OpenVPN
init.c
Go to the documentation of this file.
1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single TCP/UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2002-2024 OpenVPN Inc <sales@openvpn.net>
9  *
10  * This program is free software; you can redistribute it and/or modify
11  * it under the terms of the GNU General Public License version 2
12  * as published by the Free Software Foundation.
13  *
14  * This program is distributed in the hope that it will be useful,
15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17  * GNU General Public License for more details.
18  *
19  * You should have received a copy of the GNU General Public License along
20  * with this program; if not, write to the Free Software Foundation, Inc.,
21  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22  */
23 
24 #ifdef HAVE_CONFIG_H
25 #include "config.h"
26 #endif
27 
28 #include "syshead.h"
29 
30 #ifdef ENABLE_SYSTEMD
31 #include <systemd/sd-daemon.h>
32 #endif
33 
34 #include "win32.h"
35 #include "init.h"
36 #include "run_command.h"
37 #include "sig.h"
38 #include "occ.h"
39 #include "list.h"
40 #include "otime.h"
41 #include "pool.h"
42 #include "gremlin.h"
43 #include "occ.h"
44 #include "pkcs11.h"
45 #include "ps.h"
46 #include "lladdr.h"
47 #include "ping.h"
48 #include "mstats.h"
49 #include "ssl_verify.h"
50 #include "ssl_ncp.h"
51 #include "tls_crypt.h"
52 #include "forward.h"
53 #include "auth_token.h"
54 #include "mss.h"
55 #include "mudp.h"
56 #include "dco.h"
57 
58 #include "memdbg.h"
59 
60 
61 static struct context *static_context; /* GLOBAL */
62 static const char *saved_pid_file_name; /* GLOBAL */
63 
64 /*
65  * Crypto initialization flags
66  */
67 #define CF_LOAD_PERSISTED_PACKET_ID (1<<0)
68 #define CF_INIT_TLS_MULTI (1<<1)
69 #define CF_INIT_TLS_AUTH_STANDALONE (1<<2)
70 
71 static void do_init_first_time(struct context *c);
72 
73 static bool do_deferred_p2p_ncp(struct context *c);
74 
75 void
76 context_clear(struct context *c)
77 {
78  CLEAR(*c);
79 }
80 
81 void
82 context_clear_1(struct context *c)
83 {
84  CLEAR(c->c1);
85 }
86 
87 void
88 context_clear_2(struct context *c)
89 {
90  CLEAR(c->c2);
91 }
92 
93 void
94 context_clear_all_except_first_time(struct context *c)
95 {
96  const bool first_time_save = c->first_time;
97  const struct context_persist cpsave = c->persist;
98  context_clear(c);
99  c->first_time = first_time_save;
100  c->persist = cpsave;
101 }
102 
103 /*
104  * Pass tunnel endpoint and MTU parms to a user-supplied script.
105  * Used to execute the up/down script/plugins.
106  */
107 static void
108 run_up_down(const char *command,
109  const struct plugin_list *plugins,
110  int plugin_type,
111  const char *arg,
112 #ifdef _WIN32
113  DWORD adapter_index,
114 #endif
115  const char *dev_type,
116  int tun_mtu,
117  const char *ifconfig_local,
118  const char *ifconfig_remote,
119  const char *context,
120  const char *signal_text,
121  const char *script_type,
122  struct env_set *es)
123 {
124  struct gc_arena gc = gc_new();
125 
126  if (signal_text)
127  {
128  setenv_str(es, "signal", signal_text);
129  }
130  setenv_str(es, "script_context", context);
131  setenv_int(es, "tun_mtu", tun_mtu);
132  setenv_str(es, "dev", arg);
133  if (dev_type)
134  {
135  setenv_str(es, "dev_type", dev_type);
136  }
137 #ifdef _WIN32
138  setenv_int(es, "dev_idx", adapter_index);
139 #endif
140 
141  if (!ifconfig_local)
142  {
143  ifconfig_local = "";
144  }
145  if (!ifconfig_remote)
146  {
147  ifconfig_remote = "";
148  }
149  if (!context)
150  {
151  context = "";
152  }
153 
154  if (plugin_defined(plugins, plugin_type))
155  {
156  struct argv argv = argv_new();
157  ASSERT(arg);
158  argv_printf(&argv,
159  "%s %d 0 %s %s %s",
160  arg, tun_mtu, ifconfig_local, ifconfig_remote, context);
161 
162  if (plugin_call(plugins, plugin_type, &argv, NULL, es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
163  {
164  msg(M_FATAL, "ERROR: up/down plugin call failed");
165  }
166 
167  argv_free(&argv);
168  }
169 
170  if (command)
171  {
172  struct argv argv = argv_new();
173  ASSERT(arg);
174  setenv_str(es, "script_type", script_type);
175  argv_parse_cmd(&argv, command);
176  argv_printf_cat(&argv, "%s %d 0 %s %s %s", arg, tun_mtu,
177  ifconfig_local, ifconfig_remote, context);
178  argv_msg(M_INFO, &argv);
179  openvpn_run_script(&argv, es, S_FATAL, "--up/--down");
180  argv_free(&argv);
181  }
182 
183  gc_free(&gc);
184 }
185 
186 /*
187  * Should be called after options->ce is modified at the top
188  * of a SIGUSR1 restart.
189  */
190 static void
191 update_options_ce_post(struct options *options)
192 {
193  /*
194  * In pull mode, we usually import --ping/--ping-restart parameters from
195  * the server. However we should also set an initial default --ping-restart
196  * for the period of time before we pull the --ping-restart parameter
197  * from the server.
198  */
199  if (options->pull
200  && options->ping_rec_timeout_action == PING_UNDEF
201  && proto_is_dgram(options->ce.proto))
202  {
203  options->ping_rec_timeout = PRE_PULL_INITIAL_PING_RESTART;
204  options->ping_rec_timeout_action = PING_RESTART;
205  }
206 }
207 
208 #ifdef ENABLE_MANAGEMENT
209 static bool
210 management_callback_proxy_cmd(void *arg, const char **p)
211 {
212  struct context *c = arg;
213  struct connection_entry *ce = &c->options.ce;
214  struct gc_arena *gc = &c->c2.gc;
215  bool ret = false;
216 
217  update_time();
218  if (streq(p[1], "NONE"))
219  {
220  ret = true;
221  }
222  else if (p[2] && p[3])
223  {
224  if (streq(p[1], "HTTP"))
225  {
226  struct http_proxy_options *ho;
227  if (ce->proto != PROTO_TCP && ce->proto != PROTO_TCP_CLIENT)
228  {
229  msg(M_WARN, "HTTP proxy support only works for TCP based connections");
230  return false;
231  }
232  ho = init_http_proxy_options_once(&ce->http_proxy_options, gc);
233  ho->server = string_alloc(p[2], gc);
234  ho->port = string_alloc(p[3], gc);
235  ho->auth_retry = (p[4] && streq(p[4], "nct") ? PAR_NCT : PAR_ALL);
236  ret = true;
237  }
238  else if (streq(p[1], "SOCKS"))
239  {
240  ce->socks_proxy_server = string_alloc(p[2], gc);
241  ce->socks_proxy_port = string_alloc(p[3], gc);
242  ret = true;
243  }
244  }
245  else
246  {
247  msg(M_WARN, "Bad proxy command");
248  }
249 
250  ce->flags &= ~CE_MAN_QUERY_PROXY;
251 
252  return ret;
253 }
254 
255 static bool
256 ce_management_query_proxy(struct context *c)
257 {
258  const struct connection_list *l = c->options.connection_list;
259  struct connection_entry *ce = &c->options.ce;
260  struct gc_arena gc;
261  bool ret = true;
262 
263  update_time();
264  if (management)
265  {
266  gc = gc_new();
267  {
268  struct buffer out = alloc_buf_gc(256, &gc);
269  buf_printf(&out, ">PROXY:%u,%s,%s", (l ? l->current : 0) + 1,
270  (proto_is_udp(ce->proto) ? "UDP" : "TCP"), np(ce->remote));
271  management_notify_generic(management, BSTR(&out));
272  management->persist.special_state_msg = BSTR(&out);
273  }
274  ce->flags |= CE_MAN_QUERY_PROXY;
275  while (ce->flags & CE_MAN_QUERY_PROXY)
276  {
277  management_event_loop_n_seconds(management, 1);
278  if (IS_SIG(c))
279  {
280  ret = false;
281  break;
282  }
283  }
284  management->persist.special_state_msg = NULL;
285  gc_free(&gc);
286  }
287 
288  return ret;
289 }
290 
305 static bool
306 management_callback_send_cc_message(void *arg,
307  const char *command,
308  const char *parameters)
309 {
310  struct context *c = (struct context *) arg;
311  size_t len = strlen(command) + 1 + strlen(parameters) + 1;
312  if (len > PUSH_BUNDLE_SIZE)
313  {
314  return false;
315  }
316 
317  struct gc_arena gc = gc_new();
318  struct buffer buf = alloc_buf_gc(len, &gc);
319  ASSERT(buf_printf(&buf, "%s", command));
320  if (parameters)
321  {
322  ASSERT(buf_printf(&buf, ",%s", parameters));
323  }
324  bool status = send_control_channel_string(c, BSTR(&buf), D_PUSH);
325 
326  gc_free(&gc);
327  return status;
328 }
329 
330 static unsigned int
331 management_callback_remote_entry_count(void *arg)
332 {
333  assert(arg);
334  struct context *c = (struct context *) arg;
335  struct connection_list *l = c->options.connection_list;
336 
337  return l->len;
338 }
339 
340 static bool
341 management_callback_remote_entry_get(void *arg, unsigned int index, char **remote)
342 {
343  assert(arg);
344  assert(remote);
345 
346  struct context *c = (struct context *) arg;
347  struct connection_list *l = c->options.connection_list;
348  bool ret = true;
349 
350  if (index < l->len)
351  {
352  struct connection_entry *ce = l->array[index];
353  const char *proto = proto2ascii(ce->proto, ce->af, false);
354  const char *status = (ce->flags & CE_DISABLED) ? "disabled" : "enabled";
355 
356  /* space for output including 3 commas and a nul */
357  int len = strlen(ce->remote) + strlen(ce->remote_port) + strlen(proto)
358  + strlen(status) + 3 + 1;
359  char *out = malloc(len);
360  check_malloc_return(out);
361 
362  snprintf(out, len, "%s,%s,%s,%s", ce->remote, ce->remote_port, proto, status);
363  *remote = out;
364  }
365  else
366  {
367  ret = false;
368  msg(M_WARN, "Out of bounds index in management query for remote entry: index = %u", index);
369  }
370 
371  return ret;
372 }
373 
374 static bool
375 management_callback_remote_cmd(void *arg, const char **p)
376 {
377  struct context *c = (struct context *) arg;
378  struct connection_entry *ce = &c->options.ce;
379  int ret = false;
380  if (p[1] && ((ce->flags>>CE_MAN_QUERY_REMOTE_SHIFT)&CE_MAN_QUERY_REMOTE_MASK) == CE_MAN_QUERY_REMOTE_QUERY)
381  {
382  int flags = 0;
383  if (!strcmp(p[1], "ACCEPT"))
384  {
385  flags = CE_MAN_QUERY_REMOTE_ACCEPT;
386  ret = true;
387  }
388  else if (!strcmp(p[1], "SKIP"))
389  {
390  flags = CE_MAN_QUERY_REMOTE_SKIP;
391  ret = true;
392  c->options.ce_advance_count = (p[2]) ? atoi(p[2]) : 1;
393  }
394  else if (!strcmp(p[1], "MOD") && p[2] && p[3])
395  {
396  if (strlen(p[2]) < RH_HOST_LEN && strlen(p[3]) < RH_PORT_LEN)
397  {
398  struct remote_host_store *rhs = c->options.rh_store;
399  if (!rhs)
400  {
401  ALLOC_OBJ_CLEAR_GC(rhs, struct remote_host_store, &c->options.gc);
402  c->options.rh_store = rhs;
403  }
404  strncpynt(rhs->host, p[2], RH_HOST_LEN);
405  strncpynt(rhs->port, p[3], RH_PORT_LEN);
406 
407  ce->remote = rhs->host;
408  ce->remote_port = rhs->port;
409  flags = CE_MAN_QUERY_REMOTE_MOD;
410  ret = true;
411  }
412  }
413  if (ret)
414  {
415  ce->flags &= ~(CE_MAN_QUERY_REMOTE_MASK<<CE_MAN_QUERY_REMOTE_SHIFT);
416  ce->flags |= ((flags&CE_MAN_QUERY_REMOTE_MASK)<<CE_MAN_QUERY_REMOTE_SHIFT);
417  }
418  }
419  return ret;
420 }
421 
422 static bool
423 ce_management_query_remote(struct context *c)
424 {
425  struct gc_arena gc = gc_new();
426  volatile struct connection_entry *ce = &c->options.ce;
427  int ce_changed = true; /* presume the connection entry will be changed */
428 
429  update_time();
430  if (management)
431  {
432  struct buffer out = alloc_buf_gc(256, &gc);
433 
434  buf_printf(&out, ">REMOTE:%s,%s,%s", np(ce->remote), ce->remote_port,
435  proto2ascii(ce->proto, ce->af, false));
436  management_notify_generic(management, BSTR(&out));
437  management->persist.special_state_msg = BSTR(&out);
438 
439  ce->flags &= ~(CE_MAN_QUERY_REMOTE_MASK << CE_MAN_QUERY_REMOTE_SHIFT);
440  ce->flags |= (CE_MAN_QUERY_REMOTE_QUERY << CE_MAN_QUERY_REMOTE_SHIFT);
441  while (((ce->flags >> CE_MAN_QUERY_REMOTE_SHIFT)
442  & CE_MAN_QUERY_REMOTE_MASK) == CE_MAN_QUERY_REMOTE_QUERY)
443  {
444  management_event_loop_n_seconds(management, 1);
445  if (IS_SIG(c))
446  {
447  ce_changed = false; /* connection entry have not been set */
448  break;
449  }
450  }
451  management->persist.special_state_msg = NULL;
452  }
453  gc_free(&gc);
454 
455  if (ce_changed)
456  {
457  /* If it is likely a connection entry was modified,
458  * check what changed in the flags and that it was not skipped
459  */
460  const int flags = ((ce->flags >> CE_MAN_QUERY_REMOTE_SHIFT)
461  & CE_MAN_QUERY_REMOTE_MASK);
462  ce_changed = (flags != CE_MAN_QUERY_REMOTE_SKIP);
463  }
464  return ce_changed;
465 }
466 #endif /* ENABLE_MANAGEMENT */
467 
468 /*
469  * Initialize and possibly randomize connection list.
470  */
471 static void
472 init_connection_list(struct context *c)
473 {
474  struct connection_list *l = c->options.connection_list;
475 
476  l->current = -1;
477  if (c->options.remote_random)
478  {
479  int i;
480  for (i = 0; i < l->len; ++i)
481  {
482  const int j = get_random() % l->len;
483  if (i != j)
484  {
485  struct connection_entry *tmp;
486  tmp = l->array[i];
487  l->array[i] = l->array[j];
488  l->array[j] = tmp;
489  }
490  }
491  }
492 }
493 
494 /*
495  * Clear the remote address list
496  */
497 static void
498 clear_remote_addrlist(struct link_socket_addr *lsa, bool free)
499 {
500  if (lsa->remote_list && free)
501  {
502  freeaddrinfo(lsa->remote_list);
503  }
504  lsa->remote_list = NULL;
505  lsa->current_remote = NULL;
506 }
507 
508 /*
509  * Increment to next connection entry
510  */
511 static void
512 next_connection_entry(struct context *c)
513 {
514  struct connection_list *l = c->options.connection_list;
515  bool ce_defined;
516  struct connection_entry *ce;
517  int n_cycles = 0;
518 
519  do
520  {
521  ce_defined = true;
522  if (c->options.no_advance && l->current >= 0)
523  {
524  c->options.no_advance = false;
525  }
526  else
527  {
528  /* Check if there is another resolved address to try for
529  * the current connection */
530  if (c->c1.link_socket_addr.current_remote
531  && c->c1.link_socket_addr.current_remote->ai_next
532  && !c->options.advance_next_remote)
533  {
534  c->c1.link_socket_addr.current_remote =
535  c->c1.link_socket_addr.current_remote->ai_next;
536  }
537  else
538  {
539  c->options.advance_next_remote = false;
540  /* FIXME (schwabe) fix the persist-remote-ip option for real,
541  * this is broken probably ever since connection lists and multiple
542  * remote existed
543  */
544  if (!c->options.persist_remote_ip)
545  {
546  /* Connection entry addrinfo objects might have been
547  * resolved earlier but the entry itself might have been
548  * skipped by management on the previous loop.
549  * If so, clear the addrinfo objects as close_instance does
550  */
551  if (c->c1.link_socket_addr.remote_list)
552  {
553  clear_remote_addrlist(&c->c1.link_socket_addr,
554  !c->options.resolve_in_advance);
555  }
556 
557  /* close_instance should have cleared the addrinfo objects */
558  ASSERT(c->c1.link_socket_addr.current_remote == NULL);
559  ASSERT(c->c1.link_socket_addr.remote_list == NULL);
560  }
561  else
562  {
563  c->c1.link_socket_addr.current_remote =
564  c->c1.link_socket_addr.remote_list;
565  }
566 
567  int advance_count = 1;
568 
569  /* If previous connection entry was skipped by management client
570  * with a count to advance by, apply it.
571  */
572  if (c->options.ce_advance_count > 0)
573  {
574  advance_count = c->options.ce_advance_count;
575  }
576 
577  /*
578  * Increase the number of connection attempts
579  * If this is connect-retry-max * size(l)
580  * OpenVPN will quit
581  */
582 
583  c->options.unsuccessful_attempts += advance_count;
584  l->current += advance_count;
585 
586  if (l->current >= l->len)
587  {
588  l->current %= l->len;
589  if (++n_cycles >= 2)
590  {
591  msg(M_FATAL, "No usable connection profiles are present");
592  }
593  }
594  }
595  }
596 
597  c->options.ce_advance_count = 1;
598  ce = l->array[l->current];
599 
600  if (ce->flags & CE_DISABLED)
601  {
602  ce_defined = false;
603  }
604 
605  c->options.ce = *ce;
606 #ifdef ENABLE_MANAGEMENT
607  if (ce_defined && management && management_query_remote_enabled(management))
608  {
609  /* allow management interface to override connection entry details */
610  ce_defined = ce_management_query_remote(c);
611  if (IS_SIG(c))
612  {
613  break;
614  }
615  }
616  else if (ce_defined && management && management_query_proxy_enabled(management))
617  {
618  ce_defined = ce_management_query_proxy(c);
619  if (IS_SIG(c))
620  {
621  break;
622  }
623  }
624 #endif
625  } while (!ce_defined);
626 
627  /* Check if this connection attempt would bring us over the limit */
628  if (c->options.connect_retry_max > 0
629  && c->options.unsuccessful_attempts > (l->len * c->options.connect_retry_max))
630  {
631  msg(M_FATAL, "All connections have been connect-retry-max (%d) times unsuccessful, exiting",
632  c->options.connect_retry_max);
633  }
634  update_options_ce_post(&c->options);
635 }
636 
637 /*
638  * Query for private key and auth-user-pass username/passwords
639  */
640 void
641 init_query_passwords(const struct context *c)
642 {
643  /* Certificate password input */
644  if (c->options.key_pass_file)
645  {
646  pem_password_setup(c->options.key_pass_file);
647  }
648 
649  /* Auth user/pass input */
650  if (c->options.auth_user_pass_file)
651  {
652  enable_auth_user_pass();
653 #ifdef ENABLE_MANAGEMENT
654  auth_user_pass_setup(c->options.auth_user_pass_file,
655  c->options.auth_user_pass_file_inline,
656  &c->options.sc_info);
657 #else
658  auth_user_pass_setup(c->options.auth_user_pass_file,
659  c->options.auth_user_pass_file_inline, NULL);
660 #endif
661  }
662 }
663 
664 /*
665  * Initialize/Uninitialize HTTP or SOCKS proxy
666  */
667 
668 static void
669 uninit_proxy_dowork(struct context *c)
670 {
671  if (c->c1.http_proxy_owned && c->c1.http_proxy)
672  {
673  http_proxy_close(c->c1.http_proxy);
674  c->c1.http_proxy = NULL;
675  c->c1.http_proxy_owned = false;
676  }
677  if (c->c1.socks_proxy_owned && c->c1.socks_proxy)
678  {
679  socks_proxy_close(c->c1.socks_proxy);
680  c->c1.socks_proxy = NULL;
681  c->c1.socks_proxy_owned = false;
682  }
683 }
684 
685 static void
686 init_proxy_dowork(struct context *c)
687 {
688  bool did_http = false;
689 
690  uninit_proxy_dowork(c);
691 
692  if (c->options.ce.http_proxy_options)
693  {
694  c->options.ce.http_proxy_options->first_time = c->first_time;
695 
696  /* Possible HTTP proxy user/pass input */
697  c->c1.http_proxy = http_proxy_new(c->options.ce.http_proxy_options);
698  if (c->c1.http_proxy)
699  {
700  did_http = true;
701  c->c1.http_proxy_owned = true;
702  }
703  }
704 
705  if (!did_http && c->options.ce.socks_proxy_server)
706  {
707  c->c1.socks_proxy = socks_proxy_new(c->options.ce.socks_proxy_server,
708  c->options.ce.socks_proxy_port,
709  c->options.ce.socks_proxy_authfile);
710  if (c->c1.socks_proxy)
711  {
712  c->c1.socks_proxy_owned = true;
713  }
714  }
715 }
716 
717 static void
718 init_proxy(struct context *c)
719 {
720  init_proxy_dowork(c);
721 }
722 
723 static void
724 uninit_proxy(struct context *c)
725 {
726  uninit_proxy_dowork(c);
727 }
728 
729 void
730 context_init_1(struct context *c)
731 {
732  context_clear_1(c);
733 
734  packet_id_persist_init(&c->c1.pid_persist);
735 
736  init_connection_list(c);
737 
738 #if defined(ENABLE_PKCS11)
739  if (c->first_time)
740  {
741  int i;
742  pkcs11_initialize(true, c->options.pkcs11_pin_cache_period);
743  for (i = 0; i<MAX_PARMS && c->options.pkcs11_providers[i] != NULL; i++)
744  {
745  pkcs11_addProvider(c->options.pkcs11_providers[i], c->options.pkcs11_protected_authentication[i],
746  c->options.pkcs11_private_mode[i], c->options.pkcs11_cert_private[i]);
747  }
748  }
749 #endif
750 
751 #if 0 /* test get_user_pass with GET_USER_PASS_NEED_OK flag */
752  {
753  /*
754  * In the management interface, you can okay the request by entering "needok token-insertion-request ok"
755  */
756  struct user_pass up;
757  CLEAR(up);
758  strcpy(up.username, "Please insert your cryptographic token"); /* put the high-level message in up.username */
759  get_user_pass(&up, NULL, "token-insertion-request", GET_USER_PASS_MANAGEMENT|GET_USER_PASS_NEED_OK);
760  msg(M_INFO, "RET:%s", up.password); /* will return the third argument to management interface
761  * 'needok' command, usually 'ok' or 'cancel'. */
762  }
763 #endif
764 
765 #ifdef ENABLE_SYSTEMD
766  /* We can report the PID via getpid() to systemd here as OpenVPN will not
767  * do any fork due to daemon() a future call.
768  * See possibly_become_daemon() [init.c] for more details.
769  */
770  sd_notifyf(0, "READY=1\nSTATUS=Pre-connection initialization successful\nMAINPID=%lu",
771  (unsigned long) getpid());
772 #endif
773 
774 }
775 
776 void
777 context_gc_free(struct context *c)
778 {
779  gc_free(&c->c2.gc);
780  gc_free(&c->options.gc);
781  gc_free(&c->gc);
782 }
783 
784 #if PORT_SHARE
785 
786 static void
787 close_port_share(void)
788 {
789  if (port_share)
790  {
791  port_share_close(port_share);
792  port_share = NULL;
793  }
794 }
795 
796 static void
797 init_port_share(struct context *c)
798 {
799  if (!port_share && (c->options.port_share_host && c->options.port_share_port))
800  {
801  port_share = port_share_open(c->options.port_share_host,
802  c->options.port_share_port,
803  c->c2.frame.buf.payload_size,
804  c->options.port_share_journal_dir);
805  if (port_share == NULL)
806  {
807  msg(M_FATAL, "Fatal error: Port sharing failed");
808  }
809  }
810 }
811 
812 #endif /* if PORT_SHARE */
813 
814 
815 bool
816 init_static(void)
817 {
818  /* configure_path (); */
819 
820 #if defined(DMALLOC)
821  crypto_init_dmalloc();
822 #endif
823 
824 
825  /*
826  * Initialize random number seed. random() is only used
827  * when "weak" random numbers are acceptable.
828  * SSL library routines are always used when cryptographically
829  * strong random numbers are required.
830  */
831  struct timeval tv;
832  if (!gettimeofday(&tv, NULL))
833  {
834  const unsigned int seed = (unsigned int) tv.tv_sec ^ tv.tv_usec;
835  srandom(seed);
836  }
837 
838  error_reset(); /* initialize error.c */
839  reset_check_status(); /* initialize status check code in socket.c */
840 
841 #ifdef _WIN32
842  init_win32();
843 #endif
844 
845 #ifdef OPENVPN_DEBUG_COMMAND_LINE
846  {
847  int i;
848  for (i = 0; i < argc; ++i)
849  {
850  msg(M_INFO, "argv[%d] = '%s'", i, argv[i]);
851  }
852  }
853 #endif
854 
855  update_time();
856 
857  init_ssl_lib();
858 
859 #ifdef SCHEDULE_TEST
860  schedule_test();
861  return false;
862 #endif
863 
864 #ifdef IFCONFIG_POOL_TEST
865  ifconfig_pool_test(0x0A010004, 0x0A0100FF);
866  return false;
867 #endif
868 
869 #ifdef TIME_TEST
870  time_test();
871  return false;
872 #endif
873 
874 #ifdef GEN_PATH_TEST
875  {
876  struct gc_arena gc = gc_new();
877  const char *fn = gen_path("foo",
878  "bar",
879  &gc);
880  printf("%s\n", fn);
881  gc_free(&gc);
882  }
883  return false;
884 #endif
885 
886 #ifdef STATUS_PRINTF_TEST
887  {
888  struct gc_arena gc = gc_new();
889  const char *tmp_file = platform_create_temp_file("/tmp", "foo", &gc);
890  struct status_output *so = status_open(tmp_file, 0, -1, NULL, STATUS_OUTPUT_WRITE);
891  status_printf(so, "%s", "foo");
892  status_printf(so, "%s", "bar");
893  if (!status_close(so))
894  {
895  msg(M_WARN, "STATUS_PRINTF_TEST: %s: write error", tmp_file);
896  }
897  gc_free(&gc);
898  }
899  return false;
900 #endif
901 
902 #ifdef MSTATS_TEST
903  {
904  int i;
905  mstats_open("/dev/shm/mstats.dat");
906  for (i = 0; i < 30; ++i)
907  {
908  mmap_stats->n_clients += 1;
909  mmap_stats->link_write_bytes += 8;
910  mmap_stats->link_read_bytes += 16;
911  sleep(1);
912  }
913  mstats_close();
914  return false;
915  }
916 #endif
917 
918  return true;
919 }
920 
921 void
922 uninit_static(void)
923 {
924  free_ssl_lib();
925 
926 #ifdef ENABLE_PKCS11
927  pkcs11_terminate();
928 #endif
929 
930 #if PORT_SHARE
931  close_port_share();
932 #endif
933 
934 #if defined(MEASURE_TLS_HANDSHAKE_STATS)
935  show_tls_performance_stats();
936 #endif
937 }
938 
939 void
940 init_verb_mute(struct context *c, unsigned int flags)
941 {
942  if (flags & IVM_LEVEL_1)
943  {
944  /* set verbosity and mute levels */
945  set_check_status(D_LINK_ERRORS, D_READ_WRITE);
946  set_debug_level(c->options.verbosity, SDL_CONSTRAIN);
947  set_mute_cutoff(c->options.mute);
948  }
949 
950  /* special D_LOG_RW mode */
951  if (flags & IVM_LEVEL_2)
952  {
953  c->c2.log_rw = (check_debug_level(D_LOG_RW) && !check_debug_level(D_LOG_RW + 1));
954  }
955 }
956 
957 /*
958  * Possibly set --dev based on --dev-node.
959  * For example, if --dev-node /tmp/foo/tun, and --dev undefined,
960  * set --dev to tun.
961  */
962 void
963 init_options_dev(struct options *options)
964 {
965  if (!options->dev && options->dev_node)
966  {
967  char *dev_node = string_alloc(options->dev_node, NULL); /* POSIX basename() implementations may modify its arguments */
968  options->dev = basename(dev_node);
969  }
970 }
971 
972 bool
973 print_openssl_info(const struct options *options)
974 {
975  /*
976  * OpenSSL info print mode?
977  */
978  if (options->show_ciphers || options->show_digests || options->show_engines
979  || options->show_tls_ciphers || options->show_curves)
980  {
981  if (options->show_ciphers)
982  {
983  show_available_ciphers();
984  }
985  if (options->show_digests)
986  {
987  show_available_digests();
988  }
989  if (options->show_engines)
990  {
991  show_available_engines();
992  }
993  if (options->show_tls_ciphers)
994  {
995  show_available_tls_ciphers(options->cipher_list,
996  options->cipher_list_tls13,
997  options->tls_cert_profile);
998  }
999  if (options->show_curves)
1000  {
1001  show_available_curves();
1002  }
1003  return true;
1004  }
1005  return false;
1006 }
1007 
1008 /*
1009  * Static pre-shared key generation mode?
1010  */
1011 bool
1012 do_genkey(const struct options *options)
1013 {
1014  /* should we disable paging? */
1015  if (options->mlock && (options->genkey))
1016  {
1017  platform_mlockall(true);
1018  }
1019 
1020  /*
1021  * We do not want user to use --genkey with --secret. In the transistion
1022  * phase we for secret.
1023  */
1024  if (options->genkey && options->genkey_type != GENKEY_SECRET
1025  && options->shared_secret_file)
1026  {
1027  msg(M_USAGE, "Using --genkey type with --secret filename is "
1028  "not supported. Use --genkey type filename instead.");
1029  }
1030  if (options->genkey && options->genkey_type == GENKEY_SECRET)
1031  {
1032  int nbits_written;
1033  const char *genkey_filename = options->genkey_filename;
1034  if (options->shared_secret_file && options->genkey_filename)
1035  {
1036  msg(M_USAGE, "You must provide a filename to either --genkey "
1037  "or --secret, not both");
1038  }
1039 
1040  /*
1041  * Copy filename from shared_secret_file to genkey_filename to support
1042  * the old --genkey --secret foo.file syntax.
1043  */
1044  if (options->shared_secret_file)
1045  {
1046  msg(M_WARN, "WARNING: Using --genkey --secret filename is "
1047  "DEPRECATED. Use --genkey secret filename instead.");
1048  genkey_filename = options->shared_secret_file;
1049  }
1050 
1051  nbits_written = write_key_file(2, genkey_filename);
1052  if (nbits_written < 0)
1053  {
1054  msg(M_FATAL, "Failed to write key file");
1055  }
1056 
1057  msg(D_GENKEY | M_NOPREFIX,
1058  "Randomly generated %d bit key written to %s", nbits_written,
1059  options->shared_secret_file);
1060  return true;
1061  }
1062  else if (options->genkey && options->genkey_type == GENKEY_TLS_CRYPTV2_SERVER)
1063  {
1064  tls_crypt_v2_write_server_key_file(options->genkey_filename);
1065  return true;
1066  }
1067  else if (options->genkey && options->genkey_type == GENKEY_TLS_CRYPTV2_CLIENT)
1068  {
1069  if (!options->tls_crypt_v2_file)
1070  {
1071  msg(M_USAGE,
1072  "--genkey tls-crypt-v2-client requires a server key to be set via --tls-crypt-v2 to create a client key");
1073  }
1074 
1075  tls_crypt_v2_write_client_key_file(options->genkey_filename,
1076  options->genkey_extra_data, options->tls_crypt_v2_file,
1077  options->tls_crypt_v2_file_inline);
1078  return true;
1079  }
1080  else if (options->genkey && options->genkey_type == GENKEY_AUTH_TOKEN)
1081  {
1082  auth_token_write_server_key_file(options->genkey_filename);
1083  return true;
1084  }
1085  else
1086  {
1087  return false;
1088  }
1089 }
1090 
1091 /*
1092  * Persistent TUN/TAP device management mode?
1093  */
1094 bool
1095 do_persist_tuntap(struct options *options, openvpn_net_ctx_t *ctx)
1096 {
1097  if (!options->persist_config)
1098  {
1099  return false;
1100  }
1101 
1102  /* sanity check on options for --mktun or --rmtun */
1103  notnull(options->dev, "TUN/TAP device (--dev)");
1104  if (options->ce.remote || options->ifconfig_local
1105  || options->ifconfig_remote_netmask
1106  || options->shared_secret_file
1107  || options->tls_server || options->tls_client
1108  )
1109  {
1110  msg(M_FATAL|M_OPTERR,
1111  "options --mktun or --rmtun should only be used together with --dev");
1112  }
1113 
1114 #if defined(ENABLE_DCO)
1115  if (dco_enabled(options))
1116  {
1117  /* creating a DCO interface via --mktun is not supported as it does not
1118  * make much sense. Since DCO is enabled by default, people may run into
1119  * this without knowing, therefore this case should be properly handled.
1120  *
1121  * Disable DCO if --mktun was provided and print a message to let
1122  * user know.
