OpenVPN
init.c
Go to the documentation of this file.
1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single TCP/UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
9  *
10  * This program is free software; you can redistribute it and/or modify
11  * it under the terms of the GNU General Public License version 2
12  * as published by the Free Software Foundation.
13  *
14  * This program is distributed in the hope that it will be useful,
15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17  * GNU General Public License for more details.
18  *
19  * You should have received a copy of the GNU General Public License along
20  * with this program; if not, write to the Free Software Foundation, Inc.,
21  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22  */
23 
24 #ifdef HAVE_CONFIG_H
25 #include "config.h"
26 #elif defined(_MSC_VER)
27 #include "config-msvc.h"
28 #endif
29 
30 #include "syshead.h"
31 
32 #ifdef ENABLE_SYSTEMD
33 #include <systemd/sd-daemon.h>
34 #endif
35 
36 #include "win32.h"
37 #include "init.h"
38 #include "run_command.h"
39 #include "sig.h"
40 #include "occ.h"
41 #include "list.h"
42 #include "otime.h"
43 #include "pool.h"
44 #include "gremlin.h"
45 #include "occ.h"
46 #include "pkcs11.h"
47 #include "ps.h"
48 #include "lladdr.h"
49 #include "ping.h"
50 #include "mstats.h"
51 #include "ssl_verify.h"
52 #include "tls_crypt.h"
53 #include "forward.h"
54 #include "auth_token.h"
55 
56 #include "memdbg.h"
57 
58 
59 static struct context *static_context; /* GLOBAL */
60 
61 /*
62  * Crypto initialization flags
63  */
64 #define CF_LOAD_PERSISTED_PACKET_ID (1<<0)
65 #define CF_INIT_TLS_MULTI (1<<1)
66 #define CF_INIT_TLS_AUTH_STANDALONE (1<<2)
67 
68 static void do_init_first_time(struct context *c);
69 
70 void
72 {
73  CLEAR(*c);
74 }
75 
76 void
78 {
79  CLEAR(c->c1);
80 }
81 
82 void
84 {
85  CLEAR(c->c2);
86 }
87 
88 void
90 {
91  const bool first_time_save = c->first_time;
92  const struct context_persist cpsave = c->persist;
93  context_clear(c);
94  c->first_time = first_time_save;
95  c->persist = cpsave;
96 }
97 
98 /*
99  * Pass tunnel endpoint and MTU parms to a user-supplied script.
100  * Used to execute the up/down script/plugins.
101  */
102 static void
103 run_up_down(const char *command,
104  const struct plugin_list *plugins,
105  int plugin_type,
106  const char *arg,
107 #ifdef _WIN32
108  DWORD adapter_index,
109 #endif
110  const char *dev_type,
111  int tun_mtu,
112  int link_mtu,
113  const char *ifconfig_local,
114  const char *ifconfig_remote,
115  const char *context,
116  const char *signal_text,
117  const char *script_type,
118  struct env_set *es)
119 {
120  struct gc_arena gc = gc_new();
121 
122  if (signal_text)
123  {
124  setenv_str(es, "signal", signal_text);
125  }
126  setenv_str(es, "script_context", context);
127  setenv_int(es, "tun_mtu", tun_mtu);
128  setenv_int(es, "link_mtu", link_mtu);
129  setenv_str(es, "dev", arg);
130  if (dev_type)
131  {
132  setenv_str(es, "dev_type", dev_type);
133  }
134 #ifdef _WIN32
135  setenv_int(es, "dev_idx", adapter_index);
136 #endif
137 
138  if (!ifconfig_local)
139  {
140  ifconfig_local = "";
141  }
142  if (!ifconfig_remote)
143  {
144  ifconfig_remote = "";
145  }
146  if (!context)
147  {
148  context = "";
149  }
150 
151  if (plugin_defined(plugins, plugin_type))
152  {
153  struct argv argv = argv_new();
154  ASSERT(arg);
155  argv_printf(&argv,
156  "%s %d %d %s %s %s",
157  arg,
158  tun_mtu, link_mtu,
159  ifconfig_local, ifconfig_remote,
160  context);
161 
162  if (plugin_call(plugins, plugin_type, &argv, NULL, es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
163  {
164  msg(M_FATAL, "ERROR: up/down plugin call failed");
165  }
166 
167  argv_reset(&argv);
168  }
169 
170  if (command)
171  {
172  struct argv argv = argv_new();
173  ASSERT(arg);
174  setenv_str(es, "script_type", script_type);
175  argv_parse_cmd(&argv, command);
176  argv_printf_cat(&argv, "%s %d %d %s %s %s", arg, tun_mtu, link_mtu,
177  ifconfig_local, ifconfig_remote, context);
178  argv_msg(M_INFO, &argv);
179  openvpn_run_script(&argv, es, S_FATAL, "--up/--down");
180  argv_reset(&argv);
181  }
182 
183  gc_free(&gc);
184 }
185 
186 /*
187  * Should be called after options->ce is modified at the top
188  * of a SIGUSR1 restart.
189  */
190 static void
192 {
193 #if P2MP
194  /*
195  * In pull mode, we usually import --ping/--ping-restart parameters from
196  * the server. However we should also set an initial default --ping-restart
197  * for the period of time before we pull the --ping-restart parameter
198  * from the server.
199  */
200  if (options->pull
201  && options->ping_rec_timeout_action == PING_UNDEF
202  && proto_is_dgram(options->ce.proto))
203  {
206  }
207 #endif
208 }
209 
210 #ifdef ENABLE_MANAGEMENT
211 static bool
212 management_callback_proxy_cmd(void *arg, const char **p)
213 {
214  struct context *c = arg;
215  struct connection_entry *ce = &c->options.ce;
216  struct gc_arena *gc = &c->c2.gc;
217  bool ret = false;
218 
219  update_time();
220  if (streq(p[1], "NONE"))
221  {
222  ret = true;
223  }
224  else if (p[2] && p[3])
225  {
226  if (streq(p[1], "HTTP"))
227  {
228  struct http_proxy_options *ho;
229  if (ce->proto != PROTO_TCP && ce->proto != PROTO_TCP_CLIENT)
230  {
231  msg(M_WARN, "HTTP proxy support only works for TCP based connections");
232  return false;
233  }
235  ho->server = string_alloc(p[2], gc);
236  ho->port = string_alloc(p[3], gc);
237  ho->auth_retry = (p[4] && streq(p[4], "nct") ? PAR_NCT : PAR_ALL);
238  ret = true;
239  }
240  else if (streq(p[1], "SOCKS"))
241  {
242  ce->socks_proxy_server = string_alloc(p[2], gc);
243  ce->socks_proxy_port = string_alloc(p[3], gc);
244  ret = true;
245  }
246  }
247  else
248  {
249  msg(M_WARN, "Bad proxy command");
250  }
251 
252  ce->flags &= ~CE_MAN_QUERY_PROXY;
253 
254  return ret;
255 }
256 
257 static bool
259 {
260  const struct connection_list *l = c->options.connection_list;
261  struct connection_entry *ce = &c->options.ce;
262  struct gc_arena gc;
263  bool ret = true;
264 
265  update_time();
266  if (management)
267  {
268  gc = gc_new();
269  {
270  struct buffer out = alloc_buf_gc(256, &gc);
271  buf_printf(&out, ">PROXY:%u,%s,%s", (l ? l->current : 0) + 1,
272  (proto_is_udp(ce->proto) ? "UDP" : "TCP"), np(ce->remote));
274  }
275  ce->flags |= CE_MAN_QUERY_PROXY;
276  while (ce->flags & CE_MAN_QUERY_PROXY)
277  {
279  if (IS_SIG(c))
280  {
281  ret = false;
282  break;
283  }
284  }
285  gc_free(&gc);
286  }
287 
288  return ret;
289 }
290 
291 
292 static bool
293 management_callback_remote_cmd(void *arg, const char **p)
294 {
295  struct context *c = (struct context *) arg;
296  struct connection_entry *ce = &c->options.ce;
297  int ret = false;
299  {
300  int flags = 0;
301  if (!strcmp(p[1], "ACCEPT"))
302  {
304  ret = true;
305  }
306  else if (!strcmp(p[1], "SKIP"))
307  {
308  flags = CE_MAN_QUERY_REMOTE_SKIP;
309  ret = true;
310  }
311  else if (!strcmp(p[1], "MOD") && p[2] && p[3])
312  {
313  if (strlen(p[2]) < RH_HOST_LEN && strlen(p[3]) < RH_PORT_LEN)
314  {
315  struct remote_host_store *rhs = c->options.rh_store;
316  if (!rhs)
317  {
319  c->options.rh_store = rhs;
320  }
321  strncpynt(rhs->host, p[2], RH_HOST_LEN);
322  strncpynt(rhs->port, p[3], RH_PORT_LEN);
323 
324  ce->remote = rhs->host;
325  ce->remote_port = rhs->port;
326  flags = CE_MAN_QUERY_REMOTE_MOD;
327  ret = true;
328  }
329  }
330  if (ret)
331  {
332  ce->flags &= ~(CE_MAN_QUERY_REMOTE_MASK<<CE_MAN_QUERY_REMOTE_SHIFT);
334  }
335  }
336  return ret;
337 }
338 
339 static bool
341 {
342  struct gc_arena gc = gc_new();
343  volatile struct connection_entry *ce = &c->options.ce;
344  int ce_changed = true; /* presume the connection entry will be changed */
345 
346  update_time();
347  if (management)
348  {
349  struct buffer out = alloc_buf_gc(256, &gc);
350 
351  buf_printf(&out, ">REMOTE:%s,%s,%s", np(ce->remote), ce->remote_port,
352  proto2ascii(ce->proto, ce->af, false));
354 
357  while (((ce->flags >> CE_MAN_QUERY_REMOTE_SHIFT)
359  {
361  if (IS_SIG(c))
362  {
363  ce_changed = false; /* connection entry have not been set */
364  break;
365  }
366  }
367  }
368  gc_free(&gc);
369 
370  if (ce_changed)
371  {
372  /* If it is likely a connection entry was modified,
373  * check what changed in the flags and that it was not skipped
374  */
375  const int flags = ((ce->flags >> CE_MAN_QUERY_REMOTE_SHIFT)
377  ce_changed = (flags != CE_MAN_QUERY_REMOTE_SKIP);
378  }
379  return ce_changed;
380 }
381 #endif /* ENABLE_MANAGEMENT */
382 
383 /*
384  * Initialize and possibly randomize connection list.
385  */
386 static void
388 {
389  struct connection_list *l = c->options.connection_list;
390 
391  l->current = -1;
392  if (c->options.remote_random)
393  {
394  int i;
395  for (i = 0; i < l->len; ++i)
396  {
397  const int j = get_random() % l->len;
398  if (i != j)
399  {
400  struct connection_entry *tmp;
401  tmp = l->array[i];
402  l->array[i] = l->array[j];
403  l->array[j] = tmp;
404  }
405  }
406  }
407 }
408 
409 /*
410  * Clear the remote address list
411  */
412 static void
414 {
415  if (lsa->remote_list && free)
416  {
417  freeaddrinfo(lsa->remote_list);
418  }
419  lsa->remote_list = NULL;
420  lsa->current_remote = NULL;
421 }
422 
423 /*
424  * Increment to next connection entry
425  */
426 static void
428 {
429  struct connection_list *l = c->options.connection_list;
430  bool ce_defined;
431  struct connection_entry *ce;
432  int n_cycles = 0;
433 
434  do
435  {
436  ce_defined = true;
437  if (c->options.no_advance && l->current >= 0)
438  {
439  c->options.no_advance = false;
440  }
441  else
442  {
443  /* Check if there is another resolved address to try for
444  * the current connection */
446  && c->c1.link_socket_addr.current_remote->ai_next)
447  {
449  c->c1.link_socket_addr.current_remote->ai_next;
450  }
451  else
452  {
453  /* FIXME (schwabe) fix the persist-remote-ip option for real,
454  * this is broken probably ever since connection lists and multiple
455  * remote existed
456  */
457  if (!c->options.persist_remote_ip)
458  {
459  /* close_instance should have cleared the addrinfo objects */
462  }
463  else
464  {
467  }
468 
469  /*
470  * Increase the number of connection attempts
471  * If this is connect-retry-max * size(l)
472  * OpenVPN will quit
473  */
474 
476 
477  if (++l->current >= l->len)
478  {
479 
480  l->current = 0;
481  if (++n_cycles >= 2)
482  {
483  msg(M_FATAL, "No usable connection profiles are present");
484  }
485  }
486  }
487  }
488 
489  ce = l->array[l->current];
490 
491  if (ce->flags & CE_DISABLED)
492  {
493  ce_defined = false;
494  }
495 
496  c->options.ce = *ce;
497 #ifdef ENABLE_MANAGEMENT
499  {
500  /* allow management interface to override connection entry details */
501  ce_defined = ce_management_query_remote(c);
502  if (IS_SIG(c))
503  {
504  break;
505  }
506  }
507  else if (ce_defined && management && management_query_proxy_enabled(management))
508  {
509  ce_defined = ce_management_query_proxy(c);
510  if (IS_SIG(c))
511  {
512  break;
513  }
514  }
515 #endif
516  } while (!ce_defined);
517 
518  /* Check if this connection attempt would bring us over the limit */
519  if (c->options.connect_retry_max > 0
521  {
522  msg(M_FATAL, "All connections have been connect-retry-max (%d) times unsuccessful, exiting",
524  }
526 }
527 
528 /*
529  * Query for private key and auth-user-pass username/passwords
530  */
531 void
533 {
534  /* Certificate password input */
535  if (c->options.key_pass_file)
536  {
538  }
539 
540 #if P2MP
541  /* Auth user/pass input */
543  {
544 #ifdef ENABLE_MANAGEMENT
546 #else
548 #endif
549  }
550 #endif
551 }
552 
553 /*
554  * Initialize/Uninitialize HTTP or SOCKS proxy
555  */
556 
557 static void
559 {
560  if (c->c1.http_proxy_owned && c->c1.http_proxy)
561  {
563  c->c1.http_proxy = NULL;
564  c->c1.http_proxy_owned = false;
565  }
566  if (c->c1.socks_proxy_owned && c->c1.socks_proxy)
567  {
569  c->c1.socks_proxy = NULL;
570  c->c1.socks_proxy_owned = false;
571  }
572 }
573 
574 static void
576 {
577  bool did_http = false;
578 
580 
582  {
583  /* Possible HTTP proxy user/pass input */
585  if (c->c1.http_proxy)
586  {
587  did_http = true;
588  c->c1.http_proxy_owned = true;
589  }
590  }
591 
592  if (!did_http && c->options.ce.socks_proxy_server)
593  {
597  if (c->c1.socks_proxy)
598  {
599  c->c1.socks_proxy_owned = true;
600  }
601  }
602 }
603 
604 static void
605 init_proxy(struct context *c)
606 {
608 }
609 
610 static void
612 {
614 }
615 
616 /*
617  * Saves the initial state of NCP-regotiable
618  * options into a storage which persists over SIGUSR1.
619  */
620 static void
622 {
624  c->c1.authname = c->options.authname;
625  c->c1.keysize = c->options.keysize;
626 }
627 
628 /* Restores NCP-negotiable options to original values */
629 static void
631 {
633  c->options.authname = c->c1.authname;
634  c->options.keysize = c->c1.keysize;
635 }
636 
637 void
639 {
640  context_clear_1(c);
641 
643 
645 
646  save_ncp_options(c);
647 
648 #if defined(ENABLE_PKCS11)
649  if (c->first_time)
650  {
651  int i;
652  pkcs11_initialize(true, c->options.pkcs11_pin_cache_period);
653  for (i = 0; i<MAX_PARMS && c->options.pkcs11_providers[i] != NULL; i++)
654  {
655  pkcs11_addProvider(c->options.pkcs11_providers[i], c->options.pkcs11_protected_authentication[i],
656  c->options.pkcs11_private_mode[i], c->options.pkcs11_cert_private[i]);
657  }
658  }
659 #endif
660 
661 #if 0 /* test get_user_pass with GET_USER_PASS_NEED_OK flag */
662  {
663  /*
664  * In the management interface, you can okay the request by entering "needok token-insertion-request ok"
665  */
666  struct user_pass up;
667  CLEAR(up);
668  strcpy(up.username, "Please insert your cryptographic token"); /* put the high-level message in up.username */
669  get_user_pass(&up, NULL, "token-insertion-request", GET_USER_PASS_MANAGEMENT|GET_USER_PASS_NEED_OK);
670  msg(M_INFO, "RET:%s", up.password); /* will return the third argument to management interface
671  * 'needok' command, usually 'ok' or 'cancel'. */
672  }
673 #endif
674 
675 #ifdef ENABLE_SYSTEMD
676  /* We can report the PID via getpid() to systemd here as OpenVPN will not
677  * do any fork due to daemon() a future call.
678  * See possibly_become_daemon() [init.c] for more details.
679  */
680  sd_notifyf(0, "READY=1\nSTATUS=Pre-connection initialization successful\nMAINPID=%lu",
681  (unsigned long) getpid());
682 #endif
683 
684 }
685 
686 void
688 {
689  gc_free(&c->c2.gc);
690  gc_free(&c->options.gc);
691  gc_free(&c->gc);
692 }
693 
694 #if PORT_SHARE
695 
696 static void
697 close_port_share(void)
698 {
699  if (port_share)
700  {
701  port_share_close(port_share);
702  port_share = NULL;
703  }
704 }
705 
706 static void
707 init_port_share(struct context *c)
708 {
709  if (!port_share && (c->options.port_share_host && c->options.port_share_port))
710  {
711  port_share = port_share_open(c->options.port_share_host,
712  c->options.port_share_port,
714  c->options.port_share_journal_dir);
715  if (port_share == NULL)
716  {
717  msg(M_FATAL, "Fatal error: Port sharing failed");
718  }
719  }
720 }
721 
722 #endif /* if PORT_SHARE */
723 
724 
725 bool
727 {
728  /* configure_path (); */
729 
730 #if defined(DMALLOC)
731  crypto_init_dmalloc();
732 #endif
733 
734 
735  /*
736  * Initialize random number seed. random() is only used
737  * when "weak" random numbers are acceptable.
738  * SSL library routines are always used when cryptographically
739  * strong random numbers are required.
