OpenVPN
init.c
Go to the documentation of this file.
1/*
2 * OpenVPN -- An application to securely tunnel IP networks
3 * over a single TCP/UDP port, with support for SSL/TLS-based
4 * session authentication and key exchange,
5 * packet encryption, packet authentication, and
6 * packet compression.
7 *
8 * Copyright (C) 2002-2025 OpenVPN Inc <sales@openvpn.net>
9 *
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License version 2
12 * as published by the Free Software Foundation.
13 *
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
18 *
19 * You should have received a copy of the GNU General Public License along
20 * with this program; if not, see <https://www.gnu.org/licenses/>.
21 */
22
23#ifdef HAVE_CONFIG_H
24#include "config.h"
25#endif
26
27#include "syshead.h"
28
29#ifdef ENABLE_SYSTEMD
30#include <systemd/sd-daemon.h>
31#endif
32
33#include "win32.h"
34#include "init.h"
35#include "run_command.h"
36#include "sig.h"
37#include "occ.h"
38#include "list.h"
39#include "otime.h"
40#include "pool.h"
41#include "gremlin.h"
42#include "occ.h"
43#include "pkcs11.h"
44#include "ps.h"
45#include "lladdr.h"
46#include "ping.h"
47#include "mstats.h"
48#include "ssl_verify.h"
49#include "ssl_ncp.h"
50#include "tls_crypt.h"
51#include "forward.h"
52#include "auth_token.h"
53#include "mss.h"
54#include "mudp.h"
55#include "dco.h"
56#include "tun_afunix.h"
57
58#include "memdbg.h"
59
60
61static struct context *static_context; /* GLOBAL */
62static const char *saved_pid_file_name; /* GLOBAL */
63
64/*
65 * Crypto initialization flags
66 */
67#define CF_LOAD_PERSISTED_PACKET_ID (1 << 0)
68#define CF_INIT_TLS_MULTI (1 << 1)
69#define CF_INIT_TLS_AUTH_STANDALONE (1 << 2)
70
71static void do_init_first_time(struct context *c);
72
73static bool do_deferred_p2p_ncp(struct context *c);
74
75void
77{
78 CLEAR(*c);
79}
80
81void
83{
84 CLEAR(c->c1);
85}
86
87void
89{
90 CLEAR(c->c2);
91}
92
93void
95{
96 const bool first_time_save = c->first_time;
97 const struct context_persist cpsave = c->persist;
99 c->first_time = first_time_save;
100 c->persist = cpsave;
101}
102
103/*
104 * Pass tunnel endpoint and MTU parms to a user-supplied script.
105 * Used to execute the up/down script/plugins.
106 */
107static void
108run_up_down(const char *command, const struct plugin_list *plugins, int plugin_type,
109 const char *arg,
110#ifdef _WIN32
111 DWORD adapter_index,
112#endif
113 const char *dev_type, int tun_mtu, const char *ifconfig_local,
114 const char *ifconfig_remote, const char *context, const char *signal_text,
115 const char *script_type, struct env_set *es)
116{
117 struct gc_arena gc = gc_new();
118
119 if (signal_text)
120 {
121 setenv_str(es, "signal", signal_text);
122 }
123 setenv_str(es, "script_context", context);
124 setenv_int(es, "tun_mtu", tun_mtu);
125 setenv_str(es, "dev", arg);
126 if (dev_type)
127 {
128 setenv_str(es, "dev_type", dev_type);
129 }
130#ifdef _WIN32
131 setenv_int(es, "dev_idx", adapter_index);
132#endif
133
134 if (!ifconfig_local)
135 {
136 ifconfig_local = "";
137 }
138 if (!ifconfig_remote)
139 {
140 ifconfig_remote = "";
141 }
142 if (!context)
143 {
144 context = "";
145 }
146
147 if (plugin_defined(plugins, plugin_type))
148 {
149 struct argv argv = argv_new();
150 ASSERT(arg);
151 argv_printf(&argv, "%s %d 0 %s %s %s", arg, tun_mtu, ifconfig_local, ifconfig_remote,
152 context);
153
154 if (plugin_call(plugins, plugin_type, &argv, NULL, es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
155 {
156 msg(M_FATAL, "ERROR: up/down plugin call failed");
157 }
158
159 argv_free(&argv);
160 }
161
162 if (command)
163 {
164 struct argv argv = argv_new();
165 ASSERT(arg);
166 setenv_str(es, "script_type", script_type);
167 argv_parse_cmd(&argv, command);
168 argv_printf_cat(&argv, "%s %d 0 %s %s %s", arg, tun_mtu, ifconfig_local, ifconfig_remote,
169 context);
171 openvpn_run_script(&argv, es, S_FATAL, "--up/--down");
172 argv_free(&argv);
173 }
174
175 gc_free(&gc);
176}
177
178/*
179 * Should be called after options->ce is modified at the top
180 * of a SIGUSR1 restart.
181 */
182static void
184{
185 /*
186 * In pull mode, we usually import --ping/--ping-restart parameters from
187 * the server. However we should also set an initial default --ping-restart
188 * for the period of time before we pull the --ping-restart parameter
189 * from the server.
190 */
193 {
196 }
197}
198
199#ifdef ENABLE_MANAGEMENT
200static bool
201management_callback_proxy_cmd(void *arg, const char **p)
202{
203 struct context *c = arg;
204 struct connection_entry *ce = &c->options.ce;
205 struct gc_arena *gc = &c->c2.gc;
206 bool ret = false;
207
208 update_time();
209 if (streq(p[1], "NONE"))
210 {
211 ret = true;
212 }
213 else if (p[2] && p[3])
214 {
215 if (streq(p[1], "HTTP"))
216 {
217 struct http_proxy_options *ho;
218 if (ce->proto != PROTO_TCP && ce->proto != PROTO_TCP_CLIENT)
219 {
220 msg(M_WARN, "HTTP proxy support only works for TCP based connections");
221 return false;
222 }
224 ho->server = string_alloc(p[2], gc);
225 ho->port = string_alloc(p[3], gc);
226 ho->auth_retry = (p[4] && streq(p[4], "nct") ? PAR_NCT : PAR_ALL);
227 ret = true;
228 }
229 else if (streq(p[1], "SOCKS"))
230 {
232 ce->socks_proxy_port = string_alloc(p[3], gc);
233 ret = true;
234 }
235 }
236 else
237 {
238 msg(M_WARN, "Bad proxy command");
239 }
240
241 ce->flags &= ~CE_MAN_QUERY_PROXY;
242
243 return ret;
244}
245
246static bool
248{
249 const struct connection_list *l = c->options.connection_list;
250 struct connection_entry *ce = &c->options.ce;
251 struct gc_arena gc;
252 bool ret = true;
253
254 update_time();
255 if (management)
256 {
257 gc = gc_new();
258 {
259 struct buffer out = alloc_buf_gc(256, &gc);
260 buf_printf(&out, ">PROXY:%u,%s,%s", (l ? l->current : 0) + 1,
261 (proto_is_udp(ce->proto) ? "UDP" : "TCP"), np(ce->remote));
264 }
266 while (ce->flags & CE_MAN_QUERY_PROXY)
267 {
269 if (IS_SIG(c))
270 {
271 ret = false;
272 break;
273 }
274 }
276 gc_free(&gc);
277 }
278
279 return ret;
280}
281
296static bool
297management_callback_send_cc_message(void *arg, const char *command, const char *parameters)
298{
299 struct context *c = (struct context *)arg;
300 size_t len = strlen(command) + 1 + strlen(parameters) + 1;
301 if (len > PUSH_BUNDLE_SIZE)
302 {
303 return false;
304 }
305
306 struct gc_arena gc = gc_new();
307 struct buffer buf = alloc_buf_gc(len, &gc);
308 ASSERT(buf_printf(&buf, "%s", command));
309 if (parameters)
310 {
311 ASSERT(buf_printf(&buf, ",%s", parameters));
312 }
314
315 gc_free(&gc);
316 return status;
317}
318
319static unsigned int
321{
322 ASSERT(arg);
323 struct context *c = (struct context *)arg;
324 struct connection_list *l = c->options.connection_list;
325
326 return l->len;
327}
328
329static bool
330management_callback_remote_entry_get(void *arg, unsigned int index, char **remote)
331{
332 ASSERT(arg);
333 ASSERT(remote);
334
335 struct context *c = (struct context *)arg;
336 struct connection_list *l = c->options.connection_list;
337 bool ret = true;
338
339 if (index < l->len)
340 {
341 struct connection_entry *ce = l->array[index];
342 const char *proto = proto2ascii(ce->proto, ce->af, false);
343 const char *status = (ce->flags & CE_DISABLED) ? "disabled" : "enabled";
344
345 /* space for output including 3 commas and a nul */
346 size_t len =
347 strlen(ce->remote) + strlen(ce->remote_port) + strlen(proto) + strlen(status) + 3 + 1;
348 char *out = malloc(len);
350
351 snprintf(out, len, "%s,%s,%s,%s", ce->remote, ce->remote_port, proto, status);
352 *remote = out;
353 }
354 else
355 {
356 ret = false;
357 msg(M_WARN, "Out of bounds index in management query for remote entry: index = %u", index);
358 }
359
360 return ret;
361}
362
363static bool
364management_callback_remote_cmd(void *arg, const char **p)
365{
366 struct context *c = (struct context *)arg;
367 struct connection_entry *ce = &c->options.ce;
368 int ret = false;
369 if (p[1]
372 {
373 unsigned int flags = 0;
374 if (!strcmp(p[1], "ACCEPT"))
375 {
377 ret = true;
378 }
379 else if (!strcmp(p[1], "SKIP"))
380 {
382 ret = true;
383 c->options.ce_advance_count = (p[2]) ? atoi(p[2]) : 1;
384 }
385 else if (!strcmp(p[1], "MOD") && p[2] && p[3])
386 {
387 if (strlen(p[2]) < RH_HOST_LEN && strlen(p[3]) < RH_PORT_LEN)
388 {
389 struct remote_host_store *rhs = c->options.rh_store;
390 if (!rhs)
391 {
393 c->options.rh_store = rhs;
394 }
395 strncpynt(rhs->host, p[2], RH_HOST_LEN);
396 strncpynt(rhs->port, p[3], RH_PORT_LEN);
397
398 ce->remote = rhs->host;
399 ce->remote_port = rhs->port;
401 ret = true;
402 }
403 }
404 if (ret)
405 {
408 }
409 }
410 return ret;
411}
412
413static bool
415{
416 struct gc_arena gc = gc_new();
417 volatile struct connection_entry *ce = &c->options.ce;
418 int ce_changed = true; /* presume the connection entry will be changed */
419
420 update_time();
421 if (management)
422 {
423 struct buffer out = alloc_buf_gc(256, &gc);
424
425 buf_printf(&out, ">REMOTE:%s,%s,%s", np(ce->remote), ce->remote_port,
426 proto2ascii(ce->proto, ce->af, false));
429
434 {
436 if (IS_SIG(c))
437 {
438 ce_changed = false; /* connection entry have not been set */
439 break;
440 }
441 }
443 }
444 gc_free(&gc);
445
446 if (ce_changed)
447 {
448 /* If it is likely a connection entry was modified,
449 * check what changed in the flags and that it was not skipped
450 */
451 const int flags = ((ce->flags >> CE_MAN_QUERY_REMOTE_SHIFT) & CE_MAN_QUERY_REMOTE_MASK);
453 }
454 return ce_changed;
455}
456#endif /* ENABLE_MANAGEMENT */
457
458#if defined(__GNUC__) || defined(__clang__)
459#pragma GCC diagnostic push
460#pragma GCC diagnostic ignored "-Wconversion"
461#endif
462
463/*
464 * Initialize and possibly randomize the connection list.
465 *
466 * Applies the Fisher-Yates shuffle algorithm to ensure all permutations
467 * are equally probable, thereby eliminating shuffling bias.
468 *
469 * The algorithm randomly selects an element from the unshuffled portion
470 * and places it at position i. There's only one way to obtain each
471 * permutation through these swaps. This guarantees that each permutation
472 * occurs with equal probability in theory.
473 */
474static void
476{
477 struct connection_list *l = c->options.connection_list;
478
479 l->current = -1;
480 if (c->options.remote_random)
481 {
482 int i;
483 for (i = l->len - 1; i > 0; --i)
484 {
485 const int j = get_random() % (i + 1);
486 if (i != j)
487 {
488 struct connection_entry *tmp;
489 tmp = l->array[i];
490 l->array[i] = l->array[j];
491 l->array[j] = tmp;
492 }
493 }
494 }
495}
496
497/*
498 * Clear the remote address list
499 */
500static void
502{
503 if (lsa->remote_list && free)
504 {
505 freeaddrinfo(lsa->remote_list);
506 }
507 lsa->remote_list = NULL;
508 lsa->current_remote = NULL;
509}
510
511/*
512 * Increment to next connection entry
513 */
514static void
516{
517 struct connection_list *l = c->options.connection_list;
518 bool ce_defined;
519 struct connection_entry *ce;
520 int n_cycles = 0;
521
522 do
523 {
524 ce_defined = true;
525 if (c->options.no_advance && l->current >= 0)
526 {
527 c->options.no_advance = false;
528 }
529 else
530 {
531 /* Check if there is another resolved address to try for
532 * the current connection */
534 && c->c1.link_socket_addrs[0].current_remote->ai_next
536 {
538 c->c1.link_socket_addrs[0].current_remote->ai_next;
539 }
540 else
541 {
542 c->options.advance_next_remote = false;
543 /* FIXME (schwabe) fix the persist-remote-ip option for real,
544 * this is broken probably ever since connection lists and multiple
545 * remote existed
546 */
548 {
549 /* Connection entry addrinfo objects might have been
550 * resolved earlier but the entry itself might have been
551 * skipped by management on the previous loop.
552 * If so, clear the addrinfo objects as close_instance does
553 */
555 {
558 }
559
560 /* close_instance should have cleared the addrinfo objects */
562 ASSERT(c->c1.link_socket_addrs[0].remote_list == NULL);
563 }
564 else
565 {
568 }
569
570 int advance_count = 1;
571
572 /* If previous connection entry was skipped by management client
573 * with a count to advance by, apply it.
574 */
575 if (c->options.ce_advance_count > 0)
576 {
577 advance_count = c->options.ce_advance_count;
578 }
579
580 /*
581 * Increase the number of connection attempts
582 * If this is connect-retry-max * size(l)
583 * OpenVPN will quit
584 */
585
586 c->options.unsuccessful_attempts += advance_count;
587 l->current += advance_count;
588
589 if (l->current >= l->len)
590 {
591 l->current %= l->len;
592 if (++n_cycles >= 2)
593 {
594 msg(M_FATAL, "No usable connection profiles are present");
595 }
596 }
597 }
598 }
599
601 ce = l->array[l->current];
602
603 if (ce->flags & CE_DISABLED)
604 {
605 ce_defined = false;
606 }
607
608 c->options.ce = *ce;
609
610#ifdef ENABLE_MANAGEMENT
612 {
613 /* allow management interface to override connection entry details */
614 ce_defined = ce_management_query_remote(c);
615 if (IS_SIG(c))
616 {
617 break;
618 }
619 }
620 else if (ce_defined && management && management_query_proxy_enabled(management))
621 {
622 ce_defined = ce_management_query_proxy(c);
623 if (IS_SIG(c))
624 {
625 break;
626 }
627 }
628#endif
629 } while (!ce_defined);
630
631 /* Check if this connection attempt would bring us over the limit */
632 if (c->options.connect_retry_max > 0
634 {
635 msg(M_FATAL, "All connections have been connect-retry-max (%d) times unsuccessful, exiting",
637 }
639}
640
641/*
642 * Query for private key and auth-user-pass username/passwords
643 */
644void
646{
647 /* Certificate password input */
648 if (c->options.key_pass_file)
649 {
651 }
652
653 /* Auth user/pass input */
655 {
657#ifdef ENABLE_MANAGEMENT
659 &c->options.sc_info);
660#else
662 NULL);
663#endif
664 }
665}
666
667/*
668 * Initialize/Uninitialize HTTP or SOCKS proxy
669 */
670
671static void
673{
674 if (c->c1.http_proxy_owned && c->c1.http_proxy)
675 {
677 c->c1.http_proxy = NULL;
678 c->c1.http_proxy_owned = false;
679 }
680 if (c->c1.socks_proxy_owned && c->c1.socks_proxy)
681 {
683 c->c1.socks_proxy = NULL;
684 c->c1.socks_proxy_owned = false;
685 }
686}
687
688static void
690{
691 bool did_http = false;
692
694
696 {
698
699 /* Possible HTTP proxy user/pass input */
701 if (c->c1.http_proxy)
702 {
703 did_http = true;
704 c->c1.http_proxy_owned = true;
705 }
706 }
707
708 if (!did_http && c->options.ce.socks_proxy_server)
709 {
710 c->c1.socks_proxy =
713 if (c->c1.socks_proxy)
714 {
715 c->c1.socks_proxy_owned = true;
716 }
717 }
718}
719
720static void
722{
724}
725
726static void
728{
730}
731
732static void
738
739void
741{
743
745
747
749
751
752#if defined(ENABLE_PKCS11)
753 if (c->first_time)
754 {
755 int i;
756 pkcs11_initialize(true, c->options.pkcs11_pin_cache_period);
757 for (i = 0; i < MAX_PARMS && c->options.pkcs11_providers[i] != NULL; i++)
758 {
759 pkcs11_addProvider(
760 c->options.pkcs11_providers[i], c->options.pkcs11_protected_authentication[i],
761 c->options.pkcs11_private_mode[i], c->options.pkcs11_cert_private[i]);
762 }
763 }
764#endif
765
766#if 0 /* test get_user_pass with GET_USER_PASS_NEED_OK flag */
767 {
768 /*
769 * In the management interface, you can okay the request by entering "needok token-insertion-request ok"
770 */
771 struct user_pass up;
772 CLEAR(up);
773 strcpy(up.username, "Please insert your cryptographic token"); /* put the high-level message in up.username */
774 get_user_pass(&up, NULL, "token-insertion-request", GET_USER_PASS_MANAGEMENT|GET_USER_PASS_NEED_OK);
775 msg(M_INFO, "RET:%s", up.password); /* will return the third argument to management interface
776 * 'needok' command, usually 'ok' or 'cancel'. */
777 }
778#endif
779
780#ifdef ENABLE_SYSTEMD
781 /* We can report the PID via getpid() to systemd here as OpenVPN will not
782 * do any fork due to daemon() a future call.
783 * See possibly_become_daemon() [init.c] for more details.
784 */
785 sd_notifyf(0, "READY=1\nSTATUS=Pre-connection initialization successful\nMAINPID=%lu",
786 (unsigned long)getpid());
787#endif
788}
789
790void
792{
793 gc_free(&c->c2.gc);
794 gc_free(&c->options.gc);
795 gc_free(&c->gc);
796}
797
798#if PORT_SHARE
799
800static void
801close_port_share(void)
802{
803 if (port_share)
804 {
805 port_share_close(port_share);
806 port_share = NULL;
807 }
808}
809
810static void
811init_port_share(struct context *c)
812{
813 if (!port_share && (c->options.port_share_host && c->options.port_share_port))
814 {
815 port_share =
816 port_share_open(c->options.port_share_host, c->options.port_share_port,
817 c->c2.frame.buf.payload_size, c->options.port_share_journal_dir);
818 if (port_share == NULL)
819 {
820 msg(M_FATAL, "Fatal error: Port sharing failed");
821 }
822 }
823}
824
825#endif /* if PORT_SHARE */
826
827
828bool
830{
831#if defined(DMALLOC)
832 crypto_init_dmalloc();
833#endif
834
835
836 /*
837 * Initialize random number seed. random() is only used
838 * when "weak" random numbers are acceptable.
839 * SSL library routines are always used when cryptographically
840 * strong random numbers are required.
841 */
842 struct timeval tv;
843 if (!gettimeofday(&tv, NULL))
844 {
845 const unsigned int seed = (unsigned int)tv.tv_sec ^ tv.tv_usec;
846 srandom(seed);
847 }
848
849 error_reset(); /* initialize error.c */
850 reset_check_status(); /* initialize status check code in socket.c */
851
852#ifdef _WIN32
853 init_win32();
854#endif
855
856#ifdef OPENVPN_DEBUG_COMMAND_LINE
857 {
858 int i;
859 for (i = 0; i < argc; ++i)
860 {
861 msg(M_INFO, "argv[%d] = '%s'", i, argv[i]);
862 }
863 }
864#endif
865
866 update_time();
867
868 init_ssl_lib();
869
870#ifdef SCHEDULE_TEST
871 schedule_test();
872 return false;
873#endif
874
875#ifdef IFCONFIG_POOL_TEST
876 ifconfig_pool_test(0x0A010004, 0x0A0100FF);
877 return false;
878#endif
879
880#ifdef TIME_TEST
881 time_test();
882 return false;
883#endif
884
885#ifdef GEN_PATH_TEST
886 {
887 struct gc_arena gc = gc_new();
888 const char *fn = gen_path("foo", "bar", &gc);
889 printf("%s\n", fn);
890 gc_free(&gc);
891 }
892 return false;
893#endif
894
895#ifdef STATUS_PRINTF_TEST
896 {
897 struct gc_arena gc = gc_new();
898 const char *tmp_file = platform_create_temp_file("/tmp", "foo", &gc);
899 struct status_output *so = status_open(tmp_file, 0, -1, NULL, STATUS_OUTPUT_WRITE);
900 status_printf(so, "%s", "foo");
901 status_printf(so, "%s", "bar");
902 if (!status_close(so))
903 {
904 msg(M_WARN, "STATUS_PRINTF_TEST: %s: write error", tmp_file);
905 }
906 gc_free(&gc);
907 }
908 return false;
909#endif
910
911#ifdef MSTATS_TEST
912 {
913 int i;
914 mstats_open("/dev/shm/mstats.dat");
915 for (i = 0; i < 30; ++i)
916 {
917 mmap_stats->n_clients += 1;
918 mmap_stats->link_write_bytes += 8;
919 mmap_stats->link_read_bytes += 16;
920 sleep(1);
921 }
922 mstats_close();
923 return false;
924 }
925#endif
926
927 return true;
928}
929
930void
932{
933 free_ssl_lib();
934
935#ifdef ENABLE_PKCS11
936 pkcs11_terminate();
937#endif
938
939#if PORT_SHARE
940 close_port_share();
941#endif
942
943#if defined(MEASURE_TLS_HANDSHAKE_STATS)
944 show_tls_performance_stats();
945#endif
946}
947
948void
949init_verb_mute(struct context *c, unsigned int flags)
950{
951 if (flags & IVM_LEVEL_1)
952 {
953 /* set verbosity and mute levels */
957 }
958
959 /* special D_LOG_RW mode */
960 if (flags & IVM_LEVEL_2)
961 {
963 }
964}
965
966/*
967 * Possibly set --dev based on --dev-node.
968 * For example, if --dev-node /tmp/foo/tun, and --dev undefined,
969 * set --dev to tun.
970 */
971void
973{
974 if (!options->dev && options->dev_node)
975 {
976 /* POSIX basename() implementations may modify its arguments */
977 char *dev_node = string_alloc(options->dev_node, NULL);
978 options->dev = basename(dev_node);
979 }
980}
981
982bool
984{
985 /*
986 * OpenSSL info print mode?
987 */
990 {
992 {
994 }
996 {
998 }
1000 {
1002 }
1004 {
1007 }
1008 if (options->show_curves)
1009 {
1011 }
1012 return true;
1013 }
1014 return false;
1015}
1016
1017/*
1018 * Static pre-shared key generation mode?
1019 */
1020bool
1022{
1023 /* should we disable paging? */
1024 if (options->mlock && (options->genkey))
1025 {
1026 platform_mlockall(true);
1027 }
1028
1029 /*
1030 * We do not want user to use --genkey with --secret. In the transistion
1031 * phase we for secret.
1032 */
1034 {
1035 msg(M_USAGE, "Using --genkey type with --secret filename is "
1036 "not supported. Use --genkey type filename instead.");
1037 }
1039 {
1040 int nbits_written;
1041 const char *genkey_filename = options->genkey_filename;
1043 {
1044 msg(M_USAGE, "You must provide a filename to either --genkey "
1045 "or --secret, not both");
1046 }
1047
1048 /*
1049 * Copy filename from shared_secret_file to genkey_filename to support
1050 * the old --genkey --secret foo.file syntax.
1051 */
1053 {
1054 msg(M_WARN, "WARNING: Using --genkey --secret filename is "
1055 "DEPRECATED. Use --genkey secret filename instead.");
1056 genkey_filename = options->shared_secret_file;
1057 }
1058
1059 nbits_written = write_key_file(2, genkey_filename);
1060 if (nbits_written < 0)
1061 {
1062 msg(M_FATAL, "Failed to write key file");
1063 }
1064
1065 msg(D_GENKEY | M_NOPREFIX, "Randomly generated %d bit key written to %s", nbits_written,
1067 return true;
1068 }
1070 {
1072 return true;
1073 }
1075 {
1077 {
1078 msg(M_USAGE,
1079 "--genkey tls-crypt-v2-client requires a server key to be set via --tls-crypt-v2 to create a client key");
1080 }
1081
1085 return true;
1086 }
1088 {
1090 return true;
1091 }
1092 else
1093 {
1094 return false;
1095 }
1096}
1097
1098/*
1099 * Persistent TUN/TAP device management mode?
