
1675 break;
1676 }
1677 }
1678#endif
1679
1680 if (c->c1.tuntap)
1681 {
1682 tun_local = &c->c1.tuntap->local;
1683 tun_local6 = &c->c1.tuntap->local_ipv6;
1684 }
1685 management_set_state(management,
1686 OPENVPN_STATE_CONNECTED,
1687 detail,
1688 tun_local,
1689 tun_local6,
1690 &local,
1691 &remote);
1692 if (tun_local)
1693 {
1694 management_post_tunnel_open(management, *tun_local);
1695 }
1696 }
1697#endif /* ifdef ENABLE_MANAGEMENT */
1698}
1699
1704static bool
1705route_noexec_enabled(const struct options *o, const struct tuntap *tt)
1706{
1707 return o->route_noexec
1708 || (tt && tt->backend_driver == DRIVER_AFUNIX)
1709 || (tt && tt->backend_driver == DRIVER_NULL);
1710}
1711
1712/*
1713 * Possibly add routes and/or call route-up script
1714 * based on options.
1715 */
1716bool
1717do_route(const struct options *options,
1718 struct route_list *route_list,
1719 struct route_ipv6_list *route_ipv6_list,
1720 const struct tuntap *tt,
1721 const struct plugin_list *plugins,
1722 struct env_set *es,
1723 openvpn_net_ctx_t *ctx)
1724{
1725 bool ret = true;
1726 if (!route_noexec_enabled(options, tt) && ( route_list || route_ipv6_list ) )
1727 {
1728 ret = add_routes(route_list, route_ipv6_list, tt, ROUTE_OPTION_FLAGS(options),
1729 es, ctx);
1730 setenv_int(es, "redirect_gateway", route_did_redirect_default_gateway(route_list));
1731 }
1732#ifdef ENABLE_MANAGEMENT
1733 if (management)
1734 {
1735 management_up_down(management, "UP", es);
1736 }
1737#endif
1738
1739 if (plugin_defined(plugins, OPENVPN_PLUGIN_ROUTE_UP))
1740 {
1741 if (plugin_call(plugins, OPENVPN_PLUGIN_ROUTE_UP, NULL, NULL, es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
1742 {
1743 msg(M_WARN, "WARNING: route-up plugin call failed");
1744 }
1745 }
1746
1747 if (options->route_script)
1748 {
1749 struct argv argv = argv_new();
1750 setenv_str(es, "script_type", "route-up");
1751 argv_parse_cmd(&argv, options->route_script);
1752 openvpn_run_script(&argv, es, 0, "--route-up");
1753 argv_free(&argv);
1754 }
1755
1756#ifdef _WIN32
1757 if (options->show_net_up)
1758 {
1759 show_routes(M_INFO|M_NOPREFIX);
1760 show_adapters(M_INFO|M_NOPREFIX);
1761 }
1762 else if (check_debug_level(D_SHOW_NET))
1763 {
1764 show_routes(D_SHOW_NET|M_NOPREFIX);
1765 show_adapters(D_SHOW_NET|M_NOPREFIX);
1766 }
1767#endif
1768 return ret;
1769}
1770
1771/*
1772 * initialize tun/tap device object
1773 */
1774static void
1775do_init_tun(struct context *c)
1776{
1777 c->c1.tuntap = init_tun(c->options.dev,
1778 c->options.dev_type,
1779 c->options.topology,
1780 c->options.ifconfig_local,
1781 c->options.ifconfig_remote_netmask,
1782 c->options.ifconfig_ipv6_local,
1783 c->options.ifconfig_ipv6_netbits,
1784 c->options.ifconfig_ipv6_remote,
1785 c->c1.link_socket_addrs[0].bind_local,
1786 c->c1.link_socket_addrs[0].remote_list,
1787 !c->options.ifconfig_nowarn,
1788 c->c2.es,
1789 &c->net_ctx,
1790 c->c1.tuntap);
1791
1792 if (is_tun_afunix(c->options.dev_node))
1793 {
1794 /* Using AF_UNIX trumps using DCO */
1795 c->c1.tuntap->backend_driver = DRIVER_AFUNIX;
1796 }
1797 else if (is_dev_type(c->options.dev, c->options.dev_type, "null"))
1798 {
1799 c->c1.tuntap->backend_driver = DRIVER_NULL;
1800 }
1801#ifdef _WIN32
1802 else
1803 {
1804 c->c1.tuntap->backend_driver = c->options.windows_driver;
1805 }
1806#else
1807 else if (dco_enabled(&c->options))
1808 {
1809 c->c1.tuntap->backend_driver = DRIVER_DCO;
1810 }
1811 else
1812 {
1813 c->c1.tuntap->backend_driver = DRIVER_GENERIC_TUNTAP;
1814 }
1815#endif
1816
1817 init_tun_post(c->c1.tuntap,
1818 &c->c2.frame,
1819 &c->options.tuntap_options);
1820
1821 c->c1.tuntap_owned = true;
1822}
1823
1824/*
1825 * Open tun/tap device, ifconfig, call up script, etc.
1826 */
1827
1828
1829static bool
1830can_preserve_tun(struct tuntap *tt)
1831{
1832 if (tt && tt->backend_driver == DRIVER_AFUNIX)
1833 {
1834 return false;
1835 }
1836#ifdef TARGET_ANDROID
1837 return false;
1838#else
1839 return is_tun_type_set(tt);
1840#endif
1841}
1842
1851static void
1852add_wfp_block(struct context *c)
1853{
1854#if defined(_WIN32)
1855 /* Fortify 'redirect-gateway block-local' with firewall rules? */
1856 bool block_local = block_local_needed(c->c1.route_list);
1857
1858 if (c->options.block_outside_dns || block_local)
1859 {
1860 BOOL dns_only = !block_local;
1861 if (!win_wfp_block(c->c1.tuntap->adapter_index, c->options.msg_channel, dns_only))
1862 {
1863 msg(M_FATAL, "WFP: initialization failed");
1864 }
1865 }
1866#endif
1867}
1868
1877static void
1878del_wfp_block(struct context *c, unsigned long adapter_index)
1879{
1880#if defined(_WIN32)
1881 if (c->options.block_outside_dns || block_local_needed(c->c1.route_list))
1882 {
1883 if (!win_wfp_uninit(adapter_index, c->options.msg_channel))
1884 {
1885 msg(M_FATAL, "WFP: deinitialization failed");
1886 }
1887 }
1888#endif
1889}
1890
1896static bool
1897ifconfig_noexec_enabled(const struct context *c)
1898{
1899 return c->options.ifconfig_noexec
1900 || (c->c1.tuntap && c->c1.tuntap->backend_driver == DRIVER_AFUNIX)
1901 || (c->c1.tuntap && c->c1.tuntap->backend_driver == DRIVER_NULL);
1902}
1903
1904static void
1905open_tun_backend(struct context *c)
1906{
1907 struct tuntap *tt = c->c1.tuntap;
1908
1909 if (tt->backend_driver == DRIVER_NULL)
1910 {
1911 open_tun_null(c->c1.tuntap);
1912 }
1913 else if (tt->backend_driver == DRIVER_AFUNIX)
1914 {
1915 open_tun_afunix(&c->options, c->c2.frame.tun_mtu, tt, c->c2.es);
1916 }
1917 else
1918 {
1919 open_tun(c->options.dev, c->options.dev_type, c->options.dev_node,
1920 tt, &c->net_ctx);
1921 }
1922 msg(M_INFO, "%s device [%s] opened", print_tun_backend_driver(tt->backend_driver), tt->actual_name);
1923}
1924
1925
1926static bool
1927do_open_tun(struct context *c, int *error_flags)
1928{
1929 struct gc_arena gc = gc_new();
1930 bool ret = false;
1931 *error_flags = 0;
1932
1933 if (!can_preserve_tun(c->c1.tuntap))
1934 {
1935#ifdef TARGET_ANDROID
1936 /* If we emulate persist-tun on android we still have to open a new tun and
1937 * then close the old */
1938 int oldtunfd = -1;
1939 if (c->c1.tuntap)
1940 {
1941 oldtunfd = c->c1.tuntap->fd;
1942 free(c->c1.tuntap);
1943 c->c1.tuntap = NULL;
1944 c->c1.tuntap_owned = false;
1945 }
1946#endif
1947
1948 /* initialize (but do not open) tun/tap object, this also sets
1949 * the backend driver type */
1950 do_init_tun(c);
1951
1952 /* inherit the dco context from the tuntap object */
1953 if (c->c2.tls_multi)
1954 {
1955 c->c2.tls_multi->dco = &c->c1.tuntap->dco;
1956 }
1957
1958#ifdef _WIN32
1959 /* store (hide) interactive service handle in tuntap_options */
1960 c->c1.tuntap->options.msg_channel = c->options.msg_channel;
1961 msg(D_ROUTE, "interactive service msg_channel=%" PRIuPTR,
1962 (intptr_t) c->options.msg_channel);
1963#endif
1964
1965 /* allocate route list structure */
1966 do_alloc_route_list(c);
1967
1968 /* parse and resolve the route option list */
1969 ASSERT(c->c2.link_sockets[0]);
1970 if (c->options.routes && c->c1.route_list)
1971 {
1972 do_init_route_list(&c->options, c->c1.route_list,
1973 &c->c2.link_sockets[0]->info, c->c2.es, &c->net_ctx);
1974 }
1975 if (c->options.routes_ipv6 && c->c1.route_ipv6_list)
1976 {
1977 do_init_route_ipv6_list(&c->options, c->c1.route_ipv6_list,
1978 &c->c2.link_sockets[0]->info, c->c2.es, &c->net_ctx);
1979 }
1980
1981 /* do ifconfig */
1982 if (!ifconfig_noexec_enabled(c)
1983 && ifconfig_order(c->c1.tuntap) == IFCONFIG_BEFORE_TUN_OPEN)
1984 {
1985 /* guess actual tun/tap unit number that will be returned
1986 * by open_tun */
1987 const char *guess = guess_tuntap_dev(c->options.dev,
1988 c->options.dev_type,
1989 c->options.dev_node,
1990 &gc);
1991 do_ifconfig(c->c1.tuntap, guess, c->c2.frame.tun_mtu, c->c2.es, &c->net_ctx);
1992 }
1993
1994 /* possibly add routes */
1995 if (route_order(c->c1.tuntap) == ROUTE_BEFORE_TUN)
1996 {
1997 /* Ignore route_delay, would cause ROUTE_BEFORE_TUN to be ignored */
1998 bool status = do_route(&c->options, c->c1.route_list, c->c1.route_ipv6_list,
1999 c->c1.tuntap, c->plugins, c->c2.es, &c->net_ctx);
2000 *error_flags |= (status ? 0 : ISC_ROUTE_ERRORS);
2001 }
2002#ifdef TARGET_ANDROID
2003 /* Store the old fd inside the fd so open_tun can use it */
2004 c->c1.tuntap->fd = oldtunfd;
2005#endif
2006
2007 if (dco_enabled(&c->options))
2008 {
2009 ovpn_dco_init(c->mode, &c->c1.tuntap->dco, c->options.dev_node);
2010 }
2011
2012 /* open the tun device */
2013 open_tun_backend(c);
2014
2015 /* set the hardware address */
2016 if (c->options.lladdr)
2017 {
2018 set_lladdr(&c->net_ctx, c->c1.tuntap->actual_name, c->options.lladdr, c->c2.es);
2019 }
2020
2021 /* do ifconfig */
2022 if (!ifconfig_noexec_enabled(c)
2023 && ifconfig_order(c->c1.tuntap) == IFCONFIG_AFTER_TUN_OPEN)
2024 {
2025 do_ifconfig(c->c1.tuntap, c->c1.tuntap->actual_name,
2026 c->c2.frame.tun_mtu, c->c2.es, &c->net_ctx);
2027 }
2028
2029 /* run the up script */
2030 run_up_down(c->options.up_script,
2031 c->plugins,
2032 OPENVPN_PLUGIN_UP,
2033 c->c1.tuntap->actual_name,
2034#ifdef _WIN32
2035 c->c1.tuntap->adapter_index,
2036#endif
2037 dev_type_string(c->options.dev, c->options.dev_type),
2038 c->c2.frame.tun_mtu,
2039 print_in_addr_t(c->c1.tuntap->local, IA_EMPTY_IF_UNDEF, &gc),
2040 print_in_addr_t(c->c1.tuntap->remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
2041 "init",
2042 NULL,
2043 "up",
2044 c->c2.es);
2045
2046 add_wfp_block(c);
2047
2048 /* possibly add routes */
2049 if ((route_order(c->c1.tuntap) == ROUTE_AFTER_TUN) && (!c->options.route_delay_defined))
2050 {
2051 int status = do_route(&c->options, c->c1.route_list, c->c1.route_ipv6_list,
2052 c->c1.tuntap, c->plugins, c->c2.es, &c->net_ctx);
2053 *error_flags |= (status ? 0 : ISC_ROUTE_ERRORS);
2054 }
2055
2056 ret = true;
2057 static_context = c;
2058 }
2059 else
2060 {
2061 msg(M_INFO, "Preserving previous TUN/TAP instance: %s",
2062 c->c1.tuntap->actual_name);
2063
2064 /* explicitly set the ifconfig_* env vars */
2065 do_ifconfig_setenv(c->c1.tuntap, c->c2.es);
2066
2067 /* run the up script if user specified --up-restart */
2068 if (c->options.up_restart)
2069 {
2070 run_up_down(c->options.up_script,
2071 c->plugins,
2072 OPENVPN_PLUGIN_UP,
2073 c->c1.tuntap->actual_name,
2074#ifdef _WIN32
2075 c->c1.tuntap->adapter_index,
2076#endif
2077 dev_type_string(c->options.dev, c->options.dev_type),
2078 c->c2.frame.tun_mtu,
2079 print_in_addr_t(c->c1.tuntap->local, IA_EMPTY_IF_UNDEF, &gc),
2080 print_in_addr_t(c->c1.tuntap->remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
2081 "restart",
2082 NULL,
2083 "up",
2084 c->c2.es);
2085 }
2086
2087 add_wfp_block(c);
2088 }
2089 gc_free(&gc);
2090 return ret;
2091}
2092
2093/*
2094 * Close TUN/TAP device
2095 */
2096
2097static void
2098do_close_tun_simple(struct context *c)
2099{
2100 msg(D_CLOSE, "Closing %s interface",
2101 print_tun_backend_driver(c->c1.tuntap->backend_driver));
2102
2103 if (c->c1.tuntap)
2104 {
2105 if (!ifconfig_noexec_enabled(c))
2106 {
2107 undo_ifconfig(c->c1.tuntap, &c->net_ctx);
2108 }
2109 if (c->c1.tuntap->backend_driver == DRIVER_AFUNIX)
2110 {
2111 close_tun_afunix(c->c1.tuntap);
2112 }
2113 else if (c->c1.tuntap->backend_driver == DRIVER_NULL)
2114 {
2115 free(c->c1.tuntap->actual_name);
2116 free(c->c1.tuntap);
2117 }
2118 else
2119 {
2120 close_tun(c->c1.tuntap, &c->net_ctx);
2121 }
2122 c->c1.tuntap = NULL;
2123 }
2124 c->c1.tuntap_owned = false;
2125 CLEAR(c->c1.pulled_options_digest_save);
2126}
2127
2128static void
2129do_close_tun(struct context *c, bool force)
2130{
2131 /* With dco-win we open tun handle in the very beginning.
2132 * In case when tun wasn't opened - like we haven't connected,
2133 * we still need to close tun handle
2134 */
2135 if (tuntap_is_dco_win(c->c1.tuntap) && !is_tun_type_set(c->c1.tuntap))
2136 {
2137 do_close_tun_simple(c);
2138 return;
2139 }
2140
2141 if (!c->c1.tuntap || !c->c1.tuntap_owned)
2142 {
2143 return;
2144 }
2145
2146 struct gc_arena gc = gc_new();
2147 const char *tuntap_actual = string_alloc(c->c1.tuntap->actual_name, &gc);
2148 const in_addr_t local = c->c1.tuntap->local;
2149 const in_addr_t remote_netmask = c->c1.tuntap->remote_netmask;
2150 unsigned long adapter_index = 0;
2151#ifdef _WIN32
2152 adapter_index = c->c1.tuntap->adapter_index;
2153#endif
2154
2155 if (force || !(c->sig->signal_received == SIGUSR1 && c->options.persist_tun))
2156 {
2157 static_context = NULL;
2158
2159#ifdef ENABLE_MANAGEMENT
2160 /* tell management layer we are about to close the TUN/TAP device */
2161 if (management)
2162 {
2163 management_pre_tunnel_close(management);
2164 management_up_down(management, "DOWN", c->c2.es);
2165 }
2166#endif
2167
2168 /* delete any routes we added */
2169 if (c->c1.route_list || c->c1.route_ipv6_list)
2170 {
2171 run_up_down(c->options.route_predown_script,
2172 c->plugins,
2173 OPENVPN_PLUGIN_ROUTE_PREDOWN,
2174 tuntap_actual,
2175#ifdef _WIN32
2176 adapter_index,
2177#endif
2178 NULL,
2179 c->c2.frame.tun_mtu,
2180 print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc),
2181 print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
2182 "init",
2183 signal_description(c->sig->signal_received,
2184 c->sig->signal_text),
2185 "route-pre-down",
2186 c->c2.es);
2187
2188 delete_routes(c->c1.route_list, c->c1.route_ipv6_list,
2189 c->c1.tuntap, ROUTE_OPTION_FLAGS(&c->options),
2190 c->c2.es, &c->net_ctx);
2191 }
2192
2193 /* actually close tun/tap device based on --down-pre flag */
2194 if (!c->options.down_pre)
2195 {
2196 do_close_tun_simple(c);
2197 }
2198
2199 /* Run the down script -- note that it will run at reduced
2200 * privilege if, for example, "--user" was used. */
2201 run_up_down(c->options.down_script,
2202 c->plugins,
2203 OPENVPN_PLUGIN_DOWN,
2204 tuntap_actual,
2205#ifdef _WIN32
2206 adapter_index,
2207#endif
2208 NULL,
2209 c->c2.frame.tun_mtu,
2210 print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc),
2211 print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
2212 "init",
2213 signal_description(c->sig->signal_received,
2214 c->sig->signal_text),
2215 "down",
2216 c->c2.es);
2217
2218 del_wfp_block(c, adapter_index);
2219
2220 /* actually close tun/tap device based on --down-pre flag */
2221 if (c->options.down_pre)
2222 {
2223 do_close_tun_simple(c);
2224 }
2225 }
2226 else
2227 {
2228 /* run the down script on this restart if --up-restart was specified */
2229 if (c->options.up_restart)
2230 {
2231 run_up_down(c->options.down_script,
2232 c->plugins,
2233 OPENVPN_PLUGIN_DOWN,
2234 tuntap_actual,
2235#ifdef _WIN32
2236 adapter_index,
2237#endif
2238 NULL,
2239 c->c2.frame.tun_mtu,
2240 print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc),
2241 print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
2242 "restart",
2243 signal_description(c->sig->signal_received,
2244 c->sig->signal_text),
2245 "down",
2246 c->c2.es);
2247 }
2248
2249 del_wfp_block(c, adapter_index);
2250 }
2251 gc_free(&gc);
2252}
2253
2254void
2255tun_abort(void)
2256{
2257 struct context *c = static_context;
2258 if (c)
2259 {
2260 static_context = NULL;
2261 do_close_tun(c, true);
2262 }
2263}
2264
2265/*
2266 * Handle delayed tun/tap interface bringup due to --up-delay or --pull
2267 */
2268
2273static bool
2274options_hash_changed_or_zero(const struct sha256_digest *a,
2275 const struct sha256_digest *b)
2276{
2277 const struct sha256_digest zero = {{0}};
2278 return memcmp(a, b, sizeof(struct sha256_digest))
2279 || !memcmp(a, &zero, sizeof(struct sha256_digest));
2280}
2281
2287static void
2288add_delim_if_non_empty(struct buffer *buf, const char *header)
2289{
2290 if (buf_len(buf) > strlen(header))
2291 {
2292 buf_printf(buf, ", ");
2293 }
2294}
2295
2296
2301static void
2302tls_print_deferred_options_results(struct context *c)
2303{
2304 struct options *o = &c->options;
2305
2306 struct buffer out;
2307 uint8_t line[1024] = { 0 };
2308 buf_set_write(&out, line, sizeof(line));
2309
2310
2311 if (cipher_kt_mode_aead(o->ciphername))
2312 {
2313 buf_printf(&out, "Data Channel: cipher '%s'",
2314 cipher_kt_name(o->ciphername));
2315 }
2316 else
2317 {
2318 buf_printf(&out, "Data Channel: cipher '%s', auth '%s'",
2319 cipher_kt_name(o->ciphername), md_kt_name(o->authname));
2320 }
2321
2322 if (o->use_peer_id)
2323 {
2324 buf_printf(&out, ", peer-id: %d", o->peer_id);
2325 }
2326
2327#ifdef USE_COMP
2328 if (c->c2.comp_context)
2329 {
2330 buf_printf(&out, ", compression: '%s'", c->c2.comp_context->alg.name);
2331 }
2332#endif
2333
2334 msg(D_HANDSHAKE, "%s", BSTR(&out));
2335
2336 buf_clear(&out);
2337
2338 const char *header = "Timers: ";
2339
2340 buf_printf(&out, "%s", header);
2341
2342 if (o->ping_send_timeout)
2343 {
2344 buf_printf(&out, "ping %d", o->ping_send_timeout);
2345 }
2346
2347 if (o->ping_rec_timeout_action != PING_UNDEF)
2348 {
2349 /* yes unidirectional ping is possible .... */
2350 add_delim_if_non_empty(&out, header);
2351
2352 if (o->ping_rec_timeout_action == PING_EXIT)
2353 {
2354 buf_printf(&out, "ping-exit %d", o->ping_rec_timeout);
2355 }
2356 else
2357 {
2358 buf_printf(&out, "ping-restart %d", o->ping_rec_timeout);
2359 }
2360 }
2361
2362 if (o->inactivity_timeout)
2363 {
2364 add_delim_if_non_empty(&out, header);
2365
2366 buf_printf(&out, "inactive %d", o->inactivity_timeout);
2367 if (o->inactivity_minimum_bytes)
2368 {
2369 buf_printf(&out, " %" PRIu64, o->inactivity_minimum_bytes);
2370 }
2371 }
2372
2373 if (o->session_timeout)
2374 {
2375 add_delim_if_non_empty(&out, header);
2376 buf_printf(&out, "session-timeout %d", o->session_timeout);
2377 }
2378
2379 if (buf_len(&out) > strlen(header))
2380 {
2381 msg(D_HANDSHAKE, "%s", BSTR(&out));
2382 }
2383
2384 buf_clear(&out);
2385 header = "Protocol options: ";
2386 buf_printf(&out, "%s", header);
2387
2388 if (c->options.ce.explicit_exit_notification)
2389 {
2390 buf_printf(&out, "explicit-exit-notify %d",
2391 c->options.ce.explicit_exit_notification);
2392 }
2393 if (c->options.imported_protocol_flags)
2394 {
2395 add_delim_if_non_empty(&out, header);
2396
2397 buf_printf(&out, "protocol-flags");
2398
2399 if (o->imported_protocol_flags & CO_USE_CC_EXIT_NOTIFY)
2400 {
2401 buf_printf(&out, " cc-exit");
2402 }
2403 if (o->imported_protocol_flags & CO_USE_TLS_KEY_MATERIAL_EXPORT)
2404 {
2405 buf_printf(&out, " tls-ekm");
2406 }
2407 if (o->imported_protocol_flags & CO_USE_DYNAMIC_TLS_CRYPT)
2408 {
2409 buf_printf(&out, " dyn-tls-crypt");
2410 }
2411 if (o->imported_protocol_flags & CO_EPOCH_DATA_KEY_FORMAT)
2412 {
2413 buf_printf(&out, " aead-epoch");
2414 }
2415 }
2416
2417 if (buf_len(&out) > strlen(header))
2418 {
2419 msg(D_HANDSHAKE, "%s", BSTR(&out));
2420 }
2421}
2422
2423
2431static bool
2432do_deferred_options_part2(struct context *c)
2433{
2434 struct frame *frame_fragment = NULL;
2435#ifdef ENABLE_FRAGMENT
2436 if (c->options.ce.fragment)
2437 {
2438 frame_fragment = &c->c2.frame_fragment;
2439 }
2440#endif
2441
2442 struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE];
2443 if (!tls_session_update_crypto_params(c->c2.tls_multi, session,
2444 &c->options, &c->c2.frame,
2445 frame_fragment,
2446 get_link_socket_info(c),
2447 &c->c1.tuntap->dco))
2448 {
2449 msg(D_TLS_ERRORS, "OPTIONS ERROR: failed to import crypto options");
2450 return false;
2451 }
2452
2453 return true;
2454}
2455
2456bool
2457do_up(struct context *c, bool pulled_options, unsigned int option_types_found)
2458{
2459 int error_flags = 0;
2460 if (!c->c2.do_up_ran)
2461 {
2462 reset_coarse_timers(c);
2463
2464 if (pulled_options)
2465 {
2466 if (!do_deferred_options(c, option_types_found))
2467 {
2468 msg(D_PUSH_ERRORS, "ERROR: Failed to apply push options");
2469 return false;
2470 }
2471 }
2472
2473 /* if --up-delay specified, open tun, do ifconfig, and run up script now */
2474 if (c->options.up_delay || PULL_DEFINED(&c->options))
2475 {
2476 c->c2.did_open_tun = do_open_tun(c, &error_flags);
2477 update_time();
2478
2479 /*
2480 * Was tun interface object persisted from previous restart iteration,
2481 * and if so did pulled options string change from previous iteration?
2482 */
2483 if (!c->c2.did_open_tun
2484 && PULL_DEFINED(&c->options)
2485 && c->c1.tuntap
2486 && options_hash_changed_or_zero(&c->c1.pulled_options_digest_save,
2487 &c->c2.pulled_options_digest))
2488 {
2489 /* if so, close tun, delete routes, then reinitialize tun and add routes */
2490 msg(M_INFO, "NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.");
2491
2492 bool tt_dco_win = tuntap_is_dco_win(c->c1.tuntap);
2493 do_close_tun(c, true);
2494
2495 if (tt_dco_win)
2496 {
2497 msg(M_NONFATAL, "dco-win doesn't yet support reopening TUN device");
2498 /* prevent link_socket_close() from closing handle with WinSock API */
2499 c->c2.link_sockets[0]->sd = SOCKET_UNDEFINED;
2500 return false;
2501 }
2502 else
2503 {
2504 management_sleep(1);
2505 c->c2.did_open_tun = do_open_tun(c, &error_flags);
2506 update_time();
2507 }
2508 }
2509 }
2510 }
2511
2512 /* This part needs to be run in p2p mode (without pull) when the client
2513 * reconnects to setup various things (like DCO and NCP cipher) that
2514 * might have changed from the previous connection.