740  */
741  struct timeval tv;
742  if (!gettimeofday(&tv, NULL))
743  {
744  const unsigned int seed = (unsigned int) tv.tv_sec ^ tv.tv_usec;
745  srandom(seed);
746  }
747 
748  error_reset(); /* initialize error.c */
749  reset_check_status(); /* initialize status check code in socket.c */
750 
751 #ifdef _WIN32
752  init_win32();
753 #endif
754 
755 #ifdef OPENVPN_DEBUG_COMMAND_LINE
756  {
757  int i;
758  for (i = 0; i < argc; ++i)
759  {
760  msg(M_INFO, "argv[%d] = '%s'", i, argv[i]);
761  }
762  }
763 #endif
764 
765  update_time();
766 
767  init_ssl_lib();
768 
769  /* init PRNG used for IV generation */
770  /* When forking, copy this to more places in the code to avoid fork
771  * random-state predictability */
772  prng_init(NULL, 0);
773 
774 #ifdef PID_TEST
775  packet_id_interactive_test(); /* test the sequence number code */
776  return false;
777 #endif
778 
779 #ifdef SCHEDULE_TEST
780  schedule_test();
781  return false;
782 #endif
783 
784 #ifdef LIST_TEST
785  list_test();
786  return false;
787 #endif
788 
789 #ifdef IFCONFIG_POOL_TEST
790  ifconfig_pool_test(0x0A010004, 0x0A0100FF);
791  return false;
792 #endif
793 
794 #ifdef CHARACTER_CLASS_DEBUG
795  character_class_debug();
796  return false;
797 #endif
798 
799 #ifdef EXTRACT_X509_FIELD_TEST
801  return false;
802 #endif
803 
804 #ifdef TIME_TEST
805  time_test();
806  return false;
807 #endif
808 
809 #ifdef TEST_GET_DEFAULT_GATEWAY
810  {
811  struct route_gateway_info rgi;
812  struct route_ipv6_gateway_info rgi6;
813  get_default_gateway(&rgi);
814  get_default_gateway_ipv6(&rgi6, NULL);
815  print_default_gateway(M_INFO, &rgi, &rgi6);
816  return false;
817  }
818 #endif
819 
820 #ifdef GEN_PATH_TEST
821  {
822  struct gc_arena gc = gc_new();
823  const char *fn = gen_path("foo",
824  "bar",
825  &gc);
826  printf("%s\n", fn);
827  gc_free(&gc);
828  }
829  return false;
830 #endif
831 
832 #ifdef STATUS_PRINTF_TEST
833  {
834  struct gc_arena gc = gc_new();
835  const char *tmp_file = platform_create_temp_file("/tmp", "foo", &gc);
836  struct status_output *so = status_open(tmp_file, 0, -1, NULL, STATUS_OUTPUT_WRITE);
837  status_printf(so, "%s", "foo");
838  status_printf(so, "%s", "bar");
839  if (!status_close(so))
840  {
841  msg(M_WARN, "STATUS_PRINTF_TEST: %s: write error", tmp_file);
842  }
843  gc_free(&gc);
844  }
845  return false;
846 #endif
847 
848 #ifdef ARGV_TEST
849  {
850  void argv_test(void);
851 
852  argv_test();
853  return false;
854  }
855 #endif
856 
857 #ifdef PRNG_TEST
858  {
859  struct gc_arena gc = gc_new();
860  uint8_t rndbuf[8];
861  int i;
862  prng_init("sha1", 16);
863  /*prng_init (NULL, 0);*/
864  const int factor = 1;
865  for (i = 0; i < factor * 8; ++i)
866  {
867 #if 1
868  prng_bytes(rndbuf, sizeof(rndbuf));
869 #else
870  ASSERT(rand_bytes(rndbuf, sizeof(rndbuf)));
871 #endif
872  printf("[%d] %s\n", i, format_hex(rndbuf, sizeof(rndbuf), 0, &gc));
873  }
874  gc_free(&gc);
875  prng_uninit();
876  return false;
877  }
878 #endif /* ifdef PRNG_TEST */
879 
880 #ifdef BUFFER_LIST_AGGREGATE_TEST
881  /* test buffer_list_aggregate function */
882  {
883  static const char *text[] = {
884  "It was a bright cold day in April, ",
885  "and the clocks were striking ",
886  "thirteen. ",
887  "Winston Smith, ",
888  "his chin nuzzled into his breast in an ",
889  "effort to escape the vile wind, ",
890  "slipped quickly through the glass doors ",
891  "of Victory Mansions, though not quickly ",
892  "enough to prevent a swirl of gritty dust from ",
893  "entering along with him."
894  };
895 
896  int iter, listcap;
897  for (listcap = 0; listcap < 12; ++listcap)
898  {
899  for (iter = 0; iter < 512; ++iter)
900  {
901  struct buffer_list *bl = buffer_list_new(listcap);
902  {
903  int i;
904  for (i = 0; i < SIZE(text); ++i)
905  {
906  buffer_list_push(bl, (unsigned char *)text[i]);
907  }
908  }
909  printf("[cap=%d i=%d] *************************\n", listcap, iter);
910  if (!(iter & 8))
911  {
912  buffer_list_aggregate(bl, iter/2);
913  }
914  if (!(iter & 16))
915  {
916  buffer_list_push(bl, (unsigned char *)"Even more text...");
917  }
918  buffer_list_aggregate(bl, iter);
919  if (!(iter & 1))
920  {
921  buffer_list_push(bl, (unsigned char *)"More text...");
922  }
923  {
924  struct buffer *buf;
925  while ((buf = buffer_list_peek(bl)))
926  {
927  int c;
928  printf("'");
929  while ((c = buf_read_u8(buf)) >= 0)
930  {
931  putchar(c);
932  }
933  printf("'\n");
934  buffer_list_advance(bl, 0);
935  }
936  }
937  buffer_list_free(bl);
938  }
939  }
940  return false;
941  }
942 #endif /* ifdef BUFFER_LIST_AGGREGATE_TEST */
943 
944 #ifdef MSTATS_TEST
945  {
946  int i;
947  mstats_open("/dev/shm/mstats.dat");
948  for (i = 0; i < 30; ++i)
949  {
950  mmap_stats->n_clients += 1;
951  mmap_stats->link_write_bytes += 8;
952  mmap_stats->link_read_bytes += 16;
953  sleep(1);
954  }
955  mstats_close();
956  return false;
957  }
958 #endif
959 
960  return true;
961 }
962 
963 void
965 {
966  free_ssl_lib();
967 
968 #ifdef ENABLE_PKCS11
969  pkcs11_terminate();
970 #endif
971 
972 #if PORT_SHARE
973  close_port_share();
974 #endif
975 
976 #if defined(MEASURE_TLS_HANDSHAKE_STATS)
977  show_tls_performance_stats();
978 #endif
979 }
980 
981 void
982 init_verb_mute(struct context *c, unsigned int flags)
983 {
984  if (flags & IVM_LEVEL_1)
985  {
986  /* set verbosity and mute levels */
990  }
991 
992  /* special D_LOG_RW mode */
993  if (flags & IVM_LEVEL_2)
994  {
996  }
997 }
998 
999 /*
1000  * Possibly set --dev based on --dev-node.
1001  * For example, if --dev-node /tmp/foo/tun, and --dev undefined,
1002  * set --dev to tun.
1003  */
1004 void
1006 {
1007  if (!options->dev && options->dev_node)
1008  {
1009  char *dev_node = string_alloc(options->dev_node, NULL); /* POSIX basename() implementations may modify its arguments */
1010  options->dev = basename(dev_node);
1011  }
1012 }
1013 
1014 bool
1016 {
1017  /*
1018  * OpenSSL info print mode?
1019  */
1020  if (options->show_ciphers || options->show_digests || options->show_engines
1021  || options->show_tls_ciphers || options->show_curves)
1022  {
1023  if (options->show_ciphers)
1024  {
1026  }
1027  if (options->show_digests)
1028  {
1030  }
1031  if (options->show_engines)
1032  {
1034  }
1035  if (options->show_tls_ciphers)
1036  {
1038  options->cipher_list_tls13,
1039  options->tls_cert_profile);
1040  }
1041  if (options->show_curves)
1042  {
1044  }
1045  return true;
1046  }
1047  return false;
1048 }
1049 
1050 /*
1051  * Static pre-shared key generation mode?
1052  */
1053 bool
1054 do_genkey(const struct options *options)
1055 {
1056  /* should we disable paging? */
1057  if (options->mlock && (options->genkey))
1058  {
1059  platform_mlockall(true);
1060  }
1061 
1062  /*
1063  * We do not want user to use --genkey with --secret. In the transistion
1064  * phase we for secret.
1065  */
1066  if (options->genkey && options->genkey_type != GENKEY_SECRET
1067  && options->shared_secret_file)
1068  {
1069  msg(M_USAGE, "Using --genkey type with --secret filename is "
1070  "not supported. Use --genkey type filename instead.");
1071  }
1072  if (options->genkey && options->genkey_type == GENKEY_SECRET)
1073  {
1074  int nbits_written;
1075  const char *genkey_filename = options->genkey_filename;
1076  if (options->shared_secret_file && options->genkey_filename)
1077  {
1078  msg(M_USAGE, "You must provide a filename to either --genkey "
1079  "or --secret, not both");
1080  }
1081 
1082  /*
1083  * Copy filename from shared_secret_file to genkey_filename to support
1084  * the old --genkey --secret foo.file syntax.
1085  */
1086  if (options->shared_secret_file)
1087  {
1088  msg(M_WARN, "WARNING: Using --genkey --secret filename is "
1089  "DEPRECATED. Use --genkey secret filename instead.");
1090  genkey_filename = options->shared_secret_file;
1091  }
1092 
1093  nbits_written = write_key_file(2, genkey_filename);
1094  if (nbits_written < 0)
1095  {
1096  msg(M_FATAL, "Failed to write key file");
1097  }
1098 
1100  "Randomly generated %d bit key written to %s", nbits_written,
1101  options->shared_secret_file);
1102  return true;
1103  }
1104  else if (options->genkey && options->genkey_type == GENKEY_TLS_CRYPTV2_SERVER)
1105  {
1107  return true;
1108  }
1109  else if (options->genkey && options->genkey_type == GENKEY_TLS_CRYPTV2_CLIENT)
1110  {
1111  if (!options->tls_crypt_v2_file)
1112  {
1113  msg(M_USAGE,
1114  "--genkey tls-crypt-v2-client requires a server key to be set via --tls-crypt-v2 to create a client key");
1115  }
1116 
1118  options->genkey_extra_data, options->tls_crypt_v2_file,
1119  options->tls_crypt_v2_inline);
1120  return true;
1121  }
1122  else if (options->genkey && options->genkey_type == GENKEY_AUTH_TOKEN)
1123  {
1125  return true;
1126  }
1127  else
1128  {
1129  return false;
1130  }
1131 }
1132 
1133 /*
1134  * Persistent TUN/TAP device management mode?
1135  */
1136 bool
1138 {
1139  if (options->persist_config)
1140  {
1141  /* sanity check on options for --mktun or --rmtun */
1142  notnull(options->dev, "TUN/TAP device (--dev)");
1143  if (options->ce.remote || options->ifconfig_local
1144  || options->ifconfig_remote_netmask
1145  || options->shared_secret_file
1146  || options->tls_server || options->tls_client
1147  )
1148  {
1150  "options --mktun or --rmtun should only be used together with --dev");
1151  }
1152 #ifdef ENABLE_FEATURE_TUN_PERSIST
1153  tuncfg(options->dev, options->dev_type, options->dev_node,
1154  options->persist_mode,
1155  options->username, options->groupname, &options->tuntap_options,
1156  ctx);
1157  if (options->persist_mode && options->lladdr)
1158  {
1159  set_lladdr(options->dev, options->lladdr, NULL);
1160  }
1161  return true;
1162 #else /* ifdef ENABLE_FEATURE_TUN_PERSIST */
1163  msg( M_FATAL|M_OPTERR,
1164  "options --mktun and --rmtun are not available on your operating "
1165  "system. Please check 'man tun' (or 'tap'), whether your system "
1166  "supports using 'ifconfig %s create' / 'destroy' to create/remove "
1167  "persistent tunnel interfaces.", options->dev );
1168 #endif
1169  }
1170  return false;
1171 }
1172 
1173 /*
1174  * Should we become a daemon?
1175  * Return true if we did it.
1176  */
1177 bool
1179 {
1180  bool ret = false;
1181 
1182 #ifdef ENABLE_SYSTEMD
1183  /* return without forking if we are running from systemd */
1184  if (sd_notify(0, "READY=0") > 0)
1185  {
1186  return ret;
1187  }
1188 #endif
1189 
1190  if (options->daemon)
1191  {
1192  ASSERT(!options->inetd);
1193  /* Don't chdir immediately, but the end of the init sequence, if needed */
1194  if (daemon(1, options->log) < 0)
1195  {
1196  msg(M_ERR, "daemon() failed or unsupported");
1197  }
1199  if (options->log)
1200  {
1201  set_std_files_to_null(true);
1202  }
1203 
1204  ret = true;
1205  }
1206  return ret;
1207 }
1208 
1209 /*
1210  * Actually do UID/GID downgrade, chroot and SELinux context switching, if requested.
1211  */
1212 static void
1213 do_uid_gid_chroot(struct context *c, bool no_delay)
1214 {
1215  static const char why_not[] = "will be delayed because of --client, --pull, or --up-delay";
1216  struct context_0 *c0 = c->c0;
1217 
1218  if (c0 && !c0->uid_gid_chroot_set)
1219  {
1220  /* chroot if requested */
1221  if (c->options.chroot_dir)
1222  {
1223  if (no_delay)
1224  {
1226  }
1227  else if (c->first_time)
1228  {
1229  msg(M_INFO, "NOTE: chroot %s", why_not);
1230  }
1231  }
1232 
1233  /* set user and/or group if we want to setuid/setgid */
1234  if (c0->uid_gid_specified)
1235  {
1236  if (no_delay)
1237  {
1240  }
1241  else if (c->first_time)
1242  {
1243  msg(M_INFO, "NOTE: UID/GID downgrade %s", why_not);
1244  }
1245  }
1246 
1247 #ifdef ENABLE_MEMSTATS
1248  if (c->first_time && c->options.memstats_fn)
1249  {
1250  mstats_open(c->options.memstats_fn);
1251  }
1252 #endif
1253 
1254 #ifdef ENABLE_SELINUX
1255  /* Apply a SELinux context in order to restrict what OpenVPN can do
1256  * to _only_ what it is supposed to do after initialization is complete
1257  * (basically just network I/O operations). Doing it after chroot
1258  * requires /proc to be mounted in the chroot (which is annoying indeed
1259  * but doing it before requires more complex SELinux policies.
1260  */
1261  if (c->options.selinux_context)
1262  {
1263  if (no_delay)
1264  {
1265  if (-1 == setcon(c->options.selinux_context))
1266  {
1267  msg(M_ERR, "setcon to '%s' failed; is /proc accessible?", c->options.selinux_context);
1268  }
1269  else
1270  {
1271  msg(M_INFO, "setcon to '%s' succeeded", c->options.selinux_context);
1272  }
1273  }
1274  else if (c->first_time)
1275  {
1276  msg(M_INFO, "NOTE: setcon %s", why_not);
1277  }
1278  }
1279 #endif
1280 
1281  /* Privileges are going to be dropped by now (if requested), be sure
1282  * to prevent any future privilege dropping attempts from now on.
1283  */
1284  if (no_delay)
1285  {
1286  c0->uid_gid_chroot_set = true;
1287  }
1288  }
1289 }
1290 
1291 /*
1292  * Return common name in a way that is formatted for
1293  * prepending to msg() output.
1294  */
1295 const char *
1296 format_common_name(struct context *c, struct gc_arena *gc)
1297 {
1298  struct buffer out = alloc_buf_gc(256, gc);
1299  if (c->c2.tls_multi)
1300  {
1301  buf_printf(&out, "[%s] ", tls_common_name(c->c2.tls_multi, false));
1302  }
1303  return BSTR(&out);
1304 }
1305 
1306 void
1307 pre_setup(const struct options *options)
1308 {
1309 #ifdef _WIN32
1310  if (options->exit_event_name)
1311  {
1314  options->exit_event_name,
1315  options->exit_event_initial_state);
1316  }
1317  else
1318  {
1321  NULL,
1322  false);
1323 
1324  /* put a title on the top window bar */
1326  {
1328  window_title_generate(options->config);
1329  }
1330  }
1331 #endif /* ifdef _WIN32 */
1332 }
1333 
1334 void
1336 {
1337  c->c2.coarse_timer_wakeup = 0;
1338 }
1339 
1340 /*
1341  * Initialise the server poll timeout timer
1342  * This timer is used in the http/socks proxy setup so it needs to be setup
1343  * before
1344  */
1345 static void
1347 {
1348  update_time();
1349  if (c->options.ce.connect_timeout)
1350  {
1352  }
1353 }
1354 
1355 /*
1356  * Initialize timers
1357  */
1358 static void
1359 do_init_timers(struct context *c, bool deferred)
1360 {
1361  update_time();
1363 
1364  /* initialize inactivity timeout */
1365  if (c->options.inactivity_timeout)
1366  {
1368  }
1369 
1370  /* initialize pings */
1371 
1372  if (c->options.ping_send_timeout)
1373  {
1375  }
1376 
1377  if (c->options.ping_rec_timeout)
1378  {
1380  }
1381 
1382  if (!deferred)
1383  {
1384  /* initialize connection establishment timer */
1386 
1387 #ifdef ENABLE_OCC
1388  /* initialize occ timers */
1389 
1390  if (c->options.occ
1391  && !TLS_MODE(c)
1393  {
1395  }
1396 
1397  if (c->options.mtu_test)
1398  {
1400  }
1401 #endif
1402 
1403  /* initialize packet_id persistence timer */
1404  if (c->options.packet_id_file)
1405  {
1407  }
1408 
1409  /* initialize tmp_int optimization that limits the number of times we call
1410  * tls_multi_process in the main event loop */
1412  }
1413 }
1414 
1415 /*
1416  * Initialize traffic shaper.
1417  */
1418 static void
1420 {
1421 #ifdef ENABLE_FEATURE_SHAPER
1422  /* initialize traffic shaper (i.e. transmit bandwidth limiter) */
1423  if (c->options.shaper)
1424  {
1425  shaper_init(&c->c2.shaper, c->options.shaper);
1426  shaper_msg(&c->c2.shaper);
1427  }
1428 #endif
1429 }
1430 
1431 /*
1432  * Allocate route list structures for IPv4 and IPv6
1433  * (we do this for IPv4 even if no --route option has been seen, as other
1434  * parts of OpenVPN might want to fill the route-list with info, e.g. DHCP)
1435  */
1436 static void
1438 {
1439  if (!c->c1.route_list)
1440  {
1441  ALLOC_OBJ_CLEAR_GC(c->c1.route_list, struct route_list, &c->gc);
1442  }
1443  if (c->options.routes_ipv6 && !c->c1.route_ipv6_list)
1444  {
1446  }
1447 }
1448 
1449 
1450 /*
1451  * Initialize the route list, resolving any DNS names in route
1452  * options and saving routes in the environment.
