OpenVPN
init.c
Go to the documentation of this file.
1/*
2 * OpenVPN -- An application to securely tunnel IP networks
3 * over a single TCP/UDP port, with support for SSL/TLS-based
4 * session authentication and key exchange,
5 * packet encryption, packet authentication, and
6 * packet compression.
7 *
8 * Copyright (C) 2002-2025 OpenVPN Inc <sales@openvpn.net>
9 *
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License version 2
12 * as published by the Free Software Foundation.
13 *
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
18 *
19 * You should have received a copy of the GNU General Public License along
20 * with this program; if not, see <https://www.gnu.org/licenses/>.
21 */
22
23#ifdef HAVE_CONFIG_H
24#include "config.h"
25#endif
26
27#include "syshead.h"
28
29#ifdef ENABLE_SYSTEMD
30#include <systemd/sd-daemon.h>
31#endif
32
33#include "win32.h"
34#include "init.h"
35#include "run_command.h"
36#include "sig.h"
37#include "occ.h"
38#include "list.h"
39#include "otime.h"
40#include "pool.h"
41#include "gremlin.h"
42#include "occ.h"
43#include "pkcs11.h"
44#include "ps.h"
45#include "lladdr.h"
46#include "ping.h"
47#include "ssl_verify.h"
48#include "ssl_ncp.h"
49#include "tls_crypt.h"
50#include "forward.h"
51#include "auth_token.h"
52#include "mss.h"
53#include "mudp.h"
54#include "dco.h"
55#include "tun_afunix.h"
56
57#include "memdbg.h"
58
59
60static struct context *static_context; /* GLOBAL */
61static const char *saved_pid_file_name; /* GLOBAL */
62
63/*
64 * Crypto initialization flags
65 */
66#define CF_LOAD_PERSISTED_PACKET_ID (1 << 0)
67#define CF_INIT_TLS_MULTI (1 << 1)
68#define CF_INIT_TLS_AUTH_STANDALONE (1 << 2)
69
70static void do_init_first_time(struct context *c);
71
72static bool do_deferred_p2p_ncp(struct context *c);
73
74static void
75context_clear(struct context *c)
76{
77 CLEAR(*c);
78}
79
80static void
81context_clear_1(struct context *c)
82{
83 CLEAR(c->c1);
84}
85
86void
87context_clear_2(struct context *c)
88{
89 CLEAR(c->c2);
90}
91
92void
93context_clear_all_except_first_time(struct context *c)
94{
95 const bool first_time_save = c->first_time;
96 const struct context_persist cpsave = c->persist;
97 context_clear(c);
98 c->first_time = first_time_save;
99 c->persist = cpsave;
100}
101
102/*
103 * Pass tunnel endpoint and MTU parms to a user-supplied script.
104 * Used to execute the up/down script/plugins.
105 */
106static void
107run_up_down(const char *command, const struct plugin_list *plugins, int plugin_type,
108 const char *arg,
109#ifdef _WIN32
110 DWORD adapter_index,
111#endif
112 const char *dev_type, int tun_mtu, const char *ifconfig_local,
113 const char *ifconfig_remote, const char *context, const char *signal_text,
114 const char *script_type, struct env_set *es)
115{
116 struct gc_arena gc = gc_new();
117
118 if (signal_text)
119 {
120 setenv_str(es, "signal", signal_text);
121 }
122 setenv_str(es, "script_context", context);
123 setenv_int(es, "tun_mtu", tun_mtu);
124 setenv_str(es, "dev", arg);
125 if (dev_type)
126 {
127 setenv_str(es, "dev_type", dev_type);
128 }
129#ifdef _WIN32
130 setenv_int(es, "dev_idx", adapter_index);
131#endif
132
133 if (!ifconfig_local)
134 {
135 ifconfig_local = "";
136 }
137 if (!ifconfig_remote)
138 {
139 ifconfig_remote = "";
140 }
141 if (!context)
142 {
143 context = "";
144 }
145
146 if (plugin_defined(plugins, plugin_type))
147 {
148 struct argv argv = argv_new();
149 ASSERT(arg);
150 argv_printf(&argv, "%s %d 0 %s %s %s", arg, tun_mtu, ifconfig_local, ifconfig_remote,
151 context);
152
153 if (plugin_call(plugins, plugin_type, &argv, NULL, es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
154 {
155 msg(M_FATAL, "ERROR: up/down plugin call failed");
156 }
157
158 argv_free(&argv);
159 }
160
161 if (command)
162 {
163 struct argv argv = argv_new();
164 ASSERT(arg);
165 setenv_str(es, "script_type", script_type);
166 argv_parse_cmd(&argv, command);
167 argv_printf_cat(&argv, "%s %d 0 %s %s %s", arg, tun_mtu, ifconfig_local, ifconfig_remote,
168 context);
169 argv_msg(M_INFO, &argv);
170 openvpn_run_script(&argv, es, S_FATAL, "--up/--down");
171 argv_free(&argv);
172 }
173
174 gc_free(&gc);
175}
176
177/*
178 * Should be called after options->ce is modified at the top
179 * of a SIGUSR1 restart.
180 */
181static void
182update_options_ce_post(struct options *options)
183{
184 /*
185 * In pull mode, we usually import --ping/--ping-restart parameters from
186 * the server. However we should also set an initial default --ping-restart
187 * for the period of time before we pull the --ping-restart parameter
188 * from the server.
189 */
190 if (options->pull && options->ping_rec_timeout_action == PING_UNDEF
191 && proto_is_dgram(options->ce.proto))
192 {
193 options->ping_rec_timeout = PRE_PULL_INITIAL_PING_RESTART;
194 options->ping_rec_timeout_action = PING_RESTART;
195 }
196}
197
198#ifdef ENABLE_MANAGEMENT
199static bool
200management_callback_proxy_cmd(void *arg, const char **p)
201{
202 struct context *c = arg;
203 struct connection_entry *ce = &c->options.ce;
204 struct gc_arena *gc = &c->c2.gc;
205 bool ret = false;
206
207 update_time();
208 if (streq(p[1], "NONE"))
209 {
210 ret = true;
211 }
212 else if (p[2] && p[3])
213 {
214 if (streq(p[1], "HTTP"))
215 {
216 struct http_proxy_options *ho;
217 if (ce->proto != PROTO_TCP && ce->proto != PROTO_TCP_CLIENT)
218 {
219 msg(M_WARN, "HTTP proxy support only works for TCP based connections");
220 return false;
221 }
222 ho = init_http_proxy_options_once(&ce->http_proxy_options, gc);
223 ho->server = string_alloc(p[2], gc);
224 ho->port = string_alloc(p[3], gc);
225 ho->auth_retry = (p[4] && streq(p[4], "nct") ? PAR_NCT : PAR_ALL);
226 ret = true;
227 }
228 else if (streq(p[1], "SOCKS"))
229 {
230 ce->socks_proxy_server = string_alloc(p[2], gc);
231 ce->socks_proxy_port = string_alloc(p[3], gc);
232 ret = true;
233 }
234 }
235 else
236 {
237 msg(M_WARN, "Bad proxy command");
238 }
239
240 ce->flags &= ~CE_MAN_QUERY_PROXY;
241
242 return ret;
243}
244
245static bool
246ce_management_query_proxy(struct context *c)
247{
248 const struct connection_list *l = c->options.connection_list;
249 struct connection_entry *ce = &c->options.ce;
250 struct gc_arena gc;
251 bool ret = true;
252
253 update_time();
254 if (management)
255 {
256 gc = gc_new();
257 {
258 struct buffer out = alloc_buf_gc(256, &gc);
259 buf_printf(&out, ">PROXY:%u,%s,%s", (l ? l->current : 0) + 1,
260 (proto_is_udp(ce->proto) ? "UDP" : "TCP"), np(ce->remote));
261 management_notify_generic(management, BSTR(&out));
262 management->persist.special_state_msg = BSTR(&out);
263 }
264 ce->flags |= CE_MAN_QUERY_PROXY;
265 while (ce->flags & CE_MAN_QUERY_PROXY)
266 {
267 management_event_loop_n_seconds(management, 1);
268 if (IS_SIG(c))
269 {
270 ret = false;
271 break;
272 }
273 }
274 management->persist.special_state_msg = NULL;
275 gc_free(&gc);
276 }
277
278 return ret;
279}
280
295static bool
296management_callback_send_cc_message(void *arg, const char *command, const char *parameters)
297{
298 struct context *c = (struct context *)arg;
299 size_t len = strlen(command) + 1 + strlen(parameters) + 1;
300 if (len > PUSH_BUNDLE_SIZE)
301 {
302 return false;
303 }
304
305 struct gc_arena gc = gc_new();
306 struct buffer buf = alloc_buf_gc(len, &gc);
307 ASSERT(buf_printf(&buf, "%s", command));
308 if (parameters)
309 {
310 ASSERT(buf_printf(&buf, ",%s", parameters));
311 }
312 bool status = send_control_channel_string(c, BSTR(&buf), D_PUSH);
313
314 gc_free(&gc);
315 return status;
316}
317
318static unsigned int
319management_callback_remote_entry_count(void *arg)
320{
321 ASSERT(arg);
322 struct context *c = (struct context *)arg;
323 struct connection_list *l = c->options.connection_list;
324
325 return l->len;
326}
327
328static bool
329management_callback_remote_entry_get(void *arg, unsigned int index, char **remote)
330{
331 ASSERT(arg);
332 ASSERT(remote);
333
334 struct context *c = (struct context *)arg;
335 struct connection_list *l = c->options.connection_list;
336 bool ret = true;
337
338 if (index < l->len)
339 {
340 struct connection_entry *ce = l->array[index];
341 const char *proto = proto2ascii(ce->proto, ce->af, false);
342 const char *status = (ce->flags & CE_DISABLED) ? "disabled" : "enabled";
343
344 /* space for output including 3 commas and a nul */
345 size_t len =
346 strlen(ce->remote) + strlen(ce->remote_port) + strlen(proto) + strlen(status) + 3 + 1;
347 char *out = malloc(len);
348 check_malloc_return(out);
349
350 snprintf(out, len, "%s,%s,%s,%s", ce->remote, ce->remote_port, proto, status);
351 *remote = out;
352 }
353 else
354 {
355 ret = false;
356 msg(M_WARN, "Out of bounds index in management query for remote entry: index = %u", index);
357 }
358
359 return ret;
360}
361
362static bool
363management_callback_remote_cmd(void *arg, const char **p)
364{
365 struct context *c = (struct context *)arg;
366 struct connection_entry *ce = &c->options.ce;
367 int ret = false;
368 if (p[1]
369 && ((ce->flags >> CE_MAN_QUERY_REMOTE_SHIFT) & CE_MAN_QUERY_REMOTE_MASK)
370 == CE_MAN_QUERY_REMOTE_QUERY)
371 {
372 unsigned int flags = 0;
373 if (!strcmp(p[1], "ACCEPT"))
374 {
375 flags = CE_MAN_QUERY_REMOTE_ACCEPT;
376 ret = true;
377 }
378 else if (!strcmp(p[1], "SKIP"))
379 {
380 flags = CE_MAN_QUERY_REMOTE_SKIP;
381 ret = true;
382 c->options.ce_advance_count = (p[2]) ? atoi(p[2]) : 1;
383 }
384 else if (!strcmp(p[1], "MOD") && p[2] && p[3])
385 {
386 if (strlen(p[2]) < RH_HOST_LEN && strlen(p[3]) < RH_PORT_LEN)
387 {
388 struct remote_host_store *rhs = c->options.rh_store;
389 if (!rhs)
390 {
391 ALLOC_OBJ_CLEAR_GC(rhs, struct remote_host_store, &c->options.gc);
392 c->options.rh_store = rhs;
393 }
394 strncpynt(rhs->host, p[2], RH_HOST_LEN);
395 strncpynt(rhs->port, p[3], RH_PORT_LEN);
396
397 ce->remote = rhs->host;
398 ce->remote_port = rhs->port;
399 flags = CE_MAN_QUERY_REMOTE_MOD;
400 ret = true;
401 }
402 }
403 if (ret)
404 {
405 ce->flags &= ~(CE_MAN_QUERY_REMOTE_MASK << CE_MAN_QUERY_REMOTE_SHIFT);
406 ce->flags |= ((flags & CE_MAN_QUERY_REMOTE_MASK) << CE_MAN_QUERY_REMOTE_SHIFT);
407 }
408 }
409 return ret;
410}
411
412static bool
413ce_management_query_remote(struct context *c)
414{
415 struct gc_arena gc = gc_new();
416 volatile struct connection_entry *ce = &c->options.ce;
417 int ce_changed = true; /* presume the connection entry will be changed */
418
419 update_time();
420 if (management)
421 {
422 struct buffer out = alloc_buf_gc(256, &gc);
423
424 buf_printf(&out, ">REMOTE:%s,%s,%s", np(ce->remote), ce->remote_port,
425 proto2ascii(ce->proto, ce->af, false));
426 management_notify_generic(management, BSTR(&out));
427 management->persist.special_state_msg = BSTR(&out);
428
429 ce->flags &= ~(CE_MAN_QUERY_REMOTE_MASK << CE_MAN_QUERY_REMOTE_SHIFT);
430 ce->flags |= (CE_MAN_QUERY_REMOTE_QUERY << CE_MAN_QUERY_REMOTE_SHIFT);
431 while (((ce->flags >> CE_MAN_QUERY_REMOTE_SHIFT) & CE_MAN_QUERY_REMOTE_MASK)
432 == CE_MAN_QUERY_REMOTE_QUERY)
433 {
434 management_event_loop_n_seconds(management, 1);
435 if (IS_SIG(c))
436 {
437 ce_changed = false; /* connection entry have not been set */
438 break;
439 }
440 }
441 management->persist.special_state_msg = NULL;
442 }
443 gc_free(&gc);
444
445 if (ce_changed)
446 {
447 /* If it is likely a connection entry was modified,
448 * check what changed in the flags and that it was not skipped
449 */
450 const int flags = ((ce->flags >> CE_MAN_QUERY_REMOTE_SHIFT) & CE_MAN_QUERY_REMOTE_MASK);
451 ce_changed = (flags != CE_MAN_QUERY_REMOTE_SKIP);
452 }
453 return ce_changed;
454}
455#endif /* ENABLE_MANAGEMENT */
456
457#if defined(__GNUC__) || defined(__clang__)
458#pragma GCC diagnostic push
459#pragma GCC diagnostic ignored "-Wconversion"
460#endif
461
462/*
463 * Initialize and possibly randomize the connection list.
464 *
465 * Applies the Fisher-Yates shuffle algorithm to ensure all permutations
466 * are equally probable, thereby eliminating shuffling bias.
467 *
468 * The algorithm randomly selects an element from the unshuffled portion
469 * and places it at position i. There's only one way to obtain each
470 * permutation through these swaps. This guarantees that each permutation
471 * occurs with equal probability in theory.
472 */
473static void
474init_connection_list(struct context *c)
475{
476 struct connection_list *l = c->options.connection_list;
477
478 l->current = -1;
479 if (c->options.remote_random)
480 {
481 int i;
482 for (i = l->len - 1; i > 0; --i)
483 {
484 const int j = get_random() % (i + 1);
485 if (i != j)
486 {
487 struct connection_entry *tmp;
488 tmp = l->array[i];
489 l->array[i] = l->array[j];
490 l->array[j] = tmp;
491 }
492 }
493 }
494}
495
496/*
497 * Clear the remote address list
498 */
499static void
500clear_remote_addrlist(struct link_socket_addr *lsa, bool free)
501{
502 if (lsa->remote_list && free)
503 {
504 freeaddrinfo(lsa->remote_list);
505 }
506 lsa->remote_list = NULL;
507 lsa->current_remote = NULL;
508}
509
510/*
511 * Increment to next connection entry
512 */
513static void
514next_connection_entry(struct context *c)
515{
516 struct connection_list *l = c->options.connection_list;
517 bool ce_defined;
518 struct connection_entry *ce;
519 int n_cycles = 0;
520
521 do
522 {
523 ce_defined = true;
524 if (c->options.no_advance && l->current >= 0)
525 {
526 c->options.no_advance = false;
527 }
528 else
529 {
530 /* Check if there is another resolved address to try for
531 * the current connection */
532 if (c->c1.link_socket_addrs[0].current_remote
533 && c->c1.link_socket_addrs[0].current_remote->ai_next
534 && !c->options.advance_next_remote)
535 {
536 c->c1.link_socket_addrs[0].current_remote =
537 c->c1.link_socket_addrs[0].current_remote->ai_next;
538 }
539 else
540 {
541 c->options.advance_next_remote = false;
542 /* FIXME (schwabe) fix the persist-remote-ip option for real,
543 * this is broken probably ever since connection lists and multiple
544 * remote existed
545 */
546 if (!c->options.persist_remote_ip)
547 {
548 /* Connection entry addrinfo objects might have been
549 * resolved earlier but the entry itself might have been
550 * skipped by management on the previous loop.
551 * If so, clear the addrinfo objects as close_instance does
552 */
553 if (c->c1.link_socket_addrs[0].remote_list)
554 {
555 clear_remote_addrlist(&c->c1.link_socket_addrs[0],
556 !c->options.resolve_in_advance);
557 }
558
559 /* close_instance should have cleared the addrinfo objects */
560 ASSERT(c->c1.link_socket_addrs[0].current_remote == NULL);
561 ASSERT(c->c1.link_socket_addrs[0].remote_list == NULL);
562 }
563 else
564 {
565 c->c1.link_socket_addrs[0].current_remote =
566 c->c1.link_socket_addrs[0].remote_list;
567 }
568
569 int advance_count = 1;
570
571 /* If previous connection entry was skipped by management client
572 * with a count to advance by, apply it.
573 */
574 if (c->options.ce_advance_count > 0)
575 {
576 advance_count = c->options.ce_advance_count;
577 }
578
579 /*
580 * Increase the number of connection attempts
581 * If this is connect-retry-max * size(l)
582 * OpenVPN will quit
583 */
584
585 c->options.unsuccessful_attempts += advance_count;
586 l->current += advance_count;
587
588 if (l->current >= l->len)
589 {
590 l->current %= l->len;
591 if (++n_cycles >= 2)
592 {
593 msg(M_FATAL, "No usable connection profiles are present");
594 }
595 }
596 }
597 }
598
599 c->options.ce_advance_count = 1;
600 ce = l->array[l->current];
601
602 if (ce->flags & CE_DISABLED)
603 {
604 ce_defined = false;
605 }
606
607 c->options.ce = *ce;
608
609#ifdef ENABLE_MANAGEMENT
610 if (ce_defined && management && management_query_remote_enabled(management))
611 {
612 /* allow management interface to override connection entry details */
613 ce_defined = ce_management_query_remote(c);
614 if (IS_SIG(c))
615 {
616 break;
617 }
618 }
619 else if (ce_defined && management && management_query_proxy_enabled(management))
620 {
621 ce_defined = ce_management_query_proxy(c);
622 if (IS_SIG(c))
623 {
624 break;
625 }
626 }
627#endif
628 } while (!ce_defined);
629
630 /* Check if this connection attempt would bring us over the limit */
631 if (c->options.connect_retry_max > 0
632 && c->options.unsuccessful_attempts > (l->len * c->options.connect_retry_max))
633 {
634 msg(M_FATAL, "All connections have been connect-retry-max (%d) times unsuccessful, exiting",
635 c->options.connect_retry_max);
636 }
637 update_options_ce_post(&c->options);
638}
639
640/*
641 * Query for private key and auth-user-pass username/passwords
642 */
643void
644init_query_passwords(const struct context *c)
645{
646 /* Certificate password input */
647 if (c->options.key_pass_file)
648 {
649 pem_password_setup(c->options.key_pass_file);
650 }
651
652 /* Auth user/pass input */
653 if (c->options.auth_user_pass_file)
654 {
655 enable_auth_user_pass();
656#ifdef ENABLE_MANAGEMENT
657 auth_user_pass_setup(c->options.auth_user_pass_file, c->options.auth_user_pass_file_inline,
658 &c->options.sc_info);
659#else
660 auth_user_pass_setup(c->options.auth_user_pass_file, c->options.auth_user_pass_file_inline,
661 NULL);
662#endif
663 }
664}
665
666/*
667 * Initialize/Uninitialize HTTP or SOCKS proxy
668 */
669
670static void
671uninit_proxy_dowork(struct context *c)
672{
673 if (c->c1.http_proxy_owned && c->c1.http_proxy)
674 {
675 http_proxy_close(c->c1.http_proxy);
676 c->c1.http_proxy = NULL;
677 c->c1.http_proxy_owned = false;
678 }
679 if (c->c1.socks_proxy_owned && c->c1.socks_proxy)
680 {
681 socks_proxy_close(c->c1.socks_proxy);
682 c->c1.socks_proxy = NULL;
683 c->c1.socks_proxy_owned = false;
684 }
685}
686
687static void
688init_proxy_dowork(struct context *c)
689{
690 bool did_http = false;
691
692 uninit_proxy_dowork(c);
693
694 if (c->options.ce.http_proxy_options)
695 {
696 c->options.ce.http_proxy_options->first_time = c->first_time;
697
698 /* Possible HTTP proxy user/pass input */
699 c->c1.http_proxy = http_proxy_new(c->options.ce.http_proxy_options);
700 if (c->c1.http_proxy)
701 {
702 did_http = true;
703 c->c1.http_proxy_owned = true;
704 }
705 }
706
707 if (!did_http && c->options.ce.socks_proxy_server)
708 {
709 c->c1.socks_proxy =
710 socks_proxy_new(c->options.ce.socks_proxy_server, c->options.ce.socks_proxy_port,
711 c->options.ce.socks_proxy_authfile);
712 if (c->c1.socks_proxy)
713 {
714 c->c1.socks_proxy_owned = true;
715 }
716 }
717}
718
719static void
720init_proxy(struct context *c)
721{
722 init_proxy_dowork(c);
723}
724
725static void
726uninit_proxy(struct context *c)
727{
728 uninit_proxy_dowork(c);
729}
730
731static void
737
738void
739context_init_1(struct context *c)
740{
741 context_clear_1(c);
742
743 packet_id_persist_init(&c->c1.pid_persist);
744
745 init_connection_list(c);
746
747 c->c1.link_sockets_num = c->options.ce.local_list->len;
748
749 do_link_socket_addr_new(c);
750
751#if defined(ENABLE_PKCS11)
752 if (c->first_time)
753 {
754 int i;
755 pkcs11_initialize(true, c->options.pkcs11_pin_cache_period);
756 for (i = 0; i < MAX_PARMS && c->options.pkcs11_providers[i] != NULL; i++)
757 {
758 pkcs11_addProvider(
759 c->options.pkcs11_providers[i], c->options.pkcs11_protected_authentication[i],
760 c->options.pkcs11_private_mode[i], c->options.pkcs11_cert_private[i]);
761 }
762 }
763#endif
764
765#if 0 /* test get_user_pass with GET_USER_PASS_NEED_OK flag */
766 {
767 /*
768 * In the management interface, you can okay the request by entering "needok token-insertion-request ok"
769 */
770 struct user_pass up;
771 CLEAR(up);
772 strcpy(up.username, "Please insert your cryptographic token"); /* put the high-level message in up.username */
773 get_user_pass(&up, NULL, "token-insertion-request", GET_USER_PASS_MANAGEMENT|GET_USER_PASS_NEED_OK);
774 msg(M_INFO, "RET:%s", up.password); /* will return the third argument to management interface
775 * 'needok' command, usually 'ok' or 'cancel'. */
776 }
777#endif
778
779#ifdef ENABLE_SYSTEMD
780 /* We can report the PID via getpid() to systemd here as OpenVPN will not
781 * do any fork due to daemon() a future call.
782 * See possibly_become_daemon() [init.c] for more details.
783 */
784 sd_notifyf(0, "READY=1\nSTATUS=Pre-connection initialization successful\nMAINPID=%lu",
785 (unsigned long)getpid());
786#endif
787}
788
789void
790context_gc_free(struct context *c)
791{
792 gc_free(&c->c2.gc);
793 gc_free(&c->options.gc);
794 gc_free(&c->gc);
795}
796
797#if PORT_SHARE
798
799static void
800close_port_share(void)
801{
802 if (port_share)
803 {
804 port_share_close(port_share);
805 port_share = NULL;
806 }
807}
808
809static void
810init_port_share(struct context *c)
811{
812 if (!port_share && (c->options.port_share_host && c->options.port_share_port))
813 {
814 port_share =
815 port_share_open(c->options.port_share_host, c->options.port_share_port,
816 c->c2.frame.buf.payload_size, c->options.port_share_journal_dir);
817 if (port_share == NULL)
818 {
819 msg(M_FATAL, "Fatal error: Port sharing failed");
820 }
821 }
822}
823
824#endif /* if PORT_SHARE */
825
826
827bool
828init_static(void)
829{
830#if defined(DMALLOC)
831 crypto_init_dmalloc();
832#endif
833
834
835 /*
836 * Initialize random number seed. random() is only used
837 * when "weak" random numbers are acceptable.
838 * SSL library routines are always used when cryptographically
839 * strong random numbers are required.
840 */
841 struct timeval tv;
842 if (!gettimeofday(&tv, NULL))
843 {
844 const unsigned int seed = (unsigned int)tv.tv_sec ^ tv.tv_usec;
845 srandom(seed);
846 }
847
848 error_reset(); /* initialize error.c */
849 reset_check_status(); /* initialize status check code in socket.c */
850
851#ifdef _WIN32
852 init_win32();
853#endif
854
855#ifdef OPENVPN_DEBUG_COMMAND_LINE
856 {
857 int i;
858 for (i = 0; i < argc; ++i)
859 {
860 msg(M_INFO, "argv[%d] = '%s'", i, argv[i]);
861 }
862 }
863#endif
864
865 update_time();
866
867 init_ssl_lib();
868
869#ifdef SCHEDULE_TEST
870 schedule_test();
871 return false;
872#endif
873
874#ifdef IFCONFIG_POOL_TEST
875 ifconfig_pool_test(0x0A010004, 0x0A0100FF);
876 return false;
877#endif
878
879#ifdef TIME_TEST
880 time_test();
881 return false;
882#endif
883
884#ifdef GEN_PATH_TEST
885 {
886 struct gc_arena gc = gc_new();
887 const char *fn = gen_path("foo", "bar", &gc);
888 printf("%s\n", fn);
889 gc_free(&gc);
890 }
891 return false;
892#endif
893
894#ifdef STATUS_PRINTF_TEST
895 {
896 struct gc_arena gc = gc_new();
897 const char *tmp_file = platform_create_temp_file("/tmp", "foo", &gc);
898 struct status_output *so = status_open(tmp_file, 0, -1, NULL, STATUS_OUTPUT_WRITE);
899 status_printf(so, "%s", "foo");
900 status_printf(so, "%s", "bar");
901 if (!status_close(so))
902 {
903 msg(M_WARN, "STATUS_PRINTF_TEST: %s: write error", tmp_file);
904 }
905 gc_free(&gc);
906 }
907 return false;
908#endif
909
910 return true;
911}
912
913void
914uninit_static(void)
915{
916 free_ssl_lib();
917
918#ifdef ENABLE_PKCS11
919 pkcs11_terminate();
920#endif
921
922#if PORT_SHARE
923 close_port_share();
924#endif
925
926#if defined(MEASURE_TLS_HANDSHAKE_STATS)
927 show_tls_performance_stats();
928#endif
929}
930
931void
932init_verb_mute(struct context *c, unsigned int flags)
933{
934 if (flags & IVM_LEVEL_1)
935 {
936 /* set verbosity and mute levels */
937 set_check_status(D_LINK_ERRORS, D_READ_WRITE);
938 set_debug_level(c->options.verbosity, SDL_CONSTRAIN);
939 set_mute_cutoff(c->options.mute);
940 }
941
942 /* special D_LOG_RW mode */
943 if (flags & IVM_LEVEL_2)
944 {
945 c->c2.log_rw = (check_debug_level(D_LOG_RW) && !check_debug_level(D_LOG_RW + 1));
946 }
947}
948
949/*
950 * Possibly set --dev based on --dev-node.
951 * For example, if --dev-node /tmp/foo/tun, and --dev undefined,
952 * set --dev to tun.
953 */
954void
955init_options_dev(struct options *options)
956{
957 if (!options->dev && options->dev_node)
958 {
959 /* POSIX basename() implementations may modify its arguments */
960 char *dev_node = string_alloc(options->dev_node, NULL);
961 options->dev = basename(dev_node);
962 }
963}
964
965bool
966print_openssl_info(const struct options *options)
967{
968 /*
969 * OpenSSL info print mode?
970 */
971 if (options->show_ciphers || options->show_digests || options->show_engines
972 || options->show_tls_ciphers || options->show_curves)
973 {
974 if (options->show_ciphers)
975 {
976 show_available_ciphers();
977 }
978 if (options->show_digests)
979 {
980 show_available_digests();
981 }
982 if (options->show_engines)
983 {
984 show_available_engines();
985 }
986 if (options->show_tls_ciphers)
987 {
988 show_available_tls_ciphers(options->cipher_list, options->cipher_list_tls13,
989 options->tls_cert_profile);
990 }
991 if (options->show_curves)
992 {
993 show_available_curves();
994 }
995 return true;
996 }
997 return false;
998}
999
1000/*
1001 * Static pre-shared key generation mode?
1002 */
1003bool
1004do_genkey(const struct options *options)
1005{
1006 /* should we disable paging? */
1007 if (options->mlock && (options->genkey))
1008 {
1009 platform_mlockall(true);
1010 }
1011
1012 /*
1013 * We do not want user to use --genkey with --secret. In the transistion
1014 * phase we for secret.
1015 */
1016 if (options->genkey && options->genkey_type != GENKEY_SECRET && options->shared_secret_file)
1017 {
1018 msg(M_USAGE, "Using --genkey type with --secret filename is "
1019 "not supported. Use --genkey type filename instead.");
1020 }
1021 if (options->genkey && options->genkey_type == GENKEY_SECRET)
1022 {
1023 int nbits_written;
1024 const char *genkey_filename = options->genkey_filename;
1025 if (options->shared_secret_file && options->genkey_filename)
1026 {
1027 msg(M_USAGE, "You must provide a filename to either --genkey "
1028 "or --secret, not both");
1029 }
1030
1031 /*
1032 * Copy filename from shared_secret_file to genkey_filename to support
1033 * the old --genkey --secret foo.file syntax.
1034 */
1035 if (options->shared_secret_file)
1036 {
1037 msg(M_WARN, "WARNING: Using --genkey --secret filename is "
1038 "DEPRECATED. Use --genkey secret filename instead.");
1039 genkey_filename = options->shared_secret_file;
1040 }
1041
1042 nbits_written = write_key_file(2, genkey_filename);
1043 if (nbits_written < 0)
1044 {
1045 msg(M_FATAL, "Failed to write key file");
1046 }
1047
1048 msg(D_GENKEY | M_NOPREFIX, "Randomly generated %d bit key written to %s", nbits_written,
1049 options->shared_secret_file);
1050 return true;
1051 }
1052 else if (options->genkey && options->genkey_type == GENKEY_TLS_CRYPTV2_SERVER)
1053 {
1054 tls_crypt_v2_write_server_key_file(options->genkey_filename);
1055 return true;
1056 }
1057 else if (options->genkey && options->genkey_type == GENKEY_TLS_CRYPTV2_CLIENT)
1058 {
1059 if (!options->tls_crypt_v2_file)
1060 {
1061 msg(M_USAGE,
1062 "--genkey tls-crypt-v2-client requires a server key to be set via --tls-crypt-v2 to create a client key");
1063 }
1064
1065 tls_crypt_v2_write_client_key_file(options->genkey_filename, options->genkey_extra_data,
1066 options->tls_crypt_v2_file,
1067 options->tls_crypt_v2_file_inline);
1068 return true;
1069 }
1070 else if (options->genkey && options->genkey_type == GENKEY_AUTH_TOKEN)
1071 {
1072 auth_token_write_server_key_file(options->genkey_filename);
1073 return true;
1074 }
1075 else
1076 {
1077 return false;
1078 }
1079}
1080
1081/*
1082 * Persistent TUN/TAP device management mode?
1083 */
1084bool
1085do_persist_tuntap(struct options *options, openvpn_net_ctx_t *ctx)
1086{
1087 if (!options->persist_config)
1088 {
1089 return false;
1090 }
1091
1092 /* sanity check on options for --mktun or --rmtun */
1093 notnull(options->dev, "TUN/TAP device (--dev)");
1094 if (options->ce.remote || options->ifconfig_local || options->ifconfig_remote_netmask
1095 || options->shared_secret_file || options->tls_server || options->tls_client)
1096 {
1097 msg(M_FATAL | M_OPTERR,
1098 "options --mktun or --rmtun should only be used together with --dev");
1099 }
1100
1101#if defined(ENABLE_DCO)
1102 if (dco_enabled(options))
1103 {
1104 /* creating a DCO interface via --mktun is not supported as it does not
1105 * make much sense. Since DCO is enabled by default, people may run into
1106 * this without knowing, therefore this case should be properly handled.
1107 *
1108 * Disable DCO if --mktun was provided and print a message to let
1109 * user know.
1110 */
1111 if (dev_type_enum(options->dev, options->dev_type) == DEV_TYPE_TUN)
1112 {
1113 msg(M_WARN, "Note: --mktun does not support DCO. Creating TUN interface.");
1114 }
1115
1116 options->disable_dco = true;
1117 }
1118#endif
1119
1120#ifdef ENABLE_FEATURE_TUN_PERSIST
1121 tuncfg(options->dev, options->dev_type, options->dev_node, options->persist_mode,
1122 options->username, options->groupname, &options->tuntap_options, ctx);
1123 if (options->persist_mode && options->lladdr)
1124 {
1125 set_lladdr(ctx, options->dev, options->lladdr, NULL);
1126 }
1127 return true;
1128#else /* ifdef ENABLE_FEATURE_TUN_PERSIST */
1129 msg(M_FATAL | M_OPTERR,
1130 "options --mktun and --rmtun are not available on your operating "
1131 "system. Please check 'man tun' (or 'tap'), whether your system "
1132 "supports using 'ifconfig %s create' / 'destroy' to create/remove "
1133 "persistent tunnel interfaces.",
1134 options->dev);
1135#endif
1136 return false;
1137}
1138
1139/*
1140 * Should we become a daemon?