1100 */
1101bool
1103{
1104 if (!options->persist_config)
1105 {
1106 return false;
1107 }
1108
1109 /* sanity check on options for --mktun or --rmtun */
1110 notnull(options->dev, "TUN/TAP device (--dev)");
1113 {
1115 "options --mktun or --rmtun should only be used together with --dev");
1116 }
1117
1118#if defined(ENABLE_DCO)
1119 if (dco_enabled(options))
1120 {
1121 /* creating a DCO interface via --mktun is not supported as it does not
1122 * make much sense. Since DCO is enabled by default, people may run into
1123 * this without knowing, therefore this case should be properly handled.
1124 *
1125 * Disable DCO if --mktun was provided and print a message to let
1126 * user know.
1127 */
1129 {
1130 msg(M_WARN, "Note: --mktun does not support DCO. Creating TUN interface.");
1131 }
1132
1133 options->disable_dco = true;
1134 }
1135#endif
1136
1137#ifdef ENABLE_FEATURE_TUN_PERSIST
1141 {
1142 set_lladdr(ctx, options->dev, options->lladdr, NULL);
1143 }
1144 return true;
1145#else /* ifdef ENABLE_FEATURE_TUN_PERSIST */
1147 "options --mktun and --rmtun are not available on your operating "
1148 "system. Please check 'man tun' (or 'tap'), whether your system "
1149 "supports using 'ifconfig %s create' / 'destroy' to create/remove "
1150 "persistent tunnel interfaces.",
1151 options->dev);
1152#endif
1153 return false;
1154}
1155
1156/*
1157 * Should we become a daemon?
1158 * Return true if we did it.
1159 */
1160bool
1162{
1163 bool ret = false;
1164
1165#ifdef ENABLE_SYSTEMD
1166 /* return without forking if we are running from systemd */
1167 if (sd_notify(0, "READY=0") > 0)
1168 {
1169 return ret;
1170 }
1171#endif
1172
1173 if (options->daemon)
1174 {
1175 /* Don't chdir immediately, but the end of the init sequence, if needed */
1176
1177#if defined(__APPLE__) && defined(__clang__)
1178#pragma clang diagnostic push
1179#pragma clang diagnostic ignored "-Wdeprecated-declarations"
1180#endif
1181 if (daemon(1, options->log) < 0)
1182 {
1183 msg(M_ERR, "daemon() failed or unsupported");
1184 }
1185#if defined(__APPLE__) && defined(__clang__)
1186#pragma clang diagnostic pop
1187#endif
1189 if (options->log)
1190 {
1192 }
1193
1194 ret = true;
1195 }
1196 return ret;
1197}
1198
1199/*
1200 * Actually do UID/GID downgrade, chroot and SELinux context switching, if requested.
1201 */
1202static void
1203do_uid_gid_chroot(struct context *c, bool no_delay)
1204{
1205 static const char why_not[] = "will be delayed because of --client, --pull, or --up-delay";
1206 struct context_0 *c0 = c->c0;
1207
1208 if (c0 && !c0->uid_gid_chroot_set)
1209 {
1210 /* chroot if requested */
1211 if (c->options.chroot_dir)
1212 {
1213 if (no_delay)
1214 {
1216 }
1217 else if (c->first_time)
1218 {
1219 msg(M_INFO, "NOTE: chroot %s", why_not);
1220 }
1221 }
1222
1223 /* set user and/or group if we want to setuid/setgid */
1224 if (c0->uid_gid_specified)
1225 {
1226 if (no_delay)
1227 {
1229 }
1230 else if (c->first_time)
1231 {
1232 msg(M_INFO, "NOTE: UID/GID downgrade %s", why_not);
1233 }
1234 }
1235
1236#ifdef ENABLE_MEMSTATS
1237 if (c->first_time && c->options.memstats_fn)
1238 {
1239 mstats_open(c->options.memstats_fn);
1240 }
1241#endif
1242
1243#ifdef ENABLE_SELINUX
1244 /* Apply a SELinux context in order to restrict what OpenVPN can do
1245 * to _only_ what it is supposed to do after initialization is complete
1246 * (basically just network I/O operations). Doing it after chroot
1247 * requires /proc to be mounted in the chroot (which is annoying indeed
1248 * but doing it before requires more complex SELinux policies.
1249 */
1250 if (c->options.selinux_context)
1251 {
1252 if (no_delay)
1253 {
1254 if (-1 == setcon(c->options.selinux_context))
1255 {
1256 msg(M_ERR, "setcon to '%s' failed; is /proc accessible?",
1257 c->options.selinux_context);
1258 }
1259 else
1260 {
1261 msg(M_INFO, "setcon to '%s' succeeded", c->options.selinux_context);
1262 }
1263 }
1264 else if (c->first_time)
1265 {
1266 msg(M_INFO, "NOTE: setcon %s", why_not);
1267 }
1268 }
1269#endif
1270
1271 /* Privileges are going to be dropped by now (if requested), be sure
1272 * to prevent any future privilege dropping attempts from now on.
1273 */
1274 if (no_delay)
1275 {
1276 c0->uid_gid_chroot_set = true;
1277 }
1278 }
1279}
1280
1281/*
1282 * Return common name in a way that is formatted for
1283 * prepending to msg() output.
1284 */
1285const char *
1287{
1288 struct buffer out = alloc_buf_gc(256, gc);
1289 if (c->c2.tls_multi)
1290 {
1291 buf_printf(&out, "[%s] ", tls_common_name(c->c2.tls_multi, false));
1292 }
1293 return BSTR(&out);
1294}
1295
1296void
1298{
1299#ifdef _WIN32
1301 {
1304 }
1305 else
1306 {
1308
1309 /* put a title on the top window bar */
1311 {
1314 }
1315 }
1316#endif /* ifdef _WIN32 */
1317}
1318
1319void
1321{
1322 c->c2.coarse_timer_wakeup = 0;
1323}
1324
1325/*
1326 * Initialise the server poll timeout timer
1327 * This timer is used in the http/socks proxy setup so it needs to be setup
1328 * before
1329 */
1330static void
1332{
1333 update_time();
1334 if (c->options.ce.connect_timeout)
1335 {
1336 event_timeout_init(&c->c2.server_poll_interval, c->options.ce.connect_timeout, now);
1337 }
1338}
1339
1340/*
1341 * Initialize timers
1342 */
1343static void
1345{
1346 update_time();
1348
1349 /* initialize inactivity timeout */
1350 if (c->options.inactivity_timeout)
1351 {
1352 event_timeout_init(&c->c2.inactivity_interval, c->options.inactivity_timeout, now);
1353 }
1354
1355 /* initialize inactivity timeout */
1356 if (c->options.session_timeout)
1357 {
1358 event_timeout_init(&c->c2.session_interval, c->options.session_timeout, now);
1359 }
1360
1361 /* initialize pings */
1362 if (dco_enabled(&c->options))
1363 {
1364 /* The DCO kernel module will send the pings instead of user space */
1365 event_timeout_clear(&c->c2.ping_rec_interval);
1366 event_timeout_clear(&c->c2.ping_send_interval);
1367 }
1368 else
1369 {
1370 if (c->options.ping_send_timeout)
1371 {
1372 event_timeout_init(&c->c2.ping_send_interval, c->options.ping_send_timeout, 0);
1373 }
1374
1375 if (c->options.ping_rec_timeout)
1376 {
1377 event_timeout_init(&c->c2.ping_rec_interval, c->options.ping_rec_timeout, now);
1378 }
1379 }
1380
1381 /* If the auth-token renewal interval is shorter than reneg-sec, arm
1382 * "auth-token renewal" timer to send additional auth-token to update the
1383 * token on the client more often. If not, this happens automatically
1384 * at renegotiation time, without needing an extra event.
1385 */
1386 if (c->options.auth_token_generate
1387 && c->options.auth_token_renewal < c->options.renegotiate_seconds)
1388 {
1389 event_timeout_init(&c->c2.auth_token_renewal_interval, c->options.auth_token_renewal, now);
1390 }
1391
1392 if (!deferred)
1393 {
1394 /* initialize connection establishment timer */
1395 event_timeout_init(&c->c2.wait_for_connect, 1, now);
1396
1397 /* initialize occ timers */
1398
1399 if (c->options.occ && !TLS_MODE(c) && c->c2.options_string_local
1400 && c->c2.options_string_remote)
1401 {
1402 event_timeout_init(&c->c2.occ_interval, OCC_INTERVAL_SECONDS, now);
1403 }
1404
1405 if (c->options.mtu_test)
1406 {
1407 event_timeout_init(&c->c2.occ_mtu_load_test_interval, OCC_MTU_LOAD_INTERVAL_SECONDS,
1408 now);
1409 }
1410
1411 /* initialize packet_id persistence timer */
1412 if (c->options.packet_id_file)
1413 {
1414 event_timeout_init(&c->c2.packet_id_persist_interval, 60, now);
1415 }
1416
1417 /* initialize tmp_int optimization that limits the number of times we call
1418 * tls_multi_process in the main event loop */
1420 }
1421}
1422
1423/*
1424 * Initialize traffic shaper.
1425 */
1426static void
1428{
1429 /* initialize traffic shaper (i.e. transmit bandwidth limiter) */
1430 if (c->options.shaper)
1431 {
1432 shaper_init(&c->c2.shaper, c->options.shaper);
1433 shaper_msg(&c->c2.shaper);
1434 }
1435}
1436
1437/*
1438 * Allocate route list structures for IPv4 and IPv6
1439 * (we do this for IPv4 even if no --route option has been seen, as other
1440 * parts of OpenVPN might want to fill the route-list with info, e.g. DHCP)
1441 */
1442static void
1444{
1445 if (!c->c1.route_list)
1446 {
1447 ALLOC_OBJ_CLEAR_GC(c->c1.route_list, struct route_list, &c->gc);
1448 }
1449 if (c->options.routes_ipv6 && !c->c1.route_ipv6_list)
1450 {
1451 ALLOC_OBJ_CLEAR_GC(c->c1.route_ipv6_list, struct route_ipv6_list, &c->gc);
1452 }
1453}
1454
1455
1456/*
1457 * Initialize the route list, resolving any DNS names in route
1458 * options and saving routes in the environment.
1459 */
1460static void
1462 const struct link_socket_info *link_socket_info, struct env_set *es,
1463 openvpn_net_ctx_t *ctx)
1464{
1465 const char *gw = NULL;
1467 int metric = 0;
1468
1469 /* if DCO is enabled we have both regular routes and iroutes in the system
1470 * routing table, and normal routes must have a higher metric for that to
1471 * work so that iroutes are always matched first
1472 */
1473 if (dco_enabled(options))
1474 {
1475 metric = DCO_DEFAULT_METRIC;
1476 }
1477
1478 if (dev == DEV_TYPE_TUN && (options->topology == TOP_NET30 || options->topology == TOP_P2P))
1479 {
1481 }
1483 {
1485 }
1487 {
1488 metric = options->route_default_metric;
1489 }
1490
1493 {
1494 /* copy routes to environment */
1496 }
1497}
1498
1499static void
1501 const struct link_socket_info *link_socket_info, struct env_set *es,
1502 openvpn_net_ctx_t *ctx)
1503{
1504 const char *gw = NULL;
1505 int metric = -1; /* no metric set */
1506
1507 /* see explanation in do_init_route_list() */
1508 if (dco_enabled(options))
1509 {
1510 metric = DCO_DEFAULT_METRIC;
1511 }
1512
1513 gw = options->ifconfig_ipv6_remote; /* default GW = remote end */
1515 {
1517 }
1518
1520 {
1521 metric = options->route_default_metric;
1522 }
1523
1524 /* redirect (IPv6) gateway to VPN? if yes, add a few more specifics
1525 */
1527 {
1528 char *opt_list[] = { "::/3", "2000::/4", "3000::/4", "fc00::/7", NULL };
1529 int i;
1530
1531 for (i = 0; opt_list[i]; i++)
1532 {
1536 }
1537 }
1538
1541 {
1542 /* copy routes to environment */
1544 }
1545}
1546
1547
1548/*
1549 * Called after all initialization has been completed.
1550 */
1551void
1552initialization_sequence_completed(struct context *c, const unsigned int flags)
1553{
1554 static const char message[] = "Initialization Sequence Completed";
1555
1556 /* Reset the unsuccessful connection counter on complete initialisation */
1557 c->options.unsuccessful_attempts = 0;
1558
1559 /* If we delayed UID/GID downgrade or chroot, do it now */
1560 do_uid_gid_chroot(c, true);
1561
1562 /* Test if errors */
1563 if (flags & ISC_ERRORS)
1564 {
1565#ifdef _WIN32
1568 msg(M_INFO, "%s With Errors ( see http://openvpn.net/faq.html#dhcpclientserv )", message);
1569#else
1570#ifdef ENABLE_SYSTEMD
1571 sd_notifyf(0, "STATUS=Failed to start up: %s With Errors\nERRNO=1", message);
1572#endif /* HAVE_SYSTEMD_SD_DAEMON_H */
1573 msg(M_INFO, "%s With Errors", message);
1574#endif
1575 }
1576 else
1577 {
1578#ifdef ENABLE_SYSTEMD
1579 sd_notifyf(0, "STATUS=%s", message);
1580#endif
1581 msg(M_INFO, "%s", message);
1582 }
1583
1584 /* Flag that we initialized */
1585 if ((flags & (ISC_ERRORS | ISC_SERVER)) == 0)
1586 {
1587 c->options.no_advance = true;
1588 }
1589
1590#ifdef _WIN32
1591 fork_register_dns_action(c->c1.tuntap);
1592#endif
1593
1594#ifdef ENABLE_MANAGEMENT
1595 /* Tell management interface that we initialized */
1596 if (management)
1597 {
1599 struct in6_addr *tun_local6 = NULL;
1600 struct openvpn_sockaddr local, remote;
1601 struct link_socket_actual *actual;
1602 socklen_t sa_len = sizeof(local);
1603 const char *detail = "SUCCESS";
1604 if (flags & ISC_ERRORS)
1605 {
1606 detail = "ERROR";
1607 }
1608 /* Flag route error only on platforms where trivial "already exists" errors
1609 * are filtered out. Currently this is the case on Windows or if usng netlink.
1610 */
1611#if defined(_WIN32) || defined(ENABLE_SITNL)
1612 else if (flags & ISC_ROUTE_ERRORS)
1613 {
1614 detail = "ROUTE_ERROR";
1615 }
1616#endif
1617
1618 CLEAR(local);
1619 actual = &get_link_socket_info(c)->lsa->actual;
1620 remote = actual->dest;
1621 getsockname(c->c2.link_sockets[0]->sd, &local.addr.sa, &sa_len);
1622#if ENABLE_IP_PKTINFO
1623 if (!addr_defined(&local))
1624 {
1625 switch (local.addr.sa.sa_family)
1626 {
1627 case AF_INET:
1628#if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST)
1629 local.addr.in4.sin_addr = actual->pi.in4.ipi_spec_dst;
1630#else
1631 local.addr.in4.sin_addr = actual->pi.in4;
1632#endif
1633 break;
1634
1635 case AF_INET6:
1636 local.addr.in6.sin6_addr = actual->pi.in6.ipi6_addr;
1637 break;
1638 }
1639 }
1640#endif
1641
1642 if (c->c1.tuntap)
1643 {
1644 tun_local = &c->c1.tuntap->local;
1645 tun_local6 = &c->c1.tuntap->local_ipv6;
1646 }
1647 management_set_state(management, OPENVPN_STATE_CONNECTED, detail, tun_local, tun_local6,
1648 &local, &remote);
1649 if (tun_local)
1650 {
1652 }
1653 }
1654#endif /* ifdef ENABLE_MANAGEMENT */
1655}
1656
1661static bool
1662route_noexec_enabled(const struct options *o, const struct tuntap *tt)
1663{
1664 return o->route_noexec || (tt && tt->backend_driver == DRIVER_AFUNIX)
1665 || (tt && tt->backend_driver == DRIVER_NULL);
1666}
1667
1668/*
1669 * Possibly add routes and/or call route-up script
1670 * based on options.
1671 */
1672bool
1674 struct route_ipv6_list *route_ipv6_list, const struct tuntap *tt,
1675 const struct plugin_list *plugins, struct env_set *es, openvpn_net_ctx_t *ctx)
1676{
1677 bool ret = true;
1679 {
1682 }
1683#ifdef ENABLE_MANAGEMENT
1684 if (management)
1685 {
1687 }
1688#endif
1689
1691 {
1692 if (plugin_call(plugins, OPENVPN_PLUGIN_ROUTE_UP, NULL, NULL, es)
1694 {
1695 msg(M_WARN, "WARNING: route-up plugin call failed");
1696 }
1697 }
1698
1699 if (options->route_script)
1700 {
1701 struct argv argv = argv_new();
1702 setenv_str(es, "script_type", "route-up");
1704 openvpn_run_script(&argv, es, 0, "--route-up");
1705 argv_free(&argv);
1706 }
1707
1708#ifdef _WIN32
1709 if (options->show_net_up)
1710 {
1713 }
1714 else if (check_debug_level(D_SHOW_NET))
1715 {
1718 }
1719#endif
1720 return ret;
1721}
1722
1723/*
1724 * initialize tun/tap device object
1725 */
1726static void
1728{
1734 c->c2.es, &c->net_ctx, c->c1.tuntap);
1735
1737 {
1738 /* Using AF_UNIX trumps using DCO */
1740 }
1741 else if (is_dev_type(c->options.dev, c->options.dev_type, "null"))
1742 {
1744 }
1745#ifdef _WIN32
1746 else
1747 {
1749 }
1750#else
1751 else if (dco_enabled(&c->options))
1752 {
1754 }
1755 else
1756 {
1758 }
1759#endif
1760
1762
1763 c->c1.tuntap_owned = true;
1764}
1765
1766/*
1767 * Open tun/tap device, ifconfig, call up script, etc.
1768 */
1769
1770
1771static bool
1773{
1774 if (tt && tt->backend_driver == DRIVER_AFUNIX)
1775 {
1776 return false;
1777 }
1778#ifdef TARGET_ANDROID
1779 return false;
1780#else
1781 return is_tun_type_set(tt);
1782#endif
1783}
1784
1793static void
1795{
1796#if defined(_WIN32)
1797 /* Fortify 'redirect-gateway block-local' with firewall rules? */
1798 bool block_local = block_local_needed(c->c1.route_list);
1799
1800 if (c->options.block_outside_dns || block_local)
1801 {
1802 BOOL dns_only = !block_local;
1803 if (!win_wfp_block(c->c1.tuntap->adapter_index, c->options.msg_channel, dns_only))
1804 {
1805 msg(M_FATAL, "WFP: initialization failed");
1806 }
1807 }
1808#endif
1809}
1810
1819static void
1820del_wfp_block(struct context *c, unsigned long adapter_index)
1821{
1822#if defined(_WIN32)
1824 {
1825 if (!win_wfp_uninit(adapter_index, c->options.msg_channel))
1826 {
1827 msg(M_FATAL, "WFP: deinitialization failed");
1828 }
1829 }
1830#endif
1831}
1832
1838static bool
1840{
1841 return c->options.ifconfig_noexec
1842 || (c->c1.tuntap && c->c1.tuntap->backend_driver == DRIVER_AFUNIX)
1843 || (c->c1.tuntap && c->c1.tuntap->backend_driver == DRIVER_NULL);
1844}
1845
1846static void
1848{
1849 struct tuntap *tt = c->c1.tuntap;
1850
1851 if (tt->backend_driver == DRIVER_NULL)
1852 {
1854 }
1855 else if (tt->backend_driver == DRIVER_AFUNIX)
1856 {
1857 open_tun_afunix(&c->options, c->c2.frame.tun_mtu, tt, c->c2.es);
1858 }
1859 else
1860 {
1862 }
1863 msg(M_INFO, "%s device [%s] opened", print_tun_backend_driver(tt->backend_driver),
1864 tt->actual_name);
1865}
1866
1867
1868static bool
1869do_open_tun(struct context *c, int *error_flags)
1870{
1871 struct gc_arena gc = gc_new();
1872 bool ret = false;
1873 *error_flags = 0;
1874
1875 if (!can_preserve_tun(c->c1.tuntap))
1876 {
1877#ifdef TARGET_ANDROID
1878 /* If we emulate persist-tun on android we still have to open a new tun and
1879 * then close the old */
1880 int oldtunfd = -1;
1881 if (c->c1.tuntap)
1882 {
1883 oldtunfd = c->c1.tuntap->fd;
1884 free(c->c1.tuntap);
1885 c->c1.tuntap = NULL;
1886 c->c1.tuntap_owned = false;
1887 }
1888#endif
1889
1890 /* initialize (but do not open) tun/tap object, this also sets
1891 * the backend driver type */
1892 do_init_tun(c);
1893
1894 /* inherit the dco context from the tuntap object */
1895 if (c->c2.tls_multi)
1896 {
1897 c->c2.tls_multi->dco = &c->c1.tuntap->dco;
1898 }
1899
1900#ifdef _WIN32
1901 /* store (hide) interactive service handle in tuntap_options */
1903 msg(D_ROUTE, "interactive service msg_channel=%" PRIuPTR, (intptr_t)c->options.msg_channel);
1904#endif
1905
1906 /* allocate route list structure */
1908
1909 /* parse and resolve the route option list */
1910 ASSERT(c->c2.link_sockets[0]);
1911 if (c->options.routes && c->c1.route_list)
1912 {
1914 c->c2.es, &c->net_ctx);
1915 }
1917 {
1919 &c->c2.link_sockets[0]->info, c->c2.es, &c->net_ctx);
1920 }
1921
1922 /* do ifconfig */
1924 {
1925 /* guess actual tun/tap unit number that will be returned
1926 * by open_tun */
1927 const char *guess =
1929 do_ifconfig(c->c1.tuntap, guess, c->c2.frame.tun_mtu, c->c2.es, &c->net_ctx);
1930 }
1931
1932 /* possibly add routes */
1934 {
1935 /* Ignore route_delay, would cause ROUTE_BEFORE_TUN to be ignored */
1937 c->c1.tuntap, c->plugins, c->c2.es, &c->net_ctx);
1938 *error_flags |= (status ? 0 : ISC_ROUTE_ERRORS);
1939 }
1940#ifdef TARGET_ANDROID
1941 /* Store the old fd inside the fd so open_tun can use it */
1942 c->c1.tuntap->fd = oldtunfd;
1943#endif
1944
1945 if (dco_enabled(&c->options))
1946 {
1947 ovpn_dco_init(c);
1948 }
1949
1950 /* open the tun device */
1952
1953 /* set the hardware address */
1954 if (c->options.lladdr)
1955 {
1957 }
1958
1959 /* do ifconfig */
1961 {
1963 &c->net_ctx);
1964 }
1965
1966 run_dns_up_down(true, &c->options, c->c1.tuntap, &c->persist.duri);
1967
1968 /* run the up script */
1970#ifdef _WIN32
1972#endif
1976 NULL, "up", c->c2.es);
1977
1978 add_wfp_block(c);
1979
1980 /* possibly add routes */
1982 {
1984 c->c1.tuntap, c->plugins, c->c2.es, &c->net_ctx);
1985 *error_flags |= (status ? 0 : ISC_ROUTE_ERRORS);
1986 }
1987
1988 ret = true;
1989 static_context = c;
1990 }
1991 else
1992 {
1993 msg(M_INFO, "Preserving previous TUN/TAP instance: %s", c->c1.tuntap->actual_name);
1994
1995 /* explicitly set the ifconfig_* env vars */
1997
1998 run_dns_up_down(true, &c->options, c->c1.tuntap, &c->persist.duri);
1999
2000 /* run the up script if user specified --up-restart */
2001 if (c->options.up_restart)
2002 {
2004 c->c1.tuntap->actual_name,
2005#ifdef _WIN32
2007#endif
2011 "restart", NULL, "up", c->c2.es);
2012 }
2013
2014 add_wfp_block(c);
2015 }
2016 gc_free(&gc);
2017 return ret;
2018}
2019
2020/*
2021 * Close TUN/TAP device
2022 */
2023
2024static void
2026{
2027 msg(D_CLOSE, "Closing %s interface", print_tun_backend_driver(c->c1.tuntap->backend_driver));
2028
2029 if (c->c1.tuntap)
2030 {
2032 {
2033 undo_ifconfig(c->c1.tuntap, &c->net_ctx);
2034 }
2036 {
2038 }
2039 else if (c->c1.tuntap->backend_driver == DRIVER_NULL)
2040 {
2041 free(c->c1.tuntap->actual_name);
2042 free(c->c1.tuntap);
2043 }
2044 else
2045 {
2046 close_tun(c->c1.tuntap, &c->net_ctx);
2047 }
2048 c->c1.tuntap = NULL;
2049 }
2050 c->c1.tuntap_owned = false;
2052}
2053
2054static void
2055do_close_tun(struct context *c, bool force)
2056{
2057 /* With dco-win we open tun handle in the very beginning.