1123  */
1124  if (dev_type_enum(options->dev, options->dev_type) == DEV_TYPE_TUN)
1125  {
1126  msg(M_WARN, "Note: --mktun does not support DCO. Creating TUN interface.");
1127  }
1128 
1129  options->tuntap_options.disable_dco = true;
1130  }
1131 #endif
1132 
1133 #ifdef ENABLE_FEATURE_TUN_PERSIST
1134  tuncfg(options->dev, options->dev_type, options->dev_node,
1135  options->persist_mode,
1136  options->username, options->groupname, &options->tuntap_options,
1137  ctx);
1138  if (options->persist_mode && options->lladdr)
1139  {
1140  set_lladdr(ctx, options->dev, options->lladdr, NULL);
1141  }
1142  return true;
1143 #else /* ifdef ENABLE_FEATURE_TUN_PERSIST */
1144  msg(M_FATAL|M_OPTERR,
1145  "options --mktun and --rmtun are not available on your operating "
1146  "system. Please check 'man tun' (or 'tap'), whether your system "
1147  "supports using 'ifconfig %s create' / 'destroy' to create/remove "
1148  "persistent tunnel interfaces.", options->dev );
1149 #endif
1150  return false;
1151 }
1152 
1153 /*
1154  * Should we become a daemon?
1155  * Return true if we did it.
1156  */
1157 bool
1158 possibly_become_daemon(const struct options *options)
1159 {
1160  bool ret = false;
1161 
1162 #ifdef ENABLE_SYSTEMD
1163  /* return without forking if we are running from systemd */
1164  if (sd_notify(0, "READY=0") > 0)
1165  {
1166  return ret;
1167  }
1168 #endif
1169 
1170  if (options->daemon)
1171  {
1172  /* Don't chdir immediately, but the end of the init sequence, if needed */
1173 
1174 #if defined(__APPLE__) && defined(__clang__)
1175 #pragma clang diagnostic push
1176 #pragma clang diagnostic ignored "-Wdeprecated-declarations"
1177 #endif
1178  if (daemon(1, options->log) < 0)
1179  {
1180  msg(M_ERR, "daemon() failed or unsupported");
1181  }
1182 #if defined(__APPLE__) && defined(__clang__)
1183 #pragma clang diagnostic pop
1184 #endif
1185  restore_signal_state();
1186  if (options->log)
1187  {
1188  set_std_files_to_null(true);
1189  }
1190 
1191  ret = true;
1192  }
1193  return ret;
1194 }
1195 
1196 /*
1197  * Actually do UID/GID downgrade, chroot and SELinux context switching, if requested.
1198  */
1199 static void
1200 do_uid_gid_chroot(struct context *c, bool no_delay)
1201 {
1202  static const char why_not[] = "will be delayed because of --client, --pull, or --up-delay";
1203  struct context_0 *c0 = c->c0;
1204 
1205  if (c0 && !c0->uid_gid_chroot_set)
1206  {
1207  /* chroot if requested */
1208  if (c->options.chroot_dir)
1209  {
1210  if (no_delay)
1211  {
1212  platform_chroot(c->options.chroot_dir);
1213  }
1214  else if (c->first_time)
1215  {
1216  msg(M_INFO, "NOTE: chroot %s", why_not);
1217  }
1218  }
1219 
1220  /* set user and/or group if we want to setuid/setgid */
1221  if (c0->uid_gid_specified)
1222  {
1223  if (no_delay)
1224  {
1225  platform_user_group_set(&c0->platform_state_user,
1226  &c0->platform_state_group,
1227  c);
1228  }
1229  else if (c->first_time)
1230  {
1231  msg(M_INFO, "NOTE: UID/GID downgrade %s", why_not);
1232  }
1233  }
1234 
1235 #ifdef ENABLE_MEMSTATS
1236  if (c->first_time && c->options.memstats_fn)
1237  {
1238  mstats_open(c->options.memstats_fn);
1239  }
1240 #endif
1241 
1242 #ifdef ENABLE_SELINUX
1243  /* Apply a SELinux context in order to restrict what OpenVPN can do
1244  * to _only_ what it is supposed to do after initialization is complete
1245  * (basically just network I/O operations). Doing it after chroot
1246  * requires /proc to be mounted in the chroot (which is annoying indeed
1247  * but doing it before requires more complex SELinux policies.
1248  */
1249  if (c->options.selinux_context)
1250  {
1251  if (no_delay)
1252  {
1253  if (-1 == setcon(c->options.selinux_context))
1254  {
1255  msg(M_ERR, "setcon to '%s' failed; is /proc accessible?", c->options.selinux_context);
1256  }
1257  else
1258  {
1259  msg(M_INFO, "setcon to '%s' succeeded", c->options.selinux_context);
1260  }
1261  }
1262  else if (c->first_time)
1263  {
1264  msg(M_INFO, "NOTE: setcon %s", why_not);
1265  }
1266  }
1267 #endif
1268 
1269  /* Privileges are going to be dropped by now (if requested), be sure
1270  * to prevent any future privilege dropping attempts from now on.
1271  */
1272  if (no_delay)
1273  {
1274  c0->uid_gid_chroot_set = true;
1275  }
1276  }
1277 }
1278 
1279 /*
1280  * Return common name in a way that is formatted for
1281  * prepending to msg() output.
1282  */
1283 const char *
1284 format_common_name(struct context *c, struct gc_arena *gc)
1285 {
1286  struct buffer out = alloc_buf_gc(256, gc);
1287  if (c->c2.tls_multi)
1288  {
1289  buf_printf(&out, "[%s] ", tls_common_name(c->c2.tls_multi, false));
1290  }
1291  return BSTR(&out);
1292 }
1293 
1294 void
1295 pre_setup(const struct options *options)
1296 {
1297 #ifdef _WIN32
1298  if (options->exit_event_name)
1299  {
1300  win32_signal_open(&win32_signal,
1301  WSO_FORCE_SERVICE,
1302  options->exit_event_name,
1303  options->exit_event_initial_state);
1304  }
1305  else
1306  {
1307  win32_signal_open(&win32_signal,
1308  WSO_FORCE_CONSOLE,
1309  NULL,
1310  false);
1311 
1312  /* put a title on the top window bar */
1313  if (win32_signal.mode == WSO_MODE_CONSOLE)
1314  {
1315  window_title_save(&window_title);
1316  window_title_generate(options->config);
1317  }
1318  }
1319 #endif /* ifdef _WIN32 */
1320 }
1321 
1322 void
1323 reset_coarse_timers(struct context *c)
1324 {
1325  c->c2.coarse_timer_wakeup = 0;
1326 }
1327 
1328 /*
1329  * Initialise the server poll timeout timer
1330  * This timer is used in the http/socks proxy setup so it needs to be setup
1331  * before
1332  */
1333 static void
1334 do_init_server_poll_timeout(struct context *c)
1335 {
1336  update_time();
1337  if (c->options.ce.connect_timeout)
1338  {
1339  event_timeout_init(&c->c2.server_poll_interval, c->options.ce.connect_timeout, now);
1340  }
1341 }
1342 
1343 /*
1344  * Initialize timers
1345  */
1346 static void
1347 do_init_timers(struct context *c, bool deferred)
1348 {
1349  update_time();
1350  reset_coarse_timers(c);
1351 
1352  /* initialize inactivity timeout */
1353  if (c->options.inactivity_timeout)
1354  {
1355  event_timeout_init(&c->c2.inactivity_interval, c->options.inactivity_timeout, now);
1356  }
1357 
1358  /* initialize inactivity timeout */
1359  if (c->options.session_timeout)
1360  {
1361  event_timeout_init(&c->c2.session_interval, c->options.session_timeout,
1362  now);
1363  }
1364 
1365  /* initialize pings */
1366  if (dco_enabled(&c->options))
1367  {
1368  /* The DCO kernel module will send the pings instead of user space */
1369  event_timeout_clear(&c->c2.ping_rec_interval);
1370  event_timeout_clear(&c->c2.ping_send_interval);
1371  }
1372  else
1373  {
1374  if (c->options.ping_send_timeout)
1375  {
1376  event_timeout_init(&c->c2.ping_send_interval, c->options.ping_send_timeout, 0);
1377  }
1378 
1379  if (c->options.ping_rec_timeout)
1380  {
1381  event_timeout_init(&c->c2.ping_rec_interval, c->options.ping_rec_timeout, now);
1382  }
1383  }
1384 
1385  /* If the auth-token renewal interval is shorter than reneg-sec, arm
1386  * "auth-token renewal" timer to send additional auth-token to update the
1387  * token on the client more often. If not, this happens automatically
1388  * at renegotiation time, without needing an extra event.
1389  */
1390  if (c->options.auth_token_generate
1391  && c->options.auth_token_renewal < c->options.renegotiate_seconds)
1392  {
1393  event_timeout_init(&c->c2.auth_token_renewal_interval,
1394  c->options.auth_token_renewal, now);
1395  }
1396 
1397  if (!deferred)
1398  {
1399  /* initialize connection establishment timer */
1400  event_timeout_init(&c->c2.wait_for_connect, 1, now);
1401 
1402  /* initialize occ timers */
1403 
1404  if (c->options.occ
1405  && !TLS_MODE(c)
1406  && c->c2.options_string_local && c->c2.options_string_remote)
1407  {
1408  event_timeout_init(&c->c2.occ_interval, OCC_INTERVAL_SECONDS, now);
1409  }
1410 
1411  if (c->options.mtu_test)
1412  {
1413  event_timeout_init(&c->c2.occ_mtu_load_test_interval, OCC_MTU_LOAD_INTERVAL_SECONDS, now);
1414  }
1415 
1416  /* initialize packet_id persistence timer */
1417  if (c->options.packet_id_file)
1418  {
1419  event_timeout_init(&c->c2.packet_id_persist_interval, 60, now);
1420  }
1421 
1422  /* initialize tmp_int optimization that limits the number of times we call
1423  * tls_multi_process in the main event loop */
1424  interval_init(&c->c2.tmp_int, TLS_MULTI_HORIZON, TLS_MULTI_REFRESH);
1425  }
1426 }
1427 
1428 /*
1429  * Initialize traffic shaper.
1430  */
1431 static void
1432 do_init_traffic_shaper(struct context *c)
1433 {
1434  /* initialize traffic shaper (i.e. transmit bandwidth limiter) */
1435  if (c->options.shaper)
1436  {
1437  shaper_init(&c->c2.shaper, c->options.shaper);
1438  shaper_msg(&c->c2.shaper);
1439  }
1440 }
1441 
1442 /*
1443  * Allocate route list structures for IPv4 and IPv6
1444  * (we do this for IPv4 even if no --route option has been seen, as other
1445  * parts of OpenVPN might want to fill the route-list with info, e.g. DHCP)
1446  */
1447 static void
1448 do_alloc_route_list(struct context *c)
1449 {
1450  if (!c->c1.route_list)
1451  {
1452  ALLOC_OBJ_CLEAR_GC(c->c1.route_list, struct route_list, &c->gc);
1453  }
1454  if (c->options.routes_ipv6 && !c->c1.route_ipv6_list)
1455  {
1456  ALLOC_OBJ_CLEAR_GC(c->c1.route_ipv6_list, struct route_ipv6_list, &c->gc);
1457  }
1458 }
1459 
1460 
1461 /*
1462  * Initialize the route list, resolving any DNS names in route
1463  * options and saving routes in the environment.
1464  */
1465 static void
1466 do_init_route_list(const struct options *options,
1467  struct route_list *route_list,
1468  const struct link_socket_info *link_socket_info,
1469  struct env_set *es,
1470  openvpn_net_ctx_t *ctx)
1471 {
1472  const char *gw = NULL;
1473  int dev = dev_type_enum(options->dev, options->dev_type);
1474  int metric = 0;
1475 
1476  /* if DCO is enabled we have both regular routes and iroutes in the system
1477  * routing table, and normal routes must have a higher metric for that to
1478  * work so that iroutes are always matched first
1479  */
1480  if (dco_enabled(options))
1481  {
1482  metric = DCO_DEFAULT_METRIC;
1483  }
1484 
1485  if (dev == DEV_TYPE_TUN && (options->topology == TOP_NET30 || options->topology == TOP_P2P))
1486  {
1487  gw = options->ifconfig_remote_netmask;
1488  }
1489  if (options->route_default_gateway)
1490  {
1491  gw = options->route_default_gateway;
1492  }
1493  if (options->route_default_metric)
1494  {
1495  metric = options->route_default_metric;
1496  }
1497 
1498  if (init_route_list(route_list,
1499  options->routes,
1500  gw,
1501  metric,
1502  link_socket_current_remote(link_socket_info),
1503  es,
1504  ctx))
1505  {
1506  /* copy routes to environment */
1507  setenv_routes(es, route_list);
1508  }
1509 }
1510 
1511 static void
1512 do_init_route_ipv6_list(const struct options *options,
1513  struct route_ipv6_list *route_ipv6_list,
1514  const struct link_socket_info *link_socket_info,
1515  struct env_set *es,
1516  openvpn_net_ctx_t *ctx)
1517 {
1518  const char *gw = NULL;
1519  int metric = -1; /* no metric set */
1520 
1521  /* see explanation in do_init_route_list() */
1522  if (dco_enabled(options))
1523  {
1524  metric = DCO_DEFAULT_METRIC;
1525  }
1526 
1527  gw = options->ifconfig_ipv6_remote; /* default GW = remote end */
1528  if (options->route_ipv6_default_gateway)
1529  {
1530  gw = options->route_ipv6_default_gateway;
1531  }
1532 
1533  if (options->route_default_metric)
1534  {
1535  metric = options->route_default_metric;
1536  }
1537 
1538  /* redirect (IPv6) gateway to VPN? if yes, add a few more specifics
1539  */
1540  if (options->routes_ipv6->flags & RG_REROUTE_GW)
1541  {
1542  char *opt_list[] = { "::/3", "2000::/4", "3000::/4", "fc00::/7", NULL };
1543  int i;
1544 
1545  for (i = 0; opt_list[i]; i++)
1546  {
1547  add_route_ipv6_to_option_list( options->routes_ipv6,
1548  string_alloc(opt_list[i], options->routes_ipv6->gc),
1549  NULL, NULL );
1550  }
1551  }
1552 
1553  if (init_route_ipv6_list(route_ipv6_list,
1554  options->routes_ipv6,
1555  gw,
1556  metric,
1557  link_socket_current_remote_ipv6(link_socket_info),
1558  es,
1559  ctx))
1560  {
1561  /* copy routes to environment */
1562  setenv_routes_ipv6(es, route_ipv6_list);
1563  }
1564 }
1565 
1566 
1567 /*
1568  * Called after all initialization has been completed.
1569  */
1570 void
1571 initialization_sequence_completed(struct context *c, const unsigned int flags)
1572 {
1573  static const char message[] = "Initialization Sequence Completed";
1574 
1575  /* Reset the unsuccessful connection counter on complete initialisation */
1576  c->options.unsuccessful_attempts = 0;
1577 
1578  /* If we delayed UID/GID downgrade or chroot, do it now */
1579  do_uid_gid_chroot(c, true);
1580 
1581  /* Test if errors */
1582  if (flags & ISC_ERRORS)
1583  {
1584 #ifdef _WIN32
1585  show_routes(M_INFO|M_NOPREFIX);
1586  show_adapters(M_INFO|M_NOPREFIX);
1587  msg(M_INFO, "%s With Errors ( see http://openvpn.net/faq.html#dhcpclientserv )", message);
1588 #else
1589 #ifdef ENABLE_SYSTEMD
1590  sd_notifyf(0, "STATUS=Failed to start up: %s With Errors\nERRNO=1", message);
1591 #endif /* HAVE_SYSTEMD_SD_DAEMON_H */
1592  msg(M_INFO, "%s With Errors", message);
1593 #endif
1594  }
1595  else
1596  {
1597 #ifdef ENABLE_SYSTEMD
1598  sd_notifyf(0, "STATUS=%s", message);
1599 #endif
1600  msg(M_INFO, "%s", message);
1601  }
1602 
1603  /* Flag that we initialized */
1604  if ((flags & (ISC_ERRORS|ISC_SERVER)) == 0)
1605  {
1606  c->options.no_advance = true;
1607  }
1608 
1609 #ifdef _WIN32
1610  fork_register_dns_action(c->c1.tuntap);
1611 #endif
1612 
1613 #ifdef ENABLE_MANAGEMENT
1614  /* Tell management interface that we initialized */
1615  if (management)
1616  {
1617  in_addr_t *tun_local = NULL;
1618  struct in6_addr *tun_local6 = NULL;
1619  struct openvpn_sockaddr local, remote;
1620  struct link_socket_actual *actual;
1621  socklen_t sa_len = sizeof(local);
1622  const char *detail = "SUCCESS";
1623  if (flags & ISC_ERRORS)
1624  {
1625  detail = "ERROR";
1626  }
1627  /* Flag route error only on platforms where trivial "already exists" errors
1628  * are filtered out. Currently this is the case on Windows or if usng netlink.
1629  */
1630 #if defined(_WIN32) || defined(ENABLE_SITNL)
1631  else if (flags & ISC_ROUTE_ERRORS)
1632  {
1633  detail = "ROUTE_ERROR";
1634  }
1635 #endif
1636 
1637  CLEAR(local);
1638  actual = &get_link_socket_info(c)->lsa->actual;
1639  remote = actual->dest;
1640  getsockname(c->c2.link_socket->sd, &local.addr.sa, &sa_len);
1641 #if ENABLE_IP_PKTINFO
1642  if (!addr_defined(&local))
1643  {
1644  switch (local.addr.sa.sa_family)
1645  {
1646  case AF_INET:
1647 #if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST)
1648  local.addr.in4.sin_addr = actual->pi.in4.ipi_spec_dst;
1649 #else
1650  local.addr.in4.sin_addr = actual->pi.in4;
1651 #endif
1652  break;
1653 
1654  case AF_INET6:
1655  local.addr.in6.sin6_addr = actual->pi.in6.ipi6_addr;
1656  break;
1657  }
1658  }
1659 #endif
1660 
1661  if (c->c1.tuntap)
1662  {
1663  tun_local = &c->c1.tuntap->local;
1664  tun_local6 = &c->c1.tuntap->local_ipv6;
1665  }
1666  management_set_state(management,
1667  OPENVPN_STATE_CONNECTED,
1668  detail,
1669  tun_local,
1670  tun_local6,
1671  &local,
1672  &remote);
1673  if (tun_local)
1674  {
1675  management_post_tunnel_open(management, *tun_local);
1676  }
1677  }
1678 #endif /* ifdef ENABLE_MANAGEMENT */
1679 }
1680 
1681 /*
1682  * Possibly add routes and/or call route-up script
1683  * based on options.
1684  */
1685 bool
1686 do_route(const struct options *options,
1687  struct route_list *route_list,
1688  struct route_ipv6_list *route_ipv6_list,
1689  const struct tuntap *tt,
1690  const struct plugin_list *plugins,
1691  struct env_set *es,
1692  openvpn_net_ctx_t *ctx)
1693 {
1694  bool ret = true;
1695  if (!options->route_noexec && ( route_list || route_ipv6_list ) )
1696  {
1697  ret = add_routes(route_list, route_ipv6_list, tt, ROUTE_OPTION_FLAGS(options),
1698  es, ctx);
1699  setenv_int(es, "redirect_gateway", route_did_redirect_default_gateway(route_list));
1700  }
1701 #ifdef ENABLE_MANAGEMENT
1702  if (management)
1703  {
1704  management_up_down(management, "UP", es);
1705  }
1706 #endif
1707 
1708  if (plugin_defined(plugins, OPENVPN_PLUGIN_ROUTE_UP))
1709  {
1710  if (plugin_call(plugins, OPENVPN_PLUGIN_ROUTE_UP, NULL, NULL, es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
1711  {
1712  msg(M_WARN, "WARNING: route-up plugin call failed");
1713  }
1714  }
1715 
1716  if (options->route_script)
1717  {
1718  struct argv argv = argv_new();
1719  setenv_str(es, "script_type", "route-up");
1720  argv_parse_cmd(&argv, options->route_script);
1721  openvpn_run_script(&argv, es, 0, "--route-up");
1722  argv_free(&argv);
1723  }
1724 
1725 #ifdef _WIN32
1726  if (options->show_net_up)
1727  {
1728  show_routes(M_INFO|M_NOPREFIX);
1729  show_adapters(M_INFO|M_NOPREFIX);
1730  }
1731  else if (check_debug_level(D_SHOW_NET))
1732  {
1733  show_routes(D_SHOW_NET|M_NOPREFIX);
1734  show_adapters(D_SHOW_NET|M_NOPREFIX);
1735  }
1736 #endif
1737  return ret;
1738 }
1739 
1740 /*
1741  * initialize tun/tap device object
1742  */
1743 static void
1744 do_init_tun(struct context *c)
1745 {
1746  c->c1.tuntap = init_tun(c->options.dev,
1747  c->options.dev_type,
1748  c->options.topology,
1749  c->options.ifconfig_local,
1750  c->options.ifconfig_remote_netmask,
1751  c->options.ifconfig_ipv6_local,
1752  c->options.ifconfig_ipv6_netbits,
1753  c->options.ifconfig_ipv6_remote,
1754  c->c1.link_socket_addr.bind_local,
1755  c->c1.link_socket_addr.remote_list,
1756  !c->options.ifconfig_nowarn,
1757  c->c2.es,
1758  &c->net_ctx,
1759  c->c1.tuntap);
1760 
1761 #ifdef _WIN32
1762  c->c1.tuntap->windows_driver = c->options.windows_driver;
1763 #endif
1764 
1765  init_tun_post(c->c1.tuntap,
1766  &c->c2.frame,
1767  &c->options.tuntap_options);
1768 
1769  c->c1.tuntap_owned = true;
1770 }
1771 
1772 /*
1773  * Open tun/tap device, ifconfig, call up script, etc.
1774  */
1775 
1776 
1777 static bool
1778 can_preserve_tun(struct tuntap *tt)
1779 {
1780 #ifdef TARGET_ANDROID
1781  return false;
1782 #else
1783  return is_tun_type_set(tt);
1784 #endif
1785 }
1786 
1795 static void
1796 add_wfp_block(struct context *c)
1797 {
1798 #if defined(_WIN32)
1799  /* Fortify 'redirect-gateway block-local' with firewall rules? */
1800  bool block_local = block_local_needed(c->c1.route_list);
1801 
1802  if (c->options.block_outside_dns || block_local)
1803  {
1804  BOOL dns_only = !block_local;
1805  if (!win_wfp_block(c->c1.tuntap->adapter_index, c->options.msg_channel, dns_only))
1806  {
1807  msg(M_FATAL, "WFP: initialization failed");
1808  }
1809  }
1810 #endif
1811 }
1812 
1821 static void
1822 del_wfp_block(struct context *c, unsigned long adapter_index)
1823 {
1824 #if defined(_WIN32)
1825  if (c->options.block_outside_dns || block_local_needed(c->c1.route_list))
1826  {
1827  if (!win_wfp_uninit(adapter_index, c->options.msg_channel))
1828  {
1829  msg(M_FATAL, "WFP: deinitialization failed");
1830  }
1831  }
1832 #endif
1833 }
1834 
1835 static bool
1836 do_open_tun(struct context *c, int *error_flags)
1837 {
1838  struct gc_arena gc = gc_new();
1839  bool ret = false;
1840  *error_flags = 0;
1841 
1842  if (!can_preserve_tun(c->c1.tuntap))
1843  {
1844 #ifdef TARGET_ANDROID
1845  /* If we emulate persist-tun on android we still have to open a new tun and
1846  * then close the old */
1847  int oldtunfd = -1;
1848  if (c->c1.tuntap)
1849  {
1850  oldtunfd = c->c1.tuntap->fd;
1851  free(c->c1.tuntap);
1852  c->c1.tuntap = NULL;
1853  c->c1.tuntap_owned = false;
1854  }
1855 #endif
1856 
1857  /* initialize (but do not open) tun/tap object */
1858  do_init_tun(c);
1859 
1860  /* inherit the dco context from the tuntap object */
1861  if (c->c2.tls_multi)
1862  {
1863  c->c2.tls_multi->dco = &c->c1.tuntap->dco;
1864  }
1865 
1866 #ifdef _WIN32
1867  /* store (hide) interactive service handle in tuntap_options */
1868  c->c1.tuntap->options.msg_channel = c->options.msg_channel;
1869  msg(D_ROUTE, "interactive service msg_channel=%" PRIuPTR,
1870  (intptr_t) c->options.msg_channel);
1871 #endif
1872 
1873  /* allocate route list structure */
1874  do_alloc_route_list(c);
1875 
1876  /* parse and resolve the route option list */
1877  ASSERT(c->c2.link_socket);
1878  if (c->options.routes && c->c1.route_list)
1879  {
1880  do_init_route_list(&c->options, c->c1.route_list,
1881  &c->c2.link_socket->info, c->c2.es, &c->net_ctx);
1882  }
1883  if (c->options.routes_ipv6 && c->c1.route_ipv6_list)
1884  {
1885  do_init_route_ipv6_list(&c->options, c->c1.route_ipv6_list,
1886  &c->c2.link_socket->info, c->c2.es,
1887  &c->net_ctx);
1888  }
1889 
1890  /* do ifconfig */
1891  if (!c->options.ifconfig_noexec
1892  && ifconfig_order() == IFCONFIG_BEFORE_TUN_OPEN)
1893  {
1894  /* guess actual tun/tap unit number that will be returned
1895  * by open_tun */
1896  const char *guess = guess_tuntap_dev(c->options.dev,
1897  c->options.dev_type,
1898  c->options.dev_node,
1899  &gc);
1900  do_ifconfig(c->c1.tuntap, guess, c->c2.frame.tun_mtu, c->c2.es,
1901  &c->net_ctx);
1902  }
1903 
1904  /* possibly add routes */
1905  if (route_order() == ROUTE_BEFORE_TUN)
1906  {
1907  /* Ignore route_delay, would cause ROUTE_BEFORE_TUN to be ignored */
1908  bool status = do_route(&c->options, c->c1.route_list, c->c1.route_ipv6_list,
1909  c->c1.tuntap, c->plugins, c->c2.es, &c->net_ctx);
1910  *error_flags |= (status ? 0 : ISC_ROUTE_ERRORS);
1911  }
1912 #ifdef TARGET_ANDROID
1913  /* Store the old fd inside the fd so open_tun can use it */
1914  c->c1.tuntap->fd = oldtunfd;
1915 #endif
1916  if (dco_enabled(&c->options))
1917  {
1918  ovpn_dco_init(c->mode, &c->c1.tuntap->dco);
1919  }
1920 
1921  /* open the tun device */
1922  open_tun(c->options.dev, c->options.dev_type, c->options.dev_node,
1923  c->c1.tuntap, &c->net_ctx);
1924 
1925  /* set the hardware address */
1926  if (c->options.lladdr)
1927  {
1928  set_lladdr(&c->net_ctx, c->c1.tuntap->actual_name, c->options.lladdr,
1929  c->c2.es);
1930  }
1931 
1932  /* do ifconfig */
1933  if (!c->options.ifconfig_noexec
1934  && ifconfig_order() == IFCONFIG_AFTER_TUN_OPEN)
1935  {
1936  do_ifconfig(c->c1.tuntap, c->c1.tuntap->actual_name,
1937  c->c2.frame.tun_mtu, c->c2.es, &c->net_ctx);
1938  }
1939 
1940  /* run the up script */
1941  run_up_down(c->options.up_script,
1942  c->plugins,
1943  OPENVPN_PLUGIN_UP,
1944  c->c1.tuntap->actual_name,
1945 #ifdef _WIN32
1946  c->c1.tuntap->adapter_index,
1947 #endif
1948  dev_type_string(c->options.dev, c->options.dev_type),
1949  c->c2.frame.tun_mtu,
1950  print_in_addr_t(c->c1.tuntap->local, IA_EMPTY_IF_UNDEF, &gc),
1951  print_in_addr_t(c->c1.tuntap->remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
1952  "init",
1953  NULL,
1954  "up",
1955  c->c2.es);
1956 
1957  add_wfp_block(c);
1958 
1959  /* possibly add routes */
1960  if ((route_order() == ROUTE_AFTER_TUN) && (!c->options.route_delay_defined))
1961  {
1962  int status = do_route(&c->options, c->c1.route_list, c->c1.route_ipv6_list,
1963  c->c1.tuntap, c->plugins, c->c2.es, &c->net_ctx);
1964  *error_flags |= (status ? 0 : ISC_ROUTE_ERRORS);
1965  }
1966 
1967  ret = true;
1968  static_context = c;
1969  }
1970  else
1971  {
1972  msg(M_INFO, "Preserving previous TUN/TAP instance: %s",
1973  c->c1.tuntap->actual_name);
1974 
1975  /* explicitly set the ifconfig_* env vars */
1976  do_ifconfig_setenv(c->c1.tuntap, c->c2.es);
1977 
1978  /* run the up script if user specified --up-restart */
1979  if (c->options.up_restart)
1980  {
1981  run_up_down(c->options.up_script,
1982  c->plugins,
1983  OPENVPN_PLUGIN_UP,
1984  c->c1.tuntap->actual_name,
1985 #ifdef _WIN32
1986  c->c1.tuntap->adapter_index,
1987 #endif
1988  dev_type_string(c->options.dev, c->options.dev_type),
1989  c->c2.frame.tun_mtu,
1990  print_in_addr_t(c->c1.tuntap->local, IA_EMPTY_IF_UNDEF, &gc),
1991  print_in_addr_t(c->c1.tuntap->remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
1992  "restart",
1993  NULL,
1994  "up",
1995  c->c2.es);
1996  }
1997 
1998  add_wfp_block(c);
1999  }
2000  gc_free(&gc);
2001  return ret;
2002 }
2003 
2004 /*
2005  * Close TUN/TAP device
2006  */
2007 
2008 static void
2009 do_close_tun_simple(struct context *c)
2010 {
2011  msg(D_CLOSE, "Closing %s interface",
2012  dco_enabled(&c->options) ? "DCO" : "TUN/TAP");
2013 
2014  if (c->c1.tuntap)
2015  {
2016  if (!c->options.ifconfig_noexec)
2017  {
2018  undo_ifconfig(c->c1.tuntap, &c->net_ctx);
2019  }
2020  close_tun(c->c1.tuntap, &c->net_ctx);
2021  c->c1.tuntap = NULL;
2022  }
2023  c->c1.tuntap_owned = false;
2024  CLEAR(c->c1.pulled_options_digest_save);
2025 }
2026 
2027 static void
2028 do_close_tun(struct context *c, bool force)
2029 {
2030  /* With dco-win we open tun handle in the very beginning.
