OpenVPN
init.c
Go to the documentation of this file.
1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single TCP/UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. <sales@openvpn.net>
9  *
10  * This program is free software; you can redistribute it and/or modify
11  * it under the terms of the GNU General Public License version 2
12  * as published by the Free Software Foundation.
13  *
14  * This program is distributed in the hope that it will be useful,
15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17  * GNU General Public License for more details.
18  *
19  * You should have received a copy of the GNU General Public License along
20  * with this program; if not, write to the Free Software Foundation, Inc.,
21  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22  */
23 
24 #ifdef HAVE_CONFIG_H
25 #include "config.h"
26 #elif defined(_MSC_VER)
27 #include "config-msvc.h"
28 #endif
29 
30 #include "syshead.h"
31 
32 #ifdef ENABLE_SYSTEMD
33 #include <systemd/sd-daemon.h>
34 #endif
35 
36 #include "win32.h"
37 #include "init.h"
38 #include "sig.h"
39 #include "occ.h"
40 #include "list.h"
41 #include "otime.h"
42 #include "pool.h"
43 #include "gremlin.h"
44 #include "pkcs11.h"
45 #include "ps.h"
46 #include "lladdr.h"
47 #include "ping.h"
48 #include "mstats.h"
49 #include "ssl_verify.h"
50 #include "tls_crypt.h"
51 #include "forward-inline.h"
52 
53 #include "memdbg.h"
54 
55 #include "occ-inline.h"
56 
57 static struct context *static_context; /* GLOBAL */
58 
59 /*
60  * Crypto initialization flags
61  */
62 #define CF_LOAD_PERSISTED_PACKET_ID (1<<0)
63 #define CF_INIT_TLS_MULTI (1<<1)
64 #define CF_INIT_TLS_AUTH_STANDALONE (1<<2)
65 
66 static void do_init_first_time(struct context *c);
67 
68 void
70 {
71  CLEAR(*c);
72 }
73 
74 void
76 {
77  CLEAR(c->c1);
78 }
79 
80 void
82 {
83  CLEAR(c->c2);
84 }
85 
86 void
88 {
89  const bool first_time_save = c->first_time;
90  const struct context_persist cpsave = c->persist;
91  context_clear(c);
92  c->first_time = first_time_save;
93  c->persist = cpsave;
94 }
95 
96 /*
97  * Pass tunnel endpoint and MTU parms to a user-supplied script.
98  * Used to execute the up/down script/plugins.
99  */
100 static void
101 run_up_down(const char *command,
102  const struct plugin_list *plugins,
103  int plugin_type,
104  const char *arg,
105 #ifdef _WIN32
106  DWORD adapter_index,
107 #endif
108  const char *dev_type,
109  int tun_mtu,
110  int link_mtu,
111  const char *ifconfig_local,
112  const char *ifconfig_remote,
113  const char *context,
114  const char *signal_text,
115  const char *script_type,
116  struct env_set *es)
117 {
118  struct gc_arena gc = gc_new();
119 
120  if (signal_text)
121  {
122  setenv_str(es, "signal", signal_text);
123  }
124  setenv_str(es, "script_context", context);
125  setenv_int(es, "tun_mtu", tun_mtu);
126  setenv_int(es, "link_mtu", link_mtu);
127  setenv_str(es, "dev", arg);
128  if (dev_type)
129  {
130  setenv_str(es, "dev_type", dev_type);
131  }
132 #ifdef _WIN32
133  setenv_int(es, "dev_idx", adapter_index);
134 #endif
135 
136  if (!ifconfig_local)
137  {
138  ifconfig_local = "";
139  }
140  if (!ifconfig_remote)
141  {
142  ifconfig_remote = "";
143  }
144  if (!context)
145  {
146  context = "";
147  }
148 
149  if (plugin_defined(plugins, plugin_type))
150  {
151  struct argv argv = argv_new();
152  ASSERT(arg);
153  argv_printf(&argv,
154  "%s %d %d %s %s %s",
155  arg,
156  tun_mtu, link_mtu,
157  ifconfig_local, ifconfig_remote,
158  context);
159 
160  if (plugin_call(plugins, plugin_type, &argv, NULL, es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
161  {
162  msg(M_FATAL, "ERROR: up/down plugin call failed");
163  }
164 
165  argv_reset(&argv);
166  }
167 
168  if (command)
169  {
170  struct argv argv = argv_new();
171  ASSERT(arg);
172  setenv_str(es, "script_type", script_type);
173  argv_parse_cmd(&argv, command);
174  argv_printf_cat(&argv, "%s %d %d %s %s %s", arg, tun_mtu, link_mtu,
175  ifconfig_local, ifconfig_remote, context);
176  argv_msg(M_INFO, &argv);
177  openvpn_run_script(&argv, es, S_FATAL, "--up/--down");
178  argv_reset(&argv);
179  }
180 
181  gc_free(&gc);
182 }
183 
184 /*
185  * Should be called after options->ce is modified at the top
186  * of a SIGUSR1 restart.
187  */
188 static void
190 {
191 #if P2MP
192  /*
193  * In pull mode, we usually import --ping/--ping-restart parameters from
194  * the server. However we should also set an initial default --ping-restart
195  * for the period of time before we pull the --ping-restart parameter
196  * from the server.
197  */
198  if (options->pull
199  && options->ping_rec_timeout_action == PING_UNDEF
200  && proto_is_dgram(options->ce.proto))
201  {
204  }
205 #endif
206 }
207 
208 #ifdef ENABLE_MANAGEMENT
209 static bool
210 management_callback_proxy_cmd(void *arg, const char **p)
211 {
212  struct context *c = arg;
213  struct connection_entry *ce = &c->options.ce;
214  struct gc_arena *gc = &c->c2.gc;
215  bool ret = false;
216 
217  update_time();
218  if (streq(p[1], "NONE"))
219  {
220  ret = true;
221  }
222  else if (p[2] && p[3])
223  {
224  if (streq(p[1], "HTTP"))
225  {
226  struct http_proxy_options *ho;
227  if (ce->proto != PROTO_TCP && ce->proto != PROTO_TCP_CLIENT)
228  {
229  msg(M_WARN, "HTTP proxy support only works for TCP based connections");
230  return false;
231  }
233  ho->server = string_alloc(p[2], gc);
234  ho->port = string_alloc(p[3], gc);
235  ho->auth_retry = (p[4] && streq(p[4], "nct") ? PAR_NCT : PAR_ALL);
236  ret = true;
237  }
238  else if (streq(p[1], "SOCKS"))
239  {
240  ce->socks_proxy_server = string_alloc(p[2], gc);
241  ce->socks_proxy_port = string_alloc(p[3], gc);
242  ret = true;
243  }
244  }
245  else
246  {
247  msg(M_WARN, "Bad proxy command");
248  }
249 
250  ce->flags &= ~CE_MAN_QUERY_PROXY;
251 
252  return ret;
253 }
254 
255 static bool
257 {
258  const struct connection_list *l = c->options.connection_list;
259  struct connection_entry *ce = &c->options.ce;
260  struct gc_arena gc;
261  bool ret = true;
262 
263  update_time();
264  if (management)
265  {
266  gc = gc_new();
267  {
268  struct buffer out = alloc_buf_gc(256, &gc);
269  buf_printf(&out, ">PROXY:%u,%s,%s", (l ? l->current : 0) + 1,
270  (proto_is_udp(ce->proto) ? "UDP" : "TCP"), np(ce->remote));
272  }
273  ce->flags |= CE_MAN_QUERY_PROXY;
274  while (ce->flags & CE_MAN_QUERY_PROXY)
275  {
277  if (IS_SIG(c))
278  {
279  ret = false;
280  break;
281  }
282  }
283  gc_free(&gc);
284  }
285 
286  return ret;
287 }
288 
289 
290 static bool
291 management_callback_remote_cmd(void *arg, const char **p)
292 {
293  struct context *c = (struct context *) arg;
294  struct connection_entry *ce = &c->options.ce;
295  int ret = false;
297  {
298  int flags = 0;
299  if (!strcmp(p[1], "ACCEPT"))
300  {
302  ret = true;
303  }
304  else if (!strcmp(p[1], "SKIP"))
305  {
306  flags = CE_MAN_QUERY_REMOTE_SKIP;
307  ret = true;
308  }
309  else if (!strcmp(p[1], "MOD") && p[2] && p[3])
310  {
311  if (strlen(p[2]) < RH_HOST_LEN && strlen(p[3]) < RH_PORT_LEN)
312  {
313  struct remote_host_store *rhs = c->options.rh_store;
314  if (!rhs)
315  {
317  c->options.rh_store = rhs;
318  }
319  strncpynt(rhs->host, p[2], RH_HOST_LEN);
320  strncpynt(rhs->port, p[3], RH_PORT_LEN);
321 
322  ce->remote = rhs->host;
323  ce->remote_port = rhs->port;
324  flags = CE_MAN_QUERY_REMOTE_MOD;
325  ret = true;
326  }
327  }
328  if (ret)
329  {
330  ce->flags &= ~(CE_MAN_QUERY_REMOTE_MASK<<CE_MAN_QUERY_REMOTE_SHIFT);
332  }
333  }
334  return ret;
335 }
336 
337 static bool
339 {
340  struct gc_arena gc = gc_new();
341  volatile struct connection_entry *ce = &c->options.ce;
342  int ce_changed = true; /* presume the connection entry will be changed */
343 
344  update_time();
345  if (management)
346  {
347  struct buffer out = alloc_buf_gc(256, &gc);
348 
349  buf_printf(&out, ">REMOTE:%s,%s,%s", np(ce->remote), ce->remote_port,
350  proto2ascii(ce->proto, ce->af, false));
352 
355  while (((ce->flags >> CE_MAN_QUERY_REMOTE_SHIFT)
357  {
359  if (IS_SIG(c))
360  {
361  ce_changed = false; /* connection entry have not been set */
362  break;
363  }
364  }
365  }
366  gc_free(&gc);
367 
368  if (ce_changed)
369  {
370  /* If it is likely a connection entry was modified,
371  * check what changed in the flags and that it was not skipped
372  */
373  const int flags = ((ce->flags >> CE_MAN_QUERY_REMOTE_SHIFT)
375  ce_changed = (flags != CE_MAN_QUERY_REMOTE_SKIP);
376  }
377  return ce_changed;
378 }
379 #endif /* ENABLE_MANAGEMENT */
380 
381 /*
382  * Initialize and possibly randomize connection list.
383  */
384 static void
386 {
387  struct connection_list *l = c->options.connection_list;
388 
389  l->current = -1;
390  if (c->options.remote_random)
391  {
392  int i;
393  for (i = 0; i < l->len; ++i)
394  {
395  const int j = get_random() % l->len;
396  if (i != j)
397  {
398  struct connection_entry *tmp;
399  tmp = l->array[i];
400  l->array[i] = l->array[j];
401  l->array[j] = tmp;
402  }
403  }
404  }
405 }
406 
407 /*
408  * Clear the remote address list
409  */
410 static void
412 {
413  if (lsa->remote_list && free)
414  {
415  freeaddrinfo(lsa->remote_list);
416  }
417  lsa->remote_list = NULL;
418  lsa->current_remote = NULL;
419 }
420 
421 /*
422  * Increment to next connection entry
423  */
424 static void
426 {
427  struct connection_list *l = c->options.connection_list;
428  bool ce_defined;
429  struct connection_entry *ce;
430  int n_cycles = 0;
431 
432  do
433  {
434  ce_defined = true;
435  if (c->options.no_advance && l->current >= 0)
436  {
437  c->options.no_advance = false;
438  }
439  else
440  {
441  /* Check if there is another resolved address to try for
442  * the current connection */
444  && c->c1.link_socket_addr.current_remote->ai_next)
445  {
447  c->c1.link_socket_addr.current_remote->ai_next;
448  }
449  else
450  {
451  /* FIXME (schwabe) fix the persist-remote-ip option for real,
452  * this is broken probably ever since connection lists and multiple
453  * remote existed
454  */
455  if (!c->options.persist_remote_ip)
456  {
457  /* close_instance should have cleared the addrinfo objects */
460  }
461  else
462  {
465  }
466 
467  /*
468  * Increase the number of connection attempts
469  * If this is connect-retry-max * size(l)
470  * OpenVPN will quit
471  */
472 
474 
475  if (++l->current >= l->len)
476  {
477 
478  l->current = 0;
479  if (++n_cycles >= 2)
480  {
481  msg(M_FATAL, "No usable connection profiles are present");
482  }
483  }
484  }
485  }
486 
487  ce = l->array[l->current];
488 
489  if (ce->flags & CE_DISABLED)
490  {
491  ce_defined = false;
492  }
493 
494  c->options.ce = *ce;
495 #ifdef ENABLE_MANAGEMENT
497  {
498  /* allow management interface to override connection entry details */
499  ce_defined = ce_management_query_remote(c);
500  if (IS_SIG(c))
501  {
502  break;
503  }
504  }
505  else if (ce_defined && management && management_query_proxy_enabled(management))
506  {
507  ce_defined = ce_management_query_proxy(c);
508  if (IS_SIG(c))
509  {
510  break;
511  }
512  }
513 #endif
514  } while (!ce_defined);
515 
516  /* Check if this connection attempt would bring us over the limit */
517  if (c->options.connect_retry_max > 0
519  {
520  msg(M_FATAL, "All connections have been connect-retry-max (%d) times unsuccessful, exiting",
522  }
524 }
525 
526 /*
527  * Query for private key and auth-user-pass username/passwords
528  */
529 void
531 {
532 #ifdef ENABLE_CRYPTO
533  /* Certificate password input */
534  if (c->options.key_pass_file)
535  {
537  }
538 #endif
539 
540 #if P2MP
541  /* Auth user/pass input */
543  {
544 #ifdef ENABLE_CLIENT_CR
546 #else
548 #endif
549  }
550 #endif
551 }
552 
553 /*
554  * Initialize/Uninitialize HTTP or SOCKS proxy
555  */
556 
557 static void
559 {
560  if (c->c1.http_proxy_owned && c->c1.http_proxy)
561  {
563  c->c1.http_proxy = NULL;
564  c->c1.http_proxy_owned = false;
565  }
566  if (c->c1.socks_proxy_owned && c->c1.socks_proxy)
567  {
569  c->c1.socks_proxy = NULL;
570  c->c1.socks_proxy_owned = false;
571  }
572 }
573 
574 static void
576 {
577  bool did_http = false;
578 
580 
582  {
583  /* Possible HTTP proxy user/pass input */
585  if (c->c1.http_proxy)
586  {
587  did_http = true;
588  c->c1.http_proxy_owned = true;
589  }
590  }
591 
592  if (!did_http && c->options.ce.socks_proxy_server)
593  {
597  if (c->c1.socks_proxy)
598  {
599  c->c1.socks_proxy_owned = true;
600  }
601  }
602 }
603 
604 static void
605 init_proxy(struct context *c)
606 {
608 }
609 
610 static void
612 {
614 }
615 
616 void
618 {
619  context_clear_1(c);
620 
622 
624 
625 #if defined(ENABLE_PKCS11)
626  if (c->first_time)
627  {
628  int i;
629  pkcs11_initialize(true, c->options.pkcs11_pin_cache_period);
630  for (i = 0; i<MAX_PARMS && c->options.pkcs11_providers[i] != NULL; i++)
631  {
632  pkcs11_addProvider(c->options.pkcs11_providers[i], c->options.pkcs11_protected_authentication[i],
633  c->options.pkcs11_private_mode[i], c->options.pkcs11_cert_private[i]);
634  }
635  }
636 #endif
637 
638 #if 0 /* test get_user_pass with GET_USER_PASS_NEED_OK flag */
639  {
640  /*
641  * In the management interface, you can okay the request by entering "needok token-insertion-request ok"
642  */
643  struct user_pass up;
644  CLEAR(up);
645  strcpy(up.username, "Please insert your cryptographic token"); /* put the high-level message in up.username */
646  get_user_pass(&up, NULL, "token-insertion-request", GET_USER_PASS_MANAGEMENT|GET_USER_PASS_NEED_OK);
647  msg(M_INFO, "RET:%s", up.password); /* will return the third argument to management interface
648  * 'needok' command, usually 'ok' or 'cancel'. */
649  }
650 #endif
651 
652 #ifdef ENABLE_SYSTEMD
653  /* We can report the PID via getpid() to systemd here as OpenVPN will not
654  * do any fork due to daemon() a future call.
655  * See possibly_become_daemon() [init.c] for more details.
656  */
657  sd_notifyf(0, "READY=1\nSTATUS=Pre-connection initialization successful\nMAINPID=%lu",
658  (unsigned long) getpid());
659 #endif
660 
661 }
662 
663 void
665 {
666  gc_free(&c->c2.gc);
667  gc_free(&c->options.gc);
668  gc_free(&c->gc);
669 }
670 
671 #if PORT_SHARE
672 
673 static void
674 close_port_share(void)
675 {
676  if (port_share)
677  {
678  port_share_close(port_share);
679  port_share = NULL;
680  }
681 }
682 
683 static void
684 init_port_share(struct context *c)
685 {
686  if (!port_share && (c->options.port_share_host && c->options.port_share_port))
687  {
688  port_share = port_share_open(c->options.port_share_host,
689  c->options.port_share_port,
691  c->options.port_share_journal_dir);
692  if (port_share == NULL)
693  {
694  msg(M_FATAL, "Fatal error: Port sharing failed");
695  }
696  }
697 }
698 
699 #endif /* if PORT_SHARE */
700 
701 
702 bool
704 {
705  /* configure_path (); */
706 
707 #if defined(ENABLE_CRYPTO) && defined(DMALLOC)
708  crypto_init_dmalloc();
709 #endif
710 
711 
712  /*
713  * Initialize random number seed. random() is only used
714  * when "weak" random numbers are acceptable.
715  * SSL library routines are always used when cryptographically
716  * strong random numbers are required.
