OpenVPN
init.c
Go to the documentation of this file.
1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single TCP/UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
9  *
10  * This program is free software; you can redistribute it and/or modify
11  * it under the terms of the GNU General Public License version 2
12  * as published by the Free Software Foundation.
13  *
14  * This program is distributed in the hope that it will be useful,
15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17  * GNU General Public License for more details.
18  *
19  * You should have received a copy of the GNU General Public License along
20  * with this program; if not, write to the Free Software Foundation, Inc.,
21  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22  */
23 
24 #ifdef HAVE_CONFIG_H
25 #include "config.h"
26 #elif defined(_MSC_VER)
27 #include "config-msvc.h"
28 #endif
29 
30 #include "syshead.h"
31 
32 #ifdef ENABLE_SYSTEMD
33 #include <systemd/sd-daemon.h>
34 #endif
35 
36 #include "win32.h"
37 #include "init.h"
38 #include "run_command.h"
39 #include "sig.h"
40 #include "occ.h"
41 #include "list.h"
42 #include "otime.h"
43 #include "pool.h"
44 #include "gremlin.h"
45 #include "occ.h"
46 #include "pkcs11.h"
47 #include "ps.h"
48 #include "lladdr.h"
49 #include "ping.h"
50 #include "mstats.h"
51 #include "ssl_verify.h"
52 #include "tls_crypt.h"
53 #include "forward.h"
54 
55 #include "memdbg.h"
56 
57 
58 static struct context *static_context; /* GLOBAL */
59 
60 /*
61  * Crypto initialization flags
62  */
63 #define CF_LOAD_PERSISTED_PACKET_ID (1<<0)
64 #define CF_INIT_TLS_MULTI (1<<1)
65 #define CF_INIT_TLS_AUTH_STANDALONE (1<<2)
66 
67 static void do_init_first_time(struct context *c);
68 
69 void
71 {
72  CLEAR(*c);
73 }
74 
75 void
77 {
78  CLEAR(c->c1);
79 }
80 
81 void
83 {
84  CLEAR(c->c2);
85 }
86 
87 void
89 {
90  const bool first_time_save = c->first_time;
91  const struct context_persist cpsave = c->persist;
92  context_clear(c);
93  c->first_time = first_time_save;
94  c->persist = cpsave;
95 }
96 
97 /*
98  * Pass tunnel endpoint and MTU parms to a user-supplied script.
99  * Used to execute the up/down script/plugins.
100  */
101 static void
102 run_up_down(const char *command,
103  const struct plugin_list *plugins,
104  int plugin_type,
105  const char *arg,
106 #ifdef _WIN32
107  DWORD adapter_index,
108 #endif
109  const char *dev_type,
110  int tun_mtu,
111  int link_mtu,
112  const char *ifconfig_local,
113  const char *ifconfig_remote,
114  const char *context,
115  const char *signal_text,
116  const char *script_type,
117  struct env_set *es)
118 {
119  struct gc_arena gc = gc_new();
120 
121  if (signal_text)
122  {
123  setenv_str(es, "signal", signal_text);
124  }
125  setenv_str(es, "script_context", context);
126  setenv_int(es, "tun_mtu", tun_mtu);
127  setenv_int(es, "link_mtu", link_mtu);
128  setenv_str(es, "dev", arg);
129  if (dev_type)
130  {
131  setenv_str(es, "dev_type", dev_type);
132  }
133 #ifdef _WIN32
134  setenv_int(es, "dev_idx", adapter_index);
135 #endif
136 
137  if (!ifconfig_local)
138  {
139  ifconfig_local = "";
140  }
141  if (!ifconfig_remote)
142  {
143  ifconfig_remote = "";
144  }
145  if (!context)
146  {
147  context = "";
148  }
149 
150  if (plugin_defined(plugins, plugin_type))
151  {
152  struct argv argv = argv_new();
153  ASSERT(arg);
154  argv_printf(&argv,
155  "%s %d %d %s %s %s",
156  arg,
157  tun_mtu, link_mtu,
158  ifconfig_local, ifconfig_remote,
159  context);
160 
161  if (plugin_call(plugins, plugin_type, &argv, NULL, es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
162  {
163  msg(M_FATAL, "ERROR: up/down plugin call failed");
164  }
165 
166  argv_reset(&argv);
167  }
168 
169  if (command)
170  {
171  struct argv argv = argv_new();
172  ASSERT(arg);
173  setenv_str(es, "script_type", script_type);
174  argv_parse_cmd(&argv, command);
175  argv_printf_cat(&argv, "%s %d %d %s %s %s", arg, tun_mtu, link_mtu,
176  ifconfig_local, ifconfig_remote, context);
177  argv_msg(M_INFO, &argv);
178  openvpn_run_script(&argv, es, S_FATAL, "--up/--down");
179  argv_reset(&argv);
180  }
181 
182  gc_free(&gc);
183 }
184 
185 /*
186  * Should be called after options->ce is modified at the top
187  * of a SIGUSR1 restart.
188  */
189 static void
191 {
192 #if P2MP
193  /*
194  * In pull mode, we usually import --ping/--ping-restart parameters from
195  * the server. However we should also set an initial default --ping-restart
196  * for the period of time before we pull the --ping-restart parameter
197  * from the server.
198  */
199  if (options->pull
200  && options->ping_rec_timeout_action == PING_UNDEF
201  && proto_is_dgram(options->ce.proto))
202  {
205  }
206 #endif
207 }
208 
209 #ifdef ENABLE_MANAGEMENT
210 static bool
211 management_callback_proxy_cmd(void *arg, const char **p)
212 {
213  struct context *c = arg;
214  struct connection_entry *ce = &c->options.ce;
215  struct gc_arena *gc = &c->c2.gc;
216  bool ret = false;
217 
218  update_time();
219  if (streq(p[1], "NONE"))
220  {
221  ret = true;
222  }
223  else if (p[2] && p[3])
224  {
225  if (streq(p[1], "HTTP"))
226  {
227  struct http_proxy_options *ho;
228  if (ce->proto != PROTO_TCP && ce->proto != PROTO_TCP_CLIENT)
229  {
230  msg(M_WARN, "HTTP proxy support only works for TCP based connections");
231  return false;
232  }
234  ho->server = string_alloc(p[2], gc);
235  ho->port = string_alloc(p[3], gc);
236  ho->auth_retry = (p[4] && streq(p[4], "nct") ? PAR_NCT : PAR_ALL);
237  ret = true;
238  }
239  else if (streq(p[1], "SOCKS"))
240  {
241  ce->socks_proxy_server = string_alloc(p[2], gc);
242  ce->socks_proxy_port = string_alloc(p[3], gc);
243  ret = true;
244  }
245  }
246  else
247  {
248  msg(M_WARN, "Bad proxy command");
249  }
250 
251  ce->flags &= ~CE_MAN_QUERY_PROXY;
252 
253  return ret;
254 }
255 
256 static bool
258 {
259  const struct connection_list *l = c->options.connection_list;
260  struct connection_entry *ce = &c->options.ce;
261  struct gc_arena gc;
262  bool ret = true;
263 
264  update_time();
265  if (management)
266  {
267  gc = gc_new();
268  {
269  struct buffer out = alloc_buf_gc(256, &gc);
270  buf_printf(&out, ">PROXY:%u,%s,%s", (l ? l->current : 0) + 1,
271  (proto_is_udp(ce->proto) ? "UDP" : "TCP"), np(ce->remote));
273  }
274  ce->flags |= CE_MAN_QUERY_PROXY;
275  while (ce->flags & CE_MAN_QUERY_PROXY)
276  {
278  if (IS_SIG(c))
279  {
280  ret = false;
281  break;
282  }
283  }
284  gc_free(&gc);
285  }
286 
287  return ret;
288 }
289 
290 
291 static bool
292 management_callback_remote_cmd(void *arg, const char **p)
293 {
294  struct context *c = (struct context *) arg;
295  struct connection_entry *ce = &c->options.ce;
296  int ret = false;
298  {
299  int flags = 0;
300  if (!strcmp(p[1], "ACCEPT"))
301  {
303  ret = true;
304  }
305  else if (!strcmp(p[1], "SKIP"))
306  {
307  flags = CE_MAN_QUERY_REMOTE_SKIP;
308  ret = true;
309  }
310  else if (!strcmp(p[1], "MOD") && p[2] && p[3])
311  {
312  if (strlen(p[2]) < RH_HOST_LEN && strlen(p[3]) < RH_PORT_LEN)
313  {
314  struct remote_host_store *rhs = c->options.rh_store;
315  if (!rhs)
316  {
318  c->options.rh_store = rhs;
319  }
320  strncpynt(rhs->host, p[2], RH_HOST_LEN);
321  strncpynt(rhs->port, p[3], RH_PORT_LEN);
322 
323  ce->remote = rhs->host;
324  ce->remote_port = rhs->port;
325  flags = CE_MAN_QUERY_REMOTE_MOD;
326  ret = true;
327  }
328  }
329  if (ret)
330  {
331  ce->flags &= ~(CE_MAN_QUERY_REMOTE_MASK<<CE_MAN_QUERY_REMOTE_SHIFT);
333  }
334  }
335  return ret;
336 }
337 
338 static bool
340 {
341  struct gc_arena gc = gc_new();
342  volatile struct connection_entry *ce = &c->options.ce;
343  int ce_changed = true; /* presume the connection entry will be changed */
344 
345  update_time();
346  if (management)
347  {
348  struct buffer out = alloc_buf_gc(256, &gc);
349 
350  buf_printf(&out, ">REMOTE:%s,%s,%s", np(ce->remote), ce->remote_port,
351  proto2ascii(ce->proto, ce->af, false));
353 
356  while (((ce->flags >> CE_MAN_QUERY_REMOTE_SHIFT)
358  {
360  if (IS_SIG(c))
361  {
362  ce_changed = false; /* connection entry have not been set */
363  break;
364  }
365  }
366  }
367  gc_free(&gc);
368 
369  if (ce_changed)
370  {
371  /* If it is likely a connection entry was modified,
372  * check what changed in the flags and that it was not skipped
373  */
374  const int flags = ((ce->flags >> CE_MAN_QUERY_REMOTE_SHIFT)
376  ce_changed = (flags != CE_MAN_QUERY_REMOTE_SKIP);
377  }
378  return ce_changed;
379 }
380 #endif /* ENABLE_MANAGEMENT */
381 
382 /*
383  * Initialize and possibly randomize connection list.
384  */
385 static void
387 {
388  struct connection_list *l = c->options.connection_list;
389 
390  l->current = -1;
391  if (c->options.remote_random)
392  {
393  int i;
394  for (i = 0; i < l->len; ++i)
395  {
396  const int j = get_random() % l->len;
397  if (i != j)
398  {
399  struct connection_entry *tmp;
400  tmp = l->array[i];
401  l->array[i] = l->array[j];
402  l->array[j] = tmp;
403  }
404  }
405  }
406 }
407 
408 /*
409  * Clear the remote address list
410  */
411 static void
413 {
414  if (lsa->remote_list && free)
415  {
416  freeaddrinfo(lsa->remote_list);
417  }
418  lsa->remote_list = NULL;
419  lsa->current_remote = NULL;
420 }
421 
422 /*
423  * Increment to next connection entry
424  */
425 static void
427 {
428  struct connection_list *l = c->options.connection_list;
429  bool ce_defined;
430  struct connection_entry *ce;
431  int n_cycles = 0;
432 
433  do
434  {
435  ce_defined = true;
436  if (c->options.no_advance && l->current >= 0)
437  {
438  c->options.no_advance = false;
439  }
440  else
441  {
442  /* Check if there is another resolved address to try for
443  * the current connection */
445  && c->c1.link_socket_addr.current_remote->ai_next)
446  {
448  c->c1.link_socket_addr.current_remote->ai_next;
449  }
450  else
451  {
452  /* FIXME (schwabe) fix the persist-remote-ip option for real,
453  * this is broken probably ever since connection lists and multiple
454  * remote existed
455  */
456  if (!c->options.persist_remote_ip)
457  {
458  /* close_instance should have cleared the addrinfo objects */
461  }
462  else
463  {
466  }
467 
468  /*
469  * Increase the number of connection attempts
470  * If this is connect-retry-max * size(l)
471  * OpenVPN will quit
472  */
473 
475 
476  if (++l->current >= l->len)
477  {
478 
479  l->current = 0;
480  if (++n_cycles >= 2)
481  {
482  msg(M_FATAL, "No usable connection profiles are present");
483  }
484  }
485  }
486  }
487 
488  ce = l->array[l->current];
489 
490  if (ce->flags & CE_DISABLED)
491  {
492  ce_defined = false;
493  }
494 
495  c->options.ce = *ce;
496 #ifdef ENABLE_MANAGEMENT
498  {
499  /* allow management interface to override connection entry details */
500  ce_defined = ce_management_query_remote(c);
501  if (IS_SIG(c))
502  {
503  break;
504  }
505  }
506  else if (ce_defined && management && management_query_proxy_enabled(management))
507  {
508  ce_defined = ce_management_query_proxy(c);
509  if (IS_SIG(c))
510  {
511  break;
512  }
513  }
514 #endif
515  } while (!ce_defined);
516 
517  /* Check if this connection attempt would bring us over the limit */
518  if (c->options.connect_retry_max > 0
520  {
521  msg(M_FATAL, "All connections have been connect-retry-max (%d) times unsuccessful, exiting",
523  }
525 }
526 
527 /*
528  * Query for private key and auth-user-pass username/passwords
529  */
530 void
532 {
533  /* Certificate password input */
534  if (c->options.key_pass_file)
535  {
537  }
538 
539 #if P2MP
540  /* Auth user/pass input */
542  {
543 #ifdef ENABLE_MANAGEMENT
545 #else
547 #endif
548  }
549 #endif
550 }
551 
552 /*
553  * Initialize/Uninitialize HTTP or SOCKS proxy
554  */
555 
556 static void
558 {
559  if (c->c1.http_proxy_owned && c->c1.http_proxy)
560  {
562  c->c1.http_proxy = NULL;
563  c->c1.http_proxy_owned = false;
564  }
565  if (c->c1.socks_proxy_owned && c->c1.socks_proxy)
566  {
568  c->c1.socks_proxy = NULL;
569  c->c1.socks_proxy_owned = false;
570  }
571 }
572 
573 static void
575 {
576  bool did_http = false;
577 
579 
581  {
582  /* Possible HTTP proxy user/pass input */
584  if (c->c1.http_proxy)
585  {
586  did_http = true;
587  c->c1.http_proxy_owned = true;
588  }
589  }
590 
591  if (!did_http && c->options.ce.socks_proxy_server)
592  {
596  if (c->c1.socks_proxy)
597  {
598  c->c1.socks_proxy_owned = true;
599  }
600  }
601 }
602 
603 static void
604 init_proxy(struct context *c)
605 {
607 }
608 
609 static void
611 {
613 }
614 
615 /*
616  * Saves the initial state of NCP-regotiable
617  * options into a storage which persists over SIGUSR1.
618  */
619 static void
621 {
623  c->c1.authname = c->options.authname;
624  c->c1.keysize = c->options.keysize;
625 }
626 
627 /* Restores NCP-negotiable options to original values */
628 static void
630 {
632  c->options.authname = c->c1.authname;
633  c->options.keysize = c->c1.keysize;
634 }
635 
636 void
638 {
639  context_clear_1(c);
640 
642 
644 
645  save_ncp_options(c);
646 
647 #if defined(ENABLE_PKCS11)
648  if (c->first_time)
649  {
650  int i;
651  pkcs11_initialize(true, c->options.pkcs11_pin_cache_period);
652  for (i = 0; i<MAX_PARMS && c->options.pkcs11_providers[i] != NULL; i++)
653  {
654  pkcs11_addProvider(c->options.pkcs11_providers[i], c->options.pkcs11_protected_authentication[i],
655  c->options.pkcs11_private_mode[i], c->options.pkcs11_cert_private[i]);
656  }
657  }
658 #endif
659 
660 #if 0 /* test get_user_pass with GET_USER_PASS_NEED_OK flag */
661  {
662  /*
663  * In the management interface, you can okay the request by entering "needok token-insertion-request ok"
664  */
665  struct user_pass up;
666  CLEAR(up);
667  strcpy(up.username, "Please insert your cryptographic token"); /* put the high-level message in up.username */
668  get_user_pass(&up, NULL, "token-insertion-request", GET_USER_PASS_MANAGEMENT|GET_USER_PASS_NEED_OK);
669  msg(M_INFO, "RET:%s", up.password); /* will return the third argument to management interface
670  * 'needok' command, usually 'ok' or 'cancel'. */
671  }
672 #endif
673 
674 #ifdef ENABLE_SYSTEMD
675  /* We can report the PID via getpid() to systemd here as OpenVPN will not
676  * do any fork due to daemon() a future call.
677  * See possibly_become_daemon() [init.c] for more details.
678  */
679  sd_notifyf(0, "READY=1\nSTATUS=Pre-connection initialization successful\nMAINPID=%lu",
680  (unsigned long) getpid());
681 #endif
682 
683 }
684 
685 void
687 {
688  gc_free(&c->c2.gc);
689  gc_free(&c->options.gc);
690  gc_free(&c->gc);
691 }
692 
693 #if PORT_SHARE
694 
695 static void
696 close_port_share(void)
697 {
698  if (port_share)
699  {
700  port_share_close(port_share);
701  port_share = NULL;
702  }
703 }
704 
705 static void
706 init_port_share(struct context *c)
707 {
708  if (!port_share && (c->options.port_share_host && c->options.port_share_port))
709  {
710  port_share = port_share_open(c->options.port_share_host,
711  c->options.port_share_port,
713  c->options.port_share_journal_dir);
714  if (port_share == NULL)
715  {
716  msg(M_FATAL, "Fatal error: Port sharing failed");
717  }
718  }
719 }
720 
721 #endif /* if PORT_SHARE */
722 
723 
724 bool
726 {
727  /* configure_path (); */
728 
729 #if defined(DMALLOC)
730  crypto_init_dmalloc();
731 #endif
732 
733 
734  /*
735  * Initialize random number seed. random() is only used
736  * when "weak" random numbers are acceptable.