1453  */
1454 static void
1456  struct route_list *route_list,
1457  const struct link_socket_info *link_socket_info,
1458  struct env_set *es,
1459  openvpn_net_ctx_t *ctx)
1460 {
1461  const char *gw = NULL;
1462  int dev = dev_type_enum(options->dev, options->dev_type);
1463  int metric = 0;
1464 
1465  if (dev == DEV_TYPE_TUN && (options->topology == TOP_NET30 || options->topology == TOP_P2P))
1466  {
1467  gw = options->ifconfig_remote_netmask;
1468  }
1469  if (options->route_default_gateway)
1470  {
1471  gw = options->route_default_gateway;
1472  }
1473  if (options->route_default_metric)
1474  {
1475  metric = options->route_default_metric;
1476  }
1477 
1478  if (init_route_list(route_list,
1479  options->routes,
1480  gw,
1481  metric,
1482  link_socket_current_remote(link_socket_info),
1483  es,
1484  ctx))
1485  {
1486  /* copy routes to environment */
1487  setenv_routes(es, route_list);
1488  }
1489 }
1490 
1491 static void
1494  const struct link_socket_info *link_socket_info,
1495  struct env_set *es,
1496  openvpn_net_ctx_t *ctx)
1497 {
1498  const char *gw = NULL;
1499  int metric = -1; /* no metric set */
1500 
1501  gw = options->ifconfig_ipv6_remote; /* default GW = remote end */
1502  if (options->route_ipv6_default_gateway)
1503  {
1504  gw = options->route_ipv6_default_gateway;
1505  }
1506 
1507  if (options->route_default_metric)
1508  {
1509  metric = options->route_default_metric;
1510  }
1511 
1512  /* redirect (IPv6) gateway to VPN? if yes, add a few more specifics
1513  */
1514  if (options->routes_ipv6->flags & RG_REROUTE_GW)
1515  {
1516  char *opt_list[] = { "::/3", "2000::/4", "3000::/4", "fc00::/7", NULL };
1517  int i;
1518 
1519  for (i = 0; opt_list[i]; i++)
1520  {
1522  string_alloc(opt_list[i], options->routes_ipv6->gc),
1523  NULL, NULL );
1524  }
1525  }
1526 
1527  if (init_route_ipv6_list(route_ipv6_list,
1528  options->routes_ipv6,
1529  gw,
1530  metric,
1531  link_socket_current_remote_ipv6(link_socket_info),
1532  es,
1533  ctx))
1534  {
1535  /* copy routes to environment */
1536  setenv_routes_ipv6(es, route_ipv6_list);
1537  }
1538 }
1539 
1540 
1541 /*
1542  * Called after all initialization has been completed.
1543  */
1544 void
1545 initialization_sequence_completed(struct context *c, const unsigned int flags)
1546 {
1547  static const char message[] = "Initialization Sequence Completed";
1548 
1549  /* Reset the unsuccessful connection counter on complete initialisation */
1551 
1552  /* If we delayed UID/GID downgrade or chroot, do it now */
1553  do_uid_gid_chroot(c, true);
1554 
1555 
1556  /*
1557  * In some cases (i.e. when receiving auth-token via
1558  * push-reply) the auth-nocache option configured on the
1559  * client is overridden; for this reason we have to wait
1560  * for the push-reply message before attempting to wipe
1561  * the user/pass entered by the user
1562  */
1563  if (c->options.mode == MODE_POINT_TO_POINT)
1564  {
1566  }
1567 
1568  /* Test if errors */
1569  if (flags & ISC_ERRORS)
1570  {
1571 #ifdef _WIN32
1574  msg(M_INFO, "%s With Errors ( see http://openvpn.net/faq.html#dhcpclientserv )", message);
1575 #else
1576 #ifdef ENABLE_SYSTEMD
1577  sd_notifyf(0, "STATUS=Failed to start up: %s With Errors\nERRNO=1", message);
1578 #endif /* HAVE_SYSTEMD_SD_DAEMON_H */
1579  msg(M_INFO, "%s With Errors", message);
1580 #endif
1581  }
1582  else
1583  {
1584 #ifdef ENABLE_SYSTEMD
1585  sd_notifyf(0, "STATUS=%s", message);
1586 #endif
1587  msg(M_INFO, "%s", message);
1588  }
1589 
1590  /* Flag that we initialized */
1591  if ((flags & (ISC_ERRORS|ISC_SERVER)) == 0)
1592  {
1593  c->options.no_advance = true;
1594  }
1595 
1596 #ifdef _WIN32
1598 #endif
1599 
1600 #ifdef ENABLE_MANAGEMENT
1601  /* Tell management interface that we initialized */
1602  if (management)
1603  {
1604  in_addr_t *tun_local = NULL;
1605  struct in6_addr *tun_local6 = NULL;
1606  struct openvpn_sockaddr local, remote;
1607  struct link_socket_actual *actual;
1608  socklen_t sa_len = sizeof(local);
1609  const char *detail = "SUCCESS";
1610  if (flags & ISC_ERRORS)
1611  {
1612  detail = "ERROR";
1613  }
1614 
1615  CLEAR(local);
1616  actual = &get_link_socket_info(c)->lsa->actual;
1617  remote = actual->dest;
1618  getsockname(c->c2.link_socket->sd, &local.addr.sa, &sa_len);
1619 #if ENABLE_IP_PKTINFO
1620  if (!addr_defined(&local))
1621  {
1622  switch (local.addr.sa.sa_family)
1623  {
1624  case AF_INET:
1625 #if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST)
1626  local.addr.in4.sin_addr = actual->pi.in4.ipi_spec_dst;
1627 #else
1628  local.addr.in4.sin_addr = actual->pi.in4;
1629 #endif
1630  break;
1631 
1632  case AF_INET6:
1633  local.addr.in6.sin6_addr = actual->pi.in6.ipi6_addr;
1634  break;
1635  }
1636  }
1637 #endif
1638 
1639  if (c->c1.tuntap)
1640  {
1641  tun_local = &c->c1.tuntap->local;
1642  tun_local6 = &c->c1.tuntap->local_ipv6;
1643  }
1646  detail,
1647  tun_local,
1648  tun_local6,
1649  &local,
1650  &remote);
1651  if (tun_local)
1652  {
1654  }
1655  }
1656 #endif /* ifdef ENABLE_MANAGEMENT */
1657 }
1658 
1659 /*
1660  * Possibly add routes and/or call route-up script
1661  * based on options.
1662  */
1663 void
1664 do_route(const struct options *options,
1665  struct route_list *route_list,
1667  const struct tuntap *tt,
1668  const struct plugin_list *plugins,
1669  struct env_set *es,
1670  openvpn_net_ctx_t *ctx)
1671 {
1672  if (!options->route_noexec && ( route_list || route_ipv6_list ) )
1673  {
1674  add_routes(route_list, route_ipv6_list, tt, ROUTE_OPTION_FLAGS(options),
1675  es, ctx);
1676  setenv_int(es, "redirect_gateway", route_did_redirect_default_gateway(route_list));
1677  }
1678 #ifdef ENABLE_MANAGEMENT
1679  if (management)
1680  {
1681  management_up_down(management, "UP", es);
1682  }
1683 #endif
1684 
1686  {
1687  if (plugin_call(plugins, OPENVPN_PLUGIN_ROUTE_UP, NULL, NULL, es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
1688  {
1689  msg(M_WARN, "WARNING: route-up plugin call failed");
1690  }
1691  }
1692 
1693  if (options->route_script)
1694  {
1695  struct argv argv = argv_new();
1696  setenv_str(es, "script_type", "route-up");
1697  argv_parse_cmd(&argv, options->route_script);
1698  openvpn_run_script(&argv, es, 0, "--route-up");
1699  argv_reset(&argv);
1700  }
1701 
1702 #ifdef _WIN32
1703  if (options->show_net_up)
1704  {
1707  }
1708  else if (check_debug_level(D_SHOW_NET))
1709  {
1712  }
1713 #endif
1714 }
1715 
1716 /*
1717  * initialize tun/tap device object
1718  */
1719 static void
1721 {
1722  c->c1.tuntap = init_tun(c->options.dev,
1723  c->options.dev_type,
1724  c->options.topology,
1733  c->c2.es,
1734  &c->net_ctx);
1735 
1736  init_tun_post(c->c1.tuntap,
1737  &c->c2.frame,
1738  &c->options.tuntap_options);
1739 
1740  c->c1.tuntap_owned = true;
1741 }
1742 
1743 /*
1744  * Open tun/tap device, ifconfig, call up script, etc.
1745  */
1746 
1747 static bool
1749 {
1750  struct gc_arena gc = gc_new();
1751  bool ret = false;
1752 
1753 #ifndef TARGET_ANDROID
1754  if (!c->c1.tuntap)
1755  {
1756 #endif
1757 
1758 #ifdef TARGET_ANDROID
1759  /* If we emulate persist-tun on android we still have to open a new tun and
1760  * then close the old */
1761  int oldtunfd = -1;
1762  if (c->c1.tuntap)
1763  {
1764  oldtunfd = c->c1.tuntap->fd;
1765  free(c->c1.tuntap);
1766  c->c1.tuntap = NULL;
1767  c->c1.tuntap_owned = false;
1768  }
1769 #endif
1770 
1771  /* initialize (but do not open) tun/tap object */
1772  do_init_tun(c);
1773 
1774 #ifdef _WIN32
1775  /* store (hide) interactive service handle in tuntap_options */
1777  msg(D_ROUTE, "interactive service msg_channel=%u", (unsigned int) c->options.msg_channel);
1778 #endif
1779 
1780  /* allocate route list structure */
1782 
1783  /* parse and resolve the route option list */
1784  ASSERT(c->c2.link_socket);
1785  if (c->options.routes && c->c1.route_list)
1786  {
1788  &c->c2.link_socket->info, c->c2.es, &c->net_ctx);
1789  }
1790  if (c->options.routes_ipv6 && c->c1.route_ipv6_list)
1791  {
1793  &c->c2.link_socket->info, c->c2.es,
1794  &c->net_ctx);
1795  }
1796 
1797  /* do ifconfig */
1798  if (!c->options.ifconfig_noexec
1800  {
1801  /* guess actual tun/tap unit number that will be returned
1802  * by open_tun */
1803  const char *guess = guess_tuntap_dev(c->options.dev,
1804  c->options.dev_type,
1805  c->options.dev_node,
1806  &gc);
1807  do_ifconfig(c->c1.tuntap, guess, TUN_MTU_SIZE(&c->c2.frame), c->c2.es,
1808  &c->net_ctx);
1809  }
1810 
1811  /* possibly add routes */
1812  if (route_order() == ROUTE_BEFORE_TUN)
1813  {
1814  /* Ignore route_delay, would cause ROUTE_BEFORE_TUN to be ignored */
1816  c->c1.tuntap, c->plugins, c->c2.es, &c->net_ctx);
1817  }
1818 #ifdef TARGET_ANDROID
1819  /* Store the old fd inside the fd so open_tun can use it */
1820  c->c1.tuntap->fd = oldtunfd;
1821 #endif
1822  /* open the tun device */
1824  c->c1.tuntap);
1825 
1826  /* set the hardware address */
1827  if (c->options.lladdr)
1828  {
1830  }
1831 
1832  /* do ifconfig */
1833  if (!c->options.ifconfig_noexec
1835  {
1837  TUN_MTU_SIZE(&c->c2.frame), c->c2.es, &c->net_ctx);
1838  }
1839 
1840  /* run the up script */
1842  c->plugins,
1844  c->c1.tuntap->actual_name,
1845 #ifdef _WIN32
1846  c->c1.tuntap->adapter_index,
1847 #endif
1849  TUN_MTU_SIZE(&c->c2.frame),
1850  EXPANDED_SIZE(&c->c2.frame),
1853  "init",
1854  NULL,
1855  "up",
1856  c->c2.es);
1857 
1858 #if defined(_WIN32)
1859  if (c->options.block_outside_dns)
1860  {
1861  dmsg(D_LOW, "Blocking outside DNS");
1863  {
1864  msg(M_FATAL, "Blocking DNS failed!");
1865  }
1866  }
1867 #endif
1868 
1869  /* possibly add routes */
1871  {
1873  c->c1.tuntap, c->plugins, c->c2.es, &c->net_ctx);
1874  }
1875 
1876  /*
1877  * Did tun/tap driver give us an MTU?
1878  */
1879  if (c->c1.tuntap->post_open_mtu)
1880  {
1882  c->c1.tuntap->post_open_mtu,
1884  }
1885 
1886  ret = true;
1887  static_context = c;
1888 #ifndef TARGET_ANDROID
1889 }
1890 else
1891 {
1892  msg(M_INFO, "Preserving previous TUN/TAP instance: %s",
1893  c->c1.tuntap->actual_name);
1894 
1895  /* explicitly set the ifconfig_* env vars */
1896  do_ifconfig_setenv(c->c1.tuntap, c->c2.es);
1897 
1898  /* run the up script if user specified --up-restart */
1899  if (c->options.up_restart)
1900  {
1902  c->plugins,
1904  c->c1.tuntap->actual_name,
1905 #ifdef _WIN32
1906  c->c1.tuntap->adapter_index,
1907 #endif
1909  TUN_MTU_SIZE(&c->c2.frame),
1910  EXPANDED_SIZE(&c->c2.frame),
1913  "restart",
1914  NULL,
1915  "up",
1916  c->c2.es);
1917  }
1918 #if defined(_WIN32)
1919  if (c->options.block_outside_dns)
1920  {
1921  dmsg(D_LOW, "Blocking outside DNS");
1923  {
1924  msg(M_FATAL, "Blocking DNS failed!");
1925  }
1926  }
1927 #endif
1928 
1929 }
1930 #endif /* ifndef TARGET_ANDROID */
1931  gc_free(&gc);
1932  return ret;
1933 }
1934 
1935 /*
1936  * Close TUN/TAP device
1937  */
1938 
1939 static void
1941 {
1942  msg(D_CLOSE, "Closing TUN/TAP interface");
1943  if (c->c1.tuntap)
1944  {
1945  close_tun(c->c1.tuntap, &c->net_ctx);
1946  c->c1.tuntap = NULL;
1947  }
1948  c->c1.tuntap_owned = false;
1949 #if P2MP
1951 #endif
1952 }
1953 
1954 static void
1955 do_close_tun(struct context *c, bool force)
1956 {
1957  struct gc_arena gc = gc_new();
1958  if (c->c1.tuntap && c->c1.tuntap_owned)
1959  {
1960  const char *tuntap_actual = string_alloc(c->c1.tuntap->actual_name, &gc);
1961 #ifdef _WIN32
1962  DWORD adapter_index = c->c1.tuntap->adapter_index;
1963 #endif
1964  const in_addr_t local = c->c1.tuntap->local;
1965  const in_addr_t remote_netmask = c->c1.tuntap->remote_netmask;
1966 
1967  if (force || !(c->sig->signal_received == SIGUSR1 && c->options.persist_tun))
1968  {
1969  static_context = NULL;
1970 
1971 #ifdef ENABLE_MANAGEMENT
1972  /* tell management layer we are about to close the TUN/TAP device */
1973  if (management)
1974  {
1976  management_up_down(management, "DOWN", c->c2.es);
1977  }
1978 #endif
1979 
1980  /* delete any routes we added */
1981  if (c->c1.route_list || c->c1.route_ipv6_list)
1982  {
1984  c->plugins,
1986  tuntap_actual,
1987 #ifdef _WIN32
1988  adapter_index,
1989 #endif
1990  NULL,
1991  TUN_MTU_SIZE(&c->c2.frame),
1992  EXPANDED_SIZE(&c->c2.frame),
1993  print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc),
1994  print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
1995  "init",
1997  c->sig->signal_text),
1998  "route-pre-down",
1999  c->c2.es);
2000 
2003  c->c2.es, &c->net_ctx);
2004  }
2005 
2006  /* actually close tun/tap device based on --down-pre flag */
2007  if (!c->options.down_pre)
2008  {
2010  }
2011 
2012  /* Run the down script -- note that it will run at reduced
2013  * privilege if, for example, "--user nobody" was used. */
2015  c->plugins,
2017  tuntap_actual,
2018 #ifdef _WIN32
2019  adapter_index,
2020 #endif
2021  NULL,
2022  TUN_MTU_SIZE(&c->c2.frame),
2023  EXPANDED_SIZE(&c->c2.frame),
2024  print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc),
2025  print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
2026  "init",
2028  c->sig->signal_text),
2029  "down",
2030  c->c2.es);
2031 
2032 #if defined(_WIN32)
2033  if (c->options.block_outside_dns)
2034  {
2035  if (!win_wfp_uninit(adapter_index, c->options.msg_channel))
2036  {
2037  msg(M_FATAL, "Uninitialising WFP failed!");
2038  }
2039  }
2040 #endif
2041 
2042  /* actually close tun/tap device based on --down-pre flag */
2043  if (c->options.down_pre)
2044  {
2046  }
2047  }
2048  else
2049  {
2050  /* run the down script on this restart if --up-restart was specified */
2051  if (c->options.up_restart)
2052  {
2054  c->plugins,
2056  tuntap_actual,
2057 #ifdef _WIN32
2058  adapter_index,
2059 #endif
2060  NULL,
2061  TUN_MTU_SIZE(&c->c2.frame),
2062  EXPANDED_SIZE(&c->c2.frame),
2063  print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc),
2064  print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
2065  "restart",
2067  c->sig->signal_text),
2068  "down",
2069  c->c2.es);
2070  }
2071 
2072 #if defined(_WIN32)
2073  if (c->options.block_outside_dns)
2074  {
2075  if (!win_wfp_uninit(adapter_index, c->options.msg_channel))
2076  {
2077  msg(M_FATAL, "Uninitialising WFP failed!");
2078  }
2079  }
2080 #endif
2081 
2082  }
2083  }
2084  gc_free(&gc);
2085 }
2086 
2087 void
2089 {
2090  struct context *c = static_context;
2091  if (c)
2092  {
2093  static_context = NULL;
2094  do_close_tun(c, true);
2095  }
2096 }
2097 
2098 /*
2099  * Handle delayed tun/tap interface bringup due to --up-delay or --pull
2100  */
2101 
2102 #if P2MP
2103 
2107 static bool
2109  const struct sha256_digest *b)
2110 {
2111  const struct sha256_digest zero = {{0}};
2112  return memcmp(a, b, sizeof(struct sha256_digest))
2113  || !memcmp(a, &zero, sizeof(struct sha256_digest));
2114 }
2115 #endif /* P2MP */
2116 
2117 bool
2118 do_up(struct context *c, bool pulled_options, unsigned int option_types_found)
2119 {
2120  if (!c->c2.do_up_ran)
2121  {
2123 
2124  if (pulled_options)
2125  {
2126  if (!do_deferred_options(c, option_types_found))
2127  {
2128  msg(D_PUSH_ERRORS, "ERROR: Failed to apply push options");
2129  return false;
2130  }
2131  }
2132 
2133  /* if --up-delay specified, open tun, do ifconfig, and run up script now */
2134  if (c->options.up_delay || PULL_DEFINED(&c->options))
2135  {
2136  c->c2.did_open_tun = do_open_tun(c);
2137  update_time();
2138 
2139 #if P2MP
2140  /*
2141  * Was tun interface object persisted from previous restart iteration,
2142  * and if so did pulled options string change from previous iteration?
2143  */
2144  if (!c->c2.did_open_tun
2145  && PULL_DEFINED(&c->options)
2146  && c->c1.tuntap
2149  {
2150  /* if so, close tun, delete routes, then reinitialize tun and add routes */
2151  msg(M_INFO, "NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.");
2152  do_close_tun(c, true);
2153  management_sleep(1);
2154  c->c2.did_open_tun = do_open_tun(c);
2155  update_time();
2156  }
2157 #endif
2158  }
2159 
2160  if (c->c2.did_open_tun)
2161  {
2162 #if P2MP
2164 #endif
2165 
2166  /* if --route-delay was specified, start timer */
2168  {
2171  if (c->c1.tuntap)
2172  {
2174  }
2175  }
2176  else
2177  {
2178  initialization_sequence_completed(c, 0); /* client/p2p --route-delay undefined */
2179  }
2180  }
2181  else if (c->options.mode == MODE_POINT_TO_POINT)
2182  {
2183  initialization_sequence_completed(c, 0); /* client/p2p restart with --persist-tun */
2184  }
2185 
2186  c->c2.do_up_ran = true;
2187  }
2188  return true;
2189 }
2190 
2191 /*
2192  * These are the option categories which will be accepted by pull.