717  */
718  struct timeval tv;
719  if (!gettimeofday(&tv, NULL))
720  {
721  const unsigned int seed = (unsigned int) tv.tv_sec ^ tv.tv_usec;
722  srandom(seed);
723  }
724 
725  error_reset(); /* initialize error.c */
726  reset_check_status(); /* initialize status check code in socket.c */
727 
728 #ifdef _WIN32
729  init_win32();
730 #endif
731 
732 #ifdef OPENVPN_DEBUG_COMMAND_LINE
733  {
734  int i;
735  for (i = 0; i < argc; ++i)
736  {
737  msg(M_INFO, "argv[%d] = '%s'", i, argv[i]);
738  }
739  }
740 #endif
741 
742  update_time();
743 
744 #ifdef ENABLE_CRYPTO
745  init_ssl_lib();
746 
747  /* init PRNG used for IV generation */
748  /* When forking, copy this to more places in the code to avoid fork
749  * random-state predictability */
750  prng_init(NULL, 0);
751 #endif
752 
753 #ifdef PID_TEST
754  packet_id_interactive_test(); /* test the sequence number code */
755  return false;
756 #endif
757 
758 #ifdef SCHEDULE_TEST
759  schedule_test();
760  return false;
761 #endif
762 
763 #ifdef LIST_TEST
764  list_test();
765  return false;
766 #endif
767 
768 #ifdef IFCONFIG_POOL_TEST
769  ifconfig_pool_test(0x0A010004, 0x0A0100FF);
770  return false;
771 #endif
772 
773 #ifdef CHARACTER_CLASS_DEBUG
774  character_class_debug();
775  return false;
776 #endif
777 
778 #ifdef EXTRACT_X509_FIELD_TEST
780  return false;
781 #endif
782 
783 #ifdef TIME_TEST
784  time_test();
785  return false;
786 #endif
787 
788 #ifdef TEST_GET_DEFAULT_GATEWAY
789  {
790  struct route_gateway_info rgi;
791  struct route_ipv6_gateway_info rgi6;
792  get_default_gateway(&rgi);
793  get_default_gateway_ipv6(&rgi6, NULL);
794  print_default_gateway(M_INFO, &rgi, &rgi6);
795  return false;
796  }
797 #endif
798 
799 #ifdef GEN_PATH_TEST
800  {
801  struct gc_arena gc = gc_new();
802  const char *fn = gen_path("foo",
803  "bar",
804  &gc);
805  printf("%s\n", fn);
806  gc_free(&gc);
807  }
808  return false;
809 #endif
810 
811 #ifdef STATUS_PRINTF_TEST
812  {
813  struct gc_arena gc = gc_new();
814  const char *tmp_file = create_temp_file("/tmp", "foo", &gc);
815  struct status_output *so = status_open(tmp_file, 0, -1, NULL, STATUS_OUTPUT_WRITE);
816  status_printf(so, "%s", "foo");
817  status_printf(so, "%s", "bar");
818  if (!status_close(so))
819  {
820  msg(M_WARN, "STATUS_PRINTF_TEST: %s: write error", tmp_file);
821  }
822  gc_free(&gc);
823  }
824  return false;
825 #endif
826 
827 #ifdef ARGV_TEST
828  {
829  void argv_test(void);
830 
831  argv_test();
832  return false;
833  }
834 #endif
835 
836 #ifdef PRNG_TEST
837  {
838  struct gc_arena gc = gc_new();
839  uint8_t rndbuf[8];
840  int i;
841  prng_init("sha1", 16);
842  /*prng_init (NULL, 0);*/
843  const int factor = 1;
844  for (i = 0; i < factor * 8; ++i)
845  {
846 #if 1
847  prng_bytes(rndbuf, sizeof(rndbuf));
848 #else
849  ASSERT(rand_bytes(rndbuf, sizeof(rndbuf)));
850 #endif
851  printf("[%d] %s\n", i, format_hex(rndbuf, sizeof(rndbuf), 0, &gc));
852  }
853  gc_free(&gc);
854  prng_uninit();
855  return false;
856  }
857 #endif /* ifdef PRNG_TEST */
858 
859 #ifdef BUFFER_LIST_AGGREGATE_TEST
860  /* test buffer_list_aggregate function */
861  {
862  static const char *text[] = {
863  "It was a bright cold day in April, ",
864  "and the clocks were striking ",
865  "thirteen. ",
866  "Winston Smith, ",
867  "his chin nuzzled into his breast in an ",
868  "effort to escape the vile wind, ",
869  "slipped quickly through the glass doors ",
870  "of Victory Mansions, though not quickly ",
871  "enough to prevent a swirl of gritty dust from ",
872  "entering along with him."
873  };
874 
875  int iter, listcap;
876  for (listcap = 0; listcap < 12; ++listcap)
877  {
878  for (iter = 0; iter < 512; ++iter)
879  {
880  struct buffer_list *bl = buffer_list_new(listcap);
881  {
882  int i;
883  for (i = 0; i < SIZE(text); ++i)
884  {
885  buffer_list_push(bl, (unsigned char *)text[i]);
886  }
887  }
888  printf("[cap=%d i=%d] *************************\n", listcap, iter);
889  if (!(iter & 8))
890  {
891  buffer_list_aggregate(bl, iter/2);
892  }
893  if (!(iter & 16))
894  {
895  buffer_list_push(bl, (unsigned char *)"Even more text...");
896  }
897  buffer_list_aggregate(bl, iter);
898  if (!(iter & 1))
899  {
900  buffer_list_push(bl, (unsigned char *)"More text...");
901  }
902  {
903  struct buffer *buf;
904  while ((buf = buffer_list_peek(bl)))
905  {
906  int c;
907  printf("'");
908  while ((c = buf_read_u8(buf)) >= 0)
909  {
910  putchar(c);
911  }
912  printf("'\n");
913  buffer_list_advance(bl, 0);
914  }
915  }
916  buffer_list_free(bl);
917  }
918  }
919  return false;
920  }
921 #endif /* ifdef BUFFER_LIST_AGGREGATE_TEST */
922 
923 #ifdef MSTATS_TEST
924  {
925  int i;
926  mstats_open("/dev/shm/mstats.dat");
927  for (i = 0; i < 30; ++i)
928  {
929  mmap_stats->n_clients += 1;
930  mmap_stats->link_write_bytes += 8;
931  mmap_stats->link_read_bytes += 16;
932  sleep(1);
933  }
934  mstats_close();
935  return false;
936  }
937 #endif
938 
939  return true;
940 }
941 
942 void
944 {
945 #ifdef ENABLE_CRYPTO
946  free_ssl_lib();
947 #endif
948 
949 #ifdef ENABLE_PKCS11
950  pkcs11_terminate();
951 #endif
952 
953 #if PORT_SHARE
954  close_port_share();
955 #endif
956 
957 #if defined(MEASURE_TLS_HANDSHAKE_STATS) && defined(ENABLE_CRYPTO)
958  show_tls_performance_stats();
959 #endif
960 }
961 
962 void
963 init_verb_mute(struct context *c, unsigned int flags)
964 {
965  if (flags & IVM_LEVEL_1)
966  {
967  /* set verbosity and mute levels */
971  }
972 
973  /* special D_LOG_RW mode */
974  if (flags & IVM_LEVEL_2)
975  {
977  }
978 }
979 
980 /*
981  * Possibly set --dev based on --dev-node.
982  * For example, if --dev-node /tmp/foo/tun, and --dev undefined,
983  * set --dev to tun.
984  */
985 void
987 {
988  if (!options->dev && options->dev_node)
989  {
990  char *dev_node = string_alloc(options->dev_node, NULL); /* POSIX basename() implementaions may modify its arguments */
991  options->dev = basename(dev_node);
992  }
993 }
994 
995 bool
997 {
998  /*
999  * OpenSSL info print mode?
1000  */
1001 #ifdef ENABLE_CRYPTO
1002  if (options->show_ciphers || options->show_digests || options->show_engines
1003  || options->show_tls_ciphers || options->show_curves)
1004  {
1005  if (options->show_ciphers)
1006  {
1008  }
1009  if (options->show_digests)
1010  {
1012  }
1013  if (options->show_engines)
1014  {
1016  }
1017  if (options->show_tls_ciphers)
1018  {
1020  }
1021  if (options->show_curves)
1022  {
1024  }
1025  return true;
1026  }
1027 #endif /* ifdef ENABLE_CRYPTO */
1028  return false;
1029 }
1030 
1031 /*
1032  * Static pre-shared key generation mode?
1033  */
1034 bool
1035 do_genkey(const struct options *options)
1036 {
1037 #ifdef ENABLE_CRYPTO
1038  if (options->genkey)
1039  {
1040  int nbits_written;
1041 
1042  notnull(options->shared_secret_file,
1043  "shared secret output file (--secret)");
1044 
1045  if (options->mlock) /* should we disable paging? */
1046  {
1047  platform_mlockall(true);
1048  }
1049 
1050  nbits_written = write_key_file(2, options->shared_secret_file);
1051 
1053  "Randomly generated %d bit key written to %s", nbits_written,
1054  options->shared_secret_file);
1055  return true;
1056  }
1057 #endif
1058  return false;
1059 }
1060 
1061 /*
1062  * Persistent TUN/TAP device management mode?
1063  */
1064 bool
1066 {
1067  if (options->persist_config)
1068  {
1069  /* sanity check on options for --mktun or --rmtun */
1070  notnull(options->dev, "TUN/TAP device (--dev)");
1071  if (options->ce.remote || options->ifconfig_local
1072  || options->ifconfig_remote_netmask
1073 #ifdef ENABLE_CRYPTO
1074  || options->shared_secret_file
1075  || options->tls_server || options->tls_client
1076 #endif
1077  )
1078  {
1080  "options --mktun or --rmtun should only be used together with --dev");
1081  }
1082 #ifdef ENABLE_FEATURE_TUN_PERSIST
1083  tuncfg(options->dev, options->dev_type, options->dev_node,
1084  options->persist_mode,
1085  options->username, options->groupname, &options->tuntap_options);
1086  if (options->persist_mode && options->lladdr)
1087  {
1088  set_lladdr(options->dev, options->lladdr, NULL);
1089  }
1090  return true;
1091 #else /* ifdef ENABLE_FEATURE_TUN_PERSIST */
1092  msg( M_FATAL|M_OPTERR,
1093  "options --mktun and --rmtun are not available on your operating "
1094  "system. Please check 'man tun' (or 'tap'), whether your system "
1095  "supports using 'ifconfig %s create' / 'destroy' to create/remove "
1096  "persistant tunnel interfaces.", options->dev );
1097 #endif
1098  }
1099  return false;
1100 }
1101 
1102 /*
1103  * Should we become a daemon?
1104  * Return true if we did it.
1105  */
1106 bool
1108 {
1109  bool ret = false;
1110 
1111 #ifdef ENABLE_SYSTEMD
1112  /* return without forking if we are running from systemd */
1113  if (sd_notify(0, "READY=0") > 0)
1114  {
1115  return ret;
1116  }
1117 #endif
1118 
1119  if (options->daemon)
1120  {
1121  ASSERT(!options->inetd);
1122  /* Don't chdir immediately, but the end of the init sequence, if needed */
1123  if (daemon(1, options->log) < 0)
1124  {
1125  msg(M_ERR, "daemon() failed or unsupported");
1126  }
1128  if (options->log)
1129  {
1130  set_std_files_to_null(true);
1131  }
1132 
1133  ret = true;
1134  }
1135  return ret;
1136 }
1137 
1138 /*
1139  * Actually do UID/GID downgrade, chroot and SELinux context switching, if requested.
1140  */
1141 static void
1142 do_uid_gid_chroot(struct context *c, bool no_delay)
1143 {
1144  static const char why_not[] = "will be delayed because of --client, --pull, or --up-delay";
1145  struct context_0 *c0 = c->c0;
1146 
1147  if (c0 && !c0->uid_gid_chroot_set)
1148  {
1149  /* chroot if requested */
1150  if (c->options.chroot_dir)
1151  {
1152  if (no_delay)
1153  {
1155  }
1156  else if (c->first_time)
1157  {
1158  msg(M_INFO, "NOTE: chroot %s", why_not);
1159  }
1160  }
1161 
1162  /* set user and/or group if we want to setuid/setgid */
1163  if (c0->uid_gid_specified)
1164  {
1165  if (no_delay)
1166  {
1169  }
1170  else if (c->first_time)
1171  {
1172  msg(M_INFO, "NOTE: UID/GID downgrade %s", why_not);
1173  }
1174  }
1175 
1176 #ifdef ENABLE_MEMSTATS
1177  if (c->first_time && c->options.memstats_fn)
1178  {
1179  mstats_open(c->options.memstats_fn);
1180  }
1181 #endif
1182 
1183 #ifdef ENABLE_SELINUX
1184  /* Apply a SELinux context in order to restrict what OpenVPN can do
1185  * to _only_ what it is supposed to do after initialization is complete
1186  * (basically just network I/O operations). Doing it after chroot
1187  * requires /proc to be mounted in the chroot (which is annoying indeed
1188  * but doing it before requires more complex SELinux policies.
1189  */
1190  if (c->options.selinux_context)
1191  {
1192  if (no_delay)
1193  {
1194  if (-1 == setcon(c->options.selinux_context))
1195  {
1196  msg(M_ERR, "setcon to '%s' failed; is /proc accessible?", c->options.selinux_context);
1197  }
1198  else
1199  {
1200  msg(M_INFO, "setcon to '%s' succeeded", c->options.selinux_context);
1201  }
1202  }
1203  else if (c->first_time)
1204  {
1205  msg(M_INFO, "NOTE: setcon %s", why_not);
1206  }
1207  }
1208 #endif
1209 
1210  /* Privileges are going to be dropped by now (if requested), be sure
1211  * to prevent any future privilege dropping attempts from now on.
1212  */
1213  if (no_delay)
1214  {
1215  c0->uid_gid_chroot_set = true;
1216  }
1217  }
1218 }
1219 
1220 /*
1221  * Return common name in a way that is formatted for
1222  * prepending to msg() output.
1223  */
1224 const char *
1225 format_common_name(struct context *c, struct gc_arena *gc)
1226 {
1227  struct buffer out = alloc_buf_gc(256, gc);
1228 #ifdef ENABLE_CRYPTO
1229  if (c->c2.tls_multi)
1230  {
1231  buf_printf(&out, "[%s] ", tls_common_name(c->c2.tls_multi, false));
1232  }
1233 #endif
1234  return BSTR(&out);
1235 }
1236 
1237 void
1238 pre_setup(const struct options *options)
1239 {
1240 #ifdef _WIN32
1241  if (options->exit_event_name)
1242  {
1245  options->exit_event_name,
1246  options->exit_event_initial_state);
1247  }
1248  else
1249  {
1252  NULL,
1253  false);
1254 
1255  /* put a title on the top window bar */
1257  {
1259  window_title_generate(options->config);
1260  }
1261  }
1262 #endif /* ifdef _WIN32 */
1263 }
1264 
1265 void
1267 {
1268  c->c2.coarse_timer_wakeup = 0;
1269 }
1270 
1271 /*
1272  * Initialise the server poll timeout timer
1273  * This timer is used in the http/socks proxy setup so it needs to be setup
1274  * before
1275  */
1276 static void
1278 {
1279  update_time();
1280  if (c->options.ce.connect_timeout)
1281  {
1283  }
1284 }
1285 
1286 /*
1287  * Initialize timers
1288  */
1289 static void
1290 do_init_timers(struct context *c, bool deferred)
1291 {
1292  update_time();
1294 
1295  /* initialize inactivity timeout */
1296  if (c->options.inactivity_timeout)
1297  {
1299  }
1300 
1301  /* initialize pings */
1302 
1303  if (c->options.ping_send_timeout)
1304  {
1306  }
1307 
1308  if (c->options.ping_rec_timeout)
1309  {
1311  }
1312 
1313  if (!deferred)
1314  {
1315  /* initialize connection establishment timer */
1317 
1318 #ifdef ENABLE_OCC
1319  /* initialize occ timers */
1320 
1321  if (c->options.occ
1322  && !TLS_MODE(c)
1324  {
1326  }
1327 
1328  if (c->options.mtu_test)
1329  {
1331  }
1332 #endif
1333 
1334  /* initialize packet_id persistence timer */
1335 #ifdef ENABLE_CRYPTO
1336  if (c->options.packet_id_file)
1337  {
1339  }
1340 
1341  /* initialize tmp_int optimization that limits the number of times we call
1342  * tls_multi_process in the main event loop */
1344 #endif
1345  }
1346 }
1347 
1348 /*
1349  * Initialize traffic shaper.
1350  */
1351 static void
1353 {
1354 #ifdef ENABLE_FEATURE_SHAPER
1355  /* initialize traffic shaper (i.e. transmit bandwidth limiter) */
1356  if (c->options.shaper)
1357  {
1358  shaper_init(&c->c2.shaper, c->options.shaper);
1359  shaper_msg(&c->c2.shaper);
1360  }
1361 #endif
1362 }
1363 
1364 /*
1365  * Allocate route list structures for IPv4 and IPv6
1366  * (we do this for IPv4 even if no --route option has been seen, as other
1367  * parts of OpenVPN might want to fill the route-list with info, e.g. DHCP)
1368  */
1369 static void
1371 {
1372  if (!c->c1.route_list)
1373  {
1374  ALLOC_OBJ_CLEAR_GC(c->c1.route_list, struct route_list, &c->gc);
1375  }
1376  if (c->options.routes_ipv6 && !c->c1.route_ipv6_list)
1377  {
1379  }
1380 }
1381 
1382 
1383 /*
1384  * Initialize the route list, resolving any DNS names in route
1385  * options and saving routes in the environment.
1386  */
1387 static void
1389  struct route_list *route_list,
1390  const struct link_socket_info *link_socket_info,
1391  struct env_set *es)
1392 {
1393  const char *gw = NULL;
1394  int dev = dev_type_enum(options->dev, options->dev_type);
1395  int metric = 0;
1396 
1397  if (dev == DEV_TYPE_TUN && (options->topology == TOP_NET30 || options->topology == TOP_P2P))
1398  {
1399  gw = options->ifconfig_remote_netmask;
1400  }
1401  if (options->route_default_gateway)
1402  {
1403  gw = options->route_default_gateway;
1404  }
1405  if (options->route_default_metric)
1406  {
1407  metric = options->route_default_metric;
1408  }
1409 
1410  if (init_route_list(route_list,
1411  options->routes,
1412  gw,
1413  metric,
1414  link_socket_current_remote(link_socket_info),
1415  es))
1416  {
1417  /* copy routes to environment */
1418  setenv_routes(es, route_list);
1419  }
1420 }
1421 
1422 static void
1425  const struct link_socket_info *link_socket_info,
1426  struct env_set *es)
1427 {
1428  const char *gw = NULL;
1429  int metric = -1; /* no metric set */
1430 
1431  gw = options->ifconfig_ipv6_remote; /* default GW = remote end */
1432 #if 0 /* not yet done for IPv6 - TODO!*/
1433  if (options->route_ipv6_default_gateway) /* override? */
1434  {
1435  gw = options->route_ipv6_default_gateway;
1436  }
1437 #endif
1438 
1439  if (options->route_default_metric)
1440  {
1441  metric = options->route_default_metric;
1442  }
1443 
1444  /* redirect (IPv6) gateway to VPN? if yes, add a few more specifics
1445  */
1446  if (options->routes_ipv6->flags & RG_REROUTE_GW)
1447  {
1448  char *opt_list[] = { "::/3", "2000::/4", "3000::/4", "fc00::/7", NULL };
1449  int i;
1450 
1451  for (i = 0; opt_list[i]; i++)
1452  {
1454  string_alloc(opt_list[i], options->routes_ipv6->gc),
1455  NULL, NULL );
1456  }
1457  }
1458 
1459  if (init_route_ipv6_list(route_ipv6_list,
1460  options->routes_ipv6,
1461  gw,
1462  metric,
1463  link_socket_current_remote_ipv6(link_socket_info),
1464  es))
1465  {
1466  /* copy routes to environment */
1467  setenv_routes_ipv6(es, route_ipv6_list);
1468  }
1469 }
1470 
1471 
1472 /*
1473  * Called after all initialization has been completed.
