OpenVPN
init.c
Go to the documentation of this file.
1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single TCP/UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2002-2024 OpenVPN Inc <sales@openvpn.net>
9  *
10  * This program is free software; you can redistribute it and/or modify
11  * it under the terms of the GNU General Public License version 2
12  * as published by the Free Software Foundation.
13  *
14  * This program is distributed in the hope that it will be useful,
15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17  * GNU General Public License for more details.
18  *
19  * You should have received a copy of the GNU General Public License along
20  * with this program; if not, write to the Free Software Foundation, Inc.,
21  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22  */
23 
24 #ifdef HAVE_CONFIG_H
25 #include "config.h"
26 #endif
27 
28 #include "syshead.h"
29 
30 #ifdef ENABLE_SYSTEMD
31 #include <systemd/sd-daemon.h>
32 #endif
33 
34 #include "win32.h"
35 #include "init.h"
36 #include "run_command.h"
37 #include "sig.h"
38 #include "occ.h"
39 #include "list.h"
40 #include "otime.h"
41 #include "pool.h"
42 #include "gremlin.h"
43 #include "occ.h"
44 #include "pkcs11.h"
45 #include "ps.h"
46 #include "lladdr.h"
47 #include "ping.h"
48 #include "mstats.h"
49 #include "ssl_verify.h"
50 #include "ssl_ncp.h"
51 #include "tls_crypt.h"
52 #include "forward.h"
53 #include "auth_token.h"
54 #include "mss.h"
55 #include "mudp.h"
56 #include "dco.h"
57 #include "tun_afunix.h"
58 
59 #include "memdbg.h"
60 
61 
62 static struct context *static_context; /* GLOBAL */
63 static const char *saved_pid_file_name; /* GLOBAL */
64 
65 /*
66  * Crypto initialization flags
67  */
68 #define CF_LOAD_PERSISTED_PACKET_ID (1<<0)
69 #define CF_INIT_TLS_MULTI (1<<1)
70 #define CF_INIT_TLS_AUTH_STANDALONE (1<<2)
71 
72 static void do_init_first_time(struct context *c);
73 
74 static bool do_deferred_p2p_ncp(struct context *c);
75 
76 void
77 context_clear(struct context *c)
78 {
79  CLEAR(*c);
80 }
81 
82 void
83 context_clear_1(struct context *c)
84 {
85  CLEAR(c->c1);
86 }
87 
88 void
89 context_clear_2(struct context *c)
90 {
91  CLEAR(c->c2);
92 }
93 
94 void
95 context_clear_all_except_first_time(struct context *c)
96 {
97  const bool first_time_save = c->first_time;
98  const struct context_persist cpsave = c->persist;
99  context_clear(c);
100  c->first_time = first_time_save;
101  c->persist = cpsave;
102 }
103 
104 /*
105  * Pass tunnel endpoint and MTU parms to a user-supplied script.
106  * Used to execute the up/down script/plugins.
107  */
108 static void
109 run_up_down(const char *command,
110  const struct plugin_list *plugins,
111  int plugin_type,
112  const char *arg,
113 #ifdef _WIN32
114  DWORD adapter_index,
115 #endif
116  const char *dev_type,
117  int tun_mtu,
118  const char *ifconfig_local,
119  const char *ifconfig_remote,
120  const char *context,
121  const char *signal_text,
122  const char *script_type,
123  struct env_set *es)
124 {
125  struct gc_arena gc = gc_new();
126 
127  if (signal_text)
128  {
129  setenv_str(es, "signal", signal_text);
130  }
131  setenv_str(es, "script_context", context);
132  setenv_int(es, "tun_mtu", tun_mtu);
133  setenv_str(es, "dev", arg);
134  if (dev_type)
135  {
136  setenv_str(es, "dev_type", dev_type);
137  }
138 #ifdef _WIN32
139  setenv_int(es, "dev_idx", adapter_index);
140 #endif
141 
142  if (!ifconfig_local)
143  {
144  ifconfig_local = "";
145  }
146  if (!ifconfig_remote)
147  {
148  ifconfig_remote = "";
149  }
150  if (!context)
151  {
152  context = "";
153  }
154 
155  if (plugin_defined(plugins, plugin_type))
156  {
157  struct argv argv = argv_new();
158  ASSERT(arg);
159  argv_printf(&argv,
160  "%s %d 0 %s %s %s",
161  arg, tun_mtu, ifconfig_local, ifconfig_remote, context);
162 
163  if (plugin_call(plugins, plugin_type, &argv, NULL, es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
164  {
165  msg(M_FATAL, "ERROR: up/down plugin call failed");
166  }
167 
168  argv_free(&argv);
169  }
170 
171  if (command)
172  {
173  struct argv argv = argv_new();
174  ASSERT(arg);
175  setenv_str(es, "script_type", script_type);
176  argv_parse_cmd(&argv, command);
177  argv_printf_cat(&argv, "%s %d 0 %s %s %s", arg, tun_mtu,
178  ifconfig_local, ifconfig_remote, context);
179  argv_msg(M_INFO, &argv);
180  openvpn_run_script(&argv, es, S_FATAL, "--up/--down");
181  argv_free(&argv);
182  }
183 
184  gc_free(&gc);
185 }
186 
187 /*
188  * Should be called after options->ce is modified at the top
189  * of a SIGUSR1 restart.
190  */
191 static void
192 update_options_ce_post(struct options *options)
193 {
194  /*
195  * In pull mode, we usually import --ping/--ping-restart parameters from
196  * the server. However we should also set an initial default --ping-restart
197  * for the period of time before we pull the --ping-restart parameter
198  * from the server.
199  */
200  if (options->pull
201  && options->ping_rec_timeout_action == PING_UNDEF
202  && proto_is_dgram(options->ce.proto))
203  {
204  options->ping_rec_timeout = PRE_PULL_INITIAL_PING_RESTART;
205  options->ping_rec_timeout_action = PING_RESTART;
206  }
207 }
208 
209 #ifdef ENABLE_MANAGEMENT
210 static bool
211 management_callback_proxy_cmd(void *arg, const char **p)
212 {
213  struct context *c = arg;
214  struct connection_entry *ce = &c->options.ce;
215  struct gc_arena *gc = &c->c2.gc;
216  bool ret = false;
217 
218  update_time();
219  if (streq(p[1], "NONE"))
220  {
221  ret = true;
222  }
223  else if (p[2] && p[3])
224  {
225  if (streq(p[1], "HTTP"))
226  {
227  struct http_proxy_options *ho;
228  if (ce->proto != PROTO_TCP && ce->proto != PROTO_TCP_CLIENT)
229  {
230  msg(M_WARN, "HTTP proxy support only works for TCP based connections");
231  return false;
232  }
233  ho = init_http_proxy_options_once(&ce->http_proxy_options, gc);
234  ho->server = string_alloc(p[2], gc);
235  ho->port = string_alloc(p[3], gc);
236  ho->auth_retry = (p[4] && streq(p[4], "nct") ? PAR_NCT : PAR_ALL);
237  ret = true;
238  }
239  else if (streq(p[1], "SOCKS"))
240  {
241  ce->socks_proxy_server = string_alloc(p[2], gc);
242  ce->socks_proxy_port = string_alloc(p[3], gc);
243  ret = true;
244  }
245  }
246  else
247  {
248  msg(M_WARN, "Bad proxy command");
249  }
250 
251  ce->flags &= ~CE_MAN_QUERY_PROXY;
252 
253  return ret;
254 }
255 
256 static bool
257 ce_management_query_proxy(struct context *c)
258 {
259  const struct connection_list *l = c->options.connection_list;
260  struct connection_entry *ce = &c->options.ce;
261  struct gc_arena gc;
262  bool ret = true;
263 
264  update_time();
265  if (management)
266  {
267  gc = gc_new();
268  {
269  struct buffer out = alloc_buf_gc(256, &gc);
270  buf_printf(&out, ">PROXY:%u,%s,%s", (l ? l->current : 0) + 1,
271  (proto_is_udp(ce->proto) ? "UDP" : "TCP"), np(ce->remote));
272  management_notify_generic(management, BSTR(&out));
273  management->persist.special_state_msg = BSTR(&out);
274  }
275  ce->flags |= CE_MAN_QUERY_PROXY;
276  while (ce->flags & CE_MAN_QUERY_PROXY)
277  {
278  management_event_loop_n_seconds(management, 1);
279  if (IS_SIG(c))
280  {
281  ret = false;
282  break;
283  }
284  }
285  management->persist.special_state_msg = NULL;
286  gc_free(&gc);
287  }
288 
289  return ret;
290 }
291 
306 static bool
307 management_callback_send_cc_message(void *arg,
308  const char *command,
309  const char *parameters)
310 {
311  struct context *c = (struct context *) arg;
312  size_t len = strlen(command) + 1 + strlen(parameters) + 1;
313  if (len > PUSH_BUNDLE_SIZE)
314  {
315  return false;
316  }
317 
318  struct gc_arena gc = gc_new();
319  struct buffer buf = alloc_buf_gc(len, &gc);
320  ASSERT(buf_printf(&buf, "%s", command));
321  if (parameters)
322  {
323  ASSERT(buf_printf(&buf, ",%s", parameters));
324  }
325  bool status = send_control_channel_string(c, BSTR(&buf), D_PUSH);
326 
327  gc_free(&gc);
328  return status;
329 }
330 
331 static unsigned int
332 management_callback_remote_entry_count(void *arg)
333 {
334  assert(arg);
335  struct context *c = (struct context *) arg;
336  struct connection_list *l = c->options.connection_list;
337 
338  return l->len;
339 }
340 
341 static bool
342 management_callback_remote_entry_get(void *arg, unsigned int index, char **remote)
343 {
344  assert(arg);
345  assert(remote);
346 
347  struct context *c = (struct context *) arg;
348  struct connection_list *l = c->options.connection_list;
349  bool ret = true;
350 
351  if (index < l->len)
352  {
353  struct connection_entry *ce = l->array[index];
354  const char *proto = proto2ascii(ce->proto, ce->af, false);
355  const char *status = (ce->flags & CE_DISABLED) ? "disabled" : "enabled";
356 
357  /* space for output including 3 commas and a nul */
358  int len = strlen(ce->remote) + strlen(ce->remote_port) + strlen(proto)
359  + strlen(status) + 3 + 1;
360  char *out = malloc(len);
361  check_malloc_return(out);
362 
363  snprintf(out, len, "%s,%s,%s,%s", ce->remote, ce->remote_port, proto, status);
364  *remote = out;
365  }
366  else
367  {
368  ret = false;
369  msg(M_WARN, "Out of bounds index in management query for remote entry: index = %u", index);
370  }
371 
372  return ret;
373 }
374 
375 static bool
376 management_callback_remote_cmd(void *arg, const char **p)
377 {
378  struct context *c = (struct context *) arg;
379  struct connection_entry *ce = &c->options.ce;
380  int ret = false;
381  if (p[1] && ((ce->flags>>CE_MAN_QUERY_REMOTE_SHIFT)&CE_MAN_QUERY_REMOTE_MASK) == CE_MAN_QUERY_REMOTE_QUERY)
382  {
383  int flags = 0;
384  if (!strcmp(p[1], "ACCEPT"))
385  {
386  flags = CE_MAN_QUERY_REMOTE_ACCEPT;
387  ret = true;
388  }
389  else if (!strcmp(p[1], "SKIP"))
390  {
391  flags = CE_MAN_QUERY_REMOTE_SKIP;
392  ret = true;
393  c->options.ce_advance_count = (p[2]) ? atoi(p[2]) : 1;
394  }
395  else if (!strcmp(p[1], "MOD") && p[2] && p[3])
396  {
397  if (strlen(p[2]) < RH_HOST_LEN && strlen(p[3]) < RH_PORT_LEN)
398  {
399  struct remote_host_store *rhs = c->options.rh_store;
400  if (!rhs)
401  {
402  ALLOC_OBJ_CLEAR_GC(rhs, struct remote_host_store, &c->options.gc);
403  c->options.rh_store = rhs;
404  }
405  strncpynt(rhs->host, p[2], RH_HOST_LEN);
406  strncpynt(rhs->port, p[3], RH_PORT_LEN);
407 
408  ce->remote = rhs->host;
409  ce->remote_port = rhs->port;
410  flags = CE_MAN_QUERY_REMOTE_MOD;
411  ret = true;
412  }
413  }
414  if (ret)
415  {
416  ce->flags &= ~(CE_MAN_QUERY_REMOTE_MASK<<CE_MAN_QUERY_REMOTE_SHIFT);
417  ce->flags |= ((flags&CE_MAN_QUERY_REMOTE_MASK)<<CE_MAN_QUERY_REMOTE_SHIFT);
418  }
419  }
420  return ret;
421 }
422 
423 static bool
424 ce_management_query_remote(struct context *c)
425 {
426  struct gc_arena gc = gc_new();
427  volatile struct connection_entry *ce = &c->options.ce;
428  int ce_changed = true; /* presume the connection entry will be changed */
429 
430  update_time();
431  if (management)
432  {
433  struct buffer out = alloc_buf_gc(256, &gc);
434 
435  buf_printf(&out, ">REMOTE:%s,%s,%s", np(ce->remote), ce->remote_port,
436  proto2ascii(ce->proto, ce->af, false));
437  management_notify_generic(management, BSTR(&out));
438  management->persist.special_state_msg = BSTR(&out);
439 
440  ce->flags &= ~(CE_MAN_QUERY_REMOTE_MASK << CE_MAN_QUERY_REMOTE_SHIFT);
441  ce->flags |= (CE_MAN_QUERY_REMOTE_QUERY << CE_MAN_QUERY_REMOTE_SHIFT);
442  while (((ce->flags >> CE_MAN_QUERY_REMOTE_SHIFT)
443  & CE_MAN_QUERY_REMOTE_MASK) == CE_MAN_QUERY_REMOTE_QUERY)
444  {
445  management_event_loop_n_seconds(management, 1);
446  if (IS_SIG(c))
447  {
448  ce_changed = false; /* connection entry have not been set */
449  break;
450  }
451  }
452  management->persist.special_state_msg = NULL;
453  }
454  gc_free(&gc);
455 
456  if (ce_changed)
457  {
458  /* If it is likely a connection entry was modified,
459  * check what changed in the flags and that it was not skipped
460  */
461  const int flags = ((ce->flags >> CE_MAN_QUERY_REMOTE_SHIFT)
462  & CE_MAN_QUERY_REMOTE_MASK);
463  ce_changed = (flags != CE_MAN_QUERY_REMOTE_SKIP);
464  }
465  return ce_changed;
466 }
467 #endif /* ENABLE_MANAGEMENT */
468 
469 /*
470  * Initialize and possibly randomize the connection list.
471  *
472  * Applies the Fisher-Yates shuffle algorithm to ensure all permutations
473  * are equally probable, thereby eliminating shuffling bias.
474  *
475  * The algorithm randomly selects an element from the unshuffled portion
476  * and places it at position i. There's only one way to obtain each
477  * permutation through these swaps. This guarantees that each permutation
478  * occurs with equal probability in theory.
479  */
480 static void
481 init_connection_list(struct context *c)
482 {
483  struct connection_list *l = c->options.connection_list;
484 
485  l->current = -1;
486  if (c->options.remote_random)
487  {
488  int i;
489  for (i = l->len - 1; i > 0; --i)
490  {
491  const int j = get_random() % (i + 1);
492  if (i != j)
493  {
494  struct connection_entry *tmp;
495  tmp = l->array[i];
496  l->array[i] = l->array[j];
497  l->array[j] = tmp;
498  }
499  }
500  }
501 }
502 
503 /*
504  * Clear the remote address list
505  */
506 static void
507 clear_remote_addrlist(struct link_socket_addr *lsa, bool free)
508 {
509  if (lsa->remote_list && free)
510  {
511  freeaddrinfo(lsa->remote_list);
512  }
513  lsa->remote_list = NULL;
514  lsa->current_remote = NULL;
515 }
516 
517 /*
518  * Increment to next connection entry
519  */
520 static void
521 next_connection_entry(struct context *c)
522 {
523  struct connection_list *l = c->options.connection_list;
524  bool ce_defined;
525  struct connection_entry *ce;
526  int n_cycles = 0;
527 
528  do
529  {
530  ce_defined = true;
531  if (c->options.no_advance && l->current >= 0)
532  {
533  c->options.no_advance = false;
534  }
535  else
536  {
537  /* Check if there is another resolved address to try for
538  * the current connection */
539  if (c->c1.link_socket_addrs[0].current_remote
540  && c->c1.link_socket_addrs[0].current_remote->ai_next
541  && !c->options.advance_next_remote)
542  {
543  c->c1.link_socket_addrs[0].current_remote =
544  c->c1.link_socket_addrs[0].current_remote->ai_next;
545  }
546  else
547  {
548  c->options.advance_next_remote = false;
549  /* FIXME (schwabe) fix the persist-remote-ip option for real,
550  * this is broken probably ever since connection lists and multiple
551  * remote existed
552  */
553  if (!c->options.persist_remote_ip)
554  {
555  /* Connection entry addrinfo objects might have been
556  * resolved earlier but the entry itself might have been
557  * skipped by management on the previous loop.
558  * If so, clear the addrinfo objects as close_instance does
559  */
560  if (c->c1.link_socket_addrs[0].remote_list)
561  {
562  clear_remote_addrlist(&c->c1.link_socket_addrs[0],
563  !c->options.resolve_in_advance);
564  }
565 
566  /* close_instance should have cleared the addrinfo objects */
567  ASSERT(c->c1.link_socket_addrs[0].current_remote == NULL);
568  ASSERT(c->c1.link_socket_addrs[0].remote_list == NULL);
569  }
570  else
571  {
572  c->c1.link_socket_addrs[0].current_remote =
573  c->c1.link_socket_addrs[0].remote_list;
574  }
575 
576  int advance_count = 1;
577 
578  /* If previous connection entry was skipped by management client
579  * with a count to advance by, apply it.
580  */
581  if (c->options.ce_advance_count > 0)
582  {
583  advance_count = c->options.ce_advance_count;
584  }
585 
586  /*
587  * Increase the number of connection attempts
588  * If this is connect-retry-max * size(l)
589  * OpenVPN will quit
590  */
591 
592  c->options.unsuccessful_attempts += advance_count;
593  l->current += advance_count;
594 
595  if (l->current >= l->len)
596  {
597  l->current %= l->len;
598  if (++n_cycles >= 2)
599  {
600  msg(M_FATAL, "No usable connection profiles are present");
601  }
602  }
603  }
604  }
605 
606  c->options.ce_advance_count = 1;
607  ce = l->array[l->current];
608 
609  if (ce->flags & CE_DISABLED)
610  {
611  ce_defined = false;
612  }
613 
614  c->options.ce = *ce;
615 
616 #ifdef ENABLE_MANAGEMENT
617  if (ce_defined && management && management_query_remote_enabled(management))
618  {
619  /* allow management interface to override connection entry details */
620  ce_defined = ce_management_query_remote(c);
621  if (IS_SIG(c))
622  {
623  break;
624  }
625  }
626  else if (ce_defined && management && management_query_proxy_enabled(management))
627  {
628  ce_defined = ce_management_query_proxy(c);
629  if (IS_SIG(c))
630  {
631  break;
632  }
633  }
634 #endif
635  } while (!ce_defined);
636 
637  /* Check if this connection attempt would bring us over the limit */
638  if (c->options.connect_retry_max > 0
639  && c->options.unsuccessful_attempts > (l->len * c->options.connect_retry_max))
640  {
641  msg(M_FATAL, "All connections have been connect-retry-max (%d) times unsuccessful, exiting",
642  c->options.connect_retry_max);
643  }
644  update_options_ce_post(&c->options);
645 }
646 
647 /*
648  * Query for private key and auth-user-pass username/passwords
649  */
650 void
651 init_query_passwords(const struct context *c)
652 {
653  /* Certificate password input */
654  if (c->options.key_pass_file)
655  {
656  pem_password_setup(c->options.key_pass_file);
657  }
658 
659  /* Auth user/pass input */
660  if (c->options.auth_user_pass_file)
661  {
662  enable_auth_user_pass();
663 #ifdef ENABLE_MANAGEMENT
664  auth_user_pass_setup(c->options.auth_user_pass_file,
665  c->options.auth_user_pass_file_inline,
666  &c->options.sc_info);
667 #else
668  auth_user_pass_setup(c->options.auth_user_pass_file,
669  c->options.auth_user_pass_file_inline, NULL);
670 #endif
671  }
672 }
673 
674 /*
675  * Initialize/Uninitialize HTTP or SOCKS proxy
676  */
677 
678 static void
679 uninit_proxy_dowork(struct context *c)
680 {
681  if (c->c1.http_proxy_owned && c->c1.http_proxy)
682  {
683  http_proxy_close(c->c1.http_proxy);
684  c->c1.http_proxy = NULL;
685  c->c1.http_proxy_owned = false;
686  }
687  if (c->c1.socks_proxy_owned && c->c1.socks_proxy)
688  {
689  socks_proxy_close(c->c1.socks_proxy);
690  c->c1.socks_proxy = NULL;
691  c->c1.socks_proxy_owned = false;
692  }
693 }
694 
695 static void
696 init_proxy_dowork(struct context *c)
697 {
698  bool did_http = false;
699 
700  uninit_proxy_dowork(c);
701 
702  if (c->options.ce.http_proxy_options)
703  {
704  c->options.ce.http_proxy_options->first_time = c->first_time;
705 
706  /* Possible HTTP proxy user/pass input */
707  c->c1.http_proxy = http_proxy_new(c->options.ce.http_proxy_options);
708  if (c->c1.http_proxy)
709  {
710  did_http = true;
711  c->c1.http_proxy_owned = true;
712  }
713  }
714 
715  if (!did_http && c->options.ce.socks_proxy_server)
716  {
717  c->c1.socks_proxy = socks_proxy_new(c->options.ce.socks_proxy_server,
718  c->options.ce.socks_proxy_port,
719  c->options.ce.socks_proxy_authfile);
720  if (c->c1.socks_proxy)
721  {
722  c->c1.socks_proxy_owned = true;
723  }
724  }
725 }
726 
727 static void
728 init_proxy(struct context *c)
729 {
730  init_proxy_dowork(c);
731 }
732 
733 static void
734 uninit_proxy(struct context *c)
735 {
736  uninit_proxy_dowork(c);
737 }
738 
739 static void
740 do_link_socket_addr_new(struct context *c)
741 {
742  ALLOC_ARRAY_CLEAR_GC(c->c1.link_socket_addrs, struct link_socket_addr,
743  c->c1.link_sockets_num, &c->gc);
744 }
745 
746 void
747 context_init_1(struct context *c)
748 {
749  context_clear_1(c);
750 
751  packet_id_persist_init(&c->c1.pid_persist);
752 
753  init_connection_list(c);
754 
755  c->c1.link_sockets_num = c->options.ce.local_list->len;
756 
757  do_link_socket_addr_new(c);
758 
759 #if defined(ENABLE_PKCS11)
760  if (c->first_time)
761  {
762  int i;
763  pkcs11_initialize(true, c->options.pkcs11_pin_cache_period);
764  for (i = 0; i<MAX_PARMS && c->options.pkcs11_providers[i] != NULL; i++)
765  {
766  pkcs11_addProvider(c->options.pkcs11_providers[i], c->options.pkcs11_protected_authentication[i],
767  c->options.pkcs11_private_mode[i], c->options.pkcs11_cert_private[i]);
768  }
769  }
770 #endif
771 
772 #if 0 /* test get_user_pass with GET_USER_PASS_NEED_OK flag */
773  {
774  /*
775  * In the management interface, you can okay the request by entering "needok token-insertion-request ok"
776  */
777  struct user_pass up;
778  CLEAR(up);
779  strcpy(up.username, "Please insert your cryptographic token"); /* put the high-level message in up.username */
780  get_user_pass(&up, NULL, "token-insertion-request", GET_USER_PASS_MANAGEMENT|GET_USER_PASS_NEED_OK);
781  msg(M_INFO, "RET:%s", up.password); /* will return the third argument to management interface
782  * 'needok' command, usually 'ok' or 'cancel'. */
783  }
784 #endif
785 
786 #ifdef ENABLE_SYSTEMD
787  /* We can report the PID via getpid() to systemd here as OpenVPN will not
788  * do any fork due to daemon() a future call.
789  * See possibly_become_daemon() [init.c] for more details.
790  */
791  sd_notifyf(0, "READY=1\nSTATUS=Pre-connection initialization successful\nMAINPID=%lu",
792  (unsigned long) getpid());
793 #endif
794 
795 }
796 
797 void
798 context_gc_free(struct context *c)
799 {
800  gc_free(&c->c2.gc);
801  gc_free(&c->options.gc);
802  gc_free(&c->gc);
803 }
804 
805 #if PORT_SHARE
806 
807 static void
808 close_port_share(void)
809 {
810  if (port_share)
811  {
812  port_share_close(port_share);
813  port_share = NULL;
814  }
815 }
816 
817 static void
818 init_port_share(struct context *c)
819 {
820  if (!port_share && (c->options.port_share_host && c->options.port_share_port))
821  {
822  port_share = port_share_open(c->options.port_share_host,
823  c->options.port_share_port,
824  c->c2.frame.buf.payload_size,
825  c->options.port_share_journal_dir);
826  if (port_share == NULL)
827  {
828  msg(M_FATAL, "Fatal error: Port sharing failed");
829  }
830  }
831 }
832 
833 #endif /* if PORT_SHARE */
834 
835 
836 bool
837 init_static(void)
838 {
839 #if defined(DMALLOC)
840  crypto_init_dmalloc();
841 #endif
842 
843 
844  /*
845  * Initialize random number seed. random() is only used
846  * when "weak" random numbers are acceptable.
847  * SSL library routines are always used when cryptographically
848  * strong random numbers are required.
849  */
850  struct timeval tv;
851  if (!gettimeofday(&tv, NULL))
852  {
853  const unsigned int seed = (unsigned int) tv.tv_sec ^ tv.tv_usec;
854  srandom(seed);
855  }
856 
857  error_reset(); /* initialize error.c */
858  reset_check_status(); /* initialize status check code in socket.c */
859 
860 #ifdef _WIN32
861  init_win32();
862 #endif
863 
864 #ifdef OPENVPN_DEBUG_COMMAND_LINE
865  {
866  int i;
867  for (i = 0; i < argc; ++i)
868  {
869  msg(M_INFO, "argv[%d] = '%s'", i, argv[i]);
870  }
871  }
872 #endif
873 
874  update_time();
875 
876  init_ssl_lib();
877 
878 #ifdef SCHEDULE_TEST
879  schedule_test();
880  return false;
881 #endif
882 
883 #ifdef IFCONFIG_POOL_TEST
884  ifconfig_pool_test(0x0A010004, 0x0A0100FF);
885  return false;
886 #endif
887 
888 #ifdef TIME_TEST
889  time_test();
890  return false;
891 #endif
892 
893 #ifdef GEN_PATH_TEST
894  {
895  struct gc_arena gc = gc_new();
896  const char *fn = gen_path("foo",
897  "bar",
898  &gc);
899  printf("%s\n", fn);
900  gc_free(&gc);
901  }
902  return false;
903 #endif
904 
905 #ifdef STATUS_PRINTF_TEST
906  {
907  struct gc_arena gc = gc_new();
908  const char *tmp_file = platform_create_temp_file("/tmp", "foo", &gc);
909  struct status_output *so = status_open(tmp_file, 0, -1, NULL, STATUS_OUTPUT_WRITE);
910  status_printf(so, "%s", "foo");
911  status_printf(so, "%s", "bar");
912  if (!status_close(so))
913  {
914  msg(M_WARN, "STATUS_PRINTF_TEST: %s: write error", tmp_file);
915  }
916  gc_free(&gc);
917  }
918  return false;
919 #endif
920 
921 #ifdef MSTATS_TEST
922  {
923  int i;
924  mstats_open("/dev/shm/mstats.dat");
925  for (i = 0; i < 30; ++i)
926  {
927  mmap_stats->n_clients += 1;
928  mmap_stats->link_write_bytes += 8;
929  mmap_stats->link_read_bytes += 16;
930  sleep(1);
931  }
932  mstats_close();
933  return false;
934  }
935 #endif
936 
937  return true;
938 }
939 
940 void
941 uninit_static(void)
942 {
943  free_ssl_lib();
944 
945 #ifdef ENABLE_PKCS11
946  pkcs11_terminate();
947 #endif
948 
949 #if PORT_SHARE
950  close_port_share();
951 #endif
952 
953 #if defined(MEASURE_TLS_HANDSHAKE_STATS)
954  show_tls_performance_stats();
955 #endif
956 }
957 
958 void
959 init_verb_mute(struct context *c, unsigned int flags)
960 {
961  if (flags & IVM_LEVEL_1)
962  {
963  /* set verbosity and mute levels */
964  set_check_status(D_LINK_ERRORS, D_READ_WRITE);
965  set_debug_level(c->options.verbosity, SDL_CONSTRAIN);
966  set_mute_cutoff(c->options.mute);
967  }
968 
969  /* special D_LOG_RW mode */
970  if (flags & IVM_LEVEL_2)
971  {
972  c->c2.log_rw = (check_debug_level(D_LOG_RW) && !check_debug_level(D_LOG_RW + 1));
973  }
974 }
975 
976 /*
977  * Possibly set --dev based on --dev-node.
978  * For example, if --dev-node /tmp/foo/tun, and --dev undefined,
979  * set --dev to tun.
980  */
981 void
982 init_options_dev(struct options *options)
983 {
984  if (!options->dev && options->dev_node)
985  {
986  char *dev_node = string_alloc(options->dev_node, NULL); /* POSIX basename() implementations may modify its arguments */
987  options->dev = basename(dev_node);
988  }
989 }
990 
991 bool
992 print_openssl_info(const struct options *options)
993 {
994  /*
995  * OpenSSL info print mode?
996  */
997  if (options->show_ciphers || options->show_digests || options->show_engines
998  || options->show_tls_ciphers || options->show_curves)
999  {
1000  if (options->show_ciphers)
1001  {
1002  show_available_ciphers();
1003  }
1004  if (options->show_digests)
1005  {
1006  show_available_digests();
1007  }
1008  if (options->show_engines)
1009  {
1010  show_available_engines();
1011  }
1012  if (options->show_tls_ciphers)
1013  {
1014  show_available_tls_ciphers(options->cipher_list,
1015  options->cipher_list_tls13,
1016  options->tls_cert_profile);
1017  }
1018  if (options->show_curves)
1019  {
1020  show_available_curves();
1021  }
1022  return true;
1023  }
1024  return false;
1025 }
1026 
1027 /*
1028  * Static pre-shared key generation mode?
1029  */
1030 bool
1031 do_genkey(const struct options *options)
1032 {
1033  /* should we disable paging? */
1034  if (options->mlock && (options->genkey))
1035  {
1036  platform_mlockall(true);
1037  }
1038 
1039  /*
1040  * We do not want user to use --genkey with --secret. In the transistion
1041  * phase we for secret.
1042  */
1043  if (options->genkey && options->genkey_type != GENKEY_SECRET
1044  && options->shared_secret_file)
1045  {
1046  msg(M_USAGE, "Using --genkey type with --secret filename is "
1047  "not supported. Use --genkey type filename instead.");
1048  }
1049  if (options->genkey && options->genkey_type == GENKEY_SECRET)
1050  {
1051  int nbits_written;
1052  const char *genkey_filename = options->genkey_filename;
1053  if (options->shared_secret_file && options->genkey_filename)
1054  {
1055  msg(M_USAGE, "You must provide a filename to either --genkey "
1056  "or --secret, not both");
1057  }
1058 
1059  /*
1060  * Copy filename from shared_secret_file to genkey_filename to support
1061  * the old --genkey --secret foo.file syntax.
1062  */
1063  if (options->shared_secret_file)
1064  {
1065  msg(M_WARN, "WARNING: Using --genkey --secret filename is "
1066  "DEPRECATED. Use --genkey secret filename instead.");
1067  genkey_filename = options->shared_secret_file;
1068  }
1069 
1070  nbits_written = write_key_file(2, genkey_filename);
1071  if (nbits_written < 0)
1072  {
1073  msg(M_FATAL, "Failed to write key file");
1074  }
1075 
1076  msg(D_GENKEY | M_NOPREFIX,
1077  "Randomly generated %d bit key written to %s", nbits_written,
1078  options->shared_secret_file);
1079  return true;
1080  }
1081  else if (options->genkey && options->genkey_type == GENKEY_TLS_CRYPTV2_SERVER)
1082  {
1083  tls_crypt_v2_write_server_key_file(options->genkey_filename);
1084  return true;
1085  }
1086  else if (options->genkey && options->genkey_type == GENKEY_TLS_CRYPTV2_CLIENT)
1087  {
1088  if (!options->tls_crypt_v2_file)
1089  {
1090  msg(M_USAGE,
1091  "--genkey tls-crypt-v2-client requires a server key to be set via --tls-crypt-v2 to create a client key");
1092  }
1093 
1094  tls_crypt_v2_write_client_key_file(options->genkey_filename,
1095  options->genkey_extra_data, options->tls_crypt_v2_file,
1096  options->tls_crypt_v2_file_inline);
1097  return true;
1098  }
1099  else if (options->genkey && options->genkey_type == GENKEY_AUTH_TOKEN)
1100  {
1101  auth_token_write_server_key_file(options->genkey_filename);
1102  return true;
1103  }
1104  else
1105  {
1106  return false;
1107  }
1108 }
1109 
1110 /*
1111  * Persistent TUN/TAP device management mode?
1112  */
1113 bool
1114 do_persist_tuntap(struct options *options, openvpn_net_ctx_t *ctx)
1115 {
1116  if (!options->persist_config)
1117  {
1118  return false;
1119  }
1120 
1121  /* sanity check on options for --mktun or --rmtun */
1122  notnull(options->dev, "TUN/TAP device (--dev)");
1123  if (options->ce.remote || options->ifconfig_local
1124  || options->ifconfig_remote_netmask
1125  || options->shared_secret_file
1126  || options->tls_server || options->tls_client
1127  )
1128  {
1129  msg(M_FATAL|M_OPTERR,
1130  "options --mktun or --rmtun should only be used together with --dev");
1131  }
1132 
1133 #if defined(ENABLE_DCO)
1134  if (dco_enabled(options))
1135  {
1136  /* creating a DCO interface via --mktun is not supported as it does not
1137  * make much sense. Since DCO is enabled by default, people may run into
1138  * this without knowing, therefore this case should be properly handled.
1139  *
1140  * Disable DCO if --mktun was provided and print a message to let
1141  * user know.