2058 * In case when tun wasn't opened - like we haven't connected,
2059 * we still need to close tun handle
2060 */
2062 {
2064 return;
2065 }
2066
2067 if (!c->c1.tuntap || !c->c1.tuntap_owned)
2068 {
2069 return;
2070 }
2071
2072 struct gc_arena gc = gc_new();
2073 const char *tuntap_actual = string_alloc(c->c1.tuntap->actual_name, &gc);
2074 const in_addr_t local = c->c1.tuntap->local;
2075 const in_addr_t remote_netmask = c->c1.tuntap->remote_netmask;
2076 unsigned long adapter_index = 0;
2077#ifdef _WIN32
2078 adapter_index = c->c1.tuntap->adapter_index;
2079#endif
2080
2081 run_dns_up_down(false, &c->options, c->c1.tuntap, &c->persist.duri);
2082
2083 if (force || !(c->sig->signal_received == SIGUSR1 && c->options.persist_tun))
2084 {
2085 static_context = NULL;
2086
2087#ifdef ENABLE_MANAGEMENT
2088 /* tell management layer we are about to close the TUN/TAP device */
2089 if (management)
2090 {
2092 management_up_down(management, "DOWN", c->c2.es);
2093 }
2094#endif
2095
2096 /* delete any routes we added */
2097 if (c->c1.route_list || c->c1.route_ipv6_list)
2098 {
2100 tuntap_actual,
2101#ifdef _WIN32
2102 adapter_index,
2103#endif
2104 NULL, c->c2.frame.tun_mtu, print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc),
2105 print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc), "init",
2107 "route-pre-down", c->c2.es);
2108
2110 ROUTE_OPTION_FLAGS(&c->options), c->c2.es, &c->net_ctx);
2111 }
2112
2113 /* actually close tun/tap device based on --down-pre flag */
2114 if (!c->options.down_pre)
2115 {
2117 }
2118
2119 /* Run the down script -- note that it will run at reduced
2120 * privilege if, for example, "--user" was used. */
2122#ifdef _WIN32
2123 adapter_index,
2124#endif
2125 NULL, c->c2.frame.tun_mtu, print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc),
2126 print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc), "init",
2128 c->c2.es);
2129
2130 del_wfp_block(c, adapter_index);
2131
2132 /* actually close tun/tap device based on --down-pre flag */
2133 if (c->options.down_pre)
2134 {
2136 }
2137 }
2138 else
2139 {
2140 /* run the down script on this restart if --up-restart was specified */
2141 if (c->options.up_restart)
2142 {
2144#ifdef _WIN32
2145 adapter_index,
2146#endif
2147 NULL, c->c2.frame.tun_mtu, print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc),
2148 print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc), "restart",
2150 c->c2.es);
2151 }
2152
2153 del_wfp_block(c, adapter_index);
2154 }
2155 gc_free(&gc);
2156}
2157
2158void
2160{
2161 struct context *c = static_context;
2162 if (c)
2163 {
2164 static_context = NULL;
2165 do_close_tun(c, true);
2166 }
2167}
2168
2169/*
2170 * Handle delayed tun/tap interface bringup due to --up-delay or --pull
2171 */
2172
2177static bool
2179{
2180 const struct sha256_digest zero = { { 0 } };
2181 return memcmp(a, b, sizeof(struct sha256_digest))
2182 || !memcmp(a, &zero, sizeof(struct sha256_digest));
2183}
2184
2190static void
2191add_delim_if_non_empty(struct buffer *buf, const char *header)
2192{
2193 if (buf_len(buf) > strlen(header))
2194 {
2195 buf_printf(buf, ", ");
2196 }
2197}
2198
2199
2204static void
2206{
2207 struct options *o = &c->options;
2208
2209 struct buffer out;
2210 uint8_t line[1024] = { 0 };
2211 buf_set_write(&out, line, sizeof(line));
2212
2213
2214 if (cipher_kt_mode_aead(o->ciphername))
2215 {
2216 buf_printf(&out, "Data Channel: cipher '%s'", cipher_kt_name(o->ciphername));
2217 }
2218 else
2219 {
2220 buf_printf(&out, "Data Channel: cipher '%s', auth '%s'", cipher_kt_name(o->ciphername),
2221 md_kt_name(o->authname));
2222 }
2223
2224 if (o->use_peer_id)
2225 {
2226 buf_printf(&out, ", peer-id: %d", o->peer_id);
2227 }
2228
2229#ifdef USE_COMP
2230 if (c->c2.comp_context)
2231 {
2232 buf_printf(&out, ", compression: '%s'", c->c2.comp_context->alg.name);
2233 }
2234#endif
2235
2236 msg(D_HANDSHAKE, "%s", BSTR(&out));
2237
2238 buf_clear(&out);
2239
2240 const char *header = "Timers: ";
2241
2242 buf_printf(&out, "%s", header);
2243
2244 if (o->ping_send_timeout)
2245 {
2246 buf_printf(&out, "ping %d", o->ping_send_timeout);
2247 }
2248
2249 if (o->ping_rec_timeout_action != PING_UNDEF)
2250 {
2251 /* yes unidirectional ping is possible .... */
2252 add_delim_if_non_empty(&out, header);
2253
2254 if (o->ping_rec_timeout_action == PING_EXIT)
2255 {
2256 buf_printf(&out, "ping-exit %d", o->ping_rec_timeout);
2257 }
2258 else
2259 {
2260 buf_printf(&out, "ping-restart %d", o->ping_rec_timeout);
2261 }
2262 }
2263
2264 if (o->inactivity_timeout)
2265 {
2266 add_delim_if_non_empty(&out, header);
2267
2268 buf_printf(&out, "inactive %d", o->inactivity_timeout);
2269 if (o->inactivity_minimum_bytes)
2270 {
2271 buf_printf(&out, " %" PRIu64, o->inactivity_minimum_bytes);
2272 }
2273 }
2274
2275 if (o->session_timeout)
2276 {
2277 add_delim_if_non_empty(&out, header);
2278 buf_printf(&out, "session-timeout %d", o->session_timeout);
2279 }
2280
2281 if (buf_len(&out) > strlen(header))
2282 {
2283 msg(D_HANDSHAKE, "%s", BSTR(&out));
2284 }
2285
2286 buf_clear(&out);
2287 header = "Protocol options: ";
2288 buf_printf(&out, "%s", header);
2289
2290 if (c->options.ce.explicit_exit_notification)
2291 {
2292 buf_printf(&out, "explicit-exit-notify %d", c->options.ce.explicit_exit_notification);
2293 }
2294 if (c->options.imported_protocol_flags)
2295 {
2296 add_delim_if_non_empty(&out, header);
2297
2298 buf_printf(&out, "protocol-flags");
2299
2300 if (o->imported_protocol_flags & CO_USE_CC_EXIT_NOTIFY)
2301 {
2302 buf_printf(&out, " cc-exit");
2303 }
2304 if (o->imported_protocol_flags & CO_USE_TLS_KEY_MATERIAL_EXPORT)
2305 {
2306 buf_printf(&out, " tls-ekm");
2307 }
2308 if (o->imported_protocol_flags & CO_USE_DYNAMIC_TLS_CRYPT)
2309 {
2310 buf_printf(&out, " dyn-tls-crypt");
2311 }
2312 if (o->imported_protocol_flags & CO_EPOCH_DATA_KEY_FORMAT)
2313 {
2314 buf_printf(&out, " aead-epoch");
2315 }
2316 }
2317
2318 if (buf_len(&out) > strlen(header))
2319 {
2320 msg(D_HANDSHAKE, "%s", BSTR(&out));
2321 }
2322}
2323
2324
2332static bool
2334{
2335 struct frame *frame_fragment = NULL;
2336#ifdef ENABLE_FRAGMENT
2337 if (c->options.ce.fragment)
2338 {
2339 frame_fragment = &c->c2.frame_fragment;
2340 }
2341#endif
2342
2345 frame_fragment, get_link_socket_info(c),
2346 &c->c1.tuntap->dco))
2347 {
2348 msg(D_TLS_ERRORS, "OPTIONS ERROR: failed to import crypto options");
2349 return false;
2350 }
2351
2352 return true;
2353}
2354
2355bool
2356do_up(struct context *c, bool pulled_options, unsigned int option_types_found)
2357{
2358 int error_flags = 0;
2359 if (!c->c2.do_up_ran)
2360 {
2362
2363 if (pulled_options)
2364 {
2365 if (!do_deferred_options(c, option_types_found, false))
2366 {
2367 msg(D_PUSH_ERRORS, "ERROR: Failed to apply push options");
2368 return false;
2369 }
2370 }
2371
2372 /* if --up-delay specified, open tun, do ifconfig, and run up script now */
2373 if (c->options.up_delay || PULL_DEFINED(&c->options))
2374 {
2375 c->c2.did_open_tun = do_open_tun(c, &error_flags);
2376 update_time();
2377
2378 /*
2379 * Was tun interface object persisted from previous restart iteration,
2380 * and if so did pulled options string change from previous iteration?
2381 */
2382 if (!c->c2.did_open_tun && PULL_DEFINED(&c->options) && c->c1.tuntap
2385 {
2386 /* if so, close tun, delete routes, then reinitialize tun and add routes */
2387 msg(M_INFO,
2388 "NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.");
2389
2390 bool tt_dco_win = tuntap_is_dco_win(c->c1.tuntap);
2391 do_close_tun(c, true);
2392
2393 if (tt_dco_win)
2394 {
2395 msg(M_NONFATAL, "dco-win doesn't yet support reopening TUN device");
2396 /* prevent link_socket_close() from closing handle with WinSock API */
2398 return false;
2399 }
2400 else
2401 {
2403 c->c2.did_open_tun = do_open_tun(c, &error_flags);
2404 update_time();
2405 }
2406 }
2407 }
2408 }
2409
2410 /* This part needs to be run in p2p mode (without pull) when the client
2411 * reconnects to setup various things (like DCO and NCP cipher) that
2412 * might have changed from the previous connection.
2413 */
2414 if (!c->c2.do_up_ran
2416 {
2417 if (c->mode == MODE_POINT_TO_POINT)
2418 {
2419 /* ovpn-dco requires adding the peer now, before any option can be set,
2420 * but *after* having parsed the pushed peer-id in do_deferred_options()
2421 */
2422 int ret = dco_p2p_add_new_peer(c);
2423 if (ret < 0)
2424 {
2425 msg(D_DCO, "Cannot add peer to DCO: %s (%d)", strerror(-ret), ret);
2426 return false;
2427 }
2428 }
2429
2430 /* do_deferred_options_part2() and do_deferred_p2p_ncp() *must* be
2431 * invoked after open_tun().
2432 * This is required by DCO because we must have created the interface
2433 * and added the peer before we can fiddle with the keys or any other
2434 * data channel per-peer setting.
2435 */
2436 if (pulled_options)
2437 {
2439 {
2440 return false;
2441 }
2442 }
2443 else
2444 {
2445 if (c->mode == MODE_POINT_TO_POINT)
2446 {
2447 if (!do_deferred_p2p_ncp(c))
2448 {
2449 msg(D_TLS_ERRORS, "ERROR: Failed to apply P2P negotiated protocol options");
2450 return false;
2451 }
2452 }
2453 }
2454
2455 if (c->c2.did_open_tun)
2456 {
2458
2459 /* if --route-delay was specified, start timer */
2461 {
2466 }
2467 else
2468 {
2469 /* client/p2p --route-delay undefined */
2470 initialization_sequence_completed(c, error_flags);
2471 }
2472 }
2473 else if (c->options.mode == MODE_POINT_TO_POINT)
2474 {
2475 /* client/p2p restart with --persist-tun */
2476 initialization_sequence_completed(c, error_flags);
2477 }
2478
2480
2481 c->c2.do_up_ran = true;
2482 if (c->c2.tls_multi)
2483 {
2485 }
2486 }
2487 return true;
2488}
2489
2490bool
2491do_update(struct context *c, unsigned int option_types_found)
2492{
2493 /* Not necessary since to receive the update the openvpn
2494 * instance must be up and running but just in case
2495 */
2496 if (!c->c2.do_up_ran)
2497 {
2498 return false;
2499 }
2500
2501 bool tt_dco_win = tuntap_is_dco_win(c->c1.tuntap);
2502 if (tt_dco_win)
2503 {
2504 msg(M_NONFATAL, "dco-win doesn't yet support reopening TUN device");
2505 return false;
2506 }
2507
2508 if (!do_deferred_options(c, option_types_found, true))
2509 {
2510 msg(D_PUSH_ERRORS, "ERROR: Failed to apply push options");
2511 return false;
2512 }
2513
2514 do_close_tun(c, true);
2515
2517 int error_flags = 0;
2518 c->c2.did_open_tun = do_open_tun(c, &error_flags);
2519 update_time();
2520
2521 if (c->c2.did_open_tun)
2522 {
2523 /* if --route-delay was specified, start timer */
2525 {
2530 }
2531
2532 initialization_sequence_completed(c, error_flags);
2533 }
2534
2536
2537 return true;
2538}
2539
2540/*
2541 * These are the option categories which will be accepted by pull.
2542 */
2543unsigned int
2545{
2546 unsigned int flags = OPT_P_UP | OPT_P_ROUTE_EXTRAS | OPT_P_SOCKBUF | OPT_P_SOCKFLAGS
2550
2551 if (!c->options.route_nopull)
2552 {
2553 flags |= (OPT_P_ROUTE | OPT_P_DHCPDNS);
2554 }
2555
2556 return flags;
2557}
2558
2559static bool
2561{
2562 if (!c->c2.tls_multi)
2563 {
2564 return true;
2565 }
2566
2568
2570
2571 const char *ncp_cipher =
2573
2574 if (ncp_cipher)
2575 {
2576 c->options.ciphername = ncp_cipher;
2577 }
2578 else if (!c->options.enable_ncp_fallback)
2579 {
2580 msg(D_TLS_ERRORS, "ERROR: failed to negotiate cipher with peer and "
2581 "--data-ciphers-fallback not enabled. No usable "
2582 "data channel cipher");
2583 return false;
2584 }
2585
2586 struct frame *frame_fragment = NULL;
2587#ifdef ENABLE_FRAGMENT
2588 if (c->options.ce.fragment)
2589 {
2590 frame_fragment = &c->c2.frame_fragment;
2591 }
2592#endif
2593
2595 frame_fragment, get_link_socket_info(c),
2596 &c->c1.tuntap->dco))
2597 {
2598 msg(D_TLS_ERRORS, "ERROR: failed to set crypto cipher");
2599 return false;
2600 }
2601 return true;
2602}
2603
2604bool
2605do_deferred_options(struct context *c, const unsigned int found, const bool is_update)
2606{
2607 if (found & OPT_P_MESSAGES)
2608 {
2610 msg(D_PUSH, "OPTIONS IMPORT: --verb and/or --mute level changed");
2611 }
2612 if (found & OPT_P_TIMER)
2613 {
2614 do_init_timers(c, true);
2615 msg(D_PUSH_DEBUG, "OPTIONS IMPORT: timers and/or timeouts modified");
2616 }
2617
2618 if (found & OPT_P_EXPLICIT_NOTIFY)
2619 {
2620 /* Client side, so just check the first link_socket */
2623 {
2624 msg(D_PUSH, "OPTIONS IMPORT: --explicit-exit-notify can only be used with --proto udp");
2626 }
2627 else
2628 {
2629 msg(D_PUSH_DEBUG, "OPTIONS IMPORT: explicit notify parm(s) modified");
2630 }
2631 }
2632
2633 if (found & OPT_P_COMP)
2634 {
2636 {
2637 msg(D_PUSH_ERRORS, "OPTIONS ERROR: server pushed compression "
2638 "settings that are not allowed and will result "
2639 "in a non-working connection. "
2640 "See also allow-compression in the manual.");
2641 return false;
2642 }
2643#ifdef USE_COMP
2644 msg(D_PUSH_DEBUG, "OPTIONS IMPORT: compression parms modified");
2645 comp_uninit(c->c2.comp_context);
2646 c->c2.comp_context = comp_init(&c->options.comp);
2647#endif
2648 }
2649
2650 if (found & OPT_P_SHAPER)
2651 {
2652 msg(D_PUSH, "OPTIONS IMPORT: traffic shaper enabled");
2654 }
2655
2656 if (found & OPT_P_SOCKBUF)
2657 {
2658 msg(D_PUSH, "OPTIONS IMPORT: --sndbuf/--rcvbuf options modified");
2659
2660 for (int i = 0; i < c->c1.link_sockets_num; i++)
2661 {
2663 c->options.sndbuf);
2664 }
2665 }
2666
2667 if (found & OPT_P_SOCKFLAGS)
2668 {
2669 msg(D_PUSH, "OPTIONS IMPORT: --socket-flags option modified");
2670 for (int i = 0; i < c->c1.link_sockets_num; i++)
2671 {
2673 }
2674 }
2675
2676 if (found & OPT_P_PERSIST)
2677 {
2678 msg(D_PUSH, "OPTIONS IMPORT: --persist options modified");
2679 }
2680 if (found & OPT_P_UP)
2681 {
2682 msg(D_PUSH, "OPTIONS IMPORT: --ifconfig/up options modified");
2683 }
2684 if (found & OPT_P_ROUTE)
2685 {
2686 msg(D_PUSH, "OPTIONS IMPORT: route options modified");
2687 }
2688 if (found & OPT_P_ROUTE_EXTRAS)
2689 {
2690 msg(D_PUSH, "OPTIONS IMPORT: route-related options modified");
2691 }
2692 if (found & OPT_P_DHCPDNS)
2693 {
2694 msg(D_PUSH, "OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified");
2695 }
2696 if (found & OPT_P_SETENV)
2697 {
2698 msg(D_PUSH, "OPTIONS IMPORT: environment modified");
2699 }
2700
2701 if (found & OPT_P_PEER_ID)
2702 {
2703 msg(D_PUSH_DEBUG, "OPTIONS IMPORT: peer-id set");
2704 c->c2.tls_multi->use_peer_id = true;
2706 }
2707
2708 /* process (potentially) pushed options */
2709 if (c->options.pull)
2710 {
2711 /* On PUSH_UPDATE, NCP related flags are never updated, and so the code
2712 * would assume "no cipher pushed = NCP failed" - so, don't call it on
2713 * updates */
2714 if (!is_update && !check_pull_client_ncp(c, found))
2715 {
2716 return false;
2717 }
2718
2719 /* Check if pushed options are compatible with DCO, if enabled */
2721 {
2722 msg(D_PUSH_ERRORS, "OPTIONS ERROR: pushed options are incompatible "
2723 "with data channel offload. Use --disable-dco to connect to "
2724 "this server");
2725 return false;
2726 }
2727 }
2728
2729 /* Ensure that for epoch data format is only enabled if also data v2
2730 * is enabled */
2732 bool datav2_enabled = (c->options.peer_id >= 0 && c->options.peer_id < MAX_PEER_ID);
2733
2734 if (epoch_data && !datav2_enabled)
2735 {
2736 msg(D_PUSH_ERRORS, "OPTIONS ERROR: Epoch key data format tag requires "
2737 "data v2 (peer-id) to be enabled.");
2738 return false;
2739 }
2740
2741
2742 if (found & OPT_P_PUSH_MTU)
2743 {
2744 /* MTU has changed, check that the pushed MTU is small enough to
2745 * be able to change it */
2746 msg(D_PUSH, "OPTIONS IMPORT: tun-mtu set to %d", c->options.ce.tun_mtu);
2747
2748 struct frame *frame = &c->c2.frame;
2749
2751 {
2753 "Server-pushed tun-mtu is too large, please add "
2754 "tun-mtu-max %d in the client configuration",
2755 c->options.ce.tun_mtu);
2756 }
2758 }
2759
2760 return true;
2761}
2762
2763/*
2764 * Possible hold on initialization, holdtime is the
2765 * time OpenVPN would wait without management
2766 */
2767static bool
2768do_hold(int holdtime)
2769{
2770#ifdef ENABLE_MANAGEMENT
2771 if (management)
2772 {
2773 /* block until management hold is released */
2774 if (management_hold(management, holdtime))
2775 {
2776 return true;
2777 }
2778 }
2779#endif
2780 return false;
2781}
2782
2783/*
2784 * Sleep before restart.
2785 */
2786static void
2788{
2789 int sec = 2;
2790 int backoff = 0;
2791
2792 switch (c->mode)
2793 {
2794 case CM_TOP:
2795 sec = 1;
2796 break;
2797
2798 case CM_CHILD_UDP:
2799 case CM_CHILD_TCP:
2801 break;
2802 }
2803
2804#ifdef ENABLE_DEBUG
2805 if (GREMLIN_CONNECTION_FLOOD_LEVEL(c->options.gremlin))
2806 {
2807 sec = 0;
2808 }
2809#endif
2810
2812 {
2813 sec = 10;
2814 }
2815
2816 /* Slow down reconnection after 5 retries per remote -- for TCP client or UDP tls-client only */
2817 if (c->mode == CM_CHILD_TCP || (c->options.ce.proto == PROTO_UDP && c->options.tls_client))
2818 {
2819 backoff = (c->options.unsuccessful_attempts / c->options.connection_list->len) - 4;
2820 if (backoff > 0)
2821 {
2822 /* sec is less than 2^16; we can left shift it by up to 15 bits without overflow */
2823 sec = max_int(sec, 1) << min_int(backoff, 15);
2824 }
2826 {
2827 sec = max_int(sec, c->options.server_backoff_time);
2829 }
2830
2832 {
2834 }
2835 }
2836
2838 {
2840 }
2841 else if (c->persist.restart_sleep_seconds == -1)
2842 {
2843 sec = 0;
2844 }
2846
2847 /* do management hold on context restart, i.e. second, third, fourth, etc. initialization */
2848 if (do_hold(sec))
2849 {
2850 sec = 0;
2851 }
2852
2853 if (sec)
2854 {
2855 msg(D_RESTART, "Restart pause, %d second(s)", sec);
2856 management_sleep(sec);
2857 }
2858}
2859
2860/*
2861 * Do a possible pause on context_2 initialization.
2862 */
2863static void
2865{
2866 if (!c->first_time)
2867 {
2869 }
2870 else
2871 {
2872 do_hold(0); /* do management hold on first context initialization */
2873 }
2874}
2875
2876static size_t
2877get_frame_mtu(struct context *c, const struct options *o)
2878{
2879 size_t mtu;
2880
2881 if (o->ce.link_mtu_defined)
2882 {
2884 /* if we have a link mtu defined we calculate what the old code
2885 * would have come up with as tun-mtu */
2886 size_t overhead = frame_calculate_protocol_header_size(&c->c1.ks.key_type, o, true);
2887 mtu = o->ce.link_mtu - overhead;
2888 }
2889 else
2890 {
2892 mtu = o->ce.tun_mtu;
2893 }
2894
2895 if (mtu < TUN_MTU_MIN)
2896 {
2897 msg(M_WARN, "TUN MTU value (%zu) must be at least %d", mtu, TUN_MTU_MIN);
2898 frame_print(&c->c2.frame, M_FATAL, "MTU is too small");
2899 }
2900 return mtu;
2901}
2902
2903/*
2904 * Finalize MTU parameters based on command line or config file options.
2905 */
2906static void
2907frame_finalize_options(struct context *c, const struct options *o)
2908{
2909 if (!o)
2910 {
2911 o = &c->options;
2912 }
2913
2914 struct frame *frame = &c->c2.frame;
2915
2916 frame->tun_mtu = get_frame_mtu(c, o);
2918
2919 /* max mtu needs to be at least as large as the tun mtu */
2921
2922 /* We always allow at least 1600 MTU packets to be received in our buffer
2923 * space to allow server to push "baby giant" MTU sizes */
2925
2926 size_t payload_size = frame->tun_max_mtu;
2927
2928 /* we need to be also large enough to hold larger control channel packets
2929 * if configured */
2931
2932 /* The extra tun needs to be added to the payload size */
2933 if (o->ce.tun_mtu_defined)
2934 {
2936 }
2937
2938 /* Add 32 byte of extra space in the buffer to account for small errors
2939 * in the calculation */
2940 payload_size += 32;
2941
2942
2943 /* the space that is reserved before the payload to add extra headers to it
2944 * we always reserve the space for the worst case */
2945 size_t headroom = 0;
2946
2947 /* includes IV and packet ID */
2949
2950 /* peer id + opcode */
2951 headroom += 4;
2952
2953 /* socks proxy header */
2954 headroom += 10;
2955
2956 /* compression header and fragment header (part of the encrypted payload) */
2957 headroom += 1 + 1;
2958
2959 /* Round up headroom to the next multiple of 4 to ensure alignment */
2960 headroom = (headroom + 3) & ~3;
2961
2962 /* Add the headroom to the payloadsize as a received (IP) packet can have
2963 * all the extra headers in it */
2965
2966 /* the space after the payload, this needs some extra buffer space for
2967 * encryption so headroom is probably too much but we do not really care
2968 * the few extra bytes */
2969 size_t tailroom = headroom;
2970
2971#ifdef USE_COMP
2973 "MTU: adding %zu buffer tailroom for compression for %zu "
2974 "bytes of payload",
2975 COMP_EXTRA_BUFFER(payload_size), payload_size);
2976 tailroom += COMP_EXTRA_BUFFER(payload_size);
2977#endif
2978
2982}
2983
2984/*
2985 * Free a key schedule, including OpenSSL components.