2193  */
2194 unsigned int
2196 {
2197  unsigned int flags =
2198  OPT_P_UP
2200  | OPT_P_SOCKBUF
2201  | OPT_P_SOCKFLAGS
2202  | OPT_P_SETENV
2203  | OPT_P_SHAPER
2204  | OPT_P_TIMER
2205  | OPT_P_COMP
2206  | OPT_P_PERSIST
2207  | OPT_P_MESSAGES
2209  | OPT_P_ECHO
2210  | OPT_P_PULL_MODE
2211  | OPT_P_PEER_ID;
2212 
2213  if (!c->options.route_nopull)
2214  {
2215  flags |= (OPT_P_ROUTE | OPT_P_IPWIN32);
2216  }
2217 
2218  if (c->options.ncp_enabled)
2219  {
2220  flags |= OPT_P_NCP;
2221  }
2222 
2223  return flags;
2224 }
2225 
2226 /*
2227  * Handle non-tun-related pulled options.
2228  */
2229 bool
2230 do_deferred_options(struct context *c, const unsigned int found)
2231 {
2232  if (found & OPT_P_MESSAGES)
2233  {
2235  msg(D_PUSH, "OPTIONS IMPORT: --verb and/or --mute level changed");
2236  }
2237  if (found & OPT_P_TIMER)
2238  {
2239  do_init_timers(c, true);
2240  msg(D_PUSH, "OPTIONS IMPORT: timers and/or timeouts modified");
2241  }
2242 
2243 #ifdef ENABLE_OCC
2244  if (found & OPT_P_EXPLICIT_NOTIFY)
2245  {
2247  {
2248  msg(D_PUSH, "OPTIONS IMPORT: --explicit-exit-notify can only be used with --proto udp");
2250  }
2251  else
2252  {
2253  msg(D_PUSH, "OPTIONS IMPORT: explicit notify parm(s) modified");
2254  }
2255  }
2256 #endif
2257 
2258 #ifdef USE_COMP
2259  if (found & OPT_P_COMP)
2260  {
2261  msg(D_PUSH, "OPTIONS IMPORT: compression parms modified");
2262  comp_uninit(c->c2.comp_context);
2263  c->c2.comp_context = comp_init(&c->options.comp);
2264  }
2265 #endif
2266 
2267  if (found & OPT_P_SHAPER)
2268  {
2269  msg(D_PUSH, "OPTIONS IMPORT: traffic shaper enabled");
2271  }
2272 
2273  if (found & OPT_P_SOCKBUF)
2274  {
2275  msg(D_PUSH, "OPTIONS IMPORT: --sndbuf/--rcvbuf options modified");
2277  }
2278 
2279  if (found & OPT_P_SOCKFLAGS)
2280  {
2281  msg(D_PUSH, "OPTIONS IMPORT: --socket-flags option modified");
2283  }
2284 
2285  if (found & OPT_P_PERSIST)
2286  {
2287  msg(D_PUSH, "OPTIONS IMPORT: --persist options modified");
2288  }
2289  if (found & OPT_P_UP)
2290  {
2291  msg(D_PUSH, "OPTIONS IMPORT: --ifconfig/up options modified");
2292  }
2293  if (found & OPT_P_ROUTE)
2294  {
2295  msg(D_PUSH, "OPTIONS IMPORT: route options modified");
2296  }
2297  if (found & OPT_P_ROUTE_EXTRAS)
2298  {
2299  msg(D_PUSH, "OPTIONS IMPORT: route-related options modified");
2300  }
2301  if (found & OPT_P_IPWIN32)
2302  {
2303  msg(D_PUSH, "OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified");
2304  }
2305  if (found & OPT_P_SETENV)
2306  {
2307  msg(D_PUSH, "OPTIONS IMPORT: environment modified");
2308  }
2309 
2310  if (found & OPT_P_PEER_ID)
2311  {
2312  msg(D_PUSH, "OPTIONS IMPORT: peer-id set");
2313  c->c2.tls_multi->use_peer_id = true;
2314  c->c2.tls_multi->peer_id = c->options.peer_id;
2315  frame_add_to_extra_frame(&c->c2.frame, +3); /* peer-id overhead */
2316  if (!c->options.ce.link_mtu_defined)
2317  {
2318  frame_add_to_link_mtu(&c->c2.frame, +3);
2319  msg(D_PUSH, "OPTIONS IMPORT: adjusting link_mtu to %d",
2320  EXPANDED_SIZE(&c->c2.frame));
2321  }
2322  else
2323  {
2324  msg(M_WARN, "OPTIONS IMPORT: WARNING: peer-id set, but link-mtu"
2325  " fixed by config - reducing tun-mtu to %d, expect"
2326  " MTU problems", TUN_MTU_SIZE(&c->c2.frame) );
2327  }
2328  }
2329 
2330  /* process (potentially pushed) crypto options */
2331  if (c->options.pull)
2332  {
2333  struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE];
2334  if (found & OPT_P_NCP)
2335  {
2336  msg(D_PUSH, "OPTIONS IMPORT: data channel crypto options modified");
2337  }
2338  else if (c->options.ncp_enabled)
2339  {
2341  }
2342  struct frame *frame_fragment = NULL;
2343 #ifdef ENABLE_FRAGMENT
2344  if (c->options.ce.fragment)
2345  {
2346  frame_fragment = &c->c2.frame_fragment;
2347  }
2348 #endif
2349 
2350  /* Do not regenerate keys if server sends an extra push reply */
2352  && !tls_session_update_crypto_params(session, &c->options, &c->c2.frame,
2353  frame_fragment))
2354  {
2355  msg(D_TLS_ERRORS, "OPTIONS ERROR: failed to import crypto options");
2356  return false;
2357  }
2358  }
2359 
2360  return true;
2361 }
2362 
2363 /*
2364  * Possible hold on initialization, holdtime is the
2365  * time OpenVPN would wait without management
2366  */
2367 static bool
2368 do_hold(int holdtime)
2369 {
2370 #ifdef ENABLE_MANAGEMENT
2371  if (management)
2372  {
2373  /* block until management hold is released */
2374  if (management_hold(management, holdtime))
2375  {
2376  return true;
2377  }
2378  }
2379 #endif
2380  return false;
2381 }
2382 
2383 /*
2384  * Sleep before restart.
2385  */
2386 static void
2388 {
2389  int sec = 2;
2390  int backoff = 0;
2391 
2392  switch (c->options.ce.proto)
2393  {
2394  case PROTO_TCP_SERVER:
2395  sec = 1;
2396  break;
2397 
2398  case PROTO_UDP:
2399  case PROTO_TCP_CLIENT:
2400  sec = c->options.ce.connect_retry_seconds;
2401  break;
2402  }
2403 
2404 #ifdef ENABLE_DEBUG
2405  if (GREMLIN_CONNECTION_FLOOD_LEVEL(c->options.gremlin))
2406  {
2407  sec = 0;
2408  }
2409 #endif
2410 
2411 #if P2MP
2412  if (auth_retry_get() == AR_NOINTERACT)
2413  {
2414  sec = 10;
2415  }
2416 #endif
2417 
2418  /* Slow down reconnection after 5 retries per remote -- for tcp only in client mode */
2419  if (c->options.ce.proto != PROTO_TCP_SERVER)
2420  {
2421  backoff = (c->options.unsuccessful_attempts / c->options.connection_list->len) - 4;
2422  if (backoff > 0)
2423  {
2424  /* sec is less than 2^16; we can left shift it by up to 15 bits without overflow */
2425  sec = max_int(sec, 1) << min_int(backoff, 15);
2426  }
2427 
2428  if (sec > c->options.ce.connect_retry_seconds_max)
2429  {
2431  }
2432  }
2433 
2435  {
2436  sec = c->persist.restart_sleep_seconds;
2437  }
2438  else if (c->persist.restart_sleep_seconds == -1)
2439  {
2440  sec = 0;
2441  }
2443 
2444  /* do management hold on context restart, i.e. second, third, fourth, etc. initialization */
2445  if (do_hold(sec))
2446  {
2447  sec = 0;
2448  }
2449 
2450  if (sec)
2451  {
2452  msg(D_RESTART, "Restart pause, %d second(s)", sec);
2453  management_sleep(sec);
2454  }
2455 }
2456 
2457 /*
2458  * Do a possible pause on context_2 initialization.
2459  */
2460 static void
2462 {
2463  if (!c->first_time)
2464  {
2466  }
2467  else
2468  {
2469  do_hold(0); /* do management hold on first context initialization */
2470  }
2471 }
2472 
2473 /*
2474  * Finalize MTU parameters based on command line or config file options.
2475  */
2476 static void
2477 frame_finalize_options(struct context *c, const struct options *o)
2478 {
2479  if (!o)
2480  {
2481  o = &c->options;
2482  }
2483 
2484  /*
2485  * Set adjustment factor for buffer alignment when no
2486  * cipher is used.
2487  */
2488  if (!CIPHER_ENABLED(c))
2489  {
2495  }
2496 
2498  frame_finalize(&c->c2.frame,
2499  o->ce.link_mtu_defined,
2500  o->ce.link_mtu,
2501  o->ce.tun_mtu_defined,
2502  o->ce.tun_mtu);
2503 }
2504 
2505 /*
2506  * Free a key schedule, including OpenSSL components.
2507  */
2508 static void
2509 key_schedule_free(struct key_schedule *ks, bool free_ssl_ctx)
2510 {
2512  if (tls_ctx_initialised(&ks->ssl_ctx) && free_ssl_ctx)
2513  {
2514  tls_ctx_free(&ks->ssl_ctx);
2516  }
2517  CLEAR(*ks);
2518 }
2519 
2520 static void
2521 init_crypto_pre(struct context *c, const unsigned int flags)
2522 {
2523  if (c->options.engine)
2524  {
2526  }
2527 
2528  if (flags & CF_LOAD_PERSISTED_PACKET_ID)
2529  {
2530  /* load a persisted packet-id for cross-session replay-protection */
2531  if (c->options.packet_id_file)
2532  {
2534  }
2535  }
2536 
2537 #ifdef ENABLE_PREDICTION_RESISTANCE
2538  if (c->options.use_prediction_resistance)
2539  {
2540  rand_ctx_enable_prediction_resistance();
2541  }
2542 #endif
2543 }
2544 
2545 /*
2546  * Static Key Mode (using a pre-shared key)
2547  */
2548 static void
2549 do_init_crypto_static(struct context *c, const unsigned int flags)
2550 {
2551  const struct options *options = &c->options;
2552  ASSERT(options->shared_secret_file);
2553 
2554  init_crypto_pre(c, flags);
2555 
2556  /* Initialize flags */
2558  {
2560  }
2561 
2562  /* Initialize packet ID tracking */
2563  if (options->replay)
2564  {
2566  options->replay_window,
2567  options->replay_time,
2568  "STATIC", 0);
2573  }
2574 
2575  if (!key_ctx_bi_defined(&c->c1.ks.static_key))
2576  {
2577  /* Get cipher & hash algorithms */
2578  init_key_type(&c->c1.ks.key_type, options->ciphername, options->authname,
2579  options->keysize, options->test_crypto, true);
2580 
2581  /* Read cipher and hmac keys from shared secret file */
2583  options->shared_secret_file,
2584  options->shared_secret_file_inline,
2585  options->key_direction, "Static Key Encryption",
2586  "secret");
2587  }
2588  else
2589  {
2590  msg(M_INFO, "Re-using pre-shared static key");
2591  }
2592 
2593  /* Get key schedule */
2595 
2596  /* Compute MTU parameters */
2598  options->replay, true);
2599 
2600  /* Sanity check on sequence number, and cipher mode options */
2601  check_replay_consistency(&c->c1.ks.key_type, options->replay);
2602 }
2603 
2604 /*
2605  * Initialize the tls-auth/crypt key context
2606  */
2607 static void
2609 {
2610  const struct options *options = &c->options;
2611 
2612  /* TLS handshake authentication (--tls-auth) */
2613  if (options->ce.tls_auth_file)
2614  {
2615  /* Initialize key_type for tls-auth with auth only */
2617  if (!streq(options->authname, "none"))
2618  {
2622  }
2623  else
2624  {
2625  msg(M_FATAL, "ERROR: tls-auth enabled, but no valid --auth "
2626  "algorithm specified ('%s')", options->authname);
2627  }
2628 
2630  &c->c1.ks.tls_wrap_key,
2631  options->ce.tls_auth_file,
2632  options->ce.tls_auth_file_inline,
2633  options->ce.key_direction,
2634  "Control Channel Authentication", "tls-auth");
2635  }
2636 
2637  /* TLS handshake encryption+authentication (--tls-crypt) */
2638  if (options->ce.tls_crypt_file)
2639  {
2641  options->ce.tls_crypt_file,
2642  options->ce.tls_crypt_inline, options->tls_server);
2643  }
2644 
2645  /* tls-crypt with client-specific keys (--tls-crypt-v2) */
2646  if (options->ce.tls_crypt_v2_file)
2647  {
2648  if (options->tls_server)
2649  {
2651  true, options->ce.tls_crypt_v2_file,
2652  options->ce.tls_crypt_v2_inline);
2653  }
2654  else
2655  {
2657  &c->c1.ks.tls_crypt_v2_wkc,
2658  options->ce.tls_crypt_v2_file,
2659  options->ce.tls_crypt_v2_inline);
2660  }
2661  }
2662 
2663 
2664 }
2665 
2666 #if P2MP_SERVER
2667 /*
2668  * Initialise the auth-token key context
2669  */
2670 static void
2672 {
2673  if (!c->options.auth_token_generate)
2674  {
2675  return;
2676  }
2677 
2681 }
2682 #endif
2683 
2684 /*
2685  * Initialize the persistent component of OpenVPN's TLS mode,
2686  * which is preserved across SIGUSR1 resets.
2687  */
2688 static void
2690 {
2691  const struct options *options = &c->options;
2692 
2693  if (!tls_ctx_initialised(&c->c1.ks.ssl_ctx))
2694  {
2695  /*
2696  * Initialize the OpenSSL library's global
2697  * SSL context.
2698  */
2699  init_ssl(options, &(c->c1.ks.ssl_ctx));
2700  if (!tls_ctx_initialised(&c->c1.ks.ssl_ctx))
2701  {
2702 #if P2MP
2703  switch (auth_retry_get())
2704  {
2705  case AR_NONE:
2706  msg(M_FATAL, "Error: private key password verification failed");
2707  break;
2708 
2709  case AR_INTERACT:
2710  ssl_purge_auth(false);
2711 
2712  case AR_NOINTERACT:
2713  c->sig->signal_received = SIGUSR1; /* SOFT-SIGUSR1 -- Password failure error */
2714  break;
2715 
2716  default:
2717  ASSERT(0);
2718  }
2719  c->sig->signal_text = "private-key-password-failure";
2720  return;
2721 #else /* if P2MP */
2722  msg(M_FATAL, "Error: private key password verification failed");
2723 #endif /* if P2MP */
2724  }
2725 
2726  /* Get cipher & hash algorithms */
2727  init_key_type(&c->c1.ks.key_type, options->ciphername, options->authname,
2728  options->keysize, true, true);
2729 
2730  /* Initialize PRNG with config-specified digest */
2731  prng_init(options->prng_hash, options->prng_nonce_secret_len);
2732 
2733  /* initialize tls-auth/crypt/crypt-v2 key */
2735 
2736 #if P2MP_SERVER
2737  /* initialise auth-token crypto support */
2739 #endif
2740 
2741 #if 0 /* was: #if ENABLE_INLINE_FILES -- Note that enabling this code will break restarts */
2742  if (options->priv_key_file_inline)
2743  {
2745  c->options.priv_key_file_inline = NULL;
2746  }
2747 #endif
2748  }
2749  else
2750  {
2751  msg(D_INIT_MEDIUM, "Re-using SSL/TLS context");
2752 
2753  /*
2754  * tls-auth/crypt key can be configured per connection block, therefore
2755  * we must reload it as it may have changed
2756  */
2758  }
2759 }
2760 
2761 static void
2762 do_init_crypto_tls(struct context *c, const unsigned int flags)
2763 {
2764  const struct options *options = &c->options;
2765  struct tls_options to;
2766  bool packet_id_long_form;
2767 
2768  ASSERT(options->tls_server || options->tls_client);
2769  ASSERT(!options->test_crypto);
2770 
2771  init_crypto_pre(c, flags);
2772 
2773  /* Make sure we are either a TLS client or server but not both */
2774  ASSERT(options->tls_server == !options->tls_client);
2775 
2776  /* initialize persistent component */
2778  if (IS_SIG(c))
2779  {
2780  return;
2781  }
2782 
2783  /* Sanity check on sequence number, and cipher mode options */
2784  check_replay_consistency(&c->c1.ks.key_type, options->replay);
2785 
2786  /* In short form, unique datagram identifier is 32 bits, in long form 64 bits */
2787  packet_id_long_form = cipher_kt_mode_ofb_cfb(c->c1.ks.key_type.cipher);
2788 
2789  /* Compute MTU parameters (postpone if we push/pull options) */
2790  if (c->options.pull || c->options.mode == MODE_SERVER)
2791  {
2792  /* Account for worst-case crypto overhead before allocating buffers */
2794  }
2795  else
2796  {
2798  options->replay, packet_id_long_form);
2799  }
2801 
2802  /* Set all command-line TLS-related options */
2803  CLEAR(to);
2804 
2805  if (options->mute_replay_warnings)
2806  {
2808  }
2809 
2811  if (packet_id_long_form)
2812  {
2814  }
2815 
2816  to.ssl_ctx = c->c1.ks.ssl_ctx;
2817  to.key_type = c->c1.ks.key_type;
2818  to.server = options->tls_server;
2819  to.key_method = options->key_method;
2820  to.replay = options->replay;
2821  to.replay_window = options->replay_window;
2822  to.replay_time = options->replay_time;
2825  to.config_authname = c->c1.authname;
2826  to.ncp_enabled = options->ncp_enabled;
2827  to.transition_window = options->transition_window;
2828  to.handshake_window = options->handshake_window;
2829  to.packet_timeout = options->tls_timeout;
2830  to.renegotiate_bytes = options->renegotiate_bytes;
2832  if (options->renegotiate_seconds_min < 0)
2833  {
2834  /* Add 10% jitter to reneg-sec by default (server side only) */
2835  int auto_jitter = options->mode != MODE_SERVER ? 0 :
2836  get_random() % max_int(options->renegotiate_seconds / 10, 1);
2837  to.renegotiate_seconds = options->renegotiate_seconds - auto_jitter;
2838  }
2839  else
2840  {
2841  /* Add user-specified jitter to reneg-sec */
2843  -(get_random() % max_int(options->renegotiate_seconds
2844  - options->renegotiate_seconds_min, 1));
2845  }
2846  to.single_session = options->single_session;
2847  to.mode = options->mode;
2848  to.pull = options->pull;
2849  if (options->push_peer_info) /* all there is */
2850  {
2851  to.push_peer_info_detail = 2;
2852  }
2853  else if (options->pull) /* pull clients send some details */
2854  {
2855  to.push_peer_info_detail = 1;
2856  }
2857  else /* default: no peer-info at all */
2858  {
2859  to.push_peer_info_detail = 0;
2860  }
2861 
2862  /* should we not xmit any packets until we get an initial
2863  * response from client? */
2864  if (to.server && options->ce.proto == PROTO_TCP_SERVER)
2865  {
2866  to.xmit_hold = true;
2867  }
2868 
2869 #ifdef ENABLE_OCC
2870  to.disable_occ = !options->occ;
2871 #endif
2872 
2873  to.verify_command = options->tls_verify;
2874  to.verify_export_cert = options->tls_export_cert;
2875  to.verify_x509_type = (options->verify_x509_type & 0xff);
2876  to.verify_x509_name = options->verify_x509_name;
2877  to.crl_file = options->crl_file;
2878  to.crl_file_inline = options->crl_file_inline;
2879  to.ssl_flags = options->ssl_flags;
2880  to.ns_cert_type = options->ns_cert_type;
2881  memmove(to.remote_cert_ku, options->remote_cert_ku, sizeof(to.remote_cert_ku));
2882  to.remote_cert_eku = options->remote_cert_eku;
2883  to.verify_hash = options->verify_hash;
2884  to.verify_hash_algo = options->verify_hash_algo;
2885 #ifdef ENABLE_X509ALTUSERNAME
2886  to.x509_username_field = (char *) options->x509_username_field;
2887 #else
2889 #endif
2890  to.es = c->c2.es;
2891  to.net_ctx = &c->net_ctx;
2892 
2893 #ifdef ENABLE_DEBUG
2894  to.gremlin = c->options.gremlin;
2895 #endif
2896 
2897  to.plugins = c->plugins;
2898 
2899 #ifdef MANAGEMENT_DEF_AUTH
2900  to.mda_context = &c->c2.mda_context;
2901 #endif
2902 
2903 #if P2MP_SERVER
2906  to.tmp_dir = options->tmp_dir;
2907  if (options->ccd_exclusive)
2908  {
2910  }
2916 #endif
2917 
2918  to.x509_track = options->x509_track;
2919 
2920 #if P2MP
2921 #ifdef ENABLE_MANAGEMENT
2922  to.sci = &options->sc_info;
2923 #endif
2924 #endif
2925 
2926 #ifdef USE_COMP
2927  to.comp_options = options->comp;
2928 #endif
2929 
2930 #if defined(ENABLE_CRYPTO_OPENSSL) && OPENSSL_VERSION_NUMBER >= 0x10001000
2931  if (options->keying_material_exporter_label)
2932  {
2933  to.ekm_size = options->keying_material_exporter_length;
2934  if (to.ekm_size < 16 || to.ekm_size > 4095)
2935  {
2936  to.ekm_size = 0;
2937  }
2938 
2939  to.ekm_label = options->keying_material_exporter_label;
2940  to.ekm_label_size = strlen(to.ekm_label);
2941  }
2942  else
2943  {
2944  to.ekm_size = 0;
2945  }
2946 #endif
2947 
2948  /* TLS handshake authentication (--tls-auth) */
2949  if (options->ce.tls_auth_file)
2950  {
2951  to.tls_wrap.mode = TLS_WRAP_AUTH;
2956  true, true);
2957  }
2958 
2959  /* TLS handshake encryption (--tls-crypt) */
2960  if (options->ce.tls_crypt_file
2961  || (options->ce.tls_crypt_v2_file && options->tls_client))
2962  {
2963  to.tls_wrap.mode = TLS_WRAP_CRYPT;
2968 
2969  if (options->ce.tls_crypt_v2_file)
2970  {
2972  }
2973  }
2974 
2975  if (options->ce.tls_crypt_v2_file)
2976  {
2977  to.tls_crypt_v2 = true;
2978  if (options->tls_server)
2979  {
2982  }
2983  }
2984 
2985  /* If we are running over TCP, allow for
2986  * length prefix */
2988 
2989  /*
2990  * Initialize OpenVPN's master TLS-mode object.