737  * SSL library routines are always used when cryptographically
738  * strong random numbers are required.
739  */
740  struct timeval tv;
741  if (!gettimeofday(&tv, NULL))
742  {
743  const unsigned int seed = (unsigned int) tv.tv_sec ^ tv.tv_usec;
744  srandom(seed);
745  }
746 
747  error_reset(); /* initialize error.c */
748  reset_check_status(); /* initialize status check code in socket.c */
749 
750 #ifdef _WIN32
751  init_win32();
752 #endif
753 
754 #ifdef OPENVPN_DEBUG_COMMAND_LINE
755  {
756  int i;
757  for (i = 0; i < argc; ++i)
758  {
759  msg(M_INFO, "argv[%d] = '%s'", i, argv[i]);
760  }
761  }
762 #endif
763 
764  update_time();
765 
766  init_ssl_lib();
767 
768  /* init PRNG used for IV generation */
769  /* When forking, copy this to more places in the code to avoid fork
770  * random-state predictability */
771  prng_init(NULL, 0);
772 
773 #ifdef PID_TEST
774  packet_id_interactive_test(); /* test the sequence number code */
775  return false;
776 #endif
777 
778 #ifdef SCHEDULE_TEST
779  schedule_test();
780  return false;
781 #endif
782 
783 #ifdef LIST_TEST
784  list_test();
785  return false;
786 #endif
787 
788 #ifdef IFCONFIG_POOL_TEST
789  ifconfig_pool_test(0x0A010004, 0x0A0100FF);
790  return false;
791 #endif
792 
793 #ifdef CHARACTER_CLASS_DEBUG
794  character_class_debug();
795  return false;
796 #endif
797 
798 #ifdef EXTRACT_X509_FIELD_TEST
800  return false;
801 #endif
802 
803 #ifdef TIME_TEST
804  time_test();
805  return false;
806 #endif
807 
808 #ifdef TEST_GET_DEFAULT_GATEWAY
809  {
810  struct route_gateway_info rgi;
811  struct route_ipv6_gateway_info rgi6;
812  get_default_gateway(&rgi);
813  get_default_gateway_ipv6(&rgi6, NULL);
814  print_default_gateway(M_INFO, &rgi, &rgi6);
815  return false;
816  }
817 #endif
818 
819 #ifdef GEN_PATH_TEST
820  {
821  struct gc_arena gc = gc_new();
822  const char *fn = gen_path("foo",
823  "bar",
824  &gc);
825  printf("%s\n", fn);
826  gc_free(&gc);
827  }
828  return false;
829 #endif
830 
831 #ifdef STATUS_PRINTF_TEST
832  {
833  struct gc_arena gc = gc_new();
834  const char *tmp_file = platform_create_temp_file("/tmp", "foo", &gc);
835  struct status_output *so = status_open(tmp_file, 0, -1, NULL, STATUS_OUTPUT_WRITE);
836  status_printf(so, "%s", "foo");
837  status_printf(so, "%s", "bar");
838  if (!status_close(so))
839  {
840  msg(M_WARN, "STATUS_PRINTF_TEST: %s: write error", tmp_file);
841  }
842  gc_free(&gc);
843  }
844  return false;
845 #endif
846 
847 #ifdef ARGV_TEST
848  {
849  void argv_test(void);
850 
851  argv_test();
852  return false;
853  }
854 #endif
855 
856 #ifdef PRNG_TEST
857  {
858  struct gc_arena gc = gc_new();
859  uint8_t rndbuf[8];
860  int i;
861  prng_init("sha1", 16);
862  /*prng_init (NULL, 0);*/
863  const int factor = 1;
864  for (i = 0; i < factor * 8; ++i)
865  {
866 #if 1
867  prng_bytes(rndbuf, sizeof(rndbuf));
868 #else
869  ASSERT(rand_bytes(rndbuf, sizeof(rndbuf)));
870 #endif
871  printf("[%d] %s\n", i, format_hex(rndbuf, sizeof(rndbuf), 0, &gc));
872  }
873  gc_free(&gc);
874  prng_uninit();
875  return false;
876  }
877 #endif /* ifdef PRNG_TEST */
878 
879 #ifdef BUFFER_LIST_AGGREGATE_TEST
880  /* test buffer_list_aggregate function */
881  {
882  static const char *text[] = {
883  "It was a bright cold day in April, ",
884  "and the clocks were striking ",
885  "thirteen. ",
886  "Winston Smith, ",
887  "his chin nuzzled into his breast in an ",
888  "effort to escape the vile wind, ",
889  "slipped quickly through the glass doors ",
890  "of Victory Mansions, though not quickly ",
891  "enough to prevent a swirl of gritty dust from ",
892  "entering along with him."
893  };
894 
895  int iter, listcap;
896  for (listcap = 0; listcap < 12; ++listcap)
897  {
898  for (iter = 0; iter < 512; ++iter)
899  {
900  struct buffer_list *bl = buffer_list_new(listcap);
901  {
902  int i;
903  for (i = 0; i < SIZE(text); ++i)
904  {
905  buffer_list_push(bl, (unsigned char *)text[i]);
906  }
907  }
908  printf("[cap=%d i=%d] *************************\n", listcap, iter);
909  if (!(iter & 8))
910  {
911  buffer_list_aggregate(bl, iter/2);
912  }
913  if (!(iter & 16))
914  {
915  buffer_list_push(bl, (unsigned char *)"Even more text...");
916  }
917  buffer_list_aggregate(bl, iter);
918  if (!(iter & 1))
919  {
920  buffer_list_push(bl, (unsigned char *)"More text...");
921  }
922  {
923  struct buffer *buf;
924  while ((buf = buffer_list_peek(bl)))
925  {
926  int c;
927  printf("'");
928  while ((c = buf_read_u8(buf)) >= 0)
929  {
930  putchar(c);
931  }
932  printf("'\n");
933  buffer_list_advance(bl, 0);
934  }
935  }
936  buffer_list_free(bl);
937  }
938  }
939  return false;
940  }
941 #endif /* ifdef BUFFER_LIST_AGGREGATE_TEST */
942 
943 #ifdef MSTATS_TEST
944  {
945  int i;
946  mstats_open("/dev/shm/mstats.dat");
947  for (i = 0; i < 30; ++i)
948  {
949  mmap_stats->n_clients += 1;
950  mmap_stats->link_write_bytes += 8;
951  mmap_stats->link_read_bytes += 16;
952  sleep(1);
953  }
954  mstats_close();
955  return false;
956  }
957 #endif
958 
959  return true;
960 }
961 
962 void
964 {
965  free_ssl_lib();
966 
967 #ifdef ENABLE_PKCS11
968  pkcs11_terminate();
969 #endif
970 
971 #if PORT_SHARE
972  close_port_share();
973 #endif
974 
975 #if defined(MEASURE_TLS_HANDSHAKE_STATS)
976  show_tls_performance_stats();
977 #endif
978 }
979 
980 void
981 init_verb_mute(struct context *c, unsigned int flags)
982 {
983  if (flags & IVM_LEVEL_1)
984  {
985  /* set verbosity and mute levels */
989  }
990 
991  /* special D_LOG_RW mode */
992  if (flags & IVM_LEVEL_2)
993  {
995  }
996 }
997 
998 /*
999  * Possibly set --dev based on --dev-node.
1000  * For example, if --dev-node /tmp/foo/tun, and --dev undefined,
1001  * set --dev to tun.
1002  */
1003 void
1005 {
1006  if (!options->dev && options->dev_node)
1007  {
1008  char *dev_node = string_alloc(options->dev_node, NULL); /* POSIX basename() implementaions may modify its arguments */
1009  options->dev = basename(dev_node);
1010  }
1011 }
1012 
1013 bool
1015 {
1016  /*
1017  * OpenSSL info print mode?
1018  */
1019  if (options->show_ciphers || options->show_digests || options->show_engines
1020  || options->show_tls_ciphers || options->show_curves)
1021  {
1022  if (options->show_ciphers)
1023  {
1025  }
1026  if (options->show_digests)
1027  {
1029  }
1030  if (options->show_engines)
1031  {
1033  }
1034  if (options->show_tls_ciphers)
1035  {
1037  options->cipher_list_tls13,
1038  options->tls_cert_profile);
1039  }
1040  if (options->show_curves)
1041  {
1043  }
1044  return true;
1045  }
1046  return false;
1047 }
1048 
1049 /*
1050  * Static pre-shared key generation mode?
1051  */
1052 bool
1053 do_genkey(const struct options *options)
1054 {
1055  /* should we disable paging? */
1056  if (options->mlock && (options->genkey || options->tls_crypt_v2_genkey_file))
1057  {
1058  platform_mlockall(true);
1059  }
1060  if (options->genkey)
1061  {
1062  int nbits_written;
1063 
1064  notnull(options->shared_secret_file,
1065  "shared secret output file (--secret)");
1066 
1067  nbits_written = write_key_file(2, options->shared_secret_file);
1068  if (nbits_written < 0)
1069  {
1070  msg(M_FATAL, "Failed to write key file");
1071  }
1072 
1074  "Randomly generated %d bit key written to %s", nbits_written,
1075  options->shared_secret_file);
1076  return true;
1077  }
1078  if (options->tls_crypt_v2_genkey_type)
1079  {
1080  if (!strcmp(options->tls_crypt_v2_genkey_type, "server"))
1081  {
1083  return true;
1084  }
1085  if (options->tls_crypt_v2_genkey_type
1086  && !strcmp(options->tls_crypt_v2_genkey_type, "client"))
1087  {
1088  if (!options->tls_crypt_v2_file)
1089  {
1090  msg(M_USAGE, "--tls-crypt-v2-genkey requires a server key to be set via --tls-crypt-v2 to create a client key");
1091  }
1092 
1094  options->tls_crypt_v2_metadata, options->tls_crypt_v2_file,
1095  options->tls_crypt_v2_inline);
1096  return true;
1097  }
1098 
1099  msg(M_USAGE, "--tls-crypt-v2-genkey type should be \"client\" or \"server\"");
1100  }
1101  return false;
1102 }
1103 
1104 /*
1105  * Persistent TUN/TAP device management mode?
1106  */
1107 bool
1109 {
1110  if (options->persist_config)
1111  {
1112  /* sanity check on options for --mktun or --rmtun */
1113  notnull(options->dev, "TUN/TAP device (--dev)");
1114  if (options->ce.remote || options->ifconfig_local
1115  || options->ifconfig_remote_netmask
1116  || options->shared_secret_file
1117  || options->tls_server || options->tls_client
1118  )
1119  {
1121  "options --mktun or --rmtun should only be used together with --dev");
1122  }
1123 #ifdef ENABLE_FEATURE_TUN_PERSIST
1124  tuncfg(options->dev, options->dev_type, options->dev_node,
1125  options->persist_mode,
1126  options->username, options->groupname, &options->tuntap_options);
1127  if (options->persist_mode && options->lladdr)
1128  {
1129  set_lladdr(options->dev, options->lladdr, NULL);
1130  }
1131  return true;
1132 #else /* ifdef ENABLE_FEATURE_TUN_PERSIST */
1133  msg( M_FATAL|M_OPTERR,
1134  "options --mktun and --rmtun are not available on your operating "
1135  "system. Please check 'man tun' (or 'tap'), whether your system "
1136  "supports using 'ifconfig %s create' / 'destroy' to create/remove "
1137  "persistant tunnel interfaces.", options->dev );
1138 #endif
1139  }
1140  return false;
1141 }
1142 
1143 /*
1144  * Should we become a daemon?
1145  * Return true if we did it.
1146  */
1147 bool
1149 {
1150  bool ret = false;
1151 
1152 #ifdef ENABLE_SYSTEMD
1153  /* return without forking if we are running from systemd */
1154  if (sd_notify(0, "READY=0") > 0)
1155  {
1156  return ret;
1157  }
1158 #endif
1159 
1160  if (options->daemon)
1161  {
1162  ASSERT(!options->inetd);
1163  /* Don't chdir immediately, but the end of the init sequence, if needed */
1164  if (daemon(1, options->log) < 0)
1165  {
1166  msg(M_ERR, "daemon() failed or unsupported");
1167  }
1169  if (options->log)
1170  {
1171  set_std_files_to_null(true);
1172  }
1173 
1174  ret = true;
1175  }
1176  return ret;
1177 }
1178 
1179 /*
1180  * Actually do UID/GID downgrade, chroot and SELinux context switching, if requested.
1181  */
1182 static void
1183 do_uid_gid_chroot(struct context *c, bool no_delay)
1184 {
1185  static const char why_not[] = "will be delayed because of --client, --pull, or --up-delay";
1186  struct context_0 *c0 = c->c0;
1187 
1188  if (c0 && !c0->uid_gid_chroot_set)
1189  {
1190  /* chroot if requested */
1191  if (c->options.chroot_dir)
1192  {
1193  if (no_delay)
1194  {
1196  }
1197  else if (c->first_time)
1198  {
1199  msg(M_INFO, "NOTE: chroot %s", why_not);
1200  }
1201  }
1202 
1203  /* set user and/or group if we want to setuid/setgid */
1204  if (c0->uid_gid_specified)
1205  {
1206  if (no_delay)
1207  {
1210  }
1211  else if (c->first_time)
1212  {
1213  msg(M_INFO, "NOTE: UID/GID downgrade %s", why_not);
1214  }
1215  }
1216 
1217 #ifdef ENABLE_MEMSTATS
1218  if (c->first_time && c->options.memstats_fn)
1219  {
1220  mstats_open(c->options.memstats_fn);
1221  }
1222 #endif
1223 
1224 #ifdef ENABLE_SELINUX
1225  /* Apply a SELinux context in order to restrict what OpenVPN can do
1226  * to _only_ what it is supposed to do after initialization is complete
1227  * (basically just network I/O operations). Doing it after chroot
1228  * requires /proc to be mounted in the chroot (which is annoying indeed
1229  * but doing it before requires more complex SELinux policies.
1230  */
1231  if (c->options.selinux_context)
1232  {
1233  if (no_delay)
1234  {
1235  if (-1 == setcon(c->options.selinux_context))
1236  {
1237  msg(M_ERR, "setcon to '%s' failed; is /proc accessible?", c->options.selinux_context);
1238  }
1239  else
1240  {
1241  msg(M_INFO, "setcon to '%s' succeeded", c->options.selinux_context);
1242  }
1243  }
1244  else if (c->first_time)
1245  {
1246  msg(M_INFO, "NOTE: setcon %s", why_not);
1247  }
1248  }
1249 #endif
1250 
1251  /* Privileges are going to be dropped by now (if requested), be sure
1252  * to prevent any future privilege dropping attempts from now on.
1253  */
1254  if (no_delay)
1255  {
1256  c0->uid_gid_chroot_set = true;
1257  }
1258  }
1259 }
1260 
1261 /*
1262  * Return common name in a way that is formatted for
1263  * prepending to msg() output.
1264  */
1265 const char *
1266 format_common_name(struct context *c, struct gc_arena *gc)
1267 {
1268  struct buffer out = alloc_buf_gc(256, gc);
1269  if (c->c2.tls_multi)
1270  {
1271  buf_printf(&out, "[%s] ", tls_common_name(c->c2.tls_multi, false));
1272  }
1273  return BSTR(&out);
1274 }
1275 
1276 void
1277 pre_setup(const struct options *options)
1278 {
1279 #ifdef _WIN32
1280  if (options->exit_event_name)
1281  {
1284  options->exit_event_name,
1285  options->exit_event_initial_state);
1286  }
1287  else
1288  {
1291  NULL,
1292  false);
1293 
1294  /* put a title on the top window bar */
1296  {
1298  window_title_generate(options->config);
1299  }
1300  }
1301 #endif /* ifdef _WIN32 */
1302 }
1303 
1304 void
1306 {
1307  c->c2.coarse_timer_wakeup = 0;
1308 }
1309 
1310 /*
1311  * Initialise the server poll timeout timer
1312  * This timer is used in the http/socks proxy setup so it needs to be setup
1313  * before
1314  */
1315 static void
1317 {
1318  update_time();
1319  if (c->options.ce.connect_timeout)
1320  {
1322  }
1323 }
1324 
1325 /*
1326  * Initialize timers
1327  */
1328 static void
1329 do_init_timers(struct context *c, bool deferred)
1330 {
1331  update_time();
1333 
1334  /* initialize inactivity timeout */
1335  if (c->options.inactivity_timeout)
1336  {
1338  }
1339 
1340  /* initialize pings */
1341 
1342  if (c->options.ping_send_timeout)
1343  {
1345  }
1346 
1347  if (c->options.ping_rec_timeout)
1348  {
1350  }
1351 
1352  if (!deferred)
1353  {
1354  /* initialize connection establishment timer */
1356 
1357 #ifdef ENABLE_OCC
1358  /* initialize occ timers */
1359 
1360  if (c->options.occ
1361  && !TLS_MODE(c)
1363  {
1365  }
1366 
1367  if (c->options.mtu_test)
1368  {
1370  }
1371 #endif
1372 
1373  /* initialize packet_id persistence timer */
1374  if (c->options.packet_id_file)
1375  {
1377  }
1378 
1379  /* initialize tmp_int optimization that limits the number of times we call
1380  * tls_multi_process in the main event loop */
1382  }
1383 }
1384 
1385 /*
1386  * Initialize traffic shaper.
1387  */
1388 static void
1390 {
1391 #ifdef ENABLE_FEATURE_SHAPER
1392  /* initialize traffic shaper (i.e. transmit bandwidth limiter) */
1393  if (c->options.shaper)
1394  {
1395  shaper_init(&c->c2.shaper, c->options.shaper);
1396  shaper_msg(&c->c2.shaper);
1397  }
1398 #endif
1399 }
1400 
1401 /*
1402  * Allocate route list structures for IPv4 and IPv6
1403  * (we do this for IPv4 even if no --route option has been seen, as other
1404  * parts of OpenVPN might want to fill the route-list with info, e.g. DHCP)
1405  */
1406 static void
1408 {
1409  if (!c->c1.route_list)
1410  {
1411  ALLOC_OBJ_CLEAR_GC(c->c1.route_list, struct route_list, &c->gc);
1412  }
1413  if (c->options.routes_ipv6 && !c->c1.route_ipv6_list)
1414  {
1416  }
1417 }
1418 
1419 
1420 /*
1421  * Initialize the route list, resolving any DNS names in route
1422  * options and saving routes in the environment.