2986 */
2987static void
2988key_schedule_free(struct key_schedule *ks, bool free_ssl_ctx)
2989{
2991 if (tls_ctx_initialised(&ks->ssl_ctx) && free_ssl_ctx)
2992 {
2993 tls_ctx_free(&ks->ssl_ctx);
2995 }
2996 CLEAR(*ks);
2997}
2998
2999static void
3000init_crypto_pre(struct context *c, const unsigned int flags)
3001{
3002 if (c->options.engine)
3003 {
3005 }
3006
3007 if (flags & CF_LOAD_PERSISTED_PACKET_ID)
3008 {
3009 /* load a persisted packet-id for cross-session replay-protection */
3010 if (c->options.packet_id_file)
3011 {
3013 }
3014 }
3015
3016#ifdef ENABLE_PREDICTION_RESISTANCE
3017 if (c->options.use_prediction_resistance)
3018 {
3019 rand_ctx_enable_prediction_resistance();
3020 }
3021#endif
3022}
3023
3024/*
3025 * Static Key Mode (using a pre-shared key)
3026 */
3027static void
3028do_init_crypto_static(struct context *c, const unsigned int flags)
3029{
3030 const struct options *options = &c->options;
3032
3033 init_crypto_pre(c, flags);
3034
3035 /* Initialize flags */
3037 {
3039 }
3040
3041 /* Initialize packet ID tracking */
3043 "STATIC", 0);
3047
3049 {
3050 /* Get cipher & hash algorithms */
3052 options->test_crypto, true);
3053
3054 /* Read cipher and hmac keys from shared secret file */
3057 options->key_direction, "Static Key Encryption", "secret", NULL);
3058 }
3059 else
3060 {
3061 msg(M_INFO, "Re-using pre-shared static key");
3062 }
3063
3064 /* Get key schedule */
3066}
3067
3068/*
3069 * Initialize the tls-auth/crypt key context
3070 */
3071static void
3073{
3074 const struct options *options = &c->options;
3075
3076 /* TLS handshake authentication (--tls-auth) */
3078 {
3079 /* Initialize key_type for tls-auth with auth only */
3081 c->c1.ks.tls_auth_key_type.cipher = "none";
3083 if (!md_valid(options->authname))
3084 {
3085 msg(M_FATAL,
3086 "ERROR: tls-auth enabled, but no valid --auth "
3087 "algorithm specified ('%s')",
3088 options->authname);
3089 }
3090
3093 options->ce.key_direction, "Control Channel Authentication",
3094 "tls-auth", &c->c1.ks.original_wrap_keydata);
3095 }
3096
3097 /* TLS handshake encryption+authentication (--tls-crypt) */
3099 {
3103 }
3104
3105 /* tls-crypt with client-specific keys (--tls-crypt-v2) */
3107 {
3108 if (options->tls_server)
3109 {
3113 }
3114 else
3115 {
3119 }
3120 /* We have to ensure that the loaded tls-crypt key is small enough
3121 * to fit into the initial hard reset v3 packet */
3122 int wkc_len = buf_len(&c->c1.ks.tls_crypt_v2_wkc);
3123
3124 /* empty ACK/message id, tls-crypt, Opcode, UDP, ipv6 */
3125 int required_size = 5 + wkc_len + tls_crypt_buf_overhead() + 1 + 8 + 40;
3126
3127 if (required_size > c->options.ce.tls_mtu)
3128 {
3129 msg(M_WARN,
3130 "ERROR: tls-crypt-v2 client key too large to work with "
3131 "requested --max-packet-size %d, requires at least "
3132 "--max-packet-size %d. Packets will ignore requested "
3133 "maximum packet size",
3134 c->options.ce.tls_mtu, required_size);
3135 }
3136 }
3137}
3138
3139/*
3140 * Initialize the persistent component of OpenVPN's TLS mode,
3141 * which is preserved across SIGUSR1 resets.
3142 */
3143static void
3145{
3146 const struct options *options = &c->options;
3147
3148 if (!tls_ctx_initialised(&c->c1.ks.ssl_ctx))
3149 {
3150 /*
3151 * Initialize the OpenSSL library's global
3152 * SSL context.
3153 */
3154 init_ssl(options, &(c->c1.ks.ssl_ctx), c->c0 && c->c0->uid_gid_chroot_set);
3155 if (!tls_ctx_initialised(&c->c1.ks.ssl_ctx))
3156 {
3157 switch (auth_retry_get())
3158 {
3159 case AR_NONE:
3160 msg(M_FATAL, "Error: private key password verification failed");
3161 break;
3162
3163 case AR_INTERACT:
3164 ssl_purge_auth(false);
3165 /* Intentional [[fallthrough]]; */
3166
3167 case AR_NOINTERACT:
3168 /* SOFT-SIGUSR1 -- Password failure error */
3169 register_signal(c->sig, SIGUSR1, "private-key-password-failure");
3170 break;
3171
3172 default:
3173 ASSERT(0);
3174 }
3175 return;
3176 }
3177
3178 /*
3179 * BF-CBC is allowed to be used only when explicitly configured
3180 * as NCP-fallback or when NCP has been disabled or explicitly
3181 * allowed in the in ncp_ciphers list.
3182 * In all other cases do not attempt to initialize BF-CBC as it
3183 * may not even be supported by the underlying SSL library.
3184 *
3185 * Therefore, the key structure has to be initialized when:
3186 * - any non-BF-CBC cipher was selected; or
3187 * - BF-CBC is selected, NCP is enabled and fallback is enabled
3188 * (BF-CBC will be the fallback).
3189 * - BF-CBC is in data-ciphers and we negotiate to use BF-CBC:
3190 * If the negotiated cipher and options->ciphername are the
3191 * same we do not reinit the cipher
3192 *
3193 * Note that BF-CBC will still be part of the OCC string to retain
3194 * backwards compatibility with older clients.
3195 */
3196 const char *ciphername = options->ciphername;
3197 if (streq(options->ciphername, "BF-CBC")
3200 {
3201 ciphername = "none";
3202 }
3203
3204 /* Do not warn if the cipher is used only in OCC */
3205 bool warn = options->enable_ncp_fallback;
3207
3208 /* initialize tls-auth/crypt/crypt-v2 key */
3210
3211 /* initialise auth-token crypto support */
3213 {
3216 }
3217
3218#if 0 /* was: #if ENABLE_INLINE_FILES -- Note that enabling this code will break restarts */
3220 {
3222 c->options.priv_key_file_inline = NULL;
3223 }
3224#endif
3225 }
3226 else
3227 {
3228 msg(D_INIT_MEDIUM, "Re-using SSL/TLS context");
3229
3230 /*
3231 * tls-auth/crypt key can be configured per connection block, therefore
3232 * we must reload it as it may have changed
3233 */
3235 }
3236}
3237
3238static void
3239do_init_crypto_tls(struct context *c, const unsigned int flags)
3240{
3241 const struct options *options = &c->options;
3242 struct tls_options to;
3243 bool packet_id_long_form;
3244
3247
3248 init_crypto_pre(c, flags);
3249
3250 /* Make sure we are either a TLS client or server but not both */
3252
3253 /* initialize persistent component */
3255 if (IS_SIG(c))
3256 {
3257 return;
3258 }
3259
3260 /* In short form, unique datagram identifier is 32 bits, in long form 64 bits */
3261 packet_id_long_form = cipher_kt_mode_ofb_cfb(c->c1.ks.key_type.cipher);
3262
3263 /* Set all command-line TLS-related options */
3264 CLEAR(to);
3265
3267 {
3269 }
3270
3272 if (packet_id_long_form)
3273 {
3275 }
3276
3277 to.ssl_ctx = c->c1.ks.ssl_ctx;
3278 to.key_type = c->c1.ks.key_type;
3290 {
3291 /* Add 10% jitter to reneg-sec by default (server side only) */
3292 int auto_jitter = options->mode != MODE_SERVER
3293 ? 0
3296 }
3297 else
3298 {
3299 /* Add user-specified jitter to reneg-sec */
3302 - (get_random()
3304 }
3306 to.mode = options->mode;
3307 to.pull = options->pull;
3308 if (options->push_peer_info) /* all there is */
3309 {
3310 to.push_peer_info_detail = 3;
3311 }
3312 else if (options->pull) /* pull clients send some details */
3313 {
3314 to.push_peer_info_detail = 2;
3315 }
3316 else if (options->mode == MODE_SERVER) /* server: no peer info at all */
3317 {
3318 to.push_peer_info_detail = 0;
3319 }
3320 else /* default: minimal info to allow NCP in P2P mode */
3321 {
3322 to.push_peer_info_detail = 1;
3323 }
3324
3325 /* Check if the DCO drivers support the epoch data format */
3326 if (dco_enabled(options))
3327 {
3329 }
3330 else
3331 {
3332 to.data_epoch_supported = true;
3333 }
3334
3335 /* should we not xmit any packets until we get an initial
3336 * response from client? */
3337 if (to.server && c->mode == CM_CHILD_TCP)
3338 {
3339 to.xmit_hold = true;
3340 }
3341
3349 memcpy(to.remote_cert_ku, options->remote_cert_ku, sizeof(to.remote_cert_ku));
3355#ifdef ENABLE_X509ALTUSERNAME
3356 memcpy(to.x509_username_field, options->x509_username_field, sizeof(to.x509_username_field));
3357#else
3359#endif
3360 to.es = c->c2.es;
3361 to.net_ctx = &c->net_ctx;
3362
3363#ifdef ENABLE_DEBUG
3364 to.gremlin = c->options.gremlin;
3365#endif
3366
3367 to.plugins = c->plugins;
3368
3369#ifdef ENABLE_MANAGEMENT
3370 to.mda_context = &c->c2.mda_context;
3371#endif
3372
3376 to.tmp_dir = options->tmp_dir;
3379 {
3381 }
3389
3391
3392#ifdef ENABLE_MANAGEMENT
3393 to.sci = &options->sc_info;
3394#endif
3395
3396#ifdef USE_COMP
3397 to.comp_options = options->comp;
3398#endif
3399
3401 {
3403 if (to.ekm_size < 16 || to.ekm_size > 4095)
3404 {
3405 to.ekm_size = 0;
3406 }
3407
3409 to.ekm_label_size = strlen(to.ekm_label);
3410 }
3411 else
3412 {
3413 to.ekm_size = 0;
3414 }
3415
3416 /* TLS handshake authentication (--tls-auth) */
3418 {
3419 to.tls_wrap.mode = TLS_WRAP_AUTH;
3420 }
3421
3422 /* TLS handshake encryption (--tls-crypt) */
3424 {
3425 to.tls_wrap.mode = TLS_WRAP_CRYPT;
3426 }
3427
3428 if (to.tls_wrap.mode == TLS_WRAP_AUTH || to.tls_wrap.mode == TLS_WRAP_CRYPT)
3429 {
3434 }
3435
3437 {
3438 to.tls_crypt_v2 = true;
3440
3441 if (options->tls_server)
3442 {
3446 {
3448 }
3449 }
3450 }
3451
3452 /* let the TLS engine know if keys have to be installed in DCO or not */
3454
3455 /*
3456 * Initialize OpenVPN's master TLS-mode object.
3457 */
3458 if (flags & CF_INIT_TLS_MULTI)
3459 {
3460 c->c2.tls_multi = tls_multi_init(&to);
3461 /* inherit the dco context from the tuntap object */
3462 if (c->c1.tuntap)
3463 {
3464 c->c2.tls_multi->dco = &c->c1.tuntap->dco;
3465 }
3466 }
3467
3468 if (flags & CF_INIT_TLS_AUTH_STANDALONE)
3469 {
3472 }
3473}
3474
3475static void
3477{
3478 if (c->c2.tls_multi)
3479 {
3482 frame_print(&c->c2.tls_multi->opt.frame, D_MTU_INFO, "Control Channel MTU parms");
3483
3484 /* Keep the max mtu also in the frame of tls multi so it can access
3485 * it in push_peer_info */
3487 }
3488 if (c->c2.tls_auth_standalone)
3489 {
3491 c->options.ce.tls_mtu);
3492 frame_print(&c->c2.tls_auth_standalone->frame, D_MTU_INFO, "TLS-Auth MTU parms");
3495 }
3496}
3497
3498#if defined(__GNUC__) || defined(__clang__)
3499#pragma GCC diagnostic pop
3500#endif
3501
3502/*
3503 * No encryption or authentication.
3504 */
3505static void
3507{
3509
3510 /* Initialise key_type with auth/cipher "none", so the key_type struct is
3511 * valid */
3512 init_key_type(&c->c1.ks.key_type, "none", "none", c->options.test_crypto, true);
3513
3514 msg(M_WARN, "******* WARNING *******: All encryption and authentication features "
3515 "disabled -- All data will be tunnelled as clear text and will not be "
3516 "protected against man-in-the-middle changes. "
3517 "PLEASE DO RECONSIDER THIS CONFIGURATION!");
3518}
3519
3520static void
3521do_init_crypto(struct context *c, const unsigned int flags)
3522{
3524 {
3525 do_init_crypto_static(c, flags);
3526 }
3527 else if (c->options.tls_server || c->options.tls_client)
3528 {
3529 do_init_crypto_tls(c, flags);
3530 }
3531 else /* no encryption or authentication. */
3532 {
3534 }
3535}
3536
3537static void
3539{
3540 /*
3541 * Adjust frame size based on the --tun-mtu-extra parameter.
3542 */
3544 {
3546 }
3547
3548 /*
3549 * Fill in the blanks in the frame parameters structure,
3550 * make sure values are rational, etc.
3551 */
3552 frame_finalize_options(c, NULL);
3553
3554
3555#if defined(ENABLE_FRAGMENT)
3556 /*
3557 * MTU advisories
3558 */
3559 if (c->options.ce.fragment && c->options.mtu_test)
3560 {
3561 msg(M_WARN,
3562 "WARNING: using --fragment and --mtu-test together may produce an inaccurate MTU test result");
3563 }
3564#endif
3565
3566#ifdef ENABLE_FRAGMENT
3567 if (c->options.ce.fragment > 0 && c->options.ce.mssfix > c->options.ce.fragment)
3568 {
3569 msg(M_WARN,
3570 "WARNING: if you use --mssfix and --fragment, you should "
3571 "set --fragment (%d) larger or equal than --mssfix (%d)",
3573 }
3574 if (c->options.ce.fragment > 0 && c->options.ce.mssfix > 0
3576 {
3577 msg(M_WARN, "WARNING: if you use --mssfix and --fragment, you should "
3578 "use the \"mtu\" flag for both or none of of them.");
3579 }
3580#endif
3581}
3582
3583static void
3585{
3586 const struct options *o = &c->options;
3587
3588 if (o->ping_send_timeout && !o->ping_rec_timeout)
3589 {
3590 msg(M_WARN, "WARNING: --ping should normally be used with --ping-restart or --ping-exit");
3591 }
3592
3593 if (o->username || o->groupname || o->chroot_dir
3594#ifdef ENABLE_SELINUX
3595 || o->selinux_context
3596#endif
3597 )
3598 {
3599 if (!o->persist_tun)
3600 {
3601 msg(M_WARN,
3602 "WARNING: you are using user/group/chroot/setcon without persist-tun -- this may cause restarts to fail");
3603 }
3604 }
3605
3606 if (o->chroot_dir && !(o->username && o->groupname))
3607 {
3608 msg(M_WARN,
3609 "WARNING: you are using chroot without specifying user and group -- this may cause the chroot jail to be insecure");
3610 }
3611
3612 if (o->pull && o->ifconfig_local && c->first_time)
3613 {
3614 msg(M_WARN,
3615 "WARNING: using --pull/--client and --ifconfig together is probably not what you want");
3616 }
3617
3619 {
3620 msg(M_WARN,
3621 "NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to");
3622 }
3623
3624 if (o->mode == MODE_SERVER)
3625 {
3626 if (o->duplicate_cn && o->client_config_dir)
3627 {
3628 msg(M_WARN,
3629 "WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want");
3630 }
3632 {
3633 msg(M_WARN, "WARNING: --ifconfig-pool-persist will not work with --duplicate-cn");
3634 }
3635 if (!o->keepalive_ping || !o->keepalive_timeout)
3636 {
3637 msg(M_WARN, "WARNING: --keepalive option is missing from server config");
3638 }
3639 }
3640
3641 if (o->tls_server)
3642 {
3644 }
3647 && !(o->verify_hash_depth == 0 && o->verify_hash))
3648 {
3649 msg(M_WARN,
3650 "WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.");
3651 }
3652 if (o->ns_cert_type)
3653 {
3654 msg(M_WARN, "WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.");
3655 }
3656
3657 /* If a script is used, print appropriate warnings */
3658 if (o->user_script_used)
3659 {
3661 {
3662 msg(M_WARN,
3663 "NOTE: the current --script-security setting may allow this configuration to call user-defined scripts");
3664 }
3665 else if (script_security() >= SSEC_PW_ENV)
3666 {
3667 msg(M_WARN,
3668 "WARNING: the current --script-security setting may allow passwords to be passed to scripts via environmental variables");
3669 }
3670 else
3671 {
3672 msg(M_WARN,
3673 "NOTE: starting with " PACKAGE_NAME
3674 " 2.1, '--script-security 2' or higher is required to call user-defined scripts or executables");
3675 }
3676 }
3677}
3678
3679struct context_buffers *
3681{
3682 struct context_buffers *b;
3683
3685
3686 size_t buf_size = BUF_SIZE(frame);
3687
3688 b->read_link_buf = alloc_buf(buf_size);
3689 b->read_tun_buf = alloc_buf(buf_size);
3690
3691 b->aux_buf = alloc_buf(buf_size);
3692
3693 b->encrypt_buf = alloc_buf(buf_size);
3694 b->decrypt_buf = alloc_buf(buf_size);
3695
3696#ifdef USE_COMP
3697 b->compress_buf = alloc_buf(buf_size);
3698 b->decompress_buf = alloc_buf(buf_size);
3699#endif
3700
3701 return b;
3702}
3703
3704void
3706{
3707 if (b)
3708 {
3711 free_buf(&b->aux_buf);
3712
3713#ifdef USE_COMP
3714 free_buf(&b->compress_buf);
3715 free_buf(&b->decompress_buf);
3716#endif
3717
3718 free_buf(&b->encrypt_buf);
3719 free_buf(&b->decrypt_buf);
3720
3721 free(b);
3722 }
3723}
3724
3725/*
3726 * Now that we know all frame parameters, initialize
3727 * our buffers.
3728 */
3729static void
3731{
3733 c->c2.buffers_owned = true;
3734}
3735
3736#ifdef ENABLE_FRAGMENT
3737/*
3738 * Fragmenting code has buffers to initialize
3739 * once frame parameters are known.
3740 */
3741static void
3743{
3745
3746 /*
3747 * Set frame parameter for fragment code. This is necessary because
3748 * the fragmentation code deals with payloads which have already been
3749 * passed through the compression code.
3750 */
3751 c->c2.frame_fragment = c->c2.frame;
3752
3756}
3757#endif
3758
3759/*
3760 * Allocate our socket object.
3761 */
3762static void
3764{
3765 ASSERT(!c->c2.link_sockets);
3766
3768
3769 for (int i = 0; i < c->c1.link_sockets_num; i++)
3770 {
3772 }
3773 c->c2.link_socket_owned = true;
3774}
3775
3776/*
3777 * bind TCP/UDP sockets
3778 */
3779static void
3781{
3782 for (int i = 0; i < c->c1.link_sockets_num; i++)
3783 {
3784 int mode = LS_MODE_DEFAULT;
3785
3786 /* mode allows CM_CHILD_TCP
3787 * instances to inherit acceptable fds
3788 * from a top-level parent */
3789 if (c->options.mode == MODE_SERVER)
3790 {
3791 /* initializing listening socket */
3792 if (c->mode == CM_TOP)
3793 {
3794 mode = LS_MODE_TCP_LISTEN;
3795 }
3796 /* initializing socket to client */
3797 else if (c->mode == CM_CHILD_TCP)
3798 {
3800 }
3801 }
3802
3803 /* init each socket with its specific args */
3804 link_socket_init_phase1(c, i, mode);
3805 }
3806}
3807
3808/*
3809 * finalize TCP/UDP sockets
3810 */
3811static void
3813{
3814 for (int i = 0; i < c->c1.link_sockets_num; i++)
3815 {
3817 }
3818}
3819
3820/*
3821 * Print MTU INFO
3822 */
3823static void
3825{
3826 frame_print(&c->c2.frame, D_MTU_INFO, "Data Channel MTU parms");
3827#ifdef ENABLE_FRAGMENT
3828 if (c->c2.fragment)
3829 {
3830 frame_print(&c->c2.frame_fragment, D_MTU_INFO, "Fragmentation MTU parms");
3831 }
3832#endif
3833}
3834
3835/*
3836 * Get local and remote options compatibility strings.
3837 */
3838static void
3840{
3841 struct gc_arena gc = gc_new();
3842
3844 options_string(&c->options, &c->c2.frame, c->c1.tuntap, &c->net_ctx, false, &gc);
3846 options_string(&c->options, &c->c2.frame, c->c1.tuntap, &c->net_ctx, true, &gc);
3847
3848 msg(D_SHOW_OCC, "Local Options String (VER=%s): '%s'",
3850 msg(D_SHOW_OCC, "Expected Remote Options String (VER=%s): '%s'",
3852
3853 if (c->c2.tls_multi)
3854 {
3857 }
3858
3859 gc_free(&gc);
3860}
3861
3862/*
3863 * These things can only be executed once per program instantiation.
3864 * Set up for possible UID/GID downgrade, but don't do it yet.
3865 * Daemonize if requested.
3866 */
3867static void
3869{
3870 if (c->first_time && !c->c0)
3871 {
3872 struct context_0 *c0;
3873
3874 ALLOC_OBJ_CLEAR_GC(c->c0, struct context_0, &c->gc);
3875 c0 = c->c0;
3876
3877 /* get user and/or group that we want to setuid/setgid to,
3878 * sets also platform_x_state */
3879 bool group_defined = platform_group_get(c->options.groupname, &c0->platform_state_group);
3880 bool user_defined = platform_user_get(c->options.username, &c0->platform_state_user);
3881
3882 c0->uid_gid_specified = user_defined || group_defined;
3883
3884 /* fork the dns script runner to preserve root? */
3885 c->persist.duri.required = user_defined;
3886
3887 /* perform postponed chdir if --daemon */
3888 if (c->did_we_daemonize && c->options.cd_dir == NULL)
3889 {
3890 platform_chdir("/");
3891 }
3892
3893 /* should we change scheduling priority? */
3895 }
3896}
3897
3898/*
3899 * free buffers
3900 */
3901static void
3903{
3904 if (c->c2.buffers_owned)
3905 {
3907 c->c2.buffers = NULL;
3908 c->c2.buffers_owned = false;
3909 }
3910}
3911
3912/*
3913 * close TLS
3914 */
3915static void
3917{
3918 if (c->c2.tls_multi)
3919 {
3920 tls_multi_free(c->c2.tls_multi, true);
3921 c->c2.tls_multi = NULL;
3922 }
3923
3924 /* free options compatibility strings */
3925 free(c->c2.options_string_local);
3926 free(c->c2.options_string_remote);
3927
3929
3930 if (c->c2.pulled_options_state)
3931 {
3934 }
3935
3937}
3938
3939/*
3940 * Free key schedules
3941 */
3942static void
3943do_close_free_key_schedule(struct context *c, bool free_ssl_ctx)
3944{
3945 /*
3946 * always free the tls_auth/crypt key. The key will
3947 * be reloaded from memory (pre-cached)
3948 */
3951 CLEAR(c->c1.ks.tls_wrap_key);
3954
3955 if (!(c->sig->signal_received == SIGUSR1))
3956 {
3957 key_schedule_free(&c->c1.ks, free_ssl_ctx);
3958 }
3959}
3960
3961/*
3962 * Close TCP/UDP connection
3963 */
3964static void
3966{
3967 if (c->c2.link_sockets && c->c2.link_socket_owned)
3968 {
3969 for (int i = 0; i < c->c1.link_sockets_num; i++)
3970 {
3971 /* in dco-win case, link socket is a tun handle which is
3972 * closed in do_close_tun(). Set it to UNDEFINED so
3973 * we won't use WinSock API to close it. */
3974 if (tuntap_is_dco_win(c->c1.tuntap))
3975 {
3977 }
3978
3980 }
3981 c->c2.link_sockets = NULL;
3982 }
3983
3984
3985 /* Preserve the resolved list of remote if the user request to or if we want
3986 * reconnect to the same host again or there are still addresses that need
3987 * to be tried */
3988 if (!(c->sig->signal_received == SIGUSR1
3989 && ((c->options.persist_remote_ip)
3990 || (c->sig->source != SIG_SOURCE_HARD
3992 && c->c1.link_socket_addrs[0].current_remote->ai_next)
3993 || c->options.no_advance)))))
3994 {
3996 }
3997
3998 /* Clear the remote actual address when persist_remote_ip is not in use */
3999 if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_remote_ip))
4000 {
4001 for (int i = 0; i < c->c1.link_sockets_num; i++)
4002 {
4004 }
4005 }
4006
4007 if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_local_ip))
4008 {
4009 for (int i = 0; i < c->c1.link_sockets_num; i++)
4010 {
4012 {
4013 freeaddrinfo(c->c1.link_socket_addrs[i].bind_local);
4014 }
4015
4016 c->c1.link_socket_addrs[i].bind_local = NULL;
4017 }
4018 }
4019}
4020
4021/*
4022 * Close packet-id persistence file
4023 */
4024static void
4026{
4029 if (!(c->sig->signal_received == SIGUSR1))
4030 {
4032 }
4033}
4034
4035#ifdef ENABLE_FRAGMENT
4036/*
4037 * Close fragmentation handler.