2031  * In case when tun wasn't opened - like we haven't connected,
2032  * we still need to close tun handle
2033  */
2034  if (tuntap_is_dco_win(c->c1.tuntap) && !is_tun_type_set(c->c1.tuntap))
2035  {
2036  do_close_tun_simple(c);
2037  return;
2038  }
2039 
2040  if (!c->c1.tuntap || !c->c1.tuntap_owned)
2041  {
2042  return;
2043  }
2044 
2045  struct gc_arena gc = gc_new();
2046  const char *tuntap_actual = string_alloc(c->c1.tuntap->actual_name, &gc);
2047  const in_addr_t local = c->c1.tuntap->local;
2048  const in_addr_t remote_netmask = c->c1.tuntap->remote_netmask;
2049  unsigned long adapter_index = 0;
2050 #ifdef _WIN32
2051  adapter_index = c->c1.tuntap->adapter_index;
2052 #endif
2053 
2054  if (force || !(c->sig->signal_received == SIGUSR1 && c->options.persist_tun))
2055  {
2056  static_context = NULL;
2057 
2058 #ifdef ENABLE_MANAGEMENT
2059  /* tell management layer we are about to close the TUN/TAP device */
2060  if (management)
2061  {
2062  management_pre_tunnel_close(management);
2063  management_up_down(management, "DOWN", c->c2.es);
2064  }
2065 #endif
2066 
2067  /* delete any routes we added */
2068  if (c->c1.route_list || c->c1.route_ipv6_list)
2069  {
2070  run_up_down(c->options.route_predown_script,
2071  c->plugins,
2072  OPENVPN_PLUGIN_ROUTE_PREDOWN,
2073  tuntap_actual,
2074 #ifdef _WIN32
2075  adapter_index,
2076 #endif
2077  NULL,
2078  c->c2.frame.tun_mtu,
2079  print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc),
2080  print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
2081  "init",
2082  signal_description(c->sig->signal_received,
2083  c->sig->signal_text),
2084  "route-pre-down",
2085  c->c2.es);
2086 
2087  delete_routes(c->c1.route_list, c->c1.route_ipv6_list,
2088  c->c1.tuntap, ROUTE_OPTION_FLAGS(&c->options),
2089  c->c2.es, &c->net_ctx);
2090  }
2091 
2092  /* actually close tun/tap device based on --down-pre flag */
2093  if (!c->options.down_pre)
2094  {
2095  do_close_tun_simple(c);
2096  }
2097 
2098  /* Run the down script -- note that it will run at reduced
2099  * privilege if, for example, "--user" was used. */
2100  run_up_down(c->options.down_script,
2101  c->plugins,
2102  OPENVPN_PLUGIN_DOWN,
2103  tuntap_actual,
2104 #ifdef _WIN32
2105  adapter_index,
2106 #endif
2107  NULL,
2108  c->c2.frame.tun_mtu,
2109  print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc),
2110  print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
2111  "init",
2112  signal_description(c->sig->signal_received,
2113  c->sig->signal_text),
2114  "down",
2115  c->c2.es);
2116 
2117  del_wfp_block(c, adapter_index);
2118 
2119  /* actually close tun/tap device based on --down-pre flag */
2120  if (c->options.down_pre)
2121  {
2122  do_close_tun_simple(c);
2123  }
2124  }
2125  else
2126  {
2127  /* run the down script on this restart if --up-restart was specified */
2128  if (c->options.up_restart)
2129  {
2130  run_up_down(c->options.down_script,
2131  c->plugins,
2132  OPENVPN_PLUGIN_DOWN,
2133  tuntap_actual,
2134 #ifdef _WIN32
2135  adapter_index,
2136 #endif
2137  NULL,
2138  c->c2.frame.tun_mtu,
2139  print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc),
2140  print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
2141  "restart",
2142  signal_description(c->sig->signal_received,
2143  c->sig->signal_text),
2144  "down",
2145  c->c2.es);
2146  }
2147 
2148  del_wfp_block(c, adapter_index);
2149  }
2150  gc_free(&gc);
2151 }
2152 
2153 void
2154 tun_abort(void)
2155 {
2156  struct context *c = static_context;
2157  if (c)
2158  {
2159  static_context = NULL;
2160  do_close_tun(c, true);
2161  }
2162 }
2163 
2164 /*
2165  * Handle delayed tun/tap interface bringup due to --up-delay or --pull
2166  */
2167 
2172 static bool
2173 options_hash_changed_or_zero(const struct sha256_digest *a,
2174  const struct sha256_digest *b)
2175 {
2176  const struct sha256_digest zero = {{0}};
2177  return memcmp(a, b, sizeof(struct sha256_digest))
2178  || !memcmp(a, &zero, sizeof(struct sha256_digest));
2179 }
2180 
2181 static bool
2182 p2p_set_dco_keepalive(struct context *c)
2183 {
2184  if (dco_enabled(&c->options)
2185  && (c->options.ping_send_timeout || c->c2.frame.mss_fix))
2186  {
2187  int ret = dco_set_peer(&c->c1.tuntap->dco,
2188  c->c2.tls_multi->dco_peer_id,
2189  c->options.ping_send_timeout,
2190  c->options.ping_rec_timeout,
2191  c->c2.frame.mss_fix);
2192  if (ret < 0)
2193  {
2194  msg(D_DCO, "Cannot set parameters for DCO peer (id=%u): %s",
2195  c->c2.tls_multi->dco_peer_id, strerror(-ret));
2196  return false;
2197  }
2198  }
2199  return true;
2200 }
2201 
2207 static void
2208 add_delim_if_non_empty(struct buffer *buf, const char *header)
2209 {
2210  if (buf_len(buf) > strlen(header))
2211  {
2212  buf_printf(buf, ", ");
2213  }
2214 }
2215 
2216 
2221 static void
2222 tls_print_deferred_options_results(struct context *c)
2223 {
2224  struct options *o = &c->options;
2225 
2226  struct buffer out;
2227  uint8_t line[1024] = { 0 };
2228  buf_set_write(&out, line, sizeof(line));
2229 
2230 
2231  if (cipher_kt_mode_aead(o->ciphername))
2232  {
2233  buf_printf(&out, "Data Channel: cipher '%s'",
2234  cipher_kt_name(o->ciphername));
2235  }
2236  else
2237  {
2238  buf_printf(&out, "Data Channel: cipher '%s', auth '%s'",
2239  cipher_kt_name(o->ciphername), md_kt_name(o->authname));
2240  }
2241 
2242  if (o->use_peer_id)
2243  {
2244  buf_printf(&out, ", peer-id: %d", o->peer_id);
2245  }
2246 
2247 #ifdef USE_COMP
2248  if (c->c2.comp_context)
2249  {
2250  buf_printf(&out, ", compression: '%s'", c->c2.comp_context->alg.name);
2251  }
2252 #endif
2253 
2254  msg(D_HANDSHAKE, "%s", BSTR(&out));
2255 
2256  buf_clear(&out);
2257 
2258  const char *header = "Timers: ";
2259 
2260  buf_printf(&out, "%s", header);
2261 
2262  if (o->ping_send_timeout)
2263  {
2264  buf_printf(&out, "ping %d", o->ping_send_timeout);
2265  }
2266 
2267  if (o->ping_rec_timeout_action != PING_UNDEF)
2268  {
2269  /* yes unidirectional ping is possible .... */
2270  add_delim_if_non_empty(&out, header);
2271 
2272  if (o->ping_rec_timeout_action == PING_EXIT)
2273  {
2274  buf_printf(&out, "ping-exit %d", o->ping_rec_timeout);
2275  }
2276  else
2277  {
2278  buf_printf(&out, "ping-restart %d", o->ping_rec_timeout);
2279  }
2280  }
2281 
2282  if (o->inactivity_timeout)
2283  {
2284  add_delim_if_non_empty(&out, header);
2285 
2286  buf_printf(&out, "inactive %d", o->inactivity_timeout);
2287  if (o->inactivity_minimum_bytes)
2288  {
2289  buf_printf(&out, " %" PRIu64, o->inactivity_minimum_bytes);
2290  }
2291  }
2292 
2293  if (o->session_timeout)
2294  {
2295  add_delim_if_non_empty(&out, header);
2296  buf_printf(&out, "session-timeout %d", o->session_timeout);
2297  }
2298 
2299  if (buf_len(&out) > strlen(header))
2300  {
2301  msg(D_HANDSHAKE, "%s", BSTR(&out));
2302  }
2303 
2304  buf_clear(&out);
2305  header = "Protocol options: ";
2306  buf_printf(&out, "%s", header);
2307 
2308  if (c->options.ce.explicit_exit_notification)
2309  {
2310  buf_printf(&out, "explicit-exit-notify %d",
2311  c->options.ce.explicit_exit_notification);
2312  }
2313  if (c->options.imported_protocol_flags)
2314  {
2315  add_delim_if_non_empty(&out, header);
2316 
2317  buf_printf(&out, "protocol-flags");
2318 
2319  if (o->imported_protocol_flags & CO_USE_CC_EXIT_NOTIFY)
2320  {
2321  buf_printf(&out, " cc-exit");
2322  }
2323  if (o->imported_protocol_flags & CO_USE_TLS_KEY_MATERIAL_EXPORT)
2324  {
2325  buf_printf(&out, " tls-ekm");
2326  }
2327  if (o->imported_protocol_flags & CO_USE_DYNAMIC_TLS_CRYPT)
2328  {
2329  buf_printf(&out, " dyn-tls-crypt");
2330  }
2331  }
2332 
2333  if (buf_len(&out) > strlen(header))
2334  {
2335  msg(D_HANDSHAKE, "%s", BSTR(&out));
2336  }
2337 }
2338 
2339 
2347 static bool
2348 do_deferred_options_part2(struct context *c)
2349 {
2350  struct frame *frame_fragment = NULL;
2351 #ifdef ENABLE_FRAGMENT
2352  if (c->options.ce.fragment)
2353  {
2354  frame_fragment = &c->c2.frame_fragment;
2355  }
2356 #endif
2357 
2358  struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE];
2359  if (!tls_session_update_crypto_params(c->c2.tls_multi, session,
2360  &c->options, &c->c2.frame,
2361  frame_fragment,
2362  get_link_socket_info(c)))
2363  {
2364  msg(D_TLS_ERRORS, "OPTIONS ERROR: failed to import crypto options");
2365  return false;
2366  }
2367 
2368  return true;
2369 }
2370 
2371 bool
2372 do_up(struct context *c, bool pulled_options, unsigned int option_types_found)
2373 {
2374  int error_flags = 0;
2375  if (!c->c2.do_up_ran)
2376  {
2377  reset_coarse_timers(c);
2378 
2379  if (pulled_options)
2380  {
2381  if (!do_deferred_options(c, option_types_found))
2382  {
2383  msg(D_PUSH_ERRORS, "ERROR: Failed to apply push options");
2384  return false;
2385  }
2386  }
2387 
2388  /* if --up-delay specified, open tun, do ifconfig, and run up script now */
2389  if (c->options.up_delay || PULL_DEFINED(&c->options))
2390  {
2391  c->c2.did_open_tun = do_open_tun(c, &error_flags);
2392  update_time();
2393 
2394  /*
2395  * Was tun interface object persisted from previous restart iteration,
2396  * and if so did pulled options string change from previous iteration?
2397  */
2398  if (!c->c2.did_open_tun
2399  && PULL_DEFINED(&c->options)
2400  && c->c1.tuntap
2401  && options_hash_changed_or_zero(&c->c1.pulled_options_digest_save,
2402  &c->c2.pulled_options_digest))
2403  {
2404  /* if so, close tun, delete routes, then reinitialize tun and add routes */
2405  msg(M_INFO, "NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.");
2406 
2407  bool tt_dco_win = tuntap_is_dco_win(c->c1.tuntap);
2408  do_close_tun(c, true);
2409 
2410  if (tt_dco_win)
2411  {
2412  msg(M_NONFATAL, "dco-win doesn't yet support reopening TUN device");
2413  /* prevent link_socket_close() from closing handle with WinSock API */
2414  c->c2.link_socket->sd = SOCKET_UNDEFINED;
2415  return false;
2416  }
2417  else
2418  {
2419  management_sleep(1);
2420  c->c2.did_open_tun = do_open_tun(c, &error_flags);
2421  update_time();
2422  }
2423  }
2424  }
2425  }
2426 
2427  /* This part needs to be run in p2p mode (without pull) when the client
2428  * reconnects to setup various things (like DCO and NCP cipher) that
2429  * might have changed from the previous connection.
2430  */
2431  if (!c->c2.do_up_ran || (c->c2.tls_multi && c->c2.tls_multi->multi_state == CAS_RECONNECT_PENDING))
2432  {
2433  if (c->mode == MODE_POINT_TO_POINT)
2434  {
2435  /* ovpn-dco requires adding the peer now, before any option can be set,
2436  * but *after* having parsed the pushed peer-id in do_deferred_options()
2437  */
2438  int ret = dco_p2p_add_new_peer(c);
2439  if (ret < 0)
2440  {
2441  msg(D_DCO, "Cannot add peer to DCO: %s (%d)", strerror(-ret), ret);
2442  return false;
2443  }
2444  }
2445 
2446  /* do_deferred_options_part2() and do_deferred_p2p_ncp() *must* be
2447  * invoked after open_tun().
2448  * This is required by DCO because we must have created the interface
2449  * and added the peer before we can fiddle with the keys or any other
2450  * data channel per-peer setting.
2451  */
2452  if (pulled_options)
2453  {
2454  if (!do_deferred_options_part2(c))
2455  {
2456  return false;
2457  }
2458  }
2459  else
2460  {
2461  if (c->mode == MODE_POINT_TO_POINT)
2462  {
2463  if (!do_deferred_p2p_ncp(c))
2464  {
2465  msg(D_TLS_ERRORS, "ERROR: Failed to apply P2P negotiated protocol options");
2466  return false;
2467  }
2468  }
2469  }
2470 
2471  if (c->mode == MODE_POINT_TO_POINT && !p2p_set_dco_keepalive(c))
2472  {
2473  msg(D_TLS_ERRORS, "ERROR: Failed to apply DCO keepalive or MSS fix parameters");
2474  return false;
2475  }
2476 
2477  if (c->c2.did_open_tun)
2478  {
2479  c->c1.pulled_options_digest_save = c->c2.pulled_options_digest;
2480 
2481  /* if --route-delay was specified, start timer */
2482  if ((route_order() == ROUTE_AFTER_TUN) && c->options.route_delay_defined)
2483  {
2484  event_timeout_init(&c->c2.route_wakeup, c->options.route_delay, now);
2485  event_timeout_init(&c->c2.route_wakeup_expire, c->options.route_delay + c->options.route_delay_window, now);
2486  if (c->c1.tuntap)
2487  {
2488  tun_standby_init(c->c1.tuntap);
2489  }
2490  }
2491  else
2492  {
2493  initialization_sequence_completed(c, error_flags); /* client/p2p --route-delay undefined */
2494  }
2495  }
2496  else if (c->options.mode == MODE_POINT_TO_POINT)
2497  {
2498  initialization_sequence_completed(c, error_flags); /* client/p2p restart with --persist-tun */
2499  }
2500 
2501  tls_print_deferred_options_results(c);
2502 
2503  c->c2.do_up_ran = true;
2504  if (c->c2.tls_multi)
2505  {
2506  c->c2.tls_multi->multi_state = CAS_CONNECT_DONE;
2507  }
2508  }
2509  return true;
2510 }
2511 
2512 /*
2513  * These are the option categories which will be accepted by pull.
2514  */
2515 unsigned int
2516 pull_permission_mask(const struct context *c)
2517 {
2518  unsigned int flags =
2519  OPT_P_UP
2520  | OPT_P_ROUTE_EXTRAS
2521  | OPT_P_SOCKBUF
2522  | OPT_P_SOCKFLAGS
2523  | OPT_P_SETENV
2524  | OPT_P_SHAPER
2525  | OPT_P_TIMER
2526  | OPT_P_COMP
2527  | OPT_P_PERSIST
2528  | OPT_P_MESSAGES
2529  | OPT_P_EXPLICIT_NOTIFY
2530  | OPT_P_ECHO
2531  | OPT_P_PULL_MODE
2532  | OPT_P_PEER_ID
2533  | OPT_P_NCP
2534  | OPT_P_PUSH_MTU;
2535 
2536  if (!c->options.route_nopull)
2537  {
2538  flags |= (OPT_P_ROUTE | OPT_P_DHCPDNS);
2539  }
2540 
2541  return flags;
2542 }
2543 
2544 static bool
2545 do_deferred_p2p_ncp(struct context *c)
2546 {
2547  if (!c->c2.tls_multi)
2548  {
2549  return true;
2550  }
2551 
2552  c->options.use_peer_id = c->c2.tls_multi->use_peer_id;
2553 
2554  struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE];
2555 
2556  const char *ncp_cipher = get_p2p_ncp_cipher(session, c->c2.tls_multi->peer_info,
2557  &c->options.gc);
2558 
2559  if (ncp_cipher)
2560  {
2561  c->options.ciphername = ncp_cipher;
2562  }
2563  else if (!c->options.enable_ncp_fallback)
2564  {
2565  msg(D_TLS_ERRORS, "ERROR: failed to negotiate cipher with peer and "
2566  "--data-ciphers-fallback not enabled. No usable "
2567  "data channel cipher");
2568  return false;
2569  }
2570 
2571  struct frame *frame_fragment = NULL;
2572 #ifdef ENABLE_FRAGMENT
2573  if (c->options.ce.fragment)
2574  {
2575  frame_fragment = &c->c2.frame_fragment;
2576  }
2577 #endif
2578 
2579  if (!tls_session_update_crypto_params(c->c2.tls_multi, session, &c->options,
2580  &c->c2.frame, frame_fragment,
2581  get_link_socket_info(c)))
2582  {
2583  msg(D_TLS_ERRORS, "ERROR: failed to set crypto cipher");
2584  return false;
2585  }
2586  return true;
2587 }
2588 
2589 /*
2590  * Handle non-tun-related pulled options.
2591  */
2592 bool
2593 do_deferred_options(struct context *c, const unsigned int found)
2594 {
2595  if (found & OPT_P_MESSAGES)
2596  {
2597  init_verb_mute(c, IVM_LEVEL_1|IVM_LEVEL_2);
2598  msg(D_PUSH, "OPTIONS IMPORT: --verb and/or --mute level changed");
2599  }
2600  if (found & OPT_P_TIMER)
2601  {
2602  do_init_timers(c, true);
2603  msg(D_PUSH_DEBUG, "OPTIONS IMPORT: timers and/or timeouts modified");
2604  }
2605 
2606  if (found & OPT_P_EXPLICIT_NOTIFY)
2607  {
2608  if (!proto_is_udp(c->options.ce.proto) && c->options.ce.explicit_exit_notification)
2609  {
2610  msg(D_PUSH, "OPTIONS IMPORT: --explicit-exit-notify can only be used with --proto udp");
2611  c->options.ce.explicit_exit_notification = 0;
2612  }
2613  else
2614  {
2615  msg(D_PUSH_DEBUG, "OPTIONS IMPORT: explicit notify parm(s) modified");
2616  }
2617  }
2618 
2619  if (found & OPT_P_COMP)
2620  {
2621  if (!check_compression_settings_valid(&c->options.comp, D_PUSH_ERRORS))
2622  {
2623  msg(D_PUSH_ERRORS, "OPTIONS ERROR: server pushed compression "
2624  "settings that are not allowed and will result "
2625  "in a non-working connection. "
2626  "See also allow-compression in the manual.");
2627  return false;
2628  }
2629 #ifdef USE_COMP
2630  msg(D_PUSH_DEBUG, "OPTIONS IMPORT: compression parms modified");
2631  comp_uninit(c->c2.comp_context);
2632  c->c2.comp_context = comp_init(&c->options.comp);
2633 #endif
2634  }
2635 
2636  if (found & OPT_P_SHAPER)
2637  {
2638  msg(D_PUSH, "OPTIONS IMPORT: traffic shaper enabled");
2639  do_init_traffic_shaper(c);
2640  }
2641 
2642  if (found & OPT_P_SOCKBUF)
2643  {
2644  msg(D_PUSH, "OPTIONS IMPORT: --sndbuf/--rcvbuf options modified");
2645  link_socket_update_buffer_sizes(c->c2.link_socket, c->options.rcvbuf, c->options.sndbuf);
2646  }
2647 
2648  if (found & OPT_P_SOCKFLAGS)
2649  {
2650  msg(D_PUSH, "OPTIONS IMPORT: --socket-flags option modified");
2651  link_socket_update_flags(c->c2.link_socket, c->options.sockflags);
2652  }
2653 
2654  if (found & OPT_P_PERSIST)
2655  {
2656  msg(D_PUSH, "OPTIONS IMPORT: --persist options modified");
2657  }
2658  if (found & OPT_P_UP)
2659  {
2660  msg(D_PUSH, "OPTIONS IMPORT: --ifconfig/up options modified");
2661  }
2662  if (found & OPT_P_ROUTE)
2663  {
2664  msg(D_PUSH, "OPTIONS IMPORT: route options modified");
2665  }
2666  if (found & OPT_P_ROUTE_EXTRAS)
2667  {
2668  msg(D_PUSH, "OPTIONS IMPORT: route-related options modified");
2669  }
2670  if (found & OPT_P_DHCPDNS)
2671  {
2672  msg(D_PUSH, "OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified");
2673  }
2674  if (found & OPT_P_SETENV)
2675  {
2676  msg(D_PUSH, "OPTIONS IMPORT: environment modified");
2677  }
2678 
2679  if (found & OPT_P_PEER_ID)
2680  {
2681  msg(D_PUSH_DEBUG, "OPTIONS IMPORT: peer-id set");
2682  c->c2.tls_multi->use_peer_id = true;
2683  c->c2.tls_multi->peer_id = c->options.peer_id;
2684  }
2685 
2686  /* process (potentially) pushed options */
2687  if (c->options.pull)
2688  {
2689  if (!check_pull_client_ncp(c, found))
2690  {
2691  return false;
2692  }
2693 
2694  /* Check if pushed options are compatible with DCO, if enabled */
2695  if (dco_enabled(&c->options)
2696  && !dco_check_pull_options(D_PUSH_ERRORS, &c->options))
2697  {
2698  msg(D_PUSH_ERRORS, "OPTIONS ERROR: pushed options are incompatible "
2699  "with data channel offload. Use --disable-dco to connect to "
2700  "this server");
2701  return false;
2702  }
2703  }
2704 
2705  if (found & OPT_P_PUSH_MTU)
2706  {
2707  /* MTU has changed, check that the pushed MTU is small enough to
2708  * be able to change it */
2709  msg(D_PUSH, "OPTIONS IMPORT: tun-mtu set to %d", c->options.ce.tun_mtu);
2710 
2711  struct frame *frame = &c->c2.frame;
2712 
2713  if (c->options.ce.tun_mtu > frame->tun_max_mtu)
2714  {
2715  msg(D_PUSH_ERRORS, "Server-pushed tun-mtu is too large, please add "
2716  "tun-mtu-max %d in the client configuration",
2717  c->options.ce.tun_mtu);
2718  }
2719  frame->tun_mtu = min_int(frame->tun_max_mtu, c->options.ce.tun_mtu);
2720  }
2721 
2722  return true;
2723 }
2724 
2725 /*
2726  * Possible hold on initialization, holdtime is the
2727  * time OpenVPN would wait without management
2728  */
2729 static bool
2730 do_hold(int holdtime)
2731 {
2732 #ifdef ENABLE_MANAGEMENT
2733  if (management)
2734  {
2735  /* block until management hold is released */
2736  if (management_hold(management, holdtime))
2737  {
2738  return true;
2739  }
2740  }
2741 #endif
2742  return false;
2743 }
2744 
2745 /*
2746  * Sleep before restart.
2747  */
2748 static void
2749 socket_restart_pause(struct context *c)
2750 {
2751  int sec = 2;
2752  int backoff = 0;
2753 
2754  switch (c->options.ce.proto)
2755  {
2756  case PROTO_TCP_SERVER:
2757  sec = 1;
2758  break;
2759 
2760  case PROTO_UDP:
2761  case PROTO_TCP_CLIENT:
2762  sec = c->options.ce.connect_retry_seconds;
2763  break;
2764  }
2765 
2766 #ifdef ENABLE_DEBUG
2767  if (GREMLIN_CONNECTION_FLOOD_LEVEL(c->options.gremlin))
2768  {
2769  sec = 0;
2770  }
2771 #endif
2772 
2773  if (auth_retry_get() == AR_NOINTERACT)
2774  {
2775  sec = 10;
2776  }
2777 
2778  /* Slow down reconnection after 5 retries per remote -- for TCP client or UDP tls-client only */
2779  if (c->options.ce.proto == PROTO_TCP_CLIENT
2780  || (c->options.ce.proto == PROTO_UDP && c->options.tls_client))
2781  {
2782  backoff = (c->options.unsuccessful_attempts / c->options.connection_list->len) - 4;
2783  if (backoff > 0)
2784  {
2785  /* sec is less than 2^16; we can left shift it by up to 15 bits without overflow */
2786  sec = max_int(sec, 1) << min_int(backoff, 15);
2787  }
2788  if (c->options.server_backoff_time)
2789  {
2790  sec = max_int(sec, c->options.server_backoff_time);
2791  c->options.server_backoff_time = 0;
2792  }
2793 
2794  if (sec > c->options.ce.connect_retry_seconds_max)
2795  {
2796  sec = c->options.ce.connect_retry_seconds_max;
2797  }
2798  }
2799 
2800  if (c->persist.restart_sleep_seconds > 0 && c->persist.restart_sleep_seconds > sec)
2801  {
2802  sec = c->persist.restart_sleep_seconds;
2803  }
2804  else if (c->persist.restart_sleep_seconds == -1)
2805  {
2806  sec = 0;
2807  }
2808  c->persist.restart_sleep_seconds = 0;
2809 
2810  /* do management hold on context restart, i.e. second, third, fourth, etc. initialization */
2811  if (do_hold(sec))
2812  {
2813  sec = 0;
2814  }
2815 
2816  if (sec)
2817  {
2818  msg(D_RESTART, "Restart pause, %d second(s)", sec);
2819  management_sleep(sec);
2820  }
2821 }
2822 
2823 /*
2824  * Do a possible pause on context_2 initialization.
2825  */
2826 static void
2827 do_startup_pause(struct context *c)
2828 {
2829  if (!c->first_time)
2830  {
2831  socket_restart_pause(c);
2832  }
2833  else
2834  {
2835  do_hold(0); /* do management hold on first context initialization */
2836  }
2837 }
2838 
2839 static size_t
2840 get_frame_mtu(struct context *c, const struct options *o)
2841 {
2842  size_t mtu;
2843 
2844  if (o->ce.link_mtu_defined)
2845  {
2846  ASSERT(o->ce.link_mtu_defined);
2847  /* if we have a link mtu defined we calculate what the old code
2848  * would have come up with as tun-mtu */
2849  size_t overhead = frame_calculate_protocol_header_size(&c->c1.ks.key_type,
2850  o, true);
2851  mtu = o->ce.link_mtu - overhead;
2852 
2853  }
2854  else
2855  {
2856  ASSERT(o->ce.tun_mtu_defined);
2857  mtu = o->ce.tun_mtu;
2858  }
2859 
2860  if (mtu < TUN_MTU_MIN)
2861  {
2862  msg(M_WARN, "TUN MTU value (%zu) must be at least %d", mtu, TUN_MTU_MIN);
2863  frame_print(&c->c2.frame, M_FATAL, "MTU is too small");
2864  }
2865  return mtu;
2866 }
2867 
2868 /*
2869  * Finalize MTU parameters based on command line or config file options.
2870  */
2871 static void
2872 frame_finalize_options(struct context *c, const struct options *o)
2873 {
2874  if (!o)
2875  {
2876  o = &c->options;
2877  }
2878 
2879  struct frame *frame = &c->c2.frame;
2880 
2881  frame->tun_mtu = get_frame_mtu(c, o);
2882  frame->tun_max_mtu = o->ce.tun_mtu_max;
2883 
2884  /* max mtu needs to be at least as large as the tun mtu */
2885  frame->tun_max_mtu = max_int(frame->tun_mtu, frame->tun_max_mtu);
2886 
2887  /* We always allow at least 1600 MTU packets to be received in our buffer
2888  * space to allow server to push "baby giant" MTU sizes */
2889  frame->tun_max_mtu = max_int(1600, frame->tun_max_mtu);
2890 
2891  size_t payload_size = frame->tun_max_mtu;
2892 
2893  /* we need to be also large enough to hold larger control channel packets
2894  * if configured */
2895  payload_size = max_int(payload_size, o->ce.tls_mtu);
2896 
2897  /* The extra tun needs to be added to the payload size */
2898  if (o->ce.tun_mtu_defined)
2899  {
2900  payload_size += o->ce.tun_mtu_extra;
2901  }
2902 
2903  /* Add 32 byte of extra space in the buffer to account for small errors
2904  * in the calculation */
2905  payload_size += 32;
2906 
2907 
2908  /* the space that is reserved before the payload to add extra headers to it
2909  * we always reserve the space for the worst case */
2910  size_t headroom = 0;
2911 
2912  /* includes IV and packet ID */
2913  headroom += crypto_max_overhead();
2914 
2915  /* peer id + opcode */
2916  headroom += 4;
2917 
2918  /* socks proxy header */
2919  headroom += 10;
2920 
2921  /* compression header and fragment header (part of the encrypted payload) */
2922  headroom += 1 + 1;
2923 
2924  /* Round up headroom to the next multiple of 4 to ensure alignment */
2925  headroom = (headroom + 3) & ~3;
2926 
2927  /* Add the headroom to the payloadsize as a received (IP) packet can have
2928  * all the extra headers in it */
2929  payload_size += headroom;
2930 
2931  /* the space after the payload, this needs some extra buffer space for
2932  * encryption so headroom is probably too much but we do not really care
2933  * the few extra bytes */
2934  size_t tailroom = headroom;
2935 
2936 #ifdef USE_COMP
2937  msg(D_MTU_DEBUG, "MTU: adding %zu buffer tailroom for compression for %zu "
2938  "bytes of payload",
2939  COMP_EXTRA_BUFFER(payload_size), payload_size);
2940  tailroom += COMP_EXTRA_BUFFER(payload_size);
2941 #endif
2942 
2943  frame->buf.payload_size = payload_size;
2944  frame->buf.headroom = headroom;
2945  frame->buf.tailroom = tailroom;
2946 }
2947 
2948 /*
2949  * Free a key schedule, including OpenSSL components.
2950  */
2951 static void
2952 key_schedule_free(struct key_schedule *ks, bool free_ssl_ctx)
2953 {
2954  free_key_ctx_bi(&ks->static_key);
2955  if (tls_ctx_initialised(&ks->ssl_ctx) && free_ssl_ctx)
2956  {
2957  tls_ctx_free(&ks->ssl_ctx);
2958  free_key_ctx(&ks->auth_token_key);
2959  }
2960  CLEAR(*ks);
2961 }
2962 
2963 static void
2964 init_crypto_pre(struct context *c, const unsigned int flags)
2965 {
2966  if (c->options.engine)
2967  {
2968  crypto_init_lib_engine(c->options.engine);
2969  }
2970 
2971  if (flags & CF_LOAD_PERSISTED_PACKET_ID)
2972  {
2973  /* load a persisted packet-id for cross-session replay-protection */
2974  if (c->options.packet_id_file)
2975  {
2976  packet_id_persist_load(&c->c1.pid_persist, c->options.packet_id_file);
2977  }
2978  }
2979 
2980 #ifdef ENABLE_PREDICTION_RESISTANCE
2981  if (c->options.use_prediction_resistance)
2982  {
2983  rand_ctx_enable_prediction_resistance();
2984  }
2985 #endif
2986 }
2987 
2988 /*
2989  * Static Key Mode (using a pre-shared key)
2990  */
2991 static void
2992 do_init_crypto_static(struct context *c, const unsigned int flags)
2993 {
2994  const struct options *options = &c->options;
2995  ASSERT(options->shared_secret_file);
2996 
2997  init_crypto_pre(c, flags);
2998 
2999  /* Initialize flags */
3000  if (c->options.mute_replay_warnings)
3001  {
3002  c->c2.crypto_options.flags |= CO_MUTE_REPLAY_WARNINGS;
3003  }
3004 
3005  /* Initialize packet ID tracking */
3006  packet_id_init(&c->c2.crypto_options.packet_id,
3007  options->replay_window,
3008  options->replay_time,
3009  "STATIC", 0);
3010  c->c2.crypto_options.pid_persist = &c->c1.pid_persist;
3011  c->c2.crypto_options.flags |= CO_PACKET_ID_LONG_FORM;
3012  packet_id_persist_load_obj(&c->c1.pid_persist,
3013  &c->c2.crypto_options.packet_id);
3014 
3015  if (!key_ctx_bi_defined(&c->c1.ks.static_key))
3016  {
3017  /* Get cipher & hash algorithms */
3018  init_key_type(&c->c1.ks.key_type, options->ciphername, options->authname,
3019  options->test_crypto, true);
3020 
3021  /* Read cipher and hmac keys from shared secret file */
3022  crypto_read_openvpn_key(&c->c1.ks.key_type, &c->c1.ks.static_key,
3023  options->shared_secret_file,
3024  options->shared_secret_file_inline,
3025  options->key_direction, "Static Key Encryption",
3026  "secret", NULL);
3027  }
3028  else
3029  {
3030  msg(M_INFO, "Re-using pre-shared static key");
3031  }
3032 
3033  /* Get key schedule */
3034  c->c2.crypto_options.key_ctx_bi = c->c1.ks.static_key;
3035 }
3036 
3037 /*
3038  * Initialize the tls-auth/crypt key context
3039  */
3040 static void
3041 do_init_tls_wrap_key(struct context *c)
3042 {
3043  const struct options *options = &c->options;
3044 
3045  /* TLS handshake authentication (--tls-auth) */
3046  if (options->ce.tls_auth_file)
3047  {
3048  /* Initialize key_type for tls-auth with auth only */
3049  CLEAR(c->c1.ks.tls_auth_key_type);
3050  c->c1.ks.tls_auth_key_type.cipher = "none";
3051  c->c1.ks.tls_auth_key_type.digest = options->authname;
3052  if (!md_valid(options->authname))
3053  {
3054  msg(M_FATAL, "ERROR: tls-auth enabled, but no valid --auth "
3055  "algorithm specified ('%s')", options->authname);
3056  }
3057 
3058  crypto_read_openvpn_key(&c->c1.ks.tls_auth_key_type,
3059  &c->c1.ks.tls_wrap_key,
3060  options->ce.tls_auth_file,
3061  options->ce.tls_auth_file_inline,
3062  options->ce.key_direction,
3063  "Control Channel Authentication", "tls-auth",
3064  &c->c1.ks.original_wrap_keydata);
3065  }
3066 
3067  /* TLS handshake encryption+authentication (--tls-crypt) */
3068  if (options->ce.tls_crypt_file)
3069  {
3070  tls_crypt_init_key(&c->c1.ks.tls_wrap_key,
3071  &c->c1.ks.original_wrap_keydata,
3072  options->ce.tls_crypt_file,
3073  options->ce.tls_crypt_file_inline,
3074  options->tls_server);
3075  }
3076 
3077  /* tls-crypt with client-specific keys (--tls-crypt-v2) */
3078  if (options->ce.tls_crypt_v2_file)
3079  {
3080  if (options->tls_server)
3081  {
3082  tls_crypt_v2_init_server_key(&c->c1.ks.tls_crypt_v2_server_key,
3083  true, options->ce.tls_crypt_v2_file,
3084  options->ce.tls_crypt_v2_file_inline);
3085  }
3086  else
3087  {
3088  tls_crypt_v2_init_client_key(&c->c1.ks.tls_wrap_key,
3089  &c->c1.ks.original_wrap_keydata,
3090  &c->c1.ks.tls_crypt_v2_wkc,
3091  options->ce.tls_crypt_v2_file,
3092  options->ce.tls_crypt_v2_file_inline);
3093  }
3094  /* We have to ensure that the loaded tls-crypt key is small enough
3095  * to fit into the initial hard reset v3 packet */
3096  int wkc_len = buf_len(&c->c1.ks.tls_crypt_v2_wkc);
3097 
3098  /* empty ACK/message id, tls-crypt, Opcode, UDP, ipv6 */
3099  int required_size = 5 + wkc_len + tls_crypt_buf_overhead() + 1 + 8 + 40;
3100 
3101  if (required_size > c->options.ce.tls_mtu)
3102  {
3103  msg(M_WARN, "ERROR: tls-crypt-v2 client key too large to work with "
3104  "requested --max-packet-size %d, requires at least "
3105  "--max-packet-size %d. Packets will ignore requested "
3106  "maximum packet size", c->options.ce.tls_mtu,
3107  required_size);
3108  }
3109  }
3110 
3111 
3112 }
3113 
3114 /*
3115  * Initialize the persistent component of OpenVPN's TLS mode,
3116  * which is preserved across SIGUSR1 resets.