2991  */
2992  if (flags & CF_INIT_TLS_MULTI)
2993  {
2994  c->c2.tls_multi = tls_multi_init(&to);
2995  }
2996 
2997  if (flags & CF_INIT_TLS_AUTH_STANDALONE)
2998  {
3000  }
3001 }
3002 
3003 static void
3005 {
3006  if (c->c2.tls_multi)
3007  {
3010  EXPANDED_SIZE(&c->c2.frame));
3012  "Control Channel MTU parms");
3013  }
3014  if (c->c2.tls_auth_standalone)
3015  {
3018  "TLS-Auth MTU parms");
3019  }
3020 }
3021 
3022 /*
3023  * No encryption or authentication.
3024  */
3025 static void
3027 {
3028  ASSERT(!c->options.test_crypto);
3029  msg(M_WARN,
3030  "******* WARNING *******: All encryption and authentication features "
3031  "disabled -- All data will be tunnelled as clear text and will not be "
3032  "protected against man-in-the-middle changes. "
3033  "PLEASE DO RECONSIDER THIS CONFIGURATION!");
3034 }
3035 
3036 static void
3037 do_init_crypto(struct context *c, const unsigned int flags)
3038 {
3039  if (c->options.shared_secret_file)
3040  {
3041  do_init_crypto_static(c, flags);
3042  }
3043  else if (c->options.tls_server || c->options.tls_client)
3044  {
3045  do_init_crypto_tls(c, flags);
3046  }
3047  else /* no encryption or authentication. */
3048  {
3050  }
3051 }
3052 
3053 static void
3055 {
3056 #ifdef USE_COMP
3057  /*
3058  * modify frame parameters if compression is enabled
3059  */
3060  if (comp_enabled(&c->options.comp))
3061  {
3062  comp_add_to_extra_frame(&c->c2.frame);
3063 
3064 #if !defined(ENABLE_LZ4)
3065  /*
3066  * Compression usage affects buffer alignment when non-swapped algs
3067  * such as LZO is used.
3068  * Newer algs like LZ4 and comp-stub with COMP_F_SWAP don't need
3069  * any special alignment because of the control-byte swap approach.
3070  * LZO alignment (on the other hand) is problematic because
3071  * the presence of the control byte means that either the output of
3072  * decryption must be written to an unaligned buffer, or the input
3073  * to compression (or packet dispatch if packet is uncompressed)
3074  * must be read from an unaligned buffer.
3075  * This code tries to align the input to compression (or packet
3076  * dispatch if packet is uncompressed) at the cost of requiring
3077  * decryption output to be written to an unaligned buffer, so
3078  * it's more of a tradeoff than an optimal solution and we don't
3079  * include it when we are doing a modern build with LZ4.
3080  * Strictly speaking, on the server it would be better to execute
3081  * this code for every connection after we decide the compression
3082  * method, but currently the frame code doesn't appear to be
3083  * flexible enough for this, since the frame is already established
3084  * before it is known which compression options will be pushed.
3085  */
3086  if (comp_unswapped_prefix(&c->options.comp) && CIPHER_ENABLED(c))
3087  {
3088  frame_add_to_align_adjust(&c->c2.frame, COMP_PREFIX_LEN);
3092  }
3093 #endif
3094 
3095 #ifdef ENABLE_FRAGMENT
3096  comp_add_to_extra_frame(&c->c2.frame_fragment_omit); /* omit compression frame delta from final frame_fragment */
3097 #endif
3098  }
3099 #endif /* USE_COMP */
3100 
3101  /*
3102  * Adjust frame size for UDP Socks support.
3103  */
3104  if (c->options.ce.socks_proxy_server)
3105  {
3107  }
3108 
3109  /*
3110  * Adjust frame size based on the --tun-mtu-extra parameter.
3111  */
3113  {
3115  }
3116 
3117  /*
3118  * Adjust frame size based on link socket parameters.
3119  * (Since TCP is a stream protocol, we need to insert
3120  * a packet length uint16_t in the buffer.)
3121  */
3123 
3124  /*
3125  * Fill in the blanks in the frame parameters structure,
3126  * make sure values are rational, etc.
3127  */
3128  frame_finalize_options(c, NULL);
3129 
3130 #ifdef USE_COMP
3131  /*
3132  * Modify frame parameters if compression is compiled in.
3133  * Should be called after frame_finalize_options.
3134  */
3135  comp_add_to_extra_buffer(&c->c2.frame);
3136 #ifdef ENABLE_FRAGMENT
3137  comp_add_to_extra_buffer(&c->c2.frame_fragment_omit); /* omit compression frame delta from final frame_fragment */
3138 #endif
3139 #endif /* USE_COMP */
3140 
3141  /* packets with peer-id (P_DATA_V2) need 3 extra bytes in frame (on client)
3142  * and need link_mtu+3 bytes on socket reception (on server).
3143  *
3144  * accommodate receive path in f->extra_link, which has the side effect of
3145  * also increasing send buffers (BUF_SIZE() macro), which need to be
3146  * allocated big enough before receiving peer-id option from server.
3147  *
3148  * f->extra_frame is adjusted when peer-id option is push-received
3149  */
3151 
3152 #ifdef ENABLE_FRAGMENT
3153  /*
3154  * Set frame parameter for fragment code. This is necessary because
3155  * the fragmentation code deals with payloads which have already been
3156  * passed through the compression code.
3157  */
3158  c->c2.frame_fragment = c->c2.frame;
3161 #endif
3162 
3163 #if defined(ENABLE_FRAGMENT) && defined(ENABLE_OCC)
3164  /*
3165  * MTU advisories
3166  */
3167  if (c->options.ce.fragment && c->options.mtu_test)
3168  {
3169  msg(M_WARN,
3170  "WARNING: using --fragment and --mtu-test together may produce an inaccurate MTU test result");
3171  }
3172 #endif
3173 
3174 #ifdef ENABLE_FRAGMENT
3175  if ((c->options.ce.mssfix || c->options.ce.fragment)
3177  {
3178  msg(M_WARN,
3179  "WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu %d (currently it is %d)",
3181  }
3182 #endif
3183 }
3184 
3185 static void
3187 {
3188  const struct options *o = &c->options;
3189 
3190  if (o->ping_send_timeout && !o->ping_rec_timeout)
3191  {
3192  msg(M_WARN, "WARNING: --ping should normally be used with --ping-restart or --ping-exit");
3193  }
3194 
3195  if (o->username || o->groupname || o->chroot_dir
3196 #ifdef ENABLE_SELINUX
3197  || o->selinux_context
3198 #endif
3199  )
3200  {
3201  if (!o->persist_tun)
3202  {
3203  msg(M_WARN, "WARNING: you are using user/group/chroot/setcon without persist-tun -- this may cause restarts to fail");
3204  }
3205  if (!o->persist_key
3206 #ifdef ENABLE_PKCS11
3207  && !o->pkcs11_id
3208 #endif
3209  )
3210  {
3211  msg(M_WARN, "WARNING: you are using user/group/chroot/setcon without persist-key -- this may cause restarts to fail");
3212  }
3213  }
3214 
3215  if (o->chroot_dir && !(o->username && o->groupname))
3216  {
3217  msg(M_WARN, "WARNING: you are using chroot without specifying user and group -- this may cause the chroot jail to be insecure");
3218  }
3219 
3220 #if P2MP
3221  if (o->pull && o->ifconfig_local && c->first_time)
3222  {
3223  msg(M_WARN, "WARNING: using --pull/--client and --ifconfig together is probably not what you want");
3224  }
3225 
3226 #if P2MP_SERVER
3228  {
3229  msg(M_WARN, "NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to");
3230  }
3231 
3232  if (o->mode == MODE_SERVER)
3233  {
3234  if (o->duplicate_cn && o->client_config_dir)
3235  {
3236  msg(M_WARN, "WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want");
3237  }
3239  {
3240  msg(M_WARN, "WARNING: --ifconfig-pool-persist will not work with --duplicate-cn");
3241  }
3242  if (!o->keepalive_ping || !o->keepalive_timeout)
3243  {
3244  msg(M_WARN, "WARNING: --keepalive option is missing from server config");
3245  }
3246  }
3247 #endif /* if P2MP_SERVER */
3248 #endif /* if P2MP */
3249 
3250  if (!o->replay)
3251  {
3252  msg(M_WARN, "WARNING: You have disabled Replay Protection (--no-replay) which may make " PACKAGE_NAME " less secure");
3253  }
3254 
3255  if (o->tls_server)
3256  {
3258  }
3259  if (o->tls_client
3260  && !o->tls_verify
3263  && !o->remote_cert_eku)
3264  {
3265  msg(M_WARN, "WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.");
3266  }
3267  if (o->ns_cert_type)
3268  {
3269  msg(M_WARN, "WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.");
3270  }
3271 
3272  /* If a script is used, print appropriate warnings */
3273  if (o->user_script_used)
3274  {
3275  if (script_security() >= SSEC_SCRIPTS)
3276  {
3277  msg(M_WARN, "NOTE: the current --script-security setting may allow this configuration to call user-defined scripts");
3278  }
3279  else if (script_security() >= SSEC_PW_ENV)
3280  {
3281  msg(M_WARN, "WARNING: the current --script-security setting may allow passwords to be passed to scripts via environmental variables");
3282  }
3283  else
3284  {
3285  msg(M_WARN, "NOTE: starting with " PACKAGE_NAME " 2.1, '--script-security 2' or higher is required to call user-defined scripts or executables");
3286  }
3287  }
3288 }
3289 
3290 static void
3292 {
3294 }
3295 
3296 struct context_buffers *
3298 {
3299  struct context_buffers *b;
3300 
3301  ALLOC_OBJ_CLEAR(b, struct context_buffers);
3302 
3303  b->read_link_buf = alloc_buf(BUF_SIZE(frame));
3304  b->read_tun_buf = alloc_buf(BUF_SIZE(frame));
3305 
3306  b->aux_buf = alloc_buf(BUF_SIZE(frame));
3307 
3308  b->encrypt_buf = alloc_buf(BUF_SIZE(frame));
3309  b->decrypt_buf = alloc_buf(BUF_SIZE(frame));
3310 
3311 #ifdef USE_COMP
3312  b->compress_buf = alloc_buf(BUF_SIZE(frame));
3313  b->decompress_buf = alloc_buf(BUF_SIZE(frame));
3314 #endif
3315 
3316  return b;
3317 }
3318 
3319 void
3321 {
3322  if (b)
3323  {
3324  free_buf(&b->read_link_buf);
3325  free_buf(&b->read_tun_buf);
3326  free_buf(&b->aux_buf);
3327 
3328 #ifdef USE_COMP
3329  free_buf(&b->compress_buf);
3330  free_buf(&b->decompress_buf);
3331 #endif
3332 
3333  free_buf(&b->encrypt_buf);
3334  free_buf(&b->decrypt_buf);
3335 
3336  free(b);
3337  }
3338 }
3339 
3340 /*
3341  * Now that we know all frame parameters, initialize
3342  * our buffers.
3343  */
3344 static void
3346 {
3348  c->c2.buffers_owned = true;
3349 }
3350 
3351 #ifdef ENABLE_FRAGMENT
3352 /*
3353  * Fragmenting code has buffers to initialize
3354  * once frame parameters are known.
3355  */
3356 static void
3358 {
3359  ASSERT(c->options.ce.fragment);
3363 }
3364 #endif
3365 
3366 /*
3367  * Allocate our socket object.
3368  */
3369 static void
3371 {
3372  ASSERT(!c->c2.link_socket);
3374  c->c2.link_socket_owned = true;
3375 }
3376 
3377 /*
3378  * bind the TCP/UDP socket
3379  */
3380 static void
3381 do_init_socket_1(struct context *c, const int mode)
3382 {
3383  unsigned int sockflags = c->options.sockflags;
3384 
3385 #if PORT_SHARE
3386  if (c->options.port_share_host && c->options.port_share_port)
3387  {
3388  sockflags |= SF_PORT_SHARE;
3389  }
3390 #endif
3391 
3393  c->options.ce.local,
3394  c->options.ce.local_port,
3395  c->options.ce.remote,
3396  c->options.ce.remote_port,
3397  c->c1.dns_cache,
3398  c->options.ce.proto,
3399  c->options.ce.af,
3401  mode,
3402  c->c2.accept_from,
3403  c->c1.http_proxy,
3404  c->c1.socks_proxy,
3405 #ifdef ENABLE_DEBUG
3406  c->options.gremlin,
3407 #endif
3408  c->options.ce.bind_local,
3409  c->options.ce.remote_float,
3410  c->options.inetd,
3411  &c->c1.link_socket_addr,
3412  c->options.ipchange,
3413  c->plugins,
3416  c->options.rcvbuf,
3417  c->options.sndbuf,
3418  c->options.mark,
3420  sockflags);
3421 }
3422 
3423 /*
3424  * finalize the TCP/UDP socket
3425  */
3426 static void
3428 {
3430  c->sig);
3431 }
3432 
3433 /*
3434  * Print MTU INFO
3435  */
3436 static void
3438 {
3439  frame_print(&c->c2.frame, D_MTU_INFO, "Data Channel MTU parms");
3440 #ifdef ENABLE_FRAGMENT
3441  if (c->c2.fragment)
3442  {
3444  "Fragmentation MTU parms");
3445  }
3446 #endif
3447 }
3448 
3449 #ifdef ENABLE_OCC
3450 /*
3451  * Get local and remote options compatibility strings.
3452  */
3453 static void
3455 {
3456  struct gc_arena gc = gc_new();
3457 
3459  options_string(&c->options, &c->c2.frame, c->c1.tuntap, &c->net_ctx,
3460  false, &gc);
3462  options_string(&c->options, &c->c2.frame, c->c1.tuntap, &c->net_ctx,
3463  true, &gc);
3464 
3465  msg(D_SHOW_OCC, "Local Options String (VER=%s): '%s'",
3468  msg(D_SHOW_OCC, "Expected Remote Options String (VER=%s): '%s'",
3471 
3472  if (c->c2.tls_multi)
3473  {
3477  }
3478 
3479  gc_free(&gc);
3480 }
3481 #endif /* ifdef ENABLE_OCC */
3482 
3483 /*
3484  * These things can only be executed once per program instantiation.
3485  * Set up for possible UID/GID downgrade, but don't do it yet.
3486  * Daemonize if requested.
3487  */
3488 static void
3490 {
3491  if (c->first_time && !c->c0)
3492  {
3493  struct context_0 *c0;
3494 
3495  ALLOC_OBJ_CLEAR_GC(c->c0, struct context_0, &c->gc);
3496  c0 = c->c0;
3497 
3498  /* get user and/or group that we want to setuid/setgid to */
3499  c0->uid_gid_specified =
3502 
3503  /* perform postponed chdir if --daemon */
3504  if (c->did_we_daemonize && c->options.cd_dir == NULL)
3505  {
3506  platform_chdir("/");
3507  }
3508 
3509  /* should we change scheduling priority? */
3511  }
3512 }
3513 
3514 /*
3515  * If xinetd/inetd mode, don't allow restart.