4038 */
4039static void
4041{
4042 if (c->c2.fragment)
4043 {
4045 c->c2.fragment = NULL;
4046 }
4047}
4048#endif
4049
4050/*
4051 * Open and close our event objects.
4052 */
4053
4054static void
4055do_event_set_init(struct context *c, bool need_us_timeout)
4056{
4057 unsigned int flags = 0;
4058
4060
4061 flags |= EVENT_METHOD_FAST;
4062
4063 if (need_us_timeout)
4064 {
4065 flags |= EVENT_METHOD_US_TIMEOUT;
4066 }
4067
4068 c->c2.event_set = event_set_init(&c->c2.event_set_max, flags);
4069 c->c2.event_set_owned = true;
4070}
4071
4072static void
4074{
4075 if (c->c2.event_set && c->c2.event_set_owned)
4076 {
4078 c->c2.event_set = NULL;
4079 c->c2.event_set_owned = false;
4080 }
4081}
4082
4083/*
4084 * Open and close --status file
4085 */
4086
4087static void
4089{
4090 if (!c->c1.status_output)
4091 {
4092 c->c1.status_output =
4095 c->c1.status_output_owned = true;
4096 }
4097}
4098
4099static void
4101{
4102 if (!(c->sig->signal_received == SIGUSR1))
4103 {
4105 {
4107 c->c1.status_output = NULL;
4108 c->c1.status_output_owned = false;
4109 }
4110 }
4111}
4112
4113/*
4114 * Handle ifconfig-pool persistence object.
4115 */
4116static void
4127
4128static void
4130{
4131 if (!(c->sig->signal_received == SIGUSR1))
4132 {
4134 {
4136 c->c1.ifconfig_pool_persist = NULL;
4138 }
4139 }
4140}
4141
4142/*
4143 * Inherit environmental variables
4144 */
4145
4146static void
4147do_inherit_env(struct context *c, const struct env_set *src)
4148{
4149 c->c2.es = env_set_create(NULL);
4150 c->c2.es_owned = true;
4151 env_set_inherit(c->c2.es, src);
4152}
4153
4154static void
4156{
4157 if (c->c2.es && c->c2.es_owned)
4158 {
4159 env_set_destroy(c->c2.es);
4160 c->c2.es = NULL;
4161 c->c2.es_owned = false;
4162 }
4163}
4164
4165/*
4166 * Fast I/O setup. Fast I/O is an optimization which only works
4167 * if all of the following are true:
4168 *
4169 * (1) The platform is not Windows
4170 * (2) --proto udp is enabled
4171 * (3) --shaper is disabled
4172 */
4173static void
4175{
4176 if (c->options.fast_io)
4177 {
4178#ifdef _WIN32
4179 msg(M_INFO, "NOTE: --fast-io is disabled since we are running on Windows");
4180#else
4181 if (c->options.shaper)
4182 {
4183 msg(M_INFO, "NOTE: --fast-io is disabled since we are using --shaper");
4184 }
4185 else
4186 {
4187 c->c2.fast_io = true;
4188 }
4189#endif
4190 }
4191}
4192
4193static void
4195{
4196 if (c->options.tls_exit)
4197 {
4198 c->c2.tls_exit_signal = SIGTERM;
4199 }
4200 else
4201 {
4202 c->c2.tls_exit_signal = SIGUSR1;
4203 }
4204}
4205
4206#ifdef ENABLE_PLUGIN
4207
4208void
4210{
4211 if (c->options.plugin_list && !c->plugins)
4212 {
4214 c->plugins_owned = true;
4215 }
4216}
4217
4218void
4219open_plugins(struct context *c, const bool import_options, int init_point)
4220{
4221 if (c->plugins && c->plugins_owned)
4222 {
4223 if (import_options)
4224 {
4225 struct plugin_return pr, config;
4226 plugin_return_init(&pr);
4227 plugin_list_open(c->plugins, c->options.plugin_list, &pr, c->c2.es, init_point);
4228 plugin_return_get_column(&pr, &config, "config");
4229 if (plugin_return_defined(&config))
4230 {
4231 int i;
4232 for (i = 0; i < config.n; ++i)
4233 {
4234 unsigned int option_types_found = 0;
4235 if (config.list[i] && config.list[i]->value)
4236 {
4238 &c->options, config.list[i]->value, D_IMPORT_ERRORS | M_OPTERR,
4239 OPT_P_DEFAULT & ~OPT_P_PLUGIN, &option_types_found, c->es);
4240 }
4241 }
4242 }
4243 plugin_return_free(&pr);
4244 }
4245 else
4246 {
4247 plugin_list_open(c->plugins, c->options.plugin_list, NULL, c->c2.es, init_point);
4248 }
4249 }
4250}
4251
4252static void
4254{
4255 if (c->plugins && c->plugins_owned && !(c->sig->signal_received == SIGUSR1))
4256 {
4258 c->plugins = NULL;
4259 c->plugins_owned = false;
4260 }
4261}
4262
4263static void
4264do_inherit_plugins(struct context *c, const struct context *src)
4265{
4266 if (!c->plugins && src->plugins)
4267 {
4269 c->plugins_owned = true;
4270 }
4271}
4272
4273#endif /* ifdef ENABLE_PLUGIN */
4274
4275#ifdef ENABLE_MANAGEMENT
4276
4277static void
4278management_callback_status_p2p(void *arg, const int version, struct status_output *so)
4279{
4280 struct context *c = (struct context *)arg;
4281 print_status(c, so);
4282}
4283
4284void
4285management_show_net_callback(void *arg, const msglvl_t msglevel)
4286{
4287#ifdef _WIN32
4288 show_routes(msglevel);
4289 show_adapters(msglevel);
4290 msg(msglevel, "END");
4291#else
4292 msg(msglevel, "ERROR: Sorry, this command is currently only implemented on Windows");
4293#endif
4294}
4295
4296#ifdef TARGET_ANDROID
4297int
4298management_callback_network_change(void *arg, bool samenetwork)
4299{
4300 /* Check if the client should translate the network change to a SIGUSR1 to
4301 * reestablish the connection or just reprotect the socket
4302 *
4303 * At the moment just assume that, for all settings that use pull (not
4304 * --static) and are not using peer-id reestablishing the connection is
4305 * required (unless the network is the same)
4306 *
4307 * The function returns -1 on invalid fd and -2 if the socket cannot be
4308 * reused. On the -2 return value the man_network_change function triggers
4309 * a SIGUSR1 to force a reconnect.
4310 */
4311
4312 int socketfd = -1;
4313 struct context *c = (struct context *)arg;
4314 if (!c->c2.link_sockets || !c->c2.link_sockets[0])
4315 {
4316 return -1;
4317 }
4318 if (c->c2.link_sockets[0]->sd == SOCKET_UNDEFINED)
4319 {
4320 return -1;
4321 }
4322
4323 /* On some newer Android handsets, changing to a different network
4324 * often does not trigger a TCP reset but continue using the old
4325 * connection (e.g. using mobile connection when WiFi becomes available */
4326 struct link_socket_info *lsi = get_link_socket_info(c);
4327 if (lsi && proto_is_tcp(lsi->proto) && !samenetwork)
4328 {
4329 return -2;
4330 }
4331
4332 socketfd = c->c2.link_sockets[0]->sd;
4333 if (!c->options.pull || c->c2.tls_multi->use_peer_id || samenetwork)
4334 {
4335 return socketfd;
4336 }
4337 else
4338 {
4339 return -2;
4340 }
4341}
4342#endif /* ifdef TARGET_ANDROID */
4343
4344#endif /* ifdef ENABLE_MANAGEMENT */
4345
4346void
4348{
4349#ifdef ENABLE_MANAGEMENT
4350 if (management)
4351 {
4352 struct management_callback cb;
4353 CLEAR(cb);
4354 cb.arg = c;
4360#ifdef TARGET_ANDROID
4361 cb.network_change = management_callback_network_change;
4362#endif
4366 }
4367#endif
4368}
4369
4370#ifdef ENABLE_MANAGEMENT
4371
4372void
4374{
4375 if (!management)
4376 {
4378 }
4379}
4380
4381bool
4383{
4384 /* initialize management layer */
4385 if (management)
4386 {
4387 if (c->options.management_addr)
4388 {
4389 unsigned int flags = c->options.management_flags;
4390 if (c->options.mode == MODE_SERVER)
4391 {
4392 flags |= MF_SERVER;
4393 }
4394 if (management_open(
4400 {
4402 NULL);
4403 }
4404
4405 /* initial management hold, called early, before first context initialization */
4406 do_hold(0);
4407 if (IS_SIG(c))
4408 {
4409 msg(M_WARN, "Signal received from management interface, exiting");
4410 return false;
4411 }
4412 }
4413 else
4414 {
4416 }
4417 }
4418 return true;
4419}
4420
4421void
4423{
4424 if (management)
4425 {
4427 management = NULL;
4428 }
4429}
4430
4431#endif /* ifdef ENABLE_MANAGEMENT */
4432
4433
4434void
4436{
4437#ifdef ENABLE_MANAGEMENT
4438 if (management)
4439 {
4441 }
4442#endif
4443}
4444
4445void
4447{
4448#ifdef ENABLE_MANAGEMENT
4449 if (management)
4450 {
4452 }
4453#endif
4454}
4455
4456/*
4457 * Initialize a tunnel instance, handle pre and post-init
4458 * signal settings.
4459 */
4460void
4461init_instance_handle_signals(struct context *c, const struct env_set *env, const unsigned int flags)
4462{
4464 init_instance(c, env, flags);
4466
4467 /*
4468 * This is done so that signals thrown during
4469 * initialization can bring us back to
4470 * a management hold.
4471 */
4472 if (IS_SIG(c))
4473 {
4474 remap_signal(c);
4476 }
4477}
4478
4479/*
4480 * Initialize a tunnel instance.
4481 */
4482void
4483init_instance(struct context *c, const struct env_set *env, const unsigned int flags)
4484{
4485 const struct options *options = &c->options;
4486 const bool child = (c->mode == CM_CHILD_TCP || c->mode == CM_CHILD_UDP);
4487
4488 /* init garbage collection level */
4489 gc_init(&c->c2.gc);
4490
4491 /* inherit environmental variables */
4492 if (env)
4493 {
4494 do_inherit_env(c, env);
4495 }
4496
4497 if (c->mode == CM_P2P)
4498 {
4500 }
4501
4502 /* possible sleep or management hold if restart */
4503 if (c->mode == CM_P2P || c->mode == CM_TOP)
4504 {
4506 if (IS_SIG(c))
4507 {
4508 goto sig;
4509 }
4510 }
4511
4513 {
4514 do_preresolve(c);
4515 if (IS_SIG(c))
4516 {
4517 goto sig;
4518 }
4519 }
4520
4521 /* Resets all values to the initial values from the config where needed */
4522 pre_connect_restore(&c->options, &c->c2.gc);
4523
4524 /* map in current connection entry */
4526
4527 /* should we disable paging? */
4528 if (c->first_time && options->mlock)
4529 {
4530 platform_mlockall(true);
4531 }
4532
4533 /* get passwords if undefined */
4534 if (auth_retry_get() == AR_INTERACT)
4535 {
4537 }
4538
4539 /* initialize context level 2 --verb/--mute parms */
4541
4542 /* set error message delay for non-server modes */
4543 if (c->mode == CM_P2P)
4544 {
4546 }
4547
4548 /* warn about inconsistent options */
4549 if (c->mode == CM_P2P || c->mode == CM_TOP)
4550 {
4552 }
4553
4554#ifdef ENABLE_PLUGIN
4555 /* initialize plugins */
4556 if (c->mode == CM_P2P || c->mode == CM_TOP)
4557 {
4559 }
4560#endif
4561
4562 /* should we enable fast I/O? */
4563 if (c->mode == CM_P2P || c->mode == CM_TOP)
4564 {
4566 }
4567
4568 /* should we throw a signal on TLS errors? */
4570
4571 /* open --status file */
4572 if (c->mode == CM_P2P || c->mode == CM_TOP)
4573 {
4575 }
4576
4577 /* open --ifconfig-pool-persist file */
4578 if (c->mode == CM_TOP)
4579 {
4581 }
4582
4583 /* reset OCC state */
4584 if (c->mode == CM_P2P || child)
4585 {
4586 c->c2.occ_op = occ_reset_op();
4587 }
4588
4589 /* our wait-for-i/o objects, different for posix vs. win32 */
4590 if (c->mode == CM_P2P || c->mode == CM_TOP)
4591 {
4593 }
4594 else if (c->mode == CM_CHILD_TCP)
4595 {
4596 do_event_set_init(c, false);
4597 }
4598
4599 /* initialize HTTP or SOCKS proxy object at scope level 2 */
4600 init_proxy(c);
4601
4602 /* allocate our socket object */
4603 if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
4604 {
4606 }
4607
4608#ifdef ENABLE_FRAGMENT
4609 /* initialize internal fragmentation object */
4610 if (options->ce.fragment && (c->mode == CM_P2P || child))
4611 {
4612 c->c2.fragment = fragment_init(&c->c2.frame);
4613 }
4614#endif
4615
4616 /* init crypto layer */
4617 {
4618 unsigned int crypto_flags = 0;
4619 if (c->mode == CM_TOP)
4620 {
4621 crypto_flags = CF_INIT_TLS_AUTH_STANDALONE;
4622 }
4623 else if (c->mode == CM_P2P)
4624 {
4626 }
4627 else if (child)
4628 {
4629 crypto_flags = CF_INIT_TLS_MULTI;
4630 }
4631 do_init_crypto(c, crypto_flags);
4632 if (IS_SIG(c) && !child)
4633 {
4634 goto sig;
4635 }
4636 }
4637
4638#ifdef USE_COMP
4639 /* initialize compression library. */
4640 if (comp_enabled(&options->comp) && (c->mode == CM_P2P || child))
4641 {
4642 c->c2.comp_context = comp_init(&options->comp);
4643 }
4644#endif
4645
4646 /* initialize MTU variables */
4647 do_init_frame(c);
4648
4649 /* initialize TLS MTU variables */
4651
4652 /* init workspace buffers whose size is derived from frame size */
4653 if (c->mode == CM_P2P || c->mode == CM_CHILD_TCP)
4654 {
4655 do_init_buffers(c);
4656 }
4657
4658#ifdef ENABLE_FRAGMENT
4659 /* initialize internal fragmentation capability with known frame size */
4660 if (options->ce.fragment && (c->mode == CM_P2P || child))
4661 {
4663 }
4664#endif
4665
4666 /* bind the TCP/UDP socket */
4667 if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
4668 {
4670 }
4671
4672 /* initialize tun/tap device object,
4673 * open tun/tap device, ifconfig, run up script, etc. */
4674 if (!(options->up_delay || PULL_DEFINED(options)) && (c->mode == CM_P2P || c->mode == CM_TOP))
4675 {
4676 int error_flags = 0;
4677 c->c2.did_open_tun = do_open_tun(c, &error_flags);
4678 }
4679
4680 /* print MTU info */
4682
4683 /* get local and remote options compatibility strings */
4684 if (c->mode == CM_P2P || child)
4685 {
4687 }
4688
4689 /* initialize output speed limiter */
4690 if (c->mode == CM_P2P)
4691 {
4693 }
4694
4695 /* do one-time inits, and possibly become a daemon here */
4697
4698#ifdef ENABLE_PLUGIN
4699 /* initialize plugins */
4700 if (c->mode == CM_P2P || c->mode == CM_TOP)
4701 {
4703 }
4704#endif
4705
4706 /* initialise connect timeout timer */
4708
4709 /* finalize the TCP/UDP socket */
4710 if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
4711 {
4713
4714
4715 /* Update dynamic frame calculation as exact transport socket information
4716 * (IP vs IPv6) may be only available after socket phase2 has finished.
4717 * This is only needed for --static or no crypto, NCP will recalculate this
4718 * in tls_session_update_crypto_params (P2MP) */
4719 for (int i = 0; i < c->c1.link_sockets_num; i++)
4720 {
4722 &c->c2.link_sockets[i]->info);
4723 }
4724 }
4725
4726 /*
4727 * Actually do UID/GID downgrade, and chroot, if requested.
4728 * May be delayed by --client, --pull, or --up-delay.
4729 */
4731
4732 /* initialize timers */
4733 if (c->mode == CM_P2P || child)
4734 {
4735 do_init_timers(c, false);
4736 }
4737
4738#ifdef ENABLE_PLUGIN
4739 /* initialize plugins */
4740 if (c->mode == CM_P2P || c->mode == CM_TOP)
4741 {
4743 }
4744#endif
4745
4746#if PORT_SHARE
4747 /* share OpenVPN port with foreign (such as HTTPS) server */
4748 if (c->first_time && (c->mode == CM_P2P || c->mode == CM_TOP))
4749 {
4750 init_port_share(c);
4751 }
4752#endif
4753
4754 /* Check for signals */
4755 if (IS_SIG(c))
4756 {
4757 goto sig;
4758 }
4759
4760 return;
4761
4762sig:
4763 if (!c->sig->signal_text)
4764 {
4765 c->sig->signal_text = "init_instance";
4766 }
4767 close_context(c, -1, flags);
4768 return;
4769}
4770
4771/*
4772 * Close a tunnel instance.
4773 */
4774void
4776{
4777 /* close event objects */
4779
4780 if (c->mode == CM_P2P || c->mode == CM_CHILD_TCP || c->mode == CM_CHILD_UDP
4781 || c->mode == CM_TOP)
4782 {
4783#ifdef USE_COMP
4784 if (c->c2.comp_context)
4785 {
4786 comp_uninit(c->c2.comp_context);
4787 c->c2.comp_context = NULL;
4788 }
4789#endif
4790
4791 /* free buffers */
4793
4794 /* close peer for DCO if enabled, needs peer-id so must be done before
4795 * closing TLS contexts */
4796 dco_remove_peer(c);
4797
4798 /* close TLS */
4799 do_close_tls(c);
4800
4801 /* free key schedules */
4802 do_close_free_key_schedule(c, (c->mode == CM_P2P || c->mode == CM_TOP));
4803
4804 /* close TCP/UDP connection */
4806
4807 /* close TUN/TAP device */
4808 do_close_tun(c, false);
4809
4810#ifdef ENABLE_MANAGEMENT
4811 if (management)
4812 {
4814 }
4815#endif
4816
4817#ifdef ENABLE_PLUGIN
4818 /* call plugin close functions and unload */
4820#endif
4821
4822 /* close packet-id persistence file */
4824
4825 /* close --status file */
4827
4828#ifdef ENABLE_FRAGMENT
4829 /* close fragmentation handler */
4831#endif
4832
4833 /* close --ifconfig-pool-persist obj */
4835
4836 /* free up environmental variable store */
4838
4839 /* close HTTP or SOCKS proxy */
4840 uninit_proxy(c);
4841
4842 /* garbage collect */
4843 gc_free(&c->c2.gc);
4844 }
4845}
4846
4847void
4848inherit_context_child(struct context *dest, const struct context *src, struct link_socket *sock)
4849{
4850 CLEAR(*dest);
4851
4852 /* proto_is_dgram will ASSERT(0) if proto is invalid */
4854
4855 dest->gc = gc_new();
4856
4857 ALLOC_OBJ_CLEAR_GC(dest->sig, struct signal_info, &dest->gc);
4858
4859 /* c1 init */
4861 dest->c1.link_sockets_num = 1;
4863
4864 dest->c1.ks.key_type = src->c1.ks.key_type;
4865 /* inherit SSL context */
4866 dest->c1.ks.ssl_ctx = src->c1.ks.ssl_ctx;
4867 dest->c1.ks.tls_wrap_key = src->c1.ks.tls_wrap_key;
4870 /* inherit pre-NCP ciphers */
4871 dest->options.ciphername = src->options.ciphername;
4872 dest->options.authname = src->options.authname;
4873
4874 /* inherit auth-token */
4875 dest->c1.ks.auth_token_key = src->c1.ks.auth_token_key;
4876
4877 /* options */
4878 dest->options = src->options;
4879 dest->options.ce.proto = sock->info.proto;
4880 options_detach(&dest->options);
4881
4882 dest->c2.event_set = src->c2.event_set;
4883
4884 if (dest->mode == CM_CHILD_TCP)
4885 {
4886 /*
4887 * The CM_TOP context does the socket listen(),
4888 * and the CM_CHILD_TCP context does the accept().
4889 */
4890 dest->c2.accept_from = sock;
4891 }
4892
4893#ifdef ENABLE_PLUGIN
4894 /* inherit plugins */
4895 do_inherit_plugins(dest, src);
4896#endif
4897
4898 /* context init */
4899
4900 /* inherit tun/tap interface object now as it may be required
4901 * to initialize the DCO context in init_instance()
4902 */
4903 dest->c1.tuntap = src->c1.tuntap;
4904
4905 /* UDP inherits some extra things which TCP does not */
4906 if (dest->mode == CM_CHILD_UDP)
4907 {
4908 ASSERT(!dest->c2.link_sockets);
4909 ASSERT(dest->options.ce.local_list);
4910
4911 /* inherit buffers */
4912 dest->c2.buffers = src->c2.buffers;
4913
4914 ALLOC_ARRAY_GC(dest->c2.link_sockets, struct link_socket *, 1, &dest->gc);
4915
4916 /* inherit parent link_socket and tuntap */
4917 dest->c2.link_sockets[0] = sock;
4918
4919 ALLOC_ARRAY_GC(dest->c2.link_socket_infos, struct link_socket_info *, 1, &dest->gc);
4920 ALLOC_OBJ_GC(dest->c2.link_socket_infos[0], struct link_socket_info, &dest->gc);
4921 *dest->c2.link_socket_infos[0] = sock->info;
4922
4923 /* locally override some link_socket_info fields */
4924 dest->c2.link_socket_infos[0]->lsa = &dest->c1.link_socket_addrs[0];
4926 }
4927
4929 if (IS_SIG(dest))
4930 {
4931 return;
4932 }
4933}
4934
4935void
4936inherit_context_top(struct context *dest, const struct context *src)
4937{
4938 /* copy parent */
4939 *dest = *src;
4940
4941 /*
4942 * CM_TOP_CLONE will prevent close_instance from freeing or closing
4943 * resources owned by the parent.
4944 *
4945 * Also note that CM_TOP_CLONE context objects are
4946 * closed by multi_top_free in multi.c.
4947 */
4948 dest->mode = CM_TOP_CLONE;
4949
4950 dest->first_time = false;
4951 dest->c0 = NULL;
4952
4953 options_detach(&dest->options);
4954 gc_detach(&dest->gc);
4955 gc_detach(&dest->c2.gc);
4956
4957 /* detach plugins */
4958 dest->plugins_owned = false;
4959
4960 dest->c2.tls_multi = NULL;
4961
4962 /* detach c1 ownership */
4963 dest->c1.tuntap_owned = false;
4964 dest->c1.status_output_owned = false;
4965 dest->c1.ifconfig_pool_persist_owned = false;
4966
4967 /* detach c2 ownership */
4968 dest->c2.event_set_owned = false;
4969 dest->c2.link_socket_owned = false;
4970 dest->c2.buffers_owned = false;
4971 dest->c2.es_owned = false;
4972
4973 dest->c2.event_set = NULL;
4974 do_event_set_init(dest, false);
4975
4976#ifdef USE_COMP
4977 dest->c2.comp_context = NULL;
4978#endif
4979}
4980
4981void
4982close_context(struct context *c, int sig, unsigned int flags)
4983{
4984 ASSERT(c);
4985 ASSERT(c->sig);
4986
4987 if (sig >= 0)
4988 {
4989 register_signal(c->sig, sig, "close_context");
4990 }
4991
4992 if (c->sig->signal_received == SIGUSR1)
4993 {
4994 if ((flags & CC_USR1_TO_HUP)
4995 || (c->sig->source == SIG_SOURCE_HARD && (flags & CC_HARD_USR1_TO_HUP)))
4996 {
4997 register_signal(c->sig, SIGHUP, "close_context usr1 to hup");
4998 }
4999 }
5000
5001 if (!(flags & CC_NO_CLOSE))
5002 {
5003 close_instance(c);
5004 }
5005
5006 if (flags & CC_GC_FREE)
5007 {
5008 context_gc_free(c);
5009 }
5010}
5011
5012/* Write our PID to a file */
5013void
5014write_pid_file(const char *filename, const char *chroot_dir)
5015{
5016 if (filename)
5017 {
5018 unsigned int pid = 0;
5019 FILE *fp = platform_fopen(filename, "w");
5020 if (!fp)
5021 {
5022 msg(M_ERR, "Open error on pid file %s", filename);
5023 return;
5024 }
5025
5026 pid = platform_getpid();
5027 fprintf(fp, "%u\n", pid);
5028 if (fclose(fp))
5029 {
5030 msg(M_ERR, "Close error on pid file %s", filename);
5031 }
5032
5033 /* remember file name so it can be deleted "out of context" later */
5034 /* (the chroot case is more complex and not handled today) */
5035 if (!chroot_dir)
5036 {
5037 saved_pid_file_name = strdup(filename);
5039 {
5040 msg(M_FATAL, "Failed allocate memory saved_pid_file_name");
5041 }
5042 }
5043 }
5044}
5045
5046/* remove PID file on exit, called from openvpn_exit() */
5047void
5049{
5051 {
5053 }
5054}
5055
5056
5057/*
5058 * Do a loopback test
5059 * on the crypto subsystem.
