OpenVPN
init.c
Go to the documentation of this file.
1/*
2 * OpenVPN -- An application to securely tunnel IP networks
3 * over a single TCP/UDP port, with support for SSL/TLS-based
4 * session authentication and key exchange,
5 * packet encryption, packet authentication, and
6 * packet compression.
7 *
8 * Copyright (C) 2002-2025 OpenVPN Inc <sales@openvpn.net>
9 *
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License version 2
12 * as published by the Free Software Foundation.
13 *
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
18 *
19 * You should have received a copy of the GNU General Public License along
20 * with this program; if not, see <https://www.gnu.org/licenses/>.
21 */
22
23#ifdef HAVE_CONFIG_H
24#include "config.h"
25#endif
26
27#include "syshead.h"
28
29#ifdef ENABLE_SYSTEMD
30#include <systemd/sd-daemon.h>
31#endif
32
33#include "win32.h"
34#include "init.h"
35#include "run_command.h"
36#include "sig.h"
37#include "occ.h"
38#include "list.h"
39#include "otime.h"
40#include "pool.h"
41#include "gremlin.h"
42#include "occ.h"
43#include "pkcs11.h"
44#include "ps.h"
45#include "lladdr.h"
46#include "ping.h"
47#include "mstats.h"
48#include "ssl_verify.h"
49#include "ssl_ncp.h"
50#include "tls_crypt.h"
51#include "forward.h"
52#include "auth_token.h"
53#include "mss.h"
54#include "mudp.h"
55#include "dco.h"
56#include "tun_afunix.h"
57
58#include "memdbg.h"
59
60
61static struct context *static_context; /* GLOBAL */
62static const char *saved_pid_file_name; /* GLOBAL */
63
64/*
65 * Crypto initialization flags
66 */
67#define CF_LOAD_PERSISTED_PACKET_ID (1 << 0)
68#define CF_INIT_TLS_MULTI (1 << 1)
69#define CF_INIT_TLS_AUTH_STANDALONE (1 << 2)
70
71static void do_init_first_time(struct context *c);
72
73static bool do_deferred_p2p_ncp(struct context *c);
74
75void
76context_clear(struct context *c)
77{
78 CLEAR(*c);
79}
80
81void
82context_clear_1(struct context *c)
83{
84 CLEAR(c->c1);
85}
86
87void
88context_clear_2(struct context *c)
89{
90 CLEAR(c->c2);
91}
92
93void
94context_clear_all_except_first_time(struct context *c)
95{
96 const bool first_time_save = c->first_time;
97 const struct context_persist cpsave = c->persist;
98 context_clear(c);
99 c->first_time = first_time_save;
100 c->persist = cpsave;
101}
102
103/*
104 * Pass tunnel endpoint and MTU parms to a user-supplied script.
105 * Used to execute the up/down script/plugins.
106 */
107static void
108run_up_down(const char *command, const struct plugin_list *plugins, int plugin_type,
109 const char *arg,
110#ifdef _WIN32
111 DWORD adapter_index,
112#endif
113 const char *dev_type, int tun_mtu, const char *ifconfig_local,
114 const char *ifconfig_remote, const char *context, const char *signal_text,
115 const char *script_type, struct env_set *es)
116{
117 struct gc_arena gc = gc_new();
118
119 if (signal_text)
120 {
121 setenv_str(es, "signal", signal_text);
122 }
123 setenv_str(es, "script_context", context);
124 setenv_int(es, "tun_mtu", tun_mtu);
125 setenv_str(es, "dev", arg);
126 if (dev_type)
127 {
128 setenv_str(es, "dev_type", dev_type);
129 }
130#ifdef _WIN32
131 setenv_int(es, "dev_idx", adapter_index);
132#endif
133
134 if (!ifconfig_local)
135 {
136 ifconfig_local = "";
137 }
138 if (!ifconfig_remote)
139 {
140 ifconfig_remote = "";
141 }
142 if (!context)
143 {
144 context = "";
145 }
146
147 if (plugin_defined(plugins, plugin_type))
148 {
149 struct argv argv = argv_new();
150 ASSERT(arg);
151 argv_printf(&argv, "%s %d 0 %s %s %s", arg, tun_mtu, ifconfig_local, ifconfig_remote,
152 context);
153
154 if (plugin_call(plugins, plugin_type, &argv, NULL, es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
155 {
156 msg(M_FATAL, "ERROR: up/down plugin call failed");
157 }
158
159 argv_free(&argv);
160 }
161
162 if (command)
163 {
164 struct argv argv = argv_new();
165 ASSERT(arg);
166 setenv_str(es, "script_type", script_type);
167 argv_parse_cmd(&argv, command);
168 argv_printf_cat(&argv, "%s %d 0 %s %s %s", arg, tun_mtu, ifconfig_local, ifconfig_remote,
169 context);
170 argv_msg(M_INFO, &argv);
171 openvpn_run_script(&argv, es, S_FATAL, "--up/--down");
172 argv_free(&argv);
173 }
174
175 gc_free(&gc);
176}
177
178/*
179 * Should be called after options->ce is modified at the top
180 * of a SIGUSR1 restart.
181 */
182static void
183update_options_ce_post(struct options *options)
184{
185 /*
186 * In pull mode, we usually import --ping/--ping-restart parameters from
187 * the server. However we should also set an initial default --ping-restart
188 * for the period of time before we pull the --ping-restart parameter
189 * from the server.
190 */
191 if (options->pull && options->ping_rec_timeout_action == PING_UNDEF
192 && proto_is_dgram(options->ce.proto))
193 {
194 options->ping_rec_timeout = PRE_PULL_INITIAL_PING_RESTART;
195 options->ping_rec_timeout_action = PING_RESTART;
196 }
197}
198
199#ifdef ENABLE_MANAGEMENT
200static bool
201management_callback_proxy_cmd(void *arg, const char **p)
202{
203 struct context *c = arg;
204 struct connection_entry *ce = &c->options.ce;
205 struct gc_arena *gc = &c->c2.gc;
206 bool ret = false;
207
208 update_time();
209 if (streq(p[1], "NONE"))
210 {
211 ret = true;
212 }
213 else if (p[2] && p[3])
214 {
215 if (streq(p[1], "HTTP"))
216 {
217 struct http_proxy_options *ho;
218 if (ce->proto != PROTO_TCP && ce->proto != PROTO_TCP_CLIENT)
219 {
220 msg(M_WARN, "HTTP proxy support only works for TCP based connections");
221 return false;
222 }
223 ho = init_http_proxy_options_once(&ce->http_proxy_options, gc);
224 ho->server = string_alloc(p[2], gc);
225 ho->port = string_alloc(p[3], gc);
226 ho->auth_retry = (p[4] && streq(p[4], "nct") ? PAR_NCT : PAR_ALL);
227 ret = true;
228 }
229 else if (streq(p[1], "SOCKS"))
230 {
231 ce->socks_proxy_server = string_alloc(p[2], gc);
232 ce->socks_proxy_port = string_alloc(p[3], gc);
233 ret = true;
234 }
235 }
236 else
237 {
238 msg(M_WARN, "Bad proxy command");
239 }
240
241 ce->flags &= ~CE_MAN_QUERY_PROXY;
242
243 return ret;
244}
245
246static bool
247ce_management_query_proxy(struct context *c)
248{
249 const struct connection_list *l = c->options.connection_list;
250 struct connection_entry *ce = &c->options.ce;
251 struct gc_arena gc;
252 bool ret = true;
253
254 update_time();
255 if (management)
256 {
257 gc = gc_new();
258 {
259 struct buffer out = alloc_buf_gc(256, &gc);
260 buf_printf(&out, ">PROXY:%u,%s,%s", (l ? l->current : 0) + 1,
261 (proto_is_udp(ce->proto) ? "UDP" : "TCP"), np(ce->remote));
262 management_notify_generic(management, BSTR(&out));
263 management->persist.special_state_msg = BSTR(&out);
264 }
265 ce->flags |= CE_MAN_QUERY_PROXY;
266 while (ce->flags & CE_MAN_QUERY_PROXY)
267 {
268 management_event_loop_n_seconds(management, 1);
269 if (IS_SIG(c))
270 {
271 ret = false;
272 break;
273 }
274 }
275 management->persist.special_state_msg = NULL;
276 gc_free(&gc);
277 }
278
279 return ret;
280}
281
296static bool
297management_callback_send_cc_message(void *arg, const char *command, const char *parameters)
298{
299 struct context *c = (struct context *)arg;
300 size_t len = strlen(command) + 1 + strlen(parameters) + 1;
301 if (len > PUSH_BUNDLE_SIZE)
302 {
303 return false;
304 }
305
306 struct gc_arena gc = gc_new();
307 struct buffer buf = alloc_buf_gc(len, &gc);
308 ASSERT(buf_printf(&buf, "%s", command));
309 if (parameters)
310 {
311 ASSERT(buf_printf(&buf, ",%s", parameters));
312 }
313 bool status = send_control_channel_string(c, BSTR(&buf), D_PUSH);
314
315 gc_free(&gc);
316 return status;
317}
318
319static unsigned int
320management_callback_remote_entry_count(void *arg)
321{
322 ASSERT(arg);
323 struct context *c = (struct context *)arg;
324 struct connection_list *l = c->options.connection_list;
325
326 return l->len;
327}
328
329static bool
330management_callback_remote_entry_get(void *arg, unsigned int index, char **remote)
331{
332 ASSERT(arg);
333 ASSERT(remote);
334
335 struct context *c = (struct context *)arg;
336 struct connection_list *l = c->options.connection_list;
337 bool ret = true;
338
339 if (index < l->len)
340 {
341 struct connection_entry *ce = l->array[index];
342 const char *proto = proto2ascii(ce->proto, ce->af, false);
343 const char *status = (ce->flags & CE_DISABLED) ? "disabled" : "enabled";
344
345 /* space for output including 3 commas and a nul */
346 size_t len =
347 strlen(ce->remote) + strlen(ce->remote_port) + strlen(proto) + strlen(status) + 3 + 1;
348 char *out = malloc(len);
349 check_malloc_return(out);
350
351 snprintf(out, len, "%s,%s,%s,%s", ce->remote, ce->remote_port, proto, status);
352 *remote = out;
353 }
354 else
355 {
356 ret = false;
357 msg(M_WARN, "Out of bounds index in management query for remote entry: index = %u", index);
358 }
359
360 return ret;
361}
362
363static bool
364management_callback_remote_cmd(void *arg, const char **p)
365{
366 struct context *c = (struct context *)arg;
367 struct connection_entry *ce = &c->options.ce;
368 int ret = false;
369 if (p[1]
370 && ((ce->flags >> CE_MAN_QUERY_REMOTE_SHIFT) & CE_MAN_QUERY_REMOTE_MASK)
371 == CE_MAN_QUERY_REMOTE_QUERY)
372 {
373 unsigned int flags = 0;
374 if (!strcmp(p[1], "ACCEPT"))
375 {
376 flags = CE_MAN_QUERY_REMOTE_ACCEPT;
377 ret = true;
378 }
379 else if (!strcmp(p[1], "SKIP"))
380 {
381 flags = CE_MAN_QUERY_REMOTE_SKIP;
382 ret = true;
383 c->options.ce_advance_count = (p[2]) ? atoi(p[2]) : 1;
384 }
385 else if (!strcmp(p[1], "MOD") && p[2] && p[3])
386 {
387 if (strlen(p[2]) < RH_HOST_LEN && strlen(p[3]) < RH_PORT_LEN)
388 {
389 struct remote_host_store *rhs = c->options.rh_store;
390 if (!rhs)
391 {
392 ALLOC_OBJ_CLEAR_GC(rhs, struct remote_host_store, &c->options.gc);
393 c->options.rh_store = rhs;
394 }
395 strncpynt(rhs->host, p[2], RH_HOST_LEN);
396 strncpynt(rhs->port, p[3], RH_PORT_LEN);
397
398 ce->remote = rhs->host;
399 ce->remote_port = rhs->port;
400 flags = CE_MAN_QUERY_REMOTE_MOD;
401 ret = true;
402 }
403 }
404 if (ret)
405 {
406 ce->flags &= ~(CE_MAN_QUERY_REMOTE_MASK << CE_MAN_QUERY_REMOTE_SHIFT);
407 ce->flags |= ((flags & CE_MAN_QUERY_REMOTE_MASK) << CE_MAN_QUERY_REMOTE_SHIFT);
408 }
409 }
410 return ret;
411}
412
413static bool
414ce_management_query_remote(struct context *c)
415{
416 struct gc_arena gc = gc_new();
417 volatile struct connection_entry *ce = &c->options.ce;
418 int ce_changed = true; /* presume the connection entry will be changed */
419
420 update_time();
421 if (management)
422 {
423 struct buffer out = alloc_buf_gc(256, &gc);
424
425 buf_printf(&out, ">REMOTE:%s,%s,%s", np(ce->remote), ce->remote_port,
426 proto2ascii(ce->proto, ce->af, false));
427 management_notify_generic(management, BSTR(&out));
428 management->persist.special_state_msg = BSTR(&out);
429
430 ce->flags &= ~(CE_MAN_QUERY_REMOTE_MASK << CE_MAN_QUERY_REMOTE_SHIFT);
431 ce->flags |= (CE_MAN_QUERY_REMOTE_QUERY << CE_MAN_QUERY_REMOTE_SHIFT);
432 while (((ce->flags >> CE_MAN_QUERY_REMOTE_SHIFT) & CE_MAN_QUERY_REMOTE_MASK)
433 == CE_MAN_QUERY_REMOTE_QUERY)
434 {
435 management_event_loop_n_seconds(management, 1);
436 if (IS_SIG(c))
437 {
438 ce_changed = false; /* connection entry have not been set */
439 break;
440 }
441 }
442 management->persist.special_state_msg = NULL;
443 }
444 gc_free(&gc);
445
446 if (ce_changed)
447 {
448 /* If it is likely a connection entry was modified,
449 * check what changed in the flags and that it was not skipped
450 */
451 const int flags = ((ce->flags >> CE_MAN_QUERY_REMOTE_SHIFT) & CE_MAN_QUERY_REMOTE_MASK);
452 ce_changed = (flags != CE_MAN_QUERY_REMOTE_SKIP);
453 }
454 return ce_changed;
455}
456#endif /* ENABLE_MANAGEMENT */
457
458#if defined(__GNUC__) || defined(__clang__)
459#pragma GCC diagnostic push
460#pragma GCC diagnostic ignored "-Wconversion"
461#endif
462
463/*
464 * Initialize and possibly randomize the connection list.
465 *
466 * Applies the Fisher-Yates shuffle algorithm to ensure all permutations
467 * are equally probable, thereby eliminating shuffling bias.
468 *
469 * The algorithm randomly selects an element from the unshuffled portion
470 * and places it at position i. There's only one way to obtain each
471 * permutation through these swaps. This guarantees that each permutation
472 * occurs with equal probability in theory.
473 */
474static void
475init_connection_list(struct context *c)
476{
477 struct connection_list *l = c->options.connection_list;
478
479 l->current = -1;
480 if (c->options.remote_random)
481 {
482 int i;
483 for (i = l->len - 1; i > 0; --i)
484 {
485 const int j = get_random() % (i + 1);
486 if (i != j)
487 {
488 struct connection_entry *tmp;
489 tmp = l->array[i];
490 l->array[i] = l->array[j];
491 l->array[j] = tmp;
492 }
493 }
494 }
495}
496
497/*
498 * Clear the remote address list
499 */
500static void
501clear_remote_addrlist(struct link_socket_addr *lsa, bool free)
502{
503 if (lsa->remote_list && free)
504 {
505 freeaddrinfo(lsa->remote_list);
506 }
507 lsa->remote_list = NULL;
508 lsa->current_remote = NULL;
509}
510
511/*
512 * Increment to next connection entry
513 */
514static void
515next_connection_entry(struct context *c)
516{
517 struct connection_list *l = c->options.connection_list;
518 bool ce_defined;
519 struct connection_entry *ce;
520 int n_cycles = 0;
521
522 do
523 {
524 ce_defined = true;
525 if (c->options.no_advance && l->current >= 0)
526 {
527 c->options.no_advance = false;
528 }
529 else
530 {
531 /* Check if there is another resolved address to try for
532 * the current connection */
533 if (c->c1.link_socket_addrs[0].current_remote
534 && c->c1.link_socket_addrs[0].current_remote->ai_next
535 && !c->options.advance_next_remote)
536 {
537 c->c1.link_socket_addrs[0].current_remote =
538 c->c1.link_socket_addrs[0].current_remote->ai_next;
539 }
540 else
541 {
542 c->options.advance_next_remote = false;
543 /* FIXME (schwabe) fix the persist-remote-ip option for real,
544 * this is broken probably ever since connection lists and multiple
545 * remote existed
546 */
547 if (!c->options.persist_remote_ip)
548 {
549 /* Connection entry addrinfo objects might have been
550 * resolved earlier but the entry itself might have been
551 * skipped by management on the previous loop.
552 * If so, clear the addrinfo objects as close_instance does
553 */
554 if (c->c1.link_socket_addrs[0].remote_list)
555 {
556 clear_remote_addrlist(&c->c1.link_socket_addrs[0],
557 !c->options.resolve_in_advance);
558 }
559
560 /* close_instance should have cleared the addrinfo objects */
561 ASSERT(c->c1.link_socket_addrs[0].current_remote == NULL);
562 ASSERT(c->c1.link_socket_addrs[0].remote_list == NULL);
563 }
564 else
565 {
566 c->c1.link_socket_addrs[0].current_remote =
567 c->c1.link_socket_addrs[0].remote_list;
568 }
569
570 int advance_count = 1;
571
572 /* If previous connection entry was skipped by management client
573 * with a count to advance by, apply it.
574 */
575 if (c->options.ce_advance_count > 0)
576 {
577 advance_count = c->options.ce_advance_count;
578 }
579
580 /*
581 * Increase the number of connection attempts
582 * If this is connect-retry-max * size(l)
583 * OpenVPN will quit
584 */
585
586 c->options.unsuccessful_attempts += advance_count;
587 l->current += advance_count;
588
589 if (l->current >= l->len)
590 {
591 l->current %= l->len;
592 if (++n_cycles >= 2)
593 {
594 msg(M_FATAL, "No usable connection profiles are present");
595 }
596 }
597 }
598 }
599
600 c->options.ce_advance_count = 1;
601 ce = l->array[l->current];
602
603 if (ce->flags & CE_DISABLED)
604 {
605 ce_defined = false;
606 }
607
608 c->options.ce = *ce;
609
610#ifdef ENABLE_MANAGEMENT
611 if (ce_defined && management && management_query_remote_enabled(management))
612 {
613 /* allow management interface to override connection entry details */
614 ce_defined = ce_management_query_remote(c);
615 if (IS_SIG(c))
616 {
617 break;
618 }
619 }
620 else if (ce_defined && management && management_query_proxy_enabled(management))
621 {
622 ce_defined = ce_management_query_proxy(c);
623 if (IS_SIG(c))
624 {
625 break;
626 }
627 }
628#endif
629 } while (!ce_defined);
630
631 /* Check if this connection attempt would bring us over the limit */
632 if (c->options.connect_retry_max > 0
633 && c->options.unsuccessful_attempts > (l->len * c->options.connect_retry_max))
634 {
635 msg(M_FATAL, "All connections have been connect-retry-max (%d) times unsuccessful, exiting",
636 c->options.connect_retry_max);
637 }
638 update_options_ce_post(&c->options);
639}
640
641/*
642 * Query for private key and auth-user-pass username/passwords
643 */
644void
645init_query_passwords(const struct context *c)
646{
647 /* Certificate password input */
648 if (c->options.key_pass_file)
649 {
650 pem_password_setup(c->options.key_pass_file);
651 }
652
653 /* Auth user/pass input */
654 if (c->options.auth_user_pass_file)
655 {
656 enable_auth_user_pass();
657#ifdef ENABLE_MANAGEMENT
658 auth_user_pass_setup(c->options.auth_user_pass_file, c->options.auth_user_pass_file_inline,
659 &c->options.sc_info);
660#else
661 auth_user_pass_setup(c->options.auth_user_pass_file, c->options.auth_user_pass_file_inline,
662 NULL);
663#endif
664 }
665}
666
667/*
668 * Initialize/Uninitialize HTTP or SOCKS proxy
669 */
670
671static void
672uninit_proxy_dowork(struct context *c)
673{
674 if (c->c1.http_proxy_owned && c->c1.http_proxy)
675 {
676 http_proxy_close(c->c1.http_proxy);
677 c->c1.http_proxy = NULL;
678 c->c1.http_proxy_owned = false;
679 }
680 if (c->c1.socks_proxy_owned && c->c1.socks_proxy)
681 {
682 socks_proxy_close(c->c1.socks_proxy);
683 c->c1.socks_proxy = NULL;
684 c->c1.socks_proxy_owned = false;
685 }
686}
687
688static void
689init_proxy_dowork(struct context *c)
690{
691 bool did_http = false;
692
693 uninit_proxy_dowork(c);
694
695 if (c->options.ce.http_proxy_options)
696 {
697 c->options.ce.http_proxy_options->first_time = c->first_time;
698
699 /* Possible HTTP proxy user/pass input */
700 c->c1.http_proxy = http_proxy_new(c->options.ce.http_proxy_options);
701 if (c->c1.http_proxy)
702 {
703 did_http = true;
704 c->c1.http_proxy_owned = true;
705 }
706 }
707
708 if (!did_http && c->options.ce.socks_proxy_server)
709 {
710 c->c1.socks_proxy =
711 socks_proxy_new(c->options.ce.socks_proxy_server, c->options.ce.socks_proxy_port,
712 c->options.ce.socks_proxy_authfile);
713 if (c->c1.socks_proxy)
714 {
715 c->c1.socks_proxy_owned = true;
716 }
717 }
718}
719
720static void
721init_proxy(struct context *c)
722{
723 init_proxy_dowork(c);
724}
725
726static void
727uninit_proxy(struct context *c)
728{
729 uninit_proxy_dowork(c);
730}
731
732static void
738
739void
740context_init_1(struct context *c)
741{
742 context_clear_1(c);
743
744 packet_id_persist_init(&c->c1.pid_persist);
745
746 init_connection_list(c);
747
748 c->c1.link_sockets_num = c->options.ce.local_list->len;
749
750 do_link_socket_addr_new(c);
751
752#if defined(ENABLE_PKCS11)
753 if (c->first_time)
754 {
755 int i;
756 pkcs11_initialize(true, c->options.pkcs11_pin_cache_period);
757 for (i = 0; i < MAX_PARMS && c->options.pkcs11_providers[i] != NULL; i++)
758 {
759 pkcs11_addProvider(
760 c->options.pkcs11_providers[i], c->options.pkcs11_protected_authentication[i],
761 c->options.pkcs11_private_mode[i], c->options.pkcs11_cert_private[i]);
762 }
763 }
764#endif
765
766#if 0 /* test get_user_pass with GET_USER_PASS_NEED_OK flag */
767 {
768 /*
769 * In the management interface, you can okay the request by entering "needok token-insertion-request ok"
770 */
771 struct user_pass up;
772 CLEAR(up);
773 strcpy(up.username, "Please insert your cryptographic token"); /* put the high-level message in up.username */
774 get_user_pass(&up, NULL, "token-insertion-request", GET_USER_PASS_MANAGEMENT|GET_USER_PASS_NEED_OK);
775 msg(M_INFO, "RET:%s", up.password); /* will return the third argument to management interface
776 * 'needok' command, usually 'ok' or 'cancel'. */
777 }
778#endif
779
780#ifdef ENABLE_SYSTEMD
781 /* We can report the PID via getpid() to systemd here as OpenVPN will not
782 * do any fork due to daemon() a future call.
783 * See possibly_become_daemon() [init.c] for more details.
784 */
785 sd_notifyf(0, "READY=1\nSTATUS=Pre-connection initialization successful\nMAINPID=%lu",
786 (unsigned long)getpid());
787#endif
788}
789
790void
791context_gc_free(struct context *c)
792{
793 gc_free(&c->c2.gc);
794 gc_free(&c->options.gc);
795 gc_free(&c->gc);
796}
797
798#if PORT_SHARE
799
800static void
801close_port_share(void)
802{
803 if (port_share)
804 {
805 port_share_close(port_share);
806 port_share = NULL;
807 }
808}
809
810static void
811init_port_share(struct context *c)
812{
813 if (!port_share && (c->options.port_share_host && c->options.port_share_port))
814 {
815 port_share =
816 port_share_open(c->options.port_share_host, c->options.port_share_port,
817 c->c2.frame.buf.payload_size, c->options.port_share_journal_dir);
818 if (port_share == NULL)
819 {
820 msg(M_FATAL, "Fatal error: Port sharing failed");
821 }
822 }
823}
824
825#endif /* if PORT_SHARE */
826
827
828bool
829init_static(void)
830{
831#if defined(DMALLOC)
832 crypto_init_dmalloc();
833#endif
834
835
836 /*
837 * Initialize random number seed. random() is only used
838 * when "weak" random numbers are acceptable.
839 * SSL library routines are always used when cryptographically
840 * strong random numbers are required.
841 */
842 struct timeval tv;
843 if (!gettimeofday(&tv, NULL))
844 {
845 const unsigned int seed = (unsigned int)tv.tv_sec ^ tv.tv_usec;
846 srandom(seed);
847 }
848
849 error_reset(); /* initialize error.c */
850 reset_check_status(); /* initialize status check code in socket.c */
851
852#ifdef _WIN32
853 init_win32();
854#endif
855
856#ifdef OPENVPN_DEBUG_COMMAND_LINE
857 {
858 int i;
859 for (i = 0; i < argc; ++i)
860 {
861 msg(M_INFO, "argv[%d] = '%s'", i, argv[i]);
862 }
863 }
864#endif
865
866 update_time();
867
868 init_ssl_lib();
869
870#ifdef SCHEDULE_TEST
871 schedule_test();
872 return false;
873#endif
874
875#ifdef IFCONFIG_POOL_TEST
876 ifconfig_pool_test(0x0A010004, 0x0A0100FF);
877 return false;
878#endif
879
880#ifdef TIME_TEST
881 time_test();
882 return false;
883#endif
884
885#ifdef GEN_PATH_TEST
886 {
887 struct gc_arena gc = gc_new();
888 const char *fn = gen_path("foo", "bar", &gc);
889 printf("%s\n", fn);
890 gc_free(&gc);
891 }
892 return false;
893#endif
894
895#ifdef STATUS_PRINTF_TEST
896 {
897 struct gc_arena gc = gc_new();
898 const char *tmp_file = platform_create_temp_file("/tmp", "foo", &gc);
899 struct status_output *so = status_open(tmp_file, 0, -1, NULL, STATUS_OUTPUT_WRITE);
900 status_printf(so, "%s", "foo");
901 status_printf(so, "%s", "bar");
902 if (!status_close(so))
903 {
904 msg(M_WARN, "STATUS_PRINTF_TEST: %s: write error", tmp_file);
905 }
906 gc_free(&gc);
907 }
908 return false;
909#endif
910
911#ifdef MSTATS_TEST
912 {
913 int i;
914 mstats_open("/dev/shm/mstats.dat");
915 for (i = 0; i < 30; ++i)
916 {
917 mmap_stats->n_clients += 1;
918 mmap_stats->link_write_bytes += 8;
919 mmap_stats->link_read_bytes += 16;
920 sleep(1);
921 }
922 mstats_close();
923 return false;
924 }
925#endif
926
927 return true;
928}
929
930void
931uninit_static(void)
932{
933 free_ssl_lib();
934
935#ifdef ENABLE_PKCS11
936 pkcs11_terminate();
937#endif
938
939#if PORT_SHARE
940 close_port_share();
941#endif
942
943#if defined(MEASURE_TLS_HANDSHAKE_STATS)
944 show_tls_performance_stats();
945#endif
946}
947
948void
949init_verb_mute(struct context *c, unsigned int flags)
950{
951 if (flags & IVM_LEVEL_1)
952 {
953 /* set verbosity and mute levels */
954 set_check_status(D_LINK_ERRORS, D_READ_WRITE);
955 set_debug_level(c->options.verbosity, SDL_CONSTRAIN);
956 set_mute_cutoff(c->options.mute);
957 }
958
959 /* special D_LOG_RW mode */
960 if (flags & IVM_LEVEL_2)
961 {
962 c->c2.log_rw = (check_debug_level(D_LOG_RW) && !check_debug_level(D_LOG_RW + 1));
963 }
964}
965
966/*
967 * Possibly set --dev based on --dev-node.
968 * For example, if --dev-node /tmp/foo/tun, and --dev undefined,
969 * set --dev to tun.
970 */
971void
972init_options_dev(struct options *options)
973{
974 if (!options->dev && options->dev_node)
975 {
976 /* POSIX basename() implementations may modify its arguments */
977 char *dev_node = string_alloc(options->dev_node, NULL);
978 options->dev = basename(dev_node);
979 }
980}
981
982bool
983print_openssl_info(const struct options *options)
984{
985 /*
986 * OpenSSL info print mode?
987 */
988 if (options->show_ciphers || options->show_digests || options->show_engines
989 || options->show_tls_ciphers || options->show_curves)
990 {
991 if (options->show_ciphers)
992 {
993 show_available_ciphers();
994 }
995 if (options->show_digests)
996 {
997 show_available_digests();
998 }
999 if (options->show_engines)
1000 {
1001 show_available_engines();
1002 }
1003 if (options->show_tls_ciphers)
1004 {
1005 show_available_tls_ciphers(options->cipher_list, options->cipher_list_tls13,
1006 options->tls_cert_profile);
1007 }
1008 if (options->show_curves)
1009 {
1010 show_available_curves();
1011 }
1012 return true;
1013 }
1014 return false;
1015}
1016
1017/*
1018 * Static pre-shared key generation mode?
1019 */
1020bool
1021do_genkey(const struct options *options)
1022{
1023 /* should we disable paging? */
1024 if (options->mlock && (options->genkey))
1025 {
1026 platform_mlockall(true);
1027 }
1028
1029 /*
1030 * We do not want user to use --genkey with --secret. In the transistion
1031 * phase we for secret.
1032 */
1033 if (options->genkey && options->genkey_type != GENKEY_SECRET && options->shared_secret_file)
1034 {
1035 msg(M_USAGE, "Using --genkey type with --secret filename is "
1036 "not supported. Use --genkey type filename instead.");
1037 }
1038 if (options->genkey && options->genkey_type == GENKEY_SECRET)
1039 {
1040 int nbits_written;
1041 const char *genkey_filename = options->genkey_filename;
1042 if (options->shared_secret_file && options->genkey_filename)
1043 {
1044 msg(M_USAGE, "You must provide a filename to either --genkey "
1045 "or --secret, not both");
1046 }
1047
1048 /*
1049 * Copy filename from shared_secret_file to genkey_filename to support
1050 * the old --genkey --secret foo.file syntax.
1051 */
1052 if (options->shared_secret_file)
1053 {
1054 msg(M_WARN, "WARNING: Using --genkey --secret filename is "
1055 "DEPRECATED. Use --genkey secret filename instead.");
1056 genkey_filename = options->shared_secret_file;
1057 }
1058
1059 nbits_written = write_key_file(2, genkey_filename);
1060 if (nbits_written < 0)
1061 {
1062 msg(M_FATAL, "Failed to write key file");
1063 }
1064
1065 msg(D_GENKEY | M_NOPREFIX, "Randomly generated %d bit key written to %s", nbits_written,
1066 options->shared_secret_file);
1067 return true;
1068 }
1069 else if (options->genkey && options->genkey_type == GENKEY_TLS_CRYPTV2_SERVER)
1070 {
1071 tls_crypt_v2_write_server_key_file(options->genkey_filename);
1072 return true;
1073 }
1074 else if (options->genkey && options->genkey_type == GENKEY_TLS_CRYPTV2_CLIENT)
1075 {
1076 if (!options->tls_crypt_v2_file)
1077 {
1078 msg(M_USAGE,
1079 "--genkey tls-crypt-v2-client requires a server key to be set via --tls-crypt-v2 to create a client key");
1080 }
1081
1082 tls_crypt_v2_write_client_key_file(options->genkey_filename, options->genkey_extra_data,
1083 options->tls_crypt_v2_file,
1084 options->tls_crypt_v2_file_inline);
1085 return true;
1086 }
1087 else if (options->genkey && options->genkey_type == GENKEY_AUTH_TOKEN)
1088 {
1089 auth_token_write_server_key_file(options->genkey_filename);
1090 return true;
1091 }
1092 else
1093 {
1094 return false;
1095 }
1096}
1097
1098/*
1099 * Persistent TUN/TAP device management mode?
1100 */
1101bool
1102do_persist_tuntap(struct options *options, openvpn_net_ctx_t *ctx)
1103{
1104 if (!options->persist_config)
1105 {
1106 return false;
1107 }
1108
1109 /* sanity check on options for --mktun or --rmtun */
1110 notnull(options->dev, "TUN/TAP device (--dev)");
1111 if (options->ce.remote || options->ifconfig_local || options->ifconfig_remote_netmask
1112 || options->shared_secret_file || options->tls_server || options->tls_client)
1113 {
1114 msg(M_FATAL | M_OPTERR,
1115 "options --mktun or --rmtun should only be used together with --dev");
1116 }
1117
1118#if defined(ENABLE_DCO)
1119 if (dco_enabled(options))
1120 {
1121 /* creating a DCO interface via --mktun is not supported as it does not
1122 * make much sense. Since DCO is enabled by default, people may run into
1123 * this without knowing, therefore this case should be properly handled.
1124 *
1125 * Disable DCO if --mktun was provided and print a message to let
1126 * user know.