1142  */
1143  if (dev_type_enum(options->dev, options->dev_type) == DEV_TYPE_TUN)
1144  {
1145  msg(M_WARN, "Note: --mktun does not support DCO. Creating TUN interface.");
1146  }
1147 
1148  options->disable_dco = true;
1149  }
1150 #endif
1151 
1152 #ifdef ENABLE_FEATURE_TUN_PERSIST
1153  tuncfg(options->dev, options->dev_type, options->dev_node,
1154  options->persist_mode,
1155  options->username, options->groupname, &options->tuntap_options,
1156  ctx);
1157  if (options->persist_mode && options->lladdr)
1158  {
1159  set_lladdr(ctx, options->dev, options->lladdr, NULL);
1160  }
1161  return true;
1162 #else /* ifdef ENABLE_FEATURE_TUN_PERSIST */
1163  msg(M_FATAL|M_OPTERR,
1164  "options --mktun and --rmtun are not available on your operating "
1165  "system. Please check 'man tun' (or 'tap'), whether your system "
1166  "supports using 'ifconfig %s create' / 'destroy' to create/remove "
1167  "persistent tunnel interfaces.", options->dev );
1168 #endif
1169  return false;
1170 }
1171 
1172 /*
1173  * Should we become a daemon?
1174  * Return true if we did it.
1175  */
1176 bool
1177 possibly_become_daemon(const struct options *options)
1178 {
1179  bool ret = false;
1180 
1181 #ifdef ENABLE_SYSTEMD
1182  /* return without forking if we are running from systemd */
1183  if (sd_notify(0, "READY=0") > 0)
1184  {
1185  return ret;
1186  }
1187 #endif
1188 
1189  if (options->daemon)
1190  {
1191  /* Don't chdir immediately, but the end of the init sequence, if needed */
1192 
1193 #if defined(__APPLE__) && defined(__clang__)
1194 #pragma clang diagnostic push
1195 #pragma clang diagnostic ignored "-Wdeprecated-declarations"
1196 #endif
1197  if (daemon(1, options->log) < 0)
1198  {
1199  msg(M_ERR, "daemon() failed or unsupported");
1200  }
1201 #if defined(__APPLE__) && defined(__clang__)
1202 #pragma clang diagnostic pop
1203 #endif
1204  restore_signal_state();
1205  if (options->log)
1206  {
1207  set_std_files_to_null(true);
1208  }
1209 
1210  ret = true;
1211  }
1212  return ret;
1213 }
1214 
1215 /*
1216  * Actually do UID/GID downgrade, chroot and SELinux context switching, if requested.
1217  */
1218 static void
1219 do_uid_gid_chroot(struct context *c, bool no_delay)
1220 {
1221  static const char why_not[] = "will be delayed because of --client, --pull, or --up-delay";
1222  struct context_0 *c0 = c->c0;
1223 
1224  if (c0 && !c0->uid_gid_chroot_set)
1225  {
1226  /* chroot if requested */
1227  if (c->options.chroot_dir)
1228  {
1229  if (no_delay)
1230  {
1231  platform_chroot(c->options.chroot_dir);
1232  }
1233  else if (c->first_time)
1234  {
1235  msg(M_INFO, "NOTE: chroot %s", why_not);
1236  }
1237  }
1238 
1239  /* set user and/or group if we want to setuid/setgid */
1240  if (c0->uid_gid_specified)
1241  {
1242  if (no_delay)
1243  {
1244  platform_user_group_set(&c0->platform_state_user,
1245  &c0->platform_state_group,
1246  c);
1247  }
1248  else if (c->first_time)
1249  {
1250  msg(M_INFO, "NOTE: UID/GID downgrade %s", why_not);
1251  }
1252  }
1253 
1254 #ifdef ENABLE_MEMSTATS
1255  if (c->first_time && c->options.memstats_fn)
1256  {
1257  mstats_open(c->options.memstats_fn);
1258  }
1259 #endif
1260 
1261 #ifdef ENABLE_SELINUX
1262  /* Apply a SELinux context in order to restrict what OpenVPN can do
1263  * to _only_ what it is supposed to do after initialization is complete
1264  * (basically just network I/O operations). Doing it after chroot
1265  * requires /proc to be mounted in the chroot (which is annoying indeed
1266  * but doing it before requires more complex SELinux policies.
1267  */
1268  if (c->options.selinux_context)
1269  {
1270  if (no_delay)
1271  {
1272  if (-1 == setcon(c->options.selinux_context))
1273  {
1274  msg(M_ERR, "setcon to '%s' failed; is /proc accessible?", c->options.selinux_context);
1275  }
1276  else
1277  {
1278  msg(M_INFO, "setcon to '%s' succeeded", c->options.selinux_context);
1279  }
1280  }
1281  else if (c->first_time)
1282  {
1283  msg(M_INFO, "NOTE: setcon %s", why_not);
1284  }
1285  }
1286 #endif
1287 
1288  /* Privileges are going to be dropped by now (if requested), be sure
1289  * to prevent any future privilege dropping attempts from now on.
1290  */
1291  if (no_delay)
1292  {
1293  c0->uid_gid_chroot_set = true;
1294  }
1295  }
1296 }
1297 
1298 /*
1299  * Return common name in a way that is formatted for
1300  * prepending to msg() output.
1301  */
1302 const char *
1303 format_common_name(struct context *c, struct gc_arena *gc)
1304 {
1305  struct buffer out = alloc_buf_gc(256, gc);
1306  if (c->c2.tls_multi)
1307  {
1308  buf_printf(&out, "[%s] ", tls_common_name(c->c2.tls_multi, false));
1309  }
1310  return BSTR(&out);
1311 }
1312 
1313 void
1314 pre_setup(const struct options *options)
1315 {
1316 #ifdef _WIN32
1317  if (options->exit_event_name)
1318  {
1319  win32_signal_open(&win32_signal,
1320  WSO_FORCE_SERVICE,
1321  options->exit_event_name,
1322  options->exit_event_initial_state);
1323  }
1324  else
1325  {
1326  win32_signal_open(&win32_signal,
1327  WSO_FORCE_CONSOLE,
1328  NULL,
1329  false);
1330 
1331  /* put a title on the top window bar */
1332  if (win32_signal.mode == WSO_MODE_CONSOLE)
1333  {
1334  window_title_save(&window_title);
1335  window_title_generate(options->config);
1336  }
1337  }
1338 #endif /* ifdef _WIN32 */
1339 }
1340 
1341 void
1342 reset_coarse_timers(struct context *c)
1343 {
1344  c->c2.coarse_timer_wakeup = 0;
1345 }
1346 
1347 /*
1348  * Initialise the server poll timeout timer
1349  * This timer is used in the http/socks proxy setup so it needs to be setup
1350  * before
1351  */
1352 static void
1353 do_init_server_poll_timeout(struct context *c)
1354 {
1355  update_time();
1356  if (c->options.ce.connect_timeout)
1357  {
1358  event_timeout_init(&c->c2.server_poll_interval, c->options.ce.connect_timeout, now);
1359  }
1360 }
1361 
1362 /*
1363  * Initialize timers
1364  */
1365 static void
1366 do_init_timers(struct context *c, bool deferred)
1367 {
1368  update_time();
1369  reset_coarse_timers(c);
1370 
1371  /* initialize inactivity timeout */
1372  if (c->options.inactivity_timeout)
1373  {
1374  event_timeout_init(&c->c2.inactivity_interval, c->options.inactivity_timeout, now);
1375  }
1376 
1377  /* initialize inactivity timeout */
1378  if (c->options.session_timeout)
1379  {
1380  event_timeout_init(&c->c2.session_interval, c->options.session_timeout,
1381  now);
1382  }
1383 
1384  /* initialize pings */
1385  if (dco_enabled(&c->options))
1386  {
1387  /* The DCO kernel module will send the pings instead of user space */
1388  event_timeout_clear(&c->c2.ping_rec_interval);
1389  event_timeout_clear(&c->c2.ping_send_interval);
1390  }
1391  else
1392  {
1393  if (c->options.ping_send_timeout)
1394  {
1395  event_timeout_init(&c->c2.ping_send_interval, c->options.ping_send_timeout, 0);
1396  }
1397 
1398  if (c->options.ping_rec_timeout)
1399  {
1400  event_timeout_init(&c->c2.ping_rec_interval, c->options.ping_rec_timeout, now);
1401  }
1402  }
1403 
1404  /* If the auth-token renewal interval is shorter than reneg-sec, arm
1405  * "auth-token renewal" timer to send additional auth-token to update the
1406  * token on the client more often. If not, this happens automatically
1407  * at renegotiation time, without needing an extra event.
1408  */
1409  if (c->options.auth_token_generate
1410  && c->options.auth_token_renewal < c->options.renegotiate_seconds)
1411  {
1412  event_timeout_init(&c->c2.auth_token_renewal_interval,
1413  c->options.auth_token_renewal, now);
1414  }
1415 
1416  if (!deferred)
1417  {
1418  /* initialize connection establishment timer */
1419  event_timeout_init(&c->c2.wait_for_connect, 1, now);
1420 
1421  /* initialize occ timers */
1422 
1423  if (c->options.occ
1424  && !TLS_MODE(c)
1425  && c->c2.options_string_local && c->c2.options_string_remote)
1426  {
1427  event_timeout_init(&c->c2.occ_interval, OCC_INTERVAL_SECONDS, now);
1428  }
1429 
1430  if (c->options.mtu_test)
1431  {
1432  event_timeout_init(&c->c2.occ_mtu_load_test_interval, OCC_MTU_LOAD_INTERVAL_SECONDS, now);
1433  }
1434 
1435  /* initialize packet_id persistence timer */
1436  if (c->options.packet_id_file)
1437  {
1438  event_timeout_init(&c->c2.packet_id_persist_interval, 60, now);
1439  }
1440 
1441  /* initialize tmp_int optimization that limits the number of times we call
1442  * tls_multi_process in the main event loop */
1443  interval_init(&c->c2.tmp_int, TLS_MULTI_HORIZON, TLS_MULTI_REFRESH);
1444  }
1445 }
1446 
1447 /*
1448  * Initialize traffic shaper.
1449  */
1450 static void
1451 do_init_traffic_shaper(struct context *c)
1452 {
1453  /* initialize traffic shaper (i.e. transmit bandwidth limiter) */
1454  if (c->options.shaper)
1455  {
1456  shaper_init(&c->c2.shaper, c->options.shaper);
1457  shaper_msg(&c->c2.shaper);
1458  }
1459 }
1460 
1461 /*
1462  * Allocate route list structures for IPv4 and IPv6
1463  * (we do this for IPv4 even if no --route option has been seen, as other
1464  * parts of OpenVPN might want to fill the route-list with info, e.g. DHCP)
1465  */
1466 static void
1467 do_alloc_route_list(struct context *c)
1468 {
1469  if (!c->c1.route_list)
1470  {
1471  ALLOC_OBJ_CLEAR_GC(c->c1.route_list, struct route_list, &c->gc);
1472  }
1473  if (c->options.routes_ipv6 && !c->c1.route_ipv6_list)
1474  {
1475  ALLOC_OBJ_CLEAR_GC(c->c1.route_ipv6_list, struct route_ipv6_list, &c->gc);
1476  }
1477 }
1478 
1479 
1480 /*
1481  * Initialize the route list, resolving any DNS names in route
1482  * options and saving routes in the environment.
1483  */
1484 static void
1485 do_init_route_list(const struct options *options,
1486  struct route_list *route_list,
1487  const struct link_socket_info *link_socket_info,
1488  struct env_set *es,
1489  openvpn_net_ctx_t *ctx)
1490 {
1491  const char *gw = NULL;
1492  int dev = dev_type_enum(options->dev, options->dev_type);
1493  int metric = 0;
1494 
1495  /* if DCO is enabled we have both regular routes and iroutes in the system
1496  * routing table, and normal routes must have a higher metric for that to
1497  * work so that iroutes are always matched first
1498  */
1499  if (dco_enabled(options))
1500  {
1501  metric = DCO_DEFAULT_METRIC;
1502  }
1503 
1504  if (dev == DEV_TYPE_TUN && (options->topology == TOP_NET30 || options->topology == TOP_P2P))
1505  {
1506  gw = options->ifconfig_remote_netmask;
1507  }
1508  if (options->route_default_gateway)
1509  {
1510  gw = options->route_default_gateway;
1511  }
1512  if (options->route_default_metric)
1513  {
1514  metric = options->route_default_metric;
1515  }
1516 
1517  if (init_route_list(route_list,
1518  options->routes,
1519  gw,
1520  metric,
1521  link_socket_current_remote(link_socket_info),
1522  es,
1523  ctx))
1524  {
1525  /* copy routes to environment */
1526  setenv_routes(es, route_list);
1527  }
1528 }
1529 
1530 static void
1531 do_init_route_ipv6_list(const struct options *options,
1532  struct route_ipv6_list *route_ipv6_list,
1533  const struct link_socket_info *link_socket_info,
1534  struct env_set *es,
1535  openvpn_net_ctx_t *ctx)
1536 {
1537  const char *gw = NULL;
1538  int metric = -1; /* no metric set */
1539 
1540  /* see explanation in do_init_route_list() */
1541  if (dco_enabled(options))
1542  {
1543  metric = DCO_DEFAULT_METRIC;
1544  }
1545 
1546  gw = options->ifconfig_ipv6_remote; /* default GW = remote end */
1547  if (options->route_ipv6_default_gateway)
1548  {
1549  gw = options->route_ipv6_default_gateway;
1550  }
1551 
1552  if (options->route_default_metric)
1553  {
1554  metric = options->route_default_metric;
1555  }
1556 
1557  /* redirect (IPv6) gateway to VPN? if yes, add a few more specifics
1558  */
1559  if (options->routes_ipv6->flags & RG_REROUTE_GW)
1560  {
1561  char *opt_list[] = { "::/3", "2000::/4", "3000::/4", "fc00::/7", NULL };
1562  int i;
1563 
1564  for (i = 0; opt_list[i]; i++)
1565  {
1566  add_route_ipv6_to_option_list( options->routes_ipv6,
1567  string_alloc(opt_list[i], options->routes_ipv6->gc),
1568  NULL, NULL );
1569  }
1570  }
1571 
1572  if (init_route_ipv6_list(route_ipv6_list,
1573  options->routes_ipv6,
1574  gw,
1575  metric,
1576  link_socket_current_remote_ipv6(link_socket_info),
1577  es,
1578  ctx))
1579  {
1580  /* copy routes to environment */
1581  setenv_routes_ipv6(es, route_ipv6_list);
1582  }
1583 }
1584 
1585 
1586 /*
1587  * Called after all initialization has been completed.
1588  */
1589 void
1590 initialization_sequence_completed(struct context *c, const unsigned int flags)
1591 {
1592  static const char message[] = "Initialization Sequence Completed";
1593 
1594  /* Reset the unsuccessful connection counter on complete initialisation */
1595  c->options.unsuccessful_attempts = 0;
1596 
1597  /* If we delayed UID/GID downgrade or chroot, do it now */
1598  do_uid_gid_chroot(c, true);
1599 
1600  /* Test if errors */
1601  if (flags & ISC_ERRORS)
1602  {
1603 #ifdef _WIN32
1604  show_routes(M_INFO|M_NOPREFIX);
1605  show_adapters(M_INFO|M_NOPREFIX);
1606  msg(M_INFO, "%s With Errors ( see http://openvpn.net/faq.html#dhcpclientserv )", message);
1607 #else
1608 #ifdef ENABLE_SYSTEMD
1609  sd_notifyf(0, "STATUS=Failed to start up: %s With Errors\nERRNO=1", message);
1610 #endif /* HAVE_SYSTEMD_SD_DAEMON_H */
1611  msg(M_INFO, "%s With Errors", message);
1612 #endif
1613  }
1614  else
1615  {
1616 #ifdef ENABLE_SYSTEMD
1617  sd_notifyf(0, "STATUS=%s", message);
1618 #endif
1619  msg(M_INFO, "%s", message);
1620  }
1621 
1622  /* Flag that we initialized */
1623  if ((flags & (ISC_ERRORS|ISC_SERVER)) == 0)
1624  {
1625  c->options.no_advance = true;
1626  }
1627 
1628 #ifdef _WIN32
1629  fork_register_dns_action(c->c1.tuntap);
1630 #endif
1631 
1632 #ifdef ENABLE_MANAGEMENT
1633  /* Tell management interface that we initialized */
1634  if (management)
1635  {
1636  in_addr_t *tun_local = NULL;
1637  struct in6_addr *tun_local6 = NULL;
1638  struct openvpn_sockaddr local, remote;
1639  struct link_socket_actual *actual;
1640  socklen_t sa_len = sizeof(local);
1641  const char *detail = "SUCCESS";
1642  if (flags & ISC_ERRORS)
1643  {
1644  detail = "ERROR";
1645  }
1646  /* Flag route error only on platforms where trivial "already exists" errors
1647  * are filtered out. Currently this is the case on Windows or if usng netlink.
1648  */
1649 #if defined(_WIN32) || defined(ENABLE_SITNL)
1650  else if (flags & ISC_ROUTE_ERRORS)
1651  {
1652  detail = "ROUTE_ERROR";
1653  }
1654 #endif
1655 
1656  CLEAR(local);
1657  actual = &get_link_socket_info(c)->lsa->actual;
1658  remote = actual->dest;
1659  getsockname(c->c2.link_sockets[0]->sd, &local.addr.sa, &sa_len);
1660 #if ENABLE_IP_PKTINFO
1661  if (!addr_defined(&local))
1662  {
1663  switch (local.addr.sa.sa_family)
1664  {
1665  case AF_INET:
1666 #if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST)
1667  local.addr.in4.sin_addr = actual->pi.in4.ipi_spec_dst;
1668 #else
1669  local.addr.in4.sin_addr = actual->pi.in4;
1670 #endif
1671  break;
1672 
1673  case AF_INET6:
1674  local.addr.in6.sin6_addr = actual->pi.in6.ipi6_addr;
1675  break;
1676  }
1677  }
1678 #endif
1679 
1680  if (c->c1.tuntap)
1681  {
1682  tun_local = &c->c1.tuntap->local;
1683  tun_local6 = &c->c1.tuntap->local_ipv6;
1684  }
1685  management_set_state(management,
1686  OPENVPN_STATE_CONNECTED,
1687  detail,
1688  tun_local,
1689  tun_local6,
1690  &local,
1691  &remote);
1692  if (tun_local)
1693  {
1694  management_post_tunnel_open(management, *tun_local);
1695  }
1696  }
1697 #endif /* ifdef ENABLE_MANAGEMENT */
1698 }
1699 
1704 static bool
1705 route_noexec_enabled(const struct options *o, const struct tuntap *tt)
1706 {
1707  return o->route_noexec
1708  || (tt && tt->backend_driver == DRIVER_AFUNIX)
1709  || (tt && tt->backend_driver == DRIVER_NULL);
1710 }
1711 
1712 /*
1713  * Possibly add routes and/or call route-up script
1714  * based on options.
1715  */
1716 bool
1717 do_route(const struct options *options,
1718  struct route_list *route_list,
1719  struct route_ipv6_list *route_ipv6_list,
1720  const struct tuntap *tt,
1721  const struct plugin_list *plugins,
1722  struct env_set *es,
1723  openvpn_net_ctx_t *ctx)
1724 {
1725  bool ret = true;
1726  if (!route_noexec_enabled(options, tt) && ( route_list || route_ipv6_list ) )
1727  {
1728  ret = add_routes(route_list, route_ipv6_list, tt, ROUTE_OPTION_FLAGS(options),
1729  es, ctx);
1730  setenv_int(es, "redirect_gateway", route_did_redirect_default_gateway(route_list));
1731  }
1732 #ifdef ENABLE_MANAGEMENT
1733  if (management)
1734  {
1735  management_up_down(management, "UP", es);
1736  }
1737 #endif
1738 
1739  if (plugin_defined(plugins, OPENVPN_PLUGIN_ROUTE_UP))
1740  {
1741  if (plugin_call(plugins, OPENVPN_PLUGIN_ROUTE_UP, NULL, NULL, es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
1742  {
1743  msg(M_WARN, "WARNING: route-up plugin call failed");
1744  }
1745  }
1746 
1747  if (options->route_script)
1748  {
1749  struct argv argv = argv_new();
1750  setenv_str(es, "script_type", "route-up");
1751  argv_parse_cmd(&argv, options->route_script);
1752  openvpn_run_script(&argv, es, 0, "--route-up");
1753  argv_free(&argv);
1754  }
1755 
1756 #ifdef _WIN32
1757  if (options->show_net_up)
1758  {
1759  show_routes(M_INFO|M_NOPREFIX);
1760  show_adapters(M_INFO|M_NOPREFIX);
1761  }
1762  else if (check_debug_level(D_SHOW_NET))
1763  {
1764  show_routes(D_SHOW_NET|M_NOPREFIX);
1765  show_adapters(D_SHOW_NET|M_NOPREFIX);
1766  }
1767 #endif
1768  return ret;
1769 }
1770 
1771 /*
1772  * initialize tun/tap device object
1773  */
1774 static void
1775 do_init_tun(struct context *c)
1776 {
1777  c->c1.tuntap = init_tun(c->options.dev,
1778  c->options.dev_type,
1779  c->options.topology,
1780  c->options.ifconfig_local,
1781  c->options.ifconfig_remote_netmask,
1782  c->options.ifconfig_ipv6_local,
1783  c->options.ifconfig_ipv6_netbits,
1784  c->options.ifconfig_ipv6_remote,
1785  c->c1.link_socket_addrs[0].bind_local,
1786  c->c1.link_socket_addrs[0].remote_list,
1787  !c->options.ifconfig_nowarn,
1788  c->c2.es,
1789  &c->net_ctx,
1790  c->c1.tuntap);
1791 
1792  if (is_tun_afunix(c->options.dev_node))
1793  {
1794  /* Using AF_UNIX trumps using DCO */
1795  c->c1.tuntap->backend_driver = DRIVER_AFUNIX;
1796  }
1797  else if (is_dev_type(c->options.dev, c->options.dev_type, "null"))
1798  {
1799  c->c1.tuntap->backend_driver = DRIVER_NULL;
1800  }
1801 #ifdef _WIN32
1802  else
1803  {
1804  c->c1.tuntap->backend_driver = c->options.windows_driver;
1805  }
1806 #else
1807  else if (dco_enabled(&c->options))
1808  {
1809  c->c1.tuntap->backend_driver = DRIVER_DCO;
1810  }
1811  else
1812  {
1813  c->c1.tuntap->backend_driver = DRIVER_GENERIC_TUNTAP;
1814  }
1815 #endif
1816 
1817  init_tun_post(c->c1.tuntap,
1818  &c->c2.frame,
1819  &c->options.tuntap_options);
1820 
1821  c->c1.tuntap_owned = true;
1822 }
1823 
1824 /*
1825  * Open tun/tap device, ifconfig, call up script, etc.
1826  */
1827 
1828 
1829 static bool
1830 can_preserve_tun(struct tuntap *tt)
1831 {
1832  if (tt && tt->backend_driver == DRIVER_AFUNIX)
1833  {
1834  return false;
1835  }
1836 #ifdef TARGET_ANDROID
1837  return false;
1838 #else
1839  return is_tun_type_set(tt);
1840 #endif
1841 }
1842 
1851 static void
1852 add_wfp_block(struct context *c)
1853 {
1854 #if defined(_WIN32)
1855  /* Fortify 'redirect-gateway block-local' with firewall rules? */
1856  bool block_local = block_local_needed(c->c1.route_list);
1857 
1858  if (c->options.block_outside_dns || block_local)
1859  {
1860  BOOL dns_only = !block_local;
1861  if (!win_wfp_block(c->c1.tuntap->adapter_index, c->options.msg_channel, dns_only))
1862  {
1863  msg(M_FATAL, "WFP: initialization failed");
1864  }
1865  }
1866 #endif
1867 }
1868 
1877 static void
1878 del_wfp_block(struct context *c, unsigned long adapter_index)
1879 {
1880 #if defined(_WIN32)
1881  if (c->options.block_outside_dns || block_local_needed(c->c1.route_list))
1882  {
1883  if (!win_wfp_uninit(adapter_index, c->options.msg_channel))
1884  {
1885  msg(M_FATAL, "WFP: deinitialization failed");
1886  }
1887  }
1888 #endif
1889 }
1890 
1896 static bool
1897 ifconfig_noexec_enabled(const struct context *c)
1898 {
1899  return c->options.ifconfig_noexec
1900  || (c->c1.tuntap && c->c1.tuntap->backend_driver == DRIVER_AFUNIX)
1901  || (c->c1.tuntap && c->c1.tuntap->backend_driver == DRIVER_NULL);
1902 }
1903 
1904 static void
1905 open_tun_backend(struct context *c)
1906 {
1907  struct tuntap *tt = c->c1.tuntap;
1908 
1909  if (tt->backend_driver == DRIVER_NULL)
1910  {
1911  open_tun_null(c->c1.tuntap);
1912  }
1913  else if (tt->backend_driver == DRIVER_AFUNIX)
1914  {
1915  open_tun_afunix(&c->options, c->c2.frame.tun_mtu, tt, c->c2.es);
1916  }
1917  else
1918  {
1919  open_tun(c->options.dev, c->options.dev_type, c->options.dev_node,
1920  tt, &c->net_ctx);
1921  }
1922  msg(M_INFO, "%s device [%s] opened", print_tun_backend_driver(tt->backend_driver), tt->actual_name);
1923 }
1924 
1925 
1926 static bool
1927 do_open_tun(struct context *c, int *error_flags)
1928 {
1929  struct gc_arena gc = gc_new();
1930  bool ret = false;
1931  *error_flags = 0;
1932 
1933  if (!can_preserve_tun(c->c1.tuntap))
1934  {
1935 #ifdef TARGET_ANDROID
1936  /* If we emulate persist-tun on android we still have to open a new tun and
1937  * then close the old */
1938  int oldtunfd = -1;
1939  if (c->c1.tuntap)
1940  {
1941  oldtunfd = c->c1.tuntap->fd;
1942  free(c->c1.tuntap);
1943  c->c1.tuntap = NULL;
1944  c->c1.tuntap_owned = false;
1945  }
1946 #endif
1947 
1948  /* initialize (but do not open) tun/tap object, this also sets
1949  * the backend driver type */
1950  do_init_tun(c);
1951 
1952  /* inherit the dco context from the tuntap object */
1953  if (c->c2.tls_multi)
1954  {
1955  c->c2.tls_multi->dco = &c->c1.tuntap->dco;
1956  }
1957 
1958 #ifdef _WIN32
1959  /* store (hide) interactive service handle in tuntap_options */
1960  c->c1.tuntap->options.msg_channel = c->options.msg_channel;
1961  msg(D_ROUTE, "interactive service msg_channel=%" PRIuPTR,
1962  (intptr_t) c->options.msg_channel);
1963 #endif
1964 
1965  /* allocate route list structure */
1966  do_alloc_route_list(c);
1967 
1968  /* parse and resolve the route option list */
1969  ASSERT(c->c2.link_sockets[0]);
1970  if (c->options.routes && c->c1.route_list)
1971  {
1972  do_init_route_list(&c->options, c->c1.route_list,
1973  &c->c2.link_sockets[0]->info, c->c2.es, &c->net_ctx);
1974  }
1975  if (c->options.routes_ipv6 && c->c1.route_ipv6_list)
1976  {
1977  do_init_route_ipv6_list(&c->options, c->c1.route_ipv6_list,
1978  &c->c2.link_sockets[0]->info, c->c2.es, &c->net_ctx);
1979  }
1980 
1981  /* do ifconfig */
1982  if (!ifconfig_noexec_enabled(c)
1983  && ifconfig_order(c->c1.tuntap) == IFCONFIG_BEFORE_TUN_OPEN)
1984  {
1985  /* guess actual tun/tap unit number that will be returned
1986  * by open_tun */
1987  const char *guess = guess_tuntap_dev(c->options.dev,
1988  c->options.dev_type,
1989  c->options.dev_node,
1990  &gc);
1991  do_ifconfig(c->c1.tuntap, guess, c->c2.frame.tun_mtu, c->c2.es, &c->net_ctx);
1992  }
1993 
1994  /* possibly add routes */
1995  if (route_order(c->c1.tuntap) == ROUTE_BEFORE_TUN)
1996  {
1997  /* Ignore route_delay, would cause ROUTE_BEFORE_TUN to be ignored */
1998  bool status = do_route(&c->options, c->c1.route_list, c->c1.route_ipv6_list,
1999  c->c1.tuntap, c->plugins, c->c2.es, &c->net_ctx);
2000  *error_flags |= (status ? 0 : ISC_ROUTE_ERRORS);
2001  }
2002 #ifdef TARGET_ANDROID
2003  /* Store the old fd inside the fd so open_tun can use it */
2004  c->c1.tuntap->fd = oldtunfd;
2005 #endif
2006 
2007  if (dco_enabled(&c->options))
2008  {
2009  ovpn_dco_init(c->mode, &c->c1.tuntap->dco, c->options.dev_node);
2010  }
2011 
2012  /* open the tun device */
2013  open_tun_backend(c);
2014 
2015  /* set the hardware address */
2016  if (c->options.lladdr)
2017  {
2018  set_lladdr(&c->net_ctx, c->c1.tuntap->actual_name, c->options.lladdr, c->c2.es);
2019  }
2020 
2021  /* do ifconfig */
2022  if (!ifconfig_noexec_enabled(c)
2023  && ifconfig_order(c->c1.tuntap) == IFCONFIG_AFTER_TUN_OPEN)
2024  {
2025  do_ifconfig(c->c1.tuntap, c->c1.tuntap->actual_name,
2026  c->c2.frame.tun_mtu, c->c2.es, &c->net_ctx);
2027  }
2028 
2029  /* run the up script */
2030  run_up_down(c->options.up_script,
2031  c->plugins,
2032  OPENVPN_PLUGIN_UP,
2033  c->c1.tuntap->actual_name,
2034 #ifdef _WIN32
2035  c->c1.tuntap->adapter_index,
2036 #endif
2037  dev_type_string(c->options.dev, c->options.dev_type),
2038  c->c2.frame.tun_mtu,
2039  print_in_addr_t(c->c1.tuntap->local, IA_EMPTY_IF_UNDEF, &gc),
2040  print_in_addr_t(c->c1.tuntap->remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
2041  "init",
2042  NULL,
2043  "up",
2044  c->c2.es);
2045 
2046  add_wfp_block(c);
2047 
2048  /* possibly add routes */
2049  if ((route_order(c->c1.tuntap) == ROUTE_AFTER_TUN) && (!c->options.route_delay_defined))
2050  {
2051  int status = do_route(&c->options, c->c1.route_list, c->c1.route_ipv6_list,
2052  c->c1.tuntap, c->plugins, c->c2.es, &c->net_ctx);
2053  *error_flags |= (status ? 0 : ISC_ROUTE_ERRORS);
2054  }
2055 
2056  ret = true;
2057  static_context = c;
2058  }
2059  else
2060  {
2061  msg(M_INFO, "Preserving previous TUN/TAP instance: %s",
2062  c->c1.tuntap->actual_name);
2063 
2064  /* explicitly set the ifconfig_* env vars */
2065  do_ifconfig_setenv(c->c1.tuntap, c->c2.es);
2066 
2067  /* run the up script if user specified --up-restart */
2068  if (c->options.up_restart)
2069  {
2070  run_up_down(c->options.up_script,
2071  c->plugins,
2072  OPENVPN_PLUGIN_UP,
2073  c->c1.tuntap->actual_name,
2074 #ifdef _WIN32
2075  c->c1.tuntap->adapter_index,
2076 #endif
2077  dev_type_string(c->options.dev, c->options.dev_type),
2078  c->c2.frame.tun_mtu,
2079  print_in_addr_t(c->c1.tuntap->local, IA_EMPTY_IF_UNDEF, &gc),
2080  print_in_addr_t(c->c1.tuntap->remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
2081  "restart",
2082  NULL,
2083  "up",
2084  c->c2.es);
2085  }
2086 
2087  add_wfp_block(c);
2088  }
2089  gc_free(&gc);
2090  return ret;
2091 }
2092 
2093 /*
2094  * Close TUN/TAP device
2095  */
2096 
2097 static void
2098 do_close_tun_simple(struct context *c)
2099 {
2100  msg(D_CLOSE, "Closing %s interface",
2101  print_tun_backend_driver(c->c1.tuntap->backend_driver));
2102 
2103  if (c->c1.tuntap)
2104  {
2105  if (!ifconfig_noexec_enabled(c))
2106  {
2107  undo_ifconfig(c->c1.tuntap, &c->net_ctx);
2108  }
2109  if (c->c1.tuntap->backend_driver == DRIVER_AFUNIX)
2110  {
2111  close_tun_afunix(c->c1.tuntap);
2112  }
2113  else if (c->c1.tuntap->backend_driver == DRIVER_NULL)
2114  {
2115  free(c->c1.tuntap->actual_name);
2116  free(c->c1.tuntap);
2117  }
2118  else
2119  {
2120  close_tun(c->c1.tuntap, &c->net_ctx);
2121  }
2122  c->c1.tuntap = NULL;
2123  }
2124  c->c1.tuntap_owned = false;
2125  CLEAR(c->c1.pulled_options_digest_save);
2126 }
2127 
2128 static void
2129 do_close_tun(struct context *c, bool force)
2130 {
2131  /* With dco-win we open tun handle in the very beginning.
