2 * OpenVPN -- An application to securely tunnel IP networks
3 * over a single TCP/UDP port, with support for SSL/TLS-based
4 * session authentication and key exchange,
5 * packet encryption, packet authentication, and
8 * Copyright (C) 2002-2009 OpenVPN Technologies, Inc. <sales@openvpn.net>
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License version 2
12 * as published by the Free Software Foundation.
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
19 * You should have received a copy of the GNU General Public License
20 * along with this program (see the file COPYING included with this
21 * distribution); if not, write to the Free Software Foundation, Inc.,
22 * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
33 /* socket descriptor passed by inetd/xinetd server to us */
34 #define INETD_SOCKET_DESCRIPTOR 0
36 /* forward declarations */
39 /* used by argv_x functions */
48 * Handle environmental variable lists
53 struct env_item
*next
;
58 struct env_item
*list
;
61 /* Get/Set UID of process */
64 #if defined(HAVE_GETPWNAM) && defined(HAVE_SETUID)
72 bool get_user (const char *username
, struct user_state
*state
);
73 void set_user (const struct user_state
*state
);
75 /* Get/Set GID of process */
78 #if defined(HAVE_GETGRNAM) && defined(HAVE_SETGID)
79 const char *groupname
;
86 bool get_group (const char *groupname
, struct group_state
*state
);
87 void set_group (const struct group_state
*state
);
89 void set_nice (int niceval
);
90 void do_chroot (const char *path
);
92 void run_up_down (const char *command
,
93 const struct plugin_list
*plugins
,
98 const char *ifconfig_local
,
99 const char* ifconfig_remote
,
101 const char *signal_text
,
102 const char *script_type
,
105 /* workspace for get_pid_file/write_pid */
108 const char *filename
;
111 void get_pid_file (const char* filename
, struct pid_state
*state
);
112 void write_pid (const struct pid_state
*state
);
113 unsigned int openvpn_getpid (void);
115 void do_mlockall (bool print_msg
); /* Disable paging */
118 int daemon (int nochdir
, int noclose
);
121 /* check file protections */
122 void warn_if_group_others_accessible(const char* filename
);
125 #define S_SCRIPT (1<<0)
126 #define S_FATAL (1<<1)
128 /* interpret the status code returned by system()/execve() */
130 bool system_executed (int stat
);
131 const char *system_error_message (int, struct gc_arena
*gc
);
133 /* wrapper around the execve() call */
134 int openvpn_execve (const struct argv
*a
, const struct env_set
*es
, const unsigned int flags
);
135 bool openvpn_execve_check (const struct argv
*a
, const struct env_set
*es
, const unsigned int flags
, const char *error_message
);
136 bool openvpn_execve_allowed (const unsigned int flags
);
137 int openvpn_system (const char *command
, const struct env_set
*es
, unsigned int flags
);
140 /* a thread-safe version of strerror */
141 const char* strerror_ts (int errnum
, struct gc_arena
*gc
);
144 /* Set standard file descriptors to /dev/null */
145 void set_std_files_to_null (bool stdin_only
);
147 /* Wrapper for chdir library function */
148 int openvpn_chdir (const char* dir
);
150 /* dup inetd/xinetd socket descriptor and save */
151 extern int inetd_socket_descriptor
;
152 void save_inetd_socket_descriptor (void);
154 /* init random() function, only used as source for weak random numbers, when !USE_CRYPTO */
155 void init_random_seed(void);
157 /* set/delete environmental variable */
158 void setenv_str_ex (struct env_set
*es
,
161 const unsigned int name_include
,
162 const unsigned int name_exclude
,
163 const char name_replace
,
164 const unsigned int value_include
,
165 const unsigned int value_exclude
,
166 const char value_replace
);
168 void setenv_counter (struct env_set
*es
, const char *name
, counter_type value
);
169 void setenv_int (struct env_set
*es
, const char *name
, int value
);
170 void setenv_unsigned (struct env_set
*es
, const char *name
, unsigned int value
);
171 void setenv_str (struct env_set
*es
, const char *name
, const char *value
);
172 void setenv_str_safe (struct env_set
*es
, const char *name
, const char *value
);
173 void setenv_del (struct env_set
*es
, const char *name
);
175 void setenv_int_i (struct env_set
*es
, const char *name
, const int value
, const int i
);
176 void setenv_str_i (struct env_set
*es
, const char *name
, const char *value
, const int i
);
178 /* struct env_set functions */
180 struct env_set
*env_set_create (struct gc_arena
*gc
);
181 void env_set_destroy (struct env_set
*es
);
182 bool env_set_del (struct env_set
*es
, const char *str
);
183 void env_set_add (struct env_set
*es
, const char *str
);
185 void env_set_print (int msglevel
, const struct env_set
*es
);
187 void env_set_inherit (struct env_set
*es
, const struct env_set
*src
);
189 void env_set_add_to_environment (const struct env_set
*es
);
190 void env_set_remove_from_environment (const struct env_set
*es
);
192 /* Make arrays of strings */
194 const char **make_env_array (const struct env_set
*es
,
195 const bool check_allowed
,
196 struct gc_arena
*gc
);
198 const char **make_arg_array (const char *first
, const char *parms
, struct gc_arena
*gc
);
