26 #elif defined(_MSC_VER)
33 #include <systemd/sd-daemon.h>
68 #define CF_LOAD_PERSISTED_PACKET_ID (1<<0)
69 #define CF_INIT_TLS_MULTI (1<<1)
70 #define CF_INIT_TLS_AUTH_STANDALONE (1<<2)
115 const char *dev_type,
117 const char *ifconfig_local,
118 const char *ifconfig_remote,
120 const char *signal_text,
121 const char *script_type,
145 if (!ifconfig_remote)
147 ifconfig_remote =
"";
160 arg, tun_mtu, ifconfig_local, ifconfig_remote,
context);
164 msg(
M_FATAL,
"ERROR: up/down plugin call failed");
177 ifconfig_local, ifconfig_remote,
context);
208 #ifdef ENABLE_MANAGEMENT
218 if (
streq(p[1],
"NONE"))
222 else if (p[2] && p[3])
224 if (
streq(p[1],
"HTTP"))
229 msg(
M_WARN,
"HTTP proxy support only works for TCP based connections");
238 else if (
streq(p[1],
"SOCKS"))
308 const char *parameters)
311 size_t len = strlen(command) + 1 + strlen(parameters) + 1;
339 if (!strcmp(p[1],
"ACCEPT"))
344 else if (!strcmp(p[1],
"SKIP"))
349 else if (!strcmp(p[1],
"MOD") && p[2] && p[3])
382 int ce_changed =
true;
435 for (i = 0; i < l->
len; ++i)
534 msg(
M_FATAL,
"No usable connection profiles are present");
548 #ifdef ENABLE_MANAGEMENT
567 }
while (!ce_defined);
573 msg(
M_FATAL,
"All connections have been connect-retry-max (%d) times unsuccessful, exiting",
594 #ifdef ENABLE_MANAGEMENT
626 bool did_http =
false;
674 #if defined(ENABLE_PKCS11)
678 pkcs11_initialize(
true, c->
options.pkcs11_pin_cache_period);
681 pkcs11_addProvider(c->
options.pkcs11_providers[i], c->
options.pkcs11_protected_authentication[i],
682 c->
options.pkcs11_private_mode[i], c->
options.pkcs11_cert_private[i]);
694 strcpy(up.
username,
"Please insert your cryptographic token");
701 #ifdef ENABLE_SYSTEMD
706 sd_notifyf(0,
"READY=1\nSTATUS=Pre-connection initialization successful\nMAINPID=%lu",
707 (
unsigned long) getpid());
723 close_port_share(
void)
727 port_share_close(port_share);
733 init_port_share(
struct context *c)
735 if (!port_share && (c->
options.port_share_host && c->
options.port_share_port))
737 port_share = port_share_open(c->
options.port_share_host,
740 c->
options.port_share_journal_dir);
741 if (port_share == NULL)
743 msg(
M_FATAL,
"Fatal error: Port sharing failed");
757 crypto_init_dmalloc();
768 if (!gettimeofday(&tv, NULL))
770 const unsigned int seed = (
unsigned int) tv.tv_sec ^ tv.tv_usec;
781 #ifdef OPENVPN_DEBUG_COMMAND_LINE
784 for (i = 0; i < argc; ++i)
805 #ifdef IFCONFIG_POOL_TEST
806 ifconfig_pool_test(0x0A010004, 0x0A0100FF);
810 #ifdef CHARACTER_CLASS_DEBUG
811 character_class_debug();
815 #ifdef EXTRACT_X509_FIELD_TEST
825 #ifdef TEST_GET_DEFAULT_GATEWAY
839 const char *fn = gen_path(
"foo",
848 #ifdef STATUS_PRINTF_TEST
857 msg(
M_WARN,
"STATUS_PRINTF_TEST: %s: write error", tmp_file);
867 mstats_open(
"/dev/shm/mstats.dat");
868 for (i = 0; i < 30; ++i)
870 mmap_stats->n_clients += 1;
871 mmap_stats->link_write_bytes += 8;