1474  */
1475 void
1476 initialization_sequence_completed(struct context *c, const unsigned int flags)
1477 {
1478  static const char message[] = "Initialization Sequence Completed";
1479 
1480  /* Reset the unsuccessful connection counter on complete initialisation */
1482 
1483  /* If we delayed UID/GID downgrade or chroot, do it now */
1484  do_uid_gid_chroot(c, true);
1485 
1486 
1487 #ifdef ENABLE_CRYPTO
1488  /*
1489  * In some cases (i.e. when receiving auth-token via
1490  * push-reply) the auth-nocache option configured on the
1491  * client is overridden; for this reason we have to wait
1492  * for the push-reply message before attempting to wipe
1493  * the user/pass entered by the user
1494  */
1495  if (c->options.mode == MODE_POINT_TO_POINT)
1496  {
1498  }
1499 #endif /* ENABLE_CRYPTO */
1500 
1501  /* Test if errors */
1502  if (flags & ISC_ERRORS)
1503  {
1504 #ifdef _WIN32
1507  msg(M_INFO, "%s With Errors ( see http://openvpn.net/faq.html#dhcpclientserv )", message);
1508 #else
1509 #ifdef ENABLE_SYSTEMD
1510  sd_notifyf(0, "STATUS=Failed to start up: %s With Errors\nERRNO=1", message);
1511 #endif /* HAVE_SYSTEMD_SD_DAEMON_H */
1512  msg(M_INFO, "%s With Errors", message);
1513 #endif
1514  }
1515  else
1516  {
1517 #ifdef ENABLE_SYSTEMD
1518  sd_notifyf(0, "STATUS=%s", message);
1519 #endif
1520  msg(M_INFO, "%s", message);
1521  }
1522 
1523  /* Flag that we initialized */
1524  if ((flags & (ISC_ERRORS|ISC_SERVER)) == 0)
1525  {
1526  c->options.no_advance = true;
1527  }
1528 
1529 #ifdef _WIN32
1531 #endif
1532 
1533 #ifdef ENABLE_MANAGEMENT
1534  /* Tell management interface that we initialized */
1535  if (management)
1536  {
1537  in_addr_t *tun_local = NULL;
1538  struct in6_addr *tun_local6 = NULL;
1539  struct openvpn_sockaddr local, remote;
1540  struct link_socket_actual *actual;
1541  socklen_t sa_len = sizeof(local);
1542  const char *detail = "SUCCESS";
1543  if (flags & ISC_ERRORS)
1544  {
1545  detail = "ERROR";
1546  }
1547 
1548  CLEAR(local);
1549  actual = &get_link_socket_info(c)->lsa->actual;
1550  remote = actual->dest;
1551  getsockname(c->c2.link_socket->sd, &local.addr.sa, &sa_len);
1552 #if ENABLE_IP_PKTINFO
1553  if (!addr_defined(&local))
1554  {
1555  switch (local.addr.sa.sa_family)
1556  {
1557  case AF_INET:
1558 #if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST)
1559  local.addr.in4.sin_addr = actual->pi.in4.ipi_spec_dst;
1560 #else
1561  local.addr.in4.sin_addr = actual->pi.in4;
1562 #endif
1563  break;
1564 
1565  case AF_INET6:
1566  local.addr.in6.sin6_addr = actual->pi.in6.ipi6_addr;
1567  break;
1568  }
1569  }
1570 #endif
1571 
1572  if (c->c1.tuntap)
1573  {
1574  tun_local = &c->c1.tuntap->local;
1575  tun_local6 = &c->c1.tuntap->local_ipv6;
1576  }
1579  detail,
1580  tun_local,
1581  tun_local6,
1582  &local,
1583  &remote);
1584  if (tun_local)
1585  {
1587  }
1588  }
1589 #endif /* ifdef ENABLE_MANAGEMENT */
1590 }
1591 
1592 /*
1593  * Possibly add routes and/or call route-up script
1594  * based on options.
1595  */
1596 void
1597 do_route(const struct options *options,
1598  struct route_list *route_list,
1600  const struct tuntap *tt,
1601  const struct plugin_list *plugins,
1602  struct env_set *es)
1603 {
1604  if (!options->route_noexec && ( route_list || route_ipv6_list ) )
1605  {
1606  add_routes(route_list, route_ipv6_list, tt, ROUTE_OPTION_FLAGS(options), es);
1607  setenv_int(es, "redirect_gateway", route_did_redirect_default_gateway(route_list));
1608  }
1609 #ifdef ENABLE_MANAGEMENT
1610  if (management)
1611  {
1612  management_up_down(management, "UP", es);
1613  }
1614 #endif
1615 
1616  if (plugin_defined(plugins, OPENVPN_PLUGIN_ROUTE_UP))
1617  {
1618  if (plugin_call(plugins, OPENVPN_PLUGIN_ROUTE_UP, NULL, NULL, es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
1619  {
1620  msg(M_WARN, "WARNING: route-up plugin call failed");
1621  }
1622  }
1623 
1624  if (options->route_script)
1625  {
1626  struct argv argv = argv_new();
1627  setenv_str(es, "script_type", "route-up");
1628  argv_parse_cmd(&argv, options->route_script);
1629  openvpn_run_script(&argv, es, 0, "--route-up");
1630  argv_reset(&argv);
1631  }
1632 
1633 #ifdef _WIN32
1634  if (options->show_net_up)
1635  {
1638  }
1639  else if (check_debug_level(D_SHOW_NET))
1640  {
1643  }
1644 #endif
1645 }
1646 
1647 /*
1648  * initialize tun/tap device object
1649  */
1650 static void
1652 {
1653  c->c1.tuntap = init_tun(c->options.dev,
1654  c->options.dev_type,
1655  c->options.topology,
1664  c->c2.es);
1665 
1666  init_tun_post(c->c1.tuntap,
1667  &c->c2.frame,
1668  &c->options.tuntap_options);
1669 
1670  c->c1.tuntap_owned = true;
1671 }
1672 
1673 /*
1674  * Open tun/tap device, ifconfig, call up script, etc.
1675  */
1676 
1677 static bool
1679 {
1680  struct gc_arena gc = gc_new();
1681  bool ret = false;
1682 
1683 #ifndef TARGET_ANDROID
1684  if (!c->c1.tuntap)
1685  {
1686 #endif
1687 
1688 #ifdef TARGET_ANDROID
1689  /* If we emulate persist-tun on android we still have to open a new tun and
1690  * then close the old */
1691  int oldtunfd = -1;
1692  if (c->c1.tuntap)
1693  {
1694  oldtunfd = c->c1.tuntap->fd;
1695  }
1696 #endif
1697 
1698  /* initialize (but do not open) tun/tap object */
1699  do_init_tun(c);
1700 
1701 #ifdef _WIN32
1702  /* store (hide) interactive service handle in tuntap_options */
1704  msg(D_ROUTE, "interactive service msg_channel=%u", (unsigned int) c->options.msg_channel);
1705 #endif
1706 
1707  /* allocate route list structure */
1709 
1710  /* parse and resolve the route option list */
1711  ASSERT(c->c2.link_socket);
1712  if (c->options.routes && c->c1.route_list)
1713  {
1715  &c->c2.link_socket->info, c->c2.es);
1716  }
1717  if (c->options.routes_ipv6 && c->c1.route_ipv6_list)
1718  {
1720  &c->c2.link_socket->info, c->c2.es);
1721  }
1722 
1723  /* do ifconfig */
1724  if (!c->options.ifconfig_noexec
1726  {
1727  /* guess actual tun/tap unit number that will be returned
1728  * by open_tun */
1729  const char *guess = guess_tuntap_dev(c->options.dev,
1730  c->options.dev_type,
1731  c->options.dev_node,
1732  &gc);
1733  do_ifconfig(c->c1.tuntap, guess, TUN_MTU_SIZE(&c->c2.frame), c->c2.es);
1734  }
1735 
1736  /* possibly add routes */
1737  if (route_order() == ROUTE_BEFORE_TUN)
1738  {
1739  /* Ignore route_delay, would cause ROUTE_BEFORE_TUN to be ignored */
1741  c->c1.tuntap, c->plugins, c->c2.es);
1742  }
1743 #ifdef TARGET_ANDROID
1744  /* Store the old fd inside the fd so open_tun can use it */
1745  c->c1.tuntap->fd = oldtunfd;
1746 #endif
1747  /* open the tun device */
1749  c->c1.tuntap);
1750 
1751  /* set the hardware address */
1752  if (c->options.lladdr)
1753  {
1755  }
1756 
1757  /* do ifconfig */
1758  if (!c->options.ifconfig_noexec
1760  {
1762  }
1763 
1764  /* run the up script */
1766  c->plugins,
1767  OPENVPN_PLUGIN_UP,
1768  c->c1.tuntap->actual_name,
1769 #ifdef _WIN32
1770  c->c1.tuntap->adapter_index,
1771 #endif
1773  TUN_MTU_SIZE(&c->c2.frame),
1774  EXPANDED_SIZE(&c->c2.frame),
1777  "init",
1778  NULL,
1779  "up",
1780  c->c2.es);
1781 
1782 #if defined(_WIN32)
1783  if (c->options.block_outside_dns)
1784  {
1785  dmsg(D_LOW, "Blocking outside DNS");
1787  {
1788  msg(M_FATAL, "Blocking DNS failed!");
1789  }
1790  }
1791 #endif
1792 
1793  /* possibly add routes */
1795  {
1797  c->c1.tuntap, c->plugins, c->c2.es);
1798  }
1799 
1800  /*
1801  * Did tun/tap driver give us an MTU?
1802  */
1803  if (c->c1.tuntap->post_open_mtu)
1804  {
1806  c->c1.tuntap->post_open_mtu,
1808  }
1809 
1810  ret = true;
1811  static_context = c;
1812 #ifndef TARGET_ANDROID
1813 }
1814 else
1815 {
1816  msg(M_INFO, "Preserving previous TUN/TAP instance: %s",
1817  c->c1.tuntap->actual_name);
1818 
1819  /* explicitly set the ifconfig_* env vars */
1820  do_ifconfig_setenv(c->c1.tuntap, c->c2.es);
1821 
1822  /* run the up script if user specified --up-restart */
1823  if (c->options.up_restart)
1824  {
1826  c->plugins,
1827  OPENVPN_PLUGIN_UP,
1828  c->c1.tuntap->actual_name,
1829 #ifdef _WIN32
1830  c->c1.tuntap->adapter_index,
1831 #endif
1833  TUN_MTU_SIZE(&c->c2.frame),
1834  EXPANDED_SIZE(&c->c2.frame),
1837  "restart",
1838  NULL,
1839  "up",
1840  c->c2.es);
1841  }
1842 #if defined(_WIN32)
1843  if (c->options.block_outside_dns)
1844  {
1845  dmsg(D_LOW, "Blocking outside DNS");
1847  {
1848  msg(M_FATAL, "Blocking DNS failed!");
1849  }
1850  }
1851 #endif
1852 
1853 }
1854 #endif /* ifndef TARGET_ANDROID */
1855  gc_free(&gc);
1856  return ret;
1857 }
1858 
1859 /*
1860  * Close TUN/TAP device
1861  */
1862 
1863 static void
1865 {
1866  msg(D_CLOSE, "Closing TUN/TAP interface");
1867  close_tun(c->c1.tuntap);
1868  c->c1.tuntap = NULL;
1869  c->c1.tuntap_owned = false;
1870 #if P2MP
1872 #endif
1873 }
1874 
1875 static void
1876 do_close_tun(struct context *c, bool force)
1877 {
1878  struct gc_arena gc = gc_new();
1879  if (c->c1.tuntap && c->c1.tuntap_owned)
1880  {
1881  const char *tuntap_actual = string_alloc(c->c1.tuntap->actual_name, &gc);
1882 #ifdef _WIN32
1883  DWORD adapter_index = c->c1.tuntap->adapter_index;
1884 #endif
1885  const in_addr_t local = c->c1.tuntap->local;
1886  const in_addr_t remote_netmask = c->c1.tuntap->remote_netmask;
1887 
1888  if (force || !(c->sig->signal_received == SIGUSR1 && c->options.persist_tun))
1889  {
1890  static_context = NULL;
1891 
1892 #ifdef ENABLE_MANAGEMENT
1893  /* tell management layer we are about to close the TUN/TAP device */
1894  if (management)
1895  {
1897  management_up_down(management, "DOWN", c->c2.es);
1898  }
1899 #endif
1900 
1901  /* delete any routes we added */
1902  if (c->c1.route_list || c->c1.route_ipv6_list)
1903  {
1905  c->plugins,
1906  OPENVPN_PLUGIN_ROUTE_PREDOWN,
1907  tuntap_actual,
1908 #ifdef _WIN32
1909  adapter_index,
1910 #endif
1911  NULL,
1912  TUN_MTU_SIZE(&c->c2.frame),
1913  EXPANDED_SIZE(&c->c2.frame),
1914  print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc),
1915  print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
1916  "init",
1918  c->sig->signal_text),
1919  "route-pre-down",
1920  c->c2.es);
1921 
1923  c->c1.tuntap, ROUTE_OPTION_FLAGS(&c->options), c->c2.es);
1924  }
1925 
1926  /* actually close tun/tap device based on --down-pre flag */
1927  if (!c->options.down_pre)
1928  {
1930  }
1931 
1932  /* Run the down script -- note that it will run at reduced
1933  * privilege if, for example, "--user nobody" was used. */
1935  c->plugins,
1936  OPENVPN_PLUGIN_DOWN,
1937  tuntap_actual,
1938 #ifdef _WIN32
1939  adapter_index,
1940 #endif
1941  NULL,
1942  TUN_MTU_SIZE(&c->c2.frame),
1943  EXPANDED_SIZE(&c->c2.frame),
1944  print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc),
1945  print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
1946  "init",
1948  c->sig->signal_text),
1949  "down",
1950  c->c2.es);
1951 
1952 #if defined(_WIN32)
1953  if (c->options.block_outside_dns)
1954  {
1955  if (!win_wfp_uninit(adapter_index, c->options.msg_channel))
1956  {
1957  msg(M_FATAL, "Uninitialising WFP failed!");
1958  }
1959  }
1960 #endif
1961 
1962  /* actually close tun/tap device based on --down-pre flag */
1963  if (c->options.down_pre)
1964  {
1966  }
1967  }
1968  else
1969  {
1970  /* run the down script on this restart if --up-restart was specified */
1971  if (c->options.up_restart)
1972  {
1974  c->plugins,
1975  OPENVPN_PLUGIN_DOWN,
1976  tuntap_actual,
1977 #ifdef _WIN32
1978  adapter_index,
1979 #endif
1980  NULL,
1981  TUN_MTU_SIZE(&c->c2.frame),
1982  EXPANDED_SIZE(&c->c2.frame),
1983  print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc),
1984  print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
1985  "restart",
1987  c->sig->signal_text),
1988  "down",
1989  c->c2.es);
1990  }
1991 
1992 #if defined(_WIN32)
1993  if (c->options.block_outside_dns)
1994  {
1995  if (!win_wfp_uninit(adapter_index, c->options.msg_channel))
1996  {
1997  msg(M_FATAL, "Uninitialising WFP failed!");
1998  }
1999  }
2000 #endif
2001 
2002  }
2003  }
2004  gc_free(&gc);
2005 }
2006 
2007 void
2009 {
2010  struct context *c = static_context;
2011  if (c)
2012  {
2013  static_context = NULL;
2014  do_close_tun(c, true);
2015  }
2016 }
2017 
2018 /*
2019  * Handle delayed tun/tap interface bringup due to --up-delay or --pull
2020  */
2021 
2022 #if P2MP
2023 
2027 static bool
2029  const struct sha256_digest *b)
2030 {
2031  const struct sha256_digest zero = {{0}};
2032  return memcmp(a, b, sizeof(struct sha256_digest))
2033  || !memcmp(a, &zero, sizeof(struct sha256_digest));
2034 }
2035 #endif /* P2MP */
2036 
2037 bool
2038 do_up(struct context *c, bool pulled_options, unsigned int option_types_found)
2039 {
2040  if (!c->c2.do_up_ran)
2041  {
2043 
2044  if (pulled_options)
2045  {
2046  if (!do_deferred_options(c, option_types_found))
2047  {
2048  msg(D_PUSH_ERRORS, "ERROR: Failed to apply push options");
2049  return false;
2050  }
2051  }
2052 
2053  /* if --up-delay specified, open tun, do ifconfig, and run up script now */
2054  if (c->options.up_delay || PULL_DEFINED(&c->options))
2055  {
2056  c->c2.did_open_tun = do_open_tun(c);
2057  update_time();
2058 
2059 #if P2MP
2060  /*
2061  * Was tun interface object persisted from previous restart iteration,
2062  * and if so did pulled options string change from previous iteration?
2063  */
2064  if (!c->c2.did_open_tun
2065  && PULL_DEFINED(&c->options)
2066  && c->c1.tuntap
2069  {
2070  /* if so, close tun, delete routes, then reinitialize tun and add routes */
2071  msg(M_INFO, "NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.");
2072  do_close_tun(c, true);
2073  management_sleep(1);
2074  c->c2.did_open_tun = do_open_tun(c);
2075  update_time();
2076  }
2077 #endif
2078  }
2079 
2080  if (c->c2.did_open_tun)
2081  {
2082 #if P2MP
2084 #endif
2085 
2086  /* if --route-delay was specified, start timer */
2088  {
2091  if (c->c1.tuntap)
2092  {
2094  }
2095  }
2096  else
2097  {
2098  initialization_sequence_completed(c, 0); /* client/p2p --route-delay undefined */
2099  }
2100  }
2101  else if (c->options.mode == MODE_POINT_TO_POINT)
2102  {
2103  initialization_sequence_completed(c, 0); /* client/p2p restart with --persist-tun */
2104  }
2105 
2106  c->c2.do_up_ran = true;
2107  }
2108  return true;
2109 }
2110 
2111 /*
2112  * These are the option categories which will be accepted by pull.
2113  */
2114 unsigned int
2116 {
2117  unsigned int flags =
2118  OPT_P_UP
2120  | OPT_P_SOCKBUF
2121  | OPT_P_SOCKFLAGS
2122  | OPT_P_SETENV
2123  | OPT_P_SHAPER
2124  | OPT_P_TIMER
2125  | OPT_P_COMP
2126  | OPT_P_PERSIST
2127  | OPT_P_MESSAGES
2129  | OPT_P_ECHO
2130  | OPT_P_PULL_MODE
2131  | OPT_P_PEER_ID;
2132 
2133  if (!c->options.route_nopull)
2134  {
2135  flags |= (OPT_P_ROUTE | OPT_P_IPWIN32);
2136  }
2137 
2138 #ifdef ENABLE_CRYPTO
2139  if (c->options.ncp_enabled)
2140  {
2141  flags |= OPT_P_NCP;
2142  }
2143 #endif
2144 
2145  return flags;
2146 }
2147 
2148 /*
2149  * Handle non-tun-related pulled options.