2515 */
2516 if (!c->c2.do_up_ran || (c->c2.tls_multi && c->c2.tls_multi->multi_state == CAS_RECONNECT_PENDING))
2517 {
2518 if (c->mode == MODE_POINT_TO_POINT)
2519 {
2520 /* ovpn-dco requires adding the peer now, before any option can be set,
2521 * but *after* having parsed the pushed peer-id in do_deferred_options()
2522 */
2523 int ret = dco_p2p_add_new_peer(c);
2524 if (ret < 0)
2525 {
2526 msg(D_DCO, "Cannot add peer to DCO: %s (%d)", strerror(-ret), ret);
2527 return false;
2528 }
2529 }
2530
2531 /* do_deferred_options_part2() and do_deferred_p2p_ncp() *must* be
2532 * invoked after open_tun().
2533 * This is required by DCO because we must have created the interface
2534 * and added the peer before we can fiddle with the keys or any other
2535 * data channel per-peer setting.
2536 */
2537 if (pulled_options)
2538 {
2539 if (!do_deferred_options_part2(c))
2540 {
2541 return false;
2542 }
2543 }
2544 else
2545 {
2546 if (c->mode == MODE_POINT_TO_POINT)
2547 {
2548 if (!do_deferred_p2p_ncp(c))
2549 {
2550 msg(D_TLS_ERRORS, "ERROR: Failed to apply P2P negotiated protocol options");
2551 return false;
2552 }
2553 }
2554 }
2555
2556 if (c->c2.did_open_tun)
2557 {
2558 c->c1.pulled_options_digest_save = c->c2.pulled_options_digest;
2559
2560 /* if --route-delay was specified, start timer */
2561 if ((route_order(c->c1.tuntap) == ROUTE_AFTER_TUN) && c->options.route_delay_defined)
2562 {
2563 event_timeout_init(&c->c2.route_wakeup, c->options.route_delay, now);
2564 event_timeout_init(&c->c2.route_wakeup_expire, c->options.route_delay + c->options.route_delay_window, now);
2565 tun_standby_init(c->c1.tuntap);
2566 }
2567 else
2568 {
2569 initialization_sequence_completed(c, error_flags); /* client/p2p --route-delay undefined */
2570 }
2571 }
2572 else if (c->options.mode == MODE_POINT_TO_POINT)
2573 {
2574 initialization_sequence_completed(c, error_flags); /* client/p2p restart with --persist-tun */
2575 }
2576
2577 tls_print_deferred_options_results(c);
2578
2579 c->c2.do_up_ran = true;
2580 if (c->c2.tls_multi)
2581 {
2582 c->c2.tls_multi->multi_state = CAS_CONNECT_DONE;
2583 }
2584 }
2585 return true;
2586}
2587
2588/*
2589 * These are the option categories which will be accepted by pull.
2590 */
2591unsigned int
2592pull_permission_mask(const struct context *c)
2593{
2594 unsigned int flags =
2595 OPT_P_UP
2596 | OPT_P_ROUTE_EXTRAS
2597 | OPT_P_SOCKBUF
2598 | OPT_P_SOCKFLAGS
2599 | OPT_P_SETENV
2600 | OPT_P_SHAPER
2601 | OPT_P_TIMER
2602 | OPT_P_COMP
2603 | OPT_P_PERSIST
2604 | OPT_P_MESSAGES
2605 | OPT_P_EXPLICIT_NOTIFY
2606 | OPT_P_ECHO
2607 | OPT_P_PULL_MODE
2608 | OPT_P_PEER_ID
2609 | OPT_P_NCP
2610 | OPT_P_PUSH_MTU;
2611
2612 if (!c->options.route_nopull)
2613 {
2614 flags |= (OPT_P_ROUTE | OPT_P_DHCPDNS);
2615 }
2616
2617 return flags;
2618}
2619
2620static bool
2621do_deferred_p2p_ncp(struct context *c)
2622{
2623 if (!c->c2.tls_multi)
2624 {
2625 return true;
2626 }
2627
2628 c->options.use_peer_id = c->c2.tls_multi->use_peer_id;
2629
2630 struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE];
2631
2632 const char *ncp_cipher = get_p2p_ncp_cipher(session, c->c2.tls_multi->peer_info,
2633 &c->options.gc);
2634
2635 if (ncp_cipher)
2636 {
2637 c->options.ciphername = ncp_cipher;
2638 }
2639 else if (!c->options.enable_ncp_fallback)
2640 {
2641 msg(D_TLS_ERRORS, "ERROR: failed to negotiate cipher with peer and "
2642 "--data-ciphers-fallback not enabled. No usable "
2643 "data channel cipher");
2644 return false;
2645 }
2646
2647 struct frame *frame_fragment = NULL;
2648#ifdef ENABLE_FRAGMENT
2649 if (c->options.ce.fragment)
2650 {
2651 frame_fragment = &c->c2.frame_fragment;
2652 }
2653#endif
2654
2655 if (!tls_session_update_crypto_params(c->c2.tls_multi, session, &c->options,
2656 &c->c2.frame, frame_fragment,
2657 get_link_socket_info(c),
2658 &c->c1.tuntap->dco))
2659 {
2660 msg(D_TLS_ERRORS, "ERROR: failed to set crypto cipher");
2661 return false;
2662 }
2663 return true;
2664}
2665
2666/*
2667 * Handle non-tun-related pulled options.
2668 */
2669bool
2670do_deferred_options(struct context *c, const unsigned int found)
2671{
2672 if (found & OPT_P_MESSAGES)
2673 {
2674 init_verb_mute(c, IVM_LEVEL_1|IVM_LEVEL_2);
2675 msg(D_PUSH, "OPTIONS IMPORT: --verb and/or --mute level changed");
2676 }
2677 if (found & OPT_P_TIMER)
2678 {
2679 do_init_timers(c, true);
2680 msg(D_PUSH_DEBUG, "OPTIONS IMPORT: timers and/or timeouts modified");
2681 }
2682
2683 if (found & OPT_P_EXPLICIT_NOTIFY)
2684 {
2685 /* Client side, so just check the first link_socket */
2686 if (!proto_is_udp(c->c2.link_sockets[0]->info.proto)
2687 && c->options.ce.explicit_exit_notification)
2688 {
2689 msg(D_PUSH, "OPTIONS IMPORT: --explicit-exit-notify can only be used with --proto udp");
2690 c->options.ce.explicit_exit_notification = 0;
2691 }
2692 else
2693 {
2694 msg(D_PUSH_DEBUG, "OPTIONS IMPORT: explicit notify parm(s) modified");
2695 }
2696 }
2697
2698 if (found & OPT_P_COMP)
2699 {
2700 if (!check_compression_settings_valid(&c->options.comp, D_PUSH_ERRORS))
2701 {
2702 msg(D_PUSH_ERRORS, "OPTIONS ERROR: server pushed compression "
2703 "settings that are not allowed and will result "
2704 "in a non-working connection. "
2705 "See also allow-compression in the manual.");
2706 return false;
2707 }
2708#ifdef USE_COMP
2709 msg(D_PUSH_DEBUG, "OPTIONS IMPORT: compression parms modified");
2710 comp_uninit(c->c2.comp_context);
2711 c->c2.comp_context = comp_init(&c->options.comp);
2712#endif
2713 }
2714
2715 if (found & OPT_P_SHAPER)
2716 {
2717 msg(D_PUSH, "OPTIONS IMPORT: traffic shaper enabled");
2718 do_init_traffic_shaper(c);
2719 }
2720
2721 if (found & OPT_P_SOCKBUF)
2722 {
2723 msg(D_PUSH, "OPTIONS IMPORT: --sndbuf/--rcvbuf options modified");
2724
2725 for (int i = 0; i < c->c1.link_sockets_num; i++)
2726 {
2727 link_socket_update_buffer_sizes(c->c2.link_sockets[i],
2728 c->options.rcvbuf,
2729 c->options.sndbuf);
2730 }
2731 }
2732
2733 if (found & OPT_P_SOCKFLAGS)
2734 {
2735 msg(D_PUSH, "OPTIONS IMPORT: --socket-flags option modified");
2736 for (int i = 0; i < c->c1.link_sockets_num; i++)
2737 {
2738 link_socket_update_flags(c->c2.link_sockets[i],
2739 c->options.sockflags);
2740 }
2741 }
2742
2743 if (found & OPT_P_PERSIST)
2744 {
2745 msg(D_PUSH, "OPTIONS IMPORT: --persist options modified");
2746 }
2747 if (found & OPT_P_UP)
2748 {
2749 msg(D_PUSH, "OPTIONS IMPORT: --ifconfig/up options modified");
2750 }
2751 if (found & OPT_P_ROUTE)
2752 {
2753 msg(D_PUSH, "OPTIONS IMPORT: route options modified");
2754 }
2755 if (found & OPT_P_ROUTE_EXTRAS)
2756 {
2757 msg(D_PUSH, "OPTIONS IMPORT: route-related options modified");
2758 }
2759 if (found & OPT_P_DHCPDNS)
2760 {
2761 msg(D_PUSH, "OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified");
2762 }
2763 if (found & OPT_P_SETENV)
2764 {
2765 msg(D_PUSH, "OPTIONS IMPORT: environment modified");
2766 }
2767
2768 if (found & OPT_P_PEER_ID)
2769 {
2770 msg(D_PUSH_DEBUG, "OPTIONS IMPORT: peer-id set");
2771 c->c2.tls_multi->use_peer_id = true;
2772 c->c2.tls_multi->peer_id = c->options.peer_id;
2773 }
2774
2775 /* process (potentially) pushed options */
2776 if (c->options.pull)
2777 {
2778 if (!check_pull_client_ncp(c, found))
2779 {
2780 return false;
2781 }
2782
2783 /* Check if pushed options are compatible with DCO, if enabled */
2784 if (dco_enabled(&c->options)
2785 && !dco_check_pull_options(D_PUSH_ERRORS, &c->options))
2786 {
2787 msg(D_PUSH_ERRORS, "OPTIONS ERROR: pushed options are incompatible "
2788 "with data channel offload. Use --disable-dco to connect to "
2789 "this server");
2790 return false;
2791 }
2792 }
2793
2794 /* Ensure that for epoch data format is only enabled if also data v2
2795 * is enabled */
2796 bool epoch_data = (c->options.imported_protocol_flags & CO_EPOCH_DATA_KEY_FORMAT);
2797 bool datav2_enabled = (c->options.peer_id >= 0 && c->options.peer_id < MAX_PEER_ID);
2798
2799 if (epoch_data && !datav2_enabled)
2800 {
2801 msg(D_PUSH_ERRORS, "OPTIONS ERROR: Epoch key data format tag requires "
2802 "data v2 (peer-id) to be enabled.");
2803 return false;
2804 }
2805
2806
2807 if (found & OPT_P_PUSH_MTU)
2808 {
2809 /* MTU has changed, check that the pushed MTU is small enough to
2810 * be able to change it */
2811 msg(D_PUSH, "OPTIONS IMPORT: tun-mtu set to %d", c->options.ce.tun_mtu);
2812
2813 struct frame *frame = &c->c2.frame;
2814
2815 if (c->options.ce.tun_mtu > frame->tun_max_mtu)
2816 {
2817 msg(D_PUSH_ERRORS, "Server-pushed tun-mtu is too large, please add "
2818 "tun-mtu-max %d in the client configuration",
2819 c->options.ce.tun_mtu);
2820 }
2821 frame->tun_mtu = min_int(frame->tun_max_mtu, c->options.ce.tun_mtu);
2822 }
2823
2824 return true;
2825}
2826
2827/*
2828 * Possible hold on initialization, holdtime is the
2829 * time OpenVPN would wait without management
2830 */
2831static bool
2832do_hold(int holdtime)
2833{
2834#ifdef ENABLE_MANAGEMENT
2835 if (management)
2836 {
2837 /* block until management hold is released */
2838 if (management_hold(management, holdtime))
2839 {
2840 return true;
2841 }
2842 }
2843#endif
2844 return false;
2845}
2846
2847/*
2848 * Sleep before restart.
2849 */
2850static void
2851socket_restart_pause(struct context *c)
2852{
2853 int sec = 2;
2854 int backoff = 0;
2855
2856 switch (c->mode)
2857 {
2858 case CM_TOP:
2859 sec = 1;
2860 break;
2861
2862 case CM_CHILD_UDP:
2863 case CM_CHILD_TCP:
2864 sec = c->options.ce.connect_retry_seconds;
2865 break;
2866 }
2867
2868#ifdef ENABLE_DEBUG
2869 if (GREMLIN_CONNECTION_FLOOD_LEVEL(c->options.gremlin))
2870 {
2871 sec = 0;
2872 }
2873#endif
2874
2875 if (auth_retry_get() == AR_NOINTERACT)
2876 {
2877 sec = 10;
2878 }
2879
2880 /* Slow down reconnection after 5 retries per remote -- for TCP client or UDP tls-client only */
2881 if (c->mode == CM_CHILD_TCP
2882 || (c->options.ce.proto == PROTO_UDP && c->options.tls_client))
2883 {
2884 backoff = (c->options.unsuccessful_attempts / c->options.connection_list->len) - 4;
2885 if (backoff > 0)
2886 {
2887 /* sec is less than 2^16; we can left shift it by up to 15 bits without overflow */
2888 sec = max_int(sec, 1) << min_int(backoff, 15);
2889 }
2890 if (c->options.server_backoff_time)
2891 {
2892 sec = max_int(sec, c->options.server_backoff_time);
2893 c->options.server_backoff_time = 0;
2894 }
2895
2896 if (sec > c->options.ce.connect_retry_seconds_max)
2897 {
2898 sec = c->options.ce.connect_retry_seconds_max;
2899 }
2900 }
2901
2902 if (c->persist.restart_sleep_seconds > 0 && c->persist.restart_sleep_seconds > sec)
2903 {
2904 sec = c->persist.restart_sleep_seconds;
2905 }
2906 else if (c->persist.restart_sleep_seconds == -1)
2907 {
2908 sec = 0;
2909 }
2910 c->persist.restart_sleep_seconds = 0;
2911
2912 /* do management hold on context restart, i.e. second, third, fourth, etc. initialization */
2913 if (do_hold(sec))
2914 {
2915 sec = 0;
2916 }
2917
2918 if (sec)
2919 {
2920 msg(D_RESTART, "Restart pause, %d second(s)", sec);
2921 management_sleep(sec);
2922 }
2923}
2924
2925/*
2926 * Do a possible pause on context_2 initialization.
2927 */
2928static void
2929do_startup_pause(struct context *c)
2930{
2931 if (!c->first_time)
2932 {
2933 socket_restart_pause(c);
2934 }
2935 else
2936 {
2937 do_hold(0); /* do management hold on first context initialization */
2938 }
2939}
2940
2941static size_t
2942get_frame_mtu(struct context *c, const struct options *o)
2943{
2944 size_t mtu;
2945
2946 if (o->ce.link_mtu_defined)
2947 {
2948 ASSERT(o->ce.link_mtu_defined);
2949 /* if we have a link mtu defined we calculate what the old code
2950 * would have come up with as tun-mtu */
2951 size_t overhead = frame_calculate_protocol_header_size(&c->c1.ks.key_type,
2952 o, true);
2953 mtu = o->ce.link_mtu - overhead;
2954
2955 }
2956 else
2957 {
2958 ASSERT(o->ce.tun_mtu_defined);
2959 mtu = o->ce.tun_mtu;
2960 }
2961
2962 if (mtu < TUN_MTU_MIN)
2963 {
2964 msg(M_WARN, "TUN MTU value (%zu) must be at least %d", mtu, TUN_MTU_MIN);
2965 frame_print(&c->c2.frame, M_FATAL, "MTU is too small");
2966 }
2967 return mtu;
2968}
2969
2970/*
2971 * Finalize MTU parameters based on command line or config file options.
2972 */
2973static void
2974frame_finalize_options(struct context *c, const struct options *o)
2975{
2976 if (!o)
2977 {
2978 o = &c->options;
2979 }
2980
2981 struct frame *frame = &c->c2.frame;
2982
2983 frame->tun_mtu = get_frame_mtu(c, o);
2984 frame->tun_max_mtu = o->ce.tun_mtu_max;
2985
2986 /* max mtu needs to be at least as large as the tun mtu */
2987 frame->tun_max_mtu = max_int(frame->tun_mtu, frame->tun_max_mtu);
2988
2989 /* We always allow at least 1600 MTU packets to be received in our buffer
2990 * space to allow server to push "baby giant" MTU sizes */
2991 frame->tun_max_mtu = max_int(1600, frame->tun_max_mtu);
2992
2993 size_t payload_size = frame->tun_max_mtu;
2994
2995 /* we need to be also large enough to hold larger control channel packets
2996 * if configured */
2997 payload_size = max_int(payload_size, o->ce.tls_mtu);
2998
2999 /* The extra tun needs to be added to the payload size */
3000 if (o->ce.tun_mtu_defined)
3001 {
3002 payload_size += o->ce.tun_mtu_extra;
3003 }
3004
3005 /* Add 32 byte of extra space in the buffer to account for small errors
3006 * in the calculation */
3007 payload_size += 32;
3008
3009
3010 /* the space that is reserved before the payload to add extra headers to it
3011 * we always reserve the space for the worst case */
3012 size_t headroom = 0;
3013
3014 /* includes IV and packet ID */
3015 headroom += crypto_max_overhead();
3016
3017 /* peer id + opcode */
3018 headroom += 4;
3019
3020 /* socks proxy header */
3021 headroom += 10;
3022
3023 /* compression header and fragment header (part of the encrypted payload) */
3024 headroom += 1 + 1;
3025
3026 /* Round up headroom to the next multiple of 4 to ensure alignment */
3027 headroom = (headroom + 3) & ~3;
3028
3029 /* Add the headroom to the payloadsize as a received (IP) packet can have
3030 * all the extra headers in it */
3031 payload_size += headroom;
3032
3033 /* the space after the payload, this needs some extra buffer space for
3034 * encryption so headroom is probably too much but we do not really care
3035 * the few extra bytes */
3036 size_t tailroom = headroom;
3037
3038#ifdef USE_COMP
3039 msg(D_MTU_DEBUG, "MTU: adding %zu buffer tailroom for compression for %zu "
3040 "bytes of payload",
3041 COMP_EXTRA_BUFFER(payload_size), payload_size);
3042 tailroom += COMP_EXTRA_BUFFER(payload_size);
3043#endif
3044
3045 frame->buf.payload_size = payload_size;
3046 frame->buf.headroom = headroom;
3047 frame->buf.tailroom = tailroom;
3048}
3049
3050/*
3051 * Free a key schedule, including OpenSSL components.
3052 */
3053static void
3054key_schedule_free(struct key_schedule *ks, bool free_ssl_ctx)
3055{
3056 free_key_ctx_bi(&ks->static_key);
3057 if (tls_ctx_initialised(&ks->ssl_ctx) && free_ssl_ctx)
3058 {
3059 tls_ctx_free(&ks->ssl_ctx);
3060 free_key_ctx(&ks->auth_token_key);
3061 }
3062 CLEAR(*ks);
3063}
3064
3065static void
3066init_crypto_pre(struct context *c, const unsigned int flags)
3067{
3068 if (c->options.engine)
3069 {
3070 crypto_init_lib_engine(c->options.engine);
3071 }
3072
3073 if (flags & CF_LOAD_PERSISTED_PACKET_ID)
3074 {
3075 /* load a persisted packet-id for cross-session replay-protection */
3076 if (c->options.packet_id_file)
3077 {
3078 packet_id_persist_load(&c->c1.pid_persist, c->options.packet_id_file);
3079 }
3080 }
3081
3082#ifdef ENABLE_PREDICTION_RESISTANCE
3083 if (c->options.use_prediction_resistance)
3084 {
3085 rand_ctx_enable_prediction_resistance();
3086 }
3087#endif
3088}
3089
3090/*
3091 * Static Key Mode (using a pre-shared key)
3092 */
3093static void
3094do_init_crypto_static(struct context *c, const unsigned int flags)
3095{
3096 const struct options *options = &c->options;
3097 ASSERT(options->shared_secret_file);
3098
3099 init_crypto_pre(c, flags);
3100
3101 /* Initialize flags */
3102 if (c->options.mute_replay_warnings)
3103 {
3104 c->c2.crypto_options.flags |= CO_MUTE_REPLAY_WARNINGS;
3105 }
3106
3107 /* Initialize packet ID tracking */
3108 packet_id_init(&c->c2.crypto_options.packet_id,
3109 options->replay_window,
3110 options->replay_time,
3111 "STATIC", 0);
3112 c->c2.crypto_options.pid_persist = &c->c1.pid_persist;
3113 c->c2.crypto_options.flags |= CO_PACKET_ID_LONG_FORM;
3114 packet_id_persist_load_obj(&c->c1.pid_persist,
3115 &c->c2.crypto_options.packet_id);
3116
3117 if (!key_ctx_bi_defined(&c->c1.ks.static_key))
3118 {
3119 /* Get cipher & hash algorithms */
3120 init_key_type(&c->c1.ks.key_type, options->ciphername, options->authname,
3121 options->test_crypto, true);
3122
3123 /* Read cipher and hmac keys from shared secret file */
3124 crypto_read_openvpn_key(&c->c1.ks.key_type, &c->c1.ks.static_key,
3125 options->shared_secret_file,
3126 options->shared_secret_file_inline,
3127 options->key_direction, "Static Key Encryption",
3128 "secret", NULL);
3129 }
3130 else
3131 {
3132 msg(M_INFO, "Re-using pre-shared static key");
3133 }
3134
3135 /* Get key schedule */
3136 c->c2.crypto_options.key_ctx_bi = c->c1.ks.static_key;
3137}
3138
3139/*
3140 * Initialize the tls-auth/crypt key context
3141 */
3142static void
3143do_init_tls_wrap_key(struct context *c)
3144{
3145 const struct options *options = &c->options;
3146
3147 /* TLS handshake authentication (--tls-auth) */
3148 if (options->ce.tls_auth_file)
3149 {
3150 /* Initialize key_type for tls-auth with auth only */
3151 CLEAR(c->c1.ks.tls_auth_key_type);
3152 c->c1.ks.tls_auth_key_type.cipher = "none";
3153 c->c1.ks.tls_auth_key_type.digest = options->authname;
3154 if (!md_valid(options->authname))
3155 {
3156 msg(M_FATAL, "ERROR: tls-auth enabled, but no valid --auth "
3157 "algorithm specified ('%s')", options->authname);
3158 }
3159
3160 crypto_read_openvpn_key(&c->c1.ks.tls_auth_key_type,
3161 &c->c1.ks.tls_wrap_key,
3162 options->ce.tls_auth_file,
3163 options->ce.tls_auth_file_inline,
3164 options->ce.key_direction,
3165 "Control Channel Authentication", "tls-auth",
3166 &c->c1.ks.original_wrap_keydata);
3167 }
3168
3169 /* TLS handshake encryption+authentication (--tls-crypt) */
3170 if (options->ce.tls_crypt_file)
3171 {
3172 tls_crypt_init_key(&c->c1.ks.tls_wrap_key,
3173 &c->c1.ks.original_wrap_keydata,
3174 options->ce.tls_crypt_file,
3175 options->ce.tls_crypt_file_inline,
3176 options->tls_server);
3177 }
3178
3179 /* tls-crypt with client-specific keys (--tls-crypt-v2) */
3180 if (options->ce.tls_crypt_v2_file)
3181 {
3182 if (options->tls_server)
3183 {
3184 tls_crypt_v2_init_server_key(&c->c1.ks.tls_crypt_v2_server_key,
3185 true, options->ce.tls_crypt_v2_file,
3186 options->ce.tls_crypt_v2_file_inline);
3187 }
3188 else
3189 {
3190 tls_crypt_v2_init_client_key(&c->c1.ks.tls_wrap_key,
3191 &c->c1.ks.original_wrap_keydata,
3192 &c->c1.ks.tls_crypt_v2_wkc,
3193 options->ce.tls_crypt_v2_file,
3194 options->ce.tls_crypt_v2_file_inline);
3195 }
3196 /* We have to ensure that the loaded tls-crypt key is small enough
3197 * to fit into the initial hard reset v3 packet */
3198 int wkc_len = buf_len(&c->c1.ks.tls_crypt_v2_wkc);
3199
3200 /* empty ACK/message id, tls-crypt, Opcode, UDP, ipv6 */
3201 int required_size = 5 + wkc_len + tls_crypt_buf_overhead() + 1 + 8 + 40;
3202
3203 if (required_size > c->options.ce.tls_mtu)
3204 {
3205 msg(M_WARN, "ERROR: tls-crypt-v2 client key too large to work with "
3206 "requested --max-packet-size %d, requires at least "
3207 "--max-packet-size %d. Packets will ignore requested "
3208 "maximum packet size", c->options.ce.tls_mtu,
3209 required_size);
3210 }
3211 }
3212
3213
3214}
3215
3216/*
3217 * Initialize the persistent component of OpenVPN's TLS mode,
3218 * which is preserved across SIGUSR1 resets.
3219 */
3220static void
3221do_init_crypto_tls_c1(struct context *c)
3222{
3223 const struct options *options = &c->options;
3224
3225 if (!tls_ctx_initialised(&c->c1.ks.ssl_ctx))
3226 {
3227 /*
3228 * Initialize the OpenSSL library's global
3229 * SSL context.
3230 */
3231 init_ssl(options, &(c->c1.ks.ssl_ctx), c->c0 && c->c0->uid_gid_chroot_set);
3232 if (!tls_ctx_initialised(&c->c1.ks.ssl_ctx))
3233 {
3234 switch (auth_retry_get())
3235 {
3236 case AR_NONE:
3237 msg(M_FATAL, "Error: private key password verification failed");
3238 break;
3239
3240 case AR_INTERACT:
3241 ssl_purge_auth(false);
3242 /* Intentional [[fallthrough]]; */
3243
3244 case AR_NOINTERACT:
3245 /* SOFT-SIGUSR1 -- Password failure error */
3246 register_signal(c->sig, SIGUSR1, "private-key-password-failure");
3247 break;
3248
3249 default:
3250 ASSERT(0);
3251 }
3252 return;
3253 }
3254
3255 /*
3256 * BF-CBC is allowed to be used only when explicitly configured
3257 * as NCP-fallback or when NCP has been disabled or explicitly
3258 * allowed in the in ncp_ciphers list.
3259 * In all other cases do not attempt to initialize BF-CBC as it
3260 * may not even be supported by the underlying SSL library.
3261 *
3262 * Therefore, the key structure has to be initialized when:
3263 * - any non-BF-CBC cipher was selected; or
3264 * - BF-CBC is selected, NCP is enabled and fallback is enabled
3265 * (BF-CBC will be the fallback).
3266 * - BF-CBC is in data-ciphers and we negotiate to use BF-CBC:
3267 * If the negotiated cipher and options->ciphername are the
3268 * same we do not reinit the cipher
3269 *
3270 * Note that BF-CBC will still be part of the OCC string to retain
3271 * backwards compatibility with older clients.