1127 */
1128 if (dev_type_enum(options->dev, options->dev_type) == DEV_TYPE_TUN)
1129 {
1130 msg(M_WARN, "Note: --mktun does not support DCO. Creating TUN interface.");
1131 }
1132
1133 options->disable_dco = true;
1134 }
1135#endif
1136
1137#ifdef ENABLE_FEATURE_TUN_PERSIST
1138 tuncfg(options->dev, options->dev_type, options->dev_node, options->persist_mode,
1139 options->username, options->groupname, &options->tuntap_options, ctx);
1140 if (options->persist_mode && options->lladdr)
1141 {
1142 set_lladdr(ctx, options->dev, options->lladdr, NULL);
1143 }
1144 return true;
1145#else /* ifdef ENABLE_FEATURE_TUN_PERSIST */
1146 msg(M_FATAL | M_OPTERR,
1147 "options --mktun and --rmtun are not available on your operating "
1148 "system. Please check 'man tun' (or 'tap'), whether your system "
1149 "supports using 'ifconfig %s create' / 'destroy' to create/remove "
1150 "persistent tunnel interfaces.",
1151 options->dev);
1152#endif
1153 return false;
1154}
1155
1156/*
1157 * Should we become a daemon?
1158 * Return true if we did it.
1159 */
1160bool
1161possibly_become_daemon(const struct options *options)
1162{
1163 bool ret = false;
1164
1165#ifdef ENABLE_SYSTEMD
1166 /* return without forking if we are running from systemd */
1167 if (sd_notify(0, "READY=0") > 0)
1168 {
1169 return ret;
1170 }
1171#endif
1172
1173 if (options->daemon)
1174 {
1175 /* Don't chdir immediately, but the end of the init sequence, if needed */
1176
1177#if defined(__APPLE__) && defined(__clang__)
1178#pragma clang diagnostic push
1179#pragma clang diagnostic ignored "-Wdeprecated-declarations"
1180#endif
1181 if (daemon(1, options->log) < 0)
1182 {
1183 msg(M_ERR, "daemon() failed or unsupported");
1184 }
1185#if defined(__APPLE__) && defined(__clang__)
1186#pragma clang diagnostic pop
1187#endif
1188 restore_signal_state();
1189 if (options->log)
1190 {
1191 set_std_files_to_null(true);
1192 }
1193
1194 ret = true;
1195 }
1196 return ret;
1197}
1198
1199/*
1200 * Actually do UID/GID downgrade, chroot and SELinux context switching, if requested.
1201 */
1202static void
1203do_uid_gid_chroot(struct context *c, bool no_delay)
1204{
1205 static const char why_not[] = "will be delayed because of --client, --pull, or --up-delay";
1206 struct context_0 *c0 = c->c0;
1207
1208 if (c0 && !c0->uid_gid_chroot_set)
1209 {
1210 /* chroot if requested */
1211 if (c->options.chroot_dir)
1212 {
1213 if (no_delay)
1214 {
1215 platform_chroot(c->options.chroot_dir);
1216 }
1217 else if (c->first_time)
1218 {
1219 msg(M_INFO, "NOTE: chroot %s", why_not);
1220 }
1221 }
1222
1223 /* set user and/or group if we want to setuid/setgid */
1224 if (c0->uid_gid_specified)
1225 {
1226 if (no_delay)
1227 {
1228 platform_user_group_set(&c0->platform_state_user, &c0->platform_state_group, c);
1229 }
1230 else if (c->first_time)
1231 {
1232 msg(M_INFO, "NOTE: UID/GID downgrade %s", why_not);
1233 }
1234 }
1235
1236#ifdef ENABLE_MEMSTATS
1237 if (c->first_time && c->options.memstats_fn)
1238 {
1239 mstats_open(c->options.memstats_fn);
1240 }
1241#endif
1242
1243#ifdef ENABLE_SELINUX
1244 /* Apply a SELinux context in order to restrict what OpenVPN can do
1245 * to _only_ what it is supposed to do after initialization is complete
1246 * (basically just network I/O operations). Doing it after chroot
1247 * requires /proc to be mounted in the chroot (which is annoying indeed
1248 * but doing it before requires more complex SELinux policies.
1249 */
1250 if (c->options.selinux_context)
1251 {
1252 if (no_delay)
1253 {
1254 if (-1 == setcon(c->options.selinux_context))
1255 {
1256 msg(M_ERR, "setcon to '%s' failed; is /proc accessible?",
1257 c->options.selinux_context);
1258 }
1259 else
1260 {
1261 msg(M_INFO, "setcon to '%s' succeeded", c->options.selinux_context);
1262 }
1263 }
1264 else if (c->first_time)
1265 {
1266 msg(M_INFO, "NOTE: setcon %s", why_not);
1267 }
1268 }
1269#endif
1270
1271 /* Privileges are going to be dropped by now (if requested), be sure
1272 * to prevent any future privilege dropping attempts from now on.
1273 */
1274 if (no_delay)
1275 {
1276 c0->uid_gid_chroot_set = true;
1277 }
1278 }
1279}
1280
1281/*
1282 * Return common name in a way that is formatted for
1283 * prepending to msg() output.
1284 */
1285const char *
1286format_common_name(struct context *c, struct gc_arena *gc)
1287{
1288 struct buffer out = alloc_buf_gc(256, gc);
1289 if (c->c2.tls_multi)
1290 {
1291 buf_printf(&out, "[%s] ", tls_common_name(c->c2.tls_multi, false));
1292 }
1293 return BSTR(&out);
1294}
1295
1296void
1297pre_setup(const struct options *options)
1298{
1299#ifdef _WIN32
1300 if (options->exit_event_name)
1301 {
1302 win32_signal_open(&win32_signal, WSO_FORCE_SERVICE, options->exit_event_name,
1303 options->exit_event_initial_state);
1304 }
1305 else
1306 {
1307 win32_signal_open(&win32_signal, WSO_FORCE_CONSOLE, NULL, false);
1308
1309 /* put a title on the top window bar */
1310 if (win32_signal.mode == WSO_MODE_CONSOLE)
1311 {
1312 window_title_save(&window_title);
1313 window_title_generate(options->config);
1314 }
1315 }
1316#endif /* ifdef _WIN32 */
1317}
1318
1319void
1320reset_coarse_timers(struct context *c)
1321{
1322 c->c2.coarse_timer_wakeup = 0;
1323}
1324
1325/*
1326 * Initialise the server poll timeout timer
1327 * This timer is used in the http/socks proxy setup so it needs to be setup
1328 * before
1329 */
1330static void
1331do_init_server_poll_timeout(struct context *c)
1332{
1333 update_time();
1334 if (c->options.ce.connect_timeout)
1335 {
1336 event_timeout_init(&c->c2.server_poll_interval, c->options.ce.connect_timeout, now);
1337 }
1338}
1339
1340/*
1341 * Initialize timers
1342 */
1343static void
1344do_init_timers(struct context *c, bool deferred)
1345{
1346 update_time();
1347 reset_coarse_timers(c);
1348
1349 /* initialize inactivity timeout */
1350 if (c->options.inactivity_timeout)
1351 {
1352 event_timeout_init(&c->c2.inactivity_interval, c->options.inactivity_timeout, now);
1353 }
1354
1355 /* initialize inactivity timeout */
1356 if (c->options.session_timeout)
1357 {
1358 event_timeout_init(&c->c2.session_interval, c->options.session_timeout, now);
1359 }
1360
1361 /* initialize pings */
1362 if (dco_enabled(&c->options))
1363 {
1364 /* The DCO kernel module will send the pings instead of user space */
1365 event_timeout_clear(&c->c2.ping_rec_interval);
1366 event_timeout_clear(&c->c2.ping_send_interval);
1367 }
1368 else
1369 {
1370 if (c->options.ping_send_timeout)
1371 {
1372 event_timeout_init(&c->c2.ping_send_interval, c->options.ping_send_timeout, 0);
1373 }
1374
1375 if (c->options.ping_rec_timeout)
1376 {
1377 event_timeout_init(&c->c2.ping_rec_interval, c->options.ping_rec_timeout, now);
1378 }
1379 }
1380
1381 /* If the auth-token renewal interval is shorter than reneg-sec, arm
1382 * "auth-token renewal" timer to send additional auth-token to update the
1383 * token on the client more often. If not, this happens automatically
1384 * at renegotiation time, without needing an extra event.
1385 */
1386 if (c->options.auth_token_generate
1387 && c->options.auth_token_renewal < c->options.renegotiate_seconds)
1388 {
1389 event_timeout_init(&c->c2.auth_token_renewal_interval, c->options.auth_token_renewal, now);
1390 }
1391
1392 if (!deferred)
1393 {
1394 /* initialize connection establishment timer */
1395 event_timeout_init(&c->c2.wait_for_connect, 1, now);
1396
1397 /* initialize occ timers */
1398
1399 if (c->options.occ && !TLS_MODE(c) && c->c2.options_string_local
1400 && c->c2.options_string_remote)
1401 {
1402 event_timeout_init(&c->c2.occ_interval, OCC_INTERVAL_SECONDS, now);
1403 }
1404
1405 if (c->options.mtu_test)
1406 {
1407 event_timeout_init(&c->c2.occ_mtu_load_test_interval, OCC_MTU_LOAD_INTERVAL_SECONDS,
1408 now);
1409 }
1410
1411 /* initialize packet_id persistence timer */
1412 if (c->options.packet_id_file)
1413 {
1414 event_timeout_init(&c->c2.packet_id_persist_interval, 60, now);
1415 }
1416
1417 /* initialize tmp_int optimization that limits the number of times we call
1418 * tls_multi_process in the main event loop */
1419 interval_init(&c->c2.tmp_int, TLS_MULTI_HORIZON, TLS_MULTI_REFRESH);
1420 }
1421}
1422
1423/*
1424 * Initialize traffic shaper.
1425 */
1426static void
1427do_init_traffic_shaper(struct context *c)
1428{
1429 /* initialize traffic shaper (i.e. transmit bandwidth limiter) */
1430 if (c->options.shaper)
1431 {
1432 shaper_init(&c->c2.shaper, c->options.shaper);
1433 shaper_msg(&c->c2.shaper);
1434 }
1435}
1436
1437/*
1438 * Allocate route list structures for IPv4 and IPv6
1439 * (we do this for IPv4 even if no --route option has been seen, as other
1440 * parts of OpenVPN might want to fill the route-list with info, e.g. DHCP)
1441 */
1442static void
1443do_alloc_route_list(struct context *c)
1444{
1445 if (!c->c1.route_list)
1446 {
1447 ALLOC_OBJ_CLEAR_GC(c->c1.route_list, struct route_list, &c->gc);
1448 }
1449 if (c->options.routes_ipv6 && !c->c1.route_ipv6_list)
1450 {
1451 ALLOC_OBJ_CLEAR_GC(c->c1.route_ipv6_list, struct route_ipv6_list, &c->gc);
1452 }
1453}
1454
1455
1456/*
1457 * Initialize the route list, resolving any DNS names in route
1458 * options and saving routes in the environment.
1459 */
1460static void
1461do_init_route_list(const struct options *options, struct route_list *route_list,
1462 const struct link_socket_info *link_socket_info, struct env_set *es,
1463 openvpn_net_ctx_t *ctx)
1464{
1465 const char *gw = NULL;
1466 int dev = dev_type_enum(options->dev, options->dev_type);
1467 int metric = 0;
1468
1469 /* if DCO is enabled we have both regular routes and iroutes in the system
1470 * routing table, and normal routes must have a higher metric for that to
1471 * work so that iroutes are always matched first
1472 */
1473 if (dco_enabled(options))
1474 {
1475 metric = DCO_DEFAULT_METRIC;
1476 }
1477
1478 if (dev == DEV_TYPE_TUN && (options->topology == TOP_NET30 || options->topology == TOP_P2P))
1479 {
1480 gw = options->ifconfig_remote_netmask;
1481 }
1482 if (options->route_default_gateway)
1483 {
1484 gw = options->route_default_gateway;
1485 }
1486 if (options->route_default_metric)
1487 {
1488 metric = options->route_default_metric;
1489 }
1490
1491 if (init_route_list(route_list, options->routes, gw, metric,
1492 link_socket_current_remote(link_socket_info), es, ctx))
1493 {
1494 /* copy routes to environment */
1495 setenv_routes(es, route_list);
1496 }
1497}
1498
1499static void
1500do_init_route_ipv6_list(const struct options *options, struct route_ipv6_list *route_ipv6_list,
1501 const struct link_socket_info *link_socket_info, struct env_set *es,
1502 openvpn_net_ctx_t *ctx)
1503{
1504 const char *gw = NULL;
1505 int metric = -1; /* no metric set */
1506
1507 /* see explanation in do_init_route_list() */
1508 if (dco_enabled(options))
1509 {
1510 metric = DCO_DEFAULT_METRIC;
1511 }
1512
1513 gw = options->ifconfig_ipv6_remote; /* default GW = remote end */
1514 if (options->route_ipv6_default_gateway)
1515 {
1516 gw = options->route_ipv6_default_gateway;
1517 }
1518
1519 if (options->route_default_metric)
1520 {
1521 metric = options->route_default_metric;
1522 }
1523
1524 /* redirect (IPv6) gateway to VPN? if yes, add a few more specifics
1525 */
1526 if (options->routes_ipv6->flags & RG_REROUTE_GW)
1527 {
1528 char *opt_list[] = { "::/3", "2000::/4", "3000::/4", "fc00::/7", NULL };
1529 int i;
1530
1531 for (i = 0; opt_list[i]; i++)
1532 {
1533 add_route_ipv6_to_option_list(options->routes_ipv6,
1534 string_alloc(opt_list[i], options->routes_ipv6->gc), NULL,
1535 NULL, options->route_default_table_id);
1536 }
1537 }
1538
1539 if (init_route_ipv6_list(route_ipv6_list, options->routes_ipv6, gw, metric,
1540 link_socket_current_remote_ipv6(link_socket_info), es, ctx))
1541 {
1542 /* copy routes to environment */
1543 setenv_routes_ipv6(es, route_ipv6_list);
1544 }
1545}
1546
1547
1548/*
1549 * Called after all initialization has been completed.
1550 */
1551void
1552initialization_sequence_completed(struct context *c, const unsigned int flags)
1553{
1554 static const char message[] = "Initialization Sequence Completed";
1555
1556 /* Reset the unsuccessful connection counter on complete initialisation */
1557 c->options.unsuccessful_attempts = 0;
1558
1559 /* If we delayed UID/GID downgrade or chroot, do it now */
1560 do_uid_gid_chroot(c, true);
1561
1562 /* Test if errors */
1563 if (flags & ISC_ERRORS)
1564 {
1565#ifdef _WIN32
1566 show_routes(M_INFO | M_NOPREFIX);
1567 show_adapters(M_INFO | M_NOPREFIX);
1568 msg(M_INFO, "%s With Errors ( see http://openvpn.net/faq.html#dhcpclientserv )", message);
1569#else
1570#ifdef ENABLE_SYSTEMD
1571 sd_notifyf(0, "STATUS=Failed to start up: %s With Errors\nERRNO=1", message);
1572#endif /* HAVE_SYSTEMD_SD_DAEMON_H */
1573 msg(M_INFO, "%s With Errors", message);
1574#endif
1575 }
1576 else
1577 {
1578#ifdef ENABLE_SYSTEMD
1579 sd_notifyf(0, "STATUS=%s", message);
1580#endif
1581 msg(M_INFO, "%s", message);
1582 }
1583
1584 /* Flag that we initialized */
1585 if ((flags & (ISC_ERRORS | ISC_SERVER)) == 0)
1586 {
1587 c->options.no_advance = true;
1588 }
1589
1590#ifdef _WIN32
1591 fork_register_dns_action(c->c1.tuntap);
1592#endif
1593
1594#ifdef ENABLE_MANAGEMENT
1595 /* Tell management interface that we initialized */
1596 if (management)
1597 {
1598 in_addr_t *tun_local = NULL;
1599 struct in6_addr *tun_local6 = NULL;
1600 struct openvpn_sockaddr local, remote;
1601 struct link_socket_actual *actual;
1602 socklen_t sa_len = sizeof(local);
1603 const char *detail = "SUCCESS";
1604 if (flags & ISC_ERRORS)
1605 {
1606 detail = "ERROR";
1607 }
1608 /* Flag route error only on platforms where trivial "already exists" errors
1609 * are filtered out. Currently this is the case on Windows or if usng netlink.
1610 */
1611#if defined(_WIN32) || defined(ENABLE_SITNL)
1612 else if (flags & ISC_ROUTE_ERRORS)
1613 {
1614 detail = "ROUTE_ERROR";
1615 }
1616#endif
1617
1618 CLEAR(local);
1619 actual = &get_link_socket_info(c)->lsa->actual;
1620 remote = actual->dest;
1621 getsockname(c->c2.link_sockets[0]->sd, &local.addr.sa, &sa_len);
1622#if ENABLE_IP_PKTINFO
1623 if (!addr_defined(&local))
1624 {
1625 switch (local.addr.sa.sa_family)
1626 {
1627 case AF_INET:
1628#if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST)
1629 local.addr.in4.sin_addr = actual->pi.in4.ipi_spec_dst;
1630#else
1631 local.addr.in4.sin_addr = actual->pi.in4;
1632#endif
1633 break;
1634
1635 case AF_INET6:
1636 local.addr.in6.sin6_addr = actual->pi.in6.ipi6_addr;
1637 break;
1638 }
1639 }
1640#endif
1641
1642 if (c->c1.tuntap)
1643 {
1644 tun_local = &c->c1.tuntap->local;
1645 tun_local6 = &c->c1.tuntap->local_ipv6;
1646 }
1647 management_set_state(management, OPENVPN_STATE_CONNECTED, detail, tun_local, tun_local6,
1648 &local, &remote);
1649 if (tun_local)
1650 {
1651 management_post_tunnel_open(management, *tun_local);
1652 }
1653 }
1654#endif /* ifdef ENABLE_MANAGEMENT */
1655}
1656
1661static bool
1662route_noexec_enabled(const struct options *o, const struct tuntap *tt)
1663{
1664 return o->route_noexec || (tt && tt->backend_driver == DRIVER_AFUNIX)
1665 || (tt && tt->backend_driver == DRIVER_NULL);
1666}
1667
1668/*
1669 * Possibly add routes and/or call route-up script
1670 * based on options.
1671 */
1672bool
1673do_route(const struct options *options, struct route_list *route_list,
1674 struct route_ipv6_list *route_ipv6_list, const struct tuntap *tt,
1675 const struct plugin_list *plugins, struct env_set *es, openvpn_net_ctx_t *ctx)
1676{
1677 bool ret = true;
1678 if (!route_noexec_enabled(options, tt) && (route_list || route_ipv6_list))
1679 {
1680 ret = add_routes(route_list, route_ipv6_list, tt, ROUTE_OPTION_FLAGS(options), es, ctx);
1681 setenv_int(es, "redirect_gateway", route_did_redirect_default_gateway(route_list));
1682 }
1683#ifdef ENABLE_MANAGEMENT
1684 if (management)
1685 {
1686 management_up_down(management, "UP", es);
1687 }
1688#endif
1689
1690 if (plugin_defined(plugins, OPENVPN_PLUGIN_ROUTE_UP))
1691 {
1692 if (plugin_call(plugins, OPENVPN_PLUGIN_ROUTE_UP, NULL, NULL, es)
1693 != OPENVPN_PLUGIN_FUNC_SUCCESS)
1694 {
1695 msg(M_WARN, "WARNING: route-up plugin call failed");
1696 }
1697 }
1698
1699 if (options->route_script)
1700 {
1701 struct argv argv = argv_new();
1702 setenv_str(es, "script_type", "route-up");
1703 argv_parse_cmd(&argv, options->route_script);
1704 openvpn_run_script(&argv, es, 0, "--route-up");
1705 argv_free(&argv);
1706 }
1707
1708#ifdef _WIN32
1709 if (options->show_net_up)
1710 {
1711 show_routes(M_INFO | M_NOPREFIX);
1712 show_adapters(M_INFO | M_NOPREFIX);
1713 }
1714 else if (check_debug_level(D_SHOW_NET))
1715 {
1716 show_routes(D_SHOW_NET | M_NOPREFIX);
1717 show_adapters(D_SHOW_NET | M_NOPREFIX);
1718 }
1719#endif
1720 return ret;
1721}
1722
1723/*
1724 * initialize tun/tap device object
1725 */
1726static void
1727do_init_tun(struct context *c)
1728{
1729 c->c1.tuntap = init_tun(c->options.dev, c->options.dev_type, c->options.topology,
1730 c->options.ifconfig_local, c->options.ifconfig_remote_netmask,
1731 c->options.ifconfig_ipv6_local, c->options.ifconfig_ipv6_netbits,
1732 c->options.ifconfig_ipv6_remote, c->c1.link_socket_addrs[0].bind_local,
1733 c->c1.link_socket_addrs[0].remote_list, !c->options.ifconfig_nowarn,
1734 c->c2.es, &c->net_ctx, c->c1.tuntap);
1735
1736 if (is_tun_afunix(c->options.dev_node))
1737 {
1738 /* Using AF_UNIX trumps using DCO */
1739 c->c1.tuntap->backend_driver = DRIVER_AFUNIX;
1740 }
1741 else if (is_dev_type(c->options.dev, c->options.dev_type, "null"))
1742 {
1743 c->c1.tuntap->backend_driver = DRIVER_NULL;
1744 }
1745#ifdef _WIN32
1746 else
1747 {
1748 c->c1.tuntap->backend_driver = c->options.windows_driver;
1749 }
1750#else
1751 else if (dco_enabled(&c->options))
1752 {
1753 c->c1.tuntap->backend_driver = DRIVER_DCO;
1754 }
1755 else
1756 {
1757 c->c1.tuntap->backend_driver = DRIVER_GENERIC_TUNTAP;
1758 }
1759#endif
1760
1761 init_tun_post(c->c1.tuntap, &c->c2.frame, &c->options.tuntap_options);
1762
1763 c->c1.tuntap_owned = true;
1764}
1765
1766/*
1767 * Open tun/tap device, ifconfig, call up script, etc.
1768 */
1769
1770
1771static bool
1772can_preserve_tun(struct tuntap *tt)
1773{
1774 if (tt && tt->backend_driver == DRIVER_AFUNIX)
1775 {
1776 return false;
1777 }
1778#ifdef TARGET_ANDROID
1779 return false;
1780#else
1781 return is_tun_type_set(tt);
1782#endif
1783}
1784
1793static void
1794add_wfp_block(struct context *c)
1795{
1796#if defined(_WIN32)
1797 /* Fortify 'redirect-gateway block-local' with firewall rules? */
1798 bool block_local = block_local_needed(c->c1.route_list);
1799
1800 if (c->options.block_outside_dns || block_local)
1801 {
1802 BOOL dns_only = !block_local;
1803 if (!win_wfp_block(c->c1.tuntap->adapter_index, c->options.msg_channel, dns_only))
1804 {
1805 msg(M_FATAL, "WFP: initialization failed");
1806 }
1807 }
1808#endif
1809}
1810
1819static void
1820del_wfp_block(struct context *c, unsigned long adapter_index)
1821{
1822#if defined(_WIN32)
1823 if (c->options.block_outside_dns || block_local_needed(c->c1.route_list))
1824 {
1825 if (!win_wfp_uninit(adapter_index, c->options.msg_channel))
1826 {
1827 msg(M_FATAL, "WFP: deinitialization failed");
1828 }
1829 }
1830#endif
1831}
1832
1838static bool
1839ifconfig_noexec_enabled(const struct context *c)
1840{
1841 return c->options.ifconfig_noexec
1842 || (c->c1.tuntap && c->c1.tuntap->backend_driver == DRIVER_AFUNIX)
1843 || (c->c1.tuntap && c->c1.tuntap->backend_driver == DRIVER_NULL);
1844}
1845
1846static void
1847open_tun_backend(struct context *c)
1848{
1849 struct tuntap *tt = c->c1.tuntap;
1850
1851 if (tt->backend_driver == DRIVER_NULL)
1852 {
1853 open_tun_null(c->c1.tuntap);
1854 }
1855 else if (tt->backend_driver == DRIVER_AFUNIX)
1856 {
1857 open_tun_afunix(&c->options, c->c2.frame.tun_mtu, tt, c->c2.es);
1858 }
1859 else
1860 {
1861 open_tun(c->options.dev, c->options.dev_type, c->options.dev_node, tt, &c->net_ctx);
1862 }
1863 msg(M_INFO, "%s device [%s] opened", print_tun_backend_driver(tt->backend_driver),
1864 tt->actual_name);
1865}
1866
1867
1868static bool
1869do_open_tun(struct context *c, int *error_flags)
1870{
1871 struct gc_arena gc = gc_new();
1872 bool ret = false;
1873 *error_flags = 0;
1874
1875 if (!can_preserve_tun(c->c1.tuntap))
1876 {
1877#ifdef TARGET_ANDROID
1878 /* If we emulate persist-tun on android we still have to open a new tun and
1879 * then close the old */
1880 int oldtunfd = -1;
1881 if (c->c1.tuntap)
1882 {
1883 oldtunfd = c->c1.tuntap->fd;
1884 free(c->c1.tuntap);
1885 c->c1.tuntap = NULL;
1886 c->c1.tuntap_owned = false;
1887 }
1888#endif
1889
1890 /* initialize (but do not open) tun/tap object, this also sets
1891 * the backend driver type */
1892 do_init_tun(c);
1893
1894 /* inherit the dco context from the tuntap object */
1895 if (c->c2.tls_multi)
1896 {
1897 c->c2.tls_multi->dco = &c->c1.tuntap->dco;
1898 }
1899
1900#ifdef _WIN32
1901 /* store (hide) interactive service handle in tuntap_options */
1902 c->c1.tuntap->options.msg_channel = c->options.msg_channel;
1903 msg(D_ROUTE, "interactive service msg_channel=%" PRIuPTR, (intptr_t)c->options.msg_channel);
1904#endif
1905
1906 /* allocate route list structure */
1907 do_alloc_route_list(c);
1908
1909 /* parse and resolve the route option list */
1910 ASSERT(c->c2.link_sockets[0]);
1911 if (c->options.routes && c->c1.route_list)
1912 {
1913 do_init_route_list(&c->options, c->c1.route_list, &c->c2.link_sockets[0]->info,
1914 c->c2.es, &c->net_ctx);
1915 }
1916 if (c->options.routes_ipv6 && c->c1.route_ipv6_list)
1917 {
1918 do_init_route_ipv6_list(&c->options, c->c1.route_ipv6_list,
1919 &c->c2.link_sockets[0]->info, c->c2.es, &c->net_ctx);
1920 }
1921
1922 /* do ifconfig */
1923 if (!ifconfig_noexec_enabled(c) && ifconfig_order(c->c1.tuntap) == IFCONFIG_BEFORE_TUN_OPEN)
1924 {
1925 /* guess actual tun/tap unit number that will be returned
1926 * by open_tun */
1927 const char *guess =
1928 guess_tuntap_dev(c->options.dev, c->options.dev_type, c->options.dev_node, &gc);
1929 do_ifconfig(c->c1.tuntap, guess, c->c2.frame.tun_mtu, c->c2.es, &c->net_ctx);
1930 }
1931
1932 /* possibly add routes */
1933 if (route_order(c->c1.tuntap) == ROUTE_BEFORE_TUN)
1934 {
1935 /* Ignore route_delay, would cause ROUTE_BEFORE_TUN to be ignored */
1936 bool status = do_route(&c->options, c->c1.route_list, c->c1.route_ipv6_list,
1937 c->c1.tuntap, c->plugins, c->c2.es, &c->net_ctx);
1938 *error_flags |= (status ? 0 : ISC_ROUTE_ERRORS);
1939 }
1940#ifdef TARGET_ANDROID
1941 /* Store the old fd inside the fd so open_tun can use it */
1942 c->c1.tuntap->fd = oldtunfd;
1943#endif
1944
1945 if (dco_enabled(&c->options))
1946 {
1947 ovpn_dco_init(c);
1948 }
1949
1950 /* open the tun device */
1951 open_tun_backend(c);
1952
1953 /* set the hardware address */
1954 if (c->options.lladdr)
1955 {
1956 set_lladdr(&c->net_ctx, c->c1.tuntap->actual_name, c->options.lladdr, c->c2.es);
1957 }
1958
1959 /* do ifconfig */
1960 if (!ifconfig_noexec_enabled(c) && ifconfig_order(c->c1.tuntap) == IFCONFIG_AFTER_TUN_OPEN)
1961 {
1962 do_ifconfig(c->c1.tuntap, c->c1.tuntap->actual_name, c->c2.frame.tun_mtu, c->c2.es,
1963 &c->net_ctx);
1964 }
1965
1966 run_dns_up_down(true, &c->options, c->c1.tuntap, &c->persist.duri);
1967
1968 /* run the up script */
1969 run_up_down(c->options.up_script, c->plugins, OPENVPN_PLUGIN_UP, c->c1.tuntap->actual_name,
1970#ifdef _WIN32
1971 c->c1.tuntap->adapter_index,
1972#endif
1973 dev_type_string(c->options.dev, c->options.dev_type), c->c2.frame.tun_mtu,
1974 print_in_addr_t(c->c1.tuntap->local, IA_EMPTY_IF_UNDEF, &gc),
1975 print_in_addr_t(c->c1.tuntap->remote_netmask, IA_EMPTY_IF_UNDEF, &gc), "init",
1976 NULL, "up", c->c2.es);
1977
1978 add_wfp_block(c);
1979
1980 /* possibly add routes */
1981 if ((route_order(c->c1.tuntap) == ROUTE_AFTER_TUN) && (!c->options.route_delay_defined))
1982 {
1983 bool status = do_route(&c->options, c->c1.route_list, c->c1.route_ipv6_list,
1984 c->c1.tuntap, c->plugins, c->c2.es, &c->net_ctx);
1985 *error_flags |= (status ? 0 : ISC_ROUTE_ERRORS);
1986 }
1987
1988 ret = true;
1989 static_context = c;
1990 }
1991 else
1992 {
1993 msg(M_INFO, "Preserving previous TUN/TAP instance: %s", c->c1.tuntap->actual_name);
1994
1995 /* explicitly set the ifconfig_* env vars */
1996 do_ifconfig_setenv(c->c1.tuntap, c->c2.es);
1997
1998 run_dns_up_down(true, &c->options, c->c1.tuntap, &c->persist.duri);
1999
2000 /* run the up script if user specified --up-restart */
2001 if (c->options.up_restart)
2002 {
2003 run_up_down(c->options.up_script, c->plugins, OPENVPN_PLUGIN_UP,
2004 c->c1.tuntap->actual_name,
2005#ifdef _WIN32
2006 c->c1.tuntap->adapter_index,
2007#endif
2008 dev_type_string(c->options.dev, c->options.dev_type), c->c2.frame.tun_mtu,
2009 print_in_addr_t(c->c1.tuntap->local, IA_EMPTY_IF_UNDEF, &gc),
2010 print_in_addr_t(c->c1.tuntap->remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
2011 "restart", NULL, "up", c->c2.es);
2012 }
2013
2014 add_wfp_block(c);
2015 }
2016 gc_free(&gc);
2017 return ret;
2018}
2019
2020/*
2021 * Close TUN/TAP device
2022 */
2023
2024static void
2025do_close_tun_simple(struct context *c)
2026{
2027 msg(D_CLOSE, "Closing %s interface", print_tun_backend_driver(c->c1.tuntap->backend_driver));
2028
2029 if (c->c1.tuntap)
2030 {
2031 if (!ifconfig_noexec_enabled(c))
2032 {
2033 undo_ifconfig(c->c1.tuntap, &c->net_ctx);
2034 }
2035 if (c->c1.tuntap->backend_driver == DRIVER_AFUNIX)
2036 {
2037 close_tun_afunix(c->c1.tuntap);
2038 }
2039 else if (c->c1.tuntap->backend_driver == DRIVER_NULL)
2040 {
2041 free(c->c1.tuntap->actual_name);
2042 free(c->c1.tuntap);
2043 }
2044 else
2045 {
2046 close_tun(c->c1.tuntap, &c->net_ctx);
2047 }
2048 c->c1.tuntap = NULL;
2049 }
2050 c->c1.tuntap_owned = false;
2051 CLEAR(c->c1.pulled_options_digest_save);
2052}
2053
2054static void
2055do_close_tun(struct context *c, bool force)
2056{
2057 /* With dco-win we open tun handle in the very beginning.