1141 * Return true if we did it.
1142 */
1143bool
1144possibly_become_daemon(const struct options *options)
1145{
1146 bool ret = false;
1147
1148#ifdef ENABLE_SYSTEMD
1149 /* return without forking if we are running from systemd */
1150 if (sd_notify(0, "READY=0") > 0)
1151 {
1152 return ret;
1153 }
1154#endif
1155
1156 if (options->daemon)
1157 {
1158 /* Don't chdir immediately, but the end of the init sequence, if needed */
1159
1160#if defined(__APPLE__) && defined(__clang__)
1161#pragma clang diagnostic push
1162#pragma clang diagnostic ignored "-Wdeprecated-declarations"
1163#endif
1164 if (daemon(1, options->log) < 0)
1165 {
1166 msg(M_ERR, "daemon() failed or unsupported");
1167 }
1168#if defined(__APPLE__) && defined(__clang__)
1169#pragma clang diagnostic pop
1170#endif
1171 restore_signal_state();
1172 if (options->log)
1173 {
1174 set_std_files_to_null(true);
1175 }
1176
1177 ret = true;
1178 }
1179 return ret;
1180}
1181
1182/*
1183 * Actually do UID/GID downgrade, chroot and SELinux context switching, if requested.
1184 */
1185static void
1186do_uid_gid_chroot(struct context *c, bool no_delay)
1187{
1188 static const char why_not[] = "will be delayed because of --client, --pull, or --up-delay";
1189 struct context_0 *c0 = c->c0;
1190
1191 if (c0 && !c0->uid_gid_chroot_set)
1192 {
1193 /* chroot if requested */
1194 if (c->options.chroot_dir)
1195 {
1196 if (no_delay)
1197 {
1198 platform_chroot(c->options.chroot_dir);
1199 }
1200 else if (c->first_time)
1201 {
1202 msg(M_INFO, "NOTE: chroot %s", why_not);
1203 }
1204 }
1205
1206 /* set user and/or group if we want to setuid/setgid */
1207 if (c0->uid_gid_specified)
1208 {
1209 if (no_delay)
1210 {
1211 platform_user_group_set(&c0->platform_state_user, &c0->platform_state_group, c);
1212 }
1213 else if (c->first_time)
1214 {
1215 msg(M_INFO, "NOTE: UID/GID downgrade %s", why_not);
1216 }
1217 }
1218
1219#ifdef ENABLE_SELINUX
1220 /* Apply a SELinux context in order to restrict what OpenVPN can do
1221 * to _only_ what it is supposed to do after initialization is complete
1222 * (basically just network I/O operations). Doing it after chroot
1223 * requires /proc to be mounted in the chroot (which is annoying indeed
1224 * but doing it before requires more complex SELinux policies.
1225 */
1226 if (c->options.selinux_context)
1227 {
1228 if (no_delay)
1229 {
1230 if (-1 == setcon(c->options.selinux_context))
1231 {
1232 msg(M_ERR, "setcon to '%s' failed; is /proc accessible?",
1233 c->options.selinux_context);
1234 }
1235 else
1236 {
1237 msg(M_INFO, "setcon to '%s' succeeded", c->options.selinux_context);
1238 }
1239 }
1240 else if (c->first_time)
1241 {
1242 msg(M_INFO, "NOTE: setcon %s", why_not);
1243 }
1244 }
1245#endif
1246
1247 /* Privileges are going to be dropped by now (if requested), be sure
1248 * to prevent any future privilege dropping attempts from now on.
1249 */
1250 if (no_delay)
1251 {
1252 c0->uid_gid_chroot_set = true;
1253 }
1254 }
1255}
1256
1257/*
1258 * Return common name in a way that is formatted for
1259 * prepending to msg() output.
1260 */
1261const char *
1262format_common_name(struct context *c, struct gc_arena *gc)
1263{
1264 struct buffer out = alloc_buf_gc(256, gc);
1265 if (c->c2.tls_multi)
1266 {
1267 buf_printf(&out, "[%s] ", tls_common_name(c->c2.tls_multi, false));
1268 }
1269 return BSTR(&out);
1270}
1271
1272void
1273pre_setup(const struct options *options)
1274{
1275#ifdef _WIN32
1276 if (options->exit_event_name)
1277 {
1278 win32_signal_open(&win32_signal, WSO_FORCE_SERVICE, options->exit_event_name,
1279 options->exit_event_initial_state);
1280 }
1281 else
1282 {
1283 win32_signal_open(&win32_signal, WSO_FORCE_CONSOLE, NULL, false);
1284
1285 /* put a title on the top window bar */
1286 if (win32_signal.mode == WSO_MODE_CONSOLE)
1287 {
1288 window_title_save(&window_title);
1289 window_title_generate(options->config);
1290 }
1291 }
1292#endif /* ifdef _WIN32 */
1293}
1294
1295void
1296reset_coarse_timers(struct context *c)
1297{
1298 c->c2.coarse_timer_wakeup = 0;
1299}
1300
1301/*
1302 * Initialise the server poll timeout timer
1303 * This timer is used in the http/socks proxy setup so it needs to be setup
1304 * before
1305 */
1306static void
1307do_init_server_poll_timeout(struct context *c)
1308{
1309 update_time();
1310 if (c->options.ce.connect_timeout)
1311 {
1312 event_timeout_init(&c->c2.server_poll_interval, c->options.ce.connect_timeout, now);
1313 }
1314}
1315
1316/*
1317 * Initialize timers
1318 */
1319static void
1320do_init_timers(struct context *c, bool deferred)
1321{
1322 update_time();
1323 reset_coarse_timers(c);
1324
1325 /* initialize inactivity timeout */
1326 if (c->options.inactivity_timeout)
1327 {
1328 event_timeout_init(&c->c2.inactivity_interval, c->options.inactivity_timeout, now);
1329 }
1330
1331 /* initialize inactivity timeout */
1332 if (c->options.session_timeout)
1333 {
1334 event_timeout_init(&c->c2.session_interval, c->options.session_timeout, now);
1335 }
1336
1337 /* initialize pings */
1338 if (dco_enabled(&c->options))
1339 {
1340 /* The DCO kernel module will send the pings instead of user space */
1341 event_timeout_clear(&c->c2.ping_rec_interval);
1342 event_timeout_clear(&c->c2.ping_send_interval);
1343 }
1344 else
1345 {
1346 if (c->options.ping_send_timeout)
1347 {
1348 event_timeout_init(&c->c2.ping_send_interval, c->options.ping_send_timeout, 0);
1349 }
1350
1351 if (c->options.ping_rec_timeout)
1352 {
1353 event_timeout_init(&c->c2.ping_rec_interval, c->options.ping_rec_timeout, now);
1354 }
1355 }
1356
1357 /* If the auth-token renewal interval is shorter than reneg-sec, arm
1358 * "auth-token renewal" timer to send additional auth-token to update the
1359 * token on the client more often. If not, this happens automatically
1360 * at renegotiation time, without needing an extra event.
1361 */
1362 if (c->options.auth_token_generate
1363 && c->options.auth_token_renewal < c->options.renegotiate_seconds)
1364 {
1365 event_timeout_init(&c->c2.auth_token_renewal_interval, c->options.auth_token_renewal, now);
1366 }
1367
1368 if (!deferred)
1369 {
1370 /* initialize connection establishment timer */
1371 event_timeout_init(&c->c2.wait_for_connect, 1, now);
1372
1373 /* initialize occ timers */
1374
1375 if (c->options.occ && !TLS_MODE(c) && c->c2.options_string_local
1376 && c->c2.options_string_remote)
1377 {
1378 event_timeout_init(&c->c2.occ_interval, OCC_INTERVAL_SECONDS, now);
1379 }
1380
1381 if (c->options.mtu_test)
1382 {
1383 event_timeout_init(&c->c2.occ_mtu_load_test_interval, OCC_MTU_LOAD_INTERVAL_SECONDS,
1384 now);
1385 }
1386
1387 /* initialize packet_id persistence timer */
1388 if (c->options.packet_id_file)
1389 {
1390 event_timeout_init(&c->c2.packet_id_persist_interval, 60, now);
1391 }
1392
1393 /* initialize tmp_int optimization that limits the number of times we call
1394 * tls_multi_process in the main event loop */
1395 interval_init(&c->c2.tmp_int, TLS_MULTI_HORIZON, TLS_MULTI_REFRESH);
1396 }
1397}
1398
1399/*
1400 * Initialize traffic shaper.
1401 */
1402static void
1403do_init_traffic_shaper(struct context *c)
1404{
1405 /* initialize traffic shaper (i.e. transmit bandwidth limiter) */
1406 if (c->options.shaper)
1407 {
1408 shaper_init(&c->c2.shaper, c->options.shaper);
1409 shaper_msg(&c->c2.shaper);
1410 }
1411}
1412
1413/*
1414 * Allocate route list structures for IPv4 and IPv6
1415 * (we do this for IPv4 even if no --route option has been seen, as other
1416 * parts of OpenVPN might want to fill the route-list with info, e.g. DHCP)
1417 */
1418static void
1419do_alloc_route_list(struct context *c)
1420{
1421 if (!c->c1.route_list)
1422 {
1423 ALLOC_OBJ_CLEAR_GC(c->c1.route_list, struct route_list, &c->gc);
1424 }
1425 if (c->options.routes_ipv6 && !c->c1.route_ipv6_list)
1426 {
1427 ALLOC_OBJ_CLEAR_GC(c->c1.route_ipv6_list, struct route_ipv6_list, &c->gc);
1428 }
1429}
1430
1431
1432/*
1433 * Initialize the route list, resolving any DNS names in route
1434 * options and saving routes in the environment.
1435 */
1436static void
1437do_init_route_list(const struct options *options, struct route_list *route_list,
1438 const struct link_socket_info *link_socket_info, struct env_set *es,
1439 openvpn_net_ctx_t *ctx)
1440{
1441 const char *gw = NULL;
1442 int dev = dev_type_enum(options->dev, options->dev_type);
1443 int metric = 0;
1444
1445 /* if DCO is enabled we have both regular routes and iroutes in the system
1446 * routing table, and normal routes must have a higher metric for that to
1447 * work so that iroutes are always matched first
1448 */
1449 if (dco_enabled(options))
1450 {
1451 metric = DCO_DEFAULT_METRIC;
1452 }
1453
1454 if (dev == DEV_TYPE_TUN && (options->topology == TOP_NET30 || options->topology == TOP_P2P))
1455 {
1456 gw = options->ifconfig_remote_netmask;
1457 }
1458 if (options->route_default_gateway)
1459 {
1460 gw = options->route_default_gateway;
1461 }
1462 if (options->route_default_metric)
1463 {
1464 metric = options->route_default_metric;
1465 }
1466
1467 if (init_route_list(route_list, options->routes, gw, metric,
1468 link_socket_current_remote(link_socket_info), es, ctx))
1469 {
1470 /* copy routes to environment */
1471 setenv_routes(es, route_list);
1472 }
1473}
1474
1475static void
1476do_init_route_ipv6_list(const struct options *options, struct route_ipv6_list *route_ipv6_list,
1477 const struct link_socket_info *link_socket_info, struct env_set *es,
1478 openvpn_net_ctx_t *ctx)
1479{
1480 const char *gw = NULL;
1481 int metric = -1; /* no metric set */
1482
1483 /* see explanation in do_init_route_list() */
1484 if (dco_enabled(options))
1485 {
1486 metric = DCO_DEFAULT_METRIC;
1487 }
1488
1489 gw = options->ifconfig_ipv6_remote; /* default GW = remote end */
1490 if (options->route_ipv6_default_gateway)
1491 {
1492 gw = options->route_ipv6_default_gateway;
1493 }
1494
1495 if (options->route_default_metric)
1496 {
1497 metric = options->route_default_metric;
1498 }
1499
1500 /* redirect (IPv6) gateway to VPN? if yes, add a few more specifics
1501 */
1502 if (options->routes_ipv6->flags & RG_REROUTE_GW && options->ifconfig_ipv6_local)
1503 {
1504 char *opt_list[] = { "::/3", "2000::/4", "3000::/4", "fc00::/7", NULL };
1505 int i;
1506
1507 for (i = 0; opt_list[i]; i++)
1508 {
1509 add_route_ipv6_to_option_list(options->routes_ipv6,
1510 string_alloc(opt_list[i], options->routes_ipv6->gc), NULL,
1511 NULL, options->route_default_table_id);
1512 }
1513 }
1514
1515 if (init_route_ipv6_list(route_ipv6_list, options->routes_ipv6, gw, metric,
1516 link_socket_current_remote_ipv6(link_socket_info), es, ctx))
1517 {
1518 /* copy routes to environment */
1519 setenv_routes_ipv6(es, route_ipv6_list);
1520 }
1521}
1522
1523
1524/*
1525 * Called after all initialization has been completed.
1526 */
1527void
1528initialization_sequence_completed(struct context *c, const unsigned int flags)
1529{
1530 static const char message[] = "Initialization Sequence Completed";
1531
1532 /* Reset the unsuccessful connection counter on complete initialisation */
1533 c->options.unsuccessful_attempts = 0;
1534
1535 /* If we delayed UID/GID downgrade or chroot, do it now */
1536 do_uid_gid_chroot(c, true);
1537
1538 /* Test if errors */
1539 if (flags & ISC_ERRORS)
1540 {
1541#ifdef _WIN32
1542 show_routes(M_INFO | M_NOPREFIX);
1543 show_adapters(M_INFO | M_NOPREFIX);
1544 msg(M_INFO, "%s With Errors ( see http://openvpn.net/faq.html#dhcpclientserv )", message);
1545#else
1546#ifdef ENABLE_SYSTEMD
1547 sd_notifyf(0, "STATUS=Failed to start up: %s With Errors\nERRNO=1", message);
1548#endif /* HAVE_SYSTEMD_SD_DAEMON_H */
1549 msg(M_INFO, "%s With Errors", message);
1550#endif
1551 }
1552 else
1553 {
1554#ifdef ENABLE_SYSTEMD
1555 sd_notifyf(0, "STATUS=%s", message);
1556#endif
1557 msg(M_INFO, "%s", message);
1558 }
1559
1560 /* Flag that we initialized */
1561 if ((flags & (ISC_ERRORS | ISC_SERVER)) == 0)
1562 {
1563 c->options.no_advance = true;
1564 }
1565
1566#ifdef _WIN32
1567 fork_register_dns_action(c->c1.tuntap);
1568#endif
1569
1570#ifdef ENABLE_MANAGEMENT
1571 /* Tell management interface that we initialized */
1572 if (management)
1573 {
1574 in_addr_t *tun_local = NULL;
1575 struct in6_addr *tun_local6 = NULL;
1576 struct openvpn_sockaddr local, remote;
1577 struct link_socket_actual *actual;
1578 socklen_t sa_len = sizeof(local);
1579 const char *detail = "SUCCESS";
1580 if (flags & ISC_ERRORS)
1581 {
1582 detail = "ERROR";
1583 }
1584 /* Flag route error only on platforms where trivial "already exists" errors
1585 * are filtered out. Currently this is the case on Windows or if usng netlink.
1586 */
1587#if defined(_WIN32) || defined(ENABLE_SITNL)
1588 else if (flags & ISC_ROUTE_ERRORS)
1589 {
1590 detail = "ROUTE_ERROR";
1591 }
1592#endif
1593
1594 CLEAR(local);
1595 actual = &get_link_socket_info(c)->lsa->actual;
1596 remote = actual->dest;
1597 getsockname(c->c2.link_sockets[0]->sd, &local.addr.sa, &sa_len);
1598#if ENABLE_IP_PKTINFO
1599 if (!addr_defined(&local))
1600 {
1601 switch (local.addr.sa.sa_family)
1602 {
1603 case AF_INET:
1604#if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST)
1605 local.addr.in4.sin_addr = actual->pi.in4.ipi_spec_dst;
1606#else
1607 local.addr.in4.sin_addr = actual->pi.in4;
1608#endif
1609 break;
1610
1611 case AF_INET6:
1612 local.addr.in6.sin6_addr = actual->pi.in6.ipi6_addr;
1613 break;
1614 }
1615 }
1616#endif
1617
1618 if (c->c1.tuntap)
1619 {
1620 tun_local = &c->c1.tuntap->local;
1621 tun_local6 = &c->c1.tuntap->local_ipv6;
1622 }
1623 management_set_state(management, OPENVPN_STATE_CONNECTED, detail, tun_local, tun_local6,
1624 &local, &remote);
1625 if (tun_local)
1626 {
1627 management_post_tunnel_open(management, *tun_local);
1628 }
1629 }
1630#endif /* ifdef ENABLE_MANAGEMENT */
1631}
1632
1637static bool
1638route_noexec_enabled(const struct options *o, const struct tuntap *tt)
1639{
1640 return o->route_noexec || (tt && tt->backend_driver == DRIVER_AFUNIX)
1641 || (tt && tt->backend_driver == DRIVER_NULL);
1642}
1643
1644/*
1645 * Possibly add routes and/or call route-up script
1646 * based on options.
1647 */
1648bool
1649do_route(const struct options *options, struct route_list *route_list,
1650 struct route_ipv6_list *route_ipv6_list, const struct tuntap *tt,
1651 const struct plugin_list *plugins, struct env_set *es, openvpn_net_ctx_t *ctx)
1652{
1653 bool ret = true;
1654 if (!route_noexec_enabled(options, tt) && (route_list || route_ipv6_list))
1655 {
1656 ret = add_routes(route_list, route_ipv6_list, tt, ROUTE_OPTION_FLAGS(options), es, ctx);
1657 setenv_int(es, "redirect_gateway", route_did_redirect_default_gateway(route_list));
1658 }
1659#ifdef ENABLE_MANAGEMENT
1660 if (management)
1661 {
1662 management_up_down(management, "UP", es);
1663 }
1664#endif
1665
1666 if (plugin_defined(plugins, OPENVPN_PLUGIN_ROUTE_UP))
1667 {
1668 if (plugin_call(plugins, OPENVPN_PLUGIN_ROUTE_UP, NULL, NULL, es)
1669 != OPENVPN_PLUGIN_FUNC_SUCCESS)
1670 {
1671 msg(M_WARN, "WARNING: route-up plugin call failed");
1672 }
1673 }
1674
1675 if (options->route_script)
1676 {
1677 struct argv argv = argv_new();
1678 setenv_str(es, "script_type", "route-up");
1679 argv_parse_cmd(&argv, options->route_script);
1680 openvpn_run_script(&argv, es, 0, "--route-up");
1681 argv_free(&argv);
1682 }
1683
1684#ifdef _WIN32
1685 if (options->show_net_up)
1686 {
1687 show_routes(M_INFO | M_NOPREFIX);
1688 show_adapters(M_INFO | M_NOPREFIX);
1689 }
1690 else if (check_debug_level(D_SHOW_NET))
1691 {
1692 show_routes(D_SHOW_NET | M_NOPREFIX);
1693 show_adapters(D_SHOW_NET | M_NOPREFIX);
1694 }
1695#endif
1696 return ret;
1697}
1698
1699/*
1700 * initialize tun/tap device object
1701 */
1702static void
1703do_init_tun(struct context *c)
1704{
1705 c->c1.tuntap = init_tun(c->options.dev, c->options.dev_type, c->options.topology,
1706 c->options.ifconfig_local, c->options.ifconfig_remote_netmask,
1707 c->options.ifconfig_ipv6_local, c->options.ifconfig_ipv6_netbits,
1708 c->options.ifconfig_ipv6_remote, c->c1.link_socket_addrs[0].bind_local,
1709 c->c1.link_socket_addrs[0].remote_list, !c->options.ifconfig_nowarn,
1710 c->c2.es, &c->net_ctx, c->c1.tuntap);
1711
1712 if (is_tun_afunix(c->options.dev_node))
1713 {
1714 /* Using AF_UNIX trumps using DCO */
1715 c->c1.tuntap->backend_driver = DRIVER_AFUNIX;
1716 }
1717 else if (is_dev_type(c->options.dev, c->options.dev_type, "null"))
1718 {
1719 c->c1.tuntap->backend_driver = DRIVER_NULL;
1720 }
1721#ifdef _WIN32
1722 else
1723 {
1724 c->c1.tuntap->backend_driver = c->options.windows_driver;
1725 }
1726#else
1727 else if (dco_enabled(&c->options))
1728 {
1729 c->c1.tuntap->backend_driver = DRIVER_DCO;
1730 }
1731 else
1732 {
1733 c->c1.tuntap->backend_driver = DRIVER_GENERIC_TUNTAP;
1734 }
1735#endif
1736
1737 init_tun_post(c->c1.tuntap, &c->c2.frame, &c->options.tuntap_options);
1738
1739 c->c1.tuntap_owned = true;
1740}
1741
1742/*
1743 * Open tun/tap device, ifconfig, call up script, etc.
1744 */
1745
1746
1747static bool
1748can_preserve_tun(struct tuntap *tt)
1749{
1750 if (tt && tt->backend_driver == DRIVER_AFUNIX)
1751 {
1752 return false;
1753 }
1754#ifdef TARGET_ANDROID
1755 return false;
1756#else
1757 return is_tun_type_set(tt);
1758#endif
1759}
1760
1769static void
1770add_wfp_block(struct context *c)
1771{
1772#if defined(_WIN32)
1773 /* Fortify 'redirect-gateway block-local' with firewall rules? */
1774 bool block_local = block_local_needed(c->c1.route_list);
1775
1776 if (c->options.block_outside_dns || block_local)
1777 {
1778 BOOL dns_only = !block_local;
1779 if (!win_wfp_block(c->c1.tuntap->adapter_index, c->options.msg_channel, dns_only))
1780 {
1781 msg(M_FATAL, "WFP: initialization failed");
1782 }
1783 }
1784#endif
1785}
1786
1795static void
1796del_wfp_block(struct context *c, unsigned long adapter_index)
1797{
1798#if defined(_WIN32)
1799 if (c->options.block_outside_dns || block_local_needed(c->c1.route_list))
1800 {
1801 if (!win_wfp_uninit(adapter_index, c->options.msg_channel))
1802 {
1803 msg(M_FATAL, "WFP: deinitialization failed");
1804 }
1805 }
1806#endif
1807}
1808
1814static bool
1815ifconfig_noexec_enabled(const struct context *c)
1816{
1817 return c->options.ifconfig_noexec
1818 || (c->c1.tuntap && c->c1.tuntap->backend_driver == DRIVER_AFUNIX)
1819 || (c->c1.tuntap && c->c1.tuntap->backend_driver == DRIVER_NULL);
1820}
1821
1822static void
1823open_tun_backend(struct context *c)
1824{
1825 struct tuntap *tt = c->c1.tuntap;
1826
1827 if (tt->backend_driver == DRIVER_NULL)
1828 {
1829 open_tun_null(c->c1.tuntap);
1830 }
1831 else if (tt->backend_driver == DRIVER_AFUNIX)
1832 {
1833 open_tun_afunix(&c->options, c->c2.frame.tun_mtu, tt, c->c2.es);
1834 }
1835 else
1836 {
1837 open_tun(c->options.dev, c->options.dev_type, c->options.dev_node, tt, &c->net_ctx);
1838 }
1839 msg(M_INFO, "%s device [%s] opened", print_tun_backend_driver(tt->backend_driver),
1840 tt->actual_name);
1841}
1842
1843
1844static bool
1845do_open_tun(struct context *c, int *error_flags)
1846{
1847 struct gc_arena gc = gc_new();
1848 bool ret = false;
1849 *error_flags = 0;
1850
1851 if (!can_preserve_tun(c->c1.tuntap))
1852 {
1853#ifdef TARGET_ANDROID
1854 /* If we emulate persist-tun on android we still have to open a new tun and
1855 * then close the old */
1856 int oldtunfd = -1;
1857 if (c->c1.tuntap)
1858 {
1859 oldtunfd = c->c1.tuntap->fd;
1860 free(c->c1.tuntap);
1861 c->c1.tuntap = NULL;
1862 c->c1.tuntap_owned = false;
1863 }
1864#endif
1865
1866 /* initialize (but do not open) tun/tap object, this also sets
1867 * the backend driver type */
1868 do_init_tun(c);
1869
1870 /* inherit the dco context from the tuntap object */
1871 if (c->c2.tls_multi)
1872 {
1873 c->c2.tls_multi->dco = &c->c1.tuntap->dco;
1874 }
1875
1876#ifdef _WIN32
1877 /* store (hide) interactive service handle in tuntap_options */
1878 c->c1.tuntap->options.msg_channel = c->options.msg_channel;
1879 msg(D_ROUTE, "interactive service msg_channel=%" PRIuPTR, (intptr_t)c->options.msg_channel);
1880#endif
1881
1882 /* allocate route list structure */
1883 do_alloc_route_list(c);
1884
1885 /* parse and resolve the route option list */
1886 ASSERT(c->c2.link_sockets[0]);
1887 if (c->options.routes && c->c1.route_list)
1888 {
1889 do_init_route_list(&c->options, c->c1.route_list, &c->c2.link_sockets[0]->info,
1890 c->c2.es, &c->net_ctx);
1891 }
1892 if (c->options.routes_ipv6 && c->c1.route_ipv6_list)
1893 {
1894 do_init_route_ipv6_list(&c->options, c->c1.route_ipv6_list,
1895 &c->c2.link_sockets[0]->info, c->c2.es, &c->net_ctx);
1896 }
1897
1898 /* do ifconfig */
1899 if (!ifconfig_noexec_enabled(c) && ifconfig_order(c->c1.tuntap) == IFCONFIG_BEFORE_TUN_OPEN)
1900 {
1901 /* guess actual tun/tap unit number that will be returned
1902 * by open_tun */
1903 const char *guess =
1904 guess_tuntap_dev(c->options.dev, c->options.dev_type, c->options.dev_node, &gc);
1905 do_ifconfig(c->c1.tuntap, guess, c->c2.frame.tun_mtu, c->c2.es, &c->net_ctx);
1906 }
1907
1908 /* possibly add routes */
1909 if (route_order(c->c1.tuntap) == ROUTE_BEFORE_TUN)
1910 {
1911 /* Ignore route_delay, would cause ROUTE_BEFORE_TUN to be ignored */
1912 bool status = do_route(&c->options, c->c1.route_list, c->c1.route_ipv6_list,
1913 c->c1.tuntap, c->plugins, c->c2.es, &c->net_ctx);
1914 *error_flags |= (status ? 0 : ISC_ROUTE_ERRORS);
1915 }
1916#ifdef TARGET_ANDROID
1917 /* Store the old fd inside the fd so open_tun can use it */
1918 c->c1.tuntap->fd = oldtunfd;
1919#endif
1920
1921 if (dco_enabled(&c->options))
1922 {
1923 ovpn_dco_init(c);
1924 }
1925
1926 /* open the tun device */
1927 open_tun_backend(c);
1928
1929 /* set the hardware address */
1930 if (c->options.lladdr)
1931 {
1932 set_lladdr(&c->net_ctx, c->c1.tuntap->actual_name, c->options.lladdr, c->c2.es);
1933 }
1934
1935 /* do ifconfig */
1936 if (!ifconfig_noexec_enabled(c) && ifconfig_order(c->c1.tuntap) == IFCONFIG_AFTER_TUN_OPEN)
1937 {
1938 do_ifconfig(c->c1.tuntap, c->c1.tuntap->actual_name, c->c2.frame.tun_mtu, c->c2.es,
1939 &c->net_ctx);
1940 }
1941
1942 run_dns_up_down(true, &c->options, c->c1.tuntap, &c->persist.duri);
1943
1944 /* run the up script */
1945 run_up_down(c->options.up_script, c->plugins, OPENVPN_PLUGIN_UP, c->c1.tuntap->actual_name,
1946#ifdef _WIN32
1947 c->c1.tuntap->adapter_index,
1948#endif
1949 dev_type_string(c->options.dev, c->options.dev_type), c->c2.frame.tun_mtu,
1950 print_in_addr_t(c->c1.tuntap->local, IA_EMPTY_IF_UNDEF, &gc),
1951 print_in_addr_t(c->c1.tuntap->remote_netmask, IA_EMPTY_IF_UNDEF, &gc), "init",
1952 NULL, "up", c->c2.es);
1953
1954 add_wfp_block(c);
1955
1956 /* possibly add routes */
1957 if ((route_order(c->c1.tuntap) == ROUTE_AFTER_TUN) && (!c->options.route_delay_defined))
1958 {
1959 bool status = do_route(&c->options, c->c1.route_list, c->c1.route_ipv6_list,
1960 c->c1.tuntap, c->plugins, c->c2.es, &c->net_ctx);
1961 *error_flags |= (status ? 0 : ISC_ROUTE_ERRORS);
1962 }
1963
1964 ret = true;
1965 static_context = c;
1966 }
1967 else
1968 {
1969 msg(M_INFO, "Preserving previous TUN/TAP instance: %s", c->c1.tuntap->actual_name);
1970
1971 /* explicitly set the ifconfig_* env vars */
1972 do_ifconfig_setenv(c->c1.tuntap, c->c2.es);
1973
1974 run_dns_up_down(true, &c->options, c->c1.tuntap, &c->persist.duri);
1975
1976 /* run the up script if user specified --up-restart */
1977 if (c->options.up_restart)
1978 {
1979 run_up_down(c->options.up_script, c->plugins, OPENVPN_PLUGIN_UP,
1980 c->c1.tuntap->actual_name,
1981#ifdef _WIN32
1982 c->c1.tuntap->adapter_index,
1983#endif
1984 dev_type_string(c->options.dev, c->options.dev_type), c->c2.frame.tun_mtu,
1985 print_in_addr_t(c->c1.tuntap->local, IA_EMPTY_IF_UNDEF, &gc),
1986 print_in_addr_t(c->c1.tuntap->remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
1987 "restart", NULL, "up", c->c2.es);
1988 }
1989
1990 add_wfp_block(c);
1991 }
1992 gc_free(&gc);
1993 return ret;
1994}
1995
1996/*
1997 * Close TUN/TAP device
1998 */
1999
2000static void
2001do_close_tun_simple(struct context *c)
2002{
2003 msg(D_CLOSE, "Closing %s interface", print_tun_backend_driver(c->c1.tuntap->backend_driver));
2004
2005 if (c->c1.tuntap)
2006 {
2007 if (!ifconfig_noexec_enabled(c))
2008 {
2009 undo_ifconfig(c->c1.tuntap, &c->net_ctx);
2010 }
2011 if (c->c1.tuntap->backend_driver == DRIVER_AFUNIX)
2012 {
2013 close_tun_afunix(c->c1.tuntap);
2014 }
2015 else if (c->c1.tuntap->backend_driver == DRIVER_NULL)
2016 {
2017 free(c->c1.tuntap->actual_name);
2018 free(c->c1.tuntap);
2019 }
2020 else
2021 {
2022 close_tun(c->c1.tuntap, &c->net_ctx);
2023 }
2024 c->c1.tuntap = NULL;
2025 }
2026 c->c1.tuntap_owned = false;
2027 CLEAR(c->c1.pulled_options_digest_save);
2028}
2029
2030static void
2031do_close_tun(struct context *c, bool force)
2032{
2033 /* With dco-win we open tun handle in the very beginning.