5060 */
5061static void *
5063{
5064 struct context *c = (struct context *)arg;
5065 const struct options *options = &c->options;
5066
5069 context_init_1(c);
5072
5074
5076
5077 key_schedule_free(&c->c1.ks, true);
5079
5080 context_gc_free(c);
5081 return NULL;
5082}
5083
5084bool
5085do_test_crypto(const struct options *o)
5086{
5087 if (o->test_crypto)
5088 {
5089 struct context c;
5090
5091 /* print version number */
5092 msg(M_INFO, "%s", title_string);
5093
5094 context_clear(&c);
5095 c.options = *o;
5097 c.first_time = true;
5098 test_crypto_thread((void *)&c);
5099 return true;
5100 }
5101 return false;
5102}
void argv_msg(const msglvl_t msglevel, const struct argv *a)
Write the arguments stored in a struct argv via the msg() command.
Definition argv.c:242
void argv_parse_cmd(struct argv *argres, const char *cmdstr)
Parses a command string, tokenizes it and puts each element into a separate struct argv argument slot...
Definition argv.c:481
void argv_free(struct argv *a)
Frees all memory allocations allocated by the struct argv related functions.
Definition argv.c:101
bool argv_printf(struct argv *argres, const char *format,...)
printf() variant which populates a struct argv.
Definition argv.c:438
bool argv_printf_cat(struct argv *argres, const char *format,...)
printf() inspired argv concatenation.
Definition argv.c:462
struct argv argv_new(void)
Allocates a new struct argv and ensures it is initialised.
Definition argv.c:87
void auth_token_write_server_key_file(const char *filename)
Generate a auth-token server secret key, and write to file.
Definition auth_token.c:118
void auth_token_init_secret(struct key_ctx *key_ctx, const char *key_file, bool key_inline)
Loads an HMAC secret from a file or if no file is present generates a epheremal secret for the run ti...
Definition auth_token.c:124
void free_buf(struct buffer *buf)
Definition buffer.c:184
void buf_clear(struct buffer *buf)
Definition buffer.c:163
bool buf_printf(struct buffer *buf, const char *format,...)
Definition buffer.c:241
void string_clear(char *str)
Definition buffer.c:691
struct buffer alloc_buf_gc(size_t size, struct gc_arena *gc)
Definition buffer.c:89
struct buffer alloc_buf(size_t size)
Definition buffer.c:63
char * string_alloc(const char *str, struct gc_arena *gc)
Definition buffer.c:649
static void gc_detach(struct gc_arena *a)
Definition buffer.h:1001
#define BSTR(buf)
Definition buffer.h:128
#define ALLOC_ARRAY_GC(dptr, type, n, gc)
Definition buffer.h:1053
#define ALLOC_ARRAY_CLEAR_GC(dptr, type, n, gc)
Definition buffer.h:1064
static void gc_init(struct gc_arena *a)
Definition buffer.h:994
static void buf_set_write(struct buffer *buf, uint8_t *data, int size)
Definition buffer.h:331
static int buf_len(const struct buffer *buf)
Definition buffer.h:253
#define ALLOC_OBJ_CLEAR_GC(dptr, type, gc)
Definition buffer.h:1079
#define ALLOC_OBJ_GC(dptr, type, gc)
Definition buffer.h:1074
static void strncpynt(char *dest, const char *src, size_t maxlen)
Definition buffer.h:361
static void check_malloc_return(void *p)
Definition buffer.h:1085
static void gc_free(struct gc_arena *a)
Definition buffer.h:1015
#define ALLOC_OBJ_CLEAR(dptr, type)
Definition buffer.h:1042
static struct gc_arena gc_new(void)
Definition buffer.h:1007
#define PUSH_BUNDLE_SIZE
Definition common.h:87
bool check_compression_settings_valid(struct compress_options *info, msglvl_t msglevel)
Checks if the compression settings are valid.
Definition comp.c:162
char * basename(char *filename)
int daemon(int nochdir, int noclose)
#define PACKAGE_NAME
Definition config.h:492
void free_key_ctx_bi(struct key_ctx_bi *ctx)
Definition crypto.c:1099
long int get_random(void)
Definition crypto.c:1725
void init_key_type(struct key_type *kt, const char *ciphername, const char *authname, bool tls_mode, bool warn)
Initialize a key_type structure with.
Definition crypto.c:874
int write_key_file(const int nkeys, const char *filename)
Write nkeys 1024-bits keys to file.
Definition crypto.c:1545
unsigned int crypto_max_overhead(void)
Return the worst-case OpenVPN crypto overhead (in bytes)
Definition crypto.c:849
void test_crypto(struct crypto_options *co, struct frame *frame)
Definition crypto.c:1198
void crypto_read_openvpn_key(const struct key_type *key_type, struct key_ctx_bi *ctx, const char *key_file, bool key_inline, const int key_direction, const char *key_name, const char *opt_name, struct key2 *keydata)
Definition crypto.c:1289
void free_key_ctx(struct key_ctx *ctx)
Definition crypto.c:1080
#define CO_PACKET_ID_LONG_FORM
Bit-flag indicating whether to use OpenVPN's long packet ID format.
Definition crypto.h:345
#define CO_USE_TLS_KEY_MATERIAL_EXPORT
Bit-flag indicating that data channel key derivation is done using TLS keying material export [RFC570...
Definition crypto.h:357
#define CO_USE_DYNAMIC_TLS_CRYPT
Bit-flag indicating that renegotiations are using tls-crypt with a TLS-EKM derived key.
Definition crypto.h:373
#define CO_EPOCH_DATA_KEY_FORMAT
Bit-flag indicating the epoch the data format.
Definition crypto.h:377
#define CO_MUTE_REPLAY_WARNINGS
Bit-flag indicating not to display replay warnings.
Definition crypto.h:354
#define CO_FORCE_TLSCRYPTV2_COOKIE
Bit-flag indicating that we do not allow clients that do not support resending the wrapped client key...
Definition crypto.h:365
#define CO_USE_CC_EXIT_NOTIFY
Bit-flag indicating that explicit exit notifies should be sent via the control channel instead of usi...
Definition crypto.h:369
static bool key_ctx_bi_defined(const struct key_ctx_bi *key)
Definition crypto.h:644
void show_available_engines(void)
bool cipher_kt_mode_aead(const char *ciphername)
Check if the supplied cipher is a supported AEAD mode cipher.
void show_available_ciphers(void)
bool md_valid(const char *digest)
Return if a message digest parameters is valid given the name of the digest.
bool cipher_kt_mode_ofb_cfb(const char *ciphername)
Check if the supplied cipher is a supported OFB or CFB mode cipher.
const char * md_kt_name(const char *mdname)
Retrieve a string describing the digest digest (e.g.
const char * cipher_kt_name(const char *ciphername)
Retrieve a normalised string describing the cipher (e.g.
void crypto_init_lib_engine(const char *engine_name)
void md_ctx_cleanup(md_ctx_t *ctx)
void show_available_digests(void)
void md_ctx_free(md_ctx_t *ctx)
#define DCO_DEFAULT_METRIC
Definition dco.h:47
static bool dco_supports_epoch_data(struct context *c)
Definition dco.h:389
static void dco_remove_peer(struct context *c)
Definition dco.h:350
static bool dco_check_pull_options(msglvl_t msglevel, const struct options *o)
Definition dco.h:288
static bool ovpn_dco_init(struct context *c)
Definition dco.h:294
static int dco_p2p_add_new_peer(struct context *c)
Definition dco.h:337
void run_dns_up_down(bool up, struct options *o, const struct tuntap *tt, struct dns_updown_runner_info *duri)
Invokes the action associated with bringing DNS up or down.
Definition dns.c:857
void env_set_destroy(struct env_set *es)
Definition env_set.c:166
void setenv_int(struct env_set *es, const char *name, int value)
Definition env_set.c:291
void setenv_str(struct env_set *es, const char *name, const char *value)
Definition env_set.c:307
void env_set_inherit(struct env_set *es, const struct env_set *src)
Definition env_set.c:262
struct env_set * env_set_create(struct gc_arena *gc)
Definition env_set.c:156
#define D_MTU_DEBUG
Definition errlevel.h:125
#define D_SHOW_OCC
Definition errlevel.h:150
#define D_PUSH
Definition errlevel.h:82
#define D_SHOW_NET
Definition errlevel.h:131
#define P2P_ERROR_DELAY_MS
Definition errlevel.h:40
#define D_RESTART
Definition errlevel.h:81
#define D_IMPORT_ERRORS
Definition errlevel.h:63
#define D_CLOSE
Definition errlevel.h:72
#define D_PUSH_DEBUG
Definition errlevel.h:149
#define D_DCO
Definition errlevel.h:93
#define D_HANDSHAKE
Definition errlevel.h:71
#define D_GENKEY
Definition errlevel.h:78
#define D_MTU_INFO
Definition errlevel.h:104
#define D_PUSH_ERRORS
Definition errlevel.h:66
#define D_INIT_MEDIUM
Definition errlevel.h:103
#define D_TLS_ERRORS
Definition errlevel.h:58
#define D_READ_WRITE
Definition errlevel.h:166
#define M_INFO
Definition errlevel.h:54
#define D_LOG_RW
Definition errlevel.h:109
#define D_ROUTE
Definition errlevel.h:79
#define D_LINK_ERRORS
Definition errlevel.h:56
struct event_set * event_set_init(int *maxevents, unsigned int flags)
Definition event.c:1177
#define EVENT_METHOD_FAST
Definition event.h:82
#define EVENT_METHOD_US_TIMEOUT
Definition event.h:81
static void event_free(struct event_set *es)
Definition event.h:162
bool send_control_channel_string(struct context *c, const char *str, msglvl_t msglevel)
Definition forward.c:404
Interface functions to the internal and external multiplexers.
static struct link_socket_info * get_link_socket_info(struct context *c)
Definition forward.h:333
struct tls_auth_standalone * tls_auth_standalone_init(struct tls_options *tls_options, struct gc_arena *gc)
Definition ssl.c:1198
void tls_init_control_channel_frame_parameters(struct frame *frame, int tls_mtu)
Definition ssl.c:142
void tls_multi_free(struct tls_multi *multi, bool clear)
Cleanup a tls_multi structure and free associated memory allocations.
Definition ssl.c:1250
struct tls_multi * tls_multi_init(struct tls_options *tls_options)
Allocate and initialize a tls_multi structure.
Definition ssl.c:1169
void tls_multi_init_finalize(struct tls_multi *multi, int tls_mtu)
Finalize initialization of a tls_multi structure.
Definition ssl.c:1184
void tls_auth_standalone_free(struct tls_auth_standalone *tas)
Frees a standalone tls-auth verification object.
Definition ssl.c:1223
#define TM_ACTIVE
Active tls_session.
Definition ssl_common.h:545
void tls_multi_init_set_options(struct tls_multi *multi, const char *local, const char *remote)
Definition ssl.c:1239
void fragment_frame_init(struct fragment_master *f, const struct frame *frame)
Allocate internal packet buffers for a fragment_master structure.
Definition fragment.c:125
struct fragment_master * fragment_init(struct frame *frame)
Allocate and initialize a fragment_master structure.
Definition fragment.c:92
void fragment_free(struct fragment_master *f)
Free a fragment_master structure and its internal packet buffers.
Definition fragment.c:116
void tls_crypt_init_key(struct key_ctx_bi *key, struct key2 *keydata, const char *key_file, bool key_inline, bool tls_server)
Initialize a key_ctx_bi structure for use with --tls-crypt.
Definition tls_crypt.c:60
void tls_crypt_v2_init_server_key(struct key_ctx *key_ctx, bool encrypt, const char *key_file, bool key_inline)
Initialize a tls-crypt-v2 server key (used to encrypt/decrypt client keys).
Definition tls_crypt.c:343
void tls_crypt_v2_write_client_key_file(const char *filename, const char *b64_metadata, const char *server_key_file, bool server_key_inline)
Generate a tls-crypt-v2 client key, and write to file.
Definition tls_crypt.c:670
void tls_crypt_v2_write_server_key_file(const char *filename)
Generate a tls-crypt-v2 server key, and write to file.
Definition tls_crypt.c:664
int tls_crypt_buf_overhead(void)
Returns the maximum overhead (in bytes) added to the destination buffer by tls_crypt_wrap().
Definition tls_crypt.c:54
void tls_crypt_v2_init_client_key(struct key_ctx_bi *key, struct key2 *original_key, struct buffer *wkc_buf, const char *key_file, bool key_inline)
Initialize a tls-crypt-v2 client key.
Definition tls_crypt.c:320
void uninit_management_callback(void)
Definition init.c:4435
static void uninit_proxy(struct context *c)
Definition init.c:727
bool open_management(struct context *c)
Definition init.c:4382
static void do_init_first_time(struct context *c)
Definition init.c:3868
static void do_init_route_list(const struct options *options, struct route_list *route_list, const struct link_socket_info *link_socket_info, struct env_set *es, openvpn_net_ctx_t *ctx)
Definition init.c:1461
static void do_init_tls_wrap_key(struct context *c)
Definition init.c:3072
static bool management_callback_remote_cmd(void *arg, const char **p)
Definition init.c:364
bool do_genkey(const struct options *options)
Definition init.c:1021
static void next_connection_entry(struct context *c)
Definition init.c:515
static bool can_preserve_tun(struct tuntap *tt)
Definition init.c:1772
void initialization_sequence_completed(struct context *c, const unsigned int flags)
Definition init.c:1552
void open_plugins(struct context *c, const bool import_options, int init_point)
Definition init.c:4219
static void do_setup_fast_io(struct context *c)
Definition init.c:4174
static void tls_print_deferred_options_results(struct context *c)
Prints the results of options imported for the data channel.
Definition init.c:2205
static const char * saved_pid_file_name
Definition init.c:62
void init_verb_mute(struct context *c, unsigned int flags)
Definition init.c:949
static void do_uid_gid_chroot(struct context *c, bool no_delay)
Definition init.c:1203
const char * format_common_name(struct context *c, struct gc_arena *gc)
Definition init.c:1286
static void do_close_link_socket(struct context *c)
Definition init.c:3965
static unsigned int management_callback_remote_entry_count(void *arg)
Definition init.c:320
static void do_signal_on_tls_errors(struct context *c)
Definition init.c:4194
static void do_init_crypto_static(struct context *c, const unsigned int flags)
Definition init.c:3028
static void key_schedule_free(struct key_schedule *ks, bool free_ssl_ctx)
Definition init.c:2988
static void do_init_tun(struct context *c)
Definition init.c:1727
static void do_option_warnings(struct context *c)
Definition init.c:3584
void init_instance(struct context *c, const struct env_set *env, const unsigned int flags)
Definition init.c:4483
static void do_link_socket_addr_new(struct context *c)
Definition init.c:733
void close_instance(struct context *c)
Definition init.c:4775
static void do_init_route_ipv6_list(const struct options *options, struct route_ipv6_list *route_ipv6_list, const struct link_socket_info *link_socket_info, struct env_set *es, openvpn_net_ctx_t *ctx)
Definition init.c:1500
static void do_init_frame(struct context *c)
Definition init.c:3538
void persist_client_stats(struct context *c)
Definition init.c:4446
void inherit_context_top(struct context *dest, const struct context *src)
Definition init.c:4936
void context_clear_1(struct context *c)
Definition init.c:82
static bool ce_management_query_proxy(struct context *c)
Definition init.c:247
static void do_init_crypto(struct context *c, const unsigned int flags)
Definition init.c:3521
static void do_init_frame_tls(struct context *c)
Definition init.c:3476
static void do_init_traffic_shaper(struct context *c)
Definition init.c:1427
static bool route_noexec_enabled(const struct options *o, const struct tuntap *tt)
Determine if external route commands should be executed based on configured options and backend drive...
Definition init.c:1662
static bool ifconfig_noexec_enabled(const struct context *c)
Determines if ifconfig execution should be disabled because of a.
Definition init.c:1839
static void clear_remote_addrlist(struct link_socket_addr *lsa, bool free)
Definition init.c:501
bool do_test_crypto(const struct options *o)
Definition init.c:5085
static void do_print_data_channel_mtu_parms(struct context *c)
Definition init.c:3824
void init_plugins(struct context *c)
Definition init.c:4209
void free_context_buffers(struct context_buffers *b)
Definition init.c:3705
static void init_crypto_pre(struct context *c, const unsigned int flags)
Definition init.c:3000
static void do_init_timers(struct context *c, bool deferred)
Definition init.c:1344
#define CF_LOAD_PERSISTED_PACKET_ID
Definition init.c:67
static void do_alloc_route_list(struct context *c)
Definition init.c:1443
static void do_close_status_output(struct context *c)
Definition init.c:4100
static void do_event_set_init(struct context *c, bool need_us_timeout)
Definition init.c:4055
static struct context * static_context
Definition init.c:61
static void do_init_fragment(struct context *c)
Definition init.c:3742
#define CF_INIT_TLS_MULTI
Definition init.c:68
void context_init_1(struct context *c)
Definition init.c:740
static void * test_crypto_thread(void *arg)
Definition init.c:5062
void pre_setup(const struct options *options)
Definition init.c:1297
static void do_link_socket_new(struct context *c)
Definition init.c:3763
static void do_close_free_key_schedule(struct context *c, bool free_ssl_ctx)
Definition init.c:3943
static bool management_callback_proxy_cmd(void *arg, const char **p)
Definition init.c:201
static void del_wfp_block(struct context *c, unsigned long adapter_index)
Remove any WFP block filters previously added.
Definition init.c:1820
void reset_coarse_timers(struct context *c)
Definition init.c:1320
static void do_open_ifconfig_pool_persist(struct context *c)
Definition init.c:4117
static void do_close_ifconfig_pool_persist(struct context *c)
Definition init.c:4129
static void do_close_tun(struct context *c, bool force)
Definition init.c:2055
void init_management(void)
Definition init.c:4373
void uninit_static(void)
Definition init.c:931
void init_instance_handle_signals(struct context *c, const struct env_set *env, const unsigned int flags)
Definition init.c:4461
bool do_update(struct context *c, unsigned int option_types_found)
A simplified version of the do_up() function.
Definition init.c:2491
static void do_init_crypto_tls(struct context *c, const unsigned int flags)
Definition init.c:3239
void write_pid_file(const char *filename, const char *chroot_dir)
Definition init.c:5014
void context_gc_free(struct context *c)
Definition init.c:791
static void socket_restart_pause(struct context *c)
Definition init.c:2787
static void do_open_status_output(struct context *c)
Definition init.c:4088
void init_options_dev(struct options *options)
Definition init.c:972
static void do_close_free_buf(struct context *c)
Definition init.c:3902
void init_query_passwords(const struct context *c)
Query for private key and auth-user-pass username/passwords.
Definition init.c:645
bool do_deferred_options(struct context *c, const unsigned int found, const bool is_update)
Definition init.c:2605
void inherit_context_child(struct context *dest, const struct context *src, struct link_socket *sock)
Definition init.c:4848
static void do_compute_occ_strings(struct context *c)
Definition init.c:3839
void context_clear_2(struct context *c)
Definition init.c:88
static void do_close_fragment(struct context *c)
Definition init.c:4040
void context_clear(struct context *c)
Definition init.c:76
static void update_options_ce_post(struct options *options)
Definition init.c:183
static void do_init_crypto_none(struct context *c)
Definition init.c:3506
static void management_callback_status_p2p(void *arg, const int version, struct status_output *so)
Definition init.c:4278
void remove_pid_file(void)
Definition init.c:5048
static void add_delim_if_non_empty(struct buffer *buf, const char *header)
Helper function for tls_print_deferred_options_results Adds the ", " delimitor if there already some ...
Definition init.c:2191
bool print_openssl_info(const struct options *options)
Definition init.c:983
void close_context(struct context *c, int sig, unsigned int flags)
Definition init.c:4982
static bool ce_management_query_remote(struct context *c)
Definition init.c:414
static void open_tun_backend(struct context *c)
Definition init.c:1847
static void do_close_event_set(struct context *c)
Definition init.c:4073
bool do_persist_tuntap(struct options *options, openvpn_net_ctx_t *ctx)
Definition init.c:1102
static bool do_hold(int holdtime)
Definition init.c:2768
bool do_up(struct context *c, bool pulled_options, unsigned int option_types_found)
Definition init.c:2356
void tun_abort(void)
Definition init.c:2159
static void do_init_server_poll_timeout(struct context *c)
Definition init.c:1331
static void do_close_plugins(struct context *c)
Definition init.c:4253
static void do_init_socket_phase1(struct context *c)
Definition init.c:3780
bool init_static(void)
Definition init.c:829
static void do_init_crypto_tls_c1(struct context *c)
Definition init.c:3144
static void frame_finalize_options(struct context *c, const struct options *o)
Definition init.c:2907
static void uninit_proxy_dowork(struct context *c)
Definition init.c:672
static bool options_hash_changed_or_zero(const struct sha256_digest *a, const struct sha256_digest *b)
Helper for do_up().
Definition init.c:2178
static void add_wfp_block(struct context *c)
Add WFP filters to block traffic to local networks.
Definition init.c:1794
static void do_close_tun_simple(struct context *c)
Definition init.c:2025
static void do_inherit_plugins(struct context *c, const struct context *src)
Definition init.c:4264
static void run_up_down(const char *command, const struct plugin_list *plugins, int plugin_type, const char *arg, DWORD adapter_index, const char *dev_type, int tun_mtu, const char *ifconfig_local, const char *ifconfig_remote, const char *context, const char *signal_text, const char *script_type, struct env_set *es)
Definition init.c:108
static void do_init_socket_phase2(struct context *c)
Definition init.c:3812
bool possibly_become_daemon(const struct options *options)
Definition init.c:1161
static bool management_callback_remote_entry_get(void *arg, unsigned int index, char **remote)
Definition init.c:330
static void init_connection_list(struct context *c)
Definition init.c:475
static void init_proxy_dowork(struct context *c)
Definition init.c:689
static void do_close_packet_id(struct context *c)
Definition init.c:4025
static void do_startup_pause(struct context *c)
Definition init.c:2864
static size_t get_frame_mtu(struct context *c, const struct options *o)
Definition init.c:2877
static bool do_deferred_p2p_ncp(struct context *c)
Definition init.c:2560
#define CF_INIT_TLS_AUTH_STANDALONE
Definition init.c:69
unsigned int pull_permission_mask(const struct context *c)
Definition init.c:2544
static bool do_deferred_options_part2(struct context *c)
This function is expected to be invoked after open_tun() was performed.
Definition init.c:2333
static void do_env_set_destroy(struct context *c)
Definition init.c:4155
static void do_init_buffers(struct context *c)
Definition init.c:3730
static void init_proxy(struct context *c)
Definition init.c:721
void init_management_callback_p2p(struct context *c)
Definition init.c:4347
static bool management_callback_send_cc_message(void *arg, const char *command, const char *parameters)
This method sends a custom control channel message.
Definition init.c:297
bool do_route(const struct options *options, struct route_list *route_list, struct route_ipv6_list *route_ipv6_list, const struct tuntap *tt, const struct plugin_list *plugins, struct env_set *es, openvpn_net_ctx_t *ctx)
Definition init.c:1673
static void do_inherit_env(struct context *c, const struct env_set *src)
Definition init.c:4147
void context_clear_all_except_first_time(struct context *c)
Definition init.c:94
struct context_buffers * init_context_buffers(const struct frame *frame)
Definition init.c:3680
static bool do_open_tun(struct context *c, int *error_flags)
Definition init.c:1869
static void do_close_tls(struct context *c)
Definition init.c:3916
void close_management(void)
Definition init.c:4422
void management_show_net_callback(void *arg, const msglvl_t msglevel)
Definition init.c:4285
#define ISC_ERRORS
Definition init.h:126
#define CC_GC_FREE
Definition init.h:115
#define IVM_LEVEL_2
Definition init.h:49
#define ISC_ROUTE_ERRORS
Definition init.h:128
#define IVM_LEVEL_1
Definition init.h:48
#define CC_USR1_TO_HUP
Definition init.h:116
#define BASE_N_EVENTS
Definition init.h:32
#define CC_HARD_USR1_TO_HUP
Definition init.h:117
#define ISC_SERVER
Definition init.h:127
#define CC_NO_CLOSE
Definition init.h:118
static int min_int(int x, int y)
Definition integer.h:105
static int max_int(int x, int y)
Definition integer.h:92
static SERVICE_STATUS status
Definition interactive.c:51
void interval_init(struct interval *top, int horizon, int refresh)
Definition interval.c:34
static void event_timeout_init(struct event_timeout *et, interval_t n, const time_t last)
Initialises a timer struct.
Definition interval.h:172
static void event_timeout_clear(struct event_timeout *et)
Clears the timeout and reset all values to 0.