2132  * In case when tun wasn't opened - like we haven't connected,
2133  * we still need to close tun handle
2134  */
2135  if (tuntap_is_dco_win(c->c1.tuntap) && !is_tun_type_set(c->c1.tuntap))
2136  {
2137  do_close_tun_simple(c);
2138  return;
2139  }
2140 
2141  if (!c->c1.tuntap || !c->c1.tuntap_owned)
2142  {
2143  return;
2144  }
2145 
2146  struct gc_arena gc = gc_new();
2147  const char *tuntap_actual = string_alloc(c->c1.tuntap->actual_name, &gc);
2148  const in_addr_t local = c->c1.tuntap->local;
2149  const in_addr_t remote_netmask = c->c1.tuntap->remote_netmask;
2150  unsigned long adapter_index = 0;
2151 #ifdef _WIN32
2152  adapter_index = c->c1.tuntap->adapter_index;
2153 #endif
2154 
2155  if (force || !(c->sig->signal_received == SIGUSR1 && c->options.persist_tun))
2156  {
2157  static_context = NULL;
2158 
2159 #ifdef ENABLE_MANAGEMENT
2160  /* tell management layer we are about to close the TUN/TAP device */
2161  if (management)
2162  {
2163  management_pre_tunnel_close(management);
2164  management_up_down(management, "DOWN", c->c2.es);
2165  }
2166 #endif
2167 
2168  /* delete any routes we added */
2169  if (c->c1.route_list || c->c1.route_ipv6_list)
2170  {
2171  run_up_down(c->options.route_predown_script,
2172  c->plugins,
2173  OPENVPN_PLUGIN_ROUTE_PREDOWN,
2174  tuntap_actual,
2175 #ifdef _WIN32
2176  adapter_index,
2177 #endif
2178  NULL,
2179  c->c2.frame.tun_mtu,
2180  print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc),
2181  print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
2182  "init",
2183  signal_description(c->sig->signal_received,
2184  c->sig->signal_text),
2185  "route-pre-down",
2186  c->c2.es);
2187 
2188  delete_routes(c->c1.route_list, c->c1.route_ipv6_list,
2189  c->c1.tuntap, ROUTE_OPTION_FLAGS(&c->options),
2190  c->c2.es, &c->net_ctx);
2191  }
2192 
2193  /* actually close tun/tap device based on --down-pre flag */
2194  if (!c->options.down_pre)
2195  {
2196  do_close_tun_simple(c);
2197  }
2198 
2199  /* Run the down script -- note that it will run at reduced
2200  * privilege if, for example, "--user" was used. */
2201  run_up_down(c->options.down_script,
2202  c->plugins,
2203  OPENVPN_PLUGIN_DOWN,
2204  tuntap_actual,
2205 #ifdef _WIN32
2206  adapter_index,
2207 #endif
2208  NULL,
2209  c->c2.frame.tun_mtu,
2210  print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc),
2211  print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
2212  "init",
2213  signal_description(c->sig->signal_received,
2214  c->sig->signal_text),
2215  "down",
2216  c->c2.es);
2217 
2218  del_wfp_block(c, adapter_index);
2219 
2220  /* actually close tun/tap device based on --down-pre flag */
2221  if (c->options.down_pre)
2222  {
2223  do_close_tun_simple(c);
2224  }
2225  }
2226  else
2227  {
2228  /* run the down script on this restart if --up-restart was specified */
2229  if (c->options.up_restart)
2230  {
2231  run_up_down(c->options.down_script,
2232  c->plugins,
2233  OPENVPN_PLUGIN_DOWN,
2234  tuntap_actual,
2235 #ifdef _WIN32
2236  adapter_index,
2237 #endif
2238  NULL,
2239  c->c2.frame.tun_mtu,
2240  print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc),
2241  print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
2242  "restart",
2243  signal_description(c->sig->signal_received,
2244  c->sig->signal_text),
2245  "down",
2246  c->c2.es);
2247  }
2248 
2249  del_wfp_block(c, adapter_index);
2250  }
2251  gc_free(&gc);
2252 }
2253 
2254 void
2255 tun_abort(void)
2256 {
2257  struct context *c = static_context;
2258  if (c)
2259  {
2260  static_context = NULL;
2261  do_close_tun(c, true);
2262  }
2263 }
2264 
2265 /*
2266  * Handle delayed tun/tap interface bringup due to --up-delay or --pull
2267  */
2268 
2273 static bool
2274 options_hash_changed_or_zero(const struct sha256_digest *a,
2275  const struct sha256_digest *b)
2276 {
2277  const struct sha256_digest zero = {{0}};
2278  return memcmp(a, b, sizeof(struct sha256_digest))
2279  || !memcmp(a, &zero, sizeof(struct sha256_digest));
2280 }
2281 
2287 static void
2288 add_delim_if_non_empty(struct buffer *buf, const char *header)
2289 {
2290  if (buf_len(buf) > strlen(header))
2291  {
2292  buf_printf(buf, ", ");
2293  }
2294 }
2295 
2296 
2301 static void
2302 tls_print_deferred_options_results(struct context *c)
2303 {
2304  struct options *o = &c->options;
2305 
2306  struct buffer out;
2307  uint8_t line[1024] = { 0 };
2308  buf_set_write(&out, line, sizeof(line));
2309 
2310 
2311  if (cipher_kt_mode_aead(o->ciphername))
2312  {
2313  buf_printf(&out, "Data Channel: cipher '%s'",
2314  cipher_kt_name(o->ciphername));
2315  }
2316  else
2317  {
2318  buf_printf(&out, "Data Channel: cipher '%s', auth '%s'",
2319  cipher_kt_name(o->ciphername), md_kt_name(o->authname));
2320  }
2321 
2322  if (o->use_peer_id)
2323  {
2324  buf_printf(&out, ", peer-id: %d", o->peer_id);
2325  }
2326 
2327 #ifdef USE_COMP
2328  if (c->c2.comp_context)
2329  {
2330  buf_printf(&out, ", compression: '%s'", c->c2.comp_context->alg.name);
2331  }
2332 #endif
2333 
2334  msg(D_HANDSHAKE, "%s", BSTR(&out));
2335 
2336  buf_clear(&out);
2337 
2338  const char *header = "Timers: ";
2339 
2340  buf_printf(&out, "%s", header);
2341 
2342  if (o->ping_send_timeout)
2343  {
2344  buf_printf(&out, "ping %d", o->ping_send_timeout);
2345  }
2346 
2347  if (o->ping_rec_timeout_action != PING_UNDEF)
2348  {
2349  /* yes unidirectional ping is possible .... */
2350  add_delim_if_non_empty(&out, header);
2351 
2352  if (o->ping_rec_timeout_action == PING_EXIT)
2353  {
2354  buf_printf(&out, "ping-exit %d", o->ping_rec_timeout);
2355  }
2356  else
2357  {
2358  buf_printf(&out, "ping-restart %d", o->ping_rec_timeout);
2359  }
2360  }
2361 
2362  if (o->inactivity_timeout)
2363  {
2364  add_delim_if_non_empty(&out, header);
2365 
2366  buf_printf(&out, "inactive %d", o->inactivity_timeout);
2367  if (o->inactivity_minimum_bytes)
2368  {
2369  buf_printf(&out, " %" PRIu64, o->inactivity_minimum_bytes);
2370  }
2371  }
2372 
2373  if (o->session_timeout)
2374  {
2375  add_delim_if_non_empty(&out, header);
2376  buf_printf(&out, "session-timeout %d", o->session_timeout);
2377  }
2378 
2379  if (buf_len(&out) > strlen(header))
2380  {
2381  msg(D_HANDSHAKE, "%s", BSTR(&out));
2382  }
2383 
2384  buf_clear(&out);
2385  header = "Protocol options: ";
2386  buf_printf(&out, "%s", header);
2387 
2388  if (c->options.ce.explicit_exit_notification)
2389  {
2390  buf_printf(&out, "explicit-exit-notify %d",
2391  c->options.ce.explicit_exit_notification);
2392  }
2393  if (c->options.imported_protocol_flags)
2394  {
2395  add_delim_if_non_empty(&out, header);
2396 
2397  buf_printf(&out, "protocol-flags");
2398 
2399  if (o->imported_protocol_flags & CO_USE_CC_EXIT_NOTIFY)
2400  {
2401  buf_printf(&out, " cc-exit");
2402  }
2403  if (o->imported_protocol_flags & CO_USE_TLS_KEY_MATERIAL_EXPORT)
2404  {
2405  buf_printf(&out, " tls-ekm");
2406  }
2407  if (o->imported_protocol_flags & CO_USE_DYNAMIC_TLS_CRYPT)
2408  {
2409  buf_printf(&out, " dyn-tls-crypt");
2410  }
2411  if (o->imported_protocol_flags & CO_EPOCH_DATA_KEY_FORMAT)
2412  {
2413  buf_printf(&out, " aead-epoch");
2414  }
2415  }
2416 
2417  if (buf_len(&out) > strlen(header))
2418  {
2419  msg(D_HANDSHAKE, "%s", BSTR(&out));
2420  }
2421 }
2422 
2423 
2431 static bool
2432 do_deferred_options_part2(struct context *c)
2433 {
2434  struct frame *frame_fragment = NULL;
2435 #ifdef ENABLE_FRAGMENT
2436  if (c->options.ce.fragment)
2437  {
2438  frame_fragment = &c->c2.frame_fragment;
2439  }
2440 #endif
2441 
2442  struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE];
2443  if (!tls_session_update_crypto_params(c->c2.tls_multi, session,
2444  &c->options, &c->c2.frame,
2445  frame_fragment,
2446  get_link_socket_info(c),
2447  &c->c1.tuntap->dco))
2448  {
2449  msg(D_TLS_ERRORS, "OPTIONS ERROR: failed to import crypto options");
2450  return false;
2451  }
2452 
2453  return true;
2454 }
2455 
2456 bool
2457 do_up(struct context *c, bool pulled_options, unsigned int option_types_found)
2458 {
2459  int error_flags = 0;
2460  if (!c->c2.do_up_ran)
2461  {
2462  reset_coarse_timers(c);
2463 
2464  if (pulled_options)
2465  {
2466  if (!do_deferred_options(c, option_types_found))
2467  {
2468  msg(D_PUSH_ERRORS, "ERROR: Failed to apply push options");
2469  return false;
2470  }
2471  }
2472 
2473  /* if --up-delay specified, open tun, do ifconfig, and run up script now */
2474  if (c->options.up_delay || PULL_DEFINED(&c->options))
2475  {
2476  c->c2.did_open_tun = do_open_tun(c, &error_flags);
2477  update_time();
2478 
2479  /*
2480  * Was tun interface object persisted from previous restart iteration,
2481  * and if so did pulled options string change from previous iteration?
2482  */
2483  if (!c->c2.did_open_tun
2484  && PULL_DEFINED(&c->options)
2485  && c->c1.tuntap
2486  && options_hash_changed_or_zero(&c->c1.pulled_options_digest_save,
2487  &c->c2.pulled_options_digest))
2488  {
2489  /* if so, close tun, delete routes, then reinitialize tun and add routes */
2490  msg(M_INFO, "NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.");
2491 
2492  bool tt_dco_win = tuntap_is_dco_win(c->c1.tuntap);
2493  do_close_tun(c, true);
2494 
2495  if (tt_dco_win)
2496  {
2497  msg(M_NONFATAL, "dco-win doesn't yet support reopening TUN device");
2498  /* prevent link_socket_close() from closing handle with WinSock API */
2499  c->c2.link_sockets[0]->sd = SOCKET_UNDEFINED;
2500  return false;
2501  }
2502  else
2503  {
2504  management_sleep(1);
2505  c->c2.did_open_tun = do_open_tun(c, &error_flags);
2506  update_time();
2507  }
2508  }
2509  }
2510  }
2511 
2512  /* This part needs to be run in p2p mode (without pull) when the client
2513  * reconnects to setup various things (like DCO and NCP cipher) that
2514  * might have changed from the previous connection.
2515  */
2516  if (!c->c2.do_up_ran || (c->c2.tls_multi && c->c2.tls_multi->multi_state == CAS_RECONNECT_PENDING))
2517  {
2518  if (c->mode == MODE_POINT_TO_POINT)
2519  {
2520  /* ovpn-dco requires adding the peer now, before any option can be set,
2521  * but *after* having parsed the pushed peer-id in do_deferred_options()
2522  */
2523  int ret = dco_p2p_add_new_peer(c);
2524  if (ret < 0)
2525  {
2526  msg(D_DCO, "Cannot add peer to DCO: %s (%d)", strerror(-ret), ret);
2527  return false;
2528  }
2529  }
2530 
2531  /* do_deferred_options_part2() and do_deferred_p2p_ncp() *must* be
2532  * invoked after open_tun().
2533  * This is required by DCO because we must have created the interface
2534  * and added the peer before we can fiddle with the keys or any other
2535  * data channel per-peer setting.
2536  */
2537  if (pulled_options)
2538  {
2539  if (!do_deferred_options_part2(c))
2540  {
2541  return false;
2542  }
2543  }
2544  else
2545  {
2546  if (c->mode == MODE_POINT_TO_POINT)
2547  {
2548  if (!do_deferred_p2p_ncp(c))
2549  {
2550  msg(D_TLS_ERRORS, "ERROR: Failed to apply P2P negotiated protocol options");
2551  return false;
2552  }
2553  }
2554  }
2555 
2556  if (c->c2.did_open_tun)
2557  {
2558  c->c1.pulled_options_digest_save = c->c2.pulled_options_digest;
2559 
2560  /* if --route-delay was specified, start timer */
2561  if ((route_order(c->c1.tuntap) == ROUTE_AFTER_TUN) && c->options.route_delay_defined)
2562  {
2563  event_timeout_init(&c->c2.route_wakeup, c->options.route_delay, now);
2564  event_timeout_init(&c->c2.route_wakeup_expire, c->options.route_delay + c->options.route_delay_window, now);
2565  tun_standby_init(c->c1.tuntap);
2566  }
2567  else
2568  {
2569  initialization_sequence_completed(c, error_flags); /* client/p2p --route-delay undefined */
2570  }
2571  }
2572  else if (c->options.mode == MODE_POINT_TO_POINT)
2573  {
2574  initialization_sequence_completed(c, error_flags); /* client/p2p restart with --persist-tun */
2575  }
2576 
2577  tls_print_deferred_options_results(c);
2578 
2579  c->c2.do_up_ran = true;
2580  if (c->c2.tls_multi)
2581  {
2582  c->c2.tls_multi->multi_state = CAS_CONNECT_DONE;
2583  }
2584  }
2585  return true;
2586 }
2587 
2588 /*
2589  * These are the option categories which will be accepted by pull.
2590  */
2591 unsigned int
2592 pull_permission_mask(const struct context *c)
2593 {
2594  unsigned int flags =
2595  OPT_P_UP
2596  | OPT_P_ROUTE_EXTRAS
2597  | OPT_P_SOCKBUF
2598  | OPT_P_SOCKFLAGS
2599  | OPT_P_SETENV
2600  | OPT_P_SHAPER
2601  | OPT_P_TIMER
2602  | OPT_P_COMP
2603  | OPT_P_PERSIST
2604  | OPT_P_MESSAGES
2605  | OPT_P_EXPLICIT_NOTIFY
2606  | OPT_P_ECHO
2607  | OPT_P_PULL_MODE
2608  | OPT_P_PEER_ID
2609  | OPT_P_NCP
2610  | OPT_P_PUSH_MTU;
2611 
2612  if (!c->options.route_nopull)
2613  {
2614  flags |= (OPT_P_ROUTE | OPT_P_DHCPDNS);
2615  }
2616 
2617  return flags;
2618 }
2619 
2620 static bool
2621 do_deferred_p2p_ncp(struct context *c)
2622 {
2623  if (!c->c2.tls_multi)
2624  {
2625  return true;
2626  }
2627 
2628  c->options.use_peer_id = c->c2.tls_multi->use_peer_id;
2629 
2630  struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE];
2631 
2632  const char *ncp_cipher = get_p2p_ncp_cipher(session, c->c2.tls_multi->peer_info,
2633  &c->options.gc);
2634 
2635  if (ncp_cipher)
2636  {
2637  c->options.ciphername = ncp_cipher;
2638  }
2639  else if (!c->options.enable_ncp_fallback)
2640  {
2641  msg(D_TLS_ERRORS, "ERROR: failed to negotiate cipher with peer and "
2642  "--data-ciphers-fallback not enabled. No usable "
2643  "data channel cipher");
2644  return false;
2645  }
2646 
2647  struct frame *frame_fragment = NULL;
2648 #ifdef ENABLE_FRAGMENT
2649  if (c->options.ce.fragment)
2650  {
2651  frame_fragment = &c->c2.frame_fragment;
2652  }
2653 #endif
2654 
2655  if (!tls_session_update_crypto_params(c->c2.tls_multi, session, &c->options,
2656  &c->c2.frame, frame_fragment,
2657  get_link_socket_info(c),
2658  &c->c1.tuntap->dco))
2659  {
2660  msg(D_TLS_ERRORS, "ERROR: failed to set crypto cipher");
2661  return false;
2662  }
2663  return true;
2664 }
2665 
2666 /*
2667  * Handle non-tun-related pulled options.
2668  */
2669 bool
2670 do_deferred_options(struct context *c, const unsigned int found)
2671 {
2672  if (found & OPT_P_MESSAGES)
2673  {
2674  init_verb_mute(c, IVM_LEVEL_1|IVM_LEVEL_2);
2675  msg(D_PUSH, "OPTIONS IMPORT: --verb and/or --mute level changed");
2676  }
2677  if (found & OPT_P_TIMER)
2678  {
2679  do_init_timers(c, true);
2680  msg(D_PUSH_DEBUG, "OPTIONS IMPORT: timers and/or timeouts modified");
2681  }
2682 
2683  if (found & OPT_P_EXPLICIT_NOTIFY)
2684  {
2685  /* Client side, so just check the first link_socket */
2686  if (!proto_is_udp(c->c2.link_sockets[0]->info.proto)
2687  && c->options.ce.explicit_exit_notification)
2688  {
2689  msg(D_PUSH, "OPTIONS IMPORT: --explicit-exit-notify can only be used with --proto udp");
2690  c->options.ce.explicit_exit_notification = 0;
2691  }
2692  else
2693  {
2694  msg(D_PUSH_DEBUG, "OPTIONS IMPORT: explicit notify parm(s) modified");
2695  }
2696  }
2697 
2698  if (found & OPT_P_COMP)
2699  {
2700  if (!check_compression_settings_valid(&c->options.comp, D_PUSH_ERRORS))
2701  {
2702  msg(D_PUSH_ERRORS, "OPTIONS ERROR: server pushed compression "
2703  "settings that are not allowed and will result "
2704  "in a non-working connection. "
2705  "See also allow-compression in the manual.");
2706  return false;
2707  }
2708 #ifdef USE_COMP
2709  msg(D_PUSH_DEBUG, "OPTIONS IMPORT: compression parms modified");
2710  comp_uninit(c->c2.comp_context);
2711  c->c2.comp_context = comp_init(&c->options.comp);
2712 #endif
2713  }
2714 
2715  if (found & OPT_P_SHAPER)
2716  {
2717  msg(D_PUSH, "OPTIONS IMPORT: traffic shaper enabled");
2718  do_init_traffic_shaper(c);
2719  }
2720 
2721  if (found & OPT_P_SOCKBUF)
2722  {
2723  msg(D_PUSH, "OPTIONS IMPORT: --sndbuf/--rcvbuf options modified");
2724 
2725  for (int i = 0; i < c->c1.link_sockets_num; i++)
2726  {
2727  link_socket_update_buffer_sizes(c->c2.link_sockets[i],
2728  c->options.rcvbuf,
2729  c->options.sndbuf);
2730  }
2731  }
2732 
2733  if (found & OPT_P_SOCKFLAGS)
2734  {
2735  msg(D_PUSH, "OPTIONS IMPORT: --socket-flags option modified");
2736  for (int i = 0; i < c->c1.link_sockets_num; i++)
2737  {
2738  link_socket_update_flags(c->c2.link_sockets[i],
2739  c->options.sockflags);
2740  }
2741  }
2742 
2743  if (found & OPT_P_PERSIST)
2744  {
2745  msg(D_PUSH, "OPTIONS IMPORT: --persist options modified");
2746  }
2747  if (found & OPT_P_UP)
2748  {
2749  msg(D_PUSH, "OPTIONS IMPORT: --ifconfig/up options modified");
2750  }
2751  if (found & OPT_P_ROUTE)
2752  {
2753  msg(D_PUSH, "OPTIONS IMPORT: route options modified");
2754  }
2755  if (found & OPT_P_ROUTE_EXTRAS)
2756  {
2757  msg(D_PUSH, "OPTIONS IMPORT: route-related options modified");
2758  }
2759  if (found & OPT_P_DHCPDNS)
2760  {
2761  msg(D_PUSH, "OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified");
2762  }
2763  if (found & OPT_P_SETENV)
2764  {
2765  msg(D_PUSH, "OPTIONS IMPORT: environment modified");
2766  }
2767 
2768  if (found & OPT_P_PEER_ID)
2769  {
2770  msg(D_PUSH_DEBUG, "OPTIONS IMPORT: peer-id set");
2771  c->c2.tls_multi->use_peer_id = true;
2772  c->c2.tls_multi->peer_id = c->options.peer_id;
2773  }
2774 
2775  /* process (potentially) pushed options */
2776  if (c->options.pull)
2777  {
2778  if (!check_pull_client_ncp(c, found))
2779  {
2780  return false;
2781  }
2782 
2783  /* Check if pushed options are compatible with DCO, if enabled */
2784  if (dco_enabled(&c->options)
2785  && !dco_check_pull_options(D_PUSH_ERRORS, &c->options))
2786  {
2787  msg(D_PUSH_ERRORS, "OPTIONS ERROR: pushed options are incompatible "
2788  "with data channel offload. Use --disable-dco to connect to "
2789  "this server");
2790  return false;
2791  }
2792  }
2793 
2794  /* Ensure that for epoch data format is only enabled if also data v2
2795  * is enabled */
2796  bool epoch_data = (c->options.imported_protocol_flags & CO_EPOCH_DATA_KEY_FORMAT);
2797  bool datav2_enabled = (c->options.peer_id >= 0 && c->options.peer_id < MAX_PEER_ID);
2798 
2799  if (epoch_data && !datav2_enabled)
2800  {
2801  msg(D_PUSH_ERRORS, "OPTIONS ERROR: Epoch key data format tag requires "
2802  "data v2 (peer-id) to be enabled.");
2803  return false;
2804  }
2805 
2806 
2807  if (found & OPT_P_PUSH_MTU)
2808  {
2809  /* MTU has changed, check that the pushed MTU is small enough to
2810  * be able to change it */
2811  msg(D_PUSH, "OPTIONS IMPORT: tun-mtu set to %d", c->options.ce.tun_mtu);
2812 
2813  struct frame *frame = &c->c2.frame;
2814 
2815  if (c->options.ce.tun_mtu > frame->tun_max_mtu)
2816  {
2817  msg(D_PUSH_ERRORS, "Server-pushed tun-mtu is too large, please add "
2818  "tun-mtu-max %d in the client configuration",
2819  c->options.ce.tun_mtu);
2820  }
2821  frame->tun_mtu = min_int(frame->tun_max_mtu, c->options.ce.tun_mtu);
2822  }
2823 
2824  return true;
2825 }
2826 
2827 /*
2828  * Possible hold on initialization, holdtime is the
2829  * time OpenVPN would wait without management
2830  */
2831 static bool
2832 do_hold(int holdtime)
2833 {
2834 #ifdef ENABLE_MANAGEMENT
2835  if (management)
2836  {
2837  /* block until management hold is released */
2838  if (management_hold(management, holdtime))
2839  {
2840  return true;
2841  }
2842  }
2843 #endif
2844  return false;
2845 }
2846 
2847 /*
2848  * Sleep before restart.
2849  */
2850 static void
2851 socket_restart_pause(struct context *c)
2852 {
2853  int sec = 2;
2854  int backoff = 0;
2855 
2856  switch (c->mode)
2857  {
2858  case CM_TOP:
2859  sec = 1;
2860  break;
2861 
2862  case CM_CHILD_UDP:
2863  case CM_CHILD_TCP:
2864  sec = c->options.ce.connect_retry_seconds;
2865  break;
2866  }
2867 
2868 #ifdef ENABLE_DEBUG
2869  if (GREMLIN_CONNECTION_FLOOD_LEVEL(c->options.gremlin))
2870  {
2871  sec = 0;
2872  }
2873 #endif
2874 
2875  if (auth_retry_get() == AR_NOINTERACT)
2876  {
2877  sec = 10;
2878  }
2879 
2880  /* Slow down reconnection after 5 retries per remote -- for TCP client or UDP tls-client only */
2881  if (c->mode == CM_CHILD_TCP
2882  || (c->options.ce.proto == PROTO_UDP && c->options.tls_client))
2883  {
2884  backoff = (c->options.unsuccessful_attempts / c->options.connection_list->len) - 4;
2885  if (backoff > 0)
2886  {
2887  /* sec is less than 2^16; we can left shift it by up to 15 bits without overflow */
2888  sec = max_int(sec, 1) << min_int(backoff, 15);
2889  }
2890  if (c->options.server_backoff_time)
2891  {
2892  sec = max_int(sec, c->options.server_backoff_time);
2893  c->options.server_backoff_time = 0;
2894  }
2895 
2896  if (sec > c->options.ce.connect_retry_seconds_max)
2897  {
2898  sec = c->options.ce.connect_retry_seconds_max;
2899  }
2900  }
2901 
2902  if (c->persist.restart_sleep_seconds > 0 && c->persist.restart_sleep_seconds > sec)
2903  {
2904  sec = c->persist.restart_sleep_seconds;
2905  }
2906  else if (c->persist.restart_sleep_seconds == -1)
2907  {
2908  sec = 0;
2909  }
2910  c->persist.restart_sleep_seconds = 0;
2911 
2912  /* do management hold on context restart, i.e. second, third, fourth, etc. initialization */
2913  if (do_hold(sec))
2914  {
2915  sec = 0;
2916  }
2917 
2918  if (sec)
2919  {
2920  msg(D_RESTART, "Restart pause, %d second(s)", sec);
2921  management_sleep(sec);
2922  }
2923 }
2924 
2925 /*
2926  * Do a possible pause on context_2 initialization.
2927  */
2928 static void
2929 do_startup_pause(struct context *c)
2930 {
2931  if (!c->first_time)
2932  {
2933  socket_restart_pause(c);
2934  }
2935  else
2936  {
2937  do_hold(0); /* do management hold on first context initialization */
2938  }
2939 }
2940 
2941 static size_t
2942 get_frame_mtu(struct context *c, const struct options *o)
2943 {
2944  size_t mtu;
2945 
2946  if (o->ce.link_mtu_defined)
2947  {
2948  ASSERT(o->ce.link_mtu_defined);
2949  /* if we have a link mtu defined we calculate what the old code
2950  * would have come up with as tun-mtu */
2951  size_t overhead = frame_calculate_protocol_header_size(&c->c1.ks.key_type,
2952  o, true);
2953  mtu = o->ce.link_mtu - overhead;
2954 
2955  }
2956  else
2957  {
2958  ASSERT(o->ce.tun_mtu_defined);
2959  mtu = o->ce.tun_mtu;
2960  }
2961 
2962  if (mtu < TUN_MTU_MIN)
2963  {
2964  msg(M_WARN, "TUN MTU value (%zu) must be at least %d", mtu, TUN_MTU_MIN);
2965  frame_print(&c->c2.frame, M_FATAL, "MTU is too small");
2966  }
2967  return mtu;
2968 }
2969 
2970 /*
2971  * Finalize MTU parameters based on command line or config file options.
2972  */
2973 static void
2974 frame_finalize_options(struct context *c, const struct options *o)
2975 {
2976  if (!o)
2977  {
2978  o = &c->options;
2979  }
2980 
2981  struct frame *frame = &c->c2.frame;
2982 
2983  frame->tun_mtu = get_frame_mtu(c, o);
2984  frame->tun_max_mtu = o->ce.tun_mtu_max;
2985 
2986  /* max mtu needs to be at least as large as the tun mtu */
2987  frame->tun_max_mtu = max_int(frame->tun_mtu, frame->tun_max_mtu);
2988 
2989  /* We always allow at least 1600 MTU packets to be received in our buffer
2990  * space to allow server to push "baby giant" MTU sizes */
2991  frame->tun_max_mtu = max_int(1600, frame->tun_max_mtu);
2992 
2993  size_t payload_size = frame->tun_max_mtu;
2994 
2995  /* we need to be also large enough to hold larger control channel packets
2996  * if configured */
2997  payload_size = max_int(payload_size, o->ce.tls_mtu);
2998 
2999  /* The extra tun needs to be added to the payload size */
3000  if (o->ce.tun_mtu_defined)
3001  {
3002  payload_size += o->ce.tun_mtu_extra;
3003  }
3004 
3005  /* Add 32 byte of extra space in the buffer to account for small errors
3006  * in the calculation */
3007  payload_size += 32;
3008 
3009 
3010  /* the space that is reserved before the payload to add extra headers to it
3011  * we always reserve the space for the worst case */
3012  size_t headroom = 0;
3013 
3014  /* includes IV and packet ID */
3015  headroom += crypto_max_overhead();
3016 
3017  /* peer id + opcode */
3018  headroom += 4;
3019 
3020  /* socks proxy header */
3021  headroom += 10;
3022 
3023  /* compression header and fragment header (part of the encrypted payload) */
3024  headroom += 1 + 1;
3025 
3026  /* Round up headroom to the next multiple of 4 to ensure alignment */
3027  headroom = (headroom + 3) & ~3;
3028 
3029  /* Add the headroom to the payloadsize as a received (IP) packet can have
3030  * all the extra headers in it */
3031  payload_size += headroom;
3032 
3033  /* the space after the payload, this needs some extra buffer space for
3034  * encryption so headroom is probably too much but we do not really care
3035  * the few extra bytes */
3036  size_t tailroom = headroom;
3037 
3038 #ifdef USE_COMP
3039  msg(D_MTU_DEBUG, "MTU: adding %zu buffer tailroom for compression for %zu "
3040  "bytes of payload",
3041  COMP_EXTRA_BUFFER(payload_size), payload_size);
3042  tailroom += COMP_EXTRA_BUFFER(payload_size);
3043 #endif
3044 
3045  frame->buf.payload_size = payload_size;
3046  frame->buf.headroom = headroom;
3047  frame->buf.tailroom = tailroom;
3048 }
3049 
3050 /*
3051  * Free a key schedule, including OpenSSL components.
3052  */
3053 static void
3054 key_schedule_free(struct key_schedule *ks, bool free_ssl_ctx)
3055 {
3056  free_key_ctx_bi(&ks->static_key);
3057  if (tls_ctx_initialised(&ks->ssl_ctx) && free_ssl_ctx)
3058  {
3059  tls_ctx_free(&ks->ssl_ctx);
3060  free_key_ctx(&ks->auth_token_key);
3061  }
3062  CLEAR(*ks);
3063 }
3064 
3065 static void
3066 init_crypto_pre(struct context *c, const unsigned int flags)
3067 {
3068  if (c->options.engine)
3069  {
3070  crypto_init_lib_engine(c->options.engine);
3071  }
3072 
3073  if (flags & CF_LOAD_PERSISTED_PACKET_ID)
3074  {
3075  /* load a persisted packet-id for cross-session replay-protection */
3076  if (c->options.packet_id_file)
3077  {
3078  packet_id_persist_load(&c->c1.pid_persist, c->options.packet_id_file);
3079  }
3080  }
3081 
3082 #ifdef ENABLE_PREDICTION_RESISTANCE
3083  if (c->options.use_prediction_resistance)
3084  {
3085  rand_ctx_enable_prediction_resistance();
3086  }
3087 #endif
3088 }
3089 
3090 /*
3091  * Static Key Mode (using a pre-shared key)
3092  */
3093 static void
3094 do_init_crypto_static(struct context *c, const unsigned int flags)
3095 {
3096  const struct options *options = &c->options;
3097  ASSERT(options->shared_secret_file);
3098 
3099  init_crypto_pre(c, flags);
3100 
3101  /* Initialize flags */
3102  if (c->options.mute_replay_warnings)
3103  {
3104  c->c2.crypto_options.flags |= CO_MUTE_REPLAY_WARNINGS;
3105  }
3106 
3107  /* Initialize packet ID tracking */
3108  packet_id_init(&c->c2.crypto_options.packet_id,
3109  options->replay_window,
3110  options->replay_time,
3111  "STATIC", 0);
3112  c->c2.crypto_options.pid_persist = &c->c1.pid_persist;
3113  c->c2.crypto_options.flags |= CO_PACKET_ID_LONG_FORM;
3114  packet_id_persist_load_obj(&c->c1.pid_persist,
3115  &c->c2.crypto_options.packet_id);
3116 
3117  if (!key_ctx_bi_defined(&c->c1.ks.static_key))
3118  {
3119  /* Get cipher & hash algorithms */
3120  init_key_type(&c->c1.ks.key_type, options->ciphername, options->authname,
3121  options->test_crypto, true);
3122 
3123  /* Read cipher and hmac keys from shared secret file */
3124  crypto_read_openvpn_key(&c->c1.ks.key_type, &c->c1.ks.static_key,
3125  options->shared_secret_file,
3126  options->shared_secret_file_inline,
3127  options->key_direction, "Static Key Encryption",
3128  "secret", NULL);
3129  }
3130  else
3131  {
3132  msg(M_INFO, "Re-using pre-shared static key");
3133  }
3134 
3135  /* Get key schedule */
3136  c->c2.crypto_options.key_ctx_bi = c->c1.ks.static_key;
3137 }
3138 
3139 /*
3140  * Initialize the tls-auth/crypt key context
3141  */
3142 static void
3143 do_init_tls_wrap_key(struct context *c)
3144 {
3145  const struct options *options = &c->options;
3146 
3147  /* TLS handshake authentication (--tls-auth) */
3148  if (options->ce.tls_auth_file)
3149  {
3150  /* Initialize key_type for tls-auth with auth only */
3151  CLEAR(c->c1.ks.tls_auth_key_type);
3152  c->c1.ks.tls_auth_key_type.cipher = "none";
3153  c->c1.ks.tls_auth_key_type.digest = options->authname;
3154  if (!md_valid(options->authname))
3155  {
3156  msg(M_FATAL, "ERROR: tls-auth enabled, but no valid --auth "
3157  "algorithm specified ('%s')", options->authname);
3158  }
3159 
3160  crypto_read_openvpn_key(&c->c1.ks.tls_auth_key_type,
3161  &c->c1.ks.tls_wrap_key,
3162  options->ce.tls_auth_file,
3163  options->ce.tls_auth_file_inline,
3164  options->ce.key_direction,
3165  "Control Channel Authentication", "tls-auth",
3166  &c->c1.ks.original_wrap_keydata);
3167  }
3168 
3169  /* TLS handshake encryption+authentication (--tls-crypt) */
3170  if (options->ce.tls_crypt_file)
3171  {
3172  tls_crypt_init_key(&c->c1.ks.tls_wrap_key,
3173  &c->c1.ks.original_wrap_keydata,
3174  options->ce.tls_crypt_file,
3175  options->ce.tls_crypt_file_inline,
3176  options->tls_server);
3177  }
3178 
3179  /* tls-crypt with client-specific keys (--tls-crypt-v2) */
3180  if (options->ce.tls_crypt_v2_file)
3181  {
3182  if (options->tls_server)
3183  {
3184  tls_crypt_v2_init_server_key(&c->c1.ks.tls_crypt_v2_server_key,
3185  true, options->ce.tls_crypt_v2_file,
3186  options->ce.tls_crypt_v2_file_inline);
3187  }
3188  else
3189  {
3190  tls_crypt_v2_init_client_key(&c->c1.ks.tls_wrap_key,
3191  &c->c1.ks.original_wrap_keydata,
3192  &c->c1.ks.tls_crypt_v2_wkc,
3193  options->ce.tls_crypt_v2_file,
3194  options->ce.tls_crypt_v2_file_inline);
3195  }
3196  /* We have to ensure that the loaded tls-crypt key is small enough
3197  * to fit into the initial hard reset v3 packet */
3198  int wkc_len = buf_len(&c->c1.ks.tls_crypt_v2_wkc);
3199 
3200  /* empty ACK/message id, tls-crypt, Opcode, UDP, ipv6 */
3201  int required_size = 5 + wkc_len + tls_crypt_buf_overhead() + 1 + 8 + 40;
3202 
3203  if (required_size > c->options.ce.tls_mtu)
3204  {
3205  msg(M_WARN, "ERROR: tls-crypt-v2 client key too large to work with "
3206  "requested --max-packet-size %d, requires at least "
3207  "--max-packet-size %d. Packets will ignore requested "
3208  "maximum packet size", c->options.ce.tls_mtu,
3209  required_size);
3210  }
3211  }
3212 
3213 
3214 }
3215 
3216 /*
3217  * Initialize the persistent component of OpenVPN's TLS mode,
3218  * which is preserved across SIGUSR1 resets.