2034 * In case when tun wasn't opened - like we haven't connected,
2035 * we still need to close tun handle
2036 */
2037 if (tuntap_is_dco_win(c->c1.tuntap) && !is_tun_type_set(c->c1.tuntap))
2038 {
2039 do_close_tun_simple(c);
2040 return;
2041 }
2042
2043 if (!c->c1.tuntap || !c->c1.tuntap_owned)
2044 {
2045 return;
2046 }
2047
2048 struct gc_arena gc = gc_new();
2049 const char *tuntap_actual = string_alloc(c->c1.tuntap->actual_name, &gc);
2050 const in_addr_t local = c->c1.tuntap->local;
2051 const in_addr_t remote_netmask = c->c1.tuntap->remote_netmask;
2052 unsigned long adapter_index = 0;
2053#ifdef _WIN32
2054 adapter_index = c->c1.tuntap->adapter_index;
2055#endif
2056
2057 run_dns_up_down(false, &c->options, c->c1.tuntap, &c->persist.duri);
2058
2059 if (force || !(c->sig->signal_received == SIGUSR1 && c->options.persist_tun))
2060 {
2061 static_context = NULL;
2062
2063#ifdef ENABLE_MANAGEMENT
2064 /* tell management layer we are about to close the TUN/TAP device */
2065 if (management)
2066 {
2067 management_pre_tunnel_close(management);
2068 management_up_down(management, "DOWN", c->c2.es);
2069 }
2070#endif
2071
2072 /* delete any routes we added */
2073 if (c->c1.route_list || c->c1.route_ipv6_list)
2074 {
2075 run_up_down(c->options.route_predown_script, c->plugins, OPENVPN_PLUGIN_ROUTE_PREDOWN,
2076 tuntap_actual,
2077#ifdef _WIN32
2078 adapter_index,
2079#endif
2080 NULL, c->c2.frame.tun_mtu, print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc),
2081 print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc), "init",
2082 signal_description(c->sig->signal_received, c->sig->signal_text),
2083 "route-pre-down", c->c2.es);
2084
2085 delete_routes(c->c1.route_list, c->c1.route_ipv6_list, c->c1.tuntap,
2086 ROUTE_OPTION_FLAGS(&c->options), c->c2.es, &c->net_ctx);
2087 }
2088
2089 /* actually close tun/tap device based on --down-pre flag */
2090 if (!c->options.down_pre)
2091 {
2092 do_close_tun_simple(c);
2093 }
2094
2095 /* Run the down script -- note that it will run at reduced
2096 * privilege if, for example, "--user" was used. */
2097 run_up_down(c->options.down_script, c->plugins, OPENVPN_PLUGIN_DOWN, tuntap_actual,
2098#ifdef _WIN32
2099 adapter_index,
2100#endif
2101 NULL, c->c2.frame.tun_mtu, print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc),
2102 print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc), "init",
2103 signal_description(c->sig->signal_received, c->sig->signal_text), "down",
2104 c->c2.es);
2105
2106 del_wfp_block(c, adapter_index);
2107
2108 /* actually close tun/tap device based on --down-pre flag */
2109 if (c->options.down_pre)
2110 {
2111 do_close_tun_simple(c);
2112 }
2113 }
2114 else
2115 {
2116 /* run the down script on this restart if --up-restart was specified */
2117 if (c->options.up_restart)
2118 {
2119 run_up_down(c->options.down_script, c->plugins, OPENVPN_PLUGIN_DOWN, tuntap_actual,
2120#ifdef _WIN32
2121 adapter_index,
2122#endif
2123 NULL, c->c2.frame.tun_mtu, print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc),
2124 print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc), "restart",
2125 signal_description(c->sig->signal_received, c->sig->signal_text), "down",
2126 c->c2.es);
2127 }
2128
2129 del_wfp_block(c, adapter_index);
2130 }
2131 gc_free(&gc);
2132}
2133
2134void
2135tun_abort(void)
2136{
2137 struct context *c = static_context;
2138 if (c)
2139 {
2140 static_context = NULL;
2141 do_close_tun(c, true);
2142 }
2143}
2144
2145/*
2146 * Handle delayed tun/tap interface bringup due to --up-delay or --pull
2147 */
2148
2153static bool
2154options_hash_changed_or_zero(const struct sha256_digest *a, const struct sha256_digest *b)
2155{
2156 const struct sha256_digest zero = { { 0 } };
2157 return memcmp(a, b, sizeof(struct sha256_digest))
2158 || !memcmp(a, &zero, sizeof(struct sha256_digest));
2159}
2160
2166static void
2167add_delim_if_non_empty(struct buffer *buf, const char *header)
2168{
2169 if (buf_len(buf) > strlen(header))
2170 {
2171 buf_printf(buf, ", ");
2172 }
2173}
2174
2175
2180static void
2181tls_print_deferred_options_results(struct context *c)
2182{
2183 struct options *o = &c->options;
2184
2185 struct buffer out;
2186 uint8_t line[1024] = { 0 };
2187 buf_set_write(&out, line, sizeof(line));
2188
2189
2190 if (cipher_kt_mode_aead(o->ciphername))
2191 {
2192 buf_printf(&out, "Data Channel: cipher '%s'", cipher_kt_name(o->ciphername));
2193 }
2194 else
2195 {
2196 buf_printf(&out, "Data Channel: cipher '%s', auth '%s'", cipher_kt_name(o->ciphername),
2197 md_kt_name(o->authname));
2198 }
2199
2200 if (o->use_peer_id)
2201 {
2202 buf_printf(&out, ", peer-id: %d", o->peer_id);
2203 }
2204
2205#ifdef USE_COMP
2206 if (c->c2.comp_context)
2207 {
2208 buf_printf(&out, ", compression: '%s'", c->c2.comp_context->alg.name);
2209 }
2210#endif
2211
2212 msg(D_HANDSHAKE, "%s", BSTR(&out));
2213
2214 buf_clear(&out);
2215
2216 const char *header = "Timers: ";
2217
2218 buf_printf(&out, "%s", header);
2219
2220 if (o->ping_send_timeout)
2221 {
2222 buf_printf(&out, "ping %d", o->ping_send_timeout);
2223 }
2224
2225 if (o->ping_rec_timeout_action != PING_UNDEF)
2226 {
2227 /* yes unidirectional ping is possible .... */
2228 add_delim_if_non_empty(&out, header);
2229
2230 if (o->ping_rec_timeout_action == PING_EXIT)
2231 {
2232 buf_printf(&out, "ping-exit %d", o->ping_rec_timeout);
2233 }
2234 else
2235 {
2236 buf_printf(&out, "ping-restart %d", o->ping_rec_timeout);
2237 }
2238 }
2239
2240 if (o->inactivity_timeout)
2241 {
2242 add_delim_if_non_empty(&out, header);
2243
2244 buf_printf(&out, "inactive %d", o->inactivity_timeout);
2245 if (o->inactivity_minimum_bytes)
2246 {
2247 buf_printf(&out, " %" PRIu64, o->inactivity_minimum_bytes);
2248 }
2249 }
2250
2251 if (o->session_timeout)
2252 {
2253 add_delim_if_non_empty(&out, header);
2254 buf_printf(&out, "session-timeout %d", o->session_timeout);
2255 }
2256
2257 if (buf_len(&out) > strlen(header))
2258 {
2259 msg(D_HANDSHAKE, "%s", BSTR(&out));
2260 }
2261
2262 buf_clear(&out);
2263 header = "Protocol options: ";
2264 buf_printf(&out, "%s", header);
2265
2266 if (c->options.ce.explicit_exit_notification)
2267 {
2268 buf_printf(&out, "explicit-exit-notify %d", c->options.ce.explicit_exit_notification);
2269 }
2270 if (c->options.imported_protocol_flags)
2271 {
2272 add_delim_if_non_empty(&out, header);
2273
2274 buf_printf(&out, "protocol-flags");
2275
2276 if (o->imported_protocol_flags & CO_USE_CC_EXIT_NOTIFY)
2277 {
2278 buf_printf(&out, " cc-exit");
2279 }
2280 if (o->imported_protocol_flags & CO_USE_TLS_KEY_MATERIAL_EXPORT)
2281 {
2282 buf_printf(&out, " tls-ekm");
2283 }
2284 if (o->imported_protocol_flags & CO_USE_DYNAMIC_TLS_CRYPT)
2285 {
2286 buf_printf(&out, " dyn-tls-crypt");
2287 }
2288 if (o->imported_protocol_flags & CO_EPOCH_DATA_KEY_FORMAT)
2289 {
2290 buf_printf(&out, " aead-epoch");
2291 }
2292 }
2293
2294 if (buf_len(&out) > strlen(header))
2295 {
2296 msg(D_HANDSHAKE, "%s", BSTR(&out));
2297 }
2298}
2299
2300
2308static bool
2309do_deferred_options_part2(struct context *c)
2310{
2311 struct frame *frame_fragment = NULL;
2312#ifdef ENABLE_FRAGMENT
2313 if (c->options.ce.fragment)
2314 {
2315 frame_fragment = &c->c2.frame_fragment;
2316 }
2317#endif
2318
2319 struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE];
2320 if (!tls_session_update_crypto_params(c->c2.tls_multi, session, &c->options, &c->c2.frame,
2321 frame_fragment, get_link_socket_info(c),
2322 &c->c1.tuntap->dco))
2323 {
2324 msg(D_TLS_ERRORS, "OPTIONS ERROR: failed to import crypto options");
2325 return false;
2326 }
2327
2328 return true;
2329}
2330
2331bool
2332do_up(struct context *c, bool pulled_options, unsigned int option_types_found)
2333{
2334 int error_flags = 0;
2335 if (!c->c2.do_up_ran)
2336 {
2337 reset_coarse_timers(c);
2338
2339 if (pulled_options)
2340 {
2341 if (!do_deferred_options(c, option_types_found, false))
2342 {
2343 msg(D_PUSH_ERRORS, "ERROR: Failed to apply push options");
2344 return false;
2345 }
2346 }
2347
2348 /* if --up-delay specified, open tun, do ifconfig, and run up script now */
2349 if (c->options.up_delay || PULL_DEFINED(&c->options))
2350 {
2351 c->c2.did_open_tun = do_open_tun(c, &error_flags);
2352 update_time();
2353
2354 /*
2355 * Was tun interface object persisted from previous restart iteration,
2356 * and if so did pulled options string change from previous iteration?
2357 */
2358 if (!c->c2.did_open_tun && PULL_DEFINED(&c->options) && c->c1.tuntap
2359 && options_hash_changed_or_zero(&c->c1.pulled_options_digest_save,
2360 &c->c2.pulled_options_digest))
2361 {
2362 /* if so, close tun, delete routes, then reinitialize tun and add routes */
2363 msg(M_INFO,
2364 "NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.");
2365
2366 bool tt_dco_win = tuntap_is_dco_win(c->c1.tuntap);
2367 do_close_tun(c, true);
2368
2369 if (tt_dco_win)
2370 {
2371 msg(M_NONFATAL, "dco-win doesn't yet support reopening TUN device");
2372 /* prevent link_socket_close() from closing handle with WinSock API */
2373 c->c2.link_sockets[0]->sd = SOCKET_UNDEFINED;
2374 return false;
2375 }
2376 else
2377 {
2378 management_sleep(1);
2379 c->c2.did_open_tun = do_open_tun(c, &error_flags);
2380 update_time();
2381 }
2382 }
2383 }
2384 }
2385
2386 /* This part needs to be run in p2p mode (without pull) when the client
2387 * reconnects to setup various things (like DCO and NCP cipher) that
2388 * might have changed from the previous connection.
2389 */
2390 if (!c->c2.do_up_ran
2391 || (c->c2.tls_multi && c->c2.tls_multi->multi_state == CAS_RECONNECT_PENDING))
2392 {
2393 if (c->mode == MODE_POINT_TO_POINT)
2394 {
2395 /* ovpn-dco requires adding the peer now, before any option can be set,
2396 * but *after* having parsed the pushed peer-id in do_deferred_options()
2397 */
2398 int ret = dco_p2p_add_new_peer(c);
2399 if (ret < 0)
2400 {
2401 msg(D_DCO, "Cannot add peer to DCO: %s (%d)", strerror(-ret), ret);
2402 return false;
2403 }
2404 }
2405
2406 /* do_deferred_options_part2() and do_deferred_p2p_ncp() *must* be
2407 * invoked after open_tun().
2408 * This is required by DCO because we must have created the interface
2409 * and added the peer before we can fiddle with the keys or any other
2410 * data channel per-peer setting.
2411 */
2412 if (pulled_options)
2413 {
2414 if (!do_deferred_options_part2(c))
2415 {
2416 return false;
2417 }
2418 }
2419 else
2420 {
2421 if (c->mode == MODE_POINT_TO_POINT)
2422 {
2423 if (!do_deferred_p2p_ncp(c))
2424 {
2425 msg(D_TLS_ERRORS, "ERROR: Failed to apply P2P negotiated protocol options");
2426 return false;
2427 }
2428 }
2429 }
2430
2431 if (c->c2.did_open_tun)
2432 {
2433 c->c1.pulled_options_digest_save = c->c2.pulled_options_digest;
2434
2435 /* if --route-delay was specified, start timer */
2436 if ((route_order(c->c1.tuntap) == ROUTE_AFTER_TUN) && c->options.route_delay_defined)
2437 {
2438 event_timeout_init(&c->c2.route_wakeup, c->options.route_delay, now);
2439 event_timeout_init(&c->c2.route_wakeup_expire,
2440 c->options.route_delay + c->options.route_delay_window, now);
2441 tun_standby_init(c->c1.tuntap);
2442 }
2443 else
2444 {
2445 /* client/p2p --route-delay undefined */
2446 initialization_sequence_completed(c, error_flags);
2447 }
2448 }
2449 else if (c->options.mode == MODE_POINT_TO_POINT)
2450 {
2451 /* client/p2p restart with --persist-tun */
2452 initialization_sequence_completed(c, error_flags);
2453 }
2454
2455 tls_print_deferred_options_results(c);
2456
2457 c->c2.do_up_ran = true;
2458 if (c->c2.tls_multi)
2459 {
2460 c->c2.tls_multi->multi_state = CAS_CONNECT_DONE;
2461 }
2462 }
2463 return true;
2464}
2465
2466bool
2467do_update(struct context *c, unsigned int option_types_found)
2468{
2469 /* Not necessary since to receive the update the openvpn
2470 * instance must be up and running but just in case
2471 */
2472 if (!c->c2.do_up_ran)
2473 {
2474 return false;
2475 }
2476
2477 bool tt_dco_win = tuntap_is_dco_win(c->c1.tuntap);
2478 if (tt_dco_win)
2479 {
2480 msg(M_NONFATAL, "dco-win doesn't yet support reopening TUN device");
2481 return false;
2482 }
2483
2484 if (!do_deferred_options(c, option_types_found, true))
2485 {
2486 msg(D_PUSH_ERRORS, "ERROR: Failed to apply push options");
2487 return false;
2488 }
2489
2490 do_close_tun(c, true);
2491
2492 management_sleep(1);
2493 int error_flags = 0;
2494 c->c2.did_open_tun = do_open_tun(c, &error_flags);
2495 update_time();
2496
2497 if (c->c2.did_open_tun)
2498 {
2499 /* if --route-delay was specified, start timer */
2500 if ((route_order(c->c1.tuntap) == ROUTE_AFTER_TUN) && c->options.route_delay_defined)
2501 {
2502 event_timeout_init(&c->c2.route_wakeup, c->options.route_delay, now);
2503 event_timeout_init(&c->c2.route_wakeup_expire,
2504 c->options.route_delay + c->options.route_delay_window, now);
2505 tun_standby_init(c->c1.tuntap);
2506 }
2507
2508 initialization_sequence_completed(c, error_flags);
2509 }
2510
2511 CLEAR(c->c1.pulled_options_digest_save);
2512
2513 return true;
2514}
2515
2516/*
2517 * These are the option categories which will be accepted by pull.
2518 */
2519unsigned int
2520pull_permission_mask(const struct context *c)
2521{
2522 unsigned int flags = OPT_P_UP | OPT_P_ROUTE_EXTRAS | OPT_P_SOCKBUF | OPT_P_SOCKFLAGS
2523 | OPT_P_SETENV | OPT_P_SHAPER | OPT_P_TIMER | OPT_P_COMP | OPT_P_PERSIST
2524 | OPT_P_MESSAGES | OPT_P_EXPLICIT_NOTIFY | OPT_P_ECHO | OPT_P_PULL_MODE
2525 | OPT_P_PEER_ID | OPT_P_NCP | OPT_P_PUSH_MTU;
2526
2527 if (!c->options.route_nopull)
2528 {
2529 flags |= (OPT_P_ROUTE | OPT_P_DHCPDNS);
2530 }
2531
2532 return flags;
2533}
2534
2535static bool
2536do_deferred_p2p_ncp(struct context *c)
2537{
2538 if (!c->c2.tls_multi)
2539 {
2540 return true;
2541 }
2542
2543 c->options.use_peer_id = c->c2.tls_multi->use_peer_id;
2544
2545 struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE];
2546
2547 const char *ncp_cipher =
2548 get_p2p_ncp_cipher(session, c->c2.tls_multi->peer_info, &c->options.gc);
2549
2550 if (ncp_cipher)
2551 {
2552 c->options.ciphername = ncp_cipher;
2553 }
2554 else if (!c->options.enable_ncp_fallback)
2555 {
2556 msg(D_TLS_ERRORS, "ERROR: failed to negotiate cipher with peer and "
2557 "--data-ciphers-fallback not enabled. No usable "
2558 "data channel cipher");
2559 return false;
2560 }
2561
2562 struct frame *frame_fragment = NULL;
2563#ifdef ENABLE_FRAGMENT
2564 if (c->options.ce.fragment)
2565 {
2566 frame_fragment = &c->c2.frame_fragment;
2567 }
2568#endif
2569
2570 if (!tls_session_update_crypto_params(c->c2.tls_multi, session, &c->options, &c->c2.frame,
2571 frame_fragment, get_link_socket_info(c),
2572 &c->c1.tuntap->dco))
2573 {
2574 msg(D_TLS_ERRORS, "ERROR: failed to set crypto cipher");
2575 return false;
2576 }
2577 return true;
2578}
2579
2580bool
2581do_deferred_options(struct context *c, const unsigned int found, const bool is_update)
2582{
2583 if (found & OPT_P_MESSAGES)
2584 {
2585 init_verb_mute(c, IVM_LEVEL_1 | IVM_LEVEL_2);
2586 msg(D_PUSH, "OPTIONS IMPORT: --verb and/or --mute level changed");
2587 }
2588 if (found & OPT_P_TIMER)
2589 {
2590 do_init_timers(c, true);
2591 msg(D_PUSH_DEBUG, "OPTIONS IMPORT: timers and/or timeouts modified");
2592 }
2593
2594 if (found & OPT_P_EXPLICIT_NOTIFY)
2595 {
2596 /* Client side, so just check the first link_socket */
2597 if (!proto_is_udp(c->c2.link_sockets[0]->info.proto)
2598 && c->options.ce.explicit_exit_notification)
2599 {
2600 msg(D_PUSH, "OPTIONS IMPORT: --explicit-exit-notify can only be used with --proto udp");
2601 c->options.ce.explicit_exit_notification = 0;
2602 }
2603 else
2604 {
2605 msg(D_PUSH_DEBUG, "OPTIONS IMPORT: explicit notify parm(s) modified");
2606 }
2607 }
2608
2609 if (found & OPT_P_COMP)
2610 {
2611 if (!check_compression_settings_valid(&c->options.comp, D_PUSH_ERRORS))
2612 {
2613 msg(D_PUSH_ERRORS, "OPTIONS ERROR: server pushed compression "
2614 "settings that are not allowed and will result "
2615 "in a non-working connection. "
2616 "See also allow-compression in the manual.");
2617 return false;
2618 }
2619#ifdef USE_COMP
2620 msg(D_PUSH_DEBUG, "OPTIONS IMPORT: compression parms modified");
2621 comp_uninit(c->c2.comp_context);
2622 c->c2.comp_context = comp_init(&c->options.comp);
2623#endif
2624 }
2625
2626 if (found & OPT_P_SHAPER)
2627 {
2628 msg(D_PUSH, "OPTIONS IMPORT: traffic shaper enabled");
2629 do_init_traffic_shaper(c);
2630 }
2631
2632 if (found & OPT_P_SOCKBUF)
2633 {
2634 msg(D_PUSH, "OPTIONS IMPORT: --sndbuf/--rcvbuf options modified");
2635
2636 for (int i = 0; i < c->c1.link_sockets_num; i++)
2637 {
2638 link_socket_update_buffer_sizes(c->c2.link_sockets[i], c->options.rcvbuf,
2639 c->options.sndbuf);
2640 }
2641 }
2642
2643 if (found & OPT_P_SOCKFLAGS)
2644 {
2645 msg(D_PUSH, "OPTIONS IMPORT: --socket-flags option modified");
2646 for (int i = 0; i < c->c1.link_sockets_num; i++)
2647 {
2648 link_socket_update_flags(c->c2.link_sockets[i], c->options.sockflags);
2649 }
2650 }
2651
2652 if (found & OPT_P_PERSIST)
2653 {
2654 msg(D_PUSH, "OPTIONS IMPORT: --persist options modified");
2655 }
2656 if (found & OPT_P_UP)
2657 {
2658 msg(D_PUSH, "OPTIONS IMPORT: --ifconfig/up options modified");
2659 }
2660 if (found & OPT_P_ROUTE)
2661 {
2662 msg(D_PUSH, "OPTIONS IMPORT: route options modified");
2663 }
2664 if (found & OPT_P_ROUTE_EXTRAS)
2665 {
2666 msg(D_PUSH, "OPTIONS IMPORT: route-related options modified");
2667 }
2668 if (found & OPT_P_DHCPDNS)
2669 {
2670 msg(D_PUSH, "OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified");
2671 }
2672 if (found & OPT_P_SETENV)
2673 {
2674 msg(D_PUSH, "OPTIONS IMPORT: environment modified");
2675 }
2676
2677 if (found & OPT_P_PEER_ID)
2678 {
2679 msg(D_PUSH_DEBUG, "OPTIONS IMPORT: peer-id set");
2680 c->c2.tls_multi->use_peer_id = true;
2681 c->c2.tls_multi->peer_id = c->options.peer_id;
2682 }
2683
2684 /* process (potentially) pushed options */
2685 if (c->options.pull)
2686 {
2687 /* On PUSH_UPDATE, NCP related flags are never updated, and so the code
2688 * would assume "no cipher pushed = NCP failed" - so, don't call it on
2689 * updates */
2690 if (!is_update && !check_pull_client_ncp(c, found))
2691 {
2692 return false;
2693 }
2694
2695 /* Check if pushed options are compatible with DCO, if enabled */
2696 if (dco_enabled(&c->options) && !dco_check_pull_options(D_PUSH_ERRORS, &c->options))
2697 {
2698 msg(D_PUSH_ERRORS, "OPTIONS ERROR: pushed options are incompatible "
2699 "with data channel offload. Use --disable-dco to connect to "
2700 "this server");
2701 return false;
2702 }
2703 }
2704
2705 /* Ensure that for epoch data format is only enabled if also data v2
2706 * is enabled */
2707 bool epoch_data = c->options.imported_protocol_flags & CO_EPOCH_DATA_KEY_FORMAT;
2708 bool datav2_enabled = c->options.use_peer_id && c->options.peer_id < MAX_PEER_ID;
2709
2710 if (epoch_data && !datav2_enabled)
2711 {
2712 msg(D_PUSH_ERRORS, "OPTIONS ERROR: Epoch key data format tag requires "
2713 "data v2 (peer-id) to be enabled.");
2714 return false;
2715 }
2716
2717
2718 if (found & OPT_P_PUSH_MTU)
2719 {
2720 /* MTU has changed, check that the pushed MTU is small enough to
2721 * be able to change it */
2722 msg(D_PUSH, "OPTIONS IMPORT: tun-mtu set to %d", c->options.ce.tun_mtu);
2723
2724 struct frame *frame = &c->c2.frame;
2725
2726 if (c->options.ce.tun_mtu > frame->tun_max_mtu)
2727 {
2728 msg(D_PUSH_ERRORS,
2729 "Server-pushed tun-mtu is too large, please add "
2730 "tun-mtu-max %d in the client configuration",
2731 c->options.ce.tun_mtu);
2732 }
2733 frame->tun_mtu = min_int(frame->tun_max_mtu, c->options.ce.tun_mtu);
2734 }
2735
2736 return true;
2737}
2738
2739/*
2740 * Possible hold on initialization, holdtime is the
2741 * time OpenVPN would wait without management
2742 */
2743static bool
2744do_hold(int holdtime)
2745{
2746#ifdef ENABLE_MANAGEMENT
2747 if (management)
2748 {
2749 /* block until management hold is released */
2750 if (management_hold(management, holdtime))
2751 {
2752 return true;
2753 }
2754 }
2755#endif
2756 return false;
2757}
2758
2759/*
2760 * Sleep before restart.
2761 */
2762static void
2763socket_restart_pause(struct context *c)
2764{
2765 int sec = 2;
2766 int backoff = 0;
2767
2768 switch (c->mode)
2769 {
2770 case CM_TOP:
2771 sec = 1;
2772 break;
2773
2774 case CM_CHILD_UDP:
2775 case CM_CHILD_TCP:
2776 sec = c->options.ce.connect_retry_seconds;
2777 break;
2778 }
2779
2780#ifdef ENABLE_DEBUG
2781 if (GREMLIN_CONNECTION_FLOOD_LEVEL(c->options.gremlin))
2782 {
2783 sec = 0;
2784 }
2785#endif
2786
2787 if (auth_retry_get() == AR_NOINTERACT)
2788 {
2789 sec = 10;
2790 }
2791
2792 /* Slow down reconnection after 5 retries per remote -- for TCP client or UDP tls-client only */
2793 if (c->mode == CM_CHILD_TCP || (c->options.ce.proto == PROTO_UDP && c->options.tls_client))
2794 {
2795 backoff = (c->options.unsuccessful_attempts / c->options.connection_list->len) - 4;
2796 if (backoff > 0)
2797 {
2798 /* sec is less than 2^16; we can left shift it by up to 15 bits without overflow */
2799 sec = max_int(sec, 1) << min_int(backoff, 15);
2800 }
2801 if (c->options.server_backoff_time)
2802 {
2803 sec = max_int(sec, c->options.server_backoff_time);
2804 c->options.server_backoff_time = 0;
2805 }
2806
2807 if (sec > c->options.ce.connect_retry_seconds_max)
2808 {
2809 sec = c->options.ce.connect_retry_seconds_max;
2810 }
2811 }
2812
2813 if (c->persist.restart_sleep_seconds > 0 && c->persist.restart_sleep_seconds > sec)
2814 {
2815 sec = c->persist.restart_sleep_seconds;
2816 }
2817 else if (c->persist.restart_sleep_seconds == -1)
2818 {
2819 sec = 0;
2820 }
2821 c->persist.restart_sleep_seconds = 0;
2822
2823 /* do management hold on context restart, i.e. second, third, fourth, etc. initialization */
2824 if (do_hold(sec))
2825 {
2826 sec = 0;
2827 }
2828
2829 if (sec)
2830 {
2831 msg(D_RESTART, "Restart pause, %d second(s)", sec);
2832 management_sleep(sec);
2833 }
2834}
2835
2836/*
2837 * Do a possible pause on context_2 initialization.
2838 */
2839static void
2840do_startup_pause(struct context *c)
2841{
2842 if (!c->first_time)
2843 {
2844 socket_restart_pause(c);
2845 }
2846 else
2847 {
2848 do_hold(0); /* do management hold on first context initialization */
2849 }
2850}
2851
2852static size_t
2853get_frame_mtu(struct context *c, const struct options *o)
2854{
2855 size_t mtu;
2856
2857 if (o->ce.link_mtu_defined)
2858 {
2859 ASSERT(o->ce.link_mtu_defined);
2860 /* if we have a link mtu defined we calculate what the old code
2861 * would have come up with as tun-mtu */
2862 size_t overhead = frame_calculate_protocol_header_size(&c->c1.ks.key_type, o, true);
2863 mtu = o->ce.link_mtu - overhead;
2864 }
2865 else
2866 {
2867 ASSERT(o->ce.tun_mtu_defined);
2868 mtu = o->ce.tun_mtu;
2869 }
2870
2871 if (mtu < TUN_MTU_MIN)
2872 {
2873 msg(M_WARN, "TUN MTU value (%zu) must be at least %d", mtu, TUN_MTU_MIN);
2874 frame_print(&c->c2.frame, M_FATAL, "MTU is too small");
2875 }
2876 return mtu;
2877}
2878
2879/*
2880 * Finalize MTU parameters based on command line or config file options.
2881 */
2882static void
2883frame_finalize_options(struct context *c, const struct options *o)
2884{
2885 if (!o)
2886 {
2887 o = &c->options;
2888 }
2889
2890 struct frame *frame = &c->c2.frame;
2891
2892 frame->tun_mtu = get_frame_mtu(c, o);
2893 frame->tun_max_mtu = o->ce.tun_mtu_max;
2894
2895 /* max mtu needs to be at least as large as the tun mtu */
2896 frame->tun_max_mtu = max_int(frame->tun_mtu, frame->tun_max_mtu);
2897
2898 /* We always allow at least 1600 MTU packets to be received in our buffer
2899 * space to allow server to push "baby giant" MTU sizes */
2900 frame->tun_max_mtu = max_int(TUN_MTU_MAX_MIN, frame->tun_max_mtu);
2901
2902 size_t payload_size = frame->tun_max_mtu;
2903
2904 /* we need to be also large enough to hold larger control channel packets
2905 * if configured */
2906 payload_size = max_int(payload_size, o->ce.tls_mtu);
2907
2908 /* The extra tun needs to be added to the payload size */
2909 if (o->ce.tun_mtu_defined)
2910 {
2911 payload_size += o->ce.tun_mtu_extra;
2912 }
2913
2914 /* Add 32 byte of extra space in the buffer to account for small errors
2915 * in the calculation */
2916 payload_size += 32;
2917
2918
2919 /* the space that is reserved before the payload to add extra headers to it
2920 * we always reserve the space for the worst case */
2921 size_t headroom = 0;
2922
2923 /* includes IV and packet ID */
2924 headroom += crypto_max_overhead();
2925
2926 /* peer id + opcode */
2927 headroom += 4;
2928
2929 /* socks proxy header */
2930 headroom += 10;
2931
2932 /* compression header and fragment header (part of the encrypted payload) */
2933 headroom += 1 + 1;
2934
2935 /* Round up headroom to the next multiple of 4 to ensure alignment */
2936 headroom = (headroom + 3) & ~3;
2937
2938 /* Add the headroom to the payloadsize as a received (IP) packet can have
2939 * all the extra headers in it */
2940 payload_size += headroom;
2941
2942 /* the space after the payload, this needs some extra buffer space for
2943 * encryption so headroom is probably too much but we do not really care
2944 * the few extra bytes */
2945 size_t tailroom = headroom;
2946
2947#ifdef USE_COMP
2948 msg(D_MTU_DEBUG,
2949 "MTU: adding %zu buffer tailroom for compression for %zu "
2950 "bytes of payload",
2951 COMP_EXTRA_BUFFER(payload_size), payload_size);
2952 tailroom += COMP_EXTRA_BUFFER(payload_size);
2953#endif
2954
2955 frame->buf.payload_size = payload_size;
2956 frame->buf.headroom = headroom;
2957 frame->buf.tailroom = tailroom;
2958}
2959
2960/*
2961 * Free a key schedule, including OpenSSL components.
2962 */
2963static void
2964key_schedule_free(struct key_schedule *ks, bool free_ssl_ctx)
2965{
2966 free_key_ctx_bi(&ks->static_key);
2967 if (tls_ctx_initialised(&ks->ssl_ctx) && free_ssl_ctx)
2968 {
2969 tls_ctx_free(&ks->ssl_ctx);
2970 free_key_ctx(&ks->auth_token_key);
2971 }
2972 CLEAR(*ks);
2973}
2974
2975static void
2976init_crypto_pre(struct context *c, const unsigned int flags)
2977{
2978 if (c->options.engine)
2979 {
2980 crypto_init_lib_engine(c->options.engine);
2981 }
2982
2983 if (flags & CF_LOAD_PERSISTED_PACKET_ID)
2984 {
2985 /* load a persisted packet-id for cross-session replay-protection */
2986 if (c->options.packet_id_file)
2987 {
2988 packet_id_persist_load(&c->c1.pid_persist, c->options.packet_id_file);
2989 }
2990 }
2991
2992#ifdef ENABLE_PREDICTION_RESISTANCE
2993 if (c->options.use_prediction_resistance)
2994 {
2995 rand_ctx_enable_prediction_resistance();
2996 }
2997#endif
2998}
2999
3000/*
3001 * Static Key Mode (using a pre-shared key)
3002 */
3003static void
3004do_init_crypto_static(struct context *c, const unsigned int flags)
3005{
3006 const struct options *options = &c->options;
3007 ASSERT(options->shared_secret_file);
3008
3009 init_crypto_pre(c, flags);
3010
3011 /* Initialize flags */
3012 if (c->options.mute_replay_warnings)
3013 {
3014 c->c2.crypto_options.flags |= CO_MUTE_REPLAY_WARNINGS;
3015 }
3016
3017 /* Initialize packet ID tracking */
3018 packet_id_init(&c->c2.crypto_options.packet_id, options->replay_window, options->replay_time,
3019 "STATIC", 0);
3020 c->c2.crypto_options.pid_persist = &c->c1.pid_persist;
3021 c->c2.crypto_options.flags |= CO_PACKET_ID_LONG_FORM;
3022 packet_id_persist_load_obj(&c->c1.pid_persist, &c->c2.crypto_options.packet_id);
3023
3024 if (!key_ctx_bi_defined(&c->c1.ks.static_key))
3025 {
3026 /* Get cipher & hash algorithms */
3027 init_key_type(&c->c1.ks.key_type, options->ciphername, options->authname,
3028 options->test_crypto, true);
3029
3030 /* Read cipher and hmac keys from shared secret file */
3031 crypto_read_openvpn_key(&c->c1.ks.key_type, &c->c1.ks.static_key,
3032 options->shared_secret_file, options->shared_secret_file_inline,
3033 options->key_direction, "Static Key Encryption", "secret", NULL);
3034 }
3035 else
3036 {
3037 msg(M_INFO, "Re-using pre-shared static key");
3038 }
3039
3040 /* Get key schedule */
3041 c->c2.crypto_options.key_ctx_bi = c->c1.ks.static_key;
3042}
3043
3044/*
3045 * Initialize the tls-auth/crypt key context
3046 */
3047static void
3048do_init_tls_wrap_key(struct context *c)
3049{
3050 const struct options *options = &c->options;
3051
3052 /* TLS handshake authentication (--tls-auth) */
3053 if (options->ce.tls_auth_file)
3054 {
3055 /* Initialize key_type for tls-auth with auth only */
3056 CLEAR(c->c1.ks.tls_auth_key_type);
3057 c->c1.ks.tls_auth_key_type.cipher = "none";
3058 c->c1.ks.tls_auth_key_type.digest = options->authname;
3059 if (!md_valid(options->authname))
3060 {
3061 msg(M_FATAL,
3062 "ERROR: tls-auth enabled, but no valid --auth "
3063 "algorithm specified ('%s')",
3064 options->authname);
3065 }
3066
3067 crypto_read_openvpn_key(&c->c1.ks.tls_auth_key_type, &c->c1.ks.tls_wrap_key,
3068 options->ce.tls_auth_file, options->ce.tls_auth_file_inline,
3069 options->ce.key_direction, "Control Channel Authentication",
3070 "tls-auth", &c->c1.ks.original_wrap_keydata);
3071 }
3072
3073 /* TLS handshake encryption+authentication (--tls-crypt) */
3074 if (options->ce.tls_crypt_file)
3075 {
3076 tls_crypt_init_key(&c->c1.ks.tls_wrap_key, &c->c1.ks.original_wrap_keydata,
3077 options->ce.tls_crypt_file, options->ce.tls_crypt_file_inline,
3078 options->tls_server);
3079 }
3080
3081 /* tls-crypt with client-specific keys (--tls-crypt-v2) */
3082 if (options->ce.tls_crypt_v2_file)
3083 {
3084 if (options->tls_server)
3085 {
3086 tls_crypt_v2_init_server_key(&c->c1.ks.tls_crypt_v2_server_key, true,
3087 options->ce.tls_crypt_v2_file,
3088 options->ce.tls_crypt_v2_file_inline);
3089 }
3090 else
3091 {
3092 tls_crypt_v2_init_client_key(&c->c1.ks.tls_wrap_key, &c->c1.ks.original_wrap_keydata,
3093 &c->c1.ks.tls_crypt_v2_wkc, options->ce.tls_crypt_v2_file,
3094 options->ce.tls_crypt_v2_file_inline);
3095 }
3096 /* We have to ensure that the loaded tls-crypt key is small enough
3097 * to fit into the initial hard reset v3 packet */
3098 int wkc_len = buf_len(&c->c1.ks.tls_crypt_v2_wkc);
3099
3100 /* empty ACK/message id, tls-crypt, Opcode, UDP, ipv6 */
3101 int required_size = 5 + wkc_len + tls_crypt_buf_overhead() + 1 + 8 + 40;
3102
3103 if (required_size > c->options.ce.tls_mtu)
3104 {
3105 msg(M_WARN,
3106 "ERROR: tls-crypt-v2 client key too large to work with "
3107 "requested --max-packet-size %d, requires at least "
3108 "--max-packet-size %d. Packets will ignore requested "
3109 "maximum packet size",
3110 c->options.ce.tls_mtu, required_size);
3111 }
3112 }
3113}
3114
3115/*
3116 * Initialize the persistent component of OpenVPN's TLS mode,
3117 * which is preserved across SIGUSR1 resets.