872 mmap_stats->link_read_bytes += 16;
896 #if defined(MEASURE_TLS_HANDSHAKE_STATS)
897 show_tls_performance_stats();
989 msg(
M_USAGE,
"Using --genkey type with --secret filename is "
990 "not supported. Use --genkey type filename instead.");
998 msg(
M_USAGE,
"You must provide a filename to either --genkey "
999 "or --secret, not both");
1008 msg(
M_WARN,
"WARNING: Using --genkey --secret filename is "
1009 "DEPRECATED. Use --genkey secret filename instead.");
1014 if (nbits_written < 0)
1020 "Randomly generated %d bit key written to %s", nbits_written,
1034 "--genkey tls-crypt-v2-client requires a server key to be set via --tls-crypt-v2 to create a client key");
1070 "options --mktun or --rmtun should only be used together with --dev");
1072 #ifdef ENABLE_FEATURE_TUN_PERSIST
1084 "options --mktun and --rmtun are not available on your operating "
1085 "system. Please check 'man tun' (or 'tap'), whether your system "
1086 "supports using 'ifconfig %s create' / 'destroy' to create/remove "
1087 "persistent tunnel interfaces.",
options->
dev );
1102 #ifdef ENABLE_SYSTEMD
1104 if (sd_notify(0,
"READY=0") > 0)
1114 #if defined(__APPLE__) && defined(__clang__)
1115 #pragma clang diagnostic push
1116 #pragma clang diagnostic ignored "-Wdeprecated-declarations"
1120 msg(
M_ERR,
"daemon() failed or unsupported");
1122 #if defined(__APPLE__) && defined(__clang__)
1123 #pragma clang diagnostic pop
1142 static const char why_not[] =
"will be delayed because of --client, --pull, or --up-delay";
1156 msg(
M_INFO,
"NOTE: chroot %s", why_not);
1170 msg(
M_INFO,
"NOTE: UID/GID downgrade %s", why_not);
1174 #ifdef ENABLE_MEMSTATS
1177 mstats_open(c->
options.memstats_fn);
1181 #ifdef ENABLE_SELINUX
1188 if (c->
options.selinux_context)
1192 if (-1 == setcon(c->
options.selinux_context))
1194 msg(
M_ERR,
"setcon to '%s' failed; is /proc accessible?", c->
options.selinux_context);
1203 msg(
M_INFO,
"NOTE: setcon %s", why_not);
1384 const char *gw = NULL;
1421 const char *gw = NULL;
1439 char *opt_list[] = {
"::/3",
"2000::/4",
"3000::/4",
"fc00::/7", NULL };
1442 for (i = 0; opt_list[i]; i++)
1470 static const char message[] =
"Initialization Sequence Completed";
1497 msg(
M_INFO,
"%s With Errors ( see http://openvpn.net/faq.html#dhcpclientserv )", message);
1499 #ifdef ENABLE_SYSTEMD
1500 sd_notifyf(0,
"STATUS=Failed to start up: %s With Errors\nERRNO=1", message);
1507 #ifdef ENABLE_SYSTEMD
1508 sd_notifyf(0,
"STATUS=%s", message);
1523 #ifdef ENABLE_MANAGEMENT
1528 struct in6_addr *tun_local6 = NULL;
1531 socklen_t sa_len =
sizeof(local);
1532 const char *detail =
"SUCCESS";
1540 remote = actual->
dest;
1542 #if ENABLE_IP_PKTINFO
1545 switch (local.
addr.
sa.sa_family)
1548 #if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST)
1549 local.
addr.
in4.sin_addr = actual->pi.in4.ipi_spec_dst;
1551 local.
addr.
in4.sin_addr = actual->pi.in4;
1556 local.
addr.