3219  */
3220 static void
3221 do_init_crypto_tls_c1(struct context *c)
3222 {
3223  const struct options *options = &c->options;
3224 
3225  if (!tls_ctx_initialised(&c->c1.ks.ssl_ctx))
3226  {
3227  /*
3228  * Initialize the OpenSSL library's global
3229  * SSL context.
3230  */
3231  init_ssl(options, &(c->c1.ks.ssl_ctx), c->c0 && c->c0->uid_gid_chroot_set);
3232  if (!tls_ctx_initialised(&c->c1.ks.ssl_ctx))
3233  {
3234  switch (auth_retry_get())
3235  {
3236  case AR_NONE:
3237  msg(M_FATAL, "Error: private key password verification failed");
3238  break;
3239 
3240  case AR_INTERACT:
3241  ssl_purge_auth(false);
3242  /* Intentional [[fallthrough]]; */
3243 
3244  case AR_NOINTERACT:
3245  /* SOFT-SIGUSR1 -- Password failure error */
3246  register_signal(c->sig, SIGUSR1, "private-key-password-failure");
3247  break;
3248 
3249  default:
3250  ASSERT(0);
3251  }
3252  return;
3253  }
3254 
3255  /*
3256  * BF-CBC is allowed to be used only when explicitly configured
3257  * as NCP-fallback or when NCP has been disabled or explicitly
3258  * allowed in the in ncp_ciphers list.
3259  * In all other cases do not attempt to initialize BF-CBC as it
3260  * may not even be supported by the underlying SSL library.
3261  *
3262  * Therefore, the key structure has to be initialized when:
3263  * - any non-BF-CBC cipher was selected; or
3264  * - BF-CBC is selected, NCP is enabled and fallback is enabled
3265  * (BF-CBC will be the fallback).
3266  * - BF-CBC is in data-ciphers and we negotiate to use BF-CBC:
3267  * If the negotiated cipher and options->ciphername are the
3268  * same we do not reinit the cipher
3269  *
3270  * Note that BF-CBC will still be part of the OCC string to retain
3271  * backwards compatibility with older clients.
3272  */
3273  const char *ciphername = options->ciphername;
3274  if (streq(options->ciphername, "BF-CBC")
3275  && !tls_item_in_cipher_list("BF-CBC", options->ncp_ciphers)
3276  && !options->enable_ncp_fallback)
3277  {
3278  ciphername = "none";
3279  }
3280 
3281  /* Do not warn if the cipher is used only in OCC */
3282  bool warn = options->enable_ncp_fallback;
3283  init_key_type(&c->c1.ks.key_type, ciphername, options->authname,
3284  true, warn);
3285 
3286  /* initialize tls-auth/crypt/crypt-v2 key */
3287  do_init_tls_wrap_key(c);
3288 
3289  /* initialise auth-token crypto support */
3290  if (c->options.auth_token_generate)
3291  {
3292  auth_token_init_secret(&c->c1.ks.auth_token_key,
3293  c->options.auth_token_secret_file,
3294  c->options.auth_token_secret_file_inline);
3295  }
3296 
3297 #if 0 /* was: #if ENABLE_INLINE_FILES -- Note that enabling this code will break restarts */
3298  if (options->priv_key_file_inline)
3299  {
3300  string_clear(c->options.priv_key_file_inline);
3301  c->options.priv_key_file_inline = NULL;
3302  }
3303 #endif
3304  }
3305  else
3306  {
3307  msg(D_INIT_MEDIUM, "Re-using SSL/TLS context");
3308 
3309  /*
3310  * tls-auth/crypt key can be configured per connection block, therefore
3311  * we must reload it as it may have changed
3312  */
3313  do_init_tls_wrap_key(c);
3314  }
3315 }
3316 
3317 static void
3318 do_init_crypto_tls(struct context *c, const unsigned int flags)
3319 {
3320  const struct options *options = &c->options;
3321  struct tls_options to;
3322  bool packet_id_long_form;
3323 
3324  ASSERT(options->tls_server || options->tls_client);
3325  ASSERT(!options->test_crypto);
3326 
3327  init_crypto_pre(c, flags);
3328 
3329  /* Make sure we are either a TLS client or server but not both */
3330  ASSERT(options->tls_server == !options->tls_client);
3331 
3332  /* initialize persistent component */
3333  do_init_crypto_tls_c1(c);
3334  if (IS_SIG(c))
3335  {
3336  return;
3337  }
3338 
3339  /* In short form, unique datagram identifier is 32 bits, in long form 64 bits */
3340  packet_id_long_form = cipher_kt_mode_ofb_cfb(c->c1.ks.key_type.cipher);
3341 
3342  /* Set all command-line TLS-related options */
3343  CLEAR(to);
3344 
3345  if (options->mute_replay_warnings)
3346  {
3347  to.crypto_flags |= CO_MUTE_REPLAY_WARNINGS;
3348  }
3349 
3350  to.crypto_flags &= ~(CO_PACKET_ID_LONG_FORM);
3351  if (packet_id_long_form)
3352  {
3353  to.crypto_flags |= CO_PACKET_ID_LONG_FORM;
3354  }
3355 
3356  to.ssl_ctx = c->c1.ks.ssl_ctx;
3357  to.key_type = c->c1.ks.key_type;
3358  to.server = options->tls_server;
3359  to.replay_window = options->replay_window;
3360  to.replay_time = options->replay_time;
3361  to.config_ciphername = c->options.ciphername;
3362  to.config_ncp_ciphers = c->options.ncp_ciphers;
3363  to.transition_window = options->transition_window;
3364  to.handshake_window = options->handshake_window;
3365  to.packet_timeout = options->tls_timeout;
3366  to.renegotiate_bytes = options->renegotiate_bytes;
3367  to.renegotiate_packets = options->renegotiate_packets;
3368  if (options->renegotiate_seconds_min < 0)
3369  {
3370  /* Add 10% jitter to reneg-sec by default (server side only) */
3371  int auto_jitter = options->mode != MODE_SERVER ? 0 :
3372  get_random() % max_int(options->renegotiate_seconds / 10, 1);
3373  to.renegotiate_seconds = options->renegotiate_seconds - auto_jitter;
3374  }
3375  else
3376  {
3377  /* Add user-specified jitter to reneg-sec */
3378  to.renegotiate_seconds = options->renegotiate_seconds
3379  -(get_random() % max_int(options->renegotiate_seconds
3380  - options->renegotiate_seconds_min, 1));
3381  }
3382  to.single_session = options->single_session;
3383  to.mode = options->mode;
3384  to.pull = options->pull;
3385  if (options->push_peer_info) /* all there is */
3386  {
3387  to.push_peer_info_detail = 3;
3388  }
3389  else if (options->pull) /* pull clients send some details */
3390  {
3391  to.push_peer_info_detail = 2;
3392  }
3393  else if (options->mode == MODE_SERVER) /* server: no peer info at all */
3394  {
3395  to.push_peer_info_detail = 0;
3396  }
3397  else /* default: minimal info to allow NCP in P2P mode */
3398  {
3399  to.push_peer_info_detail = 1;
3400  }
3401 
3402  /* Check if the DCO drivers support the epoch data format */
3403  if (dco_enabled(options))
3404  {
3405  to.data_epoch_supported = dco_supports_epoch_data(c);
3406  }
3407  else
3408  {
3409  to.data_epoch_supported = true;
3410  }
3411 
3412  /* should we not xmit any packets until we get an initial
3413  * response from client? */
3414  if (to.server && c->mode == CM_CHILD_TCP)
3415  {
3416  to.xmit_hold = true;
3417  }
3418 
3419  to.verify_command = options->tls_verify;
3420  to.verify_x509_type = (options->verify_x509_type & 0xff);
3421  to.verify_x509_name = options->verify_x509_name;
3422  to.crl_file = options->crl_file;
3423  to.crl_file_inline = options->crl_file_inline;
3424  to.ssl_flags = options->ssl_flags;
3425  to.ns_cert_type = options->ns_cert_type;
3426  memcpy(to.remote_cert_ku, options->remote_cert_ku, sizeof(to.remote_cert_ku));
3427  to.remote_cert_eku = options->remote_cert_eku;
3428  to.verify_hash = options->verify_hash;
3429  to.verify_hash_algo = options->verify_hash_algo;
3430  to.verify_hash_depth = options->verify_hash_depth;
3431  to.verify_hash_no_ca = options->verify_hash_no_ca;
3432 #ifdef ENABLE_X509ALTUSERNAME
3433  memcpy(to.x509_username_field, options->x509_username_field, sizeof(to.x509_username_field));
3434 #else
3435  to.x509_username_field[0] = X509_USERNAME_FIELD_DEFAULT;
3436 #endif
3437  to.es = c->c2.es;
3438  to.net_ctx = &c->net_ctx;
3439 
3440 #ifdef ENABLE_DEBUG
3441  to.gremlin = c->options.gremlin;
3442 #endif
3443 
3444  to.plugins = c->plugins;
3445 
3446 #ifdef ENABLE_MANAGEMENT
3447  to.mda_context = &c->c2.mda_context;
3448 #endif
3449 
3450  to.auth_user_pass_verify_script = options->auth_user_pass_verify_script;
3451  to.auth_user_pass_verify_script_via_file = options->auth_user_pass_verify_script_via_file;
3452  to.client_crresponse_script = options->client_crresponse_script;
3453  to.tmp_dir = options->tmp_dir;
3454  to.export_peer_cert_dir = options->tls_export_peer_cert_dir;
3455  if (options->ccd_exclusive)
3456  {
3457  to.client_config_dir_exclusive = options->client_config_dir;
3458  }
3459  to.auth_user_pass_file = options->auth_user_pass_file;
3460  to.auth_user_pass_file_inline = options->auth_user_pass_file_inline;
3461  to.auth_token_generate = options->auth_token_generate;
3462  to.auth_token_lifetime = options->auth_token_lifetime;
3463  to.auth_token_renewal = options->auth_token_renewal;
3464  to.auth_token_call_auth = options->auth_token_call_auth;
3465  to.auth_token_key = c->c1.ks.auth_token_key;
3466 
3467  to.x509_track = options->x509_track;
3468 
3469 #ifdef ENABLE_MANAGEMENT
3470  to.sci = &options->sc_info;
3471 #endif
3472 
3473 #ifdef USE_COMP
3474  to.comp_options = options->comp;
3475 #endif
3476 
3477 #ifdef HAVE_EXPORT_KEYING_MATERIAL
3478  if (options->keying_material_exporter_label)
3479  {
3480  to.ekm_size = options->keying_material_exporter_length;
3481  if (to.ekm_size < 16 || to.ekm_size > 4095)
3482  {
3483  to.ekm_size = 0;
3484  }
3485 
3486  to.ekm_label = options->keying_material_exporter_label;
3487  to.ekm_label_size = strlen(to.ekm_label);
3488  }
3489  else
3490  {
3491  to.ekm_size = 0;
3492  }
3493 #endif /* HAVE_EXPORT_KEYING_MATERIAL */
3494 
3495  /* TLS handshake authentication (--tls-auth) */
3496  if (options->ce.tls_auth_file)
3497  {
3498  to.tls_wrap.mode = TLS_WRAP_AUTH;
3499  }
3500 
3501  /* TLS handshake encryption (--tls-crypt) */
3502  if (options->ce.tls_crypt_file
3503  || (options->ce.tls_crypt_v2_file && options->tls_client))
3504  {
3505  to.tls_wrap.mode = TLS_WRAP_CRYPT;
3506  }
3507 
3508  if (to.tls_wrap.mode == TLS_WRAP_AUTH || to.tls_wrap.mode == TLS_WRAP_CRYPT)
3509  {
3510  to.tls_wrap.opt.key_ctx_bi = c->c1.ks.tls_wrap_key;
3511  to.tls_wrap.opt.pid_persist = &c->c1.pid_persist;
3512  to.tls_wrap.opt.flags |= CO_PACKET_ID_LONG_FORM;
3513  to.tls_wrap.original_wrap_keydata = c->c1.ks.original_wrap_keydata;
3514  }
3515 
3516  if (options->ce.tls_crypt_v2_file)
3517  {
3518  to.tls_crypt_v2 = true;
3519  to.tls_wrap.tls_crypt_v2_wkc = &c->c1.ks.tls_crypt_v2_wkc;
3520 
3521  if (options->tls_server)
3522  {
3523  to.tls_wrap.tls_crypt_v2_server_key = c->c1.ks.tls_crypt_v2_server_key;
3524  to.tls_crypt_v2_verify_script = c->options.tls_crypt_v2_verify_script;
3525  if (options->ce.tls_crypt_v2_force_cookie)
3526  {
3527  to.tls_wrap.opt.flags |= CO_FORCE_TLSCRYPTV2_COOKIE;
3528  }
3529  }
3530  }
3531 
3532  /* let the TLS engine know if keys have to be installed in DCO or not */
3533  to.dco_enabled = dco_enabled(options);
3534 
3535  /*
3536  * Initialize OpenVPN's master TLS-mode object.
3537  */
3538  if (flags & CF_INIT_TLS_MULTI)
3539  {
3540  c->c2.tls_multi = tls_multi_init(&to);
3541  /* inherit the dco context from the tuntap object */
3542  if (c->c1.tuntap)
3543  {
3544  c->c2.tls_multi->dco = &c->c1.tuntap->dco;
3545  }
3546  }
3547 
3548  if (flags & CF_INIT_TLS_AUTH_STANDALONE)
3549  {
3550  c->c2.tls_auth_standalone = tls_auth_standalone_init(&to, &c->c2.gc);
3551  c->c2.session_id_hmac = session_id_hmac_init();
3552  }
3553 }
3554 
3555 static void
3556 do_init_frame_tls(struct context *c)
3557 {
3558  if (c->c2.tls_multi)
3559  {
3560  tls_multi_init_finalize(c->c2.tls_multi, c->options.ce.tls_mtu);
3561  ASSERT(c->c2.tls_multi->opt.frame.buf.payload_size <=
3562  c->c2.frame.buf.payload_size);
3563  frame_print(&c->c2.tls_multi->opt.frame, D_MTU_INFO,
3564  "Control Channel MTU parms");
3565 
3566  /* Keep the max mtu also in the frame of tls multi so it can access
3567  * it in push_peer_info */
3568  c->c2.tls_multi->opt.frame.tun_max_mtu = c->c2.frame.tun_max_mtu;
3569  }
3570  if (c->c2.tls_auth_standalone)
3571  {
3572  tls_init_control_channel_frame_parameters(&c->c2.tls_auth_standalone->frame, c->options.ce.tls_mtu);
3573  frame_print(&c->c2.tls_auth_standalone->frame, D_MTU_INFO,
3574  "TLS-Auth MTU parms");
3575  c->c2.tls_auth_standalone->tls_wrap.work = alloc_buf_gc(BUF_SIZE(&c->c2.frame), &c->c2.gc);
3576  c->c2.tls_auth_standalone->workbuf = alloc_buf_gc(BUF_SIZE(&c->c2.frame), &c->c2.gc);
3577  }
3578 }
3579 
3580 /*
3581  * No encryption or authentication.
3582  */
3583 static void
3584 do_init_crypto_none(struct context *c)
3585 {
3586  ASSERT(!c->options.test_crypto);
3587 
3588  /* Initialise key_type with auth/cipher "none", so the key_type struct is
3589  * valid */
3590  init_key_type(&c->c1.ks.key_type, "none", "none",
3591  c->options.test_crypto, true);
3592 
3593  msg(M_WARN,
3594  "******* WARNING *******: All encryption and authentication features "
3595  "disabled -- All data will be tunnelled as clear text and will not be "
3596  "protected against man-in-the-middle changes. "
3597  "PLEASE DO RECONSIDER THIS CONFIGURATION!");
3598 }
3599 
3600 static void
3601 do_init_crypto(struct context *c, const unsigned int flags)
3602 {
3603  if (c->options.shared_secret_file)
3604  {
3605  do_init_crypto_static(c, flags);
3606  }
3607  else if (c->options.tls_server || c->options.tls_client)
3608  {
3609  do_init_crypto_tls(c, flags);
3610  }
3611  else /* no encryption or authentication. */
3612  {
3613  do_init_crypto_none(c);
3614  }
3615 }
3616 
3617 static void
3618 do_init_frame(struct context *c)
3619 {
3620  /*
3621  * Adjust frame size based on the --tun-mtu-extra parameter.
3622  */
3623  if (c->options.ce.tun_mtu_extra_defined)
3624  {
3625  c->c2.frame.extra_tun += c->options.ce.tun_mtu_extra;
3626  }
3627 
3628  /*
3629  * Fill in the blanks in the frame parameters structure,
3630  * make sure values are rational, etc.
3631  */
3632  frame_finalize_options(c, NULL);
3633 
3634 
3635 #if defined(ENABLE_FRAGMENT)
3636  /*
3637  * MTU advisories
3638  */
3639  if (c->options.ce.fragment && c->options.mtu_test)
3640  {
3641  msg(M_WARN,
3642  "WARNING: using --fragment and --mtu-test together may produce an inaccurate MTU test result");
3643  }
3644 #endif
3645 
3646 #ifdef ENABLE_FRAGMENT
3647  if (c->options.ce.fragment > 0 && c->options.ce.mssfix > c->options.ce.fragment)
3648  {
3649  msg(M_WARN, "WARNING: if you use --mssfix and --fragment, you should "
3650  "set --fragment (%d) larger or equal than --mssfix (%d)",
3651  c->options.ce.fragment, c->options.ce.mssfix);
3652  }
3653  if (c->options.ce.fragment > 0 && c->options.ce.mssfix > 0
3654  && c->options.ce.fragment_encap != c->options.ce.mssfix_encap)
3655  {
3656  msg(M_WARN, "WARNING: if you use --mssfix and --fragment, you should "
3657  "use the \"mtu\" flag for both or none of of them.");
3658  }
3659 #endif
3660 }
3661 
3662 static void
3663 do_option_warnings(struct context *c)
3664 {
3665  const struct options *o = &c->options;
3666 
3667  if (o->ping_send_timeout && !o->ping_rec_timeout)
3668  {
3669  msg(M_WARN, "WARNING: --ping should normally be used with --ping-restart or --ping-exit");
3670  }
3671 
3672  if (o->username || o->groupname || o->chroot_dir
3673 #ifdef ENABLE_SELINUX
3674  || o->selinux_context
3675 #endif
3676  )
3677  {
3678  if (!o->persist_tun)
3679  {
3680  msg(M_WARN, "WARNING: you are using user/group/chroot/setcon without persist-tun -- this may cause restarts to fail");
3681  }
3682  }
3683 
3684  if (o->chroot_dir && !(o->username && o->groupname))
3685  {
3686  msg(M_WARN, "WARNING: you are using chroot without specifying user and group -- this may cause the chroot jail to be insecure");
3687  }
3688 
3689  if (o->pull && o->ifconfig_local && c->first_time)
3690  {
3691  msg(M_WARN, "WARNING: using --pull/--client and --ifconfig together is probably not what you want");
3692  }
3693 
3694  if (o->server_bridge_defined || o->server_bridge_proxy_dhcp)
3695  {
3696  msg(M_WARN, "NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to");
3697  }
3698 
3699  if (o->mode == MODE_SERVER)
3700  {
3701  if (o->duplicate_cn && o->client_config_dir)
3702  {
3703  msg(M_WARN, "WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want");
3704  }
3705  if (o->duplicate_cn && o->ifconfig_pool_persist_filename)
3706  {
3707  msg(M_WARN, "WARNING: --ifconfig-pool-persist will not work with --duplicate-cn");
3708  }
3709  if (!o->keepalive_ping || !o->keepalive_timeout)
3710  {
3711  msg(M_WARN, "WARNING: --keepalive option is missing from server config");
3712  }
3713  }
3714 
3715  if (o->tls_server)
3716  {
3717  warn_on_use_of_common_subnets(&c->net_ctx);
3718  }
3719  if (o->tls_client
3720  && !o->tls_verify
3721  && o->verify_x509_type == VERIFY_X509_NONE
3722  && !(o->ns_cert_type & NS_CERT_CHECK_SERVER)
3723  && !o->remote_cert_eku
3724  && !(o->verify_hash_depth == 0 && o->verify_hash))
3725  {
3726  msg(M_WARN, "WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.");
3727  }
3728  if (o->ns_cert_type)
3729  {
3730  msg(M_WARN, "WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.");
3731  }
3732 
3733  /* If a script is used, print appropriate warnings */
3734  if (o->user_script_used)
3735  {
3736  if (script_security() >= SSEC_SCRIPTS)
3737  {
3738  msg(M_WARN, "NOTE: the current --script-security setting may allow this configuration to call user-defined scripts");
3739  }
3740  else if (script_security() >= SSEC_PW_ENV)
3741  {
3742  msg(M_WARN, "WARNING: the current --script-security setting may allow passwords to be passed to scripts via environmental variables");
3743  }
3744  else
3745  {
3746  msg(M_WARN, "NOTE: starting with " PACKAGE_NAME " 2.1, '--script-security 2' or higher is required to call user-defined scripts or executables");
3747  }
3748  }
3749 }
3750 
3751 struct context_buffers *
3752 init_context_buffers(const struct frame *frame)
3753 {
3754  struct context_buffers *b;
3755 
3756  ALLOC_OBJ_CLEAR(b, struct context_buffers);
3757 
3758  size_t buf_size = BUF_SIZE(frame);
3759 
3760  b->read_link_buf = alloc_buf(buf_size);
3761  b->read_tun_buf = alloc_buf(buf_size);
3762 
3763  b->aux_buf = alloc_buf(buf_size);
3764 
3765  b->encrypt_buf = alloc_buf(buf_size);
3766  b->decrypt_buf = alloc_buf(buf_size);
3767 
3768 #ifdef USE_COMP
3769  b->compress_buf = alloc_buf(buf_size);
3770  b->decompress_buf = alloc_buf(buf_size);
3771 #endif
3772 
3773  return b;
3774 }
3775 
3776 void
3777 free_context_buffers(struct context_buffers *b)
3778 {
3779  if (b)
3780  {
3781  free_buf(&b->read_link_buf);
3782  free_buf(&b->read_tun_buf);
3783  free_buf(&b->aux_buf);
3784 
3785 #ifdef USE_COMP
3786  free_buf(&b->compress_buf);
3787  free_buf(&b->decompress_buf);
3788 #endif
3789 
3790  free_buf(&b->encrypt_buf);
3791  free_buf(&b->decrypt_buf);
3792 
3793  free(b);
3794  }
3795 }
3796 
3797 /*
3798  * Now that we know all frame parameters, initialize
3799  * our buffers.
3800  */
3801 static void
3802 do_init_buffers(struct context *c)
3803 {
3804  c->c2.buffers = init_context_buffers(&c->c2.frame);
3805  c->c2.buffers_owned = true;
3806 }
3807 
3808 #ifdef ENABLE_FRAGMENT
3809 /*
3810  * Fragmenting code has buffers to initialize
3811  * once frame parameters are known.
3812  */
3813 static void
3814 do_init_fragment(struct context *c)
3815 {
3816  ASSERT(c->options.ce.fragment);
3817 
3818  /*
3819  * Set frame parameter for fragment code. This is necessary because
3820  * the fragmentation code deals with payloads which have already been
3821  * passed through the compression code.
3822  */
3823  c->c2.frame_fragment = c->c2.frame;
3824 
3825  frame_calculate_dynamic(&c->c2.frame_fragment, &c->c1.ks.key_type,
3826  &c->options, get_link_socket_info(c));
3827  fragment_frame_init(c->c2.fragment, &c->c2.frame_fragment);
3828 }
3829 #endif
3830 
3831 /*
3832  * Allocate our socket object.
3833  */
3834 static void
3835 do_link_socket_new(struct context *c)
3836 {
3837  ASSERT(!c->c2.link_sockets);
3838 
3839  ALLOC_ARRAY_GC(c->c2.link_sockets, struct link_socket *,
3840  c->c1.link_sockets_num, &c->c2.gc);
3841 
3842  for (int i = 0; i < c->c1.link_sockets_num; i++)
3843  {
3844  c->c2.link_sockets[i] = link_socket_new();
3845  }
3846  c->c2.link_socket_owned = true;
3847 }
3848 
3849 /*
3850  * bind TCP/UDP sockets
3851  */
3852 static void
3853 do_init_socket_phase1(struct context *c)
3854 {
3855  for (int i = 0; i < c->c1.link_sockets_num; i++)
3856  {
3857  int mode = LS_MODE_DEFAULT;
3858 
3859  /* mode allows CM_CHILD_TCP
3860  * instances to inherit acceptable fds
3861  * from a top-level parent */
3862  if (c->options.mode == MODE_SERVER)
3863  {
3864  /* initializing listening socket */
3865  if (c->mode == CM_TOP)
3866  {
3867  mode = LS_MODE_TCP_LISTEN;
3868  }
3869  /* initializing socket to client */
3870  else if (c->mode == CM_CHILD_TCP)
3871  {
3872  mode = LS_MODE_TCP_ACCEPT_FROM;
3873  }
3874  }
3875 
3876  /* init each socket with its specific args */
3877  link_socket_init_phase1(c, i, mode);
3878  }
3879 }
3880 
3881 /*
3882  * finalize TCP/UDP sockets
3883  */
3884 static void
3885 do_init_socket_phase2(struct context *c)
3886 {
3887  for (int i = 0; i < c->c1.link_sockets_num; i++)
3888  {
3889  link_socket_init_phase2(c, c->c2.link_sockets[i]);
3890  }
3891 }
3892 
3893 /*
3894  * Print MTU INFO
3895  */
3896 static void
3897 do_print_data_channel_mtu_parms(struct context *c)
3898 {
3899  frame_print(&c->c2.frame, D_MTU_INFO, "Data Channel MTU parms");
3900 #ifdef ENABLE_FRAGMENT
3901  if (c->c2.fragment)
3902  {
3903  frame_print(&c->c2.frame_fragment, D_MTU_INFO,
3904  "Fragmentation MTU parms");
3905  }
3906 #endif
3907 }
3908 
3909 /*
3910  * Get local and remote options compatibility strings.
3911  */
3912 static void
3913 do_compute_occ_strings(struct context *c)
3914 {
3915  struct gc_arena gc = gc_new();
3916 
3917  c->c2.options_string_local =
3918  options_string(&c->options, &c->c2.frame, c->c1.tuntap, &c->net_ctx,
3919  false, &gc);
3920  c->c2.options_string_remote =
3921  options_string(&c->options, &c->c2.frame, c->c1.tuntap, &c->net_ctx,
3922  true, &gc);
3923 
3924  msg(D_SHOW_OCC, "Local Options String (VER=%s): '%s'",
3925  options_string_version(c->c2.options_string_local, &gc),
3926  c->c2.options_string_local);
3927  msg(D_SHOW_OCC, "Expected Remote Options String (VER=%s): '%s'",
3928  options_string_version(c->c2.options_string_remote, &gc),
3929  c->c2.options_string_remote);
3930 
3931  if (c->c2.tls_multi)
3932  {
3933  tls_multi_init_set_options(c->c2.tls_multi,
3934  c->c2.options_string_local,
3935  c->c2.options_string_remote);
3936  }
3937 
3938  gc_free(&gc);
3939 }
3940 
3941 /*
3942  * These things can only be executed once per program instantiation.
3943  * Set up for possible UID/GID downgrade, but don't do it yet.
3944  * Daemonize if requested.
3945  */
3946 static void
3947 do_init_first_time(struct context *c)
3948 {
3949  if (c->first_time && !c->c0)
3950  {
3951  struct context_0 *c0;
3952 
3953  ALLOC_OBJ_CLEAR_GC(c->c0, struct context_0, &c->gc);
3954  c0 = c->c0;
3955 
3956  /* get user and/or group that we want to setuid/setgid to,
3957  * sets also platform_x_state */
3958  bool group_defined = platform_group_get(c->options.groupname,
3959  &c0->platform_state_group);
3960  bool user_defined = platform_user_get(c->options.username,
3961  &c0->platform_state_user);
3962 
3963  c0->uid_gid_specified = user_defined || group_defined;
3964 
3965  /* perform postponed chdir if --daemon */
3966  if (c->did_we_daemonize && c->options.cd_dir == NULL)
3967  {
3968  platform_chdir("/");
3969  }
3970 
3971  /* should we change scheduling priority? */
3972  platform_nice(c->options.nice);
3973  }
3974 }
3975 
3976 /*
3977  * free buffers
3978  */
3979 static void
3980 do_close_free_buf(struct context *c)
3981 {
3982  if (c->c2.buffers_owned)
3983  {
3984  free_context_buffers(c->c2.buffers);
3985  c->c2.buffers = NULL;
3986  c->c2.buffers_owned = false;
3987  }
3988 }
3989 
3990 /*
3991  * close TLS
3992  */
3993 static void
3994 do_close_tls(struct context *c)
3995 {
3996  if (c->c2.tls_multi)
3997  {
3998  tls_multi_free(c->c2.tls_multi, true);
3999  c->c2.tls_multi = NULL;
4000  }
4001 
4002  /* free options compatibility strings */
4003  free(c->c2.options_string_local);
4004  free(c->c2.options_string_remote);
4005 
4006  c->c2.options_string_local = c->c2.options_string_remote = NULL;
4007 
4008  if (c->c2.pulled_options_state)
4009  {
4010  md_ctx_cleanup(c->c2.pulled_options_state);
4011  md_ctx_free(c->c2.pulled_options_state);
4012  }
4013 
4014  tls_auth_standalone_free(c->c2.tls_auth_standalone);
4015 }
4016 
4017 /*
4018  * Free key schedules
4019  */
4020 static void
4021 do_close_free_key_schedule(struct context *c, bool free_ssl_ctx)
4022 {
4023  /*
4024  * always free the tls_auth/crypt key. The key will
4025  * be reloaded from memory (pre-cached)
4026  */
4027  free_key_ctx(&c->c1.ks.tls_crypt_v2_server_key);
4028  free_key_ctx_bi(&c->c1.ks.tls_wrap_key);
4029  CLEAR(c->c1.ks.tls_wrap_key);
4030  buf_clear(&c->c1.ks.tls_crypt_v2_wkc);
4031  free_buf(&c->c1.ks.tls_crypt_v2_wkc);
4032 
4033  if (!(c->sig->signal_received == SIGUSR1))
4034  {
4035  key_schedule_free(&c->c1.ks, free_ssl_ctx);
4036  }
4037 }
4038 
4039 /*
4040  * Close TCP/UDP connection
4041  */
4042 static void
4043 do_close_link_socket(struct context *c)
4044 {
4045  if (c->c2.link_sockets && c->c2.link_socket_owned)
4046  {
4047  for (int i = 0; i < c->c1.link_sockets_num; i++)
4048  {
4049  /* in dco-win case, link socket is a tun handle which is
4050  * closed in do_close_tun(). Set it to UNDEFINED so
4051  * we won't use WinSock API to close it. */
4052  if (tuntap_is_dco_win(c->c1.tuntap))
4053  {
4054  c->c2.link_sockets[i]->sd = SOCKET_UNDEFINED;
4055  }
4056 
4057  link_socket_close(c->c2.link_sockets[i]);
4058  }
4059  c->c2.link_sockets = NULL;
4060  }
4061 
4062 
4063  /* Preserve the resolved list of remote if the user request to or if we want
4064  * reconnect to the same host again or there are still addresses that need
4065  * to be tried */
4066  if (!(c->sig->signal_received == SIGUSR1
4067  && ( (c->options.persist_remote_ip)
4068  ||
4069  ( c->sig->source != SIG_SOURCE_HARD
4070  && ((c->c1.link_socket_addrs[0].current_remote
4071  && c->c1.link_socket_addrs[0].current_remote->ai_next)
4072  || c->options.no_advance))
4073  )))
4074  {
4075  clear_remote_addrlist(&c->c1.link_socket_addrs[0],
4076  !c->options.resolve_in_advance);
4077  }
4078 
4079  /* Clear the remote actual address when persist_remote_ip is not in use */
4080  if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_remote_ip))
4081  {
4082  for (int i = 0; i < c->c1.link_sockets_num; i++)
4083  {
4084  CLEAR(c->c1.link_socket_addrs[i].actual);
4085  }
4086  }
4087 
4088  if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_local_ip))
4089  {
4090  for (int i = 0; i < c->c1.link_sockets_num; i++)
4091  {
4092  if (c->c1.link_socket_addrs[i].bind_local
4093  && !c->options.resolve_in_advance)
4094  {
4095  freeaddrinfo(c->c1.link_socket_addrs[i].bind_local);
4096  }
4097 
4098  c->c1.link_socket_addrs[i].bind_local = NULL;
4099  }
4100  }
4101 }
4102 
4103 /*
4104  * Close packet-id persistence file
4105  */
4106 static void
4107 do_close_packet_id(struct context *c)
4108 {
4109  packet_id_free(&c->c2.crypto_options.packet_id);
4110  packet_id_persist_save(&c->c1.pid_persist);
4111  if (!(c->sig->signal_received == SIGUSR1))
4112  {
4113  packet_id_persist_close(&c->c1.pid_persist);
4114  }
4115 }
4116 
4117 #ifdef ENABLE_FRAGMENT
4118 /*
4119  * Close fragmentation handler.
4120  */
4121 static void
4122 do_close_fragment(struct context *c)
4123 {
4124  if (c->c2.fragment)
4125  {
4126  fragment_free(c->c2.fragment);
4127  c->c2.fragment = NULL;
4128  }
4129 }
4130 #endif
4131 
4132 /*
4133  * Open and close our event objects.