3118 */
3119static void
3120do_init_crypto_tls_c1(struct context *c)
3121{
3122 const struct options *options = &c->options;
3123
3124 if (!tls_ctx_initialised(&c->c1.ks.ssl_ctx))
3125 {
3126 /*
3127 * Initialize the OpenSSL library's global
3128 * SSL context.
3129 */
3130 init_ssl(options, &(c->c1.ks.ssl_ctx), c->c0 && c->c0->uid_gid_chroot_set);
3131 if (!tls_ctx_initialised(&c->c1.ks.ssl_ctx))
3132 {
3133 switch (auth_retry_get())
3134 {
3135 case AR_NONE:
3136 msg(M_FATAL, "Error: private key password verification failed");
3137 break;
3138
3139 case AR_INTERACT:
3140 ssl_purge_auth(false);
3141 /* Intentional [[fallthrough]]; */
3142
3143 case AR_NOINTERACT:
3144 /* SOFT-SIGUSR1 -- Password failure error */
3145 register_signal(c->sig, SIGUSR1, "private-key-password-failure");
3146 break;
3147
3148 default:
3149 ASSERT(0);
3150 }
3151 return;
3152 }
3153
3154 /*
3155 * BF-CBC is allowed to be used only when explicitly configured
3156 * as NCP-fallback or when NCP has been disabled or explicitly
3157 * allowed in the in ncp_ciphers list.
3158 * In all other cases do not attempt to initialize BF-CBC as it
3159 * may not even be supported by the underlying SSL library.
3160 *
3161 * Therefore, the key structure has to be initialized when:
3162 * - any non-BF-CBC cipher was selected; or
3163 * - BF-CBC is selected, NCP is enabled and fallback is enabled
3164 * (BF-CBC will be the fallback).
3165 * - BF-CBC is in data-ciphers and we negotiate to use BF-CBC:
3166 * If the negotiated cipher and options->ciphername are the
3167 * same we do not reinit the cipher
3168 *
3169 * Note that BF-CBC will still be part of the OCC string to retain
3170 * backwards compatibility with older clients.
3171 */
3172 const char *ciphername = options->ciphername;
3173 if (streq(options->ciphername, "BF-CBC")
3174 && !tls_item_in_cipher_list("BF-CBC", options->ncp_ciphers)
3175 && !options->enable_ncp_fallback)
3176 {
3177 ciphername = "none";
3178 }
3179
3180 /* Do not warn if the cipher is used only in OCC */
3181 bool warn = options->enable_ncp_fallback;
3182 init_key_type(&c->c1.ks.key_type, ciphername, options->authname, true, warn);
3183
3184 /* initialize tls-auth/crypt/crypt-v2 key */
3185 do_init_tls_wrap_key(c);
3186
3187 /* initialise auth-token crypto support */
3188 if (c->options.auth_token_generate)
3189 {
3190 auth_token_init_secret(&c->c1.ks.auth_token_key, c->options.auth_token_secret_file,
3191 c->options.auth_token_secret_file_inline);
3192 }
3193
3194#if 0 /* was: #if ENABLE_INLINE_FILES -- Note that enabling this code will break restarts */
3195 if (options->priv_key_file_inline)
3196 {
3197 string_clear(c->options.priv_key_file_inline);
3198 c->options.priv_key_file_inline = NULL;
3199 }
3200#endif
3201 }
3202 else
3203 {
3204 msg(D_INIT_MEDIUM, "Re-using SSL/TLS context");
3205
3206 /*
3207 * tls-auth/crypt key can be configured per connection block, therefore
3208 * we must reload it as it may have changed
3209 */
3210 do_init_tls_wrap_key(c);
3211 }
3212}
3213
3214static void
3215do_init_crypto_tls(struct context *c, const unsigned int flags)
3216{
3217 const struct options *options = &c->options;
3218 struct tls_options to;
3219 bool packet_id_long_form;
3220
3221 ASSERT(options->tls_server || options->tls_client);
3222 ASSERT(!options->test_crypto);
3223
3224 init_crypto_pre(c, flags);
3225
3226 /* Make sure we are either a TLS client or server but not both */
3227 ASSERT(options->tls_server == !options->tls_client);
3228
3229 /* initialize persistent component */
3230 do_init_crypto_tls_c1(c);
3231 if (IS_SIG(c))
3232 {
3233 return;
3234 }
3235
3236 /* In short form, unique datagram identifier is 32 bits, in long form 64 bits */
3237 packet_id_long_form = cipher_kt_mode_ofb_cfb(c->c1.ks.key_type.cipher);
3238
3239 /* Set all command-line TLS-related options */
3240 CLEAR(to);
3241
3242 if (options->mute_replay_warnings)
3243 {
3244 to.crypto_flags |= CO_MUTE_REPLAY_WARNINGS;
3245 }
3246
3247 to.crypto_flags &= ~(CO_PACKET_ID_LONG_FORM);
3248 if (packet_id_long_form)
3249 {
3250 to.crypto_flags |= CO_PACKET_ID_LONG_FORM;
3251 }
3252
3253 to.ssl_ctx = c->c1.ks.ssl_ctx;
3254 to.key_type = c->c1.ks.key_type;
3255 to.server = options->tls_server;
3256 to.replay_window = options->replay_window;
3257 to.replay_time = options->replay_time;
3258 to.config_ciphername = c->options.ciphername;
3259 to.config_ncp_ciphers = c->options.ncp_ciphers;
3260 to.transition_window = options->transition_window;
3261 to.handshake_window = options->handshake_window;
3262 to.packet_timeout = options->tls_timeout;
3263 to.renegotiate_bytes = options->renegotiate_bytes;
3264 to.renegotiate_packets = options->renegotiate_packets;
3265 if (options->renegotiate_seconds_min < 0)
3266 {
3267 /* Add 10% jitter to reneg-sec by default (server side only) */
3268 int auto_jitter = options->mode != MODE_SERVER
3269 ? 0
3270 : get_random() % max_int(options->renegotiate_seconds / 10, 1);
3271 to.renegotiate_seconds = options->renegotiate_seconds - auto_jitter;
3272 }
3273 else
3274 {
3275 /* Add user-specified jitter to reneg-sec */
3276 to.renegotiate_seconds =
3277 options->renegotiate_seconds
3278 - (get_random()
3279 % max_int(options->renegotiate_seconds - options->renegotiate_seconds_min, 1));
3280 }
3281 to.single_session = options->single_session;
3282 to.mode = options->mode;
3283 to.pull = options->pull;
3284 if (options->push_peer_info) /* all there is */
3285 {
3286 to.push_peer_info_detail = 3;
3287 }
3288 else if (options->pull) /* pull clients send some details */
3289 {
3290 to.push_peer_info_detail = 2;
3291 }
3292 else if (options->mode == MODE_SERVER) /* server: no peer info at all */
3293 {
3294 to.push_peer_info_detail = 0;
3295 }
3296 else /* default: minimal info to allow NCP in P2P mode */
3297 {
3298 to.push_peer_info_detail = 1;
3299 }
3300
3301 /* Check if the DCO drivers support the epoch data format */
3302 if (dco_enabled(options))
3303 {
3304 to.data_epoch_supported = dco_supports_epoch_data(c);
3305 }
3306 else
3307 {
3308 to.data_epoch_supported = true;
3309 }
3310
3311 /* should we not xmit any packets until we get an initial
3312 * response from client? */
3313 if (to.server && c->mode == CM_CHILD_TCP)
3314 {
3315 to.xmit_hold = true;
3316 }
3317
3318 to.verify_command = options->tls_verify;
3319 to.verify_x509_type = (options->verify_x509_type & 0xff);
3320 to.verify_x509_name = options->verify_x509_name;
3321 to.crl_file = options->crl_file;
3322 to.crl_file_inline = options->crl_file_inline;
3323 to.ssl_flags = options->ssl_flags;
3324 to.ns_cert_type = options->ns_cert_type;
3325 memcpy(to.remote_cert_ku, options->remote_cert_ku, sizeof(to.remote_cert_ku));
3326 to.remote_cert_eku = options->remote_cert_eku;
3327 to.verify_hash = options->verify_hash;
3328 to.verify_hash_algo = options->verify_hash_algo;
3329 to.verify_hash_depth = options->verify_hash_depth;
3330 to.verify_hash_no_ca = options->verify_hash_no_ca;
3331#ifdef ENABLE_X509ALTUSERNAME
3332 memcpy(to.x509_username_field, options->x509_username_field, sizeof(to.x509_username_field));
3333#else
3334 to.x509_username_field[0] = X509_USERNAME_FIELD_DEFAULT;
3335#endif
3336 to.es = c->c2.es;
3337 to.net_ctx = &c->net_ctx;
3338
3339#ifdef ENABLE_DEBUG
3340 to.gremlin = c->options.gremlin;
3341#endif
3342
3343 to.plugins = c->plugins;
3344
3345#ifdef ENABLE_MANAGEMENT
3346 to.mda_context = &c->c2.mda_context;
3347#endif
3348
3349 to.auth_user_pass_verify_script = options->auth_user_pass_verify_script;
3350 to.auth_user_pass_verify_script_via_file = options->auth_user_pass_verify_script_via_file;
3351 to.client_crresponse_script = options->client_crresponse_script;
3352 to.tmp_dir = options->tmp_dir;
3353 to.export_peer_cert_dir = options->tls_export_peer_cert_dir;
3354 if (options->ccd_exclusive)
3355 {
3356 to.client_config_dir_exclusive = options->client_config_dir;
3357 }
3358 to.auth_user_pass_file = options->auth_user_pass_file;
3359 to.auth_user_pass_file_inline = options->auth_user_pass_file_inline;
3360 to.auth_token_generate = options->auth_token_generate;
3361 to.auth_token_lifetime = options->auth_token_lifetime;
3362 to.auth_token_renewal = options->auth_token_renewal;
3363 to.auth_token_call_auth = options->auth_token_call_auth;
3364 to.auth_token_key = c->c1.ks.auth_token_key;
3365
3366 to.x509_track = options->x509_track;
3367
3368#ifdef ENABLE_MANAGEMENT
3369 to.sci = &options->sc_info;
3370#endif
3371
3372#ifdef USE_COMP
3373 to.comp_options = options->comp;
3374#endif
3375
3376 if (options->keying_material_exporter_label)
3377 {
3378 to.ekm_size = options->keying_material_exporter_length;
3379 if (to.ekm_size < 16 || to.ekm_size > 4095)
3380 {
3381 to.ekm_size = 0;
3382 }
3383
3384 to.ekm_label = options->keying_material_exporter_label;
3385 to.ekm_label_size = strlen(to.ekm_label);
3386 }
3387 else
3388 {
3389 to.ekm_size = 0;
3390 }
3391
3392 /* TLS handshake authentication (--tls-auth) */
3393 if (options->ce.tls_auth_file)
3394 {
3395 to.tls_wrap.mode = TLS_WRAP_AUTH;
3396 }
3397
3398 /* TLS handshake encryption (--tls-crypt) */
3399 if (options->ce.tls_crypt_file || (options->ce.tls_crypt_v2_file && options->tls_client))
3400 {
3401 to.tls_wrap.mode = TLS_WRAP_CRYPT;
3402 }
3403
3404 if (to.tls_wrap.mode == TLS_WRAP_AUTH || to.tls_wrap.mode == TLS_WRAP_CRYPT)
3405 {
3406 to.tls_wrap.opt.key_ctx_bi = c->c1.ks.tls_wrap_key;
3407 to.tls_wrap.opt.pid_persist = &c->c1.pid_persist;
3408 to.tls_wrap.opt.flags |= CO_PACKET_ID_LONG_FORM;
3409 to.tls_wrap.original_wrap_keydata = c->c1.ks.original_wrap_keydata;
3410 }
3411
3412 if (options->ce.tls_crypt_v2_file)
3413 {
3414 to.tls_crypt_v2 = true;
3415 to.tls_wrap.tls_crypt_v2_wkc = &c->c1.ks.tls_crypt_v2_wkc;
3416
3417 if (options->tls_server)
3418 {
3419 to.tls_wrap.tls_crypt_v2_server_key = c->c1.ks.tls_crypt_v2_server_key;
3420 to.tls_crypt_v2_verify_script = c->options.tls_crypt_v2_verify_script;
3421 if (options->ce.tls_crypt_v2_force_cookie)
3422 {
3423 to.tls_wrap.opt.flags |= CO_FORCE_TLSCRYPTV2_COOKIE;
3424 }
3425 }
3426 }
3427
3428 /* let the TLS engine know if keys have to be installed in DCO or not */
3429 to.dco_enabled = dco_enabled(options);
3430
3431 /*
3432 * Initialize OpenVPN's master TLS-mode object.
3433 */
3434 if (flags & CF_INIT_TLS_MULTI)
3435 {
3436 c->c2.tls_multi = tls_multi_init(&to);
3437 /* inherit the dco context from the tuntap object */
3438 if (c->c1.tuntap)
3439 {
3440 c->c2.tls_multi->dco = &c->c1.tuntap->dco;
3441 }
3442 }
3443
3444 if (flags & CF_INIT_TLS_AUTH_STANDALONE)
3445 {
3446 c->c2.tls_auth_standalone = tls_auth_standalone_init(&to, &c->c2.gc);
3447 c->c2.session_id_hmac = session_id_hmac_init();
3448 }
3449}
3450
3451static void
3452do_init_frame_tls(struct context *c)
3453{
3454 if (c->c2.tls_multi)
3455 {
3456 tls_multi_init_finalize(c->c2.tls_multi, c->options.ce.tls_mtu);
3457 ASSERT(c->c2.tls_multi->opt.frame.buf.payload_size <= c->c2.frame.buf.payload_size);
3458 frame_print(&c->c2.tls_multi->opt.frame, D_MTU_INFO, "Control Channel MTU parms");
3459
3460 /* Keep the max mtu also in the frame of tls multi so it can access
3461 * it in push_peer_info */
3462 c->c2.tls_multi->opt.frame.tun_max_mtu = c->c2.frame.tun_max_mtu;
3463 }
3464 if (c->c2.tls_auth_standalone)
3465 {
3466 tls_init_control_channel_frame_parameters(&c->c2.tls_auth_standalone->frame,
3467 c->options.ce.tls_mtu);
3468 frame_print(&c->c2.tls_auth_standalone->frame, D_MTU_INFO, "TLS-Auth MTU parms");
3469 c->c2.tls_auth_standalone->tls_wrap.work = alloc_buf_gc(BUF_SIZE(&c->c2.frame), &c->c2.gc);
3470 c->c2.tls_auth_standalone->workbuf = alloc_buf_gc(BUF_SIZE(&c->c2.frame), &c->c2.gc);
3471 }
3472}
3473
3474#if defined(__GNUC__) || defined(__clang__)
3475#pragma GCC diagnostic pop
3476#endif
3477
3478/*
3479 * No encryption or authentication.
3480 */
3481static void
3482do_init_crypto_none(struct context *c)
3483{
3484 ASSERT(!c->options.test_crypto);
3485
3486 /* Initialise key_type with auth/cipher "none", so the key_type struct is
3487 * valid */
3488 init_key_type(&c->c1.ks.key_type, "none", "none", c->options.test_crypto, true);
3489
3490 msg(M_WARN, "******* WARNING *******: All encryption and authentication features "
3491 "disabled -- All data will be tunnelled as clear text and will not be "
3492 "protected against man-in-the-middle changes. "
3493 "PLEASE DO RECONSIDER THIS CONFIGURATION!");
3494}
3495
3496static void
3497do_init_crypto(struct context *c, const unsigned int flags)
3498{
3499 if (c->options.shared_secret_file)
3500 {
3501 do_init_crypto_static(c, flags);
3502 }
3503 else if (c->options.tls_server || c->options.tls_client)
3504 {
3505 do_init_crypto_tls(c, flags);
3506 }
3507 else /* no encryption or authentication. */
3508 {
3509 do_init_crypto_none(c);
3510 }
3511}
3512
3513static void
3514do_init_frame(struct context *c)
3515{
3516 /*
3517 * Adjust frame size based on the --tun-mtu-extra parameter.
3518 */
3519 if (c->options.ce.tun_mtu_extra_defined)
3520 {
3521 c->c2.frame.extra_tun += c->options.ce.tun_mtu_extra;
3522 }
3523
3524 /*
3525 * Fill in the blanks in the frame parameters structure,
3526 * make sure values are rational, etc.
3527 */
3528 frame_finalize_options(c, NULL);
3529
3530
3531#if defined(ENABLE_FRAGMENT)
3532 /*
3533 * MTU advisories
3534 */
3535 if (c->options.ce.fragment && c->options.mtu_test)
3536 {
3537 msg(M_WARN,
3538 "WARNING: using --fragment and --mtu-test together may produce an inaccurate MTU test result");
3539 }
3540#endif
3541
3542#ifdef ENABLE_FRAGMENT
3543 if (c->options.ce.fragment > 0 && c->options.ce.mssfix > c->options.ce.fragment)
3544 {
3545 msg(M_WARN,
3546 "WARNING: if you use --mssfix and --fragment, you should "
3547 "set --fragment (%d) larger or equal than --mssfix (%d)",
3548 c->options.ce.fragment, c->options.ce.mssfix);
3549 }
3550 if (c->options.ce.fragment > 0 && c->options.ce.mssfix > 0
3551 && c->options.ce.fragment_encap != c->options.ce.mssfix_encap)
3552 {
3553 msg(M_WARN, "WARNING: if you use --mssfix and --fragment, you should "
3554 "use the \"mtu\" flag for both or none of of them.");
3555 }
3556#endif
3557}
3558
3559static void
3560do_option_warnings(struct context *c)
3561{
3562 const struct options *o = &c->options;
3563
3564 if (o->ping_send_timeout && !o->ping_rec_timeout)
3565 {
3566 msg(M_WARN, "WARNING: --ping should normally be used with --ping-restart or --ping-exit");
3567 }
3568
3569 if (o->username || o->groupname || o->chroot_dir
3570#ifdef ENABLE_SELINUX
3571 || o->selinux_context
3572#endif
3573 )
3574 {
3575 if (!o->persist_tun)
3576 {
3577 msg(M_WARN,
3578 "WARNING: you are using user/group/chroot/setcon without persist-tun -- this may cause restarts to fail");
3579 }
3580 }
3581
3582 if (o->chroot_dir && !(o->username && o->groupname))
3583 {
3584 msg(M_WARN,
3585 "WARNING: you are using chroot without specifying user and group -- this may cause the chroot jail to be insecure");
3586 }
3587
3588 if (o->pull && o->ifconfig_local && c->first_time)
3589 {
3590 msg(M_WARN,
3591 "WARNING: using --pull/--client and --ifconfig together is probably not what you want");
3592 }
3593
3594 if (o->server_bridge_defined || o->server_bridge_proxy_dhcp)
3595 {
3596 msg(M_WARN,
3597 "NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to");
3598 }
3599
3600 if (o->mode == MODE_SERVER)
3601 {
3602 if (o->duplicate_cn && o->client_config_dir)
3603 {
3604 msg(M_WARN,
3605 "WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want");
3606 }
3607 if (o->duplicate_cn && o->ifconfig_pool_persist_filename)
3608 {
3609 msg(M_WARN, "WARNING: --ifconfig-pool-persist will not work with --duplicate-cn");
3610 }
3611 if (!o->keepalive_ping || !o->keepalive_timeout)
3612 {
3613 msg(M_WARN, "WARNING: --keepalive option is missing from server config");
3614 }
3615 }
3616
3617 if (o->tls_server)
3618 {
3619 warn_on_use_of_common_subnets(&c->net_ctx);
3620 }
3621 if (o->tls_client && !o->tls_verify && o->verify_x509_type == VERIFY_X509_NONE
3622 && !(o->ns_cert_type & NS_CERT_CHECK_SERVER) && !o->remote_cert_eku
3623 && !(o->verify_hash_depth == 0 && o->verify_hash))
3624 {
3625 msg(M_WARN,
3626 "WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.");
3627 }
3628 if (o->ns_cert_type)
3629 {
3630 msg(M_WARN, "WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.");
3631 }
3632
3633 /* If a script is used, print appropriate warnings */
3634 if (o->user_script_used)
3635 {
3636 if (script_security() >= SSEC_SCRIPTS)
3637 {
3638 msg(M_WARN,
3639 "NOTE: the current --script-security setting may allow this configuration to call user-defined scripts");
3640 }
3641 else if (script_security() >= SSEC_PW_ENV)
3642 {
3643 msg(M_WARN,
3644 "WARNING: the current --script-security setting may allow passwords to be passed to scripts via environmental variables");
3645 }
3646 else
3647 {
3648 msg(M_WARN,
3649 "NOTE: starting with " PACKAGE_NAME
3650 " 2.1, '--script-security 2' or higher is required to call user-defined scripts or executables");
3651 }
3652 }
3653}
3654
3655struct context_buffers *
3656init_context_buffers(const struct frame *frame)
3657{
3658 struct context_buffers *b;
3659
3660 ALLOC_OBJ_CLEAR(b, struct context_buffers);
3661
3662 size_t buf_size = BUF_SIZE(frame);
3663
3664 b->read_link_buf = alloc_buf(buf_size);
3665 b->read_tun_buf = alloc_buf(buf_size);
3666
3667 b->aux_buf = alloc_buf(buf_size);
3668
3669 b->encrypt_buf = alloc_buf(buf_size);
3670 b->decrypt_buf = alloc_buf(buf_size);
3671
3672#ifdef USE_COMP
3673 b->compress_buf = alloc_buf(buf_size);
3674 b->decompress_buf = alloc_buf(buf_size);
3675#endif
3676
3677 return b;
3678}
3679
3680void
3681free_context_buffers(struct context_buffers *b)
3682{
3683 if (b)
3684 {
3685 free_buf(&b->read_link_buf);
3686 free_buf(&b->read_tun_buf);
3687 free_buf(&b->aux_buf);
3688
3689#ifdef USE_COMP
3690 free_buf(&b->compress_buf);
3691 free_buf(&b->decompress_buf);
3692#endif
3693
3694 free_buf(&b->encrypt_buf);
3695 free_buf(&b->decrypt_buf);
3696
3697 free(b);
3698 }
3699}
3700
3701/*
3702 * Now that we know all frame parameters, initialize
3703 * our buffers.
3704 */
3705static void
3706do_init_buffers(struct context *c)
3707{
3708 c->c2.buffers = init_context_buffers(&c->c2.frame);
3709 c->c2.buffers_owned = true;
3710}
3711
3712#ifdef ENABLE_FRAGMENT
3713/*
3714 * Fragmenting code has buffers to initialize
3715 * once frame parameters are known.
3716 */
3717static void
3718do_init_fragment(struct context *c)
3719{
3720 ASSERT(c->options.ce.fragment);
3721
3722 /*
3723 * Set frame parameter for fragment code. This is necessary because
3724 * the fragmentation code deals with payloads which have already been
3725 * passed through the compression code.
3726 */
3727 c->c2.frame_fragment = c->c2.frame;
3728
3729 frame_calculate_dynamic(&c->c2.frame_fragment, &c->c1.ks.key_type, &c->options,
3730 get_link_socket_info(c));
3731 fragment_frame_init(c->c2.fragment, &c->c2.frame_fragment);
3732}
3733#endif
3734
3735/*
3736 * Allocate our socket object.
3737 */
3738static void
3739do_link_socket_new(struct context *c)
3740{
3741 ASSERT(!c->c2.link_sockets);
3742
3743 ALLOC_ARRAY_GC(c->c2.link_sockets, struct link_socket *, c->c1.link_sockets_num, &c->c2.gc);
3744
3745 for (int i = 0; i < c->c1.link_sockets_num; i++)
3746 {
3747 c->c2.link_sockets[i] = link_socket_new();
3748 }
3749 c->c2.link_socket_owned = true;
3750}
3751
3752/*
3753 * bind TCP/UDP sockets
3754 */
3755static void
3756do_init_socket_phase1(struct context *c)
3757{
3758 for (int i = 0; i < c->c1.link_sockets_num; i++)
3759 {
3760 int mode = LS_MODE_DEFAULT;
3761
3762 /* mode allows CM_CHILD_TCP
3763 * instances to inherit acceptable fds
3764 * from a top-level parent */
3765 if (c->options.mode == MODE_SERVER)
3766 {
3767 /* initializing listening socket */
3768 if (c->mode == CM_TOP)
3769 {
3770 mode = LS_MODE_TCP_LISTEN;
3771 }
3772 /* initializing socket to client */
3773 else if (c->mode == CM_CHILD_TCP)
3774 {
3775 mode = LS_MODE_TCP_ACCEPT_FROM;
3776 }
3777 }
3778
3779 /* init each socket with its specific args */
3780 link_socket_init_phase1(c, i, mode);
3781 }
3782}
3783
3784/*
3785 * finalize TCP/UDP sockets
3786 */
3787static void
3788do_init_socket_phase2(struct context *c)
3789{
3790 for (int i = 0; i < c->c1.link_sockets_num; i++)
3791 {
3792 link_socket_init_phase2(c, c->c2.link_sockets[i]);
3793 }
3794}
3795
3796/*
3797 * Print MTU INFO
3798 */
3799static void
3800do_print_data_channel_mtu_parms(struct context *c)
3801{
3802 frame_print(&c->c2.frame, D_MTU_INFO, "Data Channel MTU parms");
3803#ifdef ENABLE_FRAGMENT
3804 if (c->c2.fragment)
3805 {
3806 frame_print(&c->c2.frame_fragment, D_MTU_INFO, "Fragmentation MTU parms");
3807 }
3808#endif
3809}
3810
3811/*
3812 * Get local and remote options compatibility strings.
3813 */
3814static void
3815do_compute_occ_strings(struct context *c)
3816{
3817 struct gc_arena gc = gc_new();
3818
3819 c->c2.options_string_local =
3820 options_string(&c->options, &c->c2.frame, c->c1.tuntap, &c->net_ctx, false, &gc);
3821 c->c2.options_string_remote =
3822 options_string(&c->options, &c->c2.frame, c->c1.tuntap, &c->net_ctx, true, &gc);
3823
3824 msg(D_SHOW_OCC, "Local Options String (VER=%s): '%s'",
3825 options_string_version(c->c2.options_string_local, &gc), c->c2.options_string_local);
3826 msg(D_SHOW_OCC, "Expected Remote Options String (VER=%s): '%s'",
3827 options_string_version(c->c2.options_string_remote, &gc), c->c2.options_string_remote);
3828
3829 if (c->c2.tls_multi)
3830 {
3831 tls_multi_init_set_options(c->c2.tls_multi, c->c2.options_string_local,
3832 c->c2.options_string_remote);
3833 }
3834
3835 gc_free(&gc);
3836}
3837
3838/*
3839 * These things can only be executed once per program instantiation.
3840 * Set up for possible UID/GID downgrade, but don't do it yet.
3841 * Daemonize if requested.
3842 */
3843static void
3844do_init_first_time(struct context *c)
3845{
3846 if (c->first_time && !c->c0)
3847 {
3848 struct context_0 *c0;
3849
3850 ALLOC_OBJ_CLEAR_GC(c->c0, struct context_0, &c->gc);
3851 c0 = c->c0;
3852
3853 /* get user and/or group that we want to setuid/setgid to,
3854 * sets also platform_x_state */
3855 bool group_defined = platform_group_get(c->options.groupname, &c0->platform_state_group);
3856 bool user_defined = platform_user_get(c->options.username, &c0->platform_state_user);
3857
3858 c0->uid_gid_specified = user_defined || group_defined;
3859
3860 /* fork the dns script runner to preserve root? */
3861 c->persist.duri.required = user_defined;
3862
3863 /* perform postponed chdir if --daemon */
3864 if (c->did_we_daemonize && c->options.cd_dir == NULL)
3865 {
3866 platform_chdir("/");
3867 }
3868
3869 /* should we change scheduling priority? */
3870 platform_nice(c->options.nice);
3871 }
3872}
3873
3874/*
3875 * free buffers
3876 */
3877static void
3878do_close_free_buf(struct context *c)
3879{
3880 if (c->c2.buffers_owned)
3881 {
3882 free_context_buffers(c->c2.buffers);
3883 c->c2.buffers = NULL;
3884 c->c2.buffers_owned = false;
3885 }
3886}
3887
3888/*
3889 * close TLS
3890 */
3891static void
3892do_close_tls(struct context *c)
3893{
3894 if (c->c2.tls_multi)
3895 {
3896 tls_multi_free(c->c2.tls_multi, true);
3897 c->c2.tls_multi = NULL;
3898 }
3899
3900 /* free options compatibility strings */
3901 free(c->c2.options_string_local);
3902 free(c->c2.options_string_remote);
3903
3904 c->c2.options_string_local = c->c2.options_string_remote = NULL;
3905
3906 if (c->c2.pulled_options_state)
3907 {
3908 md_ctx_cleanup(c->c2.pulled_options_state);
3909 md_ctx_free(c->c2.pulled_options_state);
3910 }
3911
3912 tls_auth_standalone_free(c->c2.tls_auth_standalone);
3913}
3914
3915/*
3916 * Free key schedules
3917 */
3918static void
3919do_close_free_key_schedule(struct context *c, bool free_ssl_ctx)
3920{
3921 /*
3922 * always free the tls_auth/crypt key. The key will
3923 * be reloaded from memory (pre-cached)
3924 */
3925 free_key_ctx(&c->c1.ks.tls_crypt_v2_server_key);
3926 free_key_ctx_bi(&c->c1.ks.tls_wrap_key);
3927 CLEAR(c->c1.ks.tls_wrap_key);
3928 buf_clear(&c->c1.ks.tls_crypt_v2_wkc);
3929 free_buf(&c->c1.ks.tls_crypt_v2_wkc);
3930
3931 if (!(c->sig->signal_received == SIGUSR1))
3932 {
3933 key_schedule_free(&c->c1.ks, free_ssl_ctx);
3934 }
3935}
3936
3937/*
3938 * Close TCP/UDP connection
3939 */
3940static void
3941do_close_link_socket(struct context *c)
3942{
3943 if (c->c2.link_sockets && c->c2.link_socket_owned)
3944 {
3945 for (int i = 0; i < c->c1.link_sockets_num; i++)
3946 {
3947 /* in dco-win case, link socket is a tun handle which is
3948 * closed in do_close_tun(). Set it to UNDEFINED so
3949 * we won't use WinSock API to close it. */
3950 if (tuntap_is_dco_win(c->c1.tuntap))
3951 {
3952 c->c2.link_sockets[i]->sd = SOCKET_UNDEFINED;
3953 }
3954
3955 link_socket_close(c->c2.link_sockets[i]);
3956 }
3957 c->c2.link_sockets = NULL;
3958 }
3959
3960
3961 /* Preserve the resolved list of remote if the user request to or if we want
3962 * reconnect to the same host again or there are still addresses that need
3963 * to be tried */
3964 if (!(c->sig->signal_received == SIGUSR1
3965 && ((c->options.persist_remote_ip)
3966 || (c->sig->source != SIG_SOURCE_HARD
3967 && ((c->c1.link_socket_addrs[0].current_remote
3968 && c->c1.link_socket_addrs[0].current_remote->ai_next)
3969 || c->options.no_advance)))))
3970 {
3971 clear_remote_addrlist(&c->c1.link_socket_addrs[0], !c->options.resolve_in_advance);
3972 }
3973
3974 /* Clear the remote actual address when persist_remote_ip is not in use */
3975 if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_remote_ip))
3976 {
3977 for (int i = 0; i < c->c1.link_sockets_num; i++)
3978 {
3979 CLEAR(c->c1.link_socket_addrs[i].actual);
3980 }
3981 }
3982
3983 if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_local_ip))
3984 {
3985 for (int i = 0; i < c->c1.link_sockets_num; i++)
3986 {
3987 if (c->c1.link_socket_addrs[i].bind_local && !c->options.resolve_in_advance)
3988 {
3989 freeaddrinfo(c->c1.link_socket_addrs[i].bind_local);
3990 }
3991
3992 c->c1.link_socket_addrs[i].bind_local = NULL;
3993 }
3994 }
3995}
3996
3997/*
3998 * Close packet-id persistence file
3999 */
4000static void
4001do_close_packet_id(struct context *c)
4002{
4003 packet_id_free(&c->c2.crypto_options.packet_id);
4004 packet_id_persist_save(&c->c1.pid_persist);
4005 if (!(c->sig->signal_received == SIGUSR1))
4006 {
4007 packet_id_persist_close(&c->c1.pid_persist);
4008 }
4009}
4010
4011#ifdef ENABLE_FRAGMENT
4012/*
4013 * Close fragmentation handler.