3516  */
3517 static void
3519 {
3520  if (c->options.inetd
3521  && (c->sig->signal_received == SIGHUP
3522  || c->sig->signal_received == SIGUSR1))
3523  {
3524  c->sig->signal_received = SIGTERM;
3525  msg(M_INFO,
3526  PACKAGE_NAME
3527  " started by inetd/xinetd cannot restart... Exiting.");
3528  }
3529 }
3530 
3531 /*
3532  * free buffers
3533  */
3534 static void
3536 {
3537  if (c->c2.buffers_owned)
3538  {
3540  c->c2.buffers = NULL;
3541  c->c2.buffers_owned = false;
3542  }
3543 }
3544 
3545 /*
3546  * close TLS
3547  */
3548 static void
3550 {
3551  if (c->c2.tls_multi)
3552  {
3553  tls_multi_free(c->c2.tls_multi, true);
3554  c->c2.tls_multi = NULL;
3555  }
3556 
3557 #ifdef ENABLE_OCC
3558  /* free options compatibility strings */
3559  if (c->c2.options_string_local)
3560  {
3562  }
3563  if (c->c2.options_string_remote)
3564  {
3566  }
3568 #endif
3569 
3570  if (c->c2.pulled_options_state)
3571  {
3574  }
3575 }
3576 
3577 /*
3578  * Free key schedules
3579  */
3580 static void
3581 do_close_free_key_schedule(struct context *c, bool free_ssl_ctx)
3582 {
3583  /*
3584  * always free the tls_auth/crypt key. If persist_key is true, the key will
3585  * be reloaded from memory (pre-cached)
3586  */
3588  CLEAR(c->c1.ks.tls_wrap_key);
3591 
3592  if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_key))
3593  {
3594  key_schedule_free(&c->c1.ks, free_ssl_ctx);
3595  }
3596 }
3597 
3598 /*
3599  * Close TCP/UDP connection
3600  */
3601 static void
3603 {
3604  if (c->c2.link_socket && c->c2.link_socket_owned)
3605  {
3607  c->c2.link_socket = NULL;
3608  }
3609 
3610 
3611  /* Preserve the resolved list of remote if the user request to or if we want
3612  * reconnect to the same host again or there are still addresses that need
3613  * to be tried */
3614  if (!(c->sig->signal_received == SIGUSR1
3615  && ( (c->options.persist_remote_ip)
3616  ||
3617  ( c->sig->source != SIG_SOURCE_HARD
3619  || c->options.no_advance))
3620  )))
3621  {
3623  }
3624 
3625  /* Clear the remote actual address when persist_remote_ip is not in use */
3626  if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_remote_ip))
3627  {
3629  }
3630 
3631  if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_local_ip))
3632  {
3634  {
3635  freeaddrinfo(c->c1.link_socket_addr.bind_local);
3636  }
3637 
3638  c->c1.link_socket_addr.bind_local = NULL;
3639  }
3640 }
3641 
3642 /*
3643  * Close packet-id persistence file
3644  */
3645 static void
3647 {
3650  if (!(c->sig->signal_received == SIGUSR1))
3651  {
3653  }
3654 }
3655 
3656 #ifdef ENABLE_FRAGMENT
3657 /*
3658  * Close fragmentation handler.
3659  */
3660 static void
3662 {
3663  if (c->c2.fragment)
3664  {
3666  c->c2.fragment = NULL;
3667  }
3668 }
3669 #endif
3670 
3671 /*
3672  * Open and close our event objects.
3673  */
3674 
3675 static void
3677  bool need_us_timeout)
3678 {
3679  unsigned int flags = 0;
3680 
3682 
3683  flags |= EVENT_METHOD_FAST;
3684 
3685  if (need_us_timeout)
3686  {
3687  flags |= EVENT_METHOD_US_TIMEOUT;
3688  }
3689 
3690  c->c2.event_set = event_set_init(&c->c2.event_set_max, flags);
3691  c->c2.event_set_owned = true;
3692 }
3693 
3694 static void
3696 {
3697  if (c->c2.event_set && c->c2.event_set_owned)
3698  {
3699  event_free(c->c2.event_set);
3700  c->c2.event_set = NULL;
3701  c->c2.event_set_owned = false;
3702  }
3703 }
3704 
3705 /*
3706  * Open and close --status file
3707  */
3708 
3709 static void
3711 {
3712  if (!c->c1.status_output)
3713  {
3716  -1,
3717  NULL,
3719  c->c1.status_output_owned = true;
3720  }
3721 }
3722 
3723 static void
3725 {
3726  if (!(c->sig->signal_received == SIGUSR1))
3727  {
3728  if (c->c1.status_output_owned && c->c1.status_output)
3729  {
3731  c->c1.status_output = NULL;
3732  c->c1.status_output_owned = false;
3733  }
3734  }
3735 }
3736 
3737 /*
3738  * Handle ifconfig-pool persistence object.
3739  */
3740 static void
3742 {
3743 #if P2MP_SERVER
3745  {
3748  c->c1.ifconfig_pool_persist_owned = true;
3749  }
3750 #endif
3751 }
3752 
3753 static void
3755 {
3756 #if P2MP_SERVER
3757  if (!(c->sig->signal_received == SIGUSR1))
3758  {
3760  {
3762  c->c1.ifconfig_pool_persist = NULL;
3763  c->c1.ifconfig_pool_persist_owned = false;
3764  }
3765  }
3766 #endif
3767 }
3768 
3769 /*
3770  * Inherit environmental variables
3771  */
3772 
3773 static void
3774 do_inherit_env(struct context *c, const struct env_set *src)
3775 {
3776  c->c2.es = env_set_create(NULL);
3777  c->c2.es_owned = true;
3778  env_set_inherit(c->c2.es, src);
3779 }
3780 
3781 static void
3783 {
3784  if (c->c2.es && c->c2.es_owned)
3785  {
3786  env_set_destroy(c->c2.es);
3787  c->c2.es = NULL;
3788  c->c2.es_owned = false;
3789  }
3790 }
3791 
3792 /*
3793  * Fast I/O setup. Fast I/O is an optimization which only works
3794  * if all of the following are true:
3795  *
3796  * (1) The platform is not Windows
3797  * (2) --proto udp is enabled
3798  * (3) --shaper is disabled
3799  */
3800 static void
3802 {
3803  if (c->options.fast_io)
3804  {
3805 #ifdef _WIN32
3806  msg(M_INFO, "NOTE: --fast-io is disabled since we are running on Windows");
3807 #else
3808  if (!proto_is_udp(c->options.ce.proto))
3809  {
3810  msg(M_INFO, "NOTE: --fast-io is disabled since we are not using UDP");
3811  }
3812  else
3813  {
3814 #ifdef ENABLE_FEATURE_SHAPER
3815  if (c->options.shaper)
3816  {
3817  msg(M_INFO, "NOTE: --fast-io is disabled since we are using --shaper");
3818  }
3819  else
3820 #endif
3821  {
3822  c->c2.fast_io = true;
3823  }
3824  }
3825 #endif
3826  }
3827 }
3828 
3829 static void
3831 {
3832  if (c->options.tls_exit)
3833  {
3834  c->c2.tls_exit_signal = SIGTERM;
3835  }
3836  else
3837  {
3838  c->c2.tls_exit_signal = SIGUSR1;
3839  }
3840 }
3841 
3842 #ifdef ENABLE_PLUGIN
3843 
3844 void
3846 {
3847  if (c->options.plugin_list && !c->plugins)
3848  {
3850  c->plugins_owned = true;
3851  }
3852 }
3853 
3854 void
3855 open_plugins(struct context *c, const bool import_options, int init_point)
3856 {
3857  if (c->plugins && c->plugins_owned)
3858  {
3859  if (import_options)
3860  {
3861  struct plugin_return pr, config;
3862  plugin_return_init(&pr);
3863  plugin_list_open(c->plugins, c->options.plugin_list, &pr, c->c2.es, init_point);
3864  plugin_return_get_column(&pr, &config, "config");
3865  if (plugin_return_defined(&config))
3866  {
3867  int i;
3868  for (i = 0; i < config.n; ++i)
3869  {
3870  unsigned int option_types_found = 0;
3871  if (config.list[i] && config.list[i]->value)
3872  {
3874  config.list[i]->value,
3877  &option_types_found,
3878  c->es);
3879  }
3880  }
3881  }
3882  plugin_return_free(&pr);
3883  }
3884  else
3885  {
3886  plugin_list_open(c->plugins, c->options.plugin_list, NULL, c->c2.es, init_point);
3887  }
3888  }
3889 }
3890 
3891 static void
3893 {
3894  if (c->plugins && c->plugins_owned && !(c->sig->signal_received == SIGUSR1))
3895  {
3897  c->plugins = NULL;
3898  c->plugins_owned = false;
3899  }
3900 }
3901 
3902 static void
3903 do_inherit_plugins(struct context *c, const struct context *src)
3904 {
3905  if (!c->plugins && src->plugins)
3906  {
3907  c->plugins = plugin_list_inherit(src->plugins);
3908  c->plugins_owned = true;
3909  }
3910 }
3911 
3912 #endif /* ifdef ENABLE_PLUGIN */
3913 
3914 #ifdef ENABLE_MANAGEMENT
3915 
3916 static void
3917 management_callback_status_p2p(void *arg, const int version, struct status_output *so)
3918 {
3919  struct context *c = (struct context *) arg;
3920  print_status(c, so);
3921 }
3922 
3923 void
3924 management_show_net_callback(void *arg, const int msglevel)
3925 {
3926 #ifdef _WIN32
3927  show_routes(msglevel);
3928  show_adapters(msglevel);
3929  msg(msglevel, "END");
3930 #else
3931  msg(msglevel, "ERROR: Sorry, this command is currently only implemented on Windows");
3932 #endif
3933 }
3934 
3935 #ifdef TARGET_ANDROID
3936 int
3937 management_callback_network_change(void *arg, bool samenetwork)
3938 {
3939  /* Check if the client should translate the network change to a SIGUSR1 to
3940  * reestablish the connection or just reprotect the socket
3941  *
3942  * At the moment just assume that, for all settings that use pull (not
3943  * --static) and are not using peer-id reestablishing the connection is
3944  * required (unless the network is the same)
3945  *
3946  * The function returns -1 on invalid fd and -2 if the socket cannot be
3947  * reused. On the -2 return value the man_network_change function triggers
3948  * a SIGUSR1 to force a reconnect.
3949  */
3950 
3951  int socketfd = -1;
3952  struct context *c = (struct context *) arg;
3953  if (!c->c2.link_socket)
3954  {
3955  return -1;
3956  }
3957  if (c->c2.link_socket->sd == SOCKET_UNDEFINED)
3958  {
3959  return -1;
3960  }
3961 
3962  socketfd = c->c2.link_socket->sd;
3963  if (!c->options.pull || c->c2.tls_multi->use_peer_id || samenetwork)
3964  {
3965  return socketfd;
3966  }
3967  else
3968  {
3969  return -2;
3970  }
3971 }
3972 #endif /* ifdef TARGET_ANDROID */
3973 
3974 #endif /* ifdef ENABLE_MANAGEMENT */
3975 
3976 void
3978 {
3979 #ifdef ENABLE_MANAGEMENT
3980  if (management)
3981  {
3982  struct management_callback cb;
3983  CLEAR(cb);
3984  cb.arg = c;
3989 #ifdef TARGET_ANDROID
3990  cb.network_change = management_callback_network_change;
3991 #endif
3993  }
3994 #endif
3995 }
3996 
3997 #ifdef ENABLE_MANAGEMENT
3998 
3999 void
4001 {
4002  if (!management)
4003  {
4005  }
4006 }
4007 
4008 bool
4010 {
4011  /* initialize management layer */
4012  if (management)
4013  {
4014  if (c->options.management_addr)
4015  {
4016  unsigned int flags = c->options.management_flags;
4017  if (c->options.mode == MODE_SERVER)
4018  {
4019  flags |= MF_SERVER;
4020  }
4032  flags))
4033  {
4036  NULL,
4037  NULL,
4038  NULL,
4039  NULL,
4040  NULL);
4041  }
4042 
4043  /* initial management hold, called early, before first context initialization */
4044  do_hold(0);
4045  if (IS_SIG(c))
4046  {
4047  msg(M_WARN, "Signal received from management interface, exiting");
4048  return false;
4049  }
4050  }
4051  else
4052  {
4053  close_management();
4054  }
4055  }
4056  return true;
4057 }
4058 
4059 void
4061 {
4062  if (management)
4063  {
4065  management = NULL;
4066  }
4067 }
4068 
4069 #endif /* ifdef ENABLE_MANAGEMENT */
4070 
4071 
4072 void
4074 {
4075 #ifdef ENABLE_MANAGEMENT
4076  if (management)
4077  {
4079  }
4080 #endif
4081 }
4082 
4083 /*
4084  * Initialize a tunnel instance, handle pre and post-init
4085  * signal settings.
4086  */
4087 void
4088 init_instance_handle_signals(struct context *c, const struct env_set *env, const unsigned int flags)
4089 {
4091  init_instance(c, env, flags);
4093 
4094  /*
4095  * This is done so that signals thrown during
4096  * initialization can bring us back to
4097  * a management hold.
4098  */
4099  if (IS_SIG(c))
4100  {
4101  remap_signal(c);
4103  }
4104 }
4105 
4106 /*
4107  * Initialize a tunnel instance.
4108  */
4109 void
4110 init_instance(struct context *c, const struct env_set *env, const unsigned int flags)
4111 {
4112  const struct options *options = &c->options;
4113  const bool child = (c->mode == CM_CHILD_TCP || c->mode == CM_CHILD_UDP);
4114  int link_socket_mode = LS_MODE_DEFAULT;
4115 
4116  /* init garbage collection level */
4117  gc_init(&c->c2.gc);
4118 
4119  /* inherit environmental variables */
4120  if (env)
4121  {
4122  do_inherit_env(c, env);
4123  }
4124 
4125  /* signals caught here will abort */
4126  c->sig->signal_received = 0;
4127  c->sig->signal_text = NULL;
4128  c->sig->source = SIG_SOURCE_SOFT;
4129 
4130  if (c->mode == CM_P2P)
4131  {
4133  }
4134 
4135  /* possible sleep or management hold if restart */
4136  if (c->mode == CM_P2P || c->mode == CM_TOP)
4137  {
4138  do_startup_pause(c);
4139  if (IS_SIG(c))
4140  {
4141  goto sig;
4142  }
4143  }
4144 
4145  if (c->options.resolve_in_advance)
4146  {
4147  do_preresolve(c);
4148  if (IS_SIG(c))
4149  {
4150  goto sig;
4151  }
4152  }
4153 
4154  /* map in current connection entry */
4156 
4157  /* link_socket_mode allows CM_CHILD_TCP
4158  * instances to inherit acceptable fds
4159  * from a top-level parent */
4160  if (c->options.ce.proto == PROTO_TCP_SERVER)
4161  {
4162  if (c->mode == CM_TOP)
4163  {
4164  link_socket_mode = LS_MODE_TCP_LISTEN;
4165  }
4166  else if (c->mode == CM_CHILD_TCP)
4167  {
4168  link_socket_mode = LS_MODE_TCP_ACCEPT_FROM;
4169  }
4170  }
4171 
4172  /* should we disable paging? */
4173  if (c->first_time && options->mlock)
4174  {
4175  platform_mlockall(true);
4176  }
4177 
4178 #if P2MP
4179  /* get passwords if undefined */
4180  if (auth_retry_get() == AR_INTERACT)
4181  {
4183  }
4184 #endif
4185 
4186  /* initialize context level 2 --verb/--mute parms */
4188 
4189  /* set error message delay for non-server modes */
4190  if (c->mode == CM_P2P)
4191  {
4193  }
4194 
4195  /* warn about inconsistent options */
4196  if (c->mode == CM_P2P || c->mode == CM_TOP)
4197  {
4198  do_option_warnings(c);
4199  }
4200 
4201 #ifdef ENABLE_PLUGIN
4202  /* initialize plugins */
4203  if (c->mode == CM_P2P || c->mode == CM_TOP)
4204  {
4206  }
4207 #endif
4208 
4209  /* should we enable fast I/O? */
4210  if (c->mode == CM_P2P || c->mode == CM_TOP)
4211  {
4212  do_setup_fast_io(c);
4213  }
4214 
4215  /* should we throw a signal on TLS errors? */
4217 
4218  /* open --status file */
4219  if (c->mode == CM_P2P || c->mode == CM_TOP)
4220  {
4222  }
4223 
4224  /* open --ifconfig-pool-persist file */
4225  if (c->mode == CM_TOP)
4226  {
4228  }
4229 
4230 #ifdef ENABLE_OCC
4231  /* reset OCC state */
4232  if (c->mode == CM_P2P || child)
4233  {
4234  c->c2.occ_op = occ_reset_op();
4235  }
4236 #endif
4237 
4238  /* our wait-for-i/o objects, different for posix vs. win32 */
4239  if (c->mode == CM_P2P)
4240  {
4242  }
4243  else if (c->mode == CM_CHILD_TCP)
4244  {
4245  do_event_set_init(c, false);
4246  }
4247 
4248  /* initialize HTTP or SOCKS proxy object at scope level 2 */
4249  init_proxy(c);
4250 
4251  /* allocate our socket object */
4252  if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
4253  {
4254  do_link_socket_new(c);
4255  }
4256 
4257 #ifdef ENABLE_FRAGMENT
4258  /* initialize internal fragmentation object */
4259  if (options->ce.fragment && (c->mode == CM_P2P || child))
4260  {
4261  c->c2.fragment = fragment_init(&c->c2.frame);
4262  }
4263 #endif
4264 
4265  /* init crypto layer */
4266  {
4267  unsigned int crypto_flags = 0;
4268  if (c->mode == CM_TOP)
4269  {
4270  crypto_flags = CF_INIT_TLS_AUTH_STANDALONE;
4271  }
4272  else if (c->mode == CM_P2P)
4273  {
4275  }
4276  else if (child)
4277  {
4278  crypto_flags = CF_INIT_TLS_MULTI;
4279  }
4280  do_init_crypto(c, crypto_flags);
4281  if (IS_SIG(c) && !child)
4282  {
4283  goto sig;
4284  }
4285  }
4286 
4287 #ifdef USE_COMP
4288  /* initialize compression library. */
4289  if (comp_enabled(&options->comp) && (c->mode == CM_P2P || child))
4290  {
4291  c->c2.comp_context = comp_init(&options->comp);
4292  }
4293 #endif
4294 
4295  /* initialize MTU variables */
4296  do_init_frame(c);
4297 
4298  /* initialize TLS MTU variables */
4299  do_init_frame_tls(c);
4300 
4301  /* init workspace buffers whose size is derived from frame size */
4302  if (c->mode == CM_P2P || c->mode == CM_CHILD_TCP)
4303  {
4304  do_init_buffers(c);
4305  }
4306 
4307 #ifdef ENABLE_FRAGMENT
4308  /* initialize internal fragmentation capability with known frame size */
4309  if (options->ce.fragment && (c->mode == CM_P2P || child))
4310  {
4311  do_init_fragment(c);
4312  }
4313 #endif
4314 
4315  /* initialize dynamic MTU variable */
4316  frame_init_mssfix(&c->c2.frame, &c->options);
4317 
4318  /* bind the TCP/UDP socket */
4319  if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
4320  {
4321  do_init_socket_1(c, link_socket_mode);
4322  }
4323 
4324  /* initialize tun/tap device object,
4325  * open tun/tap device, ifconfig, run up script, etc. */
4326  if (!(options->up_delay || PULL_DEFINED(options)) && (c->mode == CM_P2P || c->mode == CM_TOP))
4327  {
4328  c->c2.did_open_tun = do_open_tun(c);
4329  }
4330 
4331  c->c2.frame_initial = c->c2.frame;
4332 
4333  /* print MTU info */
4335 
4336 #ifdef ENABLE_OCC
4337  /* get local and remote options compatibility strings */
4338  if (c->mode == CM_P2P || child)
4339  {
4341  }
4342 #endif
4343 
4344  /* initialize output speed limiter */
4345  if (c->mode == CM_P2P)
4346  {
4348  }
4349 
4350  /* do one-time inits, and possibly become a daemon here */
4351  do_init_first_time(c);
4352 
4353 #ifdef ENABLE_PLUGIN
4354  /* initialize plugins */
4355  if (c->mode == CM_P2P || c->mode == CM_TOP)
4356  {
4358  }
4359 #endif
4360 
4361  /* initialise connect timeout timer */
4363 
4364  /* finalize the TCP/UDP socket */
4365  if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
4366  {
4367  do_init_socket_2(c);
4368  }
4369 
4370  /*
4371  * Actually do UID/GID downgrade, and chroot, if requested.