4134  */
4135 
4136 static void
4137 do_event_set_init(struct context *c,
4138  bool need_us_timeout)
4139 {
4140  unsigned int flags = 0;
4141 
4142  c->c2.event_set_max = BASE_N_EVENTS;
4143 
4144  flags |= EVENT_METHOD_FAST;
4145 
4146  if (need_us_timeout)
4147  {
4148  flags |= EVENT_METHOD_US_TIMEOUT;
4149  }
4150 
4151  c->c2.event_set = event_set_init(&c->c2.event_set_max, flags);
4152  c->c2.event_set_owned = true;
4153 }
4154 
4155 static void
4156 do_close_event_set(struct context *c)
4157 {
4158  if (c->c2.event_set && c->c2.event_set_owned)
4159  {
4160  event_free(c->c2.event_set);
4161  c->c2.event_set = NULL;
4162  c->c2.event_set_owned = false;
4163  }
4164 }
4165 
4166 /*
4167  * Open and close --status file
4168  */
4169 
4170 static void
4171 do_open_status_output(struct context *c)
4172 {
4173  if (!c->c1.status_output)
4174  {
4175  c->c1.status_output = status_open(c->options.status_file,
4176  c->options.status_file_update_freq,
4177  -1,
4178  NULL,
4179  STATUS_OUTPUT_WRITE);
4180  c->c1.status_output_owned = true;
4181  }
4182 }
4183 
4184 static void
4185 do_close_status_output(struct context *c)
4186 {
4187  if (!(c->sig->signal_received == SIGUSR1))
4188  {
4189  if (c->c1.status_output_owned && c->c1.status_output)
4190  {
4191  status_close(c->c1.status_output);
4192  c->c1.status_output = NULL;
4193  c->c1.status_output_owned = false;
4194  }
4195  }
4196 }
4197 
4198 /*
4199  * Handle ifconfig-pool persistence object.
4200  */
4201 static void
4202 do_open_ifconfig_pool_persist(struct context *c)
4203 {
4204  if (!c->c1.ifconfig_pool_persist && c->options.ifconfig_pool_persist_filename)
4205  {
4206  c->c1.ifconfig_pool_persist = ifconfig_pool_persist_init(c->options.ifconfig_pool_persist_filename,
4207  c->options.ifconfig_pool_persist_refresh_freq);
4208  c->c1.ifconfig_pool_persist_owned = true;
4209  }
4210 }
4211 
4212 static void
4213 do_close_ifconfig_pool_persist(struct context *c)
4214 {
4215  if (!(c->sig->signal_received == SIGUSR1))
4216  {
4217  if (c->c1.ifconfig_pool_persist && c->c1.ifconfig_pool_persist_owned)
4218  {
4219  ifconfig_pool_persist_close(c->c1.ifconfig_pool_persist);
4220  c->c1.ifconfig_pool_persist = NULL;
4221  c->c1.ifconfig_pool_persist_owned = false;
4222  }
4223  }
4224 }
4225 
4226 /*
4227  * Inherit environmental variables
4228  */
4229 
4230 static void
4231 do_inherit_env(struct context *c, const struct env_set *src)
4232 {
4233  c->c2.es = env_set_create(NULL);
4234  c->c2.es_owned = true;
4235  env_set_inherit(c->c2.es, src);
4236 }
4237 
4238 static void
4239 do_env_set_destroy(struct context *c)
4240 {
4241  if (c->c2.es && c->c2.es_owned)
4242  {
4243  env_set_destroy(c->c2.es);
4244  c->c2.es = NULL;
4245  c->c2.es_owned = false;
4246  }
4247 }
4248 
4249 /*
4250  * Fast I/O setup. Fast I/O is an optimization which only works
4251  * if all of the following are true:
4252  *
4253  * (1) The platform is not Windows
4254  * (2) --proto udp is enabled
4255  * (3) --shaper is disabled
4256  */
4257 static void
4258 do_setup_fast_io(struct context *c)
4259 {
4260  if (c->options.fast_io)
4261  {
4262 #ifdef _WIN32
4263  msg(M_INFO, "NOTE: --fast-io is disabled since we are running on Windows");
4264 #else
4265  if (c->options.shaper)
4266  {
4267  msg(M_INFO, "NOTE: --fast-io is disabled since we are using --shaper");
4268  }
4269  else
4270  {
4271  c->c2.fast_io = true;
4272  }
4273 #endif
4274  }
4275 }
4276 
4277 static void
4278 do_signal_on_tls_errors(struct context *c)
4279 {
4280  if (c->options.tls_exit)
4281  {
4282  c->c2.tls_exit_signal = SIGTERM;
4283  }
4284  else
4285  {
4286  c->c2.tls_exit_signal = SIGUSR1;
4287  }
4288 }
4289 
4290 #ifdef ENABLE_PLUGIN
4291 
4292 void
4293 init_plugins(struct context *c)
4294 {
4295  if (c->options.plugin_list && !c->plugins)
4296  {
4297  c->plugins = plugin_list_init(c->options.plugin_list);
4298  c->plugins_owned = true;
4299  }
4300 }
4301 
4302 void
4303 open_plugins(struct context *c, const bool import_options, int init_point)
4304 {
4305  if (c->plugins && c->plugins_owned)
4306  {
4307  if (import_options)
4308  {
4309  struct plugin_return pr, config;
4310  plugin_return_init(&pr);
4311  plugin_list_open(c->plugins, c->options.plugin_list, &pr, c->c2.es, init_point);
4312  plugin_return_get_column(&pr, &config, "config");
4313  if (plugin_return_defined(&config))
4314  {
4315  int i;
4316  for (i = 0; i < config.n; ++i)
4317  {
4318  unsigned int option_types_found = 0;
4319  if (config.list[i] && config.list[i]->value)
4320  {
4321  options_string_import(&c->options,
4322  config.list[i]->value,
4323  D_IMPORT_ERRORS|M_OPTERR,
4324  OPT_P_DEFAULT & ~OPT_P_PLUGIN,
4325  &option_types_found,
4326  c->es);
4327  }
4328  }
4329  }
4330  plugin_return_free(&pr);
4331  }
4332  else
4333  {
4334  plugin_list_open(c->plugins, c->options.plugin_list, NULL, c->c2.es, init_point);
4335  }
4336  }
4337 }
4338 
4339 static void
4340 do_close_plugins(struct context *c)
4341 {
4342  if (c->plugins && c->plugins_owned && !(c->sig->signal_received == SIGUSR1))
4343  {
4344  plugin_list_close(c->plugins);
4345  c->plugins = NULL;
4346  c->plugins_owned = false;
4347  }
4348 }
4349 
4350 static void
4351 do_inherit_plugins(struct context *c, const struct context *src)
4352 {
4353  if (!c->plugins && src->plugins)
4354  {
4355  c->plugins = plugin_list_inherit(src->plugins);
4356  c->plugins_owned = true;
4357  }
4358 }
4359 
4360 #endif /* ifdef ENABLE_PLUGIN */
4361 
4362 #ifdef ENABLE_MANAGEMENT
4363 
4364 static void
4365 management_callback_status_p2p(void *arg, const int version, struct status_output *so)
4366 {
4367  struct context *c = (struct context *) arg;
4368  print_status(c, so);
4369 }
4370 
4371 void
4372 management_show_net_callback(void *arg, const int msglevel)
4373 {
4374 #ifdef _WIN32
4375  show_routes(msglevel);
4376  show_adapters(msglevel);
4377  msg(msglevel, "END");
4378 #else
4379  msg(msglevel, "ERROR: Sorry, this command is currently only implemented on Windows");
4380 #endif
4381 }
4382 
4383 #ifdef TARGET_ANDROID
4384 int
4385 management_callback_network_change(void *arg, bool samenetwork)
4386 {
4387  /* Check if the client should translate the network change to a SIGUSR1 to
4388  * reestablish the connection or just reprotect the socket
4389  *
4390  * At the moment just assume that, for all settings that use pull (not
4391  * --static) and are not using peer-id reestablishing the connection is
4392  * required (unless the network is the same)
4393  *
4394  * The function returns -1 on invalid fd and -2 if the socket cannot be
4395  * reused. On the -2 return value the man_network_change function triggers
4396  * a SIGUSR1 to force a reconnect.
4397  */
4398 
4399  int socketfd = -1;
4400  struct context *c = (struct context *) arg;
4401  if (!c->c2.link_sockets || !c->c2.link_sockets[0])
4402  {
4403  return -1;
4404  }
4405  if (c->c2.link_sockets[0]->sd == SOCKET_UNDEFINED)
4406  {
4407  return -1;
4408  }
4409 
4410  /* On some newer Android handsets, changing to a different network
4411  * often does not trigger a TCP reset but continue using the old
4412  * connection (e.g. using mobile connection when WiFi becomes available */
4413  struct link_socket_info *lsi = get_link_socket_info(c);
4414  if (lsi && proto_is_tcp(lsi->proto) && !samenetwork)
4415  {
4416  return -2;
4417  }
4418 
4419  socketfd = c->c2.link_sockets[0]->sd;
4420  if (!c->options.pull || c->c2.tls_multi->use_peer_id || samenetwork)
4421  {
4422  return socketfd;
4423  }
4424  else
4425  {
4426  return -2;
4427  }
4428 }
4429 #endif /* ifdef TARGET_ANDROID */
4430 
4431 #endif /* ifdef ENABLE_MANAGEMENT */
4432 
4433 void
4434 init_management_callback_p2p(struct context *c)
4435 {
4436 #ifdef ENABLE_MANAGEMENT
4437  if (management)
4438  {
4439  struct management_callback cb;
4440  CLEAR(cb);
4441  cb.arg = c;
4442  cb.status = management_callback_status_p2p;
4443  cb.show_net = management_show_net_callback;
4444  cb.proxy_cmd = management_callback_proxy_cmd;
4445  cb.remote_cmd = management_callback_remote_cmd;
4446  cb.send_cc_message = management_callback_send_cc_message;
4447 #ifdef TARGET_ANDROID
4448  cb.network_change = management_callback_network_change;
4449 #endif
4450  cb.remote_entry_count = management_callback_remote_entry_count;
4451  cb.remote_entry_get = management_callback_remote_entry_get;
4452  management_set_callback(management, &cb);
4453  }
4454 #endif
4455 }
4456 
4457 #ifdef ENABLE_MANAGEMENT
4458 
4459 void
4460 init_management(void)
4461 {
4462  if (!management)
4463  {
4464  management = management_init();
4465  }
4466 }
4467 
4468 bool
4469 open_management(struct context *c)
4470 {
4471  /* initialize management layer */
4472  if (management)
4473  {
4474  if (c->options.management_addr)
4475  {
4476  unsigned int flags = c->options.management_flags;
4477  if (c->options.mode == MODE_SERVER)
4478  {
4479  flags |= MF_SERVER;
4480  }
4481  if (management_open(management,
4482  c->options.management_addr,
4483  c->options.management_port,
4484  c->options.management_user_pass,
4485  c->options.management_client_user,
4486  c->options.management_client_group,
4487  c->options.management_log_history_cache,
4488  c->options.management_echo_buffer_size,
4489  c->options.management_state_buffer_size,
4490  c->options.remap_sigusr1,
4491  flags))
4492  {
4493  management_set_state(management,
4494  OPENVPN_STATE_CONNECTING,
4495  NULL,
4496  NULL,
4497  NULL,
4498  NULL,
4499  NULL);
4500  }
4501 
4502  /* initial management hold, called early, before first context initialization */
4503  do_hold(0);
4504  if (IS_SIG(c))
4505  {
4506  msg(M_WARN, "Signal received from management interface, exiting");
4507  return false;
4508  }
4509  }
4510  else
4511  {
4512  close_management();
4513  }
4514  }
4515  return true;
4516 }
4517 
4518 void
4519 close_management(void)
4520 {
4521  if (management)
4522  {
4523  management_close(management);
4524  management = NULL;
4525  }
4526 }
4527 
4528 #endif /* ifdef ENABLE_MANAGEMENT */
4529 
4530 
4531 void
4532 uninit_management_callback(void)
4533 {
4534 #ifdef ENABLE_MANAGEMENT
4535  if (management)
4536  {
4537  management_clear_callback(management);
4538  }
4539 #endif
4540 }
4541 
4542 void
4543 persist_client_stats(struct context *c)
4544 {
4545 #ifdef ENABLE_MANAGEMENT
4546  if (management)
4547  {
4548  man_persist_client_stats(management, c);
4549  }
4550 #endif
4551 }
4552 
4553 /*
4554  * Initialize a tunnel instance, handle pre and post-init
4555  * signal settings.
4556  */
4557 void
4558 init_instance_handle_signals(struct context *c, const struct env_set *env, const unsigned int flags)
4559 {
4560  pre_init_signal_catch();
4561  init_instance(c, env, flags);
4562  post_init_signal_catch();
4563 
4564  /*
4565  * This is done so that signals thrown during
4566  * initialization can bring us back to
4567  * a management hold.
4568  */
4569  if (IS_SIG(c))
4570  {
4571  remap_signal(c);
4572  uninit_management_callback();
4573  }
4574 }
4575 
4576 /*
4577  * Initialize a tunnel instance.
4578  */
4579 void
4580 init_instance(struct context *c, const struct env_set *env, const unsigned int flags)
4581 {
4582  const struct options *options = &c->options;
4583  const bool child = (c->mode == CM_CHILD_TCP || c->mode == CM_CHILD_UDP);
4584 
4585  /* init garbage collection level */
4586  gc_init(&c->c2.gc);
4587 
4588  /* inherit environmental variables */
4589  if (env)
4590  {
4591  do_inherit_env(c, env);
4592  }
4593 
4594  if (c->mode == CM_P2P)
4595  {
4596  init_management_callback_p2p(c);
4597  }
4598 
4599  /* possible sleep or management hold if restart */
4600  if (c->mode == CM_P2P || c->mode == CM_TOP)
4601  {
4602  do_startup_pause(c);
4603  if (IS_SIG(c))
4604  {
4605  goto sig;
4606  }
4607  }
4608 
4609  if (c->options.resolve_in_advance)
4610  {
4611  do_preresolve(c);
4612  if (IS_SIG(c))
4613  {
4614  goto sig;
4615  }
4616  }
4617 
4618  /* Resets all values to the initial values from the config where needed */
4619  pre_connect_restore(&c->options, &c->c2.gc);
4620 
4621  /* map in current connection entry */
4622  next_connection_entry(c);
4623 
4624  /* should we disable paging? */
4625  if (c->first_time && options->mlock)
4626  {
4627  platform_mlockall(true);
4628  }
4629 
4630  /* get passwords if undefined */
4631  if (auth_retry_get() == AR_INTERACT)
4632  {
4633  init_query_passwords(c);
4634  }
4635 
4636  /* initialize context level 2 --verb/--mute parms */
4637  init_verb_mute(c, IVM_LEVEL_2);
4638 
4639  /* set error message delay for non-server modes */
4640  if (c->mode == CM_P2P)
4641  {
4642  set_check_status_error_delay(P2P_ERROR_DELAY_MS);
4643  }
4644 
4645  /* warn about inconsistent options */
4646  if (c->mode == CM_P2P || c->mode == CM_TOP)
4647  {
4648  do_option_warnings(c);
4649  }
4650 
4651 #ifdef ENABLE_PLUGIN
4652  /* initialize plugins */
4653  if (c->mode == CM_P2P || c->mode == CM_TOP)
4654  {
4655  open_plugins(c, false, OPENVPN_PLUGIN_INIT_PRE_DAEMON);
4656  }
4657 #endif
4658 
4659  /* should we enable fast I/O? */
4660  if (c->mode == CM_P2P || c->mode == CM_TOP)
4661  {
4662  do_setup_fast_io(c);
4663  }
4664 
4665  /* should we throw a signal on TLS errors? */
4666  do_signal_on_tls_errors(c);
4667 
4668  /* open --status file */
4669  if (c->mode == CM_P2P || c->mode == CM_TOP)
4670  {
4671  do_open_status_output(c);
4672  }
4673 
4674  /* open --ifconfig-pool-persist file */
4675  if (c->mode == CM_TOP)
4676  {
4677  do_open_ifconfig_pool_persist(c);
4678  }
4679 
4680  /* reset OCC state */
4681  if (c->mode == CM_P2P || child)
4682  {
4683  c->c2.occ_op = occ_reset_op();
4684  }
4685 
4686  /* our wait-for-i/o objects, different for posix vs. win32 */
4687  if (c->mode == CM_P2P || c->mode == CM_TOP)
4688  {
4689  do_event_set_init(c, SHAPER_DEFINED(&c->options));
4690  }
4691  else if (c->mode == CM_CHILD_TCP)
4692  {
4693  do_event_set_init(c, false);
4694  }
4695 
4696  /* initialize HTTP or SOCKS proxy object at scope level 2 */
4697  init_proxy(c);
4698 
4699  /* allocate our socket object */
4700  if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
4701  {
4702  do_link_socket_new(c);
4703  }
4704 
4705 #ifdef ENABLE_FRAGMENT
4706  /* initialize internal fragmentation object */
4707  if (options->ce.fragment && (c->mode == CM_P2P || child))
4708  {
4709  c->c2.fragment = fragment_init(&c->c2.frame);
4710  }
4711 #endif
4712 
4713  /* init crypto layer */
4714  {
4715  unsigned int crypto_flags = 0;
4716  if (c->mode == CM_TOP)
4717  {
4718  crypto_flags = CF_INIT_TLS_AUTH_STANDALONE;
4719  }
4720  else if (c->mode == CM_P2P)
4721  {
4722  crypto_flags = CF_LOAD_PERSISTED_PACKET_ID | CF_INIT_TLS_MULTI;
4723  }
4724  else if (child)
4725  {
4726  crypto_flags = CF_INIT_TLS_MULTI;
4727  }
4728  do_init_crypto(c, crypto_flags);
4729  if (IS_SIG(c) && !child)
4730  {
4731  goto sig;
4732  }
4733  }
4734 
4735 #ifdef USE_COMP
4736  /* initialize compression library. */
4737  if (comp_enabled(&options->comp) && (c->mode == CM_P2P || child))
4738  {
4739  c->c2.comp_context = comp_init(&options->comp);
4740  }
4741 #endif
4742 
4743  /* initialize MTU variables */
4744  do_init_frame(c);
4745 
4746  /* initialize TLS MTU variables */
4747  do_init_frame_tls(c);
4748 
4749  /* init workspace buffers whose size is derived from frame size */
4750  if (c->mode == CM_P2P || c->mode == CM_CHILD_TCP)
4751  {
4752  do_init_buffers(c);
4753  }
4754 
4755 #ifdef ENABLE_FRAGMENT
4756  /* initialize internal fragmentation capability with known frame size */
4757  if (options->ce.fragment && (c->mode == CM_P2P || child))
4758  {
4759  do_init_fragment(c);
4760  }
4761 #endif
4762 
4763  /* bind the TCP/UDP socket */
4764  if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
4765  {
4766  do_init_socket_phase1(c);
4767  }
4768 
4769  /* initialize tun/tap device object,
4770  * open tun/tap device, ifconfig, run up script, etc. */
4771  if (!(options->up_delay || PULL_DEFINED(options)) && (c->mode == CM_P2P || c->mode == CM_TOP))
4772  {
4773  int error_flags = 0;
4774  c->c2.did_open_tun = do_open_tun(c, &error_flags);
4775  }
4776 
4777  /* print MTU info */
4778  do_print_data_channel_mtu_parms(c);
4779 
4780  /* get local and remote options compatibility strings */
4781  if (c->mode == CM_P2P || child)
4782  {
4783  do_compute_occ_strings(c);
4784  }
4785 
4786  /* initialize output speed limiter */
4787  if (c->mode == CM_P2P)
4788  {
4789  do_init_traffic_shaper(c);
4790  }
4791 
4792  /* do one-time inits, and possibly become a daemon here */
4793  do_init_first_time(c);
4794 
4795 #ifdef ENABLE_PLUGIN
4796  /* initialize plugins */
4797  if (c->mode == CM_P2P || c->mode == CM_TOP)
4798  {
4799  open_plugins(c, false, OPENVPN_PLUGIN_INIT_POST_DAEMON);
4800  }
4801 #endif
4802 
4803  /* initialise connect timeout timer */
4804  do_init_server_poll_timeout(c);
4805 
4806  /* finalize the TCP/UDP socket */
4807  if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
4808  {
4809  do_init_socket_phase2(c);
4810 
4811 
4812  /* Update dynamic frame calculation as exact transport socket information
4813  * (IP vs IPv6) may be only available after socket phase2 has finished.
4814  * This is only needed for --static or no crypto, NCP will recalculate this
4815  * in tls_session_update_crypto_params (P2MP) */
4816  for (int i = 0; i < c->c1.link_sockets_num; i++)
4817  {
4818  frame_calculate_dynamic(&c->c2.frame, &c->c1.ks.key_type, &c->options,
4819  &c->c2.link_sockets[i]->info);
4820  }
4821  }
4822 
4823  /*
4824  * Actually do UID/GID downgrade, and chroot, if requested.
4825  * May be delayed by --client, --pull, or --up-delay.
4826  */
4827  do_uid_gid_chroot(c, c->c2.did_open_tun);
4828 
4829  /* initialize timers */
4830  if (c->mode == CM_P2P || child)
4831  {
4832  do_init_timers(c, false);
4833  }
4834 
4835 #ifdef ENABLE_PLUGIN
4836  /* initialize plugins */
4837  if (c->mode == CM_P2P || c->mode == CM_TOP)
4838  {
4839  open_plugins(c, false, OPENVPN_PLUGIN_INIT_POST_UID_CHANGE);
4840  }
4841 #endif
4842 
4843 #if PORT_SHARE
4844  /* share OpenVPN port with foreign (such as HTTPS) server */
4845  if (c->first_time && (c->mode == CM_P2P || c->mode == CM_TOP))
4846  {
4847  init_port_share(c);
4848  }
4849 #endif
4850 
4851  /* Check for signals */
4852  if (IS_SIG(c))
4853  {
4854  goto sig;
4855  }
4856 
4857  return;
4858 
4859 sig:
4860  if (!c->sig->signal_text)
4861  {
4862  c->sig->signal_text = "init_instance";
4863  }
4864  close_context(c, -1, flags);
4865  return;
4866 }
4867 
4868 /*
4869  * Close a tunnel instance.
4870  */
4871 void
4872 close_instance(struct context *c)
4873 {
4874  /* close event objects */
4875  do_close_event_set(c);
4876 
4877  if (c->mode == CM_P2P
4878  || c->mode == CM_CHILD_TCP
4879  || c->mode == CM_CHILD_UDP
4880  || c->mode == CM_TOP)
4881  {
4882 #ifdef USE_COMP
4883  if (c->c2.comp_context)
4884  {
4885  comp_uninit(c->c2.comp_context);
4886  c->c2.comp_context = NULL;
4887  }
4888 #endif
4889 
4890  /* free buffers */
4891  do_close_free_buf(c);
4892 
4893  /* close peer for DCO if enabled, needs peer-id so must be done before
4894  * closing TLS contexts */
4895  dco_remove_peer(c);
4896 
4897  /* close TLS */
4898  do_close_tls(c);
4899 
4900  /* free key schedules */
4901  do_close_free_key_schedule(c, (c->mode == CM_P2P || c->mode == CM_TOP));
4902 
4903  /* close TCP/UDP connection */
4904  do_close_link_socket(c);
4905 
4906  /* close TUN/TAP device */
4907  do_close_tun(c, false);
4908 
4909 #ifdef ENABLE_MANAGEMENT
4910  if (management)
4911  {
4912  management_notify_client_close(management, &c->c2.mda_context, NULL);
4913  }
4914 #endif
4915 
4916 #ifdef ENABLE_PLUGIN
4917  /* call plugin close functions and unload */
4918  do_close_plugins(c);
4919 #endif
4920 
4921  /* close packet-id persistence file */
4922  do_close_packet_id(c);
4923 
4924  /* close --status file */
4925  do_close_status_output(c);
4926 
4927 #ifdef ENABLE_FRAGMENT
4928  /* close fragmentation handler */
4929  do_close_fragment(c);
4930 #endif
4931 
4932  /* close --ifconfig-pool-persist obj */
4933  do_close_ifconfig_pool_persist(c);
4934 
4935  /* free up environmental variable store */
4936  do_env_set_destroy(c);
4937 
4938  /* close HTTP or SOCKS proxy */
4939  uninit_proxy(c);
4940 
4941  /* garbage collect */
4942  gc_free(&c->c2.gc);
4943  }
4944 }
4945 
4946 void
4947 inherit_context_child(struct context *dest,
4948  const struct context *src,
4949  struct link_socket *sock)
4950 {
4951  CLEAR(*dest);
4952 
4953  /* proto_is_dgram will ASSERT(0) if proto is invalid */
4954  dest->mode = proto_is_dgram(sock->info.proto) ? CM_CHILD_UDP : CM_CHILD_TCP;
4955 
4956  dest->gc = gc_new();
4957 
4958  ALLOC_OBJ_CLEAR_GC(dest->sig, struct signal_info, &dest->gc);
4959 
4960  /* c1 init */
4961  packet_id_persist_init(&dest->c1.pid_persist);
4962  dest->c1.link_sockets_num = 1;
4963  do_link_socket_addr_new(dest);
4964 
4965  dest->c1.ks.key_type = src->c1.ks.key_type;
4966  /* inherit SSL context */
4967  dest->c1.ks.ssl_ctx = src->c1.ks.ssl_ctx;
4968  dest->c1.ks.tls_wrap_key = src->c1.ks.tls_wrap_key;
4969  dest->c1.ks.tls_auth_key_type = src->c1.ks.tls_auth_key_type;
4970  dest->c1.ks.tls_crypt_v2_server_key = src->c1.ks.tls_crypt_v2_server_key;
4971  /* inherit pre-NCP ciphers */
4972  dest->options.ciphername = src->options.ciphername;
4973  dest->options.authname = src->options.authname;
4974 
4975  /* inherit auth-token */
4976  dest->c1.ks.auth_token_key = src->c1.ks.auth_token_key;
4977 
4978  /* options */
4979  dest->options = src->options;
4980  dest->options.ce.proto = sock->info.proto;
4981  options_detach(&dest->options);
4982 
4983  dest->c2.event_set = src->c2.event_set;
4984 
4985  if (dest->mode == CM_CHILD_TCP)
4986  {
4987  /*
4988  * The CM_TOP context does the socket listen(),
4989  * and the CM_CHILD_TCP context does the accept().
4990  */
4991  dest->c2.accept_from = sock;
4992  }
4993 
4994 #ifdef ENABLE_PLUGIN
4995  /* inherit plugins */
4996  do_inherit_plugins(dest, src);
4997 #endif
4998 
4999  /* context init */
5000 
5001  /* inherit tun/tap interface object now as it may be required
5002  * to initialize the DCO context in init_instance()
5003  */
5004  dest->c1.tuntap = src->c1.tuntap;
5005 
5006  /* UDP inherits some extra things which TCP does not */
5007  if (dest->mode == CM_CHILD_UDP)
5008  {
5009  ASSERT(!dest->c2.link_sockets);
5010  ASSERT(dest->options.ce.local_list);
5011 
5012  /* inherit buffers */
5013  dest->c2.buffers = src->c2.buffers;
5014 
5015  ALLOC_ARRAY_GC(dest->c2.link_sockets, struct link_socket *, 1, &dest->gc);
5016 
5017  /* inherit parent link_socket and tuntap */
5018  dest->c2.link_sockets[0] = sock;
5019 
5020  ALLOC_ARRAY_GC(dest->c2.link_socket_infos, struct link_socket_info *, 1, &dest->gc);
5021  ALLOC_OBJ_GC(dest->c2.link_socket_infos[0], struct link_socket_info, &dest->gc);
5022  *dest->c2.link_socket_infos[0] = sock->info;
5023 
5024  /* locally override some link_socket_info fields */
5025  dest->c2.link_socket_infos[0]->lsa = &dest->c1.link_socket_addrs[0];
5026  dest->c2.link_socket_infos[0]->connection_established = false;
5027  }
5028 
5029  init_instance(dest, src->c2.es, CC_NO_CLOSE | CC_USR1_TO_HUP);
5030  if (IS_SIG(dest))
5031  {
5032  return;
5033  }
5034 }
5035 
5036 void
5037 inherit_context_top(struct context *dest,
5038  const struct context *src)
5039 {
5040  /* copy parent */
5041  *dest = *src;
5042 
5043  /*
5044  * CM_TOP_CLONE will prevent close_instance from freeing or closing
5045  * resources owned by the parent.
5046  *
5047  * Also note that CM_TOP_CLONE context objects are
5048  * closed by multi_top_free in multi.c.
5049  */
5050  dest->mode = CM_TOP_CLONE;
5051 
5052  dest->first_time = false;
5053  dest->c0 = NULL;
5054 
5055  options_detach(&dest->options);
5056  gc_detach(&dest->gc);
5057  gc_detach(&dest->c2.gc);
5058 
5059  /* detach plugins */
5060  dest->plugins_owned = false;
5061 
5062  dest->c2.tls_multi = NULL;
5063 
5064  /* detach c1 ownership */
5065  dest->c1.tuntap_owned = false;
5066  dest->c1.status_output_owned = false;
5067  dest->c1.ifconfig_pool_persist_owned = false;
5068 
5069  /* detach c2 ownership */
5070  dest->c2.event_set_owned = false;
5071  dest->c2.link_socket_owned = false;
5072  dest->c2.buffers_owned = false;
5073  dest->c2.es_owned = false;
5074 
5075  dest->c2.event_set = NULL;
5076  do_event_set_init(dest, false);
5077 
5078 #ifdef USE_COMP
5079  dest->c2.comp_context = NULL;
5080 #endif
5081 }
5082 
5083 void
5084 close_context(struct context *c, int sig, unsigned int flags)
5085 {
5086  ASSERT(c);
5087  ASSERT(c->sig);
5088 
5089  if (sig >= 0)
5090  {
5091  register_signal(c->sig, sig, "close_context");
5092  }
5093 
5094  if (c->sig->signal_received == SIGUSR1)
5095  {
5096  if ((flags & CC_USR1_TO_HUP)
5097  || (c->sig->source == SIG_SOURCE_HARD && (flags & CC_HARD_USR1_TO_HUP)))
5098  {
5099  register_signal(c->sig, SIGHUP, "close_context usr1 to hup");
5100  }
5101  }
5102 
5103  if (!(flags & CC_NO_CLOSE))
5104  {
5105  close_instance(c);
5106  }
5107 
5108  if (flags & CC_GC_FREE)
5109  {
5110  context_gc_free(c);
5111  }
5112 }
5113 
5114 /* Write our PID to a file */
5115 void
5116 write_pid_file(const char *filename, const char *chroot_dir)
5117 {
5118  if (filename)
5119  {
5120  unsigned int pid = 0;
5121  FILE *fp = platform_fopen(filename, "w");
5122  if (!fp)
5123  {
5124  msg(M_ERR, "Open error on pid file %s", filename);
5125  return;
5126  }
5127 
5128  pid = platform_getpid();
5129  fprintf(fp, "%u\n", pid);
5130  if (fclose(fp))
5131  {
5132  msg(M_ERR, "Close error on pid file %s", filename);
5133  }
5134 
5135  /* remember file name so it can be deleted "out of context" later */
5136  /* (the chroot case is more complex and not handled today) */
5137  if (!chroot_dir)
5138  {
5139  saved_pid_file_name = strdup(filename);
5140  if (!saved_pid_file_name)
5141  {
5142  msg(M_FATAL, "Failed allocate memory saved_pid_file_name");
5143  }
5144  }
5145  }
5146 }
5147 
5148 /* remove PID file on exit, called from openvpn_exit() */
5149 void
5150 remove_pid_file(void)
5151 {
5152  if (saved_pid_file_name)
5153  {
5154  platform_unlink(saved_pid_file_name);
5155  }
5156 }
5157 
5158 
5159 /*
5160  * Do a loopback test
5161  * on the crypto subsystem.
5162  */
5163 static void *
5164 test_crypto_thread(void *arg)
5165 {
5166  struct context *c = (struct context *) arg;
5167  const struct options *options = &c->options;
5168 
5169  ASSERT(options->test_crypto);
5170  init_verb_mute(c, IVM_LEVEL_1);
5171  context_init_1(c);
5172  next_connection_entry(c);
5173  do_init_crypto_static(c, 0);
5174 
5175  frame_finalize_options(c, options);
5176 
5177  test_crypto(&c->c2.crypto_options, &c->c2.frame);
5178 
5179  key_schedule_free(&c->c1.ks, true);
5180  packet_id_free(&c->c2.crypto_options.packet_id);
5181 
5182  context_gc_free(c);
5183  return NULL;
5184 }
5185 
5186 bool
5187 do_test_crypto(const struct options *o)
5188 {
5189  if (o->test_crypto)
5190  {
5191  struct context c;
5192 
5193  /* print version number */
5194  msg(M_INFO, "%s", title_string);
5195 
5196  context_clear(&c);
5197  c.options = *o;
5198  options_detach(&c.options);
5199  c.first_time = true;
5200  test_crypto_thread((void *) &c);
5201  return true;
5202  }
5203  return false;
5204 }
connection_entry::tls_crypt_file
const char * tls_crypt_file
Definition: options.h:167
tls_session_update_crypto_params
bool tls_session_update_crypto_params(struct tls_multi *multi, struct tls_session *session, struct options *options, struct frame *frame, struct frame *frame_fragment, struct link_socket_info *lsi, dco_context_t *dco)
Update TLS session crypto parameters (cipher and auth) and derive data channel keys based on the supp...
Definition: ssl.c:1708
status_open
struct status_output * status_open(const char *filename, const int refresh_freq, const int msglevel, const struct virtual_output *vout, const unsigned int flags)
Definition: status.c:61
options::keepalive_timeout
int keepalive_timeout
Definition: options.h:341
plugin_return::list
struct openvpn_plugin_string_list * list[MAX_PLUGINS]
Definition: plugin.h:104
init_tun
struct tuntap * init_tun(const char *dev, const char *dev_type, int topology, const char *ifconfig_local_parm, const char *ifconfig_remote_netmask_parm, const char *ifconfig_ipv6_local_parm, int ifconfig_ipv6_netbits_parm, const char *ifconfig_ipv6_remote_parm, struct addrinfo *local_public, struct addrinfo *remote_public, const bool strict_warn, struct env_set *es, openvpn_net_ctx_t *ctx, struct tuntap *tt)
Definition: tun.c:816
do_close_ifconfig_pool_persist
static void do_close_ifconfig_pool_persist(struct context *c)
Definition: init.c:4213
local_list::len
int len
Definition: options.h:191
pull_permission_mask
unsigned int pull_permission_mask(const struct context *c)
Definition: init.c:2592
context_2::route_wakeup
struct event_timeout route_wakeup
Definition: openvpn.h:383
tun_standby_init
void tun_standby_init(struct tuntap *tt)
Definition: tun.c:5756
options::disable_dco
bool disable_dco
Definition: options.h:372
options::replay_time
int replay_time
Definition: options.h:584
GENKEY_AUTH_TOKEN
@ GENKEY_AUTH_TOKEN
Definition: options.h:237
platform_create_temp_file
const char * platform_create_temp_file(const char *directory, const char *prefix, struct gc_arena *gc)
Create a temporary file in directory, returns the filename of the created file.