2150  */
2151 bool
2152 do_deferred_options(struct context *c, const unsigned int found)
2153 {
2154  if (found & OPT_P_MESSAGES)
2155  {
2157  msg(D_PUSH, "OPTIONS IMPORT: --verb and/or --mute level changed");
2158  }
2159  if (found & OPT_P_TIMER)
2160  {
2161  do_init_timers(c, true);
2162  msg(D_PUSH, "OPTIONS IMPORT: timers and/or timeouts modified");
2163  }
2164 
2165 #ifdef ENABLE_OCC
2166  if (found & OPT_P_EXPLICIT_NOTIFY)
2167  {
2169  {
2170  msg(D_PUSH, "OPTIONS IMPORT: --explicit-exit-notify can only be used with --proto udp");
2172  }
2173  else
2174  {
2175  msg(D_PUSH, "OPTIONS IMPORT: explicit notify parm(s) modified");
2176  }
2177  }
2178 #endif
2179 
2180 #ifdef USE_COMP
2181  if (found & OPT_P_COMP)
2182  {
2183  msg(D_PUSH, "OPTIONS IMPORT: compression parms modified");
2184  comp_uninit(c->c2.comp_context);
2185  c->c2.comp_context = comp_init(&c->options.comp);
2186  }
2187 #endif
2188 
2189  if (found & OPT_P_SHAPER)
2190  {
2191  msg(D_PUSH, "OPTIONS IMPORT: traffic shaper enabled");
2193  }
2194 
2195  if (found & OPT_P_SOCKBUF)
2196  {
2197  msg(D_PUSH, "OPTIONS IMPORT: --sndbuf/--rcvbuf options modified");
2199  }
2200 
2201  if (found & OPT_P_SOCKFLAGS)
2202  {
2203  msg(D_PUSH, "OPTIONS IMPORT: --socket-flags option modified");
2205  }
2206 
2207  if (found & OPT_P_PERSIST)
2208  {
2209  msg(D_PUSH, "OPTIONS IMPORT: --persist options modified");
2210  }
2211  if (found & OPT_P_UP)
2212  {
2213  msg(D_PUSH, "OPTIONS IMPORT: --ifconfig/up options modified");
2214  }
2215  if (found & OPT_P_ROUTE)
2216  {
2217  msg(D_PUSH, "OPTIONS IMPORT: route options modified");
2218  }
2219  if (found & OPT_P_ROUTE_EXTRAS)
2220  {
2221  msg(D_PUSH, "OPTIONS IMPORT: route-related options modified");
2222  }
2223  if (found & OPT_P_IPWIN32)
2224  {
2225  msg(D_PUSH, "OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified");
2226  }
2227  if (found & OPT_P_SETENV)
2228  {
2229  msg(D_PUSH, "OPTIONS IMPORT: environment modified");
2230  }
2231 
2232 #ifdef ENABLE_CRYPTO
2233  if (found & OPT_P_PEER_ID)
2234  {
2235  msg(D_PUSH, "OPTIONS IMPORT: peer-id set");
2236  c->c2.tls_multi->use_peer_id = true;
2237  c->c2.tls_multi->peer_id = c->options.peer_id;
2238  frame_add_to_extra_frame(&c->c2.frame, +3); /* peer-id overhead */
2239  if (!c->options.ce.link_mtu_defined)
2240  {
2241  frame_add_to_link_mtu(&c->c2.frame, +3);
2242  msg(D_PUSH, "OPTIONS IMPORT: adjusting link_mtu to %d",
2243  EXPANDED_SIZE(&c->c2.frame));
2244  }
2245  else
2246  {
2247  msg(M_WARN, "OPTIONS IMPORT: WARNING: peer-id set, but link-mtu"
2248  " fixed by config - reducing tun-mtu to %d, expect"
2249  " MTU problems", TUN_MTU_SIZE(&c->c2.frame) );
2250  }
2251  }
2252 
2253  /* process (potentially pushed) crypto options */
2254  if (c->options.pull)
2255  {
2256  struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE];
2257  if (found & OPT_P_NCP)
2258  {
2259  msg(D_PUSH, "OPTIONS IMPORT: data channel crypto options modified");
2260  }
2261  else if (c->options.ncp_enabled)
2262  {
2264  }
2265  /* Do not regenerate keys if server sends an extra push reply */
2267  && !tls_session_update_crypto_params(session, &c->options, &c->c2.frame))
2268  {
2269  msg(D_TLS_ERRORS, "OPTIONS ERROR: failed to import crypto options");
2270  return false;
2271  }
2272  }
2273 #endif /* ifdef ENABLE_CRYPTO */
2274  return true;
2275 }
2276 
2277 /*
2278  * Possible hold on initialization, holdtime is the
2279  * time OpenVPN would wait without management
2280  */
2281 static bool
2282 do_hold(int holdtime)
2283 {
2284 #ifdef ENABLE_MANAGEMENT
2285  if (management)
2286  {
2287  /* block until management hold is released */
2288  if (management_hold(management, holdtime))
2289  {
2290  return true;
2291  }
2292  }
2293 #endif
2294  return false;
2295 }
2296 
2297 /*
2298  * Sleep before restart.
2299  */
2300 static void
2302 {
2303  int sec = 2;
2304  int backoff = 0;
2305 
2306  switch (c->options.ce.proto)
2307  {
2308  case PROTO_TCP_SERVER:
2309  sec = 1;
2310  break;
2311 
2312  case PROTO_UDP:
2313  case PROTO_TCP_CLIENT:
2314  sec = c->options.ce.connect_retry_seconds;
2315  break;
2316  }
2317 
2318 #ifdef ENABLE_DEBUG
2319  if (GREMLIN_CONNECTION_FLOOD_LEVEL(c->options.gremlin))
2320  {
2321  sec = 0;
2322  }
2323 #endif
2324 
2325 #if P2MP
2326  if (auth_retry_get() == AR_NOINTERACT)
2327  {
2328  sec = 10;
2329  }
2330 #endif
2331 
2332  /* Slow down reconnection after 5 retries per remote -- for tcp only in client mode */
2333  if (c->options.ce.proto != PROTO_TCP_SERVER)
2334  {
2335  backoff = (c->options.unsuccessful_attempts / c->options.connection_list->len) - 4;
2336  if (backoff > 0)
2337  {
2338  /* sec is less than 2^16; we can left shift it by up to 15 bits without overflow */
2339  sec = max_int(sec, 1) << min_int(backoff, 15);
2340  }
2341 
2342  if (sec > c->options.ce.connect_retry_seconds_max)
2343  {
2345  }
2346  }
2347 
2349  {
2350  sec = c->persist.restart_sleep_seconds;
2351  }
2352  else if (c->persist.restart_sleep_seconds == -1)
2353  {
2354  sec = 0;
2355  }
2357 
2358  /* do managment hold on context restart, i.e. second, third, fourth, etc. initialization */
2359  if (do_hold(sec))
2360  {
2361  sec = 0;
2362  }
2363 
2364  if (sec)
2365  {
2366  msg(D_RESTART, "Restart pause, %d second(s)", sec);
2367  management_sleep(sec);
2368  }
2369 }
2370 
2371 /*
2372  * Do a possible pause on context_2 initialization.
2373  */
2374 static void
2376 {
2377  if (!c->first_time)
2378  {
2380  }
2381  else
2382  {
2383  do_hold(0); /* do management hold on first context initialization */
2384  }
2385 }
2386 
2387 /*
2388  * Finalize MTU parameters based on command line or config file options.
2389  */
2390 static void
2391 frame_finalize_options(struct context *c, const struct options *o)
2392 {
2393  if (!o)
2394  {
2395  o = &c->options;
2396  }
2397 
2398  /*
2399  * Set adjustment factor for buffer alignment when no
2400  * cipher is used.
2401  */
2402  if (!CIPHER_ENABLED(c))
2403  {
2409  }
2410 
2412  frame_finalize(&c->c2.frame,
2413  o->ce.link_mtu_defined,
2414  o->ce.link_mtu,
2415  o->ce.tun_mtu_defined,
2416  o->ce.tun_mtu);
2417 }
2418 
2419 /*
2420  * Free a key schedule, including OpenSSL components.
2421  */
2422 static void
2423 key_schedule_free(struct key_schedule *ks, bool free_ssl_ctx)
2424 {
2425 #ifdef ENABLE_CRYPTO
2427  if (tls_ctx_initialised(&ks->ssl_ctx) && free_ssl_ctx)
2428  {
2429  tls_ctx_free(&ks->ssl_ctx);
2431  }
2432 #endif /* ENABLE_CRYPTO */
2433  CLEAR(*ks);
2434 }
2435 
2436 #ifdef ENABLE_CRYPTO
2437 
2438 static void
2439 init_crypto_pre(struct context *c, const unsigned int flags)
2440 {
2441  if (c->options.engine)
2442  {
2444  }
2445 
2446  if (flags & CF_LOAD_PERSISTED_PACKET_ID)
2447  {
2448  /* load a persisted packet-id for cross-session replay-protection */
2449  if (c->options.packet_id_file)
2450  {
2452  }
2453  }
2454 
2455 #ifdef ENABLE_PREDICTION_RESISTANCE
2456  if (c->options.use_prediction_resistance)
2457  {
2458  rand_ctx_enable_prediction_resistance();
2459  }
2460 #endif
2461 
2462 }
2463 
2464 /*
2465  * Static Key Mode (using a pre-shared key)
2466  */
2467 static void
2468 do_init_crypto_static(struct context *c, const unsigned int flags)
2469 {
2470  const struct options *options = &c->options;
2471  ASSERT(options->shared_secret_file);
2472 
2473  init_crypto_pre(c, flags);
2474 
2475  /* Initialize flags */
2477  {
2479  }
2480 
2481  /* Initialize packet ID tracking */
2482  if (options->replay)
2483  {
2485  options->replay_window,
2486  options->replay_time,
2487  "STATIC", 0);
2492  }
2493 
2494  if (!key_ctx_bi_defined(&c->c1.ks.static_key))
2495  {
2496  /* Get cipher & hash algorithms */
2497  init_key_type(&c->c1.ks.key_type, options->ciphername, options->authname,
2498  options->keysize, options->test_crypto, true);
2499 
2500  /* Read cipher and hmac keys from shared secret file */
2502  options->shared_secret_file,
2503  options->shared_secret_file_inline,
2504  options->key_direction, "Static Key Encryption",
2505  "secret");
2506  }
2507  else
2508  {
2509  msg(M_INFO, "Re-using pre-shared static key");
2510  }
2511 
2512  /* Get key schedule */
2514 
2515  /* Compute MTU parameters */
2517  options->replay, true);
2518 
2519  /* Sanity check on sequence number, and cipher mode options */
2520  check_replay_consistency(&c->c1.ks.key_type, options->replay);
2521 }
2522 
2523 /*
2524  * Initialize the persistent component of OpenVPN's TLS mode,
2525  * which is preserved across SIGUSR1 resets.
2526  */
2527 static void
2529 {
2530  const struct options *options = &c->options;
2531 
2532  if (!tls_ctx_initialised(&c->c1.ks.ssl_ctx))
2533  {
2534  /*
2535  * Initialize the OpenSSL library's global
2536  * SSL context.
2537  */
2538  init_ssl(options, &(c->c1.ks.ssl_ctx));
2539  if (!tls_ctx_initialised(&c->c1.ks.ssl_ctx))
2540  {
2541 #if P2MP
2542  switch (auth_retry_get())
2543  {
2544  case AR_NONE:
2545  msg(M_FATAL, "Error: private key password verification failed");
2546  break;
2547 
2548  case AR_INTERACT:
2549  ssl_purge_auth(false);
2550 
2551  case AR_NOINTERACT:
2552  c->sig->signal_received = SIGUSR1; /* SOFT-SIGUSR1 -- Password failure error */
2553  break;
2554 
2555  default:
2556  ASSERT(0);
2557  }
2558  c->sig->signal_text = "private-key-password-failure";
2559  return;
2560 #else /* if P2MP */
2561  msg(M_FATAL, "Error: private key password verification failed");
2562 #endif
2563  }
2564 
2565  /* Get cipher & hash algorithms */
2566  init_key_type(&c->c1.ks.key_type, options->ciphername, options->authname,
2567  options->keysize, true, true);
2568 
2569  /* Initialize PRNG with config-specified digest */
2570  prng_init(options->prng_hash, options->prng_nonce_secret_len);
2571 
2572  /* TLS handshake authentication (--tls-auth) */
2573  if (options->tls_auth_file)
2574  {
2575  /* Initialize key_type for tls-auth with auth only */
2577  if (!streq(options->authname, "none"))
2578  {
2582  }
2583  else
2584  {
2585  msg(M_FATAL, "ERROR: tls-auth enabled, but no valid --auth "
2586  "algorithm specified ('%s')", options->authname);
2587  }
2588 
2590  &c->c1.ks.tls_wrap_key, options->tls_auth_file,
2591  options->tls_auth_file_inline, options->key_direction,
2592  "Control Channel Authentication", "tls-auth");
2593  }
2594 
2595  /* TLS handshake encryption+authentication (--tls-crypt) */
2596  if (options->tls_crypt_file)
2597  {
2599  options->tls_crypt_inline, options->tls_server);
2600  }
2601 
2602  c->c1.ciphername = options->ciphername;
2603  c->c1.authname = options->authname;
2604  c->c1.keysize = options->keysize;
2605 
2606 #if 0 /* was: #if ENABLE_INLINE_FILES -- Note that enabling this code will break restarts */
2607  if (options->priv_key_file_inline)
2608  {
2610  c->options.priv_key_file_inline = NULL;
2611  }
2612 #endif
2613  }
2614  else
2615  {
2616  msg(D_INIT_MEDIUM, "Re-using SSL/TLS context");
2617 
2618  /* Restore pre-NCP cipher options */
2619  c->options.ciphername = c->c1.ciphername;
2620  c->options.authname = c->c1.authname;
2621  c->options.keysize = c->c1.keysize;
2622  }
2623 }
2624 
2625 static void
2626 do_init_crypto_tls(struct context *c, const unsigned int flags)
2627 {
2628  const struct options *options = &c->options;
2629  struct tls_options to;
2630  bool packet_id_long_form;
2631 
2632  ASSERT(options->tls_server || options->tls_client);
2633  ASSERT(!options->test_crypto);
2634 
2635  init_crypto_pre(c, flags);
2636 
2637  /* Make sure we are either a TLS client or server but not both */
2638  ASSERT(options->tls_server == !options->tls_client);
2639 
2640  /* initialize persistent component */
2642  if (IS_SIG(c))
2643  {
2644  return;
2645  }
2646 
2647  /* Sanity check on sequence number, and cipher mode options */
2648  check_replay_consistency(&c->c1.ks.key_type, options->replay);
2649 
2650  /* In short form, unique datagram identifier is 32 bits, in long form 64 bits */
2651  packet_id_long_form = cipher_kt_mode_ofb_cfb(c->c1.ks.key_type.cipher);
2652 
2653  /* Compute MTU parameters (postpone if we push/pull options) */
2654  if (c->options.pull || c->options.mode == MODE_SERVER)
2655  {
2656  /* Account for worst-case crypto overhead before allocating buffers */
2658  }
2659  else
2660  {
2662  options->replay, packet_id_long_form);
2663  }
2665 
2666  /* Set all command-line TLS-related options */
2667  CLEAR(to);
2668 
2669  if (options->mute_replay_warnings)
2670  {
2672  }
2673 
2675  if (packet_id_long_form)
2676  {
2678  }
2679 
2680  to.ssl_ctx = c->c1.ks.ssl_ctx;
2681  to.key_type = c->c1.ks.key_type;
2682  to.server = options->tls_server;
2683  to.key_method = options->key_method;
2684  to.replay = options->replay;
2685  to.replay_window = options->replay_window;
2686  to.replay_time = options->replay_time;
2689  to.config_authname = c->c1.authname;
2690  to.ncp_enabled = options->ncp_enabled;
2691  to.transition_window = options->transition_window;
2692  to.handshake_window = options->handshake_window;
2693  to.packet_timeout = options->tls_timeout;
2694  to.renegotiate_bytes = options->renegotiate_bytes;
2697  to.single_session = options->single_session;
2698  to.mode = options->mode;
2699  to.pull = options->pull;
2700 #ifdef ENABLE_PUSH_PEER_INFO
2701  if (options->push_peer_info) /* all there is */
2702  {
2703  to.push_peer_info_detail = 2;
2704  }
2705  else if (options->pull) /* pull clients send some details */
2706  {
2707  to.push_peer_info_detail = 1;
2708  }
2709  else /* default: no peer-info at all */
2710  {
2711  to.push_peer_info_detail = 0;
2712  }
2713 #endif
2714 
2715  /* should we not xmit any packets until we get an initial
2716  * response from client? */
2717  if (to.server && options->ce.proto == PROTO_TCP_SERVER)
2718  {
2719  to.xmit_hold = true;
2720  }
2721 
2722 #ifdef ENABLE_OCC
2723  to.disable_occ = !options->occ;
2724 #endif
2725 
2726  to.verify_command = options->tls_verify;
2727  to.verify_export_cert = options->tls_export_cert;
2728  to.verify_x509_type = (options->verify_x509_type & 0xff);
2729  to.verify_x509_name = options->verify_x509_name;
2730  to.crl_file = options->crl_file;
2731  to.crl_file_inline = options->crl_file_inline;
2732  to.ssl_flags = options->ssl_flags;
2733  to.ns_cert_type = options->ns_cert_type;
2734  memmove(to.remote_cert_ku, options->remote_cert_ku, sizeof(to.remote_cert_ku));
2735  to.remote_cert_eku = options->remote_cert_eku;
2736  to.verify_hash = options->verify_hash;
2737  to.verify_hash_algo = options->verify_hash_algo;
2738 #ifdef ENABLE_X509ALTUSERNAME
2739  to.x509_username_field = (char *) options->x509_username_field;
2740 #else
2742 #endif
2743  to.es = c->c2.es;
2744 
2745 #ifdef ENABLE_DEBUG
2746  to.gremlin = c->options.gremlin;
2747 #endif
2748 
2749  to.plugins = c->plugins;
2750 
2751 #ifdef MANAGEMENT_DEF_AUTH
2752  to.mda_context = &c->c2.mda_context;
2753 #endif
2754 
2755 #if P2MP_SERVER
2758  to.tmp_dir = options->tmp_dir;
2759  if (options->ccd_exclusive)
2760  {
2762  }
2766 #endif
2767 
2768  to.x509_track = options->x509_track;
2769 
2770 #if P2MP
2771 #ifdef ENABLE_CLIENT_CR
2772  to.sci = &options->sc_info;
2773 #endif
2774 #endif
2775 
2776 #ifdef USE_COMP
2777  to.comp_options = options->comp;
2778 #endif
2779 
2780 #if defined(ENABLE_CRYPTO_OPENSSL) && OPENSSL_VERSION_NUMBER >= 0x10001000
2781  if (options->keying_material_exporter_label)
2782  {
2783  to.ekm_size = options->keying_material_exporter_length;
2784  if (to.ekm_size < 16 || to.ekm_size > 4095)
2785  {
2786  to.ekm_size = 0;
2787  }
2788 
2789  to.ekm_label = options->keying_material_exporter_label;
2790  to.ekm_label_size = strlen(to.ekm_label);
2791  }
2792  else
2793  {
2794  to.ekm_size = 0;
2795  }
2796 #endif
2797 
2798  /* TLS handshake authentication (--tls-auth) */
2799  if (options->tls_auth_file)
2800  {
2801  to.tls_wrap.mode = TLS_WRAP_AUTH;
2806  true, true);
2807  }
2808 
2809  /* TLS handshake encryption (--tls-crypt) */
2810  if (options->tls_crypt_file)
2811  {
2812  to.tls_wrap.mode = TLS_WRAP_CRYPT;
2817  }
2818 
2819  /* If we are running over TCP, allow for
2820  * length prefix */
2822 
2823  /*
2824  * Initialize OpenVPN's master TLS-mode object.
2825  */
2826  if (flags & CF_INIT_TLS_MULTI)
2827  {
2828  c->c2.tls_multi = tls_multi_init(&to);
2829  }
2830 
2831  if (flags & CF_INIT_TLS_AUTH_STANDALONE)
2832  {
2834  }
2835 }
2836 
2837 static void
2839 {
2840  if (c->c2.tls_multi)
2841  {
2844  EXPANDED_SIZE(&c->c2.frame));
2846  "Control Channel MTU parms");
2847  }
2848  if (c->c2.tls_auth_standalone)
2849  {
2852  "TLS-Auth MTU parms");
2853  }
2854 }
2855 
2856 /*
2857  * No encryption or authentication.
2858  */
2859 static void
2861 {
2862  ASSERT(!c->options.test_crypto);
2863  msg(M_WARN,
2864  "******* WARNING *******: All encryption and authentication features "
2865  "disabled -- All data will be tunnelled as clear text and will not be "
2866  "protected against man-in-the-middle changes. "
2867  "PLEASE DO RECONSIDER THIS CONFIGURATION!");
2868 }
2869 #endif /* ifdef ENABLE_CRYPTO */
2870 
2871 static void
2872 do_init_crypto(struct context *c, const unsigned int flags)
2873 {
2874 #ifdef ENABLE_CRYPTO
2875  if (c->options.shared_secret_file)
2876  {
2877  do_init_crypto_static(c, flags);
2878  }
2879  else if (c->options.tls_server || c->options.tls_client)
2880  {
2881  do_init_crypto_tls(c, flags);
2882  }
2883  else /* no encryption or authentication. */
2884  {
2886  }
2887 #else /* ENABLE_CRYPTO */
2888  msg(M_WARN,
2889  "******* WARNING *******: " PACKAGE_NAME
2890  " built without crypto library -- encryption and authentication features disabled -- all data will be tunnelled as cleartext");
2891 #endif /* ENABLE_CRYPTO */
2892 }
2893 
2894 static void
2896 {
2897 #ifdef USE_COMP
2898  /*
2899  * modify frame parameters if compression is enabled
2900  */
2901  if (comp_enabled(&c->options.comp))
2902  {
2903  comp_add_to_extra_frame(&c->c2.frame);
2904 
2905 #if !defined(ENABLE_LZ4)
2906  /*
2907  * Compression usage affects buffer alignment when non-swapped algs
2908  * such as LZO is used.