3117  */
3118 static void
3119 do_init_crypto_tls_c1(struct context *c)
3120 {
3121  const struct options *options = &c->options;
3122 
3123  if (!tls_ctx_initialised(&c->c1.ks.ssl_ctx))
3124  {
3125  /*
3126  * Initialize the OpenSSL library's global
3127  * SSL context.
3128  */
3129  init_ssl(options, &(c->c1.ks.ssl_ctx), c->c0 && c->c0->uid_gid_chroot_set);
3130  if (!tls_ctx_initialised(&c->c1.ks.ssl_ctx))
3131  {
3132  switch (auth_retry_get())
3133  {
3134  case AR_NONE:
3135  msg(M_FATAL, "Error: private key password verification failed");
3136  break;
3137 
3138  case AR_INTERACT:
3139  ssl_purge_auth(false);
3140  /* Intentional [[fallthrough]]; */
3141 
3142  case AR_NOINTERACT:
3143  /* SOFT-SIGUSR1 -- Password failure error */
3144  register_signal(c->sig, SIGUSR1, "private-key-password-failure");
3145  break;
3146 
3147  default:
3148  ASSERT(0);
3149  }
3150  return;
3151  }
3152 
3153  /*
3154  * BF-CBC is allowed to be used only when explicitly configured
3155  * as NCP-fallback or when NCP has been disabled or explicitly
3156  * allowed in the in ncp_ciphers list.
3157  * In all other cases do not attempt to initialize BF-CBC as it
3158  * may not even be supported by the underlying SSL library.
3159  *
3160  * Therefore, the key structure has to be initialized when:
3161  * - any non-BF-CBC cipher was selected; or
3162  * - BF-CBC is selected, NCP is enabled and fallback is enabled
3163  * (BF-CBC will be the fallback).
3164  * - BF-CBC is in data-ciphers and we negotiate to use BF-CBC:
3165  * If the negotiated cipher and options->ciphername are the
3166  * same we do not reinit the cipher
3167  *
3168  * Note that BF-CBC will still be part of the OCC string to retain
3169  * backwards compatibility with older clients.
3170  */
3171  const char *ciphername = options->ciphername;
3172  if (streq(options->ciphername, "BF-CBC")
3173  && !tls_item_in_cipher_list("BF-CBC", options->ncp_ciphers)
3174  && !options->enable_ncp_fallback)
3175  {
3176  ciphername = "none";
3177  }
3178 
3179  /* Do not warn if the cipher is used only in OCC */
3180  bool warn = options->enable_ncp_fallback;
3181  init_key_type(&c->c1.ks.key_type, ciphername, options->authname,
3182  true, warn);
3183 
3184  /* initialize tls-auth/crypt/crypt-v2 key */
3185  do_init_tls_wrap_key(c);
3186 
3187  /* initialise auth-token crypto support */
3188  if (c->options.auth_token_generate)
3189  {
3190  auth_token_init_secret(&c->c1.ks.auth_token_key,
3191  c->options.auth_token_secret_file,
3192  c->options.auth_token_secret_file_inline);
3193  }
3194 
3195 #if 0 /* was: #if ENABLE_INLINE_FILES -- Note that enabling this code will break restarts */
3196  if (options->priv_key_file_inline)
3197  {
3198  string_clear(c->options.priv_key_file_inline);
3199  c->options.priv_key_file_inline = NULL;
3200  }
3201 #endif
3202  }
3203  else
3204  {
3205  msg(D_INIT_MEDIUM, "Re-using SSL/TLS context");
3206 
3207  /*
3208  * tls-auth/crypt key can be configured per connection block, therefore
3209  * we must reload it as it may have changed
3210  */
3211  do_init_tls_wrap_key(c);
3212  }
3213 }
3214 
3215 static void
3216 do_init_crypto_tls(struct context *c, const unsigned int flags)
3217 {
3218  const struct options *options = &c->options;
3219  struct tls_options to;
3220  bool packet_id_long_form;
3221 
3222  ASSERT(options->tls_server || options->tls_client);
3223  ASSERT(!options->test_crypto);
3224 
3225  init_crypto_pre(c, flags);
3226 
3227  /* Make sure we are either a TLS client or server but not both */
3228  ASSERT(options->tls_server == !options->tls_client);
3229 
3230  /* initialize persistent component */
3231  do_init_crypto_tls_c1(c);
3232  if (IS_SIG(c))
3233  {
3234  return;
3235  }
3236 
3237  /* In short form, unique datagram identifier is 32 bits, in long form 64 bits */
3238  packet_id_long_form = cipher_kt_mode_ofb_cfb(c->c1.ks.key_type.cipher);
3239 
3240  /* Set all command-line TLS-related options */
3241  CLEAR(to);
3242 
3243  if (options->mute_replay_warnings)
3244  {
3245  to.crypto_flags |= CO_MUTE_REPLAY_WARNINGS;
3246  }
3247 
3248  to.crypto_flags &= ~(CO_PACKET_ID_LONG_FORM);
3249  if (packet_id_long_form)
3250  {
3251  to.crypto_flags |= CO_PACKET_ID_LONG_FORM;
3252  }
3253 
3254  to.ssl_ctx = c->c1.ks.ssl_ctx;
3255  to.key_type = c->c1.ks.key_type;
3256  to.server = options->tls_server;
3257  to.replay_window = options->replay_window;
3258  to.replay_time = options->replay_time;
3259  to.tcp_mode = link_socket_proto_connection_oriented(options->ce.proto);
3260  to.config_ciphername = c->options.ciphername;
3261  to.config_ncp_ciphers = c->options.ncp_ciphers;
3262  to.transition_window = options->transition_window;
3263  to.handshake_window = options->handshake_window;
3264  to.packet_timeout = options->tls_timeout;
3265  to.renegotiate_bytes = options->renegotiate_bytes;
3266  to.renegotiate_packets = options->renegotiate_packets;
3267  if (options->renegotiate_seconds_min < 0)
3268  {
3269  /* Add 10% jitter to reneg-sec by default (server side only) */
3270  int auto_jitter = options->mode != MODE_SERVER ? 0 :
3271  get_random() % max_int(options->renegotiate_seconds / 10, 1);
3272  to.renegotiate_seconds = options->renegotiate_seconds - auto_jitter;
3273  }
3274  else
3275  {
3276  /* Add user-specified jitter to reneg-sec */
3277  to.renegotiate_seconds = options->renegotiate_seconds
3278  -(get_random() % max_int(options->renegotiate_seconds
3279  - options->renegotiate_seconds_min, 1));
3280  }
3281  to.single_session = options->single_session;
3282  to.mode = options->mode;
3283  to.pull = options->pull;
3284  if (options->push_peer_info) /* all there is */
3285  {
3286  to.push_peer_info_detail = 3;
3287  }
3288  else if (options->pull) /* pull clients send some details */
3289  {
3290  to.push_peer_info_detail = 2;
3291  }
3292  else if (options->mode == MODE_SERVER) /* server: no peer info at all */
3293  {
3294  to.push_peer_info_detail = 0;
3295  }
3296  else /* default: minimal info to allow NCP in P2P mode */
3297  {
3298  to.push_peer_info_detail = 1;
3299  }
3300 
3301 
3302  /* should we not xmit any packets until we get an initial
3303  * response from client? */
3304  if (to.server && options->ce.proto == PROTO_TCP_SERVER)
3305  {
3306  to.xmit_hold = true;
3307  }
3308 
3309  to.verify_command = options->tls_verify;
3310  to.verify_x509_type = (options->verify_x509_type & 0xff);
3311  to.verify_x509_name = options->verify_x509_name;
3312  to.crl_file = options->crl_file;
3313  to.crl_file_inline = options->crl_file_inline;
3314  to.ssl_flags = options->ssl_flags;
3315  to.ns_cert_type = options->ns_cert_type;
3316  memcpy(to.remote_cert_ku, options->remote_cert_ku, sizeof(to.remote_cert_ku));
3317  to.remote_cert_eku = options->remote_cert_eku;
3318  to.verify_hash = options->verify_hash;
3319  to.verify_hash_algo = options->verify_hash_algo;
3320  to.verify_hash_depth = options->verify_hash_depth;
3321  to.verify_hash_no_ca = options->verify_hash_no_ca;
3322 #ifdef ENABLE_X509ALTUSERNAME
3323  memcpy(to.x509_username_field, options->x509_username_field, sizeof(to.x509_username_field));
3324 #else
3325  to.x509_username_field[0] = X509_USERNAME_FIELD_DEFAULT;
3326 #endif
3327  to.es = c->c2.es;
3328  to.net_ctx = &c->net_ctx;
3329 
3330 #ifdef ENABLE_DEBUG
3331  to.gremlin = c->options.gremlin;
3332 #endif
3333 
3334  to.plugins = c->plugins;
3335 
3336 #ifdef ENABLE_MANAGEMENT
3337  to.mda_context = &c->c2.mda_context;
3338 #endif
3339 
3340  to.auth_user_pass_verify_script = options->auth_user_pass_verify_script;
3341  to.auth_user_pass_verify_script_via_file = options->auth_user_pass_verify_script_via_file;
3342  to.client_crresponse_script = options->client_crresponse_script;
3343  to.tmp_dir = options->tmp_dir;
3344  to.export_peer_cert_dir = options->tls_export_peer_cert_dir;
3345  if (options->ccd_exclusive)
3346  {
3347  to.client_config_dir_exclusive = options->client_config_dir;
3348  }
3349  to.auth_user_pass_file = options->auth_user_pass_file;
3350  to.auth_user_pass_file_inline = options->auth_user_pass_file_inline;
3351  to.auth_token_generate = options->auth_token_generate;
3352  to.auth_token_lifetime = options->auth_token_lifetime;
3353  to.auth_token_renewal = options->auth_token_renewal;
3354  to.auth_token_call_auth = options->auth_token_call_auth;
3355  to.auth_token_key = c->c1.ks.auth_token_key;
3356 
3357  to.x509_track = options->x509_track;
3358 
3359 #ifdef ENABLE_MANAGEMENT
3360  to.sci = &options->sc_info;
3361 #endif
3362 
3363 #ifdef USE_COMP
3364  to.comp_options = options->comp;
3365 #endif
3366 
3367 #ifdef HAVE_EXPORT_KEYING_MATERIAL
3368  if (options->keying_material_exporter_label)
3369  {
3370  to.ekm_size = options->keying_material_exporter_length;
3371  if (to.ekm_size < 16 || to.ekm_size > 4095)
3372  {
3373  to.ekm_size = 0;
3374  }
3375 
3376  to.ekm_label = options->keying_material_exporter_label;
3377  to.ekm_label_size = strlen(to.ekm_label);
3378  }
3379  else
3380  {
3381  to.ekm_size = 0;
3382  }
3383 #endif /* HAVE_EXPORT_KEYING_MATERIAL */
3384 
3385  /* TLS handshake authentication (--tls-auth) */
3386  if (options->ce.tls_auth_file)
3387  {
3388  to.tls_wrap.mode = TLS_WRAP_AUTH;
3389  }
3390 
3391  /* TLS handshake encryption (--tls-crypt) */
3392  if (options->ce.tls_crypt_file
3393  || (options->ce.tls_crypt_v2_file && options->tls_client))
3394  {
3395  to.tls_wrap.mode = TLS_WRAP_CRYPT;
3396  }
3397 
3398  if (to.tls_wrap.mode == TLS_WRAP_AUTH || to.tls_wrap.mode == TLS_WRAP_CRYPT)
3399  {
3400  to.tls_wrap.opt.key_ctx_bi = c->c1.ks.tls_wrap_key;
3401  to.tls_wrap.opt.pid_persist = &c->c1.pid_persist;
3402  to.tls_wrap.opt.flags |= CO_PACKET_ID_LONG_FORM;
3403  to.tls_wrap.original_wrap_keydata = c->c1.ks.original_wrap_keydata;
3404  }
3405 
3406  if (options->ce.tls_crypt_v2_file)
3407  {
3408  to.tls_crypt_v2 = true;
3409  to.tls_wrap.tls_crypt_v2_wkc = &c->c1.ks.tls_crypt_v2_wkc;
3410 
3411  if (options->tls_server)
3412  {
3413  to.tls_wrap.tls_crypt_v2_server_key = c->c1.ks.tls_crypt_v2_server_key;
3414  to.tls_crypt_v2_verify_script = c->options.tls_crypt_v2_verify_script;
3415  if (options->ce.tls_crypt_v2_force_cookie)
3416  {
3417  to.tls_wrap.opt.flags |= CO_FORCE_TLSCRYPTV2_COOKIE;
3418  }
3419  }
3420  }
3421 
3422  /* let the TLS engine know if keys have to be installed in DCO or not */
3423  to.dco_enabled = dco_enabled(options);
3424 
3425  /*
3426  * Initialize OpenVPN's master TLS-mode object.
3427  */
3428  if (flags & CF_INIT_TLS_MULTI)
3429  {
3430  c->c2.tls_multi = tls_multi_init(&to);
3431  /* inherit the dco context from the tuntap object */
3432  if (c->c1.tuntap)
3433  {
3434  c->c2.tls_multi->dco = &c->c1.tuntap->dco;
3435  }
3436  }
3437 
3438  if (flags & CF_INIT_TLS_AUTH_STANDALONE)
3439  {
3440  c->c2.tls_auth_standalone = tls_auth_standalone_init(&to, &c->c2.gc);
3441  c->c2.session_id_hmac = session_id_hmac_init();
3442  }
3443 }
3444 
3445 static void
3446 do_init_frame_tls(struct context *c)
3447 {
3448  if (c->c2.tls_multi)
3449  {
3450  tls_multi_init_finalize(c->c2.tls_multi, c->options.ce.tls_mtu);
3451  ASSERT(c->c2.tls_multi->opt.frame.buf.payload_size <=
3452  c->c2.frame.buf.payload_size);
3453  frame_print(&c->c2.tls_multi->opt.frame, D_MTU_INFO,
3454  "Control Channel MTU parms");
3455 
3456  /* Keep the max mtu also in the frame of tls multi so it can access
3457  * it in push_peer_info */
3458  c->c2.tls_multi->opt.frame.tun_max_mtu = c->c2.frame.tun_max_mtu;
3459  }
3460  if (c->c2.tls_auth_standalone)
3461  {
3462  tls_init_control_channel_frame_parameters(&c->c2.tls_auth_standalone->frame, c->options.ce.tls_mtu);
3463  frame_print(&c->c2.tls_auth_standalone->frame, D_MTU_INFO,
3464  "TLS-Auth MTU parms");
3465  c->c2.tls_auth_standalone->tls_wrap.work = alloc_buf_gc(BUF_SIZE(&c->c2.frame), &c->c2.gc);
3466  c->c2.tls_auth_standalone->workbuf = alloc_buf_gc(BUF_SIZE(&c->c2.frame), &c->c2.gc);
3467  }
3468 }
3469 
3470 /*
3471  * No encryption or authentication.
3472  */
3473 static void
3474 do_init_crypto_none(struct context *c)
3475 {
3476  ASSERT(!c->options.test_crypto);
3477 
3478  /* Initialise key_type with auth/cipher "none", so the key_type struct is
3479  * valid */
3480  init_key_type(&c->c1.ks.key_type, "none", "none",
3481  c->options.test_crypto, true);
3482 
3483  msg(M_WARN,
3484  "******* WARNING *******: All encryption and authentication features "
3485  "disabled -- All data will be tunnelled as clear text and will not be "
3486  "protected against man-in-the-middle changes. "
3487  "PLEASE DO RECONSIDER THIS CONFIGURATION!");
3488 }
3489 
3490 static void
3491 do_init_crypto(struct context *c, const unsigned int flags)
3492 {
3493  if (c->options.shared_secret_file)
3494  {
3495  do_init_crypto_static(c, flags);
3496  }
3497  else if (c->options.tls_server || c->options.tls_client)
3498  {
3499  do_init_crypto_tls(c, flags);
3500  }
3501  else /* no encryption or authentication. */
3502  {
3503  do_init_crypto_none(c);
3504  }
3505 }
3506 
3507 static void
3508 do_init_frame(struct context *c)
3509 {
3510  /*
3511  * Adjust frame size based on the --tun-mtu-extra parameter.
3512  */
3513  if (c->options.ce.tun_mtu_extra_defined)
3514  {
3515  c->c2.frame.extra_tun += c->options.ce.tun_mtu_extra;
3516  }
3517 
3518  /*
3519  * Fill in the blanks in the frame parameters structure,
3520  * make sure values are rational, etc.
3521  */
3522  frame_finalize_options(c, NULL);
3523 
3524 
3525 #if defined(ENABLE_FRAGMENT)
3526  /*
3527  * MTU advisories
3528  */
3529  if (c->options.ce.fragment && c->options.mtu_test)
3530  {
3531  msg(M_WARN,
3532  "WARNING: using --fragment and --mtu-test together may produce an inaccurate MTU test result");
3533  }
3534 #endif
3535 
3536 #ifdef ENABLE_FRAGMENT
3537  if (c->options.ce.fragment > 0 && c->options.ce.mssfix > c->options.ce.fragment)
3538  {
3539  msg(M_WARN, "WARNING: if you use --mssfix and --fragment, you should "
3540  "set --fragment (%d) larger or equal than --mssfix (%d)",
3541  c->options.ce.fragment, c->options.ce.mssfix);
3542  }
3543  if (c->options.ce.fragment > 0 && c->options.ce.mssfix > 0
3544  && c->options.ce.fragment_encap != c->options.ce.mssfix_encap)
3545  {
3546  msg(M_WARN, "WARNING: if you use --mssfix and --fragment, you should "
3547  "use the \"mtu\" flag for both or none of of them.");
3548  }
3549 #endif
3550 }
3551 
3552 static void
3553 do_option_warnings(struct context *c)
3554 {
3555  const struct options *o = &c->options;
3556 
3557  if (o->ping_send_timeout && !o->ping_rec_timeout)
3558  {
3559  msg(M_WARN, "WARNING: --ping should normally be used with --ping-restart or --ping-exit");
3560  }
3561 
3562  if (o->username || o->groupname || o->chroot_dir
3563 #ifdef ENABLE_SELINUX
3564  || o->selinux_context
3565 #endif
3566  )
3567  {
3568  if (!o->persist_tun)
3569  {
3570  msg(M_WARN, "WARNING: you are using user/group/chroot/setcon without persist-tun -- this may cause restarts to fail");
3571  }
3572  }
3573 
3574  if (o->chroot_dir && !(o->username && o->groupname))
3575  {
3576  msg(M_WARN, "WARNING: you are using chroot without specifying user and group -- this may cause the chroot jail to be insecure");
3577  }
3578 
3579  if (o->pull && o->ifconfig_local && c->first_time)
3580  {
3581  msg(M_WARN, "WARNING: using --pull/--client and --ifconfig together is probably not what you want");
3582  }
3583 
3584  if (o->server_bridge_defined || o->server_bridge_proxy_dhcp)
3585  {
3586  msg(M_WARN, "NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to");
3587  }
3588 
3589  if (o->mode == MODE_SERVER)
3590  {
3591  if (o->duplicate_cn && o->client_config_dir)
3592  {
3593  msg(M_WARN, "WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want");
3594  }
3595  if (o->duplicate_cn && o->ifconfig_pool_persist_filename)
3596  {
3597  msg(M_WARN, "WARNING: --ifconfig-pool-persist will not work with --duplicate-cn");
3598  }
3599  if (!o->keepalive_ping || !o->keepalive_timeout)
3600  {
3601  msg(M_WARN, "WARNING: --keepalive option is missing from server config");
3602  }
3603  }
3604 
3605  if (o->tls_server)
3606  {
3607  warn_on_use_of_common_subnets(&c->net_ctx);
3608  }
3609  if (o->tls_client
3610  && !o->tls_verify
3611  && o->verify_x509_type == VERIFY_X509_NONE
3612  && !(o->ns_cert_type & NS_CERT_CHECK_SERVER)
3613  && !o->remote_cert_eku
3614  && !(o->verify_hash_depth == 0 && o->verify_hash))
3615  {
3616  msg(M_WARN, "WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.");
3617  }
3618  if (o->ns_cert_type)
3619  {
3620  msg(M_WARN, "WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.");
3621  }
3622 
3623  /* If a script is used, print appropriate warnings */
3624  if (o->user_script_used)
3625  {
3626  if (script_security() >= SSEC_SCRIPTS)
3627  {
3628  msg(M_WARN, "NOTE: the current --script-security setting may allow this configuration to call user-defined scripts");
3629  }
3630  else if (script_security() >= SSEC_PW_ENV)
3631  {
3632  msg(M_WARN, "WARNING: the current --script-security setting may allow passwords to be passed to scripts via environmental variables");
3633  }
3634  else
3635  {
3636  msg(M_WARN, "NOTE: starting with " PACKAGE_NAME " 2.1, '--script-security 2' or higher is required to call user-defined scripts or executables");
3637  }
3638  }
3639 }
3640 
3641 struct context_buffers *
3642 init_context_buffers(const struct frame *frame)
3643 {
3644  struct context_buffers *b;
3645 
3646  ALLOC_OBJ_CLEAR(b, struct context_buffers);
3647 
3648  size_t buf_size = BUF_SIZE(frame);
3649 
3650  b->read_link_buf = alloc_buf(buf_size);
3651  b->read_tun_buf = alloc_buf(buf_size);
3652 
3653  b->aux_buf = alloc_buf(buf_size);
3654 
3655  b->encrypt_buf = alloc_buf(buf_size);
3656  b->decrypt_buf = alloc_buf(buf_size);
3657 
3658 #ifdef USE_COMP
3659  b->compress_buf = alloc_buf(buf_size);
3660  b->decompress_buf = alloc_buf(buf_size);
3661 #endif
3662 
3663  return b;
3664 }
3665 
3666 void
3667 free_context_buffers(struct context_buffers *b)
3668 {
3669  if (b)
3670  {
3671  free_buf(&b->read_link_buf);
3672  free_buf(&b->read_tun_buf);
3673  free_buf(&b->aux_buf);
3674 
3675 #ifdef USE_COMP
3676  free_buf(&b->compress_buf);
3677  free_buf(&b->decompress_buf);
3678 #endif
3679 
3680  free_buf(&b->encrypt_buf);
3681  free_buf(&b->decrypt_buf);
3682 
3683  free(b);
3684  }
3685 }
3686 
3687 /*
3688  * Now that we know all frame parameters, initialize
3689  * our buffers.
3690  */
3691 static void
3692 do_init_buffers(struct context *c)
3693 {
3694  c->c2.buffers = init_context_buffers(&c->c2.frame);
3695  c->c2.buffers_owned = true;
3696 }
3697 
3698 #ifdef ENABLE_FRAGMENT
3699 /*
3700  * Fragmenting code has buffers to initialize
3701  * once frame parameters are known.
3702  */
3703 static void
3704 do_init_fragment(struct context *c)
3705 {
3706  ASSERT(c->options.ce.fragment);
3707 
3708  /*
3709  * Set frame parameter for fragment code. This is necessary because
3710  * the fragmentation code deals with payloads which have already been
3711  * passed through the compression code.
3712  */
3713  c->c2.frame_fragment = c->c2.frame;
3714 
3715  frame_calculate_dynamic(&c->c2.frame_fragment, &c->c1.ks.key_type,
3716  &c->options, get_link_socket_info(c));
3717  fragment_frame_init(c->c2.fragment, &c->c2.frame_fragment);
3718 }
3719 #endif
3720 
3721 /*
3722  * Allocate our socket object.
3723  */
3724 static void
3725 do_link_socket_new(struct context *c)
3726 {
3727  ASSERT(!c->c2.link_socket);
3728  c->c2.link_socket = link_socket_new();
3729  c->c2.link_socket_owned = true;
3730 }
3731 
3732 /*
3733  * Print MTU INFO
3734  */
3735 static void
3736 do_print_data_channel_mtu_parms(struct context *c)
3737 {
3738  frame_print(&c->c2.frame, D_MTU_INFO, "Data Channel MTU parms");
3739 #ifdef ENABLE_FRAGMENT
3740  if (c->c2.fragment)
3741  {
3742  frame_print(&c->c2.frame_fragment, D_MTU_INFO,
3743  "Fragmentation MTU parms");
3744  }
3745 #endif
3746 }
3747 
3748 /*
3749  * Get local and remote options compatibility strings.
3750  */
3751 static void
3752 do_compute_occ_strings(struct context *c)
3753 {
3754  struct gc_arena gc = gc_new();
3755 
3756  c->c2.options_string_local =
3757  options_string(&c->options, &c->c2.frame, c->c1.tuntap, &c->net_ctx,
3758  false, &gc);
3759  c->c2.options_string_remote =
3760  options_string(&c->options, &c->c2.frame, c->c1.tuntap, &c->net_ctx,
3761  true, &gc);
3762 
3763  msg(D_SHOW_OCC, "Local Options String (VER=%s): '%s'",
3764  options_string_version(c->c2.options_string_local, &gc),
3765  c->c2.options_string_local);
3766  msg(D_SHOW_OCC, "Expected Remote Options String (VER=%s): '%s'",
3767  options_string_version(c->c2.options_string_remote, &gc),
3768  c->c2.options_string_remote);
3769 
3770  if (c->c2.tls_multi)
3771  {
3772  tls_multi_init_set_options(c->c2.tls_multi,
3773  c->c2.options_string_local,
3774  c->c2.options_string_remote);
3775  }
3776 
3777  gc_free(&gc);
3778 }
3779 
3780 /*
3781  * These things can only be executed once per program instantiation.
3782  * Set up for possible UID/GID downgrade, but don't do it yet.
3783  * Daemonize if requested.
3784  */
3785 static void
3786 do_init_first_time(struct context *c)
3787 {
3788  if (c->first_time && !c->c0)
3789  {
3790  struct context_0 *c0;
3791 
3792  ALLOC_OBJ_CLEAR_GC(c->c0, struct context_0, &c->gc);
3793  c0 = c->c0;
3794 
3795  /* get user and/or group that we want to setuid/setgid to,
3796  * sets also platform_x_state */
3797  bool group_defined = platform_group_get(c->options.groupname,
3798  &c0->platform_state_group);
3799  bool user_defined = platform_user_get(c->options.username,
3800  &c0->platform_state_user);
3801 
3802  c0->uid_gid_specified = user_defined || group_defined;
3803 
3804  /* perform postponed chdir if --daemon */
3805  if (c->did_we_daemonize && c->options.cd_dir == NULL)
3806  {
3807  platform_chdir("/");
3808  }
3809 
3810  /* should we change scheduling priority? */
3811  platform_nice(c->options.nice);
3812  }
3813 }
3814 
3815 /*
3816  * free buffers
3817  */
3818 static void
3819 do_close_free_buf(struct context *c)
3820 {
3821  if (c->c2.buffers_owned)
3822  {
3823  free_context_buffers(c->c2.buffers);
3824  c->c2.buffers = NULL;
3825  c->c2.buffers_owned = false;
3826  }
3827 }
3828 
3829 /*
3830  * close TLS
3831  */
3832 static void
3833 do_close_tls(struct context *c)
3834 {
3835  if (c->c2.tls_multi)
3836  {
3837  tls_multi_free(c->c2.tls_multi, true);
3838  c->c2.tls_multi = NULL;
3839  }
3840 
3841  /* free options compatibility strings */
3842  free(c->c2.options_string_local);
3843  free(c->c2.options_string_remote);
3844 
3845  c->c2.options_string_local = c->c2.options_string_remote = NULL;
3846 
3847  if (c->c2.pulled_options_state)
3848  {
3849  md_ctx_cleanup(c->c2.pulled_options_state);
3850  md_ctx_free(c->c2.pulled_options_state);
3851  }
3852 
3853  tls_auth_standalone_free(c->c2.tls_auth_standalone);
3854 }
3855 
3856 /*
3857  * Free key schedules
3858  */
3859 static void
3860 do_close_free_key_schedule(struct context *c, bool free_ssl_ctx)
3861 {
3862  /*
3863  * always free the tls_auth/crypt key. The key will
3864  * be reloaded from memory (pre-cached)
3865  */
3866  free_key_ctx(&c->c1.ks.tls_crypt_v2_server_key);
3867  free_key_ctx_bi(&c->c1.ks.tls_wrap_key);
3868  CLEAR(c->c1.ks.tls_wrap_key);
3869  buf_clear(&c->c1.ks.tls_crypt_v2_wkc);
3870  free_buf(&c->c1.ks.tls_crypt_v2_wkc);
3871 
3872  if (!(c->sig->signal_received == SIGUSR1))
3873  {
3874  key_schedule_free(&c->c1.ks, free_ssl_ctx);
3875  }
3876 }
3877 
3878 /*
3879  * Close TCP/UDP connection
3880  */
3881 static void
3882 do_close_link_socket(struct context *c)
3883 {
3884  /* in dco-win case, link socket is a tun handle which is
3885  * closed in do_close_tun(). Set it to UNDEFINED so
3886  * we won't use WinSock API to close it. */
3887  if (tuntap_is_dco_win(c->c1.tuntap) && c->c2.link_socket)
3888  {
3889  c->c2.link_socket->sd = SOCKET_UNDEFINED;
3890  }
3891 
3892  if (c->c2.link_socket && c->c2.link_socket_owned)
3893  {
3894  link_socket_close(c->c2.link_socket);
3895  c->c2.link_socket = NULL;
3896  }
3897 
3898 
3899  /* Preserve the resolved list of remote if the user request to or if we want
3900  * reconnect to the same host again or there are still addresses that need
3901  * to be tried */
3902  if (!(c->sig->signal_received == SIGUSR1
3903  && ( (c->options.persist_remote_ip)
3904  ||
3905  ( c->sig->source != SIG_SOURCE_HARD
3906  && ((c->c1.link_socket_addr.current_remote
3907  && c->c1.link_socket_addr.current_remote->ai_next)
3908  || c->options.no_advance))
3909  )))
3910  {
3911  clear_remote_addrlist(&c->c1.link_socket_addr, !c->options.resolve_in_advance);
3912  }
3913 
3914  /* Clear the remote actual address when persist_remote_ip is not in use */
3915  if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_remote_ip))
3916  {
3917  CLEAR(c->c1.link_socket_addr.actual);
3918  }
3919 
3920  if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_local_ip))
3921  {
3922  if (c->c1.link_socket_addr.bind_local && !c->options.resolve_in_advance)
3923  {
3924  freeaddrinfo(c->c1.link_socket_addr.bind_local);
3925  }
3926 
3927  c->c1.link_socket_addr.bind_local = NULL;
3928  }
3929 }
3930 
3931 /*
3932  * Close packet-id persistence file
3933  */
3934 static void
3935 do_close_packet_id(struct context *c)
3936 {
3937  packet_id_free(&c->c2.crypto_options.packet_id);
3938  packet_id_persist_save(&c->c1.pid_persist);
3939  if (!(c->sig->signal_received == SIGUSR1))
3940  {
3941  packet_id_persist_close(&c->c1.pid_persist);
3942  }
3943 }
3944 
3945 #ifdef ENABLE_FRAGMENT
3946 /*
3947  * Close fragmentation handler.
3948  */
3949 static void
3950 do_close_fragment(struct context *c)
3951 {
3952  if (c->c2.fragment)
3953  {
3954  fragment_free(c->c2.fragment);
3955  c->c2.fragment = NULL;
3956  }
3957 }
3958 #endif
3959 
3960 /*
3961  * Open and close our event objects.
3962  */
3963 
3964 static void
3965 do_event_set_init(struct context *c,
3966  bool need_us_timeout)
3967 {
3968  unsigned int flags = 0;
3969 
3970  c->c2.event_set_max = BASE_N_EVENTS;
3971 
3972  flags |= EVENT_METHOD_FAST;
3973 
3974  if (need_us_timeout)
3975  {
3976  flags |= EVENT_METHOD_US_TIMEOUT;
3977  }
3978 
3979  c->c2.event_set = event_set_init(&c->c2.event_set_max, flags);
3980  c->c2.event_set_owned = true;
3981 }
3982 
3983 static void
3984 do_close_event_set(struct context *c)
3985 {
3986  if (c->c2.event_set && c->c2.event_set_owned)
3987  {
3988  event_free(c->c2.event_set);
3989  c->c2.event_set = NULL;
3990  c->c2.event_set_owned = false;
3991  }
3992 }
3993 
3994 /*
3995  * Open and close --status file
3996  */
3997 
3998 static void
3999 do_open_status_output(struct context *c)
4000 {
4001  if (!c->c1.status_output)
4002  {
4003  c->c1.status_output = status_open(c->options.status_file,
4004  c->options.status_file_update_freq,
4005  -1,
4006  NULL,
4007  STATUS_OUTPUT_WRITE);
4008  c->c1.status_output_owned = true;
4009  }
4010 }
4011 
4012 static void
4013 do_close_status_output(struct context *c)
4014 {
4015  if (!(c->sig->signal_received == SIGUSR1))
4016  {
4017  if (c->c1.status_output_owned && c->c1.status_output)
4018  {
4019  status_close(c->c1.status_output);
4020  c->c1.status_output = NULL;
4021  c->c1.status_output_owned = false;
4022  }
4023  }
4024 }
4025 
4026 /*
4027  * Handle ifconfig-pool persistence object.