in6.sin6_addr = actual->pi.in6.ipi6_addr;
1601 #ifdef ENABLE_MANAGEMENT
1612 msg(
M_WARN,
"WARNING: route-up plugin call failed");
1680 #ifndef TARGET_ANDROID
1685 #ifdef TARGET_ANDROID
1745 #ifdef TARGET_ANDROID
1805 #ifndef TARGET_ANDROID
1809 msg(
M_INFO,
"Preserving previous TUN/TAP instance: %s",
1885 #ifdef ENABLE_MANAGEMENT
2027 do_up(
struct context *c,
bool pulled_options,
unsigned int option_types_found)
2045 msg(
D_TLS_ERRORS,
"ERROR: Failed to apply P2P negotiated protocol options");
2067 msg(
M_INFO,
"NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.");
2114 unsigned int flags =
2159 "--data-ciphers-fallback not enabled. No usable "
2160 "data channel cipher");
2164 struct frame *frame_fragment = NULL;
2165 #ifdef ENABLE_FRAGMENT
2190 msg(
D_PUSH,
"OPTIONS IMPORT: --verb and/or --mute level changed");
2195 msg(
D_PUSH,
"OPTIONS IMPORT: timers and/or timeouts modified");
2202 msg(
D_PUSH,
"OPTIONS IMPORT: --explicit-exit-notify can only be used with --proto udp");
2207 msg(
D_PUSH,
"OPTIONS IMPORT: explicit notify parm(s) modified");
2214 msg(
D_PUSH,
"OPTIONS IMPORT: compression parms modified");
2215 comp_uninit(c->
c2.comp_context);
2216 c->
c2.comp_context = comp_init(&c->
options.comp);
2222 msg(
D_PUSH,
"OPTIONS IMPORT: traffic shaper enabled");
2228 msg(
D_PUSH,
"OPTIONS IMPORT: --sndbuf/--rcvbuf options modified");
2234 msg(
D_PUSH,
"OPTIONS IMPORT: --socket-flags option modified");
2240 msg(
D_PUSH,
"OPTIONS IMPORT: --persist options modified");
2244 msg(
D_PUSH,
"OPTIONS IMPORT: --ifconfig/up options modified");
2248 msg(
D_PUSH,
"OPTIONS IMPORT: route options modified");
2252 msg(
D_PUSH,
"OPTIONS IMPORT: route-related options modified");
2256 msg(
D_PUSH,
"OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified");
2260 msg(
D_PUSH,
"OPTIONS IMPORT: environment modified");
2265 msg(
D_PUSH,
"OPTIONS IMPORT: peer-id set");
2277 struct frame *frame_fragment = NULL;
2278 #ifdef ENABLE_FRAGMENT
2304 #ifdef ENABLE_MANAGEMENT
2339 if (GREMLIN_CONNECTION_FLOOD_LEVEL(c->
options.gremlin))
2494 msg(
D_MTU_DEBUG,
"MTU: adding %lu buffer tailroom for compression for %lu "
2537 #ifdef ENABLE_PREDICTION_RESISTANCE
2538 if (c->
options.use_prediction_resistance)
2540 rand_ctx_enable_prediction_resistance();
2590 msg(
M_INFO,
"Re-using pre-shared static key");
2617 msg(
M_FATAL,
"ERROR: tls-auth enabled, but no valid --auth "
2626 "Control Channel Authentication",
"tls-auth");
2680 msg(
M_FATAL,
"Error: private key password verification failed");
2764 bool packet_id_long_form;
2796 if (packet_id_long_form)
2873 #ifdef ENABLE_X509ALTUSERNAME
2887 #ifdef ENABLE_MANAGEMENT
2906 #ifdef ENABLE_MANAGEMENT
2911 to.comp_options =
options->comp;
2914 #ifdef HAVE_EXPORT_KEYING_MATERIAL
2915 if (
options->keying_material_exporter_label)
2994 "Control Channel MTU parms");
3000 "TLS-Auth MTU parms");
3019 "******* WARNING *******: All encryption and authentication features "
3020 "disabled -- All data will be tunnelled as clear text and will not be "
3021 "protected against man-in-the-middle changes. "
3022 "PLEASE DO RECONSIDER THIS CONFIGURATION!");
3059 #ifdef ENABLE_FRAGMENT
3069 #if defined(ENABLE_FRAGMENT)
3076 "WARNING: using --fragment and --mtu-test together may produce an inaccurate MTU test result");
3080 #ifdef ENABLE_FRAGMENT
3083 msg(
M_WARN,
"WARNING: if you use --mssfix and --fragment, you should "
3084 "set --fragment (%d) larger or equal than --mssfix (%d)",
3090 msg(
M_WARN,
"WARNING: if you use --mssfix and --fragment, you should "
3091 "use the \"mtu\" flag for both or none of of them.");
3103 msg(
M_WARN,
"WARNING: --ping should normally be used with --ping-restart or --ping-exit");
3107 #ifdef ENABLE_SELINUX
3108 || o->selinux_context
3114 msg(
M_WARN,
"WARNING: you are using user/group/chroot/setcon without persist-tun -- this may cause restarts to fail");