2909  * Newer algs like LZ4 and comp-stub with COMP_F_SWAP don't need
2910  * any special alignment because of the control-byte swap approach.
2911  * LZO alignment (on the other hand) is problematic because
2912  * the presence of the control byte means that either the output of
2913  * decryption must be written to an unaligned buffer, or the input
2914  * to compression (or packet dispatch if packet is uncompressed)
2915  * must be read from an unaligned buffer.
2916  * This code tries to align the input to compression (or packet
2917  * dispatch if packet is uncompressed) at the cost of requiring
2918  * decryption output to be written to an unaligned buffer, so
2919  * it's more of a tradeoff than an optimal solution and we don't
2920  * include it when we are doing a modern build with LZ4.
2921  * Strictly speaking, on the server it would be better to execute
2922  * this code for every connection after we decide the compression
2923  * method, but currently the frame code doesn't appear to be
2924  * flexible enough for this, since the frame is already established
2925  * before it is known which compression options will be pushed.
2926  */
2927  if (comp_unswapped_prefix(&c->options.comp) && CIPHER_ENABLED(c))
2928  {
2929  frame_add_to_align_adjust(&c->c2.frame, COMP_PREFIX_LEN);
2933  }
2934 #endif
2935 
2936 #ifdef ENABLE_FRAGMENT
2937  comp_add_to_extra_frame(&c->c2.frame_fragment_omit); /* omit compression frame delta from final frame_fragment */
2938 #endif
2939  }
2940 #endif /* USE_COMP */
2941 
2942  /*
2943  * Adjust frame size for UDP Socks support.
2944  */
2945  if (c->options.ce.socks_proxy_server)
2946  {
2948  }
2949 
2950  /*
2951  * Adjust frame size based on the --tun-mtu-extra parameter.
2952  */
2954  {
2956  }
2957 
2958  /*
2959  * Adjust frame size based on link socket parameters.
2960  * (Since TCP is a stream protocol, we need to insert
2961  * a packet length uint16_t in the buffer.)
2962  */
2964 
2965  /*
2966  * Fill in the blanks in the frame parameters structure,
2967  * make sure values are rational, etc.
2968  */
2969  frame_finalize_options(c, NULL);
2970 
2971 #ifdef USE_COMP
2972  /*
2973  * Modify frame parameters if compression is compiled in.
2974  * Should be called after frame_finalize_options.
2975  */
2976  comp_add_to_extra_buffer(&c->c2.frame);
2977 #ifdef ENABLE_FRAGMENT
2978  comp_add_to_extra_buffer(&c->c2.frame_fragment_omit); /* omit compression frame delta from final frame_fragment */
2979 #endif
2980 #endif /* USE_COMP */
2981 
2982  /* packets with peer-id (P_DATA_V2) need 3 extra bytes in frame (on client)
2983  * and need link_mtu+3 bytes on socket reception (on server).
2984  *
2985  * accomodate receive path in f->extra_link, which has the side effect of
2986  * also increasing send buffers (BUF_SIZE() macro), which need to be
2987  * allocated big enough before receiving peer-id option from server.
2988  *
2989  * f->extra_frame is adjusted when peer-id option is push-received
2990  */
2992 
2993 #ifdef ENABLE_FRAGMENT
2994  /*
2995  * Set frame parameter for fragment code. This is necessary because
2996  * the fragmentation code deals with payloads which have already been
2997  * passed through the compression code.
2998  */
2999  c->c2.frame_fragment = c->c2.frame;
3001 #endif
3002 
3003 #if defined(ENABLE_FRAGMENT) && defined(ENABLE_OCC)
3004  /*
3005  * MTU advisories
3006  */
3007  if (c->options.ce.fragment && c->options.mtu_test)
3008  {
3009  msg(M_WARN,
3010  "WARNING: using --fragment and --mtu-test together may produce an inaccurate MTU test result");
3011  }
3012 #endif
3013 
3014 #ifdef ENABLE_FRAGMENT
3015  if ((c->options.ce.mssfix || c->options.ce.fragment)
3017  {
3018  msg(M_WARN,
3019  "WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu %d (currently it is %d)",
3021  }
3022 #endif
3023 }
3024 
3025 static void
3027 {
3028  const struct options *o = &c->options;
3029 
3030  if (o->ping_send_timeout && !o->ping_rec_timeout)
3031  {
3032  msg(M_WARN, "WARNING: --ping should normally be used with --ping-restart or --ping-exit");
3033  }
3034 
3035  if (o->username || o->groupname || o->chroot_dir
3036 #ifdef ENABLE_SELINUX
3037  || o->selinux_context
3038 #endif
3039  )
3040  {
3041  if (!o->persist_tun)
3042  {
3043  msg(M_WARN, "WARNING: you are using user/group/chroot/setcon without persist-tun -- this may cause restarts to fail");
3044  }
3045  if (!o->persist_key
3046 #ifdef ENABLE_PKCS11
3047  && !o->pkcs11_id
3048 #endif
3049  )
3050  {
3051  msg(M_WARN, "WARNING: you are using user/group/chroot/setcon without persist-key -- this may cause restarts to fail");
3052  }
3053  }
3054 
3055  if (o->chroot_dir && !(o->username && o->groupname))
3056  {
3057  msg(M_WARN, "WARNING: you are using chroot without specifying user and group -- this may cause the chroot jail to be insecure");
3058  }
3059 
3060 #if P2MP
3061  if (o->pull && o->ifconfig_local && c->first_time)
3062  {
3063  msg(M_WARN, "WARNING: using --pull/--client and --ifconfig together is probably not what you want");
3064  }
3065 
3066 #if P2MP_SERVER
3068  {
3069  msg(M_WARN, "NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to");
3070  }
3071 
3072  if (o->mode == MODE_SERVER)
3073  {
3074  if (o->duplicate_cn && o->client_config_dir)
3075  {
3076  msg(M_WARN, "WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want");
3077  }
3079  {
3080  msg(M_WARN, "WARNING: --ifconfig-pool-persist will not work with --duplicate-cn");
3081  }
3082  if (!o->keepalive_ping || !o->keepalive_timeout)
3083  {
3084  msg(M_WARN, "WARNING: --keepalive option is missing from server config");
3085  }
3086  }
3087 #endif /* if P2MP_SERVER */
3088 #endif /* if P2MP */
3089 
3090 #ifdef ENABLE_CRYPTO
3091  if (!o->replay)
3092  {
3093  msg(M_WARN, "WARNING: You have disabled Replay Protection (--no-replay) which may make " PACKAGE_NAME " less secure");
3094  }
3095 
3096  if (o->tls_server)
3097  {
3099  }
3100  if (o->tls_client
3101  && !o->tls_verify
3104  && !o->remote_cert_eku)
3105  {
3106  msg(M_WARN, "WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.");
3107  }
3108  if (o->ns_cert_type)
3109  {
3110  msg(M_WARN, "WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.");
3111  }
3112 #endif /* ifdef ENABLE_CRYPTO */
3113 
3114  /* If a script is used, print appropiate warnings */
3115  if (o->user_script_used)
3116  {
3118  {
3119  msg(M_WARN, "NOTE: the current --script-security setting may allow this configuration to call user-defined scripts");
3120  }
3121  else if (script_security >= SSEC_PW_ENV)
3122  {
3123  msg(M_WARN, "WARNING: the current --script-security setting may allow passwords to be passed to scripts via environmental variables");
3124  }
3125  else
3126  {
3127  msg(M_WARN, "NOTE: starting with " PACKAGE_NAME " 2.1, '--script-security 2' or higher is required to call user-defined scripts or executables");
3128  }
3129  }
3130 }
3131 
3132 static void
3134 {
3135 #ifdef ENABLE_CRYPTO
3137 #endif
3138 }
3139 
3140 struct context_buffers *
3142 {
3143  struct context_buffers *b;
3144 
3145  ALLOC_OBJ_CLEAR(b, struct context_buffers);
3146 
3147  b->read_link_buf = alloc_buf(BUF_SIZE(frame));
3148  b->read_tun_buf = alloc_buf(BUF_SIZE(frame));
3149 
3150  b->aux_buf = alloc_buf(BUF_SIZE(frame));
3151 
3152 #ifdef ENABLE_CRYPTO
3153  b->encrypt_buf = alloc_buf(BUF_SIZE(frame));
3154  b->decrypt_buf = alloc_buf(BUF_SIZE(frame));
3155 #endif
3156 
3157 #ifdef USE_COMP
3158  b->compress_buf = alloc_buf(BUF_SIZE(frame));
3159  b->decompress_buf = alloc_buf(BUF_SIZE(frame));
3160 #endif
3161 
3162  return b;
3163 }
3164 
3165 void
3167 {
3168  if (b)
3169  {
3170  free_buf(&b->read_link_buf);
3171  free_buf(&b->read_tun_buf);
3172  free_buf(&b->aux_buf);
3173 
3174 #ifdef USE_COMP
3175  free_buf(&b->compress_buf);
3176  free_buf(&b->decompress_buf);
3177 #endif
3178 
3179 #ifdef ENABLE_CRYPTO
3180  free_buf(&b->encrypt_buf);
3181  free_buf(&b->decrypt_buf);
3182 #endif
3183 
3184  free(b);
3185  }
3186 }
3187 
3188 /*
3189  * Now that we know all frame parameters, initialize
3190  * our buffers.
3191  */
3192 static void
3194 {
3196  c->c2.buffers_owned = true;
3197 }
3198 
3199 #ifdef ENABLE_FRAGMENT
3200 /*
3201  * Fragmenting code has buffers to initialize
3202  * once frame parameters are known.
3203  */
3204 static void
3206 {
3207  ASSERT(c->options.ce.fragment);
3211 }
3212 #endif
3213 
3214 /*
3215  * Allocate our socket object.
3216  */
3217 static void
3219 {
3220  ASSERT(!c->c2.link_socket);
3222  c->c2.link_socket_owned = true;
3223 }
3224 
3225 /*
3226  * bind the TCP/UDP socket
3227  */
3228 static void
3229 do_init_socket_1(struct context *c, const int mode)
3230 {
3231  unsigned int sockflags = c->options.sockflags;
3232 
3233 #if PORT_SHARE
3234  if (c->options.port_share_host && c->options.port_share_port)
3235  {
3236  sockflags |= SF_PORT_SHARE;
3237  }
3238 #endif
3239 
3241  c->options.ce.local,
3242  c->options.ce.local_port,
3243  c->options.ce.remote,
3244  c->options.ce.remote_port,
3245  c->c1.dns_cache,
3246  c->options.ce.proto,
3247  c->options.ce.af,
3249  mode,
3250  c->c2.accept_from,
3251  c->c1.http_proxy,
3252  c->c1.socks_proxy,
3253 #ifdef ENABLE_DEBUG
3254  c->options.gremlin,
3255 #endif
3256  c->options.ce.bind_local,
3257  c->options.ce.remote_float,
3258  c->options.inetd,
3259  &c->c1.link_socket_addr,
3260  c->options.ipchange,
3261  c->plugins,
3264  c->options.rcvbuf,
3265  c->options.sndbuf,
3266  c->options.mark,
3268  sockflags);
3269 }
3270 
3271 /*
3272  * finalize the TCP/UDP socket
3273  */
3274 static void
3276 {
3278  c->sig);
3279 }
3280 
3281 /*
3282  * Print MTU INFO
3283  */
3284 static void
3286 {
3287  frame_print(&c->c2.frame, D_MTU_INFO, "Data Channel MTU parms");
3288 #ifdef ENABLE_FRAGMENT
3289  if (c->c2.fragment)
3290  {
3292  "Fragmentation MTU parms");
3293  }
3294 #endif
3295 }
3296 
3297 #ifdef ENABLE_OCC
3298 /*
3299  * Get local and remote options compatibility strings.
3300  */
3301 static void
3303 {
3304  struct gc_arena gc = gc_new();
3305 
3307  options_string(&c->options, &c->c2.frame, c->c1.tuntap, false, &gc);
3309  options_string(&c->options, &c->c2.frame, c->c1.tuntap, true, &gc);
3310 
3311  msg(D_SHOW_OCC, "Local Options String (VER=%s): '%s'",
3314  msg(D_SHOW_OCC, "Expected Remote Options String (VER=%s): '%s'",
3317 
3318 #ifdef ENABLE_CRYPTO
3319  if (c->c2.tls_multi)
3320  {
3324  }
3325 #endif
3326 
3327  gc_free(&gc);
3328 }
3329 #endif /* ifdef ENABLE_OCC */
3330 
3331 /*
3332  * These things can only be executed once per program instantiation.
3333  * Set up for possible UID/GID downgrade, but don't do it yet.
3334  * Daemonize if requested.
3335  */
3336 static void
3338 {
3339  if (c->first_time && !c->c0)
3340  {
3341  struct context_0 *c0;
3342 
3343  ALLOC_OBJ_CLEAR_GC(c->c0, struct context_0, &c->gc);
3344  c0 = c->c0;
3345 
3346  /* get user and/or group that we want to setuid/setgid to */
3347  c0->uid_gid_specified =
3350 
3351  /* perform postponed chdir if --daemon */
3352  if (c->did_we_daemonize && c->options.cd_dir == NULL)
3353  {
3354  platform_chdir("/");
3355  }
3356 
3357  /* should we change scheduling priority? */
3359  }
3360 }
3361 
3362 /*
3363  * If xinetd/inetd mode, don't allow restart.
3364  */
3365 static void
3367 {
3368  if (c->options.inetd
3369  && (c->sig->signal_received == SIGHUP
3370  || c->sig->signal_received == SIGUSR1))
3371  {
3372  c->sig->signal_received = SIGTERM;
3373  msg(M_INFO,
3374  PACKAGE_NAME
3375  " started by inetd/xinetd cannot restart... Exiting.");
3376  }
3377 }
3378 
3379 /*
3380  * free buffers
3381  */
3382 static void
3384 {
3385  if (c->c2.buffers_owned)
3386  {
3388  c->c2.buffers = NULL;
3389  c->c2.buffers_owned = false;
3390  }
3391 }
3392 
3393 /*
3394  * close TLS
3395  */
3396 static void
3398 {
3399 #ifdef ENABLE_CRYPTO
3400  if (c->c2.tls_multi)
3401  {
3402  tls_multi_free(c->c2.tls_multi, true);
3403  c->c2.tls_multi = NULL;
3404  }
3405 
3406 #ifdef ENABLE_OCC
3407  /* free options compatibility strings */
3408  if (c->c2.options_string_local)
3409  {
3410  free(c->c2.options_string_local);
3411  }
3412  if (c->c2.options_string_remote)
3413  {
3414  free(c->c2.options_string_remote);
3415  }
3417 #endif
3418 #endif
3419 }
3420 
3421 /*
3422  * Free key schedules
3423  */
3424 static void
3425 do_close_free_key_schedule(struct context *c, bool free_ssl_ctx)
3426 {
3427  if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_key))
3428  {
3429  key_schedule_free(&c->c1.ks, free_ssl_ctx);
3430  }
3431 }
3432 
3433 /*
3434  * Close TCP/UDP connection
3435  */
3436 static void
3438 {
3439  if (c->c2.link_socket && c->c2.link_socket_owned)
3440  {
3442  c->c2.link_socket = NULL;
3443  }
3444 
3445 
3446  /* Preserve the resolved list of remote if the user request to or if we want
3447  * reconnect to the same host again or there are still addresses that need
3448  * to be tried */
3449  if (!(c->sig->signal_received == SIGUSR1
3450  && ( (c->options.persist_remote_ip)
3451  ||
3452  ( c->sig->source != SIG_SOURCE_HARD
3454  || c->options.no_advance))
3455  )))
3456  {
3458  }
3459 
3460  /* Clear the remote actual address when persist_remote_ip is not in use */
3461  if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_remote_ip))
3462  {
3464  }
3465 
3466  if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_local_ip))
3467  {
3469  {
3470  freeaddrinfo(c->c1.link_socket_addr.bind_local);
3471  }
3472 
3473  c->c1.link_socket_addr.bind_local = NULL;
3474  }
3475 }
3476 
3477 /*
3478  * Close packet-id persistance file
3479  */
3480 static void
3482 {
3483 #ifdef ENABLE_CRYPTO
3486  if (!(c->sig->signal_received == SIGUSR1))
3487  {
3489  }
3490 #endif
3491 }
3492 
3493 #ifdef ENABLE_FRAGMENT
3494 /*
3495  * Close fragmentation handler.
3496  */
3497 static void
3499 {
3500  if (c->c2.fragment)
3501  {
3503  c->c2.fragment = NULL;
3504  }
3505 }
3506 #endif
3507 
3508 /*
3509  * Open and close our event objects.
3510  */
3511 
3512 static void
3514  bool need_us_timeout)
3515 {
3516  unsigned int flags = 0;
3517 
3519 
3520  flags |= EVENT_METHOD_FAST;
3521 
3522  if (need_us_timeout)
3523  {
3524  flags |= EVENT_METHOD_US_TIMEOUT;
3525  }
3526 
3527  c->c2.event_set = event_set_init(&c->c2.event_set_max, flags);
3528  c->c2.event_set_owned = true;
3529 }
3530 
3531 static void
3533 {
3534  if (c->c2.event_set && c->c2.event_set_owned)
3535  {
3536  event_free(c->c2.event_set);
3537  c->c2.event_set = NULL;
3538  c->c2.event_set_owned = false;
3539  }
3540 }
3541 
3542 /*
3543  * Open and close --status file
3544  */
3545 
3546 static void
3548 {
3549  if (!c->c1.status_output)
3550  {
3553  -1,
3554  NULL,
3556  c->c1.status_output_owned = true;
3557  }
3558 }
3559 
3560 static void
3562 {
3563  if (!(c->sig->signal_received == SIGUSR1))
3564  {
3565  if (c->c1.status_output_owned && c->c1.status_output)
3566  {
3568  c->c1.status_output = NULL;
3569  c->c1.status_output_owned = false;
3570  }
3571  }
3572 }
3573 
3574 /*
3575  * Handle ifconfig-pool persistance object.