2058 * In case when tun wasn't opened - like we haven't connected,
2059 * we still need to close tun handle
2060 */
2061 if (tuntap_is_dco_win(c->c1.tuntap) && !is_tun_type_set(c->c1.tuntap))
2062 {
2063 do_close_tun_simple(c);
2064 return;
2065 }
2066
2067 if (!c->c1.tuntap || !c->c1.tuntap_owned)
2068 {
2069 return;
2070 }
2071
2072 struct gc_arena gc = gc_new();
2073 const char *tuntap_actual = string_alloc(c->c1.tuntap->actual_name, &gc);
2074 const in_addr_t local = c->c1.tuntap->local;
2075 const in_addr_t remote_netmask = c->c1.tuntap->remote_netmask;
2076 unsigned long adapter_index = 0;
2077#ifdef _WIN32
2078 adapter_index = c->c1.tuntap->adapter_index;
2079#endif
2080
2081 run_dns_up_down(false, &c->options, c->c1.tuntap, &c->persist.duri);
2082
2083 if (force || !(c->sig->signal_received == SIGUSR1 && c->options.persist_tun))
2084 {
2085 static_context = NULL;
2086
2087#ifdef ENABLE_MANAGEMENT
2088 /* tell management layer we are about to close the TUN/TAP device */
2089 if (management)
2090 {
2091 management_pre_tunnel_close(management);
2092 management_up_down(management, "DOWN", c->c2.es);
2093 }
2094#endif
2095
2096 /* delete any routes we added */
2097 if (c->c1.route_list || c->c1.route_ipv6_list)
2098 {
2099 run_up_down(c->options.route_predown_script, c->plugins, OPENVPN_PLUGIN_ROUTE_PREDOWN,
2100 tuntap_actual,
2101#ifdef _WIN32
2102 adapter_index,
2103#endif
2104 NULL, c->c2.frame.tun_mtu, print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc),
2105 print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc), "init",
2106 signal_description(c->sig->signal_received, c->sig->signal_text),
2107 "route-pre-down", c->c2.es);
2108
2109 delete_routes(c->c1.route_list, c->c1.route_ipv6_list, c->c1.tuntap,
2110 ROUTE_OPTION_FLAGS(&c->options), c->c2.es, &c->net_ctx);
2111 }
2112
2113 /* actually close tun/tap device based on --down-pre flag */
2114 if (!c->options.down_pre)
2115 {
2116 do_close_tun_simple(c);
2117 }
2118
2119 /* Run the down script -- note that it will run at reduced
2120 * privilege if, for example, "--user" was used. */
2121 run_up_down(c->options.down_script, c->plugins, OPENVPN_PLUGIN_DOWN, tuntap_actual,
2122#ifdef _WIN32
2123 adapter_index,
2124#endif
2125 NULL, c->c2.frame.tun_mtu, print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc),
2126 print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc), "init",
2127 signal_description(c->sig->signal_received, c->sig->signal_text), "down",
2128 c->c2.es);
2129
2130 del_wfp_block(c, adapter_index);
2131
2132 /* actually close tun/tap device based on --down-pre flag */
2133 if (c->options.down_pre)
2134 {
2135 do_close_tun_simple(c);
2136 }
2137 }
2138 else
2139 {
2140 /* run the down script on this restart if --up-restart was specified */
2141 if (c->options.up_restart)
2142 {
2143 run_up_down(c->options.down_script, c->plugins, OPENVPN_PLUGIN_DOWN, tuntap_actual,
2144#ifdef _WIN32
2145 adapter_index,
2146#endif
2147 NULL, c->c2.frame.tun_mtu, print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc),
2148 print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc), "restart",
2149 signal_description(c->sig->signal_received, c->sig->signal_text), "down",
2150 c->c2.es);
2151 }
2152
2153 del_wfp_block(c, adapter_index);
2154 }
2155 gc_free(&gc);
2156}
2157
2158void
2159tun_abort(void)
2160{
2161 struct context *c = static_context;
2162 if (c)
2163 {
2164 static_context = NULL;
2165 do_close_tun(c, true);
2166 }
2167}
2168
2169/*
2170 * Handle delayed tun/tap interface bringup due to --up-delay or --pull
2171 */
2172
2177static bool
2178options_hash_changed_or_zero(const struct sha256_digest *a, const struct sha256_digest *b)
2179{
2180 const struct sha256_digest zero = { { 0 } };
2181 return memcmp(a, b, sizeof(struct sha256_digest))
2182 || !memcmp(a, &zero, sizeof(struct sha256_digest));
2183}
2184
2190static void
2191add_delim_if_non_empty(struct buffer *buf, const char *header)
2192{
2193 if (buf_len(buf) > strlen(header))
2194 {
2195 buf_printf(buf, ", ");
2196 }
2197}
2198
2199
2204static void
2205tls_print_deferred_options_results(struct context *c)
2206{
2207 struct options *o = &c->options;
2208
2209 struct buffer out;
2210 uint8_t line[1024] = { 0 };
2211 buf_set_write(&out, line, sizeof(line));
2212
2213
2214 if (cipher_kt_mode_aead(o->ciphername))
2215 {
2216 buf_printf(&out, "Data Channel: cipher '%s'", cipher_kt_name(o->ciphername));
2217 }
2218 else
2219 {
2220 buf_printf(&out, "Data Channel: cipher '%s', auth '%s'", cipher_kt_name(o->ciphername),
2221 md_kt_name(o->authname));
2222 }
2223
2224 if (o->use_peer_id)
2225 {
2226 buf_printf(&out, ", peer-id: %d", o->peer_id);
2227 }
2228
2229#ifdef USE_COMP
2230 if (c->c2.comp_context)
2231 {
2232 buf_printf(&out, ", compression: '%s'", c->c2.comp_context->alg.name);
2233 }
2234#endif
2235
2236 msg(D_HANDSHAKE, "%s", BSTR(&out));
2237
2238 buf_clear(&out);
2239
2240 const char *header = "Timers: ";
2241
2242 buf_printf(&out, "%s", header);
2243
2244 if (o->ping_send_timeout)
2245 {
2246 buf_printf(&out, "ping %d", o->ping_send_timeout);
2247 }
2248
2249 if (o->ping_rec_timeout_action != PING_UNDEF)
2250 {
2251 /* yes unidirectional ping is possible .... */
2252 add_delim_if_non_empty(&out, header);
2253
2254 if (o->ping_rec_timeout_action == PING_EXIT)
2255 {
2256 buf_printf(&out, "ping-exit %d", o->ping_rec_timeout);
2257 }
2258 else
2259 {
2260 buf_printf(&out, "ping-restart %d", o->ping_rec_timeout);
2261 }
2262 }
2263
2264 if (o->inactivity_timeout)
2265 {
2266 add_delim_if_non_empty(&out, header);
2267
2268 buf_printf(&out, "inactive %d", o->inactivity_timeout);
2269 if (o->inactivity_minimum_bytes)
2270 {
2271 buf_printf(&out, " %" PRIu64, o->inactivity_minimum_bytes);
2272 }
2273 }
2274
2275 if (o->session_timeout)
2276 {
2277 add_delim_if_non_empty(&out, header);
2278 buf_printf(&out, "session-timeout %d", o->session_timeout);
2279 }
2280
2281 if (buf_len(&out) > strlen(header))
2282 {
2283 msg(D_HANDSHAKE, "%s", BSTR(&out));
2284 }
2285
2286 buf_clear(&out);
2287 header = "Protocol options: ";
2288 buf_printf(&out, "%s", header);
2289
2290 if (c->options.ce.explicit_exit_notification)
2291 {
2292 buf_printf(&out, "explicit-exit-notify %d", c->options.ce.explicit_exit_notification);
2293 }
2294 if (c->options.imported_protocol_flags)
2295 {
2296 add_delim_if_non_empty(&out, header);
2297
2298 buf_printf(&out, "protocol-flags");
2299
2300 if (o->imported_protocol_flags & CO_USE_CC_EXIT_NOTIFY)
2301 {
2302 buf_printf(&out, " cc-exit");
2303 }
2304 if (o->imported_protocol_flags & CO_USE_TLS_KEY_MATERIAL_EXPORT)
2305 {
2306 buf_printf(&out, " tls-ekm");
2307 }
2308 if (o->imported_protocol_flags & CO_USE_DYNAMIC_TLS_CRYPT)
2309 {
2310 buf_printf(&out, " dyn-tls-crypt");
2311 }
2312 if (o->imported_protocol_flags & CO_EPOCH_DATA_KEY_FORMAT)
2313 {
2314 buf_printf(&out, " aead-epoch");
2315 }
2316 }
2317
2318 if (buf_len(&out) > strlen(header))
2319 {
2320 msg(D_HANDSHAKE, "%s", BSTR(&out));
2321 }
2322}
2323
2324
2332static bool
2333do_deferred_options_part2(struct context *c)
2334{
2335 struct frame *frame_fragment = NULL;
2336#ifdef ENABLE_FRAGMENT
2337 if (c->options.ce.fragment)
2338 {
2339 frame_fragment = &c->c2.frame_fragment;
2340 }
2341#endif
2342
2343 struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE];
2344 if (!tls_session_update_crypto_params(c->c2.tls_multi, session, &c->options, &c->c2.frame,
2345 frame_fragment, get_link_socket_info(c),
2346 &c->c1.tuntap->dco))
2347 {
2348 msg(D_TLS_ERRORS, "OPTIONS ERROR: failed to import crypto options");
2349 return false;
2350 }
2351
2352 return true;
2353}
2354
2355bool
2356do_up(struct context *c, bool pulled_options, unsigned int option_types_found)
2357{
2358 int error_flags = 0;
2359 if (!c->c2.do_up_ran)
2360 {
2361 reset_coarse_timers(c);
2362
2363 if (pulled_options)
2364 {
2365 if (!do_deferred_options(c, option_types_found, false))
2366 {
2367 msg(D_PUSH_ERRORS, "ERROR: Failed to apply push options");
2368 return false;
2369 }
2370 }
2371
2372 /* if --up-delay specified, open tun, do ifconfig, and run up script now */
2373 if (c->options.up_delay || PULL_DEFINED(&c->options))
2374 {
2375 c->c2.did_open_tun = do_open_tun(c, &error_flags);
2376 update_time();
2377
2378 /*
2379 * Was tun interface object persisted from previous restart iteration,
2380 * and if so did pulled options string change from previous iteration?
2381 */
2382 if (!c->c2.did_open_tun && PULL_DEFINED(&c->options) && c->c1.tuntap
2383 && options_hash_changed_or_zero(&c->c1.pulled_options_digest_save,
2384 &c->c2.pulled_options_digest))
2385 {
2386 /* if so, close tun, delete routes, then reinitialize tun and add routes */
2387 msg(M_INFO,
2388 "NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.");
2389
2390 bool tt_dco_win = tuntap_is_dco_win(c->c1.tuntap);
2391 do_close_tun(c, true);
2392
2393 if (tt_dco_win)
2394 {
2395 msg(M_NONFATAL, "dco-win doesn't yet support reopening TUN device");
2396 /* prevent link_socket_close() from closing handle with WinSock API */
2397 c->c2.link_sockets[0]->sd = SOCKET_UNDEFINED;
2398 return false;
2399 }
2400 else
2401 {
2402 management_sleep(1);
2403 c->c2.did_open_tun = do_open_tun(c, &error_flags);
2404 update_time();
2405 }
2406 }
2407 }
2408 }
2409
2410 /* This part needs to be run in p2p mode (without pull) when the client
2411 * reconnects to setup various things (like DCO and NCP cipher) that
2412 * might have changed from the previous connection.
2413 */
2414 if (!c->c2.do_up_ran
2415 || (c->c2.tls_multi && c->c2.tls_multi->multi_state == CAS_RECONNECT_PENDING))
2416 {
2417 if (c->mode == MODE_POINT_TO_POINT)
2418 {
2419 /* ovpn-dco requires adding the peer now, before any option can be set,
2420 * but *after* having parsed the pushed peer-id in do_deferred_options()
2421 */
2422 int ret = dco_p2p_add_new_peer(c);
2423 if (ret < 0)
2424 {
2425 msg(D_DCO, "Cannot add peer to DCO: %s (%d)", strerror(-ret), ret);
2426 return false;
2427 }
2428 }
2429
2430 /* do_deferred_options_part2() and do_deferred_p2p_ncp() *must* be
2431 * invoked after open_tun().
2432 * This is required by DCO because we must have created the interface
2433 * and added the peer before we can fiddle with the keys or any other
2434 * data channel per-peer setting.
2435 */
2436 if (pulled_options)
2437 {
2438 if (!do_deferred_options_part2(c))
2439 {
2440 return false;
2441 }
2442 }
2443 else
2444 {
2445 if (c->mode == MODE_POINT_TO_POINT)
2446 {
2447 if (!do_deferred_p2p_ncp(c))
2448 {
2449 msg(D_TLS_ERRORS, "ERROR: Failed to apply P2P negotiated protocol options");
2450 return false;
2451 }
2452 }
2453 }
2454
2455 if (c->c2.did_open_tun)
2456 {
2457 c->c1.pulled_options_digest_save = c->c2.pulled_options_digest;
2458
2459 /* if --route-delay was specified, start timer */
2460 if ((route_order(c->c1.tuntap) == ROUTE_AFTER_TUN) && c->options.route_delay_defined)
2461 {
2462 event_timeout_init(&c->c2.route_wakeup, c->options.route_delay, now);
2463 event_timeout_init(&c->c2.route_wakeup_expire,
2464 c->options.route_delay + c->options.route_delay_window, now);
2465 tun_standby_init(c->c1.tuntap);
2466 }
2467 else
2468 {
2469 /* client/p2p --route-delay undefined */
2470 initialization_sequence_completed(c, error_flags);
2471 }
2472 }
2473 else if (c->options.mode == MODE_POINT_TO_POINT)
2474 {
2475 /* client/p2p restart with --persist-tun */
2476 initialization_sequence_completed(c, error_flags);
2477 }
2478
2479 tls_print_deferred_options_results(c);
2480
2481 c->c2.do_up_ran = true;
2482 if (c->c2.tls_multi)
2483 {
2484 c->c2.tls_multi->multi_state = CAS_CONNECT_DONE;
2485 }
2486 }
2487 return true;
2488}
2489
2490bool
2491do_update(struct context *c, unsigned int option_types_found)
2492{
2493 /* Not necessary since to receive the update the openvpn
2494 * instance must be up and running but just in case
2495 */
2496 if (!c->c2.do_up_ran)
2497 {
2498 return false;
2499 }
2500
2501 bool tt_dco_win = tuntap_is_dco_win(c->c1.tuntap);
2502 if (tt_dco_win)
2503 {
2504 msg(M_NONFATAL, "dco-win doesn't yet support reopening TUN device");
2505 return false;
2506 }
2507
2508 if (!do_deferred_options(c, option_types_found, true))
2509 {
2510 msg(D_PUSH_ERRORS, "ERROR: Failed to apply push options");
2511 return false;
2512 }
2513
2514 do_close_tun(c, true);
2515
2516 management_sleep(1);
2517 int error_flags = 0;
2518 c->c2.did_open_tun = do_open_tun(c, &error_flags);
2519 update_time();
2520
2521 if (c->c2.did_open_tun)
2522 {
2523 /* if --route-delay was specified, start timer */
2524 if ((route_order(c->c1.tuntap) == ROUTE_AFTER_TUN) && c->options.route_delay_defined)
2525 {
2526 event_timeout_init(&c->c2.route_wakeup, c->options.route_delay, now);
2527 event_timeout_init(&c->c2.route_wakeup_expire,
2528 c->options.route_delay + c->options.route_delay_window, now);
2529 tun_standby_init(c->c1.tuntap);
2530 }
2531
2532 initialization_sequence_completed(c, error_flags);
2533 }
2534
2535 CLEAR(c->c1.pulled_options_digest_save);
2536
2537 return true;
2538}
2539
2540/*
2541 * These are the option categories which will be accepted by pull.
2542 */
2543unsigned int
2544pull_permission_mask(const struct context *c)
2545{
2546 unsigned int flags = OPT_P_UP | OPT_P_ROUTE_EXTRAS | OPT_P_SOCKBUF | OPT_P_SOCKFLAGS
2547 | OPT_P_SETENV | OPT_P_SHAPER | OPT_P_TIMER | OPT_P_COMP | OPT_P_PERSIST
2548 | OPT_P_MESSAGES | OPT_P_EXPLICIT_NOTIFY | OPT_P_ECHO | OPT_P_PULL_MODE
2549 | OPT_P_PEER_ID | OPT_P_NCP | OPT_P_PUSH_MTU;
2550
2551 if (!c->options.route_nopull)
2552 {
2553 flags |= (OPT_P_ROUTE | OPT_P_DHCPDNS);
2554 }
2555
2556 return flags;
2557}
2558
2559static bool
2560do_deferred_p2p_ncp(struct context *c)
2561{
2562 if (!c->c2.tls_multi)
2563 {
2564 return true;
2565 }
2566
2567 c->options.use_peer_id = c->c2.tls_multi->use_peer_id;
2568
2569 struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE];
2570
2571 const char *ncp_cipher =
2572 get_p2p_ncp_cipher(session, c->c2.tls_multi->peer_info, &c->options.gc);
2573
2574 if (ncp_cipher)
2575 {
2576 c->options.ciphername = ncp_cipher;
2577 }
2578 else if (!c->options.enable_ncp_fallback)
2579 {
2580 msg(D_TLS_ERRORS, "ERROR: failed to negotiate cipher with peer and "
2581 "--data-ciphers-fallback not enabled. No usable "
2582 "data channel cipher");
2583 return false;
2584 }
2585
2586 struct frame *frame_fragment = NULL;
2587#ifdef ENABLE_FRAGMENT
2588 if (c->options.ce.fragment)
2589 {
2590 frame_fragment = &c->c2.frame_fragment;
2591 }
2592#endif
2593
2594 if (!tls_session_update_crypto_params(c->c2.tls_multi, session, &c->options, &c->c2.frame,
2595 frame_fragment, get_link_socket_info(c),
2596 &c->c1.tuntap->dco))
2597 {
2598 msg(D_TLS_ERRORS, "ERROR: failed to set crypto cipher");
2599 return false;
2600 }
2601 return true;
2602}
2603
2604bool
2605do_deferred_options(struct context *c, const unsigned int found, const bool is_update)
2606{
2607 if (found & OPT_P_MESSAGES)
2608 {
2609 init_verb_mute(c, IVM_LEVEL_1 | IVM_LEVEL_2);
2610 msg(D_PUSH, "OPTIONS IMPORT: --verb and/or --mute level changed");
2611 }
2612 if (found & OPT_P_TIMER)
2613 {
2614 do_init_timers(c, true);
2615 msg(D_PUSH_DEBUG, "OPTIONS IMPORT: timers and/or timeouts modified");
2616 }
2617
2618 if (found & OPT_P_EXPLICIT_NOTIFY)
2619 {
2620 /* Client side, so just check the first link_socket */
2621 if (!proto_is_udp(c->c2.link_sockets[0]->info.proto)
2622 && c->options.ce.explicit_exit_notification)
2623 {
2624 msg(D_PUSH, "OPTIONS IMPORT: --explicit-exit-notify can only be used with --proto udp");
2625 c->options.ce.explicit_exit_notification = 0;
2626 }
2627 else
2628 {
2629 msg(D_PUSH_DEBUG, "OPTIONS IMPORT: explicit notify parm(s) modified");
2630 }
2631 }
2632
2633 if (found & OPT_P_COMP)
2634 {
2635 if (!check_compression_settings_valid(&c->options.comp, D_PUSH_ERRORS))
2636 {
2637 msg(D_PUSH_ERRORS, "OPTIONS ERROR: server pushed compression "
2638 "settings that are not allowed and will result "
2639 "in a non-working connection. "
2640 "See also allow-compression in the manual.");
2641 return false;
2642 }
2643#ifdef USE_COMP
2644 msg(D_PUSH_DEBUG, "OPTIONS IMPORT: compression parms modified");
2645 comp_uninit(c->c2.comp_context);
2646 c->c2.comp_context = comp_init(&c->options.comp);
2647#endif
2648 }
2649
2650 if (found & OPT_P_SHAPER)
2651 {
2652 msg(D_PUSH, "OPTIONS IMPORT: traffic shaper enabled");
2653 do_init_traffic_shaper(c);
2654 }
2655
2656 if (found & OPT_P_SOCKBUF)
2657 {
2658 msg(D_PUSH, "OPTIONS IMPORT: --sndbuf/--rcvbuf options modified");
2659
2660 for (int i = 0; i < c->c1.link_sockets_num; i++)
2661 {
2662 link_socket_update_buffer_sizes(c->c2.link_sockets[i], c->options.rcvbuf,
2663 c->options.sndbuf);
2664 }
2665 }
2666
2667 if (found & OPT_P_SOCKFLAGS)
2668 {
2669 msg(D_PUSH, "OPTIONS IMPORT: --socket-flags option modified");
2670 for (int i = 0; i < c->c1.link_sockets_num; i++)
2671 {
2672 link_socket_update_flags(c->c2.link_sockets[i], c->options.sockflags);
2673 }
2674 }
2675
2676 if (found & OPT_P_PERSIST)
2677 {
2678 msg(D_PUSH, "OPTIONS IMPORT: --persist options modified");
2679 }
2680 if (found & OPT_P_UP)
2681 {
2682 msg(D_PUSH, "OPTIONS IMPORT: --ifconfig/up options modified");
2683 }
2684 if (found & OPT_P_ROUTE)
2685 {
2686 msg(D_PUSH, "OPTIONS IMPORT: route options modified");
2687 }
2688 if (found & OPT_P_ROUTE_EXTRAS)
2689 {
2690 msg(D_PUSH, "OPTIONS IMPORT: route-related options modified");
2691 }
2692 if (found & OPT_P_DHCPDNS)
2693 {
2694 msg(D_PUSH, "OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified");
2695 }
2696 if (found & OPT_P_SETENV)
2697 {
2698 msg(D_PUSH, "OPTIONS IMPORT: environment modified");
2699 }
2700
2701 if (found & OPT_P_PEER_ID)
2702 {
2703 msg(D_PUSH_DEBUG, "OPTIONS IMPORT: peer-id set");
2704 c->c2.tls_multi->use_peer_id = true;
2705 c->c2.tls_multi->peer_id = c->options.peer_id;
2706 }
2707
2708 /* process (potentially) pushed options */
2709 if (c->options.pull)
2710 {
2711 /* On PUSH_UPDATE, NCP related flags are never updated, and so the code
2712 * would assume "no cipher pushed = NCP failed" - so, don't call it on
2713 * updates */
2714 if (!is_update && !check_pull_client_ncp(c, found))
2715 {
2716 return false;
2717 }
2718
2719 /* Check if pushed options are compatible with DCO, if enabled */
2720 if (dco_enabled(&c->options) && !dco_check_pull_options(D_PUSH_ERRORS, &c->options))
2721 {
2722 msg(D_PUSH_ERRORS, "OPTIONS ERROR: pushed options are incompatible "
2723 "with data channel offload. Use --disable-dco to connect to "
2724 "this server");
2725 return false;
2726 }
2727 }
2728
2729 /* Ensure that for epoch data format is only enabled if also data v2
2730 * is enabled */
2731 bool epoch_data = (c->options.imported_protocol_flags & CO_EPOCH_DATA_KEY_FORMAT);
2732 bool datav2_enabled = (c->options.peer_id >= 0 && c->options.peer_id < MAX_PEER_ID);
2733
2734 if (epoch_data && !datav2_enabled)
2735 {
2736 msg(D_PUSH_ERRORS, "OPTIONS ERROR: Epoch key data format tag requires "
2737 "data v2 (peer-id) to be enabled.");
2738 return false;
2739 }
2740
2741
2742 if (found & OPT_P_PUSH_MTU)
2743 {
2744 /* MTU has changed, check that the pushed MTU is small enough to
2745 * be able to change it */
2746 msg(D_PUSH, "OPTIONS IMPORT: tun-mtu set to %d", c->options.ce.tun_mtu);
2747
2748 struct frame *frame = &c->c2.frame;
2749
2750 if (c->options.ce.tun_mtu > frame->tun_max_mtu)
2751 {
2752 msg(D_PUSH_ERRORS,
2753 "Server-pushed tun-mtu is too large, please add "
2754 "tun-mtu-max %d in the client configuration",
2755 c->options.ce.tun_mtu);
2756 }
2757 frame->tun_mtu = min_int(frame->tun_max_mtu, c->options.ce.tun_mtu);
2758 }
2759
2760 return true;
2761}
2762
2763/*
2764 * Possible hold on initialization, holdtime is the
2765 * time OpenVPN would wait without management
2766 */
2767static bool
2768do_hold(int holdtime)
2769{
2770#ifdef ENABLE_MANAGEMENT
2771 if (management)
2772 {
2773 /* block until management hold is released */
2774 if (management_hold(management, holdtime))
2775 {
2776 return true;
2777 }
2778 }
2779#endif
2780 return false;
2781}
2782
2783/*
2784 * Sleep before restart.
2785 */
2786static void
2787socket_restart_pause(struct context *c)
2788{
2789 int sec = 2;
2790 int backoff = 0;
2791
2792 switch (c->mode)
2793 {
2794 case CM_TOP:
2795 sec = 1;
2796 break;
2797
2798 case CM_CHILD_UDP:
2799 case CM_CHILD_TCP:
2800 sec = c->options.ce.connect_retry_seconds;
2801 break;
2802 }
2803
2804#ifdef ENABLE_DEBUG
2805 if (GREMLIN_CONNECTION_FLOOD_LEVEL(c->options.gremlin))
2806 {
2807 sec = 0;
2808 }
2809#endif
2810
2811 if (auth_retry_get() == AR_NOINTERACT)
2812 {
2813 sec = 10;
2814 }
2815
2816 /* Slow down reconnection after 5 retries per remote -- for TCP client or UDP tls-client only */
2817 if (c->mode == CM_CHILD_TCP || (c->options.ce.proto == PROTO_UDP && c->options.tls_client))
2818 {
2819 backoff = (c->options.unsuccessful_attempts / c->options.connection_list->len) - 4;
2820 if (backoff > 0)
2821 {
2822 /* sec is less than 2^16; we can left shift it by up to 15 bits without overflow */
2823 sec = max_int(sec, 1) << min_int(backoff, 15);
2824 }
2825 if (c->options.server_backoff_time)
2826 {
2827 sec = max_int(sec, c->options.server_backoff_time);
2828 c->options.server_backoff_time = 0;
2829 }
2830
2831 if (sec > c->options.ce.connect_retry_seconds_max)
2832 {
2833 sec = c->options.ce.connect_retry_seconds_max;
2834 }
2835 }
2836
2837 if (c->persist.restart_sleep_seconds > 0 && c->persist.restart_sleep_seconds > sec)
2838 {
2839 sec = c->persist.restart_sleep_seconds;
2840 }
2841 else if (c->persist.restart_sleep_seconds == -1)
2842 {
2843 sec = 0;
2844 }
2845 c->persist.restart_sleep_seconds = 0;
2846
2847 /* do management hold on context restart, i.e. second, third, fourth, etc. initialization */
2848 if (do_hold(sec))
2849 {
2850 sec = 0;
2851 }
2852
2853 if (sec)
2854 {
2855 msg(D_RESTART, "Restart pause, %d second(s)", sec);
2856 management_sleep(sec);
2857 }
2858}
2859
2860/*
2861 * Do a possible pause on context_2 initialization.
2862 */
2863static void
2864do_startup_pause(struct context *c)
2865{
2866 if (!c->first_time)
2867 {
2868 socket_restart_pause(c);
2869 }
2870 else
2871 {
2872 do_hold(0); /* do management hold on first context initialization */
2873 }
2874}
2875
2876static size_t
2877get_frame_mtu(struct context *c, const struct options *o)
2878{
2879 size_t mtu;
2880
2881 if (o->ce.link_mtu_defined)
2882 {
2883 ASSERT(o->ce.link_mtu_defined);
2884 /* if we have a link mtu defined we calculate what the old code
2885 * would have come up with as tun-mtu */
2886 size_t overhead = frame_calculate_protocol_header_size(&c->c1.ks.key_type, o, true);
2887 mtu = o->ce.link_mtu - overhead;
2888 }
2889 else
2890 {
2891 ASSERT(o->ce.tun_mtu_defined);
2892 mtu = o->ce.tun_mtu;
2893 }
2894
2895 if (mtu < TUN_MTU_MIN)
2896 {
2897 msg(M_WARN, "TUN MTU value (%zu) must be at least %d", mtu, TUN_MTU_MIN);
2898 frame_print(&c->c2.frame, M_FATAL, "MTU is too small");
2899 }
2900 return mtu;
2901}
2902
2903/*
2904 * Finalize MTU parameters based on command line or config file options.
2905 */
2906static void
2907frame_finalize_options(struct context *c, const struct options *o)
2908{
2909 if (!o)
2910 {
2911 o = &c->options;
2912 }
2913
2914 struct frame *frame = &c->c2.frame;
2915
2916 frame->tun_mtu = get_frame_mtu(c, o);
2917 frame->tun_max_mtu = o->ce.tun_mtu_max;
2918
2919 /* max mtu needs to be at least as large as the tun mtu */
2920 frame->tun_max_mtu = max_int(frame->tun_mtu, frame->tun_max_mtu);
2921
2922 /* We always allow at least 1600 MTU packets to be received in our buffer
2923 * space to allow server to push "baby giant" MTU sizes */
2924 frame->tun_max_mtu = max_int(TUN_MTU_MAX_MIN, frame->tun_max_mtu);
2925
2926 size_t payload_size = frame->tun_max_mtu;
2927
2928 /* we need to be also large enough to hold larger control channel packets
2929 * if configured */
2930 payload_size = max_int(payload_size, o->ce.tls_mtu);
2931
2932 /* The extra tun needs to be added to the payload size */
2933 if (o->ce.tun_mtu_defined)
2934 {
2935 payload_size += o->ce.tun_mtu_extra;
2936 }
2937
2938 /* Add 32 byte of extra space in the buffer to account for small errors
2939 * in the calculation */
2940 payload_size += 32;
2941
2942
2943 /* the space that is reserved before the payload to add extra headers to it
2944 * we always reserve the space for the worst case */
2945 size_t headroom = 0;
2946
2947 /* includes IV and packet ID */
2948 headroom += crypto_max_overhead();
2949
2950 /* peer id + opcode */
2951 headroom += 4;
2952
2953 /* socks proxy header */
2954 headroom += 10;
2955
2956 /* compression header and fragment header (part of the encrypted payload) */
2957 headroom += 1 + 1;
2958
2959 /* Round up headroom to the next multiple of 4 to ensure alignment */
2960 headroom = (headroom + 3) & ~3;
2961
2962 /* Add the headroom to the payloadsize as a received (IP) packet can have
2963 * all the extra headers in it */
2964 payload_size += headroom;
2965
2966 /* the space after the payload, this needs some extra buffer space for
2967 * encryption so headroom is probably too much but we do not really care
2968 * the few extra bytes */
2969 size_t tailroom = headroom;
2970
2971#ifdef USE_COMP
2972 msg(D_MTU_DEBUG,
2973 "MTU: adding %zu buffer tailroom for compression for %zu "
2974 "bytes of payload",
2975 COMP_EXTRA_BUFFER(payload_size), payload_size);
2976 tailroom += COMP_EXTRA_BUFFER(payload_size);
2977#endif
2978
2979 frame->buf.payload_size = payload_size;
2980 frame->buf.headroom = headroom;
2981 frame->buf.tailroom = tailroom;
2982}
2983
2984/*
2985 * Free a key schedule, including OpenSSL components.
2986 */
2987static void
2988key_schedule_free(struct key_schedule *ks, bool free_ssl_ctx)
2989{
2990 free_key_ctx_bi(&ks->static_key);
2991 if (tls_ctx_initialised(&ks->ssl_ctx) && free_ssl_ctx)
2992 {
2993 tls_ctx_free(&ks->ssl_ctx);
2994 free_key_ctx(&ks->auth_token_key);
2995 }
2996 CLEAR(*ks);
2997}
2998
2999static void
3000init_crypto_pre(struct context *c, const unsigned int flags)
3001{
3002 if (c->options.engine)
3003 {
3004 crypto_init_lib_engine(c->options.engine);
3005 }
3006
3007 if (flags & CF_LOAD_PERSISTED_PACKET_ID)
3008 {
3009 /* load a persisted packet-id for cross-session replay-protection */
3010 if (c->options.packet_id_file)
3011 {
3012 packet_id_persist_load(&c->c1.pid_persist, c->options.packet_id_file);
3013 }
3014 }
3015
3016#ifdef ENABLE_PREDICTION_RESISTANCE
3017 if (c->options.use_prediction_resistance)
3018 {
3019 rand_ctx_enable_prediction_resistance();
3020 }
3021#endif
3022}
3023
3024/*
3025 * Static Key Mode (using a pre-shared key)
3026 */
3027static void
3028do_init_crypto_static(struct context *c, const unsigned int flags)
3029{
3030 const struct options *options = &c->options;
3031 ASSERT(options->shared_secret_file);
3032
3033 init_crypto_pre(c, flags);
3034
3035 /* Initialize flags */
3036 if (c->options.mute_replay_warnings)
3037 {
3038 c->c2.crypto_options.flags |= CO_MUTE_REPLAY_WARNINGS;
3039 }
3040
3041 /* Initialize packet ID tracking */
3042 packet_id_init(&c->c2.crypto_options.packet_id, options->replay_window, options->replay_time,
3043 "STATIC", 0);
3044 c->c2.crypto_options.pid_persist = &c->c1.pid_persist;
3045 c->c2.crypto_options.flags |= CO_PACKET_ID_LONG_FORM;
3046 packet_id_persist_load_obj(&c->c1.pid_persist, &c->c2.crypto_options.packet_id);
3047
3048 if (!key_ctx_bi_defined(&c->c1.ks.static_key))
3049 {
3050 /* Get cipher & hash algorithms */
3051 init_key_type(&c->c1.ks.key_type, options->ciphername, options->authname,
3052 options->test_crypto, true);
3053
3054 /* Read cipher and hmac keys from shared secret file */
3055 crypto_read_openvpn_key(&c->c1.ks.key_type, &c->c1.ks.static_key,
3056 options->shared_secret_file, options->shared_secret_file_inline,
3057 options->key_direction, "Static Key Encryption", "secret", NULL);
3058 }
3059 else
3060 {
3061 msg(M_INFO, "Re-using pre-shared static key");
3062 }
3063
3064 /* Get key schedule */
3065 c->c2.crypto_options.key_ctx_bi = c->c1.ks.static_key;
3066}
3067
3068/*
3069 * Initialize the tls-auth/crypt key context
3070 */
3071static void
3072do_init_tls_wrap_key(struct context *c)
3073{
3074 const struct options *options = &c->options;
3075
3076 /* TLS handshake authentication (--tls-auth) */
3077 if (options->ce.tls_auth_file)
3078 {
3079 /* Initialize key_type for tls-auth with auth only */
3080 CLEAR(c->c1.ks.tls_auth_key_type);
3081 c->c1.ks.tls_auth_key_type.cipher = "none";
3082 c->c1.ks.tls_auth_key_type.digest = options->authname;
3083 if (!md_valid(options->authname))
3084 {
3085 msg(M_FATAL,
3086 "ERROR: tls-auth enabled, but no valid --auth "
3087 "algorithm specified ('%s')",
3088 options->authname);
3089 }
3090
3091 crypto_read_openvpn_key(&c->c1.ks.tls_auth_key_type, &c->c1.ks.tls_wrap_key,
3092 options->ce.tls_auth_file, options->ce.tls_auth_file_inline,
3093 options->ce.key_direction, "Control Channel Authentication",
3094 "tls-auth", &c->c1.ks.original_wrap_keydata);
3095 }
3096
3097 /* TLS handshake encryption+authentication (--tls-crypt) */
3098 if (options->ce.tls_crypt_file)
3099 {
3100 tls_crypt_init_key(&c->c1.ks.tls_wrap_key, &c->c1.ks.original_wrap_keydata,
3101 options->ce.tls_crypt_file, options->ce.tls_crypt_file_inline,
3102 options->tls_server);
3103 }
3104
3105 /* tls-crypt with client-specific keys (--tls-crypt-v2) */
3106 if (options->ce.tls_crypt_v2_file)
3107 {
3108 if (options->tls_server)
3109 {
3110 tls_crypt_v2_init_server_key(&c->c1.ks.tls_crypt_v2_server_key, true,
3111 options->ce.tls_crypt_v2_file,
3112 options->ce.tls_crypt_v2_file_inline);
3113 }
3114 else
3115 {
3116 tls_crypt_v2_init_client_key(&c->c1.ks.tls_wrap_key, &c->c1.ks.original_wrap_keydata,
3117 &c->c1.ks.tls_crypt_v2_wkc, options->ce.tls_crypt_v2_file,
3118 options->ce.tls_crypt_v2_file_inline);
3119 }
3120 /* We have to ensure that the loaded tls-crypt key is small enough
3121 * to fit into the initial hard reset v3 packet */
3122 int wkc_len = buf_len(&c->c1.ks.tls_crypt_v2_wkc);
3123
3124 /* empty ACK/message id, tls-crypt, Opcode, UDP, ipv6 */
3125 int required_size = 5 + wkc_len + tls_crypt_buf_overhead() + 1 + 8 + 40;
3126
3127 if (required_size > c->options.ce.tls_mtu)
3128 {
3129 msg(M_WARN,
3130 "ERROR: tls-crypt-v2 client key too large to work with "
3131 "requested --max-packet-size %d, requires at least "
3132 "--max-packet-size %d. Packets will ignore requested "
3133 "maximum packet size",
3134 c->options.ce.tls_mtu, required_size);
3135 }
3136 }
3137}
3138
3139/*
3140 * Initialize the persistent component of OpenVPN's TLS mode,
3141 * which is preserved across SIGUSR1 resets.