3122 msg(
M_WARN,
"WARNING: you are using user/group/chroot/setcon without persist-key -- this may cause restarts to fail");
3128 msg(
M_WARN,
"WARNING: you are using chroot without specifying user and group -- this may cause the chroot jail to be insecure");
3133 msg(
M_WARN,
"WARNING: using --pull/--client and --ifconfig together is probably not what you want");
3138 msg(
M_WARN,
"NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to");
3145 msg(
M_WARN,
"WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want");
3149 msg(
M_WARN,
"WARNING: --ifconfig-pool-persist will not work with --duplicate-cn");
3153 msg(
M_WARN,
"WARNING: --keepalive option is missing from server config");
3159 msg(
M_WARN,
"WARNING: You have disabled Replay Protection (--no-replay) which may make " PACKAGE_NAME " less secure");
3172 msg(
M_WARN,
"WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.");
3176 msg(
M_WARN,
"WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.");
3184 msg(
M_WARN,
"NOTE: the current --script-security setting may allow this configuration to call user-defined scripts");
3188 msg(
M_WARN,
"WARNING: the current --script-security setting may allow passwords to be passed to scripts via environmental variables");
3192 msg(
M_WARN,
"NOTE: starting with " PACKAGE_NAME " 2.1, '--script-security 2' or higher is required to call user-defined scripts or executables");
3216 b->decompress_buf =
alloc_buf(buf_size);
3254 #ifdef ENABLE_FRAGMENT
3287 #ifdef ENABLE_FRAGMENT
3291 "Fragmentation MTU parms");
3314 msg(
D_SHOW_OCC,
"Expected Remote Options String (VER=%s): '%s'",
3479 #ifdef ENABLE_FRAGMENT
3500 bool need_us_timeout)
3502 unsigned int flags = 0;
3508 if (need_us_timeout)
3625 msg(
M_INFO,
"NOTE: --fast-io is disabled since we are running on Windows");
3629 msg(
M_INFO,
"NOTE: --fast-io is disabled since we are not using UDP");
3635 msg(
M_INFO,
"NOTE: --fast-io is disabled since we are using --shaper");
3659 #ifdef ENABLE_PLUGIN
3685 for (i = 0; i < config.
n; ++i)
3687 unsigned int option_types_found = 0;
3694 &option_types_found,
3731 #ifdef ENABLE_MANAGEMENT
3746 msg(msglevel,
"END");
3748 msg(msglevel,
"ERROR: Sorry, this command is currently only implemented on Windows");
3752 #ifdef TARGET_ANDROID
3754 management_callback_network_change(
void *arg,
bool samenetwork)
3796 #ifdef ENABLE_MANAGEMENT
3807 #ifdef TARGET_ANDROID
3808 cb.network_change = management_callback_network_change;
3815 #ifdef ENABLE_MANAGEMENT
3865 msg(
M_WARN,
"Signal received from management interface, exiting");
3893 #ifdef ENABLE_MANAGEMENT
4020 #ifdef ENABLE_PLUGIN
4074 #ifdef ENABLE_FRAGMENT
4084 unsigned int crypto_flags = 0;
4108 c->
c2.comp_context = comp_init(&
options->comp);
4124 #ifdef ENABLE_FRAGMENT
4165 #ifdef ENABLE_PLUGIN
4201 #ifdef ENABLE_PLUGIN
4249 if (c->
c2.comp_context)
4251 comp_uninit(c->
c2.comp_context);
4252 c->
c2.comp_context = NULL;
4271 #ifdef ENABLE_MANAGEMENT
4278 #ifdef ENABLE_PLUGIN
4289 #ifdef ENABLE_FRAGMENT
4350 #ifdef ENABLE_PLUGIN
4429 dest->
c2.comp_context = NULL;
4471 unsigned int pid = 0;
4475 msg(
M_ERR,
"Open error on pid file %s", filename);
4480 fprintf(fp,
"%u\n", pid);
4483 msg(
M_ERR,
"Close error on pid file %s", filename);
const char * tls_crypt_file
struct status_output * status_open(const char *filename, const int refresh_freq, const int msglevel, const struct virtual_output *vout, const unsigned int flags)
struct openvpn_plugin_string_list * list[MAX_PLUGINS]
static void do_close_ifconfig_pool_persist(struct context *c)
unsigned int pull_permission_mask(const struct context *c)
struct event_timeout route_wakeup
void tun_standby_init(struct tuntap *tt)
bool do_test_crypto(const struct options *o)
struct tls_auth_standalone * tls_auth_standalone
TLS state structure required for the initial authentication of a client's connection attempt.