3272 */
3273 const char *ciphername = options->ciphername;
3274 if (streq(options->ciphername, "BF-CBC")
3275 && !tls_item_in_cipher_list("BF-CBC", options->ncp_ciphers)
3276 && !options->enable_ncp_fallback)
3277 {
3278 ciphername = "none";
3279 }
3280
3281 /* Do not warn if the cipher is used only in OCC */
3282 bool warn = options->enable_ncp_fallback;
3283 init_key_type(&c->c1.ks.key_type, ciphername, options->authname,
3284 true, warn);
3285
3286 /* initialize tls-auth/crypt/crypt-v2 key */
3287 do_init_tls_wrap_key(c);
3288
3289 /* initialise auth-token crypto support */
3290 if (c->options.auth_token_generate)
3291 {
3292 auth_token_init_secret(&c->c1.ks.auth_token_key,
3293 c->options.auth_token_secret_file,
3294 c->options.auth_token_secret_file_inline);
3295 }
3296
3297#if 0 /* was: #if ENABLE_INLINE_FILES -- Note that enabling this code will break restarts */
3298 if (options->priv_key_file_inline)
3299 {
3300 string_clear(c->options.priv_key_file_inline);
3301 c->options.priv_key_file_inline = NULL;
3302 }
3303#endif
3304 }
3305 else
3306 {
3307 msg(D_INIT_MEDIUM, "Re-using SSL/TLS context");
3308
3309 /*
3310 * tls-auth/crypt key can be configured per connection block, therefore
3311 * we must reload it as it may have changed
3312 */
3313 do_init_tls_wrap_key(c);
3314 }
3315}
3316
3317static void
3318do_init_crypto_tls(struct context *c, const unsigned int flags)
3319{
3320 const struct options *options = &c->options;
3321 struct tls_options to;
3322 bool packet_id_long_form;
3323
3324 ASSERT(options->tls_server || options->tls_client);
3325 ASSERT(!options->test_crypto);
3326
3327 init_crypto_pre(c, flags);
3328
3329 /* Make sure we are either a TLS client or server but not both */
3330 ASSERT(options->tls_server == !options->tls_client);
3331
3332 /* initialize persistent component */
3333 do_init_crypto_tls_c1(c);
3334 if (IS_SIG(c))
3335 {
3336 return;
3337 }
3338
3339 /* In short form, unique datagram identifier is 32 bits, in long form 64 bits */
3340 packet_id_long_form = cipher_kt_mode_ofb_cfb(c->c1.ks.key_type.cipher);
3341
3342 /* Set all command-line TLS-related options */
3343 CLEAR(to);
3344
3345 if (options->mute_replay_warnings)
3346 {
3347 to.crypto_flags |= CO_MUTE_REPLAY_WARNINGS;
3348 }
3349
3350 to.crypto_flags &= ~(CO_PACKET_ID_LONG_FORM);
3351 if (packet_id_long_form)
3352 {
3353 to.crypto_flags |= CO_PACKET_ID_LONG_FORM;
3354 }
3355
3356 to.ssl_ctx = c->c1.ks.ssl_ctx;
3357 to.key_type = c->c1.ks.key_type;
3358 to.server = options->tls_server;
3359 to.replay_window = options->replay_window;
3360 to.replay_time = options->replay_time;
3361 to.config_ciphername = c->options.ciphername;
3362 to.config_ncp_ciphers = c->options.ncp_ciphers;
3363 to.transition_window = options->transition_window;
3364 to.handshake_window = options->handshake_window;
3365 to.packet_timeout = options->tls_timeout;
3366 to.renegotiate_bytes = options->renegotiate_bytes;
3367 to.renegotiate_packets = options->renegotiate_packets;
3368 if (options->renegotiate_seconds_min < 0)
3369 {
3370 /* Add 10% jitter to reneg-sec by default (server side only) */
3371 int auto_jitter = options->mode != MODE_SERVER ? 0 :
3372 get_random() % max_int(options->renegotiate_seconds / 10, 1);
3373 to.renegotiate_seconds = options->renegotiate_seconds - auto_jitter;
3374 }
3375 else
3376 {
3377 /* Add user-specified jitter to reneg-sec */
3378 to.renegotiate_seconds = options->renegotiate_seconds
3379 -(get_random() % max_int(options->renegotiate_seconds
3380 - options->renegotiate_seconds_min, 1));
3381 }
3382 to.single_session = options->single_session;
3383 to.mode = options->mode;
3384 to.pull = options->pull;
3385 if (options->push_peer_info) /* all there is */
3386 {
3387 to.push_peer_info_detail = 3;
3388 }
3389 else if (options->pull) /* pull clients send some details */
3390 {
3391 to.push_peer_info_detail = 2;
3392 }
3393 else if (options->mode == MODE_SERVER) /* server: no peer info at all */
3394 {
3395 to.push_peer_info_detail = 0;
3396 }
3397 else /* default: minimal info to allow NCP in P2P mode */
3398 {
3399 to.push_peer_info_detail = 1;
3400 }
3401
3402 /* Check if the DCO drivers support the epoch data format */
3403 if (dco_enabled(options))
3404 {
3405 to.data_epoch_supported = dco_supports_epoch_data(c);
3406 }
3407 else
3408 {
3409 to.data_epoch_supported = true;
3410 }
3411
3412 /* should we not xmit any packets until we get an initial
3413 * response from client? */
3414 if (to.server && c->mode == CM_CHILD_TCP)
3415 {
3416 to.xmit_hold = true;
3417 }
3418
3419 to.verify_command = options->tls_verify;
3420 to.verify_x509_type = (options->verify_x509_type & 0xff);
3421 to.verify_x509_name = options->verify_x509_name;
3422 to.crl_file = options->crl_file;
3423 to.crl_file_inline = options->crl_file_inline;
3424 to.ssl_flags = options->ssl_flags;
3425 to.ns_cert_type = options->ns_cert_type;
3426 memcpy(to.remote_cert_ku, options->remote_cert_ku, sizeof(to.remote_cert_ku));
3427 to.remote_cert_eku = options->remote_cert_eku;
3428 to.verify_hash = options->verify_hash;
3429 to.verify_hash_algo = options->verify_hash_algo;
3430 to.verify_hash_depth = options->verify_hash_depth;
3431 to.verify_hash_no_ca = options->verify_hash_no_ca;
3432#ifdef ENABLE_X509ALTUSERNAME
3433 memcpy(to.x509_username_field, options->x509_username_field, sizeof(to.x509_username_field));
3434#else
3435 to.x509_username_field[0] = X509_USERNAME_FIELD_DEFAULT;
3436#endif
3437 to.es = c->c2.es;
3438 to.net_ctx = &c->net_ctx;
3439
3440#ifdef ENABLE_DEBUG
3441 to.gremlin = c->options.gremlin;
3442#endif
3443
3444 to.plugins = c->plugins;
3445
3446#ifdef ENABLE_MANAGEMENT
3447 to.mda_context = &c->c2.mda_context;
3448#endif
3449
3450 to.auth_user_pass_verify_script = options->auth_user_pass_verify_script;
3451 to.auth_user_pass_verify_script_via_file = options->auth_user_pass_verify_script_via_file;
3452 to.client_crresponse_script = options->client_crresponse_script;
3453 to.tmp_dir = options->tmp_dir;
3454 to.export_peer_cert_dir = options->tls_export_peer_cert_dir;
3455 if (options->ccd_exclusive)
3456 {
3457 to.client_config_dir_exclusive = options->client_config_dir;
3458 }
3459 to.auth_user_pass_file = options->auth_user_pass_file;
3460 to.auth_user_pass_file_inline = options->auth_user_pass_file_inline;
3461 to.auth_token_generate = options->auth_token_generate;
3462 to.auth_token_lifetime = options->auth_token_lifetime;
3463 to.auth_token_renewal = options->auth_token_renewal;
3464 to.auth_token_call_auth = options->auth_token_call_auth;
3465 to.auth_token_key = c->c1.ks.auth_token_key;
3466
3467 to.x509_track = options->x509_track;
3468
3469#ifdef ENABLE_MANAGEMENT
3470 to.sci = &options->sc_info;
3471#endif
3472
3473#ifdef USE_COMP
3474 to.comp_options = options->comp;
3475#endif
3476
3477#ifdef HAVE_EXPORT_KEYING_MATERIAL
3478 if (options->keying_material_exporter_label)
3479 {
3480 to.ekm_size = options->keying_material_exporter_length;
3481 if (to.ekm_size < 16 || to.ekm_size > 4095)
3482 {
3483 to.ekm_size = 0;
3484 }
3485
3486 to.ekm_label = options->keying_material_exporter_label;
3487 to.ekm_label_size = strlen(to.ekm_label);
3488 }
3489 else
3490 {
3491 to.ekm_size = 0;
3492 }
3493#endif /* HAVE_EXPORT_KEYING_MATERIAL */
3494
3495 /* TLS handshake authentication (--tls-auth) */
3496 if (options->ce.tls_auth_file)
3497 {
3498 to.tls_wrap.mode = TLS_WRAP_AUTH;
3499 }
3500
3501 /* TLS handshake encryption (--tls-crypt) */
3502 if (options->ce.tls_crypt_file
3503 || (options->ce.tls_crypt_v2_file && options->tls_client))
3504 {
3505 to.tls_wrap.mode = TLS_WRAP_CRYPT;
3506 }
3507
3508 if (to.tls_wrap.mode == TLS_WRAP_AUTH || to.tls_wrap.mode == TLS_WRAP_CRYPT)
3509 {
3510 to.tls_wrap.opt.key_ctx_bi = c->c1.ks.tls_wrap_key;
3511 to.tls_wrap.opt.pid_persist = &c->c1.pid_persist;
3512 to.tls_wrap.opt.flags |= CO_PACKET_ID_LONG_FORM;
3513 to.tls_wrap.original_wrap_keydata = c->c1.ks.original_wrap_keydata;
3514 }
3515
3516 if (options->ce.tls_crypt_v2_file)
3517 {
3518 to.tls_crypt_v2 = true;
3519 to.tls_wrap.tls_crypt_v2_wkc = &c->c1.ks.tls_crypt_v2_wkc;
3520
3521 if (options->tls_server)
3522 {
3523 to.tls_wrap.tls_crypt_v2_server_key = c->c1.ks.tls_crypt_v2_server_key;
3524 to.tls_crypt_v2_verify_script = c->options.tls_crypt_v2_verify_script;
3525 if (options->ce.tls_crypt_v2_force_cookie)
3526 {
3527 to.tls_wrap.opt.flags |= CO_FORCE_TLSCRYPTV2_COOKIE;
3528 }
3529 }
3530 }
3531
3532 /* let the TLS engine know if keys have to be installed in DCO or not */
3533 to.dco_enabled = dco_enabled(options);
3534
3535 /*
3536 * Initialize OpenVPN's master TLS-mode object.
3537 */
3538 if (flags & CF_INIT_TLS_MULTI)
3539 {
3540 c->c2.tls_multi = tls_multi_init(&to);
3541 /* inherit the dco context from the tuntap object */
3542 if (c->c1.tuntap)
3543 {
3544 c->c2.tls_multi->dco = &c->c1.tuntap->dco;
3545 }
3546 }
3547
3548 if (flags & CF_INIT_TLS_AUTH_STANDALONE)
3549 {
3550 c->c2.tls_auth_standalone = tls_auth_standalone_init(&to, &c->c2.gc);
3551 c->c2.session_id_hmac = session_id_hmac_init();
3552 }
3553}
3554
3555static void
3556do_init_frame_tls(struct context *c)
3557{
3558 if (c->c2.tls_multi)
3559 {
3560 tls_multi_init_finalize(c->c2.tls_multi, c->options.ce.tls_mtu);
3561 ASSERT(c->c2.tls_multi->opt.frame.buf.payload_size <=
3562 c->c2.frame.buf.payload_size);
3563 frame_print(&c->c2.tls_multi->opt.frame, D_MTU_INFO,
3564 "Control Channel MTU parms");
3565
3566 /* Keep the max mtu also in the frame of tls multi so it can access
3567 * it in push_peer_info */
3568 c->c2.tls_multi->opt.frame.tun_max_mtu = c->c2.frame.tun_max_mtu;
3569 }
3570 if (c->c2.tls_auth_standalone)
3571 {
3572 tls_init_control_channel_frame_parameters(&c->c2.tls_auth_standalone->frame, c->options.ce.tls_mtu);
3573 frame_print(&c->c2.tls_auth_standalone->frame, D_MTU_INFO,
3574 "TLS-Auth MTU parms");
3575 c->c2.tls_auth_standalone->tls_wrap.work = alloc_buf_gc(BUF_SIZE(&c->c2.frame), &c->c2.gc);
3576 c->c2.tls_auth_standalone->workbuf = alloc_buf_gc(BUF_SIZE(&c->c2.frame), &c->c2.gc);
3577 }
3578}
3579
3580/*
3581 * No encryption or authentication.
3582 */
3583static void
3584do_init_crypto_none(struct context *c)
3585{
3586 ASSERT(!c->options.test_crypto);
3587
3588 /* Initialise key_type with auth/cipher "none", so the key_type struct is
3589 * valid */
3590 init_key_type(&c->c1.ks.key_type, "none", "none",
3591 c->options.test_crypto, true);
3592
3593 msg(M_WARN,
3594 "******* WARNING *******: All encryption and authentication features "
3595 "disabled -- All data will be tunnelled as clear text and will not be "
3596 "protected against man-in-the-middle changes. "
3597 "PLEASE DO RECONSIDER THIS CONFIGURATION!");
3598}
3599
3600static void
3601do_init_crypto(struct context *c, const unsigned int flags)
3602{
3603 if (c->options.shared_secret_file)
3604 {
3605 do_init_crypto_static(c, flags);
3606 }
3607 else if (c->options.tls_server || c->options.tls_client)
3608 {
3609 do_init_crypto_tls(c, flags);
3610 }
3611 else /* no encryption or authentication. */
3612 {
3613 do_init_crypto_none(c);
3614 }
3615}
3616
3617static void
3618do_init_frame(struct context *c)
3619{
3620 /*
3621 * Adjust frame size based on the --tun-mtu-extra parameter.
3622 */
3623 if (c->options.ce.tun_mtu_extra_defined)
3624 {
3625 c->c2.frame.extra_tun += c->options.ce.tun_mtu_extra;
3626 }
3627
3628 /*
3629 * Fill in the blanks in the frame parameters structure,
3630 * make sure values are rational, etc.
3631 */
3632 frame_finalize_options(c, NULL);
3633
3634
3635#if defined(ENABLE_FRAGMENT)
3636 /*
3637 * MTU advisories
3638 */
3639 if (c->options.ce.fragment && c->options.mtu_test)
3640 {
3641 msg(M_WARN,
3642 "WARNING: using --fragment and --mtu-test together may produce an inaccurate MTU test result");
3643 }
3644#endif
3645
3646#ifdef ENABLE_FRAGMENT
3647 if (c->options.ce.fragment > 0 && c->options.ce.mssfix > c->options.ce.fragment)
3648 {
3649 msg(M_WARN, "WARNING: if you use --mssfix and --fragment, you should "
3650 "set --fragment (%d) larger or equal than --mssfix (%d)",
3651 c->options.ce.fragment, c->options.ce.mssfix);
3652 }
3653 if (c->options.ce.fragment > 0 && c->options.ce.mssfix > 0
3654 && c->options.ce.fragment_encap != c->options.ce.mssfix_encap)
3655 {
3656 msg(M_WARN, "WARNING: if you use --mssfix and --fragment, you should "
3657 "use the \"mtu\" flag for both or none of of them.");
3658 }
3659#endif
3660}
3661
3662static void
3663do_option_warnings(struct context *c)
3664{
3665 const struct options *o = &c->options;
3666
3667 if (o->ping_send_timeout && !o->ping_rec_timeout)
3668 {
3669 msg(M_WARN, "WARNING: --ping should normally be used with --ping-restart or --ping-exit");
3670 }
3671
3672 if (o->username || o->groupname || o->chroot_dir
3673#ifdef ENABLE_SELINUX
3674 || o->selinux_context
3675#endif
3676 )
3677 {
3678 if (!o->persist_tun)
3679 {
3680 msg(M_WARN, "WARNING: you are using user/group/chroot/setcon without persist-tun -- this may cause restarts to fail");
3681 }
3682 }
3683
3684 if (o->chroot_dir && !(o->username && o->groupname))
3685 {
3686 msg(M_WARN, "WARNING: you are using chroot without specifying user and group -- this may cause the chroot jail to be insecure");
3687 }
3688
3689 if (o->pull && o->ifconfig_local && c->first_time)
3690 {
3691 msg(M_WARN, "WARNING: using --pull/--client and --ifconfig together is probably not what you want");
3692 }
3693
3694 if (o->server_bridge_defined || o->server_bridge_proxy_dhcp)
3695 {
3696 msg(M_WARN, "NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to");
3697 }
3698
3699 if (o->mode == MODE_SERVER)
3700 {
3701 if (o->duplicate_cn && o->client_config_dir)
3702 {
3703 msg(M_WARN, "WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want");
3704 }
3705 if (o->duplicate_cn && o->ifconfig_pool_persist_filename)
3706 {
3707 msg(M_WARN, "WARNING: --ifconfig-pool-persist will not work with --duplicate-cn");
3708 }
3709 if (!o->keepalive_ping || !o->keepalive_timeout)
3710 {
3711 msg(M_WARN, "WARNING: --keepalive option is missing from server config");
3712 }
3713 }
3714
3715 if (o->tls_server)
3716 {
3717 warn_on_use_of_common_subnets(&c->net_ctx);
3718 }
3719 if (o->tls_client
3720 && !o->tls_verify
3721 && o->verify_x509_type == VERIFY_X509_NONE
3722 && !(o->ns_cert_type & NS_CERT_CHECK_SERVER)
3723 && !o->remote_cert_eku
3724 && !(o->verify_hash_depth == 0 && o->verify_hash))
3725 {
3726 msg(M_WARN, "WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.");
3727 }
3728 if (o->ns_cert_type)
3729 {
3730 msg(M_WARN, "WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.");
3731 }
3732
3733 /* If a script is used, print appropriate warnings */
3734 if (o->user_script_used)
3735 {
3736 if (script_security() >= SSEC_SCRIPTS)
3737 {
3738 msg(M_WARN, "NOTE: the current --script-security setting may allow this configuration to call user-defined scripts");
3739 }
3740 else if (script_security() >= SSEC_PW_ENV)
3741 {
3742 msg(M_WARN, "WARNING: the current --script-security setting may allow passwords to be passed to scripts via environmental variables");
3743 }
3744 else
3745 {
3746 msg(M_WARN, "NOTE: starting with " PACKAGE_NAME " 2.1, '--script-security 2' or higher is required to call user-defined scripts or executables");
3747 }
3748 }
3749}
3750
3751struct context_buffers *
3752init_context_buffers(const struct frame *frame)
3753{
3754 struct context_buffers *b;
3755
3756 ALLOC_OBJ_CLEAR(b, struct context_buffers);
3757
3758 size_t buf_size = BUF_SIZE(frame);
3759
3760 b->read_link_buf = alloc_buf(buf_size);
3761 b->read_tun_buf = alloc_buf(buf_size);
3762
3763 b->aux_buf = alloc_buf(buf_size);
3764
3765 b->encrypt_buf = alloc_buf(buf_size);
3766 b->decrypt_buf = alloc_buf(buf_size);
3767
3768#ifdef USE_COMP
3769 b->compress_buf = alloc_buf(buf_size);
3770 b->decompress_buf = alloc_buf(buf_size);
3771#endif
3772
3773 return b;
3774}
3775
3776void
3777free_context_buffers(struct context_buffers *b)
3778{
3779 if (b)
3780 {
3781 free_buf(&b->read_link_buf);
3782 free_buf(&b->read_tun_buf);
3783 free_buf(&b->aux_buf);
3784
3785#ifdef USE_COMP
3786 free_buf(&b->compress_buf);
3787 free_buf(&b->decompress_buf);
3788#endif
3789
3790 free_buf(&b->encrypt_buf);
3791 free_buf(&b->decrypt_buf);
3792
3793 free(b);
3794 }
3795}
3796
3797/*
3798 * Now that we know all frame parameters, initialize
3799 * our buffers.
3800 */
3801static void
3802do_init_buffers(struct context *c)
3803{
3804 c->c2.buffers = init_context_buffers(&c->c2.frame);
3805 c->c2.buffers_owned = true;
3806}
3807
3808#ifdef ENABLE_FRAGMENT
3809/*
3810 * Fragmenting code has buffers to initialize
3811 * once frame parameters are known.
3812 */
3813static void
3814do_init_fragment(struct context *c)
3815{
3816 ASSERT(c->options.ce.fragment);
3817
3818 /*
3819 * Set frame parameter for fragment code. This is necessary because
3820 * the fragmentation code deals with payloads which have already been
3821 * passed through the compression code.
3822 */
3823 c->c2.frame_fragment = c->c2.frame;
3824
3825 frame_calculate_dynamic(&c->c2.frame_fragment, &c->c1.ks.key_type,
3826 &c->options, get_link_socket_info(c));
3827 fragment_frame_init(c->c2.fragment, &c->c2.frame_fragment);
3828}
3829#endif
3830
3831/*
3832 * Allocate our socket object.
3833 */
3834static void
3835do_link_socket_new(struct context *c)
3836{
3837 ASSERT(!c->c2.link_sockets);
3838
3839 ALLOC_ARRAY_GC(c->c2.link_sockets, struct link_socket *,
3840 c->c1.link_sockets_num, &c->c2.gc);
3841
3842 for (int i = 0; i < c->c1.link_sockets_num; i++)
3843 {
3844 c->c2.link_sockets[i] = link_socket_new();
3845 }
3846 c->c2.link_socket_owned = true;
3847}
3848
3849/*
3850 * bind TCP/UDP sockets
3851 */
3852static void
3853do_init_socket_phase1(struct context *c)
3854{
3855 for (int i = 0; i < c->c1.link_sockets_num; i++)
3856 {
3857 int mode = LS_MODE_DEFAULT;
3858
3859 /* mode allows CM_CHILD_TCP
3860 * instances to inherit acceptable fds
3861 * from a top-level parent */
3862 if (c->options.mode == MODE_SERVER)
3863 {
3864 /* initializing listening socket */
3865 if (c->mode == CM_TOP)
3866 {
3867 mode = LS_MODE_TCP_LISTEN;
3868 }
3869 /* initializing socket to client */
3870 else if (c->mode == CM_CHILD_TCP)
3871 {
3872 mode = LS_MODE_TCP_ACCEPT_FROM;
3873 }
3874 }
3875
3876 /* init each socket with its specific args */
3877 link_socket_init_phase1(c, i, mode);
3878 }
3879}
3880
3881/*
3882 * finalize TCP/UDP sockets
3883 */
3884static void
3885do_init_socket_phase2(struct context *c)
3886{
3887 for (int i = 0; i < c->c1.link_sockets_num; i++)
3888 {
3889 link_socket_init_phase2(c, c->c2.link_sockets[i]);
3890 }
3891}
3892
3893/*
3894 * Print MTU INFO
3895 */
3896static void
3897do_print_data_channel_mtu_parms(struct context *c)
3898{
3899 frame_print(&c->c2.frame, D_MTU_INFO, "Data Channel MTU parms");
3900#ifdef ENABLE_FRAGMENT
3901 if (c->c2.fragment)
3902 {
3903 frame_print(&c->c2.frame_fragment, D_MTU_INFO,
3904 "Fragmentation MTU parms");
3905 }
3906#endif
3907}
3908
3909/*
3910 * Get local and remote options compatibility strings.
3911 */
3912static void
3913do_compute_occ_strings(struct context *c)
3914{
3915 struct gc_arena gc = gc_new();
3916
3917 c->c2.options_string_local =
3918 options_string(&c->options, &c->c2.frame, c->c1.tuntap, &c->net_ctx,
3919 false, &gc);
3920 c->c2.options_string_remote =
3921 options_string(&c->options, &c->c2.frame, c->c1.tuntap, &c->net_ctx,
3922 true, &gc);
3923
3924 msg(D_SHOW_OCC, "Local Options String (VER=%s): '%s'",
3925 options_string_version(c->c2.options_string_local, &gc),
3926 c->c2.options_string_local);
3927 msg(D_SHOW_OCC, "Expected Remote Options String (VER=%s): '%s'",
3928 options_string_version(c->c2.options_string_remote, &gc),
3929 c->c2.options_string_remote);
3930
3931 if (c->c2.tls_multi)
3932 {
3933 tls_multi_init_set_options(c->c2.tls_multi,
3934 c->c2.options_string_local,
3935 c->c2.options_string_remote);
3936 }
3937
3938 gc_free(&gc);
3939}
3940
3941/*
3942 * These things can only be executed once per program instantiation.
3943 * Set up for possible UID/GID downgrade, but don't do it yet.
3944 * Daemonize if requested.
3945 */
3946static void
3947do_init_first_time(struct context *c)
3948{
3949 if (c->first_time && !c->c0)
3950 {
3951 struct context_0 *c0;
3952
3953 ALLOC_OBJ_CLEAR_GC(c->c0, struct context_0, &c->gc);
3954 c0 = c->c0;
3955
3956 /* get user and/or group that we want to setuid/setgid to,
3957 * sets also platform_x_state */
3958 bool group_defined = platform_group_get(c->options.groupname,
3959 &c0->platform_state_group);
3960 bool user_defined = platform_user_get(c->options.username,
3961 &c0->platform_state_user);
3962
3963 c0->uid_gid_specified = user_defined || group_defined;
3964
3965 /* perform postponed chdir if --daemon */
3966 if (c->did_we_daemonize && c->options.cd_dir == NULL)
3967 {
3968 platform_chdir("/");
3969 }
3970
3971 /* should we change scheduling priority? */
3972 platform_nice(c->options.nice);
3973 }
3974}
3975
3976/*
3977 * free buffers
3978 */
3979static void
3980do_close_free_buf(struct context *c)
3981{
3982 if (c->c2.buffers_owned)
3983 {
3984 free_context_buffers(c->c2.buffers);
3985 c->c2.buffers = NULL;
3986 c->c2.buffers_owned = false;
3987 }
3988}
3989
3990/*
3991 * close TLS
3992 */
3993static void
3994do_close_tls(struct context *c)
3995{
3996 if (c->c2.tls_multi)
3997 {
3998 tls_multi_free(c->c2.tls_multi, true);
3999 c->c2.tls_multi = NULL;
4000 }
4001
4002 /* free options compatibility strings */
4003 free(c->c2.options_string_local);
4004 free(c->c2.options_string_remote);
4005
4006 c->c2.options_string_local = c->c2.options_string_remote = NULL;
4007
4008 if (c->c2.pulled_options_state)
4009 {
4010 md_ctx_cleanup(c->c2.pulled_options_state);
4011 md_ctx_free(c->c2.pulled_options_state);
4012 }
4013
4014 tls_auth_standalone_free(c->c2.tls_auth_standalone);
4015}
4016
4017/*
4018 * Free key schedules
4019 */
4020static void
4021do_close_free_key_schedule(struct context *c, bool free_ssl_ctx)
4022{
4023 /*
4024 * always free the tls_auth/crypt key. The key will
4025 * be reloaded from memory (pre-cached)
4026 */
4027 free_key_ctx(&c->c1.ks.tls_crypt_v2_server_key);
4028 free_key_ctx_bi(&c->c1.ks.tls_wrap_key);
4029 CLEAR(c->c1.ks.tls_wrap_key);
4030 buf_clear(&c->c1.ks.tls_crypt_v2_wkc);
4031 free_buf(&c->c1.ks.tls_crypt_v2_wkc);
4032
4033 if (!(c->sig->signal_received == SIGUSR1))
4034 {
4035 key_schedule_free(&c->c1.ks, free_ssl_ctx);
4036 }
4037}
4038
4039/*
4040 * Close TCP/UDP connection
4041 */
4042static void
4043do_close_link_socket(struct context *c)
4044{
4045 if (c->c2.link_sockets && c->c2.link_socket_owned)
4046 {
4047 for (int i = 0; i < c->c1.link_sockets_num; i++)
4048 {
4049 /* in dco-win case, link socket is a tun handle which is
4050 * closed in do_close_tun(). Set it to UNDEFINED so
4051 * we won't use WinSock API to close it. */
4052 if (tuntap_is_dco_win(c->c1.tuntap))
4053 {
4054 c->c2.link_sockets[i]->sd = SOCKET_UNDEFINED;
4055 }
4056
4057 link_socket_close(c->c2.link_sockets[i]);
4058 }
4059 c->c2.link_sockets = NULL;
4060 }
4061
4062
4063 /* Preserve the resolved list of remote if the user request to or if we want
4064 * reconnect to the same host again or there are still addresses that need
4065 * to be tried */
4066 if (!(c->sig->signal_received == SIGUSR1
4067 && ( (c->options.persist_remote_ip)
4068 ||
4069 ( c->sig->source != SIG_SOURCE_HARD
4070 && ((c->c1.link_socket_addrs[0].current_remote
4071 && c->c1.link_socket_addrs[0].current_remote->ai_next)
4072 || c->options.no_advance))
4073 )))
4074 {
4075 clear_remote_addrlist(&c->c1.link_socket_addrs[0],
4076 !c->options.resolve_in_advance);
4077 }
4078
4079 /* Clear the remote actual address when persist_remote_ip is not in use */
4080 if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_remote_ip))
4081 {
4082 for (int i = 0; i < c->c1.link_sockets_num; i++)
4083 {
4084 CLEAR(c->c1.link_socket_addrs[i].actual);
4085 }
4086 }
4087
4088 if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_local_ip))
4089 {
4090 for (int i = 0; i < c->c1.link_sockets_num; i++)
4091 {
4092 if (c->c1.link_socket_addrs[i].bind_local
4093 && !c->options.resolve_in_advance)
4094 {
4095 freeaddrinfo(c->c1.link_socket_addrs[i].bind_local);
4096 }
4097
4098 c->c1.link_socket_addrs[i].bind_local = NULL;
4099 }
4100 }
4101}
4102
4103/*
4104 * Close packet-id persistence file
4105 */
4106static void
4107do_close_packet_id(struct context *c)
4108{
4109 packet_id_free(&c->c2.crypto_options.packet_id);
4110 packet_id_persist_save(&c->c1.pid_persist);
4111 if (!(c->sig->signal_received == SIGUSR1))
4112 {
4113 packet_id_persist_close(&c->c1.pid_persist);
4114 }
4115}
4116
4117#ifdef ENABLE_FRAGMENT
4118/*
4119 * Close fragmentation handler.