3576  */
3577 static void
3579 {
3580 #if P2MP_SERVER
3582  {
3585  c->c1.ifconfig_pool_persist_owned = true;
3586  }
3587 #endif
3588 }
3589 
3590 static void
3592 {
3593 #if P2MP_SERVER
3594  if (!(c->sig->signal_received == SIGUSR1))
3595  {
3597  {
3599  c->c1.ifconfig_pool_persist = NULL;
3600  c->c1.ifconfig_pool_persist_owned = false;
3601  }
3602  }
3603 #endif
3604 }
3605 
3606 /*
3607  * Inherit environmental variables
3608  */
3609 
3610 static void
3611 do_inherit_env(struct context *c, const struct env_set *src)
3612 {
3613  c->c2.es = env_set_create(NULL);
3614  c->c2.es_owned = true;
3615  env_set_inherit(c->c2.es, src);
3616 }
3617 
3618 static void
3620 {
3621  if (c->c2.es && c->c2.es_owned)
3622  {
3623  env_set_destroy(c->c2.es);
3624  c->c2.es = NULL;
3625  c->c2.es_owned = false;
3626  }
3627 }
3628 
3629 /*
3630  * Fast I/O setup. Fast I/O is an optimization which only works
3631  * if all of the following are true:
3632  *
3633  * (1) The platform is not Windows
3634  * (2) --proto udp is enabled
3635  * (3) --shaper is disabled
3636  */
3637 static void
3639 {
3640  if (c->options.fast_io)
3641  {
3642 #ifdef _WIN32
3643  msg(M_INFO, "NOTE: --fast-io is disabled since we are running on Windows");
3644 #else
3645  if (!proto_is_udp(c->options.ce.proto))
3646  {
3647  msg(M_INFO, "NOTE: --fast-io is disabled since we are not using UDP");
3648  }
3649  else
3650  {
3651 #ifdef ENABLE_FEATURE_SHAPER
3652  if (c->options.shaper)
3653  {
3654  msg(M_INFO, "NOTE: --fast-io is disabled since we are using --shaper");
3655  }
3656  else
3657 #endif
3658  {
3659  c->c2.fast_io = true;
3660  }
3661  }
3662 #endif
3663  }
3664 }
3665 
3666 static void
3668 {
3669 #ifdef ENABLE_CRYPTO
3670  if (c->options.tls_exit)
3671  {
3672  c->c2.tls_exit_signal = SIGTERM;
3673  }
3674  else
3675  {
3676  c->c2.tls_exit_signal = SIGUSR1;
3677  }
3678 #endif
3679 }
3680 
3681 #ifdef ENABLE_PLUGIN
3682 
3683 void
3685 {
3686  if (c->options.plugin_list && !c->plugins)
3687  {
3689  c->plugins_owned = true;
3690  }
3691 }
3692 
3693 void
3694 open_plugins(struct context *c, const bool import_options, int init_point)
3695 {
3696  if (c->plugins && c->plugins_owned)
3697  {
3698  if (import_options)
3699  {
3700  struct plugin_return pr, config;
3701  plugin_return_init(&pr);
3702  plugin_list_open(c->plugins, c->options.plugin_list, &pr, c->c2.es, init_point);
3703  plugin_return_get_column(&pr, &config, "config");
3704  if (plugin_return_defined(&config))
3705  {
3706  int i;
3707  for (i = 0; i < config.n; ++i)
3708  {
3709  unsigned int option_types_found = 0;
3710  if (config.list[i] && config.list[i]->value)
3711  {
3713  config.list[i]->value,
3716  &option_types_found,
3717  c->es);
3718  }
3719  }
3720  }
3721  plugin_return_free(&pr);
3722  }
3723  else
3724  {
3725  plugin_list_open(c->plugins, c->options.plugin_list, NULL, c->c2.es, init_point);
3726  }
3727  }
3728 }
3729 
3730 static void
3732 {
3733  if (c->plugins && c->plugins_owned && !(c->sig->signal_received == SIGUSR1))
3734  {
3736  c->plugins = NULL;
3737  c->plugins_owned = false;
3738  }
3739 }
3740 
3741 static void
3742 do_inherit_plugins(struct context *c, const struct context *src)
3743 {
3744  if (!c->plugins && src->plugins)
3745  {
3746  c->plugins = plugin_list_inherit(src->plugins);
3747  c->plugins_owned = true;
3748  }
3749 }
3750 
3751 #endif /* ifdef ENABLE_PLUGIN */
3752 
3753 #ifdef ENABLE_MANAGEMENT
3754 
3755 static void
3756 management_callback_status_p2p(void *arg, const int version, struct status_output *so)
3757 {
3758  struct context *c = (struct context *) arg;
3759  print_status(c, so);
3760 }
3761 
3762 void
3763 management_show_net_callback(void *arg, const int msglevel)
3764 {
3765 #ifdef _WIN32
3766  show_routes(msglevel);
3767  show_adapters(msglevel);
3768  msg(msglevel, "END");
3769 #else
3770  msg(msglevel, "ERROR: Sorry, this command is currently only implemented on Windows");
3771 #endif
3772 }
3773 
3774 #ifdef TARGET_ANDROID
3775 int
3776 management_callback_network_change(void *arg, bool samenetwork)
3777 {
3778  /* Check if the client should translate the network change to a SIGUSR1 to
3779  * reestablish the connection or just reprotect the socket
3780  *
3781  * At the moment just assume that, for all settings that use pull (not
3782  * --static) and are not using peer-id reestablishing the connection is
3783  * required (unless the network is the same)
3784  *
3785  * The function returns -1 on invalid fd and -2 if the socket cannot be
3786  * reused. On the -2 return value the man_network_change function triggers
3787  * a SIGUSR1 to force a reconnect.
3788  */
3789 
3790  int socketfd = -1;
3791  struct context *c = (struct context *) arg;
3792  if (!c->c2.link_socket)
3793  {
3794  return -1;
3795  }
3796  if (c->c2.link_socket->sd == SOCKET_UNDEFINED)
3797  {
3798  return -1;
3799  }
3800 
3801  socketfd = c->c2.link_socket->sd;
3802  if (!c->options.pull || c->c2.tls_multi->use_peer_id || samenetwork)
3803  {
3804  return socketfd;
3805  }
3806  else
3807  {
3808  return -2;
3809  }
3810 }
3811 #endif /* ifdef TARGET_ANDROID */
3812 
3813 #endif /* ifdef ENABLE_MANAGEMENT */
3814 
3815 void
3817 {
3818 #ifdef ENABLE_MANAGEMENT
3819  if (management)
3820  {
3821  struct management_callback cb;
3822  CLEAR(cb);
3823  cb.arg = c;
3828 #ifdef TARGET_ANDROID
3829  cb.network_change = management_callback_network_change;
3830 #endif
3832  }
3833 #endif
3834 }
3835 
3836 #ifdef ENABLE_MANAGEMENT
3837 
3838 void
3840 {
3841  if (!management)
3842  {
3844  }
3845 }
3846 
3847 bool
3849 {
3850  /* initialize management layer */
3851  if (management)
3852  {
3853  if (c->options.management_addr)
3854  {
3855  unsigned int flags = c->options.management_flags;
3856  if (c->options.mode == MODE_SERVER)
3857  {
3858  flags |= MF_SERVER;
3859  }
3871  flags))
3872  {
3875  NULL,
3876  NULL,
3877  NULL,
3878  NULL,
3879  NULL);
3880  }
3881 
3882  /* initial management hold, called early, before first context initialization */
3883  do_hold(0);
3884  if (IS_SIG(c))
3885  {
3886  msg(M_WARN, "Signal received from management interface, exiting");
3887  return false;
3888  }
3889  }
3890  else
3891  {
3892  close_management();
3893  }
3894  }
3895  return true;
3896 }
3897 
3898 void
3900 {
3901  if (management)
3902  {
3904  management = NULL;
3905  }
3906 }
3907 
3908 #endif /* ifdef ENABLE_MANAGEMENT */
3909 
3910 
3911 void
3913 {
3914 #ifdef ENABLE_MANAGEMENT
3915  if (management)
3916  {
3918  }
3919 #endif
3920 }
3921 
3922 /*
3923  * Initialize a tunnel instance, handle pre and post-init
3924  * signal settings.
3925  */
3926 void
3927 init_instance_handle_signals(struct context *c, const struct env_set *env, const unsigned int flags)
3928 {
3930  init_instance(c, env, flags);
3932 
3933  /*
3934  * This is done so that signals thrown during
3935  * initialization can bring us back to
3936  * a management hold.
3937  */
3938  if (IS_SIG(c))
3939  {
3940  remap_signal(c);
3942  }
3943 }
3944 
3945 /*
3946  * Initialize a tunnel instance.
3947  */
3948 void
3949 init_instance(struct context *c, const struct env_set *env, const unsigned int flags)
3950 {
3951  const struct options *options = &c->options;
3952  const bool child = (c->mode == CM_CHILD_TCP || c->mode == CM_CHILD_UDP);
3953  int link_socket_mode = LS_MODE_DEFAULT;
3954 
3955  /* init garbage collection level */
3956  gc_init(&c->c2.gc);
3957 
3958  /* inherit environmental variables */
3959  if (env)
3960  {
3961  do_inherit_env(c, env);
3962  }
3963 
3964  /* signals caught here will abort */
3965  c->sig->signal_received = 0;
3966  c->sig->signal_text = NULL;
3967  c->sig->source = SIG_SOURCE_SOFT;
3968 
3969  if (c->mode == CM_P2P)
3970  {
3972  }
3973 
3974  /* possible sleep or management hold if restart */
3975  if (c->mode == CM_P2P || c->mode == CM_TOP)
3976  {
3977  do_startup_pause(c);
3978  if (IS_SIG(c))
3979  {
3980  goto sig;
3981  }
3982  }
3983 
3984  if (c->options.resolve_in_advance)
3985  {
3986  do_preresolve(c);
3987  if (IS_SIG(c))
3988  {
3989  goto sig;
3990  }
3991  }
3992 
3993  /* map in current connection entry */
3995 
3996  /* link_socket_mode allows CM_CHILD_TCP
3997  * instances to inherit acceptable fds
3998  * from a top-level parent */
3999  if (c->options.ce.proto == PROTO_TCP_SERVER)
4000  {
4001  if (c->mode == CM_TOP)
4002  {
4003  link_socket_mode = LS_MODE_TCP_LISTEN;
4004  }
4005  else if (c->mode == CM_CHILD_TCP)
4006  {
4007  link_socket_mode = LS_MODE_TCP_ACCEPT_FROM;
4008  }
4009  }
4010 
4011  /* should we disable paging? */
4012  if (c->first_time && options->mlock)
4013  {
4014  platform_mlockall(true);
4015  }
4016 
4017 #if P2MP
4018  /* get passwords if undefined */
4019  if (auth_retry_get() == AR_INTERACT)
4020  {
4022  }
4023 #endif
4024 
4025  /* initialize context level 2 --verb/--mute parms */
4027 
4028  /* set error message delay for non-server modes */
4029  if (c->mode == CM_P2P)
4030  {
4032  }
4033 
4034  /* warn about inconsistent options */
4035  if (c->mode == CM_P2P || c->mode == CM_TOP)
4036  {
4037  do_option_warnings(c);
4038  }
4039 
4040 #ifdef ENABLE_PLUGIN
4041  /* initialize plugins */
4042  if (c->mode == CM_P2P || c->mode == CM_TOP)
4043  {
4044  open_plugins(c, false, OPENVPN_PLUGIN_INIT_PRE_DAEMON);
4045  }
4046 #endif
4047 
4048  /* should we enable fast I/O? */
4049  if (c->mode == CM_P2P || c->mode == CM_TOP)
4050  {
4051  do_setup_fast_io(c);
4052  }
4053 
4054  /* should we throw a signal on TLS errors? */
4056 
4057  /* open --status file */
4058  if (c->mode == CM_P2P || c->mode == CM_TOP)
4059  {
4061  }
4062 
4063  /* open --ifconfig-pool-persist file */
4064  if (c->mode == CM_TOP)
4065  {
4067  }
4068 
4069 #ifdef ENABLE_OCC
4070  /* reset OCC state */
4071  if (c->mode == CM_P2P || child)
4072  {
4073  c->c2.occ_op = occ_reset_op();
4074  }
4075 #endif
4076 
4077  /* our wait-for-i/o objects, different for posix vs. win32 */
4078  if (c->mode == CM_P2P)
4079  {
4081  }
4082  else if (c->mode == CM_CHILD_TCP)
4083  {
4084  do_event_set_init(c, false);
4085  }
4086 
4087  /* initialize HTTP or SOCKS proxy object at scope level 2 */
4088  init_proxy(c);
4089 
4090  /* allocate our socket object */
4091  if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
4092  {
4093  do_link_socket_new(c);
4094  }
4095 
4096 #ifdef ENABLE_FRAGMENT
4097  /* initialize internal fragmentation object */
4098  if (options->ce.fragment && (c->mode == CM_P2P || child))
4099  {
4100  c->c2.fragment = fragment_init(&c->c2.frame);
4101  }
4102 #endif
4103 
4104  /* init crypto layer */
4105  {
4106  unsigned int crypto_flags = 0;
4107  if (c->mode == CM_TOP)
4108  {
4109  crypto_flags = CF_INIT_TLS_AUTH_STANDALONE;
4110  }
4111  else if (c->mode == CM_P2P)
4112  {
4114  }
4115  else if (child)
4116  {
4117  crypto_flags = CF_INIT_TLS_MULTI;
4118  }
4119  do_init_crypto(c, crypto_flags);
4120  if (IS_SIG(c) && !child)
4121  {
4122  goto sig;
4123  }
4124  }
4125 
4126 #ifdef USE_COMP
4127  /* initialize compression library. */
4128  if (comp_enabled(&options->comp) && (c->mode == CM_P2P || child))
4129  {
4130  c->c2.comp_context = comp_init(&options->comp);
4131  }
4132 #endif
4133 
4134  /* initialize MTU variables */
4135  do_init_frame(c);
4136 
4137  /* initialize TLS MTU variables */
4138  do_init_frame_tls(c);
4139 
4140  /* init workspace buffers whose size is derived from frame size */
4141  if (c->mode == CM_P2P || c->mode == CM_CHILD_TCP)
4142  {
4143  do_init_buffers(c);
4144  }
4145 
4146 #ifdef ENABLE_FRAGMENT
4147  /* initialize internal fragmentation capability with known frame size */
4148  if (options->ce.fragment && (c->mode == CM_P2P || child))
4149  {
4150  do_init_fragment(c);
4151  }
4152 #endif
4153 
4154  /* initialize dynamic MTU variable */
4155  frame_init_mssfix(&c->c2.frame, &c->options);
4156 
4157  /* bind the TCP/UDP socket */
4158  if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
4159  {
4160  do_init_socket_1(c, link_socket_mode);
4161  }
4162 
4163  /* initialize tun/tap device object,
4164  * open tun/tap device, ifconfig, run up script, etc. */
4165  if (!(options->up_delay || PULL_DEFINED(options)) && (c->mode == CM_P2P || c->mode == CM_TOP))
4166  {
4167  c->c2.did_open_tun = do_open_tun(c);
4168  }
4169 
4170  c->c2.frame_initial = c->c2.frame;
4171 
4172  /* print MTU info */
4174 
4175 #ifdef ENABLE_OCC
4176  /* get local and remote options compatibility strings */
4177  if (c->mode == CM_P2P || child)
4178  {
4180  }
4181 #endif
4182 
4183  /* initialize output speed limiter */
4184  if (c->mode == CM_P2P)
4185  {
4187  }
4188 
4189  /* do one-time inits, and possibily become a daemon here */
4190  do_init_first_time(c);
4191 
4192 #ifdef ENABLE_PLUGIN
4193  /* initialize plugins */
4194  if (c->mode == CM_P2P || c->mode == CM_TOP)
4195  {
4196  open_plugins(c, false, OPENVPN_PLUGIN_INIT_POST_DAEMON);
4197  }
4198 #endif
4199 
4200  /* initialise connect timeout timer */
4202 
4203  /* finalize the TCP/UDP socket */
4204  if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
4205  {
4206  do_init_socket_2(c);
4207  }
4208 
4209  /*
4210  * Actually do UID/GID downgrade, and chroot, if requested.
4211  * May be delayed by --client, --pull, or --up-delay.
4212  */
4214 
4215  /* initialize timers */
4216  if (c->mode == CM_P2P || child)
4217  {
4218  do_init_timers(c, false);
4219  }
4220 
4221 #ifdef ENABLE_PLUGIN
4222  /* initialize plugins */
4223  if (c->mode == CM_P2P || c->mode == CM_TOP)
4224  {
4225  open_plugins(c, false, OPENVPN_PLUGIN_INIT_POST_UID_CHANGE);
4226  }
4227 #endif
4228 
4229 #if PORT_SHARE
4230  /* share OpenVPN port with foreign (such as HTTPS) server */
4231  if (c->first_time && (c->mode == CM_P2P || c->mode == CM_TOP))
4232  {
4233  init_port_share(c);
4234  }
4235 #endif
4236 
4237 #ifdef ENABLE_PF
4238  if (child)
4239  {
4240  pf_init_context(c);
4241  }
4242 #endif
4243 
4244  /* Check for signals */
4245  if (IS_SIG(c))
4246  {
4247  goto sig;
4248  }
4249 
4250  return;
4251 
4252 sig:
4253  if (!c->sig->signal_text)
4254  {
4255  c->sig->signal_text = "init_instance";
4256  }
4257  close_context(c, -1, flags);
4258  return;
4259 }
4260 
4261 /*
4262  * Close a tunnel instance.
4263  */
4264 void
4266 {
4267  /* close event objects */
4268  do_close_event_set(c);
4269 
4270  if (c->mode == CM_P2P
4271  || c->mode == CM_CHILD_TCP
4272  || c->mode == CM_CHILD_UDP
4273  || c->mode == CM_TOP)
4274  {
4275  /* if xinetd/inetd mode, don't allow restart */
4277 
4278 #ifdef USE_COMP
4279  if (c->c2.comp_context)
4280  {
4281  comp_uninit(c->c2.comp_context);
4282  c->c2.comp_context = NULL;
4283  }
4284 #endif
4285 
4286  /* free buffers */
4287  do_close_free_buf(c);
4288 
4289  /* close TLS */
4290  do_close_tls(c);
4291 
4292  /* free key schedules */
4293  do_close_free_key_schedule(c, (c->mode == CM_P2P || c->mode == CM_TOP));
4294 
4295  /* close TCP/UDP connection */
4297 
4298  /* close TUN/TAP device */
4299  do_close_tun(c, false);
4300 
4301 #ifdef MANAGEMENT_DEF_AUTH
4302  if (management)
4303  {
4304  management_notify_client_close(management, &c->c2.mda_context, NULL);
4305  }
4306 #endif
4307 
4308 #ifdef ENABLE_PF
4309  pf_destroy_context(&c->c2.pf);
4310 #endif
4311 
4312 #ifdef ENABLE_PLUGIN
4313  /* call plugin close functions and unload */
4314  do_close_plugins(c);
4315 #endif
4316 
4317  /* close packet-id persistance file */
4318  do_close_packet_id(c);
4319 
4320  /* close --status file */
4322 
4323 #ifdef ENABLE_FRAGMENT
4324  /* close fragmentation handler */
4325  do_close_fragment(c);
4326 #endif
4327 
4328  /* close --ifconfig-pool-persist obj */
4330 
4331  /* free up environmental variable store */
4332  do_env_set_destroy(c);
4333 
4334  /* close HTTP or SOCKS proxy */
4335  uninit_proxy(c);
4336 
4337  /* garbage collect */
4338  gc_free(&c->c2.gc);
4339  }
4340 }
4341 
4342 void
4344  const struct context *src)
4345 {
4346  CLEAR(*dest);
4347 
4348  /* proto_is_dgram will ASSERT(0) if proto is invalid */
4350 
4351  dest->gc = gc_new();
4352 
4353  ALLOC_OBJ_CLEAR_GC(dest->sig, struct signal_info, &dest->gc);
4354 
4355  /* c1 init */
4357 
4358 #ifdef ENABLE_CRYPTO
4359  dest->c1.ks.key_type = src->c1.ks.key_type;
4360  /* inherit SSL context */
4361  dest->c1.ks.ssl_ctx = src->c1.ks.ssl_ctx;
4362  dest->c1.ks.tls_wrap_key = src->c1.ks.tls_wrap_key;
4364  /* inherit pre-NCP ciphers */
4365  dest->c1.ciphername = src->c1.ciphername;
4366  dest->c1.authname = src->c1.authname;
4367  dest->c1.keysize = src->c1.keysize;
4368 #endif
4369 
4370  /* options */
4371  dest->options = src->options;
4372  options_detach(&dest->options);
4373 
4374  if (dest->mode == CM_CHILD_TCP)
4375  {
4376  /*
4377  * The CM_TOP context does the socket listen(),
4378  * and the CM_CHILD_TCP context does the accept().