Definition interval.h:153
int set_lladdr(openvpn_net_ctx_t *ctx, const char *ifname, const char *lladdr, const struct env_set *es)
Definition lladdr.c:17
void management_pre_tunnel_close(struct management *man)
Definition manage.c:3115
void management_notify_client_close(struct management *management, struct man_def_auth_context *mdac, const struct env_set *es)
Definition manage.c:3033
void management_clear_callback(struct management *man)
Definition manage.c:2787
bool management_hold(struct management *man, int holdtime)
Definition manage.c:3841
struct management * management_init(void)
Definition manage.c:2717
void management_event_loop_n_seconds(struct management *man, int sec)
Definition manage.c:3470
void management_close(struct management *man)
Definition manage.c:2770
void management_set_state(struct management *man, const int state, const char *detail, const in_addr_t *tun_local_ip, const struct in6_addr *tun_local_ip6, const struct openvpn_sockaddr *local, const struct openvpn_sockaddr *remote)
Definition manage.c:2796
bool management_open(struct management *man, const char *addr, const char *port, const char *pass_file, const char *client_user, const char *client_group, const int log_history_cache, const int echo_buffer_size, const int state_buffer_size, const int remap_sigusr1, const unsigned int flags)
Definition manage.c:2731
void management_notify_generic(struct management *man, const char *str)
Definition manage.c:2947
void man_persist_client_stats(struct management *man, struct context *c)
Definition manage.c:4237
void management_set_callback(struct management *man, const struct management_callback *cb)
Definition manage.c:2780
void management_up_down(struct management *man, const char *updown, const struct env_set *es)
Definition manage.c:2931
void management_sleep(const int n)
A sleep function that services the management layer for n seconds rather than doing nothing.
Definition manage.c:4147
void management_post_tunnel_open(struct management *man, const in_addr_t tun_local_ip)
Definition manage.c:3092
static bool management_query_remote_enabled(const struct management *man)
Definition manage.h:425
#define OPENVPN_STATE_CONNECTING
Definition manage.h:449
static bool management_query_proxy_enabled(const struct management *man)
Definition manage.h:431
#define OPENVPN_STATE_CONNECTED
Definition manage.h:452
#define MF_SERVER
Definition manage.h:27
void set_std_files_to_null(bool stdin_only)
Definition misc.c:55
#define GET_USER_PASS_MANAGEMENT
Definition misc.h:110
#define GET_USER_PASS_NEED_OK
Definition misc.h:113
static bool get_user_pass(struct user_pass *up, const char *auth_file, const char *prefix, const unsigned int flags)
Retrieves the user credentials from various sources depending on the flags.
Definition misc.h:150
void frame_calculate_dynamic(struct frame *frame, struct key_type *kt, const struct options *options, struct link_socket_info *lsi)
Set the –mssfix option.
Definition mss.c:331
size_t frame_calculate_protocol_header_size(const struct key_type *kt, const struct options *options, bool occ)
Calculates the size of the OpenVPN protocol header.
Definition mtu.c:61
void frame_print(const struct frame *frame, msglvl_t msglevel, const char *prefix)
Definition mtu.c:190
#define TUN_MTU_MAX_MIN
Definition mtu.h:74
#define BUF_SIZE(f)
Definition mtu.h:178
#define TUN_MTU_MIN
Definition mtu.h:59
static const char * np(const char *str)
Definition multi-auth.c:146
void * openvpn_net_ctx_t
Definition networking.h:38
#define OCC_MTU_LOAD_INTERVAL_SECONDS
Definition occ.h:61
static int occ_reset_op(void)
Definition occ.h:101
#define OCC_INTERVAL_SECONDS
Definition occ.h:45
#define OPENVPN_PLUGIN_INIT_POST_DAEMON
#define OPENVPN_PLUGIN_INIT_PRE_DAEMON
#define OPENVPN_PLUGIN_DOWN
#define OPENVPN_PLUGIN_ROUTE_PREDOWN
#define OPENVPN_PLUGIN_INIT_POST_UID_CHANGE
#define OPENVPN_PLUGIN_FUNC_SUCCESS
#define OPENVPN_PLUGIN_UP
#define OPENVPN_PLUGIN_ROUTE_UP
#define CLEAR(x)
Definition basic.h:32
void error_reset(void)
Definition error.c:158
bool set_mute_cutoff(const int cutoff)
Definition error.c:120
void set_check_status(unsigned int info_level, unsigned int verbose_level)
Definition error.c:612
void reset_check_status(void)
Definition error.c:605
bool set_debug_level(const int level, const unsigned int flags)
Definition error.c:104
#define M_OPTERR
Definition error.h:101
static bool check_debug_level(msglvl_t level)
Definition error.h:259
#define SDL_CONSTRAIN
Definition error.h:201
#define M_NOPREFIX
Definition error.h:98
#define M_USAGE
Definition error.h:107
#define M_FATAL
Definition error.h:90
static void set_check_status_error_delay(unsigned int milliseconds)
Definition error.h:323
#define M_NONFATAL
Definition error.h:91
#define M_ERR
Definition error.h:106
#define msg(flags,...)
Definition error.h:152
unsigned int msglvl_t
Definition error.h:77
#define ASSERT(x)
Definition error.h:219
#define M_WARN
Definition error.h:92
#define TLS_MODE(c)
Definition openvpn.h:543
static void packet_id_persist_init(struct packet_id_persist *p)
Definition openvpn.h:86
#define CM_P2P
Definition openvpn.h:482
#define CM_TOP_CLONE
Definition openvpn.h:484
#define CM_CHILD_TCP
Definition openvpn.h:486
#define CM_CHILD_UDP
Definition openvpn.h:485
#define MAX_PEER_ID
Definition openvpn.h:554
#define CM_TOP
Definition openvpn.h:483
void options_string_import(struct options *options, const char *config, const msglvl_t msglevel, const unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es)
Definition options.c:5537
void options_detach(struct options *o)
Definition options.c:1565
void pre_connect_restore(struct options *o, struct gc_arena *gc)
Definition options.c:3165
const char * options_string_version(const char *s, struct gc_arena *gc)
Definition options.c:4700
const char title_string[]
Definition options.c:71
int auth_retry_get(void)
Definition options.c:4791
void notnull(const char *arg, const char *description)
Definition options.c:4931
char * options_string(const struct options *o, const struct frame *frame, struct tuntap *tt, openvpn_net_ctx_t *ctx, bool remote, struct gc_arena *gc)
Definition options.c:4350
#define MODE_POINT_TO_POINT
Definition options.h:260
#define OPT_P_UP
Definition options.h:733
#define CE_MAN_QUERY_REMOTE_QUERY
Definition options.h:153
#define OPT_P_NCP
Negotiable crypto parameters.
Definition options.h:744
#define OPT_P_ECHO
Definition options.h:752
#define MODE_SERVER
Definition options.h:261
#define streq(x, y)
Definition options.h:727
#define OPT_P_EXPLICIT_NOTIFY
Definition options.h:751
#define CE_MAN_QUERY_REMOTE_SKIP
Definition options.h:156
#define AR_INTERACT
Definition options.h:915
#define OPT_P_SHAPER
Definition options.h:738
static bool dco_enabled(const struct options *o)
Returns whether the current configuration has dco enabled.
Definition options.h:936
#define OPT_P_SOCKFLAGS
Definition options.h:758
#define SHAPER_DEFINED(opt)
Definition options.h:784
#define CE_MAN_QUERY_REMOTE_MOD
Definition options.h:155
#define CE_MAN_QUERY_PROXY
Definition options.h:151
#define OPT_P_MESSAGES
Definition options.h:743
#define OPT_P_SETENV
Definition options.h:737
#define OPT_P_SOCKBUF
Definition options.h:757
#define CE_MAN_QUERY_REMOTE_MASK
Definition options.h:157
#define OPT_P_PLUGIN
Definition options.h:756
#define OPT_P_TIMER
Definition options.h:739
#define PING_RESTART
Definition options.h:356
#define RH_PORT_LEN
Definition options.h:230
#define OPT_P_DEFAULT
Definition options.h:765
#define CE_MAN_QUERY_REMOTE_SHIFT
Definition options.h:158
#define OPT_P_DHCPDNS
Definition options.h:735
#define OPT_P_PULL_MODE
Definition options.h:755
@ GENKEY_AUTH_TOKEN
Definition options.h:239
@ GENKEY_SECRET
Definition options.h:236
@ GENKEY_TLS_CRYPTV2_SERVER
Definition options.h:238
@ GENKEY_TLS_CRYPTV2_CLIENT
Definition options.h:237
#define OPT_P_PUSH_MTU
Definition options.h:762
#define AR_NONE
Definition options.h:914
#define AR_NOINTERACT
Definition options.h:916
#define RH_HOST_LEN
Definition options.h:228
#define OPT_P_PERSIST
Definition options.h:740
#define MAX_PARMS
Definition options.h:51
#define PING_UNDEF
Definition options.h:354
#define CE_MAN_QUERY_REMOTE_ACCEPT
Definition options.h:154
#define PULL_DEFINED(opt)
Definition options.h:767
#define ROUTE_OPTION_FLAGS(o)
Definition options.h:779
#define PING_EXIT
Definition options.h:355
#define OPT_P_COMP
Definition options.h:742
#define OPT_P_ROUTE_EXTRAS
Definition options.h:754
#define OPT_P_PEER_ID
Definition options.h:760
#define OPT_P_ROUTE
Definition options.h:734
#define CE_DISABLED
Definition options.h:150
time_t now
Definition otime.c:33
static void update_time(void)
Definition otime.h:81
void time_test(void)
void packet_id_persist_save(struct packet_id_persist *p)
Definition packet_id.c:508
void packet_id_persist_load_obj(const struct packet_id_persist *p, struct packet_id *pid)
Definition packet_id.c:548
void packet_id_init(struct packet_id *p, int seq_backtrack, int time_backtrack, const char *name, int unit)
Definition packet_id.c:96
void packet_id_persist_close(struct packet_id_persist *p)
Definition packet_id.c:450
void packet_id_free(struct packet_id *p)
Definition packet_id.c:126
void packet_id_persist_load(struct packet_id_persist *p, const char *filename)
Definition packet_id.c:464
#define PRE_PULL_INITIAL_PING_RESTART
Definition ping.h:32
unsigned int platform_getpid(void)
Definition platform.c:337
const char * platform_create_temp_file(const char *directory, const char *prefix, struct gc_arena *gc)
Create a temporary file in directory, returns the filename of the created file.
Definition platform.c:544
void platform_user_group_set(const struct platform_state_user *user_state, const struct platform_state_group *group_state, struct context *c)
Definition platform.c:222
void platform_nice(int niceval)
Definition platform.c:315
bool platform_user_get(const char *username, struct platform_state_user *state)
Definition platform.c:80
bool platform_unlink(const char *filename)
Definition platform.c:491
FILE * platform_fopen(const char *path, const char *mode)
Definition platform.c:504
int platform_chdir(const char *dir)
Definition platform.c:396
void platform_mlockall(bool print_msg)
Definition platform.c:348
void platform_chroot(const char *path)
Definition platform.c:54
bool platform_group_get(const char *groupname, struct platform_state_group *state)
Definition platform.c:126
void plugin_list_close(struct plugin_list *pl)
Definition plugin.c:869
void plugin_return_free(struct plugin_return *pr)
Definition plugin.c:986
struct plugin_list * plugin_list_inherit(const struct plugin_list *src)
Definition plugin.c:690
struct plugin_list * plugin_list_init(const struct plugin_option_list *list)
Definition plugin.c:764
void plugin_return_get_column(const struct plugin_return *src, struct plugin_return *dest, const char *colname)
Definition plugin.c:972
bool plugin_defined(const struct plugin_list *pl, const int type)
Definition plugin.c:904
void plugin_list_open(struct plugin_list *pl, const struct plugin_option_list *list, struct plugin_return *pr, const struct env_set *es, const int init_point)
Definition plugin.c:774
static void plugin_return_init(struct plugin_return *pr)
Definition plugin.h:163
static int plugin_call(const struct plugin_list *pl, const int type, const struct argv *av, struct plugin_return *pr, struct env_set *es)
Definition plugin.h:195
static bool plugin_return_defined(const struct plugin_return *pr)
Definition plugin.h:157
struct ifconfig_pool_persist * ifconfig_pool_persist_init(const char *filename, int refresh_freq)
Definition pool.c:538
void ifconfig_pool_persist_close(struct ifconfig_pool_persist *persist)
Definition pool.c:560
#define TOP_NET30
Definition proto.h:41
#define DEV_TYPE_TUN
Definition proto.h:35
#define TOP_P2P
Definition proto.h:42
void http_proxy_close(struct http_proxy_info *hp)
Definition proxy.c:558
struct http_proxy_info * http_proxy_new(const struct http_proxy_options *o)
Definition proxy.c:493
struct http_proxy_options * init_http_proxy_options_once(struct http_proxy_options **hpo, struct gc_arena *gc)
Definition proxy.c:45
#define PAR_NCT
Definition proxy.h:51
#define PAR_ALL
Definition proxy.h:50
bool add_routes(struct route_list *rl, struct route_ipv6_list *rl6, const struct tuntap *tt, unsigned int flags, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition route.c:1101
void setenv_routes_ipv6(struct env_set *es, const struct route_ipv6_list *rl6)
Definition route.c:1404
bool block_local_needed(const struct route_list *rl)
Get the decision whether to block traffic to local networks while the VPN is connected.
Definition route.c:596
bool init_route_ipv6_list(struct route_ipv6_list *rl6, const struct route_ipv6_option_list *opt6, const char *remote_endpoint, int default_metric, const struct in6_addr *remote_host_ipv6, struct env_set *es, openvpn_net_ctx_t *ctx)
Definition route.c:753
void add_route_ipv6_to_option_list(struct route_ipv6_option_list *l, const char *prefix, const char *gateway, const char *metric, int table_id)
Definition route.c:507
bool init_route_list(struct route_list *rl, const struct route_option_list *opt, const char *remote_endpoint, int default_metric, in_addr_t remote_host, struct env_set *es, openvpn_net_ctx_t *ctx)
Definition route.c:604
void delete_routes(struct route_list *rl, struct route_ipv6_list *rl6, const struct tuntap *tt, unsigned int flags, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition route.c:1166
void show_routes(msglvl_t msglevel)
Definition route.c:3070
void setenv_routes(struct env_set *es, const struct route_list *rl)
Definition route.c:1367
static int route_did_redirect_default_gateway(const struct route_list *rl)
Definition route.h:424
#define RG_REROUTE_GW
Definition route.h:91
int script_security(void)
Definition run_command.c:42
#define S_FATAL
Definition run_command.h:50
#define SSEC_SCRIPTS
allow calling of built-in programs and user-defined scripts
Definition run_command.h:35
static int openvpn_run_script(const struct argv *a, const struct env_set *es, const unsigned int flags, const char *hook)
Will run a script and return the exit code of the script if between 0 and 255, -1 otherwise.
Definition run_command.h:89
#define SSEC_PW_ENV
allow calling of built-in programs and user-defined scripts that may receive a password as an environ...
Definition run_command.h:38
void shaper_msg(struct shaper *s)
Definition shaper.c:87
static void shaper_init(struct shaper *s, int bytes_per_second)
Definition shaper.h:85
void post_init_signal_catch(void)
Definition sig.c:421
void print_status(struct context *c, struct status_output *so)
Definition sig.c:478
void pre_init_signal_catch(void)
Definition sig.c:392
void remap_signal(struct context *c)
Definition sig.c:588
const char * signal_description(const int signum, const char *sigtext)
Definition sig.c:105
void restore_signal_state(void)
Definition sig.c:460
void register_signal(struct signal_info *si, int signum, const char *signal_text)
Register a soft signal in the signal_info struct si respecting priority.
Definition sig.c:228
#define IS_SIG(c)
Definition sig.h:47
#define SIG_SOURCE_HARD
Definition sig.h:30
void link_socket_init_phase1(struct context *c, int sock_index, int mode)
Definition socket.c:1367
void link_socket_init_phase2(struct context *c, struct link_socket *sock)
Definition socket.c:1710
void link_socket_update_buffer_sizes(struct link_socket *sock, int rcvbuf, int sndbuf)
Definition socket.c:557
const struct in6_addr * link_socket_current_remote_ipv6(const struct link_socket_info *info)
Definition socket.c:2024
void link_socket_close(struct link_socket *sock)
Definition socket.c:1831
in_addr_t link_socket_current_remote(const struct link_socket_info *info)
Definition socket.c:1990
void do_preresolve(struct context *c)
Definition socket.c:320
struct link_socket * link_socket_new(void)
Definition socket.c:1353
bool link_socket_update_flags(struct link_socket *sock, unsigned int sockflags)
Definition socket.c:543
#define LS_MODE_TCP_ACCEPT_FROM
Definition socket.h:181
#define LS_MODE_DEFAULT
Definition socket.h:179
#define LS_MODE_TCP_LISTEN
Definition socket.h:180
const char * proto2ascii(int proto, sa_family_t af, bool display_form)
const char * print_in_addr_t(in_addr_t addr, unsigned int flags, struct gc_arena *gc)
#define IA_EMPTY_IF_UNDEF
Definition socket_util.h:89
static bool proto_is_udp(int proto)
Returns if the protocol being used is UDP.
@ PROTO_UDP
@ PROTO_TCP
@ PROTO_TCP_CLIENT
static bool proto_is_tcp(int proto)
returns if the proto is a TCP variant (tcp-server, tcp-client or tcp)
static bool proto_is_dgram(int proto)
Return if the protocol is datagram (UDP)
static bool addr_defined(const struct openvpn_sockaddr *addr)
struct socks_proxy_info * socks_proxy_new(const char *server, const char *port, const char *authfile)
Definition socks.c:51
void socks_proxy_close(struct socks_proxy_info *sp)
Definition socks.c:78
void ssl_purge_auth(const bool auth_user_pass_only)
Definition ssl.c:391
void init_ssl(const struct options *options, struct tls_root_ctx *new_ctx, bool in_chroot)
Build master SSL context object that serves for the whole of OpenVPN instantiation.
Definition ssl.c:521
void pem_password_setup(const char *auth_file)
Definition ssl.c:258
void init_ssl_lib(void)
Definition ssl.c:235
bool tls_session_update_crypto_params(struct tls_multi *multi, struct tls_session *session, struct options *options, struct frame *frame, struct frame *frame_fragment, struct link_socket_info *lsi, dco_context_t *dco)
Update TLS session crypto parameters (cipher and auth) and derive data channel keys based on the supp...
Definition ssl.c:1651
void free_ssl_lib(void)
Definition ssl.c:243
void auth_user_pass_setup(const char *auth_file, bool is_inline, const struct static_challenge_info *sci)
Definition ssl.c:303
void enable_auth_user_pass(void)
Definition ssl.c:297
void show_available_tls_ciphers(const char *cipher_list, const char *cipher_list_tls13, const char *tls_cert_profile)
Definition ssl.c:4120
#define X509_USERNAME_FIELD_DEFAULT
Definition ssl.h:120
#define TLS_MULTI_HORIZON
Definition ssl.h:61
#define TLS_MULTI_REFRESH
Definition ssl.h:60
void tls_ctx_free(struct tls_root_ctx *ctx)
Frees the library-specific TLSv1 context.
void show_available_curves(void)
Show the available elliptic curves in the crypto library.
bool tls_ctx_initialised(struct tls_root_ctx *ctx)
Checks whether the given TLS context is initialised.
@ CAS_CONNECT_DONE
Definition ssl_common.h:594
@ CAS_RECONNECT_PENDING
session has already successful established (CAS_CONNECT_DONE) but has a reconnect and needs to redo s...
Definition ssl_common.h:593
bool check_pull_client_ncp(struct context *c, const unsigned int found)
Checks whether the cipher negotiation is in an acceptable state and we continue to connect or should ...
Definition ssl_ncp.c:310
bool tls_item_in_cipher_list(const char *item, const char *list)
Return true iff item is present in the colon-separated zero-terminated cipher list.
Definition ssl_ncp.c:206
const char * get_p2p_ncp_cipher(struct tls_session *session, const char *peer_info, struct gc_arena *gc)
Determines the best common cipher from both peers IV_CIPHER lists.
Definition ssl_ncp.c:355
Control Channel SSL/Data dynamic negotiation Module This file is split from ssl.h to be able to unit ...
hmac_ctx_t * session_id_hmac_init(void)
Definition ssl_pkt.c:450
const char * tls_common_name(const struct tls_multi *multi, const bool null)
Returns the common name field for the given tunnel.
Definition ssl_verify.c:107
Control Channel Verification Module.
#define VERIFY_X509_NONE
Definition ssl_verify.h:68
#define NS_CERT_CHECK_SERVER
Do not perform Netscape certificate type verification.
Definition ssl_verify.h:252
void status_printf(struct status_output *so, const char *format,...)
Definition status.c:218
struct status_output * status_open(const char *filename, const int refresh_freq, const int msglevel, const struct virtual_output *vout, const unsigned int flags)
Definition status.c:60
bool status_close(struct status_output *so)
Definition status.c:179
#define STATUS_OUTPUT_WRITE
Definition status.h:51
Definition argv.h:35
Wrapper structure for dynamically allocated memory.
Definition buffer.h:60
int len
Length in bytes of the actual content within the allocated memory.
Definition buffer.h:65
Definition options.h:104
struct local_list * local_list
Definition options.h:105
int tun_mtu_max
Definition options.h:126
int connect_retry_seconds
Definition options.h:116
bool tls_crypt_v2_force_cookie
Definition options.h:176
int link_mtu
Definition options.h:131
bool link_mtu_defined
Definition options.h:132
int tun_mtu_extra
Definition options.h:129
int connect_retry_seconds_max
Definition options.h:117
int mssfix
Definition options.h:141
const char * tls_crypt_file
Definition options.h:167
const char * tls_crypt_v2_file
Definition options.h:172
bool tun_mtu_extra_defined
Definition options.h:130
const char * remote
Definition options.h:111
const char * socks_proxy_port
Definition options.h:121
bool mssfix_encap
Definition options.h:143
struct http_proxy_options * http_proxy_options
Definition options.h:119
bool tls_crypt_file_inline
Definition options.h:168
bool tls_auth_file_inline
Definition options.h:163
bool tun_mtu_defined
Definition options.h:128
int tls_mtu
Definition options.h:133
int explicit_exit_notification
Definition options.h:147
const char * socks_proxy_authfile
Definition options.h:122
const char * remote_port
Definition options.h:110
bool fragment_encap
Definition options.h:139
const char * socks_proxy_server
Definition options.h:120
int fragment
Definition options.h:138
int proto
Definition options.h:106
sa_family_t af
Definition options.h:107
const char * tls_auth_file
Definition options.h:162
int tun_mtu
Definition options.h:124
int key_direction
Definition options.h:164
bool tls_crypt_v2_file_inline
Definition options.h:173
unsigned int flags
Definition options.h:159
struct connection_entry ** array
Definition options.h:201
Level 0 context containing information related to the OpenVPN process.
Definition openvpn.h:137
struct platform_state_group platform_state_group
Definition openvpn.h:143
struct platform_state_user platform_state_user
Definition openvpn.h:142
bool uid_gid_chroot_set
Definition openvpn.h:141
bool uid_gid_specified
Definition openvpn.h:139
struct key_schedule ks
Definition openvpn.h:164
struct ifconfig_pool_persist * ifconfig_pool_persist
Definition openvpn.h:197
bool http_proxy_owned
Definition openvpn.h:190
struct status_output * status_output
Definition openvpn.h:185
struct route_list * route_list
List of routing information.
Definition openvpn.h:177
struct link_socket_addr * link_socket_addrs
Local and remote addresses on the external network.
Definition openvpn.h:159
struct sha256_digest pulled_options_digest_save
Hash of option strings received from the remote OpenVPN server.
Definition openvpn.h:201
int link_sockets_num
Definition openvpn.h:158
bool status_output_owned
Definition openvpn.h:186
struct route_ipv6_list * route_ipv6_list
Definition openvpn.h:182
struct packet_id_persist pid_persist
Definition openvpn.h:170
struct http_proxy_info * http_proxy
Definition openvpn.h:189
bool socks_proxy_owned
Definition openvpn.h:194
bool tuntap_owned
Whether the tun/tap interface should be cleaned up when this context is cleaned up.
Definition openvpn.h:173
bool ifconfig_pool_persist_owned
Definition openvpn.h:198
struct socks_proxy_info * socks_proxy
Definition openvpn.h:193
struct tuntap * tuntap
Tun/tap virtual network interface.
Definition openvpn.h:172
char * options_string_local
Definition openvpn.h:296
struct fragment_master * fragment
Definition openvpn.h:252
bool do_up_ran
Definition openvpn.h:411
char * options_string_remote
Definition openvpn.h:297
struct event_timeout route_wakeup_expire
Definition openvpn.h:384
bool did_open_tun
Definition openvpn.h:387
md_ctx_t * pulled_options_state
Definition openvpn.h:444
bool es_owned
Definition openvpn.h:421
struct man_def_auth_context mda_context
Definition openvpn.h:453
hmac_ctx_t * session_id_hmac
the HMAC we use to generate and verify our syn cookie like session ids from the server.
Definition openvpn.h:338
const struct link_socket * accept_from
Definition openvpn.h:242
struct tls_auth_standalone * tls_auth_standalone
TLS state structure required for the initial authentication of a client's connection attempt.
Definition openvpn.h:326
int occ_op
Definition openvpn.h:299
struct env_set * es
Definition openvpn.h:420
bool link_socket_owned
Definition openvpn.h:240
struct tls_multi * tls_multi
TLS state structure for this VPN tunnel.