4120 */
4121static void
4122do_close_fragment(struct context *c)
4123{
4124 if (c->c2.fragment)
4125 {
4126 fragment_free(c->c2.fragment);
4127 c->c2.fragment = NULL;
4128 }
4129}
4130#endif
4131
4132/*
4133 * Open and close our event objects.
4134 */
4135
4136static void
4137do_event_set_init(struct context *c,
4138 bool need_us_timeout)
4139{
4140 unsigned int flags = 0;
4141
4142 c->c2.event_set_max = BASE_N_EVENTS;
4143
4144 flags |= EVENT_METHOD_FAST;
4145
4146 if (need_us_timeout)
4147 {
4148 flags |= EVENT_METHOD_US_TIMEOUT;
4149 }
4150
4151 c->c2.event_set = event_set_init(&c->c2.event_set_max, flags);
4152 c->c2.event_set_owned = true;
4153}
4154
4155static void
4156do_close_event_set(struct context *c)
4157{
4158 if (c->c2.event_set && c->c2.event_set_owned)
4159 {
4160 event_free(c->c2.event_set);
4161 c->c2.event_set = NULL;
4162 c->c2.event_set_owned = false;
4163 }
4164}
4165
4166/*
4167 * Open and close --status file
4168 */
4169
4170static void
4171do_open_status_output(struct context *c)
4172{
4173 if (!c->c1.status_output)
4174 {
4175 c->c1.status_output = status_open(c->options.status_file,
4176 c->options.status_file_update_freq,
4177 -1,
4178 NULL,
4179 STATUS_OUTPUT_WRITE);
4180 c->c1.status_output_owned = true;
4181 }
4182}
4183
4184static void
4185do_close_status_output(struct context *c)
4186{
4187 if (!(c->sig->signal_received == SIGUSR1))
4188 {
4189 if (c->c1.status_output_owned && c->c1.status_output)
4190 {
4191 status_close(c->c1.status_output);
4192 c->c1.status_output = NULL;
4193 c->c1.status_output_owned = false;
4194 }
4195 }
4196}
4197
4198/*
4199 * Handle ifconfig-pool persistence object.
4200 */
4201static void
4211
4212static void
4213do_close_ifconfig_pool_persist(struct context *c)
4214{
4215 if (!(c->sig->signal_received == SIGUSR1))
4216 {
4217 if (c->c1.ifconfig_pool_persist && c->c1.ifconfig_pool_persist_owned)
4218 {
4219 ifconfig_pool_persist_close(c->c1.ifconfig_pool_persist);
4220 c->c1.ifconfig_pool_persist = NULL;
4221 c->c1.ifconfig_pool_persist_owned = false;
4222 }
4223 }
4224}
4225
4226/*
4227 * Inherit environmental variables
4228 */
4229
4230static void
4231do_inherit_env(struct context *c, const struct env_set *src)
4232{
4233 c->c2.es = env_set_create(NULL);
4234 c->c2.es_owned = true;
4235 env_set_inherit(c->c2.es, src);
4236}
4237
4238static void
4239do_env_set_destroy(struct context *c)
4240{
4241 if (c->c2.es && c->c2.es_owned)
4242 {
4243 env_set_destroy(c->c2.es);
4244 c->c2.es = NULL;
4245 c->c2.es_owned = false;
4246 }
4247}
4248
4249/*
4250 * Fast I/O setup. Fast I/O is an optimization which only works
4251 * if all of the following are true:
4252 *
4253 * (1) The platform is not Windows
4254 * (2) --proto udp is enabled
4255 * (3) --shaper is disabled
4256 */
4257static void
4258do_setup_fast_io(struct context *c)
4259{
4260 if (c->options.fast_io)
4261 {
4262#ifdef _WIN32
4263 msg(M_INFO, "NOTE: --fast-io is disabled since we are running on Windows");
4264#else
4265 if (c->options.shaper)
4266 {
4267 msg(M_INFO, "NOTE: --fast-io is disabled since we are using --shaper");
4268 }
4269 else
4270 {
4271 c->c2.fast_io = true;
4272 }
4273#endif
4274 }
4275}
4276
4277static void
4278do_signal_on_tls_errors(struct context *c)
4279{
4280 if (c->options.tls_exit)
4281 {
4282 c->c2.tls_exit_signal = SIGTERM;
4283 }
4284 else
4285 {
4286 c->c2.tls_exit_signal = SIGUSR1;
4287 }
4288}
4289
4290#ifdef ENABLE_PLUGIN
4291
4292void
4293init_plugins(struct context *c)
4294{
4295 if (c->options.plugin_list && !c->plugins)
4296 {
4297 c->plugins = plugin_list_init(c->options.plugin_list);
4298 c->plugins_owned = true;
4299 }
4300}
4301
4302void
4303open_plugins(struct context *c, const bool import_options, int init_point)
4304{
4305 if (c->plugins && c->plugins_owned)
4306 {
4307 if (import_options)
4308 {
4309 struct plugin_return pr, config;
4310 plugin_return_init(&pr);
4311 plugin_list_open(c->plugins, c->options.plugin_list, &pr, c->c2.es, init_point);
4312 plugin_return_get_column(&pr, &config, "config");
4313 if (plugin_return_defined(&config))
4314 {
4315 int i;
4316 for (i = 0; i < config.n; ++i)
4317 {
4318 unsigned int option_types_found = 0;
4319 if (config.list[i] && config.list[i]->value)
4320 {
4321 options_string_import(&c->options,
4322 config.list[i]->value,
4323 D_IMPORT_ERRORS|M_OPTERR,
4324 OPT_P_DEFAULT & ~OPT_P_PLUGIN,
4325 &option_types_found,
4326 c->es);
4327 }
4328 }
4329 }
4330 plugin_return_free(&pr);
4331 }
4332 else
4333 {
4334 plugin_list_open(c->plugins, c->options.plugin_list, NULL, c->c2.es, init_point);
4335 }
4336 }
4337}
4338
4339static void
4340do_close_plugins(struct context *c)
4341{
4342 if (c->plugins && c->plugins_owned && !(c->sig->signal_received == SIGUSR1))
4343 {
4344 plugin_list_close(c->plugins);
4345 c->plugins = NULL;
4346 c->plugins_owned = false;
4347 }
4348}
4349
4350static void
4351do_inherit_plugins(struct context *c, const struct context *src)
4352{
4353 if (!c->plugins && src->plugins)
4354 {
4355 c->plugins = plugin_list_inherit(src->plugins);
4356 c->plugins_owned = true;
4357 }
4358}
4359
4360#endif /* ifdef ENABLE_PLUGIN */
4361
4362#ifdef ENABLE_MANAGEMENT
4363
4364static void
4365management_callback_status_p2p(void *arg, const int version, struct status_output *so)
4366{
4367 struct context *c = (struct context *) arg;
4368 print_status(c, so);
4369}
4370
4371void
4372management_show_net_callback(void *arg, const int msglevel)
4373{
4374#ifdef _WIN32
4375 show_routes(msglevel);
4376 show_adapters(msglevel);
4377 msg(msglevel, "END");
4378#else
4379 msg(msglevel, "ERROR: Sorry, this command is currently only implemented on Windows");
4380#endif
4381}
4382
4383#ifdef TARGET_ANDROID
4384int
4385management_callback_network_change(void *arg, bool samenetwork)
4386{
4387 /* Check if the client should translate the network change to a SIGUSR1 to
4388 * reestablish the connection or just reprotect the socket
4389 *
4390 * At the moment just assume that, for all settings that use pull (not
4391 * --static) and are not using peer-id reestablishing the connection is
4392 * required (unless the network is the same)
4393 *
4394 * The function returns -1 on invalid fd and -2 if the socket cannot be
4395 * reused. On the -2 return value the man_network_change function triggers
4396 * a SIGUSR1 to force a reconnect.
4397 */
4398
4399 int socketfd = -1;
4400 struct context *c = (struct context *) arg;
4401 if (!c->c2.link_sockets || !c->c2.link_sockets[0])
4402 {
4403 return -1;
4404 }
4405 if (c->c2.link_sockets[0]->sd == SOCKET_UNDEFINED)
4406 {
4407 return -1;
4408 }
4409
4410 /* On some newer Android handsets, changing to a different network
4411 * often does not trigger a TCP reset but continue using the old
4412 * connection (e.g. using mobile connection when WiFi becomes available */
4413 struct link_socket_info *lsi = get_link_socket_info(c);
4414 if (lsi && proto_is_tcp(lsi->proto) && !samenetwork)
4415 {
4416 return -2;
4417 }
4418
4419 socketfd = c->c2.link_sockets[0]->sd;
4420 if (!c->options.pull || c->c2.tls_multi->use_peer_id || samenetwork)
4421 {
4422 return socketfd;
4423 }
4424 else
4425 {
4426 return -2;
4427 }
4428}
4429#endif /* ifdef TARGET_ANDROID */
4430
4431#endif /* ifdef ENABLE_MANAGEMENT */
4432
4433void
4434init_management_callback_p2p(struct context *c)
4435{
4436#ifdef ENABLE_MANAGEMENT
4437 if (management)
4438 {
4439 struct management_callback cb;
4440 CLEAR(cb);
4441 cb.arg = c;
4442 cb.status = management_callback_status_p2p;
4443 cb.show_net = management_show_net_callback;
4444 cb.proxy_cmd = management_callback_proxy_cmd;
4445 cb.remote_cmd = management_callback_remote_cmd;
4446 cb.send_cc_message = management_callback_send_cc_message;
4447#ifdef TARGET_ANDROID
4448 cb.network_change = management_callback_network_change;
4449#endif
4450 cb.remote_entry_count = management_callback_remote_entry_count;
4451 cb.remote_entry_get = management_callback_remote_entry_get;
4452 management_set_callback(management, &cb);
4453 }
4454#endif
4455}
4456
4457#ifdef ENABLE_MANAGEMENT
4458
4459void
4460init_management(void)
4461{
4462 if (!management)
4463 {
4464 management = management_init();
4465 }
4466}
4467
4468bool
4469open_management(struct context *c)
4470{
4471 /* initialize management layer */
4472 if (management)
4473 {
4474 if (c->options.management_addr)
4475 {
4476 unsigned int flags = c->options.management_flags;
4477 if (c->options.mode == MODE_SERVER)
4478 {
4479 flags |= MF_SERVER;
4480 }
4481 if (management_open(management,
4482 c->options.management_addr,
4483 c->options.management_port,
4484 c->options.management_user_pass,
4485 c->options.management_client_user,
4486 c->options.management_client_group,
4487 c->options.management_log_history_cache,
4488 c->options.management_echo_buffer_size,
4489 c->options.management_state_buffer_size,
4490 c->options.remap_sigusr1,
4491 flags))
4492 {
4493 management_set_state(management,
4494 OPENVPN_STATE_CONNECTING,
4495 NULL,
4496 NULL,
4497 NULL,
4498 NULL,
4499 NULL);
4500 }
4501
4502 /* initial management hold, called early, before first context initialization */
4503 do_hold(0);
4504 if (IS_SIG(c))
4505 {
4506 msg(M_WARN, "Signal received from management interface, exiting");
4507 return false;
4508 }
4509 }
4510 else
4511 {
4512 close_management();
4513 }
4514 }
4515 return true;
4516}
4517
4518void
4519close_management(void)
4520{
4521 if (management)
4522 {
4523 management_close(management);
4524 management = NULL;
4525 }
4526}
4527
4528#endif /* ifdef ENABLE_MANAGEMENT */
4529
4530
4531void
4532uninit_management_callback(void)
4533{
4534#ifdef ENABLE_MANAGEMENT
4535 if (management)
4536 {
4537 management_clear_callback(management);
4538 }
4539#endif
4540}
4541
4542void
4543persist_client_stats(struct context *c)
4544{
4545#ifdef ENABLE_MANAGEMENT
4546 if (management)
4547 {
4548 man_persist_client_stats(management, c);
4549 }
4550#endif
4551}
4552
4553/*
4554 * Initialize a tunnel instance, handle pre and post-init
4555 * signal settings.
4556 */
4557void
4558init_instance_handle_signals(struct context *c, const struct env_set *env, const unsigned int flags)
4559{
4560 pre_init_signal_catch();
4561 init_instance(c, env, flags);
4562 post_init_signal_catch();
4563
4564 /*
4565 * This is done so that signals thrown during
4566 * initialization can bring us back to
4567 * a management hold.
4568 */
4569 if (IS_SIG(c))
4570 {
4571 remap_signal(c);
4572 uninit_management_callback();
4573 }
4574}
4575
4576/*
4577 * Initialize a tunnel instance.
4578 */
4579void
4580init_instance(struct context *c, const struct env_set *env, const unsigned int flags)
4581{
4582 const struct options *options = &c->options;
4583 const bool child = (c->mode == CM_CHILD_TCP || c->mode == CM_CHILD_UDP);
4584
4585 /* init garbage collection level */
4586 gc_init(&c->c2.gc);
4587
4588 /* inherit environmental variables */
4589 if (env)
4590 {
4591 do_inherit_env(c, env);
4592 }
4593
4594 if (c->mode == CM_P2P)
4595 {
4596 init_management_callback_p2p(c);
4597 }
4598
4599 /* possible sleep or management hold if restart */
4600 if (c->mode == CM_P2P || c->mode == CM_TOP)
4601 {
4602 do_startup_pause(c);
4603 if (IS_SIG(c))
4604 {
4605 goto sig;
4606 }
4607 }
4608
4609 if (c->options.resolve_in_advance)
4610 {
4611 do_preresolve(c);
4612 if (IS_SIG(c))
4613 {
4614 goto sig;
4615 }
4616 }
4617
4618 /* Resets all values to the initial values from the config where needed */
4619 pre_connect_restore(&c->options, &c->c2.gc);
4620
4621 /* map in current connection entry */
4622 next_connection_entry(c);
4623
4624 /* should we disable paging? */
4625 if (c->first_time && options->mlock)
4626 {
4627 platform_mlockall(true);
4628 }
4629
4630 /* get passwords if undefined */
4631 if (auth_retry_get() == AR_INTERACT)
4632 {
4633 init_query_passwords(c);
4634 }
4635
4636 /* initialize context level 2 --verb/--mute parms */
4637 init_verb_mute(c, IVM_LEVEL_2);
4638
4639 /* set error message delay for non-server modes */
4640 if (c->mode == CM_P2P)
4641 {
4642 set_check_status_error_delay(P2P_ERROR_DELAY_MS);
4643 }
4644
4645 /* warn about inconsistent options */
4646 if (c->mode == CM_P2P || c->mode == CM_TOP)
4647 {
4648 do_option_warnings(c);
4649 }
4650
4651#ifdef ENABLE_PLUGIN
4652 /* initialize plugins */
4653 if (c->mode == CM_P2P || c->mode == CM_TOP)
4654 {
4655 open_plugins(c, false, OPENVPN_PLUGIN_INIT_PRE_DAEMON);
4656 }
4657#endif
4658
4659 /* should we enable fast I/O? */
4660 if (c->mode == CM_P2P || c->mode == CM_TOP)
4661 {
4662 do_setup_fast_io(c);
4663 }
4664
4665 /* should we throw a signal on TLS errors? */
4666 do_signal_on_tls_errors(c);
4667
4668 /* open --status file */
4669 if (c->mode == CM_P2P || c->mode == CM_TOP)
4670 {
4671 do_open_status_output(c);
4672 }
4673
4674 /* open --ifconfig-pool-persist file */
4675 if (c->mode == CM_TOP)
4676 {
4677 do_open_ifconfig_pool_persist(c);
4678 }
4679
4680 /* reset OCC state */
4681 if (c->mode == CM_P2P || child)
4682 {
4683 c->c2.occ_op = occ_reset_op();
4684 }
4685
4686 /* our wait-for-i/o objects, different for posix vs. win32 */
4687 if (c->mode == CM_P2P || c->mode == CM_TOP)
4688 {
4689 do_event_set_init(c, SHAPER_DEFINED(&c->options));
4690 }
4691 else if (c->mode == CM_CHILD_TCP)
4692 {
4693 do_event_set_init(c, false);
4694 }
4695
4696 /* initialize HTTP or SOCKS proxy object at scope level 2 */
4697 init_proxy(c);
4698
4699 /* allocate our socket object */
4700 if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
4701 {
4702 do_link_socket_new(c);
4703 }
4704
4705#ifdef ENABLE_FRAGMENT
4706 /* initialize internal fragmentation object */
4707 if (options->ce.fragment && (c->mode == CM_P2P || child))
4708 {
4709 c->c2.fragment = fragment_init(&c->c2.frame);
4710 }
4711#endif
4712
4713 /* init crypto layer */
4714 {
4715 unsigned int crypto_flags = 0;
4716 if (c->mode == CM_TOP)
4717 {
4718 crypto_flags = CF_INIT_TLS_AUTH_STANDALONE;
4719 }
4720 else if (c->mode == CM_P2P)
4721 {
4722 crypto_flags = CF_LOAD_PERSISTED_PACKET_ID | CF_INIT_TLS_MULTI;
4723 }
4724 else if (child)
4725 {
4726 crypto_flags = CF_INIT_TLS_MULTI;
4727 }
4728 do_init_crypto(c, crypto_flags);
4729 if (IS_SIG(c) && !child)
4730 {
4731 goto sig;
4732 }
4733 }
4734
4735#ifdef USE_COMP
4736 /* initialize compression library. */
4737 if (comp_enabled(&options->comp) && (c->mode == CM_P2P || child))
4738 {
4739 c->c2.comp_context = comp_init(&options->comp);
4740 }
4741#endif
4742
4743 /* initialize MTU variables */
4744 do_init_frame(c);
4745
4746 /* initialize TLS MTU variables */
4747 do_init_frame_tls(c);
4748
4749 /* init workspace buffers whose size is derived from frame size */
4750 if (c->mode == CM_P2P || c->mode == CM_CHILD_TCP)
4751 {
4752 do_init_buffers(c);
4753 }
4754
4755#ifdef ENABLE_FRAGMENT
4756 /* initialize internal fragmentation capability with known frame size */
4757 if (options->ce.fragment && (c->mode == CM_P2P || child))
4758 {
4759 do_init_fragment(c);
4760 }
4761#endif
4762
4763 /* bind the TCP/UDP socket */
4764 if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
4765 {
4766 do_init_socket_phase1(c);
4767 }
4768
4769 /* initialize tun/tap device object,
4770 * open tun/tap device, ifconfig, run up script, etc. */
4771 if (!(options->up_delay || PULL_DEFINED(options)) && (c->mode == CM_P2P || c->mode == CM_TOP))
4772 {
4773 int error_flags = 0;
4774 c->c2.did_open_tun = do_open_tun(c, &error_flags);
4775 }
4776
4777 /* print MTU info */
4778 do_print_data_channel_mtu_parms(c);
4779
4780 /* get local and remote options compatibility strings */
4781 if (c->mode == CM_P2P || child)
4782 {
4783 do_compute_occ_strings(c);
4784 }
4785
4786 /* initialize output speed limiter */
4787 if (c->mode == CM_P2P)
4788 {
4789 do_init_traffic_shaper(c);
4790 }
4791
4792 /* do one-time inits, and possibly become a daemon here */
4793 do_init_first_time(c);
4794
4795#ifdef ENABLE_PLUGIN
4796 /* initialize plugins */
4797 if (c->mode == CM_P2P || c->mode == CM_TOP)
4798 {
4799 open_plugins(c, false, OPENVPN_PLUGIN_INIT_POST_DAEMON);
4800 }
4801#endif
4802
4803 /* initialise connect timeout timer */
4804 do_init_server_poll_timeout(c);
4805
4806 /* finalize the TCP/UDP socket */
4807 if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
4808 {
4809 do_init_socket_phase2(c);
4810
4811
4812 /* Update dynamic frame calculation as exact transport socket information
4813 * (IP vs IPv6) may be only available after socket phase2 has finished.
4814 * This is only needed for --static or no crypto, NCP will recalculate this
4815 * in tls_session_update_crypto_params (P2MP) */
4816 for (int i = 0; i < c->c1.link_sockets_num; i++)
4817 {
4818 frame_calculate_dynamic(&c->c2.frame, &c->c1.ks.key_type, &c->options,
4819 &c->c2.link_sockets[i]->info);
4820 }
4821 }
4822
4823 /*
4824 * Actually do UID/GID downgrade, and chroot, if requested.
4825 * May be delayed by --client, --pull, or --up-delay.
4826 */
4827 do_uid_gid_chroot(c, c->c2.did_open_tun);
4828
4829 /* initialize timers */
4830 if (c->mode == CM_P2P || child)
4831 {
4832 do_init_timers(c, false);
4833 }
4834
4835#ifdef ENABLE_PLUGIN
4836 /* initialize plugins */
4837 if (c->mode == CM_P2P || c->mode == CM_TOP)
4838 {
4839 open_plugins(c, false, OPENVPN_PLUGIN_INIT_POST_UID_CHANGE);
4840 }
4841#endif
4842
4843#if PORT_SHARE
4844 /* share OpenVPN port with foreign (such as HTTPS) server */
4845 if (c->first_time && (c->mode == CM_P2P || c->mode == CM_TOP))
4846 {
4847 init_port_share(c);
4848 }
4849#endif
4850
4851 /* Check for signals */
4852 if (IS_SIG(c))
4853 {
4854 goto sig;
4855 }
4856
4857 return;
4858
4859sig:
4860 if (!c->sig->signal_text)
4861 {
4862 c->sig->signal_text = "init_instance";
4863 }
4864 close_context(c, -1, flags);
4865 return;
4866}
4867
4868/*
4869 * Close a tunnel instance.
4870 */
4871void
4872close_instance(struct context *c)
4873{
4874 /* close event objects */
4875 do_close_event_set(c);
4876
4877 if (c->mode == CM_P2P
4878 || c->mode == CM_CHILD_TCP
4879 || c->mode == CM_CHILD_UDP
4880 || c->mode == CM_TOP)
4881 {
4882#ifdef USE_COMP
4883 if (c->c2.comp_context)
4884 {
4885 comp_uninit(c->c2.comp_context);
4886 c->c2.comp_context = NULL;
4887 }
4888#endif
4889
4890 /* free buffers */
4891 do_close_free_buf(c);
4892
4893 /* close peer for DCO if enabled, needs peer-id so must be done before
4894 * closing TLS contexts */
4895 dco_remove_peer(c);
4896
4897 /* close TLS */
4898 do_close_tls(c);
4899
4900 /* free key schedules */
4901 do_close_free_key_schedule(c, (c->mode == CM_P2P || c->mode == CM_TOP));
4902
4903 /* close TCP/UDP connection */
4904 do_close_link_socket(c);
4905
4906 /* close TUN/TAP device */
4907 do_close_tun(c, false);
4908
4909#ifdef ENABLE_MANAGEMENT
4910 if (management)
4911 {
4912 management_notify_client_close(management, &c->c2.mda_context, NULL);
4913 }
4914#endif
4915
4916#ifdef ENABLE_PLUGIN
4917 /* call plugin close functions and unload */
4918 do_close_plugins(c);
4919#endif
4920
4921 /* close packet-id persistence file */
4922 do_close_packet_id(c);
4923
4924 /* close --status file */
4925 do_close_status_output(c);
4926
4927#ifdef ENABLE_FRAGMENT
4928 /* close fragmentation handler */
4929 do_close_fragment(c);
4930#endif
4931
4932 /* close --ifconfig-pool-persist obj */
4933 do_close_ifconfig_pool_persist(c);
4934
4935 /* free up environmental variable store */
4936 do_env_set_destroy(c);
4937
4938 /* close HTTP or SOCKS proxy */
4939 uninit_proxy(c);
4940
4941 /* garbage collect */
4942 gc_free(&c->c2.gc);
4943 }
4944}
4945
4946void
4947inherit_context_child(struct context *dest,
4948 const struct context *src,
4949 struct link_socket *sock)
4950{
4951 CLEAR(*dest);
4952
4953 /* proto_is_dgram will ASSERT(0) if proto is invalid */
4954 dest->mode = proto_is_dgram(sock->info.proto) ? CM_CHILD_UDP : CM_CHILD_TCP;
4955
4956 dest->gc = gc_new();
4957
4958 ALLOC_OBJ_CLEAR_GC(dest->sig, struct signal_info, &dest->gc);
4959
4960 /* c1 init */
4961 packet_id_persist_init(&dest->c1.pid_persist);
4962 dest->c1.link_sockets_num = 1;
4963 do_link_socket_addr_new(dest);
4964
4965 dest->c1.ks.key_type = src->c1.ks.key_type;
4966 /* inherit SSL context */
4967 dest->c1.ks.ssl_ctx = src->c1.ks.ssl_ctx;
4968 dest->c1.ks.tls_wrap_key = src->c1.ks.tls_wrap_key;
4969 dest->c1.ks.tls_auth_key_type = src->c1.ks.tls_auth_key_type;
4970 dest->c1.ks.tls_crypt_v2_server_key = src->c1.ks.tls_crypt_v2_server_key;
4971 /* inherit pre-NCP ciphers */
4972 dest->options.ciphername = src->options.ciphername;
4973 dest->options.authname = src->options.authname;
4974
4975 /* inherit auth-token */
4976 dest->c1.ks.auth_token_key = src->c1.ks.auth_token_key;
4977
4978 /* options */
4979 dest->options = src->options;
4980 dest->options.ce.proto = sock->info.proto;
4981 options_detach(&dest->options);
4982
4983 dest->c2.event_set = src->c2.event_set;
4984
4985 if (dest->mode == CM_CHILD_TCP)
4986 {
4987 /*
4988 * The CM_TOP context does the socket listen(),
4989 * and the CM_CHILD_TCP context does the accept().