4379  */
4380  dest->c2.accept_from = src->c2.link_socket;
4381  }
4382 
4383 #ifdef ENABLE_PLUGIN
4384  /* inherit plugins */
4385  do_inherit_plugins(dest, src);
4386 #endif
4387 
4388  /* context init */
4389  init_instance(dest, src->c2.es, CC_NO_CLOSE | CC_USR1_TO_HUP);
4390  if (IS_SIG(dest))
4391  {
4392  return;
4393  }
4394 
4395  /* inherit tun/tap interface object */
4396  dest->c1.tuntap = src->c1.tuntap;
4397 
4398  /* UDP inherits some extra things which TCP does not */
4399  if (dest->mode == CM_CHILD_UDP)
4400  {
4401  /* inherit buffers */
4402  dest->c2.buffers = src->c2.buffers;
4403 
4404  /* inherit parent link_socket and tuntap */
4405  dest->c2.link_socket = src->c2.link_socket;
4406 
4407  ALLOC_OBJ_GC(dest->c2.link_socket_info, struct link_socket_info, &dest->gc);
4408  *dest->c2.link_socket_info = src->c2.link_socket->info;
4409 
4410  /* locally override some link_socket_info fields */
4411  dest->c2.link_socket_info->lsa = &dest->c1.link_socket_addr;
4413  }
4414 }
4415 
4416 void
4418  const struct context *src)
4419 {
4420  /* copy parent */
4421  *dest = *src;
4422 
4423  /*
4424  * CM_TOP_CLONE will prevent close_instance from freeing or closing
4425  * resources owned by the parent.
4426  *
4427  * Also note that CM_TOP_CLONE context objects are
4428  * closed by multi_top_free in multi.c.
4429  */
4430  dest->mode = CM_TOP_CLONE;
4431 
4432  dest->first_time = false;
4433  dest->c0 = NULL;
4434 
4435  options_detach(&dest->options);
4436  gc_detach(&dest->gc);
4437  gc_detach(&dest->c2.gc);
4438 
4439  /* detach plugins */
4440  dest->plugins_owned = false;
4441 
4442 #ifdef ENABLE_CRYPTO
4443  dest->c2.tls_multi = NULL;
4444 #endif
4445 
4446  /* detach c1 ownership */
4447  dest->c1.tuntap_owned = false;
4448  dest->c1.status_output_owned = false;
4449 #if P2MP_SERVER
4450  dest->c1.ifconfig_pool_persist_owned = false;
4451 #endif
4452 
4453  /* detach c2 ownership */
4454  dest->c2.event_set_owned = false;
4455  dest->c2.link_socket_owned = false;
4456  dest->c2.buffers_owned = false;
4457  dest->c2.es_owned = false;
4458 
4459  dest->c2.event_set = NULL;
4460  if (proto_is_dgram(src->options.ce.proto))
4461  {
4462  do_event_set_init(dest, false);
4463  }
4464 
4465 #ifdef USE_COMP
4466  dest->c2.comp_context = NULL;
4467 #endif
4468 }
4469 
4470 void
4471 close_context(struct context *c, int sig, unsigned int flags)
4472 {
4473  ASSERT(c);
4474  ASSERT(c->sig);
4475 
4476  if (sig >= 0)
4477  {
4478  c->sig->signal_received = sig;
4479  }
4480 
4481  if (c->sig->signal_received == SIGUSR1)
4482  {
4483  if ((flags & CC_USR1_TO_HUP)
4484  || (c->sig->source == SIG_SOURCE_HARD && (flags & CC_HARD_USR1_TO_HUP)))
4485  {
4486  c->sig->signal_received = SIGHUP;
4487  c->sig->signal_text = "close_context usr1 to hup";
4488  }
4489  }
4490 
4491  if (!(flags & CC_NO_CLOSE))
4492  {
4493  close_instance(c);
4494  }
4495 
4496  if (flags & CC_GC_FREE)
4497  {
4498  context_gc_free(c);
4499  }
4500 }
4501 
4502 #ifdef ENABLE_CRYPTO
4503 
4504 /*
4505  * Do a loopback test
4506  * on the crypto subsystem.
4507  */
4508 static void *
4510 {
4511  struct context *c = (struct context *) arg;
4512  const struct options *options = &c->options;
4513 
4514  ASSERT(options->test_crypto);
4516  context_init_1(c);
4518  do_init_crypto_static(c, 0);
4519 
4520  frame_finalize_options(c, options);
4521 
4522  test_crypto(&c->c2.crypto_options, &c->c2.frame);
4523 
4524  key_schedule_free(&c->c1.ks, true);
4526 
4527  context_gc_free(c);
4528  return NULL;
4529 }
4530 
4531 #endif /* ENABLE_CRYPTO */
4532 
4533 bool
4534 do_test_crypto(const struct options *o)
4535 {
4536 #ifdef ENABLE_CRYPTO
4537  if (o->test_crypto)
4538  {
4539  struct context c;
4540 
4541  /* print version number */
4542  msg(M_INFO, "%s", title_string);
4543 
4544  context_clear(&c);
4545  c.options = *o;
4546  options_detach(&c.options);
4547  c.first_time = true;
4548  test_crypto_thread((void *) &c);
4549  return true;
4550  }
4551 #endif
4552  return false;
4553 }
struct tuntap_options tuntap_options
Definition: options.h:276
bool tcp_mode
Definition: ssl_common.h:298
struct env_set * es
Definition: openvpn.h:435
char port[RH_PORT_LEN]
Definition: options.h:165
const char * ciphername
Data channel cipher from config file.
Definition: openvpn.h:213
bool remote_float
Definition: options.h:97
const char * tls_crypt_file
Definition: options.h:569
bool socks_proxy_owned
Definition: openvpn.h:193
static void init_crypto_pre(struct context *c, const unsigned int flags)
Definition: init.c:2439
void interval_init(struct interval *top, int horizon, int refresh)
Definition: interval.c:37
const char * status_file
Definition: options.h:311
void management_close(struct management *man)
Definition: manage.c:2640
int ifconfig_pool_persist_refresh_freq
Definition: options.h:407
struct key_type key_type
Definition: ssl_common.h:241
struct ifconfig_pool_persist * ifconfig_pool_persist_init(const char *filename, int refresh_freq)
Definition: pool.c:426
bool persist_remote_ip
Definition: options.h:265
int sndbuf
Definition: options.h:324
static void frame_add_to_extra_buffer(struct frame *frame, const int increment)
Definition: mtu.h:292
void platform_group_set(const struct platform_state_group *state)
Definition: platform.c:128
struct route_ipv6_option_list * routes_ipv6
Definition: options.h:342
union openvpn_sockaddr::@6 addr
bool log_rw
Definition: openvpn.h:395
void frame_subtract_extra(struct frame *frame, const struct frame *src)
Definition: mtu.c:123
static int route_did_redirect_default_gateway(const struct route_list *rl)
Definition: route.h:392
void set_std_files_to_null(bool stdin_only)
Definition: misc.c:61
#define CO_PACKET_ID_LONG_FORM
Bit-flag indicating whether to use OpenVPN&#39;s long packet ID format.
Definition: crypto.h:247
struct http_proxy_info * http_proxy_new(const struct http_proxy_options *o)
Definition: proxy.c:486
static void strncpynt(char *dest, const char *src, size_t maxlen)
Definition: buffer.h:343
const char * socks_proxy_port
Definition: options.h:106
#define TM_ACTIVE
Active tls_session.
Definition: ssl_common.h:458
struct frame frame_fragment_omit
Definition: openvpn.h:272
const char * tmp_dir
Definition: ssl_common.h:313
struct event_timeout route_wakeup
Definition: openvpn.h:398
bool tun_mtu_defined
Definition: options.h:110
static void uninit_proxy_dowork(struct context *c)
Definition: init.c:558
#define OPT_P_DEFAULT
Definition: options.h:648
bool platform_group_get(const char *groupname, struct platform_state_group *state)
Definition: platform.c:106
int dev_type_enum(const char *dev, const char *dev_type)
Definition: tun.c:246
Definition: tun.h:131
bool ncp_enabled
Definition: options.h:477
unsigned int management_flags
Definition: options.h:366
static void do_close_tun(struct context *c, bool force)
Definition: init.c:1876
struct packet_id packet_id
Current packet ID state for both sending and receiving directions.
Definition: crypto.h:240
static void do_init_crypto_static(struct context *c, const unsigned int flags)
Definition: init.c:2468
const char * signal_description(const int signum, const char *sigtext)
Definition: sig.c:91
struct key_state key[KS_SIZE]
Definition: ssl_common.h:438
struct buffer read_tun_buf
Definition: openvpn.h:115
const char * crl_file
Definition: ssl_common.h:280
#define P2MP_SERVER
Definition: syshead.h:523
bool block_outside_dns
Definition: options.h:594
uint8_t hmac_length
HMAC length, in bytes.
Definition: crypto.h:144
#define D_INIT_MEDIUM
Definition: errlevel.h:105
struct event_timeout ping_rec_interval
Definition: openvpn.h:303
void tls_auth_standalone_finalize(struct tls_auth_standalone *tas, const struct frame *frame)
Definition: ssl.c:1309
struct options options
Options loaded from command line or configuration file.
Definition: openvpn.h:510
void platform_nice(int niceval)
Definition: platform.c:154
void plugin_return_get_column(const struct plugin_return *src, struct plugin_return *dest, const char *colname)
Definition: plugin.c:971
struct event_timeout route_wakeup_expire
Definition: openvpn.h:399
#define PAR_NCT
Definition: proxy.h:50
bool mute_replay_warnings
Definition: options.h:485
void test_crypto(struct crypto_options *co, struct frame *frame)
Definition: crypto.c:1090
#define BASE_N_EVENTS
Definition: init.h:33
void tun_standby_init(struct tuntap *tt)
Definition: tun.c:5393
bool show_curves
Definition: options.h:197
void free_buf(struct buffer *buf)
Definition: buffer.c:191
static bool openvpn_run_script(const struct argv *a, const struct env_set *es, const unsigned int flags, const char *hook)
Definition: misc.h:70
#define D_ROUTE
Definition: errlevel.h:80
bool exit_event_initial_state
Definition: options.h:591
const char * cipher_list
Definition: options.h:504
unsigned int flags
Bit-flags determining behavior of security operation functions.
Definition: crypto.h:259
bool tls_server
Definition: options.h:495
struct link_socket * link_socket_new(void)
Definition: socket.c:1708
static void do_alloc_route_list(struct context *c)
Definition: init.c:1370
static bool management_callback_remote_cmd(void *arg, const char **p)
Definition: init.c:291
void socks_proxy_close(struct socks_proxy_info *sp)
Definition: socks.c:91
char * string_alloc(const char *str, struct gc_arena *gc)
Definition: buffer.c:626
#define CE_MAN_QUERY_REMOTE_MOD
Definition: options.h:130
void init_verb_mute(struct context *c, unsigned int flags)
Definition: init.c:963
struct argv argv_new(void)
Definition: argv.c:51
static bool options_hash_changed_or_zero(const struct sha256_digest *a, const struct sha256_digest *b)
Helper for do_up().
Definition: init.c:2028
static void init_proxy_dowork(struct context *c)
Definition: init.c:575
static void frame_or_align_flags(struct frame *frame, const unsigned int flag_mask)
Definition: mtu.h:310
void prng_init(const char *md_name, const int nonce_secret_len_parm)
Pseudo-random number generator initialisation.
Definition: crypto.c:1728
struct packet_id_persist * pid_persist
Persistent packet ID state for keeping state between successive OpenVPN process startups.
Definition: crypto.h:242
#define SET_MTU_TUN
Definition: mtu.h:220
struct cached_dns_entry * dns_cache
Definition: openvpn.h:166
bool did_open_tun
Definition: openvpn.h:402
unsigned int auth_token_lifetime
Definition: ssl_common.h:317
int management_log_history_cache
Definition: options.h:357
#define STATUS_OUTPUT_WRITE
Definition: status.h:51
struct interval tmp_int
Definition: openvpn.h:357
#define streq(x, y)
Definition: options.h:613
const char * ifconfig_pool_persist_filename
Definition: options.h:406
const char * chroot_dir
Definition: options.h:281
#define P2P_ERROR_DELAY_MS
Definition: errlevel.h:41
void string_clear(char *str)
Definition: buffer.c:669
static void do_inherit_plugins(struct context *c, const struct context *src)
Definition: init.c:3742
static void do_close_event_set(struct context *c)
Definition: init.c:3532
static void do_init_crypto_tls_c1(struct context *c)
Definition: init.c:2528
static void plugin_return_init(struct plugin_return *pr)
Definition: plugin.h:172
bool server_bridge_proxy_dhcp
Definition: options.h:393
const char * dev
Definition: options.h:220
#define WSO_FORCE_SERVICE
Definition: win32.h:162
int ping_rec_timeout_action
Definition: options.h:261
bool do_up(struct context *c, bool pulled_options, unsigned int option_types_found)
Definition: init.c:2038
bool auth_token_generate
Definition: options.h:448
void packet_id_persist_load_obj(const struct packet_id_persist *p, struct packet_id *pid)
Definition: packet_id.c:526
int inetd
Definition: options.h:298
#define D_IMPORT_ERRORS
Definition: errlevel.h:64
void print_default_gateway(const int msglevel, const struct route_gateway_info *rgi, const struct route_ipv6_gateway_info *rgi6)
Definition: route.c:1301
#define M_INFO
Definition: errlevel.h:55
void notnull(const char *arg, const char *description)
Definition: options.c:4166
void tun_abort(void)
Definition: init.c:2008
Contains all state information for one tunnel.
Definition: openvpn.h:508
#define CIPHER_ENABLED(c)
Definition: openvpn.h:589
Packet geometry parameters.
Definition: mtu.h:93
#define SIZE(x)
Definition: basic.h:30
static void do_env_set_destroy(struct context *c)
Definition: init.c:3619
#define PAR_ALL
Definition: proxy.h:49
bool cipher_kt_mode_ofb_cfb(const cipher_kt_t *cipher)
Check if the supplied cipher is a supported OFB or CFB mode cipher.
#define ROUTE_AFTER_TUN
Definition: tun.h:314
struct env_set * es
Set of environment variables.
Definition: openvpn.h:531
#define D_PUSH
Definition: errlevel.h:83
void crypto_read_openvpn_key(const struct key_type *key_type, struct key_ctx_bi *ctx, const char *key_file, const char *key_inline, const int key_direction, const char *key_name, const char *opt_name)
Definition: crypto.c:1178
enum tls_wrap_ctx::@7 mode
Control channel wrapping mode.
#define srandom
Definition: syshead.h:44
bool proto_is_udp(int proto)
Definition: socket.c:3037
struct openvpn_plugin_string_list * list[MAX_PLUGINS]
Definition: plugin.h:104
void remap_signal(struct context *c)
Definition: sig.c:374
void tls_crypt_init_key(struct key_ctx_bi *key, const char *key_file, const char *key_inline, bool tls_server)
Initialize a key_ctx_bi structure for use with –tls-crypt.
Definition: tls_crypt.c:69
const char * tls_auth_file
Definition: options.h:565
static void gc_free(struct gc_arena *a)
Definition: buffer.h:990
void link_socket_init_phase1(struct link_socket *sock, const char *local_host, const char *local_port, const char *remote_host, const char *remote_port, struct cached_dns_entry *dns_cache, int proto, sa_family_t af, bool bind_ipv6_only, int mode, const struct link_socket *accept_from, struct http_proxy_info *http_proxy, struct socks_proxy_info *socks_proxy, bool bind_local, bool remote_float, int inetd, struct link_socket_addr *lsa, const char *ipchange_command, const struct plugin_list *plugins, int resolve_retry_seconds, int mtu_discover_type, int rcvbuf, int sndbuf, int mark, struct event_timeout *server_poll_timeout, unsigned int sockflags)
Definition: socket.c:1719
struct tls_root_ctx ssl_ctx
Definition: ssl_common.h:238
static bool check_debug_level(unsigned int level)
Definition: error.h:245
#define PAYLOAD_ALIGN
Definition: mtu.h:86
static bool management_callback_proxy_cmd(void *arg, const char **p)
Definition: init.c:210
#define OPT_P_PLUGIN
Definition: options.h:642
static int plugin_call(const struct plugin_list *pl, const int type, const struct argv *av, struct plugin_return *pr, struct env_set *es)
Definition: plugin.h:205
void close_context(struct context *c, int sig, unsigned int flags)
Definition: init.c:4471
static void do_init_socket_2(struct context *c)
Definition: init.c:3275
bool platform_user_get(const char *username, struct platform_state_user *state)
Definition: platform.c:67
const char * auth_user_pass_verify_script
Definition: ssl_common.h:311
const char * shared_secret_file
Definition: options.h:473
static void packet_id_persist_init(struct packet_id_persist *p)
Definition: openvpn.h:85
void open_tun(const char *dev, const char *dev_type, const char *dev_node, struct tuntap *tt)
Definition: tun.c:5640
#define RH_PORT_LEN
Definition: options.h:164
#define EVENT_METHOD_FAST
Definition: event.h:42
uint32_t peer_id
Definition: options.h:598
#define D_TLS_ERRORS
Definition: errlevel.h:59
void init_management_callback_p2p(struct context *c)
Definition: init.c:3816
struct tls_auth_standalone * tls_auth_standalone
TLS state structure required for the initial authentication of a client&#39;s connection attempt...
Definition: openvpn.h:345
int script_security
Definition: misc.c:55
struct buffer_list * buffer_list_new(const int max_size)
Definition: buffer.c:1139
#define IFCONFIG_BEFORE_TUN_OPEN
Definition: tun.h:286
void close_instance(struct context *c)
Definition: init.c:4265
#define ASSERT(x)
Definition: error.h:221
Definition: options.h:88
int renegotiate_seconds
Definition: options.h:550
const char * client_config_dir_exclusive
Definition: ssl_common.h:320
void http_proxy_close(struct http_proxy_info *hp)
Definition: proxy.c:547
static void frame_add_to_extra_link(struct frame *frame, const int increment)
Definition: mtu.h:286
void tls_multi_free(struct tls_multi *multi, bool clear)
Cleanup a tls_multi structure and free associated memory allocations.
Definition: ssl.c:1336
#define OPT_P_IPWIN32
Definition: options.h:621
bool persist_key
Definition: options.h:266
#define SIGUSR1
Definition: config-msvc.h:116
int replay_window
Definition: options.h:486
int persist_mode
Definition: options.h:189
int keysize
Data channel keysize from config file.
Definition: openvpn.h:215
#define SET_MTU_UPPER_BOUND
Definition: mtu.h:221
static void clear_remote_addrlist(struct link_socket_addr *lsa, bool free)
Definition: init.c:411
const char * auth_user_pass_file
Definition: ssl_common.h:314
static void do_signal_on_tls_errors(struct context *c)
Definition: init.c:3667
struct context_buffers * buffers
Definition: openvpn.h:382
int verify_x509_type
Definition: ssl_common.h:278
struct buffer alloc_buf(size_t size)
Definition: buffer.c:62
int connect_retry_seconds
Definition: options.h:101
void setenv_routes_ipv6(struct env_set *es, const struct route_ipv6_list *rl6)
Definition: route.c:1448
void buffer_list_free(struct buffer_list *ol)
Definition: buffer.c:1149
struct event_timeout wait_for_connect
Definition: openvpn.h:301
void add_routes(struct route_list *rl, struct route_ipv6_list *rl6, const struct tuntap *tt, unsigned int flags, const struct env_set *es)
Definition: route.c:1167
int rcvbuf
Definition: options.h:323
const char * crl_file_inline
Definition: options.h:515
#define D_LOG_RW
Definition: errlevel.h:110
struct link_socket_info * link_socket_info
Definition: openvpn.h:258
static void next_connection_entry(struct context *c)
Definition: init.c:425
int handshake_window
Definition: ssl_common.h:269
struct connection_list * connection_list
Definition: options.h:204
const char * guess_tuntap_dev(const char *dev, const char *dev_type, const char *dev_node, struct gc_arena *gc)
Definition: tun.c:290
void buffer_list_aggregate(struct buffer_list *bl, const size_t max)
Definition: buffer.c:1278
#define LS_MODE_DEFAULT
Definition: socket.h:196
struct crypto_options opt
Crypto state.