Definition: platform.c:541
do_test_crypto
bool do_test_crypto(const struct options *o)
Definition: init.c:5187
context_2::tls_auth_standalone
struct tls_auth_standalone * tls_auth_standalone
TLS state structure required for the initial authentication of a client's connection attempt.
Definition: openvpn.h:326
options::genkey_type
enum genkey_type genkey_type
Definition: options.h:282
plugin_list_init
struct plugin_list * plugin_list_init(const struct plugin_option_list *list)
Definition: plugin.c:776
link_socket
Definition: socket.h:177
management_set_state
void management_set_state(struct management *man, const int state, const char *detail, const in_addr_t *tun_local_ip, const struct in6_addr *tun_local_ip6, const struct openvpn_sockaddr *local, const struct openvpn_sockaddr *remote)
Definition: manage.c:2749
options::show_engines
bool show_engines
Definition: options.h:278
do_close_plugins
static void do_close_plugins(struct context *c)
Definition: init.c:4340
write_key_file
int write_key_file(const int nkeys, const char *filename)
Write nkeys 1024-bits keys to file.
Definition: crypto.c:1577
signal_info::signal_received
volatile int signal_received
Definition: sig.h:43
options::ssl_flags
unsigned int ssl_flags
Definition: options.h:626
options::verbosity
int verbosity
Definition: options.h:397
do_ifconfig_setenv
void do_ifconfig_setenv(const struct tuntap *tt, struct env_set *es)
Definition: tun.c:772
context_1::link_sockets_num
int link_sockets_num
Definition: openvpn.h:157
DRIVER_NULL
@ DRIVER_NULL
Definition: tun.h:54
WSO_MODE_CONSOLE
#define WSO_MODE_CONSOLE
Definition: win32.h:156
do_init_server_poll_timeout
static void do_init_server_poll_timeout(struct context *c)
Definition: init.c:1353
tls_init_control_channel_frame_parameters
void tls_init_control_channel_frame_parameters(struct frame *frame, int tls_mtu)
Definition: ssl.c:142
next_connection_entry
static void next_connection_entry(struct context *c)
Definition: init.c:521
CE_MAN_QUERY_REMOTE_MOD
#define CE_MAN_QUERY_REMOTE_MOD
Definition: options.h:155
options::verify_hash
struct verify_hash_list * verify_hash
Definition: options.h:622
OPENVPN_PLUGIN_UP
#define OPENVPN_PLUGIN_UP
Definition: openvpn-plugin.h:117
tls_crypt_v2_init_server_key
void tls_crypt_v2_init_server_key(struct key_ctx *key_ctx, bool encrypt, const char *key_file, bool key_inline)
Initialize a tls-crypt-v2 server key (used to encrypt/decrypt client keys).
Definition: tls_crypt.c:360
connection_entry::mssfix_encap
bool mssfix_encap
Definition: options.h:144
tls_options::config_ncp_ciphers
const char * config_ncp_ciphers
Definition: ssl_common.h:367
platform_user_group_set
void platform_user_group_set(const struct platform_state_user *user_state, const struct platform_state_group *group_state, struct context *c)
Definition: platform.c:217
M_INFO
#define M_INFO
Definition: errlevel.h:55
connection_entry::mssfix
int mssfix
Definition: options.h:142
management_post_tunnel_open
void management_post_tunnel_open(struct management *man, const in_addr_t tun_local_ip)
Definition: manage.c:3058
options::show_digests
bool show_digests
Definition: options.h:277
do_close_tls
static void do_close_tls(struct context *c)
Definition: init.c:3994
connection_entry::link_mtu
int link_mtu
Definition: options.h:132
route_ipv6_option_list::flags
unsigned int flags
Definition: route.h:107
fragment_frame_init
void fragment_frame_init(struct fragment_master *f, const struct frame *frame)
Allocate internal packet buffers for a fragment_master structure.
Definition: fragment.c:122
options::use_peer_id
bool use_peer_id
Definition: options.h:701
notnull
void notnull(const char *arg, const char *description)
Definition: options.c:4902
M_OPTERR
#define M_OPTERR
Definition: error.h:100
tls_options::verify_x509_name
const char * verify_x509_name
Definition: ssl_common.h:344
options::sc_info
struct static_challenge_info sc_info
Definition: options.h:566
OPENVPN_PLUGIN_DOWN
#define OPENVPN_PLUGIN_DOWN
Definition: openvpn-plugin.h:118
tls_wrap_ctx::original_wrap_keydata
struct key2 original_wrap_keydata
original key data to be xored in to the key for dynamic tls-crypt.
Definition: ssl_common.h:290
context_2::accept_from
const struct link_socket * accept_from
Definition: openvpn.h:242
options::enable_ncp_fallback
bool enable_ncp_fallback
If defined fall back to ciphername if NCP fails.
Definition: options.h:574
add_route_ipv6_to_option_list
void add_route_ipv6_to_option_list(struct route_ipv6_option_list *l, const char *prefix, const char *gateway, const char *metric)
Definition: route.c:528
gc_new
static struct gc_arena gc_new(void)
Definition: buffer.h:1025
GENKEY_SECRET
@ GENKEY_SECRET
Definition: options.h:234
fragment_init
struct fragment_master * fragment_init(struct frame *frame)
Allocate and initialize a fragment_master structure.
Definition: fragment.c:89
options::nice
int nice
Definition: options.h:396
do_ifconfig
void do_ifconfig(struct tuntap *tt, const char *ifname, int tun_mtu, const struct env_set *es, openvpn_net_ctx_t *ctx)
do_ifconfig - configure the tunnel interface
Definition: tun.c:1628
run_command.h
DEV_TYPE_TUN
#define DEV_TYPE_TUN
Definition: proto.h:36
auth_token.h
tls_options::frame
struct frame frame
Definition: ssl_common.h:381
connection_entry::connect_retry_seconds
int connect_retry_seconds
Definition: options.h:117
connection_entry::explicit_exit_notification
int explicit_exit_notification
Definition: options.h:148
context_2::tls_multi
struct tls_multi * tls_multi
TLS state structure for this VPN tunnel.
Definition: openvpn.h:323
forward.h
open_management
bool open_management(struct context *c)
Definition: init.c:4469
plugin_return
Definition: plugin.h:101
ROUTE_BEFORE_TUN
#define ROUTE_BEFORE_TUN
Definition: tun.h:401
fragment_free
void fragment_free(struct fragment_master *f)
Free a fragment_master structure and its internal packet buffers.
Definition: fragment.c:113
key_ctx_bi_defined
static bool key_ctx_bi_defined(const struct key_ctx_bi *key)
Definition: crypto.h:657
inherit_context_child
void inherit_context_child(struct context *dest, const struct context *src, struct link_socket *sock)
Definition: init.c:4947
signal_info::signal_text
const char * signal_text
Definition: sig.h:45
route_list
Definition: route.h:213
gremlin.h
context_1::status_output_owned
bool status_output_owned
Definition: openvpn.h:185
link_socket_init_phase2
void link_socket_init_phase2(struct context *c, struct link_socket *sock)
Definition: socket.c:2261
PACKAGE_NAME
#define PACKAGE_NAME
Definition: config.h:492
options::up_script
const char * up_script
Definition: options.h:383
context::persist
struct context_persist persist
Persistent context.
Definition: openvpn.h:510
buffer::len
int len
Length in bytes of the actual content within the allocated memory.
Definition: buffer.h:66
restore_signal_state
void restore_signal_state(void)
Definition: sig.c:466
frame_print
void frame_print(const struct frame *frame, int level, const char *prefix)
Definition: mtu.c:195
OPT_P_DEFAULT
#define OPT_P_DEFAULT
Definition: options.h:763
OPT_P_PUSH_MTU
#define OPT_P_PUSH_MTU
Definition: options.h:761
options::keepalive_ping
int keepalive_ping
Definition: options.h:340
connection_entry::socks_proxy_server
const char * socks_proxy_server
Definition: options.h:121
set_lladdr
int set_lladdr(openvpn_net_ctx_t *ctx, const char *ifname, const char *lladdr, const struct env_set *es)
Definition: lladdr.c:17
open_tun
void open_tun(const char *dev, const char *dev_type, const char *dev_node, struct tuntap *tt, openvpn_net_ctx_t *ctx)
Definition: tun.c:6753
init_connection_list
static void init_connection_list(struct context *c)
Definition: init.c:481
packet_id_init
void packet_id_init(struct packet_id *p, int seq_backtrack, int time_backtrack, const char *name, int unit)
Definition: packet_id.c:96
D_LINK_ERRORS
#define D_LINK_ERRORS
Definition: errlevel.h:57
management_hold
bool management_hold(struct management *man, int holdtime)
Definition: manage.c:3816
M_FATAL
#define M_FATAL
Definition: error.h:89
tls_item_in_cipher_list
bool tls_item_in_cipher_list(const char *item, const char *list)
Return true iff item is present in the colon-separated zero-terminated cipher list.
Definition: ssl_ncp.c:210
init_query_passwords
void init_query_passwords(const struct context *c)
Query for private key and auth-user-pass username/passwords.
Definition: init.c:651
win32.h
options::ce_advance_count
int ce_advance_count
Definition: options.h:300
env_set_destroy
void env_set_destroy(struct env_set *es)
Definition: env_set.c:166
options::auth_token_secret_file
const char * auth_token_secret_file
Definition: options.h:546
EVENT_METHOD_US_TIMEOUT
#define EVENT_METHOD_US_TIMEOUT
Definition: event.h:82
options_string
char * options_string(const struct options *o, const struct frame *frame, struct tuntap *tt, openvpn_net_ctx_t *ctx, bool remote, struct gc_arena *gc)
Definition: options.c:4240
context_1::tuntap
struct tuntap * tuntap
Tun/tap virtual network interface.
Definition: openvpn.h:171
options::show_ciphers
bool show_ciphers
Definition: options.h:276
RH_PORT_LEN
#define RH_PORT_LEN
Definition: options.h:229
argv
Definition: argv.h:35
context_2::es_owned
bool es_owned
Definition: openvpn.h:421
options::duplicate_cn
bool duplicate_cn
Definition: options.h:527
connection_entry::tls_crypt_file_inline
bool tls_crypt_file_inline
Definition: options.h:168
do_link_socket_addr_new
static void do_link_socket_addr_new(struct context *c)
Definition: init.c:740
streq
#define streq(x, y)
Definition: options.h:726
set_check_status_error_delay
static void set_check_status_error_delay(unsigned int milliseconds)
Definition: error.h:286
proto2ascii
const char * proto2ascii(int proto, sa_family_t af, bool display_form)
Definition: socket.c:3213
options::inactivity_minimum_bytes
int64_t inactivity_minimum_bytes
Definition: options.h:344
packet_id_persist_load
void packet_id_persist_load(struct packet_id_persist *p, const char *filename)
Definition: packet_id.c:470
TLS_MODE
#define TLS_MODE(c)
Definition: openvpn.h:536
M_NONFATAL
#define M_NONFATAL
Definition: error.h:90
do_close_free_buf
static void do_close_free_buf(struct context *c)
Definition: init.c:3980
tls_wrap_ctx::tls_crypt_v2_wkc
const struct buffer * tls_crypt_v2_wkc
Wrapped client key, sent to server.
Definition: ssl_common.h:277
occ_reset_op
static int occ_reset_op(void)
Definition: occ.h:101
connection_entry::remote_port
const char * remote_port
Definition: options.h:111
management_sleep
void management_sleep(const int n)
A sleep function that services the management layer for n seconds rather than doing nothing.
Definition: manage.c:4117
context_1::tuntap_owned
bool tuntap_owned
Whether the tun/tap interface should be cleaned up when this context is cleaned up.
Definition: openvpn.h:172
ROUTE_AFTER_TUN
#define ROUTE_AFTER_TUN
Definition: tun.h:402
lladdr.h
do_open_status_output
static void do_open_status_output(struct context *c)
Definition: init.c:4171
context
Contains all state information for one tunnel.
Definition: openvpn.h:473
do_setup_fast_io
static void do_setup_fast_io(struct context *c)
Definition: init.c:4258
D_ROUTE
#define D_ROUTE
Definition: errlevel.h:80
management_open
bool management_open(struct management *man, const char *addr, const char *port, const char *pass_file, const char *client_user, const char *client_group, const int log_history_cache, const int echo_buffer_size, const int state_buffer_size, const int remap_sigusr1, const unsigned int flags)
Definition: manage.c:2667
es
struct env_set * es
Definition: test_pkcs11.c:141
tls_options::transition_window
int transition_window
Definition: ssl_common.h:331
options::route_nopull
bool route_nopull
Definition: options.h:437
init_route_ipv6_list
bool init_route_ipv6_list(struct route_ipv6_list *rl6, const struct route_ipv6_option_list *opt6, const char *remote_endpoint, int default_metric, const struct in6_addr *remote_host_ipv6, struct env_set *es, openvpn_net_ctx_t *ctx)
Definition: route.c:790
tls_multi::session
struct tls_session session[TM_SIZE]
Array of tls_session objects representing control channel sessions with the remote peer.
Definition: ssl_common.h:690
route_did_redirect_default_gateway
static int route_did_redirect_default_gateway(const struct route_list *rl)
Definition: route.h:419
CC_GC_FREE
#define CC_GC_FREE
Definition: init.h:104
connection_entry::tun_mtu_defined
bool tun_mtu_defined
Definition: options.h:129
key_schedule::auth_token_key
struct key_ctx auth_token_key
Definition: openvpn.h:73
options::key_direction
int key_direction
Definition: options.h:572
options::topology
int topology
Definition: options.h:320
SSEC_SCRIPTS
#define SSEC_SCRIPTS
Definition: run_command.h:33
link_socket_info::lsa
struct link_socket_addr * lsa
Definition: socket.h:115
context_2::auth_token_renewal_interval
struct event_timeout auth_token_renewal_interval
Definition: openvpn.h:293
BSTR
#define BSTR(buf)
Definition: buffer.h:129
management_callback::flags
unsigned int flags
Definition: manage.h:178
options::authname
const char * authname
Definition: options.h:579
options::dev_type
const char * dev_type
Definition: options.h:317
tls_options::auth_token_key
struct key_ctx auth_token_key
Definition: ssl_common.h:399
user_pass::username
char username[USER_PASS_LEN]
Definition: misc.h:72
get_random
long int get_random(void)
Definition: crypto.c:1757
do_init_crypto_none
static void do_init_crypto_none(struct context *c)
Definition: init.c:3584
context_2::tmp_int
struct interval tmp_int
Definition: openvpn.h:344
AR_NONE
#define AR_NONE
Definition: options.h:903
platform_getpid
unsigned int platform_getpid(void)
Definition: platform.c:333
D_MTU_INFO
#define D_MTU_INFO
Definition: errlevel.h:105
do_print_data_channel_mtu_parms
static void do_print_data_channel_mtu_parms(struct context *c)
Definition: init.c:3897
options::status_file_update_freq
int status_file_update_freq
Definition: options.h:406
link_socket_addr::bind_local
struct addrinfo * bind_local
Definition: socket.h:106
CM_CHILD_UDP
#define CM_CHILD_UDP
Definition: openvpn.h:485
context::plugins
struct plugin_list * plugins
List of plug-ins.
Definition: openvpn.h:502
D_HANDSHAKE
#define D_HANDSHAKE
Definition: errlevel.h:72
tls_crypt_v2_init_client_key
void tls_crypt_v2_init_client_key(struct key_ctx_bi *key, struct key2 *original_key, struct buffer *wkc_buf, const char *key_file, bool key_inline)
Initialize a tls-crypt-v2 client key.
Definition: tls_crypt.c:334
plugin_return_init
static void plugin_return_init(struct plugin_return *pr)
Definition: plugin.h:171
warn_on_use_of_common_subnets
void warn_on_use_of_common_subnets(openvpn_net_ctx_t *ctx)
Definition: tun.c:652
options::tls_client
bool tls_client
Definition: options.h:593
options::shared_secret_file
const char * shared_secret_file
Definition: options.h:569
context_2::log_rw
bool log_rw
Definition: openvpn.h:380
tls_options::ekm_size
size_t ekm_size
Definition: ssl_common.h:444
argv_printf_cat
bool argv_printf_cat(struct argv *argres, const char *format,...)
printf() inspired argv concatenation.
Definition: argv.c:464
connection_entry::tls_crypt_v2_force_cookie
bool tls_crypt_v2_force_cookie
Definition: options.h:176
alloc_buf_gc
struct buffer alloc_buf_gc(size_t size, struct gc_arena *gc)
Definition: buffer.c:88
openvpn_run_script
static int openvpn_run_script(const struct argv *a, const struct env_set *es, const unsigned int flags, const char *hook)
Will run a script and return the exit code of the script if between 0 and 255, -1 otherwise.
Definition: run_command.h:87
print_openssl_info
bool print_openssl_info(const struct options *options)
Definition: init.c:992
context_2::es
struct env_set * es
Definition: openvpn.h:420
tls_crypt_v2_write_client_key_file
void tls_crypt_v2_write_client_key_file(const char *filename, const char *b64_metadata, const char *server_key_file, bool server_key_inline)
Generate a tls-crypt-v2 client key, and write to file.
Definition: tls_crypt.c:683
connection_entry::connect_timeout
int connect_timeout
Definition: options.h:119
argv_free
void argv_free(struct argv *a)
Frees all memory allocations allocated by the struct argv related functions.
Definition: argv.c:102
X509_USERNAME_FIELD_DEFAULT
#define X509_USERNAME_FIELD_DEFAULT
Definition: ssl.h:117
tls_options::client_crresponse_script
const char * client_crresponse_script
Definition: ssl_common.h:385
context_1::socks_proxy_owned
bool socks_proxy_owned
Definition: openvpn.h:193
set_debug_level
bool set_debug_level(const int level, const unsigned int flags)
Definition: error.c:105
man_persist::special_state_msg
const char * special_state_msg
Definition: manage.h:238
do_close_fragment
static void do_close_fragment(struct context *c)
Definition: init.c:4122
GENKEY_TLS_CRYPTV2_CLIENT
@ GENKEY_TLS_CRYPTV2_CLIENT
Definition: options.h:235
tls_options::replay_time
int replay_time
Definition: ssl_common.h:364
OPT_P_PLUGIN
#define OPT_P_PLUGIN
Definition: options.h:755
CO_EPOCH_DATA_KEY_FORMAT
#define CO_EPOCH_DATA_KEY_FORMAT
Bit-flag indicating the epoch the data format.
Definition: crypto.h:376
session_id_hmac_init
hmac_ctx_t * session_id_hmac_init(void)
Definition: ssl_pkt.c:473
dev_type_string
const char * dev_type_string(const char *dev, const char *dev_type)
Definition: tun.c:508
options::cipher_list
const char * cipher_list
Definition: options.h:607
plugin_list_open
void plugin_list_open(struct plugin_list *pl, const struct plugin_option_list *list, struct plugin_return *pr, const struct env_set *es, const int init_point)
Definition: plugin.c:786
init_instance
void init_instance(struct context *c, const struct env_set *env, const unsigned int flags)
Definition: init.c:4580
management_callback::remote_cmd
bool(* remote_cmd)(void *arg, const char **p)
Definition: manage.h:202
tls_options::remote_cert_eku
const char * remote_cert_eku
Definition: ssl_common.h:349
options::mode
int mode
Definition: options.h:260
frame::tailroom
int tailroom
the tailroom in the buffer.
Definition: mtu.h:112
options::session_timeout
int session_timeout
Definition: options.h:346
tls_options::single_session
bool single_session
Definition: ssl_common.h:317
reset_coarse_timers
void reset_coarse_timers(struct context *c)
Definition: init.c:1342
route_ipv6_list
Definition: route.h:226
options::mute
int mute
Definition: options.h:398
tls_options::verify_hash_depth
int verify_hash_depth
Definition: ssl_common.h:351
packet_id_persist_init
static void packet_id_persist_init(struct packet_id_persist *p)
Definition: openvpn.h:86
platform_group_get
bool platform_group_get(const char *groupname, struct platform_state_group *state)
Definition: platform.c:123
context_2::inactivity_interval
struct event_timeout inactivity_interval
Definition: openvpn.h:287
SSEC_PW_ENV
#define SSEC_PW_ENV
Definition: run_command.h:34
MF_SERVER
#define MF_SERVER
Definition: manage.h:28
show_available_ciphers
void show_available_ciphers(void)
Definition: crypto_openssl.c:370
remote_host_store::port
char port[RH_PORT_LEN]
Definition: options.h:230
MAX_PARMS
#define MAX_PARMS
Definition: options.h:52
context::c0
struct context_0 * c0
Level 0 context.
Definition: openvpn.h:512
buf_clear
void buf_clear(struct buffer *buf)
Definition: buffer.c:162
CE_MAN_QUERY_PROXY
#define CE_MAN_QUERY_PROXY
Definition: options.h:151
connection_entry::link_mtu_defined
bool link_mtu_defined
Definition: options.h:133
do_close_tun
static void do_close_tun(struct context *c, bool force)
Definition: init.c:2129
time_test
void time_test(void)
CO_FORCE_TLSCRYPTV2_COOKIE
#define CO_FORCE_TLSCRYPTV2_COOKIE
Bit-flag indicating that we do not allow clients that do not support resending the wrapped client key...
Definition: crypto.h:364
options::ce
struct connection_entry ce
Definition: options.h:288
options::msg_channel
HANDLE msg_channel
Definition: options.h:692
tls_options::verify_hash_no_ca
bool verify_hash_no_ca
Definition: ssl_common.h:352
tls_options::crl_file_inline
bool crl_file_inline
Definition: ssl_common.h:346
context_0::uid_gid_chroot_set
bool uid_gid_chroot_set
Definition: openvpn.h:140
link_socket_addr::current_remote
struct addrinfo * current_remote
Definition: socket.h:108
DRIVER_AFUNIX
@ DRIVER_AFUNIX
using an AF_UNIX socket to pass packets from/to an external program.
Definition: tun.h:53
openvpn_sockaddr
Definition: socket.h:65
env_set_inherit
void env_set_inherit(struct env_set *es, const struct env_set *src)
Definition: env_set.c:238
do_close_free_key_schedule
static void do_close_free_key_schedule(struct context *c, bool free_ssl_ctx)
Definition: init.c:4021
context_2::buffers
struct context_buffers * buffers
Definition: openvpn.h:367
options::verify_hash_algo
hash_algo_type verify_hash_algo
Definition: options.h:623
context_gc_free
void context_gc_free(struct context *c)
Definition: init.c:798
openvpn_net_ctx_t
void * openvpn_net_ctx_t
Definition: networking.h:28
context_2::did_open_tun
bool did_open_tun
Definition: openvpn.h:387
set_check_status
void set_check_status(unsigned int info_level, unsigned int verbose_level)
Definition: error.c:637
frame_calculate_protocol_header_size
size_t frame_calculate_protocol_header_size(const struct key_type *kt, const struct options *options, bool occ)
Calculates the size of the OpenVPN protocol header.
Definition: mtu.c:63
options::genkey_extra_data
const char * genkey_extra_data
Definition: options.h:284
M_NOPREFIX
#define M_NOPREFIX
Definition: error.h:97
management_callback_send_cc_message
static bool management_callback_send_cc_message(void *arg, const char *command, const char *parameters)
This method sends a custom control channel message.
Definition: init.c:307
event_timeout_init
static void event_timeout_init(struct event_timeout *et, interval_t n, const time_t last)
Initialises a timer struct.
Definition: interval.h:174
init_context_buffers
struct context_buffers * init_context_buffers(const struct frame *frame)
Definition: init.c:3752
context_2::route_wakeup_expire
struct event_timeout route_wakeup_expire
Definition: openvpn.h:384
context_buffers::decrypt_buf
struct buffer decrypt_buf
Definition: openvpn.h:101
argv_parse_cmd
void argv_parse_cmd(struct argv *argres, const char *cmdstr)
Parses a command string, tokenizes it and puts each element into a separate struct argv argument slot...
Definition: argv.c:483
options_hash_changed_or_zero
static bool options_hash_changed_or_zero(const struct sha256_digest *a, const struct sha256_digest *b)
Helper for do_up().
Definition: init.c:2274
proto_is_dgram
static bool proto_is_dgram(int proto)
Return if the protocol is datagram (UDP)
Definition: socket.h:597
context_2::pulled_options_state
md_ctx_t * pulled_options_state
Definition: openvpn.h:444
SIG_SOURCE_HARD
#define SIG_SOURCE_HARD
Definition: sig.h:31
socks_proxy_close
void socks_proxy_close(struct socks_proxy_info *sp)
Definition: socks.c:81
tls_options::tls_wrap
struct tls_wrap_ctx tls_wrap
TLS handshake wrapping state.
Definition: ssl_common.h:379
tls_options::tls_crypt_v2
bool tls_crypt_v2
Definition: ssl_common.h:375
tls_options::config_ciphername
const char * config_ciphername
Definition: ssl_common.h:366
options::shaper
int shaper
Definition: options.h:328
window_title_save
void window_title_save(struct window_title *wt)
Definition: win32.c:704
window_title
Definition: win32.h:73
tls_crypt.h
do_inherit_plugins
static void do_inherit_plugins(struct context *c, const struct context *src)
Definition: init.c:4351
do_close_packet_id
static void do_close_packet_id(struct context *c)
Definition: init.c:4107
cipher_kt_name
const char * cipher_kt_name(const char *ciphername)
Retrieve a normalised string describing the cipher (e.g.
Definition: crypto_openssl.c:660
connection_entry::local_list
struct local_list * local_list
Definition: options.h:106
options::tls_export_peer_cert_dir
const char * tls_export_peer_cert_dir
Definition: options.h:613
tls_options::renegotiate_seconds
interval_t renegotiate_seconds
Definition: ssl_common.h:339
D_LOG_RW
#define D_LOG_RW
Definition: errlevel.h:110
context::mode
int mode
Role of this context within the OpenVPN process.
Definition: openvpn.h:487
reset_check_status
void reset_check_status(void)
Definition: error.c:630
do_up
bool do_up(struct context *c, bool pulled_options, unsigned int option_types_found)
Definition: init.c:2457
options::cd_dir
const char * cd_dir
Definition: options.h:378
tls_crypt_buf_overhead
int tls_crypt_buf_overhead(void)
Returns the maximum overhead (in bytes) added to the destination buffer by tls_crypt_wrap().
Definition: tls_crypt.c:55
tls_auth_standalone::workbuf
struct buffer workbuf
Definition: ssl_pkt.h:81
MODE_SERVER
#define MODE_SERVER
Definition: options.h:259
RH_HOST_LEN
#define RH_HOST_LEN
Definition: options.h:227
tun_abort
void tun_abort(void)
Definition: init.c:2255
STATUS_OUTPUT_WRITE
#define STATUS_OUTPUT_WRITE
Definition: status.h:51
options::remote_random
bool remote_random
Definition: options.h:314
options::ifconfig_noexec
bool ifconfig_noexec
Definition: options.h:326
frame
Packet geometry parameters.
Definition: mtu.h:98
IFCONFIG_AFTER_TUN_OPEN
#define IFCONFIG_AFTER_TUN_OPEN
Definition: tun.h:371
setenv_routes_ipv6
void setenv_routes_ipv6(struct env_set *es, const struct route_ipv6_list *rl6)
Definition: route.c:1489
tls_options::tmp_dir
const char * tmp_dir
Definition: ssl_common.h:387
key_schedule_free
static void key_schedule_free(struct key_schedule *ks, bool free_ssl_ctx)
Definition: init.c:3054
MAX_PEER_ID
#define MAX_PEER_ID
Definition: openvpn.h:546
connection_entry::fragment_encap
bool fragment_encap
Definition: options.h:140
status_output::flags
unsigned int flags
Definition: status.h:52
options::tls_server
bool tls_server
Definition: options.h:592
setenv_int
void setenv_int(struct env_set *es, const char *name, int value)
Definition: env_set.c:267
interval_init
void interval_init(struct interval *top, int horizon, int refresh)
Definition: interval.c:35
options::auth_token_renewal
int auth_token_renewal
Definition: options.h:545
block_local_needed
bool block_local_needed(const struct route_list *rl)
Get the decision whether to block traffic to local networks while the VPN is connected.
Definition: route.c:621
management_show_net_callback
void management_show_net_callback(void *arg, const int msglevel)
Definition: init.c:4372
GET_USER_PASS_MANAGEMENT
#define GET_USER_PASS_MANAGEMENT
Definition: misc.h:109
del_wfp_block
static void del_wfp_block(struct context *c, unsigned long adapter_index)
Remove any WFP block filters previously added.
Definition: init.c:1878
srandom
#define srandom
Definition: syshead.h:45
openvpn_sockaddr::in6
struct sockaddr_in6 in6
Definition: socket.h:71
connection_entry
Definition: options.h:104
tls_multi::dco
dco_context_t * dco
Definition: ssl_common.h:707
crypto_read_openvpn_key
void crypto_read_openvpn_key(const struct key_type *key_type, struct key_ctx_bi *ctx, const char *key_file, bool key_inline, const int key_direction, const char *key_name, const char *opt_name, struct key2 *keydata)
Definition: crypto.c:1321
do_inherit_env
static void do_inherit_env(struct context *c, const struct env_set *src)
Definition: init.c:4231
management_notify_generic
void management_notify_generic(struct management *man, const char *str)
Definition: manage.c:2906
sleep
#define sleep(x)
Definition: syshead.h:43
tls_options::auth_token_renewal
unsigned int auth_token_renewal
Definition: ssl_common.h:397
options::routes_ipv6
struct route_ipv6_option_list * routes_ipv6
Definition: options.h:435
OPT_P_SETENV
#define OPT_P_SETENV
Definition: options.h:736
do_init_route_ipv6_list
static void do_init_route_ipv6_list(const struct options *options, struct route_ipv6_list *route_ipv6_list, const struct link_socket_info *link_socket_info, struct env_set *es, openvpn_net_ctx_t *ctx)
Definition: init.c:1531
options::tls_exit
bool tls_exit
Definition: options.h:684
show_available_tls_ciphers
void show_available_tls_ciphers(const char *cipher_list, const char *cipher_list_tls13, const char *tls_cert_profile)
Definition: ssl.c:4245
context_2::occ_interval
struct event_timeout occ_interval
Definition: openvpn.h:301
np
static const char * np(const char *str)
Definition: multi-auth.c:146
key_schedule::tls_wrap_key
struct key_ctx_bi tls_wrap_key
Definition: openvpn.h:67
options::route_noexec
bool route_noexec
Definition: options.h:430
options::tls_cert_profile
const char * tls_cert_profile
Definition: options.h:610
do_init_crypto_static
static void do_init_crypto_static(struct context *c, const unsigned int flags)
Definition: init.c:3094
tuntap::backend_driver
enum tun_driver_type backend_driver
The backend driver that used for this tun/tap device.
Definition: tun.h:191
plugin_call
static int plugin_call(const struct plugin_list *pl, const int type, const struct argv *av, struct plugin_return *pr, struct env_set *es)
Definition: plugin.h:202
tls_options::auth_token_generate
bool auth_token_generate
Generate auth-tokens on successful user/pass auth,seet via options->auth_token_generate.
Definition: ssl_common.h:392
D_RESTART
#define D_RESTART
Definition: errlevel.h:82
link_socket::sd
socket_descriptor_t sd
Definition: socket.h:186
context_persist
Definition: openvpn.h:120
options::windows_driver
enum tun_driver_type windows_driver
Definition: options.h:698
options::renegotiate_seconds
int renegotiate_seconds
Definition: options.h:647
context_0
Level 0 context containing information related to the OpenVPN process.
Definition: openvpn.h:135
context_1::route_list
struct route_list * route_list
List of routing information.
Definition: openvpn.h:176
PING_RESTART
#define PING_RESTART
Definition: options.h:354
context_2::wait_for_connect
struct event_timeout wait_for_connect
Definition: openvpn.h:282
options::persist_local_ip
bool persist_local_ip
Definition: options.h:358
tuntap::actual_name
char * actual_name
Definition: tun.h:205
is_tun_type_set
static bool is_tun_type_set(const struct tuntap *tt)
Definition: tun.h:782
test_crypto
void test_crypto(struct crypto_options *co, struct frame *frame)
Definition: crypto.c:1229
CLEAR
#define CLEAR(x)
Definition: basic.h:33
tls_options::auth_user_pass_file_inline
bool auth_user_pass_file_inline
Definition: ssl_common.h:390
options::verify_hash_depth
int verify_hash_depth
Definition: options.h:624
win32_signal
Definition: win32.h:153
man_persist_client_stats
void man_persist_client_stats(struct management *man, struct context *c)
Definition: manage.c:4172
OPT_P_SOCKBUF
#define OPT_P_SOCKBUF
Definition: options.h:756
do_init_first_time
static void do_init_first_time(struct context *c)
Definition: init.c:3947
tls_multi::multi_state
enum multi_status multi_state
Definition: ssl_common.h:618
D_MTU_DEBUG
#define D_MTU_DEBUG
Definition: errlevel.h:126
options::show_curves
bool show_curves
Definition: options.h:280
tls_auth_standalone::frame
struct frame frame
Definition: ssl_pkt.h:82
connection_list::len
int len
Definition: options.h:198
context::c2
struct context_2 c2
Level 2 context.
Definition: openvpn.h:514
options::cipher_list_tls13
const char * cipher_list_tls13
Definition: options.h:608
ifconfig_pool_persist_init
struct ifconfig_pool_persist * ifconfig_pool_persist_init(const char *filename, int refresh_freq)
Definition: pool.c:551
free_key_ctx_bi
void free_key_ctx_bi(struct key_ctx_bi *ctx)
Definition: crypto.c:1125
do_close_tun_simple
static void do_close_tun_simple(struct context *c)
Definition: init.c:2098
D_GENKEY
#define D_GENKEY
Definition: errlevel.h:79
options::up_delay
bool up_delay
Definition: options.h:387
TM_ACTIVE
#define TM_ACTIVE
Active tls_session.
Definition: ssl_common.h:535
tls_options::ssl_ctx
struct tls_root_ctx ssl_ctx
Definition: ssl_common.h:300
do_init_route_list
static void do_init_route_list(const struct options *options, struct route_list *route_list, const struct link_socket_info *link_socket_info, struct env_set *es, openvpn_net_ctx_t *ctx)
Definition: init.c:1485
string_alloc
char * string_alloc(const char *str, struct gc_arena *gc)
Definition: buffer.c:649
context_2::gc
struct gc_arena gc
Garbage collection arena for allocations done in the level 2 scope of this context_2 structure.
Definition: openvpn.h:225
do_compute_occ_strings
static void do_compute_occ_strings(struct context *c)
Definition: init.c:3913
tls_wrap_ctx::mode
enum tls_wrap_ctx::@23 mode
Control channel wrapping mode.
connection_entry::socks_proxy_port
const char * socks_proxy_port
Definition: options.h:122
options::resolve_in_advance
bool resolve_in_advance
Definition: options.h:366
LS_MODE_DEFAULT
#define LS_MODE_DEFAULT
Definition: socket.h:209
tls_wrap_ctx::opt
struct crypto_options opt
Crypto state.