4990 */
4991 dest->c2.accept_from = sock;
4992 }
4993
4994#ifdef ENABLE_PLUGIN
4995 /* inherit plugins */
4996 do_inherit_plugins(dest, src);
4997#endif
4998
4999 /* context init */
5000
5001 /* inherit tun/tap interface object now as it may be required
5002 * to initialize the DCO context in init_instance()
5003 */
5004 dest->c1.tuntap = src->c1.tuntap;
5005
5006 /* UDP inherits some extra things which TCP does not */
5007 if (dest->mode == CM_CHILD_UDP)
5008 {
5009 ASSERT(!dest->c2.link_sockets);
5010 ASSERT(dest->options.ce.local_list);
5011
5012 /* inherit buffers */
5013 dest->c2.buffers = src->c2.buffers;
5014
5015 ALLOC_ARRAY_GC(dest->c2.link_sockets, struct link_socket *, 1, &dest->gc);
5016
5017 /* inherit parent link_socket and tuntap */
5018 dest->c2.link_sockets[0] = sock;
5019
5020 ALLOC_ARRAY_GC(dest->c2.link_socket_infos, struct link_socket_info *, 1, &dest->gc);
5021 ALLOC_OBJ_GC(dest->c2.link_socket_infos[0], struct link_socket_info, &dest->gc);
5022 *dest->c2.link_socket_infos[0] = sock->info;
5023
5024 /* locally override some link_socket_info fields */
5025 dest->c2.link_socket_infos[0]->lsa = &dest->c1.link_socket_addrs[0];
5026 dest->c2.link_socket_infos[0]->connection_established = false;
5027 }
5028
5029 init_instance(dest, src->c2.es, CC_NO_CLOSE | CC_USR1_TO_HUP);
5030 if (IS_SIG(dest))
5031 {
5032 return;
5033 }
5034}
5035
5036void
5037inherit_context_top(struct context *dest,
5038 const struct context *src)
5039{
5040 /* copy parent */
5041 *dest = *src;
5042
5043 /*
5044 * CM_TOP_CLONE will prevent close_instance from freeing or closing
5045 * resources owned by the parent.
5046 *
5047 * Also note that CM_TOP_CLONE context objects are
5048 * closed by multi_top_free in multi.c.
5049 */
5050 dest->mode = CM_TOP_CLONE;
5051
5052 dest->first_time = false;
5053 dest->c0 = NULL;
5054
5055 options_detach(&dest->options);
5056 gc_detach(&dest->gc);
5057 gc_detach(&dest->c2.gc);
5058
5059 /* detach plugins */
5060 dest->plugins_owned = false;
5061
5062 dest->c2.tls_multi = NULL;
5063
5064 /* detach c1 ownership */
5065 dest->c1.tuntap_owned = false;
5066 dest->c1.status_output_owned = false;
5067 dest->c1.ifconfig_pool_persist_owned = false;
5068
5069 /* detach c2 ownership */
5070 dest->c2.event_set_owned = false;
5071 dest->c2.link_socket_owned = false;
5072 dest->c2.buffers_owned = false;
5073 dest->c2.es_owned = false;
5074
5075 dest->c2.event_set = NULL;
5076 do_event_set_init(dest, false);
5077
5078#ifdef USE_COMP
5079 dest->c2.comp_context = NULL;
5080#endif
5081}
5082
5083void
5084close_context(struct context *c, int sig, unsigned int flags)
5085{
5086 ASSERT(c);
5087 ASSERT(c->sig);
5088
5089 if (sig >= 0)
5090 {
5091 register_signal(c->sig, sig, "close_context");
5092 }
5093
5094 if (c->sig->signal_received == SIGUSR1)
5095 {
5096 if ((flags & CC_USR1_TO_HUP)
5097 || (c->sig->source == SIG_SOURCE_HARD && (flags & CC_HARD_USR1_TO_HUP)))
5098 {
5099 register_signal(c->sig, SIGHUP, "close_context usr1 to hup");
5100 }
5101 }
5102
5103 if (!(flags & CC_NO_CLOSE))
5104 {
5105 close_instance(c);
5106 }
5107
5108 if (flags & CC_GC_FREE)
5109 {
5110 context_gc_free(c);
5111 }
5112}
5113
5114/* Write our PID to a file */
5115void
5116write_pid_file(const char *filename, const char *chroot_dir)
5117{
5118 if (filename)
5119 {
5120 unsigned int pid = 0;
5121 FILE *fp = platform_fopen(filename, "w");
5122 if (!fp)
5123 {
5124 msg(M_ERR, "Open error on pid file %s", filename);
5125 return;
5126 }
5127
5128 pid = platform_getpid();
5129 fprintf(fp, "%u\n", pid);
5130 if (fclose(fp))
5131 {
5132 msg(M_ERR, "Close error on pid file %s", filename);
5133 }
5134
5135 /* remember file name so it can be deleted "out of context" later */
5136 /* (the chroot case is more complex and not handled today) */
5137 if (!chroot_dir)
5138 {
5139 saved_pid_file_name = strdup(filename);
5140 if (!saved_pid_file_name)
5141 {
5142 msg(M_FATAL, "Failed allocate memory saved_pid_file_name");
5143 }
5144 }
5145 }
5146}
5147
5148/* remove PID file on exit, called from openvpn_exit() */
5149void
5150remove_pid_file(void)
5151{
5152 if (saved_pid_file_name)
5153 {
5154 platform_unlink(saved_pid_file_name);
5155 }
5156}
5157
5158
5159/*
5160 * Do a loopback test
5161 * on the crypto subsystem.
5162 */
5163static void *
5164test_crypto_thread(void *arg)
5165{
5166 struct context *c = (struct context *) arg;
5167 const struct options *options = &c->options;
5168
5169 ASSERT(options->test_crypto);
5170 init_verb_mute(c, IVM_LEVEL_1);
5171 context_init_1(c);
5172 next_connection_entry(c);
5173 do_init_crypto_static(c, 0);
5174
5175 frame_finalize_options(c, options);
5176
5177 test_crypto(&c->c2.crypto_options, &c->c2.frame);
5178
5179 key_schedule_free(&c->c1.ks, true);
5180 packet_id_free(&c->c2.crypto_options.packet_id);
5181
5182 context_gc_free(c);
5183 return NULL;
5184}
5185
5186bool
5187do_test_crypto(const struct options *o)
5188{
5189 if (o->test_crypto)
5190 {
5191 struct context c;
5192
5193 /* print version number */
5194 msg(M_INFO, "%s", title_string);
5195
5196 context_clear(&c);
5197 c.options = *o;
5198 options_detach(&c.options);
5199 c.first_time = true;
5200 test_crypto_thread((void *) &c);
5201 return true;
5202 }
5203 return false;
5204}
argv_msg
void argv_msg(const int msglev, const struct argv *a)
Write the arguments stored in a struct argv via the msg() command.
Definition argv.c:243
argv_parse_cmd
void argv_parse_cmd(struct argv *argres, const char *cmdstr)
Parses a command string, tokenizes it and puts each element into a separate struct argv argument slot...
Definition argv.c:483
argv_free
void argv_free(struct argv *a)
Frees all memory allocations allocated by the struct argv related functions.
Definition argv.c:102
argv_printf
bool argv_printf(struct argv *argres, const char *format,...)
printf() variant which populates a struct argv.
Definition argv.c:440
argv_printf_cat
bool argv_printf_cat(struct argv *argres, const char *format,...)
printf() inspired argv concatenation.
Definition argv.c:464
argv_new
struct argv argv_new(void)
Allocates a new struct argv and ensures it is initialised.
Definition argv.c:88
auth_token_write_server_key_file
void auth_token_write_server_key_file(const char *filename)
Generate a auth-token server secret key, and write to file.
Definition auth_token.c:118
auth_token_init_secret
void auth_token_init_secret(struct key_ctx *key_ctx, const char *key_file, bool key_inline)
Loads an HMAC secret from a file or if no file is present generates a epheremal secret for the run ti...
Definition auth_token.c:124
auth_token.h
free_buf
void free_buf(struct buffer *buf)
Definition buffer.c:183
buf_clear
void buf_clear(struct buffer *buf)
Definition buffer.c:162
buf_printf
bool buf_printf(struct buffer *buf, const char *format,...)
Definition buffer.c:240
string_clear
void string_clear(char *str)
Definition buffer.c:691
alloc_buf_gc
struct buffer alloc_buf_gc(size_t size, struct gc_arena *gc)
Definition buffer.c:88
alloc_buf
struct buffer alloc_buf(size_t size)
Definition buffer.c:62
string_alloc
char * string_alloc(const char *str, struct gc_arena *gc)
Definition buffer.c:649
gc_detach
static void gc_detach(struct gc_arena *a)
Definition buffer.h:1019
BSTR
#define BSTR(buf)
Definition buffer.h:129
ALLOC_ARRAY_GC
#define ALLOC_ARRAY_GC(dptr, type, n, gc)
Definition buffer.h:1071
ALLOC_ARRAY_CLEAR_GC
#define ALLOC_ARRAY_CLEAR_GC(dptr, type, n, gc)
Definition buffer.h:1082
gc_init
static void gc_init(struct gc_arena *a)
Definition buffer.h:1012
buf_set_write
static void buf_set_write(struct buffer *buf, uint8_t *data, int size)
Definition buffer.h:331
buf_len
static int buf_len(const struct buffer *buf)
Definition buffer.h:253
ALLOC_OBJ_CLEAR_GC
#define ALLOC_OBJ_CLEAR_GC(dptr, type, gc)
Definition buffer.h:1097
ALLOC_OBJ_GC
#define ALLOC_OBJ_GC(dptr, type, gc)
Definition buffer.h:1092
strncpynt
static void strncpynt(char *dest, const char *src, size_t maxlen)
Definition buffer.h:361
check_malloc_return
static void check_malloc_return(void *p)
Definition buffer.h:1103
gc_free
static void gc_free(struct gc_arena *a)
Definition buffer.h:1033
ALLOC_OBJ_CLEAR
#define ALLOC_OBJ_CLEAR(dptr, type)
Definition buffer.h:1060
gc_new
static struct gc_arena gc_new(void)
Definition buffer.h:1025
PUSH_BUNDLE_SIZE
#define PUSH_BUNDLE_SIZE
Definition common.h:88
check_compression_settings_valid
bool check_compression_settings_valid(struct compress_options *info, int msglevel)
Checks if the compression settings are valid.
Definition comp.c:163
basename
char * basename(char *filename)
Definition compat-basename.c:37
daemon
int daemon(int nochdir, int noclose)
Definition compat-daemon.c:51
free_key_ctx_bi
void free_key_ctx_bi(struct key_ctx_bi *ctx)
Definition crypto.c:1125
get_random
long int get_random(void)
Definition crypto.c:1757
init_key_type
void init_key_type(struct key_type *kt, const char *ciphername, const char *authname, bool tls_mode, bool warn)
Initialize a key_type structure with.
Definition crypto.c:893
write_key_file
int write_key_file(const int nkeys, const char *filename)
Write nkeys 1024-bits keys to file.
Definition crypto.c:1577
crypto_max_overhead
unsigned int crypto_max_overhead(void)
Return the worst-case OpenVPN crypto overhead (in bytes)
Definition crypto.c:868
test_crypto
void test_crypto(struct crypto_options *co, struct frame *frame)
Definition crypto.c:1229
crypto_read_openvpn_key
void crypto_read_openvpn_key(const struct key_type *key_type, struct key_ctx_bi *ctx, const char *key_file, bool key_inline, const int key_direction, const char *key_name, const char *opt_name, struct key2 *keydata)
Definition crypto.c:1321
free_key_ctx
void free_key_ctx(struct key_ctx *ctx)
Definition crypto.c:1106
CO_PACKET_ID_LONG_FORM
#define CO_PACKET_ID_LONG_FORM
Bit-flag indicating whether to use OpenVPN's long packet ID format.
Definition crypto.h:344
CO_USE_TLS_KEY_MATERIAL_EXPORT
#define CO_USE_TLS_KEY_MATERIAL_EXPORT
Bit-flag indicating that data channel key derivation is done using TLS keying material export [RFC570...
Definition crypto.h:356
CO_USE_DYNAMIC_TLS_CRYPT
#define CO_USE_DYNAMIC_TLS_CRYPT
Bit-flag indicating that renegotiations are using tls-crypt with a TLS-EKM derived key.
Definition crypto.h:372
CO_EPOCH_DATA_KEY_FORMAT
#define CO_EPOCH_DATA_KEY_FORMAT
Bit-flag indicating the epoch the data format.
Definition crypto.h:376
CO_MUTE_REPLAY_WARNINGS
#define CO_MUTE_REPLAY_WARNINGS
Bit-flag indicating not to display replay warnings.
Definition crypto.h:353
CO_FORCE_TLSCRYPTV2_COOKIE
#define CO_FORCE_TLSCRYPTV2_COOKIE
Bit-flag indicating that we do not allow clients that do not support resending the wrapped client key...
Definition crypto.h:364
CO_USE_CC_EXIT_NOTIFY
#define CO_USE_CC_EXIT_NOTIFY
Bit-flag indicating that explicit exit notifies should be sent via the control channel instead of usi...
Definition crypto.h:368
key_ctx_bi_defined
static bool key_ctx_bi_defined(const struct key_ctx_bi *key)
Definition crypto.h:657
show_available_engines
void show_available_engines(void)
Definition crypto_openssl.c:478
cipher_kt_mode_aead
bool cipher_kt_mode_aead(const char *ciphername)
Check if the supplied cipher is a supported AEAD mode cipher.
Definition crypto_openssl.c:817
show_available_ciphers
void show_available_ciphers(void)
Definition crypto_openssl.c:370
md_valid
bool md_valid(const char *digest)
Return if a message digest parameters is valid given the name of the digest.
Definition crypto_openssl.c:1039
cipher_kt_mode_ofb_cfb
bool cipher_kt_mode_ofb_cfb(const char *ciphername)
Check if the supplied cipher is a supported OFB or CFB mode cipher.
Definition crypto_openssl.c:805
md_kt_name
const char * md_kt_name(const char *mdname)
Retrieve a string describing the digest digest (e.g.
Definition crypto_openssl.c:1071
cipher_kt_name
const char * cipher_kt_name(const char *ciphername)
Retrieve a normalised string describing the cipher (e.g.
Definition crypto_openssl.c:660
crypto_init_lib_engine
void crypto_init_lib_engine(const char *engine_name)
Definition crypto_openssl.c:145
md_ctx_cleanup
void md_ctx_cleanup(md_ctx_t *ctx)
show_available_digests
void show_available_digests(void)
Definition crypto_openssl.c:437
md_ctx_free
void md_ctx_free(md_ctx_t *ctx)
DCO_DEFAULT_METRIC
#define DCO_DEFAULT_METRIC
Definition dco.h:48
dco_supports_epoch_data
static bool dco_supports_epoch_data(struct context *c)
Definition dco.h:398
dco_remove_peer
static void dco_remove_peer(struct context *c)
Definition dco.h:357
dco_p2p_add_new_peer
static int dco_p2p_add_new_peer(struct context *c)
Definition dco.h:344
ovpn_dco_init
static bool ovpn_dco_init(int mode, dco_context_t *dco, const char *dev_node)
Definition dco.h:300
dco_check_pull_options
static bool dco_check_pull_options(int msglevel, const struct options *o)
Definition dco.h:294
env_set_destroy
void env_set_destroy(struct env_set *es)
Definition env_set.c:166
setenv_int
void setenv_int(struct env_set *es, const char *name, int value)
Definition env_set.c:267
setenv_str
void setenv_str(struct env_set *es, const char *name, const char *value)
Definition env_set.c:283
env_set_inherit
void env_set_inherit(struct env_set *es, const struct env_set *src)
Definition env_set.c:238
env_set_create
struct env_set * env_set_create(struct gc_arena *gc)
Definition env_set.c:156
D_MTU_DEBUG
#define D_MTU_DEBUG
Definition errlevel.h:126
D_SHOW_OCC
#define D_SHOW_OCC
Definition errlevel.h:151
D_PUSH
#define D_PUSH
Definition errlevel.h:83
D_SHOW_NET
#define D_SHOW_NET
Definition errlevel.h:132
P2P_ERROR_DELAY_MS
#define P2P_ERROR_DELAY_MS
Definition errlevel.h:41
D_RESTART
#define D_RESTART
Definition errlevel.h:82
D_IMPORT_ERRORS
#define D_IMPORT_ERRORS
Definition errlevel.h:64
D_CLOSE
#define D_CLOSE
Definition errlevel.h:73
D_PUSH_DEBUG
#define D_PUSH_DEBUG
Definition errlevel.h:150
D_DCO
#define D_DCO
Definition errlevel.h:94
D_HANDSHAKE
#define D_HANDSHAKE
Definition errlevel.h:72
D_GENKEY
#define D_GENKEY
Definition errlevel.h:79
D_MTU_INFO
#define D_MTU_INFO
Definition errlevel.h:105
D_PUSH_ERRORS
#define D_PUSH_ERRORS
Definition errlevel.h:67
D_INIT_MEDIUM
#define D_INIT_MEDIUM
Definition errlevel.h:104
D_TLS_ERRORS
#define D_TLS_ERRORS
Definition errlevel.h:59
D_READ_WRITE
#define D_READ_WRITE
Definition errlevel.h:167
M_INFO
#define M_INFO
Definition errlevel.h:55
D_LOG_RW
#define D_LOG_RW
Definition errlevel.h:110
D_ROUTE
#define D_ROUTE
Definition errlevel.h:80
D_LINK_ERRORS
#define D_LINK_ERRORS
Definition errlevel.h:57
event_set_init
struct event_set * event_set_init(int *maxevents, unsigned int flags)
Definition event.c:1186
EVENT_METHOD_FAST
#define EVENT_METHOD_FAST
Definition event.h:83
EVENT_METHOD_US_TIMEOUT
#define EVENT_METHOD_US_TIMEOUT
Definition event.h:82
event_free
static void event_free(struct event_set *es)
Definition event.h:160
send_control_channel_string
bool send_control_channel_string(struct context *c, const char *str, int msglevel)
Definition forward.c:410
forward.h
Interface functions to the internal and external multiplexers.
get_link_socket_info
static struct link_socket_info * get_link_socket_info(struct context *c)
Definition forward.h:321
tls_auth_standalone_init
struct tls_auth_standalone * tls_auth_standalone_init(struct tls_options *tls_options, struct gc_arena *gc)
Definition ssl.c:1201
tls_init_control_channel_frame_parameters
void tls_init_control_channel_frame_parameters(struct frame *frame, int tls_mtu)
Definition ssl.c:142
tls_multi_free
void tls_multi_free(struct tls_multi *multi, bool clear)
Cleanup a tls_multi structure and free associated memory allocations.
Definition ssl.c:1256
tls_multi_init
struct tls_multi * tls_multi_init(struct tls_options *tls_options)
Allocate and initialize a tls_multi structure.
Definition ssl.c:1172
tls_multi_init_finalize
void tls_multi_init_finalize(struct tls_multi *multi, int tls_mtu)
Finalize initialization of a tls_multi structure.
Definition ssl.c:1187
tls_auth_standalone_free
void tls_auth_standalone_free(struct tls_auth_standalone *tas)
Frees a standalone tls-auth verification object.
Definition ssl.c:1227
TM_ACTIVE
#define TM_ACTIVE
Active tls_session.
Definition ssl_common.h:535
tls_multi_init_set_options
void tls_multi_init_set_options(struct tls_multi *multi, const char *local, const char *remote)
Definition ssl.c:1243
fragment_frame_init
void fragment_frame_init(struct fragment_master *f, const struct frame *frame)
Allocate internal packet buffers for a fragment_master structure.
Definition fragment.c:122
fragment_init
struct fragment_master * fragment_init(struct frame *frame)
Allocate and initialize a fragment_master structure.
Definition fragment.c:89
fragment_free
void fragment_free(struct fragment_master *f)
Free a fragment_master structure and its internal packet buffers.
Definition fragment.c:113
tls_crypt_init_key
void tls_crypt_init_key(struct key_ctx_bi *key, struct key2 *keydata, const char *key_file, bool key_inline, bool tls_server)
Initialize a key_ctx_bi structure for use with –tls-crypt.
Definition tls_crypt.c:61
tls_crypt_v2_init_server_key
void tls_crypt_v2_init_server_key(struct key_ctx *key_ctx, bool encrypt, const char *key_file, bool key_inline)
Initialize a tls-crypt-v2 server key (used to encrypt/decrypt client keys).
Definition tls_crypt.c:361
tls_crypt_v2_write_client_key_file
void tls_crypt_v2_write_client_key_file(const char *filename, const char *b64_metadata, const char *server_key_file, bool server_key_inline)
Generate a tls-crypt-v2 client key, and write to file.
Definition tls_crypt.c:684
tls_crypt_v2_write_server_key_file
void tls_crypt_v2_write_server_key_file(const char *filename)
Generate a tls-crypt-v2 server key, and write to file.
Definition tls_crypt.c:678
tls_crypt_buf_overhead
int tls_crypt_buf_overhead(void)
Returns the maximum overhead (in bytes) added to the destination buffer by tls_crypt_wrap().
Definition tls_crypt.c:55
tls_crypt_v2_init_client_key
void tls_crypt_v2_init_client_key(struct key_ctx_bi *key, struct key2 *original_key, struct buffer *wkc_buf, const char *key_file, bool key_inline)
Initialize a tls-crypt-v2 client key.
Definition tls_crypt.c:335
uninit_management_callback
void uninit_management_callback(void)
Definition init.c:4532
uninit_proxy
static void uninit_proxy(struct context *c)
Definition init.c:734
open_management
bool open_management(struct context *c)
Definition init.c:4469
do_init_first_time
static void do_init_first_time(struct context *c)
Definition init.c:3947
do_init_route_list
static void do_init_route_list(const struct options *options, struct route_list *route_list, const struct link_socket_info *link_socket_info, struct env_set *es, openvpn_net_ctx_t *ctx)
Definition init.c:1485
do_init_tls_wrap_key
static void do_init_tls_wrap_key(struct context *c)
Definition init.c:3143
management_callback_remote_cmd
static bool management_callback_remote_cmd(void *arg, const char **p)
Definition init.c:376
do_genkey
bool do_genkey(const struct options *options)
Definition init.c:1031
next_connection_entry
static void next_connection_entry(struct context *c)
Definition init.c:521
can_preserve_tun
static bool can_preserve_tun(struct tuntap *tt)
Definition init.c:1830
initialization_sequence_completed
void initialization_sequence_completed(struct context *c, const unsigned int flags)
Definition init.c:1590
open_plugins
void open_plugins(struct context *c, const bool import_options, int init_point)
Definition init.c:4303
do_setup_fast_io
static void do_setup_fast_io(struct context *c)
Definition init.c:4258
tls_print_deferred_options_results
static void tls_print_deferred_options_results(struct context *c)
Prints the results of options imported for the data channel.
Definition init.c:2302
saved_pid_file_name
static const char * saved_pid_file_name
Definition init.c:63
init_verb_mute
void init_verb_mute(struct context *c, unsigned int flags)
Definition init.c:959
do_uid_gid_chroot
static void do_uid_gid_chroot(struct context *c, bool no_delay)
Definition init.c:1219
format_common_name
const char * format_common_name(struct context *c, struct gc_arena *gc)
Definition init.c:1303
do_close_link_socket
static void do_close_link_socket(struct context *c)
Definition init.c:4043
management_callback_remote_entry_count
static unsigned int management_callback_remote_entry_count(void *arg)
Definition init.c:332
do_signal_on_tls_errors
static void do_signal_on_tls_errors(struct context *c)
Definition init.c:4278
do_init_crypto_static
static void do_init_crypto_static(struct context *c, const unsigned int flags)
Definition init.c:3094
key_schedule_free
static void key_schedule_free(struct key_schedule *ks, bool free_ssl_ctx)
Definition init.c:3054
do_init_tun
static void do_init_tun(struct context *c)
Definition init.c:1775
do_option_warnings
static void do_option_warnings(struct context *c)
Definition init.c:3663
init_instance
void init_instance(struct context *c, const struct env_set *env, const unsigned int flags)
Definition init.c:4580
do_link_socket_addr_new
static void do_link_socket_addr_new(struct context *c)
Definition init.c:740
close_instance
void close_instance(struct context *c)
Definition init.c:4872
do_init_route_ipv6_list
static void do_init_route_ipv6_list(const struct options *options, struct route_ipv6_list *route_ipv6_list, const struct link_socket_info *link_socket_info, struct env_set *es, openvpn_net_ctx_t *ctx)
Definition init.c:1531
do_init_frame
static void do_init_frame(struct context *c)
Definition init.c:3618
persist_client_stats
void persist_client_stats(struct context *c)
Definition init.c:4543
inherit_context_top
void inherit_context_top(struct context *dest, const struct context *src)
Definition init.c:5037
context_clear_1
void context_clear_1(struct context *c)
Definition init.c:83
ce_management_query_proxy
static bool ce_management_query_proxy(struct context *c)
Definition init.c:257
do_init_crypto
static void do_init_crypto(struct context *c, const unsigned int flags)
Definition init.c:3601
do_init_frame_tls
static void do_init_frame_tls(struct context *c)
Definition init.c:3556
do_init_traffic_shaper
static void do_init_traffic_shaper(struct context *c)
Definition init.c:1451
route_noexec_enabled
static bool route_noexec_enabled(const struct options *o, const struct tuntap *tt)
Determine if external route commands should be executed based on configured options and backend drive...
Definition init.c:1705
ifconfig_noexec_enabled
static bool ifconfig_noexec_enabled(const struct context *c)
Determines if ifconfig execution should be disabled because of a.