4372  * May be delayed by --client, --pull, or --up-delay.
4373  */
4375 
4376  /* initialize timers */
4377  if (c->mode == CM_P2P || child)
4378  {
4379  do_init_timers(c, false);
4380  }
4381 
4382 #ifdef ENABLE_PLUGIN
4383  /* initialize plugins */
4384  if (c->mode == CM_P2P || c->mode == CM_TOP)
4385  {
4387  }
4388 #endif
4389 
4390 #if PORT_SHARE
4391  /* share OpenVPN port with foreign (such as HTTPS) server */
4392  if (c->first_time && (c->mode == CM_P2P || c->mode == CM_TOP))
4393  {
4394  init_port_share(c);
4395  }
4396 #endif
4397 
4398 #ifdef ENABLE_PF
4399  if (child)
4400  {
4401  pf_init_context(c);
4402  }
4403 #endif
4404 
4405  /* Check for signals */
4406  if (IS_SIG(c))
4407  {
4408  goto sig;
4409  }
4410 
4411  return;
4412 
4413 sig:
4414  if (!c->sig->signal_text)
4415  {
4416  c->sig->signal_text = "init_instance";
4417  }
4418  close_context(c, -1, flags);
4419  return;
4420 }
4421 
4422 /*
4423  * Close a tunnel instance.
4424  */
4425 void
4427 {
4428  /* close event objects */
4429  do_close_event_set(c);
4430 
4431  if (c->mode == CM_P2P
4432  || c->mode == CM_CHILD_TCP
4433  || c->mode == CM_CHILD_UDP
4434  || c->mode == CM_TOP)
4435  {
4436  /* if xinetd/inetd mode, don't allow restart */
4438 
4439 #ifdef USE_COMP
4440  if (c->c2.comp_context)
4441  {
4442  comp_uninit(c->c2.comp_context);
4443  c->c2.comp_context = NULL;
4444  }
4445 #endif
4446 
4447  /* free buffers */
4448  do_close_free_buf(c);
4449 
4450  /* close TLS */
4451  do_close_tls(c);
4452 
4453  /* free key schedules */
4454  do_close_free_key_schedule(c, (c->mode == CM_P2P || c->mode == CM_TOP));
4455 
4457 
4458  /* close TCP/UDP connection */
4460 
4461  /* close TUN/TAP device */
4462  do_close_tun(c, false);
4463 
4464 #ifdef MANAGEMENT_DEF_AUTH
4465  if (management)
4466  {
4467  management_notify_client_close(management, &c->c2.mda_context, NULL);
4468  }
4469 #endif
4470 
4471 #ifdef ENABLE_PF
4472  pf_destroy_context(&c->c2.pf);
4473 #endif
4474 
4475 #ifdef ENABLE_PLUGIN
4476  /* call plugin close functions and unload */
4477  do_close_plugins(c);
4478 #endif
4479 
4480  /* close packet-id persistence file */
4481  do_close_packet_id(c);
4482 
4483  /* close --status file */
4485 
4486 #ifdef ENABLE_FRAGMENT
4487  /* close fragmentation handler */
4488  do_close_fragment(c);
4489 #endif
4490 
4491  /* close --ifconfig-pool-persist obj */
4493 
4494  /* free up environmental variable store */
4495  do_env_set_destroy(c);
4496 
4497  /* close HTTP or SOCKS proxy */
4498  uninit_proxy(c);
4499 
4500  /* garbage collect */
4501  gc_free(&c->c2.gc);
4502  }
4503 }
4504 
4505 void
4507  const struct context *src)
4508 {
4509  CLEAR(*dest);
4510 
4511  /* proto_is_dgram will ASSERT(0) if proto is invalid */
4513 
4514  dest->gc = gc_new();
4515 
4516  ALLOC_OBJ_CLEAR_GC(dest->sig, struct signal_info, &dest->gc);
4517 
4518  /* c1 init */
4520 
4521  dest->c1.ks.key_type = src->c1.ks.key_type;
4522  /* inherit SSL context */
4523  dest->c1.ks.ssl_ctx = src->c1.ks.ssl_ctx;
4524  dest->c1.ks.tls_wrap_key = src->c1.ks.tls_wrap_key;
4527  /* inherit pre-NCP ciphers */
4528  dest->c1.ciphername = src->c1.ciphername;
4529  dest->c1.authname = src->c1.authname;
4530  dest->c1.keysize = src->c1.keysize;
4531 
4532  /* inherit auth-token */
4533  dest->c1.ks.auth_token_key = src->c1.ks.auth_token_key;
4534 
4535  /* options */
4536  dest->options = src->options;
4537  options_detach(&dest->options);
4538 
4539  if (dest->mode == CM_CHILD_TCP)
4540  {
4541  /*
4542  * The CM_TOP context does the socket listen(),
4543  * and the CM_CHILD_TCP context does the accept().
4544  */
4545  dest->c2.accept_from = src->c2.link_socket;
4546  }
4547 
4548 #ifdef ENABLE_PLUGIN
4549  /* inherit plugins */
4550  do_inherit_plugins(dest, src);
4551 #endif
4552 
4553  /* context init */
4554  init_instance(dest, src->c2.es, CC_NO_CLOSE | CC_USR1_TO_HUP);
4555  if (IS_SIG(dest))
4556  {
4557  return;
4558  }
4559 
4560  /* inherit tun/tap interface object */
4561  dest->c1.tuntap = src->c1.tuntap;
4562 
4563  /* UDP inherits some extra things which TCP does not */
4564  if (dest->mode == CM_CHILD_UDP)
4565  {
4566  /* inherit buffers */
4567  dest->c2.buffers = src->c2.buffers;
4568 
4569  /* inherit parent link_socket and tuntap */
4570  dest->c2.link_socket = src->c2.link_socket;
4571 
4572  ALLOC_OBJ_GC(dest->c2.link_socket_info, struct link_socket_info, &dest->gc);
4573  *dest->c2.link_socket_info = src->c2.link_socket->info;
4574 
4575  /* locally override some link_socket_info fields */
4576  dest->c2.link_socket_info->lsa = &dest->c1.link_socket_addr;
4578  }
4579 }
4580 
4581 void
4583  const struct context *src)
4584 {
4585  /* copy parent */
4586  *dest = *src;
4587 
4588  /*
4589  * CM_TOP_CLONE will prevent close_instance from freeing or closing
4590  * resources owned by the parent.
4591  *
4592  * Also note that CM_TOP_CLONE context objects are
4593  * closed by multi_top_free in multi.c.
4594  */
4595  dest->mode = CM_TOP_CLONE;
4596 
4597  dest->first_time = false;
4598  dest->c0 = NULL;
4599 
4600  options_detach(&dest->options);
4601  gc_detach(&dest->gc);
4602  gc_detach(&dest->c2.gc);
4603 
4604  /* detach plugins */
4605  dest->plugins_owned = false;
4606 
4607  dest->c2.tls_multi = NULL;
4608 
4609  /* detach c1 ownership */
4610  dest->c1.tuntap_owned = false;
4611  dest->c1.status_output_owned = false;
4612 #if P2MP_SERVER
4613  dest->c1.ifconfig_pool_persist_owned = false;
4614 #endif
4615 
4616  /* detach c2 ownership */
4617  dest->c2.event_set_owned = false;
4618  dest->c2.link_socket_owned = false;
4619  dest->c2.buffers_owned = false;
4620  dest->c2.es_owned = false;
4621 
4622  dest->c2.event_set = NULL;
4623  if (proto_is_dgram(src->options.ce.proto))
4624  {
4625  do_event_set_init(dest, false);
4626  }
4627 
4628 #ifdef USE_COMP
4629  dest->c2.comp_context = NULL;
4630 #endif
4631 }
4632 
4633 void
4634 close_context(struct context *c, int sig, unsigned int flags)
4635 {
4636  ASSERT(c);
4637  ASSERT(c->sig);
4638 
4639  if (sig >= 0)
4640  {
4641  c->sig->signal_received = sig;
4642  }
4643 
4644  if (c->sig->signal_received == SIGUSR1)
4645  {
4646  if ((flags & CC_USR1_TO_HUP)
4647  || (c->sig->source == SIG_SOURCE_HARD && (flags & CC_HARD_USR1_TO_HUP)))
4648  {
4649  c->sig->signal_received = SIGHUP;
4650  c->sig->signal_text = "close_context usr1 to hup";
4651  }
4652  }
4653 
4654  if (!(flags & CC_NO_CLOSE))
4655  {
4656  close_instance(c);
4657  }
4658 
4659  if (flags & CC_GC_FREE)
4660  {
4661  context_gc_free(c);
4662  }
4663 }
4664 
4665 /*
4666  * Do a loopback test
4667  * on the crypto subsystem.
4668  */
4669 static void *
4671 {
4672  struct context *c = (struct context *) arg;
4673  const struct options *options = &c->options;
4674 
4675  ASSERT(options->test_crypto);
4677  context_init_1(c);
4679  do_init_crypto_static(c, 0);
4680 
4681  frame_finalize_options(c, options);
4682 
4683  test_crypto(&c->c2.crypto_options, &c->c2.frame);
4684 
4685  key_schedule_free(&c->c1.ks, true);
4687 
4688  context_gc_free(c);
4689  return NULL;
4690 }
4691 
4692 bool
4693 do_test_crypto(const struct options *o)
4694 {
4695  if (o->test_crypto)
4696  {
4697  struct context c;
4698 
4699  /* print version number */
4700  msg(M_INFO, "%s", title_string);
4701 
4702  context_clear(&c);
4703  c.options = *o;
4704  options_detach(&c.options);
4705  c.first_time = true;
4706  test_crypto_thread((void *) &c);
4707  return true;
4708  }
4709  return false;
4710 }
struct tuntap_options tuntap_options
Definition: options.h:296
bool tcp_mode
Definition: ssl_common.h:302
struct env_set * es
Definition: openvpn.h:429
char port[RH_PORT_LEN]
Definition: options.h:177
const char * ciphername
Data channel cipher from config file.
Definition: openvpn.h:210
bool remote_float
Definition: options.h:95
bool socks_proxy_owned
Definition: openvpn.h:190
void warn_on_use_of_common_subnets(openvpn_net_ctx_t *ctx)
Definition: tun.c:456
static void init_crypto_pre(struct context *c, const unsigned int flags)
Definition: init.c:2521
void interval_init(struct interval *top, int horizon, int refresh)
Definition: interval.c:37
const char * status_file
Definition: options.h:331
void management_close(struct management *man)
Definition: manage.c:2636
int ifconfig_pool_persist_refresh_freq
Definition: options.h:429
struct key_type key_type
Definition: ssl_common.h:247
struct ifconfig_pool_persist * ifconfig_pool_persist_init(const char *filename, int refresh_freq)
Definition: pool.c:426
bool persist_remote_ip
Definition: options.h:285
int sndbuf
Definition: options.h:344
static void frame_add_to_extra_buffer(struct frame *frame, const int increment)
Definition: mtu.h:298
void platform_group_set(const struct platform_state_group *state)
Definition: platform.c:130
struct route_ipv6_option_list * routes_ipv6
Definition: options.h:363
bool log_rw
Definition: openvpn.h:389
void frame_subtract_extra(struct frame *frame, const struct frame *src)
Definition: mtu.c:123
static int route_did_redirect_default_gateway(const struct route_list *rl)
Definition: route.h:406
void set_std_files_to_null(bool stdin_only)
Definition: misc.c:58
#define CO_PACKET_ID_LONG_FORM
Bit-flag indicating whether to use OpenVPN&#39;s long packet ID format.
Definition: crypto.h:245
struct http_proxy_info * http_proxy_new(const struct http_proxy_options *o)
Definition: proxy.c:496
static void strncpynt(char *dest, const char *src, size_t maxlen)
Definition: buffer.h:348
const char * socks_proxy_port
Definition: options.h:104
#define TM_ACTIVE
Active tls_session.
Definition: ssl_common.h:466
struct frame frame_fragment_omit
Definition: openvpn.h:270
const char * tmp_dir
Definition: ssl_common.h:319
struct env_set * env_set_create(struct gc_arena *gc)
Definition: env_set.c:158
struct event_timeout route_wakeup
Definition: openvpn.h:392
bool tun_mtu_defined
Definition: options.h:108
static void uninit_proxy_dowork(struct context *c)
Definition: init.c:558
#define OPT_P_DEFAULT
Definition: options.h:683
static void do_init_route_ipv6_list(const struct options *options, struct route_ipv6_list *route_ipv6_list, const struct link_socket_info *link_socket_info, struct env_set *es, openvpn_net_ctx_t *ctx)
Definition: init.c:1492
bool platform_group_get(const char *groupname, struct platform_state_group *state)
Definition: platform.c:108
int dev_type_enum(const char *dev, const char *dev_type)
Definition: tun.c:240
Definition: tun.h:132
bool ncp_enabled
Definition: options.h:504
unsigned int management_flags
Definition: options.h:388
static void do_close_tun(struct context *c, bool force)
Definition: init.c:1955
struct packet_id packet_id
Current packet ID state for both sending and receiving directions.
Definition: crypto.h:238
void free_key_ctx(struct key_ctx *ctx)
Definition: crypto.c:894
static void do_init_crypto_static(struct context *c, const unsigned int flags)
Definition: init.c:2549
const char * signal_description(const int signum, const char *sigtext)
Definition: sig.c:91
struct key_state key[KS_SIZE]
Definition: ssl_common.h:446
struct buffer read_tun_buf
Definition: openvpn.h:112
const char * crl_file
Definition: ssl_common.h:284
#define P2MP_SERVER
Definition: syshead.h:524
#define M_NOPREFIX
Definition: error.h:102
bool block_outside_dns
Definition: options.h:629
uint8_t hmac_length
HMAC length, in bytes.
Definition: crypto.h:142
#define D_INIT_MEDIUM
Definition: errlevel.h:105
struct event_timeout ping_rec_interval
Definition: openvpn.h:301
unsigned int crypto_max_overhead(void)
Return the worst-case OpenVPN crypto overhead (in bytes)
Definition: crypto.c:732
void tls_auth_standalone_finalize(struct tls_auth_standalone *tas, const struct frame *frame)
Definition: ssl.c:1319
bool tls_crypt_v2
Definition: ssl_common.h:308
struct options options
Options loaded from command line or configuration file.
Definition: openvpn.h:504
void platform_nice(int niceval)
Definition: platform.c:156
void plugin_return_get_column(const struct plugin_return *src, struct plugin_return *dest, const char *colname)
Definition: plugin.c:962
struct event_timeout route_wakeup_expire
Definition: openvpn.h:393
#define PAR_NCT
Definition: proxy.h:50
bool mute_replay_warnings
Definition: options.h:512
void test_crypto(struct crypto_options *co, struct frame *frame)
Definition: crypto.c:1089
#define BASE_N_EVENTS
Definition: init.h:33
void tun_standby_init(struct tuntap *tt)
Definition: tun.c:5296
bool show_curves
Definition: options.h:215
void free_buf(struct buffer *buf)
Definition: buffer.c:185
#define D_ROUTE
Definition: errlevel.h:80
bool exit_event_initial_state
Definition: options.h:626
const char * cipher_list
Definition: options.h:531
unsigned int flags
Bit-flags determining behavior of security operation functions.
Definition: crypto.h:257
bool tls_server
Definition: options.h:522
struct link_socket * link_socket_new(void)
Definition: socket.c:1845
static void do_alloc_route_list(struct context *c)
Definition: init.c:1437
static bool management_callback_remote_cmd(void *arg, const char **p)
Definition: init.c:293
void socks_proxy_close(struct socks_proxy_info *sp)
Definition: socks.c:91
char * string_alloc(const char *str, struct gc_arena *gc)
Definition: buffer.c:688
#define CE_MAN_QUERY_REMOTE_MOD
Definition: options.h:128
void init_verb_mute(struct context *c, unsigned int flags)
Definition: init.c:982
char * options_string(const struct options *o, const struct frame *frame, struct tuntap *tt, openvpn_net_ctx_t *ctx, bool remote, struct gc_arena *gc)
Definition: options.c:3551
struct argv argv_new(void)
Definition: argv.c:52
static bool options_hash_changed_or_zero(const struct sha256_digest *a, const struct sha256_digest *b)
Helper for do_up().
Definition: init.c:2108
static void init_proxy_dowork(struct context *c)
Definition: init.c:575
static void frame_or_align_flags(struct frame *frame, const unsigned int flag_mask)
Definition: mtu.h:316
void prng_init(const char *md_name, const int nonce_secret_len_parm)
Pseudo-random number generator initialisation.
Definition: crypto.c:1711
struct packet_id_persist * pid_persist
Persistent packet ID state for keeping state between successive OpenVPN process startups.