4028  */
4029 static void
4030 do_open_ifconfig_pool_persist(struct context *c)
4031 {
4032  if (!c->c1.ifconfig_pool_persist && c->options.ifconfig_pool_persist_filename)
4033  {
4034  c->c1.ifconfig_pool_persist = ifconfig_pool_persist_init(c->options.ifconfig_pool_persist_filename,
4035  c->options.ifconfig_pool_persist_refresh_freq);
4036  c->c1.ifconfig_pool_persist_owned = true;
4037  }
4038 }
4039 
4040 static void
4041 do_close_ifconfig_pool_persist(struct context *c)
4042 {
4043  if (!(c->sig->signal_received == SIGUSR1))
4044  {
4045  if (c->c1.ifconfig_pool_persist && c->c1.ifconfig_pool_persist_owned)
4046  {
4047  ifconfig_pool_persist_close(c->c1.ifconfig_pool_persist);
4048  c->c1.ifconfig_pool_persist = NULL;
4049  c->c1.ifconfig_pool_persist_owned = false;
4050  }
4051  }
4052 }
4053 
4054 /*
4055  * Inherit environmental variables
4056  */
4057 
4058 static void
4059 do_inherit_env(struct context *c, const struct env_set *src)
4060 {
4061  c->c2.es = env_set_create(NULL);
4062  c->c2.es_owned = true;
4063  env_set_inherit(c->c2.es, src);
4064 }
4065 
4066 static void
4067 do_env_set_destroy(struct context *c)
4068 {
4069  if (c->c2.es && c->c2.es_owned)
4070  {
4071  env_set_destroy(c->c2.es);
4072  c->c2.es = NULL;
4073  c->c2.es_owned = false;
4074  }
4075 }
4076 
4077 /*
4078  * Fast I/O setup. Fast I/O is an optimization which only works
4079  * if all of the following are true:
4080  *
4081  * (1) The platform is not Windows
4082  * (2) --proto udp is enabled
4083  * (3) --shaper is disabled
4084  */
4085 static void
4086 do_setup_fast_io(struct context *c)
4087 {
4088  if (c->options.fast_io)
4089  {
4090 #ifdef _WIN32
4091  msg(M_INFO, "NOTE: --fast-io is disabled since we are running on Windows");
4092 #else
4093  if (!proto_is_udp(c->options.ce.proto))
4094  {
4095  msg(M_INFO, "NOTE: --fast-io is disabled since we are not using UDP");
4096  }
4097  else
4098  {
4099  if (c->options.shaper)
4100  {
4101  msg(M_INFO, "NOTE: --fast-io is disabled since we are using --shaper");
4102  }
4103  else
4104  {
4105  c->c2.fast_io = true;
4106  }
4107  }
4108 #endif
4109  }
4110 }
4111 
4112 static void
4113 do_signal_on_tls_errors(struct context *c)
4114 {
4115  if (c->options.tls_exit)
4116  {
4117  c->c2.tls_exit_signal = SIGTERM;
4118  }
4119  else
4120  {
4121  c->c2.tls_exit_signal = SIGUSR1;
4122  }
4123 }
4124 
4125 #ifdef ENABLE_PLUGIN
4126 
4127 void
4128 init_plugins(struct context *c)
4129 {
4130  if (c->options.plugin_list && !c->plugins)
4131  {
4132  c->plugins = plugin_list_init(c->options.plugin_list);
4133  c->plugins_owned = true;
4134  }
4135 }
4136 
4137 void
4138 open_plugins(struct context *c, const bool import_options, int init_point)
4139 {
4140  if (c->plugins && c->plugins_owned)
4141  {
4142  if (import_options)
4143  {
4144  struct plugin_return pr, config;
4145  plugin_return_init(&pr);
4146  plugin_list_open(c->plugins, c->options.plugin_list, &pr, c->c2.es, init_point);
4147  plugin_return_get_column(&pr, &config, "config");
4148  if (plugin_return_defined(&config))
4149  {
4150  int i;
4151  for (i = 0; i < config.n; ++i)
4152  {
4153  unsigned int option_types_found = 0;
4154  if (config.list[i] && config.list[i]->value)
4155  {
4156  options_string_import(&c->options,
4157  config.list[i]->value,
4158  D_IMPORT_ERRORS|M_OPTERR,
4159  OPT_P_DEFAULT & ~OPT_P_PLUGIN,
4160  &option_types_found,
4161  c->es);
4162  }
4163  }
4164  }
4165  plugin_return_free(&pr);
4166  }
4167  else
4168  {
4169  plugin_list_open(c->plugins, c->options.plugin_list, NULL, c->c2.es, init_point);
4170  }
4171  }
4172 }
4173 
4174 static void
4175 do_close_plugins(struct context *c)
4176 {
4177  if (c->plugins && c->plugins_owned && !(c->sig->signal_received == SIGUSR1))
4178  {
4179  plugin_list_close(c->plugins);
4180  c->plugins = NULL;
4181  c->plugins_owned = false;
4182  }
4183 }
4184 
4185 static void
4186 do_inherit_plugins(struct context *c, const struct context *src)
4187 {
4188  if (!c->plugins && src->plugins)
4189  {
4190  c->plugins = plugin_list_inherit(src->plugins);
4191  c->plugins_owned = true;
4192  }
4193 }
4194 
4195 #endif /* ifdef ENABLE_PLUGIN */
4196 
4197 #ifdef ENABLE_MANAGEMENT
4198 
4199 static void
4200 management_callback_status_p2p(void *arg, const int version, struct status_output *so)
4201 {
4202  struct context *c = (struct context *) arg;
4203  print_status(c, so);
4204 }
4205 
4206 void
4207 management_show_net_callback(void *arg, const int msglevel)
4208 {
4209 #ifdef _WIN32
4210  show_routes(msglevel);
4211  show_adapters(msglevel);
4212  msg(msglevel, "END");
4213 #else
4214  msg(msglevel, "ERROR: Sorry, this command is currently only implemented on Windows");
4215 #endif
4216 }
4217 
4218 #ifdef TARGET_ANDROID
4219 int
4220 management_callback_network_change(void *arg, bool samenetwork)
4221 {
4222  /* Check if the client should translate the network change to a SIGUSR1 to
4223  * reestablish the connection or just reprotect the socket
4224  *
4225  * At the moment just assume that, for all settings that use pull (not
4226  * --static) and are not using peer-id reestablishing the connection is
4227  * required (unless the network is the same)
4228  *
4229  * The function returns -1 on invalid fd and -2 if the socket cannot be
4230  * reused. On the -2 return value the man_network_change function triggers
4231  * a SIGUSR1 to force a reconnect.
4232  */
4233 
4234  int socketfd = -1;
4235  struct context *c = (struct context *) arg;
4236  if (!c->c2.link_socket)
4237  {
4238  return -1;
4239  }
4240  if (c->c2.link_socket->sd == SOCKET_UNDEFINED)
4241  {
4242  return -1;
4243  }
4244 
4245  socketfd = c->c2.link_socket->sd;
4246  if (!c->options.pull || c->c2.tls_multi->use_peer_id || samenetwork)
4247  {
4248  return socketfd;
4249  }
4250  else
4251  {
4252  return -2;
4253  }
4254 }
4255 #endif /* ifdef TARGET_ANDROID */
4256 
4257 #endif /* ifdef ENABLE_MANAGEMENT */
4258 
4259 void
4260 init_management_callback_p2p(struct context *c)
4261 {
4262 #ifdef ENABLE_MANAGEMENT
4263  if (management)
4264  {
4265  struct management_callback cb;
4266  CLEAR(cb);
4267  cb.arg = c;
4268  cb.status = management_callback_status_p2p;
4269  cb.show_net = management_show_net_callback;
4270  cb.proxy_cmd = management_callback_proxy_cmd;
4271  cb.remote_cmd = management_callback_remote_cmd;
4272  cb.send_cc_message = management_callback_send_cc_message;
4273 #ifdef TARGET_ANDROID
4274  cb.network_change = management_callback_network_change;
4275 #endif
4276  cb.remote_entry_count = management_callback_remote_entry_count;
4277  cb.remote_entry_get = management_callback_remote_entry_get;
4278  management_set_callback(management, &cb);
4279  }
4280 #endif
4281 }
4282 
4283 #ifdef ENABLE_MANAGEMENT
4284 
4285 void
4286 init_management(void)
4287 {
4288  if (!management)
4289  {
4290  management = management_init();
4291  }
4292 }
4293 
4294 bool
4295 open_management(struct context *c)
4296 {
4297  /* initialize management layer */
4298  if (management)
4299  {
4300  if (c->options.management_addr)
4301  {
4302  unsigned int flags = c->options.management_flags;
4303  if (c->options.mode == MODE_SERVER)
4304  {
4305  flags |= MF_SERVER;
4306  }
4307  if (management_open(management,
4308  c->options.management_addr,
4309  c->options.management_port,
4310  c->options.management_user_pass,
4311  c->options.management_client_user,
4312  c->options.management_client_group,
4313  c->options.management_log_history_cache,
4314  c->options.management_echo_buffer_size,
4315  c->options.management_state_buffer_size,
4316  c->options.remap_sigusr1,
4317  flags))
4318  {
4319  management_set_state(management,
4320  OPENVPN_STATE_CONNECTING,
4321  NULL,
4322  NULL,
4323  NULL,
4324  NULL,
4325  NULL);
4326  }
4327 
4328  /* initial management hold, called early, before first context initialization */
4329  do_hold(0);
4330  if (IS_SIG(c))
4331  {
4332  msg(M_WARN, "Signal received from management interface, exiting");
4333  return false;
4334  }
4335  }
4336  else
4337  {
4338  close_management();
4339  }
4340  }
4341  return true;
4342 }
4343 
4344 void
4345 close_management(void)
4346 {
4347  if (management)
4348  {
4349  management_close(management);
4350  management = NULL;
4351  }
4352 }
4353 
4354 #endif /* ifdef ENABLE_MANAGEMENT */
4355 
4356 
4357 void
4358 uninit_management_callback(void)
4359 {
4360 #ifdef ENABLE_MANAGEMENT
4361  if (management)
4362  {
4363  management_clear_callback(management);
4364  }
4365 #endif
4366 }
4367 
4368 void
4369 persist_client_stats(struct context *c)
4370 {
4371 #ifdef ENABLE_MANAGEMENT
4372  if (management)
4373  {
4374  man_persist_client_stats(management, c);
4375  }
4376 #endif
4377 }
4378 
4379 /*
4380  * Initialize a tunnel instance, handle pre and post-init
4381  * signal settings.
4382  */
4383 void
4384 init_instance_handle_signals(struct context *c, const struct env_set *env, const unsigned int flags)
4385 {
4386  pre_init_signal_catch();
4387  init_instance(c, env, flags);
4388  post_init_signal_catch();
4389 
4390  /*
4391  * This is done so that signals thrown during
4392  * initialization can bring us back to
4393  * a management hold.
4394  */
4395  if (IS_SIG(c))
4396  {
4397  remap_signal(c);
4398  uninit_management_callback();
4399  }
4400 }
4401 
4402 /*
4403  * Initialize a tunnel instance.
4404  */
4405 void
4406 init_instance(struct context *c, const struct env_set *env, const unsigned int flags)
4407 {
4408  const struct options *options = &c->options;
4409  const bool child = (c->mode == CM_CHILD_TCP || c->mode == CM_CHILD_UDP);
4410  int link_socket_mode = LS_MODE_DEFAULT;
4411 
4412  /* init garbage collection level */
4413  gc_init(&c->c2.gc);
4414 
4415  /* inherit environmental variables */
4416  if (env)
4417  {
4418  do_inherit_env(c, env);
4419  }
4420 
4421  if (c->mode == CM_P2P)
4422  {
4423  init_management_callback_p2p(c);
4424  }
4425 
4426  /* possible sleep or management hold if restart */
4427  if (c->mode == CM_P2P || c->mode == CM_TOP)
4428  {
4429  do_startup_pause(c);
4430  if (IS_SIG(c))
4431  {
4432  goto sig;
4433  }
4434  }
4435 
4436  if (c->options.resolve_in_advance)
4437  {
4438  do_preresolve(c);
4439  if (IS_SIG(c))
4440  {
4441  goto sig;
4442  }
4443  }
4444 
4445  /* Resets all values to the initial values from the config where needed */
4446  pre_connect_restore(&c->options, &c->c2.gc);
4447 
4448  /* map in current connection entry */
4449  next_connection_entry(c);
4450 
4451  /* link_socket_mode allows CM_CHILD_TCP
4452  * instances to inherit acceptable fds
4453  * from a top-level parent */
4454  if (c->options.ce.proto == PROTO_TCP_SERVER)
4455  {
4456  if (c->mode == CM_TOP)
4457  {
4458  link_socket_mode = LS_MODE_TCP_LISTEN;
4459  }
4460  else if (c->mode == CM_CHILD_TCP)
4461  {
4462  link_socket_mode = LS_MODE_TCP_ACCEPT_FROM;
4463  }
4464  }
4465 
4466  /* should we disable paging? */
4467  if (c->first_time && options->mlock)
4468  {
4469  platform_mlockall(true);
4470  }
4471 
4472  /* get passwords if undefined */
4473  if (auth_retry_get() == AR_INTERACT)
4474  {
4475  init_query_passwords(c);
4476  }
4477 
4478  /* initialize context level 2 --verb/--mute parms */
4479  init_verb_mute(c, IVM_LEVEL_2);
4480 
4481  /* set error message delay for non-server modes */
4482  if (c->mode == CM_P2P)
4483  {
4484  set_check_status_error_delay(P2P_ERROR_DELAY_MS);
4485  }
4486 
4487  /* warn about inconsistent options */
4488  if (c->mode == CM_P2P || c->mode == CM_TOP)
4489  {
4490  do_option_warnings(c);
4491  }
4492 
4493 #ifdef ENABLE_PLUGIN
4494  /* initialize plugins */
4495  if (c->mode == CM_P2P || c->mode == CM_TOP)
4496  {
4497  open_plugins(c, false, OPENVPN_PLUGIN_INIT_PRE_DAEMON);
4498  }
4499 #endif
4500 
4501  /* should we enable fast I/O? */
4502  if (c->mode == CM_P2P || c->mode == CM_TOP)
4503  {
4504  do_setup_fast_io(c);
4505  }
4506 
4507  /* should we throw a signal on TLS errors? */
4508  do_signal_on_tls_errors(c);
4509 
4510  /* open --status file */
4511  if (c->mode == CM_P2P || c->mode == CM_TOP)
4512  {
4513  do_open_status_output(c);
4514  }
4515 
4516  /* open --ifconfig-pool-persist file */
4517  if (c->mode == CM_TOP)
4518  {
4519  do_open_ifconfig_pool_persist(c);
4520  }
4521 
4522  /* reset OCC state */
4523  if (c->mode == CM_P2P || child)
4524  {
4525  c->c2.occ_op = occ_reset_op();
4526  }
4527 
4528  /* our wait-for-i/o objects, different for posix vs. win32 */
4529  if (c->mode == CM_P2P)
4530  {
4531  do_event_set_init(c, SHAPER_DEFINED(&c->options));
4532  }
4533  else if (c->mode == CM_CHILD_TCP)
4534  {
4535  do_event_set_init(c, false);
4536  }
4537 
4538  /* initialize HTTP or SOCKS proxy object at scope level 2 */
4539  init_proxy(c);
4540 
4541  /* allocate our socket object */
4542  if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
4543  {
4544  do_link_socket_new(c);
4545  }
4546 
4547 #ifdef ENABLE_FRAGMENT
4548  /* initialize internal fragmentation object */
4549  if (options->ce.fragment && (c->mode == CM_P2P || child))
4550  {
4551  c->c2.fragment = fragment_init(&c->c2.frame);
4552  }
4553 #endif
4554 
4555  /* init crypto layer */
4556  {
4557  unsigned int crypto_flags = 0;
4558  if (c->mode == CM_TOP)
4559  {
4560  crypto_flags = CF_INIT_TLS_AUTH_STANDALONE;
4561  }
4562  else if (c->mode == CM_P2P)
4563  {
4564  crypto_flags = CF_LOAD_PERSISTED_PACKET_ID | CF_INIT_TLS_MULTI;
4565  }
4566  else if (child)
4567  {
4568  crypto_flags = CF_INIT_TLS_MULTI;
4569  }
4570  do_init_crypto(c, crypto_flags);
4571  if (IS_SIG(c) && !child)
4572  {
4573  goto sig;
4574  }
4575  }
4576 
4577 #ifdef USE_COMP
4578  /* initialize compression library. */
4579  if (comp_enabled(&options->comp) && (c->mode == CM_P2P || child))
4580  {
4581  c->c2.comp_context = comp_init(&options->comp);
4582  }
4583 #endif
4584 
4585  /* initialize MTU variables */
4586  do_init_frame(c);
4587 
4588  /* initialize TLS MTU variables */
4589  do_init_frame_tls(c);
4590 
4591  /* init workspace buffers whose size is derived from frame size */
4592  if (c->mode == CM_P2P || c->mode == CM_CHILD_TCP)
4593  {
4594  do_init_buffers(c);
4595  }
4596 
4597 #ifdef ENABLE_FRAGMENT
4598  /* initialize internal fragmentation capability with known frame size */
4599  if (options->ce.fragment && (c->mode == CM_P2P || child))
4600  {
4601  do_init_fragment(c);
4602  }
4603 #endif
4604 
4605  /* bind the TCP/UDP socket */
4606  if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
4607  {
4608  link_socket_init_phase1(c, link_socket_mode);
4609  }
4610 
4611  /* initialize tun/tap device object,
4612  * open tun/tap device, ifconfig, run up script, etc. */
4613  if (!(options->up_delay || PULL_DEFINED(options)) && (c->mode == CM_P2P || c->mode == CM_TOP))
4614  {
4615  int error_flags = 0;
4616  c->c2.did_open_tun = do_open_tun(c, &error_flags);
4617  }
4618 
4619  /* print MTU info */
4620  do_print_data_channel_mtu_parms(c);
4621 
4622  /* get local and remote options compatibility strings */
4623  if (c->mode == CM_P2P || child)
4624  {
4625  do_compute_occ_strings(c);
4626  }
4627 
4628  /* initialize output speed limiter */
4629  if (c->mode == CM_P2P)
4630  {
4631  do_init_traffic_shaper(c);
4632  }
4633 
4634  /* do one-time inits, and possibly become a daemon here */
4635  do_init_first_time(c);
4636 
4637 #ifdef ENABLE_PLUGIN
4638  /* initialize plugins */
4639  if (c->mode == CM_P2P || c->mode == CM_TOP)
4640  {
4641  open_plugins(c, false, OPENVPN_PLUGIN_INIT_POST_DAEMON);
4642  }
4643 #endif
4644 
4645  /* initialise connect timeout timer */
4646  do_init_server_poll_timeout(c);
4647 
4648  /* finalize the TCP/UDP socket */
4649  if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
4650  {
4651  link_socket_init_phase2(c);
4652 
4653 
4654  /* Update dynamic frame calculation as exact transport socket information
4655  * (IP vs IPv6) may be only available after socket phase2 has finished.
4656  * This is only needed for --static or no crypto, NCP will recalculate this
4657  * in tls_session_update_crypto_params (P2MP) */
4658  frame_calculate_dynamic(&c->c2.frame, &c->c1.ks.key_type, &c->options,
4659  get_link_socket_info(c));
4660  }
4661 
4662  /*
4663  * Actually do UID/GID downgrade, and chroot, if requested.
4664  * May be delayed by --client, --pull, or --up-delay.
4665  */
4666  do_uid_gid_chroot(c, c->c2.did_open_tun);
4667 
4668  /* initialize timers */
4669  if (c->mode == CM_P2P || child)
4670  {
4671  do_init_timers(c, false);
4672  }
4673 
4674 #ifdef ENABLE_PLUGIN
4675  /* initialize plugins */
4676  if (c->mode == CM_P2P || c->mode == CM_TOP)
4677  {
4678  open_plugins(c, false, OPENVPN_PLUGIN_INIT_POST_UID_CHANGE);
4679  }
4680 #endif
4681 
4682 #if PORT_SHARE
4683  /* share OpenVPN port with foreign (such as HTTPS) server */
4684  if (c->first_time && (c->mode == CM_P2P || c->mode == CM_TOP))
4685  {
4686  init_port_share(c);
4687  }
4688 #endif
4689 
4690  /* Check for signals */
4691  if (IS_SIG(c))
4692  {
4693  goto sig;
4694  }
4695 
4696  return;
4697 
4698 sig:
4699  if (!c->sig->signal_text)
4700  {
4701  c->sig->signal_text = "init_instance";
4702  }
4703  close_context(c, -1, flags);
4704  return;
4705 }
4706 
4707 /*
4708  * Close a tunnel instance.
4709  */
4710 void
4711 close_instance(struct context *c)
4712 {
4713  /* close event objects */
4714  do_close_event_set(c);
4715 
4716  if (c->mode == CM_P2P
4717  || c->mode == CM_CHILD_TCP
4718  || c->mode == CM_CHILD_UDP
4719  || c->mode == CM_TOP)
4720  {
4721 #ifdef USE_COMP
4722  if (c->c2.comp_context)
4723  {
4724  comp_uninit(c->c2.comp_context);
4725  c->c2.comp_context = NULL;
4726  }
4727 #endif
4728 
4729  /* free buffers */
4730  do_close_free_buf(c);
4731 
4732  /* close peer for DCO if enabled, needs peer-id so must be done before
4733  * closing TLS contexts */
4734  dco_remove_peer(c);
4735 
4736  /* close TLS */
4737  do_close_tls(c);
4738 
4739  /* free key schedules */
4740  do_close_free_key_schedule(c, (c->mode == CM_P2P || c->mode == CM_TOP));
4741 
4742  /* close TCP/UDP connection */
4743  do_close_link_socket(c);
4744 
4745  /* close TUN/TAP device */
4746  do_close_tun(c, false);
4747 
4748 #ifdef ENABLE_MANAGEMENT
4749  if (management)
4750  {
4751  management_notify_client_close(management, &c->c2.mda_context, NULL);
4752  }
4753 #endif
4754 
4755 #ifdef ENABLE_PLUGIN
4756  /* call plugin close functions and unload */
4757  do_close_plugins(c);
4758 #endif
4759 
4760  /* close packet-id persistence file */
4761  do_close_packet_id(c);
4762 
4763  /* close --status file */
4764  do_close_status_output(c);
4765 
4766 #ifdef ENABLE_FRAGMENT
4767  /* close fragmentation handler */
4768  do_close_fragment(c);
4769 #endif
4770 
4771  /* close --ifconfig-pool-persist obj */
4772  do_close_ifconfig_pool_persist(c);
4773 
4774  /* free up environmental variable store */
4775  do_env_set_destroy(c);
4776 
4777  /* close HTTP or SOCKS proxy */
4778  uninit_proxy(c);
4779 
4780  /* garbage collect */
4781  gc_free(&c->c2.gc);
4782  }
4783 }
4784 
4785 void
4786 inherit_context_child(struct context *dest,
4787  const struct context *src)
4788 {
4789  CLEAR(*dest);
4790 
4791  /* proto_is_dgram will ASSERT(0) if proto is invalid */
4792  dest->mode = proto_is_dgram(src->options.ce.proto) ? CM_CHILD_UDP : CM_CHILD_TCP;
4793 
4794  dest->gc = gc_new();
4795 
4796  ALLOC_OBJ_CLEAR_GC(dest->sig, struct signal_info, &dest->gc);
4797 
4798  /* c1 init */
4799  packet_id_persist_init(&dest->c1.pid_persist);
4800 
4801  dest->c1.ks.key_type = src->c1.ks.key_type;
4802  /* inherit SSL context */
4803  dest->c1.ks.ssl_ctx = src->c1.ks.ssl_ctx;
4804  dest->c1.ks.tls_wrap_key = src->c1.ks.tls_wrap_key;
4805  dest->c1.ks.tls_auth_key_type = src->c1.ks.tls_auth_key_type;
4806  dest->c1.ks.tls_crypt_v2_server_key = src->c1.ks.tls_crypt_v2_server_key;
4807  /* inherit pre-NCP ciphers */
4808  dest->options.ciphername = src->options.ciphername;
4809  dest->options.authname = src->options.authname;
4810 
4811  /* inherit auth-token */
4812  dest->c1.ks.auth_token_key = src->c1.ks.auth_token_key;
4813 
4814  /* options */
4815  dest->options = src->options;
4816  options_detach(&dest->options);
4817 
4818  if (dest->mode == CM_CHILD_TCP)
4819  {
4820  /*
4821  * The CM_TOP context does the socket listen(),
4822  * and the CM_CHILD_TCP context does the accept().
4823  */
4824  dest->c2.accept_from = src->c2.link_socket;
4825  }
4826 
4827 #ifdef ENABLE_PLUGIN
4828  /* inherit plugins */
4829  do_inherit_plugins(dest, src);
4830 #endif
4831 
4832  /* context init */
4833 
4834  /* inherit tun/tap interface object now as it may be required
4835  * to initialize the DCO context in init_instance()
4836  */
4837  dest->c1.tuntap = src->c1.tuntap;
4838 
4839  init_instance(dest, src->c2.es, CC_NO_CLOSE | CC_USR1_TO_HUP);
4840  if (IS_SIG(dest))
4841  {
4842  return;
4843  }
4844 
4845  /* UDP inherits some extra things which TCP does not */
4846  if (dest->mode == CM_CHILD_UDP)
4847  {
4848  /* inherit buffers */
4849  dest->c2.buffers = src->c2.buffers;
4850 
4851  /* inherit parent link_socket and tuntap */
4852  dest->c2.link_socket = src->c2.link_socket;
4853 
4854  ALLOC_OBJ_GC(dest->c2.link_socket_info, struct link_socket_info, &dest->gc);
4855  *dest->c2.link_socket_info = src->c2.link_socket->info;
4856 
4857  /* locally override some link_socket_info fields */
4858  dest->c2.link_socket_info->lsa = &dest->c1.link_socket_addr;
4859  dest->c2.link_socket_info->connection_established = false;
4860  }
4861 }
4862 
4863 void
4864 inherit_context_top(struct context *dest,
4865  const struct context *src)
4866 {
4867  /* copy parent */
4868  *dest = *src;
4869 
4870  /*
4871  * CM_TOP_CLONE will prevent close_instance from freeing or closing
4872  * resources owned by the parent.
4873  *
4874  * Also note that CM_TOP_CLONE context objects are
4875  * closed by multi_top_free in multi.c.
4876  */
4877  dest->mode = CM_TOP_CLONE;
4878 
4879  dest->first_time = false;
4880  dest->c0 = NULL;
4881 
4882  options_detach(&dest->options);
4883  gc_detach(&dest->gc);
4884  gc_detach(&dest->c2.gc);
4885 
4886  /* detach plugins */
4887  dest->plugins_owned = false;
4888 
4889  dest->c2.tls_multi = NULL;
4890 
4891  /* detach c1 ownership */
4892  dest->c1.tuntap_owned = false;
4893  dest->c1.status_output_owned = false;
4894  dest->c1.ifconfig_pool_persist_owned = false;
4895 
4896  /* detach c2 ownership */
4897  dest->c2.event_set_owned = false;
4898  dest->c2.link_socket_owned = false;
4899  dest->c2.buffers_owned = false;
4900  dest->c2.es_owned = false;
4901 
4902  dest->c2.event_set = NULL;
4903  if (proto_is_dgram(src->options.ce.proto))
4904  {
4905  do_event_set_init(dest, false);
4906  }
4907 
4908 #ifdef USE_COMP
4909  dest->c2.comp_context = NULL;
4910 #endif
4911 }
4912 
4913 void
4914 close_context(struct context *c, int sig, unsigned int flags)
4915 {
4916  ASSERT(c);
4917  ASSERT(c->sig);
4918 
4919  if (sig >= 0)
4920  {
4921  register_signal(c->sig, sig, "close_context");
4922  }
4923 
4924  if (c->sig->signal_received == SIGUSR1)
4925  {
4926  if ((flags & CC_USR1_TO_HUP)
4927  || (c->sig->source == SIG_SOURCE_HARD && (flags & CC_HARD_USR1_TO_HUP)))
4928  {
4929  register_signal(c->sig, SIGHUP, "close_context usr1 to hup");
4930  }
4931  }
4932 
4933  if (!(flags & CC_NO_CLOSE))
4934  {
4935  close_instance(c);
4936  }
4937 
4938  if (flags & CC_GC_FREE)
4939  {
4940  context_gc_free(c);
4941  }
4942 }
4943 
4944 /* Write our PID to a file */
4945 void
4946 write_pid_file(const char *filename, const char *chroot_dir)
4947 {
4948  if (filename)
4949  {
4950  unsigned int pid = 0;
4951  FILE *fp = platform_fopen(filename, "w");
4952  if (!fp)
4953  {
4954  msg(M_ERR, "Open error on pid file %s", filename);
4955  return;
4956  }
4957 
4958  pid = platform_getpid();
4959  fprintf(fp, "%u\n", pid);
4960  if (fclose(fp))
4961  {
4962  msg(M_ERR, "Close error on pid file %s", filename);
4963  }
4964 
4965  /* remember file name so it can be deleted "out of context" later */
4966  /* (the chroot case is more complex and not handled today) */
4967  if (!chroot_dir)
4968  {
4969  saved_pid_file_name = strdup(filename);
4970  }
4971  }
4972 }
4973 
4974 /* remove PID file on exit, called from openvpn_exit() */
4975 void
4976 remove_pid_file(void)
4977 {
4978  if (saved_pid_file_name)
4979  {
4980  platform_unlink(saved_pid_file_name);
4981  }
4982 }
4983 
4984 
4985 /*
4986  * Do a loopback test
4987  * on the crypto subsystem.
4988  */
4989 static void *
4990 test_crypto_thread(void *arg)
4991 {
4992  struct context *c = (struct context *) arg;
4993  const struct options *options = &c->options;
4994 
4995  ASSERT(options->test_crypto);
4996  init_verb_mute(c, IVM_LEVEL_1);
4997  context_init_1(c);
4998  next_connection_entry(c);
4999  do_init_crypto_static(c, 0);
5000 
5001  frame_finalize_options(c, options);
5002 
5003  test_crypto(&c->c2.crypto_options, &c->c2.frame);
5004 
5005  key_schedule_free(&c->c1.ks, true);
5006  packet_id_free(&c->c2.crypto_options.packet_id);
5007 
5008  context_gc_free(c);
5009  return NULL;
5010 }
5011 
5012 bool
5013 do_test_crypto(const struct options *o)
5014 {
5015  if (o->test_crypto)
5016  {
5017  struct context c;
5018 
5019  /* print version number */
5020  msg(M_INFO, "%s", title_string);
5021 
5022  context_clear(&c);
5023  c.options = *o;
5024  options_detach(&c.options);
5025  c.first_time = true;
5026  test_crypto_thread((void *) &c);
5027  return true;
5028  }
5029  return false;
5030 }
connection_entry::tls_crypt_file
const char * tls_crypt_file
Definition: options.h:160
status_open
struct status_output * status_open(const char *filename, const int refresh_freq, const int msglevel, const struct virtual_output *vout, const unsigned int flags)
Definition: status.c:61
options::keepalive_timeout
int keepalive_timeout
Definition: options.h:328
plugin_return::list
struct openvpn_plugin_string_list * list[MAX_PLUGINS]
Definition: plugin.h:104
init_tun
struct tuntap * init_tun(const char *dev, const char *dev_type, int topology, const char *ifconfig_local_parm, const char *ifconfig_remote_netmask_parm, const char *ifconfig_ipv6_local_parm, int ifconfig_ipv6_netbits_parm, const char *ifconfig_ipv6_remote_parm, struct addrinfo *local_public, struct addrinfo *remote_public, const bool strict_warn, struct env_set *es, openvpn_net_ctx_t *ctx, struct tuntap *tt)
Definition: tun.c:808
do_close_ifconfig_pool_persist
static void do_close_ifconfig_pool_persist(struct context *c)
Definition: init.c:4041
pull_permission_mask
unsigned int pull_permission_mask(const struct context *c)
Definition: init.c:2516
context_2::route_wakeup
struct event_timeout route_wakeup
Definition: openvpn.h:386
tun_standby_init
void tun_standby_init(struct tuntap *tt)
Definition: tun.c:5817
options::replay_time
int replay_time
Definition: options.h:565
GENKEY_AUTH_TOKEN
@ GENKEY_AUTH_TOKEN
Definition: options.h:224
platform_create_temp_file
const char * platform_create_temp_file(const char *directory, const char *prefix, struct gc_arena *gc)
Create a temporary file in directory, returns the filename of the created file.
Definition: platform.c:554
do_test_crypto
bool do_test_crypto(const struct options *o)
Definition: init.c:5013
context_2::tls_auth_standalone
struct tls_auth_standalone * tls_auth_standalone
TLS state structure required for the initial authentication of a client's connection attempt.
Definition: openvpn.h:329
options::genkey_type
enum genkey_type genkey_type
Definition: options.h:269
plugin_list_init
struct plugin_list * plugin_list_init(const struct plugin_option_list *list)
Definition: plugin.c:776
management_set_state
void management_set_state(struct management *man, const int state, const char *detail, const in_addr_t *tun_local_ip, const struct in6_addr *tun_local_ip6, const struct openvpn_sockaddr *local, const struct openvpn_sockaddr *remote)
Definition: manage.c:2737
options::show_engines
bool show_engines
Definition: options.h:265
do_close_plugins
static void do_close_plugins(struct context *c)
Definition: init.c:4175
write_key_file
int write_key_file(const int nkeys, const char *filename)
Write nkeys 1024-bits keys to file.