Definition init.c:1897
clear_remote_addrlist
static void clear_remote_addrlist(struct link_socket_addr *lsa, bool free)
Definition init.c:507
do_test_crypto
bool do_test_crypto(const struct options *o)
Definition init.c:5187
do_print_data_channel_mtu_parms
static void do_print_data_channel_mtu_parms(struct context *c)
Definition init.c:3897
init_plugins
void init_plugins(struct context *c)
Definition init.c:4293
free_context_buffers
void free_context_buffers(struct context_buffers *b)
Definition init.c:3777
init_crypto_pre
static void init_crypto_pre(struct context *c, const unsigned int flags)
Definition init.c:3066
do_init_timers
static void do_init_timers(struct context *c, bool deferred)
Definition init.c:1366
CF_LOAD_PERSISTED_PACKET_ID
#define CF_LOAD_PERSISTED_PACKET_ID
Definition init.c:68
do_alloc_route_list
static void do_alloc_route_list(struct context *c)
Definition init.c:1467
do_close_status_output
static void do_close_status_output(struct context *c)
Definition init.c:4185
do_event_set_init
static void do_event_set_init(struct context *c, bool need_us_timeout)
Definition init.c:4137
static_context
static struct context * static_context
Definition init.c:62
do_init_fragment
static void do_init_fragment(struct context *c)
Definition init.c:3814
CF_INIT_TLS_MULTI
#define CF_INIT_TLS_MULTI
Definition init.c:69
context_init_1
void context_init_1(struct context *c)
Definition init.c:747
test_crypto_thread
static void * test_crypto_thread(void *arg)
Definition init.c:5164
pre_setup
void pre_setup(const struct options *options)
Definition init.c:1314
do_link_socket_new
static void do_link_socket_new(struct context *c)
Definition init.c:3835
do_close_free_key_schedule
static void do_close_free_key_schedule(struct context *c, bool free_ssl_ctx)
Definition init.c:4021
management_callback_proxy_cmd
static bool management_callback_proxy_cmd(void *arg, const char **p)
Definition init.c:211
del_wfp_block
static void del_wfp_block(struct context *c, unsigned long adapter_index)
Remove any WFP block filters previously added.
Definition init.c:1878
reset_coarse_timers
void reset_coarse_timers(struct context *c)
Definition init.c:1342
do_open_ifconfig_pool_persist
static void do_open_ifconfig_pool_persist(struct context *c)
Definition init.c:4202
do_close_ifconfig_pool_persist
static void do_close_ifconfig_pool_persist(struct context *c)
Definition init.c:4213
do_close_tun
static void do_close_tun(struct context *c, bool force)
Definition init.c:2129
init_management
void init_management(void)
Definition init.c:4460
uninit_static
void uninit_static(void)
Definition init.c:941
init_instance_handle_signals
void init_instance_handle_signals(struct context *c, const struct env_set *env, const unsigned int flags)
Definition init.c:4558
do_init_crypto_tls
static void do_init_crypto_tls(struct context *c, const unsigned int flags)
Definition init.c:3318
write_pid_file
void write_pid_file(const char *filename, const char *chroot_dir)
Definition init.c:5116
context_gc_free
void context_gc_free(struct context *c)
Definition init.c:798
socket_restart_pause
static void socket_restart_pause(struct context *c)
Definition init.c:2851
do_open_status_output
static void do_open_status_output(struct context *c)
Definition init.c:4171
init_options_dev
void init_options_dev(struct options *options)
Definition init.c:982
do_close_free_buf
static void do_close_free_buf(struct context *c)
Definition init.c:3980
init_query_passwords
void init_query_passwords(const struct context *c)
Query for private key and auth-user-pass username/passwords.
Definition init.c:651
inherit_context_child
void inherit_context_child(struct context *dest, const struct context *src, struct link_socket *sock)
Definition init.c:4947
do_compute_occ_strings
static void do_compute_occ_strings(struct context *c)
Definition init.c:3913
context_clear_2
void context_clear_2(struct context *c)
Definition init.c:89
do_close_fragment
static void do_close_fragment(struct context *c)
Definition init.c:4122
context_clear
void context_clear(struct context *c)
Definition init.c:77
update_options_ce_post
static void update_options_ce_post(struct options *options)
Definition init.c:192
do_init_crypto_none
static void do_init_crypto_none(struct context *c)
Definition init.c:3584
management_callback_status_p2p
static void management_callback_status_p2p(void *arg, const int version, struct status_output *so)
Definition init.c:4365
remove_pid_file
void remove_pid_file(void)
Definition init.c:5150
add_delim_if_non_empty
static void add_delim_if_non_empty(struct buffer *buf, const char *header)
Helper function for tls_print_deferred_options_results Adds the ", " delimitor if there already some ...
Definition init.c:2288
print_openssl_info
bool print_openssl_info(const struct options *options)
Definition init.c:992
close_context
void close_context(struct context *c, int sig, unsigned int flags)
Definition init.c:5084
ce_management_query_remote
static bool ce_management_query_remote(struct context *c)
Definition init.c:424
open_tun_backend
static void open_tun_backend(struct context *c)
Definition init.c:1905
do_close_event_set
static void do_close_event_set(struct context *c)
Definition init.c:4156
do_persist_tuntap
bool do_persist_tuntap(struct options *options, openvpn_net_ctx_t *ctx)
Definition init.c:1114
do_hold
static bool do_hold(int holdtime)
Definition init.c:2832
do_up
bool do_up(struct context *c, bool pulled_options, unsigned int option_types_found)
Definition init.c:2457
tun_abort
void tun_abort(void)
Definition init.c:2255
do_init_server_poll_timeout
static void do_init_server_poll_timeout(struct context *c)
Definition init.c:1353
do_close_plugins
static void do_close_plugins(struct context *c)
Definition init.c:4340
do_init_socket_phase1
static void do_init_socket_phase1(struct context *c)
Definition init.c:3853
init_static
bool init_static(void)
Definition init.c:837
do_init_crypto_tls_c1
static void do_init_crypto_tls_c1(struct context *c)
Definition init.c:3221
frame_finalize_options
static void frame_finalize_options(struct context *c, const struct options *o)
Definition init.c:2974
uninit_proxy_dowork
static void uninit_proxy_dowork(struct context *c)
Definition init.c:679
options_hash_changed_or_zero
static bool options_hash_changed_or_zero(const struct sha256_digest *a, const struct sha256_digest *b)
Helper for do_up().
Definition init.c:2274
add_wfp_block
static void add_wfp_block(struct context *c)
Add WFP filters to block traffic to local networks.
Definition init.c:1852
do_close_tun_simple
static void do_close_tun_simple(struct context *c)
Definition init.c:2098
do_inherit_plugins
static void do_inherit_plugins(struct context *c, const struct context *src)
Definition init.c:4351
run_up_down
static void run_up_down(const char *command, const struct plugin_list *plugins, int plugin_type, const char *arg, DWORD adapter_index, const char *dev_type, int tun_mtu, const char *ifconfig_local, const char *ifconfig_remote, const char *context, const char *signal_text, const char *script_type, struct env_set *es)
Definition init.c:109
do_init_socket_phase2
static void do_init_socket_phase2(struct context *c)
Definition init.c:3885
possibly_become_daemon
bool possibly_become_daemon(const struct options *options)
Definition init.c:1177
management_callback_remote_entry_get
static bool management_callback_remote_entry_get(void *arg, unsigned int index, char **remote)
Definition init.c:342
init_connection_list
static void init_connection_list(struct context *c)
Definition init.c:481
init_proxy_dowork
static void init_proxy_dowork(struct context *c)
Definition init.c:696
do_close_packet_id
static void do_close_packet_id(struct context *c)
Definition init.c:4107
do_startup_pause
static void do_startup_pause(struct context *c)
Definition init.c:2929
get_frame_mtu
static size_t get_frame_mtu(struct context *c, const struct options *o)
Definition init.c:2942
do_deferred_p2p_ncp
static bool do_deferred_p2p_ncp(struct context *c)
Definition init.c:2621
CF_INIT_TLS_AUTH_STANDALONE
#define CF_INIT_TLS_AUTH_STANDALONE
Definition init.c:70
pull_permission_mask
unsigned int pull_permission_mask(const struct context *c)
Definition init.c:2592
do_deferred_options_part2
static bool do_deferred_options_part2(struct context *c)
This function is expected to be invoked after open_tun() was performed.
Definition init.c:2432
do_env_set_destroy
static void do_env_set_destroy(struct context *c)
Definition init.c:4239
do_init_buffers
static void do_init_buffers(struct context *c)
Definition init.c:3802
init_proxy
static void init_proxy(struct context *c)
Definition init.c:728
init_management_callback_p2p
void init_management_callback_p2p(struct context *c)
Definition init.c:4434
management_show_net_callback
void management_show_net_callback(void *arg, const int msglevel)
Definition init.c:4372
management_callback_send_cc_message
static bool management_callback_send_cc_message(void *arg, const char *command, const char *parameters)
This method sends a custom control channel message.
Definition init.c:307
do_route
bool do_route(const struct options *options, struct route_list *route_list, struct route_ipv6_list *route_ipv6_list, const struct tuntap *tt, const struct plugin_list *plugins, struct env_set *es, openvpn_net_ctx_t *ctx)
Definition init.c:1717
do_inherit_env
static void do_inherit_env(struct context *c, const struct env_set *src)
Definition init.c:4231
context_clear_all_except_first_time
void context_clear_all_except_first_time(struct context *c)
Definition init.c:95
init_context_buffers
struct context_buffers * init_context_buffers(const struct frame *frame)
Definition init.c:3752
do_deferred_options
bool do_deferred_options(struct context *c, const unsigned int found)
Definition init.c:2670
do_open_tun
static bool do_open_tun(struct context *c, int *error_flags)
Definition init.c:1927
do_close_tls
static void do_close_tls(struct context *c)
Definition init.c:3994
close_management
void close_management(void)
Definition init.c:4519
ISC_ERRORS
#define ISC_ERRORS
Definition init.h:115
CC_GC_FREE
#define CC_GC_FREE
Definition init.h:104
IVM_LEVEL_2
#define IVM_LEVEL_2
Definition init.h:50
ISC_ROUTE_ERRORS
#define ISC_ROUTE_ERRORS
Definition init.h:117
IVM_LEVEL_1
#define IVM_LEVEL_1
Definition init.h:49
CC_USR1_TO_HUP
#define CC_USR1_TO_HUP
Definition init.h:105
BASE_N_EVENTS
#define BASE_N_EVENTS
Definition init.h:33
CC_HARD_USR1_TO_HUP
#define CC_HARD_USR1_TO_HUP
Definition init.h:106
ISC_SERVER
#define ISC_SERVER
Definition init.h:116
CC_NO_CLOSE
#define CC_NO_CLOSE
Definition init.h:107
min_int
static int min_int(int x, int y)
Definition integer.h:102
max_int
static int max_int(int x, int y)
Definition integer.h:89
status
static SERVICE_STATUS status
Definition interactive.c:53
interval_init
void interval_init(struct interval *top, int horizon, int refresh)
Definition interval.c:35
event_timeout_init
static void event_timeout_init(struct event_timeout *et, interval_t n, const time_t last)
Initialises a timer struct.
Definition interval.h:174
event_timeout_clear
static void event_timeout_clear(struct event_timeout *et)
Clears the timeout and reset all values to 0.
Definition interval.h:155
set_lladdr
int set_lladdr(openvpn_net_ctx_t *ctx, const char *ifname, const char *lladdr, const struct env_set *es)
Definition lladdr.c:17
management_pre_tunnel_close
void management_pre_tunnel_close(struct management *man)
Definition manage.c:3083
management_notify_client_close
void management_notify_client_close(struct management *management, struct man_def_auth_context *mdac, const struct env_set *es)
Definition manage.c:2997
management_clear_callback
void management_clear_callback(struct management *man)
Definition manage.c:2740
management_hold
bool management_hold(struct management *man, int holdtime)
Definition manage.c:3816
management_init
struct management * management_init(void)
Definition manage.c:2651
management_event_loop_n_seconds
void management_event_loop_n_seconds(struct management *man, int sec)
Definition manage.c:3442
management_close
void management_close(struct management *man)
Definition manage.c:2722
management_set_state
void management_set_state(struct management *man, const int state, const char *detail, const in_addr_t *tun_local_ip, const struct in6_addr *tun_local_ip6, const struct openvpn_sockaddr *local, const struct openvpn_sockaddr *remote)
Definition manage.c:2749
management_open
bool management_open(struct management *man, const char *addr, const char *port, const char *pass_file, const char *client_user, const char *client_group, const int log_history_cache, const int echo_buffer_size, const int state_buffer_size, const int remap_sigusr1, const unsigned int flags)
Definition manage.c:2667
management_notify_generic
void management_notify_generic(struct management *man, const char *str)
Definition manage.c:2906
man_persist_client_stats
void man_persist_client_stats(struct management *man, struct context *c)
Definition manage.c:4172
management_set_callback
void management_set_callback(struct management *man, const struct management_callback *cb)
Definition manage.c:2732
management_up_down
void management_up_down(struct management *man, const char *updown, const struct env_set *es)
Definition manage.c:2890
management_sleep
void management_sleep(const int n)
A sleep function that services the management layer for n seconds rather than doing nothing.
Definition manage.c:4117
management_post_tunnel_open
void management_post_tunnel_open(struct management *man, const in_addr_t tun_local_ip)
Definition manage.c:3058
management_query_remote_enabled
static bool management_query_remote_enabled(const struct management *man)
Definition manage.h:446
OPENVPN_STATE_CONNECTING
#define OPENVPN_STATE_CONNECTING
Definition manage.h:470
management_query_proxy_enabled
static bool management_query_proxy_enabled(const struct management *man)
Definition manage.h:452
OPENVPN_STATE_CONNECTED
#define OPENVPN_STATE_CONNECTED
Definition manage.h:473
MF_SERVER
#define MF_SERVER
Definition manage.h:28
set_std_files_to_null
void set_std_files_to_null(bool stdin_only)
Definition misc.c:56
GET_USER_PASS_MANAGEMENT
#define GET_USER_PASS_MANAGEMENT
Definition misc.h:109
GET_USER_PASS_NEED_OK
#define GET_USER_PASS_NEED_OK
Definition misc.h:112
get_user_pass
static bool get_user_pass(struct user_pass *up, const char *auth_file, const char *prefix, const unsigned int flags)
Retrieves the user credentials from various sources depending on the flags.
Definition misc.h:150
frame_calculate_dynamic
void frame_calculate_dynamic(struct frame *frame, struct key_type *kt, const struct options *options, struct link_socket_info *lsi)
Set the –mssfix option.
Definition mss.c:335
frame_print
void frame_print(const struct frame *frame, int level, const char *prefix)
Definition mtu.c:195
frame_calculate_protocol_header_size
size_t frame_calculate_protocol_header_size(const struct key_type *kt, const struct options *options, bool occ)
Calculates the size of the OpenVPN protocol header.
Definition mtu.c:63
BUF_SIZE
#define BUF_SIZE(f)
Definition mtu.h:172
TUN_MTU_MIN
#define TUN_MTU_MIN
Definition mtu.h:60
np
static const char * np(const char *str)
Definition multi-auth.c:146
openvpn_net_ctx_t
void * openvpn_net_ctx_t
Definition networking.h:39
OCC_MTU_LOAD_INTERVAL_SECONDS
#define OCC_MTU_LOAD_INTERVAL_SECONDS
Definition occ.h:61
occ_reset_op
static int occ_reset_op(void)
Definition occ.h:101
OCC_INTERVAL_SECONDS
#define OCC_INTERVAL_SECONDS
Definition occ.h:46
CLEAR
#define CLEAR(x)
Definition basic.h:33
error_reset
void error_reset(void)
Definition error.c:161
set_mute_cutoff
bool set_mute_cutoff(const int cutoff)
Definition error.c:123
set_check_status
void set_check_status(unsigned int info_level, unsigned int verbose_level)
Definition error.c:637
reset_check_status
void reset_check_status(void)
Definition error.c:630
set_debug_level
bool set_debug_level(const int level, const unsigned int flags)
Definition error.c:105
M_OPTERR
#define M_OPTERR
Definition error.h:100
SDL_CONSTRAIN
#define SDL_CONSTRAIN
Definition error.h:177
M_NOPREFIX
#define M_NOPREFIX
Definition error.h:97
M_USAGE
#define M_USAGE
Definition error.h:106
M_FATAL
#define M_FATAL
Definition error.h:89
check_debug_level
static bool check_debug_level(unsigned int level)
Definition error.h:220
set_check_status_error_delay
static void set_check_status_error_delay(unsigned int milliseconds)
Definition error.h:286
M_NONFATAL
#define M_NONFATAL
Definition error.h:90
M_ERR
#define M_ERR
Definition error.h:105
msg
#define msg(flags,...)
Definition error.h:144
ASSERT
#define ASSERT(x)
Definition error.h:195
M_WARN
#define M_WARN
Definition error.h:91
TLS_MODE
#define TLS_MODE(c)
Definition openvpn.h:536
packet_id_persist_init
static void packet_id_persist_init(struct packet_id_persist *p)
Definition openvpn.h:86
CM_P2P
#define CM_P2P
Definition openvpn.h:482
CM_TOP_CLONE
#define CM_TOP_CLONE
Definition openvpn.h:484
CM_CHILD_TCP
#define CM_CHILD_TCP
Definition openvpn.h:486
CM_CHILD_UDP
#define CM_CHILD_UDP
Definition openvpn.h:485
MAX_PEER_ID
#define MAX_PEER_ID
Definition openvpn.h:546
CM_TOP
#define CM_TOP
Definition openvpn.h:483
options_detach
void options_detach(struct options *o)
Definition options.c:1703
pre_connect_restore
void pre_connect_restore(struct options *o, struct gc_arena *gc)
Definition options.c:3427
options_string_import
void options_string_import(struct options *options, const char *config, const int msglevel, const unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es)
Definition options.c:5663
options_string_version
const char * options_string_version(const char *s, struct gc_arena *gc)
Definition options.c:4758
title_string
const char title_string[]
Definition options.c:69
auth_retry_get
int auth_retry_get(void)
Definition options.c:4883
notnull
void notnull(const char *arg, const char *description)
Definition options.c:5030
options_string
char * options_string(const struct options *o, const struct frame *frame, struct tuntap *tt, openvpn_net_ctx_t *ctx, bool remote, struct gc_arena *gc)
Definition options.c:4368
MODE_POINT_TO_POINT
#define MODE_POINT_TO_POINT
Definition options.h:258
OPT_P_UP
#define OPT_P_UP
Definition options.h:731
CE_MAN_QUERY_REMOTE_QUERY
#define CE_MAN_QUERY_REMOTE_QUERY
Definition options.h:153
OPT_P_NCP
#define OPT_P_NCP
Negotiable crypto parameters.
Definition options.h:742
OPT_P_ECHO
#define OPT_P_ECHO
Definition options.h:750
MODE_SERVER
#define MODE_SERVER
Definition options.h:259
streq
#define streq(x, y)
Definition options.h:725
OPT_P_EXPLICIT_NOTIFY
#define OPT_P_EXPLICIT_NOTIFY
Definition options.h:749
CE_MAN_QUERY_REMOTE_SKIP
#define CE_MAN_QUERY_REMOTE_SKIP
Definition options.h:156
AR_INTERACT
#define AR_INTERACT
Definition options.h:903
OPT_P_SHAPER
#define OPT_P_SHAPER
Definition options.h:736
dco_enabled
static bool dco_enabled(const struct options *o)
Returns whether the current configuration has dco enabled.
Definition options.h:929
OPT_P_SOCKFLAGS
#define OPT_P_SOCKFLAGS
Definition options.h:756
SHAPER_DEFINED
#define SHAPER_DEFINED(opt)
Definition options.h:781
CE_MAN_QUERY_REMOTE_MOD
#define CE_MAN_QUERY_REMOTE_MOD
Definition options.h:155
CE_MAN_QUERY_PROXY
#define CE_MAN_QUERY_PROXY
Definition options.h:151
OPT_P_MESSAGES
#define OPT_P_MESSAGES
Definition options.h:741
OPT_P_SETENV
#define OPT_P_SETENV
Definition options.h:735
OPT_P_SOCKBUF
#define OPT_P_SOCKBUF
Definition options.h:755
CE_MAN_QUERY_REMOTE_MASK
#define CE_MAN_QUERY_REMOTE_MASK
Definition options.h:157
OPT_P_PLUGIN
#define OPT_P_PLUGIN
Definition options.h:754
OPT_P_TIMER
#define OPT_P_TIMER
Definition options.h:737
PING_RESTART
#define PING_RESTART
Definition options.h:354
RH_PORT_LEN
#define RH_PORT_LEN
Definition options.h:229
OPT_P_DEFAULT
#define OPT_P_DEFAULT
Definition options.h:762
CE_MAN_QUERY_REMOTE_SHIFT
#define CE_MAN_QUERY_REMOTE_SHIFT
Definition options.h:158
OPT_P_DHCPDNS
#define OPT_P_DHCPDNS
Definition options.h:733
OPT_P_PULL_MODE
#define OPT_P_PULL_MODE
Definition options.h:753
GENKEY_AUTH_TOKEN
@ GENKEY_AUTH_TOKEN
Definition options.h:237
GENKEY_SECRET
@ GENKEY_SECRET
Definition options.h:234
GENKEY_TLS_CRYPTV2_SERVER
@ GENKEY_TLS_CRYPTV2_SERVER
Definition options.h:236
GENKEY_TLS_CRYPTV2_CLIENT
@ GENKEY_TLS_CRYPTV2_CLIENT
Definition options.h:235
OPT_P_PUSH_MTU
#define OPT_P_PUSH_MTU
Definition options.h:760
AR_NONE
#define AR_NONE
Definition options.h:902
AR_NOINTERACT
#define AR_NOINTERACT
Definition options.h:904
RH_HOST_LEN
#define RH_HOST_LEN
Definition options.h:227
OPT_P_PERSIST
#define OPT_P_PERSIST
Definition options.h:738
MAX_PARMS
#define MAX_PARMS
Definition options.h:52
PING_UNDEF
#define PING_UNDEF
Definition options.h:352
CE_MAN_QUERY_REMOTE_ACCEPT
#define CE_MAN_QUERY_REMOTE_ACCEPT
Definition options.h:154
PULL_DEFINED
#define PULL_DEFINED(opt)
Definition options.h:764
ROUTE_OPTION_FLAGS
#define ROUTE_OPTION_FLAGS(o)
Definition options.h:776
PING_EXIT
#define PING_EXIT
Definition options.h:353
OPT_P_COMP
#define OPT_P_COMP
Definition options.h:740
OPT_P_ROUTE_EXTRAS
#define OPT_P_ROUTE_EXTRAS
Definition options.h:752
OPT_P_PEER_ID
#define OPT_P_PEER_ID
Definition options.h:758
OPT_P_ROUTE
#define OPT_P_ROUTE
Definition options.h:732
CE_DISABLED
#define CE_DISABLED
Definition options.h:150
now
time_t now
Definition otime.c:34
update_time
static void update_time(void)
Definition otime.h:77
time_test
void time_test(void)
packet_id_persist_save
void packet_id_persist_save(struct packet_id_persist *p)
Definition packet_id.c:519
packet_id_persist_load_obj
void packet_id_persist_load_obj(const struct packet_id_persist *p, struct packet_id *pid)
Definition packet_id.c:561
packet_id_init
void packet_id_init(struct packet_id *p, int seq_backtrack, int time_backtrack, const char *name, int unit)
Definition packet_id.c:96
packet_id_persist_close
void packet_id_persist_close(struct packet_id_persist *p)
Definition packet_id.c:456
packet_id_free
void packet_id_free(struct packet_id *p)
Definition packet_id.c:127
packet_id_persist_load
void packet_id_persist_load(struct packet_id_persist *p, const char *filename)
Definition packet_id.c:470
PRE_PULL_INITIAL_PING_RESTART
#define PRE_PULL_INITIAL_PING_RESTART
Definition ping.h:33
platform_getpid
unsigned int platform_getpid(void)
Definition platform.c:333
platform_create_temp_file
const char * platform_create_temp_file(const char *directory, const char *prefix, struct gc_arena *gc)
Create a temporary file in directory, returns the filename of the created file.
Definition platform.c:541
platform_user_group_set
void platform_user_group_set(const struct platform_state_user *user_state, const struct platform_state_group *group_state, struct context *c)
Definition platform.c:217
platform_nice
void platform_nice(int niceval)
Definition platform.c:311
platform_user_get
bool platform_user_get(const char *username, struct platform_state_user *state)
Definition platform.c:79
platform_unlink
bool platform_unlink(const char *filename)
Definition platform.c:488
platform_fopen
FILE * platform_fopen(const char *path, const char *mode)
Definition platform.c:501
platform_chdir
int platform_chdir(const char *dir)
Definition platform.c:393
platform_mlockall
void platform_mlockall(bool print_msg)
Definition platform.c:344
platform_chroot
void platform_chroot(const char *path)
Definition platform.c:55
platform_group_get
bool platform_group_get(const char *groupname, struct platform_state_group *state)
Definition platform.c:123
plugin_list_close
void plugin_list_close(struct plugin_list *pl)
Definition plugin.c:897
plugin_return_free
void plugin_return_free(struct plugin_return *pr)
Definition plugin.c:1015
plugin_list_inherit
struct plugin_list * plugin_list_inherit(const struct plugin_list *src)
Definition plugin.c:695
plugin_list_init
struct plugin_list * plugin_list_init(const struct plugin_option_list *list)
Definition plugin.c:776
plugin_return_get_column
void plugin_return_get_column(const struct plugin_return *src, struct plugin_return *dest, const char *colname)
Definition plugin.c:1000
plugin_defined
bool plugin_defined(const struct plugin_list *pl, const int type)
Definition plugin.c:932
plugin_list_open
void plugin_list_open(struct plugin_list *pl, const struct plugin_option_list *list, struct plugin_return *pr, const struct env_set *es, const int init_point)
Definition plugin.c:786
plugin_return_init
static void plugin_return_init(struct plugin_return *pr)
Definition plugin.h:171
plugin_call
static int plugin_call(const struct plugin_list *pl, const int type, const struct argv *av, struct plugin_return *pr, struct env_set *es)
Definition plugin.h:202
plugin_return_defined
static bool plugin_return_defined(const struct plugin_return *pr)
Definition plugin.h:165
ifconfig_pool_persist_init
struct ifconfig_pool_persist * ifconfig_pool_persist_init(const char *filename, int refresh_freq)
Definition pool.c:551
ifconfig_pool_persist_close
void ifconfig_pool_persist_close(struct ifconfig_pool_persist *persist)
Definition pool.c:572
TOP_NET30
#define TOP_NET30
Definition proto.h:42
DEV_TYPE_TUN
#define DEV_TYPE_TUN
Definition proto.h:36
TOP_P2P
#define TOP_P2P
Definition proto.h:43
http_proxy_close
void http_proxy_close(struct http_proxy_info *hp)
Definition proxy.c:568
http_proxy_new
struct http_proxy_info * http_proxy_new(const struct http_proxy_options *o)
Definition proxy.c:504
init_http_proxy_options_once
struct http_proxy_options * init_http_proxy_options_once(struct http_proxy_options **hpo, struct gc_arena *gc)
Definition proxy.c:46
PAR_NCT
#define PAR_NCT
Definition proxy.h:50
PAR_ALL
#define PAR_ALL
Definition proxy.h:49
add_routes
bool add_routes(struct route_list *rl, struct route_ipv6_list *rl6, const struct tuntap *tt, unsigned int flags, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition route.c:1189
setenv_routes_ipv6
void setenv_routes_ipv6(struct env_set *es, const struct route_ipv6_list *rl6)
Definition route.c:1489
add_route_ipv6_to_option_list
void add_route_ipv6_to_option_list(struct route_ipv6_option_list *l, const char *prefix, const char *gateway, const char *metric)
Definition route.c:528
block_local_needed
bool block_local_needed(const struct route_list *rl)
Get the decision whether to block traffic to local networks while the VPN is connected.