4014 */
4015static void
4016do_close_fragment(struct context *c)
4017{
4018 if (c->c2.fragment)
4019 {
4020 fragment_free(c->c2.fragment);
4021 c->c2.fragment = NULL;
4022 }
4023}
4024#endif
4025
4026/*
4027 * Open and close our event objects.
4028 */
4029
4030static void
4031do_event_set_init(struct context *c, bool need_us_timeout)
4032{
4033 unsigned int flags = 0;
4034
4035 c->c2.event_set_max = BASE_N_EVENTS;
4036
4037 flags |= EVENT_METHOD_FAST;
4038
4039 if (need_us_timeout)
4040 {
4041 flags |= EVENT_METHOD_US_TIMEOUT;
4042 }
4043
4044 c->c2.event_set = event_set_init(&c->c2.event_set_max, flags);
4045 c->c2.event_set_owned = true;
4046}
4047
4048static void
4049do_close_event_set(struct context *c)
4050{
4051 if (c->c2.event_set && c->c2.event_set_owned)
4052 {
4053 event_free(c->c2.event_set);
4054 c->c2.event_set = NULL;
4055 c->c2.event_set_owned = false;
4056 }
4057}
4058
4059/*
4060 * Open and close --status file
4061 */
4062
4063static void
4064do_open_status_output(struct context *c)
4065{
4066 if (!c->c1.status_output)
4067 {
4068 c->c1.status_output =
4069 status_open(c->options.status_file, c->options.status_file_update_freq, -1, NULL,
4070 STATUS_OUTPUT_WRITE);
4071 c->c1.status_output_owned = true;
4072 }
4073}
4074
4075static void
4076do_close_status_output(struct context *c)
4077{
4078 if (!(c->sig->signal_received == SIGUSR1))
4079 {
4080 if (c->c1.status_output_owned && c->c1.status_output)
4081 {
4082 status_close(c->c1.status_output);
4083 c->c1.status_output = NULL;
4084 c->c1.status_output_owned = false;
4085 }
4086 }
4087}
4088
4089/*
4090 * Handle ifconfig-pool persistence object.
4091 */
4092static void
4103
4104static void
4105do_close_ifconfig_pool_persist(struct context *c)
4106{
4107 if (!(c->sig->signal_received == SIGUSR1))
4108 {
4109 if (c->c1.ifconfig_pool_persist && c->c1.ifconfig_pool_persist_owned)
4110 {
4111 ifconfig_pool_persist_close(c->c1.ifconfig_pool_persist);
4112 c->c1.ifconfig_pool_persist = NULL;
4113 c->c1.ifconfig_pool_persist_owned = false;
4114 }
4115 }
4116}
4117
4118/*
4119 * Inherit environmental variables
4120 */
4121
4122static void
4123do_inherit_env(struct context *c, const struct env_set *src)
4124{
4125 c->c2.es = env_set_create(NULL);
4126 c->c2.es_owned = true;
4127 env_set_inherit(c->c2.es, src);
4128}
4129
4130static void
4131do_env_set_destroy(struct context *c)
4132{
4133 if (c->c2.es && c->c2.es_owned)
4134 {
4135 env_set_destroy(c->c2.es);
4136 c->c2.es = NULL;
4137 c->c2.es_owned = false;
4138 }
4139}
4140
4141/*
4142 * Fast I/O setup. Fast I/O is an optimization which only works
4143 * if all of the following are true:
4144 *
4145 * (1) The platform is not Windows
4146 * (2) --proto udp is enabled
4147 * (3) --shaper is disabled
4148 */
4149static void
4150do_setup_fast_io(struct context *c)
4151{
4152 if (c->options.fast_io)
4153 {
4154#ifdef _WIN32
4155 msg(M_INFO, "NOTE: --fast-io is disabled since we are running on Windows");
4156#else
4157 if (c->options.shaper)
4158 {
4159 msg(M_INFO, "NOTE: --fast-io is disabled since we are using --shaper");
4160 }
4161 else
4162 {
4163 c->c2.fast_io = true;
4164 }
4165#endif
4166 }
4167}
4168
4169static void
4170do_signal_on_tls_errors(struct context *c)
4171{
4172 if (c->options.tls_exit)
4173 {
4174 c->c2.tls_exit_signal = SIGTERM;
4175 }
4176 else
4177 {
4178 c->c2.tls_exit_signal = SIGUSR1;
4179 }
4180}
4181
4182#ifdef ENABLE_PLUGIN
4183
4184void
4185init_plugins(struct context *c)
4186{
4187 if (c->options.plugin_list && !c->plugins)
4188 {
4189 c->plugins = plugin_list_init(c->options.plugin_list);
4190 c->plugins_owned = true;
4191 }
4192}
4193
4194void
4195open_plugins(struct context *c, const bool import_options, int init_point)
4196{
4197 if (c->plugins && c->plugins_owned)
4198 {
4199 if (import_options)
4200 {
4201 struct plugin_return pr, config;
4202 plugin_return_init(&pr);
4203 plugin_list_open(c->plugins, c->options.plugin_list, &pr, c->c2.es, init_point);
4204 plugin_return_get_column(&pr, &config, "config");
4205 if (plugin_return_defined(&config))
4206 {
4207 int i;
4208 for (i = 0; i < config.n; ++i)
4209 {
4210 unsigned int option_types_found = 0;
4211 if (config.list[i] && config.list[i]->value)
4212 {
4213 options_string_import(
4214 &c->options, config.list[i]->value, D_IMPORT_ERRORS | M_OPTERR,
4215 OPT_P_DEFAULT & ~OPT_P_PLUGIN, &option_types_found, c->es);
4216 }
4217 }
4218 }
4219 plugin_return_free(&pr);
4220 }
4221 else
4222 {
4223 plugin_list_open(c->plugins, c->options.plugin_list, NULL, c->c2.es, init_point);
4224 }
4225 }
4226}
4227
4228static void
4229do_close_plugins(struct context *c)
4230{
4231 if (c->plugins && c->plugins_owned && !(c->sig->signal_received == SIGUSR1))
4232 {
4233 plugin_list_close(c->plugins);
4234 c->plugins = NULL;
4235 c->plugins_owned = false;
4236 }
4237}
4238
4239static void
4240do_inherit_plugins(struct context *c, const struct context *src)
4241{
4242 if (!c->plugins && src->plugins)
4243 {
4244 c->plugins = plugin_list_inherit(src->plugins);
4245 c->plugins_owned = true;
4246 }
4247}
4248
4249#endif /* ifdef ENABLE_PLUGIN */
4250
4251#ifdef ENABLE_MANAGEMENT
4252
4253static void
4254management_callback_status_p2p(void *arg, const int version, struct status_output *so)
4255{
4256 struct context *c = (struct context *)arg;
4257 print_status(c, so);
4258}
4259
4260void
4261management_show_net_callback(void *arg, const msglvl_t msglevel)
4262{
4263#ifdef _WIN32
4264 show_routes(msglevel);
4265 show_adapters(msglevel);
4266 msg(msglevel, "END");
4267#else
4268 msg(msglevel, "ERROR: Sorry, this command is currently only implemented on Windows");
4269#endif
4270}
4271
4272#ifdef TARGET_ANDROID
4273int
4274management_callback_network_change(void *arg, bool samenetwork)
4275{
4276 /* Check if the client should translate the network change to a SIGUSR1 to
4277 * reestablish the connection or just reprotect the socket
4278 *
4279 * At the moment just assume that, for all settings that use pull (not
4280 * --static) and are not using peer-id reestablishing the connection is
4281 * required (unless the network is the same)
4282 *
4283 * The function returns -1 on invalid fd and -2 if the socket cannot be
4284 * reused. On the -2 return value the man_network_change function triggers
4285 * a SIGUSR1 to force a reconnect.
4286 */
4287
4288 int socketfd = -1;
4289 struct context *c = (struct context *)arg;
4290 if (!c->c2.link_sockets || !c->c2.link_sockets[0])
4291 {
4292 return -1;
4293 }
4294 if (c->c2.link_sockets[0]->sd == SOCKET_UNDEFINED)
4295 {
4296 return -1;
4297 }
4298
4299 /* On some newer Android handsets, changing to a different network
4300 * often does not trigger a TCP reset but continue using the old
4301 * connection (e.g. using mobile connection when WiFi becomes available */
4302 struct link_socket_info *lsi = get_link_socket_info(c);
4303 if (lsi && proto_is_tcp(lsi->proto) && !samenetwork)
4304 {
4305 return -2;
4306 }
4307
4308 socketfd = c->c2.link_sockets[0]->sd;
4309 if (!c->options.pull || c->c2.tls_multi->use_peer_id || samenetwork)
4310 {
4311 return socketfd;
4312 }
4313 else
4314 {
4315 return -2;
4316 }
4317}
4318#endif /* ifdef TARGET_ANDROID */
4319
4320#endif /* ifdef ENABLE_MANAGEMENT */
4321
4322void
4323init_management_callback_p2p(struct context *c)
4324{
4325#ifdef ENABLE_MANAGEMENT
4326 if (management)
4327 {
4328 struct management_callback cb;
4329 CLEAR(cb);
4330 cb.arg = c;
4331 cb.status = management_callback_status_p2p;
4332 cb.show_net = management_show_net_callback;
4333 cb.proxy_cmd = management_callback_proxy_cmd;
4334 cb.remote_cmd = management_callback_remote_cmd;
4335 cb.send_cc_message = management_callback_send_cc_message;
4336#ifdef TARGET_ANDROID
4337 cb.network_change = management_callback_network_change;
4338#endif
4339 cb.remote_entry_count = management_callback_remote_entry_count;
4340 cb.remote_entry_get = management_callback_remote_entry_get;
4341 management_set_callback(management, &cb);
4342 }
4343#endif
4344}
4345
4346#ifdef ENABLE_MANAGEMENT
4347
4348void
4349init_management(void)
4350{
4351 if (!management)
4352 {
4353 management = management_init();
4354 }
4355}
4356
4357bool
4358open_management(struct context *c)
4359{
4360 /* initialize management layer */
4361 if (management)
4362 {
4363 if (c->options.management_addr)
4364 {
4365 unsigned int flags = c->options.management_flags;
4366 if (c->options.mode == MODE_SERVER)
4367 {
4368 flags |= MF_SERVER;
4369 }
4370 if (management_open(
4371 management, c->options.management_addr, c->options.management_port,
4372 c->options.management_user_pass, c->options.management_client_user,
4373 c->options.management_client_group, c->options.management_log_history_cache,
4374 c->options.management_echo_buffer_size, c->options.management_state_buffer_size,
4375 c->options.remap_sigusr1, flags))
4376 {
4377 management_set_state(management, OPENVPN_STATE_CONNECTING, NULL, NULL, NULL, NULL,
4378 NULL);
4379 }
4380
4381 /* initial management hold, called early, before first context initialization */
4382 do_hold(0);
4383 if (IS_SIG(c))
4384 {
4385 msg(M_WARN, "Signal received from management interface, exiting");
4386 return false;
4387 }
4388 }
4389 else
4390 {
4391 close_management();
4392 }
4393 }
4394 return true;
4395}
4396
4397void
4398close_management(void)
4399{
4400 if (management)
4401 {
4402 management_close(management);
4403 management = NULL;
4404 }
4405}
4406
4407#endif /* ifdef ENABLE_MANAGEMENT */
4408
4409
4410void
4411uninit_management_callback(void)
4412{
4413#ifdef ENABLE_MANAGEMENT
4414 if (management)
4415 {
4416 management_clear_callback(management);
4417 }
4418#endif
4419}
4420
4421void
4422persist_client_stats(struct context *c)
4423{
4424#ifdef ENABLE_MANAGEMENT
4425 if (management)
4426 {
4427 man_persist_client_stats(management, c);
4428 }
4429#endif
4430}
4431
4432/*
4433 * Initialize a tunnel instance.
4434 */
4435static void
4436init_instance(struct context *c, const struct env_set *env, const unsigned int flags)
4437{
4438 const struct options *options = &c->options;
4439 const bool child = (c->mode == CM_CHILD_TCP || c->mode == CM_CHILD_UDP);
4440
4441 /* init garbage collection level */
4442 gc_init(&c->c2.gc);
4443
4444 /* inherit environmental variables */
4445 if (env)
4446 {
4447 do_inherit_env(c, env);
4448 }
4449
4450 if (c->mode == CM_P2P)
4451 {
4452 init_management_callback_p2p(c);
4453 }
4454
4455 /* possible sleep or management hold if restart */
4456 if (c->mode == CM_P2P || c->mode == CM_TOP)
4457 {
4458 do_startup_pause(c);
4459 if (IS_SIG(c))
4460 {
4461 goto sig;
4462 }
4463 }
4464
4465 if (c->options.resolve_in_advance)
4466 {
4467 do_preresolve(c);
4468 if (IS_SIG(c))
4469 {
4470 goto sig;
4471 }
4472 }
4473
4474 /* Resets all values to the initial values from the config where needed */
4475 pre_connect_restore(&c->options, &c->c2.gc);
4476
4477 /* map in current connection entry */
4478 next_connection_entry(c);
4479
4480 /* should we disable paging? */
4481 if (c->first_time && options->mlock)
4482 {
4483 platform_mlockall(true);
4484 }
4485
4486 /* get passwords if undefined */
4487 if (auth_retry_get() == AR_INTERACT)
4488 {
4489 init_query_passwords(c);
4490 }
4491
4492 /* initialize context level 2 --verb/--mute parms */
4493 init_verb_mute(c, IVM_LEVEL_2);
4494
4495 /* set error message delay for non-server modes */
4496 if (c->mode == CM_P2P)
4497 {
4498 set_check_status_error_delay(P2P_ERROR_DELAY_MS);
4499 }
4500
4501 /* warn about inconsistent options */
4502 if (c->mode == CM_P2P || c->mode == CM_TOP)
4503 {
4504 do_option_warnings(c);
4505 }
4506
4507#ifdef ENABLE_PLUGIN
4508 /* initialize plugins */
4509 if (c->mode == CM_P2P || c->mode == CM_TOP)
4510 {
4511 open_plugins(c, false, OPENVPN_PLUGIN_INIT_PRE_DAEMON);
4512 }
4513#endif
4514
4515 /* should we enable fast I/O? */
4516 if (c->mode == CM_P2P || c->mode == CM_TOP)
4517 {
4518 do_setup_fast_io(c);
4519 }
4520
4521 /* should we throw a signal on TLS errors? */
4522 do_signal_on_tls_errors(c);
4523
4524 /* open --status file */
4525 if (c->mode == CM_P2P || c->mode == CM_TOP)
4526 {
4527 do_open_status_output(c);
4528 }
4529
4530 /* open --ifconfig-pool-persist file */
4531 if (c->mode == CM_TOP)
4532 {
4533 do_open_ifconfig_pool_persist(c);
4534 }
4535
4536 /* reset OCC state */
4537 if (c->mode == CM_P2P || child)
4538 {
4539 c->c2.occ_op = occ_reset_op();
4540 }
4541
4542 /* our wait-for-i/o objects, different for posix vs. win32 */
4543 if (c->mode == CM_P2P || c->mode == CM_TOP)
4544 {
4545 do_event_set_init(c, SHAPER_DEFINED(&c->options));
4546 }
4547 else if (c->mode == CM_CHILD_TCP)
4548 {
4549 do_event_set_init(c, false);
4550 }
4551
4552 /* initialize HTTP or SOCKS proxy object at scope level 2 */
4553 init_proxy(c);
4554
4555 /* allocate our socket object */
4556 if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
4557 {
4558 do_link_socket_new(c);
4559 }
4560
4561#ifdef ENABLE_FRAGMENT
4562 /* initialize internal fragmentation object */
4563 if (options->ce.fragment && (c->mode == CM_P2P || child))
4564 {
4565 c->c2.fragment = fragment_init(&c->c2.frame);
4566 }
4567#endif
4568
4569 /* init crypto layer */
4570 {
4571 unsigned int crypto_flags = 0;
4572 if (c->mode == CM_TOP)
4573 {
4574 crypto_flags = CF_INIT_TLS_AUTH_STANDALONE;
4575 }
4576 else if (c->mode == CM_P2P)
4577 {
4578 crypto_flags = CF_LOAD_PERSISTED_PACKET_ID | CF_INIT_TLS_MULTI;
4579 }
4580 else if (child)
4581 {
4582 crypto_flags = CF_INIT_TLS_MULTI;
4583 }
4584 do_init_crypto(c, crypto_flags);
4585 if (IS_SIG(c) && !child)
4586 {
4587 goto sig;
4588 }
4589 }
4590
4591#ifdef USE_COMP
4592 /* initialize compression library. */
4593 if (comp_enabled(&options->comp) && (c->mode == CM_P2P || child))
4594 {
4595 c->c2.comp_context = comp_init(&options->comp);
4596 }
4597#endif
4598
4599 /* initialize MTU variables */
4600 do_init_frame(c);
4601
4602 /* initialize TLS MTU variables */
4603 do_init_frame_tls(c);
4604
4605 /* init workspace buffers whose size is derived from frame size */
4606 if (c->mode == CM_P2P || c->mode == CM_CHILD_TCP)
4607 {
4608 do_init_buffers(c);
4609 }
4610
4611#ifdef ENABLE_FRAGMENT
4612 /* initialize internal fragmentation capability with known frame size */
4613 if (options->ce.fragment && (c->mode == CM_P2P || child))
4614 {
4615 do_init_fragment(c);
4616 }
4617#endif
4618
4619 /* bind the TCP/UDP socket */
4620 if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
4621 {
4622 do_init_socket_phase1(c);
4623 }
4624
4625 /* initialize tun/tap device object,
4626 * open tun/tap device, ifconfig, run up script, etc. */
4627 if (!(options->up_delay || PULL_DEFINED(options)) && (c->mode == CM_P2P || c->mode == CM_TOP))
4628 {
4629 int error_flags = 0;
4630 c->c2.did_open_tun = do_open_tun(c, &error_flags);
4631 }
4632
4633 /* print MTU info */
4634 do_print_data_channel_mtu_parms(c);
4635
4636 /* get local and remote options compatibility strings */
4637 if (c->mode == CM_P2P || child)
4638 {
4639 do_compute_occ_strings(c);
4640 }
4641
4642 /* initialize output speed limiter */
4643 if (c->mode == CM_P2P)
4644 {
4645 do_init_traffic_shaper(c);
4646 }
4647
4648 /* do one-time inits, and possibly become a daemon here */
4649 do_init_first_time(c);
4650
4651#ifdef ENABLE_PLUGIN
4652 /* initialize plugins */
4653 if (c->mode == CM_P2P || c->mode == CM_TOP)
4654 {
4655 open_plugins(c, false, OPENVPN_PLUGIN_INIT_POST_DAEMON);
4656 }
4657#endif
4658
4659 /* initialise connect timeout timer */
4660 do_init_server_poll_timeout(c);
4661
4662 /* finalize the TCP/UDP socket */
4663 if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
4664 {
4665 do_init_socket_phase2(c);
4666
4667
4668 /* Update dynamic frame calculation as exact transport socket information
4669 * (IP vs IPv6) may be only available after socket phase2 has finished.
4670 * This is only needed for --static or no crypto, NCP will recalculate this
4671 * in tls_session_update_crypto_params (P2MP) */
4672 for (int i = 0; i < c->c1.link_sockets_num; i++)
4673 {
4674 frame_calculate_dynamic(&c->c2.frame, &c->c1.ks.key_type, &c->options,
4675 &c->c2.link_sockets[i]->info);
4676 }
4677 }
4678
4679 /*
4680 * Actually do UID/GID downgrade, and chroot, if requested.
4681 * May be delayed by --client, --pull, or --up-delay.
4682 */
4683 do_uid_gid_chroot(c, c->c2.did_open_tun);
4684
4685 /* initialize timers */
4686 if (c->mode == CM_P2P || child)
4687 {
4688 do_init_timers(c, false);
4689 }
4690
4691#ifdef ENABLE_PLUGIN
4692 /* initialize plugins */
4693 if (c->mode == CM_P2P || c->mode == CM_TOP)
4694 {
4695 open_plugins(c, false, OPENVPN_PLUGIN_INIT_POST_UID_CHANGE);
4696 }
4697#endif
4698
4699#if PORT_SHARE
4700 /* share OpenVPN port with foreign (such as HTTPS) server */
4701 if (c->first_time && (c->mode == CM_P2P || c->mode == CM_TOP))
4702 {
4703 init_port_share(c);
4704 }
4705#endif
4706
4707 /* Check for signals */
4708 if (IS_SIG(c))
4709 {
4710 goto sig;
4711 }
4712
4713 return;
4714
4715sig:
4716 if (!c->sig->signal_text)
4717 {
4718 c->sig->signal_text = "init_instance";
4719 }
4720 close_context(c, -1, flags);
4721 return;
4722}
4723
4724/*
4725 * Initialize a tunnel instance, handle pre and post-init
4726 * signal settings.
4727 */
4728void
4729init_instance_handle_signals(struct context *c, const struct env_set *env, const unsigned int flags)
4730{
4731 pre_init_signal_catch();
4732 init_instance(c, env, flags);
4733 post_init_signal_catch();
4734
4735 /*
4736 * This is done so that signals thrown during
4737 * initialization can bring us back to
4738 * a management hold.
4739 */
4740 if (IS_SIG(c))
4741 {
4742 remap_signal(c);
4743 uninit_management_callback();
4744 }
4745}
4746
4747/*
4748 * Close a tunnel instance.
4749 */
4750void
4751close_instance(struct context *c)
4752{
4753 /* close event objects */
4754 do_close_event_set(c);
4755
4756 if (c->mode == CM_P2P || c->mode == CM_CHILD_TCP || c->mode == CM_CHILD_UDP
4757 || c->mode == CM_TOP)
4758 {
4759#ifdef USE_COMP
4760 if (c->c2.comp_context)
4761 {
4762 comp_uninit(c->c2.comp_context);
4763 c->c2.comp_context = NULL;
4764 }
4765#endif
4766
4767 /* free buffers */
4768 do_close_free_buf(c);
4769
4770 /* close peer for DCO if enabled, needs peer-id so must be done before
4771 * closing TLS contexts */
4772 dco_remove_peer(c);
4773
4774 /* close TLS */
4775 do_close_tls(c);
4776
4777 /* free key schedules */
4778 do_close_free_key_schedule(c, (c->mode == CM_P2P || c->mode == CM_TOP));
4779
4780 /* close TCP/UDP connection */
4781 do_close_link_socket(c);
4782
4783 /* close TUN/TAP device */
4784 do_close_tun(c, false);
4785
4786#ifdef ENABLE_MANAGEMENT
4787 if (management)
4788 {
4789 management_notify_client_close(management, &c->c2.mda_context, NULL);
4790 }
4791#endif
4792
4793#ifdef ENABLE_PLUGIN
4794 /* call plugin close functions and unload */
4795 do_close_plugins(c);
4796#endif
4797
4798 /* close packet-id persistence file */
4799 do_close_packet_id(c);
4800
4801 /* close --status file */
4802 do_close_status_output(c);
4803
4804#ifdef ENABLE_FRAGMENT
4805 /* close fragmentation handler */
4806 do_close_fragment(c);
4807#endif
4808
4809 /* close --ifconfig-pool-persist obj */
4810 do_close_ifconfig_pool_persist(c);
4811
4812 /* free up environmental variable store */
4813 do_env_set_destroy(c);
4814
4815 /* close HTTP or SOCKS proxy */
4816 uninit_proxy(c);
4817
4818 /* garbage collect */
4819 gc_free(&c->c2.gc);
4820 }
4821}
4822
4823void
4824inherit_context_child(struct context *dest, const struct context *src, struct link_socket *sock)
4825{
4826 CLEAR(*dest);
4827
4828 /* proto_is_dgram will ASSERT(0) if proto is invalid */
4829 dest->mode = proto_is_dgram(sock->info.proto) ? CM_CHILD_UDP : CM_CHILD_TCP;
4830
4831 dest->gc = gc_new();
4832
4833 ALLOC_OBJ_CLEAR_GC(dest->sig, struct signal_info, &dest->gc);
4834
4835 /* c1 init */
4836 packet_id_persist_init(&dest->c1.pid_persist);
4837 dest->c1.link_sockets_num = 1;
4838 do_link_socket_addr_new(dest);
4839
4840 dest->c1.ks.key_type = src->c1.ks.key_type;
4841 /* inherit SSL context */
4842 dest->c1.ks.ssl_ctx = src->c1.ks.ssl_ctx;
4843 dest->c1.ks.tls_wrap_key = src->c1.ks.tls_wrap_key;
4844 dest->c1.ks.tls_auth_key_type = src->c1.ks.tls_auth_key_type;
4845 dest->c1.ks.tls_crypt_v2_server_key = src->c1.ks.tls_crypt_v2_server_key;
4846 /* inherit pre-NCP ciphers */
4847 dest->options.ciphername = src->options.ciphername;
4848 dest->options.authname = src->options.authname;
4849
4850 /* inherit auth-token */
4851 dest->c1.ks.auth_token_key = src->c1.ks.auth_token_key;
4852
4853 /* options */
4854 dest->options = src->options;
4855 dest->options.ce.proto = sock->info.proto;
4856 options_detach(&dest->options);
4857
4858 dest->c2.event_set = src->c2.event_set;
4859
4860 if (dest->mode == CM_CHILD_TCP)
4861 {
4862 /*
4863 * The CM_TOP context does the socket listen(),
4864 * and the CM_CHILD_TCP context does the accept().
4865 */
4866 dest->c2.accept_from = sock;
4867 }
4868
4869#ifdef ENABLE_PLUGIN
4870 /* inherit plugins */
4871 do_inherit_plugins(dest, src);
4872#endif
4873
4874 /* context init */
4875
4876 /* inherit tun/tap interface object now as it may be required
4877 * to initialize the DCO context in init_instance()
4878 */
4879 dest->c1.tuntap = src->c1.tuntap;
4880
4881 /* UDP inherits some extra things which TCP does not */
4882 if (dest->mode == CM_CHILD_UDP)
4883 {
4884 ASSERT(!dest->c2.link_sockets);
4885 ASSERT(dest->options.ce.local_list);
4886
4887 /* inherit buffers */
4888 dest->c2.buffers = src->c2.buffers;
4889
4890 ALLOC_ARRAY_GC(dest->c2.link_sockets, struct link_socket *, 1, &dest->gc);
4891
4892 /* inherit parent link_socket and tuntap */
4893 dest->c2.link_sockets[0] = sock;
4894
4895 ALLOC_ARRAY_GC(dest->c2.link_socket_infos, struct link_socket_info *, 1, &dest->gc);
4896 ALLOC_OBJ_GC(dest->c2.link_socket_infos[0], struct link_socket_info, &dest->gc);
4897 *dest->c2.link_socket_infos[0] = sock->info;
4898
4899 /* locally override some link_socket_info fields */
4900 dest->c2.link_socket_infos[0]->lsa = &dest->c1.link_socket_addrs[0];
4901 dest->c2.link_socket_infos[0]->connection_established = false;
4902 }
4903
4904 init_instance(dest, src->c2.es, CC_NO_CLOSE | CC_USR1_TO_HUP);
4905 if (IS_SIG(dest))
4906 {
4907 return;
4908 }
4909}
4910
4911void
4912inherit_context_top(struct context *dest, const struct context *src)
4913{
4914 /* copy parent */
4915 *dest = *src;
4916
4917 /*
4918 * CM_TOP_CLONE will prevent close_instance from freeing or closing
4919 * resources owned by the parent.
4920 *
4921 * Also note that CM_TOP_CLONE context objects are
4922 * closed by multi_top_free in multi.c.
4923 */
4924 dest->mode = CM_TOP_CLONE;
4925
4926 dest->first_time = false;
4927 dest->c0 = NULL;
4928
4929 options_detach(&dest->options);
4930 gc_detach(&dest->gc);
4931 gc_detach(&dest->c2.gc);
4932
4933 /* detach plugins */
4934 dest->plugins_owned = false;
4935
4936 dest->c2.tls_multi = NULL;
4937
4938 /* detach c1 ownership */
4939 dest->c1.tuntap_owned = false;
4940 dest->c1.status_output_owned = false;
4941 dest->c1.ifconfig_pool_persist_owned = false;
4942
4943 /* detach c2 ownership */
4944 dest->c2.event_set_owned = false;
4945 dest->c2.link_socket_owned = false;
4946 dest->c2.buffers_owned = false;
4947 dest->c2.es_owned = false;
4948
4949 dest->c2.event_set = NULL;
4950 do_event_set_init(dest, false);
4951
4952#ifdef USE_COMP
4953 dest->c2.comp_context = NULL;
4954#endif
4955}
4956
4957void
4958close_context(struct context *c, int sig, unsigned int flags)
4959{
4960 ASSERT(c);
4961 ASSERT(c->sig);
4962
4963 if (sig >= 0)
4964 {
4965 register_signal(c->sig, sig, "close_context");
4966 }
4967
4968 if (c->sig->signal_received == SIGUSR1)
4969 {
4970 if ((flags & CC_USR1_TO_HUP)
4971 || (c->sig->source == SIG_SOURCE_HARD && (flags & CC_HARD_USR1_TO_HUP)))
4972 {
4973 register_signal(c->sig, SIGHUP, "close_context usr1 to hup");
4974 }
4975 }
4976
4977 if (!(flags & CC_NO_CLOSE))
4978 {
4979 close_instance(c);
4980 }
4981
4982 if (flags & CC_GC_FREE)
4983 {
4984 context_gc_free(c);
4985 }
4986}
4987
4988/* Write our PID to a file */
4989void
4990write_pid_file(const char *filename, const char *chroot_dir)
4991{
4992 if (filename)
4993 {
4994 unsigned int pid = 0;
4995 FILE *fp = platform_fopen(filename, "w");
4996 if (!fp)
4997 {
4998 msg(M_ERR, "Open error on pid file %s", filename);
4999 return;
5000 }
5001
5002 pid = platform_getpid();
5003 fprintf(fp, "%u\n", pid);
5004 if (fclose(fp))
5005 {
5006 msg(M_ERR, "Close error on pid file %s", filename);
5007 }
5008
5009 /* remember file name so it can be deleted "out of context" later */
5010 /* (the chroot case is more complex and not handled today) */
5011 if (!chroot_dir)
5012 {
5013 saved_pid_file_name = strdup(filename);
5014 if (!saved_pid_file_name)
5015 {
5016 msg(M_FATAL, "Failed allocate memory saved_pid_file_name");
5017 }
5018 }
5019 }
5020}
5021
5022/* remove PID file on exit, called from openvpn_exit() */
5023void
5024remove_pid_file(void)
5025{
5026 if (saved_pid_file_name)
5027 {
5028 platform_unlink(saved_pid_file_name);
5029 }
5030}
5031
5032
5033/*
5034 * Do a loopback test
5035 * on the crypto subsystem.
5036 */
5037static void *
5038test_crypto_thread(void *arg)
5039{
5040 struct context *c = (struct context *)arg;
5041 const struct options *options = &c->options;
5042
5043 ASSERT(options->test_crypto);
5044 init_verb_mute(c, IVM_LEVEL_1);
5045 context_init_1(c);
5046 next_connection_entry(c);
5047 do_init_crypto_static(c, 0);
5048
5049 frame_finalize_options(c, options);
5050
5051 test_crypto(&c->c2.crypto_options, &c->c2.frame);
5052
5053 key_schedule_free(&c->c1.ks, true);
5054 packet_id_free(&c->c2.crypto_options.packet_id);
5055
5056 context_gc_free(c);
5057 return NULL;
5058}
5059
5060bool
5061do_test_crypto(const struct options *o)
5062{
5063 if (o->test_crypto)
5064 {
5065 struct context c;
5066
5067 /* print version number */
5068 msg(M_INFO, "%s", title_string);
5069
5070 context_clear(&c);
5071 c.options = *o;
5072 options_detach(&c.options);
5073 c.first_time = true;
5074 test_crypto_thread((void *)&c);
5075 return true;
5076 }
5077 return false;
5078}
argv_msg
void argv_msg(const msglvl_t msglevel, const struct argv *a)
Write the arguments stored in a struct argv via the msg() command.
Definition argv.c:242
argv_parse_cmd
void argv_parse_cmd(struct argv *argres, const char *cmdstr)
Parses a command string, tokenizes it and puts each element into a separate struct argv argument slot...
Definition argv.c:481
argv_free
void argv_free(struct argv *a)
Frees all memory allocations allocated by the struct argv related functions.
Definition argv.c:101
argv_printf
bool argv_printf(struct argv *argres, const char *format,...)
printf() variant which populates a struct argv.
Definition argv.c:438
argv_printf_cat
bool argv_printf_cat(struct argv *argres, const char *format,...)
printf() inspired argv concatenation.
Definition argv.c:462
argv_new
struct argv argv_new(void)
Allocates a new struct argv and ensures it is initialised.