enum genkey_type genkey_type
struct plugin_list * plugin_list_init(const struct plugin_option_list *list)
void management_set_state(struct management *man, const int state, const char *detail, const in_addr_t *tun_local_ip, const struct in6_addr *tun_local_ip6, const struct openvpn_sockaddr *local, const struct openvpn_sockaddr *remote)
static void do_close_plugins(struct context *c)
int write_key_file(const int nkeys, const char *filename)
Write nkeys 1024-bit keys to file.
bool management_open(struct management *man, const char *addr, const char *port, const char *pass_file, const char *client_user, const char *client_group, const int log_history_cache, const int echo_buffer_size, const int state_buffer_size, const char *write_peer_info_file, const int remap_sigusr1, const unsigned int flags)
volatile int signal_received
void do_ifconfig_setenv(const struct tuntap *tt, struct env_set *es)
static void do_init_server_poll_timeout(struct context *c)
static void next_connection_entry(struct context *c)
#define CE_MAN_QUERY_REMOTE_MOD
void tls_multi_init_finalize(struct tls_multi *multi, const struct frame *frame)
Finalize initialization of a tls_multi structure.
struct verify_hash_list * verify_hash
#define OPENVPN_PLUGIN_UP
void tls_crypt_v2_init_server_key(struct key_ctx *key_ctx, bool encrypt, const char *key_file, bool key_inline)
Initialize a tls-crypt-v2 server key (used to encrypt/decrypt client keys).
void get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6, const struct in6_addr *dest, openvpn_net_ctx_t *ctx)
const char * config_ncp_ciphers
void management_post_tunnel_open(struct management *man, const in_addr_t tun_local_ip)
static void do_close_tls(struct context *c)
void fragment_frame_init(struct fragment_master *f, const struct frame *frame)
Allocate internal packet buffers for a fragment_master structure.
const char * management_write_peer_info_file
void notnull(const char *arg, const char *description)
const char * verify_x509_name
struct static_challenge_info sc_info
#define OPENVPN_PLUGIN_DOWN
const struct link_socket * accept_from
bool enable_ncp_fallback
If defined fall back to ciphername if NCP fails.
void add_route_ipv6_to_option_list(struct route_ipv6_option_list *l, const char *prefix, const char *gateway, const char *metric)
static struct gc_arena gc_new(void)
struct fragment_master * fragment_init(struct frame *frame)
Allocate and initialize a fragment_master structure.
void do_ifconfig(struct tuntap *tt, const char *ifname, int tun_mtu, const struct env_set *es, openvpn_net_ctx_t *ctx)
do_ifconfig - configure the tunnel interface
int connect_retry_seconds
int explicit_exit_notification
struct tls_multi * tls_multi
TLS state structure for this VPN tunnel.
bool open_management(struct context *c)
struct frame frame_initial
void fragment_free(struct fragment_master *f)
Free a fragment_master structure and its internal packet buffers.
static bool key_ctx_bi_defined(const struct key_ctx_bi *key)
struct context_persist persist
Persistent context.
int len
Length in bytes of the actual content within the allocated memory.