3142 */
3143static void
3144do_init_crypto_tls_c1(struct context *c)
3145{
3146 const struct options *options = &c->options;
3147
3148 if (!tls_ctx_initialised(&c->c1.ks.ssl_ctx))
3149 {
3150 /*
3151 * Initialize the OpenSSL library's global
3152 * SSL context.
3153 */
3154 init_ssl(options, &(c->c1.ks.ssl_ctx), c->c0 && c->c0->uid_gid_chroot_set);
3155 if (!tls_ctx_initialised(&c->c1.ks.ssl_ctx))
3156 {
3157 switch (auth_retry_get())
3158 {
3159 case AR_NONE:
3160 msg(M_FATAL, "Error: private key password verification failed");
3161 break;
3162
3163 case AR_INTERACT:
3164 ssl_purge_auth(false);
3165 /* Intentional [[fallthrough]]; */
3166
3167 case AR_NOINTERACT:
3168 /* SOFT-SIGUSR1 -- Password failure error */
3169 register_signal(c->sig, SIGUSR1, "private-key-password-failure");
3170 break;
3171
3172 default:
3173 ASSERT(0);
3174 }
3175 return;
3176 }
3177
3178 /*
3179 * BF-CBC is allowed to be used only when explicitly configured
3180 * as NCP-fallback or when NCP has been disabled or explicitly
3181 * allowed in the in ncp_ciphers list.
3182 * In all other cases do not attempt to initialize BF-CBC as it
3183 * may not even be supported by the underlying SSL library.
3184 *
3185 * Therefore, the key structure has to be initialized when:
3186 * - any non-BF-CBC cipher was selected; or
3187 * - BF-CBC is selected, NCP is enabled and fallback is enabled
3188 * (BF-CBC will be the fallback).
3189 * - BF-CBC is in data-ciphers and we negotiate to use BF-CBC:
3190 * If the negotiated cipher and options->ciphername are the
3191 * same we do not reinit the cipher
3192 *
3193 * Note that BF-CBC will still be part of the OCC string to retain
3194 * backwards compatibility with older clients.
3195 */
3196 const char *ciphername = options->ciphername;
3197 if (streq(options->ciphername, "BF-CBC")
3198 && !tls_item_in_cipher_list("BF-CBC", options->ncp_ciphers)
3199 && !options->enable_ncp_fallback)
3200 {
3201 ciphername = "none";
3202 }
3203
3204 /* Do not warn if the cipher is used only in OCC */
3205 bool warn = options->enable_ncp_fallback;
3206 init_key_type(&c->c1.ks.key_type, ciphername, options->authname, true, warn);
3207
3208 /* initialize tls-auth/crypt/crypt-v2 key */
3209 do_init_tls_wrap_key(c);
3210
3211 /* initialise auth-token crypto support */
3212 if (c->options.auth_token_generate)
3213 {
3214 auth_token_init_secret(&c->c1.ks.auth_token_key, c->options.auth_token_secret_file,
3215 c->options.auth_token_secret_file_inline);
3216 }
3217
3218#if 0 /* was: #if ENABLE_INLINE_FILES -- Note that enabling this code will break restarts */
3219 if (options->priv_key_file_inline)
3220 {
3221 string_clear(c->options.priv_key_file_inline);
3222 c->options.priv_key_file_inline = NULL;
3223 }
3224#endif
3225 }
3226 else
3227 {
3228 msg(D_INIT_MEDIUM, "Re-using SSL/TLS context");
3229
3230 /*
3231 * tls-auth/crypt key can be configured per connection block, therefore
3232 * we must reload it as it may have changed
3233 */
3234 do_init_tls_wrap_key(c);
3235 }
3236}
3237
3238static void
3239do_init_crypto_tls(struct context *c, const unsigned int flags)
3240{
3241 const struct options *options = &c->options;
3242 struct tls_options to;
3243 bool packet_id_long_form;
3244
3245 ASSERT(options->tls_server || options->tls_client);
3246 ASSERT(!options->test_crypto);
3247
3248 init_crypto_pre(c, flags);
3249
3250 /* Make sure we are either a TLS client or server but not both */
3251 ASSERT(options->tls_server == !options->tls_client);
3252
3253 /* initialize persistent component */
3254 do_init_crypto_tls_c1(c);
3255 if (IS_SIG(c))
3256 {
3257 return;
3258 }
3259
3260 /* In short form, unique datagram identifier is 32 bits, in long form 64 bits */
3261 packet_id_long_form = cipher_kt_mode_ofb_cfb(c->c1.ks.key_type.cipher);
3262
3263 /* Set all command-line TLS-related options */
3264 CLEAR(to);
3265
3266 if (options->mute_replay_warnings)
3267 {
3268 to.crypto_flags |= CO_MUTE_REPLAY_WARNINGS;
3269 }
3270
3271 to.crypto_flags &= ~(CO_PACKET_ID_LONG_FORM);
3272 if (packet_id_long_form)
3273 {
3274 to.crypto_flags |= CO_PACKET_ID_LONG_FORM;
3275 }
3276
3277 to.ssl_ctx = c->c1.ks.ssl_ctx;
3278 to.key_type = c->c1.ks.key_type;
3279 to.server = options->tls_server;
3280 to.replay_window = options->replay_window;
3281 to.replay_time = options->replay_time;
3282 to.config_ciphername = c->options.ciphername;
3283 to.config_ncp_ciphers = c->options.ncp_ciphers;
3284 to.transition_window = options->transition_window;
3285 to.handshake_window = options->handshake_window;
3286 to.packet_timeout = options->tls_timeout;
3287 to.renegotiate_bytes = options->renegotiate_bytes;
3288 to.renegotiate_packets = options->renegotiate_packets;
3289 if (options->renegotiate_seconds_min < 0)
3290 {
3291 /* Add 10% jitter to reneg-sec by default (server side only) */
3292 int auto_jitter = options->mode != MODE_SERVER
3293 ? 0
3294 : get_random() % max_int(options->renegotiate_seconds / 10, 1);
3295 to.renegotiate_seconds = options->renegotiate_seconds - auto_jitter;
3296 }
3297 else
3298 {
3299 /* Add user-specified jitter to reneg-sec */
3300 to.renegotiate_seconds =
3301 options->renegotiate_seconds
3302 - (get_random()
3303 % max_int(options->renegotiate_seconds - options->renegotiate_seconds_min, 1));
3304 }
3305 to.single_session = options->single_session;
3306 to.mode = options->mode;
3307 to.pull = options->pull;
3308 if (options->push_peer_info) /* all there is */
3309 {
3310 to.push_peer_info_detail = 3;
3311 }
3312 else if (options->pull) /* pull clients send some details */
3313 {
3314 to.push_peer_info_detail = 2;
3315 }
3316 else if (options->mode == MODE_SERVER) /* server: no peer info at all */
3317 {
3318 to.push_peer_info_detail = 0;
3319 }
3320 else /* default: minimal info to allow NCP in P2P mode */
3321 {
3322 to.push_peer_info_detail = 1;
3323 }
3324
3325 /* Check if the DCO drivers support the epoch data format */
3326 if (dco_enabled(options))
3327 {
3328 to.data_epoch_supported = dco_supports_epoch_data(c);
3329 }
3330 else
3331 {
3332 to.data_epoch_supported = true;
3333 }
3334
3335 /* should we not xmit any packets until we get an initial
3336 * response from client? */
3337 if (to.server && c->mode == CM_CHILD_TCP)
3338 {
3339 to.xmit_hold = true;
3340 }
3341
3342 to.verify_command = options->tls_verify;
3343 to.verify_x509_type = (options->verify_x509_type & 0xff);
3344 to.verify_x509_name = options->verify_x509_name;
3345 to.crl_file = options->crl_file;
3346 to.crl_file_inline = options->crl_file_inline;
3347 to.ssl_flags = options->ssl_flags;
3348 to.ns_cert_type = options->ns_cert_type;
3349 memcpy(to.remote_cert_ku, options->remote_cert_ku, sizeof(to.remote_cert_ku));
3350 to.remote_cert_eku = options->remote_cert_eku;
3351 to.verify_hash = options->verify_hash;
3352 to.verify_hash_algo = options->verify_hash_algo;
3353 to.verify_hash_depth = options->verify_hash_depth;
3354 to.verify_hash_no_ca = options->verify_hash_no_ca;
3355#ifdef ENABLE_X509ALTUSERNAME
3356 memcpy(to.x509_username_field, options->x509_username_field, sizeof(to.x509_username_field));
3357#else
3358 to.x509_username_field[0] = X509_USERNAME_FIELD_DEFAULT;
3359#endif
3360 to.es = c->c2.es;
3361 to.net_ctx = &c->net_ctx;
3362
3363#ifdef ENABLE_DEBUG
3364 to.gremlin = c->options.gremlin;
3365#endif
3366
3367 to.plugins = c->plugins;
3368
3369#ifdef ENABLE_MANAGEMENT
3370 to.mda_context = &c->c2.mda_context;
3371#endif
3372
3373 to.auth_user_pass_verify_script = options->auth_user_pass_verify_script;
3374 to.auth_user_pass_verify_script_via_file = options->auth_user_pass_verify_script_via_file;
3375 to.client_crresponse_script = options->client_crresponse_script;
3376 to.tmp_dir = options->tmp_dir;
3377 to.export_peer_cert_dir = options->tls_export_peer_cert_dir;
3378 if (options->ccd_exclusive)
3379 {
3380 to.client_config_dir_exclusive = options->client_config_dir;
3381 }
3382 to.auth_user_pass_file = options->auth_user_pass_file;
3383 to.auth_user_pass_file_inline = options->auth_user_pass_file_inline;
3384 to.auth_token_generate = options->auth_token_generate;
3385 to.auth_token_lifetime = options->auth_token_lifetime;
3386 to.auth_token_renewal = options->auth_token_renewal;
3387 to.auth_token_call_auth = options->auth_token_call_auth;
3388 to.auth_token_key = c->c1.ks.auth_token_key;
3389
3390 to.x509_track = options->x509_track;
3391
3392#ifdef ENABLE_MANAGEMENT
3393 to.sci = &options->sc_info;
3394#endif
3395
3396#ifdef USE_COMP
3397 to.comp_options = options->comp;
3398#endif
3399
3400 if (options->keying_material_exporter_label)
3401 {
3402 to.ekm_size = options->keying_material_exporter_length;
3403 if (to.ekm_size < 16 || to.ekm_size > 4095)
3404 {
3405 to.ekm_size = 0;
3406 }
3407
3408 to.ekm_label = options->keying_material_exporter_label;
3409 to.ekm_label_size = strlen(to.ekm_label);
3410 }
3411 else
3412 {
3413 to.ekm_size = 0;
3414 }
3415
3416 /* TLS handshake authentication (--tls-auth) */
3417 if (options->ce.tls_auth_file)
3418 {
3419 to.tls_wrap.mode = TLS_WRAP_AUTH;
3420 }
3421
3422 /* TLS handshake encryption (--tls-crypt) */
3423 if (options->ce.tls_crypt_file || (options->ce.tls_crypt_v2_file && options->tls_client))
3424 {
3425 to.tls_wrap.mode = TLS_WRAP_CRYPT;
3426 }
3427
3428 if (to.tls_wrap.mode == TLS_WRAP_AUTH || to.tls_wrap.mode == TLS_WRAP_CRYPT)
3429 {
3430 to.tls_wrap.opt.key_ctx_bi = c->c1.ks.tls_wrap_key;
3431 to.tls_wrap.opt.pid_persist = &c->c1.pid_persist;
3432 to.tls_wrap.opt.flags |= CO_PACKET_ID_LONG_FORM;
3433 to.tls_wrap.original_wrap_keydata = c->c1.ks.original_wrap_keydata;
3434 }
3435
3436 if (options->ce.tls_crypt_v2_file)
3437 {
3438 to.tls_crypt_v2 = true;
3439 to.tls_wrap.tls_crypt_v2_wkc = &c->c1.ks.tls_crypt_v2_wkc;
3440
3441 if (options->tls_server)
3442 {
3443 to.tls_wrap.tls_crypt_v2_server_key = c->c1.ks.tls_crypt_v2_server_key;
3444 to.tls_crypt_v2_verify_script = c->options.tls_crypt_v2_verify_script;
3445 if (options->ce.tls_crypt_v2_force_cookie)
3446 {
3447 to.tls_wrap.opt.flags |= CO_FORCE_TLSCRYPTV2_COOKIE;
3448 }
3449 }
3450 }
3451
3452 /* let the TLS engine know if keys have to be installed in DCO or not */
3453 to.dco_enabled = dco_enabled(options);
3454
3455 /*
3456 * Initialize OpenVPN's master TLS-mode object.
3457 */
3458 if (flags & CF_INIT_TLS_MULTI)
3459 {
3460 c->c2.tls_multi = tls_multi_init(&to);
3461 /* inherit the dco context from the tuntap object */
3462 if (c->c1.tuntap)
3463 {
3464 c->c2.tls_multi->dco = &c->c1.tuntap->dco;
3465 }
3466 }
3467
3468 if (flags & CF_INIT_TLS_AUTH_STANDALONE)
3469 {
3470 c->c2.tls_auth_standalone = tls_auth_standalone_init(&to, &c->c2.gc);
3471 c->c2.session_id_hmac = session_id_hmac_init();
3472 }
3473}
3474
3475static void
3476do_init_frame_tls(struct context *c)
3477{
3478 if (c->c2.tls_multi)
3479 {
3480 tls_multi_init_finalize(c->c2.tls_multi, c->options.ce.tls_mtu);
3481 ASSERT(c->c2.tls_multi->opt.frame.buf.payload_size <= c->c2.frame.buf.payload_size);
3482 frame_print(&c->c2.tls_multi->opt.frame, D_MTU_INFO, "Control Channel MTU parms");
3483
3484 /* Keep the max mtu also in the frame of tls multi so it can access
3485 * it in push_peer_info */
3486 c->c2.tls_multi->opt.frame.tun_max_mtu = c->c2.frame.tun_max_mtu;
3487 }
3488 if (c->c2.tls_auth_standalone)
3489 {
3490 tls_init_control_channel_frame_parameters(&c->c2.tls_auth_standalone->frame,
3491 c->options.ce.tls_mtu);
3492 frame_print(&c->c2.tls_auth_standalone->frame, D_MTU_INFO, "TLS-Auth MTU parms");
3493 c->c2.tls_auth_standalone->tls_wrap.work = alloc_buf_gc(BUF_SIZE(&c->c2.frame), &c->c2.gc);
3494 c->c2.tls_auth_standalone->workbuf = alloc_buf_gc(BUF_SIZE(&c->c2.frame), &c->c2.gc);
3495 }
3496}
3497
3498#if defined(__GNUC__) || defined(__clang__)
3499#pragma GCC diagnostic pop
3500#endif
3501
3502/*
3503 * No encryption or authentication.
3504 */
3505static void
3506do_init_crypto_none(struct context *c)
3507{
3508 ASSERT(!c->options.test_crypto);
3509
3510 /* Initialise key_type with auth/cipher "none", so the key_type struct is
3511 * valid */
3512 init_key_type(&c->c1.ks.key_type, "none", "none", c->options.test_crypto, true);
3513
3514 msg(M_WARN, "******* WARNING *******: All encryption and authentication features "
3515 "disabled -- All data will be tunnelled as clear text and will not be "
3516 "protected against man-in-the-middle changes. "
3517 "PLEASE DO RECONSIDER THIS CONFIGURATION!");
3518}
3519
3520static void
3521do_init_crypto(struct context *c, const unsigned int flags)
3522{
3523 if (c->options.shared_secret_file)
3524 {
3525 do_init_crypto_static(c, flags);
3526 }
3527 else if (c->options.tls_server || c->options.tls_client)
3528 {
3529 do_init_crypto_tls(c, flags);
3530 }
3531 else /* no encryption or authentication. */
3532 {
3533 do_init_crypto_none(c);
3534 }
3535}
3536
3537static void
3538do_init_frame(struct context *c)
3539{
3540 /*
3541 * Adjust frame size based on the --tun-mtu-extra parameter.
3542 */
3543 if (c->options.ce.tun_mtu_extra_defined)
3544 {
3545 c->c2.frame.extra_tun += c->options.ce.tun_mtu_extra;
3546 }
3547
3548 /*
3549 * Fill in the blanks in the frame parameters structure,
3550 * make sure values are rational, etc.
3551 */
3552 frame_finalize_options(c, NULL);
3553
3554
3555#if defined(ENABLE_FRAGMENT)
3556 /*
3557 * MTU advisories
3558 */
3559 if (c->options.ce.fragment && c->options.mtu_test)
3560 {
3561 msg(M_WARN,
3562 "WARNING: using --fragment and --mtu-test together may produce an inaccurate MTU test result");
3563 }
3564#endif
3565
3566#ifdef ENABLE_FRAGMENT
3567 if (c->options.ce.fragment > 0 && c->options.ce.mssfix > c->options.ce.fragment)
3568 {
3569 msg(M_WARN,
3570 "WARNING: if you use --mssfix and --fragment, you should "
3571 "set --fragment (%d) larger or equal than --mssfix (%d)",
3572 c->options.ce.fragment, c->options.ce.mssfix);
3573 }
3574 if (c->options.ce.fragment > 0 && c->options.ce.mssfix > 0
3575 && c->options.ce.fragment_encap != c->options.ce.mssfix_encap)
3576 {
3577 msg(M_WARN, "WARNING: if you use --mssfix and --fragment, you should "
3578 "use the \"mtu\" flag for both or none of of them.");
3579 }
3580#endif
3581}
3582
3583static void
3584do_option_warnings(struct context *c)
3585{
3586 const struct options *o = &c->options;
3587
3588 if (o->ping_send_timeout && !o->ping_rec_timeout)
3589 {
3590 msg(M_WARN, "WARNING: --ping should normally be used with --ping-restart or --ping-exit");
3591 }
3592
3593 if (o->username || o->groupname || o->chroot_dir
3594#ifdef ENABLE_SELINUX
3595 || o->selinux_context
3596#endif
3597 )
3598 {
3599 if (!o->persist_tun)
3600 {
3601 msg(M_WARN,
3602 "WARNING: you are using user/group/chroot/setcon without persist-tun -- this may cause restarts to fail");
3603 }
3604 }
3605
3606 if (o->chroot_dir && !(o->username && o->groupname))
3607 {
3608 msg(M_WARN,
3609 "WARNING: you are using chroot without specifying user and group -- this may cause the chroot jail to be insecure");
3610 }
3611
3612 if (o->pull && o->ifconfig_local && c->first_time)
3613 {
3614 msg(M_WARN,
3615 "WARNING: using --pull/--client and --ifconfig together is probably not what you want");
3616 }
3617
3618 if (o->server_bridge_defined || o->server_bridge_proxy_dhcp)
3619 {
3620 msg(M_WARN,
3621 "NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to");
3622 }
3623
3624 if (o->mode == MODE_SERVER)
3625 {
3626 if (o->duplicate_cn && o->client_config_dir)
3627 {
3628 msg(M_WARN,
3629 "WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want");
3630 }
3631 if (o->duplicate_cn && o->ifconfig_pool_persist_filename)
3632 {
3633 msg(M_WARN, "WARNING: --ifconfig-pool-persist will not work with --duplicate-cn");
3634 }
3635 if (!o->keepalive_ping || !o->keepalive_timeout)
3636 {
3637 msg(M_WARN, "WARNING: --keepalive option is missing from server config");
3638 }
3639 }
3640
3641 if (o->tls_server)
3642 {
3643 warn_on_use_of_common_subnets(&c->net_ctx);
3644 }
3645 if (o->tls_client && !o->tls_verify && o->verify_x509_type == VERIFY_X509_NONE
3646 && !(o->ns_cert_type & NS_CERT_CHECK_SERVER) && !o->remote_cert_eku
3647 && !(o->verify_hash_depth == 0 && o->verify_hash))
3648 {
3649 msg(M_WARN,
3650 "WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.");
3651 }
3652 if (o->ns_cert_type)
3653 {
3654 msg(M_WARN, "WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.");
3655 }
3656
3657 /* If a script is used, print appropriate warnings */
3658 if (o->user_script_used)
3659 {
3660 if (script_security() >= SSEC_SCRIPTS)
3661 {
3662 msg(M_WARN,
3663 "NOTE: the current --script-security setting may allow this configuration to call user-defined scripts");
3664 }
3665 else if (script_security() >= SSEC_PW_ENV)
3666 {
3667 msg(M_WARN,
3668 "WARNING: the current --script-security setting may allow passwords to be passed to scripts via environmental variables");
3669 }
3670 else
3671 {
3672 msg(M_WARN,
3673 "NOTE: starting with " PACKAGE_NAME
3674 " 2.1, '--script-security 2' or higher is required to call user-defined scripts or executables");
3675 }
3676 }
3677}
3678
3679struct context_buffers *
3680init_context_buffers(const struct frame *frame)
3681{
3682 struct context_buffers *b;
3683
3684 ALLOC_OBJ_CLEAR(b, struct context_buffers);
3685
3686 size_t buf_size = BUF_SIZE(frame);
3687
3688 b->read_link_buf = alloc_buf(buf_size);
3689 b->read_tun_buf = alloc_buf(buf_size);
3690
3691 b->aux_buf = alloc_buf(buf_size);
3692
3693 b->encrypt_buf = alloc_buf(buf_size);
3694 b->decrypt_buf = alloc_buf(buf_size);
3695
3696#ifdef USE_COMP
3697 b->compress_buf = alloc_buf(buf_size);
3698 b->decompress_buf = alloc_buf(buf_size);
3699#endif
3700
3701 return b;
3702}
3703
3704void
3705free_context_buffers(struct context_buffers *b)
3706{
3707 if (b)
3708 {
3709 free_buf(&b->read_link_buf);
3710 free_buf(&b->read_tun_buf);
3711 free_buf(&b->aux_buf);
3712
3713#ifdef USE_COMP
3714 free_buf(&b->compress_buf);
3715 free_buf(&b->decompress_buf);
3716#endif
3717
3718 free_buf(&b->encrypt_buf);
3719 free_buf(&b->decrypt_buf);
3720
3721 free(b);
3722 }
3723}
3724
3725/*
3726 * Now that we know all frame parameters, initialize
3727 * our buffers.
3728 */
3729static void
3730do_init_buffers(struct context *c)
3731{
3732 c->c2.buffers = init_context_buffers(&c->c2.frame);
3733 c->c2.buffers_owned = true;
3734}
3735
3736#ifdef ENABLE_FRAGMENT
3737/*
3738 * Fragmenting code has buffers to initialize
3739 * once frame parameters are known.
3740 */
3741static void
3742do_init_fragment(struct context *c)
3743{
3744 ASSERT(c->options.ce.fragment);
3745
3746 /*
3747 * Set frame parameter for fragment code. This is necessary because
3748 * the fragmentation code deals with payloads which have already been
3749 * passed through the compression code.
3750 */
3751 c->c2.frame_fragment = c->c2.frame;
3752
3753 frame_calculate_dynamic(&c->c2.frame_fragment, &c->c1.ks.key_type, &c->options,
3754 get_link_socket_info(c));
3755 fragment_frame_init(c->c2.fragment, &c->c2.frame_fragment);
3756}
3757#endif
3758
3759/*
3760 * Allocate our socket object.
3761 */
3762static void
3763do_link_socket_new(struct context *c)
3764{
3765 ASSERT(!c->c2.link_sockets);
3766
3767 ALLOC_ARRAY_GC(c->c2.link_sockets, struct link_socket *, c->c1.link_sockets_num, &c->c2.gc);
3768
3769 for (int i = 0; i < c->c1.link_sockets_num; i++)
3770 {
3771 c->c2.link_sockets[i] = link_socket_new();
3772 }
3773 c->c2.link_socket_owned = true;
3774}
3775
3776/*
3777 * bind TCP/UDP sockets
3778 */
3779static void
3780do_init_socket_phase1(struct context *c)
3781{
3782 for (int i = 0; i < c->c1.link_sockets_num; i++)
3783 {
3784 int mode = LS_MODE_DEFAULT;
3785
3786 /* mode allows CM_CHILD_TCP
3787 * instances to inherit acceptable fds
3788 * from a top-level parent */
3789 if (c->options.mode == MODE_SERVER)
3790 {
3791 /* initializing listening socket */
3792 if (c->mode == CM_TOP)
3793 {
3794 mode = LS_MODE_TCP_LISTEN;
3795 }
3796 /* initializing socket to client */
3797 else if (c->mode == CM_CHILD_TCP)
3798 {
3799 mode = LS_MODE_TCP_ACCEPT_FROM;
3800 }
3801 }
3802
3803 /* init each socket with its specific args */
3804 link_socket_init_phase1(c, i, mode);
3805 }
3806}
3807
3808/*
3809 * finalize TCP/UDP sockets
3810 */
3811static void
3812do_init_socket_phase2(struct context *c)
3813{
3814 for (int i = 0; i < c->c1.link_sockets_num; i++)
3815 {
3816 link_socket_init_phase2(c, c->c2.link_sockets[i]);
3817 }
3818}
3819
3820/*
3821 * Print MTU INFO
3822 */
3823static void
3824do_print_data_channel_mtu_parms(struct context *c)
3825{
3826 frame_print(&c->c2.frame, D_MTU_INFO, "Data Channel MTU parms");
3827#ifdef ENABLE_FRAGMENT
3828 if (c->c2.fragment)
3829 {
3830 frame_print(&c->c2.frame_fragment, D_MTU_INFO, "Fragmentation MTU parms");
3831 }
3832#endif
3833}
3834
3835/*
3836 * Get local and remote options compatibility strings.
3837 */
3838static void
3839do_compute_occ_strings(struct context *c)
3840{
3841 struct gc_arena gc = gc_new();
3842
3843 c->c2.options_string_local =
3844 options_string(&c->options, &c->c2.frame, c->c1.tuntap, &c->net_ctx, false, &gc);
3845 c->c2.options_string_remote =
3846 options_string(&c->options, &c->c2.frame, c->c1.tuntap, &c->net_ctx, true, &gc);
3847
3848 msg(D_SHOW_OCC, "Local Options String (VER=%s): '%s'",
3849 options_string_version(c->c2.options_string_local, &gc), c->c2.options_string_local);
3850 msg(D_SHOW_OCC, "Expected Remote Options String (VER=%s): '%s'",
3851 options_string_version(c->c2.options_string_remote, &gc), c->c2.options_string_remote);
3852
3853 if (c->c2.tls_multi)
3854 {
3855 tls_multi_init_set_options(c->c2.tls_multi, c->c2.options_string_local,
3856 c->c2.options_string_remote);
3857 }
3858
3859 gc_free(&gc);
3860}
3861
3862/*
3863 * These things can only be executed once per program instantiation.
3864 * Set up for possible UID/GID downgrade, but don't do it yet.
3865 * Daemonize if requested.
3866 */
3867static void
3868do_init_first_time(struct context *c)
3869{
3870 if (c->first_time && !c->c0)
3871 {
3872 struct context_0 *c0;
3873
3874 ALLOC_OBJ_CLEAR_GC(c->c0, struct context_0, &c->gc);
3875 c0 = c->c0;
3876
3877 /* get user and/or group that we want to setuid/setgid to,
3878 * sets also platform_x_state */
3879 bool group_defined = platform_group_get(c->options.groupname, &c0->platform_state_group);
3880 bool user_defined = platform_user_get(c->options.username, &c0->platform_state_user);
3881
3882 c0->uid_gid_specified = user_defined || group_defined;
3883
3884 /* fork the dns script runner to preserve root? */
3885 c->persist.duri.required = user_defined;
3886
3887 /* perform postponed chdir if --daemon */
3888 if (c->did_we_daemonize && c->options.cd_dir == NULL)
3889 {
3890 platform_chdir("/");
3891 }
3892
3893 /* should we change scheduling priority? */
3894 platform_nice(c->options.nice);
3895 }
3896}
3897
3898/*
3899 * free buffers
3900 */
3901static void
3902do_close_free_buf(struct context *c)
3903{
3904 if (c->c2.buffers_owned)
3905 {
3906 free_context_buffers(c->c2.buffers);
3907 c->c2.buffers = NULL;
3908 c->c2.buffers_owned = false;
3909 }
3910}
3911
3912/*
3913 * close TLS
3914 */
3915static void
3916do_close_tls(struct context *c)
3917{
3918 if (c->c2.tls_multi)
3919 {
3920 tls_multi_free(c->c2.tls_multi, true);
3921 c->c2.tls_multi = NULL;
3922 }
3923
3924 /* free options compatibility strings */
3925 free(c->c2.options_string_local);
3926 free(c->c2.options_string_remote);
3927
3928 c->c2.options_string_local = c->c2.options_string_remote = NULL;
3929
3930 if (c->c2.pulled_options_state)
3931 {
3932 md_ctx_cleanup(c->c2.pulled_options_state);
3933 md_ctx_free(c->c2.pulled_options_state);
3934 }
3935
3936 tls_auth_standalone_free(c->c2.tls_auth_standalone);
3937}
3938
3939/*
3940 * Free key schedules
3941 */
3942static void
3943do_close_free_key_schedule(struct context *c, bool free_ssl_ctx)
3944{
3945 /*
3946 * always free the tls_auth/crypt key. The key will
3947 * be reloaded from memory (pre-cached)
3948 */
3949 free_key_ctx(&c->c1.ks.tls_crypt_v2_server_key);
3950 free_key_ctx_bi(&c->c1.ks.tls_wrap_key);
3951 CLEAR(c->c1.ks.tls_wrap_key);
3952 buf_clear(&c->c1.ks.tls_crypt_v2_wkc);
3953 free_buf(&c->c1.ks.tls_crypt_v2_wkc);
3954
3955 if (!(c->sig->signal_received == SIGUSR1))
3956 {
3957 key_schedule_free(&c->c1.ks, free_ssl_ctx);
3958 }
3959}
3960
3961/*
3962 * Close TCP/UDP connection
3963 */
3964static void
3965do_close_link_socket(struct context *c)
3966{
3967 if (c->c2.link_sockets && c->c2.link_socket_owned)
3968 {
3969 for (int i = 0; i < c->c1.link_sockets_num; i++)
3970 {
3971 /* in dco-win case, link socket is a tun handle which is
3972 * closed in do_close_tun(). Set it to UNDEFINED so
3973 * we won't use WinSock API to close it. */
3974 if (tuntap_is_dco_win(c->c1.tuntap))
3975 {
3976 c->c2.link_sockets[i]->sd = SOCKET_UNDEFINED;
3977 }
3978
3979 link_socket_close(c->c2.link_sockets[i]);
3980 }
3981 c->c2.link_sockets = NULL;
3982 }
3983
3984
3985 /* Preserve the resolved list of remote if the user request to or if we want
3986 * reconnect to the same host again or there are still addresses that need
3987 * to be tried */
3988 if (!(c->sig->signal_received == SIGUSR1
3989 && ((c->options.persist_remote_ip)
3990 || (c->sig->source != SIG_SOURCE_HARD
3991 && ((c->c1.link_socket_addrs[0].current_remote
3992 && c->c1.link_socket_addrs[0].current_remote->ai_next)
3993 || c->options.no_advance)))))
3994 {
3995 clear_remote_addrlist(&c->c1.link_socket_addrs[0], !c->options.resolve_in_advance);
3996 }
3997
3998 /* Clear the remote actual address when persist_remote_ip is not in use */
3999 if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_remote_ip))
4000 {
4001 for (int i = 0; i < c->c1.link_sockets_num; i++)
4002 {
4003 CLEAR(c->c1.link_socket_addrs[i].actual);
4004 }
4005 }
4006
4007 if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_local_ip))
4008 {
4009 for (int i = 0; i < c->c1.link_sockets_num; i++)
4010 {
4011 if (c->c1.link_socket_addrs[i].bind_local && !c->options.resolve_in_advance)
4012 {
4013 freeaddrinfo(c->c1.link_socket_addrs[i].bind_local);
4014 }
4015
4016 c->c1.link_socket_addrs[i].bind_local = NULL;
4017 }
4018 }
4019}
4020
4021/*
4022 * Close packet-id persistence file
4023 */
4024static void
4025do_close_packet_id(struct context *c)
4026{
4027 packet_id_free(&c->c2.crypto_options.packet_id);
4028 packet_id_persist_save(&c->c1.pid_persist);
4029 if (!(c->sig->signal_received == SIGUSR1))
4030 {
4031 packet_id_persist_close(&c->c1.pid_persist);
4032 }
4033}
4034
4035#ifdef ENABLE_FRAGMENT
4036/*
4037 * Close fragmentation handler.