Definition openvpn.h:323
struct frame frame
Definition openvpn.h:248
struct frame frame_fragment
Definition openvpn.h:253
struct crypto_options crypto_options
Security parameters and crypto state used by the Data Channel Crypto module to process data channel p...
Definition openvpn.h:349
bool buffers_owned
Definition openvpn.h:368
struct link_socket ** link_sockets
Definition openvpn.h:237
struct link_socket_info ** link_socket_infos
Definition openvpn.h:238
bool log_rw
Definition openvpn.h:380
int event_set_max
Definition openvpn.h:231
struct gc_arena gc
Garbage collection arena for allocations done in the level 2 scope of this context_2 structure.
Definition openvpn.h:225
bool fast_io
Definition openvpn.h:424
struct sha256_digest pulled_options_digest
Definition openvpn.h:445
struct event_set * event_set
Definition openvpn.h:230
struct context_buffers * buffers
Definition openvpn.h:367
struct event_timeout route_wakeup
Definition openvpn.h:383
int tls_exit_signal
Definition openvpn.h:347
bool event_set_owned
Definition openvpn.h:232
struct buffer read_link_buf
Definition openvpn.h:113
struct buffer encrypt_buf
Definition openvpn.h:100
struct buffer read_tun_buf
Definition openvpn.h:114
struct buffer decrypt_buf
Definition openvpn.h:101
struct buffer aux_buf
Definition openvpn.h:97
int restart_sleep_seconds
Definition openvpn.h:122
struct dns_updown_runner_info duri
Definition openvpn.h:123
Contains all state information for one tunnel.
Definition openvpn.h:474
int mode
Role of this context within the OpenVPN process.
Definition openvpn.h:487
struct context_0 * c0
Level 0 context.
Definition openvpn.h:515
bool did_we_daemonize
Whether demonization has already taken place.
Definition openvpn.h:510
bool first_time
True on the first iteration of OpenVPN's main loop.
Definition openvpn.h:478
struct signal_info * sig
Internal error signaling object.
Definition openvpn.h:503
openvpn_net_ctx_t net_ctx
Networking API opaque context.
Definition openvpn.h:501
struct plugin_list * plugins
List of plug-ins.
Definition openvpn.h:505
struct context_2 c2
Level 2 context.
Definition openvpn.h:517
struct env_set * es
Set of environment variables.
Definition openvpn.h:499
struct options options
Options loaded from command line or configuration file.
Definition openvpn.h:475
bool plugins_owned
Whether the plug-ins should be cleaned up when this context is cleaned up.
Definition openvpn.h:506
struct gc_arena gc
Garbage collection arena for allocations done in the scope of this context structure.
Definition openvpn.h:495
struct context_1 c1
Level 1 context.
Definition openvpn.h:516
struct context_persist persist
Persistent context.
Definition openvpn.h:513
unsigned int flags
Bit-flags determining behavior of security operation functions.
Definition crypto.h:384
struct packet_id_persist * pid_persist
Persistent packet ID state for keeping state between successive OpenVPN process startups.
Definition crypto.h:340
struct key_ctx_bi key_ctx_bi
OpenSSL cipher and HMAC contexts for both sending and receiving directions.
Definition crypto.h:294
struct packet_id packet_id
Current packet ID state for both sending and receiving directions.
Definition crypto.h:331
Packet geometry parameters.
Definition mtu.h:103
int tun_mtu
the (user) configured tun-mtu.
Definition mtu.h:137
int payload_size
the maximum size that a payload that our buffers can hold from either tun device or network link.
Definition mtu.h:108
int tun_max_mtu
the maximum tun-mtu size the buffers are are sized for.
Definition mtu.h:147
int extra_tun
Maximum number of bytes in excess of the tun/tap MTU that might be read from or written to the virtua...
Definition mtu.h:151
int headroom
the headroom in the buffer, this is choosen to allow all potential header to be added before the pack...
Definition mtu.h:114
struct frame::@8 buf
int tailroom
the tailroom in the buffer.
Definition mtu.h:118
Garbage collection arena used to keep track of dynamically allocated memory.
Definition buffer.h:116
const char * port
Definition proxy.h:47
const char * server
Definition proxy.h:46
struct buffer tls_crypt_v2_wkc
Wrapped client key.
Definition openvpn.h:72
struct key2 original_wrap_keydata
original tls-crypt key preserved to xored into the tls_crypt renegotiation key
Definition openvpn.h:70
struct key_type key_type
Definition openvpn.h:57
struct key_ctx auth_token_key
Definition openvpn.h:73
struct tls_root_ctx ssl_ctx
Definition openvpn.h:63
struct key_type tls_auth_key_type
Definition openvpn.h:66
struct key_ctx_bi tls_wrap_key
Definition openvpn.h:67
struct key_ctx_bi static_key
Definition openvpn.h:60
struct key_ctx tls_crypt_v2_server_key
Definition openvpn.h:71
const char * cipher
const name of the cipher
Definition crypto.h:142
const char * digest
Message digest static parameters.
Definition crypto.h:143
const char * special_state_msg
Definition manage.h:232
void(* status)(void *arg, const int version, struct status_output *so)
Definition manage.h:178
bool(* remote_entry_get)(void *arg, unsigned int index, char **remote)
Definition manage.h:198
unsigned int(* remote_entry_count)(void *arg)
Definition manage.h:197
bool(* send_cc_message)(void *arg, const char *message, const char *parameter)
Definition manage.h:184
bool(* proxy_cmd)(void *arg, const char **p)
Definition manage.h:192
void(* show_net)(void *arg, const msglvl_t msglevel)
Definition manage.h:179
unsigned int flags
Definition manage.h:176
bool(* remote_cmd)(void *arg, const char **p)
Definition manage.h:193
struct man_persist persist
Definition manage.h:333
union openvpn_sockaddr::@27 addr
struct sockaddr sa
Definition socket_util.h:42
struct sockaddr_in in4
Definition socket_util.h:43
struct sockaddr_in6 in6
Definition socket_util.h:44
int rcvbuf
Definition options.h:416
bool resolve_in_advance
Definition options.h:368
bool route_nopull
Definition options.h:440
const char * genkey_extra_data
Definition options.h:286
struct compress_options comp
Definition options.h:413
bool persist_config
Definition options.h:274
struct connection_list * connection_list
Definition options.h:291
const char * management_port
Definition options.h:450
const char * ifconfig_ipv6_remote
Definition options.h:327
int server_backoff_time
Definition options.h:306
int auth_token_renewal
Definition options.h:548
const char * tmp_dir
Definition options.h:469
bool push_peer_info
Definition options.h:685
bool daemon
Definition options.h:391
int route_default_metric
Definition options.h:432
int renegotiate_seconds_min
Definition options.h:651
const char * auth_token_secret_file
Definition options.h:549
unsigned int imported_protocol_flags
Definition options.h:724
const char * tls_export_peer_cert_dir
Definition options.h:616
bool crl_file_inline
Definition options.h:620
const char * down_script
Definition options.h:386
hash_algo_type verify_hash_algo
Definition options.h:626
int replay_time
Definition options.h:587
int management_state_buffer_size
Definition options.h:454
bool duplicate_cn
Definition options.h:530
int shaper
Definition options.h:330
int management_echo_buffer_size
Definition options.h:453
bool show_net_up
Definition options.h:698
bool verify_hash_no_ca
Definition options.h:628
bool use_peer_id
Definition options.h:704
unsigned remote_cert_ku[MAX_PARMS]
Definition options.h:623
bool server_bridge_defined
Definition options.h:484
const char * keying_material_exporter_label
Definition options.h:708
const char * status_file
Definition options.h:406
unsigned int ssl_flags
Definition options.h:629
bool route_noexec
Definition options.h:433
bool ifconfig_nowarn
Definition options.h:329
const char * remote_cert_eku
Definition options.h:624
int tls_timeout
Definition options.h:645
bool test_crypto
Definition options.h:589
bool up_delay
Definition options.h:389
bool server_bridge_proxy_dhcp
Definition options.h:482
const char * authname
Definition options.h:582
const char * exit_event_name
Definition options.h:696
const char * ifconfig_ipv6_local
Definition options.h:325
int replay_window
Definition options.h:586
int mute
Definition options.h:400
bool auth_user_pass_verify_script_via_file
Definition options.h:544
const char * dev_type
Definition options.h:319
int persist_mode
Definition options.h:275
int ifconfig_pool_persist_refresh_freq
Definition options.h:496
bool show_digests
Definition options.h:279
const char * up_script
Definition options.h:385
int ce_advance_count
Definition options.h:302
bool single_session
Definition options.h:683
struct remote_host_store * rh_store
Definition options.h:312
int verify_hash_depth
Definition options.h:627
bool route_delay_defined
Definition options.h:436
const char * packet_id_file
Definition options.h:588
const char * tls_crypt_v2_file
Definition options.h:675
int management_log_history_cache
Definition options.h:452
uint32_t peer_id
Definition options.h:705
struct route_option_list * routes
Definition options.h:437
int keepalive_timeout
Definition options.h:343
bool fast_io
Definition options.h:411
bool block_outside_dns
Definition options.h:700
bool tls_exit
Definition options.h:687
bool show_engines
Definition options.h:280
HANDLE msg_channel
Definition options.h:695
const char * key_pass_file
Definition options.h:277
bool mute_replay_warnings
Definition options.h:585
unsigned int unsuccessful_attempts
Definition options.h:300
int handshake_window
Definition options.h:655
const char * ifconfig_local
Definition options.h:323
struct connection_entry ce
Definition options.h:290
bool user_script_used
Definition options.h:387
bool show_tls_ciphers
Definition options.h:281
struct tuntap_options tuntap_options
Definition options.h:371
struct verify_hash_list * verify_hash
Definition options.h:625
const char * tls_cert_profile
Definition options.h:613
int64_t renegotiate_packets
Definition options.h:649
unsigned int management_flags
Definition options.h:462
const char * route_default_gateway
Definition options.h:429
bool exit_event_initial_state
Definition options.h:697
struct static_challenge_info sc_info
Definition options.h:569
bool auth_token_call_auth
Definition options.h:546
int topology
Definition options.h:322
bool disable_dco
Definition options.h:374
const char * ncp_ciphers
Definition options.h:581
bool genkey
Definition options.h:283
const char * ciphername
Definition options.h:576
const char * auth_user_pass_file
Definition options.h:562
const char * username
Definition options.h:377
struct plugin_option_list * plugin_list
Definition options.h:465
int auth_token_lifetime
Definition options.h:547
int ns_cert_type
Definition options.h:622
const char * tls_crypt_v2_verify_script
Definition options.h:680
int mode
Definition options.h:262
bool tls_server
Definition options.h:595
const char * auth_user_pass_verify_script
Definition options.h:543
int connect_retry_max
Definition options.h:289
bool pull
Definition options.h:559
bool show_curves
Definition options.h:282
const char * route_ipv6_default_gateway
Definition options.h:430
bool tls_client
Definition options.h:596
bool auth_token_generate
Definition options.h:545
bool priv_key_file_inline
Definition options.h:607
const char * tls_verify
Definition options.h:615
const char * crl_file
Definition options.h:619
int ping_rec_timeout_action
Definition options.h:357
bool auth_user_pass_file_inline
Definition options.h:563
bool show_ciphers
Definition options.h:278
bool enable_ncp_fallback
If defined fall back to ciphername if NCP fails.
Definition options.h:577
const char * route_predown_script
Definition options.h:428
int route_delay_window
Definition options.h:435
bool mlock
Definition options.h:340
int sndbuf
Definition options.h:417
struct gc_arena gc
Definition options.h:253
bool down_pre
Definition options.h:388
bool persist_tun
Definition options.h:359
int route_default_table_id
Definition options.h:431
bool auth_token_secret_file_inline
Definition options.h:550
const char * config
Definition options.h:257
int keying_material_exporter_length
Definition options.h:709
bool mtu_test
Definition options.h:334
int verify_x509_type
Definition options.h:617
const char * cipher_list_tls13
Definition options.h:611
int status_file_update_freq
Definition options.h:408
const char * management_client_user
Definition options.h:456
const char * cipher_list
Definition options.h:610
bool ccd_exclusive
Definition options.h:509
const char * genkey_filename
Definition options.h:285
const struct x509_track * x509_track
Definition options.h:689
const char * chroot_dir
Definition options.h:379
bool log
Definition options.h:395
bool shared_secret_file_inline
Definition options.h:573
int renegotiate_seconds
Definition options.h:650
int ping_rec_timeout
Definition options.h:351
unsigned int sockflags
Definition options.h:424
const char * engine
Definition options.h:583
const char * management_addr
Definition options.h:449
const char * verify_x509_name
Definition options.h:618
int ping_send_timeout
Definition options.h:350
int route_delay
Definition options.h:434
const char * dev_node
Definition options.h:320
const char * client_crresponse_script
Definition options.h:507
struct route_ipv6_option_list * routes_ipv6
Definition options.h:438
int key_direction
Definition options.h:575
bool persist_remote_ip
Definition options.h:361
bool up_restart
Definition options.h:390
int keepalive_ping
Definition options.h:342
bool no_advance
Definition options.h:295
bool tls_crypt_v2_file_inline
Definition options.h:676
const char * groupname
Definition options.h:378
const char * cd_dir
Definition options.h:380
int nice
Definition options.h:398
int transition_window
Definition options.h:663
const char * ifconfig_remote_netmask
Definition options.h:324
const char * lladdr
Definition options.h:321
int verbosity
Definition options.h:399
enum tun_driver_type windows_driver
Definition options.h:701
int remap_sigusr1
Definition options.h:393
int64_t renegotiate_bytes
Definition options.h:648
const char * route_script
Definition options.h:427
const char * management_user_pass
Definition options.h:451
const char * shared_secret_file
Definition options.h:572
bool ifconfig_noexec
Definition options.h:328
const char * dev
Definition options.h:318
const char * management_client_group
Definition options.h:457
const char * client_config_dir
Definition options.h:508
enum genkey_type genkey_type
Definition options.h:284
bool advance_next_remote
Definition options.h:298
const char * ifconfig_pool_persist_filename
Definition options.h:495
int ifconfig_ipv6_netbits
Definition options.h:326
bool persist_local_ip
Definition options.h:360
struct openvpn_plugin_string_list * list[MAX_PLUGINS]
Definition plugin.h:106
char port[RH_PORT_LEN]
Definition options.h:231
char host[RH_HOST_LEN]
Definition options.h:229
struct gc_arena gc
Definition route.h:254
unsigned int flags
Definition route.h:113
struct gc_arena * gc
Definition route.h:115
struct gc_arena gc
Definition route.h:239
Wrapper struct to pass around SHA256 digests.
Definition crypto.h:133
const char * signal_text
Definition sig.h:44
volatile int signal_received
Definition sig.h:42
volatile int source
Definition sig.h:43
unsigned int flags
Definition status.h:52
struct frame frame
Definition ssl_pkt.h:81
struct buffer workbuf
Definition ssl_pkt.h:80
struct tls_wrap_ctx tls_wrap
Definition ssl_pkt.h:79
dco_context_t * dco
Definition ssl_common.h:726
char * peer_info
A multi-line string of general-purpose info received from peer over control channel.
Definition ssl_common.h:673
enum multi_status multi_state
Definition ssl_common.h:633
struct tls_options opt
Definition ssl_common.h:617
struct tls_session session[TM_SIZE]
Array of tls_session objects representing control channel sessions with the remote peer.
Definition ssl_common.h:712
uint32_t peer_id
Definition ssl_common.h:700
bool use_peer_id
Definition ssl_common.h:701
int64_t renegotiate_bytes
Definition ssl_common.h:343
struct key_ctx auth_token_key
Definition ssl_common.h:408
unsigned int auth_token_renewal
Definition ssl_common.h:406
struct env_set * es
Definition ssl_common.h:414
unsigned int auth_token_lifetime
Definition ssl_common.h:405
struct tls_wrap_ctx tls_wrap
TLS handshake wrapping state.
Definition ssl_common.h:388
size_t ekm_label_size
Definition ssl_common.h:452
unsigned int crypto_flags
Definition ssl_common.h:370
unsigned remote_cert_ku[MAX_PARMS]
Definition ssl_common.h:357
interval_t packet_timeout
Definition ssl_common.h:342
const char * auth_user_pass_file
Definition ssl_common.h:398
const char * client_crresponse_script
Definition ssl_common.h:394
const struct static_challenge_info * sci
Definition ssl_common.h:444
openvpn_net_ctx_t * net_ctx
Definition ssl_common.h:415
const char * tmp_dir
Definition ssl_common.h:396
interval_t renegotiate_seconds
Definition ssl_common.h:348
struct frame frame
Definition ssl_common.h:390
int64_t renegotiate_packets
Definition ssl_common.h:344
bool auth_user_pass_file_inline
Definition ssl_common.h:399
int verify_hash_depth
Definition ssl_common.h:360
const struct plugin_list * plugins
Definition ssl_common.h:416
const char * client_config_dir_exclusive
Definition ssl_common.h:411
bool tls_crypt_v2
Definition ssl_common.h:384
const char * export_peer_cert_dir
Definition ssl_common.h:397
const char * verify_command
Definition ssl_common.h:351
struct verify_hash_list * verify_hash
Definition ssl_common.h:359
const char * ekm_label
Definition ssl_common.h:451
size_t ekm_size
Definition ssl_common.h:453
char * x509_username_field[2]
Definition ssl_common.h:366
int transition_window
Definition ssl_common.h:340
const char * config_ciphername
Definition ssl_common.h:375
int verify_x509_type
Definition ssl_common.h:352
bool single_session
Definition ssl_common.h:326
bool data_epoch_supported
whether our underlying data channel supports new data channel features (epoch keys with AEAD tag at t...
Definition ssl_common.h:382
const char * verify_x509_name
Definition ssl_common.h:353
bool crl_file_inline
Definition ssl_common.h:355
const struct x509_track * x509_track
Definition ssl_common.h:441
bool verify_hash_no_ca
Definition ssl_common.h:361
struct man_def_auth_context * mda_context
Definition ssl_common.h:438
const char * tls_crypt_v2_verify_script
Definition ssl_common.h:385
struct tls_root_ctx ssl_ctx
Definition ssl_common.h:309
bool auth_user_pass_verify_script_via_file
Definition ssl_common.h:395
const char * config_ncp_ciphers
Definition ssl_common.h:376
unsigned int ssl_flags
Definition ssl_common.h:435
bool auth_token_generate
Generate auth-tokens on successful user/pass auth,seet via options->auth_token_generate.
Definition ssl_common.h:401
struct key_type key_type
Definition ssl_common.h:312
int push_peer_info_detail
The detail of info we push in peer info.
Definition ssl_common.h:339
hash_algo_type verify_hash_algo
Definition ssl_common.h:362
bool auth_token_call_auth
always call normal authentication
Definition ssl_common.h:404
const char * crl_file
Definition ssl_common.h:354
int handshake_window
Definition ssl_common.h:341
bool dco_enabled
Whether keys have to be installed in DCO or not.
Definition ssl_common.h:455
const char * auth_user_pass_verify_script
Definition ssl_common.h:393
const char * remote_cert_eku
Definition ssl_common.h:358
int replay_window
Definition ssl_common.h:372
Security parameter state of a single session within a VPN tunnel.
Definition ssl_common.h:490
struct crypto_options opt
Crypto state.
Definition ssl_common.h:283
enum tls_wrap_ctx::@28 mode
Control channel wrapping mode.
struct buffer work
Work buffer (only for –tls-crypt)
Definition ssl_common.h:284
struct key_ctx tls_crypt_v2_server_key
Decrypts client keys.
Definition ssl_common.h:285
const struct buffer * tls_crypt_v2_wkc
Wrapped client key, sent to server.
Definition ssl_common.h:286
struct key2 original_wrap_keydata
original key data to be xored in to the key for dynamic tls-crypt.
Definition ssl_common.h:299
HANDLE msg_channel
Definition tun.h:88
Definition tun.h:183
in_addr_t local
Definition tun.h:210
DWORD adapter_index
Definition tun.h:234
enum tun_driver_type backend_driver
The backend driver that used for this tun/tap device.
Definition tun.h:193
struct tuntap_options options
Definition tun.h:205
struct in6_addr local_ipv6
Definition tun.h:213
dco_context_t dco
Definition tun.h:249
char * actual_name
Definition tun.h:207
in_addr_t remote_netmask
Definition tun.h:211
char password[USER_PASS_LEN]
Definition misc.h:68
char username[USER_PASS_LEN]
Definition misc.h:67
#define srandom
Definition syshead.h:44
#define SOCKET_UNDEFINED
Definition syshead.h:438
#define sleep(x)
Definition syshead.h:42
struct env_set * es
struct gc_arena gc
Definition test_ssl.c:131
void open_tun(const char *dev, const char *dev_type, const char *dev_node, struct tuntap *tt, openvpn_net_ctx_t *ctx)
Definition tun.c:6421
int dev_type_enum(const char *dev, const char *dev_type)
Definition tun.c:520
void fork_register_dns_action(struct tuntap *tt)
Definition tun.c:5809
struct tuntap * init_tun(const char *dev, const char *dev_type, int topology, const char *ifconfig_local_parm, const char *ifconfig_remote_netmask_parm, const char *ifconfig_ipv6_local_parm, int ifconfig_ipv6_netbits_parm, const char *ifconfig_ipv6_remote_parm, struct addrinfo *local_public, struct addrinfo *remote_public, const bool strict_warn, struct env_set *es, openvpn_net_ctx_t *ctx, struct tuntap *tt)
Definition tun.c:829
bool is_dev_type(const char *dev, const char *dev_type, const char *match_type)
Definition tun.c:502
void do_ifconfig(struct tuntap *tt, const char *ifname, int tun_mtu, const struct env_set *es, openvpn_net_ctx_t *ctx)
do_ifconfig - configure the tunnel interface
Definition tun.c:1565
const char * dev_type_string(const char *dev, const char *dev_type)
Definition tun.c:539
void close_tun(struct tuntap *tt, openvpn_net_ctx_t *ctx)
Definition tun.c:6572
void show_adapters(msglvl_t msglevel)
Definition tun.c:4878
void warn_on_use_of_common_subnets(openvpn_net_ctx_t *ctx)
Definition tun.c:669
void init_tun_post(struct tuntap *tt, const struct frame *frame, const struct tuntap_options *options)
Definition tun.c:953
const char * guess_tuntap_dev(const char *dev, const char *dev_type, const char *dev_node, struct gc_arena *gc)
Definition tun.c:559
void do_ifconfig_setenv(const struct tuntap *tt, struct env_set *es)
Definition tun.c:785
void undo_ifconfig(struct tuntap *tt, openvpn_net_ctx_t *ctx)
undo_ifconfig - undo configuration of the tunnel interface
Definition tun.c:1654
void tun_standby_init(struct tuntap *tt)
Definition tun.c:5531
const char * print_tun_backend_driver(enum tun_driver_type driver)
Return a string representation of the tun backed driver type.
Definition tun.c:58
#define IFCONFIG_AFTER_TUN_OPEN
Definition tun.h:349
#define IFCONFIG_BEFORE_TUN_OPEN
Definition tun.h:348
static bool tuntap_is_dco_win(struct tuntap *tt)
Definition tun.h:532
@ DRIVER_NULL
Definition tun.h:52
@ DRIVER_GENERIC_TUNTAP
Definition tun.h:47
@ DRIVER_AFUNIX
using an AF_UNIX socket to pass packets from/to an external program.
Definition tun.h:51
@ DRIVER_DCO
Definition tun.h:53
#define ROUTE_AFTER_TUN
Definition tun.h:380
static int ifconfig_order(struct tuntap *tt)
Definition tun.h:354
static void open_tun_null(struct tuntap *tt)
Definition tun.h:634
static int route_order(struct tuntap *tt)
Definition tun.h:384
#define ROUTE_BEFORE_TUN
Definition tun.h:379
static bool is_tun_type_set(const struct tuntap *tt)
Definition tun.h:628
void tuncfg(const char *dev, const char *dev_type, const char *dev_node, int persist_mode, const char *username, const char *groupname, const struct tuntap_options *options, openvpn_net_ctx_t *ctx)
void open_tun_afunix(struct options *o, int mtu, struct tuntap *tt, struct env_set *orig_env)
Opens an AF_UNIX based tun device.
Definition tun_afunix.c:71
void close_tun_afunix(struct tuntap *tt)
Closes the socket used for the AF_UNIX based device.
Definition tun_afunix.c:123
static bool is_tun_afunix(const char *devnode)
Checks whether a –dev-node parameter specifies a AF_UNIX device.
Definition tun_afunix.h:61
void win32_signal_open(struct win32_signal *ws, int force, const char *exit_event_name, bool exit_event_initial_state)
Definition win32.c:452
bool win_wfp_block(const NET_IFINDEX index, const HANDLE msg_channel, BOOL dns_only)
Definition win32.c:1202
void window_title_generate(const char *title)
Definition win32.c:723
void window_title_save(struct window_title *wt)
Definition win32.c:697
bool win_wfp_uninit(const NET_IFINDEX index, const HANDLE msg_channel)
Definition win32.c:1251
void init_win32(void)
Definition win32.c:107
#define WSO_MODE_CONSOLE
Definition win32.h:159
#define WSO_FORCE_SERVICE
Definition win32.h:173
#define WSO_FORCE_CONSOLE
Definition win32.h:174