Definition argv.c:87
auth_token_write_server_key_file
void auth_token_write_server_key_file(const char *filename)
Generate a auth-token server secret key, and write to file.
Definition auth_token.c:118
auth_token_init_secret
void auth_token_init_secret(struct key_ctx *key_ctx, const char *key_file, bool key_inline)
Loads an HMAC secret from a file or if no file is present generates a epheremal secret for the run ti...
Definition auth_token.c:124
auth_token.h
free_buf
void free_buf(struct buffer *buf)
Definition buffer.c:184
buf_clear
void buf_clear(struct buffer *buf)
Definition buffer.c:163
buf_printf
bool buf_printf(struct buffer *buf, const char *format,...)
Definition buffer.c:241
string_clear
void string_clear(char *str)
Definition buffer.c:691
alloc_buf_gc
struct buffer alloc_buf_gc(size_t size, struct gc_arena *gc)
Definition buffer.c:89
alloc_buf
struct buffer alloc_buf(size_t size)
Definition buffer.c:63
string_alloc
char * string_alloc(const char *str, struct gc_arena *gc)
Definition buffer.c:649
gc_detach
static void gc_detach(struct gc_arena *a)
Definition buffer.h:1011
BSTR
#define BSTR(buf)
Definition buffer.h:128
ALLOC_ARRAY_GC
#define ALLOC_ARRAY_GC(dptr, type, n, gc)
Definition buffer.h:1063
ALLOC_ARRAY_CLEAR_GC
#define ALLOC_ARRAY_CLEAR_GC(dptr, type, n, gc)
Definition buffer.h:1074
gc_init
static void gc_init(struct gc_arena *a)
Definition buffer.h:1004
buf_set_write
static void buf_set_write(struct buffer *buf, uint8_t *data, int size)
Definition buffer.h:331
buf_len
static int buf_len(const struct buffer *buf)
Definition buffer.h:253
ALLOC_OBJ_CLEAR_GC
#define ALLOC_OBJ_CLEAR_GC(dptr, type, gc)
Definition buffer.h:1089
ALLOC_OBJ_GC
#define ALLOC_OBJ_GC(dptr, type, gc)
Definition buffer.h:1084
strncpynt
static void strncpynt(char *dest, const char *src, size_t maxlen)
Definition buffer.h:361
check_malloc_return
static void check_malloc_return(void *p)
Definition buffer.h:1095
gc_free
static void gc_free(struct gc_arena *a)
Definition buffer.h:1025
ALLOC_OBJ_CLEAR
#define ALLOC_OBJ_CLEAR(dptr, type)
Definition buffer.h:1052
gc_new
static struct gc_arena gc_new(void)
Definition buffer.h:1017
PUSH_BUNDLE_SIZE
#define PUSH_BUNDLE_SIZE
Definition common.h:89
check_compression_settings_valid
bool check_compression_settings_valid(struct compress_options *info, msglvl_t msglevel)
Checks if the compression settings are valid.
Definition comp.c:162
basename
char * basename(char *filename)
Definition compat-basename.c:36
daemon
int daemon(int nochdir, int noclose)
Definition compat-daemon.c:50
free_key_ctx_bi
void free_key_ctx_bi(struct key_ctx_bi *ctx)
Definition crypto.c:1093
get_random
long int get_random(void)
Definition crypto.c:1717
init_key_type
void init_key_type(struct key_type *kt, const char *ciphername, const char *authname, bool tls_mode, bool warn)
Initialize a key_type structure with.
Definition crypto.c:868
write_key_file
int write_key_file(const int nkeys, const char *filename)
Write nkeys 1024-bits keys to file.
Definition crypto.c:1537
crypto_max_overhead
unsigned int crypto_max_overhead(void)
Return the worst-case OpenVPN crypto overhead (in bytes)
Definition crypto.c:843
test_crypto
void test_crypto(struct crypto_options *co, struct frame *frame)
Definition crypto.c:1192
crypto_read_openvpn_key
void crypto_read_openvpn_key(const struct key_type *key_type, struct key_ctx_bi *ctx, const char *key_file, bool key_inline, const int key_direction, const char *key_name, const char *opt_name, struct key2 *keydata)
Definition crypto.c:1283
free_key_ctx
void free_key_ctx(struct key_ctx *ctx)
Definition crypto.c:1074
CO_PACKET_ID_LONG_FORM
#define CO_PACKET_ID_LONG_FORM
Bit-flag indicating whether to use OpenVPN's long packet ID format.
Definition crypto.h:345
CO_USE_TLS_KEY_MATERIAL_EXPORT
#define CO_USE_TLS_KEY_MATERIAL_EXPORT
Bit-flag indicating that data channel key derivation is done using TLS keying material export [RFC570...
Definition crypto.h:357
CO_USE_DYNAMIC_TLS_CRYPT
#define CO_USE_DYNAMIC_TLS_CRYPT
Bit-flag indicating that renegotiations are using tls-crypt with a TLS-EKM derived key.
Definition crypto.h:373
CO_EPOCH_DATA_KEY_FORMAT
#define CO_EPOCH_DATA_KEY_FORMAT
Bit-flag indicating the epoch the data format.
Definition crypto.h:377
CO_MUTE_REPLAY_WARNINGS
#define CO_MUTE_REPLAY_WARNINGS
Bit-flag indicating not to display replay warnings.
Definition crypto.h:354
CO_FORCE_TLSCRYPTV2_COOKIE
#define CO_FORCE_TLSCRYPTV2_COOKIE
Bit-flag indicating that we do not allow clients that do not support resending the wrapped client key...
Definition crypto.h:365
CO_USE_CC_EXIT_NOTIFY
#define CO_USE_CC_EXIT_NOTIFY
Bit-flag indicating that explicit exit notifies should be sent via the control channel instead of usi...
Definition crypto.h:369
key_ctx_bi_defined
static bool key_ctx_bi_defined(const struct key_ctx_bi *key)
Definition crypto.h:644
show_available_engines
void show_available_engines(void)
Definition crypto_openssl.c:473
cipher_kt_mode_aead
bool cipher_kt_mode_aead(const char *ciphername)
Check if the supplied cipher is a supported AEAD mode cipher.
Definition crypto_openssl.c:812
show_available_ciphers
void show_available_ciphers(void)
Definition crypto_openssl.c:364
md_valid
bool md_valid(const char *digest)
Return if a message digest parameters is valid given the name of the digest.
Definition crypto_openssl.c:1041
cipher_kt_mode_ofb_cfb
bool cipher_kt_mode_ofb_cfb(const char *ciphername)
Check if the supplied cipher is a supported OFB or CFB mode cipher.
Definition crypto_openssl.c:799
md_kt_name
const char * md_kt_name(const char *mdname)
Retrieve a string describing the digest digest (e.g.
Definition crypto_openssl.c:1073
cipher_kt_name
const char * cipher_kt_name(const char *ciphername)
Retrieve a normalised string describing the cipher (e.g.
Definition crypto_openssl.c:653
crypto_init_lib_engine
void crypto_init_lib_engine(const char *engine_name)
Definition crypto_openssl.c:139
md_ctx_cleanup
void md_ctx_cleanup(md_ctx_t *ctx)
show_available_digests
void show_available_digests(void)
Definition crypto_openssl.c:432
md_ctx_free
void md_ctx_free(md_ctx_t *ctx)
DCO_DEFAULT_METRIC
#define DCO_DEFAULT_METRIC
Definition dco.h:47
dco_supports_epoch_data
static bool dco_supports_epoch_data(struct context *c)
Definition dco.h:386
dco_remove_peer
static void dco_remove_peer(struct context *c)
Definition dco.h:347
dco_check_pull_options
static bool dco_check_pull_options(msglvl_t msglevel, const struct options *o)
Definition dco.h:285
ovpn_dco_init
static bool ovpn_dco_init(struct context *c)
Definition dco.h:291
dco_p2p_add_new_peer
static int dco_p2p_add_new_peer(struct context *c)
Definition dco.h:334
run_dns_up_down
void run_dns_up_down(bool up, struct options *o, const struct tuntap *tt, struct dns_updown_runner_info *duri)
Invokes the action associated with bringing DNS up or down.
Definition dns.c:859
env_set_destroy
void env_set_destroy(struct env_set *es)
Definition env_set.c:166
setenv_int
void setenv_int(struct env_set *es, const char *name, int value)
Definition env_set.c:291
setenv_str
void setenv_str(struct env_set *es, const char *name, const char *value)
Definition env_set.c:307
env_set_inherit
void env_set_inherit(struct env_set *es, const struct env_set *src)
Definition env_set.c:262
env_set_create
struct env_set * env_set_create(struct gc_arena *gc)
Definition env_set.c:156
D_MTU_DEBUG
#define D_MTU_DEBUG
Definition errlevel.h:125
D_SHOW_OCC
#define D_SHOW_OCC
Definition errlevel.h:150
D_PUSH
#define D_PUSH
Definition errlevel.h:82
D_SHOW_NET
#define D_SHOW_NET
Definition errlevel.h:131
P2P_ERROR_DELAY_MS
#define P2P_ERROR_DELAY_MS
Definition errlevel.h:40
D_RESTART
#define D_RESTART
Definition errlevel.h:81
D_IMPORT_ERRORS
#define D_IMPORT_ERRORS
Definition errlevel.h:63
D_CLOSE
#define D_CLOSE
Definition errlevel.h:72
D_PUSH_DEBUG
#define D_PUSH_DEBUG
Definition errlevel.h:149
D_DCO
#define D_DCO
Definition errlevel.h:93
D_HANDSHAKE
#define D_HANDSHAKE
Definition errlevel.h:71
D_GENKEY
#define D_GENKEY
Definition errlevel.h:78
D_MTU_INFO
#define D_MTU_INFO
Definition errlevel.h:104
D_PUSH_ERRORS
#define D_PUSH_ERRORS
Definition errlevel.h:66
D_INIT_MEDIUM
#define D_INIT_MEDIUM
Definition errlevel.h:103
D_TLS_ERRORS
#define D_TLS_ERRORS
Definition errlevel.h:58
D_READ_WRITE
#define D_READ_WRITE
Definition errlevel.h:166
M_INFO
#define M_INFO
Definition errlevel.h:54
D_LOG_RW
#define D_LOG_RW
Definition errlevel.h:109
D_ROUTE
#define D_ROUTE
Definition errlevel.h:79
D_LINK_ERRORS
#define D_LINK_ERRORS
Definition errlevel.h:56
event_set_init
struct event_set * event_set_init(int *maxevents, unsigned int flags)
Definition event.c:1187
EVENT_METHOD_FAST
#define EVENT_METHOD_FAST
Definition event.h:81
EVENT_METHOD_US_TIMEOUT
#define EVENT_METHOD_US_TIMEOUT
Definition event.h:80
event_free
static void event_free(struct event_set *es)
Definition event.h:161
send_control_channel_string
bool send_control_channel_string(struct context *c, const char *str, msglvl_t msglevel)
Definition forward.c:397
forward.h
Interface functions to the internal and external multiplexers.
get_link_socket_info
static struct link_socket_info * get_link_socket_info(struct context *c)
Definition forward.h:333
tls_auth_standalone_init
struct tls_auth_standalone * tls_auth_standalone_init(struct tls_options *tls_options, struct gc_arena *gc)
Definition ssl.c:1188
tls_init_control_channel_frame_parameters
void tls_init_control_channel_frame_parameters(struct frame *frame, int tls_mtu)
Definition ssl.c:141
tls_multi_free
void tls_multi_free(struct tls_multi *multi, bool clear)
Cleanup a tls_multi structure and free associated memory allocations.
Definition ssl.c:1240
tls_multi_init
struct tls_multi * tls_multi_init(struct tls_options *tls_options)
Allocate and initialize a tls_multi structure.
Definition ssl.c:1159
tls_multi_init_finalize
void tls_multi_init_finalize(struct tls_multi *multi, int tls_mtu)
Finalize initialization of a tls_multi structure.
Definition ssl.c:1174
tls_auth_standalone_free
void tls_auth_standalone_free(struct tls_auth_standalone *tas)
Frees a standalone tls-auth verification object.
Definition ssl.c:1213
TM_ACTIVE
#define TM_ACTIVE
Active tls_session.
Definition ssl_common.h:545
tls_multi_init_set_options
void tls_multi_init_set_options(struct tls_multi *multi, const char *local, const char *remote)
Definition ssl.c:1229
fragment_frame_init
void fragment_frame_init(struct fragment_master *f, const struct frame *frame)
Allocate internal packet buffers for a fragment_master structure.
Definition fragment.c:125
fragment_init
struct fragment_master * fragment_init(struct frame *frame)
Allocate and initialize a fragment_master structure.
Definition fragment.c:92
fragment_free
void fragment_free(struct fragment_master *f)
Free a fragment_master structure and its internal packet buffers.
Definition fragment.c:116
tls_crypt_init_key
void tls_crypt_init_key(struct key_ctx_bi *key, struct key2 *keydata, const char *key_file, bool key_inline, bool tls_server)
Initialize a key_ctx_bi structure for use with --tls-crypt.
Definition tls_crypt.c:60
tls_crypt_v2_init_server_key
void tls_crypt_v2_init_server_key(struct key_ctx *key_ctx, bool encrypt, const char *key_file, bool key_inline)
Initialize a tls-crypt-v2 server key (used to encrypt/decrypt client keys).
Definition tls_crypt.c:343
tls_crypt_v2_write_client_key_file
void tls_crypt_v2_write_client_key_file(const char *filename, const char *b64_metadata, const char *server_key_file, bool server_key_inline)
Generate a tls-crypt-v2 client key, and write to file.
Definition tls_crypt.c:671
tls_crypt_v2_write_server_key_file
void tls_crypt_v2_write_server_key_file(const char *filename)
Generate a tls-crypt-v2 server key, and write to file.
Definition tls_crypt.c:665
tls_crypt_buf_overhead
int tls_crypt_buf_overhead(void)
Returns the maximum overhead (in bytes) added to the destination buffer by tls_crypt_wrap().
Definition tls_crypt.c:54
tls_crypt_v2_init_client_key
void tls_crypt_v2_init_client_key(struct key_ctx_bi *key, struct key2 *original_key, struct buffer *wkc_buf, const char *key_file, bool key_inline)
Initialize a tls-crypt-v2 client key.
Definition tls_crypt.c:320
uninit_management_callback
void uninit_management_callback(void)
Definition init.c:4411
uninit_proxy
static void uninit_proxy(struct context *c)
Definition init.c:726
open_management
bool open_management(struct context *c)
Definition init.c:4358
do_init_first_time
static void do_init_first_time(struct context *c)
Definition init.c:3844
do_init_route_list
static void do_init_route_list(const struct options *options, struct route_list *route_list, const struct link_socket_info *link_socket_info, struct env_set *es, openvpn_net_ctx_t *ctx)
Definition init.c:1437
do_init_tls_wrap_key
static void do_init_tls_wrap_key(struct context *c)
Definition init.c:3048
management_callback_remote_cmd
static bool management_callback_remote_cmd(void *arg, const char **p)
Definition init.c:363
do_genkey
bool do_genkey(const struct options *options)
Definition init.c:1004
next_connection_entry
static void next_connection_entry(struct context *c)
Definition init.c:514
can_preserve_tun
static bool can_preserve_tun(struct tuntap *tt)
Definition init.c:1748
initialization_sequence_completed
void initialization_sequence_completed(struct context *c, const unsigned int flags)
Definition init.c:1528
open_plugins
void open_plugins(struct context *c, const bool import_options, int init_point)
Definition init.c:4195
do_setup_fast_io
static void do_setup_fast_io(struct context *c)
Definition init.c:4150
tls_print_deferred_options_results
static void tls_print_deferred_options_results(struct context *c)
Prints the results of options imported for the data channel.
Definition init.c:2181
saved_pid_file_name
static const char * saved_pid_file_name
Definition init.c:61
init_verb_mute
void init_verb_mute(struct context *c, unsigned int flags)
Definition init.c:932
do_uid_gid_chroot
static void do_uid_gid_chroot(struct context *c, bool no_delay)
Definition init.c:1186
format_common_name
const char * format_common_name(struct context *c, struct gc_arena *gc)
Definition init.c:1262
do_close_link_socket
static void do_close_link_socket(struct context *c)
Definition init.c:3941
management_callback_remote_entry_count
static unsigned int management_callback_remote_entry_count(void *arg)
Definition init.c:319
do_signal_on_tls_errors
static void do_signal_on_tls_errors(struct context *c)
Definition init.c:4170
do_init_crypto_static
static void do_init_crypto_static(struct context *c, const unsigned int flags)
Definition init.c:3004
key_schedule_free
static void key_schedule_free(struct key_schedule *ks, bool free_ssl_ctx)
Definition init.c:2964
do_init_tun
static void do_init_tun(struct context *c)
Definition init.c:1703
do_option_warnings
static void do_option_warnings(struct context *c)
Definition init.c:3560
do_link_socket_addr_new
static void do_link_socket_addr_new(struct context *c)
Definition init.c:732
close_instance
void close_instance(struct context *c)
Definition init.c:4751
do_init_route_ipv6_list
static void do_init_route_ipv6_list(const struct options *options, struct route_ipv6_list *route_ipv6_list, const struct link_socket_info *link_socket_info, struct env_set *es, openvpn_net_ctx_t *ctx)
Definition init.c:1476
do_init_frame
static void do_init_frame(struct context *c)
Definition init.c:3514
persist_client_stats
void persist_client_stats(struct context *c)
Definition init.c:4422
inherit_context_top
void inherit_context_top(struct context *dest, const struct context *src)
Definition init.c:4912
ce_management_query_proxy
static bool ce_management_query_proxy(struct context *c)
Definition init.c:246
do_init_crypto
static void do_init_crypto(struct context *c, const unsigned int flags)
Definition init.c:3497
do_init_frame_tls
static void do_init_frame_tls(struct context *c)
Definition init.c:3452
do_init_traffic_shaper
static void do_init_traffic_shaper(struct context *c)
Definition init.c:1403
route_noexec_enabled
static bool route_noexec_enabled(const struct options *o, const struct tuntap *tt)
Determine if external route commands should be executed based on configured options and backend drive...
Definition init.c:1638
ifconfig_noexec_enabled
static bool ifconfig_noexec_enabled(const struct context *c)
Determines if ifconfig execution should be disabled because of a.
Definition init.c:1815
clear_remote_addrlist
static void clear_remote_addrlist(struct link_socket_addr *lsa, bool free)
Definition init.c:500
do_test_crypto
bool do_test_crypto(const struct options *o)
Definition init.c:5061
do_print_data_channel_mtu_parms
static void do_print_data_channel_mtu_parms(struct context *c)
Definition init.c:3800
init_plugins
void init_plugins(struct context *c)
Definition init.c:4185
free_context_buffers
void free_context_buffers(struct context_buffers *b)
Definition init.c:3681
init_crypto_pre
static void init_crypto_pre(struct context *c, const unsigned int flags)
Definition init.c:2976
do_init_timers
static void do_init_timers(struct context *c, bool deferred)
Definition init.c:1320
context_clear
static void context_clear(struct context *c)
Definition init.c:75
context_clear_1
static void context_clear_1(struct context *c)
Definition init.c:81
CF_LOAD_PERSISTED_PACKET_ID
#define CF_LOAD_PERSISTED_PACKET_ID
Definition init.c:66
do_alloc_route_list
static void do_alloc_route_list(struct context *c)
Definition init.c:1419
do_close_status_output
static void do_close_status_output(struct context *c)
Definition init.c:4076
do_event_set_init
static void do_event_set_init(struct context *c, bool need_us_timeout)
Definition init.c:4031
static_context
static struct context * static_context
Definition init.c:60
do_init_fragment
static void do_init_fragment(struct context *c)
Definition init.c:3718
CF_INIT_TLS_MULTI
#define CF_INIT_TLS_MULTI
Definition init.c:67
context_init_1
void context_init_1(struct context *c)
Definition init.c:739
test_crypto_thread
static void * test_crypto_thread(void *arg)
Definition init.c:5038
pre_setup
void pre_setup(const struct options *options)
Definition init.c:1273
do_link_socket_new
static void do_link_socket_new(struct context *c)
Definition init.c:3739
do_close_free_key_schedule
static void do_close_free_key_schedule(struct context *c, bool free_ssl_ctx)
Definition init.c:3919
management_callback_proxy_cmd
static bool management_callback_proxy_cmd(void *arg, const char **p)
Definition init.c:200
del_wfp_block
static void del_wfp_block(struct context *c, unsigned long adapter_index)
Remove any WFP block filters previously added.
Definition init.c:1796
reset_coarse_timers
void reset_coarse_timers(struct context *c)
Definition init.c:1296
do_open_ifconfig_pool_persist
static void do_open_ifconfig_pool_persist(struct context *c)
Definition init.c:4093
do_close_ifconfig_pool_persist
static void do_close_ifconfig_pool_persist(struct context *c)
Definition init.c:4105
do_close_tun
static void do_close_tun(struct context *c, bool force)
Definition init.c:2031
init_management
void init_management(void)
Definition init.c:4349
uninit_static
void uninit_static(void)
Definition init.c:914
init_instance_handle_signals
void init_instance_handle_signals(struct context *c, const struct env_set *env, const unsigned int flags)
Definition init.c:4729
do_update
bool do_update(struct context *c, unsigned int option_types_found)
A simplified version of the do_up() function.
Definition init.c:2467
do_init_crypto_tls
static void do_init_crypto_tls(struct context *c, const unsigned int flags)
Definition init.c:3215
write_pid_file
void write_pid_file(const char *filename, const char *chroot_dir)
Definition init.c:4990
context_gc_free
void context_gc_free(struct context *c)
Definition init.c:790
socket_restart_pause
static void socket_restart_pause(struct context *c)
Definition init.c:2763
do_open_status_output
static void do_open_status_output(struct context *c)
Definition init.c:4064
init_options_dev
void init_options_dev(struct options *options)
Definition init.c:955
do_close_free_buf
static void do_close_free_buf(struct context *c)
Definition init.c:3878
init_query_passwords
void init_query_passwords(const struct context *c)
Query for private key and auth-user-pass username/passwords.
Definition init.c:644
do_deferred_options
bool do_deferred_options(struct context *c, const unsigned int found, const bool is_update)
Definition init.c:2581
inherit_context_child
void inherit_context_child(struct context *dest, const struct context *src, struct link_socket *sock)
Definition init.c:4824
do_compute_occ_strings
static void do_compute_occ_strings(struct context *c)
Definition init.c:3815
context_clear_2
void context_clear_2(struct context *c)
Definition init.c:87
do_close_fragment
static void do_close_fragment(struct context *c)
Definition init.c:4016
update_options_ce_post
static void update_options_ce_post(struct options *options)
Definition init.c:182
do_init_crypto_none
static void do_init_crypto_none(struct context *c)
Definition init.c:3482
management_callback_status_p2p
static void management_callback_status_p2p(void *arg, const int version, struct status_output *so)
Definition init.c:4254
remove_pid_file
void remove_pid_file(void)
Definition init.c:5024
add_delim_if_non_empty
static void add_delim_if_non_empty(struct buffer *buf, const char *header)
Helper function for tls_print_deferred_options_results Adds the ", " delimitor if there already some ...
Definition init.c:2167
print_openssl_info
bool print_openssl_info(const struct options *options)
Definition init.c:966
close_context
void close_context(struct context *c, int sig, unsigned int flags)
Definition init.c:4958
ce_management_query_remote
static bool ce_management_query_remote(struct context *c)
Definition init.c:413
open_tun_backend
static void open_tun_backend(struct context *c)
Definition init.c:1823
do_close_event_set
static void do_close_event_set(struct context *c)
Definition init.c:4049
do_persist_tuntap
bool do_persist_tuntap(struct options *options, openvpn_net_ctx_t *ctx)
Definition init.c:1085
do_hold
static bool do_hold(int holdtime)
Definition init.c:2744
do_up
bool do_up(struct context *c, bool pulled_options, unsigned int option_types_found)
Definition init.c:2332
tun_abort
void tun_abort(void)
Definition init.c:2135
do_init_server_poll_timeout
static void do_init_server_poll_timeout(struct context *c)
Definition init.c:1307
do_close_plugins
static void do_close_plugins(struct context *c)
Definition init.c:4229
do_init_socket_phase1
static void do_init_socket_phase1(struct context *c)
Definition init.c:3756
init_instance
static void init_instance(struct context *c, const struct env_set *env, const unsigned int flags)
Definition init.c:4436
init_static
bool init_static(void)
Definition init.c:828
do_init_crypto_tls_c1
static void do_init_crypto_tls_c1(struct context *c)
Definition init.c:3120
frame_finalize_options
static void frame_finalize_options(struct context *c, const struct options *o)
Definition init.c:2883
uninit_proxy_dowork
static void uninit_proxy_dowork(struct context *c)
Definition init.c:671
options_hash_changed_or_zero
static bool options_hash_changed_or_zero(const struct sha256_digest *a, const struct sha256_digest *b)
Helper for do_up().
Definition init.c:2154
add_wfp_block
static void add_wfp_block(struct context *c)
Add WFP filters to block traffic to local networks.
Definition init.c:1770
do_close_tun_simple
static void do_close_tun_simple(struct context *c)
Definition init.c:2001
do_inherit_plugins
static void do_inherit_plugins(struct context *c, const struct context *src)
Definition init.c:4240
run_up_down
static void run_up_down(const char *command, const struct plugin_list *plugins, int plugin_type, const char *arg, DWORD adapter_index, const char *dev_type, int tun_mtu, const char *ifconfig_local, const char *ifconfig_remote, const char *context, const char *signal_text, const char *script_type, struct env_set *es)
Definition init.c:107
do_init_socket_phase2
static void do_init_socket_phase2(struct context *c)
Definition init.c:3788
possibly_become_daemon
bool possibly_become_daemon(const struct options *options)
Definition init.c:1144
management_callback_remote_entry_get
static bool management_callback_remote_entry_get(void *arg, unsigned int index, char **remote)
Definition init.c:329
init_connection_list
static void init_connection_list(struct context *c)
Definition init.c:474
init_proxy_dowork
static void init_proxy_dowork(struct context *c)
Definition init.c:688
do_close_packet_id
static void do_close_packet_id(struct context *c)
Definition init.c:4001
do_startup_pause
static void do_startup_pause(struct context *c)
Definition init.c:2840
get_frame_mtu
static size_t get_frame_mtu(struct context *c, const struct options *o)
Definition init.c:2853
do_deferred_p2p_ncp
static bool do_deferred_p2p_ncp(struct context *c)
Definition init.c:2536
CF_INIT_TLS_AUTH_STANDALONE
#define CF_INIT_TLS_AUTH_STANDALONE
Definition init.c:68
pull_permission_mask
unsigned int pull_permission_mask(const struct context *c)
Definition init.c:2520
do_deferred_options_part2
static bool do_deferred_options_part2(struct context *c)
This function is expected to be invoked after open_tun() was performed.
Definition init.c:2309
do_env_set_destroy
static void do_env_set_destroy(struct context *c)
Definition init.c:4131
do_init_buffers
static void do_init_buffers(struct context *c)
Definition init.c:3706
init_proxy
static void init_proxy(struct context *c)
Definition init.c:720
init_management_callback_p2p
void init_management_callback_p2p(struct context *c)
Definition init.c:4323
management_callback_send_cc_message
static bool management_callback_send_cc_message(void *arg, const char *command, const char *parameters)
This method sends a custom control channel message.
Definition init.c:296
do_route
bool do_route(const struct options *options, struct route_list *route_list, struct route_ipv6_list *route_ipv6_list, const struct tuntap *tt, const struct plugin_list *plugins, struct env_set *es, openvpn_net_ctx_t *ctx)
Definition init.c:1649
do_inherit_env
static void do_inherit_env(struct context *c, const struct env_set *src)
Definition init.c:4123
context_clear_all_except_first_time
void context_clear_all_except_first_time(struct context *c)
Definition init.c:93
init_context_buffers
struct context_buffers * init_context_buffers(const struct frame *frame)
Definition init.c:3656
do_open_tun
static bool do_open_tun(struct context *c, int *error_flags)
Definition init.c:1845
do_close_tls
static void do_close_tls(struct context *c)
Definition init.c:3892
close_management
void close_management(void)
Definition init.c:4398
management_show_net_callback
void management_show_net_callback(void *arg, const msglvl_t msglevel)
Definition init.c:4261
ISC_ERRORS
#define ISC_ERRORS
Definition init.h:120
CC_GC_FREE
#define CC_GC_FREE
Definition init.h:109
IVM_LEVEL_2
#define IVM_LEVEL_2
Definition init.h:45
ISC_ROUTE_ERRORS
#define ISC_ROUTE_ERRORS
Definition init.h:122
IVM_LEVEL_1
#define IVM_LEVEL_1
Definition init.h:44
CC_USR1_TO_HUP
#define CC_USR1_TO_HUP
Definition init.h:110
BASE_N_EVENTS
#define BASE_N_EVENTS
Definition init.h:32
CC_HARD_USR1_TO_HUP
#define CC_HARD_USR1_TO_HUP
Definition init.h:111
ISC_SERVER
#define ISC_SERVER
Definition init.h:121
CC_NO_CLOSE
#define CC_NO_CLOSE
Definition init.h:112
min_int
static int min_int(int x, int y)
Definition integer.h:105
max_int
static int max_int(int x, int y)
Definition integer.h:92
status
static SERVICE_STATUS status
Definition interactive.c:51
interval_init
void interval_init(struct interval *top, int horizon, int refresh)
Definition interval.c:34
event_timeout_init
static void event_timeout_init(struct event_timeout *et, interval_t n, const time_t last)
Initialises a timer struct.
Definition interval.h:172
event_timeout_clear
static void event_timeout_clear(struct event_timeout *et)
Clears the timeout and reset all values to 0.
Definition interval.h:153
set_lladdr
int set_lladdr(openvpn_net_ctx_t *ctx, const char *ifname, const char *lladdr, const struct env_set *es)
Definition lladdr.c:17
management_pre_tunnel_close
void management_pre_tunnel_close(struct management *man)
Definition manage.c:3108
management_notify_client_close
void management_notify_client_close(struct management *management, struct man_def_auth_context *mdac, const struct env_set *es)
Definition manage.c:3026
management_clear_callback
void management_clear_callback(struct management *man)
Definition manage.c:2780
management_hold
bool management_hold(struct management *man, int holdtime)
Definition manage.c:3834
management_init
struct management * management_init(void)
Definition manage.c:2710
management_event_loop_n_seconds
void management_event_loop_n_seconds(struct management *man, int sec)
Definition manage.c:3463
management_close
void management_close(struct management *man)
Definition manage.c:2763
management_set_state
void management_set_state(struct management *man, const int state, const char *detail, const in_addr_t *tun_local_ip, const struct in6_addr *tun_local_ip6, const struct openvpn_sockaddr *local, const struct openvpn_sockaddr *remote)
Definition manage.c:2789
management_open
bool management_open(struct management *man, const char *addr, const char *port, const char *pass_file, const char *client_user, const char *client_group, const int log_history_cache, const int echo_buffer_size, const int state_buffer_size, const int remap_sigusr1, const unsigned int flags)
Definition manage.c:2724
management_notify_generic
void management_notify_generic(struct management *man, const char *str)
Definition manage.c:2940
man_persist_client_stats
void man_persist_client_stats(struct management *man, struct context *c)
Definition manage.c:4228
management_set_callback
void management_set_callback(struct management *man, const struct management_callback *cb)
Definition manage.c:2773
management_up_down
void management_up_down(struct management *man, const char *updown, const struct env_set *es)
Definition manage.c:2924
management_sleep
void management_sleep(const int n)
A sleep function that services the management layer for n seconds rather than doing nothing.
Definition manage.c:4140
management_post_tunnel_open
void management_post_tunnel_open(struct management *man, const in_addr_t tun_local_ip)
Definition manage.c:3085
management_query_remote_enabled
static bool management_query_remote_enabled(const struct management *man)
Definition manage.h:425
OPENVPN_STATE_CONNECTING
#define OPENVPN_STATE_CONNECTING
Definition manage.h:449
management_query_proxy_enabled
static bool management_query_proxy_enabled(const struct management *man)
Definition manage.h:431
OPENVPN_STATE_CONNECTED
#define OPENVPN_STATE_CONNECTED
Definition manage.h:452
MF_SERVER
#define MF_SERVER
Definition manage.h:27
set_std_files_to_null
void set_std_files_to_null(bool stdin_only)
Definition misc.c:55
GET_USER_PASS_MANAGEMENT
#define GET_USER_PASS_MANAGEMENT
Definition misc.h:110
GET_USER_PASS_NEED_OK
#define GET_USER_PASS_NEED_OK
Definition misc.h:113
get_user_pass
static bool get_user_pass(struct user_pass *up, const char *auth_file, const char *prefix, const unsigned int flags)
Retrieves the user credentials from various sources depending on the flags.
Definition misc.h:150
frame_calculate_dynamic
void frame_calculate_dynamic(struct frame *frame, struct key_type *kt, const struct options *options, struct link_socket_info *lsi)
Set the –mssfix option.
Definition mss.c:317
frame_calculate_protocol_header_size
size_t frame_calculate_protocol_header_size(const struct key_type *kt, const struct options *options, bool occ)
Calculates the size of the OpenVPN protocol header.