4038 */
4039static void
4040do_close_fragment(struct context *c)
4041{
4042 if (c->c2.fragment)
4043 {
4044 fragment_free(c->c2.fragment);
4045 c->c2.fragment = NULL;
4046 }
4047}
4048#endif
4049
4050/*
4051 * Open and close our event objects.
4052 */
4053
4054static void
4055do_event_set_init(struct context *c, bool need_us_timeout)
4056{
4057 unsigned int flags = 0;
4058
4059 c->c2.event_set_max = BASE_N_EVENTS;
4060
4061 flags |= EVENT_METHOD_FAST;
4062
4063 if (need_us_timeout)
4064 {
4065 flags |= EVENT_METHOD_US_TIMEOUT;
4066 }
4067
4068 c->c2.event_set = event_set_init(&c->c2.event_set_max, flags);
4069 c->c2.event_set_owned = true;
4070}
4071
4072static void
4073do_close_event_set(struct context *c)
4074{
4075 if (c->c2.event_set && c->c2.event_set_owned)
4076 {
4077 event_free(c->c2.event_set);
4078 c->c2.event_set = NULL;
4079 c->c2.event_set_owned = false;
4080 }
4081}
4082
4083/*
4084 * Open and close --status file
4085 */
4086
4087static void
4088do_open_status_output(struct context *c)
4089{
4090 if (!c->c1.status_output)
4091 {
4092 c->c1.status_output =
4093 status_open(c->options.status_file, c->options.status_file_update_freq, -1, NULL,
4094 STATUS_OUTPUT_WRITE);
4095 c->c1.status_output_owned = true;
4096 }
4097}
4098
4099static void
4100do_close_status_output(struct context *c)
4101{
4102 if (!(c->sig->signal_received == SIGUSR1))
4103 {
4104 if (c->c1.status_output_owned && c->c1.status_output)
4105 {
4106 status_close(c->c1.status_output);
4107 c->c1.status_output = NULL;
4108 c->c1.status_output_owned = false;
4109 }
4110 }
4111}
4112
4113/*
4114 * Handle ifconfig-pool persistence object.
4115 */
4116static void
4127
4128static void
4129do_close_ifconfig_pool_persist(struct context *c)
4130{
4131 if (!(c->sig->signal_received == SIGUSR1))
4132 {
4133 if (c->c1.ifconfig_pool_persist && c->c1.ifconfig_pool_persist_owned)
4134 {
4135 ifconfig_pool_persist_close(c->c1.ifconfig_pool_persist);
4136 c->c1.ifconfig_pool_persist = NULL;
4137 c->c1.ifconfig_pool_persist_owned = false;
4138 }
4139 }
4140}
4141
4142/*
4143 * Inherit environmental variables
4144 */
4145
4146static void
4147do_inherit_env(struct context *c, const struct env_set *src)
4148{
4149 c->c2.es = env_set_create(NULL);
4150 c->c2.es_owned = true;
4151 env_set_inherit(c->c2.es, src);
4152}
4153
4154static void
4155do_env_set_destroy(struct context *c)
4156{
4157 if (c->c2.es && c->c2.es_owned)
4158 {
4159 env_set_destroy(c->c2.es);
4160 c->c2.es = NULL;
4161 c->c2.es_owned = false;
4162 }
4163}
4164
4165/*
4166 * Fast I/O setup. Fast I/O is an optimization which only works
4167 * if all of the following are true:
4168 *
4169 * (1) The platform is not Windows
4170 * (2) --proto udp is enabled
4171 * (3) --shaper is disabled
4172 */
4173static void
4174do_setup_fast_io(struct context *c)
4175{
4176 if (c->options.fast_io)
4177 {
4178#ifdef _WIN32
4179 msg(M_INFO, "NOTE: --fast-io is disabled since we are running on Windows");
4180#else
4181 if (c->options.shaper)
4182 {
4183 msg(M_INFO, "NOTE: --fast-io is disabled since we are using --shaper");
4184 }
4185 else
4186 {
4187 c->c2.fast_io = true;
4188 }
4189#endif
4190 }
4191}
4192
4193static void
4194do_signal_on_tls_errors(struct context *c)
4195{
4196 if (c->options.tls_exit)
4197 {
4198 c->c2.tls_exit_signal = SIGTERM;
4199 }
4200 else
4201 {
4202 c->c2.tls_exit_signal = SIGUSR1;
4203 }
4204}
4205
4206#ifdef ENABLE_PLUGIN
4207
4208void
4209init_plugins(struct context *c)
4210{
4211 if (c->options.plugin_list && !c->plugins)
4212 {
4213 c->plugins = plugin_list_init(c->options.plugin_list);
4214 c->plugins_owned = true;
4215 }
4216}
4217
4218void
4219open_plugins(struct context *c, const bool import_options, int init_point)
4220{
4221 if (c->plugins && c->plugins_owned)
4222 {
4223 if (import_options)
4224 {
4225 struct plugin_return pr, config;
4226 plugin_return_init(&pr);
4227 plugin_list_open(c->plugins, c->options.plugin_list, &pr, c->c2.es, init_point);
4228 plugin_return_get_column(&pr, &config, "config");
4229 if (plugin_return_defined(&config))
4230 {
4231 int i;
4232 for (i = 0; i < config.n; ++i)
4233 {
4234 unsigned int option_types_found = 0;
4235 if (config.list[i] && config.list[i]->value)
4236 {
4237 options_string_import(
4238 &c->options, config.list[i]->value, D_IMPORT_ERRORS | M_OPTERR,
4239 OPT_P_DEFAULT & ~OPT_P_PLUGIN, &option_types_found, c->es);
4240 }
4241 }
4242 }
4243 plugin_return_free(&pr);
4244 }
4245 else
4246 {
4247 plugin_list_open(c->plugins, c->options.plugin_list, NULL, c->c2.es, init_point);
4248 }
4249 }
4250}
4251
4252static void
4253do_close_plugins(struct context *c)
4254{
4255 if (c->plugins && c->plugins_owned && !(c->sig->signal_received == SIGUSR1))
4256 {
4257 plugin_list_close(c->plugins);
4258 c->plugins = NULL;
4259 c->plugins_owned = false;
4260 }
4261}
4262
4263static void
4264do_inherit_plugins(struct context *c, const struct context *src)
4265{
4266 if (!c->plugins && src->plugins)
4267 {
4268 c->plugins = plugin_list_inherit(src->plugins);
4269 c->plugins_owned = true;
4270 }
4271}
4272
4273#endif /* ifdef ENABLE_PLUGIN */
4274
4275#ifdef ENABLE_MANAGEMENT
4276
4277static void
4278management_callback_status_p2p(void *arg, const int version, struct status_output *so)
4279{
4280 struct context *c = (struct context *)arg;
4281 print_status(c, so);
4282}
4283
4284void
4285management_show_net_callback(void *arg, const msglvl_t msglevel)
4286{
4287#ifdef _WIN32
4288 show_routes(msglevel);
4289 show_adapters(msglevel);
4290 msg(msglevel, "END");
4291#else
4292 msg(msglevel, "ERROR: Sorry, this command is currently only implemented on Windows");
4293#endif
4294}
4295
4296#ifdef TARGET_ANDROID
4297int
4298management_callback_network_change(void *arg, bool samenetwork)
4299{
4300 /* Check if the client should translate the network change to a SIGUSR1 to
4301 * reestablish the connection or just reprotect the socket
4302 *
4303 * At the moment just assume that, for all settings that use pull (not
4304 * --static) and are not using peer-id reestablishing the connection is
4305 * required (unless the network is the same)
4306 *
4307 * The function returns -1 on invalid fd and -2 if the socket cannot be
4308 * reused. On the -2 return value the man_network_change function triggers
4309 * a SIGUSR1 to force a reconnect.
4310 */
4311
4312 int socketfd = -1;
4313 struct context *c = (struct context *)arg;
4314 if (!c->c2.link_sockets || !c->c2.link_sockets[0])
4315 {
4316 return -1;
4317 }
4318 if (c->c2.link_sockets[0]->sd == SOCKET_UNDEFINED)
4319 {
4320 return -1;
4321 }
4322
4323 /* On some newer Android handsets, changing to a different network
4324 * often does not trigger a TCP reset but continue using the old
4325 * connection (e.g. using mobile connection when WiFi becomes available */
4326 struct link_socket_info *lsi = get_link_socket_info(c);
4327 if (lsi && proto_is_tcp(lsi->proto) && !samenetwork)
4328 {
4329 return -2;
4330 }
4331
4332 socketfd = c->c2.link_sockets[0]->sd;
4333 if (!c->options.pull || c->c2.tls_multi->use_peer_id || samenetwork)
4334 {
4335 return socketfd;
4336 }
4337 else
4338 {
4339 return -2;
4340 }
4341}
4342#endif /* ifdef TARGET_ANDROID */
4343
4344#endif /* ifdef ENABLE_MANAGEMENT */
4345
4346void
4347init_management_callback_p2p(struct context *c)
4348{
4349#ifdef ENABLE_MANAGEMENT
4350 if (management)
4351 {
4352 struct management_callback cb;
4353 CLEAR(cb);
4354 cb.arg = c;
4355 cb.status = management_callback_status_p2p;
4356 cb.show_net = management_show_net_callback;
4357 cb.proxy_cmd = management_callback_proxy_cmd;
4358 cb.remote_cmd = management_callback_remote_cmd;
4359 cb.send_cc_message = management_callback_send_cc_message;
4360#ifdef TARGET_ANDROID
4361 cb.network_change = management_callback_network_change;
4362#endif
4363 cb.remote_entry_count = management_callback_remote_entry_count;
4364 cb.remote_entry_get = management_callback_remote_entry_get;
4365 management_set_callback(management, &cb);
4366 }
4367#endif
4368}
4369
4370#ifdef ENABLE_MANAGEMENT
4371
4372void
4373init_management(void)
4374{
4375 if (!management)
4376 {
4377 management = management_init();
4378 }
4379}
4380
4381bool
4382open_management(struct context *c)
4383{
4384 /* initialize management layer */
4385 if (management)
4386 {
4387 if (c->options.management_addr)
4388 {
4389 unsigned int flags = c->options.management_flags;
4390 if (c->options.mode == MODE_SERVER)
4391 {
4392 flags |= MF_SERVER;
4393 }
4394 if (management_open(
4395 management, c->options.management_addr, c->options.management_port,
4396 c->options.management_user_pass, c->options.management_client_user,
4397 c->options.management_client_group, c->options.management_log_history_cache,
4398 c->options.management_echo_buffer_size, c->options.management_state_buffer_size,
4399 c->options.remap_sigusr1, flags))
4400 {
4401 management_set_state(management, OPENVPN_STATE_CONNECTING, NULL, NULL, NULL, NULL,
4402 NULL);
4403 }
4404
4405 /* initial management hold, called early, before first context initialization */
4406 do_hold(0);
4407 if (IS_SIG(c))
4408 {
4409 msg(M_WARN, "Signal received from management interface, exiting");
4410 return false;
4411 }
4412 }
4413 else
4414 {
4415 close_management();
4416 }
4417 }
4418 return true;
4419}
4420
4421void
4422close_management(void)
4423{
4424 if (management)
4425 {
4426 management_close(management);
4427 management = NULL;
4428 }
4429}
4430
4431#endif /* ifdef ENABLE_MANAGEMENT */
4432
4433
4434void
4435uninit_management_callback(void)
4436{
4437#ifdef ENABLE_MANAGEMENT
4438 if (management)
4439 {
4440 management_clear_callback(management);
4441 }
4442#endif
4443}
4444
4445void
4446persist_client_stats(struct context *c)
4447{
4448#ifdef ENABLE_MANAGEMENT
4449 if (management)
4450 {
4451 man_persist_client_stats(management, c);
4452 }
4453#endif
4454}
4455
4456/*
4457 * Initialize a tunnel instance, handle pre and post-init
4458 * signal settings.
4459 */
4460void
4461init_instance_handle_signals(struct context *c, const struct env_set *env, const unsigned int flags)
4462{
4463 pre_init_signal_catch();
4464 init_instance(c, env, flags);
4465 post_init_signal_catch();
4466
4467 /*
4468 * This is done so that signals thrown during
4469 * initialization can bring us back to
4470 * a management hold.
4471 */
4472 if (IS_SIG(c))
4473 {
4474 remap_signal(c);
4475 uninit_management_callback();
4476 }
4477}
4478
4479/*
4480 * Initialize a tunnel instance.
4481 */
4482void
4483init_instance(struct context *c, const struct env_set *env, const unsigned int flags)
4484{
4485 const struct options *options = &c->options;
4486 const bool child = (c->mode == CM_CHILD_TCP || c->mode == CM_CHILD_UDP);
4487
4488 /* init garbage collection level */
4489 gc_init(&c->c2.gc);
4490
4491 /* inherit environmental variables */
4492 if (env)
4493 {
4494 do_inherit_env(c, env);
4495 }
4496
4497 if (c->mode == CM_P2P)
4498 {
4499 init_management_callback_p2p(c);
4500 }
4501
4502 /* possible sleep or management hold if restart */
4503 if (c->mode == CM_P2P || c->mode == CM_TOP)
4504 {
4505 do_startup_pause(c);
4506 if (IS_SIG(c))
4507 {
4508 goto sig;
4509 }
4510 }
4511
4512 if (c->options.resolve_in_advance)
4513 {
4514 do_preresolve(c);
4515 if (IS_SIG(c))
4516 {
4517 goto sig;
4518 }
4519 }
4520
4521 /* Resets all values to the initial values from the config where needed */
4522 pre_connect_restore(&c->options, &c->c2.gc);
4523
4524 /* map in current connection entry */
4525 next_connection_entry(c);
4526
4527 /* should we disable paging? */
4528 if (c->first_time && options->mlock)
4529 {
4530 platform_mlockall(true);
4531 }
4532
4533 /* get passwords if undefined */
4534 if (auth_retry_get() == AR_INTERACT)
4535 {
4536 init_query_passwords(c);
4537 }
4538
4539 /* initialize context level 2 --verb/--mute parms */
4540 init_verb_mute(c, IVM_LEVEL_2);
4541
4542 /* set error message delay for non-server modes */
4543 if (c->mode == CM_P2P)
4544 {
4545 set_check_status_error_delay(P2P_ERROR_DELAY_MS);
4546 }
4547
4548 /* warn about inconsistent options */
4549 if (c->mode == CM_P2P || c->mode == CM_TOP)
4550 {
4551 do_option_warnings(c);
4552 }
4553
4554#ifdef ENABLE_PLUGIN
4555 /* initialize plugins */
4556 if (c->mode == CM_P2P || c->mode == CM_TOP)
4557 {
4558 open_plugins(c, false, OPENVPN_PLUGIN_INIT_PRE_DAEMON);
4559 }
4560#endif
4561
4562 /* should we enable fast I/O? */
4563 if (c->mode == CM_P2P || c->mode == CM_TOP)
4564 {
4565 do_setup_fast_io(c);
4566 }
4567
4568 /* should we throw a signal on TLS errors? */
4569 do_signal_on_tls_errors(c);
4570
4571 /* open --status file */
4572 if (c->mode == CM_P2P || c->mode == CM_TOP)
4573 {
4574 do_open_status_output(c);
4575 }
4576
4577 /* open --ifconfig-pool-persist file */
4578 if (c->mode == CM_TOP)
4579 {
4580 do_open_ifconfig_pool_persist(c);
4581 }
4582
4583 /* reset OCC state */
4584 if (c->mode == CM_P2P || child)
4585 {
4586 c->c2.occ_op = occ_reset_op();
4587 }
4588
4589 /* our wait-for-i/o objects, different for posix vs. win32 */
4590 if (c->mode == CM_P2P || c->mode == CM_TOP)
4591 {
4592 do_event_set_init(c, SHAPER_DEFINED(&c->options));
4593 }
4594 else if (c->mode == CM_CHILD_TCP)
4595 {
4596 do_event_set_init(c, false);
4597 }
4598
4599 /* initialize HTTP or SOCKS proxy object at scope level 2 */
4600 init_proxy(c);
4601
4602 /* allocate our socket object */
4603 if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
4604 {
4605 do_link_socket_new(c);
4606 }
4607
4608#ifdef ENABLE_FRAGMENT
4609 /* initialize internal fragmentation object */
4610 if (options->ce.fragment && (c->mode == CM_P2P || child))
4611 {
4612 c->c2.fragment = fragment_init(&c->c2.frame);
4613 }
4614#endif
4615
4616 /* init crypto layer */
4617 {
4618 unsigned int crypto_flags = 0;
4619 if (c->mode == CM_TOP)
4620 {
4621 crypto_flags = CF_INIT_TLS_AUTH_STANDALONE;
4622 }
4623 else if (c->mode == CM_P2P)
4624 {
4625 crypto_flags = CF_LOAD_PERSISTED_PACKET_ID | CF_INIT_TLS_MULTI;
4626 }
4627 else if (child)
4628 {
4629 crypto_flags = CF_INIT_TLS_MULTI;
4630 }
4631 do_init_crypto(c, crypto_flags);
4632 if (IS_SIG(c) && !child)
4633 {
4634 goto sig;
4635 }
4636 }
4637
4638#ifdef USE_COMP
4639 /* initialize compression library. */
4640 if (comp_enabled(&options->comp) && (c->mode == CM_P2P || child))
4641 {
4642 c->c2.comp_context = comp_init(&options->comp);
4643 }
4644#endif
4645
4646 /* initialize MTU variables */
4647 do_init_frame(c);
4648
4649 /* initialize TLS MTU variables */
4650 do_init_frame_tls(c);
4651
4652 /* init workspace buffers whose size is derived from frame size */
4653 if (c->mode == CM_P2P || c->mode == CM_CHILD_TCP)
4654 {
4655 do_init_buffers(c);
4656 }
4657
4658#ifdef ENABLE_FRAGMENT
4659 /* initialize internal fragmentation capability with known frame size */
4660 if (options->ce.fragment && (c->mode == CM_P2P || child))
4661 {
4662 do_init_fragment(c);
4663 }
4664#endif
4665
4666 /* bind the TCP/UDP socket */
4667 if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
4668 {
4669 do_init_socket_phase1(c);
4670 }
4671
4672 /* initialize tun/tap device object,
4673 * open tun/tap device, ifconfig, run up script, etc. */
4674 if (!(options->up_delay || PULL_DEFINED(options)) && (c->mode == CM_P2P || c->mode == CM_TOP))
4675 {
4676 int error_flags = 0;
4677 c->c2.did_open_tun = do_open_tun(c, &error_flags);
4678 }
4679
4680 /* print MTU info */
4681 do_print_data_channel_mtu_parms(c);
4682
4683 /* get local and remote options compatibility strings */
4684 if (c->mode == CM_P2P || child)
4685 {
4686 do_compute_occ_strings(c);
4687 }
4688
4689 /* initialize output speed limiter */
4690 if (c->mode == CM_P2P)
4691 {
4692 do_init_traffic_shaper(c);
4693 }
4694
4695 /* do one-time inits, and possibly become a daemon here */
4696 do_init_first_time(c);
4697
4698#ifdef ENABLE_PLUGIN
4699 /* initialize plugins */
4700 if (c->mode == CM_P2P || c->mode == CM_TOP)
4701 {
4702 open_plugins(c, false, OPENVPN_PLUGIN_INIT_POST_DAEMON);
4703 }
4704#endif
4705
4706 /* initialise connect timeout timer */
4707 do_init_server_poll_timeout(c);
4708
4709 /* finalize the TCP/UDP socket */
4710 if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
4711 {
4712 do_init_socket_phase2(c);
4713
4714
4715 /* Update dynamic frame calculation as exact transport socket information
4716 * (IP vs IPv6) may be only available after socket phase2 has finished.
4717 * This is only needed for --static or no crypto, NCP will recalculate this
4718 * in tls_session_update_crypto_params (P2MP) */
4719 for (int i = 0; i < c->c1.link_sockets_num; i++)
4720 {
4721 frame_calculate_dynamic(&c->c2.frame, &c->c1.ks.key_type, &c->options,
4722 &c->c2.link_sockets[i]->info);
4723 }
4724 }
4725
4726 /*
4727 * Actually do UID/GID downgrade, and chroot, if requested.
4728 * May be delayed by --client, --pull, or --up-delay.
4729 */
4730 do_uid_gid_chroot(c, c->c2.did_open_tun);
4731
4732 /* initialize timers */
4733 if (c->mode == CM_P2P || child)
4734 {
4735 do_init_timers(c, false);
4736 }
4737
4738#ifdef ENABLE_PLUGIN
4739 /* initialize plugins */
4740 if (c->mode == CM_P2P || c->mode == CM_TOP)
4741 {
4742 open_plugins(c, false, OPENVPN_PLUGIN_INIT_POST_UID_CHANGE);
4743 }
4744#endif
4745
4746#if PORT_SHARE
4747 /* share OpenVPN port with foreign (such as HTTPS) server */
4748 if (c->first_time && (c->mode == CM_P2P || c->mode == CM_TOP))
4749 {
4750 init_port_share(c);
4751 }
4752#endif
4753
4754 /* Check for signals */
4755 if (IS_SIG(c))
4756 {
4757 goto sig;
4758 }
4759
4760 return;
4761
4762sig:
4763 if (!c->sig->signal_text)
4764 {
4765 c->sig->signal_text = "init_instance";
4766 }
4767 close_context(c, -1, flags);
4768 return;
4769}
4770
4771/*
4772 * Close a tunnel instance.
4773 */
4774void
4775close_instance(struct context *c)
4776{
4777 /* close event objects */
4778 do_close_event_set(c);
4779
4780 if (c->mode == CM_P2P || c->mode == CM_CHILD_TCP || c->mode == CM_CHILD_UDP
4781 || c->mode == CM_TOP)
4782 {
4783#ifdef USE_COMP
4784 if (c->c2.comp_context)
4785 {
4786 comp_uninit(c->c2.comp_context);
4787 c->c2.comp_context = NULL;
4788 }
4789#endif
4790
4791 /* free buffers */
4792 do_close_free_buf(c);
4793
4794 /* close peer for DCO if enabled, needs peer-id so must be done before
4795 * closing TLS contexts */
4796 dco_remove_peer(c);
4797
4798 /* close TLS */
4799 do_close_tls(c);
4800
4801 /* free key schedules */
4802 do_close_free_key_schedule(c, (c->mode == CM_P2P || c->mode == CM_TOP));
4803
4804 /* close TCP/UDP connection */
4805 do_close_link_socket(c);
4806
4807 /* close TUN/TAP device */
4808 do_close_tun(c, false);
4809
4810#ifdef ENABLE_MANAGEMENT
4811 if (management)
4812 {
4813 management_notify_client_close(management, &c->c2.mda_context, NULL);
4814 }
4815#endif
4816
4817#ifdef ENABLE_PLUGIN
4818 /* call plugin close functions and unload */
4819 do_close_plugins(c);
4820#endif
4821
4822 /* close packet-id persistence file */
4823 do_close_packet_id(c);
4824
4825 /* close --status file */
4826 do_close_status_output(c);
4827
4828#ifdef ENABLE_FRAGMENT
4829 /* close fragmentation handler */
4830 do_close_fragment(c);
4831#endif
4832
4833 /* close --ifconfig-pool-persist obj */
4834 do_close_ifconfig_pool_persist(c);
4835
4836 /* free up environmental variable store */
4837 do_env_set_destroy(c);
4838
4839 /* close HTTP or SOCKS proxy */
4840 uninit_proxy(c);
4841
4842 /* garbage collect */
4843 gc_free(&c->c2.gc);
4844 }
4845}
4846
4847void
4848inherit_context_child(struct context *dest, const struct context *src, struct link_socket *sock)
4849{
4850 CLEAR(*dest);
4851
4852 /* proto_is_dgram will ASSERT(0) if proto is invalid */
4853 dest->mode = proto_is_dgram(sock->info.proto) ? CM_CHILD_UDP : CM_CHILD_TCP;
4854
4855 dest->gc = gc_new();
4856
4857 ALLOC_OBJ_CLEAR_GC(dest->sig, struct signal_info, &dest->gc);
4858
4859 /* c1 init */
4860 packet_id_persist_init(&dest->c1.pid_persist);
4861 dest->c1.link_sockets_num = 1;
4862 do_link_socket_addr_new(dest);
4863
4864 dest->c1.ks.key_type = src->c1.ks.key_type;
4865 /* inherit SSL context */
4866 dest->c1.ks.ssl_ctx = src->c1.ks.ssl_ctx;
4867 dest->c1.ks.tls_wrap_key = src->c1.ks.tls_wrap_key;
4868 dest->c1.ks.tls_auth_key_type = src->c1.ks.tls_auth_key_type;
4869 dest->c1.ks.tls_crypt_v2_server_key = src->c1.ks.tls_crypt_v2_server_key;
4870 /* inherit pre-NCP ciphers */
4871 dest->options.ciphername = src->options.ciphername;
4872 dest->options.authname = src->options.authname;
4873
4874 /* inherit auth-token */
4875 dest->c1.ks.auth_token_key = src->c1.ks.auth_token_key;
4876
4877 /* options */
4878 dest->options = src->options;
4879 dest->options.ce.proto = sock->info.proto;
4880 options_detach(&dest->options);
4881
4882 dest->c2.event_set = src->c2.event_set;
4883
4884 if (dest->mode == CM_CHILD_TCP)
4885 {
4886 /*
4887 * The CM_TOP context does the socket listen(),
4888 * and the CM_CHILD_TCP context does the accept().
4889 */
4890 dest->c2.accept_from = sock;
4891 }
4892
4893#ifdef ENABLE_PLUGIN
4894 /* inherit plugins */
4895 do_inherit_plugins(dest, src);
4896#endif
4897
4898 /* context init */
4899
4900 /* inherit tun/tap interface object now as it may be required
4901 * to initialize the DCO context in init_instance()
4902 */
4903 dest->c1.tuntap = src->c1.tuntap;
4904
4905 /* UDP inherits some extra things which TCP does not */
4906 if (dest->mode == CM_CHILD_UDP)
4907 {
4908 ASSERT(!dest->c2.link_sockets);
4909 ASSERT(dest->options.ce.local_list);
4910
4911 /* inherit buffers */
4912 dest->c2.buffers = src->c2.buffers;
4913
4914 ALLOC_ARRAY_GC(dest->c2.link_sockets, struct link_socket *, 1, &dest->gc);
4915
4916 /* inherit parent link_socket and tuntap */
4917 dest->c2.link_sockets[0] = sock;
4918
4919 ALLOC_ARRAY_GC(dest->c2.link_socket_infos, struct link_socket_info *, 1, &dest->gc);
4920 ALLOC_OBJ_GC(dest->c2.link_socket_infos[0], struct link_socket_info, &dest->gc);
4921 *dest->c2.link_socket_infos[0] = sock->info;
4922
4923 /* locally override some link_socket_info fields */
4924 dest->c2.link_socket_infos[0]->lsa = &dest->c1.link_socket_addrs[0];
4925 dest->c2.link_socket_infos[0]->connection_established = false;
4926 }
4927
4928 init_instance(dest, src->c2.es, CC_NO_CLOSE | CC_USR1_TO_HUP);
4929 if (IS_SIG(dest))
4930 {
4931 return;
4932 }
4933}
4934
4935void
4936inherit_context_top(struct context *dest, const struct context *src)
4937{
4938 /* copy parent */
4939 *dest = *src;
4940
4941 /*
4942 * CM_TOP_CLONE will prevent close_instance from freeing or closing
4943 * resources owned by the parent.
4944 *
4945 * Also note that CM_TOP_CLONE context objects are
4946 * closed by multi_top_free in multi.c.
4947 */
4948 dest->mode = CM_TOP_CLONE;
4949
4950 dest->first_time = false;
4951 dest->c0 = NULL;
4952
4953 options_detach(&dest->options);
4954 gc_detach(&dest->gc);
4955 gc_detach(&dest->c2.gc);
4956
4957 /* detach plugins */
4958 dest->plugins_owned = false;
4959
4960 dest->c2.tls_multi = NULL;
4961
4962 /* detach c1 ownership */
4963 dest->c1.tuntap_owned = false;
4964 dest->c1.status_output_owned = false;
4965 dest->c1.ifconfig_pool_persist_owned = false;
4966
4967 /* detach c2 ownership */
4968 dest->c2.event_set_owned = false;
4969 dest->c2.link_socket_owned = false;
4970 dest->c2.buffers_owned = false;
4971 dest->c2.es_owned = false;
4972
4973 dest->c2.event_set = NULL;
4974 do_event_set_init(dest, false);
4975
4976#ifdef USE_COMP
4977 dest->c2.comp_context = NULL;
4978#endif
4979}
4980
4981void
4982close_context(struct context *c, int sig, unsigned int flags)
4983{
4984 ASSERT(c);
4985 ASSERT(c->sig);
4986
4987 if (sig >= 0)
4988 {
4989 register_signal(c->sig, sig, "close_context");
4990 }
4991
4992 if (c->sig->signal_received == SIGUSR1)
4993 {
4994 if ((flags & CC_USR1_TO_HUP)
4995 || (c->sig->source == SIG_SOURCE_HARD && (flags & CC_HARD_USR1_TO_HUP)))
4996 {
4997 register_signal(c->sig, SIGHUP, "close_context usr1 to hup");
4998 }
4999 }
5000
5001 if (!(flags & CC_NO_CLOSE))
5002 {
5003 close_instance(c);
5004 }
5005
5006 if (flags & CC_GC_FREE)
5007 {
5008 context_gc_free(c);
5009 }
5010}
5011
5012/* Write our PID to a file */
5013void
5014write_pid_file(const char *filename, const char *chroot_dir)
5015{
5016 if (filename)
5017 {
5018 unsigned int pid = 0;
5019 FILE *fp = platform_fopen(filename, "w");
5020 if (!fp)
5021 {
5022 msg(M_ERR, "Open error on pid file %s", filename);
5023 return;
5024 }
5025
5026 pid = platform_getpid();
5027 fprintf(fp, "%u\n", pid);
5028 if (fclose(fp))
5029 {
5030 msg(M_ERR, "Close error on pid file %s", filename);
5031 }
5032
5033 /* remember file name so it can be deleted "out of context" later */
5034 /* (the chroot case is more complex and not handled today) */
5035 if (!chroot_dir)
5036 {
5037 saved_pid_file_name = strdup(filename);
5038 if (!saved_pid_file_name)
5039 {
5040 msg(M_FATAL, "Failed allocate memory saved_pid_file_name");
5041 }
5042 }
5043 }
5044}
5045
5046/* remove PID file on exit, called from openvpn_exit() */
5047void
5048remove_pid_file(void)
5049{
5050 if (saved_pid_file_name)
5051 {
5052 platform_unlink(saved_pid_file_name);
5053 }
5054}
5055
5056
5057/*
5058 * Do a loopback test
5059 * on the crypto subsystem.
5060 */
5061static void *
5062test_crypto_thread(void *arg)
5063{
5064 struct context *c = (struct context *)arg;
5065 const struct options *options = &c->options;
5066
5067 ASSERT(options->test_crypto);
5068 init_verb_mute(c, IVM_LEVEL_1);
5069 context_init_1(c);
5070 next_connection_entry(c);
5071 do_init_crypto_static(c, 0);
5072
5073 frame_finalize_options(c, options);
5074
5075 test_crypto(&c->c2.crypto_options, &c->c2.frame);
5076
5077 key_schedule_free(&c->c1.ks, true);
5078 packet_id_free(&c->c2.crypto_options.packet_id);
5079
5080 context_gc_free(c);
5081 return NULL;
5082}
5083
5084bool
5085do_test_crypto(const struct options *o)
5086{
5087 if (o->test_crypto)
5088 {
5089 struct context c;
5090
5091 /* print version number */
5092 msg(M_INFO, "%s", title_string);
5093
5094 context_clear(&c);
5095 c.options = *o;
5096 options_detach(&c.options);
5097 c.first_time = true;
5098 test_crypto_thread((void *)&c);
5099 return true;
5100 }
5101 return false;
5102}
argv_msg
void argv_msg(const msglvl_t msglevel, const struct argv *a)
Write the arguments stored in a struct argv via the msg() command.
Definition argv.c:242
argv_parse_cmd
void argv_parse_cmd(struct argv *argres, const char *cmdstr)
Parses a command string, tokenizes it and puts each element into a separate struct argv argument slot...
Definition argv.c:481
argv_free
void argv_free(struct argv *a)
Frees all memory allocations allocated by the struct argv related functions.
Definition argv.c:101
argv_printf
bool argv_printf(struct argv *argres, const char *format,...)
printf() variant which populates a struct argv.
Definition argv.c:438
argv_printf_cat
bool argv_printf_cat(struct argv *argres, const char *format,...)
printf() inspired argv concatenation.
Definition argv.c:462
argv_new
struct argv argv_new(void)
Allocates a new struct argv and ensures it is initialised.
Definition argv.c:87
auth_token_write_server_key_file
void auth_token_write_server_key_file(const char *filename)
Generate a auth-token server secret key, and write to file.
Definition auth_token.c:118
auth_token_init_secret
void auth_token_init_secret(struct key_ctx *key_ctx, const char *key_file, bool key_inline)
Loads an HMAC secret from a file or if no file is present generates a epheremal secret for the run ti...
Definition auth_token.c:124
auth_token.h
free_buf
void free_buf(struct buffer *buf)
Definition buffer.c:184
buf_clear
void buf_clear(struct buffer *buf)
Definition buffer.c:163
buf_printf
bool buf_printf(struct buffer *buf, const char *format,...)