Definition: crypto.h:240
#define SET_MTU_TUN
Definition: mtu.h:220
struct cached_dns_entry * dns_cache
Definition: openvpn.h:163
bool did_open_tun
Definition: openvpn.h:396
void add_routes(struct route_list *rl, struct route_ipv6_list *rl6, const struct tuntap *tt, unsigned int flags, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition: route.c:1186
unsigned int auth_token_lifetime
Definition: ssl_common.h:327
const char * tls_cert_profile
Definition: options.h:533
int management_log_history_cache
Definition: options.h:379
#define M_OPTERR
Definition: error.h:105
#define STATUS_OUTPUT_WRITE
Definition: status.h:51
const char * tls_crypt_v2_verify_script
Definition: ssl_common.h:309
struct interval tmp_int
Definition: openvpn.h:353
#define streq(x, y)
Definition: options.h:648
const char * ifconfig_pool_persist_filename
Definition: options.h:428
const char * chroot_dir
Definition: options.h:301
#define P2P_ERROR_DELAY_MS
Definition: errlevel.h:41
void string_clear(char *str)
Definition: buffer.c:731
static void do_inherit_plugins(struct context *c, const struct context *src)
Definition: init.c:3903
static void do_close_event_set(struct context *c)
Definition: init.c:3695
static void do_init_crypto_tls_c1(struct context *c)
Definition: init.c:2689
static void plugin_return_init(struct plugin_return *pr)
Definition: plugin.h:170
bool server_bridge_proxy_dhcp
Definition: options.h:415
#define S_FATAL
Definition: run_command.h:46
const char * dev
Definition: options.h:240
#define WSO_FORCE_SERVICE
Definition: win32.h:164
int ping_rec_timeout_action
Definition: options.h:281
bool do_up(struct context *c, bool pulled_options, unsigned int option_types_found)
Definition: init.c:2118
bool auth_token_generate
Definition: options.h:471
void packet_id_persist_load_obj(const struct packet_id_persist *p, struct packet_id *pid)
Definition: packet_id.c:524
int inetd
Definition: options.h:318
#define D_IMPORT_ERRORS
Definition: errlevel.h:64
void print_default_gateway(const int msglevel, const struct route_gateway_info *rgi, const struct route_ipv6_gateway_info *rgi6)
Definition: route.c:1323
#define M_INFO
Definition: errlevel.h:55
void notnull(const char *arg, const char *description)
Definition: options.c:4183
void tun_abort(void)
Definition: init.c:2088
Contains all state information for one tunnel.
Definition: openvpn.h:502
#define CIPHER_ENABLED(c)
Definition: openvpn.h:573
Packet geometry parameters.
Definition: mtu.h:93
static void do_env_set_destroy(struct context *c)
Definition: init.c:3782
static void do_init_tls_wrap_key(struct context *c)
Definition: init.c:2608
#define PAR_ALL
Definition: proxy.h:49
bool cipher_kt_mode_ofb_cfb(const cipher_kt_t *cipher)
Check if the supplied cipher is a supported OFB or CFB mode cipher.
#define ROUTE_AFTER_TUN
Definition: tun.h:323
struct env_set * es
Set of environment variables.
Definition: openvpn.h:525
#define D_PUSH
Definition: errlevel.h:83
#define M_USAGE
Definition: error.h:111
void crypto_read_openvpn_key(const struct key_type *key_type, struct key_ctx_bi *ctx, const char *key_file, const char *key_inline, const int key_direction, const char *key_name, const char *opt_name)
Definition: crypto.c:1177
#define srandom
Definition: syshead.h:44
bool proto_is_udp(int proto)
Definition: socket.c:3174
struct openvpn_plugin_string_list * list[MAX_PLUGINS]
Definition: plugin.h:104
void remap_signal(struct context *c)
Definition: sig.c:374
void tls_crypt_init_key(struct key_ctx_bi *key, const char *key_file, const char *key_inline, bool tls_server)
Initialize a key_ctx_bi structure for use with –tls-crypt.
Definition: tls_crypt.c:81
static void gc_free(struct gc_arena *a)
Definition: buffer.h:1023
void link_socket_init_phase1(struct link_socket *sock, const char *local_host, const char *local_port, const char *remote_host, const char *remote_port, struct cached_dns_entry *dns_cache, int proto, sa_family_t af, bool bind_ipv6_only, int mode, const struct link_socket *accept_from, struct http_proxy_info *http_proxy, struct socks_proxy_info *socks_proxy, bool bind_local, bool remote_float, int inetd, struct link_socket_addr *lsa, const char *ipchange_command, const struct plugin_list *plugins, int resolve_retry_seconds, int mtu_discover_type, int rcvbuf, int sndbuf, int mark, struct event_timeout *server_poll_timeout, unsigned int sockflags)
Definition: socket.c:1856
struct tls_root_ctx ssl_ctx
Definition: ssl_common.h:244
void error_reset(void)
Definition: error.c:163
#define PAYLOAD_ALIGN
Definition: mtu.h:86
static bool management_callback_proxy_cmd(void *arg, const char **p)
Definition: init.c:212
#define OPT_P_PLUGIN
Definition: options.h:677
static void frame_add_to_extra_frame(struct frame *frame, const unsigned int increment)
Definition: mtu.h:274
static int plugin_call(const struct plugin_list *pl, const int type, const struct argv *av, struct plugin_return *pr, struct env_set *es)
Definition: plugin.h:201
#define dmsg
Definition: error.h:174
void close_context(struct context *c, int sig, unsigned int flags)
Definition: init.c:4634
int script_security(void)
Definition: run_command.c:45
static void do_init_socket_2(struct context *c)
Definition: init.c:3427
bool platform_user_get(const char *username, struct platform_state_user *state)
Definition: platform.c:69
#define SDL_CONSTRAIN
Definition: error.h:203
const char * auth_user_pass_verify_script
Definition: ssl_common.h:317
const char * shared_secret_file
Definition: options.h:500
static void packet_id_persist_init(struct packet_id_persist *p)
Definition: openvpn.h:84
union openvpn_sockaddr::@8 addr
void open_tun(const char *dev, const char *dev_type, const char *dev_node, struct tuntap *tt)
Definition: tun.c:5541
#define RH_PORT_LEN
Definition: options.h:176
#define EVENT_METHOD_FAST
Definition: event.h:42
uint32_t peer_id
Definition: options.h:633
#define D_TLS_ERRORS
Definition: errlevel.h:59
#define OPENVPN_PLUGIN_DOWN
void init_management_callback_p2p(struct context *c)
Definition: init.c:3977
struct tls_auth_standalone * tls_auth_standalone
TLS state structure required for the initial authentication of a client&#39;s connection attempt...
Definition: openvpn.h:341
#define OPENVPN_PLUGIN_ROUTE_UP
struct buffer_list * buffer_list_new(const int max_size)
Allocate an empty buffer list of capacity max_size.
Definition: buffer.c:1201
#define IFCONFIG_BEFORE_TUN_OPEN
Definition: tun.h:295
void close_instance(struct context *c)
Definition: init.c:4426
void get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6, const struct in6_addr *dest, openvpn_net_ctx_t *ctx)
Definition: route.c:2808
Definition: options.h:86
int renegotiate_seconds
Definition: options.h:579
const char * client_config_dir_exclusive
Definition: ssl_common.h:333
void http_proxy_close(struct http_proxy_info *hp)
Definition: proxy.c:557
static void frame_add_to_extra_link(struct frame *frame, const int increment)
Definition: mtu.h:292
void tls_multi_free(struct tls_multi *multi, bool clear)
Cleanup a tls_multi structure and free associated memory allocations.
Definition: ssl.c:1346
#define OPT_P_IPWIN32
Definition: options.h:656
bool persist_key
Definition: options.h:286
#define SIGUSR1
Definition: config-msvc.h:116
int replay_window
Definition: options.h:513
int persist_mode
Definition: options.h:208
int keysize
Data channel keysize from config file.
Definition: openvpn.h:212
#define SET_MTU_UPPER_BOUND
Definition: mtu.h:221
static void clear_remote_addrlist(struct link_socket_addr *lsa, bool free)
Definition: init.c:413
const char * auth_user_pass_file
Definition: ssl_common.h:320
static void do_signal_on_tls_errors(struct context *c)
Definition: init.c:3830
struct context_buffers * buffers
Definition: openvpn.h:376
int verify_x509_type
Definition: ssl_common.h:282
struct buffer alloc_buf(size_t size)
Definition: buffer.c:64
int connect_retry_seconds
Definition: options.h:99
void setenv_routes_ipv6(struct env_set *es, const struct route_ipv6_list *rl6)
Definition: route.c:1470
void buffer_list_free(struct buffer_list *ol)
Frees a buffer list and all the buffers in it.
Definition: buffer.c:1211
struct event_timeout wait_for_connect
Definition: openvpn.h:299
int rcvbuf
Definition: options.h:343
const char * crl_file_inline
Definition: options.h:544
#define D_LOG_RW
Definition: errlevel.h:110
struct link_socket_info * link_socket_info
Definition: openvpn.h:255
static void next_connection_entry(struct context *c)
Definition: init.c:427
int handshake_window
Definition: ssl_common.h:273
struct connection_list * connection_list
Definition: options.h:224
const char * guess_tuntap_dev(const char *dev, const char *dev_type, const char *dev_node, struct gc_arena *gc)
Definition: tun.c:284
void buffer_list_aggregate(struct buffer_list *bl, const size_t max)
Aggregates as many buffers as possible from bl in a new buffer of maximum length max_len ...
Definition: buffer.c:1342
#define LS_MODE_DEFAULT
Definition: socket.h:196
struct crypto_options opt
Crypto state.
Definition: ssl_common.h:227
#define RH_HOST_LEN
Definition: options.h:174
const char * exit_event_name
Definition: options.h:625
#define AR_NONE
Definition: options.h:835
void md_ctx_free(md_ctx_t *ctx)
const struct link_socket * accept_from
Definition: openvpn.h:256
bool route_noexec
Definition: options.h:358
unsigned int sockflags
Definition: options.h:350
static void frame_finalize_options(struct context *c, const struct options *o)
Definition: init.c:2477
const char * auth_token_secret_file_inline
Definition: options.h:476
in_addr_t remote_netmask
Definition: tun.h:154
const char * tls_crypt_file
Definition: options.h:140
void packet_id_persist_close(struct packet_id_persist *p)
Definition: packet_id.c:419
static void do_close_tls(struct context *c)
Definition: init.c:3549
const char * genkey_extra_data
Definition: options.h:219
static bool ce_management_query_remote(struct context *c)
Definition: init.c:340
void add_route_ipv6_to_option_list(struct route_ipv6_option_list *l, const char *prefix, const char *gateway, const char *metric)
Definition: route.c:503
bool buf_printf(struct buffer *buf, const char *format,...)
Definition: buffer.c:245
#define ENABLE_PKCS11
Definition: config-msvc.h:18
const char * route_script
Definition: options.h:353
int management_state_buffer_size
Definition: options.h:381
static char * format_hex(const uint8_t *data, int size, int maxoutput, struct gc_arena *gc)
Definition: buffer.h:526
int resolve_retry_seconds
Definition: options.h:292
#define D_GENKEY
Definition: errlevel.h:79
void setenv_str(struct env_set *es, const char *name, const char *value)
Definition: env_set.c:285
const char * auth_token_secret_file
Definition: options.h:475
struct link_socket_addr link_socket_addr
Local and remote addresses on the external network.
Definition: openvpn.h:155
#define SIZE(x)
Definition: basic.h:30
#define D_MTU_INFO
Definition: errlevel.h:106
#define D_READ_WRITE
Definition: errlevel.h:162
struct socks_proxy_info * socks_proxy
Definition: openvpn.h:189
#define in_addr_t
Definition: config-msvc.h:104
static int buf_read_u8(struct buffer *buf)
Definition: buffer.h:812
static void do_init_frame(struct context *c)
Definition: init.c:3054
const char * config
Definition: options.h:194
int route_delay
Definition: options.h:359
#define D_RESTART
Definition: errlevel.h:82
struct signal_info * sig
Internal error signaling object.
Definition: openvpn.h:529
#define MAX_PARMS
Definition: options.h:51
const char * port
Definition: proxy.h:46
const char * down_script
Definition: options.h:308
const char * local_port
Definition: options.h:90
void socks_adjust_frame_parameters(struct frame *frame, int proto)
Definition: socks.c:53
const char * route_predown_script
Definition: options.h:354
void open_plugins(struct context *c, const bool import_options, int init_point)
Definition: init.c:3855
const char * ekm_label
Definition: ssl_common.h:372
void post_init_signal_catch(void)
Definition: sig.c:255
bool link_socket_update_flags(struct link_socket *ls, unsigned int sockflags)
Definition: socket.c:971
struct frame frame_initial
Definition: openvpn.h:263
bool down_pre
Definition: options.h:310
int keepalive_timeout
Definition: options.h:269
#define OPT_P_SOCKBUF
Definition: options.h:678
#define OPENVPN_PLUGIN_INIT_POST_DAEMON
void * openvpn_net_ctx_t
Definition: networking.h:26
#define SIGTERM
Definition: config-msvc.h:118
bool auth_token_generate
Generate auth-tokens on successful user/pass auth,seet via options->auth_token_generate.
Definition: ssl_common.h:323
static void do_init_traffic_shaper(struct context *c)
Definition: init.c:1419
#define TLS_MODE(c)
Definition: openvpn.h:565
void init_query_passwords(const struct context *c)
Query for private key and auth-user-pass username/passwords.
Definition: init.c:532
bool push_peer_info
Definition: options.h:614
#define OPT_P_SETENV
Definition: options.h:658
#define CE_MAN_QUERY_PROXY
Definition: options.h:124
#define SIGHUP
Definition: config-msvc.h:114
struct tuntap * tuntap
Tun/tap virtual network interface.
Definition: openvpn.h:168
int renegotiate_seconds_min
Definition: options.h:580
bool management_hold(struct management *man, int holdtime)
Definition: manage.c:3698
#define PING_RESTART
Definition: options.h:280
static void do_init_finalize_tls_frame(struct context *c)
Definition: init.c:3004
int handshake_window
Definition: options.h:584
#define ASSERT(x)
Definition: error.h:221
static void do_close_plugins(struct context *c)
Definition: init.c:3892
#define D_SHOW_NET
Definition: errlevel.h:129
static int ifconfig_order(void)
Definition: tun.h:301
struct gc_arena gc
Garbage collection arena for allocations done in the level 2 scope of this context_2 structure...
Definition: openvpn.h:227
char * basename(char *filename)
static bool check_debug_level(unsigned int level)
Definition: error.h:245
unsigned int crypto_flags
Definition: ssl_common.h:298
const char * tls_auth_file_inline
Definition: options.h:136
struct key_ctx_bi tls_wrap_key
Definition: openvpn.h:68
#define OPENVPN_PLUGIN_FUNC_SUCCESS
struct remote_host_store * rh_store
Definition: options.h:236
struct tls_session session[TM_SIZE]
Array of tls_session objects representing control channel sessions with the remote peer...
Definition: ssl_common.h:593
int explicit_exit_notification
Definition: options.h:121
void platform_user_set(const struct platform_state_user *state)
Definition: platform.c:91
int status_file_update_freq
Definition: options.h:333
int verify_x509_type
Definition: options.h:536
unsigned int unsuccessful_attempts
Definition: options.h:230
void close_management(void)
Definition: init.c:4060
bool tuntap_owned
Whether the tun/tap interface should be cleaned up when this context is cleaned up.
Definition: openvpn.h:169
bool auth_token_call_auth
Definition: options.h:473
const char * config_ciphername
Definition: ssl_common.h:304
const char * prng_hash
Definition: options.h:508
bool tls_session_update_crypto_params(struct tls_session *session, struct options *options, struct frame *frame, struct frame *frame_fragment)
Update TLS session crypto parameters (cipher and auth) and derive data channel keys based on the supp...
Definition: ssl.c:1987
int ping_rec_timeout
Definition: options.h:275
void(* status)(void *arg, const int version, struct status_output *so)
Definition: manage.h:161
#define D_LOW
Definition: errlevel.h:97
bool ifconfig_noexec
Definition: options.h:250
bool fast_io
Definition: options.h:336
int key_direction
Definition: options.h:502
int renegotiate_bytes
Definition: ssl_common.h:275
void status_printf(struct status_output *so, const char *format,...)
Definition: status.c:239
static void update_options_ce_post(struct options *options)
Definition: init.c:191
void do_ifconfig(struct tuntap *tt, const char *ifname, int tun_mtu, const struct env_set *es, openvpn_net_ctx_t *ctx)
do_ifconfig - configure the tunnel interface
Definition: tun.c:1408
struct tuntap_options options
Definition: tun.h:145
bool link_mtu_defined
Definition: options.h:112
static struct context * static_context
Definition: init.c:59
char username[USER_PASS_LEN]
Definition: misc.h:74
const char * tls_crypt_v2_inline
Definition: options.h:146
bool init_static(void)
Definition: init.c:726
void platform_mlockall(bool print_msg)
Definition: platform.c:193
#define OCC_MTU_LOAD_INTERVAL_SECONDS
Definition: occ.h:64
struct frame frame_fragment_initial
Definition: openvpn.h:269
void packet_id_free(struct packet_id *p)
Definition: packet_id.c:101
#define CE_MAN_QUERY_REMOTE_SKIP
Definition: options.h:129
struct socks_proxy_info * socks_proxy_new(const char *server, const char *port, const char *authfile)
Definition: socks.c:62
#define MODE_SERVER
Definition: options.h:198
bool use_peer_id
Definition: ssl_common.h:586
struct event_timeout ping_send_interval
Definition: openvpn.h:300
bool route_delay_defined
Definition: options.h:361
void argv_msg(const int msglev, const struct argv *a)
Definition: argv.c:206
#define CM_CHILD_UDP
Definition: openvpn.h:514
bool initialized
Definition: crypto.h:225
bool tls_exit
Definition: options.h:616
#define MF_SERVER
Definition: manage.h:332
bool print_openssl_info(const struct options *options)
Definition: init.c:1015
void restore_signal_state(void)
Definition: sig.c:272
void check_replay_consistency(const struct key_type *kt, bool packet_id)
Definition: crypto.c:1006
#define ALLOC_OBJ_GC(dptr, type, gc)
Definition: buffer.h:1082
void init_tun_post(struct tuntap *tt, const struct frame *frame, const struct tuntap_options *options)
Definition: tun.c:787
int key_direction
Definition: options.h:137
#define PULL_DEFINED(opt)
Definition: options.h:686
char * x509_username_field
Definition: ssl_common.h:291
bool route_nopull
Definition: options.h:365
struct http_proxy_options * init_http_proxy_options_once(struct http_proxy_options **hpo, struct gc_arena *gc)
Definition: proxy.c:48
struct sockaddr_in6 in6
Definition: socket.h:70
list flags
#define TOP_P2P
Definition: proto.h:44
static void do_close_fragment(struct context *c)
Definition: init.c:3661
static void do_uid_gid_chroot(struct context *c, bool no_delay)
Definition: init.c:1213
void close_tun(struct tuntap *tt, openvpn_net_ctx_t *ctx)
Definition: tun.c:6085
#define CF_INIT_TLS_AUTH_STANDALONE
Definition: init.c:66
struct event_set * event_set_init(int *maxevents, unsigned int flags)
Definition: event.c:1180
const char * tls_export_cert
Definition: options.h:538
const char * route_default_gateway
Definition: options.h:355
void ifconfig_pool_persist_close(struct ifconfig_pool_persist *persist)
Definition: pool.c:447
struct status_output * status_open(const char *filename, const int refresh_freq, const int msglevel, const struct virtual_output *vout, const unsigned int flags)
Definition: status.c:63
void init_instance_handle_signals(struct context *c, const struct env_set *env, const unsigned int flags)
Definition: init.c:4088
int remap_sigusr1
Definition: options.h:315
#define VERIFY_X509_NONE
Definition: ssl_verify.h:63
void extract_x509_field_test(void)
bool uid_gid_chroot_set
Definition: openvpn.h:138