Definition mtu.c:61
frame_print
void frame_print(const struct frame *frame, msglvl_t msglevel, const char *prefix)
Definition mtu.c:190
TUN_MTU_MAX_MIN
#define TUN_MTU_MAX_MIN
Definition mtu.h:74
BUF_SIZE
#define BUF_SIZE(f)
Definition mtu.h:178
TUN_MTU_MIN
#define TUN_MTU_MIN
Definition mtu.h:59
np
static const char * np(const char *str)
Definition multi-auth.c:146
openvpn_net_ctx_t
void * openvpn_net_ctx_t
Definition networking.h:38
OCC_MTU_LOAD_INTERVAL_SECONDS
#define OCC_MTU_LOAD_INTERVAL_SECONDS
Definition occ.h:61
occ_reset_op
static int occ_reset_op(void)
Definition occ.h:101
OCC_INTERVAL_SECONDS
#define OCC_INTERVAL_SECONDS
Definition occ.h:45
CLEAR
#define CLEAR(x)
Definition basic.h:32
error_reset
void error_reset(void)
Definition error.c:155
set_mute_cutoff
bool set_mute_cutoff(const int cutoff)
Definition error.c:117
set_check_status
void set_check_status(unsigned int info_level, unsigned int verbose_level)
Definition error.c:609
reset_check_status
void reset_check_status(void)
Definition error.c:602
set_debug_level
bool set_debug_level(const int level, const unsigned int flags)
Definition error.c:101
M_OPTERR
#define M_OPTERR
Definition error.h:101
check_debug_level
static bool check_debug_level(msglvl_t level)
Definition error.h:259
SDL_CONSTRAIN
#define SDL_CONSTRAIN
Definition error.h:201
M_NOPREFIX
#define M_NOPREFIX
Definition error.h:98
M_USAGE
#define M_USAGE
Definition error.h:107
M_FATAL
#define M_FATAL
Definition error.h:90
set_check_status_error_delay
static void set_check_status_error_delay(unsigned int milliseconds)
Definition error.h:323
M_NONFATAL
#define M_NONFATAL
Definition error.h:91
M_ERR
#define M_ERR
Definition error.h:106
msg
#define msg(flags,...)
Definition error.h:152
msglvl_t
unsigned int msglvl_t
Definition error.h:77
ASSERT
#define ASSERT(x)
Definition error.h:219
M_WARN
#define M_WARN
Definition error.h:92
TLS_MODE
#define TLS_MODE(c)
Definition openvpn.h:542
packet_id_persist_init
static void packet_id_persist_init(struct packet_id_persist *p)
Definition openvpn.h:86
CM_P2P
#define CM_P2P
Definition openvpn.h:482
CM_TOP_CLONE
#define CM_TOP_CLONE
Definition openvpn.h:484
CM_CHILD_TCP
#define CM_CHILD_TCP
Definition openvpn.h:486
CM_CHILD_UDP
#define CM_CHILD_UDP
Definition openvpn.h:485
MAX_PEER_ID
#define MAX_PEER_ID
Definition openvpn.h:553
CM_TOP
#define CM_TOP
Definition openvpn.h:483
options_detach
void options_detach(struct options *o)
Definition options.c:1560
pre_connect_restore
void pre_connect_restore(struct options *o, struct gc_arena *gc)
Definition options.c:3169
options_string_version
const char * options_string_version(const char *s, struct gc_arena *gc)
Definition options.c:4718
title_string
const char title_string[]
Definition options.c:71
auth_retry_get
int auth_retry_get(void)
Definition options.c:4809
notnull
void notnull(const char *arg, const char *description)
Definition options.c:4949
options_string
char * options_string(const struct options *o, const struct frame *frame, struct tuntap *tt, openvpn_net_ctx_t *ctx, bool remote, struct gc_arena *gc)
Definition options.c:4368
MODE_POINT_TO_POINT
#define MODE_POINT_TO_POINT
Definition options.h:263
OPT_P_UP
#define OPT_P_UP
Definition options.h:732
CE_MAN_QUERY_REMOTE_QUERY
#define CE_MAN_QUERY_REMOTE_QUERY
Definition options.h:156
OPT_P_NCP
#define OPT_P_NCP
Negotiable crypto parameters.
Definition options.h:743
OPT_P_ECHO
#define OPT_P_ECHO
Definition options.h:751
MODE_SERVER
#define MODE_SERVER
Definition options.h:264
streq
#define streq(x, y)
Definition options.h:726
OPT_P_EXPLICIT_NOTIFY
#define OPT_P_EXPLICIT_NOTIFY
Definition options.h:750
CE_MAN_QUERY_REMOTE_SKIP
#define CE_MAN_QUERY_REMOTE_SKIP
Definition options.h:159
AR_INTERACT
#define AR_INTERACT
Definition options.h:974
OPT_P_SHAPER
#define OPT_P_SHAPER
Definition options.h:737
dco_enabled
static bool dco_enabled(const struct options *o)
Returns whether the current configuration has dco enabled.
Definition options.h:995
OPT_P_SOCKFLAGS
#define OPT_P_SOCKFLAGS
Definition options.h:757
SHAPER_DEFINED
#define SHAPER_DEFINED(opt)
Definition options.h:774
CE_MAN_QUERY_REMOTE_MOD
#define CE_MAN_QUERY_REMOTE_MOD
Definition options.h:158
CE_MAN_QUERY_PROXY
#define CE_MAN_QUERY_PROXY
Definition options.h:154
OPT_P_MESSAGES
#define OPT_P_MESSAGES
Definition options.h:742
OPT_P_SETENV
#define OPT_P_SETENV
Definition options.h:736
OPT_P_SOCKBUF
#define OPT_P_SOCKBUF
Definition options.h:756
options_string_import
void options_string_import(struct options *options, const char *config, const msglvl_t msglevel, const unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es)
Definition options_parse.c:586
CE_MAN_QUERY_REMOTE_MASK
#define CE_MAN_QUERY_REMOTE_MASK
Definition options.h:160
OPT_P_PLUGIN
#define OPT_P_PLUGIN
Definition options.h:755
OPT_P_TIMER
#define OPT_P_TIMER
Definition options.h:738
PING_RESTART
#define PING_RESTART
Definition options.h:355
RH_PORT_LEN
#define RH_PORT_LEN
Definition options.h:233
OPT_P_DEFAULT
#define OPT_P_DEFAULT
Definition options.h:764
CE_MAN_QUERY_REMOTE_SHIFT
#define CE_MAN_QUERY_REMOTE_SHIFT
Definition options.h:161
OPT_P_DHCPDNS
#define OPT_P_DHCPDNS
Definition options.h:734
OPT_P_PULL_MODE
#define OPT_P_PULL_MODE
Definition options.h:754
GENKEY_AUTH_TOKEN
@ GENKEY_AUTH_TOKEN
Definition options.h:242
GENKEY_SECRET
@ GENKEY_SECRET
Definition options.h:239
GENKEY_TLS_CRYPTV2_SERVER
@ GENKEY_TLS_CRYPTV2_SERVER
Definition options.h:241
GENKEY_TLS_CRYPTV2_CLIENT
@ GENKEY_TLS_CRYPTV2_CLIENT
Definition options.h:240
OPT_P_PUSH_MTU
#define OPT_P_PUSH_MTU
Definition options.h:761
AR_NONE
#define AR_NONE
Definition options.h:973
AR_NOINTERACT
#define AR_NOINTERACT
Definition options.h:975
RH_HOST_LEN
#define RH_HOST_LEN
Definition options.h:231
OPT_P_PERSIST
#define OPT_P_PERSIST
Definition options.h:739
MAX_PARMS
#define MAX_PARMS
Definition options.h:51
PING_UNDEF
#define PING_UNDEF
Definition options.h:353
CE_MAN_QUERY_REMOTE_ACCEPT
#define CE_MAN_QUERY_REMOTE_ACCEPT
Definition options.h:157
PULL_DEFINED
#define PULL_DEFINED(opt)
Definition options.h:766
ROUTE_OPTION_FLAGS
#define ROUTE_OPTION_FLAGS(o)
Definition options.h:769
PING_EXIT
#define PING_EXIT
Definition options.h:354
OPT_P_COMP
#define OPT_P_COMP
Definition options.h:741
OPT_P_ROUTE_EXTRAS
#define OPT_P_ROUTE_EXTRAS
Definition options.h:753
OPT_P_PEER_ID
#define OPT_P_PEER_ID
Definition options.h:759
OPT_P_ROUTE
#define OPT_P_ROUTE
Definition options.h:733
CE_DISABLED
#define CE_DISABLED
Definition options.h:153
now
time_t now
Definition otime.c:33
update_time
static void update_time(void)
Definition otime.h:81
time_test
void time_test(void)
packet_id_persist_save
void packet_id_persist_save(struct packet_id_persist *p)
Definition packet_id.c:508
packet_id_persist_load_obj
void packet_id_persist_load_obj(const struct packet_id_persist *p, struct packet_id *pid)
Definition packet_id.c:549
packet_id_init
void packet_id_init(struct packet_id *p, int seq_backtrack, int time_backtrack, const char *name, int unit)
Definition packet_id.c:96
packet_id_persist_close
void packet_id_persist_close(struct packet_id_persist *p)
Definition packet_id.c:450
packet_id_free
void packet_id_free(struct packet_id *p)
Definition packet_id.c:126
packet_id_persist_load
void packet_id_persist_load(struct packet_id_persist *p, const char *filename)
Definition packet_id.c:464
PRE_PULL_INITIAL_PING_RESTART
#define PRE_PULL_INITIAL_PING_RESTART
Definition ping.h:32
platform_getpid
unsigned int platform_getpid(void)
Definition platform.c:333
platform_create_temp_file
const char * platform_create_temp_file(const char *directory, const char *prefix, struct gc_arena *gc)
Create a temporary file in directory, returns the filename of the created file.
Definition platform.c:540
platform_user_group_set
void platform_user_group_set(const struct platform_state_user *user_state, const struct platform_state_group *group_state, struct context *c)
Definition platform.c:218
platform_nice
void platform_nice(int niceval)
Definition platform.c:311
platform_user_get
bool platform_user_get(const char *username, struct platform_state_user *state)
Definition platform.c:80
platform_unlink
bool platform_unlink(const char *filename)
Definition platform.c:487
platform_fopen
FILE * platform_fopen(const char *path, const char *mode)
Definition platform.c:500
platform_chdir
int platform_chdir(const char *dir)
Definition platform.c:392
platform_mlockall
void platform_mlockall(bool print_msg)
Definition platform.c:344
platform_chroot
void platform_chroot(const char *path)
Definition platform.c:54
platform_group_get
bool platform_group_get(const char *groupname, struct platform_state_group *state)
Definition platform.c:124
plugin_list_close
void plugin_list_close(struct plugin_list *pl)
Definition plugin.c:869
plugin_return_free
void plugin_return_free(struct plugin_return *pr)
Definition plugin.c:986
plugin_list_inherit
struct plugin_list * plugin_list_inherit(const struct plugin_list *src)
Definition plugin.c:690
plugin_list_init
struct plugin_list * plugin_list_init(const struct plugin_option_list *list)
Definition plugin.c:764
plugin_return_get_column
void plugin_return_get_column(const struct plugin_return *src, struct plugin_return *dest, const char *colname)
Definition plugin.c:972
plugin_defined
bool plugin_defined(const struct plugin_list *pl, const int type)
Definition plugin.c:904
plugin_list_open
void plugin_list_open(struct plugin_list *pl, const struct plugin_option_list *list, struct plugin_return *pr, const struct env_set *es, const int init_point)
Definition plugin.c:774
plugin_return_init
static void plugin_return_init(struct plugin_return *pr)
Definition plugin.h:163
plugin_call
static int plugin_call(const struct plugin_list *pl, const int type, const struct argv *av, struct plugin_return *pr, struct env_set *es)
Definition plugin.h:195
plugin_return_defined
static bool plugin_return_defined(const struct plugin_return *pr)
Definition plugin.h:157
ifconfig_pool_persist_init
struct ifconfig_pool_persist * ifconfig_pool_persist_init(const char *filename, int refresh_freq)
Definition pool.c:538
ifconfig_pool_persist_close
void ifconfig_pool_persist_close(struct ifconfig_pool_persist *persist)
Definition pool.c:560
TOP_NET30
#define TOP_NET30
Definition proto.h:41
DEV_TYPE_TUN
#define DEV_TYPE_TUN
Definition proto.h:35
TOP_P2P
#define TOP_P2P
Definition proto.h:42
http_proxy_close
void http_proxy_close(struct http_proxy_info *hp)
Definition proxy.c:553
http_proxy_new
struct http_proxy_info * http_proxy_new(const struct http_proxy_options *o)
Definition proxy.c:488
init_http_proxy_options_once
struct http_proxy_options * init_http_proxy_options_once(struct http_proxy_options **hpo, struct gc_arena *gc)
Definition proxy.c:45
PAR_NCT
#define PAR_NCT
Definition proxy.h:51
PAR_ALL
#define PAR_ALL
Definition proxy.h:50
add_routes
bool add_routes(struct route_list *rl, struct route_ipv6_list *rl6, const struct tuntap *tt, unsigned int flags, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition route.c:1097
setenv_routes_ipv6
void setenv_routes_ipv6(struct env_set *es, const struct route_ipv6_list *rl6)
Definition route.c:1400
block_local_needed
bool block_local_needed(const struct route_list *rl)
Get the decision whether to block traffic to local networks while the VPN is connected.
Definition route.c:596
init_route_ipv6_list
bool init_route_ipv6_list(struct route_ipv6_list *rl6, const struct route_ipv6_option_list *opt6, const char *remote_endpoint, int default_metric, const struct in6_addr *remote_host_ipv6, struct env_set *es, openvpn_net_ctx_t *ctx)
Definition route.c:748
add_route_ipv6_to_option_list
void add_route_ipv6_to_option_list(struct route_ipv6_option_list *l, const char *prefix, const char *gateway, const char *metric, int table_id)
Definition route.c:507
init_route_list
bool init_route_list(struct route_list *rl, const struct route_option_list *opt, const char *remote_endpoint, int default_metric, in_addr_t remote_host, struct env_set *es, openvpn_net_ctx_t *ctx)
Definition route.c:604
delete_routes
void delete_routes(struct route_list *rl, struct route_ipv6_list *rl6, const struct tuntap *tt, unsigned int flags, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition route.c:1162
show_routes
void show_routes(msglvl_t msglevel)
Definition route.c:3067
setenv_routes
void setenv_routes(struct env_set *es, const struct route_list *rl)
Definition route.c:1363
route_did_redirect_default_gateway
static int route_did_redirect_default_gateway(const struct route_list *rl)
Definition route.h:424
RG_REROUTE_GW
#define RG_REROUTE_GW
Definition route.h:91
script_security
int script_security(void)
Definition run_command.c:42
run_command.h
S_FATAL
#define S_FATAL
Definition run_command.h:50
SSEC_SCRIPTS
#define SSEC_SCRIPTS
allow calling of built-in programs and user-defined scripts
Definition run_command.h:35
openvpn_run_script
static int openvpn_run_script(const struct argv *a, const struct env_set *es, const unsigned int flags, const char *hook)
Will run a script and return the exit code of the script if between 0 and 255, -1 otherwise.
Definition run_command.h:89
SSEC_PW_ENV
#define SSEC_PW_ENV
allow calling of built-in programs and user-defined scripts that may receive a password as an environ...
Definition run_command.h:38
shaper_msg
void shaper_msg(struct shaper *s)
Definition shaper.c:87
shaper_init
static void shaper_init(struct shaper *s, int bytes_per_second)
Definition shaper.h:85
post_init_signal_catch
void post_init_signal_catch(void)
Definition sig.c:421
print_status
void print_status(struct context *c, struct status_output *so)
Definition sig.c:478
pre_init_signal_catch
void pre_init_signal_catch(void)
Definition sig.c:392
remap_signal
void remap_signal(struct context *c)
Definition sig.c:588
signal_description
const char * signal_description(const int signum, const char *sigtext)
Definition sig.c:105
restore_signal_state
void restore_signal_state(void)
Definition sig.c:460
register_signal
void register_signal(struct signal_info *si, int signum, const char *signal_text)
Register a soft signal in the signal_info struct si respecting priority.
Definition sig.c:228
IS_SIG
#define IS_SIG(c)
Definition sig.h:47
SIG_SOURCE_HARD
#define SIG_SOURCE_HARD
Definition sig.h:30
link_socket_init_phase1
void link_socket_init_phase1(struct context *c, int sock_index, int mode)
Definition socket.c:1378
link_socket_init_phase2
void link_socket_init_phase2(struct context *c, struct link_socket *sock)
Definition socket.c:1721
link_socket_update_buffer_sizes
void link_socket_update_buffer_sizes(struct link_socket *sock, int rcvbuf, int sndbuf)
Definition socket.c:557
link_socket_current_remote_ipv6
const struct in6_addr * link_socket_current_remote_ipv6(const struct link_socket_info *info)
Definition socket.c:2035
link_socket_close
void link_socket_close(struct link_socket *sock)
Definition socket.c:1842
link_socket_current_remote
in_addr_t link_socket_current_remote(const struct link_socket_info *info)
Definition socket.c:2001
do_preresolve
void do_preresolve(struct context *c)
Definition socket.c:320
link_socket_new
struct link_socket * link_socket_new(void)
Definition socket.c:1364
link_socket_update_flags
bool link_socket_update_flags(struct link_socket *sock, unsigned int sockflags)
Definition socket.c:543
LS_MODE_TCP_ACCEPT_FROM
#define LS_MODE_TCP_ACCEPT_FROM
Definition socket.h:181
LS_MODE_DEFAULT
#define LS_MODE_DEFAULT
Definition socket.h:179
LS_MODE_TCP_LISTEN
#define LS_MODE_TCP_LISTEN
Definition socket.h:180
proto2ascii
const char * proto2ascii(int proto, sa_family_t af, bool display_form)
Definition socket_util.c:409
print_in_addr_t
const char * print_in_addr_t(in_addr_t addr, unsigned int flags, struct gc_arena *gc)
Definition socket_util.c:196
IA_EMPTY_IF_UNDEF
#define IA_EMPTY_IF_UNDEF
Definition socket_util.h:89
proto_is_udp
static bool proto_is_udp(int proto)
Returns if the protocol being used is UDP.
Definition socket_util.h:195
PROTO_UDP
@ PROTO_UDP
Definition socket_util.h:177
PROTO_TCP
@ PROTO_TCP
Definition socket_util.h:178
PROTO_TCP_CLIENT
@ PROTO_TCP_CLIENT
Definition socket_util.h:180
proto_is_tcp
static bool proto_is_tcp(int proto)
returns if the proto is a TCP variant (tcp-server, tcp-client or tcp)
Definition socket_util.h:215
proto_is_dgram
static bool proto_is_dgram(int proto)
Return if the protocol is datagram (UDP)
Definition socket_util.h:206
addr_defined
static bool addr_defined(const struct openvpn_sockaddr *addr)
Definition socket_util.h:234
socks_proxy_new
struct socks_proxy_info * socks_proxy_new(const char *server, const char *port, const char *authfile)
Definition socks.c:51
socks_proxy_close
void socks_proxy_close(struct socks_proxy_info *sp)
Definition socks.c:78
ssl_purge_auth
void ssl_purge_auth(const bool auth_user_pass_only)
Definition ssl.c:381
init_ssl
void init_ssl(const struct options *options, struct tls_root_ctx *new_ctx, bool in_chroot)
Build master SSL context object that serves for the whole of OpenVPN instantiation.
Definition ssl.c:511
pem_password_setup
void pem_password_setup(const char *auth_file)
Definition ssl.c:248
init_ssl_lib
void init_ssl_lib(void)
Definition ssl.c:225
tls_session_update_crypto_params
bool tls_session_update_crypto_params(struct tls_multi *multi, struct tls_session *session, struct options *options, struct frame *frame, struct frame *frame_fragment, struct link_socket_info *lsi, dco_context_t *dco)
Update TLS session crypto parameters (cipher and auth) and derive data channel keys based on the supp...
Definition ssl.c:1641
free_ssl_lib
void free_ssl_lib(void)
Definition ssl.c:233
auth_user_pass_setup
void auth_user_pass_setup(const char *auth_file, bool is_inline, const struct static_challenge_info *sci)
Definition ssl.c:293
enable_auth_user_pass
void enable_auth_user_pass(void)
Definition ssl.c:287
show_available_tls_ciphers
void show_available_tls_ciphers(const char *cipher_list, const char *cipher_list_tls13, const char *tls_cert_profile)
Definition ssl.c:4104
X509_USERNAME_FIELD_DEFAULT
#define X509_USERNAME_FIELD_DEFAULT
Definition ssl.h:120
TLS_MULTI_HORIZON
#define TLS_MULTI_HORIZON
Definition ssl.h:61
TLS_MULTI_REFRESH
#define TLS_MULTI_REFRESH
Definition ssl.h:60
tls_ctx_free
void tls_ctx_free(struct tls_root_ctx *ctx)
Frees the library-specific TLSv1 context.
Definition ssl_openssl.c:139
show_available_curves
void show_available_curves(void)
Show the available elliptic curves in the crypto library.
Definition ssl_openssl.c:2588
tls_ctx_initialised
bool tls_ctx_initialised(struct tls_root_ctx *ctx)
Checks whether the given TLS context is initialised.
Definition ssl_openssl.c:148
CAS_CONNECT_DONE
@ CAS_CONNECT_DONE
Definition ssl_common.h:594
CAS_RECONNECT_PENDING
@ CAS_RECONNECT_PENDING
session has already successful established (CAS_CONNECT_DONE) but has a reconnect and needs to redo s...
Definition ssl_common.h:593
check_pull_client_ncp
bool check_pull_client_ncp(struct context *c, const unsigned int found)
Checks whether the cipher negotiation is in an acceptable state and we continue to connect or should ...
Definition ssl_ncp.c:310
tls_item_in_cipher_list
bool tls_item_in_cipher_list(const char *item, const char *list)
Return true iff item is present in the colon-separated zero-terminated cipher list.
Definition ssl_ncp.c:206
get_p2p_ncp_cipher
const char * get_p2p_ncp_cipher(struct tls_session *session, const char *peer_info, struct gc_arena *gc)
Determines the best common cipher from both peers IV_CIPHER lists.
Definition ssl_ncp.c:355
ssl_ncp.h
Control Channel SSL/Data dynamic negotiation Module This file is split from ssl.h to be able to unit ...
session_id_hmac_init
hmac_ctx_t * session_id_hmac_init(void)
Definition ssl_pkt.c:451
tls_common_name
const char * tls_common_name(const struct tls_multi *multi, const bool null)
Returns the common name field for the given tunnel.
Definition ssl_verify.c:107
ssl_verify.h
Control Channel Verification Module.
VERIFY_X509_NONE
#define VERIFY_X509_NONE
Definition ssl_verify.h:68
NS_CERT_CHECK_SERVER
#define NS_CERT_CHECK_SERVER
Do not perform Netscape certificate type verification.
Definition ssl_verify.h:252
status_printf
void status_printf(struct status_output *so, const char *format,...)
Definition status.c:217
status_open
struct status_output * status_open(const char *filename, const int refresh_freq, const int msglevel, const struct virtual_output *vout, const unsigned int flags)
Definition status.c:59
status_close
bool status_close(struct status_output *so)
Definition status.c:178
STATUS_OUTPUT_WRITE
#define STATUS_OUTPUT_WRITE
Definition status.h:51
argv
Definition argv.h:35
buffer
Wrapper structure for dynamically allocated memory.
Definition buffer.h:60
buffer::len
int len
Length in bytes of the actual content within the allocated memory.
Definition buffer.h:65
connection_entry
Definition options.h:107
connection_entry::local_list
struct local_list * local_list
Definition options.h:108
connection_entry::tun_mtu_max
int tun_mtu_max
Definition options.h:129
connection_entry::connect_retry_seconds
int connect_retry_seconds
Definition options.h:119
connection_entry::tls_crypt_v2_force_cookie
bool tls_crypt_v2_force_cookie
Definition options.h:179
connection_entry::link_mtu
int link_mtu
Definition options.h:134
connection_entry::link_mtu_defined
bool link_mtu_defined
Definition options.h:135
connection_entry::tun_mtu_extra
int tun_mtu_extra
Definition options.h:132
connection_entry::connect_retry_seconds_max
int connect_retry_seconds_max
Definition options.h:120
connection_entry::mssfix
int mssfix
Definition options.h:144
connection_entry::tls_crypt_file
const char * tls_crypt_file
Definition options.h:170
connection_entry::tls_crypt_v2_file
const char * tls_crypt_v2_file
Definition options.h:175
connection_entry::tun_mtu_extra_defined
bool tun_mtu_extra_defined
Definition options.h:133
connection_entry::remote
const char * remote
Definition options.h:114
connection_entry::socks_proxy_port
const char * socks_proxy_port
Definition options.h:124
connection_entry::mssfix_encap
bool mssfix_encap
Definition options.h:146
connection_entry::http_proxy_options
struct http_proxy_options * http_proxy_options
Definition options.h:122
connection_entry::tls_crypt_file_inline
bool tls_crypt_file_inline
Definition options.h:171
connection_entry::tls_auth_file_inline
bool tls_auth_file_inline
Definition options.h:166
connection_entry::tun_mtu_defined
bool tun_mtu_defined
Definition options.h:131
connection_entry::tls_mtu
int tls_mtu
Definition options.h:136
connection_entry::explicit_exit_notification
int explicit_exit_notification
Definition options.h:150
connection_entry::socks_proxy_authfile
const char * socks_proxy_authfile
Definition options.h:125
connection_entry::remote_port
const char * remote_port
Definition options.h:113
connection_entry::fragment_encap
bool fragment_encap
Definition options.h:142
connection_entry::socks_proxy_server
const char * socks_proxy_server
Definition options.h:123
connection_entry::fragment
int fragment
Definition options.h:141
connection_entry::proto
int proto
Definition options.h:109
connection_entry::af
sa_family_t af
Definition options.h:110
connection_entry::tls_auth_file
const char * tls_auth_file
Definition options.h:165
connection_entry::tun_mtu
int tun_mtu
Definition options.h:127
connection_entry::key_direction
int key_direction
Definition options.h:167
connection_entry::tls_crypt_v2_file_inline
bool tls_crypt_v2_file_inline
Definition options.h:176
connection_entry::flags
unsigned int flags
Definition options.h:162
connection_list
Definition options.h:200
connection_list::array
struct connection_entry ** array
Definition options.h:204
connection_list::current
int current
Definition options.h:203
connection_list::len
int len
Definition options.h:202
context_0
Level 0 context containing information related to the OpenVPN process.
Definition openvpn.h:137
context_0::platform_state_group
struct platform_state_group platform_state_group
Definition openvpn.h:143
context_0::platform_state_user
struct platform_state_user platform_state_user
Definition openvpn.h:142
context_0::uid_gid_chroot_set
bool uid_gid_chroot_set
Definition openvpn.h:141
context_0::uid_gid_specified
bool uid_gid_specified
Definition openvpn.h:139
context_1::ks
struct key_schedule ks
Definition openvpn.h:164
context_1::ifconfig_pool_persist
struct ifconfig_pool_persist * ifconfig_pool_persist
Definition openvpn.h:197
context_1::http_proxy_owned
bool http_proxy_owned
Definition openvpn.h:190
context_1::status_output
struct status_output * status_output
Definition openvpn.h:185
context_1::route_list
struct route_list * route_list
List of routing information.
Definition openvpn.h:177
context_1::link_socket_addrs
struct link_socket_addr * link_socket_addrs
Local and remote addresses on the external network.
Definition openvpn.h:159
context_1::pulled_options_digest_save
struct sha256_digest pulled_options_digest_save
Hash of option strings received from the remote OpenVPN server.
Definition openvpn.h:201
context_1::link_sockets_num
int link_sockets_num
Definition openvpn.h:158
context_1::status_output_owned
bool status_output_owned
Definition openvpn.h:186
context_1::route_ipv6_list
struct route_ipv6_list * route_ipv6_list
Definition openvpn.h:182
context_1::pid_persist
struct packet_id_persist pid_persist
Definition openvpn.h:170
context_1::http_proxy
struct http_proxy_info * http_proxy
Definition openvpn.h:189
context_1::socks_proxy_owned
bool socks_proxy_owned
Definition openvpn.h:194
context_1::tuntap_owned
bool tuntap_owned
Whether the tun/tap interface should be cleaned up when this context is cleaned up.
Definition openvpn.h:173
context_1::ifconfig_pool_persist_owned
bool ifconfig_pool_persist_owned
Definition openvpn.h:198
context_1::socks_proxy
struct socks_proxy_info * socks_proxy
Definition openvpn.h:193
context_1::tuntap
struct tuntap * tuntap
Tun/tap virtual network interface.
Definition openvpn.h:172
context_2::options_string_local
char * options_string_local
Definition openvpn.h:296
context_2::fragment
struct fragment_master * fragment
Definition openvpn.h:252
context_2::do_up_ran
bool do_up_ran
Definition openvpn.h:411
context_2::options_string_remote
char * options_string_remote
Definition openvpn.h:297
context_2::route_wakeup_expire
struct event_timeout route_wakeup_expire
Definition openvpn.h:384
context_2::did_open_tun
bool did_open_tun
Definition openvpn.h:387
context_2::pulled_options_state
md_ctx_t * pulled_options_state
Definition openvpn.h:444
context_2::es_owned
bool es_owned
Definition openvpn.h:421
context_2::mda_context
struct man_def_auth_context mda_context
Definition openvpn.h:453
context_2::session_id_hmac
hmac_ctx_t * session_id_hmac
the HMAC we use to generate and verify our syn cookie like session ids from the server.
Definition openvpn.h:338
context_2::accept_from
const struct link_socket * accept_from
Definition openvpn.h:242
context_2::tls_auth_standalone
struct tls_auth_standalone * tls_auth_standalone
TLS state structure required for the initial authentication of a client's connection attempt.
Definition openvpn.h:326
context_2::occ_op
int occ_op
Definition openvpn.h:299
context_2::es
struct env_set * es
Definition openvpn.h:420
context_2::link_socket_owned
bool link_socket_owned
Definition openvpn.h:240
context_2::tls_multi
struct tls_multi * tls_multi
TLS state structure for this VPN tunnel.
Definition openvpn.h:323
context_2::frame
struct frame frame
Definition openvpn.h:248
context_2::frame_fragment
struct frame frame_fragment
Definition openvpn.h:253
context_2::crypto_options
struct crypto_options crypto_options
Security parameters and crypto state used by the Data Channel Crypto module to process data channel p...
Definition openvpn.h:349
context_2::buffers_owned
bool buffers_owned
Definition openvpn.h:368
context_2::link_sockets
struct link_socket ** link_sockets
Definition openvpn.h:237
context_2::link_socket_infos
struct link_socket_info ** link_socket_infos
Definition openvpn.h:238
context_2::log_rw
bool log_rw
Definition openvpn.h:380
context_2::event_set_max
int event_set_max
Definition openvpn.h:231
context_2::gc
struct gc_arena gc
Garbage collection arena for allocations done in the level 2 scope of this context_2 structure.
Definition openvpn.h:225
context_2::fast_io
bool fast_io
Definition openvpn.h:424
context_2::pulled_options_digest
struct sha256_digest pulled_options_digest
Definition openvpn.h:445
context_2::event_set
struct event_set * event_set
Definition openvpn.h:230
context_2::buffers
struct context_buffers * buffers
Definition openvpn.h:367
context_2::route_wakeup
struct event_timeout route_wakeup
Definition openvpn.h:383
context_2::tls_exit_signal
int tls_exit_signal
Definition openvpn.h:347
context_2::event_set_owned
bool event_set_owned
Definition openvpn.h:232
context_buffers
Definition openvpn.h:95
context_buffers::read_link_buf
struct buffer read_link_buf
Definition openvpn.h:113
context_buffers::encrypt_buf
struct buffer encrypt_buf
Definition openvpn.h:100
context_buffers::read_tun_buf
struct buffer read_tun_buf
Definition openvpn.h:114
context_buffers::decrypt_buf
struct buffer decrypt_buf
Definition openvpn.h:101
context_buffers::aux_buf
struct buffer aux_buf
Definition openvpn.h:97
context_persist
Definition openvpn.h:121
context_persist::restart_sleep_seconds
int restart_sleep_seconds
Definition openvpn.h:122
context_persist::duri
struct dns_updown_runner_info duri
Definition openvpn.h:123
context
Contains all state information for one tunnel.
Definition openvpn.h:474
context::mode
int mode
Role of this context within the OpenVPN process.
Definition openvpn.h:487
context::c0
struct context_0 * c0
Level 0 context.
Definition openvpn.h:515
context::did_we_daemonize
bool did_we_daemonize
Whether demonization has already taken place.
Definition openvpn.h:510
context::first_time
bool first_time
True on the first iteration of OpenVPN's main loop.
Definition openvpn.h:478
context::sig
struct signal_info * sig
Internal error signaling object.
Definition openvpn.h:503
context::net_ctx
openvpn_net_ctx_t net_ctx
Networking API opaque context.
Definition openvpn.h:501
context::plugins
struct plugin_list * plugins
List of plug-ins.
Definition openvpn.h:505
context::c2
struct context_2 c2
Level 2 context.
Definition openvpn.h:517
context::es
struct env_set * es
Set of environment variables.
Definition openvpn.h:499
context::options
struct options options
Options loaded from command line or configuration file.
Definition openvpn.h:475
context::plugins_owned
bool plugins_owned
Whether the plug-ins should be cleaned up when this context is cleaned up.
Definition openvpn.h:506
context::gc
struct gc_arena gc
Garbage collection arena for allocations done in the scope of this context structure.
Definition openvpn.h:495
context::c1
struct context_1 c1
Level 1 context.
Definition openvpn.h:516
context::persist
struct context_persist persist
Persistent context.
Definition openvpn.h:513
crypto_options::flags
unsigned int flags
Bit-flags determining behavior of security operation functions.
Definition crypto.h:384
crypto_options::pid_persist
struct packet_id_persist * pid_persist
Persistent packet ID state for keeping state between successive OpenVPN process startups.
Definition crypto.h:340
crypto_options::key_ctx_bi
struct key_ctx_bi key_ctx_bi
OpenSSL cipher and HMAC contexts for both sending and receiving directions.