Definition buffer.c:241
string_clear
void string_clear(char *str)
Definition buffer.c:691
alloc_buf_gc
struct buffer alloc_buf_gc(size_t size, struct gc_arena *gc)
Definition buffer.c:89
alloc_buf
struct buffer alloc_buf(size_t size)
Definition buffer.c:63
string_alloc
char * string_alloc(const char *str, struct gc_arena *gc)
Definition buffer.c:649
gc_detach
static void gc_detach(struct gc_arena *a)
Definition buffer.h:1001
BSTR
#define BSTR(buf)
Definition buffer.h:128
ALLOC_ARRAY_GC
#define ALLOC_ARRAY_GC(dptr, type, n, gc)
Definition buffer.h:1053
ALLOC_ARRAY_CLEAR_GC
#define ALLOC_ARRAY_CLEAR_GC(dptr, type, n, gc)
Definition buffer.h:1064
gc_init
static void gc_init(struct gc_arena *a)
Definition buffer.h:994
buf_set_write
static void buf_set_write(struct buffer *buf, uint8_t *data, int size)
Definition buffer.h:331
buf_len
static int buf_len(const struct buffer *buf)
Definition buffer.h:253
ALLOC_OBJ_CLEAR_GC
#define ALLOC_OBJ_CLEAR_GC(dptr, type, gc)
Definition buffer.h:1079
ALLOC_OBJ_GC
#define ALLOC_OBJ_GC(dptr, type, gc)
Definition buffer.h:1074
strncpynt
static void strncpynt(char *dest, const char *src, size_t maxlen)
Definition buffer.h:361
check_malloc_return
static void check_malloc_return(void *p)
Definition buffer.h:1085
gc_free
static void gc_free(struct gc_arena *a)
Definition buffer.h:1015
ALLOC_OBJ_CLEAR
#define ALLOC_OBJ_CLEAR(dptr, type)
Definition buffer.h:1042
gc_new
static struct gc_arena gc_new(void)
Definition buffer.h:1007
PUSH_BUNDLE_SIZE
#define PUSH_BUNDLE_SIZE
Definition common.h:87
check_compression_settings_valid
bool check_compression_settings_valid(struct compress_options *info, msglvl_t msglevel)
Checks if the compression settings are valid.
Definition comp.c:162
basename
char * basename(char *filename)
Definition compat-basename.c:36
daemon
int daemon(int nochdir, int noclose)
Definition compat-daemon.c:50
PACKAGE_NAME
#define PACKAGE_NAME
Definition config.h:492
free_key_ctx_bi
void free_key_ctx_bi(struct key_ctx_bi *ctx)
Definition crypto.c:1099
get_random
long int get_random(void)
Definition crypto.c:1725
init_key_type
void init_key_type(struct key_type *kt, const char *ciphername, const char *authname, bool tls_mode, bool warn)
Initialize a key_type structure with.
Definition crypto.c:874
write_key_file
int write_key_file(const int nkeys, const char *filename)
Write nkeys 1024-bits keys to file.
Definition crypto.c:1545
crypto_max_overhead
unsigned int crypto_max_overhead(void)
Return the worst-case OpenVPN crypto overhead (in bytes)
Definition crypto.c:849
test_crypto
void test_crypto(struct crypto_options *co, struct frame *frame)
Definition crypto.c:1198
crypto_read_openvpn_key
void crypto_read_openvpn_key(const struct key_type *key_type, struct key_ctx_bi *ctx, const char *key_file, bool key_inline, const int key_direction, const char *key_name, const char *opt_name, struct key2 *keydata)
Definition crypto.c:1289
free_key_ctx
void free_key_ctx(struct key_ctx *ctx)
Definition crypto.c:1080
CO_PACKET_ID_LONG_FORM
#define CO_PACKET_ID_LONG_FORM
Bit-flag indicating whether to use OpenVPN's long packet ID format.
Definition crypto.h:345
CO_USE_TLS_KEY_MATERIAL_EXPORT
#define CO_USE_TLS_KEY_MATERIAL_EXPORT
Bit-flag indicating that data channel key derivation is done using TLS keying material export [RFC570...
Definition crypto.h:357
CO_USE_DYNAMIC_TLS_CRYPT
#define CO_USE_DYNAMIC_TLS_CRYPT
Bit-flag indicating that renegotiations are using tls-crypt with a TLS-EKM derived key.
Definition crypto.h:373
CO_EPOCH_DATA_KEY_FORMAT
#define CO_EPOCH_DATA_KEY_FORMAT
Bit-flag indicating the epoch the data format.
Definition crypto.h:377
CO_MUTE_REPLAY_WARNINGS
#define CO_MUTE_REPLAY_WARNINGS
Bit-flag indicating not to display replay warnings.
Definition crypto.h:354
CO_FORCE_TLSCRYPTV2_COOKIE
#define CO_FORCE_TLSCRYPTV2_COOKIE
Bit-flag indicating that we do not allow clients that do not support resending the wrapped client key...
Definition crypto.h:365
CO_USE_CC_EXIT_NOTIFY
#define CO_USE_CC_EXIT_NOTIFY
Bit-flag indicating that explicit exit notifies should be sent via the control channel instead of usi...
Definition crypto.h:369
key_ctx_bi_defined
static bool key_ctx_bi_defined(const struct key_ctx_bi *key)
Definition crypto.h:644
show_available_engines
void show_available_engines(void)
Definition crypto_openssl.c:473
cipher_kt_mode_aead
bool cipher_kt_mode_aead(const char *ciphername)
Check if the supplied cipher is a supported AEAD mode cipher.
Definition crypto_openssl.c:811
show_available_ciphers
void show_available_ciphers(void)
Definition crypto_openssl.c:364
md_valid
bool md_valid(const char *digest)
Return if a message digest parameters is valid given the name of the digest.
Definition crypto_openssl.c:1040
cipher_kt_mode_ofb_cfb
bool cipher_kt_mode_ofb_cfb(const char *ciphername)
Check if the supplied cipher is a supported OFB or CFB mode cipher.
Definition crypto_openssl.c:798
md_kt_name
const char * md_kt_name(const char *mdname)
Retrieve a string describing the digest digest (e.g.
Definition crypto_openssl.c:1072
cipher_kt_name
const char * cipher_kt_name(const char *ciphername)
Retrieve a normalised string describing the cipher (e.g.
Definition crypto_openssl.c:653
crypto_init_lib_engine
void crypto_init_lib_engine(const char *engine_name)
Definition crypto_openssl.c:139
md_ctx_cleanup
void md_ctx_cleanup(md_ctx_t *ctx)
show_available_digests
void show_available_digests(void)
Definition crypto_openssl.c:432
md_ctx_free
void md_ctx_free(md_ctx_t *ctx)
DCO_DEFAULT_METRIC
#define DCO_DEFAULT_METRIC
Definition dco.h:47
dco_supports_epoch_data
static bool dco_supports_epoch_data(struct context *c)
Definition dco.h:389
dco_remove_peer
static void dco_remove_peer(struct context *c)
Definition dco.h:350
dco_check_pull_options
static bool dco_check_pull_options(msglvl_t msglevel, const struct options *o)
Definition dco.h:288
ovpn_dco_init
static bool ovpn_dco_init(struct context *c)
Definition dco.h:294
dco_p2p_add_new_peer
static int dco_p2p_add_new_peer(struct context *c)
Definition dco.h:337
run_dns_up_down
void run_dns_up_down(bool up, struct options *o, const struct tuntap *tt, struct dns_updown_runner_info *duri)
Invokes the action associated with bringing DNS up or down.
Definition dns.c:857
env_set_destroy
void env_set_destroy(struct env_set *es)
Definition env_set.c:166
setenv_int
void setenv_int(struct env_set *es, const char *name, int value)
Definition env_set.c:291
setenv_str
void setenv_str(struct env_set *es, const char *name, const char *value)
Definition env_set.c:307
env_set_inherit
void env_set_inherit(struct env_set *es, const struct env_set *src)
Definition env_set.c:262
env_set_create
struct env_set * env_set_create(struct gc_arena *gc)
Definition env_set.c:156
D_MTU_DEBUG
#define D_MTU_DEBUG
Definition errlevel.h:125
D_SHOW_OCC
#define D_SHOW_OCC
Definition errlevel.h:150
D_PUSH
#define D_PUSH
Definition errlevel.h:82
D_SHOW_NET
#define D_SHOW_NET
Definition errlevel.h:131
P2P_ERROR_DELAY_MS
#define P2P_ERROR_DELAY_MS
Definition errlevel.h:40
D_RESTART
#define D_RESTART
Definition errlevel.h:81
D_IMPORT_ERRORS
#define D_IMPORT_ERRORS
Definition errlevel.h:63
D_CLOSE
#define D_CLOSE
Definition errlevel.h:72
D_PUSH_DEBUG
#define D_PUSH_DEBUG
Definition errlevel.h:149
D_DCO
#define D_DCO
Definition errlevel.h:93
D_HANDSHAKE
#define D_HANDSHAKE
Definition errlevel.h:71
D_GENKEY
#define D_GENKEY
Definition errlevel.h:78
D_MTU_INFO
#define D_MTU_INFO
Definition errlevel.h:104
D_PUSH_ERRORS
#define D_PUSH_ERRORS
Definition errlevel.h:66
D_INIT_MEDIUM
#define D_INIT_MEDIUM
Definition errlevel.h:103
D_TLS_ERRORS
#define D_TLS_ERRORS
Definition errlevel.h:58
D_READ_WRITE
#define D_READ_WRITE
Definition errlevel.h:166
M_INFO
#define M_INFO
Definition errlevel.h:54
D_LOG_RW
#define D_LOG_RW
Definition errlevel.h:109
D_ROUTE
#define D_ROUTE
Definition errlevel.h:79
D_LINK_ERRORS
#define D_LINK_ERRORS
Definition errlevel.h:56
event_set_init
struct event_set * event_set_init(int *maxevents, unsigned int flags)
Definition event.c:1177
EVENT_METHOD_FAST
#define EVENT_METHOD_FAST
Definition event.h:82
EVENT_METHOD_US_TIMEOUT
#define EVENT_METHOD_US_TIMEOUT
Definition event.h:81
event_free
static void event_free(struct event_set *es)
Definition event.h:162
send_control_channel_string
bool send_control_channel_string(struct context *c, const char *str, msglvl_t msglevel)
Definition forward.c:404
forward.h
Interface functions to the internal and external multiplexers.
get_link_socket_info
static struct link_socket_info * get_link_socket_info(struct context *c)
Definition forward.h:333
tls_auth_standalone_init
struct tls_auth_standalone * tls_auth_standalone_init(struct tls_options *tls_options, struct gc_arena *gc)
Definition ssl.c:1198
tls_init_control_channel_frame_parameters
void tls_init_control_channel_frame_parameters(struct frame *frame, int tls_mtu)
Definition ssl.c:142
tls_multi_free
void tls_multi_free(struct tls_multi *multi, bool clear)
Cleanup a tls_multi structure and free associated memory allocations.
Definition ssl.c:1250
tls_multi_init
struct tls_multi * tls_multi_init(struct tls_options *tls_options)
Allocate and initialize a tls_multi structure.
Definition ssl.c:1169
tls_multi_init_finalize
void tls_multi_init_finalize(struct tls_multi *multi, int tls_mtu)
Finalize initialization of a tls_multi structure.
Definition ssl.c:1184
tls_auth_standalone_free
void tls_auth_standalone_free(struct tls_auth_standalone *tas)
Frees a standalone tls-auth verification object.
Definition ssl.c:1223
TM_ACTIVE
#define TM_ACTIVE
Active tls_session.
Definition ssl_common.h:545
tls_multi_init_set_options
void tls_multi_init_set_options(struct tls_multi *multi, const char *local, const char *remote)
Definition ssl.c:1239
fragment_frame_init
void fragment_frame_init(struct fragment_master *f, const struct frame *frame)
Allocate internal packet buffers for a fragment_master structure.
Definition fragment.c:125
fragment_init
struct fragment_master * fragment_init(struct frame *frame)
Allocate and initialize a fragment_master structure.
Definition fragment.c:92
fragment_free
void fragment_free(struct fragment_master *f)
Free a fragment_master structure and its internal packet buffers.
Definition fragment.c:116
tls_crypt_init_key
void tls_crypt_init_key(struct key_ctx_bi *key, struct key2 *keydata, const char *key_file, bool key_inline, bool tls_server)
Initialize a key_ctx_bi structure for use with --tls-crypt.
Definition tls_crypt.c:60
tls_crypt_v2_init_server_key
void tls_crypt_v2_init_server_key(struct key_ctx *key_ctx, bool encrypt, const char *key_file, bool key_inline)
Initialize a tls-crypt-v2 server key (used to encrypt/decrypt client keys).
Definition tls_crypt.c:343
tls_crypt_v2_write_client_key_file
void tls_crypt_v2_write_client_key_file(const char *filename, const char *b64_metadata, const char *server_key_file, bool server_key_inline)
Generate a tls-crypt-v2 client key, and write to file.
Definition tls_crypt.c:670
tls_crypt_v2_write_server_key_file
void tls_crypt_v2_write_server_key_file(const char *filename)
Generate a tls-crypt-v2 server key, and write to file.
Definition tls_crypt.c:664
tls_crypt_buf_overhead
int tls_crypt_buf_overhead(void)
Returns the maximum overhead (in bytes) added to the destination buffer by tls_crypt_wrap().
Definition tls_crypt.c:54
tls_crypt_v2_init_client_key
void tls_crypt_v2_init_client_key(struct key_ctx_bi *key, struct key2 *original_key, struct buffer *wkc_buf, const char *key_file, bool key_inline)
Initialize a tls-crypt-v2 client key.
Definition tls_crypt.c:320
uninit_management_callback
void uninit_management_callback(void)
Definition init.c:4435
uninit_proxy
static void uninit_proxy(struct context *c)
Definition init.c:727
open_management
bool open_management(struct context *c)
Definition init.c:4382
do_init_first_time
static void do_init_first_time(struct context *c)
Definition init.c:3868
do_init_route_list
static void do_init_route_list(const struct options *options, struct route_list *route_list, const struct link_socket_info *link_socket_info, struct env_set *es, openvpn_net_ctx_t *ctx)
Definition init.c:1461
do_init_tls_wrap_key
static void do_init_tls_wrap_key(struct context *c)
Definition init.c:3072
management_callback_remote_cmd
static bool management_callback_remote_cmd(void *arg, const char **p)
Definition init.c:364
do_genkey
bool do_genkey(const struct options *options)
Definition init.c:1021
next_connection_entry
static void next_connection_entry(struct context *c)
Definition init.c:515
can_preserve_tun
static bool can_preserve_tun(struct tuntap *tt)
Definition init.c:1772
initialization_sequence_completed
void initialization_sequence_completed(struct context *c, const unsigned int flags)
Definition init.c:1552
open_plugins
void open_plugins(struct context *c, const bool import_options, int init_point)
Definition init.c:4219
do_setup_fast_io
static void do_setup_fast_io(struct context *c)
Definition init.c:4174
tls_print_deferred_options_results
static void tls_print_deferred_options_results(struct context *c)
Prints the results of options imported for the data channel.
Definition init.c:2205
saved_pid_file_name
static const char * saved_pid_file_name
Definition init.c:62
init_verb_mute
void init_verb_mute(struct context *c, unsigned int flags)
Definition init.c:949
do_uid_gid_chroot
static void do_uid_gid_chroot(struct context *c, bool no_delay)
Definition init.c:1203
format_common_name
const char * format_common_name(struct context *c, struct gc_arena *gc)
Definition init.c:1286
do_close_link_socket
static void do_close_link_socket(struct context *c)
Definition init.c:3965
management_callback_remote_entry_count
static unsigned int management_callback_remote_entry_count(void *arg)
Definition init.c:320
do_signal_on_tls_errors
static void do_signal_on_tls_errors(struct context *c)
Definition init.c:4194
do_init_crypto_static
static void do_init_crypto_static(struct context *c, const unsigned int flags)
Definition init.c:3028
key_schedule_free
static void key_schedule_free(struct key_schedule *ks, bool free_ssl_ctx)
Definition init.c:2988
do_init_tun
static void do_init_tun(struct context *c)
Definition init.c:1727
do_option_warnings
static void do_option_warnings(struct context *c)
Definition init.c:3584
init_instance
void init_instance(struct context *c, const struct env_set *env, const unsigned int flags)
Definition init.c:4483
do_link_socket_addr_new
static void do_link_socket_addr_new(struct context *c)
Definition init.c:733
close_instance
void close_instance(struct context *c)
Definition init.c:4775
do_init_route_ipv6_list
static void do_init_route_ipv6_list(const struct options *options, struct route_ipv6_list *route_ipv6_list, const struct link_socket_info *link_socket_info, struct env_set *es, openvpn_net_ctx_t *ctx)
Definition init.c:1500
do_init_frame
static void do_init_frame(struct context *c)
Definition init.c:3538
persist_client_stats
void persist_client_stats(struct context *c)
Definition init.c:4446
inherit_context_top
void inherit_context_top(struct context *dest, const struct context *src)
Definition init.c:4936
context_clear_1
void context_clear_1(struct context *c)
Definition init.c:82
ce_management_query_proxy
static bool ce_management_query_proxy(struct context *c)
Definition init.c:247
do_init_crypto
static void do_init_crypto(struct context *c, const unsigned int flags)
Definition init.c:3521
do_init_frame_tls
static void do_init_frame_tls(struct context *c)
Definition init.c:3476
do_init_traffic_shaper
static void do_init_traffic_shaper(struct context *c)
Definition init.c:1427
route_noexec_enabled
static bool route_noexec_enabled(const struct options *o, const struct tuntap *tt)
Determine if external route commands should be executed based on configured options and backend drive...
Definition init.c:1662
ifconfig_noexec_enabled
static bool ifconfig_noexec_enabled(const struct context *c)
Determines if ifconfig execution should be disabled because of a.
Definition init.c:1839
clear_remote_addrlist
static void clear_remote_addrlist(struct link_socket_addr *lsa, bool free)
Definition init.c:501
do_test_crypto
bool do_test_crypto(const struct options *o)
Definition init.c:5085
do_print_data_channel_mtu_parms
static void do_print_data_channel_mtu_parms(struct context *c)
Definition init.c:3824
init_plugins
void init_plugins(struct context *c)
Definition init.c:4209
free_context_buffers
void free_context_buffers(struct context_buffers *b)
Definition init.c:3705
init_crypto_pre
static void init_crypto_pre(struct context *c, const unsigned int flags)
Definition init.c:3000
do_init_timers
static void do_init_timers(struct context *c, bool deferred)
Definition init.c:1344
CF_LOAD_PERSISTED_PACKET_ID
#define CF_LOAD_PERSISTED_PACKET_ID
Definition init.c:67
do_alloc_route_list
static void do_alloc_route_list(struct context *c)
Definition init.c:1443
do_close_status_output
static void do_close_status_output(struct context *c)
Definition init.c:4100
do_event_set_init
static void do_event_set_init(struct context *c, bool need_us_timeout)
Definition init.c:4055
static_context
static struct context * static_context
Definition init.c:61
do_init_fragment
static void do_init_fragment(struct context *c)
Definition init.c:3742
CF_INIT_TLS_MULTI
#define CF_INIT_TLS_MULTI
Definition init.c:68
context_init_1
void context_init_1(struct context *c)
Definition init.c:740
test_crypto_thread
static void * test_crypto_thread(void *arg)
Definition init.c:5062
pre_setup
void pre_setup(const struct options *options)
Definition init.c:1297
do_link_socket_new
static void do_link_socket_new(struct context *c)
Definition init.c:3763
do_close_free_key_schedule
static void do_close_free_key_schedule(struct context *c, bool free_ssl_ctx)
Definition init.c:3943
management_callback_proxy_cmd
static bool management_callback_proxy_cmd(void *arg, const char **p)
Definition init.c:201
del_wfp_block
static void del_wfp_block(struct context *c, unsigned long adapter_index)
Remove any WFP block filters previously added.
Definition init.c:1820
reset_coarse_timers
void reset_coarse_timers(struct context *c)
Definition init.c:1320
do_open_ifconfig_pool_persist
static void do_open_ifconfig_pool_persist(struct context *c)
Definition init.c:4117
do_close_ifconfig_pool_persist
static void do_close_ifconfig_pool_persist(struct context *c)
Definition init.c:4129
do_close_tun
static void do_close_tun(struct context *c, bool force)
Definition init.c:2055
init_management
void init_management(void)
Definition init.c:4373
uninit_static
void uninit_static(void)
Definition init.c:931
init_instance_handle_signals
void init_instance_handle_signals(struct context *c, const struct env_set *env, const unsigned int flags)
Definition init.c:4461
do_update
bool do_update(struct context *c, unsigned int option_types_found)
A simplified version of the do_up() function.
Definition init.c:2491
do_init_crypto_tls
static void do_init_crypto_tls(struct context *c, const unsigned int flags)
Definition init.c:3239
write_pid_file
void write_pid_file(const char *filename, const char *chroot_dir)
Definition init.c:5014
context_gc_free
void context_gc_free(struct context *c)
Definition init.c:791
socket_restart_pause
static void socket_restart_pause(struct context *c)
Definition init.c:2787
do_open_status_output
static void do_open_status_output(struct context *c)
Definition init.c:4088
init_options_dev
void init_options_dev(struct options *options)
Definition init.c:972
do_close_free_buf
static void do_close_free_buf(struct context *c)
Definition init.c:3902
init_query_passwords
void init_query_passwords(const struct context *c)
Query for private key and auth-user-pass username/passwords.
Definition init.c:645
do_deferred_options
bool do_deferred_options(struct context *c, const unsigned int found, const bool is_update)
Definition init.c:2605
inherit_context_child
void inherit_context_child(struct context *dest, const struct context *src, struct link_socket *sock)
Definition init.c:4848
do_compute_occ_strings
static void do_compute_occ_strings(struct context *c)
Definition init.c:3839
context_clear_2
void context_clear_2(struct context *c)
Definition init.c:88
do_close_fragment
static void do_close_fragment(struct context *c)
Definition init.c:4040
context_clear
void context_clear(struct context *c)
Definition init.c:76
update_options_ce_post
static void update_options_ce_post(struct options *options)
Definition init.c:183
do_init_crypto_none
static void do_init_crypto_none(struct context *c)
Definition init.c:3506
management_callback_status_p2p
static void management_callback_status_p2p(void *arg, const int version, struct status_output *so)
Definition init.c:4278
remove_pid_file
void remove_pid_file(void)
Definition init.c:5048
add_delim_if_non_empty
static void add_delim_if_non_empty(struct buffer *buf, const char *header)
Helper function for tls_print_deferred_options_results Adds the ", " delimitor if there already some ...
Definition init.c:2191
print_openssl_info
bool print_openssl_info(const struct options *options)
Definition init.c:983
close_context
void close_context(struct context *c, int sig, unsigned int flags)
Definition init.c:4982
ce_management_query_remote
static bool ce_management_query_remote(struct context *c)
Definition init.c:414
open_tun_backend
static void open_tun_backend(struct context *c)
Definition init.c:1847
do_close_event_set
static void do_close_event_set(struct context *c)
Definition init.c:4073
do_persist_tuntap
bool do_persist_tuntap(struct options *options, openvpn_net_ctx_t *ctx)
Definition init.c:1102
do_hold
static bool do_hold(int holdtime)
Definition init.c:2768
do_up
bool do_up(struct context *c, bool pulled_options, unsigned int option_types_found)
Definition init.c:2356
tun_abort
void tun_abort(void)
Definition init.c:2159
do_init_server_poll_timeout
static void do_init_server_poll_timeout(struct context *c)
Definition init.c:1331
do_close_plugins
static void do_close_plugins(struct context *c)
Definition init.c:4253
do_init_socket_phase1
static void do_init_socket_phase1(struct context *c)
Definition init.c:3780
init_static
bool init_static(void)
Definition init.c:829
do_init_crypto_tls_c1
static void do_init_crypto_tls_c1(struct context *c)
Definition init.c:3144
frame_finalize_options
static void frame_finalize_options(struct context *c, const struct options *o)
Definition init.c:2907
uninit_proxy_dowork
static void uninit_proxy_dowork(struct context *c)
Definition init.c:672
options_hash_changed_or_zero
static bool options_hash_changed_or_zero(const struct sha256_digest *a, const struct sha256_digest *b)
Helper for do_up().
Definition init.c:2178
add_wfp_block
static void add_wfp_block(struct context *c)
Add WFP filters to block traffic to local networks.
Definition init.c:1794
do_close_tun_simple
static void do_close_tun_simple(struct context *c)
Definition init.c:2025
do_inherit_plugins
static void do_inherit_plugins(struct context *c, const struct context *src)
Definition init.c:4264
run_up_down
static void run_up_down(const char *command, const struct plugin_list *plugins, int plugin_type, const char *arg, DWORD adapter_index, const char *dev_type, int tun_mtu, const char *ifconfig_local, const char *ifconfig_remote, const char *context, const char *signal_text, const char *script_type, struct env_set *es)
Definition init.c:108
do_init_socket_phase2
static void do_init_socket_phase2(struct context *c)
Definition init.c:3812
possibly_become_daemon
bool possibly_become_daemon(const struct options *options)
Definition init.c:1161
management_callback_remote_entry_get
static bool management_callback_remote_entry_get(void *arg, unsigned int index, char **remote)
Definition init.c:330
init_connection_list
static void init_connection_list(struct context *c)
Definition init.c:475
init_proxy_dowork
static void init_proxy_dowork(struct context *c)
Definition init.c:689
do_close_packet_id
static void do_close_packet_id(struct context *c)
Definition init.c:4025
do_startup_pause
static void do_startup_pause(struct context *c)
Definition init.c:2864
get_frame_mtu
static size_t get_frame_mtu(struct context *c, const struct options *o)
Definition init.c:2877
do_deferred_p2p_ncp
static bool do_deferred_p2p_ncp(struct context *c)
Definition init.c:2560
CF_INIT_TLS_AUTH_STANDALONE
#define CF_INIT_TLS_AUTH_STANDALONE
Definition init.c:69
pull_permission_mask
unsigned int pull_permission_mask(const struct context *c)
Definition init.c:2544
do_deferred_options_part2
static bool do_deferred_options_part2(struct context *c)
This function is expected to be invoked after open_tun() was performed.
Definition init.c:2333
do_env_set_destroy
static void do_env_set_destroy(struct context *c)
Definition init.c:4155
do_init_buffers
static void do_init_buffers(struct context *c)
Definition init.c:3730
init_proxy
static void init_proxy(struct context *c)
Definition init.c:721
init_management_callback_p2p
void init_management_callback_p2p(struct context *c)
Definition init.c:4347
management_callback_send_cc_message
static bool management_callback_send_cc_message(void *arg, const char *command, const char *parameters)
This method sends a custom control channel message.
Definition init.c:297
do_route
bool do_route(const struct options *options, struct route_list *route_list, struct route_ipv6_list *route_ipv6_list, const struct tuntap *tt, const struct plugin_list *plugins, struct env_set *es, openvpn_net_ctx_t *ctx)
Definition init.c:1673
do_inherit_env
static void do_inherit_env(struct context *c, const struct env_set *src)
Definition init.c:4147
context_clear_all_except_first_time
void context_clear_all_except_first_time(struct context *c)
Definition init.c:94
init_context_buffers
struct context_buffers * init_context_buffers(const struct frame *frame)
Definition init.c:3680
do_open_tun
static bool do_open_tun(struct context *c, int *error_flags)
Definition init.c:1869
do_close_tls
static void do_close_tls(struct context *c)
Definition init.c:3916
close_management
void close_management(void)
Definition init.c:4422
management_show_net_callback
void management_show_net_callback(void *arg, const msglvl_t msglevel)
Definition init.c:4285
ISC_ERRORS
#define ISC_ERRORS
Definition init.h:126
CC_GC_FREE
#define CC_GC_FREE
Definition init.h:115
IVM_LEVEL_2
#define IVM_LEVEL_2
Definition init.h:49
ISC_ROUTE_ERRORS
#define ISC_ROUTE_ERRORS
Definition init.h:128
IVM_LEVEL_1
#define IVM_LEVEL_1
Definition init.h:48
CC_USR1_TO_HUP
#define CC_USR1_TO_HUP
Definition init.h:116
BASE_N_EVENTS
#define BASE_N_EVENTS
Definition init.h:32
CC_HARD_USR1_TO_HUP
#define CC_HARD_USR1_TO_HUP
Definition init.h:117
ISC_SERVER
#define ISC_SERVER
Definition init.h:127
CC_NO_CLOSE
#define CC_NO_CLOSE
Definition init.h:118
min_int
static int min_int(int x, int y)
Definition integer.h:105
max_int
static int max_int(int x, int y)
Definition integer.h:92
status
static SERVICE_STATUS status
Definition interactive.c:51
interval_init
void interval_init(struct interval *top, int horizon, int refresh)
Definition interval.c:34
event_timeout_init
static void event_timeout_init(struct event_timeout *et, interval_t n, const time_t last)
Initialises a timer struct.
Definition interval.h:172
event_timeout_clear
static void event_timeout_clear(struct event_timeout *et)
Clears the timeout and reset all values to 0.
Definition interval.h:153
set_lladdr
int set_lladdr(openvpn_net_ctx_t *ctx, const char *ifname, const char *lladdr, const struct env_set *es)
Definition lladdr.c:17
management_pre_tunnel_close
void management_pre_tunnel_close(struct management *man)
Definition manage.c:3115
management_notify_client_close
void management_notify_client_close(struct management *management, struct man_def_auth_context *mdac, const struct env_set *es)
Definition manage.c:3033
management_clear_callback
void management_clear_callback(struct management *man)
Definition manage.c:2787
management_hold
bool management_hold(struct management *man, int holdtime)
Definition manage.c:3841
management_init
struct management * management_init(void)
Definition manage.c:2717
management_event_loop_n_seconds
void management_event_loop_n_seconds(struct management *man, int sec)
Definition manage.c:3470
management_close
void management_close(struct management *man)
Definition manage.c:2770
management_set_state
void management_set_state(struct management *man, const int state, const char *detail, const in_addr_t *tun_local_ip, const struct in6_addr *tun_local_ip6, const struct openvpn_sockaddr *local, const struct openvpn_sockaddr *remote)
Definition manage.c:2796
management_open
bool management_open(struct management *man, const char *addr, const char *port, const char *pass_file, const char *client_user, const char *client_group, const int log_history_cache, const int echo_buffer_size, const int state_buffer_size, const int remap_sigusr1, const unsigned int flags)
Definition manage.c:2731
management_notify_generic
void management_notify_generic(struct management *man, const char *str)
Definition manage.c:2947
man_persist_client_stats
void man_persist_client_stats(struct management *man, struct context *c)
Definition manage.c:4237
management_set_callback
void management_set_callback(struct management *man, const struct management_callback *cb)
Definition manage.c:2780
management_up_down
void management_up_down(struct management *man, const char *updown, const struct env_set *es)
Definition manage.c:2931
management_sleep
void management_sleep(const int n)
A sleep function that services the management layer for n seconds rather than doing nothing.
Definition manage.c:4147
management_post_tunnel_open
void management_post_tunnel_open(struct management *man, const in_addr_t tun_local_ip)
Definition manage.c:3092
management_query_remote_enabled
static bool management_query_remote_enabled(const struct management *man)
Definition manage.h:425
OPENVPN_STATE_CONNECTING
#define OPENVPN_STATE_CONNECTING
Definition manage.h:449
management_query_proxy_enabled
static bool management_query_proxy_enabled(const struct management *man)
Definition manage.h:431
OPENVPN_STATE_CONNECTED
#define OPENVPN_STATE_CONNECTED
Definition manage.h:452
MF_SERVER
#define MF_SERVER
Definition manage.h:27
set_std_files_to_null
void set_std_files_to_null(bool stdin_only)
Definition misc.c:55
GET_USER_PASS_MANAGEMENT
#define GET_USER_PASS_MANAGEMENT
Definition misc.h:110
GET_USER_PASS_NEED_OK
#define GET_USER_PASS_NEED_OK
Definition misc.h:113
get_user_pass
static bool get_user_pass(struct user_pass *up, const char *auth_file, const char *prefix, const unsigned int flags)
Retrieves the user credentials from various sources depending on the flags.
Definition misc.h:150
frame_calculate_dynamic
void frame_calculate_dynamic(struct frame *frame, struct key_type *kt, const struct options *options, struct link_socket_info *lsi)
Set the –mssfix option.
Definition mss.c:331
frame_calculate_protocol_header_size
size_t frame_calculate_protocol_header_size(const struct key_type *kt, const struct options *options, bool occ)
Calculates the size of the OpenVPN protocol header.