Definition: ssl_common.h:227
#define RH_HOST_LEN
Definition: options.h:162
const char * exit_event_name
Definition: options.h:590
#define AR_NONE
Definition: options.h:799
const struct link_socket * accept_from
Definition: openvpn.h:259
bool route_noexec
Definition: options.h:337
unsigned int sockflags
Definition: options.h:330
static void frame_finalize_options(struct context *c, const struct options *o)
Definition: init.c:2391
in_addr_t remote_netmask
Definition: tun.h:154
void packet_id_persist_close(struct packet_id_persist *p)
Definition: packet_id.c:421
static void do_close_tls(struct context *c)
Definition: init.c:3397
static bool ce_management_query_remote(struct context *c)
Definition: init.c:338
#define M_FATAL
Definition: error.h:94
void add_route_ipv6_to_option_list(struct route_ipv6_option_list *l, const char *prefix, const char *gateway, const char *metric)
Definition: route.c:507
bool buf_printf(struct buffer *buf, const char *format,...)
Definition: buffer.c:223
#define ENABLE_PKCS11
Definition: config-msvc.h:18
static int occ_reset_op(void)
Definition: occ-inline.h:34
const char * route_script
Definition: options.h:333
#define SDL_CONSTRAIN
Definition: error.h:203
int management_state_buffer_size
Definition: options.h:359
void do_route(const struct options *options, struct route_list *route_list, struct route_ipv6_list *route_ipv6_list, const struct tuntap *tt, const struct plugin_list *plugins, struct env_set *es)
Definition: init.c:1597
static char * format_hex(const uint8_t *data, int size, int maxoutput, struct gc_arena *gc)
Definition: buffer.h:500
int resolve_retry_seconds
Definition: options.h:272
#define CLEAR(x)
Definition: basic.h:33
#define D_GENKEY
Definition: errlevel.h:79
struct link_socket_addr link_socket_addr
Local and remote addresses on the external network.
Definition: openvpn.h:158
#define D_MTU_INFO
Definition: errlevel.h:106
#define D_READ_WRITE
Definition: errlevel.h:162
struct socks_proxy_info * socks_proxy
Definition: openvpn.h:192
#define in_addr_t
Definition: config-msvc.h:104
static int buf_read_u8(struct buffer *buf)
Definition: buffer.h:786
static void do_init_frame(struct context *c)
Definition: init.c:2895
const char * config
Definition: options.h:175
int route_delay
Definition: options.h:338
const char * gen_path(const char *directory, const char *filename, struct gc_arena *gc)
Definition: misc.c:807
char * options_string(const struct options *o, const struct frame *frame, struct tuntap *tt, bool remote, struct gc_arena *gc)
Definition: options.c:3521
#define D_RESTART
Definition: errlevel.h:82
struct signal_info * sig
Internal error signaling object.
Definition: openvpn.h:533
const char * tls_auth_file_inline
Definition: options.h:566
#define MAX_PARMS
Definition: options.h:53
const char * port
Definition: proxy.h:46
const char * down_script
Definition: options.h:288
const char * local_port
Definition: options.h:92
void socks_adjust_frame_parameters(struct frame *frame, int proto)
Definition: socks.c:53
const char * route_predown_script
Definition: options.h:334
void open_plugins(struct context *c, const bool import_options, int init_point)
Definition: init.c:3694
const char * ekm_label
Definition: ssl_common.h:358
void post_init_signal_catch(void)
Definition: sig.c:255
bool link_socket_update_flags(struct link_socket *ls, unsigned int sockflags)
Definition: socket.c:850
struct frame frame_initial
Definition: openvpn.h:266
bool down_pre
Definition: options.h:290
int keepalive_timeout
Definition: options.h:249
#define OPT_P_SOCKBUF
Definition: options.h:643
#define SIGTERM
Definition: config-msvc.h:118
bool auth_token_generate
Generate auth-tokens on successful user/pass auth, set via options->auth_token_generate.
Definition: ssl_common.h:315
static void do_init_traffic_shaper(struct context *c)
Definition: init.c:1352
#define TLS_MODE(c)
Definition: openvpn.h:570
void init_query_passwords(const struct context *c)
Query for private key and auth-user-pass username/passwords.
Definition: init.c:530
#define OPT_P_SETENV
Definition: options.h:623
#define CE_MAN_QUERY_PROXY
Definition: options.h:126
#define SIGHUP
Definition: config-msvc.h:114
struct tuntap * tuntap
Tun/tap virtual network interface.
Definition: openvpn.h:171
void setenv_str(struct env_set *es, const char *name, const char *value)
Definition: misc.c:564
bool management_hold(struct management *man, int holdtime)
Definition: manage.c:3704
#define PING_RESTART
Definition: options.h:260
static void do_init_finalize_tls_frame(struct context *c)
Definition: init.c:2838
int handshake_window
Definition: options.h:554
void init_management(struct context *c)
Definition: init.c:3839
static void do_close_plugins(struct context *c)
Definition: init.c:3731
#define ENABLE_CRYPTO
Definition: config-msvc.h:7
#define D_SHOW_NET
Definition: errlevel.h:128
static int ifconfig_order(void)
Definition: tun.h:292
struct gc_arena gc
Garbage collection arena for allocations done in the level 2 scope of this context_2 structure...
Definition: openvpn.h:230
char * basename(char *filename)
unsigned int crypto_flags
Definition: ssl_common.h:294
struct key_ctx_bi tls_wrap_key
Definition: openvpn.h:69
struct remote_host_store * rh_store
Definition: options.h:216
struct tls_session session[TM_SIZE]
Array of tls_session objects representing control channel sessions with the remote peer...
Definition: ssl_common.h:571
int explicit_exit_notification
Definition: options.h:123
void platform_user_set(const struct platform_state_user *state)
Definition: platform.c:89
int status_file_update_freq
Definition: options.h:313
int verify_x509_type
Definition: options.h:507
unsigned int unsuccessful_attempts
Definition: options.h:210
void close_management(void)
Definition: init.c:3899
bool tuntap_owned
Whether the tun/tap interface should be cleaned up when this context is cleaned up.
Definition: openvpn.h:172
const char * config_ciphername
Definition: ssl_common.h:300
const char * prng_hash
Definition: options.h:481
int ping_rec_timeout
Definition: options.h:255
void(* status)(void *arg, const int version, struct status_output *so)
Definition: manage.h:161
#define D_LOW
Definition: errlevel.h:97
bool ifconfig_noexec
Definition: options.h:230
bool fast_io
Definition: options.h:316
static void frame_add_to_extra_frame(struct frame *frame, const int increment)
Definition: mtu.h:274
int key_direction
Definition: options.h:475
int renegotiate_bytes
Definition: ssl_common.h:271
void status_printf(struct status_output *so, const char *format,...)
Definition: status.c:239
static void update_options_ce_post(struct options *options)
Definition: init.c:189
struct tuntap_options options
Definition: tun.h:145
bool link_mtu_defined
Definition: options.h:114
static struct context * static_context
Definition: init.c:57
char username[USER_PASS_LEN]
Definition: misc.h:185
bool init_static(void)
Definition: init.c:703
void platform_mlockall(bool print_msg)
Definition: platform.c:191
#define OCC_MTU_LOAD_INTERVAL_SECONDS
Definition: occ.h:64
void packet_id_free(struct packet_id *p)
Definition: packet_id.c:103
#define CE_MAN_QUERY_REMOTE_SKIP
Definition: options.h:131
struct socks_proxy_info * socks_proxy_new(const char *server, const char *port, const char *authfile)
Definition: socks.c:62
#define MODE_SERVER
Definition: options.h:179
bool use_peer_id
Definition: ssl_common.h:557
struct event_timeout ping_send_interval
Definition: openvpn.h:302
bool route_delay_defined
Definition: options.h:340
void buffer_list_push(struct buffer_list *ol, const unsigned char *str)
Definition: buffer.c:1180
void argv_msg(const int msglev, const struct argv *a)
Definition: argv.c:205
#define CM_CHILD_UDP
Definition: openvpn.h:520
bool initialized
Definition: crypto.h:227
bool tls_exit
Definition: options.h:579
#define MF_SERVER
Definition: manage.h:337
bool print_openssl_info(const struct options *options)
Definition: init.c:996
void restore_signal_state(void)
Definition: sig.c:272
void check_replay_consistency(const struct key_type *kt, bool packet_id)
Definition: crypto.c:1007
#define ALLOC_OBJ_GC(dptr, type, gc)
Definition: buffer.h:1049
void init_tun_post(struct tuntap *tt, const struct frame *frame, const struct tuntap_options *options)
Definition: tun.c:792
#define PULL_DEFINED(opt)
Definition: options.h:651
char * x509_username_field
Definition: ssl_common.h:287
bool route_nopull
Definition: options.h:343
struct http_proxy_options * init_http_proxy_options_once(struct http_proxy_options **hpo, struct gc_arena *gc)
Definition: proxy.c:48
struct sockaddr_in6 in6
Definition: socket.h:70
#define TOP_P2P
Definition: proto.h:44
static void do_close_fragment(struct context *c)
Definition: init.c:3498
static void do_uid_gid_chroot(struct context *c, bool no_delay)
Definition: init.c:1142
#define CF_INIT_TLS_AUTH_STANDALONE
Definition: init.c:64
struct event_set * event_set_init(int *maxevents, unsigned int flags)
Definition: event.c:1180
const char * tls_export_cert
Definition: options.h:509
const char * route_default_gateway
Definition: options.h:335
void ifconfig_pool_persist_close(struct ifconfig_pool_persist *persist)
Definition: pool.c:447
struct status_output * status_open(const char *filename, const int refresh_freq, const int msglevel, const struct virtual_output *vout, const unsigned int flags)
Definition: status.c:63
void init_instance_handle_signals(struct context *c, const struct env_set *env, const unsigned int flags)
Definition: init.c:3927
int remap_sigusr1
Definition: options.h:295
#define VERIFY_X509_NONE
Definition: ssl_verify.h:65
void extract_x509_field_test(void)
bool uid_gid_chroot_set
Definition: openvpn.h:141
static bool key_ctx_bi_defined(const struct key_ctx_bi *key)
Definition: crypto.h:511
bool remote_random
Definition: options.h:218
static void frame_add_to_link_mtu(struct frame *frame, const int increment)
Definition: mtu.h:268
bool status_close(struct status_output *so)
Definition: status.c:203
#define LS_MODE_TCP_ACCEPT_FROM
Definition: socket.h:198
struct context_1 c1
Level 1 context.
Definition: openvpn.h:546
void pre_init_signal_catch(void)
Definition: sig.c:239
#define WSO_FORCE_CONSOLE
Definition: win32.h:163
void init_options_dev(struct options *options)
Definition: init.c:986
struct context_persist persist
Persistent context.
Definition: openvpn.h:543
void prng_uninit(void)
Definition: crypto.c:1747
struct tls_auth_standalone * tls_auth_standalone_init(struct tls_options *tls_options, struct gc_arena *gc)
Definition: ssl.c:1286
bool auth_user_pass_verify_script_via_file
Definition: options.h:447
#define WSO_MODE_CONSOLE
Definition: win32.h:148
const char * tls_verify
Definition: options.h:506
void setenv_routes(struct env_set *es, const struct route_list *rl)
Definition: route.c:1417
struct buffer decrypt_buf
Definition: openvpn.h:101
struct event_timeout inactivity_interval
Definition: openvpn.h:306
size_t ekm_size
Definition: ssl_common.h:360
bool open_management(struct context *c)
Definition: init.c:3848
void packet_id_init(struct packet_id *p, int seq_backtrack, int time_backtrack, const char *name, int unit)
Definition: packet_id.c:80
#define BUF_SIZE(f)
Definition: mtu.h:194
#define X509_USERNAME_FIELD_DEFAULT
Definition: ssl.h:109
void init_ssl(const struct options *options, struct tls_root_ctx *new_ctx)
Build master SSL context object that serves for the whole of OpenVPN instantiation.
Definition: ssl.c:598
void inherit_context_child(struct context *dest, const struct context *src)
Definition: init.c:4343
#define OPT_P_PULL_MODE
Definition: options.h:641
struct frame frame_fragment
Definition: openvpn.h:271
static void management_callback_status_p2p(void *arg, const int version, struct status_output *so)
Definition: init.c:3756
void context_gc_free(struct context *c)
Definition: init.c:664
static void do_open_status_output(struct context *c)
Definition: init.c:3547
void get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6, const struct in6_addr *dest)
Definition: route.c:2801
bool management_open(struct management *man, const char *addr, const char *port, const char *pass_file, const char *client_user, const char *client_group, const int log_history_cache, const int echo_buffer_size, const int state_buffer_size, const char *write_peer_info_file, const int remap_sigusr1, const unsigned int flags)
Definition: manage.c:2583
#define FRAME_HEADROOM_MARKER_FRAGMENT
Definition: mtu.h:130
#define CE_MAN_QUERY_REMOTE_MASK
Definition: options.h:132
static bool addr_defined(const struct openvpn_sockaddr *addr)
Definition: socket.h:619
interval_t packet_timeout
Definition: ssl_common.h:270
static void do_close_ifconfig_pool_persist(struct context *c)
Definition: init.c:3591
static void do_close_check_if_restart_permitted(struct context *c)
Definition: init.c:3366
const char * config_authname
Definition: ssl_common.h:301
int tun_mtu
Definition: options.h:109
const char * verify_x509_name
Definition: options.h:508
void free_context_buffers(struct context_buffers *b)
Definition: init.c:3166
bool do_genkey(const struct options *options)
Definition: init.c:1035
in_addr_t local
Definition: tun.h:153
interval_t renegotiate_seconds
Definition: ssl_common.h:273
const char * socks_proxy_server
Definition: options.h:105
int ns_cert_type
Definition: options.h:520
const char * management_write_peer_info_file
Definition: options.h:360
#define IA_EMPTY_IF_UNDEF
Definition: socket.h:393
#define LS_MODE_TCP_LISTEN
Definition: socket.h:197
int md_kt_size(const md_kt_t *kt)
Returns the size of the message digest, in bytes.
struct plugin_option_list * plugin_list
Definition: options.h:371
void tls_ctx_free(struct tls_root_ctx *ctx)
Frees the library-specific TLSv1 context.
Definition: ssl_openssl.c:126
int proto
Definition: options.h:90
int verbosity
Definition: options.h:304
bool show_net_up
Definition: options.h:592
bool auth_user_pass_verify_script_via_file
Definition: ssl_common.h:312
bool show_engines
Definition: options.h:195
void show_available_engines(void)
int rand_bytes(uint8_t *output, int len)
Wrapper for secure random number generator.
static const char * np(const char *str)
Definition: simple.c:108
const char * crl_file_inline
Definition: ssl_common.h:281
int mode
Definition: options.h:180
bool(* proxy_cmd)(void *arg, const char **p)
Definition: manage.h:183
void frame_print(const struct frame *frame, int level, const char *prefix)
Definition: mtu.c:139
bool show_tls_ciphers
Definition: options.h:196
bool ccd_exclusive
Definition: options.h:419
static struct gc_arena gc_new(void)
Definition: buffer.h:982
#define KS_PRIMARY
Primary key state index.
Definition: ssl_common.h:370
void plugin_list_open(struct plugin_list *pl, const struct plugin_option_list *list, struct plugin_return *pr, const struct env_set *es, const int init_point)
Definition: plugin.c:774
void options_string_import(struct options *options, const char *config, const int msglevel, const unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es)
Definition: options.c:4789
bool single_session
Definition: ssl_common.h:259
bool occ
Definition: options.h:350
unsigned remote_cert_ku[MAX_PARMS]
Definition: ssl_common.h:283
#define IFCONFIG_AFTER_TUN_OPEN
Definition: tun.h:287
time_t now
Definition: otime.c:36
int ifconfig_ipv6_netbits
Definition: options.h:228
#define CM_CHILD_TCP
Definition: openvpn.h:521
void init_instance(struct context *c, const struct env_set *env, const unsigned int flags)
Definition: init.c:3949
static void uninit_proxy(struct context *c)
Definition: init.c:611
bool tls_client
Definition: options.h:496
const char * authname
Definition: options.h:479
static void do_init_crypto_none(const struct context *c)
Definition: init.c:2860
struct event_timeout occ_interval
Definition: openvpn.h:316
struct route_list * route_list
List of routing information.
Definition: openvpn.h:176
void management_notify_generic(struct management *man, const char *str)
Definition: manage.c:2822
#define ALLOC_OBJ_CLEAR(dptr, type)
Definition: buffer.h:1017
struct crypto_options crypto_options
Definition: ssl_common.h:181
int connect_retry_max
Definition: options.h:202
bool show_digests
Definition: options.h:194
struct platform_state_group platform_state_group
Definition: openvpn.h:143
bool genkey
Definition: options.h:198
static void do_init_crypto(struct context *c, const unsigned int flags)
Definition: init.c:2872
void init_win32(void)
Definition: win32.c:105
struct tls_multi * tls_multi_init(struct tls_options *tls_options)
Allocate and initialize a tls_multi structure.
Definition: ssl.c:1245
void prng_bytes(uint8_t *output, int len)
Definition: crypto.c:1756
int auth_retry_get(void)
Definition: options.c:4013
int topology
Definition: options.h:224
#define OPT_P_MESSAGES
Definition: options.h:629
const char * print_in_addr_t(in_addr_t addr, unsigned int flags, struct gc_arena *gc)
Definition: socket.c:2835
static void do_init_fragment(struct context *c)
Definition: init.c:3205
static void do_init_buffers(struct context *c)
Definition: init.c:3193
void free_ssl_lib(void)
Definition: ssl.c:358
void set_check_status(unsigned int info_level, unsigned int verbose_level)
Definition: error.c:645
#define OPT_P_COMP
Definition: options.h:628
void buffer_list_advance(struct buffer_list *ol, int n)
Definition: buffer.c:1301
static void * test_crypto_thread(void *arg)
Definition: init.c:4509
int mssfix
Definition: options.h:120
#define sleep(x)
Definition: syshead.h:42
struct frame frame
Definition: openvpn.h:265
bool do_persist_tuntap(const struct options *options)
Definition: init.c:1065
#define DEV_TYPE_TUN
Definition: proto.h:37
int transition_window
Definition: ssl_common.h:268
#define CE_MAN_QUERY_REMOTE_SHIFT
Definition: options.h:133
void management_event_loop_n_seconds(struct management *man, int sec)
Definition: manage.c:3328
static void gc_init(struct gc_arena *a)
Definition: buffer.h:969
int ns_cert_type
Definition: ssl_common.h:282
#define CC_NO_CLOSE
Definition: init.h:108
const struct x509_track * x509_track
Definition: options.h:583
struct sockaddr_in in4
Definition: socket.h:69
void frame_init_mssfix(struct frame *frame, const struct options *options)
Set the –mssfix option.
Definition: mtu.c:130
struct management * management_init(void)
Definition: manage.c:2567
#define CE_MAN_QUERY_REMOTE_ACCEPT
Definition: options.h:129
struct context_buffers * init_context_buffers(const struct frame *frame)
Definition: init.c:3141
void uninit_static(void)
Definition: init.c:943
static void frame_add_to_align_adjust(struct frame *frame, const int increment)
Definition: mtu.h:298
#define M_ERR
Definition: error.h:110
hash_algo_type verify_hash_algo
Definition: ssl_common.h:286
bool xmit_hold
Definition: ssl_common.h:247
static void run_up_down(const char *command, const struct plugin_list *plugins, int plugin_type, const char *arg, DWORD adapter_index, const char *dev_type, int tun_mtu, int link_mtu, const char *ifconfig_local, const char *ifconfig_remote, cons