void restore_signal_state(void)
void frame_print(const struct frame *frame, int level, const char *prefix)
void open_tun(const char *dev, const char *dev_type, const char *dev_node, struct tuntap *tt)
const char * socks_proxy_server
int set_lladdr(openvpn_net_ctx_t *ctx, const char *ifname, const char *lladdr, const struct env_set *es)
static void init_connection_list(struct context *c)
void packet_id_init(struct packet_id *p, int seq_backtrack, int time_backtrack, const char *name, int unit)
bool management_hold(struct management *man, int holdtime)
bool tls_item_in_cipher_list(const char *item, const char *list)
Return true iff item is present in the colon-separated zero-terminated cipher list.
bool tls_session_update_crypto_params(struct tls_session *session, struct options *options, struct frame *frame, struct frame *frame_fragment, struct link_socket_info *lsi)
Update TLS session crypto parameters (cipher and auth) and derive data channel keys based on the supp...
void init_query_passwords(const struct context *c)
Query for private key and auth-user-pass username/passwords.
void env_set_destroy(struct env_set *es)
const char * auth_token_secret_file
#define EVENT_METHOD_US_TIMEOUT
enum windows_driver_type windows_driver
char * options_string(const struct options *o, const struct frame *frame, struct tuntap *tt, openvpn_net_ctx_t *ctx, bool remote, struct gc_arena *gc)
struct tuntap * tuntap
Tun/tap virtual network interface.
bool tls_crypt_file_inline
static void set_check_status_error_delay(unsigned int milliseconds)
const char * proto2ascii(int proto, sa_family_t af, bool display_form)
void packet_id_persist_load(struct packet_id_persist *p, const char *filename)
static void do_close_free_buf(struct context *c)
const struct buffer * tls_crypt_v2_wkc
Wrapped client key, sent to server.
static int occ_reset_op(void)
void management_sleep(const int n)
A sleep function that services the management layer for n seconds rather than doing nothing.
bool tuntap_owned
Whether the tun/tap interface should be cleaned up when this context is cleaned up.
static void do_open_status_output(struct context *c)
Contains all state information for one tunnel.
static void do_setup_fast_io(struct context *c)
bool init_route_ipv6_list(struct route_ipv6_list *rl6, const struct route_ipv6_option_list *opt6, const char *remote_endpoint, int default_metric, const struct in6_addr *remote_host_ipv6, struct env_set *es, openvpn_net_ctx_t *ctx)
struct tls_session session[TM_SIZE]
Array of tls_session objects representing control channel sessions with the remote peer.
static int route_did_redirect_default_gateway(const struct route_list *rl)
struct key_ctx auth_token_key
void extract_x509_field_test(void)
enum tls_wrap_ctx::@14 mode
Control channel wrapping mode.
struct link_socket_addr * lsa
struct key_ctx auth_token_key
char username[USER_PASS_LEN]
long int get_random(void)
static void do_init_crypto_none(struct context *c)
static void do_print_data_channel_mtu_parms(struct context *c)
int status_file_update_freq
struct addrinfo * bind_local
struct plugin_list * plugins
List of plug-ins.
static void plugin_return_init(struct plugin_return *pr)
void warn_on_use_of_common_subnets(openvpn_net_ctx_t *ctx)
const char * shared_secret_file
bool argv_printf_cat(struct argv *argres, const char *format,...)
printf() inspired argv concatenation.
bool tls_crypt_v2_force_cookie
struct buffer alloc_buf_gc(size_t size, struct gc_arena *gc)
static int openvpn_run_script(const struct argv *a, const struct env_set *es, const unsigned int flags, const char *hook)
Will run a script and return the exit code of the script if between 0 and 255, -1 otherwise.
bool print_openssl_info(const struct options *options)
void tls_crypt_v2_write_client_key_file(const char *filename, const char *b64_metadata, const char *server_key_file, bool server_key_inline)
Generate a tls-crypt-v2 client key, and write to file.
void argv_free(struct argv *a)
Frees all memory allocations allocated by the struct argv related functions.