Definition mtu.c:61
frame_print
void frame_print(const struct frame *frame, msglvl_t msglevel, const char *prefix)
Definition mtu.c:190
TUN_MTU_MAX_MIN
#define TUN_MTU_MAX_MIN
Definition mtu.h:74
BUF_SIZE
#define BUF_SIZE(f)
Definition mtu.h:178
TUN_MTU_MIN
#define TUN_MTU_MIN
Definition mtu.h:59
np
static const char * np(const char *str)
Definition multi-auth.c:146
openvpn_net_ctx_t
void * openvpn_net_ctx_t
Definition networking.h:38
OCC_MTU_LOAD_INTERVAL_SECONDS
#define OCC_MTU_LOAD_INTERVAL_SECONDS
Definition occ.h:61
occ_reset_op
static int occ_reset_op(void)
Definition occ.h:101
OCC_INTERVAL_SECONDS
#define OCC_INTERVAL_SECONDS
Definition occ.h:45
OPENVPN_PLUGIN_INIT_POST_DAEMON
#define OPENVPN_PLUGIN_INIT_POST_DAEMON
Definition openvpn-plugin.h:768
OPENVPN_PLUGIN_INIT_PRE_DAEMON
#define OPENVPN_PLUGIN_INIT_PRE_DAEMON
Definition openvpn-plugin.h:767
OPENVPN_PLUGIN_DOWN
#define OPENVPN_PLUGIN_DOWN
Definition openvpn-plugin.h:118
OPENVPN_PLUGIN_ROUTE_PREDOWN
#define OPENVPN_PLUGIN_ROUTE_PREDOWN
Definition openvpn-plugin.h:129
OPENVPN_PLUGIN_INIT_POST_UID_CHANGE
#define OPENVPN_PLUGIN_INIT_POST_UID_CHANGE
Definition openvpn-plugin.h:769
OPENVPN_PLUGIN_FUNC_SUCCESS
#define OPENVPN_PLUGIN_FUNC_SUCCESS
Definition openvpn-plugin.h:148
OPENVPN_PLUGIN_UP
#define OPENVPN_PLUGIN_UP
Definition openvpn-plugin.h:117
OPENVPN_PLUGIN_ROUTE_UP
#define OPENVPN_PLUGIN_ROUTE_UP
Definition openvpn-plugin.h:119
CLEAR
#define CLEAR(x)
Definition basic.h:32
error_reset
void error_reset(void)
Definition error.c:158
set_mute_cutoff
bool set_mute_cutoff(const int cutoff)
Definition error.c:120
set_check_status
void set_check_status(unsigned int info_level, unsigned int verbose_level)
Definition error.c:612
reset_check_status
void reset_check_status(void)
Definition error.c:605
set_debug_level
bool set_debug_level(const int level, const unsigned int flags)
Definition error.c:104
M_OPTERR
#define M_OPTERR
Definition error.h:101
check_debug_level
static bool check_debug_level(msglvl_t level)
Definition error.h:259
SDL_CONSTRAIN
#define SDL_CONSTRAIN
Definition error.h:201
M_NOPREFIX
#define M_NOPREFIX
Definition error.h:98
M_USAGE
#define M_USAGE
Definition error.h:107
M_FATAL
#define M_FATAL
Definition error.h:90
set_check_status_error_delay
static void set_check_status_error_delay(unsigned int milliseconds)
Definition error.h:323
M_NONFATAL
#define M_NONFATAL
Definition error.h:91
M_ERR
#define M_ERR
Definition error.h:106
msg
#define msg(flags,...)
Definition error.h:152
msglvl_t
unsigned int msglvl_t
Definition error.h:77
ASSERT
#define ASSERT(x)
Definition error.h:219
M_WARN
#define M_WARN
Definition error.h:92
TLS_MODE
#define TLS_MODE(c)
Definition openvpn.h:543
packet_id_persist_init
static void packet_id_persist_init(struct packet_id_persist *p)
Definition openvpn.h:86
CM_P2P
#define CM_P2P
Definition openvpn.h:482
CM_TOP_CLONE
#define CM_TOP_CLONE
Definition openvpn.h:484
CM_CHILD_TCP
#define CM_CHILD_TCP
Definition openvpn.h:486
CM_CHILD_UDP
#define CM_CHILD_UDP
Definition openvpn.h:485
MAX_PEER_ID
#define MAX_PEER_ID
Definition openvpn.h:554
CM_TOP
#define CM_TOP
Definition openvpn.h:483
options_string_import
void options_string_import(struct options *options, const char *config, const msglvl_t msglevel, const unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es)
Definition options.c:5537
options_detach
void options_detach(struct options *o)
Definition options.c:1565
pre_connect_restore
void pre_connect_restore(struct options *o, struct gc_arena *gc)
Definition options.c:3165
options_string_version
const char * options_string_version(const char *s, struct gc_arena *gc)
Definition options.c:4700
title_string
const char title_string[]
Definition options.c:71
auth_retry_get
int auth_retry_get(void)
Definition options.c:4791
notnull
void notnull(const char *arg, const char *description)
Definition options.c:4931
options_string
char * options_string(const struct options *o, const struct frame *frame, struct tuntap *tt, openvpn_net_ctx_t *ctx, bool remote, struct gc_arena *gc)
Definition options.c:4350
MODE_POINT_TO_POINT
#define MODE_POINT_TO_POINT
Definition options.h:260
OPT_P_UP
#define OPT_P_UP
Definition options.h:733
CE_MAN_QUERY_REMOTE_QUERY
#define CE_MAN_QUERY_REMOTE_QUERY
Definition options.h:153
OPT_P_NCP
#define OPT_P_NCP
Negotiable crypto parameters.
Definition options.h:744
OPT_P_ECHO
#define OPT_P_ECHO
Definition options.h:752
MODE_SERVER
#define MODE_SERVER
Definition options.h:261
streq
#define streq(x, y)
Definition options.h:727
OPT_P_EXPLICIT_NOTIFY
#define OPT_P_EXPLICIT_NOTIFY
Definition options.h:751
CE_MAN_QUERY_REMOTE_SKIP
#define CE_MAN_QUERY_REMOTE_SKIP
Definition options.h:156
AR_INTERACT
#define AR_INTERACT
Definition options.h:915
OPT_P_SHAPER
#define OPT_P_SHAPER
Definition options.h:738
dco_enabled
static bool dco_enabled(const struct options *o)
Returns whether the current configuration has dco enabled.
Definition options.h:936
OPT_P_SOCKFLAGS
#define OPT_P_SOCKFLAGS
Definition options.h:758
SHAPER_DEFINED
#define SHAPER_DEFINED(opt)
Definition options.h:784
CE_MAN_QUERY_REMOTE_MOD
#define CE_MAN_QUERY_REMOTE_MOD
Definition options.h:155
CE_MAN_QUERY_PROXY
#define CE_MAN_QUERY_PROXY
Definition options.h:151
OPT_P_MESSAGES
#define OPT_P_MESSAGES
Definition options.h:743
OPT_P_SETENV
#define OPT_P_SETENV
Definition options.h:737
OPT_P_SOCKBUF
#define OPT_P_SOCKBUF
Definition options.h:757
CE_MAN_QUERY_REMOTE_MASK
#define CE_MAN_QUERY_REMOTE_MASK
Definition options.h:157
OPT_P_PLUGIN
#define OPT_P_PLUGIN
Definition options.h:756
OPT_P_TIMER
#define OPT_P_TIMER
Definition options.h:739
PING_RESTART
#define PING_RESTART
Definition options.h:356
RH_PORT_LEN
#define RH_PORT_LEN
Definition options.h:230
OPT_P_DEFAULT
#define OPT_P_DEFAULT
Definition options.h:765
CE_MAN_QUERY_REMOTE_SHIFT
#define CE_MAN_QUERY_REMOTE_SHIFT
Definition options.h:158
OPT_P_DHCPDNS
#define OPT_P_DHCPDNS
Definition options.h:735
OPT_P_PULL_MODE
#define OPT_P_PULL_MODE
Definition options.h:755
GENKEY_AUTH_TOKEN
@ GENKEY_AUTH_TOKEN
Definition options.h:239
GENKEY_SECRET
@ GENKEY_SECRET
Definition options.h:236
GENKEY_TLS_CRYPTV2_SERVER
@ GENKEY_TLS_CRYPTV2_SERVER
Definition options.h:238
GENKEY_TLS_CRYPTV2_CLIENT
@ GENKEY_TLS_CRYPTV2_CLIENT
Definition options.h:237
OPT_P_PUSH_MTU
#define OPT_P_PUSH_MTU
Definition options.h:762
AR_NONE
#define AR_NONE
Definition options.h:914
AR_NOINTERACT
#define AR_NOINTERACT
Definition options.h:916
RH_HOST_LEN
#define RH_HOST_LEN
Definition options.h:228
OPT_P_PERSIST
#define OPT_P_PERSIST
Definition options.h:740
MAX_PARMS
#define MAX_PARMS
Definition options.h:51
PING_UNDEF
#define PING_UNDEF
Definition options.h:354
CE_MAN_QUERY_REMOTE_ACCEPT
#define CE_MAN_QUERY_REMOTE_ACCEPT
Definition options.h:154
PULL_DEFINED
#define PULL_DEFINED(opt)
Definition options.h:767
ROUTE_OPTION_FLAGS
#define ROUTE_OPTION_FLAGS(o)
Definition options.h:779
PING_EXIT
#define PING_EXIT
Definition options.h:355
OPT_P_COMP
#define OPT_P_COMP
Definition options.h:742
OPT_P_ROUTE_EXTRAS
#define OPT_P_ROUTE_EXTRAS
Definition options.h:754
OPT_P_PEER_ID
#define OPT_P_PEER_ID
Definition options.h:760
OPT_P_ROUTE
#define OPT_P_ROUTE
Definition options.h:734
CE_DISABLED
#define CE_DISABLED
Definition options.h:150
now
time_t now
Definition otime.c:33
update_time
static void update_time(void)
Definition otime.h:81
time_test
void time_test(void)
packet_id_persist_save
void packet_id_persist_save(struct packet_id_persist *p)
Definition packet_id.c:508
packet_id_persist_load_obj
void packet_id_persist_load_obj(const struct packet_id_persist *p, struct packet_id *pid)
Definition packet_id.c:548
packet_id_init
void packet_id_init(struct packet_id *p, int seq_backtrack, int time_backtrack, const char *name, int unit)
Definition packet_id.c:96
packet_id_persist_close
void packet_id_persist_close(struct packet_id_persist *p)
Definition packet_id.c:450
packet_id_free
void packet_id_free(struct packet_id *p)
Definition packet_id.c:126
packet_id_persist_load
void packet_id_persist_load(struct packet_id_persist *p, const char *filename)
Definition packet_id.c:464
PRE_PULL_INITIAL_PING_RESTART
#define PRE_PULL_INITIAL_PING_RESTART
Definition ping.h:32
platform_getpid
unsigned int platform_getpid(void)
Definition platform.c:337
platform_create_temp_file
const char * platform_create_temp_file(const char *directory, const char *prefix, struct gc_arena *gc)
Create a temporary file in directory, returns the filename of the created file.
Definition platform.c:544
platform_user_group_set
void platform_user_group_set(const struct platform_state_user *user_state, const struct platform_state_group *group_state, struct context *c)
Definition platform.c:222
platform_nice
void platform_nice(int niceval)
Definition platform.c:315
platform_user_get
bool platform_user_get(const char *username, struct platform_state_user *state)
Definition platform.c:80
platform_unlink
bool platform_unlink(const char *filename)
Definition platform.c:491
platform_fopen
FILE * platform_fopen(const char *path, const char *mode)
Definition platform.c:504
platform_chdir
int platform_chdir(const char *dir)
Definition platform.c:396
platform_mlockall
void platform_mlockall(bool print_msg)
Definition platform.c:348
platform_chroot
void platform_chroot(const char *path)
Definition platform.c:54
platform_group_get
bool platform_group_get(const char *groupname, struct platform_state_group *state)
Definition platform.c:126
plugin_list_close
void plugin_list_close(struct plugin_list *pl)
Definition plugin.c:869
plugin_return_free
void plugin_return_free(struct plugin_return *pr)
Definition plugin.c:986
plugin_list_inherit
struct plugin_list * plugin_list_inherit(const struct plugin_list *src)
Definition plugin.c:690
plugin_list_init
struct plugin_list * plugin_list_init(const struct plugin_option_list *list)
Definition plugin.c:764
plugin_return_get_column
void plugin_return_get_column(const struct plugin_return *src, struct plugin_return *dest, const char *colname)
Definition plugin.c:972
plugin_defined
bool plugin_defined(const struct plugin_list *pl, const int type)
Definition plugin.c:904
plugin_list_open
void plugin_list_open(struct plugin_list *pl, const struct plugin_option_list *list, struct plugin_return *pr, const struct env_set *es, const int init_point)
Definition plugin.c:774
plugin_return_init
static void plugin_return_init(struct plugin_return *pr)
Definition plugin.h:163
plugin_call
static int plugin_call(const struct plugin_list *pl, const int type, const struct argv *av, struct plugin_return *pr, struct env_set *es)
Definition plugin.h:195
plugin_return_defined
static bool plugin_return_defined(const struct plugin_return *pr)
Definition plugin.h:157
ifconfig_pool_persist_init
struct ifconfig_pool_persist * ifconfig_pool_persist_init(const char *filename, int refresh_freq)
Definition pool.c:538
ifconfig_pool_persist_close
void ifconfig_pool_persist_close(struct ifconfig_pool_persist *persist)
Definition pool.c:560
TOP_NET30
#define TOP_NET30
Definition proto.h:41
DEV_TYPE_TUN
#define DEV_TYPE_TUN
Definition proto.h:35
TOP_P2P
#define TOP_P2P
Definition proto.h:42
http_proxy_close
void http_proxy_close(struct http_proxy_info *hp)
Definition proxy.c:558
http_proxy_new
struct http_proxy_info * http_proxy_new(const struct http_proxy_options *o)
Definition proxy.c:493
init_http_proxy_options_once
struct http_proxy_options * init_http_proxy_options_once(struct http_proxy_options **hpo, struct gc_arena *gc)
Definition proxy.c:45
PAR_NCT
#define PAR_NCT
Definition proxy.h:51
PAR_ALL
#define PAR_ALL
Definition proxy.h:50
add_routes
bool add_routes(struct route_list *rl, struct route_ipv6_list *rl6, const struct tuntap *tt, unsigned int flags, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition route.c:1101
setenv_routes_ipv6
void setenv_routes_ipv6(struct env_set *es, const struct route_ipv6_list *rl6)
Definition route.c:1404
block_local_needed
bool block_local_needed(const struct route_list *rl)
Get the decision whether to block traffic to local networks while the VPN is connected.
Definition route.c:596
init_route_ipv6_list
bool init_route_ipv6_list(struct route_ipv6_list *rl6, const struct route_ipv6_option_list *opt6, const char *remote_endpoint, int default_metric, const struct in6_addr *remote_host_ipv6, struct env_set *es, openvpn_net_ctx_t *ctx)
Definition route.c:753
add_route_ipv6_to_option_list
void add_route_ipv6_to_option_list(struct route_ipv6_option_list *l, const char *prefix, const char *gateway, const char *metric, int table_id)
Definition route.c:507
init_route_list
bool init_route_list(struct route_list *rl, const struct route_option_list *opt, const char *remote_endpoint, int default_metric, in_addr_t remote_host, struct env_set *es, openvpn_net_ctx_t *ctx)
Definition route.c:604
delete_routes
void delete_routes(struct route_list *rl, struct route_ipv6_list *rl6, const struct tuntap *tt, unsigned int flags, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition route.c:1166
show_routes
void show_routes(msglvl_t msglevel)
Definition route.c:3070
setenv_routes
void setenv_routes(struct env_set *es, const struct route_list *rl)
Definition route.c:1367
route_did_redirect_default_gateway
static int route_did_redirect_default_gateway(const struct route_list *rl)
Definition route.h:424
RG_REROUTE_GW
#define RG_REROUTE_GW
Definition route.h:91
script_security
int script_security(void)
Definition run_command.c:42
run_command.h
S_FATAL
#define S_FATAL
Definition run_command.h:50
SSEC_SCRIPTS
#define SSEC_SCRIPTS
allow calling of built-in programs and user-defined scripts
Definition run_command.h:35
openvpn_run_script
static int openvpn_run_script(const struct argv *a, const struct env_set *es, const unsigned int flags, const char *hook)
Will run a script and return the exit code of the script if between 0 and 255, -1 otherwise.
Definition run_command.h:89
SSEC_PW_ENV
#define SSEC_PW_ENV
allow calling of built-in programs and user-defined scripts that may receive a password as an environ...
Definition run_command.h:38
shaper_msg
void shaper_msg(struct shaper *s)
Definition shaper.c:87
shaper_init
static void shaper_init(struct shaper *s, int bytes_per_second)
Definition shaper.h:85
post_init_signal_catch
void post_init_signal_catch(void)
Definition sig.c:421
print_status
void print_status(struct context *c, struct status_output *so)
Definition sig.c:478
pre_init_signal_catch
void pre_init_signal_catch(void)
Definition sig.c:392
remap_signal
void remap_signal(struct context *c)
Definition sig.c:588
signal_description
const char * signal_description(const int signum, const char *sigtext)
Definition sig.c:105
restore_signal_state
void restore_signal_state(void)
Definition sig.c:460
register_signal
void register_signal(struct signal_info *si, int signum, const char *signal_text)
Register a soft signal in the signal_info struct si respecting priority.
Definition sig.c:228
IS_SIG
#define IS_SIG(c)
Definition sig.h:47
SIG_SOURCE_HARD
#define SIG_SOURCE_HARD
Definition sig.h:30
link_socket_init_phase1
void link_socket_init_phase1(struct context *c, int sock_index, int mode)
Definition socket.c:1367
link_socket_init_phase2
void link_socket_init_phase2(struct context *c, struct link_socket *sock)
Definition socket.c:1710
link_socket_update_buffer_sizes
void link_socket_update_buffer_sizes(struct link_socket *sock, int rcvbuf, int sndbuf)
Definition socket.c:557
link_socket_current_remote_ipv6
const struct in6_addr * link_socket_current_remote_ipv6(const struct link_socket_info *info)
Definition socket.c:2024
link_socket_close
void link_socket_close(struct link_socket *sock)
Definition socket.c:1831
link_socket_current_remote
in_addr_t link_socket_current_remote(const struct link_socket_info *info)
Definition socket.c:1990
do_preresolve
void do_preresolve(struct context *c)
Definition socket.c:320
link_socket_new
struct link_socket * link_socket_new(void)
Definition socket.c:1353
link_socket_update_flags
bool link_socket_update_flags(struct link_socket *sock, unsigned int sockflags)
Definition socket.c:543
LS_MODE_TCP_ACCEPT_FROM
#define LS_MODE_TCP_ACCEPT_FROM
Definition socket.h:181
LS_MODE_DEFAULT
#define LS_MODE_DEFAULT
Definition socket.h:179
LS_MODE_TCP_LISTEN
#define LS_MODE_TCP_LISTEN
Definition socket.h:180
proto2ascii
const char * proto2ascii(int proto, sa_family_t af, bool display_form)
Definition socket_util.c:409
print_in_addr_t
const char * print_in_addr_t(in_addr_t addr, unsigned int flags, struct gc_arena *gc)
Definition socket_util.c:196
IA_EMPTY_IF_UNDEF
#define IA_EMPTY_IF_UNDEF
Definition socket_util.h:89
proto_is_udp
static bool proto_is_udp(int proto)
Returns if the protocol being used is UDP.
Definition socket_util.h:195
PROTO_UDP
@ PROTO_UDP
Definition socket_util.h:177
PROTO_TCP
@ PROTO_TCP
Definition socket_util.h:178
PROTO_TCP_CLIENT
@ PROTO_TCP_CLIENT
Definition socket_util.h:180
proto_is_tcp
static bool proto_is_tcp(int proto)
returns if the proto is a TCP variant (tcp-server, tcp-client or tcp)
Definition socket_util.h:215
proto_is_dgram
static bool proto_is_dgram(int proto)
Return if the protocol is datagram (UDP)
Definition socket_util.h:206
addr_defined
static bool addr_defined(const struct openvpn_sockaddr *addr)
Definition socket_util.h:234
socks_proxy_new
struct socks_proxy_info * socks_proxy_new(const char *server, const char *port, const char *authfile)
Definition socks.c:51
socks_proxy_close
void socks_proxy_close(struct socks_proxy_info *sp)
Definition socks.c:78
ssl_purge_auth
void ssl_purge_auth(const bool auth_user_pass_only)
Definition ssl.c:391
init_ssl
void init_ssl(const struct options *options, struct tls_root_ctx *new_ctx, bool in_chroot)
Build master SSL context object that serves for the whole of OpenVPN instantiation.
Definition ssl.c:521
pem_password_setup
void pem_password_setup(const char *auth_file)
Definition ssl.c:258
init_ssl_lib
void init_ssl_lib(void)
Definition ssl.c:235
tls_session_update_crypto_params
bool tls_session_update_crypto_params(struct tls_multi *multi, struct tls_session *session, struct options *options, struct frame *frame, struct frame *frame_fragment, struct link_socket_info *lsi, dco_context_t *dco)
Update TLS session crypto parameters (cipher and auth) and derive data channel keys based on the supp...
Definition ssl.c:1651
free_ssl_lib
void free_ssl_lib(void)
Definition ssl.c:243
auth_user_pass_setup
void auth_user_pass_setup(const char *auth_file, bool is_inline, const struct static_challenge_info *sci)
Definition ssl.c:303
enable_auth_user_pass
void enable_auth_user_pass(void)
Definition ssl.c:297
show_available_tls_ciphers
void show_available_tls_ciphers(const char *cipher_list, const char *cipher_list_tls13, const char *tls_cert_profile)
Definition ssl.c:4120
X509_USERNAME_FIELD_DEFAULT
#define X509_USERNAME_FIELD_DEFAULT
Definition ssl.h:120
TLS_MULTI_HORIZON
#define TLS_MULTI_HORIZON
Definition ssl.h:61
TLS_MULTI_REFRESH
#define TLS_MULTI_REFRESH
Definition ssl.h:60
tls_ctx_free
void tls_ctx_free(struct tls_root_ctx *ctx)
Frees the library-specific TLSv1 context.
Definition ssl_openssl.c:139
show_available_curves
void show_available_curves(void)
Show the available elliptic curves in the crypto library.
Definition ssl_openssl.c:2606
tls_ctx_initialised
bool tls_ctx_initialised(struct tls_root_ctx *ctx)
Checks whether the given TLS context is initialised.
Definition ssl_openssl.c:148
CAS_CONNECT_DONE
@ CAS_CONNECT_DONE
Definition ssl_common.h:594
CAS_RECONNECT_PENDING
@ CAS_RECONNECT_PENDING
session has already successful established (CAS_CONNECT_DONE) but has a reconnect and needs to redo s...
Definition ssl_common.h:593
check_pull_client_ncp
bool check_pull_client_ncp(struct context *c, const unsigned int found)
Checks whether the cipher negotiation is in an acceptable state and we continue to connect or should ...
Definition ssl_ncp.c:310
tls_item_in_cipher_list
bool tls_item_in_cipher_list(const char *item, const char *list)
Return true iff item is present in the colon-separated zero-terminated cipher list.
Definition ssl_ncp.c:206
get_p2p_ncp_cipher
const char * get_p2p_ncp_cipher(struct tls_session *session, const char *peer_info, struct gc_arena *gc)
Determines the best common cipher from both peers IV_CIPHER lists.
Definition ssl_ncp.c:355
ssl_ncp.h
Control Channel SSL/Data dynamic negotiation Module This file is split from ssl.h to be able to unit ...
session_id_hmac_init
hmac_ctx_t * session_id_hmac_init(void)
Definition ssl_pkt.c:450
tls_common_name
const char * tls_common_name(const struct tls_multi *multi, const bool null)
Returns the common name field for the given tunnel.
Definition ssl_verify.c:107
ssl_verify.h
Control Channel Verification Module.
VERIFY_X509_NONE
#define VERIFY_X509_NONE
Definition ssl_verify.h:68
NS_CERT_CHECK_SERVER
#define NS_CERT_CHECK_SERVER
Do not perform Netscape certificate type verification.
Definition ssl_verify.h:252
status_printf
void status_printf(struct status_output *so, const char *format,...)
Definition status.c:218
status_open
struct status_output * status_open(const char *filename, const int refresh_freq, const int msglevel, const struct virtual_output *vout, const unsigned int flags)
Definition status.c:60
status_close
bool status_close(struct status_output *so)
Definition status.c:179
STATUS_OUTPUT_WRITE
#define STATUS_OUTPUT_WRITE
Definition status.h:51
argv
Definition argv.h:35
buffer
Wrapper structure for dynamically allocated memory.
Definition buffer.h:60
buffer::len
int len
Length in bytes of the actual content within the allocated memory.
Definition buffer.h:65
connection_entry
Definition options.h:104
connection_entry::local_list
struct local_list * local_list
Definition options.h:105
connection_entry::tun_mtu_max
int tun_mtu_max
Definition options.h:126
connection_entry::connect_retry_seconds
int connect_retry_seconds
Definition options.h:116
connection_entry::tls_crypt_v2_force_cookie
bool tls_crypt_v2_force_cookie
Definition options.h:176
connection_entry::link_mtu
int link_mtu
Definition options.h:131
connection_entry::link_mtu_defined
bool link_mtu_defined
Definition options.h:132
connection_entry::tun_mtu_extra
int tun_mtu_extra
Definition options.h:129
connection_entry::connect_retry_seconds_max
int connect_retry_seconds_max
Definition options.h:117
connection_entry::mssfix
int mssfix
Definition options.h:141
connection_entry::tls_crypt_file
const char * tls_crypt_file
Definition options.h:167
connection_entry::tls_crypt_v2_file
const char * tls_crypt_v2_file
Definition options.h:172
connection_entry::tun_mtu_extra_defined
bool tun_mtu_extra_defined
Definition options.h:130
connection_entry::remote
const char * remote
Definition options.h:111
connection_entry::socks_proxy_port
const char * socks_proxy_port
Definition options.h:121
connection_entry::mssfix_encap
bool mssfix_encap
Definition options.h:143
connection_entry::http_proxy_options
struct http_proxy_options * http_proxy_options
Definition options.h:119
connection_entry::tls_crypt_file_inline
bool tls_crypt_file_inline
Definition options.h:168
connection_entry::tls_auth_file_inline
bool tls_auth_file_inline
Definition options.h:163
connection_entry::tun_mtu_defined
bool tun_mtu_defined
Definition options.h:128
connection_entry::tls_mtu
int tls_mtu
Definition options.h:133
connection_entry::explicit_exit_notification
int explicit_exit_notification
Definition options.h:147
connection_entry::socks_proxy_authfile
const char * socks_proxy_authfile
Definition options.h:122
connection_entry::remote_port
const char * remote_port
Definition options.h:110
connection_entry::fragment_encap
bool fragment_encap
Definition options.h:139
connection_entry::socks_proxy_server
const char * socks_proxy_server
Definition options.h:120
connection_entry::fragment
int fragment
Definition options.h:138
connection_entry::proto
int proto
Definition options.h:106
connection_entry::af
sa_family_t af
Definition options.h:107
connection_entry::tls_auth_file
const char * tls_auth_file
Definition options.h:162
connection_entry::tun_mtu
int tun_mtu
Definition options.h:124
connection_entry::key_direction
int key_direction
Definition options.h:164
connection_entry::tls_crypt_v2_file_inline
bool tls_crypt_v2_file_inline
Definition options.h:173
connection_entry::flags
unsigned int flags
Definition options.h:159
connection_list
Definition options.h:197
connection_list::array
struct connection_entry ** array
Definition options.h:201
connection_list::current
int current
Definition options.h:200
connection_list::len
int len
Definition options.h:199
context_0
Level 0 context containing information related to the OpenVPN process.
Definition openvpn.h:137
context_0::platform_state_group
struct platform_state_group platform_state_group
Definition openvpn.h:143
context_0::platform_state_user
struct platform_state_user platform_state_user
Definition openvpn.h:142
context_0::uid_gid_chroot_set
bool uid_gid_chroot_set
Definition openvpn.h:141
context_0::uid_gid_specified
bool uid_gid_specified
Definition openvpn.h:139
context_1::ks
struct key_schedule ks
Definition openvpn.h:164
context_1::ifconfig_pool_persist
struct ifconfig_pool_persist * ifconfig_pool_persist
Definition openvpn.h:197
context_1::http_proxy_owned
bool http_proxy_owned
Definition openvpn.h:190
context_1::status_output
struct status_output * status_output
Definition openvpn.h:185
context_1::route_list
struct route_list * route_list
List of routing information.
Definition openvpn.h:177
context_1::link_socket_addrs
struct link_socket_addr * link_socket_addrs
Local and remote addresses on the external network.
Definition openvpn.h:159
context_1::pulled_options_digest_save
struct sha256_digest pulled_options_digest_save
Hash of option strings received from the remote OpenVPN server.
Definition openvpn.h:201
context_1::link_sockets_num
int link_sockets_num
Definition openvpn.h:158
context_1::status_output_owned
bool status_output_owned
Definition openvpn.h:186
context_1::route_ipv6_list
struct route_ipv6_list * route_ipv6_list
Definition openvpn.h:182
context_1::pid_persist
struct packet_id_persist pid_persist
Definition openvpn.h:170
context_1::http_proxy
struct http_proxy_info * http_proxy
Definition openvpn.h:189
context_1::socks_proxy_owned
bool socks_proxy_owned
Definition openvpn.h:194
context_1::tuntap_owned
bool tuntap_owned
Whether the tun/tap interface should be cleaned up when this context is cleaned up.
Definition openvpn.h:173
context_1::ifconfig_pool_persist_owned
bool ifconfig_pool_persist_owned
Definition openvpn.h:198
context_1::socks_proxy
struct socks_proxy_info * socks_proxy
Definition openvpn.h:193
context_1::tuntap
struct tuntap * tuntap
Tun/tap virtual network interface.
Definition openvpn.h:172
context_2::options_string_local
char * options_string_local
Definition openvpn.h:296
context_2::fragment
struct fragment_master * fragment
Definition openvpn.h:252
context_2::do_up_ran
bool do_up_ran
Definition openvpn.h:411
context_2::options_string_remote
char * options_string_remote
Definition openvpn.h:297
context_2::route_wakeup_expire
struct event_timeout route_wakeup_expire
Definition openvpn.h:384
context_2::did_open_tun
bool did_open_tun
Definition openvpn.h:387
context_2::pulled_options_state
md_ctx_t * pulled_options_state
Definition openvpn.h:444
context_2::es_owned
bool es_owned
Definition openvpn.h:421
context_2::mda_context
struct man_def_auth_context mda_context
Definition openvpn.h:453
context_2::session_id_hmac
hmac_ctx_t * session_id_hmac
the HMAC we use to generate and verify our syn cookie like session ids from the server.
Definition openvpn.h:338
context_2::accept_from
const struct link_socket * accept_from
Definition openvpn.h:242
context_2::tls_auth_standalone
struct tls_auth_standalone * tls_auth_standalone
TLS state structure required for the initial authentication of a client's connection attempt.
Definition openvpn.h:326
context_2::occ_op
int occ_op
Definition openvpn.h:299
context_2::es
struct env_set * es
Definition openvpn.h:420
context_2::link_socket_owned
bool link_socket_owned
Definition openvpn.h:240
context_2::tls_multi
struct tls_multi * tls_multi
TLS state structure for this VPN tunnel.
Definition openvpn.h:323
context_2::frame
struct frame frame
Definition openvpn.h:248
context_2::frame_fragment
struct frame frame_fragment
Definition openvpn.h:253
context_2::crypto_options
struct crypto_options crypto_options
Security parameters and crypto state used by the Data Channel Crypto module to process data channel p...
Definition openvpn.h:349
context_2::buffers_owned
bool buffers_owned
Definition openvpn.h:368
context_2::link_sockets
struct link_socket ** link_sockets
Definition openvpn.h:237
context_2::link_socket_infos
struct link_socket_info ** link_socket_infos
Definition openvpn.h:238
context_2::log_rw
bool log_rw
Definition openvpn.h:380
context_2::event_set_max
int event_set_max
Definition openvpn.h:231
context_2::gc
struct gc_arena gc
Garbage collection arena for allocations done in the level 2 scope of this context_2 structure.
Definition openvpn.h:225
context_2::fast_io
bool fast_io
Definition openvpn.h:424
context_2::pulled_options_digest
struct sha256_digest pulled_options_digest
Definition openvpn.h:445
context_2::event_set
struct event_set * event_set
Definition openvpn.h:230
context_2::buffers
struct context_buffers * buffers
Definition openvpn.h:367
context_2::route_wakeup
struct event_timeout route_wakeup
Definition openvpn.h:383
context_2::tls_exit_signal
int tls_exit_signal
Definition openvpn.h:347
context_2::event_set_owned
bool event_set_owned
Definition openvpn.h:232
context_buffers
Definition openvpn.h:95
context_buffers::read_link_buf
struct buffer read_link_buf
Definition openvpn.h:113
context_buffers::encrypt_buf
struct buffer encrypt_buf
Definition openvpn.h:100
context_buffers::read_tun_buf
struct buffer read_tun_buf
Definition openvpn.h:114
context_buffers::decrypt_buf
struct buffer decrypt_buf
Definition openvpn.h:101
context_buffers::aux_buf
struct buffer aux_buf
Definition openvpn.h:97
context_persist
Definition openvpn.h:121
context_persist::restart_sleep_seconds
int restart_sleep_seconds
Definition openvpn.h:122
context_persist::duri
struct dns_updown_runner_info duri
Definition openvpn.h:123
context
Contains all state information for one tunnel.
Definition openvpn.h:474
context::mode
int mode
Role of this context within the OpenVPN process.
Definition openvpn.h:487
context::c0
struct context_0 * c0
Level 0 context.
Definition openvpn.h:515
context::did_we_daemonize
bool did_we_daemonize
Whether demonization has already taken place.
Definition openvpn.h:510
context::first_time
bool first_time
True on the first iteration of OpenVPN's main loop.
Definition openvpn.h:478
context::sig
struct signal_info * sig
Internal error signaling object.
Definition openvpn.h:503
context::net_ctx
openvpn_net_ctx_t net_ctx
Networking API opaque context.
Definition openvpn.h:501
context::plugins
struct plugin_list * plugins
List of plug-ins.
Definition openvpn.h:505
context::c2
struct context_2 c2
Level 2 context.
Definition openvpn.h:517
context::es
struct env_set * es
Set of environment variables.
Definition openvpn.h:499
context::options
struct options options
Options loaded from command line or configuration file.
Definition openvpn.h:475
context::plugins_owned
bool plugins_owned
Whether the plug-ins should be cleaned up when this context is cleaned up.
Definition openvpn.h:506
context::gc
struct gc_arena gc
Garbage collection arena for allocations done in the scope of this context structure.
Definition openvpn.h:495
context::c1
struct context_1 c1
Level 1 context.
Definition openvpn.h:516
context::persist
struct context_persist persist
Persistent context.
Definition openvpn.h:513
crypto_options::flags
unsigned int flags
Bit-flags determining behavior of security operation functions.
Definition crypto.h:384
crypto_options::pid_persist
struct packet_id_persist * pid_persist
Persistent packet ID state for keeping state between successive OpenVPN process startups.