Definition: crypto.c:1350
signal_info::signal_received
volatile int signal_received
Definition: sig.h:43
options::ssl_flags
unsigned int ssl_flags
Definition: options.h:607
options::verbosity
int verbosity
Definition: options.h:381
do_ifconfig_setenv
void do_ifconfig_setenv(const struct tuntap *tt, struct env_set *es)
Definition: tun.c:764
WSO_MODE_CONSOLE
#define WSO_MODE_CONSOLE
Definition: win32.h:156
do_init_server_poll_timeout
static void do_init_server_poll_timeout(struct context *c)
Definition: init.c:1334
tls_init_control_channel_frame_parameters
void tls_init_control_channel_frame_parameters(struct frame *frame, int tls_mtu)
Definition: ssl.c:135
next_connection_entry
static void next_connection_entry(struct context *c)
Definition: init.c:512
CE_MAN_QUERY_REMOTE_MOD
#define CE_MAN_QUERY_REMOTE_MOD
Definition: options.h:148
openvpn_sockaddr::addr
union openvpn_sockaddr::@14 addr
options::verify_hash
struct verify_hash_list * verify_hash
Definition: options.h:603
OPENVPN_PLUGIN_UP
#define OPENVPN_PLUGIN_UP
Definition: openvpn-plugin.h:117
tls_crypt_v2_init_server_key
void tls_crypt_v2_init_server_key(struct key_ctx *key_ctx, bool encrypt, const char *key_file, bool key_inline)
Initialize a tls-crypt-v2 server key (used to encrypt/decrypt client keys).
Definition: tls_crypt.c:362
connection_entry::mssfix_encap
bool mssfix_encap
Definition: options.h:137
tls_options::config_ncp_ciphers
const char * config_ncp_ciphers
Definition: ssl_common.h:365
platform_user_group_set
void platform_user_group_set(const struct platform_state_user *user_state, const struct platform_state_group *group_state, struct context *c)
Definition: platform.c:217
M_INFO
#define M_INFO
Definition: errlevel.h:55
connection_entry::mssfix
int mssfix
Definition: options.h:135
management_post_tunnel_open
void management_post_tunnel_open(struct management *man, const in_addr_t tun_local_ip)
Definition: manage.c:3046
options::show_digests
bool show_digests
Definition: options.h:264
do_close_tls
static void do_close_tls(struct context *c)
Definition: init.c:3833
connection_entry::link_mtu
int link_mtu
Definition: options.h:125
route_ipv6_option_list::flags
unsigned int flags
Definition: route.h:107
fragment_frame_init
void fragment_frame_init(struct fragment_master *f, const struct frame *frame)
Allocate internal packet buffers for a fragment_master structure.
Definition: fragment.c:122
options::use_peer_id
bool use_peer_id
Definition: options.h:682
notnull
void notnull(const char *arg, const char *description)
Definition: options.c:4913
M_OPTERR
#define M_OPTERR
Definition: error.h:100
tls_options::verify_x509_name
const char * verify_x509_name
Definition: ssl_common.h:341
options::sc_info
struct static_challenge_info sc_info
Definition: options.h:549
OPENVPN_PLUGIN_DOWN
#define OPENVPN_PLUGIN_DOWN
Definition: openvpn-plugin.h:118
tls_wrap_ctx::original_wrap_keydata
struct key2 original_wrap_keydata
original key data to be xored in to the key for dynamic tls-crypt.
Definition: ssl_common.h:289
context_2::accept_from
const struct link_socket * accept_from
Definition: openvpn.h:245
options::enable_ncp_fallback
bool enable_ncp_fallback
If defined fall back to ciphername if NCP fails.
Definition: options.h:557
add_route_ipv6_to_option_list
void add_route_ipv6_to_option_list(struct route_ipv6_option_list *l, const char *prefix, const char *gateway, const char *metric)
Definition: route.c:528
gc_new
static struct gc_arena gc_new(void)
Definition: buffer.h:1030
GENKEY_SECRET
@ GENKEY_SECRET
Definition: options.h:221
fragment_init
struct fragment_master * fragment_init(struct frame *frame)
Allocate and initialize a fragment_master structure.
Definition: fragment.c:89
options::nice
int nice
Definition: options.h:380
do_ifconfig
void do_ifconfig(struct tuntap *tt, const char *ifname, int tun_mtu, const struct env_set *es, openvpn_net_ctx_t *ctx)
do_ifconfig - configure the tunnel interface
Definition: tun.c:1650
run_command.h
DEV_TYPE_TUN
#define DEV_TYPE_TUN
Definition: proto.h:37
auth_token.h
tls_options::frame
struct frame frame
Definition: ssl_common.h:373
connection_entry::connect_retry_seconds
int connect_retry_seconds
Definition: options.h:110
connection_entry::explicit_exit_notification
int explicit_exit_notification
Definition: options.h:141
context_2::tls_multi
struct tls_multi * tls_multi
TLS state structure for this VPN tunnel.
Definition: openvpn.h:326
forward.h
open_management
bool open_management(struct context *c)
Definition: init.c:4295
plugin_return
Definition: plugin.h:101
ROUTE_BEFORE_TUN
#define ROUTE_BEFORE_TUN
Definition: tun.h:379
fragment_free
void fragment_free(struct fragment_master *f)
Free a fragment_master structure and its internal packet buffers.
Definition: fragment.c:113
key_ctx_bi_defined
static bool key_ctx_bi_defined(const struct key_ctx_bi *key)
Definition: crypto.h:548
signal_info::signal_text
const char * signal_text
Definition: sig.h:45
route_list
Definition: route.h:206
gremlin.h
context_1::status_output_owned
bool status_output_owned
Definition: openvpn.h:184
PACKAGE_NAME
#define PACKAGE_NAME
Definition: config.h:492
options::up_script
const char * up_script
Definition: options.h:367
context::persist
struct context_persist persist
Persistent context.
Definition: openvpn.h:513
buffer::len
int len
Length in bytes of the actual content within the allocated memory.
Definition: buffer.h:66
restore_signal_state
void restore_signal_state(void)
Definition: sig.c:466
frame_print
void frame_print(const struct frame *frame, int level, const char *prefix)
Definition: mtu.c:195
OPT_P_DEFAULT
#define OPT_P_DEFAULT
Definition: options.h:744
OPT_P_PUSH_MTU
#define OPT_P_PUSH_MTU
Definition: options.h:742
options::keepalive_ping
int keepalive_ping
Definition: options.h:327
connection_entry::socks_proxy_server
const char * socks_proxy_server
Definition: options.h:114
set_lladdr
int set_lladdr(openvpn_net_ctx_t *ctx, const char *ifname, const char *lladdr, const struct env_set *es)
Definition: lladdr.c:17
open_tun
void open_tun(const char *dev, const char *dev_type, const char *dev_node, struct tuntap *tt, openvpn_net_ctx_t *ctx)
Definition: tun.c:6815
init_connection_list
static void init_connection_list(struct context *c)
Definition: init.c:472
packet_id_init
void packet_id_init(struct packet_id *p, int seq_backtrack, int time_backtrack, const char *name, int unit)
Definition: packet_id.c:79
D_LINK_ERRORS
#define D_LINK_ERRORS
Definition: errlevel.h:57
management_hold
bool management_hold(struct management *man, int holdtime)
Definition: manage.c:3813
M_FATAL
#define M_FATAL
Definition: error.h:89
tls_item_in_cipher_list
bool tls_item_in_cipher_list(const char *item, const char *list)
Return true iff item is present in the colon-separated zero-terminated cipher list.
Definition: ssl_ncp.c:207
init_query_passwords
void init_query_passwords(const struct context *c)
Query for private key and auth-user-pass username/passwords.
Definition: init.c:641
win32.h
options::ce_advance_count
int ce_advance_count
Definition: options.h:287
env_set_destroy
void env_set_destroy(struct env_set *es)
Definition: env_set.c:166
options::auth_token_secret_file
const char * auth_token_secret_file
Definition: options.h:529
EVENT_METHOD_US_TIMEOUT
#define EVENT_METHOD_US_TIMEOUT
Definition: event.h:82
tuntap::windows_driver
enum windows_driver_type windows_driver
Definition: tun.h:213
options_string
char * options_string(const struct options *o, const struct frame *frame, struct tuntap *tt, openvpn_net_ctx_t *ctx, bool remote, struct gc_arena *gc)
Definition: options.c:4251
context_1::tuntap
struct tuntap * tuntap
Tun/tap virtual network interface.
Definition: openvpn.h:170
options::show_ciphers
bool show_ciphers
Definition: options.h:263
RH_PORT_LEN
#define RH_PORT_LEN
Definition: options.h:216
argv
Definition: argv.h:35
context_2::es_owned
bool es_owned
Definition: openvpn.h:424
options::duplicate_cn
bool duplicate_cn
Definition: options.h:510
connection_entry::tls_crypt_file_inline
bool tls_crypt_file_inline
Definition: options.h:161
streq
#define streq(x, y)
Definition: options.h:707
set_check_status_error_delay
static void set_check_status_error_delay(unsigned int milliseconds)
Definition: error.h:286
proto2ascii
const char * proto2ascii(int proto, sa_family_t af, bool display_form)
Definition: socket.c:3128
options::inactivity_minimum_bytes
int64_t inactivity_minimum_bytes
Definition: options.h:331
packet_id_persist_load
void packet_id_persist_load(struct packet_id_persist *p, const char *filename)
Definition: packet_id.c:431
TLS_MODE
#define TLS_MODE(c)
Definition: openvpn.h:539
M_NONFATAL
#define M_NONFATAL
Definition: error.h:90
do_close_free_buf
static void do_close_free_buf(struct context *c)
Definition: init.c:3819
tls_wrap_ctx::tls_crypt_v2_wkc
const struct buffer * tls_crypt_v2_wkc
Wrapped client key, sent to server.
Definition: ssl_common.h:276
occ_reset_op
static int occ_reset_op(void)
Definition: occ.h:101
connection_entry::remote_port
const char * remote_port
Definition: options.h:103
management_sleep
void management_sleep(const int n)
A sleep function that services the management layer for n seconds rather than doing nothing.
Definition: manage.c:4114
context_1::tuntap_owned
bool tuntap_owned
Whether the tun/tap interface should be cleaned up when this context is cleaned up.
Definition: openvpn.h:171
ROUTE_AFTER_TUN
#define ROUTE_AFTER_TUN
Definition: tun.h:380
lladdr.h
do_open_status_output
static void do_open_status_output(struct context *c)
Definition: init.c:3999
context
Contains all state information for one tunnel.
Definition: openvpn.h:476
do_setup_fast_io
static void do_setup_fast_io(struct context *c)
Definition: init.c:4086
D_ROUTE
#define D_ROUTE
Definition: errlevel.h:80
management_open
bool management_open(struct management *man, const char *addr, const char *port, const char *pass_file, const char *client_user, const char *client_group, const int log_history_cache, const int echo_buffer_size, const int state_buffer_size, const int remap_sigusr1, const unsigned int flags)
Definition: manage.c:2655
es
struct env_set * es
Definition: test_pkcs11.c:133
tls_options::transition_window
int transition_window
Definition: ssl_common.h:331
options::route_nopull
bool route_nopull
Definition: options.h:421
init_route_ipv6_list
bool init_route_ipv6_list(struct route_ipv6_list *rl6, const struct route_ipv6_option_list *opt6, const char *remote_endpoint, int default_metric, const struct in6_addr *remote_host_ipv6, struct env_set *es, openvpn_net_ctx_t *ctx)
Definition: route.c:790
tls_multi::session
struct tls_session session[TM_SIZE]
Array of tls_session objects representing control channel sessions with the remote peer.
Definition: ssl_common.h:675
route_did_redirect_default_gateway
static int route_did_redirect_default_gateway(const struct route_list *rl)
Definition: route.h:404
CC_GC_FREE
#define CC_GC_FREE
Definition: init.h:103
connection_entry::tun_mtu_defined
bool tun_mtu_defined
Definition: options.h:122
key_schedule::auth_token_key
struct key_ctx auth_token_key
Definition: openvpn.h:73
options::key_direction
int key_direction
Definition: options.h:555
options::topology
int topology
Definition: options.h:307
SSEC_SCRIPTS
#define SSEC_SCRIPTS
Definition: run_command.h:33
link_socket_info::lsa
struct link_socket_addr * lsa
Definition: socket.h:115
context_2::auth_token_renewal_interval
struct event_timeout auth_token_renewal_interval
Definition: openvpn.h:296
BSTR
#define BSTR(buf)
Definition: buffer.h:129
management_callback::flags
unsigned int flags
Definition: manage.h:178
options::authname
const char * authname
Definition: options.h:560
options::dev_type
const char * dev_type
Definition: options.h:304
tls_options::auth_token_key
struct key_ctx auth_token_key
Definition: ssl_common.h:391
user_pass::username
char username[USER_PASS_LEN]
Definition: misc.h:71
get_random
long int get_random(void)
Definition: crypto.c:1611
do_init_crypto_none
static void do_init_crypto_none(struct context *c)
Definition: init.c:3474
context_2::tmp_int
struct interval tmp_int
Definition: openvpn.h:347
AR_NONE
#define AR_NONE
Definition: options.h:884
platform_getpid
unsigned int platform_getpid(void)
Definition: platform.c:333
D_MTU_INFO
#define D_MTU_INFO
Definition: errlevel.h:105
do_print_data_channel_mtu_parms
static void do_print_data_channel_mtu_parms(struct context *c)
Definition: init.c:3736
options::status_file_update_freq
int status_file_update_freq
Definition: options.h:390
link_socket_addr::bind_local
struct addrinfo * bind_local
Definition: socket.h:106
CM_CHILD_UDP
#define CM_CHILD_UDP
Definition: openvpn.h:488
context::plugins
struct plugin_list * plugins
List of plug-ins.
Definition: openvpn.h:505
D_HANDSHAKE
#define D_HANDSHAKE
Definition: errlevel.h:72
tls_crypt_v2_init_client_key
void tls_crypt_v2_init_client_key(struct key_ctx_bi *key, struct key2 *original_key, struct buffer *wkc_buf, const char *key_file, bool key_inline)
Initialize a tls-crypt-v2 client key.
Definition: tls_crypt.c:336
plugin_return_init
static void plugin_return_init(struct plugin_return *pr)
Definition: plugin.h:171
warn_on_use_of_common_subnets
void warn_on_use_of_common_subnets(openvpn_net_ctx_t *ctx)
Definition: tun.c:642
options::tls_client
bool tls_client
Definition: options.h:574
options::shared_secret_file
const char * shared_secret_file
Definition: options.h:552
context_2::log_rw
bool log_rw
Definition: openvpn.h:383
tls_options::ekm_size
size_t ekm_size
Definition: ssl_common.h:436
argv_printf_cat
bool argv_printf_cat(struct argv *argres, const char *format,...)
printf() inspired argv concatenation.
Definition: argv.c:464
connection_entry::tls_crypt_v2_force_cookie
bool tls_crypt_v2_force_cookie
Definition: options.h:169
alloc_buf_gc
struct buffer alloc_buf_gc(size_t size, struct gc_arena *gc)
Definition: buffer.c:88
openvpn_run_script
static int openvpn_run_script(const struct argv *a, const struct env_set *es, const unsigned int flags, const char *hook)
Will run a script and return the exit code of the script if between 0 and 255, -1 otherwise.
Definition: run_command.h:64
print_openssl_info
bool print_openssl_info(const struct options *options)
Definition: init.c:973
context_2::es
struct env_set * es
Definition: openvpn.h:423
tls_crypt_v2_write_client_key_file
void tls_crypt_v2_write_client_key_file(const char *filename, const char *b64_metadata, const char *server_key_file, bool server_key_inline)
Generate a tls-crypt-v2 client key, and write to file.
Definition: tls_crypt.c:681
connection_entry::connect_timeout
int connect_timeout
Definition: options.h:112
argv_free
void argv_free(struct argv *a)
Frees all memory allocations allocated by the struct argv related functions.
Definition: argv.c:102
X509_USERNAME_FIELD_DEFAULT
#define X509_USERNAME_FIELD_DEFAULT
Definition: ssl.h:110
tls_options::client_crresponse_script
const char * client_crresponse_script
Definition: ssl_common.h:377
context_1::socks_proxy_owned
bool socks_proxy_owned
Definition: openvpn.h:192
link_socket_proto_connection_oriented
static bool link_socket_proto_connection_oriented(int proto)
Definition: socket.h:629
set_debug_level
bool set_debug_level(const int level, const unsigned int flags)
Definition: error.c:105
man_persist::special_state_msg
const char * special_state_msg
Definition: manage.h:238
do_close_fragment
static void do_close_fragment(struct context *c)
Definition: init.c:3950
GENKEY_TLS_CRYPTV2_CLIENT
@ GENKEY_TLS_CRYPTV2_CLIENT
Definition: options.h:222
tls_options::replay_time
int replay_time
Definition: ssl_common.h:361
OPT_P_PLUGIN
#define OPT_P_PLUGIN
Definition: options.h:736
session_id_hmac_init
hmac_ctx_t * session_id_hmac_init(void)
Definition: ssl_pkt.c:473
dev_type_string
const char * dev_type_string(const char *dev, const char *dev_type)
Definition: tun.c:457
options::cipher_list
const char * cipher_list
Definition: options.h:588
plugin_list_open
void plugin_list_open(struct plugin_list *pl, const struct plugin_option_list *list, struct plugin_return *pr, const struct env_set *es, const int init_point)
Definition: plugin.c:786
init_instance
void init_instance(struct context *c, const struct env_set *env, const unsigned int flags)
Definition: init.c:4406
management_callback::remote_cmd
bool(* remote_cmd)(void *arg, const char **p)
Definition: manage.h:202
tls_options::remote_cert_eku
const char * remote_cert_eku
Definition: ssl_common.h:346
options::mode
int mode
Definition: options.h:247
frame::tailroom
int tailroom
the tailroom in the buffer.
Definition: mtu.h:112
options::session_timeout
int session_timeout
Definition: options.h:333
tls_options::single_session
bool single_session
Definition: ssl_common.h:316
reset_coarse_timers
void reset_coarse_timers(struct context *c)
Definition: init.c:1323
route_ipv6_list
Definition: route.h:219
options::mute
int mute
Definition: options.h:382
tls_options::verify_hash_depth
int verify_hash_depth
Definition: ssl_common.h:348
packet_id_persist_init
static void packet_id_persist_init(struct packet_id_persist *p)
Definition: openvpn.h:86
platform_group_get
bool platform_group_get(const char *groupname, struct platform_state_group *state)
Definition: platform.c:123
context_2::inactivity_interval
struct event_timeout inactivity_interval
Definition: openvpn.h:290
SSEC_PW_ENV
#define SSEC_PW_ENV
Definition: run_command.h:34
MF_SERVER
#define MF_SERVER
Definition: manage.h:28
show_available_ciphers
void show_available_ciphers(void)
Definition: crypto_openssl.c:369
remote_host_store::port
char port[RH_PORT_LEN]
Definition: options.h:217
MAX_PARMS
#define MAX_PARMS
Definition: options.h:52
context::c0
struct context_0 * c0
Level 0 context.
Definition: openvpn.h:515
buf_clear
void buf_clear(struct buffer *buf)
Definition: buffer.c:162
CE_MAN_QUERY_PROXY
#define CE_MAN_QUERY_PROXY
Definition: options.h:144
connection_entry::link_mtu_defined
bool link_mtu_defined
Definition: options.h:126
do_close_tun
static void do_close_tun(struct context *c, bool force)
Definition: init.c:2028
time_test
void time_test(void)
CO_FORCE_TLSCRYPTV2_COOKIE
#define CO_FORCE_TLSCRYPTV2_COOKIE
Bit-flag indicating that we do not allow clients that do not support resending the wrapped client key...
Definition: crypto.h:270
options::ce
struct connection_entry ce
Definition: options.h:275
options::msg_channel
HANDLE msg_channel
Definition: options.h:673
tls_options::verify_hash_no_ca
bool verify_hash_no_ca
Definition: ssl_common.h:349
tls_options::crl_file_inline
bool crl_file_inline
Definition: ssl_common.h:343
context_0::uid_gid_chroot_set
bool uid_gid_chroot_set
Definition: openvpn.h:140
link_socket_addr::current_remote
struct addrinfo * current_remote
Definition: socket.h:108
openvpn_sockaddr
Definition: socket.h:65
env_set_inherit
void env_set_inherit(struct env_set *es, const struct env_set *src)
Definition: env_set.c:238
do_close_free_key_schedule
static void do_close_free_key_schedule(struct context *c, bool free_ssl_ctx)
Definition: init.c:3860
tls_options::tcp_mode
bool tcp_mode
Definition: ssl_common.h:362
context_2::buffers
struct context_buffers * buffers
Definition: openvpn.h:370
options::verify_hash_algo
hash_algo_type verify_hash_algo
Definition: options.h:604
context_gc_free
void context_gc_free(struct context *c)
Definition: init.c:777
openvpn_net_ctx_t
void * openvpn_net_ctx_t
Definition: networking.h:28
context_2::did_open_tun
bool did_open_tun
Definition: openvpn.h:390
set_check_status
void set_check_status(unsigned int info_level, unsigned int verbose_level)
Definition: error.c:637
frame_calculate_protocol_header_size
size_t frame_calculate_protocol_header_size(const struct key_type *kt, const struct options *options, bool occ)
Calculates the size of the OpenVPN protocol header.
Definition: mtu.c:63
options::genkey_extra_data
const char * genkey_extra_data
Definition: options.h:271
M_NOPREFIX
#define M_NOPREFIX
Definition: error.h:97
management_callback_send_cc_message
static bool management_callback_send_cc_message(void *arg, const char *command, const char *parameters)
This method sends a custom control channel message.
Definition: init.c:306
event_timeout_init
static void event_timeout_init(struct event_timeout *et, interval_t n, const time_t last)
Initialises a timer struct.
Definition: interval.h:174
init_context_buffers
struct context_buffers * init_context_buffers(const struct frame *frame)
Definition: init.c:3642
context_2::route_wakeup_expire
struct event_timeout route_wakeup_expire
Definition: openvpn.h:387
context_buffers::decrypt_buf
struct buffer decrypt_buf
Definition: openvpn.h:101
argv_parse_cmd
void argv_parse_cmd(struct argv *argres, const char *cmdstr)
Parses a command string, tokenizes it and puts each element into a separate struct argv argument slot...
Definition: argv.c:483
options_hash_changed_or_zero
static bool options_hash_changed_or_zero(const struct sha256_digest *a, const struct sha256_digest *b)
Helper for do_up().
Definition: init.c:2173
proto_is_dgram
static bool proto_is_dgram(int proto)
Return if the protocol is datagram (UDP)
Definition: socket.h:584
context_2::pulled_options_state
md_ctx_t * pulled_options_state
Definition: openvpn.h:447
SIG_SOURCE_HARD
#define SIG_SOURCE_HARD
Definition: sig.h:31
socks_proxy_close
void socks_proxy_close(struct socks_proxy_info *sp)
Definition: socks.c:81
tls_options::tls_wrap
struct tls_wrap_ctx tls_wrap
TLS handshake wrapping state.
Definition: ssl_common.h:371
tls_options::tls_crypt_v2
bool tls_crypt_v2
Definition: ssl_common.h:367
tls_options::config_ciphername
const char * config_ciphername
Definition: ssl_common.h:364
options::shaper
int shaper
Definition: options.h:315
window_title_save
void window_title_save(struct window_title *wt)
Definition: win32.c:704
window_title
Definition: win32.h:73
tls_crypt.h
do_inherit_plugins
static void do_inherit_plugins(struct context *c, const struct context *src)
Definition: init.c:4186
do_close_packet_id
static void do_close_packet_id(struct context *c)
Definition: init.c:3935
cipher_kt_name
const char * cipher_kt_name(const char *ciphername)
Retrieve a normalised string describing the cipher (e.g.
Definition: crypto_openssl.c:659
options::tls_export_peer_cert_dir
const char * tls_export_peer_cert_dir
Definition: options.h:594
tls_options::renegotiate_seconds
interval_t renegotiate_seconds
Definition: ssl_common.h:336
D_LOG_RW
#define D_LOG_RW
Definition: errlevel.h:110
context::mode
int mode
Role of this context within the OpenVPN process.
Definition: openvpn.h:490
reset_check_status
void reset_check_status(void)
Definition: error.c:630
do_up
bool do_up(struct context *c, bool pulled_options, unsigned int option_types_found)
Definition: init.c:2372
options::cd_dir
const char * cd_dir
Definition: options.h:362
tls_crypt_buf_overhead
int tls_crypt_buf_overhead(void)
Returns the maximum overhead (in bytes) added to the destination buffer by tls_crypt_wrap().
Definition: tls_crypt.c:55
context_2::link_socket_info
struct link_socket_info * link_socket_info
This variable is used instead link_socket->info for P2MP UDP childs.
Definition: openvpn.h:244
tls_auth_standalone::workbuf
struct buffer workbuf
Definition: ssl_pkt.h:80
MODE_SERVER
#define MODE_SERVER
Definition: options.h:246
RH_HOST_LEN
#define RH_HOST_LEN
Definition: options.h:214
tun_abort
void tun_abort(void)
Definition: init.c:2154
STATUS_OUTPUT_WRITE
#define STATUS_OUTPUT_WRITE
Definition: status.h:51
options::remote_random
bool remote_random
Definition: options.h:301
options::ifconfig_noexec
bool ifconfig_noexec
Definition: options.h:313
frame
Packet geometry parameters.
Definition: mtu.h:98
IFCONFIG_AFTER_TUN_OPEN
#define IFCONFIG_AFTER_TUN_OPEN
Definition: tun.h:353
setenv_routes_ipv6
void setenv_routes_ipv6(struct env_set *es, const struct route_ipv6_list *rl6)
Definition: route.c:1487
tls_options::tmp_dir
const char * tmp_dir
Definition: ssl_common.h:379
key_schedule_free
static void key_schedule_free(struct key_schedule *ks, bool free_ssl_ctx)
Definition: init.c:2952
PROTO_TCP_SERVER
@ PROTO_TCP_SERVER
Definition: socket.h:557
connection_entry::fragment_encap
bool fragment_encap
Definition: options.h:133
status_output::flags
unsigned int flags
Definition: status.h:52
options::tls_server
bool tls_server
Definition: options.h:573
setenv_int
void setenv_int(struct env_set *es, const char *name, int value)
Definition: env_set.c:267
interval_init
void interval_init(struct interval *top, int horizon, int refresh)
Definition: interval.c:35
options::auth_token_renewal
int auth_token_renewal
Definition: options.h:528
block_local_needed
bool block_local_needed(const struct route_list *rl)
Get the decision whether to block traffic to local networks while the VPN is connected.
Definition: route.c:621
management_show_net_callback
void management_show_net_callback(void *arg, const int msglevel)
Definition: init.c:4207
GET_USER_PASS_MANAGEMENT
#define GET_USER_PASS_MANAGEMENT
Definition: misc.h:107
del_wfp_block
static void del_wfp_block(struct context *c, unsigned long adapter_index)
Remove any WFP block filters previously added.
Definition: init.c:1822
srandom
#define srandom
Definition: syshead.h:45
openvpn_sockaddr::in6
struct sockaddr_in6 in6
Definition: socket.h:71
connection_entry
Definition: options.h:97
tls_multi::dco
dco_context_t * dco
Definition: ssl_common.h:692
crypto_read_openvpn_key
void crypto_read_openvpn_key(const struct key_type *key_type, struct key_ctx_bi *ctx, const char *key_file, bool key_inline, const int key_direction, const char *key_name, const char *opt_name, struct key2 *keydata)
Definition: crypto.c:1094
do_inherit_env
static void do_inherit_env(struct context *c, const struct env_set *src)
Definition: init.c:4059
management_notify_generic
void management_notify_generic(struct management *man, const char *str)
Definition: manage.c:2894
sleep
#define sleep(x)
Definition: syshead.h:43
tls_options::auth_token_renewal
unsigned int auth_token_renewal
Definition: ssl_common.h:389
options::routes_ipv6
struct route_ipv6_option_list * routes_ipv6
Definition: options.h:419
OPT_P_SETENV
#define OPT_P_SETENV
Definition: options.h:717
route_order
static int route_order(void)
Definition: tun.h:384
do_init_route_ipv6_list
static void do_init_route_ipv6_list(const struct options *options, struct route_ipv6_list *route_ipv6_list, const struct link_socket_info *link_socket_info, struct env_set *es, openvpn_net_ctx_t *ctx)
Definition: init.c:1512
options::tls_exit
bool tls_exit
Definition: options.h:665
show_available_tls_ciphers
void show_available_tls_ciphers(const char *cipher_list, const char *cipher_list_tls13, const char *tls_cert_profile)
Definition: ssl.c:4061
context_2::occ_interval
struct event_timeout occ_interval
Definition: openvpn.h:304
np
static const char * np(const char *str)
Definition: multi-auth.c:146
key_schedule::tls_wrap_key
struct key_ctx_bi tls_wrap_key
Definition: openvpn.h:67
options::route_noexec
bool route_noexec
Definition: options.h:414
options::tls_cert_profile
const char * tls_cert_profile
Definition: options.h:591
do_init_crypto_static
static void do_init_crypto_static(struct context *c, const unsigned int flags)
Definition: init.c:2992
plugin_call
static int plugin_call(const struct plugin_list *pl, const int type, const struct argv *av, struct plugin_return *pr, struct env_set *es)
Definition: plugin.h:202
tls_options::auth_token_generate
bool auth_token_generate
Generate auth-tokens on successful user/pass auth,seet via options->auth_token_generate.
Definition: ssl_common.h:384
D_RESTART
#define D_RESTART
Definition: errlevel.h:82
link_socket::sd
socket_descriptor_t sd
Definition: socket.h:169
context_persist
Definition: openvpn.h:120
options::renegotiate_seconds
int renegotiate_seconds
Definition: options.h:628
context_0
Level 0 context containing information related to the OpenVPN process.
Definition: openvpn.h:135
context_1::route_list
struct route_list * route_list
List of routing information.
Definition: openvpn.h:175
PING_RESTART
#define PING_RESTART
Definition: options.h:341
context_2::wait_for_connect
struct event_timeout wait_for_connect
Definition: openvpn.h:285
options::persist_local_ip
bool persist_local_ip
Definition: options.h:345
tuntap::actual_name
char * actual_name
Definition: tun.h:186
is_tun_type_set
static bool is_tun_type_set(const struct tuntap *tt)
Definition: tun.h:759
test_crypto
void test_crypto(struct crypto_options *co, struct frame *frame)
Definition: crypto.c:999
CLEAR
#define CLEAR(x)
Definition: basic.h:33
tls_options::auth_user_pass_file_inline
bool auth_user_pass_file_inline
Definition: ssl_common.h:382
options::verify_hash_depth
int verify_hash_depth
Definition: options.h:605
win32_signal
Definition: win32.h:153
man_persist_client_stats
void man_persist_client_stats(struct management *man, struct context *c)
Definition: manage.c:4164
OPT_P_SOCKBUF
#define OPT_P_SOCKBUF
Definition: options.h:737
do_init_first_time
static void do_init_first_time(struct context *c)
Definition: init.c:3786
tls_multi::multi_state
enum multi_status multi_state
Definition: ssl_common.h:612
D_MTU_DEBUG
#define D_MTU_DEBUG
Definition: errlevel.h:126
options::show_curves
bool show_curves
Definition: options.h:267
tls_auth_standalone::frame
struct frame frame
Definition: ssl_pkt.h:81
connection_list::len
int len
Definition: options.h:185
context::c2
struct context_2 c2
Level 2 context.
Definition: openvpn.h:517
options::cipher_list_tls13
const char * cipher_list_tls13
Definition: options.h:589
ifconfig_pool_persist_init
struct ifconfig_pool_persist * ifconfig_pool_persist_init(const char *filename, int refresh_freq)
Definition: pool.c:551
free_key_ctx_bi
void free_key_ctx_bi(struct key_ctx_bi *ctx)
Definition: crypto.c:906
do_close_tun_simple
static void do_close_tun_simple(struct context *c)
Definition: init.c:2009
D_GENKEY
#define D_GENKEY
Definition: errlevel.h:79
options::up_delay
bool up_delay
Definition: options.h:371
TM_ACTIVE
#define TM_ACTIVE
Active tls_session.
Definition: ssl_common.h:529
tls_options::ssl_ctx
struct tls_root_ctx ssl_ctx
Definition: ssl_common.h:299
do_init_route_list
static void do_init_route_list(const struct options *options, struct route_list *route_list, const struct link_socket_info *link_socket_info, struct env_set *es, openvpn_net_ctx_t *ctx)
Definition: init.c:1466
string_alloc
char * string_alloc(const char *str, struct gc_arena *gc)
Definition: buffer.c:667
context_2::gc
struct gc_arena gc
Garbage collection arena for allocations done in the level 2 scope of this context_2 structure.
Definition: openvpn.h:228
do_compute_occ_strings
static void do_compute_occ_strings(struct context *c)
Definition: init.c:3752
connection_entry::socks_proxy_port
const char * socks_proxy_port
Definition: options.h:115
options::resolve_in_advance
bool resolve_in_advance
Definition: options.h:353
LS_MODE_DEFAULT
#define LS_MODE_DEFAULT
Definition: socket.h:192
tls_wrap_ctx::opt
struct crypto_options opt
Crypto state.
Definition: ssl_common.h:273
ssl_verify.h
options::ifconfig_nowarn
bool ifconfig_nowarn
Definition: options.h:314
tls_options::ekm_label_size
size_t ekm_label_size
Definition: ssl_common.h:435
options::dev
const char * dev
Definition: options.h:303
connection_list::current
int current
Definition: options.h:186
CAS_RECONNECT_PENDING
@ CAS_RECONNECT_PENDING
session has already successful established (CAS_CONNECT_DONE) but has a reconnect and needs to redo s...