Definition: ssl_common.h:274
ssl_verify.h
options::ifconfig_nowarn
bool ifconfig_nowarn
Definition: options.h:327
tls_options::ekm_label_size
size_t ekm_label_size
Definition: ssl_common.h:443
options::dev
const char * dev
Definition: options.h:316
connection_list::current
int current
Definition: options.h:199
CAS_RECONNECT_PENDING
@ CAS_RECONNECT_PENDING
session has already successful established (CAS_CONNECT_DONE) but has a reconnect and needs to redo s...
Definition: ssl_common.h:575
ASSERT
#define ASSERT(x)
Definition: error.h:195
OPENVPN_PLUGIN_INIT_POST_DAEMON
#define OPENVPN_PLUGIN_INIT_POST_DAEMON
Definition: openvpn-plugin.h:768
tuntap::local_ipv6
struct in6_addr local_ipv6
Definition: tun.h:211
options::management_port
const char * management_port
Definition: options.h:447
tls_wrap_ctx::tls_crypt_v2_server_key
struct key_ctx tls_crypt_v2_server_key
Decrypts client keys.
Definition: ssl_common.h:276
string_clear
void string_clear(char *str)
Definition: buffer.c:691
options::rh_store
struct remote_host_store * rh_store
Definition: options.h:310
options::groupname
const char * groupname
Definition: options.h:376
D_SHOW_OCC
#define D_SHOW_OCC
Definition: errlevel.h:151
connection_entry::connect_retry_seconds_max
int connect_retry_seconds_max
Definition: options.h:118
ce_management_query_remote
static bool ce_management_query_remote(struct context *c)
Definition: init.c:424
frame::buf
struct frame::@8 buf
PROTO_TCP_CLIENT
@ PROTO_TCP_CLIENT
Definition: socket.h:571
options::single_session
bool single_session
Definition: options.h:680
options::auth_user_pass_file
const char * auth_user_pass_file
Definition: options.h:559
PULL_DEFINED
#define PULL_DEFINED(opt)
Definition: options.h:765
key_schedule::ssl_ctx
struct tls_root_ctx ssl_ctx
Definition: openvpn.h:63
link_socket_actual
Definition: socket.h:86
D_DCO
#define D_DCO
Definition: errlevel.h:94
tls_options::ekm_label
const char * ekm_label
Definition: ssl_common.h:442
CM_CHILD_TCP
#define CM_CHILD_TCP
Definition: openvpn.h:486
tls_options::verify_hash
struct verify_hash_list * verify_hash
Definition: ssl_common.h:350
key_schedule::tls_crypt_v2_server_key
struct key_ctx tls_crypt_v2_server_key
Definition: openvpn.h:71
connection_list
Definition: options.h:195
context::gc
struct gc_arena gc
Garbage collection arena for allocations done in the scope of this context structure.
Definition: openvpn.h:492
RG_REROUTE_GW
#define RG_REROUTE_GW
Definition: route.h:89
OPENVPN_PLUGIN_INIT_PRE_DAEMON
#define OPENVPN_PLUGIN_INIT_PRE_DAEMON
Definition: openvpn-plugin.h:767
ping.h
md_kt_name
const char * md_kt_name(const char *mdname)
Retrieve a string describing the digest digest (e.g.
Definition: crypto_openssl.c:1071
options::ping_send_timeout
int ping_send_timeout
Definition: options.h:348
tls_options::net_ctx
openvpn_net_ctx_t * net_ctx
Definition: ssl_common.h:406
tls_options
Definition: ssl_common.h:297
packet_id_persist_save
void packet_id_persist_save(struct packet_id_persist *p)
Definition: packet_id.c:519
context_2::event_set_max
int event_set_max
Definition: openvpn.h:231
tls_options::x509_track
const struct x509_track * x509_track
Definition: ssl_common.h:432
CE_MAN_QUERY_REMOTE_SKIP
#define CE_MAN_QUERY_REMOTE_SKIP
Definition: options.h:156
options::x509_track
const struct x509_track * x509_track
Definition: options.h:686
http_proxy_options::auth_retry
int auth_retry
Definition: proxy.h:51
options::shared_secret_file_inline
bool shared_secret_file_inline
Definition: options.h:570
init_proxy
static void init_proxy(struct context *c)
Definition: init.c:728
options::management_client_group
const char * management_client_group
Definition: options.h:454
do_link_socket_new
static void do_link_socket_new(struct context *c)
Definition: init.c:3835
openvpn_sockaddr::sa
struct sockaddr sa
Definition: socket.h:69
key_schedule::tls_auth_key_type
struct key_type tls_auth_key_type
Definition: openvpn.h:66
delete_routes
void delete_routes(struct route_list *rl, struct route_ipv6_list *rl6, const struct tuntap *tt, unsigned int flags, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition: route.c:1256
context::plugins_owned
bool plugins_owned
Whether the plug-ins should be cleaned up when this context is cleaned up.
Definition: openvpn.h:503
options::test_crypto
bool test_crypto
Definition: options.h:586
options::verify_hash_no_ca
bool verify_hash_no_ca
Definition: options.h:625
open_plugins
void open_plugins(struct context *c, const bool import_options, int init_point)
Definition: init.c:4303
open_tun_afunix
void open_tun_afunix(struct options *o, int mtu, struct tuntap *tt, struct env_set *orig_env)
Opens an AF_UNIX based tun device.
Definition: tun_afunix.c:74
options::block_outside_dns
bool block_outside_dns
Definition: options.h:697
key_schedule
Definition: openvpn.h:54
context_1::socks_proxy
struct socks_proxy_info * socks_proxy
Definition: openvpn.h:192
OPT_P_MESSAGES
#define OPT_P_MESSAGES
Definition: options.h:742
options::ifconfig_ipv6_netbits
int ifconfig_ipv6_netbits
Definition: options.h:324
options::ncp_ciphers
const char * ncp_ciphers
Definition: options.h:578
key_schedule::key_type
struct key_type key_type
Definition: openvpn.h:57
tls_options::export_peer_cert_dir
const char * export_peer_cert_dir
Definition: ssl_common.h:388
OPT_P_PULL_MODE
#define OPT_P_PULL_MODE
Definition: options.h:754
OPT_P_DHCPDNS
#define OPT_P_DHCPDNS
Definition: options.h:734
management_notify_client_close
void management_notify_client_close(struct management *management, struct man_def_auth_context *mdac, const struct env_set *es)
Definition: manage.c:2997
key_type::digest
const char * digest
Message digest static parameters.
Definition: crypto.h:143
frame::extra_tun
int extra_tun
Maximum number of bytes in excess of the tun/tap MTU that might be read from or written to the virtua...
Definition: mtu.h:145
options::comp
struct compress_options comp
Definition: options.h:411
options::persist_config
bool persist_config
Definition: options.h:272
frame::payload_size
int payload_size
the maximum size that a payload that our buffers can hold from either tun device or network link.
Definition: mtu.h:102
options::imported_protocol_flags
unsigned int imported_protocol_flags
Definition: options.h:723
management_callback_remote_entry_count
static unsigned int management_callback_remote_entry_count(void *arg)
Definition: init.c:332
tls_options::renegotiate_packets
int64_t renegotiate_packets
Definition: ssl_common.h:335
init_ssl_lib
void init_ssl_lib(void)
Definition: ssl.c:228
options::auth_token_lifetime
int auth_token_lifetime
Definition: options.h:544
OPT_P_NCP
#define OPT_P_NCP
Negotiable crypto parameters.
Definition: options.h:743
tls_options::auth_user_pass_verify_script_via_file
bool auth_user_pass_verify_script_via_file
Definition: ssl_common.h:386
openvpn_sockaddr::in4
struct sockaddr_in in4
Definition: socket.h:70
plugin_list_close
void plugin_list_close(struct plugin_list *pl)
Definition: plugin.c:897
update_time
static void update_time(void)
Definition: otime.h:77
options::push_peer_info
bool push_peer_info
Definition: options.h:682
context_buffers
Definition: openvpn.h:94
tuntap::options
struct tuntap_options options
Definition: tun.h:203
tls_wrap_ctx::work
struct buffer work
Work buffer (only for –tls-crypt)
Definition: ssl_common.h:275
tls_options::push_peer_info_detail
int push_peer_info_detail
The detail of info we push in peer info.
Definition: ssl_common.h:330
ALLOC_ARRAY_CLEAR_GC
#define ALLOC_ARRAY_CLEAR_GC(dptr, type, n, gc)
Definition: buffer.h:1082
tls_ctx_initialised
bool tls_ctx_initialised(struct tls_root_ctx *ctx)
Checks whether the given TLS context is initialised.
Definition: ssl_openssl.c:149
tls_options::ssl_flags
unsigned int ssl_flags
Definition: ssl_common.h:426
tls_multi::opt
struct tls_options opt
Definition: ssl_common.h:602
options::tls_crypt_v2_file
const char * tls_crypt_v2_file
Definition: options.h:672
init.h
context::first_time
bool first_time
True on the first iteration of OpenVPN's main loop.
Definition: openvpn.h:478
plugin_return_free
void plugin_return_free(struct plugin_return *pr)
Definition: plugin.c:1015
context_2::shaper
struct shaper shaper
Definition: openvpn.h:259
do_open_tun
static bool do_open_tun(struct context *c, int *error_flags)
Definition: init.c:1927
init_management_callback_p2p
void init_management_callback_p2p(struct context *c)
Definition: init.c:4434
md_ctx_cleanup
void md_ctx_cleanup(md_ctx_t *ctx)
frame_calculate_dynamic
void frame_calculate_dynamic(struct frame *frame, struct key_type *kt, const struct options *options, struct link_socket_info *lsi)
Set the –mssfix option.
Definition: mss.c:335
options::management_state_buffer_size
int management_state_buffer_size
Definition: options.h:451
CE_MAN_QUERY_REMOTE_MASK
#define CE_MAN_QUERY_REMOTE_MASK
Definition: options.h:157
remote_host_store::host
char host[RH_HOST_LEN]
Definition: options.h:228
CE_MAN_QUERY_REMOTE_ACCEPT
#define CE_MAN_QUERY_REMOTE_ACCEPT
Definition: options.h:154
M_WARN
#define M_WARN
Definition: error.h:91
plugin_return::n
int n
Definition: plugin.h:103
close_instance
void close_instance(struct context *c)
Definition: init.c:4872
open_tun_backend
static void open_tun_backend(struct context *c)
Definition: init.c:1905
options::persist_tun
bool persist_tun
Definition: options.h:357
enable_auth_user_pass
void enable_auth_user_pass(void)
Definition: ssl.c:289
plugin_list_inherit
struct plugin_list * plugin_list_inherit(const struct plugin_list *src)
Definition: plugin.c:695
connection_entry::tls_auth_file
const char * tls_auth_file
Definition: options.h:162
management_callback_remote_cmd
static bool management_callback_remote_cmd(void *arg, const char **p)
Definition: init.c:376
OPT_P_SHAPER
#define OPT_P_SHAPER
Definition: options.h:737
options::tls_crypt_v2_file_inline
bool tls_crypt_v2_file_inline
Definition: options.h:673
ALLOC_OBJ_CLEAR_GC
#define ALLOC_OBJ_CLEAR_GC(dptr, type, gc)
Definition: buffer.h:1097
init_verb_mute
void init_verb_mute(struct context *c, unsigned int flags)
Definition: init.c:959
management_init
struct management * management_init(void)
Definition: manage.c:2651
tuntap::adapter_index
DWORD adapter_index
Definition: tun.h:230
OPENVPN_PLUGIN_ROUTE_UP
#define OPENVPN_PLUGIN_ROUTE_UP
Definition: openvpn-plugin.h:119
LS_MODE_TCP_ACCEPT_FROM
#define LS_MODE_TCP_ACCEPT_FROM
Definition: socket.h:211
context::options
struct options options
Options loaded from command line or configuration file.
Definition: openvpn.h:475
context_1::route_ipv6_list
struct route_ipv6_list * route_ipv6_list
Definition: openvpn.h:181
management_callback_remote_entry_get
static bool management_callback_remote_entry_get(void *arg, unsigned int index, char **remote)
Definition: init.c:342
connection_entry::tls_crypt_v2_file_inline
bool tls_crypt_v2_file_inline
Definition: options.h:173
options::route_predown_script
const char * route_predown_script
Definition: options.h:426
do_deferred_options
bool do_deferred_options(struct context *c, const unsigned int found)
Definition: init.c:2670
connection_entry::tls_auth_file_inline
bool tls_auth_file_inline
Definition: options.h:163
options::auth_token_secret_file_inline
bool auth_token_secret_file_inline
Definition: options.h:547
context_2::ping_send_interval
struct event_timeout ping_send_interval
Definition: openvpn.h:283
add_delim_if_non_empty
static void add_delim_if_non_empty(struct buffer *buf, const char *header)
Helper function for tls_print_deferred_options_results Adds the ", " delimitor if there already some ...
Definition: init.c:2288
status_printf
void status_printf(struct status_output *so, const char *format,...)
Definition: status.c:222
connection_entry::tls_crypt_v2_file
const char * tls_crypt_v2_file
Definition: options.h:172
CO_MUTE_REPLAY_WARNINGS
#define CO_MUTE_REPLAY_WARNINGS
Bit-flag indicating not to display replay warnings.
Definition: crypto.h:353
OPENVPN_STATE_CONNECTING
#define OPENVPN_STATE_CONNECTING
Definition: manage.h:470
IFCONFIG_BEFORE_TUN_OPEN
#define IFCONFIG_BEFORE_TUN_OPEN
Definition: tun.h:370
http_proxy_options::port
const char * port
Definition: proxy.h:46
options::verify_x509_type
int verify_x509_type
Definition: options.h:614
context_0::uid_gid_specified
bool uid_gid_specified
Definition: openvpn.h:138
options
Definition: options.h:249
pool.h
options::auth_user_pass_file_inline
bool auth_user_pass_file_inline
Definition: options.h:560
connection_entry::key_direction
int key_direction
Definition: options.h:164
frame_finalize_options
static void frame_finalize_options(struct context *c, const struct options *o)
Definition: init.c:2974
tls_ctx_free
void tls_ctx_free(struct tls_root_ctx *ctx)
Frees the library-specific TLSv1 context.
Definition: ssl_openssl.c:140
options::log
bool log
Definition: options.h:393
do_init_socket_phase2
static void do_init_socket_phase2(struct context *c)
Definition: init.c:3885
is_tun_afunix
static bool is_tun_afunix(const char *devnode)
Checks whether a –dev-node parameter specifies a AF_UNIX device.
Definition: tun_afunix.h:69
tls_options::handshake_window
int handshake_window
Definition: ssl_common.h:332
options::gc
struct gc_arena gc
Definition: options.h:251
OPT_P_COMP
#define OPT_P_COMP
Definition: options.h:741
management_callback::remote_entry_count
unsigned int(* remote_entry_count)(void *arg)
Definition: manage.h:206
do_env_set_destroy
static void do_env_set_destroy(struct context *c)
Definition: init.c:4239
options_string_import
void options_string_import(struct options *options, const char *config, const int msglevel, const unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es)
Definition: options.c:5535
options::mlock
bool mlock
Definition: options.h:338
http_proxy_options::first_time
bool first_time
Definition: proxy.h:60
tls_options::verify_command
const char * verify_command
Definition: ssl_common.h:342
options::tls_timeout
int tls_timeout
Definition: options.h:642
M_ERR
#define M_ERR
Definition: error.h:105
options::management_addr
const char * management_addr
Definition: options.h:446
options::tls_verify
const char * tls_verify
Definition: options.h:612
options::down_script
const char * down_script
Definition: options.h:384
connection_entry::tun_mtu_extra
int tun_mtu_extra
Definition: options.h:130
tls_options::tls_crypt_v2_verify_script
const char * tls_crypt_v2_verify_script
Definition: ssl_common.h:376
can_preserve_tun
static bool can_preserve_tun(struct tuntap *tt)
Definition: init.c:1830
PRE_PULL_INITIAL_PING_RESTART
#define PRE_PULL_INITIAL_PING_RESTART
Definition: ping.h:33
status_output
Definition: status.h:48
dco_p2p_add_new_peer
static int dco_p2p_add_new_peer(struct context *c)
Definition: dco.h:344
CF_INIT_TLS_MULTI
#define CF_INIT_TLS_MULTI
Definition: init.c:69
write_pid_file
void write_pid_file(const char *filename, const char *chroot_dir)
Definition: init.c:5116
SDL_CONSTRAIN
#define SDL_CONSTRAIN
Definition: error.h:177
OCC_MTU_LOAD_INTERVAL_SECONDS
#define OCC_MTU_LOAD_INTERVAL_SECONDS
Definition: occ.h:61
options::no_advance
bool no_advance
Definition: options.h:293
signal_info::source
volatile int source
Definition: sig.h:44
context_0::platform_state_group
struct platform_state_group platform_state_group
Definition: openvpn.h:142
OPENVPN_PLUGIN_INIT_POST_UID_CHANGE
#define OPENVPN_PLUGIN_INIT_POST_UID_CHANGE
Definition: openvpn-plugin.h:769
get_user_pass
static bool get_user_pass(struct user_pass *up, const char *auth_file, const char *prefix, const unsigned int flags)
Retrieves the user credentials from various sources depending on the flags.
Definition: misc.h:150
management_callback::show_net
void(* show_net)(void *arg, const int msglevel)
Definition: manage.h:181
gc_detach
static void gc_detach(struct gc_arena *a)
Definition: buffer.h:1019
management_callback::arg
void * arg
Definition: manage.h:175
IVM_LEVEL_1
#define IVM_LEVEL_1
Definition: init.h:49
guess_tuntap_dev
const char * guess_tuntap_dev(const char *dev, const char *dev_type, const char *dev_node, struct gc_arena *gc)
Definition: tun.c:528
auth_retry_get
int auth_retry_get(void)
Definition: options.c:4755
do_startup_pause
static void do_startup_pause(struct context *c)
Definition: init.c:2929
link_socket_current_remote_ipv6
const struct in6_addr * link_socket_current_remote_ipv6(const struct link_socket_info *info)
Definition: socket.c:2579
context_2::frame_fragment
struct frame frame_fragment
Definition: openvpn.h:253
context::did_we_daemonize
bool did_we_daemonize
Whether demonization has already taken place.
Definition: openvpn.h:507
options::show_tls_ciphers
bool show_tls_ciphers
Definition: options.h:279
cipher_kt_mode_aead
bool cipher_kt_mode_aead(const char *ciphername)
Check if the supplied cipher is a supported AEAD mode cipher.
Definition: crypto_openssl.c:817
OPT_P_ECHO
#define OPT_P_ECHO
Definition: options.h:751
options::renegotiate_seconds_min
int renegotiate_seconds_min
Definition: options.h:648
format_common_name
const char * format_common_name(struct context *c, struct gc_arena *gc)
Definition: init.c:1303
options::persist_remote_ip
bool persist_remote_ip
Definition: options.h:359
context_2::session_id_hmac
hmac_ctx_t * session_id_hmac
the HMAC we use to generate and verify our syn cookie like session ids from the server.
Definition: openvpn.h:338
options::ccd_exclusive
bool ccd_exclusive
Definition: options.h:506
management_up_down
void management_up_down(struct management *man, const char *updown, const struct env_set *es)
Definition: manage.c:2890
win_wfp_block
bool win_wfp_block(const NET_IFINDEX index, const HANDLE msg_channel, BOOL dns_only)
Definition: win32.c:1211
tls_crypt_init_key
void tls_crypt_init_key(struct key_ctx_bi *key, struct key2 *keydata, const char *key_file, bool key_inline, bool tls_server)
Initialize a key_ctx_bi structure for use with –tls-crypt.
Definition: tls_crypt.c:61
options::ping_rec_timeout
int ping_rec_timeout
Definition: options.h:349
dco_remove_peer
static void dco_remove_peer(struct context *c)
Definition: dco.h:357
get_link_socket_info
static struct link_socket_info * get_link_socket_info(struct context *c)
Definition: forward.h:321
CE_MAN_QUERY_REMOTE_SHIFT
#define CE_MAN_QUERY_REMOTE_SHIFT
Definition: options.h:158
options::client_crresponse_script
const char * client_crresponse_script
Definition: options.h:504
tls_multi::peer_info
char * peer_info
Definition: ssl_common.h:658
tun_afunix.h
auth_token_init_secret
void auth_token_init_secret(struct key_ctx *key_ctx, const char *key_file, bool key_inline)
Loads an HMAC secret from a file or if no file is present generates a epheremal secret for the run ti...
Definition: auth_token.c:124
buffer
Wrapper structure for dynamically allocated memory.
Definition: buffer.h:60
context_2::buffers_owned
bool buffers_owned
Definition: openvpn.h:368
GENKEY_TLS_CRYPTV2_SERVER
@ GENKEY_TLS_CRYPTV2_SERVER
Definition: options.h:236
pre_setup
void pre_setup(const struct options *options)
Definition: init.c:1314
TLS_MULTI_HORIZON
#define TLS_MULTI_HORIZON
Definition: ssl.h:62
route_order
static int route_order(struct tuntap *tt)
Definition: tun.h:406
proto_is_udp
static bool proto_is_udp(int proto)
Returns if the protocol being used is UDP.
Definition: socket.h:586
options::genkey
bool genkey
Definition: options.h:281
options::verify_x509_name
const char * verify_x509_name
Definition: options.h:615
options::replay_window
int replay_window
Definition: options.h:583
static_context
static struct context * static_context
Definition: init.c:62
DCO_DEFAULT_METRIC
#define DCO_DEFAULT_METRIC
Definition: dco.h:48
PAR_ALL
#define PAR_ALL
Definition: proxy.h:49
tls_options::gremlin
int gremlin
Definition: ssl_common.h:439
do_close_status_output
static void do_close_status_output(struct context *c)
Definition: init.c:4185
clear_remote_addrlist
static void clear_remote_addrlist(struct link_socket_addr *lsa, bool free)
Definition: init.c:507
options::route_ipv6_default_gateway
const char * route_ipv6_default_gateway
Definition: options.h:428
DRIVER_GENERIC_TUNTAP
@ DRIVER_GENERIC_TUNTAP
Definition: tun.h:49
D_PUSH_ERRORS
#define D_PUSH_ERRORS
Definition: errlevel.h:67
http_proxy_options::server
const char * server
Definition: proxy.h:45
openvpn_plugin_string_list::value
char * value
Definition: openvpn-plugin.h:194
LS_MODE_TCP_LISTEN
#define LS_MODE_TCP_LISTEN
Definition: socket.h:210
tls_print_deferred_options_results
static void tls_print_deferred_options_results(struct context *c)
Prints the results of options imported for the data channel.
Definition: init.c:2302
WSO_FORCE_CONSOLE
#define WSO_FORCE_CONSOLE
Definition: win32.h:171
options::exit_event_name
const char * exit_event_name
Definition: options.h:693
context_2::options_string_remote
char * options_string_remote
Definition: openvpn.h:297
platform_nice
void platform_nice(int niceval)
Definition: platform.c:311
platform_chroot
void platform_chroot(const char *path)
Definition: platform.c:55
ISC_SERVER
#define ISC_SERVER
Definition: init.h:116
plugin_return_defined
static bool plugin_return_defined(const struct plugin_return *pr)
Definition: plugin.h:165
close_tun
void close_tun(struct tuntap *tt, openvpn_net_ctx_t *ctx)
Definition: tun.c:6928
tuntap_options::msg_channel
HANDLE msg_channel
Definition: tun.h:90
set_mute_cutoff
bool set_mute_cutoff(const int cutoff)
Definition: error.c:123
CO_USE_DYNAMIC_TLS_CRYPT
#define CO_USE_DYNAMIC_TLS_CRYPT
Bit-flag indicating that renegotiations are using tls-crypt with a TLS-EKM derived key.
Definition: crypto.h:372
window_title_generate
void window_title_generate(const char *title)
Definition: win32.c:730
tls_options::verify_x509_type
int verify_x509_type
Definition: ssl_common.h:343
D_TLS_ERRORS
#define D_TLS_ERRORS
Definition: errlevel.h:59
link_socket::info
struct link_socket_info info
Definition: socket.h:179
options::route_delay_defined
bool route_delay_defined
Definition: options.h:433
print_in_addr_t
const char * print_in_addr_t(in_addr_t addr, unsigned int flags, struct gc_arena *gc)
Definition: socket.c:2991
options::handshake_window
int handshake_window
Definition: options.h:652
options::remote_cert_ku
unsigned remote_cert_ku[MAX_PARMS]
Definition: options.h:620
do_uid_gid_chroot
static void do_uid_gid_chroot(struct context *c, bool no_delay)
Definition: init.c:1219
init_management
void init_management(void)
Definition: init.c:4460
tls_options::x509_username_field
char * x509_username_field[2]
Definition: ssl_common.h:357
show_available_engines
void show_available_engines(void)
Definition: crypto_openssl.c:478
options::crl_file_inline
bool crl_file_inline
Definition: options.h:617
link_socket_addr::actual
struct link_socket_actual actual
Definition: socket.h:110
pre_init_signal_catch
void pre_init_signal_catch(void)
Definition: sig.c:398
ps.h
auth_token_write_server_key_file
void auth_token_write_server_key_file(const char *filename)
Generate a auth-token server secret key, and write to file.
Definition: auth_token.c:118
options::route_default_metric
int route_default_metric
Definition: options.h:429
context_2::event_set
struct event_set * event_set
Definition: openvpn.h:230
platform_unlink
bool platform_unlink(const char *filename)
Definition: platform.c:488
init_static
bool init_static(void)
Definition: init.c:837
context_buffers::read_link_buf
struct buffer read_link_buf
Definition: openvpn.h:113
link_socket_info
Definition: socket.h:113
tls_options::ns_cert_type
int ns_cert_type
Definition: ssl_common.h:347
context_buffers::aux_buf
struct buffer aux_buf
Definition: openvpn.h:97
VERIFY_X509_NONE
#define VERIFY_X509_NONE
Definition: ssl_verify.h:67
OPT_P_PERSIST
#define OPT_P_PERSIST
Definition: options.h:739
tls_session
Security parameter state of a single session within a VPN tunnel.
Definition: ssl_common.h:479
env_set_create
struct env_set * env_set_create(struct gc_arena *gc)
Definition: env_set.c:156
management_callback::status
void(* status)(void *arg, const int version, struct status_output *so)
Definition: manage.h:180
link_socket_info::proto
int proto
Definition: socket.h:120
EVENT_METHOD_FAST
#define EVENT_METHOD_FAST
Definition: event.h:83
options::sndbuf
int sndbuf
Definition: options.h:415
management_event_loop_n_seconds
void management_event_loop_n_seconds(struct management *man, int sec)
Definition: manage.c:3442
init_http_proxy_options_once
struct http_proxy_options * init_http_proxy_options_once(struct http_proxy_options **hpo, struct gc_arena *gc)
Definition: proxy.c:46
show_adapters
void show_adapters(int msglev)
Definition: tun.c:5034
status_close
bool status_close(struct status_output *so)
Definition: status.c:188
context_2::frame
struct frame frame
Definition: openvpn.h:248
init_crypto_pre
static void init_crypto_pre(struct context *c, const unsigned int flags)
Definition: init.c:3066
CAS_CONNECT_DONE
@ CAS_CONNECT_DONE
Definition: ssl_common.h:579
options::fast_io
bool fast_io
Definition: options.h:409
options::server_bridge_proxy_dhcp
bool server_bridge_proxy_dhcp
Definition: options.h:479
do_init_fragment
static void do_init_fragment(struct context *c)
Definition: init.c:3814
tls_options::sci
const struct static_challenge_info * sci
Definition: ssl_common.h:435
do_init_frame
static void do_init_frame(struct context *c)
Definition: init.c:3618
syshead.h
platform_fopen
FILE * platform_fopen(const char *path, const char *mode)
Definition: platform.c:501
pkcs11.h
context_persist::restart_sleep_seconds
int restart_sleep_seconds
Definition: openvpn.h:122
options::management_flags
unsigned int management_flags
Definition: options.h:459
show_available_digests
void show_available_digests(void)
Definition: crypto_openssl.c:437
options::management_echo_buffer_size
int management_echo_buffer_size
Definition: options.h:450
options::unsuccessful_attempts
unsigned int unsuccessful_attempts
Definition: options.h:298
connection_list::array
struct connection_entry ** array
Definition: options.h:200
add_wfp_block
static void add_wfp_block(struct context *c)
Add WFP filters to block traffic to local networks.
Definition: init.c:1852
OPT_P_ROUTE
#define OPT_P_ROUTE
Definition: options.h:733
D_PUSH
#define D_PUSH
Definition: errlevel.h:83
cipher_kt_mode_ofb_cfb
bool cipher_kt_mode_ofb_cfb(const char *ciphername)
Check if the supplied cipher is a supported OFB or CFB mode cipher.
Definition: crypto_openssl.c:805
show_routes
void show_routes(int msglev)
Definition: route.c:3308
CC_NO_CLOSE
#define CC_NO_CLOSE
Definition: init.h:107
tls_auth_standalone_free
void tls_auth_standalone_free(struct tls_auth_standalone *tas)
Frees a standalone tls-auth verification object.
Definition: ssl.c:1227
tls_options::auth_user_pass_file
const char * auth_user_pass_file
Definition: ssl_common.h:389
print_tun_backend_driver
const char * print_tun_backend_driver(enum tun_driver_type driver)
Return a string representation of the tun backed driver type.
Definition: tun.c:59
context_1::ifconfig_pool_persist_owned
bool ifconfig_pool_persist_owned
Definition: openvpn.h:197
tls_options::verify_hash_algo
hash_algo_type verify_hash_algo
Definition: ssl_common.h:353
options::client_config_dir
const char * client_config_dir
Definition: options.h:505
close_tun_afunix
void close_tun_afunix(struct tuntap *tt)
Closes the socket used for the AF_UNIX based device.
Definition: tun_afunix.c:129
context_2::link_sockets
struct link_socket ** link_sockets
Definition: openvpn.h:237
context_1::http_proxy
struct http_proxy_info * http_proxy
Definition: openvpn.h:188
gc_arena
Garbage collection arena used to keep track of dynamically allocated memory.
Definition: buffer.h:116
options::status_file
const char * status_file
Definition: options.h:404
uninit_static
void uninit_static(void)
Definition: init.c:941
options::genkey_filename
const char * genkey_filename
Definition: options.h:283
tls_options::auth_user_pass_verify_script
const char * auth_user_pass_verify_script
Definition: ssl_common.h:384
occ.h
link_socket_addr
Definition: socket.h:104
context::sig
struct signal_info * sig
Internal error signaling object.
Definition: openvpn.h:500
context_clear_2
void context_clear_2(struct context *c)
Definition: init.c:89
management_callback::remote_entry_get
bool(* remote_entry_get)(void *arg, unsigned int index, char **remote)
Definition: manage.h:207
options::renegotiate_packets
int64_t renegotiate_packets
Definition: options.h:646
setenv_str
void setenv_str(struct env_set *es, const char *name, const char *value)
Definition: env_set.c:283
MODE_POINT_TO_POINT
#define MODE_POINT_TO_POINT
Definition: options.h:258
CC_USR1_TO_HUP
#define CC_USR1_TO_HUP
Definition: init.h:105
buf_set_write
static void buf_set_write(struct buffer *buf, uint8_t *data, int size)
Definition: buffer.h:331
key_schedule::tls_crypt_v2_wkc
struct buffer tls_crypt_v2_wkc
Wrapped client key.
Definition: openvpn.h:72
remote_host_store
Definition: options.h:225
D_READ_WRITE
#define D_READ_WRITE
Definition: errlevel.h:167
fork_register_dns_action
void fork_register_dns_action(struct tuntap *tt)
Definition: tun.c:6069
key_type::cipher
const char * cipher
const name of the cipher
Definition: crypto.h:142
do_genkey
bool do_genkey(const struct options *options)
Definition: init.c:1031
daemon
int daemon(int nochdir, int noclose)
Definition: compat-daemon.c:51
PING_UNDEF
#define PING_UNDEF
Definition: options.h:352
options::auth_token_call_auth
bool auth_token_call_auth
Definition: options.h:543
possibly_become_daemon
bool possibly_become_daemon(const struct options *options)
Definition: init.c:1177
P2P_ERROR_DELAY_MS
#define P2P_ERROR_DELAY_MS
Definition: errlevel.h:41
SOCKET_UNDEFINED
#define SOCKET_UNDEFINED
Definition: syshead.h:437
pem_password_setup
void pem_password_setup(const char *auth_file)
Definition: ssl.c:251
check_compression_settings_valid
bool check_compression_settings_valid(struct compress_options *info, int msglevel)
Checks if the compression settings are valid.
Definition: comp.c:163
connection_entry::http_proxy_options
struct http_proxy_options * http_proxy_options
Definition: options.h:120
init_tun_post
void init_tun_post(struct tuntap *tt, const struct frame *frame, const struct tuntap_options *options)
Definition: tun.c:962
ifconfig_order
static int ifconfig_order(struct tuntap *tt)
Definition: tun.h:376
tls_auth_standalone_init
struct tls_auth_standalone * tls_auth_standalone_init(struct tls_options *tls_options, struct gc_arena *gc)
Definition: ssl.c:1201
context_2::link_socket_infos
struct link_socket_info ** link_socket_infos
Definition: openvpn.h:238
strncpynt
static void strncpynt(char *dest, const char *src, size_t maxlen)
Definition: buffer.h:361
BASE_N_EVENTS
#define BASE_N_EVENTS
Definition: init.h:33
env_set
Definition: env_set.h:42
tls_multi_free
void tls_multi_free(struct tls_multi *multi, bool clear)
Cleanup a tls_multi structure and free associated memory allocations.
Definition: ssl.c:1256
context_2::occ_mtu_load_test_interval
struct event_timeout occ_mtu_load_test_interval
Definition: openvpn.h:317
uninit_management_callback
void uninit_management_callback(void)
Definition: init.c:4532
OPT_P_TIMER
#define OPT_P_TIMER
Definition: options.h:738
do_alloc_route_list
static void do_alloc_route_list(struct context *c)
Definition: init.c:1467
ifconfig_pool_persist_close
void ifconfig_pool_persist_close(struct ifconfig_pool_persist *persist)
Definition: pool.c:572
tls_options::mda_context
struct man_def_auth_context * mda_context
Definition: ssl_common.h:429
tls_options::auth_token_lifetime
unsigned int auth_token_lifetime
Definition: ssl_common.h:396
TUN_MTU_MIN
#define TUN_MTU_MIN
Definition: mtu.h:60
link_socket_update_buffer_sizes
void link_socket_update_buffer_sizes(struct link_socket *sock, int rcvbuf, int sndbuf)
Definition: socket.c:1037
options::config
const char * config
Definition: options.h:255
CE_MAN_QUERY_REMOTE_QUERY
#define CE_MAN_QUERY_REMOTE_QUERY
Definition: options.h:153
plugin_list
Definition: plugin.h:94
options::plugin_list
struct plugin_option_list * plugin_list
Definition: options.h:462
argv_new
struct argv argv_new(void)
Allocates a new struct argv and ensures it is initialised.