Definition route.c:621
show_routes
void show_routes(int msglev)
Definition route.c:3308
init_route_ipv6_list
bool init_route_ipv6_list(struct route_ipv6_list *rl6, const struct route_ipv6_option_list *opt6, const char *remote_endpoint, int default_metric, const struct in6_addr *remote_host_ipv6, struct env_set *es, openvpn_net_ctx_t *ctx)
Definition route.c:790
init_route_list
bool init_route_list(struct route_list *rl, const struct route_option_list *opt, const char *remote_endpoint, int default_metric, in_addr_t remote_host, struct env_set *es, openvpn_net_ctx_t *ctx)
Definition route.c:631
delete_routes
void delete_routes(struct route_list *rl, struct route_ipv6_list *rl6, const struct tuntap *tt, unsigned int flags, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition route.c:1256
setenv_routes
void setenv_routes(struct env_set *es, const struct route_list *rl)
Definition route.c:1451
route_did_redirect_default_gateway
static int route_did_redirect_default_gateway(const struct route_list *rl)
Definition route.h:419
RG_REROUTE_GW
#define RG_REROUTE_GW
Definition route.h:89
script_security
int script_security(void)
Definition run_command.c:43
run_command.h
S_FATAL
#define S_FATAL
Definition run_command.h:46
SSEC_SCRIPTS
#define SSEC_SCRIPTS
Definition run_command.h:33
openvpn_run_script
static int openvpn_run_script(const struct argv *a, const struct env_set *es, const unsigned int flags, const char *hook)
Will run a script and return the exit code of the script if between 0 and 255, -1 otherwise.
Definition run_command.h:87
SSEC_PW_ENV
#define SSEC_PW_ENV
Definition run_command.h:34
shaper_msg
void shaper_msg(struct shaper *s)
Definition shaper.c:88
shaper_init
static void shaper_init(struct shaper *s, int bytes_per_second)
Definition shaper.h:86
post_init_signal_catch
void post_init_signal_catch(void)
Definition sig.c:427
print_status
void print_status(struct context *c, struct status_output *so)
Definition sig.c:484
pre_init_signal_catch
void pre_init_signal_catch(void)
Definition sig.c:398
remap_signal
void remap_signal(struct context *c)
Definition sig.c:591
signal_description
const char * signal_description(const int signum, const char *sigtext)
Definition sig.c:107
restore_signal_state
void restore_signal_state(void)
Definition sig.c:466
register_signal
void register_signal(struct signal_info *si, int signum, const char *signal_text)
Register a soft signal in the signal_info struct si respecting priority.
Definition sig.c:231
IS_SIG
#define IS_SIG(c)
Definition sig.h:48
SIG_SOURCE_HARD
#define SIG_SOURCE_HARD
Definition sig.h:31
link_socket_init_phase1
void link_socket_init_phase1(struct context *c, int sock_index, int mode)
Definition socket.c:1877
link_socket_init_phase2
void link_socket_init_phase2(struct context *c, struct link_socket *sock)
Definition socket.c:2244
proto2ascii
const char * proto2ascii(int proto, sa_family_t af, bool display_form)
Definition socket.c:3196
link_socket_update_buffer_sizes
void link_socket_update_buffer_sizes(struct link_socket *sock, int rcvbuf, int sndbuf)
Definition socket.c:1020
link_socket_current_remote_ipv6
const struct in6_addr * link_socket_current_remote_ipv6(const struct link_socket_info *info)
Definition socket.c:2562
link_socket_close
void link_socket_close(struct link_socket *sock)
Definition socket.c:2367
link_socket_current_remote
in_addr_t link_socket_current_remote(const struct link_socket_info *info)
Definition socket.c:2527
do_preresolve
void do_preresolve(struct context *c)
Definition socket.c:343
print_in_addr_t
const char * print_in_addr_t(in_addr_t addr, unsigned int flags, struct gc_arena *gc)
Definition socket.c:2974
link_socket_new
struct link_socket * link_socket_new(void)
Definition socket.c:1863
link_socket_update_flags
bool link_socket_update_flags(struct link_socket *sock, unsigned int sockflags)
Definition socket.c:1006
IA_EMPTY_IF_UNDEF
#define IA_EMPTY_IF_UNDEF
Definition socket.h:401
LS_MODE_TCP_ACCEPT_FROM
#define LS_MODE_TCP_ACCEPT_FROM
Definition socket.h:211
proto_is_udp
static bool proto_is_udp(int proto)
Returns if the protocol being used is UDP.
Definition socket.h:586
PROTO_UDP
@ PROTO_UDP
Definition socket.h:568
PROTO_TCP
@ PROTO_TCP
Definition socket.h:569
PROTO_TCP_CLIENT
@ PROTO_TCP_CLIENT
Definition socket.h:571
proto_is_tcp
static bool proto_is_tcp(int proto)
returns if the proto is a TCP variant (tcp-server, tcp-client or tcp)
Definition socket.h:606
LS_MODE_DEFAULT
#define LS_MODE_DEFAULT
Definition socket.h:209
proto_is_dgram
static bool proto_is_dgram(int proto)
Return if the protocol is datagram (UDP)
Definition socket.h:597
addr_defined
static bool addr_defined(const struct openvpn_sockaddr *addr)
Definition socket.h:661
LS_MODE_TCP_LISTEN
#define LS_MODE_TCP_LISTEN
Definition socket.h:210
socks_proxy_new
struct socks_proxy_info * socks_proxy_new(const char *server, const char *port, const char *authfile)
Definition socks.c:52
socks_proxy_close
void socks_proxy_close(struct socks_proxy_info *sp)
Definition socks.c:81
ssl_purge_auth
void ssl_purge_auth(const bool auth_user_pass_only)
Definition ssl.c:392
init_ssl
void init_ssl(const struct options *options, struct tls_root_ctx *new_ctx, bool in_chroot)
Build master SSL context object that serves for the whole of OpenVPN instantiation.
Definition ssl.c:523
pem_password_setup
void pem_password_setup(const char *auth_file)
Definition ssl.c:251
init_ssl_lib
void init_ssl_lib(void)
Definition ssl.c:228
tls_session_update_crypto_params
bool tls_session_update_crypto_params(struct tls_multi *multi, struct tls_session *session, struct options *options, struct frame *frame, struct frame *frame_fragment, struct link_socket_info *lsi, dco_context_t *dco)
Update TLS session crypto parameters (cipher and auth) and derive data channel keys based on the supp...
Definition ssl.c:1707
free_ssl_lib
void free_ssl_lib(void)
Definition ssl.c:236
auth_user_pass_setup
void auth_user_pass_setup(const char *auth_file, bool is_inline, const struct static_challenge_info *sci)
Definition ssl.c:295
enable_auth_user_pass
void enable_auth_user_pass(void)
Definition ssl.c:289
show_available_tls_ciphers
void show_available_tls_ciphers(const char *cipher_list, const char *cipher_list_tls13, const char *tls_cert_profile)
Definition ssl.c:4244
X509_USERNAME_FIELD_DEFAULT
#define X509_USERNAME_FIELD_DEFAULT
Definition ssl.h:117
TLS_MULTI_HORIZON
#define TLS_MULTI_HORIZON
Definition ssl.h:62
TLS_MULTI_REFRESH
#define TLS_MULTI_REFRESH
Definition ssl.h:61
tls_ctx_free
void tls_ctx_free(struct tls_root_ctx *ctx)
Frees the library-specific TLSv1 context.
Definition ssl_openssl.c:140
show_available_curves
void show_available_curves(void)
Show the available elliptic curves in the crypto library.
Definition ssl_openssl.c:2606
tls_ctx_initialised
bool tls_ctx_initialised(struct tls_root_ctx *ctx)
Checks whether the given TLS context is initialised.
Definition ssl_openssl.c:149
CAS_CONNECT_DONE
@ CAS_CONNECT_DONE
Definition ssl_common.h:579
CAS_RECONNECT_PENDING
@ CAS_RECONNECT_PENDING
session has already successful established (CAS_CONNECT_DONE) but has a reconnect and needs to redo s...
Definition ssl_common.h:575
check_pull_client_ncp
bool check_pull_client_ncp(struct context *c, const int found)
Checks whether the cipher negotiation is in an acceptable state and we continue to connect or should ...
Definition ssl_ncp.c:317
tls_item_in_cipher_list
bool tls_item_in_cipher_list(const char *item, const char *list)
Return true iff item is present in the colon-separated zero-terminated cipher list.
Definition ssl_ncp.c:210
get_p2p_ncp_cipher
const char * get_p2p_ncp_cipher(struct tls_session *session, const char *peer_info, struct gc_arena *gc)
Determines the best common cipher from both peers IV_CIPHER lists.
Definition ssl_ncp.c:363
ssl_ncp.h
Control Channel SSL/Data dynamic negotiation Module This file is split from ssl.h to be able to unit ...
session_id_hmac_init
hmac_ctx_t * session_id_hmac_init(void)
Definition ssl_pkt.c:473
tls_common_name
const char * tls_common_name(const struct tls_multi *multi, const bool null)
Returns the common name field for the given tunnel.
Definition ssl_verify.c:114
ssl_verify.h
Control Channel Verification Module.
VERIFY_X509_NONE
#define VERIFY_X509_NONE
Definition ssl_verify.h:64
NS_CERT_CHECK_SERVER
#define NS_CERT_CHECK_SERVER
Do not perform Netscape certificate type verification.
Definition ssl_verify.h:230
status_printf
void status_printf(struct status_output *so, const char *format,...)
Definition status.c:222
status_open
struct status_output * status_open(const char *filename, const int refresh_freq, const int msglevel, const struct virtual_output *vout, const unsigned int flags)
Definition status.c:61
status_close
bool status_close(struct status_output *so)
Definition status.c:188
STATUS_OUTPUT_WRITE
#define STATUS_OUTPUT_WRITE
Definition status.h:51
argv
Definition argv.h:35
buffer
Wrapper structure for dynamically allocated memory.
Definition buffer.h:61
buffer::len
int len
Length in bytes of the actual content within the allocated memory.
Definition buffer.h:66
connection_entry
Definition options.h:105
connection_entry::local_list
struct local_list * local_list
Definition options.h:106
connection_entry::tun_mtu_max
int tun_mtu_max
Definition options.h:127
connection_entry::connect_retry_seconds
int connect_retry_seconds
Definition options.h:117
connection_entry::tls_crypt_v2_force_cookie
bool tls_crypt_v2_force_cookie
Definition options.h:176
connection_entry::link_mtu
int link_mtu
Definition options.h:132
connection_entry::link_mtu_defined
bool link_mtu_defined
Definition options.h:133
connection_entry::tun_mtu_extra
int tun_mtu_extra
Definition options.h:130
connection_entry::connect_retry_seconds_max
int connect_retry_seconds_max
Definition options.h:118
connection_entry::mssfix
int mssfix
Definition options.h:142
connection_entry::tls_crypt_file
const char * tls_crypt_file
Definition options.h:167
connection_entry::tls_crypt_v2_file
const char * tls_crypt_v2_file
Definition options.h:172
connection_entry::tun_mtu_extra_defined
bool tun_mtu_extra_defined
Definition options.h:131
connection_entry::remote
const char * remote
Definition options.h:112
connection_entry::socks_proxy_port
const char * socks_proxy_port
Definition options.h:122
connection_entry::mssfix_encap
bool mssfix_encap
Definition options.h:144
connection_entry::http_proxy_options
struct http_proxy_options * http_proxy_options
Definition options.h:120
connection_entry::tls_crypt_file_inline
bool tls_crypt_file_inline
Definition options.h:168
connection_entry::tls_auth_file_inline
bool tls_auth_file_inline
Definition options.h:163
connection_entry::tun_mtu_defined
bool tun_mtu_defined
Definition options.h:129
connection_entry::tls_mtu
int tls_mtu
Definition options.h:134
connection_entry::explicit_exit_notification
int explicit_exit_notification
Definition options.h:148
connection_entry::socks_proxy_authfile
const char * socks_proxy_authfile
Definition options.h:123
connection_entry::remote_port
const char * remote_port
Definition options.h:111
connection_entry::fragment_encap
bool fragment_encap
Definition options.h:140
connection_entry::socks_proxy_server
const char * socks_proxy_server
Definition options.h:121
connection_entry::fragment
int fragment
Definition options.h:139
connection_entry::proto
int proto
Definition options.h:107
connection_entry::af
sa_family_t af
Definition options.h:108
connection_entry::tls_auth_file
const char * tls_auth_file
Definition options.h:162
connection_entry::tun_mtu
int tun_mtu
Definition options.h:125
connection_entry::key_direction
int key_direction
Definition options.h:164
connection_entry::tls_crypt_v2_file_inline
bool tls_crypt_v2_file_inline
Definition options.h:173
connection_entry::flags
unsigned int flags
Definition options.h:159
connection_list
Definition options.h:196
connection_list::array
struct connection_entry ** array
Definition options.h:200
connection_list::current
int current
Definition options.h:199
connection_list::len
int len
Definition options.h:198
context_0
Level 0 context containing information related to the OpenVPN process.
Definition openvpn.h:136
context_0::platform_state_group
struct platform_state_group platform_state_group
Definition openvpn.h:142
context_0::platform_state_user
struct platform_state_user platform_state_user
Definition openvpn.h:141
context_0::uid_gid_chroot_set
bool uid_gid_chroot_set
Definition openvpn.h:140
context_0::uid_gid_specified
bool uid_gid_specified
Definition openvpn.h:138
context_1::ks
struct key_schedule ks
Definition openvpn.h:163
context_1::ifconfig_pool_persist
struct ifconfig_pool_persist * ifconfig_pool_persist
Definition openvpn.h:196
context_1::http_proxy_owned
bool http_proxy_owned
Definition openvpn.h:189
context_1::status_output
struct status_output * status_output
Definition openvpn.h:184
context_1::route_list
struct route_list * route_list
List of routing information.
Definition openvpn.h:176
context_1::link_socket_addrs
struct link_socket_addr * link_socket_addrs
Local and remote addresses on the external network.
Definition openvpn.h:158
context_1::pulled_options_digest_save
struct sha256_digest pulled_options_digest_save
Hash of option strings received from the remote OpenVPN server.
Definition openvpn.h:200
context_1::link_sockets_num
int link_sockets_num
Definition openvpn.h:157
context_1::status_output_owned
bool status_output_owned
Definition openvpn.h:185
context_1::route_ipv6_list
struct route_ipv6_list * route_ipv6_list
Definition openvpn.h:181
context_1::pid_persist
struct packet_id_persist pid_persist
Definition openvpn.h:169
context_1::http_proxy
struct http_proxy_info * http_proxy
Definition openvpn.h:188
context_1::socks_proxy_owned
bool socks_proxy_owned
Definition openvpn.h:193
context_1::tuntap_owned
bool tuntap_owned
Whether the tun/tap interface should be cleaned up when this context is cleaned up.
Definition openvpn.h:172
context_1::ifconfig_pool_persist_owned
bool ifconfig_pool_persist_owned
Definition openvpn.h:197
context_1::socks_proxy
struct socks_proxy_info * socks_proxy
Definition openvpn.h:192
context_1::tuntap
struct tuntap * tuntap
Tun/tap virtual network interface.
Definition openvpn.h:171
context_2::options_string_local
char * options_string_local
Definition openvpn.h:296
context_2::fragment
struct fragment_master * fragment
Definition openvpn.h:252
context_2::do_up_ran
bool do_up_ran
Definition openvpn.h:411
context_2::options_string_remote
char * options_string_remote
Definition openvpn.h:297
context_2::route_wakeup_expire
struct event_timeout route_wakeup_expire
Definition openvpn.h:384
context_2::did_open_tun
bool did_open_tun
Definition openvpn.h:387
context_2::pulled_options_state
md_ctx_t * pulled_options_state
Definition openvpn.h:444
context_2::es_owned
bool es_owned
Definition openvpn.h:421
context_2::mda_context
struct man_def_auth_context mda_context
Definition openvpn.h:453
context_2::session_id_hmac
hmac_ctx_t * session_id_hmac
the HMAC we use to generate and verify our syn cookie like session ids from the server.
Definition openvpn.h:338
context_2::accept_from
const struct link_socket * accept_from
Definition openvpn.h:242
context_2::tls_auth_standalone
struct tls_auth_standalone * tls_auth_standalone
TLS state structure required for the initial authentication of a client's connection attempt.
Definition openvpn.h:326
context_2::occ_op
int occ_op
Definition openvpn.h:299
context_2::es
struct env_set * es
Definition openvpn.h:420
context_2::link_socket_owned
bool link_socket_owned
Definition openvpn.h:240
context_2::tls_multi
struct tls_multi * tls_multi
TLS state structure for this VPN tunnel.
Definition openvpn.h:323
context_2::frame
struct frame frame
Definition openvpn.h:248
context_2::frame_fragment
struct frame frame_fragment
Definition openvpn.h:253
context_2::crypto_options
struct crypto_options crypto_options
Security parameters and crypto state used by the Data Channel Crypto module to process data channel p...
Definition openvpn.h:349
context_2::buffers_owned
bool buffers_owned
Definition openvpn.h:368
context_2::link_sockets
struct link_socket ** link_sockets
Definition openvpn.h:237
context_2::link_socket_infos
struct link_socket_info ** link_socket_infos
Definition openvpn.h:238
context_2::log_rw
bool log_rw
Definition openvpn.h:380
context_2::event_set_max
int event_set_max
Definition openvpn.h:231
context_2::gc
struct gc_arena gc
Garbage collection arena for allocations done in the level 2 scope of this context_2 structure.
Definition openvpn.h:225
context_2::fast_io
bool fast_io
Definition openvpn.h:424
context_2::pulled_options_digest
struct sha256_digest pulled_options_digest
Definition openvpn.h:445
context_2::event_set
struct event_set * event_set
Definition openvpn.h:230
context_2::buffers
struct context_buffers * buffers
Definition openvpn.h:367
context_2::route_wakeup
struct event_timeout route_wakeup
Definition openvpn.h:383
context_2::tls_exit_signal
int tls_exit_signal
Definition openvpn.h:347
context_2::event_set_owned
bool event_set_owned
Definition openvpn.h:232
context_buffers
Definition openvpn.h:95
context_buffers::read_link_buf
struct buffer read_link_buf
Definition openvpn.h:113
context_buffers::encrypt_buf
struct buffer encrypt_buf
Definition openvpn.h:100
context_buffers::read_tun_buf
struct buffer read_tun_buf
Definition openvpn.h:114
context_buffers::decrypt_buf
struct buffer decrypt_buf
Definition openvpn.h:101
context_buffers::aux_buf
struct buffer aux_buf
Definition openvpn.h:97
context_persist
Definition openvpn.h:121
context_persist::restart_sleep_seconds
int restart_sleep_seconds
Definition openvpn.h:122
context
Contains all state information for one tunnel.
Definition openvpn.h:474
context::mode
int mode
Role of this context within the OpenVPN process.
Definition openvpn.h:487
context::c0
struct context_0 * c0
Level 0 context.
Definition openvpn.h:512
context::did_we_daemonize
bool did_we_daemonize
Whether demonization has already taken place.
Definition openvpn.h:507
context::first_time
bool first_time
True on the first iteration of OpenVPN's main loop.
Definition openvpn.h:478
context::sig
struct signal_info * sig
Internal error signaling object.
Definition openvpn.h:500
context::net_ctx
openvpn_net_ctx_t net_ctx
Networking API opaque context.
Definition openvpn.h:498
context::plugins
struct plugin_list * plugins
List of plug-ins.
Definition openvpn.h:502
context::c2
struct context_2 c2
Level 2 context.
Definition openvpn.h:514
context::es
struct env_set * es
Set of environment variables.
Definition openvpn.h:496
context::options
struct options options
Options loaded from command line or configuration file.
Definition openvpn.h:475
context::plugins_owned
bool plugins_owned
Whether the plug-ins should be cleaned up when this context is cleaned up.
Definition openvpn.h:503
context::gc
struct gc_arena gc
Garbage collection arena for allocations done in the scope of this context structure.
Definition openvpn.h:492
context::c1
struct context_1 c1
Level 1 context.
Definition openvpn.h:513
context::persist
struct context_persist persist
Persistent context.
Definition openvpn.h:510
crypto_options::flags
unsigned int flags
Bit-flags determining behavior of security operation functions.
Definition crypto.h:383
crypto_options::pid_persist
struct packet_id_persist * pid_persist
Persistent packet ID state for keeping state between successive OpenVPN process startups.
Definition crypto.h:339
crypto_options::key_ctx_bi
struct key_ctx_bi key_ctx_bi
OpenSSL cipher and HMAC contexts for both sending and receiving directions.
Definition crypto.h:293
crypto_options::packet_id
struct packet_id packet_id
Current packet ID state for both sending and receiving directions.
Definition crypto.h:330
env_set
Definition env_set.h:42
frame
Packet geometry parameters.
Definition mtu.h:98
frame::tun_mtu
int tun_mtu
the (user) configured tun-mtu.
Definition mtu.h:131
frame::payload_size
int payload_size
the maximum size that a payload that our buffers can hold from either tun device or network link.
Definition mtu.h:102
frame::tun_max_mtu
int tun_max_mtu
the maximum tun-mtu size the buffers are are sized for.
Definition mtu.h:141
frame::extra_tun
int extra_tun
Maximum number of bytes in excess of the tun/tap MTU that might be read from or written to the virtua...
Definition mtu.h:145
frame::headroom
int headroom
the headroom in the buffer, this is choosen to allow all potential header to be added before the pack...
Definition mtu.h:108
frame::buf
struct frame::@8 buf
frame::tailroom
int tailroom
the tailroom in the buffer.
Definition mtu.h:112
gc_arena
Garbage collection arena used to keep track of dynamically allocated memory.
Definition buffer.h:117
http_proxy_options
Definition proxy.h:44
http_proxy_options::first_time
bool first_time
Definition proxy.h:60
http_proxy_options::port
const char * port
Definition proxy.h:46
http_proxy_options::auth_retry
int auth_retry
Definition proxy.h:51
http_proxy_options::server
const char * server
Definition proxy.h:45
key_schedule
Definition openvpn.h:55
key_schedule::tls_crypt_v2_wkc
struct buffer tls_crypt_v2_wkc
Wrapped client key.
Definition openvpn.h:72
key_schedule::original_wrap_keydata
struct key2 original_wrap_keydata
original tls-crypt key preserved to xored into the tls_crypt renegotiation key
Definition openvpn.h:70
key_schedule::key_type
struct key_type key_type
Definition openvpn.h:57
key_schedule::auth_token_key
struct key_ctx auth_token_key
Definition openvpn.h:73
key_schedule::ssl_ctx
struct tls_root_ctx ssl_ctx
Definition openvpn.h:63
key_schedule::tls_auth_key_type
struct key_type tls_auth_key_type
Definition openvpn.h:66
key_schedule::tls_wrap_key
struct key_ctx_bi tls_wrap_key
Definition openvpn.h:67
key_schedule::static_key
struct key_ctx_bi static_key
Definition openvpn.h:60
key_schedule::tls_crypt_v2_server_key
struct key_ctx tls_crypt_v2_server_key
Definition openvpn.h:71
key_type::cipher
const char * cipher
const name of the cipher
Definition crypto.h:142
key_type::digest
const char * digest
Message digest static parameters.