Definition: ssl_common.h:569
ASSERT
#define ASSERT(x)
Definition: error.h:195
OPENVPN_PLUGIN_INIT_POST_DAEMON
#define OPENVPN_PLUGIN_INIT_POST_DAEMON
Definition: openvpn-plugin.h:768
tuntap::local_ipv6
struct in6_addr local_ipv6
Definition: tun.h:192
options::management_port
const char * management_port
Definition: options.h:431
tls_wrap_ctx::tls_crypt_v2_server_key
struct key_ctx tls_crypt_v2_server_key
Decrypts client keys.
Definition: ssl_common.h:275
string_clear
void string_clear(char *str)
Definition: buffer.c:709
options::rh_store
struct remote_host_store * rh_store
Definition: options.h:297
options::groupname
const char * groupname
Definition: options.h:360
D_SHOW_OCC
#define D_SHOW_OCC
Definition: errlevel.h:151
connection_entry::connect_retry_seconds_max
int connect_retry_seconds_max
Definition: options.h:111
ce_management_query_remote
static bool ce_management_query_remote(struct context *c)
Definition: init.c:423
PROTO_TCP_CLIENT
@ PROTO_TCP_CLIENT
Definition: socket.h:558
options::single_session
bool single_session
Definition: options.h:661
options::auth_user_pass_file
const char * auth_user_pass_file
Definition: options.h:542
PULL_DEFINED
#define PULL_DEFINED(opt)
Definition: options.h:746
key_schedule::ssl_ctx
struct tls_root_ctx ssl_ctx
Definition: openvpn.h:63
link_socket_actual
Definition: socket.h:86
D_DCO
#define D_DCO
Definition: errlevel.h:94
tls_options::ekm_label
const char * ekm_label
Definition: ssl_common.h:434
CM_CHILD_TCP
#define CM_CHILD_TCP
Definition: openvpn.h:489
tls_options::verify_hash
struct verify_hash_list * verify_hash
Definition: ssl_common.h:347
key_schedule::tls_crypt_v2_server_key
struct key_ctx tls_crypt_v2_server_key
Definition: openvpn.h:71
connection_list
Definition: options.h:182
context::gc
struct gc_arena gc
Garbage collection arena for allocations done in the scope of this context structure.
Definition: openvpn.h:495
RG_REROUTE_GW
#define RG_REROUTE_GW
Definition: route.h:89
OPENVPN_PLUGIN_INIT_PRE_DAEMON
#define OPENVPN_PLUGIN_INIT_PRE_DAEMON
Definition: openvpn-plugin.h:767
ping.h
md_kt_name
const char * md_kt_name(const char *mdname)
Retrieve a string describing the digest digest (e.g.
Definition: crypto_openssl.c:1070
options::ping_send_timeout
int ping_send_timeout
Definition: options.h:335
tls_options::net_ctx
openvpn_net_ctx_t * net_ctx
Definition: ssl_common.h:398
tls_options
Definition: ssl_common.h:296
packet_id_persist_save
void packet_id_persist_save(struct packet_id_persist *p)
Definition: packet_id.c:480
context_2::event_set_max
int event_set_max
Definition: openvpn.h:234
tls_options::x509_track
const struct x509_track * x509_track
Definition: ssl_common.h:424
CE_MAN_QUERY_REMOTE_SKIP
#define CE_MAN_QUERY_REMOTE_SKIP
Definition: options.h:149
options::x509_track
const struct x509_track * x509_track
Definition: options.h:667
options::windows_driver
enum windows_driver_type windows_driver
Definition: options.h:679
context_1::link_socket_addr
struct link_socket_addr link_socket_addr
Local and remote addresses on the external network.
Definition: openvpn.h:157
http_proxy_options::auth_retry
int auth_retry
Definition: proxy.h:51
options::shared_secret_file_inline
bool shared_secret_file_inline
Definition: options.h:553
init_proxy
static void init_proxy(struct context *c)
Definition: init.c:718
options::management_client_group
const char * management_client_group
Definition: options.h:438
do_link_socket_new
static void do_link_socket_new(struct context *c)
Definition: init.c:3725
openvpn_sockaddr::sa
struct sockaddr sa
Definition: socket.h:69
key_schedule::tls_auth_key_type
struct key_type tls_auth_key_type
Definition: openvpn.h:66
delete_routes
void delete_routes(struct route_list *rl, struct route_ipv6_list *rl6, const struct tuntap *tt, unsigned int flags, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition: route.c:1254
context::plugins_owned
bool plugins_owned
Whether the plug-ins should be cleaned up when this context is cleaned up.
Definition: openvpn.h:506
options::test_crypto
bool test_crypto
Definition: options.h:567
options::verify_hash_no_ca
bool verify_hash_no_ca
Definition: options.h:606
open_plugins
void open_plugins(struct context *c, const bool import_options, int init_point)
Definition: init.c:4138
options::block_outside_dns
bool block_outside_dns
Definition: options.h:678
key_schedule
Definition: openvpn.h:54
context_1::socks_proxy
struct socks_proxy_info * socks_proxy
Definition: openvpn.h:191
OPT_P_MESSAGES
#define OPT_P_MESSAGES
Definition: options.h:723
options::ifconfig_ipv6_netbits
int ifconfig_ipv6_netbits
Definition: options.h:311
options::ncp_ciphers
const char * ncp_ciphers
Definition: options.h:559
key_schedule::key_type
struct key_type key_type
Definition: openvpn.h:57
tls_options::export_peer_cert_dir
const char * export_peer_cert_dir
Definition: ssl_common.h:380
OPT_P_PULL_MODE
#define OPT_P_PULL_MODE
Definition: options.h:735
OPT_P_DHCPDNS
#define OPT_P_DHCPDNS
Definition: options.h:715
management_notify_client_close
void management_notify_client_close(struct management *management, struct man_def_auth_context *mdac, const struct env_set *es)
Definition: manage.c:2985
key_type::digest
const char * digest
Message digest static parameters.
Definition: crypto.h:142
frame::extra_tun
int extra_tun
Maximum number of bytes in excess of the tun/tap MTU that might be read from or written to the virtua...
Definition: mtu.h:145
options::comp
struct compress_options comp
Definition: options.h:395
options::persist_config
bool persist_config
Definition: options.h:259
frame::payload_size
int payload_size
the maximum size that a payload that our buffers can hold from either tun device or network link.
Definition: mtu.h:102
options::imported_protocol_flags
unsigned int imported_protocol_flags
Definition: options.h:704
management_callback_remote_entry_count
static unsigned int management_callback_remote_entry_count(void *arg)
Definition: init.c:331
init_ssl_lib
void init_ssl_lib(void)
Definition: ssl.c:221
options::auth_token_lifetime
int auth_token_lifetime
Definition: options.h:527
OPT_P_NCP
#define OPT_P_NCP
Negotiable crypto parameters.
Definition: options.h:724
tls_options::auth_user_pass_verify_script_via_file
bool auth_user_pass_verify_script_via_file
Definition: ssl_common.h:378
openvpn_sockaddr::in4
struct sockaddr_in in4
Definition: socket.h:70
plugin_list_close
void plugin_list_close(struct plugin_list *pl)
Definition: plugin.c:897
update_time
static void update_time(void)
Definition: otime.h:77
options::push_peer_info
bool push_peer_info
Definition: options.h:663
context_buffers
Definition: openvpn.h:94
tuntap::options
struct tuntap_options options
Definition: tun.h:184
tls_wrap_ctx::work
struct buffer work
Work buffer (only for –tls-crypt)
Definition: ssl_common.h:274
tls_options::push_peer_info_detail
int push_peer_info_detail
The detail of info we push in peer info.
Definition: ssl_common.h:330
tls_ctx_initialised
bool tls_ctx_initialised(struct tls_root_ctx *ctx)
Checks whether the given TLS context is initialised.
Definition: ssl_openssl.c:142
tls_options::ssl_flags
unsigned int ssl_flags
Definition: ssl_common.h:418
tls_multi::opt
struct tls_options opt
Definition: ssl_common.h:596
options::tls_crypt_v2_file
const char * tls_crypt_v2_file
Definition: options.h:653
init.h
ovpn_dco_init
bool ovpn_dco_init(int mode, dco_context_t *dco)
Definition: dco_win.c:56
context::first_time
bool first_time
True on the first iteration of OpenVPN's main loop.
Definition: openvpn.h:481
plugin_return_free
void plugin_return_free(struct plugin_return *pr)
Definition: plugin.c:1015
context_2::shaper
struct shaper shaper
Definition: openvpn.h:262
do_open_tun
static bool do_open_tun(struct context *c, int *error_flags)
Definition: init.c:1836
init_management_callback_p2p
void init_management_callback_p2p(struct context *c)
Definition: init.c:4260
md_ctx_cleanup
void md_ctx_cleanup(md_ctx_t *ctx)
frame_calculate_dynamic
void frame_calculate_dynamic(struct frame *frame, struct key_type *kt, const struct options *options, struct link_socket_info *lsi)
Set the –mssfix option.
Definition: mss.c:335
options::management_state_buffer_size
int management_state_buffer_size
Definition: options.h:435
CE_MAN_QUERY_REMOTE_MASK
#define CE_MAN_QUERY_REMOTE_MASK
Definition: options.h:150
remote_host_store::host
char host[RH_HOST_LEN]
Definition: options.h:215
CE_MAN_QUERY_REMOTE_ACCEPT
#define CE_MAN_QUERY_REMOTE_ACCEPT
Definition: options.h:147
M_WARN
#define M_WARN
Definition: error.h:91
plugin_return::n
int n
Definition: plugin.h:103
close_instance
void close_instance(struct context *c)
Definition: init.c:4711
options::persist_tun
bool persist_tun
Definition: options.h:344
enable_auth_user_pass
void enable_auth_user_pass(void)
Definition: ssl.c:280
plugin_list_inherit
struct plugin_list * plugin_list_inherit(const struct plugin_list *src)
Definition: plugin.c:695
connection_entry::tls_auth_file
const char * tls_auth_file
Definition: options.h:155
management_callback_remote_cmd
static bool management_callback_remote_cmd(void *arg, const char **p)
Definition: init.c:375
OPT_P_SHAPER
#define OPT_P_SHAPER
Definition: options.h:718
options::tls_crypt_v2_file_inline
bool tls_crypt_v2_file_inline
Definition: options.h:654
ALLOC_OBJ_CLEAR_GC
#define ALLOC_OBJ_CLEAR_GC(dptr, type, gc)
Definition: buffer.h:1102
init_verb_mute
void init_verb_mute(struct context *c, unsigned int flags)
Definition: init.c:940
management_init
struct management * management_init(void)
Definition: manage.c:2639
tuntap::adapter_index
DWORD adapter_index
Definition: tun.h:211
OPENVPN_PLUGIN_ROUTE_UP
#define OPENVPN_PLUGIN_ROUTE_UP
Definition: openvpn-plugin.h:119
LS_MODE_TCP_ACCEPT_FROM
#define LS_MODE_TCP_ACCEPT_FROM
Definition: socket.h:194
context::options
struct options options
Options loaded from command line or configuration file.
Definition: openvpn.h:478
context_1::route_ipv6_list
struct route_ipv6_list * route_ipv6_list
Definition: openvpn.h:180
management_callback_remote_entry_get
static bool management_callback_remote_entry_get(void *arg, unsigned int index, char **remote)
Definition: init.c:341
connection_entry::tls_crypt_v2_file_inline
bool tls_crypt_v2_file_inline
Definition: options.h:166
options::route_predown_script
const char * route_predown_script
Definition: options.h:410
do_deferred_options
bool do_deferred_options(struct context *c, const unsigned int found)
Definition: init.c:2593
connection_entry::tls_auth_file_inline
bool tls_auth_file_inline
Definition: options.h:156
options::auth_token_secret_file_inline
bool auth_token_secret_file_inline
Definition: options.h:530
context_2::ping_send_interval
struct event_timeout ping_send_interval
Definition: openvpn.h:286
add_delim_if_non_empty
static void add_delim_if_non_empty(struct buffer *buf, const char *header)
Helper function for tls_print_deferred_options_results Adds the ", " delimitor if there already some ...
Definition: init.c:2208
status_printf
void status_printf(struct status_output *so, const char *format,...)
Definition: status.c:222
connection_entry::tls_crypt_v2_file
const char * tls_crypt_v2_file
Definition: options.h:165
CO_MUTE_REPLAY_WARNINGS
#define CO_MUTE_REPLAY_WARNINGS
Bit-flag indicating not to display replay warnings.
Definition: crypto.h:259
OPENVPN_STATE_CONNECTING
#define OPENVPN_STATE_CONNECTING
Definition: manage.h:472
IFCONFIG_BEFORE_TUN_OPEN
#define IFCONFIG_BEFORE_TUN_OPEN
Definition: tun.h:352
http_proxy_options::port
const char * port
Definition: proxy.h:46
options::verify_x509_type
int verify_x509_type
Definition: options.h:595
context_0::uid_gid_specified
bool uid_gid_specified
Definition: openvpn.h:138
options
Definition: options.h:236
pool.h
options::auth_user_pass_file_inline
bool auth_user_pass_file_inline
Definition: options.h:543
connection_entry::key_direction
int key_direction
Definition: options.h:157
frame_finalize_options
static void frame_finalize_options(struct context *c, const struct options *o)
Definition: init.c:2872
tls_ctx_free
void tls_ctx_free(struct tls_root_ctx *ctx)
Frees the library-specific TLSv1 context.
Definition: ssl_openssl.c:133
options::log
bool log
Definition: options.h:377
tls_multi::dco_peer_id
int dco_peer_id
This is the handle that DCO uses to identify this session with the kernel.
Definition: ssl_common.h:690
tls_options::handshake_window
int handshake_window
Definition: ssl_common.h:332
options::gc
struct gc_arena gc
Definition: options.h:238
OPT_P_COMP
#define OPT_P_COMP
Definition: options.h:722
management_callback::remote_entry_count
unsigned int(* remote_entry_count)(void *arg)
Definition: manage.h:206
do_env_set_destroy
static void do_env_set_destroy(struct context *c)
Definition: init.c:4067
options_string_import
void options_string_import(struct options *options, const char *config, const int msglevel, const unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es)
Definition: options.c:5553
options::mlock
bool mlock
Definition: options.h:325
http_proxy_options::first_time
bool first_time
Definition: proxy.h:60
tls_options::verify_command
const char * verify_command
Definition: ssl_common.h:339
options::tls_timeout
int tls_timeout
Definition: options.h:623
M_ERR
#define M_ERR
Definition: error.h:105
options::management_addr
const char * management_addr
Definition: options.h:430
options::tls_verify
const char * tls_verify
Definition: options.h:593
options::down_script
const char * down_script
Definition: options.h:368
connection_entry::tun_mtu_extra
int tun_mtu_extra
Definition: options.h:123
tls_options::tls_crypt_v2_verify_script
const char * tls_crypt_v2_verify_script
Definition: ssl_common.h:368
can_preserve_tun
static bool can_preserve_tun(struct tuntap *tt)
Definition: init.c:1778
PRE_PULL_INITIAL_PING_RESTART
#define PRE_PULL_INITIAL_PING_RESTART
Definition: ping.h:33
status_output
Definition: status.h:48
dco_p2p_add_new_peer
static int dco_p2p_add_new_peer(struct context *c)
Definition: dco.h:331
CF_INIT_TLS_MULTI
#define CF_INIT_TLS_MULTI
Definition: init.c:68
write_pid_file
void write_pid_file(const char *filename, const char *chroot_dir)
Definition: init.c:4946
SDL_CONSTRAIN
#define SDL_CONSTRAIN
Definition: error.h:177
OCC_MTU_LOAD_INTERVAL_SECONDS
#define OCC_MTU_LOAD_INTERVAL_SECONDS
Definition: occ.h:61
options::no_advance
bool no_advance
Definition: options.h:280
signal_info::source
volatile int source
Definition: sig.h:44
context_0::platform_state_group
struct platform_state_group platform_state_group
Definition: openvpn.h:142
OPENVPN_PLUGIN_INIT_POST_UID_CHANGE
#define OPENVPN_PLUGIN_INIT_POST_UID_CHANGE
Definition: openvpn-plugin.h:769
get_user_pass
static bool get_user_pass(struct user_pass *up, const char *auth_file, const char *prefix, const unsigned int flags)
Retrieves the user credentials from various sources depending on the flags.
Definition: misc.h:147
management_callback::show_net
void(* show_net)(void *arg, const int msglevel)
Definition: manage.h:181
gc_detach
static void gc_detach(struct gc_arena *a)
Definition: buffer.h:1024
management_callback::arg
void * arg
Definition: manage.h:175
IVM_LEVEL_1
#define IVM_LEVEL_1
Definition: init.h:49
guess_tuntap_dev
const char * guess_tuntap_dev(const char *dev, const char *dev_type, const char *dev_node, struct gc_arena *gc)
Definition: tun.c:480
auth_retry_get
int auth_retry_get(void)
Definition: options.c:4766
tls_options::renegotiate_bytes
int renegotiate_bytes
Definition: ssl_common.h:334
do_startup_pause
static void do_startup_pause(struct context *c)
Definition: init.c:2827
link_socket_current_remote_ipv6
const struct in6_addr * link_socket_current_remote_ipv6(const struct link_socket_info *info)
Definition: socket.c:2492
context_2::frame_fragment
struct frame frame_fragment
Definition: openvpn.h:256
context::did_we_daemonize
bool did_we_daemonize
Whether demonization has already taken place.
Definition: openvpn.h:510
options::show_tls_ciphers
bool show_tls_ciphers
Definition: options.h:266
cipher_kt_mode_aead
bool cipher_kt_mode_aead(const char *ciphername)
Check if the supplied cipher is a supported AEAD mode cipher.
Definition: crypto_openssl.c:816
OPT_P_ECHO
#define OPT_P_ECHO
Definition: options.h:732
options::renegotiate_seconds_min
int renegotiate_seconds_min
Definition: options.h:629
format_common_name
const char * format_common_name(struct context *c, struct gc_arena *gc)
Definition: init.c:1284
options::persist_remote_ip
bool persist_remote_ip
Definition: options.h:346
context_2::session_id_hmac
hmac_ctx_t * session_id_hmac
the HMAC we use to generate and verify our syn cookie like session ids from the server.
Definition: openvpn.h:341
options::ccd_exclusive
bool ccd_exclusive
Definition: options.h:490
management_up_down
void management_up_down(struct management *man, const char *updown, const struct env_set *es)
Definition: manage.c:2878
win_wfp_block
bool win_wfp_block(const NET_IFINDEX index, const HANDLE msg_channel, BOOL dns_only)
Definition: win32.c:1211
tls_crypt_init_key
void tls_crypt_init_key(struct key_ctx_bi *key, struct key2 *keydata, const char *key_file, bool key_inline, bool tls_server)
Initialize a key_ctx_bi structure for use with –tls-crypt.
Definition: tls_crypt.c:61
options::ping_rec_timeout
int ping_rec_timeout
Definition: options.h:336
dco_remove_peer
static void dco_remove_peer(struct context *c)
Definition: dco.h:344
get_link_socket_info
static struct link_socket_info * get_link_socket_info(struct context *c)
Definition: forward.h:309
CE_MAN_QUERY_REMOTE_SHIFT
#define CE_MAN_QUERY_REMOTE_SHIFT
Definition: options.h:151
options::client_crresponse_script
const char * client_crresponse_script
Definition: options.h:488
tls_multi::peer_info
char * peer_info
Definition: ssl_common.h:643
auth_token_init_secret
void auth_token_init_secret(struct key_ctx *key_ctx, const char *key_file, bool key_inline)
Loads an HMAC secret from a file or if no file is present generates a epheremal secret for the run ti...
Definition: auth_token.c:124
tls_session_update_crypto_params
bool tls_session_update_crypto_params(struct tls_multi *multi, struct tls_session *session, struct options *options, struct frame *frame, struct frame *frame_fragment, struct link_socket_info *lsi)
Update TLS session crypto parameters (cipher and auth) and derive data channel keys based on the supp...
Definition: ssl.c:1638
buffer
Wrapper structure for dynamically allocated memory.
Definition: buffer.h:60
context_2::buffers_owned
bool buffers_owned
Definition: openvpn.h:371
GENKEY_TLS_CRYPTV2_SERVER
@ GENKEY_TLS_CRYPTV2_SERVER
Definition: options.h:223
pre_setup
void pre_setup(const struct options *options)
Definition: init.c:1295
TLS_MULTI_HORIZON
#define TLS_MULTI_HORIZON
Definition: ssl.h:61
proto_is_udp
static bool proto_is_udp(int proto)
Returns if the protocol being used is UDP.
Definition: socket.h:573
options::genkey
bool genkey
Definition: options.h:268
options::verify_x509_name
const char * verify_x509_name
Definition: options.h:596
argv::gc
struct gc_arena gc
Definition: argv.h:36
options::replay_window
int replay_window
Definition: options.h:564
static_context
static struct context * static_context
Definition: init.c:61
DCO_DEFAULT_METRIC
#define DCO_DEFAULT_METRIC
Definition: dco.h:48
PAR_ALL
#define PAR_ALL
Definition: proxy.h:49
tls_options::gremlin
int gremlin
Definition: ssl_common.h:431
p2p_set_dco_keepalive
static bool p2p_set_dco_keepalive(struct context *c)
Definition: init.c:2182
do_close_status_output
static void do_close_status_output(struct context *c)
Definition: init.c:4013
clear_remote_addrlist
static void clear_remote_addrlist(struct link_socket_addr *lsa, bool free)
Definition: init.c:498
options::route_ipv6_default_gateway
const char * route_ipv6_default_gateway
Definition: options.h:412
D_PUSH_ERRORS
#define D_PUSH_ERRORS
Definition: errlevel.h:67
http_proxy_options::server
const char * server
Definition: proxy.h:45
LS_MODE_TCP_LISTEN
#define LS_MODE_TCP_LISTEN
Definition: socket.h:193
openvpn_plugin_string_list::value
char * value
Definition: openvpn-plugin.h:194
tls_print_deferred_options_results
static void tls_print_deferred_options_results(struct context *c)
Prints the results of options imported for the data channel.
Definition: init.c:2222
dco_set_peer
int dco_set_peer(dco_context_t *dco, unsigned int peerid, int keepalive_interval, int keepalive_timeout, int mss)
Definition: dco_win.c:272
WSO_FORCE_CONSOLE
#define WSO_FORCE_CONSOLE
Definition: win32.h:171
options::exit_event_name
const char * exit_event_name
Definition: options.h:674
context_2::options_string_remote
char * options_string_remote
Definition: openvpn.h:300
platform_nice
void platform_nice(int niceval)
Definition: platform.c:311
platform_chroot
void platform_chroot(const char *path)
Definition: platform.c:55
ISC_SERVER
#define ISC_SERVER
Definition: init.h:115
plugin_return_defined
static bool plugin_return_defined(const struct plugin_return *pr)
Definition: plugin.h:165
close_tun
void close_tun(struct tuntap *tt, openvpn_net_ctx_t *ctx)
Definition: tun.c:6995
tuntap_options::msg_channel
HANDLE msg_channel
Definition: tun.h:84
set_mute_cutoff
bool set_mute_cutoff(const int cutoff)
Definition: error.c:123
CO_USE_DYNAMIC_TLS_CRYPT
#define CO_USE_DYNAMIC_TLS_CRYPT
Bit-flag indicating that renegotiations are using tls-crypt with a TLS-EKM derived key.
Definition: crypto.h:278
window_title_generate
void window_title_generate(const char *title)
Definition: win32.c:730
tls_options::verify_x509_type
int verify_x509_type
Definition: ssl_common.h:340
D_TLS_ERRORS
#define D_TLS_ERRORS
Definition: errlevel.h:59
link_socket::info
struct link_socket_info info
Definition: socket.h:167
options::route_delay_defined
bool route_delay_defined
Definition: options.h:417
print_in_addr_t
const char * print_in_addr_t(in_addr_t addr, unsigned int flags, struct gc_arena *gc)
Definition: socket.c:2904
options::handshake_window
int handshake_window
Definition: options.h:633
options::remote_cert_ku
unsigned remote_cert_ku[MAX_PARMS]
Definition: options.h:601
do_uid_gid_chroot
static void do_uid_gid_chroot(struct context *c, bool no_delay)
Definition: init.c:1200
init_management
void init_management(void)
Definition: init.c:4286
tls_options::x509_username_field
char * x509_username_field[2]
Definition: ssl_common.h:354
show_available_engines
void show_available_engines(void)
Definition: crypto_openssl.c:477
options::crl_file_inline
bool crl_file_inline
Definition: options.h:598
link_socket_addr::actual
struct link_socket_actual actual
Definition: socket.h:110
pre_init_signal_catch
void pre_init_signal_catch(void)
Definition: sig.c:398
ps.h
auth_token_write_server_key_file
void auth_token_write_server_key_file(const char *filename)
Generate a auth-token server secret key, and write to file.
Definition: auth_token.c:118
options::route_default_metric
int route_default_metric
Definition: options.h:413
context_2::event_set
struct event_set * event_set
Definition: openvpn.h:233
platform_unlink
bool platform_unlink(const char *filename)
Definition: platform.c:501
init_static
bool init_static(void)
Definition: init.c:816
link_socket_update_flags
bool link_socket_update_flags(struct link_socket *ls, unsigned int sockflags)
Definition: socket.c:969
context_buffers::read_link_buf
struct buffer read_link_buf
Definition: openvpn.h:113
link_socket_info
Definition: socket.h:113
tls_options::ns_cert_type
int ns_cert_type
Definition: ssl_common.h:344
context_buffers::aux_buf
struct buffer aux_buf
Definition: openvpn.h:97
VERIFY_X509_NONE
#define VERIFY_X509_NONE
Definition: ssl_verify.h:63
OPT_P_PERSIST
#define OPT_P_PERSIST
Definition: options.h:720
tls_session
Security parameter state of a single session within a VPN tunnel.
Definition: ssl_common.h:471
env_set_create
struct env_set * env_set_create(struct gc_arena *gc)
Definition: env_set.c:156
management_callback::status
void(* status)(void *arg, const int version, struct status_output *so)
Definition: manage.h:180
EVENT_METHOD_FAST
#define EVENT_METHOD_FAST
Definition: event.h:83
options::sndbuf
int sndbuf
Definition: options.h:399
management_event_loop_n_seconds
void management_event_loop_n_seconds(struct management *man, int sec)
Definition: manage.c:3430
init_http_proxy_options_once
struct http_proxy_options * init_http_proxy_options_once(struct http_proxy_options **hpo, struct gc_arena *gc)
Definition: proxy.c:46
show_adapters
void show_adapters(int msglev)
Definition: tun.c:5095
status_close
bool status_close(struct status_output *so)
Definition: status.c:188
frame::buf
struct frame::@6 buf
context_2::frame
struct frame frame
Definition: openvpn.h:251
context_2::link_socket
struct link_socket * link_socket
Definition: openvpn.h:240
init_crypto_pre
static void init_crypto_pre(struct context *c, const unsigned int flags)
Definition: init.c:2964
CAS_CONNECT_DONE
@ CAS_CONNECT_DONE
Definition: ssl_common.h:573
options::fast_io
bool fast_io
Definition: options.h:393
options::server_bridge_proxy_dhcp
bool server_bridge_proxy_dhcp
Definition: options.h:463
do_init_fragment
static void do_init_fragment(struct context *c)
Definition: init.c:3704
tls_options::sci
const struct static_challenge_info * sci
Definition: ssl_common.h:427
do_init_frame
static void do_init_frame(struct context *c)
Definition: init.c:3508
syshead.h
platform_fopen
FILE * platform_fopen(const char *path, const char *mode)
Definition: platform.c:514
pkcs11.h
context_persist::restart_sleep_seconds
int restart_sleep_seconds
Definition: openvpn.h:122
options::management_flags
unsigned int management_flags
Definition: options.h:443
show_available_digests
void show_available_digests(void)
Definition: crypto_openssl.c:436
options::management_echo_buffer_size
int management_echo_buffer_size
Definition: options.h:434
options::unsuccessful_attempts
unsigned int unsuccessful_attempts
Definition: options.h:285
connection_list::array
struct connection_entry ** array
Definition: options.h:187
inherit_context_child
void inherit_context_child(struct context *dest, const struct context *src)
Definition: init.c:4786
add_wfp_block
static void add_wfp_block(struct context *c)
Add WFP filters to block traffic to local networks.
Definition: init.c:1796
OPT_P_ROUTE
#define OPT_P_ROUTE
Definition: options.h:714
D_PUSH
#define D_PUSH
Definition: errlevel.h:83
cipher_kt_mode_ofb_cfb
bool cipher_kt_mode_ofb_cfb(const char *ciphername)
Check if the supplied cipher is a supported OFB or CFB mode cipher.
Definition: crypto_openssl.c:804
show_routes
void show_routes(int msglev)
Definition: route.c:3209
CC_NO_CLOSE
#define CC_NO_CLOSE
Definition: init.h:106
tls_auth_standalone_free
void tls_auth_standalone_free(struct tls_auth_standalone *tas)
Frees a standalone tls-auth verification object.
Definition: ssl.c:1210
tls_options::auth_user_pass_file
const char * auth_user_pass_file
Definition: ssl_common.h:381
context_1::ifconfig_pool_persist_owned
bool ifconfig_pool_persist_owned
Definition: openvpn.h:196
tls_options::verify_hash_algo
hash_algo_type verify_hash_algo
Definition: ssl_common.h:350
options::client_config_dir
const char * client_config_dir
Definition: options.h:489
context_1::http_proxy
struct http_proxy_info * http_proxy
Definition: openvpn.h:187
gc_arena
Garbage collection arena used to keep track of dynamically allocated memory.
Definition: buffer.h:116
options::status_file
const char * status_file
Definition: options.h:388
uninit_static
void uninit_static(void)
Definition: init.c:922
options::genkey_filename
const char * genkey_filename
Definition: options.h:270
tls_options::auth_user_pass_verify_script
const char * auth_user_pass_verify_script
Definition: ssl_common.h:376
occ.h
link_socket_addr
Definition: socket.h:104
context::sig
struct signal_info * sig
Internal error signaling object.
Definition: openvpn.h:503
context_clear_2
void context_clear_2(struct context *c)
Definition: init.c:88
management_callback::remote_entry_get
bool(* remote_entry_get)(void *arg, unsigned int index, char **remote)
Definition: manage.h:207
setenv_str
void setenv_str(struct env_set *es, const char *name, const char *value)
Definition: env_set.c:283
MODE_POINT_TO_POINT
#define MODE_POINT_TO_POINT
Definition: options.h:245
CC_USR1_TO_HUP
#define CC_USR1_TO_HUP
Definition: init.h:104
buf_set_write
static void buf_set_write(struct buffer *buf, uint8_t *data, int size)
Definition: buffer.h:331
key_schedule::tls_crypt_v2_wkc
struct buffer tls_crypt_v2_wkc
Wrapped client key.
Definition: openvpn.h:72
remote_host_store
Definition: options.h:212
D_READ_WRITE
#define D_READ_WRITE
Definition: errlevel.h:167
fork_register_dns_action
void fork_register_dns_action(struct tuntap *tt)
Definition: tun.c:6130
key_type::cipher
const char * cipher
const name of the cipher
Definition: crypto.h:141
do_genkey
bool do_genkey(const struct options *options)
Definition: init.c:1012
daemon
int daemon(int nochdir, int noclose)
Definition: compat-daemon.c:51
PING_UNDEF
#define PING_UNDEF
Definition: options.h:339
options::auth_token_call_auth
bool auth_token_call_auth
Definition: options.h:526
possibly_become_daemon
bool possibly_become_daemon(const struct options *options)
Definition: init.c:1158
P2P_ERROR_DELAY_MS
#define P2P_ERROR_DELAY_MS
Definition: errlevel.h:41
SOCKET_UNDEFINED
#define SOCKET_UNDEFINED
Definition: syshead.h:427
pem_password_setup
void pem_password_setup(const char *auth_file)
Definition: ssl.c:244
check_compression_settings_valid
bool check_compression_settings_valid(struct compress_options *info, int msglevel)
Checks if the compression settings are valid.
Definition: comp.c:163
connection_entry::http_proxy_options
struct http_proxy_options * http_proxy_options
Definition: options.h:113
init_tun_post
void init_tun_post(struct tuntap *tt, const struct frame *frame, const struct tuntap_options *options)
Definition: tun.c:963
tls_auth_standalone_init
struct tls_auth_standalone * tls_auth_standalone_init(struct tls_options *tls_options, struct gc_arena *gc)
Definition: ssl.c:1184
strncpynt
static void strncpynt(char *dest, const char *src, size_t maxlen)
Definition: buffer.h:361
BASE_N_EVENTS
#define BASE_N_EVENTS
Definition: init.h:33
env_set
Definition: env_set.h:42
tls_multi_free
void tls_multi_free(struct tls_multi *multi, bool clear)
Cleanup a tls_multi structure and free associated memory allocations.