1423  */
1424 static void
1426  struct route_list *route_list,
1427  const struct link_socket_info *link_socket_info,
1428  struct env_set *es)
1429 {
1430  const char *gw = NULL;
1431  int dev = dev_type_enum(options->dev, options->dev_type);
1432  int metric = 0;
1433 
1434  if (dev == DEV_TYPE_TUN && (options->topology == TOP_NET30 || options->topology == TOP_P2P))
1435  {
1436  gw = options->ifconfig_remote_netmask;
1437  }
1438  if (options->route_default_gateway)
1439  {
1440  gw = options->route_default_gateway;
1441  }
1442  if (options->route_default_metric)
1443  {
1444  metric = options->route_default_metric;
1445  }
1446 
1447  if (init_route_list(route_list,
1448  options->routes,
1449  gw,
1450  metric,
1451  link_socket_current_remote(link_socket_info),
1452  es))
1453  {
1454  /* copy routes to environment */
1455  setenv_routes(es, route_list);
1456  }
1457 }
1458 
1459 static void
1462  const struct link_socket_info *link_socket_info,
1463  struct env_set *es)
1464 {
1465  const char *gw = NULL;
1466  int metric = -1; /* no metric set */
1467 
1468  gw = options->ifconfig_ipv6_remote; /* default GW = remote end */
1469  if (options->route_ipv6_default_gateway)
1470  {
1471  gw = options->route_ipv6_default_gateway;
1472  }
1473 
1474  if (options->route_default_metric)
1475  {
1476  metric = options->route_default_metric;
1477  }
1478 
1479  /* redirect (IPv6) gateway to VPN? if yes, add a few more specifics
1480  */
1481  if (options->routes_ipv6->flags & RG_REROUTE_GW)
1482  {
1483  char *opt_list[] = { "::/3", "2000::/4", "3000::/4", "fc00::/7", NULL };
1484  int i;
1485 
1486  for (i = 0; opt_list[i]; i++)
1487  {
1489  string_alloc(opt_list[i], options->routes_ipv6->gc),
1490  NULL, NULL );
1491  }
1492  }
1493 
1494  if (init_route_ipv6_list(route_ipv6_list,
1495  options->routes_ipv6,
1496  gw,
1497  metric,
1498  link_socket_current_remote_ipv6(link_socket_info),
1499  es))
1500  {
1501  /* copy routes to environment */
1502  setenv_routes_ipv6(es, route_ipv6_list);
1503  }
1504 }
1505 
1506 
1507 /*
1508  * Called after all initialization has been completed.
1509  */
1510 void
1511 initialization_sequence_completed(struct context *c, const unsigned int flags)
1512 {
1513  static const char message[] = "Initialization Sequence Completed";
1514 
1515  /* Reset the unsuccessful connection counter on complete initialisation */
1517 
1518  /* If we delayed UID/GID downgrade or chroot, do it now */
1519  do_uid_gid_chroot(c, true);
1520 
1521 
1522  /*
1523  * In some cases (i.e. when receiving auth-token via
1524  * push-reply) the auth-nocache option configured on the
1525  * client is overridden; for this reason we have to wait
1526  * for the push-reply message before attempting to wipe
1527  * the user/pass entered by the user
1528  */
1529  if (c->options.mode == MODE_POINT_TO_POINT)
1530  {
1532  }
1533 
1534  /* Test if errors */
1535  if (flags & ISC_ERRORS)
1536  {
1537 #ifdef _WIN32
1540  msg(M_INFO, "%s With Errors ( see http://openvpn.net/faq.html#dhcpclientserv )", message);
1541 #else
1542 #ifdef ENABLE_SYSTEMD
1543  sd_notifyf(0, "STATUS=Failed to start up: %s With Errors\nERRNO=1", message);
1544 #endif /* HAVE_SYSTEMD_SD_DAEMON_H */
1545  msg(M_INFO, "%s With Errors", message);
1546 #endif
1547  }
1548  else
1549  {
1550 #ifdef ENABLE_SYSTEMD
1551  sd_notifyf(0, "STATUS=%s", message);
1552 #endif
1553  msg(M_INFO, "%s", message);
1554  }
1555 
1556  /* Flag that we initialized */
1557  if ((flags & (ISC_ERRORS|ISC_SERVER)) == 0)
1558  {
1559  c->options.no_advance = true;
1560  }
1561 
1562 #ifdef _WIN32
1564 #endif
1565 
1566 #ifdef ENABLE_MANAGEMENT
1567  /* Tell management interface that we initialized */
1568  if (management)
1569  {
1570  in_addr_t *tun_local = NULL;
1571  struct in6_addr *tun_local6 = NULL;
1572  struct openvpn_sockaddr local, remote;
1573  struct link_socket_actual *actual;
1574  socklen_t sa_len = sizeof(local);
1575  const char *detail = "SUCCESS";
1576  if (flags & ISC_ERRORS)
1577  {
1578  detail = "ERROR";
1579  }
1580 
1581  CLEAR(local);
1582  actual = &get_link_socket_info(c)->lsa->actual;
1583  remote = actual->dest;
1584  getsockname(c->c2.link_socket->sd, &local.addr.sa, &sa_len);
1585 #if ENABLE_IP_PKTINFO
1586  if (!addr_defined(&local))
1587  {
1588  switch (local.addr.sa.sa_family)
1589  {
1590  case AF_INET:
1591 #if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST)
1592  local.addr.in4.sin_addr = actual->pi.in4.ipi_spec_dst;
1593 #else
1594  local.addr.in4.sin_addr = actual->pi.in4;
1595 #endif
1596  break;
1597 
1598  case AF_INET6:
1599  local.addr.in6.sin6_addr = actual->pi.in6.ipi6_addr;
1600  break;
1601  }
1602  }
1603 #endif
1604 
1605  if (c->c1.tuntap)
1606  {
1607  tun_local = &c->c1.tuntap->local;
1608  tun_local6 = &c->c1.tuntap->local_ipv6;
1609  }
1612  detail,
1613  tun_local,
1614  tun_local6,
1615  &local,
1616  &remote);
1617  if (tun_local)
1618  {
1620  }
1621  }
1622 #endif /* ifdef ENABLE_MANAGEMENT */
1623 }
1624 
1625 /*
1626  * Possibly add routes and/or call route-up script
1627  * based on options.
1628  */
1629 void
1630 do_route(const struct options *options,
1631  struct route_list *route_list,
1633  const struct tuntap *tt,
1634  const struct plugin_list *plugins,
1635  struct env_set *es)
1636 {
1637  if (!options->route_noexec && ( route_list || route_ipv6_list ) )
1638  {
1639  add_routes(route_list, route_ipv6_list, tt, ROUTE_OPTION_FLAGS(options), es);
1640  setenv_int(es, "redirect_gateway", route_did_redirect_default_gateway(route_list));
1641  }
1642 #ifdef ENABLE_MANAGEMENT
1643  if (management)
1644  {
1645  management_up_down(management, "UP", es);
1646  }
1647 #endif
1648 
1650  {
1651  if (plugin_call(plugins, OPENVPN_PLUGIN_ROUTE_UP, NULL, NULL, es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
1652  {
1653  msg(M_WARN, "WARNING: route-up plugin call failed");
1654  }
1655  }
1656 
1657  if (options->route_script)
1658  {
1659  struct argv argv = argv_new();
1660  setenv_str(es, "script_type", "route-up");
1661  argv_parse_cmd(&argv, options->route_script);
1662  openvpn_run_script(&argv, es, 0, "--route-up");
1663  argv_reset(&argv);
1664  }
1665 
1666 #ifdef _WIN32
1667  if (options->show_net_up)
1668  {
1671  }
1672  else if (check_debug_level(D_SHOW_NET))
1673  {
1676  }
1677 #endif
1678 }
1679 
1680 /*
1681  * initialize tun/tap device object
1682  */
1683 static void
1685 {
1686  c->c1.tuntap = init_tun(c->options.dev,
1687  c->options.dev_type,
1688  c->options.topology,
1697  c->c2.es);
1698 
1699  init_tun_post(c->c1.tuntap,
1700  &c->c2.frame,
1701  &c->options.tuntap_options);
1702 
1703  c->c1.tuntap_owned = true;
1704 }
1705 
1706 /*
1707  * Open tun/tap device, ifconfig, call up script, etc.
1708  */
1709 
1710 static bool
1712 {
1713  struct gc_arena gc = gc_new();
1714  bool ret = false;
1715 
1716 #ifndef TARGET_ANDROID
1717  if (!c->c1.tuntap)
1718  {
1719 #endif
1720 
1721 #ifdef TARGET_ANDROID
1722  /* If we emulate persist-tun on android we still have to open a new tun and
1723  * then close the old */
1724  int oldtunfd = -1;
1725  if (c->c1.tuntap)
1726  {
1727  oldtunfd = c->c1.tuntap->fd;
1728  free(c->c1.tuntap);
1729  c->c1.tuntap = NULL;
1730  c->c1.tuntap_owned = false;
1731  }
1732 #endif
1733 
1734  /* initialize (but do not open) tun/tap object */
1735  do_init_tun(c);
1736 
1737 #ifdef _WIN32
1738  /* store (hide) interactive service handle in tuntap_options */
1740  msg(D_ROUTE, "interactive service msg_channel=%u", (unsigned int) c->options.msg_channel);
1741 #endif
1742 
1743  /* allocate route list structure */
1745 
1746  /* parse and resolve the route option list */
1747  ASSERT(c->c2.link_socket);
1748  if (c->options.routes && c->c1.route_list)
1749  {
1751  &c->c2.link_socket->info, c->c2.es);
1752  }
1753  if (c->options.routes_ipv6 && c->c1.route_ipv6_list)
1754  {
1756  &c->c2.link_socket->info, c->c2.es);
1757  }
1758 
1759  /* do ifconfig */
1760  if (!c->options.ifconfig_noexec
1762  {
1763  /* guess actual tun/tap unit number that will be returned
1764  * by open_tun */
1765  const char *guess = guess_tuntap_dev(c->options.dev,
1766  c->options.dev_type,
1767  c->options.dev_node,
1768  &gc);
1769  do_ifconfig(c->c1.tuntap, guess, TUN_MTU_SIZE(&c->c2.frame), c->c2.es);
1770  }
1771 
1772  /* possibly add routes */
1773  if (route_order() == ROUTE_BEFORE_TUN)
1774  {
1775  /* Ignore route_delay, would cause ROUTE_BEFORE_TUN to be ignored */
1777  c->c1.tuntap, c->plugins, c->c2.es);
1778  }
1779 #ifdef TARGET_ANDROID
1780  /* Store the old fd inside the fd so open_tun can use it */
1781  c->c1.tuntap->fd = oldtunfd;
1782 #endif
1783  /* open the tun device */
1785  c->c1.tuntap);
1786 
1787  /* set the hardware address */
1788  if (c->options.lladdr)
1789  {
1791  }
1792 
1793  /* do ifconfig */
1794  if (!c->options.ifconfig_noexec
1796  {
1798  }
1799 
1800  /* run the up script */
1802  c->plugins,
1804  c->c1.tuntap->actual_name,
1805 #ifdef _WIN32
1806  c->c1.tuntap->adapter_index,
1807 #endif
1809  TUN_MTU_SIZE(&c->c2.frame),
1810  EXPANDED_SIZE(&c->c2.frame),
1813  "init",
1814  NULL,
1815  "up",
1816  c->c2.es);
1817 
1818 #if defined(_WIN32)
1819  if (c->options.block_outside_dns)
1820  {
1821  dmsg(D_LOW, "Blocking outside DNS");
1823  {
1824  msg(M_FATAL, "Blocking DNS failed!");
1825  }
1826  }
1827 #endif
1828 
1829  /* possibly add routes */
1831  {
1833  c->c1.tuntap, c->plugins, c->c2.es);
1834  }
1835 
1836  /*
1837  * Did tun/tap driver give us an MTU?
1838  */
1839  if (c->c1.tuntap->post_open_mtu)
1840  {
1842  c->c1.tuntap->post_open_mtu,
1844  }
1845 
1846  ret = true;
1847  static_context = c;
1848 #ifndef TARGET_ANDROID
1849 }
1850 else
1851 {
1852  msg(M_INFO, "Preserving previous TUN/TAP instance: %s",
1853  c->c1.tuntap->actual_name);
1854 
1855  /* explicitly set the ifconfig_* env vars */
1856  do_ifconfig_setenv(c->c1.tuntap, c->c2.es);
1857 
1858  /* run the up script if user specified --up-restart */
1859  if (c->options.up_restart)
1860  {
1862  c->plugins,
1864  c->c1.tuntap->actual_name,
1865 #ifdef _WIN32
1866  c->c1.tuntap->adapter_index,
1867 #endif
1869  TUN_MTU_SIZE(&c->c2.frame),
1870  EXPANDED_SIZE(&c->c2.frame),
1873  "restart",
1874  NULL,
1875  "up",
1876  c->c2.es);
1877  }
1878 #if defined(_WIN32)
1879  if (c->options.block_outside_dns)
1880  {
1881  dmsg(D_LOW, "Blocking outside DNS");
1883  {
1884  msg(M_FATAL, "Blocking DNS failed!");
1885  }
1886  }
1887 #endif
1888 
1889 }
1890 #endif /* ifndef TARGET_ANDROID */
1891  gc_free(&gc);
1892  return ret;
1893 }
1894 
1895 /*
1896  * Close TUN/TAP device
1897  */
1898 
1899 static void
1901 {
1902  msg(D_CLOSE, "Closing TUN/TAP interface");
1903  if (c->c1.tuntap)
1904  {
1905  close_tun(c->c1.tuntap);
1906  c->c1.tuntap = NULL;
1907  }
1908  c->c1.tuntap_owned = false;
1909 #if P2MP
1911 #endif
1912 }
1913 
1914 static void
1915 do_close_tun(struct context *c, bool force)
1916 {
1917  struct gc_arena gc = gc_new();
1918  if (c->c1.tuntap && c->c1.tuntap_owned)
1919  {
1920  const char *tuntap_actual = string_alloc(c->c1.tuntap->actual_name, &gc);
1921 #ifdef _WIN32
1922  DWORD adapter_index = c->c1.tuntap->adapter_index;
1923 #endif
1924  const in_addr_t local = c->c1.tuntap->local;
1925  const in_addr_t remote_netmask = c->c1.tuntap->remote_netmask;
1926 
1927  if (force || !(c->sig->signal_received == SIGUSR1 && c->options.persist_tun))
1928  {
1929  static_context = NULL;
1930 
1931 #ifdef ENABLE_MANAGEMENT
1932  /* tell management layer we are about to close the TUN/TAP device */
1933  if (management)
1934  {
1936  management_up_down(management, "DOWN", c->c2.es);
1937  }
1938 #endif
1939 
1940  /* delete any routes we added */
1941  if (c->c1.route_list || c->c1.route_ipv6_list)
1942  {
1944  c->plugins,
1946  tuntap_actual,
1947 #ifdef _WIN32
1948  adapter_index,
1949 #endif
1950  NULL,
1951  TUN_MTU_SIZE(&c->c2.frame),
1952  EXPANDED_SIZE(&c->c2.frame),
1953  print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc),
1954  print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
1955  "init",
1957  c->sig->signal_text),
1958  "route-pre-down",
1959  c->c2.es);
1960 
1962  c->c1.tuntap, ROUTE_OPTION_FLAGS(&c->options), c->c2.es);
1963  }
1964 
1965  /* actually close tun/tap device based on --down-pre flag */
1966  if (!c->options.down_pre)
1967  {
1969  }
1970 
1971  /* Run the down script -- note that it will run at reduced
1972  * privilege if, for example, "--user nobody" was used. */
1974  c->plugins,
1976  tuntap_actual,
1977 #ifdef _WIN32
1978  adapter_index,
1979 #endif
1980  NULL,
1981  TUN_MTU_SIZE(&c->c2.frame),
1982  EXPANDED_SIZE(&c->c2.frame),
1983  print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc),
1984  print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
1985  "init",
1987  c->sig->signal_text),
1988  "down",
1989  c->c2.es);
1990 
1991 #if defined(_WIN32)
1992  if (c->options.block_outside_dns)
1993  {
1994  if (!win_wfp_uninit(adapter_index, c->options.msg_channel))
1995  {
1996  msg(M_FATAL, "Uninitialising WFP failed!");
1997  }
1998  }
1999 #endif
2000 
2001  /* actually close tun/tap device based on --down-pre flag */
2002  if (c->options.down_pre)
2003  {
2005  }
2006  }
2007  else
2008  {
2009  /* run the down script on this restart if --up-restart was specified */
2010  if (c->options.up_restart)
2011  {
2013  c->plugins,
2015  tuntap_actual,
2016 #ifdef _WIN32
2017  adapter_index,
2018 #endif
2019  NULL,
2020  TUN_MTU_SIZE(&c->c2.frame),
2021  EXPANDED_SIZE(&c->c2.frame),
2022  print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc),
2023  print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
2024  "restart",
2026  c->sig->signal_text),
2027  "down",
2028  c->c2.es);
2029  }
2030 
2031 #if defined(_WIN32)
2032  if (c->options.block_outside_dns)
2033  {
2034  if (!win_wfp_uninit(adapter_index, c->options.msg_channel))
2035  {
2036  msg(M_FATAL, "Uninitialising WFP failed!");
2037  }
2038  }
2039 #endif
2040 
2041  }
2042  }
2043  gc_free(&gc);
2044 }
2045 
2046 void
2048 {
2049  struct context *c = static_context;
2050  if (c)
2051  {
2052  static_context = NULL;
2053  do_close_tun(c, true);
2054  }
2055 }
2056 
2057 /*
2058  * Handle delayed tun/tap interface bringup due to --up-delay or --pull
2059  */
2060 
2061 #if P2MP
2062 
2066 static bool
2068  const struct sha256_digest *b)
2069 {
2070  const struct sha256_digest zero = {{0}};
2071  return memcmp(a, b, sizeof(struct sha256_digest))
2072  || !memcmp(a, &zero, sizeof(struct sha256_digest));
2073 }
2074 #endif /* P2MP */
2075 
2076 bool
2077 do_up(struct context *c, bool pulled_options, unsigned int option_types_found)
2078 {
2079  if (!c->c2.do_up_ran)
2080  {
2082 
2083  if (pulled_options)
2084  {
2085  if (!do_deferred_options(c, option_types_found))
2086  {
2087  msg(D_PUSH_ERRORS, "ERROR: Failed to apply push options");
2088  return false;
2089  }
2090  }
2091 
2092  /* if --up-delay specified, open tun, do ifconfig, and run up script now */
2093  if (c->options.up_delay || PULL_DEFINED(&c->options))
2094  {
2095  c->c2.did_open_tun = do_open_tun(c);
2096  update_time();
2097 
2098 #if P2MP
2099  /*
2100  * Was tun interface object persisted from previous restart iteration,
2101  * and if so did pulled options string change from previous iteration?