Definition: argv.c:88
inherit_context_top
void inherit_context_top(struct context *dest, const struct context *src)
Definition: init.c:5037
options::priv_key_file_inline
bool priv_key_file_inline
Definition: options.h:604
free_context_buffers
void free_context_buffers(struct context_buffers *b)
Definition: init.c:3777
update_options_ce_post
static void update_options_ce_post(struct options *options)
Definition: init.c:192
TOP_P2P
#define TOP_P2P
Definition: proto.h:43
dco_enabled
static bool dco_enabled(const struct options *o)
Returns whether the current configuration has dco enabled.
Definition: options.h:930
argv_printf
bool argv_printf(struct argv *argres, const char *format,...)
printf() variant which populates a struct argv.
Definition: argv.c:440
tls_auth_standalone::tls_wrap
struct tls_wrap_ctx tls_wrap
Definition: ssl_pkt.h:80
free_buf
void free_buf(struct buffer *buf)
Definition: buffer.c:183
connection_entry::flags
unsigned int flags
Definition: options.h:159
free_key_ctx
void free_key_ctx(struct key_ctx *ctx)
Definition: crypto.c:1106
dco.h
tls_options::client_config_dir_exclusive
const char * client_config_dir_exclusive
Definition: ssl_common.h:402
options::connect_retry_max
int connect_retry_max
Definition: options.h:287
crypto_max_overhead
unsigned int crypto_max_overhead(void)
Return the worst-case OpenVPN crypto overhead (in bytes)
Definition: crypto.c:868
do_init_crypto_tls_c1
static void do_init_crypto_tls_c1(struct context *c)
Definition: init.c:3221
PING_EXIT
#define PING_EXIT
Definition: options.h:353
check_debug_level
static bool check_debug_level(unsigned int level)
Definition: error.h:220
context::es
struct env_set * es
Set of environment variables.
Definition: openvpn.h:496
tls_multi::use_peer_id
bool use_peer_id
Definition: ssl_common.h:682
plugin_return_get_column
void plugin_return_get_column(const struct plugin_return *src, struct plugin_return *dest, const char *colname)
Definition: plugin.c:1000
error_reset
void error_reset(void)
Definition: error.c:161
options::management_log_history_cache
int management_log_history_cache
Definition: options.h:449
options_detach
void options_detach(struct options *o)
Definition: options.c:1705
CC_HARD_USR1_TO_HUP
#define CC_HARD_USR1_TO_HUP
Definition: init.h:106
shaper_msg
void shaper_msg(struct shaper *s)
Definition: shaper.c:88
options::daemon
bool daemon
Definition: options.h:389
connection_entry::socks_proxy_authfile
const char * socks_proxy_authfile
Definition: options.h:123
management_pre_tunnel_close
void management_pre_tunnel_close(struct management *man)
Definition: manage.c:3083
event_free
static void event_free(struct event_set *es)
Definition: event.h:160
context_2::packet_id_persist_interval
struct event_timeout packet_id_persist_interval
Definition: openvpn.h:355
tls_multi_init_finalize
void tls_multi_init_finalize(struct tls_multi *multi, int tls_mtu)
Finalize initialization of a tls_multi structure.
Definition: ssl.c:1187
management_callback::send_cc_message
bool(* send_cc_message)(void *arg, const char *message, const char *parameter)
Definition: manage.h:186
route_noexec_enabled
static bool route_noexec_enabled(const struct options *o, const struct tuntap *tt)
Determine if external route commands should be executed based on configured options and backend drive...
Definition: init.c:1705
management_query_proxy_enabled
static bool management_query_proxy_enabled(const struct management *man)
Definition: manage.h:452
tls_options::pull
bool pull
Definition: ssl_common.h:319
md_ctx_free
void md_ctx_free(md_ctx_t *ctx)
run_up_down
static void run_up_down(const char *command, const struct plugin_list *plugins, int plugin_type, const char *arg, DWORD adapter_index, const char *dev_type, int tun_mtu, const char *ifconfig_local, const char *ifconfig_remote, const char *context, const char *signal_text, const char *script_type, struct env_set *es)
Definition: init.c:109
options::rcvbuf
int rcvbuf
Definition: options.h:414
tls_multi_init
struct tls_multi * tls_multi_init(struct tls_options *tls_options)
Allocate and initialize a tls_multi structure.
Definition: ssl.c:1172
buf_len
static int buf_len(const struct buffer *buf)
Definition: buffer.h:253
test_crypto_thread
static void * test_crypto_thread(void *arg)
Definition: init.c:5164
options::remap_sigusr1
int remap_sigusr1
Definition: options.h:391
options::exit_event_initial_state
bool exit_event_initial_state
Definition: options.h:694
do_open_ifconfig_pool_persist
static void do_open_ifconfig_pool_persist(struct context *c)
Definition: init.c:4202
CF_INIT_TLS_AUTH_STANDALONE
#define CF_INIT_TLS_AUTH_STANDALONE
Definition: init.c:70
context_1::link_socket_addrs
struct link_socket_addr * link_socket_addrs
Local and remote addresses on the external network.
Definition: openvpn.h:158
tuntap::local
in_addr_t local
Definition: tun.h:208
link_socket_info::connection_established
bool connection_established
Definition: socket.h:116
context_2::mda_context
struct man_def_auth_context mda_context
Definition: openvpn.h:453
mstats.h
uninit_proxy
static void uninit_proxy(struct context *c)
Definition: init.c:734
IS_SIG
#define IS_SIG(c)
Definition: sig.h:48
options::peer_id
uint32_t peer_id
Definition: options.h:702
set_std_files_to_null
void set_std_files_to_null(bool stdin_only)
Definition: misc.c:56
addr_defined
static bool addr_defined(const struct openvpn_sockaddr *addr)
Definition: socket.h:661
init_instance_handle_signals
void init_instance_handle_signals(struct context *c, const struct env_set *env, const unsigned int flags)
Definition: init.c:4558
management_callback::proxy_cmd
bool(* proxy_cmd)(void *arg, const char **p)
Definition: manage.h:201
options::advance_next_remote
bool advance_next_remote
Definition: options.h:296
ROUTE_OPTION_FLAGS
#define ROUTE_OPTION_FLAGS(o)
Definition: options.h:777
context_2::fragment
struct fragment_master * fragment
Definition: openvpn.h:252
tls_options::crl_file
const char * crl_file
Definition: ssl_common.h:345
max_int
static int max_int(int x, int y)
Definition: integer.h:89
otime.h
connection_entry::remote
const char * remote
Definition: options.h:112
uninit_proxy_dowork
static void uninit_proxy_dowork(struct context *c)
Definition: init.c:679
ssl_purge_auth
void ssl_purge_auth(const bool auth_user_pass_only)
Definition: ssl.c:392
tuntap::dco
dco_context_t dco
Definition: tun.h:249
do_init_crypto
static void do_init_crypto(struct context *c, const unsigned int flags)
Definition: init.c:3601
signal_info
Definition: sig.h:41
init_options_dev
void init_options_dev(struct options *options)
Definition: init.c:982
context_1::ks
struct key_schedule ks
Definition: openvpn.h:163
options::tls_crypt_v2_verify_script
const char * tls_crypt_v2_verify_script
Definition: options.h:677
options::key_pass_file
const char * key_pass_file
Definition: options.h:275
CM_TOP
#define CM_TOP
Definition: openvpn.h:483
link_socket_update_flags
bool link_socket_update_flags(struct link_socket *sock, unsigned int sockflags)
Definition: socket.c:1023
OPT_P_SOCKFLAGS
#define OPT_P_SOCKFLAGS
Definition: options.h:757
status
static SERVICE_STATUS status
Definition: interactive.c:53
do_init_socket_phase1
static void do_init_socket_phase1(struct context *c)
Definition: init.c:3853
do_route
bool do_route(const struct options *options, struct route_list *route_list, struct route_ipv6_list *route_ipv6_list, const struct tuntap *tt, const struct plugin_list *plugins, struct env_set *es, openvpn_net_ctx_t *ctx)
Definition: init.c:1717
connection_entry::tun_mtu_extra_defined
bool tun_mtu_extra_defined
Definition: options.h:131
options::ns_cert_type
int ns_cert_type
Definition: options.h:619
OPENVPN_STATE_CONNECTED
#define OPENVPN_STATE_CONNECTED
Definition: manage.h:473
options::packet_id_file
const char * packet_id_file
Definition: options.h:585
CO_PACKET_ID_LONG_FORM
#define CO_PACKET_ID_LONG_FORM
Bit-flag indicating whether to use OpenVPN's long packet ID format.
Definition: crypto.h:344
packet_id_persist_load_obj
void packet_id_persist_load_obj(const struct packet_id_persist *p, struct packet_id *pid)
Definition: packet_id.c:561
management
Definition: manage.h:335
min_int
static int min_int(int x, int y)
Definition: integer.h:102
gc_free
static void gc_free(struct gc_arena *a)
Definition: buffer.h:1033
tls_options::key_type
struct key_type key_type
Definition: ssl_common.h:303
tls_options::server
bool server
Definition: ssl_common.h:306
key_schedule::original_wrap_keydata
struct key2 original_wrap_keydata
original tls-crypt key preserved to xored into the tls_crypt renegotiation key
Definition: openvpn.h:70
event_set_init
struct event_set * event_set_init(int *maxevents, unsigned int flags)
Definition: event.c:1186
is_dev_type
bool is_dev_type(const char *dev, const char *dev_type, const char *match_type)
Definition: tun.c:471
WSO_FORCE_SERVICE
#define WSO_FORCE_SERVICE
Definition: win32.h:170
saved_pid_file_name
static const char * saved_pid_file_name
Definition: init.c:63
BUF_SIZE
#define BUF_SIZE(f)
Definition: mtu.h:172
frame::tun_max_mtu
int tun_max_mtu
the maximum tun-mtu size the buffers are are sized for.
Definition: mtu.h:141
tuntap::remote_netmask
in_addr_t remote_netmask
Definition: tun.h:209
do_close_link_socket
static void do_close_link_socket(struct context *c)
Definition: init.c:4043
check_pull_client_ncp
bool check_pull_client_ncp(struct context *c, const int found)
Checks whether the cipher negotiation is in an acceptable state and we continue to connect or should ...
Definition: ssl_ncp.c:317
IVM_LEVEL_2
#define IVM_LEVEL_2
Definition: init.h:50
options::connection_list
struct connection_list * connection_list
Definition: options.h:289
socks_proxy_new
struct socks_proxy_info * socks_proxy_new(const char *server, const char *port, const char *authfile)
Definition: socks.c:52
do_signal_on_tls_errors
static void do_signal_on_tls_errors(struct context *c)
Definition: init.c:4278
options::ifconfig_remote_netmask
const char * ifconfig_remote_netmask
Definition: options.h:322
tls_options::replay_window
int replay_window
Definition: ssl_common.h:363
show_available_curves
void show_available_curves(void)
Show the available elliptic curves in the crypto library.
Definition: ssl_openssl.c:2606
options::routes
struct route_option_list * routes
Definition: options.h:434
options::chroot_dir
const char * chroot_dir
Definition: options.h:377
mss.h
GET_USER_PASS_NEED_OK
#define GET_USER_PASS_NEED_OK
Definition: misc.h:112
options::down_pre
bool down_pre
Definition: options.h:386
tuntap
Definition: tun.h:180
init_proxy_dowork
static void init_proxy_dowork(struct context *c)
Definition: init.c:696
management_close
void management_close(struct management *man)
Definition: manage.c:2722
context_2::crypto_options
struct crypto_options crypto_options
Security parameters and crypto state used by the Data Channel Crypto module to process data channel p...
Definition: openvpn.h:349
tls_options::mode
int mode
Definition: ssl_common.h:318
CM_TOP_CLONE
#define CM_TOP_CLONE
Definition: openvpn.h:484
mudp.h
init_win32
void init_win32(void)
Definition: win32.c:109
ALLOC_OBJ_CLEAR
#define ALLOC_OBJ_CLEAR(dptr, type)
Definition: buffer.h:1060
link_socket_new
struct link_socket * link_socket_new(void)
Definition: socket.c:1880
crypto_options::key_ctx_bi
struct key_ctx_bi key_ctx_bi
OpenSSL cipher and HMAC contexts for both sending and receiving directions.
Definition: crypto.h:293
context_2::pulled_options_digest
struct sha256_digest pulled_options_digest
Definition: openvpn.h:445
context_1::pulled_options_digest_save
struct sha256_digest pulled_options_digest_save
Hash of option strings received from the remote OpenVPN server.
Definition: openvpn.h:200
free_ssl_lib
void free_ssl_lib(void)
Definition: ssl.c:236
now
time_t now
Definition: otime.c:34
ovpn_dco_init
bool ovpn_dco_init(int mode, dco_context_t *dco, const char *dev_node)
Initializes DCO depends on mode
Definition: dco_win.c:191
context_buffers::encrypt_buf
struct buffer encrypt_buf
Definition: openvpn.h:100
DRIVER_DCO
@ DRIVER_DCO
Definition: tun.h:55
options::sockflags
unsigned int sockflags
Definition: options.h:422
proto_is_tcp
static bool proto_is_tcp(int proto)
returns if the proto is a TCP variant (tcp-server, tcp-client or tcp)
Definition: socket.h:606
options::username
const char * username
Definition: options.h:375
argv_msg
void argv_msg(const int msglev, const struct argv *a)
Write the arguments stored in a struct argv via the msg() command.
Definition: argv.c:243
ifconfig_noexec_enabled
static bool ifconfig_noexec_enabled(const struct context *c)
Determines if ifconfig execution should be disabled because of a.
Definition: init.c:1897
SHAPER_DEFINED
#define SHAPER_DEFINED(opt)
Definition: options.h:782
do_persist_tuntap
bool do_persist_tuntap(struct options *options, openvpn_net_ctx_t *ctx)
Definition: init.c:1114
platform_chdir
int platform_chdir(const char *dir)
Definition: platform.c:393
context_0::platform_state_user
struct platform_state_user platform_state_user
Definition: openvpn.h:141
AR_INTERACT
#define AR_INTERACT
Definition: options.h:904
context_1::status_output
struct status_output * status_output
Definition: openvpn.h:184
TOP_NET30
#define TOP_NET30
Definition: proto.h:42
OPENVPN_PLUGIN_FUNC_SUCCESS
#define OPENVPN_PLUGIN_FUNC_SUCCESS
Definition: openvpn-plugin.h:148
config.h
do_init_tls_wrap_key
static void do_init_tls_wrap_key(struct context *c)
Definition: init.c:3143
D_PUSH_DEBUG
#define D_PUSH_DEBUG
Definition: errlevel.h:150
do_preresolve
void do_preresolve(struct context *c)
Definition: socket.c:343
http_proxy_options
Definition: proxy.h:44
ssl_ncp.h
init_plugins
void init_plugins(struct context *c)
Definition: init.c:4293
connection_entry::fragment
int fragment
Definition: options.h:139
win_wfp_uninit
bool win_wfp_uninit(const NET_IFINDEX index, const HANDLE msg_channel)
Definition: win32.c:1260
context_1::ifconfig_pool_persist
struct ifconfig_pool_persist * ifconfig_pool_persist
Definition: openvpn.h:196
options::up_restart
bool up_restart
Definition: options.h:388
tls_options::xmit_hold
bool xmit_hold
Definition: ssl_common.h:309
tls_options::crypto_flags
unsigned int crypto_flags
Definition: ssl_common.h:361
dco_supports_epoch_data
static bool dco_supports_epoch_data(struct context *c)
Definition: dco.h:398
platform_user_get
bool platform_user_get(const char *username, struct platform_state_user *state)
Definition: platform.c:79
gc_init
static void gc_init(struct gc_arena *a)
Definition: buffer.h:1012
S_FATAL
#define S_FATAL
Definition: run_command.h:46
options::ifconfig_pool_persist_filename
const char * ifconfig_pool_persist_filename
Definition: options.h:492
OCC_INTERVAL_SECONDS
#define OCC_INTERVAL_SECONDS
Definition: occ.h:46
tls_multi::peer_id
uint32_t peer_id
Definition: ssl_common.h:681
connection_entry::tls_mtu
int tls_mtu
Definition: options.h:134
options::auth_user_pass_verify_script_via_file
bool auth_user_pass_verify_script_via_file
Definition: options.h:541
context_1::pid_persist
struct packet_id_persist pid_persist
Definition: openvpn.h:169
D_SHOW_NET
#define D_SHOW_NET
Definition: errlevel.h:132
ISC_ROUTE_ERRORS
#define ISC_ROUTE_ERRORS
Definition: init.h:117
options::transition_window
int transition_window
Definition: options.h:660
context_clear
void context_clear(struct context *c)
Definition: init.c:77
platform_mlockall
void platform_mlockall(bool print_msg)
Definition: platform.c:344
context_2::tls_exit_signal
int tls_exit_signal
Definition: openvpn.h:347
socket_restart_pause
static void socket_restart_pause(struct context *c)
Definition: init.c:2851
options_string_version
const char * options_string_version(const char *s, struct gc_arena *gc)
Definition: options.c:4630
connection_entry::proto
int proto
Definition: options.h:107
do_deferred_options_part2
static bool do_deferred_options_part2(struct context *c)
This function is expected to be invoked after open_tun() was performed.
Definition: init.c:2432
management_set_callback
void management_set_callback(struct management *man, const struct management_callback *cb)
Definition: manage.c:2732
options::mute_replay_warnings
bool mute_replay_warnings
Definition: options.h:582
management_clear_callback
void management_clear_callback(struct management *man)
Definition: manage.c:2740
IA_EMPTY_IF_UNDEF
#define IA_EMPTY_IF_UNDEF
Definition: socket.h:401
link_socket_current_remote
in_addr_t link_socket_current_remote(const struct link_socket_info *info)
Definition: socket.c:2544
tls_options::packet_timeout
interval_t packet_timeout
Definition: ssl_common.h:333
do_init_buffers
static void do_init_buffers(struct context *c)
Definition: init.c:3802
tls_options::remote_cert_ku
unsigned remote_cert_ku[MAX_PARMS]
Definition: ssl_common.h:348
options::auth_token_generate
bool auth_token_generate
Definition: options.h:542
OPENVPN_PLUGIN_ROUTE_PREDOWN
#define OPENVPN_PLUGIN_ROUTE_PREDOWN
Definition: openvpn-plugin.h:129
tls_options::data_epoch_supported
bool data_epoch_supported
whether our underlying data channel supports new data channel features (epoch keys with AEAD tag at t...
Definition: ssl_common.h:373
options::ifconfig_ipv6_local
const char * ifconfig_ipv6_local
Definition: options.h:323
user_pass::password
char password[USER_PASS_LEN]
Definition: misc.h:73
check_malloc_return
static void check_malloc_return(void *p)
Definition: buffer.h:1103
options::engine
const char * engine
Definition: options.h:580
context_2::server_poll_interval
struct event_timeout server_poll_interval
Definition: openvpn.h:408
print_status
void print_status(struct context *c, struct status_output *so)
Definition: sig.c:484
AR_NOINTERACT
#define AR_NOINTERACT
Definition: options.h:905
OPT_P_UP
#define OPT_P_UP
Definition: options.h:732
PUSH_BUNDLE_SIZE
#define PUSH_BUNDLE_SIZE
Definition: common.h:88
init_key_type
void init_key_type(struct key_type *kt, const char *ciphername, const char *authname, bool tls_mode, bool warn)
Initialize a key_type structure with.
Definition: crypto.c:893
do_init_traffic_shaper
static void do_init_traffic_shaper(struct context *c)
Definition: init.c:1451
pre_connect_restore
void pre_connect_restore(struct options *o, struct gc_arena *gc)
Definition: options.c:3299
session
Definition: keyingmaterialexporter.c:56
md_valid
bool md_valid(const char *digest)
Return if a message digest parameters is valid given the name of the digest.
Definition: crypto_openssl.c:1039
options::show_net_up
bool show_net_up
Definition: options.h:695
plugin_defined
bool plugin_defined(const struct plugin_list *pl, const int type)
Definition: plugin.c:932
sha256_digest
Wrapper struct to pass around SHA256 digests.
Definition: crypto.h:133
options::tmp_dir
const char * tmp_dir
Definition: options.h:466
list.h
win32_signal::mode
int mode
Definition: win32.h:157
options::crl_file
const char * crl_file
Definition: options.h:616
crypto_options::packet_id
struct packet_id packet_id
Current packet ID state for both sending and receiving directions.
Definition: crypto.h:330
context_2::options_string_local
char * options_string_local
Definition: openvpn.h:296
get_frame_mtu
static size_t get_frame_mtu(struct context *c, const struct options *o)
Definition: init.c:2942
context_2::session_interval
struct event_timeout session_interval
Definition: openvpn.h:290
tuncfg
void tuncfg(const char *dev, const char *dev_type, const char *dev_node, int persist_mode, const char *username, const char *groupname, const struct tuntap_options *options, openvpn_net_ctx_t *ctx)
sig.h
CF_LOAD_PERSISTED_PACKET_ID
#define CF_LOAD_PERSISTED_PACKET_ID
Definition: init.c:68
management_callback_proxy_cmd
static bool management_callback_proxy_cmd(void *arg, const char **p)
Definition: init.c:211
options::route_delay_window
int route_delay_window
Definition: options.h:432
PAR_NCT
#define PAR_NCT
Definition: proxy.h:50
win32_signal_open
void win32_signal_open(struct win32_signal *ws, int force, const char *exit_event_name, bool exit_event_initial_state)
Definition: win32.c:453
OPT_P_ROUTE_EXTRAS
#define OPT_P_ROUTE_EXTRAS
Definition: options.h:753
link_socket_actual::dest
struct openvpn_sockaddr dest
Definition: socket.h:90
CE_DISABLED
#define CE_DISABLED
Definition: options.h:150
event_timeout_clear
static void event_timeout_clear(struct event_timeout *et)
Clears the timeout and reset all values to 0.
Definition: interval.h:155
options::occ
bool occ
Definition: options.h:443
options::persist_mode
int persist_mode
Definition: options.h:273
remap_signal
void remap_signal(struct context *c)
Definition: sig.c:591
context_2::link_socket_owned
bool link_socket_owned
Definition: openvpn.h:240
do_init_tun
static void do_init_tun(struct context *c)
Definition: init.c:1775
register_signal
void register_signal(struct signal_info *si, int signum, const char *signal_text)
Register a soft signal in the signal_info struct si respecting priority.
Definition: sig.c:231
connection_entry::af
sa_family_t af
Definition: options.h:108
crypto_init_lib_engine
void crypto_init_lib_engine(const char *engine_name)
Definition: crypto_openssl.c:145
crypto_options::flags
unsigned int flags
Bit-flags determining behavior of security operation functions.
Definition: crypto.h:383
tls_multi_init_set_options
void tls_multi_init_set_options(struct tls_multi *multi, const char *local, const char *remote)
Definition: ssl.c:1243
user_pass
Definition: misc.h:56
auth_user_pass_setup
void auth_user_pass_setup(const char *auth_file, bool is_inline, const struct static_challenge_info *sci)
Definition: ssl.c:295
context_buffers::read_tun_buf
struct buffer read_tun_buf
Definition: openvpn.h:114
options::route_script
const char * route_script
Definition: options.h:425
CO_USE_TLS_KEY_MATERIAL_EXPORT
#define CO_USE_TLS_KEY_MATERIAL_EXPORT
Bit-flag indicating that data channel key derivation is done using TLS keying material export [RFC570...
Definition: crypto.h:356
do_hold
static bool do_hold(int holdtime)
Definition: init.c:2832
options::tuntap_options
struct tuntap_options tuntap_options
Definition: options.h:369
context_clear_1
void context_clear_1(struct context *c)
Definition: init.c:83
options::renegotiate_bytes
int64_t renegotiate_bytes
Definition: options.h:645
post_init_signal_catch
void post_init_signal_catch(void)
Definition: sig.c:427
do_event_set_init
static void do_event_set_init(struct context *c, bool need_us_timeout)
Definition: init.c:4137
alloc_buf
struct buffer alloc_buf(size_t size)
Definition: buffer.c:62
crypto_options::pid_persist
struct packet_id_persist * pid_persist
Persistent packet ID state for keeping state between successive OpenVPN process startups.
Definition: crypto.h:339
options::route_delay
int route_delay
Definition: options.h:431
options::ifconfig_local
const char * ifconfig_local
Definition: options.h:321
connection_entry::tun_mtu
int tun_mtu
Definition: options.h:125
context_2::occ_op
int occ_op
Definition: openvpn.h:299
memdbg.h
options::user_script_used
bool user_script_used
Definition: options.h:385
context_2::ping_rec_interval
struct event_timeout ping_rec_interval
Definition: openvpn.h:284
connection_entry::tun_mtu_max
int tun_mtu_max
Definition: options.h:127
link_socket_init_phase1
void link_socket_init_phase1(struct context *c, int sock_index, int mode)
Definition: socket.c:1894
packet_id_free
void packet_id_free(struct packet_id *p)
Definition: packet_id.c:127
options::ping_rec_timeout_action
int ping_rec_timeout_action
Definition: options.h:355
do_init_crypto_tls
static void do_init_crypto_tls(struct context *c, const unsigned int flags)
Definition: init.c:3318
options::mtu_test
bool mtu_test
Definition: options.h:332
options::management_client_user
const char * management_client_user
Definition: options.h:453
management_callback
Definition: manage.h:173
options::ciphername
const char * ciphername
Definition: options.h:573
options::inactivity_timeout
int inactivity_timeout
Definition: options.h:343
context_2::coarse_timer_wakeup
time_t coarse_timer_wakeup
Definition: openvpn.h:399
packet_id_persist_close
void packet_id_persist_close(struct packet_id_persist *p)
Definition: packet_id.c:456
context_clear_all_except_first_time
void context_clear_all_except_first_time(struct context *c)
Definition: init.c:95
setenv_routes
void setenv_routes(struct env_set *es, const struct route_list *rl)
Definition: route.c:1451
OPT_P_EXPLICIT_NOTIFY
#define OPT_P_EXPLICIT_NOTIFY
Definition: options.h:750
title_string
const char title_string[]
Definition: options.c:69
ce_management_query_proxy
static bool ce_management_query_proxy(struct context *c)
Definition: init.c:257
get_p2p_ncp_cipher
const char * get_p2p_ncp_cipher(struct tls_session *session, const char *peer_info, struct gc_arena *gc)
Determines the best common cipher from both peers IV_CIPHER lists.
Definition: ssl_ncp.c:363
tls_options::auth_token_call_auth
bool auth_token_call_auth
always call normal authentication
Definition: ssl_common.h:395
M_USAGE
#define M_USAGE
Definition: error.h:106
http_proxy_new
struct http_proxy_info * http_proxy_new(const struct http_proxy_options *o)
Definition: proxy.c:504
context_2::event_set_owned
bool event_set_owned
Definition: openvpn.h:232
CO_USE_CC_EXIT_NOTIFY
#define CO_USE_CC_EXIT_NOTIFY
Bit-flag indicating that explicit exit notifies should be sent via the control channel instead of usi...
Definition: crypto.h:368
add_routes
bool add_routes(struct route_list *rl, struct route_ipv6_list *rl6, const struct tuntap *tt, unsigned int flags, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition: route.c:1189
options::dev_node
const char * dev_node
Definition: options.h:318
do_close_event_set
static void do_close_event_set(struct context *c)
Definition: init.c:4156
options::server_backoff_time
int server_backoff_time
Definition: options.h:304
remove_pid_file
void remove_pid_file(void)
Definition: init.c:5150
msg
#define msg(flags,...)
Definition: error.h:144
tls_options::dco_enabled
bool dco_enabled
Whether keys have to be installed in DCO or not.
Definition: ssl_common.h:446
context_init_1
void context_init_1(struct context *c)
Definition: init.c:747
options::auth_user_pass_verify_script
const char * auth_user_pass_verify_script
Definition: options.h:540
OPT_P_PEER_ID
#define OPT_P_PEER_ID
Definition: options.h:759
undo_ifconfig
void undo_ifconfig(struct tuntap *tt, openvpn_net_ctx_t *ctx)
undo_ifconfig - undo configuration of the tunnel interface
Definition: tun.c:1727
do_init_frame_tls
static void do_init_frame_tls(struct context *c)
Definition: init.c:3556
init_route_list
bool init_route_list(struct route_list *rl, const struct route_option_list *opt, const char *remote_endpoint, int default_metric, in_addr_t remote_host, struct env_set *es, openvpn_net_ctx_t *ctx)
Definition: route.c:631
options::ifconfig_pool_persist_refresh_freq
int ifconfig_pool_persist_refresh_freq
Definition: options.h:493
frame::tun_mtu
int tun_mtu
the (user) configured tun-mtu.
Definition: mtu.h:131
persist_client_stats
void persist_client_stats(struct context *c)
Definition: init.c:4543
ISC_ERRORS
#define ISC_ERRORS
Definition: init.h:115
options::ifconfig_ipv6_remote
const char * ifconfig_ipv6_remote
Definition: options.h:325
link_socket_close
void link_socket_close(struct link_socket *sock)
Definition: socket.c:2384
D_CLOSE
#define D_CLOSE
Definition: errlevel.h:73
options::lladdr
const char * lladdr
Definition: options.h:319
dco_check_pull_options
static bool dco_check_pull_options(int msglevel, const struct options *o)
Definition: dco.h:294
tls_options::es
struct env_set * es
Definition: ssl_common.h:405
buf_printf
bool buf_printf(struct buffer *buf, const char *format,...)
Definition: buffer.c:240
key_schedule::static_key
struct key_ctx_bi static_key
Definition: openvpn.h:60
options::server_bridge_defined
bool server_bridge_defined
Definition: options.h:481
management_query_remote_enabled
static bool management_query_remote_enabled(const struct management *man)
Definition: manage.h:446
ALLOC_ARRAY_GC
#define ALLOC_ARRAY_GC(dptr, type, n, gc)
Definition: buffer.h:1071
do_init_timers
static void do_init_timers(struct context *c, bool deferred)
Definition: init.c:1366
init_ssl
void init_ssl(const struct options *options, struct tls_root_ctx *new_ctx, bool in_chroot)
Build master SSL context object that serves for the whole of OpenVPN instantiation.
Definition: ssl.c:523
open_tun_null
static void open_tun_null(struct tuntap *tt)
Definition: tun.h:788
context_2::do_up_ran
bool do_up_ran
Definition: openvpn.h:411
do_option_warnings
static void do_option_warnings(struct context *c)
Definition: init.c:3663
script_security
int script_security(void)
Definition: run_command.c:43
initialization_sequence_completed
void initialization_sequence_completed(struct context *c, const unsigned int flags)
Definition: init.c:1590
frame::headroom
int headroom
the headroom in the buffer, this is choosen to allow all potential header to be added before the pack...
Definition: mtu.h:108
ALLOC_OBJ_GC
#define ALLOC_OBJ_GC(dptr, type, gc)
Definition: buffer.h:1092
shaper_init
static void shaper_init(struct shaper *s, int bytes_per_second)
Definition: shaper.h:86
tls_options::plugins
const struct plugin_list * plugins
Definition: ssl_common.h:407
TLS_MULTI_REFRESH
#define TLS_MULTI_REFRESH
Definition: ssl.h:61
tuntap_is_dco_win
static bool tuntap_is_dco_win(struct tuntap *tt)
Definition: tun.h:682
options::management_user_pass
const char * management_user_pass
Definition: options.h:448
NS_CERT_CHECK_SERVER
#define NS_CERT_CHECK_SERVER
Do not perform Netscape certificate type verification.
Definition: ssl_verify.h:243
context_1::http_proxy_owned
bool http_proxy_owned
Definition: openvpn.h:189
link_socket_addr::remote_list
struct addrinfo * remote_list
Definition: socket.h:107
options::remote_cert_eku
const char * remote_cert_eku
Definition: options.h:621
options::pull
bool pull
Definition: options.h:556
basename
char * basename(char *filename)
Definition: compat-basename.c:37
openvpn_sockaddr::addr
union openvpn_sockaddr::@20 addr
PROTO_UDP
@ PROTO_UDP
Definition: socket.h:568
PROTO_TCP
@ PROTO_TCP
Definition: socket.h:569
context::c1
struct context_1 c1
Level 1 context.
Definition: openvpn.h:513
tls_crypt_v2_write_server_key_file
void tls_crypt_v2_write_server_key_file(const char *filename)
Generate a tls-crypt-v2 server key, and write to file.
Definition: tls_crypt.c:677
tls_common_name
const char * tls_common_name(const struct tls_multi *multi, const bool null)
Returns the common name field for the given tunnel.
Definition: ssl_verify.c:108
D_IMPORT_ERRORS
#define D_IMPORT_ERRORS
Definition: errlevel.h:64
D_INIT_MEDIUM
#define D_INIT_MEDIUM
Definition: errlevel.h:104
close_context
void close_context(struct context *c, int sig, unsigned int flags)
Definition: init.c:5084
CM_P2P
#define CM_P2P
Definition: openvpn.h:482
dev_type_enum
int dev_type_enum(const char *dev, const char *dev_type)
Definition: tun.c:489
management::persist
struct man_persist persist
Definition: manage.h:337
gc
struct gc_arena gc
Definition: test_ssl.c:155
route_ipv6_option_list::gc
struct gc_arena * gc
Definition: route.h:109
do_deferred_p2p_ncp
static bool do_deferred_p2p_ncp(struct context *c)
Definition: init.c:2621
signal_description
const char * signal_description(const int signum, const char *sigtext)
Definition: sig.c:107
http_proxy_close
void http_proxy_close(struct http_proxy_info *hp)
Definition: proxy.c:568
management_callback_status_p2p
static void management_callback_status_p2p(void *arg, const int version, struct status_output *so)
Definition: init.c:4365
tls_options::renegotiate_bytes
int64_t renegotiate_bytes
Definition: ssl_common.h:334
send_control_channel_string
bool send_control_channel_string(struct context *c, const char *str, int msglevel)
Definition: forward.c:410
options::route_default_gateway
const char * route_default_gateway
Definition: options.h:427
close_management
void close_management(void)
Definition: init.c:4519
context_2::fast_io
bool fast_io
Definition: openvpn.h:424
context::net_ctx
openvpn_net_ctx_t net_ctx
Networking API opaque context.
Definition: openvpn.h:498
Generated by   doxygen 1.8.17