#define X509_USERNAME_FIELD_DEFAULT
static bool link_socket_proto_connection_oriented(int proto)
bool set_debug_level(const int level, const unsigned int flags)
const char * special_state_msg
static void do_close_fragment(struct context *c)
@ GENKEY_TLS_CRYPTV2_CLIENT
hmac_ctx_t * session_id_hmac_init(void)
const char * dev_type_string(const char *dev, const char *dev_type)
void plugin_list_open(struct plugin_list *pl, const struct plugin_option_list *list, struct plugin_return *pr, const struct env_set *es, const int init_point)
void init_instance(struct context *c, const struct env_set *env, const unsigned int flags)
bool(* remote_cmd)(void *arg, const char **p)
const char * remote_cert_eku
int tailroom
the tailroom in the buffer.
void reset_coarse_timers(struct context *c)
static void packet_id_persist_init(struct packet_id_persist *p)
struct event_timeout inactivity_interval
void show_available_ciphers(void)
struct context_0 * c0
Level 0 context.
void buf_clear(struct buffer *buf)
#define CE_MAN_QUERY_PROXY
static void do_close_tun(struct context *c, bool force)
void crypto_read_openvpn_key(const struct key_type *key_type, struct key_ctx_bi *ctx, const char *key_file, bool key_inline, const int key_direction, const char *key_name, const char *opt_name)
#define CO_FORCE_TLSCRYPTV2_COOKIE
Bit-flag indicating that we do not allow clients that do not support resending the wrapped client key...
struct connection_entry ce
struct addrinfo * current_remote
void env_set_inherit(struct env_set *es, const struct env_set *src)
static void do_close_free_key_schedule(struct context *c, bool free_ssl_ctx)
struct context_buffers * buffers
hash_algo_type verify_hash_algo
void context_gc_free(struct context *c)
void set_check_status(unsigned int info_level, unsigned int verbose_level)
size_t frame_calculate_protocol_header_size(const struct key_type *kt, const struct options *options, bool occ)
Calculates the size of the OpenVPN protocol header.
const char * genkey_extra_data
static bool management_callback_send_cc_message(void *arg, const char *command, const char *parameters)
This method sends a custom control channel message.
struct context_buffers * init_context_buffers(const struct frame *frame)
struct event_timeout route_wakeup_expire
struct buffer decrypt_buf
void argv_parse_cmd(struct argv *argres, const char *cmdstr)
Parses a command string, tokenizes it and puts each element into a separate struct argv argument slot...
static bool options_hash_changed_or_zero(const struct sha256_digest *a, const struct sha256_digest *b)
Helper for do_up().
static bool proto_is_dgram(int proto)
Return whether the protocol is datagram-based (UDP).
md_ctx_t * pulled_options_state
void socks_proxy_close(struct socks_proxy_info *sp)
struct tls_wrap_ctx tls_wrap
TLS handshake wrapping state.
const char * config_ciphername
void window_title_save(struct window_title *wt)
static void do_inherit_plugins(struct context *c, const struct context *src)
static void do_close_packet_id(struct context *c)
interval_t renegotiate_seconds
int mode
Role of this context within the OpenVPN process.
void reset_check_status(void)
bool do_up(struct context *c, bool pulled_options, unsigned int option_types_found)
struct link_socket_info * link_socket_info
This variable is used instead of link_socket->info for P2MP UDP children.
#define STATUS_OUTPUT_WRITE
struct frame frame_fragment_initial
Packet geometry parameters.
#define IFCONFIG_AFTER_TUN_OPEN
void setenv_routes_ipv6(struct env_set *es, const struct route_ipv6_list *rl6)
void tls_crypt_v2_init_client_key(struct key_ctx_bi *key, struct buffer *wkc_buf, const char *key_file, bool key_inline)
Initialize a tls-crypt-v2 client key.