2102  */
2103  if (!c->c2.did_open_tun
2104  && PULL_DEFINED(&c->options)
2105  && c->c1.tuntap
2108  {
2109  /* if so, close tun, delete routes, then reinitialize tun and add routes */
2110  msg(M_INFO, "NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.");
2111  do_close_tun(c, true);
2112  management_sleep(1);
2113  c->c2.did_open_tun = do_open_tun(c);
2114  update_time();
2115  }
2116 #endif
2117  }
2118 
2119  if (c->c2.did_open_tun)
2120  {
2121 #if P2MP
2123 #endif
2124 
2125  /* if --route-delay was specified, start timer */
2127  {
2130  if (c->c1.tuntap)
2131  {
2133  }
2134  }
2135  else
2136  {
2137  initialization_sequence_completed(c, 0); /* client/p2p --route-delay undefined */
2138  }
2139  }
2140  else if (c->options.mode == MODE_POINT_TO_POINT)
2141  {
2142  initialization_sequence_completed(c, 0); /* client/p2p restart with --persist-tun */
2143  }
2144 
2145  c->c2.do_up_ran = true;
2146  }
2147  return true;
2148 }
2149 
2150 /*
2151  * These are the option categories which will be accepted by pull.
2152  */
2153 unsigned int
2155 {
2156  unsigned int flags =
2157  OPT_P_UP
2159  | OPT_P_SOCKBUF
2160  | OPT_P_SOCKFLAGS
2161  | OPT_P_SETENV
2162  | OPT_P_SHAPER
2163  | OPT_P_TIMER
2164  | OPT_P_COMP
2165  | OPT_P_PERSIST
2166  | OPT_P_MESSAGES
2168  | OPT_P_ECHO
2169  | OPT_P_PULL_MODE
2170  | OPT_P_PEER_ID;
2171 
2172  if (!c->options.route_nopull)
2173  {
2174  flags |= (OPT_P_ROUTE | OPT_P_IPWIN32);
2175  }
2176 
2177  if (c->options.ncp_enabled)
2178  {
2179  flags |= OPT_P_NCP;
2180  }
2181 
2182  return flags;
2183 }
2184 
2185 /*
2186  * Handle non-tun-related pulled options.
2187  */
2188 bool
2189 do_deferred_options(struct context *c, const unsigned int found)
2190 {
2191  if (found & OPT_P_MESSAGES)
2192  {
2194  msg(D_PUSH, "OPTIONS IMPORT: --verb and/or --mute level changed");
2195  }
2196  if (found & OPT_P_TIMER)
2197  {
2198  do_init_timers(c, true);
2199  msg(D_PUSH, "OPTIONS IMPORT: timers and/or timeouts modified");
2200  }
2201 
2202 #ifdef ENABLE_OCC
2203  if (found & OPT_P_EXPLICIT_NOTIFY)
2204  {
2206  {
2207  msg(D_PUSH, "OPTIONS IMPORT: --explicit-exit-notify can only be used with --proto udp");
2209  }
2210  else
2211  {
2212  msg(D_PUSH, "OPTIONS IMPORT: explicit notify parm(s) modified");
2213  }
2214  }
2215 #endif
2216 
2217 #ifdef USE_COMP
2218  if (found & OPT_P_COMP)
2219  {
2220  msg(D_PUSH, "OPTIONS IMPORT: compression parms modified");
2221  comp_uninit(c->c2.comp_context);
2222  c->c2.comp_context = comp_init(&c->options.comp);
2223  }
2224 #endif
2225 
2226  if (found & OPT_P_SHAPER)
2227  {
2228  msg(D_PUSH, "OPTIONS IMPORT: traffic shaper enabled");
2230  }
2231 
2232  if (found & OPT_P_SOCKBUF)
2233  {
2234  msg(D_PUSH, "OPTIONS IMPORT: --sndbuf/--rcvbuf options modified");
2236  }
2237 
2238  if (found & OPT_P_SOCKFLAGS)
2239  {
2240  msg(D_PUSH, "OPTIONS IMPORT: --socket-flags option modified");
2242  }
2243 
2244  if (found & OPT_P_PERSIST)
2245  {
2246  msg(D_PUSH, "OPTIONS IMPORT: --persist options modified");
2247  }
2248  if (found & OPT_P_UP)
2249  {
2250  msg(D_PUSH, "OPTIONS IMPORT: --ifconfig/up options modified");
2251  }
2252  if (found & OPT_P_ROUTE)
2253  {
2254  msg(D_PUSH, "OPTIONS IMPORT: route options modified");
2255  }
2256  if (found & OPT_P_ROUTE_EXTRAS)
2257  {
2258  msg(D_PUSH, "OPTIONS IMPORT: route-related options modified");
2259  }
2260  if (found & OPT_P_IPWIN32)
2261  {
2262  msg(D_PUSH, "OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified");
2263  }
2264  if (found & OPT_P_SETENV)
2265  {
2266  msg(D_PUSH, "OPTIONS IMPORT: environment modified");
2267  }
2268 
2269  if (found & OPT_P_PEER_ID)
2270  {
2271  msg(D_PUSH, "OPTIONS IMPORT: peer-id set");
2272  c->c2.tls_multi->use_peer_id = true;
2273  c->c2.tls_multi->peer_id = c->options.peer_id;
2274  frame_add_to_extra_frame(&c->c2.frame, +3); /* peer-id overhead */
2275  if (!c->options.ce.link_mtu_defined)
2276  {
2277  frame_add_to_link_mtu(&c->c2.frame, +3);
2278  msg(D_PUSH, "OPTIONS IMPORT: adjusting link_mtu to %d",
2279  EXPANDED_SIZE(&c->c2.frame));
2280  }
2281  else
2282  {
2283  msg(M_WARN, "OPTIONS IMPORT: WARNING: peer-id set, but link-mtu"
2284  " fixed by config - reducing tun-mtu to %d, expect"
2285  " MTU problems", TUN_MTU_SIZE(&c->c2.frame) );
2286  }
2287  }
2288 
2289  /* process (potentially pushed) crypto options */
2290  if (c->options.pull)
2291  {
2292  struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE];
2293  if (found & OPT_P_NCP)
2294  {
2295  msg(D_PUSH, "OPTIONS IMPORT: data channel crypto options modified");
2296  }
2297  else if (c->options.ncp_enabled)
2298  {
2300  }
2301  /* Do not regenerate keys if server sends an extra push reply */
2303  && !tls_session_update_crypto_params(session, &c->options, &c->c2.frame))
2304  {
2305  msg(D_TLS_ERRORS, "OPTIONS ERROR: failed to import crypto options");
2306  return false;
2307  }
2308  }
2309 
2310  return true;
2311 }
2312 
2313 /*
2314  * Possible hold on initialization, holdtime is the
2315  * time OpenVPN would wait without management
2316  */
2317 static bool
2318 do_hold(int holdtime)
2319 {
2320 #ifdef ENABLE_MANAGEMENT
2321  if (management)
2322  {
2323  /* block until management hold is released */
2324  if (management_hold(management, holdtime))
2325  {
2326  return true;
2327  }
2328  }
2329 #endif
2330  return false;
2331 }
2332 
2333 /*
2334  * Sleep before restart.
2335  */
2336 static void
2338 {
2339  int sec = 2;
2340  int backoff = 0;
2341 
2342  switch (c->options.ce.proto)
2343  {
2344  case PROTO_TCP_SERVER:
2345  sec = 1;
2346  break;
2347 
2348  case PROTO_UDP:
2349  case PROTO_TCP_CLIENT:
2350  sec = c->options.ce.connect_retry_seconds;
2351  break;
2352  }
2353 
2354 #ifdef ENABLE_DEBUG
2355  if (GREMLIN_CONNECTION_FLOOD_LEVEL(c->options.gremlin))
2356  {
2357  sec = 0;
2358  }
2359 #endif
2360 
2361 #if P2MP
2362  if (auth_retry_get() == AR_NOINTERACT)
2363  {
2364  sec = 10;
2365  }
2366 #endif
2367 
2368  /* Slow down reconnection after 5 retries per remote -- for tcp only in client mode */
2369  if (c->options.ce.proto != PROTO_TCP_SERVER)
2370  {
2371  backoff = (c->options.unsuccessful_attempts / c->options.connection_list->len) - 4;
2372  if (backoff > 0)
2373  {
2374  /* sec is less than 2^16; we can left shift it by up to 15 bits without overflow */
2375  sec = max_int(sec, 1) << min_int(backoff, 15);
2376  }
2377 
2378  if (sec > c->options.ce.connect_retry_seconds_max)
2379  {
2381  }
2382  }
2383 
2385  {
2386  sec = c->persist.restart_sleep_seconds;
2387  }
2388  else if (c->persist.restart_sleep_seconds == -1)
2389  {
2390  sec = 0;
2391  }
2393 
2394  /* do managment hold on context restart, i.e. second, third, fourth, etc. initialization */
2395  if (do_hold(sec))
2396  {
2397  sec = 0;
2398  }
2399 
2400  if (sec)
2401  {
2402  msg(D_RESTART, "Restart pause, %d second(s)", sec);
2403  management_sleep(sec);
2404  }
2405 }
2406 
2407 /*
2408  * Do a possible pause on context_2 initialization.
2409  */
2410 static void
2412 {
2413  if (!c->first_time)
2414  {
2416  }
2417  else
2418  {
2419  do_hold(0); /* do management hold on first context initialization */
2420  }
2421 }
2422 
2423 /*
2424  * Finalize MTU parameters based on command line or config file options.
2425  */
2426 static void
2427 frame_finalize_options(struct context *c, const struct options *o)
2428 {
2429  if (!o)
2430  {
2431  o = &c->options;
2432  }
2433 
2434  /*
2435  * Set adjustment factor for buffer alignment when no
2436  * cipher is used.
2437  */
2438  if (!CIPHER_ENABLED(c))
2439  {
2445  }
2446 
2448  frame_finalize(&c->c2.frame,
2449  o->ce.link_mtu_defined,
2450  o->ce.link_mtu,
2451  o->ce.tun_mtu_defined,
2452  o->ce.tun_mtu);
2453 }
2454 
2455 /*
2456  * Free a key schedule, including OpenSSL components.
2457  */
2458 static void
2459 key_schedule_free(struct key_schedule *ks, bool free_ssl_ctx)
2460 {
2462  if (tls_ctx_initialised(&ks->ssl_ctx) && free_ssl_ctx)
2463  {
2464  tls_ctx_free(&ks->ssl_ctx);
2466  }
2467  CLEAR(*ks);
2468 }
2469 
2470 static void
2471 init_crypto_pre(struct context *c, const unsigned int flags)
2472 {
2473  if (c->options.engine)
2474  {
2476  }
2477 
2478  if (flags & CF_LOAD_PERSISTED_PACKET_ID)
2479  {
2480  /* load a persisted packet-id for cross-session replay-protection */
2481  if (c->options.packet_id_file)
2482  {
2484  }
2485  }
2486 
2487 #ifdef ENABLE_PREDICTION_RESISTANCE
2488  if (c->options.use_prediction_resistance)
2489  {
2490  rand_ctx_enable_prediction_resistance();
2491  }
2492 #endif
2493 
2494 }
2495 
2496 /*
2497  * Static Key Mode (using a pre-shared key)
2498  */
2499 static void
2500 do_init_crypto_static(struct context *c, const unsigned int flags)
2501 {
2502  const struct options *options = &c->options;
2503  ASSERT(options->shared_secret_file);
2504 
2505  init_crypto_pre(c, flags);
2506 
2507  /* Initialize flags */
2509  {
2511  }
2512 
2513  /* Initialize packet ID tracking */
2514  if (options->replay)
2515  {
2517  options->replay_window,
2518  options->replay_time,
2519  "STATIC", 0);
2524  }
2525 
2526  if (!key_ctx_bi_defined(&c->c1.ks.static_key))
2527  {
2528  /* Get cipher & hash algorithms */
2529  init_key_type(&c->c1.ks.key_type, options->ciphername, options->authname,
2530  options->keysize, options->test_crypto, true);
2531 
2532  /* Read cipher and hmac keys from shared secret file */
2534  options->shared_secret_file,
2535  options->shared_secret_file_inline,
2536  options->key_direction, "Static Key Encryption",
2537  "secret");
2538  }
2539  else
2540  {
2541  msg(M_INFO, "Re-using pre-shared static key");
2542  }
2543 
2544  /* Get key schedule */
2546 
2547  /* Compute MTU parameters */
2549  options->replay, true);
2550 
2551  /* Sanity check on sequence number, and cipher mode options */
2552  check_replay_consistency(&c->c1.ks.key_type, options->replay);
2553 }
2554 
2555 /*
2556  * Initialize the tls-auth/crypt key context
2557  */
2558 static void
2560 {
2561  const struct options *options = &c->options;
2562 
2563  /* TLS handshake authentication (--tls-auth) */
2564  if (options->ce.tls_auth_file)
2565  {
2566  /* Initialize key_type for tls-auth with auth only */
2568  if (!streq(options->authname, "none"))
2569  {
2573  }
2574  else
2575  {
2576  msg(M_FATAL, "ERROR: tls-auth enabled, but no valid --auth "
2577  "algorithm specified ('%s')", options->authname);
2578  }
2579 
2581  &c->c1.ks.tls_wrap_key,
2582  options->ce.tls_auth_file,
2583  options->ce.tls_auth_file_inline,
2584  options->ce.key_direction,
2585  "Control Channel Authentication", "tls-auth");
2586  }
2587 
2588  /* TLS handshake encryption+authentication (--tls-crypt) */
2589  if (options->ce.tls_crypt_file)
2590  {
2592  options->ce.tls_crypt_file,
2593  options->ce.tls_crypt_inline, options->tls_server);
2594  }
2595 
2596  /* tls-crypt with client-specific keys (--tls-crypt-v2) */
2597  if (options->ce.tls_crypt_v2_file)
2598  {
2599  if (options->tls_server)
2600  {
2602  true, options->ce.tls_crypt_v2_file,
2603  options->ce.tls_crypt_v2_inline);
2604  }
2605  else
2606  {
2608  &c->c1.ks.tls_crypt_v2_wkc,
2609  options->ce.tls_crypt_v2_file,
2610  options->ce.tls_crypt_v2_inline);
2611  }
2612  }
2613 
2614 
2615 }
2616 
2617 /*
2618  * Initialize the persistent component of OpenVPN's TLS mode,
2619  * which is preserved across SIGUSR1 resets.
2620  */
2621 static void
2623 {
2624  const struct options *options = &c->options;
2625 
2626  if (!tls_ctx_initialised(&c->c1.ks.ssl_ctx))
2627  {
2628  /*
2629  * Initialize the OpenSSL library's global
2630  * SSL context.