Definition crypto.h:294
crypto_options::packet_id
struct packet_id packet_id
Current packet ID state for both sending and receiving directions.
Definition crypto.h:331
dns_updown_runner_info::required
bool required
Definition dns.h:84
env_set
Definition env_set.h:43
frame
Packet geometry parameters.
Definition mtu.h:103
frame::tun_mtu
int tun_mtu
the (user) configured tun-mtu.
Definition mtu.h:137
frame::payload_size
int payload_size
the maximum size that a payload that our buffers can hold from either tun device or network link.
Definition mtu.h:108
frame::tun_max_mtu
int tun_max_mtu
the maximum tun-mtu size the buffers are are sized for.
Definition mtu.h:147
frame::extra_tun
int extra_tun
Maximum number of bytes in excess of the tun/tap MTU that might be read from or written to the virtua...
Definition mtu.h:151
frame::headroom
int headroom
the headroom in the buffer, this is choosen to allow all potential header to be added before the pack...
Definition mtu.h:114
frame::buf
struct frame::@8 buf
frame::tailroom
int tailroom
the tailroom in the buffer.
Definition mtu.h:118
gc_arena
Garbage collection arena used to keep track of dynamically allocated memory.
Definition buffer.h:116
http_proxy_options
Definition proxy.h:45
http_proxy_options::first_time
bool first_time
Definition proxy.h:61
http_proxy_options::port
const char * port
Definition proxy.h:47
http_proxy_options::auth_retry
int auth_retry
Definition proxy.h:52
http_proxy_options::server
const char * server
Definition proxy.h:46
key_schedule
Definition openvpn.h:55
key_schedule::tls_crypt_v2_wkc
struct buffer tls_crypt_v2_wkc
Wrapped client key.
Definition openvpn.h:72
key_schedule::original_wrap_keydata
struct key2 original_wrap_keydata
original tls-crypt key preserved to xored into the tls_crypt renegotiation key
Definition openvpn.h:70
key_schedule::key_type
struct key_type key_type
Definition openvpn.h:57
key_schedule::auth_token_key
struct key_ctx auth_token_key
Definition openvpn.h:73
key_schedule::ssl_ctx
struct tls_root_ctx ssl_ctx
Definition openvpn.h:63
key_schedule::tls_auth_key_type
struct key_type tls_auth_key_type
Definition openvpn.h:66
key_schedule::tls_wrap_key
struct key_ctx_bi tls_wrap_key
Definition openvpn.h:67
key_schedule::static_key
struct key_ctx_bi static_key
Definition openvpn.h:60
key_schedule::tls_crypt_v2_server_key
struct key_ctx tls_crypt_v2_server_key
Definition openvpn.h:71
key_type::cipher
const char * cipher
const name of the cipher
Definition crypto.h:142
key_type::digest
const char * digest
Message digest static parameters.
Definition crypto.h:143
link_socket_actual
Definition socket_util.h:50
link_socket_actual::dest
struct openvpn_sockaddr dest
Definition socket_util.h:53
link_socket_addr
Definition socket.h:77
link_socket_addr::actual
struct link_socket_actual actual
Definition socket.h:82
link_socket_addr::remote_list
struct addrinfo * remote_list
Definition socket.h:79
link_socket_addr::bind_local
struct addrinfo * bind_local
Definition socket.h:78
link_socket_addr::current_remote
struct addrinfo * current_remote
Definition socket.h:80
link_socket_info
Definition socket.h:86
link_socket_info::connection_established
bool connection_established
Definition socket.h:88
link_socket_info::lsa
struct link_socket_addr * lsa
Definition socket.h:87
link_socket_info::proto
uint8_t proto
Definition socket.h:92
link_socket
Definition socket.h:148
link_socket::info
struct link_socket_info info
Definition socket.h:149
link_socket::sd
socket_descriptor_t sd
Definition socket.h:156
local_list::len
int len
Definition options.h:195
man_persist::special_state_msg
const char * special_state_msg
Definition manage.h:232
management_callback
Definition manage.h:172
management_callback::arg
void * arg
Definition manage.h:173
management_callback::status
void(* status)(void *arg, const int version, struct status_output *so)
Definition manage.h:178
management_callback::remote_entry_get
bool(* remote_entry_get)(void *arg, unsigned int index, char **remote)
Definition manage.h:198
management_callback::remote_entry_count
unsigned int(* remote_entry_count)(void *arg)
Definition manage.h:197
management_callback::send_cc_message
bool(* send_cc_message)(void *arg, const char *message, const char *parameter)
Definition manage.h:184
management_callback::proxy_cmd
bool(* proxy_cmd)(void *arg, const char **p)
Definition manage.h:192
management_callback::show_net
void(* show_net)(void *arg, const msglvl_t msglevel)
Definition manage.h:179
management_callback::flags
unsigned int flags
Definition manage.h:176
management_callback::remote_cmd
bool(* remote_cmd)(void *arg, const char **p)
Definition manage.h:193
management::persist
struct man_persist persist
Definition manage.h:333
openvpn_sockaddr
Definition socket_util.h:38
openvpn_sockaddr::addr
union openvpn_sockaddr::@27 addr
openvpn_sockaddr::sa
struct sockaddr sa
Definition socket_util.h:42
openvpn_sockaddr::in4
struct sockaddr_in in4
Definition socket_util.h:43
openvpn_sockaddr::in6
struct sockaddr_in6 in6
Definition socket_util.h:44
options::rcvbuf
int rcvbuf
Definition options.h:415
options::resolve_in_advance
bool resolve_in_advance
Definition options.h:367
options::route_nopull
bool route_nopull
Definition options.h:439
options::genkey_extra_data
const char * genkey_extra_data
Definition options.h:289
options::comp
struct compress_options comp
Definition options.h:412
options::persist_config
bool persist_config
Definition options.h:277
options::connection_list
struct connection_list * connection_list
Definition options.h:294
options::management_port
const char * management_port
Definition options.h:449
options::ifconfig_ipv6_remote
const char * ifconfig_ipv6_remote
Definition options.h:330
options::server_backoff_time
int server_backoff_time
Definition options.h:309
options::auth_token_renewal
int auth_token_renewal
Definition options.h:547
options::tmp_dir
const char * tmp_dir
Definition options.h:468
options::push_peer_info
bool push_peer_info
Definition options.h:684
options::daemon
bool daemon
Definition options.h:390
options::route_default_metric
int route_default_metric
Definition options.h:431
options::renegotiate_seconds_min
int renegotiate_seconds_min
Definition options.h:650
options::auth_token_secret_file
const char * auth_token_secret_file
Definition options.h:548
options::imported_protocol_flags
unsigned int imported_protocol_flags
Definition options.h:723
options::tls_export_peer_cert_dir
const char * tls_export_peer_cert_dir
Definition options.h:615
options::crl_file_inline
bool crl_file_inline
Definition options.h:619
options::down_script
const char * down_script
Definition options.h:385
options::verify_hash_algo
hash_algo_type verify_hash_algo
Definition options.h:625
options::replay_time
int replay_time
Definition options.h:586
options::management_state_buffer_size
int management_state_buffer_size
Definition options.h:453
options::duplicate_cn
bool duplicate_cn
Definition options.h:529
options::shaper
int shaper
Definition options.h:333
options::management_echo_buffer_size
int management_echo_buffer_size
Definition options.h:452
options::show_net_up
bool show_net_up
Definition options.h:697
options::verify_hash_no_ca
bool verify_hash_no_ca
Definition options.h:627
options::use_peer_id
bool use_peer_id
Definition options.h:703
options::remote_cert_ku
unsigned remote_cert_ku[MAX_PARMS]
Definition options.h:622
options::server_bridge_defined
bool server_bridge_defined
Definition options.h:483
options::keying_material_exporter_label
const char * keying_material_exporter_label
Definition options.h:707
options::status_file
const char * status_file
Definition options.h:405
options::ssl_flags
unsigned int ssl_flags
Definition options.h:628
options::route_noexec
bool route_noexec
Definition options.h:432
options::ifconfig_nowarn
bool ifconfig_nowarn
Definition options.h:332
options::remote_cert_eku
const char * remote_cert_eku
Definition options.h:623
options::tls_timeout
int tls_timeout
Definition options.h:644
options::test_crypto
bool test_crypto
Definition options.h:588
options::up_delay
bool up_delay
Definition options.h:388
options::server_bridge_proxy_dhcp
bool server_bridge_proxy_dhcp
Definition options.h:481
options::authname
const char * authname
Definition options.h:581
options::exit_event_name
const char * exit_event_name
Definition options.h:695
options::ifconfig_ipv6_local
const char * ifconfig_ipv6_local
Definition options.h:328
options::replay_window
int replay_window
Definition options.h:585
options::mute
int mute
Definition options.h:399
options::auth_user_pass_verify_script_via_file
bool auth_user_pass_verify_script_via_file
Definition options.h:543
options::dev_type
const char * dev_type
Definition options.h:322
options::persist_mode
int persist_mode
Definition options.h:278
options::ifconfig_pool_persist_refresh_freq
int ifconfig_pool_persist_refresh_freq
Definition options.h:495
options::show_digests
bool show_digests
Definition options.h:282
options::up_script
const char * up_script
Definition options.h:384
options::ce_advance_count
int ce_advance_count
Definition options.h:305
options::single_session
bool single_session
Definition options.h:682
options::rh_store
struct remote_host_store * rh_store
Definition options.h:315
options::verify_hash_depth
int verify_hash_depth
Definition options.h:626
options::route_delay_defined
bool route_delay_defined
Definition options.h:435
options::packet_id_file
const char * packet_id_file
Definition options.h:587
options::tls_crypt_v2_file
const char * tls_crypt_v2_file
Definition options.h:674
options::management_log_history_cache
int management_log_history_cache
Definition options.h:451
options::peer_id
uint32_t peer_id
Definition options.h:704
options::routes
struct route_option_list * routes
Definition options.h:436
options::keepalive_timeout
int keepalive_timeout
Definition options.h:342
options::fast_io
bool fast_io
Definition options.h:410
options::block_outside_dns
bool block_outside_dns
Definition options.h:699
options::tls_exit
bool tls_exit
Definition options.h:686
options::show_engines
bool show_engines
Definition options.h:283
options::msg_channel
HANDLE msg_channel
Definition options.h:694
options::key_pass_file
const char * key_pass_file
Definition options.h:280
options::mute_replay_warnings
bool mute_replay_warnings
Definition options.h:584
options::unsuccessful_attempts
unsigned int unsuccessful_attempts
Definition options.h:303
options::handshake_window
int handshake_window
Definition options.h:654
options::ifconfig_local
const char * ifconfig_local
Definition options.h:326
options::ce
struct connection_entry ce
Definition options.h:293
options::user_script_used
bool user_script_used
Definition options.h:386
options::show_tls_ciphers
bool show_tls_ciphers
Definition options.h:284
options::tuntap_options
struct tuntap_options tuntap_options
Definition options.h:370
options::verify_hash
struct verify_hash_list * verify_hash
Definition options.h:624
options::tls_cert_profile
const char * tls_cert_profile
Definition options.h:612
options::renegotiate_packets
int64_t renegotiate_packets
Definition options.h:648
options::management_flags
unsigned int management_flags
Definition options.h:461
options::route_default_gateway
const char * route_default_gateway
Definition options.h:428
options::exit_event_initial_state
bool exit_event_initial_state
Definition options.h:696
options::sc_info
struct static_challenge_info sc_info
Definition options.h:568
options::auth_token_call_auth
bool auth_token_call_auth
Definition options.h:545
options::topology
int topology
Definition options.h:325
options::disable_dco
bool disable_dco
Definition options.h:373
options::ncp_ciphers
const char * ncp_ciphers
Definition options.h:580
options::genkey
bool genkey
Definition options.h:286
options::ciphername
const char * ciphername
Definition options.h:575
options::auth_user_pass_file
const char * auth_user_pass_file
Definition options.h:561
options::username
const char * username
Definition options.h:376
options::plugin_list
struct plugin_option_list * plugin_list
Definition options.h:464
options::auth_token_lifetime
int auth_token_lifetime
Definition options.h:546
options::ns_cert_type
int ns_cert_type
Definition options.h:621
options::tls_crypt_v2_verify_script
const char * tls_crypt_v2_verify_script
Definition options.h:679
options::mode
int mode
Definition options.h:265
options::tls_server
bool tls_server
Definition options.h:594
options::auth_user_pass_verify_script
const char * auth_user_pass_verify_script
Definition options.h:542
options::connect_retry_max
int connect_retry_max
Definition options.h:292
options::pull
bool pull
Definition options.h:558
options::show_curves
bool show_curves
Definition options.h:285
options::route_ipv6_default_gateway
const char * route_ipv6_default_gateway
Definition options.h:429
options::tls_client
bool tls_client
Definition options.h:595
options::auth_token_generate
bool auth_token_generate
Definition options.h:544
options::priv_key_file_inline
bool priv_key_file_inline
Definition options.h:606
options::tls_verify
const char * tls_verify
Definition options.h:614
options::crl_file
const char * crl_file
Definition options.h:618
options::ping_rec_timeout_action
int ping_rec_timeout_action
Definition options.h:356
options::auth_user_pass_file_inline
bool auth_user_pass_file_inline
Definition options.h:562
options::show_ciphers
bool show_ciphers
Definition options.h:281
options::enable_ncp_fallback
bool enable_ncp_fallback
If defined fall back to ciphername if NCP fails.
Definition options.h:576
options::route_predown_script
const char * route_predown_script
Definition options.h:427
options::route_delay_window
int route_delay_window
Definition options.h:434
options::mlock
bool mlock
Definition options.h:339
options::sndbuf
int sndbuf
Definition options.h:416
options::gc
struct gc_arena gc
Definition options.h:256
options::down_pre
bool down_pre
Definition options.h:387
options::persist_tun
bool persist_tun
Definition options.h:358
options::route_default_table_id
int route_default_table_id
Definition options.h:430
options::auth_token_secret_file_inline
bool auth_token_secret_file_inline
Definition options.h:549
options::config
const char * config
Definition options.h:260
options::keying_material_exporter_length
int keying_material_exporter_length
Definition options.h:708
options::mtu_test
bool mtu_test
Definition options.h:337
options::verify_x509_type
int verify_x509_type
Definition options.h:616
options::cipher_list_tls13
const char * cipher_list_tls13
Definition options.h:610
options::status_file_update_freq
int status_file_update_freq
Definition options.h:407
options::management_client_user
const char * management_client_user
Definition options.h:455
options::cipher_list
const char * cipher_list
Definition options.h:609
options::ccd_exclusive
bool ccd_exclusive
Definition options.h:508
options::genkey_filename
const char * genkey_filename
Definition options.h:288
options::x509_track
const struct x509_track * x509_track
Definition options.h:688
options::chroot_dir
const char * chroot_dir
Definition options.h:378
options::log
bool log
Definition options.h:394
options::shared_secret_file_inline
bool shared_secret_file_inline
Definition options.h:572
options::renegotiate_seconds
int renegotiate_seconds
Definition options.h:649
options::ping_rec_timeout
int ping_rec_timeout
Definition options.h:350
options::sockflags
unsigned int sockflags
Definition options.h:423
options::engine
const char * engine
Definition options.h:582
options::management_addr
const char * management_addr
Definition options.h:448
options::verify_x509_name
const char * verify_x509_name
Definition options.h:617
options::ping_send_timeout
int ping_send_timeout
Definition options.h:349
options::route_delay
int route_delay
Definition options.h:433
options::dev_node
const char * dev_node
Definition options.h:323
options::client_crresponse_script
const char * client_crresponse_script
Definition options.h:506
options::routes_ipv6
struct route_ipv6_option_list * routes_ipv6
Definition options.h:437
options::key_direction
int key_direction
Definition options.h:574
options::persist_remote_ip
bool persist_remote_ip
Definition options.h:360
options::up_restart
bool up_restart
Definition options.h:389
options::keepalive_ping
int keepalive_ping
Definition options.h:341
options::no_advance
bool no_advance
Definition options.h:298
options::tls_crypt_v2_file_inline
bool tls_crypt_v2_file_inline
Definition options.h:675
options::groupname
const char * groupname
Definition options.h:377
options::cd_dir
const char * cd_dir
Definition options.h:379
options::nice
int nice
Definition options.h:397
options::transition_window
int transition_window
Definition options.h:662
options::ifconfig_remote_netmask
const char * ifconfig_remote_netmask
Definition options.h:327
options::lladdr
const char * lladdr
Definition options.h:324
options::verbosity
int verbosity
Definition options.h:398
options::windows_driver
enum tun_driver_type windows_driver
Definition options.h:700
options::remap_sigusr1
int remap_sigusr1
Definition options.h:392
options::renegotiate_bytes
int64_t renegotiate_bytes
Definition options.h:647
options::route_script
const char * route_script
Definition options.h:426
options::management_user_pass
const char * management_user_pass
Definition options.h:450
options::shared_secret_file
const char * shared_secret_file
Definition options.h:571
options::ifconfig_noexec
bool ifconfig_noexec
Definition options.h:331
options::dev
const char * dev
Definition options.h:321
options::management_client_group
const char * management_client_group
Definition options.h:456
options::client_config_dir
const char * client_config_dir
Definition options.h:507
options::genkey_type
enum genkey_type genkey_type
Definition options.h:287
options::advance_next_remote
bool advance_next_remote
Definition options.h:301
options::ifconfig_pool_persist_filename
const char * ifconfig_pool_persist_filename
Definition options.h:494
options::ifconfig_ipv6_netbits
int ifconfig_ipv6_netbits
Definition options.h:329
options::persist_local_ip
bool persist_local_ip
Definition options.h:359
plugin_list
Definition plugin.h:97
plugin_return
Definition plugin.h:104
plugin_return::n
int n
Definition plugin.h:105
plugin_return::list
struct openvpn_plugin_string_list * list[MAX_PLUGINS]
Definition plugin.h:106
remote_host_store
Definition options.h:230
remote_host_store::port
char port[RH_PORT_LEN]
Definition options.h:234
remote_host_store::host
char host[RH_HOST_LEN]
Definition options.h:232
route_ipv6_list
Definition route.h:243
route_ipv6_list::gc
struct gc_arena gc
Definition route.h:254
route_ipv6_option_list::flags
unsigned int flags
Definition route.h:113
route_ipv6_option_list::gc
struct gc_arena * gc
Definition route.h:115
route_list
Definition route.h:229
route_list::gc
struct gc_arena gc
Definition route.h:239
sha256_digest
Wrapper struct to pass around SHA256 digests.
Definition crypto.h:133
signal_info
Definition sig.h:41
signal_info::signal_text
const char * signal_text
Definition sig.h:44
signal_info::signal_received
volatile int signal_received
Definition sig.h:42
signal_info::source
volatile int source
Definition sig.h:43
status_output
Definition status.h:49
status_output::flags
unsigned int flags
Definition status.h:52
tls_auth_standalone::frame
struct frame frame
Definition ssl_pkt.h:81
tls_auth_standalone::workbuf
struct buffer workbuf
Definition ssl_pkt.h:80
tls_auth_standalone::tls_wrap
struct tls_wrap_ctx tls_wrap
Definition ssl_pkt.h:79
tls_multi::dco
dco_context_t * dco
Definition ssl_common.h:726
tls_multi::peer_info
char * peer_info
A multi-line string of general-purpose info received from peer over control channel.
Definition ssl_common.h:673
tls_multi::multi_state
enum multi_status multi_state
Definition ssl_common.h:633
tls_multi::opt
struct tls_options opt
Definition ssl_common.h:617
tls_multi::session
struct tls_session session[TM_SIZE]
Array of tls_session objects representing control channel sessions with the remote peer.
Definition ssl_common.h:712
tls_multi::peer_id
uint32_t peer_id
Definition ssl_common.h:700
tls_multi::use_peer_id
bool use_peer_id
Definition ssl_common.h:701
tls_options
Definition ssl_common.h:307
tls_options::renegotiate_bytes
int64_t renegotiate_bytes
Definition ssl_common.h:343
tls_options::auth_token_key
struct key_ctx auth_token_key
Definition ssl_common.h:408
tls_options::mode
int mode
Definition ssl_common.h:327
tls_options::auth_token_renewal
unsigned int auth_token_renewal
Definition ssl_common.h:406
tls_options::es
struct env_set * es
Definition ssl_common.h:414
tls_options::auth_token_lifetime
unsigned int auth_token_lifetime
Definition ssl_common.h:405
tls_options::gremlin
int gremlin
Definition ssl_common.h:448
tls_options::server
bool server
Definition ssl_common.h:315
tls_options::tls_wrap
struct tls_wrap_ctx tls_wrap
TLS handshake wrapping state.
Definition ssl_common.h:388
tls_options::ekm_label_size
size_t ekm_label_size
Definition ssl_common.h:452
tls_options::crypto_flags
unsigned int crypto_flags
Definition ssl_common.h:370
tls_options::remote_cert_ku
unsigned remote_cert_ku[MAX_PARMS]
Definition ssl_common.h:357
tls_options::packet_timeout
interval_t packet_timeout
Definition ssl_common.h:342
tls_options::auth_user_pass_file
const char * auth_user_pass_file
Definition ssl_common.h:398
tls_options::client_crresponse_script
const char * client_crresponse_script
Definition ssl_common.h:394
tls_options::sci
const struct static_challenge_info * sci
Definition ssl_common.h:444
tls_options::net_ctx
openvpn_net_ctx_t * net_ctx
Definition ssl_common.h:415
tls_options::tmp_dir
const char * tmp_dir
Definition ssl_common.h:396
tls_options::replay_time
int replay_time
Definition ssl_common.h:373
tls_options::renegotiate_seconds
interval_t renegotiate_seconds
Definition ssl_common.h:348
tls_options::frame
struct frame frame
Definition ssl_common.h:390
tls_options::renegotiate_packets
int64_t renegotiate_packets
Definition ssl_common.h:344
tls_options::auth_user_pass_file_inline
bool auth_user_pass_file_inline
Definition ssl_common.h:399
tls_options::verify_hash_depth
int verify_hash_depth
Definition ssl_common.h:360
tls_options::plugins
const struct plugin_list * plugins
Definition ssl_common.h:416
tls_options::client_config_dir_exclusive
const char * client_config_dir_exclusive
Definition ssl_common.h:411
tls_options::tls_crypt_v2
bool tls_crypt_v2
Definition ssl_common.h:384
tls_options::export_peer_cert_dir
const char * export_peer_cert_dir
Definition ssl_common.h:397
tls_options::verify_command
const char * verify_command
Definition ssl_common.h:351
tls_options::verify_hash
struct verify_hash_list * verify_hash
Definition ssl_common.h:359
tls_options::ekm_label
const char * ekm_label
Definition ssl_common.h:451
tls_options::ekm_size
size_t ekm_size
Definition ssl_common.h:453
tls_options::x509_username_field
char * x509_username_field[2]
Definition ssl_common.h:366
tls_options::transition_window
int transition_window
Definition ssl_common.h:340
tls_options::config_ciphername
const char * config_ciphername
Definition ssl_common.h:375
tls_options::verify_x509_type
int verify_x509_type
Definition ssl_common.h:352
tls_options::single_session
bool single_session
Definition ssl_common.h:326
tls_options::data_epoch_supported
bool data_epoch_supported
whether our underlying data channel supports new data channel features (epoch keys with AEAD tag at t...
Definition ssl_common.h:382
tls_options::verify_x509_name
const char * verify_x509_name
Definition ssl_common.h:353
tls_options::crl_file_inline
bool crl_file_inline
Definition ssl_common.h:355
tls_options::x509_track
const struct x509_track * x509_track
Definition ssl_common.h:441
tls_options::verify_hash_no_ca
bool verify_hash_no_ca
Definition ssl_common.h:361
tls_options::mda_context
struct man_def_auth_context * mda_context
Definition ssl_common.h:438
tls_options::tls_crypt_v2_verify_script
const char * tls_crypt_v2_verify_script
Definition ssl_common.h:385
tls_options::ssl_ctx
struct tls_root_ctx ssl_ctx
Definition ssl_common.h:309
tls_options::auth_user_pass_verify_script_via_file
bool auth_user_pass_verify_script_via_file
Definition ssl_common.h:395
tls_options::config_ncp_ciphers
const char * config_ncp_ciphers
Definition ssl_common.h:376
tls_options::xmit_hold
bool xmit_hold
Definition ssl_common.h:318
tls_options::ssl_flags
unsigned int ssl_flags
Definition ssl_common.h:435
tls_options::auth_token_generate
bool auth_token_generate
Generate auth-tokens on successful user/pass auth,seet via options->auth_token_generate.
Definition ssl_common.h:401
tls_options::key_type
struct key_type key_type
Definition ssl_common.h:312
tls_options::push_peer_info_detail
int push_peer_info_detail
The detail of info we push in peer info.
Definition ssl_common.h:339
tls_options::ns_cert_type
int ns_cert_type
Definition ssl_common.h:356
tls_options::verify_hash_algo
hash_algo_type verify_hash_algo
Definition ssl_common.h:362
tls_options::pull
bool pull
Definition ssl_common.h:328
tls_options::auth_token_call_auth
bool auth_token_call_auth
always call normal authentication
Definition ssl_common.h:404
tls_options::crl_file
const char * crl_file
Definition ssl_common.h:354
tls_options::handshake_window
int handshake_window
Definition ssl_common.h:341
tls_options::dco_enabled
bool dco_enabled
Whether keys have to be installed in DCO or not.
Definition ssl_common.h:455
tls_options::auth_user_pass_verify_script
const char * auth_user_pass_verify_script
Definition ssl_common.h:393
tls_options::remote_cert_eku
const char * remote_cert_eku
Definition ssl_common.h:358
tls_options::replay_window
int replay_window
Definition ssl_common.h:372
tls_session
Security parameter state of a single session within a VPN tunnel.
Definition ssl_common.h:490
tls_wrap_ctx::opt
struct crypto_options opt
Crypto state.
Definition ssl_common.h:283
tls_wrap_ctx::mode
enum tls_wrap_ctx::@28 mode
Control channel wrapping mode.
tls_wrap_ctx::work
struct buffer work
Work buffer (only for –tls-crypt)
Definition ssl_common.h:284
tls_wrap_ctx::tls_crypt_v2_server_key
struct key_ctx tls_crypt_v2_server_key
Decrypts client keys.
Definition ssl_common.h:285
tls_wrap_ctx::tls_crypt_v2_wkc
const struct buffer * tls_crypt_v2_wkc
Wrapped client key, sent to server.
Definition ssl_common.h:286
tls_wrap_ctx::original_wrap_keydata
struct key2 original_wrap_keydata
original key data to be xored in to the key for dynamic tls-crypt.
Definition ssl_common.h:299
tuntap_options::msg_channel
HANDLE msg_channel
Definition tun.h:88
tuntap
Definition tun.h:183
tuntap::local
in_addr_t local
Definition tun.h:210
tuntap::adapter_index
DWORD adapter_index
Definition tun.h:234
tuntap::backend_driver
enum tun_driver_type backend_driver
The backend driver that used for this tun/tap device.
Definition tun.h:193
tuntap::options
struct tuntap_options options
Definition tun.h:205
tuntap::local_ipv6
struct in6_addr local_ipv6
Definition tun.h:213
tuntap::dco
dco_context_t dco
Definition tun.h:249
tuntap::actual_name
char * actual_name
Definition tun.h:207
tuntap::remote_netmask
in_addr_t remote_netmask
Definition tun.h:211
user_pass
Definition misc.h:52
user_pass::password
char password[USER_PASS_LEN]
Definition misc.h:68
user_pass::username
char username[USER_PASS_LEN]
Definition misc.h:67
win32_signal
Definition win32.h:156
win32_signal::mode
int mode
Definition win32.h:160
window_title
Definition win32.h:74
srandom
#define srandom
Definition syshead.h:44
SOCKET_UNDEFINED
#define SOCKET_UNDEFINED
Definition syshead.h:438
es
struct env_set * es
Definition test_pkcs11.c:138
gc
struct gc_arena gc
Definition test_ssl.c:131
tls_crypt.h
open_tun
void open_tun(const char *dev, const char *dev_type, const char *dev_node, struct tuntap *tt, openvpn_net_ctx_t *ctx)
Definition tun.c:6226
dev_type_enum
int dev_type_enum(const char *dev, const char *dev_type)
Definition tun.c:521
fork_register_dns_action
void fork_register_dns_action(struct tuntap *tt)
Definition tun.c:5614
init_tun
struct tuntap * init_tun(const char *dev, const char *dev_type, int topology, const char *ifconfig_local_parm, const char *ifconfig_remote_netmask_parm, const char *ifconfig_ipv6_local_parm, int ifconfig_ipv6_netbits_parm, const char *ifconfig_ipv6_remote_parm, struct addrinfo *local_public, struct addrinfo *remote_public, const bool strict_warn, struct env_set *es, openvpn_net_ctx_t *ctx, struct tuntap *tt)
Definition tun.c:830
is_dev_type
bool is_dev_type(const char *dev, const char *dev_type, const char *match_type)
Definition tun.c:503
do_ifconfig
void do_ifconfig(struct tuntap *tt, const char *ifname, int tun_mtu, const struct env_set *es, openvpn_net_ctx_t *ctx)
do_ifconfig - configure the tunnel interface
Definition tun.c:1566
dev_type_string
const char * dev_type_string(const char *dev, const char *dev_type)
Definition tun.c:540
close_tun
void close_tun(struct tuntap *tt, openvpn_net_ctx_t *ctx)
Definition tun.c:6377
show_adapters
void show_adapters(msglvl_t msglevel)
Definition tun.c:4879
warn_on_use_of_common_subnets
void warn_on_use_of_common_subnets(openvpn_net_ctx_t *ctx)
Definition tun.c:670
init_tun_post
void init_tun_post(struct tuntap *tt, const struct frame *frame, const struct tuntap_options *options)
Definition tun.c:954
guess_tuntap_dev
const char * guess_tuntap_dev(const char *dev, const char *dev_type, const char *dev_node, struct gc_arena *gc)
Definition tun.c:560
do_ifconfig_setenv
void do_ifconfig_setenv(const struct tuntap *tt, struct env_set *es)
Definition tun.c:786
undo_ifconfig
void undo_ifconfig(struct tuntap *tt, openvpn_net_ctx_t *ctx)
undo_ifconfig - undo configuration of the tunnel interface
Definition tun.c:1655
tun_standby_init
void tun_standby_init(struct tuntap *tt)
Definition tun.c:5532
print_tun_backend_driver
const char * print_tun_backend_driver(enum tun_driver_type driver)
Return a string representation of the tun backed driver type.
Definition tun.c:59
IFCONFIG_AFTER_TUN_OPEN
#define IFCONFIG_AFTER_TUN_OPEN
Definition tun.h:349
IFCONFIG_BEFORE_TUN_OPEN
#define IFCONFIG_BEFORE_TUN_OPEN
Definition tun.h:348
tuntap_is_dco_win
static bool tuntap_is_dco_win(struct tuntap *tt)
Definition tun.h:532
DRIVER_NULL
@ DRIVER_NULL
Definition tun.h:52
DRIVER_GENERIC_TUNTAP
@ DRIVER_GENERIC_TUNTAP
Definition tun.h:47
DRIVER_AFUNIX
@ DRIVER_AFUNIX
using an AF_UNIX socket to pass packets from/to an external program.
Definition tun.h:51
DRIVER_DCO
@ DRIVER_DCO
Definition tun.h:53
ROUTE_AFTER_TUN
#define ROUTE_AFTER_TUN
Definition tun.h:380
ifconfig_order
static int ifconfig_order(struct tuntap *tt)
Definition tun.h:354
open_tun_null
static void open_tun_null(struct tuntap *tt)
Definition tun.h:634
route_order
static int route_order(struct tuntap *tt)
Definition tun.h:384
ROUTE_BEFORE_TUN
#define ROUTE_BEFORE_TUN
Definition tun.h:379
is_tun_type_set
static bool is_tun_type_set(const struct tuntap *tt)
Definition tun.h:628
tuncfg
void tuncfg(const char *dev, const char *dev_type, const char *dev_node, int persist_mode, const char *username, const char *groupname, const struct tuntap_options *options, openvpn_net_ctx_t *ctx)
open_tun_afunix
void open_tun_afunix(struct options *o, int mtu, struct tuntap *tt, struct env_set *orig_env)
Opens an AF_UNIX based tun device.
Definition tun_afunix.c:73
close_tun_afunix
void close_tun_afunix(struct tuntap *tt)
Closes the socket used for the AF_UNIX based device.
Definition tun_afunix.c:125
tun_afunix.h
is_tun_afunix
static bool is_tun_afunix(const char *devnode)
Checks whether a –dev-node parameter specifies a AF_UNIX device.
Definition tun_afunix.h:61
win32_signal_open
void win32_signal_open(struct win32_signal *ws, int force, const char *exit_event_name, bool exit_event_initial_state)
Definition win32.c:452
win_wfp_block
bool win_wfp_block(const NET_IFINDEX index, const HANDLE msg_channel, BOOL dns_only)
Definition win32.c:1203
window_title_generate
void window_title_generate(const char *title)
Definition win32.c:723
window_title_save
void window_title_save(struct window_title *wt)
Definition win32.c:697
win_wfp_uninit
bool win_wfp_uninit(const NET_IFINDEX index, const HANDLE msg_channel)
Definition win32.c:1252
init_win32
void init_win32(void)
Definition win32.c:107
WSO_MODE_CONSOLE
#define WSO_MODE_CONSOLE
Definition win32.h:159
WSO_FORCE_SERVICE
#define WSO_FORCE_SERVICE
Definition win32.h:173
WSO_FORCE_CONSOLE
#define WSO_FORCE_CONSOLE
Definition win32.h:174
Generated by doxygen 1.9.8