Definition crypto.h:340
crypto_options::key_ctx_bi
struct key_ctx_bi key_ctx_bi
OpenSSL cipher and HMAC contexts for both sending and receiving directions.
Definition crypto.h:294
crypto_options::packet_id
struct packet_id packet_id
Current packet ID state for both sending and receiving directions.
Definition crypto.h:331
dns_updown_runner_info::required
bool required
Definition dns.h:84
env_set
Definition env_set.h:43
frame
Packet geometry parameters.
Definition mtu.h:103
frame::tun_mtu
int tun_mtu
the (user) configured tun-mtu.
Definition mtu.h:137
frame::payload_size
int payload_size
the maximum size that a payload that our buffers can hold from either tun device or network link.
Definition mtu.h:108
frame::tun_max_mtu
int tun_max_mtu
the maximum tun-mtu size the buffers are are sized for.
Definition mtu.h:147
frame::extra_tun
int extra_tun
Maximum number of bytes in excess of the tun/tap MTU that might be read from or written to the virtua...
Definition mtu.h:151
frame::headroom
int headroom
the headroom in the buffer, this is choosen to allow all potential header to be added before the pack...
Definition mtu.h:114
frame::buf
struct frame::@8 buf
frame::tailroom
int tailroom
the tailroom in the buffer.
Definition mtu.h:118
gc_arena
Garbage collection arena used to keep track of dynamically allocated memory.
Definition buffer.h:116
http_proxy_options
Definition proxy.h:45
http_proxy_options::first_time
bool first_time
Definition proxy.h:61
http_proxy_options::port
const char * port
Definition proxy.h:47
http_proxy_options::auth_retry
int auth_retry
Definition proxy.h:52
http_proxy_options::server
const char * server
Definition proxy.h:46
key_schedule
Definition openvpn.h:55
key_schedule::tls_crypt_v2_wkc
struct buffer tls_crypt_v2_wkc
Wrapped client key.
Definition openvpn.h:72
key_schedule::original_wrap_keydata
struct key2 original_wrap_keydata
original tls-crypt key preserved to xored into the tls_crypt renegotiation key
Definition openvpn.h:70
key_schedule::key_type
struct key_type key_type
Definition openvpn.h:57
key_schedule::auth_token_key
struct key_ctx auth_token_key
Definition openvpn.h:73
key_schedule::ssl_ctx
struct tls_root_ctx ssl_ctx
Definition openvpn.h:63
key_schedule::tls_auth_key_type
struct key_type tls_auth_key_type
Definition openvpn.h:66
key_schedule::tls_wrap_key
struct key_ctx_bi tls_wrap_key
Definition openvpn.h:67
key_schedule::static_key
struct key_ctx_bi static_key
Definition openvpn.h:60
key_schedule::tls_crypt_v2_server_key
struct key_ctx tls_crypt_v2_server_key
Definition openvpn.h:71
key_type::cipher
const char * cipher
const name of the cipher
Definition crypto.h:142
key_type::digest
const char * digest
Message digest static parameters.
Definition crypto.h:143
link_socket_actual
Definition socket_util.h:50
link_socket_actual::dest
struct openvpn_sockaddr dest
Definition socket_util.h:53
link_socket_addr
Definition socket.h:77
link_socket_addr::actual
struct link_socket_actual actual
Definition socket.h:82
link_socket_addr::remote_list
struct addrinfo * remote_list
Definition socket.h:79
link_socket_addr::bind_local
struct addrinfo * bind_local
Definition socket.h:78
link_socket_addr::current_remote
struct addrinfo * current_remote
Definition socket.h:80
link_socket_info
Definition socket.h:86
link_socket_info::connection_established
bool connection_established
Definition socket.h:88
link_socket_info::lsa
struct link_socket_addr * lsa
Definition socket.h:87
link_socket_info::proto
int proto
Definition socket.h:92
link_socket
Definition socket.h:148
link_socket::info
struct link_socket_info info
Definition socket.h:149
link_socket::sd
socket_descriptor_t sd
Definition socket.h:156
local_list::len
int len
Definition options.h:192
man_persist::special_state_msg
const char * special_state_msg
Definition manage.h:232
management_callback
Definition manage.h:172
management_callback::arg
void * arg
Definition manage.h:173
management_callback::status
void(* status)(void *arg, const int version, struct status_output *so)
Definition manage.h:178
management_callback::remote_entry_get
bool(* remote_entry_get)(void *arg, unsigned int index, char **remote)
Definition manage.h:198
management_callback::remote_entry_count
unsigned int(* remote_entry_count)(void *arg)
Definition manage.h:197
management_callback::send_cc_message
bool(* send_cc_message)(void *arg, const char *message, const char *parameter)
Definition manage.h:184
management_callback::proxy_cmd
bool(* proxy_cmd)(void *arg, const char **p)
Definition manage.h:192
management_callback::show_net
void(* show_net)(void *arg, const msglvl_t msglevel)
Definition manage.h:179
management_callback::flags
unsigned int flags
Definition manage.h:176
management_callback::remote_cmd
bool(* remote_cmd)(void *arg, const char **p)
Definition manage.h:193
management::persist
struct man_persist persist
Definition manage.h:333
openvpn_plugin_string_list::value
char * value
Definition openvpn-plugin.h:194
openvpn_sockaddr
Definition socket_util.h:38
openvpn_sockaddr::addr
union openvpn_sockaddr::@27 addr
openvpn_sockaddr::sa
struct sockaddr sa
Definition socket_util.h:42
openvpn_sockaddr::in4
struct sockaddr_in in4
Definition socket_util.h:43
openvpn_sockaddr::in6
struct sockaddr_in6 in6
Definition socket_util.h:44
options::rcvbuf
int rcvbuf
Definition options.h:416
options::resolve_in_advance
bool resolve_in_advance
Definition options.h:368
options::route_nopull
bool route_nopull
Definition options.h:440
options::genkey_extra_data
const char * genkey_extra_data
Definition options.h:286
options::comp
struct compress_options comp
Definition options.h:413
options::persist_config
bool persist_config
Definition options.h:274
options::connection_list
struct connection_list * connection_list
Definition options.h:291
options::management_port
const char * management_port
Definition options.h:450
options::ifconfig_ipv6_remote
const char * ifconfig_ipv6_remote
Definition options.h:327
options::server_backoff_time
int server_backoff_time
Definition options.h:306
options::auth_token_renewal
int auth_token_renewal
Definition options.h:548
options::tmp_dir
const char * tmp_dir
Definition options.h:469
options::push_peer_info
bool push_peer_info
Definition options.h:685
options::daemon
bool daemon
Definition options.h:391
options::route_default_metric
int route_default_metric
Definition options.h:432
options::renegotiate_seconds_min
int renegotiate_seconds_min
Definition options.h:651
options::auth_token_secret_file
const char * auth_token_secret_file
Definition options.h:549
options::imported_protocol_flags
unsigned int imported_protocol_flags
Definition options.h:724
options::tls_export_peer_cert_dir
const char * tls_export_peer_cert_dir
Definition options.h:616
options::crl_file_inline
bool crl_file_inline
Definition options.h:620
options::down_script
const char * down_script
Definition options.h:386
options::verify_hash_algo
hash_algo_type verify_hash_algo
Definition options.h:626
options::replay_time
int replay_time
Definition options.h:587
options::management_state_buffer_size
int management_state_buffer_size
Definition options.h:454
options::duplicate_cn
bool duplicate_cn
Definition options.h:530
options::shaper
int shaper
Definition options.h:330
options::management_echo_buffer_size
int management_echo_buffer_size
Definition options.h:453
options::show_net_up
bool show_net_up
Definition options.h:698
options::verify_hash_no_ca
bool verify_hash_no_ca
Definition options.h:628
options::use_peer_id
bool use_peer_id
Definition options.h:704
options::remote_cert_ku
unsigned remote_cert_ku[MAX_PARMS]
Definition options.h:623
options::server_bridge_defined
bool server_bridge_defined
Definition options.h:484
options::keying_material_exporter_label
const char * keying_material_exporter_label
Definition options.h:708
options::status_file
const char * status_file
Definition options.h:406
options::ssl_flags
unsigned int ssl_flags
Definition options.h:629
options::route_noexec
bool route_noexec
Definition options.h:433
options::ifconfig_nowarn
bool ifconfig_nowarn
Definition options.h:329
options::remote_cert_eku
const char * remote_cert_eku
Definition options.h:624
options::tls_timeout
int tls_timeout
Definition options.h:645
options::test_crypto
bool test_crypto
Definition options.h:589
options::up_delay
bool up_delay
Definition options.h:389
options::server_bridge_proxy_dhcp
bool server_bridge_proxy_dhcp
Definition options.h:482
options::authname
const char * authname
Definition options.h:582
options::exit_event_name
const char * exit_event_name
Definition options.h:696
options::ifconfig_ipv6_local
const char * ifconfig_ipv6_local
Definition options.h:325
options::replay_window
int replay_window
Definition options.h:586
options::mute
int mute
Definition options.h:400
options::auth_user_pass_verify_script_via_file
bool auth_user_pass_verify_script_via_file
Definition options.h:544
options::dev_type
const char * dev_type
Definition options.h:319
options::persist_mode
int persist_mode
Definition options.h:275
options::ifconfig_pool_persist_refresh_freq
int ifconfig_pool_persist_refresh_freq
Definition options.h:496
options::show_digests
bool show_digests
Definition options.h:279
options::up_script
const char * up_script
Definition options.h:385
options::ce_advance_count
int ce_advance_count
Definition options.h:302
options::single_session
bool single_session
Definition options.h:683
options::rh_store
struct remote_host_store * rh_store
Definition options.h:312
options::verify_hash_depth
int verify_hash_depth
Definition options.h:627
options::route_delay_defined
bool route_delay_defined
Definition options.h:436
options::packet_id_file
const char * packet_id_file
Definition options.h:588
options::tls_crypt_v2_file
const char * tls_crypt_v2_file
Definition options.h:675
options::management_log_history_cache
int management_log_history_cache
Definition options.h:452
options::peer_id
uint32_t peer_id
Definition options.h:705
options::routes
struct route_option_list * routes
Definition options.h:437
options::keepalive_timeout
int keepalive_timeout
Definition options.h:343
options::fast_io
bool fast_io
Definition options.h:411
options::block_outside_dns
bool block_outside_dns
Definition options.h:700
options::tls_exit
bool tls_exit
Definition options.h:687
options::show_engines
bool show_engines
Definition options.h:280
options::msg_channel
HANDLE msg_channel
Definition options.h:695
options::key_pass_file
const char * key_pass_file
Definition options.h:277
options::mute_replay_warnings
bool mute_replay_warnings
Definition options.h:585
options::unsuccessful_attempts
unsigned int unsuccessful_attempts
Definition options.h:300
options::handshake_window
int handshake_window
Definition options.h:655
options::ifconfig_local
const char * ifconfig_local
Definition options.h:323
options::ce
struct connection_entry ce
Definition options.h:290
options::user_script_used
bool user_script_used
Definition options.h:387
options::show_tls_ciphers
bool show_tls_ciphers
Definition options.h:281
options::tuntap_options
struct tuntap_options tuntap_options
Definition options.h:371
options::verify_hash
struct verify_hash_list * verify_hash
Definition options.h:625
options::tls_cert_profile
const char * tls_cert_profile
Definition options.h:613
options::renegotiate_packets
int64_t renegotiate_packets
Definition options.h:649
options::management_flags
unsigned int management_flags
Definition options.h:462
options::route_default_gateway
const char * route_default_gateway
Definition options.h:429
options::exit_event_initial_state
bool exit_event_initial_state
Definition options.h:697
options::sc_info
struct static_challenge_info sc_info
Definition options.h:569
options::auth_token_call_auth
bool auth_token_call_auth
Definition options.h:546
options::topology
int topology
Definition options.h:322
options::disable_dco
bool disable_dco
Definition options.h:374
options::ncp_ciphers
const char * ncp_ciphers
Definition options.h:581
options::genkey
bool genkey
Definition options.h:283
options::ciphername
const char * ciphername
Definition options.h:576
options::auth_user_pass_file
const char * auth_user_pass_file
Definition options.h:562
options::username
const char * username
Definition options.h:377
options::plugin_list
struct plugin_option_list * plugin_list
Definition options.h:465
options::auth_token_lifetime
int auth_token_lifetime
Definition options.h:547
options::ns_cert_type
int ns_cert_type
Definition options.h:622
options::tls_crypt_v2_verify_script
const char * tls_crypt_v2_verify_script
Definition options.h:680
options::mode
int mode
Definition options.h:262
options::tls_server
bool tls_server
Definition options.h:595
options::auth_user_pass_verify_script
const char * auth_user_pass_verify_script
Definition options.h:543
options::connect_retry_max
int connect_retry_max
Definition options.h:289
options::pull
bool pull
Definition options.h:559
options::show_curves
bool show_curves
Definition options.h:282
options::route_ipv6_default_gateway
const char * route_ipv6_default_gateway
Definition options.h:430
options::tls_client
bool tls_client
Definition options.h:596
options::auth_token_generate
bool auth_token_generate
Definition options.h:545
options::priv_key_file_inline
bool priv_key_file_inline
Definition options.h:607
options::tls_verify
const char * tls_verify
Definition options.h:615
options::crl_file
const char * crl_file
Definition options.h:619
options::ping_rec_timeout_action
int ping_rec_timeout_action
Definition options.h:357
options::auth_user_pass_file_inline
bool auth_user_pass_file_inline
Definition options.h:563
options::show_ciphers
bool show_ciphers
Definition options.h:278
options::enable_ncp_fallback
bool enable_ncp_fallback
If defined fall back to ciphername if NCP fails.
Definition options.h:577
options::route_predown_script
const char * route_predown_script
Definition options.h:428
options::route_delay_window
int route_delay_window
Definition options.h:435
options::mlock
bool mlock
Definition options.h:340
options::sndbuf
int sndbuf
Definition options.h:417
options::gc
struct gc_arena gc
Definition options.h:253
options::down_pre
bool down_pre
Definition options.h:388
options::persist_tun
bool persist_tun
Definition options.h:359
options::route_default_table_id
int route_default_table_id
Definition options.h:431
options::auth_token_secret_file_inline
bool auth_token_secret_file_inline
Definition options.h:550
options::config
const char * config
Definition options.h:257
options::keying_material_exporter_length
int keying_material_exporter_length
Definition options.h:709
options::mtu_test
bool mtu_test
Definition options.h:334
options::verify_x509_type
int verify_x509_type
Definition options.h:617
options::cipher_list_tls13
const char * cipher_list_tls13
Definition options.h:611
options::status_file_update_freq
int status_file_update_freq
Definition options.h:408
options::management_client_user
const char * management_client_user
Definition options.h:456
options::cipher_list
const char * cipher_list
Definition options.h:610
options::ccd_exclusive
bool ccd_exclusive
Definition options.h:509
options::genkey_filename
const char * genkey_filename
Definition options.h:285
options::x509_track
const struct x509_track * x509_track
Definition options.h:689
options::chroot_dir
const char * chroot_dir
Definition options.h:379
options::log
bool log
Definition options.h:395
options::shared_secret_file_inline
bool shared_secret_file_inline
Definition options.h:573
options::renegotiate_seconds
int renegotiate_seconds
Definition options.h:650
options::ping_rec_timeout
int ping_rec_timeout
Definition options.h:351
options::sockflags
unsigned int sockflags
Definition options.h:424
options::engine
const char * engine
Definition options.h:583
options::management_addr
const char * management_addr
Definition options.h:449
options::verify_x509_name
const char * verify_x509_name
Definition options.h:618
options::ping_send_timeout
int ping_send_timeout
Definition options.h:350
options::route_delay
int route_delay
Definition options.h:434
options::dev_node
const char * dev_node
Definition options.h:320
options::client_crresponse_script
const char * client_crresponse_script
Definition options.h:507
options::routes_ipv6
struct route_ipv6_option_list * routes_ipv6
Definition options.h:438
options::key_direction
int key_direction
Definition options.h:575
options::persist_remote_ip
bool persist_remote_ip
Definition options.h:361
options::up_restart
bool up_restart
Definition options.h:390
options::keepalive_ping
int keepalive_ping
Definition options.h:342
options::no_advance
bool no_advance
Definition options.h:295
options::tls_crypt_v2_file_inline
bool tls_crypt_v2_file_inline
Definition options.h:676
options::groupname
const char * groupname
Definition options.h:378
options::cd_dir
const char * cd_dir
Definition options.h:380
options::nice
int nice
Definition options.h:398
options::transition_window
int transition_window
Definition options.h:663
options::ifconfig_remote_netmask
const char * ifconfig_remote_netmask
Definition options.h:324
options::lladdr
const char * lladdr
Definition options.h:321
options::verbosity
int verbosity
Definition options.h:399
options::windows_driver
enum tun_driver_type windows_driver
Definition options.h:701
options::remap_sigusr1
int remap_sigusr1
Definition options.h:393
options::renegotiate_bytes
int64_t renegotiate_bytes
Definition options.h:648
options::route_script
const char * route_script
Definition options.h:427
options::management_user_pass
const char * management_user_pass
Definition options.h:451
options::shared_secret_file
const char * shared_secret_file
Definition options.h:572
options::ifconfig_noexec
bool ifconfig_noexec
Definition options.h:328
options::dev
const char * dev
Definition options.h:318
options::management_client_group
const char * management_client_group
Definition options.h:457
options::client_config_dir
const char * client_config_dir
Definition options.h:508
options::genkey_type
enum genkey_type genkey_type
Definition options.h:284
options::advance_next_remote
bool advance_next_remote
Definition options.h:298
options::ifconfig_pool_persist_filename
const char * ifconfig_pool_persist_filename
Definition options.h:495
options::ifconfig_ipv6_netbits
int ifconfig_ipv6_netbits
Definition options.h:326
options::persist_local_ip
bool persist_local_ip
Definition options.h:360
plugin_list
Definition plugin.h:97
plugin_return
Definition plugin.h:104
plugin_return::n
int n
Definition plugin.h:105
plugin_return::list
struct openvpn_plugin_string_list * list[MAX_PLUGINS]
Definition plugin.h:106
remote_host_store
Definition options.h:227
remote_host_store::port
char port[RH_PORT_LEN]
Definition options.h:231
remote_host_store::host
char host[RH_HOST_LEN]
Definition options.h:229
route_ipv6_list
Definition route.h:243
route_ipv6_list::gc
struct gc_arena gc
Definition route.h:254
route_ipv6_option_list::flags
unsigned int flags
Definition route.h:113
route_ipv6_option_list::gc
struct gc_arena * gc
Definition route.h:115
route_list
Definition route.h:229
route_list::gc
struct gc_arena gc
Definition route.h:239
sha256_digest
Wrapper struct to pass around SHA256 digests.
Definition crypto.h:133
signal_info
Definition sig.h:41
signal_info::signal_text
const char * signal_text
Definition sig.h:44
signal_info::signal_received
volatile int signal_received
Definition sig.h:42
signal_info::source
volatile int source
Definition sig.h:43
status_output
Definition status.h:49
status_output::flags
unsigned int flags
Definition status.h:52
tls_auth_standalone::frame
struct frame frame
Definition ssl_pkt.h:81
tls_auth_standalone::workbuf
struct buffer workbuf
Definition ssl_pkt.h:80
tls_auth_standalone::tls_wrap
struct tls_wrap_ctx tls_wrap
Definition ssl_pkt.h:79
tls_multi::dco
dco_context_t * dco
Definition ssl_common.h:726
tls_multi::peer_info
char * peer_info
A multi-line string of general-purpose info received from peer over control channel.
Definition ssl_common.h:673
tls_multi::multi_state
enum multi_status multi_state
Definition ssl_common.h:633
tls_multi::opt
struct tls_options opt
Definition ssl_common.h:617
tls_multi::session
struct tls_session session[TM_SIZE]
Array of tls_session objects representing control channel sessions with the remote peer.
Definition ssl_common.h:712
tls_multi::peer_id
uint32_t peer_id
Definition ssl_common.h:700
tls_multi::use_peer_id
bool use_peer_id
Definition ssl_common.h:701
tls_options
Definition ssl_common.h:307
tls_options::renegotiate_bytes
int64_t renegotiate_bytes
Definition ssl_common.h:343
tls_options::auth_token_key
struct key_ctx auth_token_key
Definition ssl_common.h:408
tls_options::mode
int mode
Definition ssl_common.h:327
tls_options::auth_token_renewal
unsigned int auth_token_renewal
Definition ssl_common.h:406
tls_options::es
struct env_set * es
Definition ssl_common.h:414
tls_options::auth_token_lifetime
unsigned int auth_token_lifetime
Definition ssl_common.h:405
tls_options::gremlin
int gremlin
Definition ssl_common.h:448
tls_options::server
bool server
Definition ssl_common.h:315
tls_options::tls_wrap
struct tls_wrap_ctx tls_wrap
TLS handshake wrapping state.
Definition ssl_common.h:388
tls_options::ekm_label_size
size_t ekm_label_size
Definition ssl_common.h:452
tls_options::crypto_flags
unsigned int crypto_flags
Definition ssl_common.h:370
tls_options::remote_cert_ku
unsigned remote_cert_ku[MAX_PARMS]
Definition ssl_common.h:357
tls_options::packet_timeout
interval_t packet_timeout
Definition ssl_common.h:342
tls_options::auth_user_pass_file
const char * auth_user_pass_file
Definition ssl_common.h:398
tls_options::client_crresponse_script
const char * client_crresponse_script
Definition ssl_common.h:394
tls_options::sci
const struct static_challenge_info * sci
Definition ssl_common.h:444
tls_options::net_ctx
openvpn_net_ctx_t * net_ctx
Definition ssl_common.h:415
tls_options::tmp_dir
const char * tmp_dir
Definition ssl_common.h:396
tls_options::replay_time
int replay_time
Definition ssl_common.h:373
tls_options::renegotiate_seconds
interval_t renegotiate_seconds
Definition ssl_common.h:348
tls_options::frame
struct frame frame
Definition ssl_common.h:390
tls_options::renegotiate_packets
int64_t renegotiate_packets
Definition ssl_common.h:344
tls_options::auth_user_pass_file_inline
bool auth_user_pass_file_inline
Definition ssl_common.h:399
tls_options::verify_hash_depth
int verify_hash_depth
Definition ssl_common.h:360
tls_options::plugins
const struct plugin_list * plugins
Definition ssl_common.h:416
tls_options::client_config_dir_exclusive
const char * client_config_dir_exclusive
Definition ssl_common.h:411
tls_options::tls_crypt_v2
bool tls_crypt_v2
Definition ssl_common.h:384
tls_options::export_peer_cert_dir
const char * export_peer_cert_dir
Definition ssl_common.h:397
tls_options::verify_command
const char * verify_command
Definition ssl_common.h:351
tls_options::verify_hash
struct verify_hash_list * verify_hash
Definition ssl_common.h:359
tls_options::ekm_label
const char * ekm_label
Definition ssl_common.h:451
tls_options::ekm_size
size_t ekm_size
Definition ssl_common.h:453
tls_options::x509_username_field
char * x509_username_field[2]
Definition ssl_common.h:366
tls_options::transition_window
int transition_window
Definition ssl_common.h:340
tls_options::config_ciphername
const char * config_ciphername
Definition ssl_common.h:375
tls_options::verify_x509_type
int verify_x509_type
Definition ssl_common.h:352
tls_options::single_session
bool single_session
Definition ssl_common.h:326
tls_options::data_epoch_supported
bool data_epoch_supported
whether our underlying data channel supports new data channel features (epoch keys with AEAD tag at t...
Definition ssl_common.h:382
tls_options::verify_x509_name
const char * verify_x509_name
Definition ssl_common.h:353
tls_options::crl_file_inline
bool crl_file_inline
Definition ssl_common.h:355
tls_options::x509_track
const struct x509_track * x509_track
Definition ssl_common.h:441
tls_options::verify_hash_no_ca
bool verify_hash_no_ca
Definition ssl_common.h:361
tls_options::mda_context
struct man_def_auth_context * mda_context
Definition ssl_common.h:438
tls_options::tls_crypt_v2_verify_script
const char * tls_crypt_v2_verify_script
Definition ssl_common.h:385
tls_options::ssl_ctx
struct tls_root_ctx ssl_ctx
Definition ssl_common.h:309
tls_options::auth_user_pass_verify_script_via_file
bool auth_user_pass_verify_script_via_file
Definition ssl_common.h:395
tls_options::config_ncp_ciphers
const char * config_ncp_ciphers
Definition ssl_common.h:376
tls_options::xmit_hold
bool xmit_hold
Definition ssl_common.h:318
tls_options::ssl_flags
unsigned int ssl_flags
Definition ssl_common.h:435
tls_options::auth_token_generate
bool auth_token_generate
Generate auth-tokens on successful user/pass auth,seet via options->auth_token_generate.
Definition ssl_common.h:401
tls_options::key_type
struct key_type key_type
Definition ssl_common.h:312
tls_options::push_peer_info_detail
int push_peer_info_detail
The detail of info we push in peer info.
Definition ssl_common.h:339
tls_options::ns_cert_type
int ns_cert_type
Definition ssl_common.h:356
tls_options::verify_hash_algo
hash_algo_type verify_hash_algo
Definition ssl_common.h:362
tls_options::pull
bool pull
Definition ssl_common.h:328
tls_options::auth_token_call_auth
bool auth_token_call_auth
always call normal authentication
Definition ssl_common.h:404
tls_options::crl_file
const char * crl_file
Definition ssl_common.h:354
tls_options::handshake_window
int handshake_window
Definition ssl_common.h:341
tls_options::dco_enabled
bool dco_enabled
Whether keys have to be installed in DCO or not.
Definition ssl_common.h:455
tls_options::auth_user_pass_verify_script
const char * auth_user_pass_verify_script
Definition ssl_common.h:393
tls_options::remote_cert_eku
const char * remote_cert_eku
Definition ssl_common.h:358
tls_options::replay_window
int replay_window
Definition ssl_common.h:372
tls_session
Security parameter state of a single session within a VPN tunnel.
Definition ssl_common.h:490
tls_wrap_ctx::opt
struct crypto_options opt
Crypto state.
Definition ssl_common.h:283
tls_wrap_ctx::mode
enum tls_wrap_ctx::@28 mode
Control channel wrapping mode.
tls_wrap_ctx::work
struct buffer work
Work buffer (only for –tls-crypt)
Definition ssl_common.h:284
tls_wrap_ctx::tls_crypt_v2_server_key
struct key_ctx tls_crypt_v2_server_key
Decrypts client keys.
Definition ssl_common.h:285
tls_wrap_ctx::tls_crypt_v2_wkc
const struct buffer * tls_crypt_v2_wkc
Wrapped client key, sent to server.
Definition ssl_common.h:286
tls_wrap_ctx::original_wrap_keydata
struct key2 original_wrap_keydata
original key data to be xored in to the key for dynamic tls-crypt.
Definition ssl_common.h:299
tuntap_options::msg_channel
HANDLE msg_channel
Definition tun.h:88
tuntap
Definition tun.h:183
tuntap::local
in_addr_t local
Definition tun.h:210
tuntap::adapter_index
DWORD adapter_index
Definition tun.h:234
tuntap::backend_driver
enum tun_driver_type backend_driver
The backend driver that used for this tun/tap device.
Definition tun.h:193
tuntap::options
struct tuntap_options options
Definition tun.h:205
tuntap::local_ipv6
struct in6_addr local_ipv6
Definition tun.h:213
tuntap::dco
dco_context_t dco
Definition tun.h:249
tuntap::actual_name
char * actual_name
Definition tun.h:207
tuntap::remote_netmask
in_addr_t remote_netmask
Definition tun.h:211
user_pass
Definition misc.h:52
user_pass::password
char password[USER_PASS_LEN]
Definition misc.h:68
user_pass::username
char username[USER_PASS_LEN]
Definition misc.h:67
win32_signal
Definition win32.h:156
win32_signal::mode
int mode
Definition win32.h:160
window_title
Definition win32.h:74
srandom
#define srandom
Definition syshead.h:44
SOCKET_UNDEFINED
#define SOCKET_UNDEFINED
Definition syshead.h:438
sleep
#define sleep(x)
Definition syshead.h:42
es
struct env_set * es
Definition test_pkcs11.c:138
i
int i
Definition test_push_update_msg.c:120
gc
struct gc_arena gc
Definition test_ssl.c:131
tls_crypt.h
open_tun
void open_tun(const char *dev, const char *dev_type, const char *dev_node, struct tuntap *tt, openvpn_net_ctx_t *ctx)
Definition tun.c:6421
dev_type_enum
int dev_type_enum(const char *dev, const char *dev_type)
Definition tun.c:520
fork_register_dns_action
void fork_register_dns_action(struct tuntap *tt)
Definition tun.c:5809
init_tun
struct tuntap * init_tun(const char *dev, const char *dev_type, int topology, const char *ifconfig_local_parm, const char *ifconfig_remote_netmask_parm, const char *ifconfig_ipv6_local_parm, int ifconfig_ipv6_netbits_parm, const char *ifconfig_ipv6_remote_parm, struct addrinfo *local_public, struct addrinfo *remote_public, const bool strict_warn, struct env_set *es, openvpn_net_ctx_t *ctx, struct tuntap *tt)
Definition tun.c:829
is_dev_type
bool is_dev_type(const char *dev, const char *dev_type, const char *match_type)
Definition tun.c:502
do_ifconfig
void do_ifconfig(struct tuntap *tt, const char *ifname, int tun_mtu, const struct env_set *es, openvpn_net_ctx_t *ctx)
do_ifconfig - configure the tunnel interface
Definition tun.c:1565
dev_type_string
const char * dev_type_string(const char *dev, const char *dev_type)
Definition tun.c:539
close_tun
void close_tun(struct tuntap *tt, openvpn_net_ctx_t *ctx)
Definition tun.c:6572
show_adapters
void show_adapters(msglvl_t msglevel)
Definition tun.c:4878
warn_on_use_of_common_subnets
void warn_on_use_of_common_subnets(openvpn_net_ctx_t *ctx)
Definition tun.c:669
init_tun_post
void init_tun_post(struct tuntap *tt, const struct frame *frame, const struct tuntap_options *options)
Definition tun.c:953
guess_tuntap_dev
const char * guess_tuntap_dev(const char *dev, const char *dev_type, const char *dev_node, struct gc_arena *gc)
Definition tun.c:559
do_ifconfig_setenv
void do_ifconfig_setenv(const struct tuntap *tt, struct env_set *es)
Definition tun.c:785
undo_ifconfig
void undo_ifconfig(struct tuntap *tt, openvpn_net_ctx_t *ctx)
undo_ifconfig - undo configuration of the tunnel interface
Definition tun.c:1654
tun_standby_init
void tun_standby_init(struct tuntap *tt)
Definition tun.c:5531
print_tun_backend_driver
const char * print_tun_backend_driver(enum tun_driver_type driver)
Return a string representation of the tun backed driver type.
Definition tun.c:58
IFCONFIG_AFTER_TUN_OPEN
#define IFCONFIG_AFTER_TUN_OPEN
Definition tun.h:349
IFCONFIG_BEFORE_TUN_OPEN
#define IFCONFIG_BEFORE_TUN_OPEN
Definition tun.h:348
tuntap_is_dco_win
static bool tuntap_is_dco_win(struct tuntap *tt)
Definition tun.h:532
DRIVER_NULL
@ DRIVER_NULL
Definition tun.h:52
DRIVER_GENERIC_TUNTAP
@ DRIVER_GENERIC_TUNTAP
Definition tun.h:47
DRIVER_AFUNIX
@ DRIVER_AFUNIX
using an AF_UNIX socket to pass packets from/to an external program.
Definition tun.h:51
DRIVER_DCO
@ DRIVER_DCO
Definition tun.h:53
ROUTE_AFTER_TUN
#define ROUTE_AFTER_TUN
Definition tun.h:380
ifconfig_order
static int ifconfig_order(struct tuntap *tt)
Definition tun.h:354
open_tun_null
static void open_tun_null(struct tuntap *tt)
Definition tun.h:634
route_order
static int route_order(struct tuntap *tt)
Definition tun.h:384
ROUTE_BEFORE_TUN
#define ROUTE_BEFORE_TUN
Definition tun.h:379
is_tun_type_set
static bool is_tun_type_set(const struct tuntap *tt)
Definition tun.h:628
tuncfg
void tuncfg(const char *dev, const char *dev_type, const char *dev_node, int persist_mode, const char *username, const char *groupname, const struct tuntap_options *options, openvpn_net_ctx_t *ctx)
open_tun_afunix
void open_tun_afunix(struct options *o, int mtu, struct tuntap *tt, struct env_set *orig_env)
Opens an AF_UNIX based tun device.
Definition tun_afunix.c:71
close_tun_afunix
void close_tun_afunix(struct tuntap *tt)
Closes the socket used for the AF_UNIX based device.
Definition tun_afunix.c:123
tun_afunix.h
is_tun_afunix
static bool is_tun_afunix(const char *devnode)
Checks whether a –dev-node parameter specifies a AF_UNIX device.
Definition tun_afunix.h:61
win32_signal_open
void win32_signal_open(struct win32_signal *ws, int force, const char *exit_event_name, bool exit_event_initial_state)
Definition win32.c:452
win_wfp_block
bool win_wfp_block(const NET_IFINDEX index, const HANDLE msg_channel, BOOL dns_only)
Definition win32.c:1202
window_title_generate
void window_title_generate(const char *title)
Definition win32.c:723
window_title_save
void window_title_save(struct window_title *wt)
Definition win32.c:697
win_wfp_uninit
bool win_wfp_uninit(const NET_IFINDEX index, const HANDLE msg_channel)
Definition win32.c:1251
init_win32
void init_win32(void)
Definition win32.c:107
WSO_MODE_CONSOLE
#define WSO_MODE_CONSOLE
Definition win32.h:159
WSO_FORCE_SERVICE
#define WSO_FORCE_SERVICE
Definition win32.h:173
WSO_FORCE_CONSOLE
#define WSO_FORCE_CONSOLE
Definition win32.h:174
Generated by doxygen 1.9.8