2631  */
2632  init_ssl(options, &(c->c1.ks.ssl_ctx));
2633  if (!tls_ctx_initialised(&c->c1.ks.ssl_ctx))
2634  {
2635 #if P2MP
2636  switch (auth_retry_get())
2637  {
2638  case AR_NONE:
2639  msg(M_FATAL, "Error: private key password verification failed");
2640  break;
2641 
2642  case AR_INTERACT:
2643  ssl_purge_auth(false);
2644 
2645  case AR_NOINTERACT:
2646  c->sig->signal_received = SIGUSR1; /* SOFT-SIGUSR1 -- Password failure error */
2647  break;
2648 
2649  default:
2650  ASSERT(0);
2651  }
2652  c->sig->signal_text = "private-key-password-failure";
2653  return;
2654 #else /* if P2MP */
2655  msg(M_FATAL, "Error: private key password verification failed");
2656 #endif /* if P2MP */
2657  }
2658 
2659  /* Get cipher & hash algorithms */
2660  init_key_type(&c->c1.ks.key_type, options->ciphername, options->authname,
2661  options->keysize, true, true);
2662 
2663  /* Initialize PRNG with config-specified digest */
2664  prng_init(options->prng_hash, options->prng_nonce_secret_len);
2665 
2666  /* initialize tls-auth/crypt/crypt-v2 key */
2668 
2669 #if 0 /* was: #if ENABLE_INLINE_FILES -- Note that enabling this code will break restarts */
2670  if (options->priv_key_file_inline)
2671  {
2673  c->options.priv_key_file_inline = NULL;
2674  }
2675 #endif
2676  }
2677  else
2678  {
2679  msg(D_INIT_MEDIUM, "Re-using SSL/TLS context");
2680 
2681  /*
2682  * tls-auth/crypt key can be configured per connection block, therefore
2683  * we must reload it as it may have changed
2684  */
2686  }
2687 }
2688 
2689 static void
2690 do_init_crypto_tls(struct context *c, const unsigned int flags)
2691 {
2692  const struct options *options = &c->options;
2693  struct tls_options to;
2694  bool packet_id_long_form;
2695 
2696  ASSERT(options->tls_server || options->tls_client);
2697  ASSERT(!options->test_crypto);
2698 
2699  init_crypto_pre(c, flags);
2700 
2701  /* Make sure we are either a TLS client or server but not both */
2702  ASSERT(options->tls_server == !options->tls_client);
2703 
2704  /* initialize persistent component */
2706  if (IS_SIG(c))
2707  {
2708  return;
2709  }
2710 
2711  /* Sanity check on sequence number, and cipher mode options */
2712  check_replay_consistency(&c->c1.ks.key_type, options->replay);
2713 
2714  /* In short form, unique datagram identifier is 32 bits, in long form 64 bits */
2715  packet_id_long_form = cipher_kt_mode_ofb_cfb(c->c1.ks.key_type.cipher);
2716 
2717  /* Compute MTU parameters (postpone if we push/pull options) */
2718  if (c->options.pull || c->options.mode == MODE_SERVER)
2719  {
2720  /* Account for worst-case crypto overhead before allocating buffers */
2722  }
2723  else
2724  {
2726  options->replay, packet_id_long_form);
2727  }
2729 
2730  /* Set all command-line TLS-related options */
2731  CLEAR(to);
2732 
2733  if (options->mute_replay_warnings)
2734  {
2736  }
2737 
2739  if (packet_id_long_form)
2740  {
2742  }
2743 
2744  to.ssl_ctx = c->c1.ks.ssl_ctx;
2745  to.key_type = c->c1.ks.key_type;
2746  to.server = options->tls_server;
2747  to.key_method = options->key_method;
2748  to.replay = options->replay;
2749  to.replay_window = options->replay_window;
2750  to.replay_time = options->replay_time;
2753  to.config_authname = c->c1.authname;
2754  to.ncp_enabled = options->ncp_enabled;
2755  to.transition_window = options->transition_window;
2756  to.handshake_window = options->handshake_window;
2757  to.packet_timeout = options->tls_timeout;
2758  to.renegotiate_bytes = options->renegotiate_bytes;
2760  if (options->renegotiate_seconds_min < 0)
2761  {
2762  /* Add 10% jitter to reneg-sec by default (server side only) */
2763  int auto_jitter = options->mode != MODE_SERVER ? 0 :
2764  get_random() % max_int(options->renegotiate_seconds / 10, 1);
2765  to.renegotiate_seconds = options->renegotiate_seconds - auto_jitter;
2766  }
2767  else
2768  {
2769  /* Add user-specified jitter to reneg-sec */
2771  -(get_random() % max_int(options->renegotiate_seconds
2772  - options->renegotiate_seconds_min, 1));
2773  }
2774  to.single_session = options->single_session;
2775  to.mode = options->mode;
2776  to.pull = options->pull;
2777  if (options->push_peer_info) /* all there is */
2778  {
2779  to.push_peer_info_detail = 2;
2780  }
2781  else if (options->pull) /* pull clients send some details */
2782  {
2783  to.push_peer_info_detail = 1;
2784  }
2785  else /* default: no peer-info at all */
2786  {
2787  to.push_peer_info_detail = 0;
2788  }
2789 
2790  /* should we not xmit any packets until we get an initial
2791  * response from client? */
2792  if (to.server && options->ce.proto == PROTO_TCP_SERVER)
2793  {
2794  to.xmit_hold = true;
2795  }
2796 
2797 #ifdef ENABLE_OCC
2798  to.disable_occ = !options->occ;
2799 #endif
2800 
2801  to.verify_command = options->tls_verify;
2802  to.verify_export_cert = options->tls_export_cert;
2803  to.verify_x509_type = (options->verify_x509_type & 0xff);
2804  to.verify_x509_name = options->verify_x509_name;
2805  to.crl_file = options->crl_file;
2806  to.crl_file_inline = options->crl_file_inline;
2807  to.ssl_flags = options->ssl_flags;
2808  to.ns_cert_type = options->ns_cert_type;
2809  memmove(to.remote_cert_ku, options->remote_cert_ku, sizeof(to.remote_cert_ku));
2810  to.remote_cert_eku = options->remote_cert_eku;
2811  to.verify_hash = options->verify_hash;
2812  to.verify_hash_algo = options->verify_hash_algo;
2813 #ifdef ENABLE_X509ALTUSERNAME
2814  to.x509_username_field = (char *) options->x509_username_field;
2815 #else
2817 #endif
2818  to.es = c->c2.es;
2819 
2820 #ifdef ENABLE_DEBUG
2821  to.gremlin = c->options.gremlin;
2822 #endif
2823 
2824  to.plugins = c->plugins;
2825 
2826 #ifdef MANAGEMENT_DEF_AUTH
2827  to.mda_context = &c->c2.mda_context;
2828 #endif
2829 
2830 #if P2MP_SERVER
2833  to.tmp_dir = options->tmp_dir;
2834  if (options->ccd_exclusive)
2835  {
2837  }
2841 #endif
2842 
2843  to.x509_track = options->x509_track;
2844 
2845 #if P2MP
2846 #ifdef ENABLE_MANAGEMENT
2847  to.sci = &options->sc_info;
2848 #endif
2849 #endif
2850 
2851 #ifdef USE_COMP
2852  to.comp_options = options->comp;
2853 #endif
2854 
2855 #if defined(ENABLE_CRYPTO_OPENSSL) && OPENSSL_VERSION_NUMBER >= 0x10001000
2856  if (options->keying_material_exporter_label)
2857  {
2858  to.ekm_size = options->keying_material_exporter_length;
2859  if (to.ekm_size < 16 || to.ekm_size > 4095)
2860  {
2861  to.ekm_size = 0;
2862  }
2863 
2864  to.ekm_label = options->keying_material_exporter_label;
2865  to.ekm_label_size = strlen(to.ekm_label);
2866  }
2867  else
2868  {
2869  to.ekm_size = 0;
2870  }
2871 #endif
2872 
2873  /* TLS handshake authentication (--tls-auth) */
2874  if (options->ce.tls_auth_file)
2875  {
2876  to.tls_wrap.mode = TLS_WRAP_AUTH;
2881  true, true);
2882  }
2883 
2884  /* TLS handshake encryption (--tls-crypt) */
2885  if (options->ce.tls_crypt_file
2886  || (options->ce.tls_crypt_v2_file && options->tls_client))
2887  {
2888  to.tls_wrap.mode = TLS_WRAP_CRYPT;
2893 
2894  if (options->ce.tls_crypt_v2_file)
2895  {
2897  }
2898  }
2899 
2900  if (options->ce.tls_crypt_v2_file)
2901  {
2902  to.tls_crypt_v2 = true;
2903  if (options->tls_server)
2904  {
2907  }
2908  }
2909 
2910  /* If we are running over TCP, allow for
2911  * length prefix */
2913 
2914  /*
2915  * Initialize OpenVPN's master TLS-mode object.
2916  */
2917  if (flags & CF_INIT_TLS_MULTI)
2918  {
2919  c->c2.tls_multi = tls_multi_init(&to);
2920  }
2921 
2922  if (flags & CF_INIT_TLS_AUTH_STANDALONE)
2923  {
2925  }
2926 }
2927 
2928 static void
2930 {
2931  if (c->c2.tls_multi)
2932  {
2935  EXPANDED_SIZE(&c->c2.frame));
2937  "Control Channel MTU parms");
2938  }
2939  if (c->c2.tls_auth_standalone)
2940  {
2943  "TLS-Auth MTU parms");
2944  }
2945 }
2946 
2947 /*
2948  * No encryption or authentication.
2949  */
2950 static void
2952 {
2953  ASSERT(!c->options.test_crypto);
2954  msg(M_WARN,
2955  "******* WARNING *******: All encryption and authentication features "
2956  "disabled -- All data will be tunnelled as clear text and will not be "
2957  "protected against man-in-the-middle changes. "
2958  "PLEASE DO RECONSIDER THIS CONFIGURATION!");
2959 }
2960 
2961 static void
2962 do_init_crypto(struct context *c, const unsigned int flags)
2963 {
2964  if (c->options.shared_secret_file)
2965  {
2966  do_init_crypto_static(c, flags);
2967  }
2968  else if (c->options.tls_server || c->options.tls_client)
2969  {
2970  do_init_crypto_tls(c, flags);
2971  }
2972  else /* no encryption or authentication. */
2973  {
2975  }
2976 }
2977 
2978 static void
2980 {
2981 #ifdef USE_COMP
2982  /*
2983  * modify frame parameters if compression is enabled
2984  */
2985  if (comp_enabled(&c->options.comp))
2986  {
2987  comp_add_to_extra_frame(&c->c2.frame);
2988 
2989 #if !defined(ENABLE_LZ4)
2990  /*
2991  * Compression usage affects buffer alignment when non-swapped algs
2992  * such as LZO is used.
2993  * Newer algs like LZ4 and comp-stub with COMP_F_SWAP don't need
2994  * any special alignment because of the control-byte swap approach.
2995  * LZO alignment (on the other hand) is problematic because
2996  * the presence of the control byte means that either the output of
2997  * decryption must be written to an unaligned buffer, or the input
2998  * to compression (or packet dispatch if packet is uncompressed)
2999  * must be read from an unaligned buffer.
3000  * This code tries to align the input to compression (or packet
3001  * dispatch if packet is uncompressed) at the cost of requiring
3002  * decryption output to be written to an unaligned buffer, so
3003  * it's more of a tradeoff than an optimal solution and we don't
3004  * include it when we are doing a modern build with LZ4.
3005  * Strictly speaking, on the server it would be better to execute
3006  * this code for every connection after we decide the compression
3007  * method, but currently the frame code doesn't appear to be
3008  * flexible enough for this, since the frame is already established
3009  * before it is known which compression options will be pushed.
3010  */
3011  if (comp_unswapped_prefix(&c->options.comp) && CIPHER_ENABLED(c))
3012  {
3013  frame_add_to_align_adjust(&c->c2.frame, COMP_PREFIX_LEN);
3017  }
3018 #endif
3019 
3020 #ifdef ENABLE_FRAGMENT
3021  comp_add_to_extra_frame(&c->c2.frame_fragment_omit); /* omit compression frame delta from final frame_fragment */
3022 #endif
3023  }
3024 #endif /* USE_COMP */
3025 
3026  /*
3027  * Adjust frame size for UDP Socks support.
3028  */
3029  if (c->options.ce.socks_proxy_server)
3030  {
3032  }
3033 
3034  /*
3035  * Adjust frame size based on the --tun-mtu-extra parameter.
3036  */
3038  {
3040  }
3041 
3042  /*
3043  * Adjust frame size based on link socket parameters.
3044  * (Since TCP is a stream protocol, we need to insert
3045  * a packet length uint16_t in the buffer.)
3046  */
3048 
3049  /*
3050  * Fill in the blanks in the frame parameters structure,
3051  * make sure values are rational, etc.
3052  */
3053  frame_finalize_options(c, NULL);
3054 
3055 #ifdef USE_COMP
3056  /*
3057  * Modify frame parameters if compression is compiled in.
3058  * Should be called after frame_finalize_options.
3059  */
3060  comp_add_to_extra_buffer(&c->c2.frame);
3061 #ifdef ENABLE_FRAGMENT
3062  comp_add_to_extra_buffer(&c->c2.frame_fragment_omit); /* omit compression frame delta from final frame_fragment */
3063 #endif
3064 #endif /* USE_COMP */
3065 
3066  /* packets with peer-id (P_DATA_V2) need 3 extra bytes in frame (on client)
3067  * and need link_mtu+3 bytes on socket reception (on server).
3068  *
3069  * accomodate receive path in f->extra_link, which has the side effect of
3070  * also increasing send buffers (BUF_SIZE() macro), which need to be
3071  * allocated big enough before receiving peer-id option from server.
3072  *
3073  * f->extra_frame is adjusted when peer-id option is push-received
3074  */
3076 
3077 #ifdef ENABLE_FRAGMENT
3078  /*
3079  * Set frame parameter for fragment code. This is necessary because
3080  * the fragmentation code deals with payloads which have already been
3081  * passed through the compression code.
3082  */
3083  c->c2.frame_fragment = c->c2.frame;
3085 #endif
3086 
3087 #if defined(ENABLE_FRAGMENT) && defined(ENABLE_OCC)
3088  /*
3089  * MTU advisories
3090  */
3091  if (c->options.ce.fragment && c->options.mtu_test)
3092  {
3093  msg(M_WARN,
3094  "WARNING: using --fragment and --mtu-test together may produce an inaccurate MTU test result");
3095  }
3096 #endif
3097 
3098 #ifdef ENABLE_FRAGMENT
3099  if ((c->options.ce.mssfix || c->options.ce.fragment)
3101  {
3102  msg(M_WARN,
3103  "WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu %d (currently it is %d)",
3105  }
3106 #endif
3107 }
3108 
3109 static void
3111 {
3112  const struct options *o = &c->options;
3113 
3114  if (o->ping_send_timeout && !o->ping_rec_timeout)
3115  {
3116  msg(M_WARN, "WARNING: --ping should normally be used with --ping-restart or --ping-exit");
3117  }
3118 
3119  if (o->username || o->groupname || o->chroot_dir
3120 #ifdef ENABLE_SELINUX
3121  || o->selinux_context
3122 #endif
3123  )
3124  {
3125  if (!o->persist_tun)
3126  {
3127  msg(M_WARN, "WARNING: you are using user/group/chroot/setcon without persist-tun -- this may cause restarts to fail");
3128  }
3129  if (!o->persist_key
3130 #ifdef ENABLE_PKCS11
3131  && !o->pkcs11_id
3132 #endif
3133  )
3134  {
3135  msg(M_WARN, "WARNING: you are using user/group/chroot/setcon without persist-key -- this may cause restarts to fail");
3136  }
3137  }
3138 
3139  if (o->chroot_dir && !(o->username && o->groupname))
3140  {
3141  msg(M_WARN, "WARNING: you are using chroot without specifying user and group -- this may cause the chroot jail to be insecure");
3142  }
3143 
3144 #if P2MP
3145  if (o->pull && o->ifconfig_local && c->first_time)
3146  {
3147  msg(M_WARN, "WARNING: using --pull/--client and --ifconfig together is probably not what you want");
3148  }
3149 
3150 #if P2MP_SERVER
3152  {
3153  msg(M_WARN, "NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to");
3154  }
3155 
3156  if (o->mode == MODE_SERVER)
3157  {
3158  if (o->duplicate_cn && o->client_config_dir)
3159  {
3160  msg(M_WARN, "WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want");
3161  }
3163  {
3164  msg(M_WARN, "WARNING: --ifconfig-pool-persist will not work with --duplicate-cn");
3165  }
3166  if (!o->keepalive_ping || !o->keepalive_timeout)
3167  {
3168  msg(M_WARN, "WARNING: --keepalive option is missing from server config");
3169  }
3170  }
3171 #endif /* if P2MP_SERVER */
3172 #endif /* if P2MP */
3173 
3174  if (!o->replay)
3175  {
3176  msg(M_WARN, "WARNING: You have disabled Replay Protection (--no-replay) which may make " PACKAGE_NAME " less secure");
3177  }
3178 
3179  if (o->tls_server)
3180  {
3182  }
3183  if (o->tls_client
3184  && !o->tls_verify
3187  && !o->remote_cert_eku)
3188  {
3189  msg(M_WARN, "WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.");
3190  }
3191  if (o->ns_cert_type)
3192  {
3193  msg(M_WARN, "WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.");
3194  }
3195 
3196  /* If a script is used, print appropiate warnings */
3197  if (o->user_script_used)
3198  {
3199  if (script_security() >= SSEC_SCRIPTS)
3200  {
3201  msg(M_WARN, "NOTE: the current --script-security setting may allow this configuration to call user-defined scripts");
3202  }
3203  else if (script_security() >= SSEC_PW_ENV)
3204  {
3205  msg(M_WARN, "WARNING: the current --script-security setting may allow passwords to be passed to scripts via environmental variables");
3206  }
3207  else
3208  {
3209  msg(M_WARN, "NOTE: starting with " PACKAGE_NAME " 2.1, '--script-security 2' or higher is required to call user-defined scripts or executables");
3210  }
3211  }
3212 }
3213 
3214 static void
3216 {
3218 }
3219 
3220 struct context_buffers *
3222 {
3223  struct context_buffers *b;
3224 
3225  ALLOC_OBJ_CLEAR(b, struct context_buffers);
3226 
3227  b->read_link_buf = alloc_buf(BUF_SIZE(frame));
3228  b->read_tun_buf = alloc_buf(BUF_SIZE(frame));
3229 
3230  b->aux_buf = alloc_buf(BUF_SIZE(frame));
3231 
3232  b->encrypt_buf = alloc_buf(BUF_SIZE(frame));
3233  b->decrypt_buf = alloc_buf(BUF_SIZE(frame));
3234 
3235 #ifdef USE_COMP
3236  b->compress_buf = alloc_buf(BUF_SIZE(frame));
3237  b->decompress_buf = alloc_buf(BUF_SIZE(frame));
3238 #endif
3239 
3240  return b;
3241 }
3242 
3243 void
3245 {
3246  if (b)
3247  {
3248  free_buf(&b->read_link_buf);
3249  free_buf(&b->read_tun_buf);
3250  free_buf(&b->aux_buf);
3251 
3252 #ifdef USE_COMP
3253  free_buf(&b->compress_buf);
3254  free_buf(&b->decompress_buf);
3255 #endif
3256 
3257  free_buf(&b->encrypt_buf);
3258  free_buf(&b->decrypt_buf);
3259 
3260  free(b);
3261  }
3262 }
3263 
3264 /*
3265  * Now that we know all frame parameters, initialize
3266  * our buffers.
3267  */
3268 static void
3270 {
3272  c->c2.buffers_owned = true;
3273 }
3274 
3275 #ifdef ENABLE_FRAGMENT
3276 /*
3277  * Fragmenting code has buffers to initialize
3278  * once frame parameters are known.
3279  */
3280 static void
3282 {
3283  ASSERT(c->options.ce.fragment);
3287 }
3288 #endif
3289 
3290 /*
3291  * Allocate our socket object.