Definition crypto.h:143
link_socket_actual
Definition socket.h:87
link_socket_actual::dest
struct openvpn_sockaddr dest
Definition socket.h:90
link_socket_addr
Definition socket.h:105
link_socket_addr::actual
struct link_socket_actual actual
Definition socket.h:110
link_socket_addr::remote_list
struct addrinfo * remote_list
Definition socket.h:107
link_socket_addr::bind_local
struct addrinfo * bind_local
Definition socket.h:106
link_socket_addr::current_remote
struct addrinfo * current_remote
Definition socket.h:108
link_socket_info
Definition socket.h:114
link_socket_info::connection_established
bool connection_established
Definition socket.h:116
link_socket_info::lsa
struct link_socket_addr * lsa
Definition socket.h:115
link_socket_info::proto
int proto
Definition socket.h:120
link_socket
Definition socket.h:178
link_socket::info
struct link_socket_info info
Definition socket.h:179
link_socket::sd
socket_descriptor_t sd
Definition socket.h:186
local_list::len
int len
Definition options.h:191
man_persist::special_state_msg
const char * special_state_msg
Definition manage.h:238
management_callback
Definition manage.h:174
management_callback::arg
void * arg
Definition manage.h:175
management_callback::status
void(* status)(void *arg, const int version, struct status_output *so)
Definition manage.h:180
management_callback::remote_entry_get
bool(* remote_entry_get)(void *arg, unsigned int index, char **remote)
Definition manage.h:207
management_callback::remote_entry_count
unsigned int(* remote_entry_count)(void *arg)
Definition manage.h:206
management_callback::send_cc_message
bool(* send_cc_message)(void *arg, const char *message, const char *parameter)
Definition manage.h:186
management_callback::proxy_cmd
bool(* proxy_cmd)(void *arg, const char **p)
Definition manage.h:201
management_callback::flags
unsigned int flags
Definition manage.h:178
management_callback::remote_cmd
bool(* remote_cmd)(void *arg, const char **p)
Definition manage.h:202
management_callback::show_net
void(* show_net)(void *arg, const int msglevel)
Definition manage.h:181
management::persist
struct man_persist persist
Definition manage.h:337
openvpn_sockaddr
Definition socket.h:66
openvpn_sockaddr::addr
union openvpn_sockaddr::@20 addr
openvpn_sockaddr::sa
struct sockaddr sa
Definition socket.h:69
openvpn_sockaddr::in4
struct sockaddr_in in4
Definition socket.h:70
openvpn_sockaddr::in6
struct sockaddr_in6 in6
Definition socket.h:71
options::rcvbuf
int rcvbuf
Definition options.h:414
options::resolve_in_advance
bool resolve_in_advance
Definition options.h:366
options::route_nopull
bool route_nopull
Definition options.h:437
options::genkey_extra_data
const char * genkey_extra_data
Definition options.h:284
options::comp
struct compress_options comp
Definition options.h:411
options::persist_config
bool persist_config
Definition options.h:272
options::connection_list
struct connection_list * connection_list
Definition options.h:289
options::management_port
const char * management_port
Definition options.h:447
options::ifconfig_ipv6_remote
const char * ifconfig_ipv6_remote
Definition options.h:325
options::server_backoff_time
int server_backoff_time
Definition options.h:304
options::auth_token_renewal
int auth_token_renewal
Definition options.h:544
options::tmp_dir
const char * tmp_dir
Definition options.h:466
options::push_peer_info
bool push_peer_info
Definition options.h:681
options::daemon
bool daemon
Definition options.h:389
options::route_default_metric
int route_default_metric
Definition options.h:429
options::renegotiate_seconds_min
int renegotiate_seconds_min
Definition options.h:647
options::auth_token_secret_file
const char * auth_token_secret_file
Definition options.h:545
options::imported_protocol_flags
unsigned int imported_protocol_flags
Definition options.h:722
options::tls_export_peer_cert_dir
const char * tls_export_peer_cert_dir
Definition options.h:612
options::crl_file_inline
bool crl_file_inline
Definition options.h:616
options::down_script
const char * down_script
Definition options.h:384
options::verify_hash_algo
hash_algo_type verify_hash_algo
Definition options.h:622
options::replay_time
int replay_time
Definition options.h:583
options::management_state_buffer_size
int management_state_buffer_size
Definition options.h:451
options::duplicate_cn
bool duplicate_cn
Definition options.h:526
options::shaper
int shaper
Definition options.h:328
options::management_echo_buffer_size
int management_echo_buffer_size
Definition options.h:450
options::show_net_up
bool show_net_up
Definition options.h:694
options::verify_hash_no_ca
bool verify_hash_no_ca
Definition options.h:624
options::use_peer_id
bool use_peer_id
Definition options.h:700
options::remote_cert_ku
unsigned remote_cert_ku[MAX_PARMS]
Definition options.h:619
options::server_bridge_defined
bool server_bridge_defined
Definition options.h:481
options::status_file
const char * status_file
Definition options.h:404
options::ssl_flags
unsigned int ssl_flags
Definition options.h:625
options::route_noexec
bool route_noexec
Definition options.h:430
options::ifconfig_nowarn
bool ifconfig_nowarn
Definition options.h:327
options::remote_cert_eku
const char * remote_cert_eku
Definition options.h:620
options::tls_timeout
int tls_timeout
Definition options.h:641
options::test_crypto
bool test_crypto
Definition options.h:585
options::up_delay
bool up_delay
Definition options.h:387
options::server_bridge_proxy_dhcp
bool server_bridge_proxy_dhcp
Definition options.h:479
options::authname
const char * authname
Definition options.h:578
options::exit_event_name
const char * exit_event_name
Definition options.h:692
options::ifconfig_ipv6_local
const char * ifconfig_ipv6_local
Definition options.h:323
options::replay_window
int replay_window
Definition options.h:582
options::mute
int mute
Definition options.h:398
options::auth_user_pass_verify_script_via_file
bool auth_user_pass_verify_script_via_file
Definition options.h:540
options::dev_type
const char * dev_type
Definition options.h:317
options::persist_mode
int persist_mode
Definition options.h:273
options::ifconfig_pool_persist_refresh_freq
int ifconfig_pool_persist_refresh_freq
Definition options.h:493
options::show_digests
bool show_digests
Definition options.h:277
options::up_script
const char * up_script
Definition options.h:383
options::ce_advance_count
int ce_advance_count
Definition options.h:300
options::single_session
bool single_session
Definition options.h:679
options::rh_store
struct remote_host_store * rh_store
Definition options.h:310
options::verify_hash_depth
int verify_hash_depth
Definition options.h:623
options::route_delay_defined
bool route_delay_defined
Definition options.h:433
options::packet_id_file
const char * packet_id_file
Definition options.h:584
options::tls_crypt_v2_file
const char * tls_crypt_v2_file
Definition options.h:671
options::management_log_history_cache
int management_log_history_cache
Definition options.h:449
options::peer_id
uint32_t peer_id
Definition options.h:701
options::routes
struct route_option_list * routes
Definition options.h:434
options::keepalive_timeout
int keepalive_timeout
Definition options.h:341
options::fast_io
bool fast_io
Definition options.h:409
options::block_outside_dns
bool block_outside_dns
Definition options.h:696
options::tls_exit
bool tls_exit
Definition options.h:683
options::show_engines
bool show_engines
Definition options.h:278
options::msg_channel
HANDLE msg_channel
Definition options.h:691
options::key_pass_file
const char * key_pass_file
Definition options.h:275
options::mute_replay_warnings
bool mute_replay_warnings
Definition options.h:581
options::unsuccessful_attempts
unsigned int unsuccessful_attempts
Definition options.h:298
options::handshake_window
int handshake_window
Definition options.h:651
options::ifconfig_local
const char * ifconfig_local
Definition options.h:321
options::ce
struct connection_entry ce
Definition options.h:288
options::user_script_used
bool user_script_used
Definition options.h:385
options::show_tls_ciphers
bool show_tls_ciphers
Definition options.h:279
options::tuntap_options
struct tuntap_options tuntap_options
Definition options.h:369
options::verify_hash
struct verify_hash_list * verify_hash
Definition options.h:621
options::tls_cert_profile
const char * tls_cert_profile
Definition options.h:609
options::renegotiate_packets
int64_t renegotiate_packets
Definition options.h:645
options::management_flags
unsigned int management_flags
Definition options.h:459
options::route_default_gateway
const char * route_default_gateway
Definition options.h:427
options::exit_event_initial_state
bool exit_event_initial_state
Definition options.h:693
options::sc_info
struct static_challenge_info sc_info
Definition options.h:565
options::auth_token_call_auth
bool auth_token_call_auth
Definition options.h:542
options::topology
int topology
Definition options.h:320
options::disable_dco
bool disable_dco
Definition options.h:372
options::ncp_ciphers
const char * ncp_ciphers
Definition options.h:577
options::genkey
bool genkey
Definition options.h:281
options::ciphername
const char * ciphername
Definition options.h:572
options::auth_user_pass_file
const char * auth_user_pass_file
Definition options.h:558
options::username
const char * username
Definition options.h:375
options::plugin_list
struct plugin_option_list * plugin_list
Definition options.h:462
options::auth_token_lifetime
int auth_token_lifetime
Definition options.h:543
options::ns_cert_type
int ns_cert_type
Definition options.h:618
options::tls_crypt_v2_verify_script
const char * tls_crypt_v2_verify_script
Definition options.h:676
options::mode
int mode
Definition options.h:260
options::tls_server
bool tls_server
Definition options.h:591
options::auth_user_pass_verify_script
const char * auth_user_pass_verify_script
Definition options.h:539
options::connect_retry_max
int connect_retry_max
Definition options.h:287
options::pull
bool pull
Definition options.h:555
options::show_curves
bool show_curves
Definition options.h:280
options::route_ipv6_default_gateway
const char * route_ipv6_default_gateway
Definition options.h:428
options::tls_client
bool tls_client
Definition options.h:592
options::auth_token_generate
bool auth_token_generate
Definition options.h:541
options::priv_key_file_inline
bool priv_key_file_inline
Definition options.h:603
options::tls_verify
const char * tls_verify
Definition options.h:611
options::crl_file
const char * crl_file
Definition options.h:615
options::ping_rec_timeout_action
int ping_rec_timeout_action
Definition options.h:355
options::auth_user_pass_file_inline
bool auth_user_pass_file_inline
Definition options.h:559
options::show_ciphers
bool show_ciphers
Definition options.h:276
options::enable_ncp_fallback
bool enable_ncp_fallback
If defined fall back to ciphername if NCP fails.
Definition options.h:573
options::route_predown_script
const char * route_predown_script
Definition options.h:426
options::route_delay_window
int route_delay_window
Definition options.h:432
options::mlock
bool mlock
Definition options.h:338
options::sndbuf
int sndbuf
Definition options.h:415
options::gc
struct gc_arena gc
Definition options.h:251
options::down_pre
bool down_pre
Definition options.h:386
options::persist_tun
bool persist_tun
Definition options.h:357
options::auth_token_secret_file_inline
bool auth_token_secret_file_inline
Definition options.h:546
options::config
const char * config
Definition options.h:255
options::mtu_test
bool mtu_test
Definition options.h:332
options::verify_x509_type
int verify_x509_type
Definition options.h:613
options::cipher_list_tls13
const char * cipher_list_tls13
Definition options.h:607
options::status_file_update_freq
int status_file_update_freq
Definition options.h:406
options::management_client_user
const char * management_client_user
Definition options.h:453
options::cipher_list
const char * cipher_list
Definition options.h:606
options::ccd_exclusive
bool ccd_exclusive
Definition options.h:506
options::genkey_filename
const char * genkey_filename
Definition options.h:283
options::x509_track
const struct x509_track * x509_track
Definition options.h:685
options::chroot_dir
const char * chroot_dir
Definition options.h:377
options::log
bool log
Definition options.h:393
options::shared_secret_file_inline
bool shared_secret_file_inline
Definition options.h:569
options::renegotiate_seconds
int renegotiate_seconds
Definition options.h:646
options::ping_rec_timeout
int ping_rec_timeout
Definition options.h:349
options::sockflags
unsigned int sockflags
Definition options.h:422
options::engine
const char * engine
Definition options.h:579
options::management_addr
const char * management_addr
Definition options.h:446
options::verify_x509_name
const char * verify_x509_name
Definition options.h:614
options::ping_send_timeout
int ping_send_timeout
Definition options.h:348
options::route_delay
int route_delay
Definition options.h:431
options::dev_node
const char * dev_node
Definition options.h:318
options::client_crresponse_script
const char * client_crresponse_script
Definition options.h:504
options::routes_ipv6
struct route_ipv6_option_list * routes_ipv6
Definition options.h:435
options::key_direction
int key_direction
Definition options.h:571
options::persist_remote_ip
bool persist_remote_ip
Definition options.h:359
options::up_restart
bool up_restart
Definition options.h:388
options::keepalive_ping
int keepalive_ping
Definition options.h:340
options::no_advance
bool no_advance
Definition options.h:293
options::tls_crypt_v2_file_inline
bool tls_crypt_v2_file_inline
Definition options.h:672
options::groupname
const char * groupname
Definition options.h:376
options::cd_dir
const char * cd_dir
Definition options.h:378
options::nice
int nice
Definition options.h:396
options::transition_window
int transition_window
Definition options.h:659
options::ifconfig_remote_netmask
const char * ifconfig_remote_netmask
Definition options.h:322
options::lladdr
const char * lladdr
Definition options.h:319
options::verbosity
int verbosity
Definition options.h:397
options::windows_driver
enum tun_driver_type windows_driver
Definition options.h:697
options::remap_sigusr1
int remap_sigusr1
Definition options.h:391
options::renegotiate_bytes
int64_t renegotiate_bytes
Definition options.h:644
options::route_script
const char * route_script
Definition options.h:425
options::management_user_pass
const char * management_user_pass
Definition options.h:448
options::shared_secret_file
const char * shared_secret_file
Definition options.h:568
options::ifconfig_noexec
bool ifconfig_noexec
Definition options.h:326
options::dev
const char * dev
Definition options.h:316
options::management_client_group
const char * management_client_group
Definition options.h:454
options::client_config_dir
const char * client_config_dir
Definition options.h:505
options::genkey_type
enum genkey_type genkey_type
Definition options.h:282
options::advance_next_remote
bool advance_next_remote
Definition options.h:296
options::ifconfig_pool_persist_filename
const char * ifconfig_pool_persist_filename
Definition options.h:492
options::ifconfig_ipv6_netbits
int ifconfig_ipv6_netbits
Definition options.h:324
options::persist_local_ip
bool persist_local_ip
Definition options.h:358
plugin_list
Definition plugin.h:95
plugin_return
Definition plugin.h:102
plugin_return::n
int n
Definition plugin.h:103
plugin_return::list
struct openvpn_plugin_string_list * list[MAX_PLUGINS]
Definition plugin.h:104
remote_host_store
Definition options.h:226
remote_host_store::port
char port[RH_PORT_LEN]
Definition options.h:230
remote_host_store::host
char host[RH_HOST_LEN]
Definition options.h:228
route_ipv6_list
Definition route.h:226
route_ipv6_list::gc
struct gc_arena gc
Definition route.h:237
route_ipv6_option_list::flags
unsigned int flags
Definition route.h:107
route_ipv6_option_list::gc
struct gc_arena * gc
Definition route.h:109
route_list
Definition route.h:213
route_list::gc
struct gc_arena gc
Definition route.h:223
sha256_digest
Wrapper struct to pass around SHA256 digests.
Definition crypto.h:133
signal_info
Definition sig.h:42
signal_info::signal_text
const char * signal_text
Definition sig.h:45
signal_info::signal_received
volatile int signal_received
Definition sig.h:43
signal_info::source
volatile int source
Definition sig.h:44
status_output
Definition status.h:49
status_output::flags
unsigned int flags
Definition status.h:52
tls_auth_standalone::frame
struct frame frame
Definition ssl_pkt.h:82
tls_auth_standalone::workbuf
struct buffer workbuf
Definition ssl_pkt.h:81
tls_auth_standalone::tls_wrap
struct tls_wrap_ctx tls_wrap
Definition ssl_pkt.h:80
tls_multi::dco
dco_context_t * dco
Definition ssl_common.h:698
tls_multi::peer_info
char * peer_info
Definition ssl_common.h:649
tls_multi::multi_state
enum multi_status multi_state
Definition ssl_common.h:618
tls_multi::opt
struct tls_options opt
Definition ssl_common.h:602
tls_multi::session
struct tls_session session[TM_SIZE]
Array of tls_session objects representing control channel sessions with the remote peer.
Definition ssl_common.h:681
tls_multi::peer_id
uint32_t peer_id
Definition ssl_common.h:672
tls_multi::use_peer_id
bool use_peer_id
Definition ssl_common.h:673
tls_options
Definition ssl_common.h:298
tls_options::renegotiate_bytes
int64_t renegotiate_bytes
Definition ssl_common.h:334
tls_options::auth_token_key
struct key_ctx auth_token_key
Definition ssl_common.h:399
tls_options::mode
int mode
Definition ssl_common.h:318
tls_options::auth_token_renewal
unsigned int auth_token_renewal
Definition ssl_common.h:397
tls_options::es
struct env_set * es
Definition ssl_common.h:405
tls_options::auth_token_lifetime
unsigned int auth_token_lifetime
Definition ssl_common.h:396
tls_options::gremlin
int gremlin
Definition ssl_common.h:439
tls_options::server
bool server
Definition ssl_common.h:306
tls_options::tls_wrap
struct tls_wrap_ctx tls_wrap
TLS handshake wrapping state.
Definition ssl_common.h:379
tls_options::ekm_label_size
size_t ekm_label_size
Definition ssl_common.h:443
tls_options::crypto_flags
unsigned int crypto_flags
Definition ssl_common.h:361
tls_options::remote_cert_ku
unsigned remote_cert_ku[MAX_PARMS]
Definition ssl_common.h:348
tls_options::packet_timeout
interval_t packet_timeout
Definition ssl_common.h:333
tls_options::auth_user_pass_file
const char * auth_user_pass_file
Definition ssl_common.h:389
tls_options::client_crresponse_script
const char * client_crresponse_script
Definition ssl_common.h:385
tls_options::sci
const struct static_challenge_info * sci
Definition ssl_common.h:435
tls_options::net_ctx
openvpn_net_ctx_t * net_ctx
Definition ssl_common.h:406
tls_options::tmp_dir
const char * tmp_dir
Definition ssl_common.h:387
tls_options::replay_time
int replay_time
Definition ssl_common.h:364
tls_options::renegotiate_seconds
interval_t renegotiate_seconds
Definition ssl_common.h:339
tls_options::frame
struct frame frame
Definition ssl_common.h:381
tls_options::renegotiate_packets
int64_t renegotiate_packets
Definition ssl_common.h:335
tls_options::auth_user_pass_file_inline
bool auth_user_pass_file_inline
Definition ssl_common.h:390
tls_options::verify_hash_depth
int verify_hash_depth
Definition ssl_common.h:351
tls_options::plugins
const struct plugin_list * plugins
Definition ssl_common.h:407
tls_options::client_config_dir_exclusive
const char * client_config_dir_exclusive
Definition ssl_common.h:402
tls_options::tls_crypt_v2
bool tls_crypt_v2
Definition ssl_common.h:375
tls_options::export_peer_cert_dir
const char * export_peer_cert_dir
Definition ssl_common.h:388
tls_options::verify_command
const char * verify_command
Definition ssl_common.h:342
tls_options::verify_hash
struct verify_hash_list * verify_hash
Definition ssl_common.h:350
tls_options::ekm_label
const char * ekm_label
Definition ssl_common.h:442
tls_options::ekm_size
size_t ekm_size
Definition ssl_common.h:444
tls_options::x509_username_field
char * x509_username_field[2]
Definition ssl_common.h:357
tls_options::transition_window
int transition_window
Definition ssl_common.h:331
tls_options::config_ciphername
const char * config_ciphername
Definition ssl_common.h:366
tls_options::verify_x509_type
int verify_x509_type
Definition ssl_common.h:343
tls_options::single_session
bool single_session
Definition ssl_common.h:317
tls_options::data_epoch_supported
bool data_epoch_supported
whether our underlying data channel supports new data channel features (epoch keys with AEAD tag at t...
Definition ssl_common.h:373
tls_options::verify_x509_name
const char * verify_x509_name
Definition ssl_common.h:344
tls_options::crl_file_inline
bool crl_file_inline
Definition ssl_common.h:346
tls_options::x509_track
const struct x509_track * x509_track
Definition ssl_common.h:432
tls_options::verify_hash_no_ca
bool verify_hash_no_ca
Definition ssl_common.h:352
tls_options::mda_context
struct man_def_auth_context * mda_context
Definition ssl_common.h:429
tls_options::tls_crypt_v2_verify_script
const char * tls_crypt_v2_verify_script
Definition ssl_common.h:376
tls_options::ssl_ctx
struct tls_root_ctx ssl_ctx
Definition ssl_common.h:300
tls_options::auth_user_pass_verify_script_via_file
bool auth_user_pass_verify_script_via_file
Definition ssl_common.h:386
tls_options::config_ncp_ciphers
const char * config_ncp_ciphers
Definition ssl_common.h:367
tls_options::xmit_hold
bool xmit_hold
Definition ssl_common.h:309
tls_options::ssl_flags
unsigned int ssl_flags
Definition ssl_common.h:426
tls_options::auth_token_generate
bool auth_token_generate
Generate auth-tokens on successful user/pass auth,seet via options->auth_token_generate.
Definition ssl_common.h:392
tls_options::key_type
struct key_type key_type
Definition ssl_common.h:303
tls_options::push_peer_info_detail
int push_peer_info_detail
The detail of info we push in peer info.
Definition ssl_common.h:330
tls_options::ns_cert_type
int ns_cert_type
Definition ssl_common.h:347
tls_options::verify_hash_algo
hash_algo_type verify_hash_algo
Definition ssl_common.h:353
tls_options::pull
bool pull
Definition ssl_common.h:319
tls_options::auth_token_call_auth
bool auth_token_call_auth
always call normal authentication
Definition ssl_common.h:395
tls_options::crl_file
const char * crl_file
Definition ssl_common.h:345
tls_options::handshake_window
int handshake_window
Definition ssl_common.h:332
tls_options::dco_enabled
bool dco_enabled
Whether keys have to be installed in DCO or not.
Definition ssl_common.h:446
tls_options::auth_user_pass_verify_script
const char * auth_user_pass_verify_script
Definition ssl_common.h:384
tls_options::remote_cert_eku
const char * remote_cert_eku
Definition ssl_common.h:349
tls_options::replay_window
int replay_window
Definition ssl_common.h:363
tls_session
Security parameter state of a single session within a VPN tunnel.
Definition ssl_common.h:480
tls_wrap_ctx::opt
struct crypto_options opt
Crypto state.
Definition ssl_common.h:274
tls_wrap_ctx::work
struct buffer work
Work buffer (only for –tls-crypt)
Definition ssl_common.h:275
tls_wrap_ctx::tls_crypt_v2_server_key
struct key_ctx tls_crypt_v2_server_key
Decrypts client keys.
Definition ssl_common.h:276
tls_wrap_ctx::tls_crypt_v2_wkc
const struct buffer * tls_crypt_v2_wkc
Wrapped client key, sent to server.
Definition ssl_common.h:277
tls_wrap_ctx::mode
enum tls_wrap_ctx::@23 mode
Control channel wrapping mode.
tls_wrap_ctx::original_wrap_keydata
struct key2 original_wrap_keydata
original key data to be xored in to the key for dynamic tls-crypt.
Definition ssl_common.h:290
tuntap_options::msg_channel
HANDLE msg_channel
Definition tun.h:90
tuntap
Definition tun.h:181
tuntap::local
in_addr_t local
Definition tun.h:208
tuntap::adapter_index
DWORD adapter_index
Definition tun.h:230
tuntap::backend_driver
enum tun_driver_type backend_driver
The backend driver that used for this tun/tap device.
Definition tun.h:191
tuntap::options
struct tuntap_options options
Definition tun.h:203
tuntap::local_ipv6
struct in6_addr local_ipv6
Definition tun.h:211
tuntap::dco
dco_context_t dco
Definition tun.h:249
tuntap::actual_name
char * actual_name
Definition tun.h:205
tuntap::remote_netmask
in_addr_t remote_netmask
Definition tun.h:209
user_pass
Definition misc.h:57
user_pass::password
char password[USER_PASS_LEN]
Definition misc.h:73
user_pass::username
char username[USER_PASS_LEN]
Definition misc.h:72
win32_signal
Definition win32.h:153
win32_signal::mode
int mode
Definition win32.h:157
window_title
Definition win32.h:74
srandom
#define srandom
Definition syshead.h:45
SOCKET_UNDEFINED
#define SOCKET_UNDEFINED
Definition syshead.h:437
sleep
#define sleep(x)
Definition syshead.h:43
es
struct env_set * es
Definition test_pkcs11.c:141
gc
struct gc_arena gc
Definition test_ssl.c:155
tls_crypt.h
open_tun
void open_tun(const char *dev, const char *dev_type, const char *dev_node, struct tuntap *tt, openvpn_net_ctx_t *ctx)
Definition tun.c:6731
dev_type_enum
int dev_type_enum(const char *dev, const char *dev_type)
Definition tun.c:467
fork_register_dns_action
void fork_register_dns_action(struct tuntap *tt)
Definition tun.c:6047
init_tun
struct tuntap * init_tun(const char *dev, const char *dev_type, int topology, const char *ifconfig_local_parm, const char *ifconfig_remote_netmask_parm, const char *ifconfig_ipv6_local_parm, int ifconfig_ipv6_netbits_parm, const char *ifconfig_ipv6_remote_parm, struct addrinfo *local_public, struct addrinfo *remote_public, const bool strict_warn, struct env_set *es, openvpn_net_ctx_t *ctx, struct tuntap *tt)
Definition tun.c:794
show_adapters
void show_adapters(int msglev)
Definition tun.c:5012
is_dev_type
bool is_dev_type(const char *dev, const char *dev_type, const char *match_type)
Definition tun.c:449
do_ifconfig
void do_ifconfig(struct tuntap *tt, const char *ifname, int tun_mtu, const struct env_set *es, openvpn_net_ctx_t *ctx)
do_ifconfig - configure the tunnel interface
Definition tun.c:1606
dev_type_string
const char * dev_type_string(const char *dev, const char *dev_type)
Definition tun.c:486
close_tun
void close_tun(struct tuntap *tt, openvpn_net_ctx_t *ctx)
Definition tun.c:6906
warn_on_use_of_common_subnets
void warn_on_use_of_common_subnets(openvpn_net_ctx_t *ctx)
Definition tun.c:630
init_tun_post
void init_tun_post(struct tuntap *tt, const struct frame *frame, const struct tuntap_options *options)
Definition tun.c:940
guess_tuntap_dev
const char * guess_tuntap_dev(const char *dev, const char *dev_type, const char *dev_node, struct gc_arena *gc)
Definition tun.c:506
do_ifconfig_setenv
void do_ifconfig_setenv(const struct tuntap *tt, struct env_set *es)
Definition tun.c:750
undo_ifconfig
void undo_ifconfig(struct tuntap *tt, openvpn_net_ctx_t *ctx)
undo_ifconfig - undo configuration of the tunnel interface
Definition tun.c:1705
tun_standby_init
void tun_standby_init(struct tuntap *tt)
Definition tun.c:5734
print_tun_backend_driver
const char * print_tun_backend_driver(enum tun_driver_type driver)
Return a string representation of the tun backed driver type.
Definition tun.c:59
IFCONFIG_AFTER_TUN_OPEN
#define IFCONFIG_AFTER_TUN_OPEN
Definition tun.h:371
IFCONFIG_BEFORE_TUN_OPEN
#define IFCONFIG_BEFORE_TUN_OPEN
Definition tun.h:370
tuntap_is_dco_win
static bool tuntap_is_dco_win(struct tuntap *tt)
Definition tun.h:682
DRIVER_NULL
@ DRIVER_NULL
Definition tun.h:54
DRIVER_GENERIC_TUNTAP
@ DRIVER_GENERIC_TUNTAP
Definition tun.h:49
DRIVER_AFUNIX
@ DRIVER_AFUNIX
using an AF_UNIX socket to pass packets from/to an external program.
Definition tun.h:53
DRIVER_DCO
@ DRIVER_DCO
Definition tun.h:55
ROUTE_AFTER_TUN
#define ROUTE_AFTER_TUN
Definition tun.h:402
ifconfig_order
static int ifconfig_order(struct tuntap *tt)
Definition tun.h:376
open_tun_null
static void open_tun_null(struct tuntap *tt)
Definition tun.h:788
route_order
static int route_order(struct tuntap *tt)
Definition tun.h:406
ROUTE_BEFORE_TUN
#define ROUTE_BEFORE_TUN
Definition tun.h:401
is_tun_type_set
static bool is_tun_type_set(const struct tuntap *tt)
Definition tun.h:782
tuncfg
void tuncfg(const char *dev, const char *dev_type, const char *dev_node, int persist_mode, const char *username, const char *groupname, const struct tuntap_options *options, openvpn_net_ctx_t *ctx)
open_tun_afunix
void open_tun_afunix(struct options *o, int mtu, struct tuntap *tt, struct env_set *orig_env)
Opens an AF_UNIX based tun device.
Definition tun_afunix.c:74
close_tun_afunix
void close_tun_afunix(struct tuntap *tt)
Closes the socket used for the AF_UNIX based device.
Definition tun_afunix.c:129
tun_afunix.h
is_tun_afunix
static bool is_tun_afunix(const char *devnode)
Checks whether a –dev-node parameter specifies a AF_UNIX device.
Definition tun_afunix.h:69
win32_signal_open
void win32_signal_open(struct win32_signal *ws, int force, const char *exit_event_name, bool exit_event_initial_state)
Definition win32.c:453
win_wfp_block
bool win_wfp_block(const NET_IFINDEX index, const HANDLE msg_channel, BOOL dns_only)
Definition win32.c:1211
window_title_generate
void window_title_generate(const char *title)
Definition win32.c:730
window_title_save
void window_title_save(struct window_title *wt)
Definition win32.c:704
win_wfp_uninit
bool win_wfp_uninit(const NET_IFINDEX index, const HANDLE msg_channel)
Definition win32.c:1260
init_win32
void init_win32(void)
Definition win32.c:109
WSO_MODE_CONSOLE
#define WSO_MODE_CONSOLE
Definition win32.h:156
WSO_FORCE_SERVICE
#define WSO_FORCE_SERVICE
Definition win32.h:170
WSO_FORCE_CONSOLE
#define WSO_FORCE_CONSOLE
Definition win32.h:171
Generated by doxygen 1.9.8