Definition: ssl.c:1239
context_2::occ_mtu_load_test_interval
struct event_timeout occ_mtu_load_test_interval
Definition: openvpn.h:320
uninit_management_callback
void uninit_management_callback(void)
Definition: init.c:4358
OPT_P_TIMER
#define OPT_P_TIMER
Definition: options.h:719
do_alloc_route_list
static void do_alloc_route_list(struct context *c)
Definition: init.c:1448
ifconfig_pool_persist_close
void ifconfig_pool_persist_close(struct ifconfig_pool_persist *persist)
Definition: pool.c:572
tls_options::mda_context
struct man_def_auth_context * mda_context
Definition: ssl_common.h:421
tls_options::auth_token_lifetime
unsigned int auth_token_lifetime
Definition: ssl_common.h:388
TUN_MTU_MIN
#define TUN_MTU_MIN
Definition: mtu.h:60
options::config
const char * config
Definition: options.h:242
CE_MAN_QUERY_REMOTE_QUERY
#define CE_MAN_QUERY_REMOTE_QUERY
Definition: options.h:146
plugin_list
Definition: plugin.h:94
options::plugin_list
struct plugin_option_list * plugin_list
Definition: options.h:446
argv_new
struct argv argv_new(void)
Allocates a new struct argv and ensures it is initialised.
Definition: argv.c:88
inherit_context_top
void inherit_context_top(struct context *dest, const struct context *src)
Definition: init.c:4864
options::priv_key_file_inline
bool priv_key_file_inline
Definition: options.h:585
free_context_buffers
void free_context_buffers(struct context_buffers *b)
Definition: init.c:3667
update_options_ce_post
static void update_options_ce_post(struct options *options)
Definition: init.c:191
TOP_P2P
#define TOP_P2P
Definition: proto.h:44
dco_enabled
static bool dco_enabled(const struct options *o)
Returns whether the current configuration has dco enabled.
Definition: options.h:907
argv_printf
bool argv_printf(struct argv *argres, const char *format,...)
printf() variant which populates a struct argv.
Definition: argv.c:440
tls_auth_standalone::tls_wrap
struct tls_wrap_ctx tls_wrap
Definition: ssl_pkt.h:79
free_buf
void free_buf(struct buffer *buf)
Definition: buffer.c:183
connection_entry::flags
unsigned int flags
Definition: options.h:152
free_key_ctx
void free_key_ctx(struct key_ctx *ctx)
Definition: crypto.c:889
dco.h
tls_options::client_config_dir_exclusive
const char * client_config_dir_exclusive
Definition: ssl_common.h:394
options::connect_retry_max
int connect_retry_max
Definition: options.h:274
crypto_max_overhead
unsigned int crypto_max_overhead(void)
Return the worst-case OpenVPN crypto overhead (in bytes)
Definition: crypto.c:719
do_init_crypto_tls_c1
static void do_init_crypto_tls_c1(struct context *c)
Definition: init.c:3119
PING_EXIT
#define PING_EXIT
Definition: options.h:340
check_debug_level
static bool check_debug_level(unsigned int level)
Definition: error.h:220
context::es
struct env_set * es
Set of environment variables.
Definition: openvpn.h:499
tls_multi::use_peer_id
bool use_peer_id
Definition: ssl_common.h:667
plugin_return_get_column
void plugin_return_get_column(const struct plugin_return *src, struct plugin_return *dest, const char *colname)
Definition: plugin.c:1000
error_reset
void error_reset(void)
Definition: error.c:161
options::management_log_history_cache
int management_log_history_cache
Definition: options.h:433
options_detach
void options_detach(struct options *o)
Definition: options.c:1674
CC_HARD_USR1_TO_HUP
#define CC_HARD_USR1_TO_HUP
Definition: init.h:105
shaper_msg
void shaper_msg(struct shaper *s)
Definition: shaper.c:88
tuntap_options::disable_dco
bool disable_dco
Definition: tun.h:73
options::daemon
bool daemon
Definition: options.h:373
connection_entry::socks_proxy_authfile
const char * socks_proxy_authfile
Definition: options.h:116
management_pre_tunnel_close
void management_pre_tunnel_close(struct management *man)
Definition: manage.c:3071
event_free
static void event_free(struct event_set *es)
Definition: event.h:139
context_2::packet_id_persist_interval
struct event_timeout packet_id_persist_interval
Definition: openvpn.h:358
tls_multi_init_finalize
void tls_multi_init_finalize(struct tls_multi *multi, int tls_mtu)
Finalize initialization of a tls_multi structure.
Definition: ssl.c:1170
management_callback::send_cc_message
bool(* send_cc_message)(void *arg, const char *message, const char *parameter)
Definition: manage.h:186
management_query_proxy_enabled
static bool management_query_proxy_enabled(const struct management *man)
Definition: manage.h:454
tls_options::pull
bool pull
Definition: ssl_common.h:319
md_ctx_free
void md_ctx_free(md_ctx_t *ctx)
run_up_down
static void run_up_down(const char *command, const struct plugin_list *plugins, int plugin_type, const char *arg, DWORD adapter_index, const char *dev_type, int tun_mtu, const char *ifconfig_local, const char *ifconfig_remote, const char *context, const char *signal_text, const char *script_type, struct env_set *es)
Definition: init.c:108
options::rcvbuf
int rcvbuf
Definition: options.h:398
tls_multi_init
struct tls_multi * tls_multi_init(struct tls_options *tls_options)
Allocate and initialize a tls_multi structure.
Definition: ssl.c:1155
buf_len
static int buf_len(const struct buffer *buf)
Definition: buffer.h:253
test_crypto_thread
static void * test_crypto_thread(void *arg)
Definition: init.c:4990
options::remap_sigusr1
int remap_sigusr1
Definition: options.h:375
options::exit_event_initial_state
bool exit_event_initial_state
Definition: options.h:675
do_open_ifconfig_pool_persist
static void do_open_ifconfig_pool_persist(struct context *c)
Definition: init.c:4030
CF_INIT_TLS_AUTH_STANDALONE
#define CF_INIT_TLS_AUTH_STANDALONE
Definition: init.c:69
tuntap::local
in_addr_t local
Definition: tun.h:189
link_socket_init_phase1
void link_socket_init_phase1(struct context *c, int mode)
Definition: socket.c:1834
link_socket_info::connection_established
bool connection_established
Definition: socket.h:116
context_2::mda_context
struct man_def_auth_context mda_context
Definition: openvpn.h:456
mstats.h
uninit_proxy
static void uninit_proxy(struct context *c)
Definition: init.c:724
frame::mss_fix
uint16_t mss_fix
The actual MSS value that should be written to the payload packets.
Definition: mtu.h:118
IS_SIG
#define IS_SIG(c)
Definition: sig.h:48
options::peer_id
uint32_t peer_id
Definition: options.h:683
set_std_files_to_null
void set_std_files_to_null(bool stdin_only)
Definition: misc.c:56
addr_defined
static bool addr_defined(const struct openvpn_sockaddr *addr)
Definition: socket.h:648
init_instance_handle_signals
void init_instance_handle_signals(struct context *c, const struct env_set *env, const unsigned int flags)
Definition: init.c:4384
management_callback::proxy_cmd
bool(* proxy_cmd)(void *arg, const char **p)
Definition: manage.h:201
options::advance_next_remote
bool advance_next_remote
Definition: options.h:283
ROUTE_OPTION_FLAGS
#define ROUTE_OPTION_FLAGS(o)
Definition: options.h:758
context_2::fragment
struct fragment_master * fragment
Definition: openvpn.h:255
tls_options::crl_file
const char * crl_file
Definition: ssl_common.h:342
max_int
static int max_int(int x, int y)
Definition: integer.h:76
otime.h
connection_entry::remote
const char * remote
Definition: options.h:105
uninit_proxy_dowork
static void uninit_proxy_dowork(struct context *c)
Definition: init.c:669
ssl_purge_auth
void ssl_purge_auth(const bool auth_user_pass_only)
Definition: ssl.c:376
tuntap::dco
dco_context_t dco
Definition: tun.h:234
do_init_crypto
static void do_init_crypto(struct context *c, const unsigned int flags)
Definition: init.c:3491
signal_info
Definition: sig.h:41
init_options_dev
void init_options_dev(struct options *options)
Definition: init.c:963
context_1::ks
struct key_schedule ks
Definition: openvpn.h:162
options::tls_crypt_v2_verify_script
const char * tls_crypt_v2_verify_script
Definition: options.h:658
options::key_pass_file
const char * key_pass_file
Definition: options.h:262
CM_TOP
#define CM_TOP
Definition: openvpn.h:486
OPT_P_SOCKFLAGS
#define OPT_P_SOCKFLAGS
Definition: options.h:738
status
static SERVICE_STATUS status
Definition: interactive.c:53
do_route
bool do_route(const struct options *options, struct route_list *route_list, struct route_ipv6_list *route_ipv6_list, const struct tuntap *tt, const struct plugin_list *plugins, struct env_set *es, openvpn_net_ctx_t *ctx)
Definition: init.c:1686
connection_entry::tun_mtu_extra_defined
bool tun_mtu_extra_defined
Definition: options.h:124
options::ns_cert_type
int ns_cert_type
Definition: options.h:600
OPENVPN_STATE_CONNECTED
#define OPENVPN_STATE_CONNECTED
Definition: manage.h:475
options::packet_id_file
const char * packet_id_file
Definition: options.h:566
CO_PACKET_ID_LONG_FORM
#define CO_PACKET_ID_LONG_FORM
Bit-flag indicating whether to use OpenVPN's long packet ID format.
Definition: crypto.h:250
packet_id_persist_load_obj
void packet_id_persist_load_obj(const struct packet_id_persist *p, struct packet_id *pid)
Definition: packet_id.c:522
management
Definition: manage.h:335
min_int
static int min_int(int x, int y)
Definition: integer.h:89
gc_free
static void gc_free(struct gc_arena *a)
Definition: buffer.h:1038
tls_options::key_type
struct key_type key_type
Definition: ssl_common.h:302
tls_options::server
bool server
Definition: ssl_common.h:305
key_schedule::original_wrap_keydata
struct key2 original_wrap_keydata
original tls-crypt key preserved to xored into the tls_crypt renegotiation key
Definition: openvpn.h:70
event_set_init
struct event_set * event_set_init(int *maxevents, unsigned int flags)
Definition: event.c:1186
WSO_FORCE_SERVICE
#define WSO_FORCE_SERVICE
Definition: win32.h:170
saved_pid_file_name
static const char * saved_pid_file_name
Definition: init.c:62
BUF_SIZE
#define BUF_SIZE(f)
Definition: mtu.h:172
frame::tun_max_mtu
int tun_max_mtu
the maximum tun-mtu size the buffers are are sized for.
Definition: mtu.h:141
options::renegotiate_packets
int renegotiate_packets
Definition: options.h:627
tuntap::remote_netmask
in_addr_t remote_netmask
Definition: tun.h:190
do_close_link_socket
static void do_close_link_socket(struct context *c)
Definition: init.c:3882
check_pull_client_ncp
bool check_pull_client_ncp(struct context *c, const int found)
Checks whether the cipher negotiation is in an acceptable state and we continue to connect or should ...
Definition: ssl_ncp.c:315
IVM_LEVEL_2
#define IVM_LEVEL_2
Definition: init.h:50
options::connection_list
struct connection_list * connection_list
Definition: options.h:276
socks_proxy_new
struct socks_proxy_info * socks_proxy_new(const char *server, const char *port, const char *authfile)
Definition: socks.c:52
do_signal_on_tls_errors
static void do_signal_on_tls_errors(struct context *c)
Definition: init.c:4113
options::ifconfig_remote_netmask
const char * ifconfig_remote_netmask
Definition: options.h:309
tls_options::replay_window
int replay_window
Definition: ssl_common.h:360
show_available_curves
void show_available_curves(void)
Definition: ssl_openssl.c:2344
options::routes
struct route_option_list * routes
Definition: options.h:418
options::chroot_dir
const char * chroot_dir
Definition: options.h:361
mss.h
GET_USER_PASS_NEED_OK
#define GET_USER_PASS_NEED_OK
Definition: misc.h:110
options::down_pre
bool down_pre
Definition: options.h:370
tuntap
Definition: tun.h:171
init_proxy_dowork
static void init_proxy_dowork(struct context *c)
Definition: init.c:686
management_close
void management_close(struct management *man)
Definition: manage.c:2710
context_2::crypto_options
struct crypto_options crypto_options
Security parameters and crypto state used by the Data Channel Crypto module to process data channel p...
Definition: openvpn.h:352
tls_options::mode
int mode
Definition: ssl_common.h:318
CM_TOP_CLONE
#define CM_TOP_CLONE
Definition: openvpn.h:487
mudp.h
init_win32
void init_win32(void)
Definition: win32.c:109
ALLOC_OBJ_CLEAR
#define ALLOC_OBJ_CLEAR(dptr, type)
Definition: buffer.h:1065
link_socket_new
struct link_socket * link_socket_new(void)
Definition: socket.c:1823
crypto_options::key_ctx_bi
struct key_ctx_bi key_ctx_bi
OpenSSL cipher and HMAC contexts for both sending and receiving directions.
Definition: crypto.h:232
context_2::pulled_options_digest
struct sha256_digest pulled_options_digest
Definition: openvpn.h:448
context_1::pulled_options_digest_save
struct sha256_digest pulled_options_digest_save
Hash of option strings received from the remote OpenVPN server.
Definition: openvpn.h:199
free_ssl_lib
void free_ssl_lib(void)
Definition: ssl.c:229
now
time_t now
Definition: otime.c:34
context_buffers::encrypt_buf
struct buffer encrypt_buf
Definition: openvpn.h:100
tls_options::renegotiate_packets
int renegotiate_packets
Definition: ssl_common.h:335
options::sockflags
unsigned int sockflags
Definition: options.h:406
options::username
const char * username
Definition: options.h:359
argv_msg
void argv_msg(const int msglev, const struct argv *a)
Write the arguments stored in a struct argv via the msg() command.
Definition: argv.c:243
SHAPER_DEFINED
#define SHAPER_DEFINED(opt)
Definition: options.h:763
do_persist_tuntap
bool do_persist_tuntap(struct options *options, openvpn_net_ctx_t *ctx)
Definition: init.c:1095
platform_chdir
int platform_chdir(const char *dir)
Definition: platform.c:393
context_0::platform_state_user
struct platform_state_user platform_state_user
Definition: openvpn.h:141
AR_INTERACT
#define AR_INTERACT
Definition: options.h:885
context_1::status_output
struct status_output * status_output
Definition: openvpn.h:183
TOP_NET30
#define TOP_NET30
Definition: proto.h:43
OPENVPN_PLUGIN_FUNC_SUCCESS
#define OPENVPN_PLUGIN_FUNC_SUCCESS
Definition: openvpn-plugin.h:148
config.h
do_init_tls_wrap_key
static void do_init_tls_wrap_key(struct context *c)
Definition: init.c:3041
D_PUSH_DEBUG
#define D_PUSH_DEBUG
Definition: errlevel.h:150
do_preresolve
void do_preresolve(struct context *c)
Definition: socket.c:328
http_proxy_options
Definition: proxy.h:44
ssl_ncp.h
init_plugins
void init_plugins(struct context *c)
Definition: init.c:4128
connection_entry::fragment
int fragment
Definition: options.h:132
win_wfp_uninit
bool win_wfp_uninit(const NET_IFINDEX index, const HANDLE msg_channel)
Definition: win32.c:1260
ifconfig_order
static int ifconfig_order(void)
Definition: tun.h:358
context_1::ifconfig_pool_persist
struct ifconfig_pool_persist * ifconfig_pool_persist
Definition: openvpn.h:195
options::up_restart
bool up_restart
Definition: options.h:372
tls_options::xmit_hold
bool xmit_hold
Definition: ssl_common.h:308
tls_options::crypto_flags
unsigned int crypto_flags
Definition: ssl_common.h:358
platform_user_get
bool platform_user_get(const char *username, struct platform_state_user *state)
Definition: platform.c:79
gc_init
static void gc_init(struct gc_arena *a)
Definition: buffer.h:1017
S_FATAL
#define S_FATAL
Definition: run_command.h:46
options::ifconfig_pool_persist_filename
const char * ifconfig_pool_persist_filename
Definition: options.h:476
OCC_INTERVAL_SECONDS
#define OCC_INTERVAL_SECONDS
Definition: occ.h:46
tls_multi::peer_id
uint32_t peer_id
Definition: ssl_common.h:666
connection_entry::tls_mtu
int tls_mtu
Definition: options.h:127
options::auth_user_pass_verify_script_via_file
bool auth_user_pass_verify_script_via_file
Definition: options.h:524
context_1::pid_persist
struct packet_id_persist pid_persist
Definition: openvpn.h:168
D_SHOW_NET
#define D_SHOW_NET
Definition: errlevel.h:132
ISC_ROUTE_ERRORS
#define ISC_ROUTE_ERRORS
Definition: init.h:116
options::transition_window
int transition_window
Definition: options.h:641
context_clear
void context_clear(struct context *c)
Definition: init.c:76
platform_mlockall
void platform_mlockall(bool print_msg)
Definition: platform.c:344
context_2::tls_exit_signal
int tls_exit_signal
Definition: openvpn.h:350
socket_restart_pause
static void socket_restart_pause(struct context *c)
Definition: init.c:2749
options_string_version
const char * options_string_version(const char *s, struct gc_arena *gc)
Definition: options.c:4641
connection_entry::proto
int proto
Definition: options.h:99
do_deferred_options_part2
static bool do_deferred_options_part2(struct context *c)
This function is expected to be invoked after open_tun() was performed.
Definition: init.c:2348
management_set_callback
void management_set_callback(struct management *man, const struct management_callback *cb)
Definition: manage.c:2720
options::mute_replay_warnings
bool mute_replay_warnings
Definition: options.h:563
management_clear_callback
void management_clear_callback(struct management *man)
Definition: manage.c:2728
IA_EMPTY_IF_UNDEF
#define IA_EMPTY_IF_UNDEF
Definition: socket.h:388
link_socket_current_remote
in_addr_t link_socket_current_remote(const struct link_socket_info *info)
Definition: socket.c:2457
tls_options::packet_timeout
interval_t packet_timeout
Definition: ssl_common.h:333
do_init_buffers
static void do_init_buffers(struct context *c)
Definition: init.c:3692
tls_options::remote_cert_ku
unsigned remote_cert_ku[MAX_PARMS]
Definition: ssl_common.h:345
options::auth_token_generate
bool auth_token_generate
Definition: options.h:525
OPENVPN_PLUGIN_ROUTE_PREDOWN
#define OPENVPN_PLUGIN_ROUTE_PREDOWN
Definition: openvpn-plugin.h:129
options::ifconfig_ipv6_local
const char * ifconfig_ipv6_local
Definition: options.h:310
link_socket_update_buffer_sizes
void link_socket_update_buffer_sizes(struct link_socket *ls, int rcvbuf, int sndbuf)
Definition: socket.c:983
user_pass::password
char password[USER_PASS_LEN]
Definition: misc.h:72
check_malloc_return
static void check_malloc_return(void *p)
Definition: buffer.h:1108
options::engine
const char * engine
Definition: options.h:561
context_2::server_poll_interval
struct event_timeout server_poll_interval
Definition: openvpn.h:411
print_status
void print_status(struct context *c, struct status_output *so)
Definition: sig.c:484
AR_NOINTERACT
#define AR_NOINTERACT
Definition: options.h:886
OPT_P_UP
#define OPT_P_UP
Definition: options.h:713
PUSH_BUNDLE_SIZE
#define PUSH_BUNDLE_SIZE
Definition: common.h:88
init_key_type
void init_key_type(struct key_type *kt, const char *ciphername, const char *authname, bool tls_mode, bool warn)
Initialize a key_type structure with.
Definition: crypto.c:744
do_init_traffic_shaper
static void do_init_traffic_shaper(struct context *c)
Definition: init.c:1432
pre_connect_restore
void pre_connect_restore(struct options *o, struct gc_arena *gc)
Definition: options.c:3328
session
Definition: keyingmaterialexporter.c:56
md_valid
bool md_valid(const char *digest)
Return if a message digest parameters is valid given the name of the digest.
Definition: crypto_openssl.c:1038
options::show_net_up
bool show_net_up
Definition: options.h:676
plugin_defined
bool plugin_defined(const struct plugin_list *pl, const int type)
Definition: plugin.c:932
sha256_digest
Wrapper struct to pass around SHA256 digests.
Definition: crypto.h:132
options::tmp_dir
const char * tmp_dir
Definition: options.h:450
list.h
win32_signal::mode
int mode
Definition: win32.h:157
options::crl_file
const char * crl_file
Definition: options.h:597
crypto_options::packet_id
struct packet_id packet_id
Current packet ID state for both sending and receiving directions.
Definition: crypto.h:236
context_2::options_string_local
char * options_string_local
Definition: openvpn.h:299
get_frame_mtu
static size_t get_frame_mtu(struct context *c, const struct options *o)
Definition: init.c:2840
context_2::session_interval
struct event_timeout session_interval
Definition: openvpn.h:293
tuncfg
void tuncfg(const char *dev, const char *dev_type, const char *dev_node, int persist_mode, const char *username, const char *groupname, const struct tuntap_options *options, openvpn_net_ctx_t *ctx)
sig.h
CF_LOAD_PERSISTED_PACKET_ID
#define CF_LOAD_PERSISTED_PACKET_ID
Definition: init.c:67
management_callback_proxy_cmd
static bool management_callback_proxy_cmd(void *arg, const char **p)
Definition: init.c:210
options::route_delay_window
int route_delay_window
Definition: options.h:416
PAR_NCT
#define PAR_NCT
Definition: proxy.h:50
win32_signal_open
void win32_signal_open(struct win32_signal *ws, int force, const char *exit_event_name, bool exit_event_initial_state)
Definition: win32.c:453
OPT_P_ROUTE_EXTRAS
#define OPT_P_ROUTE_EXTRAS
Definition: options.h:734
link_socket_actual::dest
struct openvpn_sockaddr dest
Definition: socket.h:90
CE_DISABLED
#define CE_DISABLED
Definition: options.h:143
event_timeout_clear
static void event_timeout_clear(struct event_timeout *et)
Clears the timeout and reset all values to 0.
Definition: interval.h:155
options::occ
bool occ
Definition: options.h:427
options::persist_mode
int persist_mode
Definition: options.h:260
remap_signal
void remap_signal(struct context *c)
Definition: sig.c:588
context_2::link_socket_owned
bool link_socket_owned
Definition: openvpn.h:241
do_init_tun
static void do_init_tun(struct context *c)
Definition: init.c:1744
register_signal
void register_signal(struct signal_info *si, int signum, const char *signal_text)
Register a soft signal in the signal_info struct si respecting priority.
Definition: sig.c:231
connection_entry::af
sa_family_t af
Definition: options.h:100
crypto_init_lib_engine
void crypto_init_lib_engine(const char *engine_name)
Definition: crypto_openssl.c:144
crypto_options::flags
unsigned int flags
Bit-flags determining behavior of security operation functions.
Definition: crypto.h:283
tls_multi_init_set_options
void tls_multi_init_set_options(struct tls_multi *multi, const char *local, const char *remote)
Definition: ssl.c:1226
user_pass
Definition: misc.h:56
auth_user_pass_setup
void auth_user_pass_setup(const char *auth_file, bool is_inline, const struct static_challenge_info *sci)
Definition: ssl.c:286
context_buffers::read_tun_buf
struct buffer read_tun_buf
Definition: openvpn.h:114
options::route_script
const char * route_script
Definition: options.h:409
CO_USE_TLS_KEY_MATERIAL_EXPORT
#define CO_USE_TLS_KEY_MATERIAL_EXPORT
Bit-flag indicating that data channel key derivation is done using TLS keying material export [RFC570...
Definition: crypto.h:262
do_hold
static bool do_hold(int holdtime)
Definition: init.c:2730
options::tuntap_options
struct tuntap_options tuntap_options
Definition: options.h:356
context_clear_1
void context_clear_1(struct context *c)
Definition: init.c:82
post_init_signal_catch
void post_init_signal_catch(void)
Definition: sig.c:427
do_event_set_init
static void do_event_set_init(struct context *c, bool need_us_timeout)
Definition: init.c:3965
alloc_buf
struct buffer alloc_buf(size_t size)
Definition: buffer.c:62
crypto_options::pid_persist
struct packet_id_persist * pid_persist
Persistent packet ID state for keeping state between successive OpenVPN process startups.
Definition: crypto.h:245
options::route_delay
int route_delay
Definition: options.h:415
options::ifconfig_local
const char * ifconfig_local
Definition: options.h:308
connection_entry::tun_mtu
int tun_mtu
Definition: options.h:118
context_2::occ_op
int occ_op
Definition: openvpn.h:302
memdbg.h
options::user_script_used
bool user_script_used
Definition: options.h:369
context_2::ping_rec_interval
struct event_timeout ping_rec_interval
Definition: openvpn.h:287
connection_entry::tun_mtu_max
int tun_mtu_max
Definition: options.h:120
packet_id_free
void packet_id_free(struct packet_id *p)
Definition: packet_id.c:102
options::ping_rec_timeout_action
int ping_rec_timeout_action
Definition: options.h:342
do_init_crypto_tls
static void do_init_crypto_tls(struct context *c, const unsigned int flags)
Definition: init.c:3216
options::mtu_test
bool mtu_test
Definition: options.h:319
options::management_client_user
const char * management_client_user
Definition: options.h:437
management_callback
Definition: manage.h:173
options::ciphername
const char * ciphername
Definition: options.h:556
tls_wrap_ctx::mode
enum tls_wrap_ctx::@17 mode
Control channel wrapping mode.
options::inactivity_timeout
int inactivity_timeout
Definition: options.h:330
context_2::coarse_timer_wakeup
time_t coarse_timer_wakeup
Definition: openvpn.h:402
packet_id_persist_close
void packet_id_persist_close(struct packet_id_persist *p)
Definition: packet_id.c:417
context_clear_all_except_first_time
void context_clear_all_except_first_time(struct context *c)
Definition: init.c:94
setenv_routes
void setenv_routes(struct env_set *es, const struct route_list *rl)
Definition: route.c:1449
OPT_P_EXPLICIT_NOTIFY
#define OPT_P_EXPLICIT_NOTIFY
Definition: options.h:731
title_string
const char title_string[]
Definition: options.c:67
ce_management_query_proxy
static bool ce_management_query_proxy(struct context *c)
Definition: init.c:256
get_p2p_ncp_cipher
const char * get_p2p_ncp_cipher(struct tls_session *session, const char *peer_info, struct gc_arena *gc)
Determines the best common cipher from both peers IV_CIPHER lists.
Definition: ssl_ncp.c:360
tls_options::auth_token_call_auth
bool auth_token_call_auth
always call normal authentication
Definition: ssl_common.h:387
M_USAGE
#define M_USAGE
Definition: error.h:106
http_proxy_new
struct http_proxy_info * http_proxy_new(const struct http_proxy_options *o)
Definition: proxy.c:501
context_2::event_set_owned
bool event_set_owned
Definition: openvpn.h:235
CO_USE_CC_EXIT_NOTIFY
#define CO_USE_CC_EXIT_NOTIFY
Bit-flag indicating that explicit exit notifies should be sent via the control channel instead of usi...
Definition: crypto.h:274
add_routes
bool add_routes(struct route_list *rl, struct route_ipv6_list *rl6, const struct tuntap *tt, unsigned int flags, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition: route.c:1186
options::dev_node
const char * dev_node
Definition: options.h:305
do_close_event_set
static void do_close_event_set(struct context *c)
Definition: init.c:3984
options::server_backoff_time
int server_backoff_time
Definition: options.h:291
remove_pid_file
void remove_pid_file(void)
Definition: init.c:4976
msg
#define msg(flags,...)
Definition: error.h:144
tls_options::dco_enabled
bool dco_enabled
Whether keys have to be installed in DCO or not.
Definition: ssl_common.h:438
context_init_1
void context_init_1(struct context *c)
Definition: init.c:730
options::auth_user_pass_verify_script
const char * auth_user_pass_verify_script
Definition: options.h:523
OPT_P_PEER_ID
#define OPT_P_PEER_ID
Definition: options.h:740
undo_ifconfig
void undo_ifconfig(struct tuntap *tt, openvpn_net_ctx_t *ctx)
undo_ifconfig - undo configuration of the tunnel interface
Definition: tun.c:1749
do_init_frame_tls
static void do_init_frame_tls(struct context *c)
Definition: init.c:3446
link_socket_init_phase2
void link_socket_init_phase2(struct context *c)
Definition: socket.c:2169
init_route_list
bool init_route_list(struct route_list *rl, const struct route_option_list *opt, const char *remote_endpoint, int default_metric, in_addr_t remote_host, struct env_set *es, openvpn_net_ctx_t *ctx)
Definition: route.c:631
options::ifconfig_pool_persist_refresh_freq
int ifconfig_pool_persist_refresh_freq
Definition: options.h:477
frame::tun_mtu
int tun_mtu
the (user) configured tun-mtu.
Definition: mtu.h:131
persist_client_stats
void persist_client_stats(struct context *c)
Definition: init.c:4369
ISC_ERRORS
#define ISC_ERRORS
Definition: init.h:114
options::ifconfig_ipv6_remote
const char * ifconfig_ipv6_remote
Definition: options.h:312
options::renegotiate_bytes
int renegotiate_bytes
Definition: options.h:626
link_socket_close
void link_socket_close(struct link_socket *sock)
Definition: socket.c:2297
D_CLOSE
#define D_CLOSE
Definition: errlevel.h:73
options::lladdr
const char * lladdr
Definition: options.h:306
dco_check_pull_options
static bool dco_check_pull_options(int msglevel, const struct options *o)
Definition: dco.h:281
tls_options::es
struct env_set * es
Definition: ssl_common.h:397
buf_printf
bool buf_printf(struct buffer *buf, const char *format,...)
Definition: buffer.c:240
key_schedule::static_key
struct key_ctx_bi static_key
Definition: openvpn.h:60
options::server_bridge_defined
bool server_bridge_defined
Definition: options.h:465
management_query_remote_enabled
static bool management_query_remote_enabled(const struct management *man)
Definition: manage.h:448
do_init_timers
static void do_init_timers(struct context *c, bool deferred)
Definition: init.c:1347
init_ssl
void init_ssl(const struct options *options, struct tls_root_ctx *new_ctx, bool in_chroot)
Build master SSL context object that serves for the whole of OpenVPN instantiation.
Definition: ssl.c:507
context_2::do_up_ran
bool do_up_ran
Definition: openvpn.h:414
do_option_warnings
static void do_option_warnings(struct context *c)
Definition: init.c:3553
script_security
int script_security(void)
Definition: run_command.c:43
initialization_sequence_completed
void initialization_sequence_completed(struct context *c, const unsigned int flags)
Definition: init.c:1571
frame::headroom
int headroom
the headroom in the buffer, this is choosen to allow all potential header to be added before the pack...
Definition: mtu.h:108
ALLOC_OBJ_GC
#define ALLOC_OBJ_GC(dptr, type, gc)
Definition: buffer.h:1097
shaper_init
static void shaper_init(struct shaper *s, int bytes_per_second)
Definition: shaper.h:86
tls_options::plugins
const struct plugin_list * plugins
Definition: ssl_common.h:399
TLS_MULTI_REFRESH
#define TLS_MULTI_REFRESH
Definition: ssl.h:60
tuntap_is_dco_win
static bool tuntap_is_dco_win(struct tuntap *tt)
Definition: tun.h:656
options::management_user_pass
const char * management_user_pass
Definition: options.h:432
NS_CERT_CHECK_SERVER
#define NS_CERT_CHECK_SERVER
Do not perform Netscape certificate type verification.
Definition: ssl_verify.h:229
context_1::http_proxy_owned
bool http_proxy_owned
Definition: openvpn.h:188
link_socket_addr::remote_list
struct addrinfo * remote_list
Definition: socket.h:107
options::remote_cert_eku
const char * remote_cert_eku
Definition: options.h:602
options::pull
bool pull
Definition: options.h:539
basename
char * basename(char *filename)
Definition: compat-basename.c:37
PROTO_UDP
@ PROTO_UDP
Definition: socket.h:555
PROTO_TCP
@ PROTO_TCP
Definition: socket.h:556
context::c1
struct context_1 c1
Level 1 context.
Definition: openvpn.h:516
tls_crypt_v2_write_server_key_file
void tls_crypt_v2_write_server_key_file(const char *filename)
Generate a tls-crypt-v2 server key, and write to file.
Definition: tls_crypt.c:675
tls_common_name
const char * tls_common_name(const struct tls_multi *multi, const bool null)
Returns the common name field for the given tunnel.
Definition: ssl_verify.c:113
D_IMPORT_ERRORS
#define D_IMPORT_ERRORS
Definition: errlevel.h:64
D_INIT_MEDIUM
#define D_INIT_MEDIUM
Definition: errlevel.h:104
close_context
void close_context(struct context *c, int sig, unsigned int flags)
Definition: init.c:4914
CM_P2P
#define CM_P2P
Definition: openvpn.h:485
dev_type_enum
int dev_type_enum(const char *dev, const char *dev_type)
Definition: tun.c:436
management::persist
struct man_persist persist
Definition: manage.h:337
route_ipv6_option_list::gc
struct gc_arena * gc
Definition: route.h:109
do_deferred_p2p_ncp
static bool do_deferred_p2p_ncp(struct context *c)
Definition: init.c:2545
signal_description
const char * signal_description(const int signum, const char *sigtext)
Definition: sig.c:107
http_proxy_close
void http_proxy_close(struct http_proxy_info *hp)
Definition: proxy.c:565
management_callback_status_p2p
static void management_callback_status_p2p(void *arg, const int version, struct status_output *so)
Definition: init.c:4200
send_control_channel_string
bool send_control_channel_string(struct context *c, const char *str, int msglevel)
Definition: forward.c:431
options::route_default_gateway
const char * route_default_gateway
Definition: options.h:411
close_management
void close_management(void)
Definition: init.c:4345
context_2::fast_io
bool fast_io
Definition: openvpn.h:427
context::net_ctx
openvpn_net_ctx_t net_ctx
Networking API opaque context.
Definition: openvpn.h:501
Generated by   doxygen 1.8.17