3292  */
3293 static void
3295 {
3296  ASSERT(!c->c2.link_socket);
3298  c->c2.link_socket_owned = true;
3299 }
3300 
3301 /*
3302  * bind the TCP/UDP socket
3303  */
3304 static void
3305 do_init_socket_1(struct context *c, const int mode)
3306 {
3307  unsigned int sockflags = c->options.sockflags;
3308 
3309 #if PORT_SHARE
3310  if (c->options.port_share_host && c->options.port_share_port)
3311  {
3312  sockflags |= SF_PORT_SHARE;
3313  }
3314 #endif
3315 
3317  c->options.ce.local,
3318  c->options.ce.local_port,
3319  c->options.ce.remote,
3320  c->options.ce.remote_port,
3321  c->c1.dns_cache,
3322  c->options.ce.proto,
3323  c->options.ce.af,
3325  mode,
3326  c->c2.accept_from,
3327  c->c1.http_proxy,
3328  c->c1.socks_proxy,
3329 #ifdef ENABLE_DEBUG
3330  c->options.gremlin,
3331 #endif
3332  c->options.ce.bind_local,
3333  c->options.ce.remote_float,
3334  c->options.inetd,
3335  &c->c1.link_socket_addr,
3336  c->options.ipchange,
3337  c->plugins,
3340  c->options.rcvbuf,
3341  c->options.sndbuf,
3342  c->options.mark,
3344  sockflags);
3345 }
3346 
3347 /*
3348  * finalize the TCP/UDP socket
3349  */
3350 static void
3352 {
3354  c->sig);
3355 }
3356 
3357 /*
3358  * Print MTU INFO
3359  */
3360 static void
3362 {
3363  frame_print(&c->c2.frame, D_MTU_INFO, "Data Channel MTU parms");
3364 #ifdef ENABLE_FRAGMENT
3365  if (c->c2.fragment)
3366  {
3368  "Fragmentation MTU parms");
3369  }
3370 #endif
3371 }
3372 
3373 #ifdef ENABLE_OCC
3374 /*
3375  * Get local and remote options compatibility strings.
3376  */
3377 static void
3379 {
3380  struct gc_arena gc = gc_new();
3381 
3383  options_string(&c->options, &c->c2.frame, c->c1.tuntap, false, &gc);
3385  options_string(&c->options, &c->c2.frame, c->c1.tuntap, true, &gc);
3386 
3387  msg(D_SHOW_OCC, "Local Options String (VER=%s): '%s'",
3390  msg(D_SHOW_OCC, "Expected Remote Options String (VER=%s): '%s'",
3393 
3394  if (c->c2.tls_multi)
3395  {
3399  }
3400 
3401  gc_free(&gc);
3402 }
3403 #endif /* ifdef ENABLE_OCC */
3404 
3405 /*
3406  * These things can only be executed once per program instantiation.
3407  * Set up for possible UID/GID downgrade, but don't do it yet.
3408  * Daemonize if requested.
3409  */
3410 static void
3412 {
3413  if (c->first_time && !c->c0)
3414  {
3415  struct context_0 *c0;
3416 
3417  ALLOC_OBJ_CLEAR_GC(c->c0, struct context_0, &c->gc);
3418  c0 = c->c0;
3419 
3420  /* get user and/or group that we want to setuid/setgid to */
3421  c0->uid_gid_specified =
3424 
3425  /* perform postponed chdir if --daemon */
3426  if (c->did_we_daemonize && c->options.cd_dir == NULL)
3427  {
3428  platform_chdir("/");
3429  }
3430 
3431  /* should we change scheduling priority? */
3433  }
3434 }
3435 
3436 /*
3437  * If xinetd/inetd mode, don't allow restart.
3438  */
3439 static void
3441 {
3442  if (c->options.inetd
3443  && (c->sig->signal_received == SIGHUP
3444  || c->sig->signal_received == SIGUSR1))
3445  {
3446  c->sig->signal_received = SIGTERM;
3447  msg(M_INFO,
3448  PACKAGE_NAME
3449  " started by inetd/xinetd cannot restart... Exiting.");
3450  }
3451 }
3452 
3453 /*
3454  * free buffers
3455  */
3456 static void
3458 {
3459  if (c->c2.buffers_owned)
3460  {
3462  c->c2.buffers = NULL;
3463  c->c2.buffers_owned = false;
3464  }
3465 }
3466 
3467 /*
3468  * close TLS
3469  */
3470 static void
3472 {
3473  if (c->c2.tls_multi)
3474  {
3475  tls_multi_free(c->c2.tls_multi, true);
3476  c->c2.tls_multi = NULL;
3477  }
3478 
3479 #ifdef ENABLE_OCC
3480  /* free options compatibility strings */
3481  if (c->c2.options_string_local)
3482  {
3484  }
3485  if (c->c2.options_string_remote)
3486  {
3488  }
3490 #endif
3491 
3492  if (c->c2.pulled_options_state)
3493  {
3496  }
3497 }
3498 
3499 /*
3500  * Free key schedules
3501  */
3502 static void
3503 do_close_free_key_schedule(struct context *c, bool free_ssl_ctx)
3504 {
3505  /*
3506  * always free the tls_auth/crypt key. If persist_key is true, the key will
3507  * be reloaded from memory (pre-cached)
3508  */
3510  CLEAR(c->c1.ks.tls_wrap_key);
3513 
3514  if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_key))
3515  {
3516  key_schedule_free(&c->c1.ks, free_ssl_ctx);
3517  }
3518 }
3519 
3520 /*
3521  * Close TCP/UDP connection
3522  */
3523 static void
3525 {
3526  if (c->c2.link_socket && c->c2.link_socket_owned)
3527  {
3529  c->c2.link_socket = NULL;
3530  }
3531 
3532 
3533  /* Preserve the resolved list of remote if the user request to or if we want
3534  * reconnect to the same host again or there are still addresses that need
3535  * to be tried */
3536  if (!(c->sig->signal_received == SIGUSR1
3537  && ( (c->options.persist_remote_ip)
3538  ||
3539  ( c->sig->source != SIG_SOURCE_HARD
3541  || c->options.no_advance))
3542  )))
3543  {
3545  }
3546 
3547  /* Clear the remote actual address when persist_remote_ip is not in use */
3548  if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_remote_ip))
3549  {
3551  }
3552 
3553  if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_local_ip))
3554  {
3556  {
3557  freeaddrinfo(c->c1.link_socket_addr.bind_local);
3558  }
3559 
3560  c->c1.link_socket_addr.bind_local = NULL;
3561  }
3562 }
3563 
3564 /*
3565  * Close packet-id persistance file
3566  */
3567 static void
3569 {
3572  if (!(c->sig->signal_received == SIGUSR1))
3573  {
3575  }
3576 }
3577 
3578 #ifdef ENABLE_FRAGMENT
3579 /*
3580  * Close fragmentation handler.
3581  */
3582 static void
3584 {
3585  if (c->c2.fragment)
3586  {
3588  c->c2.fragment = NULL;
3589  }
3590 }
3591 #endif
3592 
3593 /*
3594  * Open and close our event objects.
3595  */
3596 
3597 static void
3599  bool need_us_timeout)
3600 {
3601  unsigned int flags = 0;
3602 
3604 
3605  flags |= EVENT_METHOD_FAST;
3606 
3607  if (need_us_timeout)
3608  {
3609  flags |= EVENT_METHOD_US_TIMEOUT;
3610  }
3611 
3612  c->c2.event_set = event_set_init(&c->c2.event_set_max, flags);
3613  c->c2.event_set_owned = true;
3614 }
3615 
3616 static void
3618 {
3619  if (c->c2.event_set && c->c2.event_set_owned)
3620  {
3621  event_free(c->c2.event_set);
3622  c->c2.event_set = NULL;
3623  c->c2.event_set_owned = false;
3624  }
3625 }
3626 
3627 /*
3628  * Open and close --status file
3629  */
3630 
3631 static void
3633 {
3634  if (!c->c1.status_output)
3635  {
3638  -1,
3639  NULL,
3641  c->c1.status_output_owned = true;
3642  }
3643 }
3644 
3645 static void
3647 {
3648  if (!(c->sig->signal_received == SIGUSR1))
3649  {
3650  if (c->c1.status_output_owned && c->c1.status_output)
3651  {
3653  c->c1.status_output = NULL;
3654  c->c1.status_output_owned = false;
3655  }
3656  }
3657 }
3658 
3659 /*
3660  * Handle ifconfig-pool persistance object.
3661  */
3662 static void
3664 {
3665 #if P2MP_SERVER
3667  {
3670  c->c1.ifconfig_pool_persist_owned = true;
3671  }
3672 #endif
3673 }
3674 
3675 static void
3677 {
3678 #if P2MP_SERVER
3679  if (!(c->sig->signal_received == SIGUSR1))
3680  {
3682  {
3684  c->c1.ifconfig_pool_persist = NULL;
3685  c->c1.ifconfig_pool_persist_owned = false;
3686  }
3687  }
3688 #endif
3689 }
3690 
3691 /*
3692  * Inherit environmental variables
3693  */
3694 
3695 static void
3696 do_inherit_env(struct context *c, const struct env_set *src)
3697 {
3698  c->c2.es = env_set_create(NULL);
3699  c->c2.es_owned = true;
3700  env_set_inherit(c->c2.es, src);
3701 }
3702 
3703 static void
3705 {
3706  if (c->c2.es && c->c2.es_owned)
3707  {
3708  env_set_destroy(c->c2.es);
3709  c->c2.es = NULL;
3710  c->c2.es_owned = false;
3711  }
3712 }
3713 
3714 /*
3715  * Fast I/O setup. Fast I/O is an optimization which only works
3716  * if all of the following are true:
3717  *
3718  * (1) The platform is not Windows
3719  * (2) --proto udp is enabled
3720  * (3) --shaper is disabled
3721  */
3722 static void
3724 {
3725  if (c->options.fast_io)
3726  {
3727 #ifdef _WIN32
3728  msg(M_INFO, "NOTE: --fast-io is disabled since we are running on Windows");
3729 #else
3730  if (!proto_is_udp(c->options.ce.proto))
3731  {
3732  msg(M_INFO, "NOTE: --fast-io is disabled since we are not using UDP");
3733  }
3734  else
3735  {
3736 #ifdef ENABLE_FEATURE_SHAPER
3737  if (c->options.shaper)
3738  {
3739  msg(M_INFO, "NOTE: --fast-io is disabled since we are using --shaper");
3740  }
3741  else
3742 #endif
3743  {
3744  c->c2.fast_io = true;
3745  }
3746  }
3747 #endif
3748  }
3749 }
3750 
3751 static void
3753 {
3754  if (c->options.tls_exit)
3755  {
3756  c->c2.tls_exit_signal = SIGTERM;
3757  }
3758  else
3759  {
3760  c->c2.tls_exit_signal = SIGUSR1;
3761  }
3762 }
3763 
3764 #ifdef ENABLE_PLUGIN
3765 
3766 void
3768 {
3769  if (c->options.plugin_list && !c->plugins)
3770  {
3772  c->plugins_owned = true;
3773  }
3774 }
3775 
3776 void
3777 open_plugins(struct context *c, const bool import_options, int init_point)
3778 {
3779  if (c->plugins && c->plugins_owned)
3780  {
3781  if (import_options)
3782  {
3783  struct plugin_return pr, config;
3784  plugin_return_init(&pr);
3785  plugin_list_open(c->plugins, c->options.plugin_list, &pr, c->c2.es, init_point);
3786  plugin_return_get_column(&pr, &config, "config");
3787  if (plugin_return_defined(&config))
3788  {
3789  int i;
3790  for (i = 0; i < config.n; ++i)
3791  {
3792  unsigned int option_types_found = 0;
3793  if (config.list[i] && config.list[i]->value)
3794  {
3796  config.list[i]->value,
3799  &option_types_found,
3800  c->es);
3801  }
3802  }
3803  }
3804  plugin_return_free(&pr);
3805  }
3806  else
3807  {
3808  plugin_list_open(c->plugins, c->options.plugin_list, NULL, c->c2.es, init_point);
3809  }
3810  }
3811 }
3812 
3813 static void
3815 {
3816  if (c->plugins && c->plugins_owned && !(c->sig->signal_received == SIGUSR1))
3817  {
3819  c->plugins = NULL;
3820  c->plugins_owned = false;
3821  }
3822 }
3823 
3824 static void
3825 do_inherit_plugins(struct context *c, const struct context *src)
3826 {
3827  if (!c->plugins && src->plugins)
3828  {
3829  c->plugins = plugin_list_inherit(src->plugins);
3830  c->plugins_owned = true;
3831  }
3832 }
3833 
3834 #endif /* ifdef ENABLE_PLUGIN */
3835 
3836 #ifdef ENABLE_MANAGEMENT
3837 
3838 static void
3839 management_callback_status_p2p(void *arg, const int version, struct status_output *so)
3840 {
3841  struct context *c = (struct context *) arg;
3842  print_status(c, so);
3843 }
3844 
3845 void
3846 management_show_net_callback(void *arg, const int msglevel)
3847 {
3848 #ifdef _WIN32
3849  show_routes(msglevel);
3850  show_adapters(msglevel);
3851  msg(msglevel, "END");
3852 #else
3853  msg(msglevel, "ERROR: Sorry, this command is currently only implemented on Windows");
3854 #endif
3855 }
3856 
3857 #ifdef TARGET_ANDROID
3858 int
3859 management_callback_network_change(void *arg, bool samenetwork)
3860 {
3861  /* Check if the client should translate the network change to a SIGUSR1 to
3862  * reestablish the connection or just reprotect the socket
3863  *
3864  * At the moment just assume that, for all settings that use pull (not
3865  * --static) and are not using peer-id reestablishing the connection is
3866  * required (unless the network is the same)
3867  *
3868  * The function returns -1 on invalid fd and -2 if the socket cannot be
3869  * reused. On the -2 return value the man_network_change function triggers
3870  * a SIGUSR1 to force a reconnect.
3871  */
3872 
3873  int socketfd = -1;
3874  struct context *c = (struct context *) arg;
3875  if (!c->c2.link_socket)
3876  {
3877  return -1;
3878  }
3879  if (c->c2.link_socket->sd == SOCKET_UNDEFINED)
3880  {
3881  return -1;
3882  }
3883 
3884  socketfd = c->c2.link_socket->sd;
3885  if (!c->options.pull || c->c2.tls_multi->use_peer_id || samenetwork)
3886  {
3887  return socketfd;
3888  }
3889  else
3890  {
3891  return -2;
3892  }
3893 }
3894 #endif /* ifdef TARGET_ANDROID */
3895 
3896 #endif /* ifdef ENABLE_MANAGEMENT */
3897 
3898 void
3900 {
3901 #ifdef ENABLE_MANAGEMENT
3902  if (management)
3903  {
3904  struct management_callback cb;
3905  CLEAR(cb);
3906  cb.arg = c;
3911 #ifdef TARGET_ANDROID
3912  cb.network_change = management_callback_network_change;
3913 #endif
3915  }
3916 #endif
3917 }
3918 
3919 #ifdef ENABLE_MANAGEMENT
3920 
3921 void
3923 {
3924  if (!management)
3925  {
3927  }
3928 }
3929 
3930 bool
3932 {
3933  /* initialize management layer */
3934  if (management)
3935  {
3936  if (c->options.management_addr)
3937  {
3938  unsigned int flags = c->options.management_flags;
3939  if (c->options.mode == MODE_SERVER)
3940  {
3941  flags |= MF_SERVER;
3942  }
3954  flags))
3955  {
3958  NULL,
3959  NULL,
3960  NULL,
3961  NULL,
3962  NULL);
3963  }
3964 
3965  /* initial management hold, called early, before first context initialization */
3966  do_hold(0);
3967  if (IS_SIG(c))
3968  {
3969  msg(M_WARN, "Signal received from management interface, exiting");
3970  return false;
3971  }
3972  }
3973  else
3974  {
3975  close_management();
3976  }
3977  }
3978  return true;
3979 }
3980 
3981 void
3983 {
3984  if (management)
3985  {
3987  management = NULL;
3988  }
3989 }
3990 
3991 #endif /* ifdef ENABLE_MANAGEMENT */
3992 
3993 
3994 void
3996 {
3997 #ifdef ENABLE_MANAGEMENT
3998  if (management)
3999  {
4001  }
4002 #endif
4003 }
4004 
4005 /*
4006  * Initialize a tunnel instance, handle pre and post-init
4007  * signal settings.
4008  */
4009 void
4010 init_instance_handle_signals(struct context *c, const struct env_set *env, const unsigned int flags)
4011 {
4013  init_instance(c, env, flags);
4015 
4016  /*
4017  * This is done so that signals thrown during
4018  * initialization can bring us back to
4019  * a management hold.
4020  */
4021  if (IS_SIG(c))
4022  {
4023  remap_signal(c);
4025  }
4026 }
4027 
4028 /*
4029  * Initialize a tunnel instance.