static void key_schedule_free(struct key_schedule *ks, bool free_ssl_ctx)
void setenv_int(struct env_set *es, const char *name, int value)
void interval_init(struct interval *top, int horizon, int refresh)
void management_show_net_callback(void *arg, const int msglevel)
#define GET_USER_PASS_MANAGEMENT
static void do_inherit_env(struct context *c, const struct env_set *src)
void management_notify_generic(struct management *man, const char *str)
struct route_ipv6_option_list * routes_ipv6
static int route_order(void)
static void do_init_route_ipv6_list(const struct options *options, struct route_ipv6_list *route_ipv6_list, const struct link_socket_info *link_socket_info, struct env_set *es, openvpn_net_ctx_t *ctx)
void show_available_tls_ciphers(const char *cipher_list, const char *cipher_list_tls13, const char *tls_cert_profile)
struct event_timeout occ_interval
static const char * np(const char *str)
struct key_ctx_bi tls_wrap_key
const char * tls_cert_profile
static void do_init_crypto_static(struct context *c, const unsigned int flags)
static int plugin_call(const struct plugin_list *pl, const int type, const struct argv *av, struct plugin_return *pr, struct env_set *es)
bool auth_token_generate
Generate auth-tokens on successful user/pass auth, set via options->auth_token_generate.
Level 0 context containing information related to the OpenVPN process.
struct route_list * route_list
List of routing information.
struct event_timeout wait_for_connect
void test_crypto(struct crypto_options *co, struct frame *frame)
static void do_init_first_time(struct context *c)
enum multi_status multi_state
struct context_2 c2
Level 2 context.
const char * cipher_list_tls13
struct ifconfig_pool_persist * ifconfig_pool_persist_init(const char *filename, int refresh_freq)
void free_key_ctx_bi(struct key_ctx_bi *ctx)
static void do_close_tun_simple(struct context *c)
#define TM_ACTIVE
Active tls_session.
struct tls_root_ctx ssl_ctx
static void do_init_route_list(const struct options *options, struct route_list *route_list, const struct link_socket_info *link_socket_info, struct env_set *es, openvpn_net_ctx_t *ctx)
char * string_alloc(const char *str, struct gc_arena *gc)
struct gc_arena gc
Garbage collection arena for allocations done in the level 2 scope of this context_2 structure.
static void do_compute_occ_strings(struct context *c)
const char * socks_proxy_port
struct crypto_options opt
Crypto state.
#define OPENVPN_PLUGIN_INIT_POST_DAEMON
struct in6_addr local_ipv6
const char * management_port
struct key_ctx tls_crypt_v2_server_key
Decrypts client keys.
void string_clear(char *str)
struct remote_host_store * rh_store
int connect_retry_seconds_max
static bool ce_management_query_remote(struct context *c)
const char * auth_user_pass_file
#define PULL_DEFINED(opt)
struct tls_root_ctx ssl_ctx
const char * verify_export_cert
static void frame_add_to_extra_tun(struct frame *frame, const int increment)
struct verify_hash_list * verify_hash
struct key_ctx tls_crypt_v2_server_key
struct gc_arena gc
Garbage collection arena for allocations done in the scope of this context structure.
#define OPENVPN_PLUGIN_INIT_PRE_DAEMON
openvpn_net_ctx_t * net_ctx
void packet_id_persist_save(struct packet_id_persist *p)
const struct x509_track * x509_track
#define CE_MAN_QUERY_REMOTE_SKIP
const struct x509_track * x509_track
enum windows_driver_type windows_driver
struct link_socket_addr link_socket_addr
Local and remote addresses on the external network.
bool shared_secret_file_inline
static void init_proxy(struct context *c)
const char * management_client_group
static void do_link_socket_new(struct context *c)
struct key_type tls_auth_key_type
void delete_routes(struct route_list *rl, struct route_ipv6_list *rl6, const struct tuntap *tt, unsigned int flags, const struct env_set *es, openvpn_net_ctx_t *ctx)
bool plugins_owned
Whether the plug-ins should be cleaned up when this context is cleaned up.
void open_plugins(struct context *c, const bool import_options, int init_point)
void ssl_clean_user_pass(void)
Cleans the saved user/password unless auth-nocache is in use.
struct socks_proxy_info * socks_proxy
int ifconfig_ipv6_netbits
void management_notify_client_close(struct management *management, struct man_def_auth_context *mdac, const struct env_set *es)
const char * digest
Message digest static parameters.
int payload_size
the maximum size of a payload that our buffers can hold from either the tun device or the network link.