199 const char **make_extended_arg_array (char **p
, struct gc_arena
*gc
);
201 /* convert netmasks for iproute2 */
202 int count_netmask_bits(const char *);
203 unsigned int count_bits(unsigned int );
205 /* go to sleep for n milliseconds */
206 void sleep_milliseconds (unsigned int n
);
208 /* go to sleep indefinitely */
209 void sleep_until_signal (void);
211 /* an analogue to the random() function, but use OpenSSL functions if available */
213 long int get_random(void);
215 #define get_random random
218 /* return true if filename can be opened for read */
219 bool test_file (const char *filename
);
221 /* create a temporary filename in directory */
222 const char *create_temp_filename (const char *directory
, const char *prefix
, struct gc_arena
*gc
);
224 /* put a directory and filename together */
225 const char *gen_path (const char *directory
, const char *filename
, struct gc_arena
*gc
);
227 /* delete a file, return true if succeeded */
228 bool delete_file (const char *filename
);
230 /* return true if pathname is absolute */
231 bool absolute_pathname (const char *pathname
);
233 /* prepend a random prefix to hostname (need USE_CRYPTO) */
234 const char *hostname_randomize(const char *hostname
, struct gc_arena
*gc
);
237 * Get and store a username/password
245 /* max length of username/password */
246 # ifdef ENABLE_PKCS11
247 # define USER_PASS_LEN 4096
249 # define USER_PASS_LEN 128
251 char username
[USER_PASS_LEN
];
252 char password
[USER_PASS_LEN
];
255 bool get_console_input (const char *prompt
, const bool echo
, char *input
, const int capacity
);
258 * Flags for get_user_pass and management_query_user_pass
260 #define GET_USER_PASS_MANAGEMENT (1<<0)
261 #define GET_USER_PASS_SENSITIVE (1<<1)
262 #define GET_USER_PASS_PASSWORD_ONLY (1<<2)
263 #define GET_USER_PASS_NEED_OK (1<<3)
264 #define GET_USER_PASS_NOFATAL (1<<4)
265 #define GET_USER_PASS_NEED_STR (1<<5)
267 bool get_user_pass (struct user_pass
*up
,
268 const char *auth_file
,
270 const unsigned int flags
);
272 void purge_user_pass (struct user_pass
*up
, const bool force
);
275 * Process string received by untrusted peer before
276 * printing to console or log file.
277 * Assumes that string has been null terminated.
279 const char *safe_print (const char *str
, struct gc_arena
*gc
);
281 /* returns true if environmental variable safe to print to log */
282 bool env_safe_to_print (const char *str
);
284 /* returns true if environmental variable may be passed to an external program */
285 bool env_allowed (const char *str
);
288 * A sleep function that services the management layer for n
289 * seconds rather than doing nothing.
291 void openvpn_sleep (const int n
);
293 void configure_path (void);
296 void get_user_pass_auto_userid (struct user_pass
*up
, const char *tag
);
300 * /sbin/ip path, may be overridden
302 #ifdef CONFIG_FEATURE_IPROUTE
303 extern const char *iproute_path
;
306 #define SSEC_NONE 0 /* strictly no calling of external programs */
307 #define SSEC_BUILT_IN 1 /* only call built-in programs such as ifconfig, route, netsh, etc.*/
308 #define SSEC_SCRIPTS 2 /* allow calling of built-in programs and user-defined scripts */
309 #define SSEC_PW_ENV 3 /* allow calling of built-in programs and user-defined scripts that may receive a password as an environmental variable */
310 extern int script_security
; /* GLOBAL */
312 #define SM_EXECVE 0 /* call external programs with execve() or CreateProcess() */
313 #define SM_SYSTEM 1 /* call external programs with system() */
314 extern int script_method
; /* GLOBAL */
316 /* return the next largest power of 2 */
317 size_t adjust_power_of_2 (size_t u
);
319 /* return the basename of path */
320 const char *openvpn_basename (const char *path
);
323 * A printf-like function (that only recognizes a subset of standard printf
324 * format operators) that prints arguments to an argv list instead
325 * of a standard string. This is used to build up argv arrays for passing
328 void argv_init (struct argv
*a
);
329 struct argv
argv_new (void);
330 void argv_reset (struct argv
*a
);
331 char *argv_term (const char **f
);
332 const char *argv_str (const struct argv
*a
, struct gc_arena
*gc
, const unsigned int flags
);
333 struct argv
argv_insert_head (const struct argv
*a
, const char *head
);
334 void argv_msg (const int msglev
, const struct argv
*a
);
335 void argv_msg_prefix (const int msglev
, const struct argv
*a
, const char *prefix
);
336 const char *argv_system_str (const struct argv
*a
);
338 #define APA_CAT (1<<0) /* concatentate onto existing struct argv list */
339 void argv_printf_arglist (struct argv
*a
, const char *format
, const unsigned int flags
, va_list arglist
);
341 void argv_printf (struct argv
*a
, const char *format
, ...)
343 __attribute__ ((format (printf
, 2, 3)))
347 void argv_printf_cat (struct argv
*a
, const char *format
, ...)
349 __attribute__ ((format (printf
, 2, 3)))
358 user_state_uid (const struct user_state
*s
)
360 #if defined(HAVE_GETPWNAM) && defined(HAVE_SETUID)
362 return s
->pw
->pw_uid
;
368 group_state_gid (const struct group_state
*s
)
370 #if defined(HAVE_GETGRNAM) && defined(HAVE_SETGID)
372 return s
->gr
->gr_gid
;