4030  */
4031 void
4032 init_instance(struct context *c, const struct env_set *env, const unsigned int flags)
4033 {
4034  const struct options *options = &c->options;
4035  const bool child = (c->mode == CM_CHILD_TCP || c->mode == CM_CHILD_UDP);
4036  int link_socket_mode = LS_MODE_DEFAULT;
4037 
4038  /* init garbage collection level */
4039  gc_init(&c->c2.gc);
4040 
4041  /* inherit environmental variables */
4042  if (env)
4043  {
4044  do_inherit_env(c, env);
4045  }
4046 
4047  /* signals caught here will abort */
4048  c->sig->signal_received = 0;
4049  c->sig->signal_text = NULL;
4050  c->sig->source = SIG_SOURCE_SOFT;
4051 
4052  if (c->mode == CM_P2P)
4053  {
4055  }
4056 
4057  /* possible sleep or management hold if restart */
4058  if (c->mode == CM_P2P || c->mode == CM_TOP)
4059  {
4060  do_startup_pause(c);
4061  if (IS_SIG(c))
4062  {
4063  goto sig;
4064  }
4065  }
4066 
4067  if (c->options.resolve_in_advance)
4068  {
4069  do_preresolve(c);
4070  if (IS_SIG(c))
4071  {
4072  goto sig;
4073  }
4074  }
4075 
4076  /* map in current connection entry */
4078 
4079  /* link_socket_mode allows CM_CHILD_TCP
4080  * instances to inherit acceptable fds
4081  * from a top-level parent */
4082  if (c->options.ce.proto == PROTO_TCP_SERVER)
4083  {
4084  if (c->mode == CM_TOP)
4085  {
4086  link_socket_mode = LS_MODE_TCP_LISTEN;
4087  }
4088  else if (c->mode == CM_CHILD_TCP)
4089  {
4090  link_socket_mode = LS_MODE_TCP_ACCEPT_FROM;
4091  }
4092  }
4093 
4094  /* should we disable paging? */
4095  if (c->first_time && options->mlock)
4096  {
4097  platform_mlockall(true);
4098  }
4099 
4100 #if P2MP
4101  /* get passwords if undefined */
4102  if (auth_retry_get() == AR_INTERACT)
4103  {
4105  }
4106 #endif
4107 
4108  /* initialize context level 2 --verb/--mute parms */
4110 
4111  /* set error message delay for non-server modes */
4112  if (c->mode == CM_P2P)
4113  {
4115  }
4116 
4117  /* warn about inconsistent options */
4118  if (c->mode == CM_P2P || c->mode == CM_TOP)
4119  {
4120  do_option_warnings(c);
4121  }
4122 
4123 #ifdef ENABLE_PLUGIN
4124  /* initialize plugins */
4125  if (c->mode == CM_P2P || c->mode == CM_TOP)
4126  {
4128  }
4129 #endif
4130 
4131  /* should we enable fast I/O? */
4132  if (c->mode == CM_P2P || c->mode == CM_TOP)
4133  {
4134  do_setup_fast_io(c);
4135  }
4136 
4137  /* should we throw a signal on TLS errors? */
4139 
4140  /* open --status file */
4141  if (c->mode == CM_P2P || c->mode == CM_TOP)
4142  {
4144  }
4145 
4146  /* open --ifconfig-pool-persist file */
4147  if (c->mode == CM_TOP)
4148  {
4150  }
4151 
4152 #ifdef ENABLE_OCC
4153  /* reset OCC state */
4154  if (c->mode == CM_P2P || child)
4155  {
4156  c->c2.occ_op = occ_reset_op();
4157  }
4158 #endif
4159 
4160  /* our wait-for-i/o objects, different for posix vs. win32 */
4161  if (c->mode == CM_P2P)
4162  {
4164  }
4165  else if (c->mode == CM_CHILD_TCP)
4166  {
4167  do_event_set_init(c, false);
4168  }
4169 
4170  /* initialize HTTP or SOCKS proxy object at scope level 2 */
4171  init_proxy(c);
4172 
4173  /* allocate our socket object */
4174  if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
4175  {
4176  do_link_socket_new(c);
4177  }
4178 
4179 #ifdef ENABLE_FRAGMENT
4180  /* initialize internal fragmentation object */
4181  if (options->ce.fragment && (c->mode == CM_P2P || child))
4182  {
4183  c->c2.fragment = fragment_init(&c->c2.frame);
4184  }
4185 #endif
4186 
4187  /* init crypto layer */
4188  {
4189  unsigned int crypto_flags = 0;
4190  if (c->mode == CM_TOP)
4191  {
4192  crypto_flags = CF_INIT_TLS_AUTH_STANDALONE;
4193  }
4194  else if (c->mode == CM_P2P)
4195  {
4197  }
4198  else if (child)
4199  {
4200  crypto_flags = CF_INIT_TLS_MULTI;
4201  }
4202  do_init_crypto(c, crypto_flags);
4203  if (IS_SIG(c) && !child)
4204  {
4205  goto sig;
4206  }
4207  }
4208 
4209 #ifdef USE_COMP
4210  /* initialize compression library. */
4211  if (comp_enabled(&options->comp) && (c->mode == CM_P2P || child))
4212  {
4213  c->c2.comp_context = comp_init(&options->comp);
4214  }
4215 #endif
4216 
4217  /* initialize MTU variables */
4218  do_init_frame(c);
4219 
4220  /* initialize TLS MTU variables */
4221  do_init_frame_tls(c);
4222 
4223  /* init workspace buffers whose size is derived from frame size */
4224  if (c->mode == CM_P2P || c->mode == CM_CHILD_TCP)
4225  {
4226  do_init_buffers(c);
4227  }
4228 
4229 #ifdef ENABLE_FRAGMENT
4230  /* initialize internal fragmentation capability with known frame size */
4231  if (options->ce.fragment && (c->mode == CM_P2P || child))
4232  {
4233  do_init_fragment(c);
4234  }
4235 #endif
4236 
4237  /* initialize dynamic MTU variable */
4238  frame_init_mssfix(&c->c2.frame, &c->options);
4239 
4240  /* bind the TCP/UDP socket */
4241  if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
4242  {
4243  do_init_socket_1(c, link_socket_mode);
4244  }
4245 
4246  /* initialize tun/tap device object,
4247  * open tun/tap device, ifconfig, run up script, etc. */
4248  if (!(options->up_delay || PULL_DEFINED(options)) && (c->mode == CM_P2P || c->mode == CM_TOP))
4249  {
4250  c->c2.did_open_tun = do_open_tun(c);
4251  }
4252 
4253  c->c2.frame_initial = c->c2.frame;
4254 
4255  /* print MTU info */
4257 
4258 #ifdef ENABLE_OCC
4259  /* get local and remote options compatibility strings */
4260  if (c->mode == CM_P2P || child)
4261  {
4263  }
4264 #endif
4265 
4266  /* initialize output speed limiter */
4267  if (c->mode == CM_P2P)
4268  {
4270  }
4271 
4272  /* do one-time inits, and possibily become a daemon here */
4273  do_init_first_time(c);
4274 
4275 #ifdef ENABLE_PLUGIN
4276  /* initialize plugins */
4277  if (c->mode == CM_P2P || c->mode == CM_TOP)
4278  {
4280  }
4281 #endif
4282 
4283  /* initialise connect timeout timer */
4285 
4286  /* finalize the TCP/UDP socket */
4287  if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
4288  {
4289  do_init_socket_2(c);
4290  }
4291 
4292  /*
4293  * Actually do UID/GID downgrade, and chroot, if requested.
4294  * May be delayed by --client, --pull, or --up-delay.
4295  */
4297 
4298  /* initialize timers */
4299  if (c->mode == CM_P2P || child)
4300  {
4301  do_init_timers(c, false);
4302  }
4303 
4304 #ifdef ENABLE_PLUGIN
4305  /* initialize plugins */
4306  if (c->mode == CM_P2P || c->mode == CM_TOP)
4307  {
4309  }
4310 #endif
4311 
4312 #if PORT_SHARE
4313  /* share OpenVPN port with foreign (such as HTTPS) server */
4314  if (c->first_time && (c->mode == CM_P2P || c->mode == CM_TOP))
4315  {
4316  init_port_share(c);
4317  }
4318 #endif
4319 
4320 #ifdef ENABLE_PF
4321  if (child)
4322  {
4323  pf_init_context(c);
4324  }
4325 #endif
4326 
4327  /* Check for signals */
4328  if (IS_SIG(c))
4329  {
4330  goto sig;
4331  }
4332 
4333  return;
4334 
4335 sig:
4336  if (!c->sig->signal_text)
4337  {
4338  c->sig->signal_text = "init_instance";
4339  }
4340  close_context(c, -1, flags);
4341  return;
4342 }
4343 
4344 /*
4345  * Close a tunnel instance.
4346  */
4347 void
4349 {
4350  /* close event objects */
4351  do_close_event_set(c);
4352 
4353  if (c->mode == CM_P2P
4354  || c->mode == CM_CHILD_TCP
4355  || c->mode == CM_CHILD_UDP
4356  || c->mode == CM_TOP)
4357  {
4358  /* if xinetd/inetd mode, don't allow restart */
4360 
4361 #ifdef USE_COMP
4362  if (c->c2.comp_context)
4363  {
4364  comp_uninit(c->c2.comp_context);
4365  c->c2.comp_context = NULL;
4366  }
4367 #endif
4368 
4369  /* free buffers */
4370  do_close_free_buf(c);
4371 
4372  /* close TLS */
4373  do_close_tls(c);
4374 
4375  /* free key schedules */
4376  do_close_free_key_schedule(c, (c->mode == CM_P2P || c->mode == CM_TOP));
4377 
4379 
4380  /* close TCP/UDP connection */
4382 
4383  /* close TUN/TAP device */
4384  do_close_tun(c, false);
4385 
4386 #ifdef MANAGEMENT_DEF_AUTH
4387  if (management)
4388  {
4389  management_notify_client_close(management, &c->c2.mda_context, NULL);
4390  }
4391 #endif
4392 
4393 #ifdef ENABLE_PF
4394  pf_destroy_context(&c->c2.pf);
4395 #endif
4396 
4397 #ifdef ENABLE_PLUGIN
4398  /* call plugin close functions and unload */
4399  do_close_plugins(c);
4400 #endif
4401 
4402  /* close packet-id persistance file */
4403  do_close_packet_id(c);
4404 
4405  /* close --status file */
4407 
4408 #ifdef ENABLE_FRAGMENT
4409  /* close fragmentation handler */
4410  do_close_fragment(c);
4411 #endif
4412 
4413  /* close --ifconfig-pool-persist obj */
4415 
4416  /* free up environmental variable store */
4417  do_env_set_destroy(c);
4418 
4419  /* close HTTP or SOCKS proxy */
4420  uninit_proxy(c);
4421 
4422  /* garbage collect */
4423  gc_free(&c->c2.gc);
4424  }
4425 }
4426 
4427 void
4429  const struct context *src)
4430 {
4431  CLEAR(*dest);
4432 
4433  /* proto_is_dgram will ASSERT(0) if proto is invalid */
4435 
4436  dest->gc = gc_new();
4437 
4438  ALLOC_OBJ_CLEAR_GC(dest->sig, struct signal_info, &dest->gc);
4439 
4440  /* c1 init */
4442 
4443  dest->c1.ks.key_type = src->c1.ks.key_type;
4444  /* inherit SSL context */
4445  dest->c1.ks.ssl_ctx = src->c1.ks.ssl_ctx;
4446  dest->c1.ks.tls_wrap_key = src->c1.ks.tls_wrap_key;
4449  /* inherit pre-NCP ciphers */
4450  dest->c1.ciphername = src->c1.ciphername;
4451  dest->c1.authname = src->c1.authname;
4452  dest->c1.keysize = src->c1.keysize;
4453 
4454  /* options */
4455  dest->options = src->options;
4456  options_detach(&dest->options);
4457 
4458  if (dest->mode == CM_CHILD_TCP)
4459  {
4460  /*
4461  * The CM_TOP context does the socket listen(),
4462  * and the CM_CHILD_TCP context does the accept().
4463  */
4464  dest->c2.accept_from = src->c2.link_socket;
4465  }
4466 
4467 #ifdef ENABLE_PLUGIN
4468  /* inherit plugins */
4469  do_inherit_plugins(dest, src);
4470 #endif
4471 
4472  /* context init */
4473  init_instance(dest, src->c2.es, CC_NO_CLOSE | CC_USR1_TO_HUP);
4474  if (IS_SIG(dest))
4475  {
4476  return;
4477  }
4478 
4479  /* inherit tun/tap interface object */
4480  dest->c1.tuntap = src->c1.tuntap;
4481 
4482  /* UDP inherits some extra things which TCP does not */
4483  if (dest->mode == CM_CHILD_UDP)
4484  {
4485  /* inherit buffers */
4486  dest->c2.buffers = src->c2.buffers;
4487 
4488  /* inherit parent link_socket and tuntap */
4489  dest->c2.link_socket = src->c2.link_socket;
4490 
4491  ALLOC_OBJ_GC(dest->c2.link_socket_info, struct link_socket_info, &dest->gc);
4492  *dest->c2.link_socket_info = src->c2.link_socket->info;
4493 
4494  /* locally override some link_socket_info fields */
4495  dest->c2.link_socket_info->lsa = &dest->c1.link_socket_addr;
4497  }
4498 }
4499 
4500 void
4502  const struct context *src)
4503 {
4504  /* copy parent */
4505  *dest = *src;
4506 
4507  /*
4508  * CM_TOP_CLONE will prevent close_instance from freeing or closing
4509  * resources owned by the parent.
4510  *
4511  * Also note that CM_TOP_CLONE context objects are
4512  * closed by multi_top_free in multi.c.
4513  */
4514  dest->mode = CM_TOP_CLONE;
4515 
4516  dest->first_time = false;
4517  dest->c0 = NULL;
4518 
4519  options_detach(&dest->options);
4520  gc_detach(&dest->gc);
4521  gc_detach(&dest->c2.gc);
4522 
4523  /* detach plugins */
4524  dest->plugins_owned = false;
4525 
4526  dest->c2.tls_multi = NULL;
4527 
4528  /* detach c1 ownership */
4529  dest->c1.tuntap_owned = false;
4530  dest->c1.status_output_owned = false;
4531 #if P2MP_SERVER
4532  dest->c1.ifconfig_pool_persist_owned = false;
4533 #endif
4534 
4535  /* detach c2 ownership */
4536  dest->c2.event_set_owned = false;
4537  dest->c2.link_socket_owned = false;
4538  dest->c2.buffers_owned = false;
4539  dest->c2.es_owned = false;
4540 
4541  dest->c2.event_set = NULL;
4542  if (proto_is_dgram(src->options.ce.proto))
4543  {
4544  do_event_set_init(dest, false);
4545  }
4546 
4547 #ifdef USE_COMP
4548  dest->c2.comp_context = NULL;
4549 #endif
4550 }
4551 
4552 void
4553 close_context(struct context *c, int sig, unsigned int flags)
4554 {
4555  ASSERT(c);
4556  ASSERT(c->sig);
4557 
4558  if (sig >= 0)
4559  {
4560  c->sig->signal_received = sig;
4561  }
4562 
4563  if (c->sig->signal_received == SIGUSR1)
4564  {
4565  if ((flags & CC_USR1_TO_HUP)
4566  || (c->sig->source == SIG_SOURCE_HARD && (flags & CC_HARD_USR1_TO_HUP)))
4567  {
4568  c->sig->signal_received = SIGHUP;
4569  c->sig->signal_text = "close_context usr1 to hup";
4570  }
4571  }
4572 
4573  if (!(flags & CC_NO_CLOSE))
4574  {
4575  close_instance(c);
4576  }
4577 
4578  if (flags & CC_GC_FREE)
4579  {
4580  context_gc_free(c);
4581  }
4582 }
4583 
4584 /*
4585  * Do a loopback test
4586  * on the crypto subsystem.
4587  */
4588 static void *
4590 {
4591  struct context *c = (struct context *) arg;
4592  const struct options *options = &c->options;
4593 
4594  ASSERT(options->test_crypto);
4596  context_init_1(c);
4598  do_init_crypto_static(c, 0);
4599 
4600  frame_finalize_options(c, options);
4601 
4602  test_crypto(&c->c2.crypto_options, &c->c2.frame);
4603 
4604  key_schedule_free(&c->c1.ks, true);
4606 
4607  context_gc_free(c);
4608  return NULL;
4609 }
4610 
4611 bool
4612 do_test_crypto(const struct options *o)
4613 {
4614  if (o->test_crypto)
4615  {
4616  struct context c;
4617 
4618  /* print version number */
4619  msg(M_INFO, "%s", title_string);
4620 
4621  context_clear(&c);
4622  c.options = *o;
4623  options_detach(&c.options);
4624  c.first_time = true;
4625  test_crypto_thread((void *) &c);
4626  return true;
4627  }
4628  return false;
4629 }
struct tuntap_options tuntap_options
Definition: options.h:286
bool tcp_mode
Definition: ssl_common.h:302
struct env_set * es
Definition: openvpn.h:427
char port[RH_PORT_LEN]
Definition: options.h:177
const char * ciphername
Data channel cipher from config file.
Definition: openvpn.h:209
bool remote_float
Definition: options.h:95
bool socks_proxy_owned
Definition: openvpn.h:189
static void init_crypto_pre(struct context *c, const unsigned int flags)
Definition: init.c:2471
void interval_init(struct interval *top, int horizon, int refresh)
Definition: interval.c:37
const char * status_file
Definition: options.h:321
void management_close(struct management *man)
Definition: manage.c:2636
int ifconfig_pool_persist_refresh_freq
Definition: options.h:419
struct key_type key_type
Definition: ssl_common.h:247
struct ifconfig_pool_persist * ifconfig_pool_persist_init(const char *filename, int refresh_freq)
Definition: pool.c:426
bool persist_remote_ip
Definition: options.h:275
int sndbuf
Definition: options.h:334
static void frame_add_to_extra_buffer(struct frame *frame, const int increment)
Definition: mtu.h:298
void platform_group_set(const struct platform_state_group *state)
Definition: platform.c:130
struct route_ipv6_option_list * routes_ipv6
Definition: options.h:353
bool log_rw
Definition: openvpn.h:387
void frame_subtract_extra(struct frame *frame, const struct frame *src)
Definition: mtu.c:123
static int route_did_redirect_default_gateway(const struct route_list *rl)
Definition: route.h:394
void set_std_files_to_null(bool stdin_only)
Definition: misc.c:58
#define CO_PACKET_ID_LONG_FORM
Bit-flag indicating whether to use OpenVPN&#39;s long packet ID format.
Definition: crypto.h:245
struct http_proxy_info * http_proxy_new(const struct http_proxy_options *o)
Definition: proxy.c:496
static void strncpynt(char *dest, const char *src, size_t maxlen)
Definition: buffer.h:348
const char * socks_proxy_port
Definition: options.h:104
#define TM_ACTIVE
Active tls_session.
Definition: ssl_common.h:465
struct frame frame_fragment_omit
Definition: openvpn.h:268
const char * tmp_dir
Definition: ssl_common.h:320
struct env_set * env_set_create(struct gc_arena *gc)
Definition: env_set.c:158
struct event_timeout route_wakeup
Definition: openvpn.h:390
bool tun_mtu_defined
Definition: options.h:108
static void uninit_proxy_dowork(struct context *c)
Definition: init.c:557
#define OPT_P_DEFAULT
Definition: options.h:670
bool platform_group_get(const char *groupname, struct platform_state_group *state)
Definition: platform.c:108
int dev_type_enum(const char *dev, const char *dev_type)
Definition: tun.c:239
Definition: tun.h:131
bool ncp_enabled
Definition: options.h:489
unsigned int management_flags
Definition: options.h:378
static void do_close_tun(struct context *c, bool force)
Definition: init.c:1915
struct packet_id packet_id
Current packet ID state for both sending and receiving directions.
Definition: crypto.h:238
void free_key_ctx(struct key_ctx *ctx)
Definition: crypto.c:894
static void do_init_crypto_static(struct context *c, const unsigned int flags)
Definition: init.c:2500
const char * signal_description(const int signum, const char *sigtext)
Definition: sig.c:91
struct key_state key[KS_SIZE]
Definition: ssl_common.h:445
struct buffer read_tun_buf
Definition: openvpn.h:111
const char * crl_file
Definition: ssl_common.h:284
#define P2MP_SERVER
Definition: syshead.h:524
void do_ifconfig(struct tuntap *tt, const char *ifname, int tun_mtu, const struct env_set *es)
do_ifconfig - configure the tunnel interface
Definition: tun.c:1409
bool block_outside_dns
Definition: options.h:616
uint8_t hmac_length
HMAC length, in bytes.
Definition: crypto.h:142
#define D_INIT_MEDIUM
Definition: errlevel.h:105
struct event_timeout ping_rec_interval
Definition: openvpn.h:299
unsigned int crypto_max_overhead(void)
Return the worst-case OpenVPN crypto overhead (in bytes)
Definition: crypto.c:732
void tls_auth_standalone_finalize(struct tls_auth_standalone *tas, const struct frame *frame)
Definition: ssl.c:1318
bool tls_crypt_v2
Definition: ssl_common.h:308
struct options options
Options loaded from command line or configuration file.
Definition: openvpn.h:502
void platform_nice(int niceval)
Definition: platform.c:156
void plugin_return_get_column(const struct plugin_return *src, struct plugin_return *dest, const char *colname)
Definition: plugin.c:962
struct event_timeout route_wakeup_expire
Definition: openvpn.h:391
#define PAR_NCT
Definition: proxy.h:50
bool mute_replay_warnings
Definition: options.h:497
void test_crypto(struct crypto_options *co, struct frame *frame)
Definition: crypto.c:1090
#define BASE_N_EVENTS
Definition: init.h:33
void tun_standby_init(struct tuntap *tt)
Definition: tun.c:5283
bool show_curves
Definition: options.h:208
void free_buf(struct buffer *buf)
Definition: buffer.c:185
#define D_ROUTE
Definition: errlevel.h:80
bool exit_event_initial_state
Definition: options.h:613
const char * cipher_list
Definition: options.h:516
unsigned int flags
Bit-flags determining behavior of security operation functions.
Definition: crypto.h:257
bool tls_server
Definition: options.h:507
struct link_socket * link_socket_new(void)
Definition: socket.c:1845
static void do_alloc_route_list(struct context *c)
Definition: init.c:1407
static bool management_callback_remote_cmd(void *arg, const char **p)
Definition: init.c:292
void socks_proxy_close(struct socks_proxy_info *sp)
Definition: socks.c:91
char * string_alloc(const char *str, struct gc_arena *gc)
Definition: buffer.c:688
#define CE_MAN_QUERY_REMOTE_MOD
Definition: options.h:128
void init_verb_mute(struct context *c, unsigned int flags)
Definition: init.c:981
struct argv argv_new(void)
Definition: argv.c:52
static bool options_hash_changed_or_zero(const struct sha256_digest *a, const struct sha256_digest *b)
Helper for do_up().
Definition: init.c:2067
static void init_proxy_dowork(struct context *c)
Definition: init.c:574
static void frame_or_align_flags(struct frame *frame, const unsigned int flag_mask)
Definition: mtu.h:316
void prng_init(const char *md_name, const int nonce_secret_len_parm)
Pseudo-random number generator initialisation.
Definition: crypto.c:1707
struct packet_id_persist * pid_persist
Persistent packet ID state for keeping state between successive OpenVPN process startups.
Definition: crypto.h:240
#define SET_MTU_TUN
Definition: mtu.h:220
struct cached_dns_entry * dns_cache
Definition: openvpn.h:162
bool did_open_tun
Definition: openvpn.h:394
unsigned int auth_token_lifetime
Definition: ssl_common.h:324
const char * tls_cert_profile
Definition: options.h:518
int management_log_history_cache
Definition: options.h:369
#define STATUS_OUTPUT_WRITE
Definition: status.h:51
const char * tls_crypt_v2_verify_script
Definition: ssl_common.h:309
struct interval tmp_int
Definition: openvpn.h:351
#define streq(x, y)
Definition: options.h:635
const char * ifconfig_pool_persist_filename
Definition: options.h:418
const char * chroot_dir
Definition: options.h:291
#define P2P_ERROR_DELAY_MS
Definition: errlevel.h:41
void string_clear(char *str)
Definition: buffer.c:731
static void do_inherit_plugins(struct context *c, const struct context *src)
Definition: init.c:3825
static void do_close_event_set(struct context *c)
Definition: init.c:3617
static void do_init_crypto_tls_c1(struct context *c)
Definition: init.c:2622
static void plugin_return_init(struct plugin_return *pr)
Definition: plugin.h:170
bool server_bridge_proxy_dhcp
Definition: options.h:405
#define S_FATAL
Definition: run_command.h:42
const char * dev
Definition: options.h:230
#define WSO_FORCE_SERVICE
Definition: win32.h:164
int ping_rec_timeout_action
Definition: options.h:271
bool do_up(struct context *c, bool pulled_options, unsigned int option_types_found)
Definition: init.c:2077
bool auth_token_generate
Definition: options.h:461
void packet_id_persist_load_obj(const struct packet_id_persist *p, struct packet_id *pid)
Definition: packet_id.c:524
int inetd
Definition: options.h:308
#define D_IMPORT_ERRORS
Definition: errlevel.h:64
void print_default_gateway(const int msglevel, const struct route_gateway_info *rgi, const struct route_ipv6_gateway_info *rgi6)
Definition: route.c:1296
#define M_INFO
Definition: errlevel.h:55
void notnull(const char *arg, const char *description)
Definition: options.c:4178
void tun_abort(void)
Definition: init.c:2047
Contains all state information for one tunnel.
Definition: openvpn.h:500
#define CIPHER_ENABLED(c)
Definition: openvpn.h:569
Packet geometry parameters.
Definition: mtu.h:93
#define SIZE(x)
Definition: basic.h:30
static void do_env_set_destroy(struct context *c)
Definition: init.c:3704
static void do_init_tls_wrap_key(struct context *c)
Definition: init.c:2559
#define PAR_ALL
Definition: proxy.h:49
bool cipher_kt_mode_ofb_cfb(const cipher_kt_t *cipher)
Check if the supplied cipher is a supported OFB or CFB mode cipher.
#define ROUTE_AFTER_TUN
Definition: tun.h:319
struct env_set * es
Set of environment variables.
Definition: openvpn.h:523
#define D_PUSH
Definition: errlevel.h:83
void crypto_read_openvpn_key(const struct key_type *key_type, struct key_ctx_bi *ctx, const char *key_file, const char *key_inline, const int key_direction, const char *key_name, const char *opt_name)
Definition: crypto.c:1178
#define srandom
Definition: syshead.h:44
bool proto_is_udp(int proto)
Definition: socket.c:3174
struct openvpn_plugin_string_list * list[MAX_PLUGINS]
Definition: plugin.h:104
void remap_signal(struct context *c)
Definition: sig.c:374
void tls_crypt_init_key(struct key_ctx_bi *key, const char *key_file, const char *key_inline, bool tls_server)
Initialize a key_ctx_bi structure for use with –tls-crypt.
Definition: tls_crypt.c:81
static void gc_free(struct gc_arena *a)
Definition: buffer.h:1023
void link_socket_init_phase1(struct link_socket *sock, const char *local_host, const char *local_port, const char *remote_host, const char *remote_port, struct cached_dns_entry *dns_cache, int proto, sa_family_t af, bool bind_ipv6_only, int mode, const struct link_socket *accept_from, struct http_proxy_info *http_proxy, struct socks_proxy_info *socks_proxy, bool bind_local, bool remote_float, int inetd, struct link_socket_addr *lsa, const char *ipchange_command, const struct plugin_list *plugins, int resolve_retry_seconds, int mtu_discover_type, int rcvbuf, int sndbuf, int mark, struct event_timeout *server_poll_timeout, unsigned int sockflags)
Definition: socket.c:1856
struct tls_root_ctx ssl_ctx
Definition: ssl_common.h:244
static bool check_debug_level(unsigned int level)
Definition: error.h:245
#define PAYLOAD_ALIGN
Definition: mtu.h:86
static bool management_callback_proxy_cmd(void *arg, const char **p)
Definition: init.c:211
#define OPT_P_PLUGIN
Definition: options.h:664
static void frame_add_to_extra_frame(struct frame *frame, const unsigned int increment)
Definition: mtu.h:274
static int plugin_call(const struct plugin_list *pl, const int type, const struct argv *av, struct plugin_return *pr, struct env_set *es)
Definition: plugin.h:201
void close_context(struct context *c, int sig, unsigned int flags)
Definition: init.c:4553
int script_security(void)
Definition: run_command.c:45
static void do_init_socket_2(struct context *c)
Definition: init.c:3351
bool platform_user_get(const char *username, struct platform_state_user *state)
Definition: platform.c:69
const char * auth_user_pass_verify_script
Definition: ssl_common.h:318
const char * shared_secret_file
Definition: options.h:485
static void packet_id_persist_init(struct packet_id_persist *p)
Definition: openvpn.h:83
union openvpn_sockaddr::@8 addr
void open_tun(const char *dev, const char *dev_type, const char *dev_node, struct tuntap *tt)
Definition: tun.c:5528
#define RH_PORT_LEN
Definition: options.h:176
#define EVENT_METHOD_FAST
Definition: event.h:42
uint32_t peer_id
Definition: options.h:620
#define D_TLS_ERRORS
Definition: errlevel.h:59
#define OPENVPN_PLUGIN_DOWN
void init_management_callback_p2p(struct context *c)
Definition: init.c:3899
struct tls_auth_standalone * tls_auth_standalone
TLS state structure required for the initial authentication of a client&#39;s connection attempt...
Definition: openvpn.h:339
#define OPENVPN_PLUGIN_ROUTE_UP
struct buffer_list * buffer_list_new(const int max_size)
Allocate an empty buffer list of capacity max_size.
Definition: buffer.c:1201
#define IFCONFIG_BEFORE_TUN_OPEN
Definition: tun.h:291
void close_instance(struct context *c)
Definition: init.c:4348
#define ASSERT(x)
Definition: error.h:221
Definition: options.h:86
int renegotiate_seconds
Definition: options.h:564
const char * client_config_dir_exclusive
Definition: ssl_common.h:327
void http_proxy_close(struct http_proxy_info *hp)
Definition: proxy.c:557
static void frame_add_to_extra_link(struct frame *frame, const int increment)
Definition: mtu.h:292
void tls_multi_free(struct tls_multi *multi, bool clear)
Cleanup a tls_multi structure and free associated memory allocations.
Definition: ssl.c:1345
#define OPT_P_IPWIN32
Definition: options.h:643
bool persist_key
Definition: options.h:276
#define SIGUSR1
Definition: config-msvc.h:116
int replay_window
Definition: options.h:498
int persist_mode
Definition: options.h:201
int keysize
Data channel keysize from config file.
Definition: openvpn.h:211
#define SET_MTU_UPPER_BOUND
Definition: mtu.h:221
static void clear_remote_addrlist(struct link_socket_addr *lsa, bool free)
Definition: init.c:412
const char * auth_user_pass_file
Definition: ssl_common.h:321
static void do_signal_on_tls_errors(struct context *c)
Definition: init.c:3752
struct context_buffers * buffers
Definition: openvpn.h:374
int verify_x509_type
Definition: ssl_common.h:282
struct buffer alloc_buf(size_t size)
Definition: buffer.c:64
int connect_retry_seconds
Definition: options.h:99
void setenv_routes_ipv6(struct env_set *es, const struct route_ipv6_list *rl6)
Definition: route.c:1443
void buffer_list_free(struct buffer_list *ol)
Frees a buffer list and all the buffers in it.
Definition: buffer.c:1211
struct event_timeout wait_for_connect
Definition: openvpn.h:297
void add_routes(struct route_list *rl, struct route_ipv6_list *rl6, const struct tuntap *tt, unsigned int flags, const struct env_set *es)
Definition: route.c:1162
int rcvbuf
Definition: options.h:333
const char * crl_file_inline
Definition: options.h:529
#define D_LOG_RW
Definition: errlevel.h:110
struct link_socket_info * link_socket_info
Definition: openvpn.h:254
static void next_connection_entry(struct context *c)
Definition: init.c:426
int handshake_window
Definition: ssl_common.h:273
struct connection_list * connection_list
Definition: options.h:214
const char * guess_tuntap_dev(const char *dev, const char *dev_type, const char *dev_node, struct gc_arena *gc)
Definition: tun.c:283
void buffer_list_aggregate(struct buffer_list *bl, const size_t max)
Aggregates as many buffers as possible from bl in a new buffer of maximum length max_len ...
Definition: buffer.c:1342
#define LS_MODE_DEFAULT
Definition: socket.h:196
struct crypto_options opt
Crypto state.
Definition: ssl_common.h:227
#define RH_HOST_LEN
Definition: options.h:174
const char * exit_event_name
Definition: options.h:612
#define AR_NONE
Definition: options.h:821
void md_ctx_free(md_ctx_t *ctx)
const struct link_socket * accept_from
Definition: openvpn.h:255
bool route_noexec
Definition: options.h:348
unsigned int sockflags
Definition: options.h:340
static void frame_finalize_options(struct context *c, const struct options *o)
Definition: init.c:2427
in_addr_t remote_netmask
Definition: tun.h:153
const char * tls_crypt_file
Definition: options.h:140
void packet_id_persist_close(struct packet_id_persist *p)
Definition: packet_id.c:419
static void do_close_tls(struct context *c)
Definition: init.c:3471
static bool ce_management_query_remote(struct context *c)
Definition: init.c:339
#define M_FATAL
Definition: error.h:94
void add_route_ipv6_to_option_list(struct route_ipv6_option_list *l, const char *prefix, const char *gateway, const char *metric)
Definition: route.c:502
bool buf_printf(struct buffer *buf, const char *format,...)
Definition: buffer.c:245
#define ENABLE_PKCS11
Definition: config-msvc.h:18
const char * route_script
Definition: options.h:343
#define SDL_CONSTRAIN
Definition: error.h:203
const char * tls_crypt_v2_genkey_file
Definition: options.h:593
int management_state_buffer_size
Definition: options.h:371
void do_route(const struct options *options, struct route_list *route_list, struct route_ipv6_list *route_ipv6_list, const struct tuntap *tt, const struct plugin_list *plugins, struct env_set *es)
Definition: init.c:1630
static char * format_hex(const uint8_t *data, int size, int maxoutput, struct gc_arena *gc)
Definition: buffer.h:526
int resolve_retry_seconds
Definition: options.h:282
#define CLEAR(x)
Definition: basic.h:33
#define D_GENKEY
Definition: errlevel.h:79
void setenv_str(struct env_set *es, const char *name, const char *value)
Definition: env_set.c:285
struct link_socket_addr link_socket_addr
Local and remote addresses on the external network.
Definition: openvpn.h:154
#define D_MTU_INFO
Definition: errlevel.h:106
#define D_READ_WRITE
Definition: errlevel.h:161
struct socks_proxy_info * socks_proxy
Definition: openvpn.h:188
#define in_addr_t
Definition: config-msvc.h:104
static int buf_read_u8(struct buffer *buf)
Definition: buffer.h:812
static void do_init_frame(struct context *c)
Definition: init.c:2979
const char * config
Definition: options.h:187
int route_delay
Definition: options.h:349
char * options_string(const struct options *o, const struct frame *frame, struct tuntap *tt, bool remote, struct gc_arena *gc)
Definition: options.c:3548
#define D_RESTART
Definition: errlevel.h:82
struct signal_info * sig
Internal error signaling object.
Definition: openvpn.h:525
#define MAX_PARMS
Definition: options.h:51
const char * port
Definition: proxy.h:46
const char * down_script
Definition: options.h:298
const char * local_port
Definition: options.h:90
void socks_adjust_frame_parameters(struct frame *frame, int proto)
Definition: socks.c:53
const char * route_predown_script
Definition: options.h:344
void open_plugins(struct context *c, const bool import_options, int init_point)
Definition: init.c:3777
const char * ekm_label
Definition: ssl_common.h:365
void post_init_signal_catch(void)
Definition: sig.c:255
bool link_socket_update_flags(struct link_socket *ls, unsigned int sockflags)
Definition: socket.c:971
struct frame frame_initial
Definition: openvpn.h:262
bool down_pre
Definition: options.h:300
int keepalive_timeout
Definition: options.h:259
#define OPT_P_SOCKBUF
Definition: options.h:665
#define OPENVPN_PLUGIN_INIT_POST_DAEMON
#define SIGTERM
Definition: config-msvc.h:118
bool auth_token_generate
Generate auth-tokens on successful user/pass auth, set via options->auth_token_generate.
Definition: ssl_common.h:322
static void do_init_traffic_shaper(struct context *c)
Definition: init.c:1389
#define TLS_MODE(c)
Definition: openvpn.h:561
void init_query_passwords(const struct context *c)
Query for private key and auth-user-pass username/passwords.
Definition: init.c:531
bool push_peer_info
Definition: options.h:601
#define OPT_P_SETENV
Definition: options.h:645
#define CE_MAN_QUERY_PROXY
Definition: options.h:124
#define SIGHUP
Definition: config-msvc.h:114
struct tuntap * tuntap
Tun/tap virtual network interface.
Definition: openvpn.h:167
int renegotiate_seconds_min
Definition: options.h:565
bool management_hold(struct management *man, int holdtime)
Definition: manage.c:3696
#define PING_RESTART
Definition: options.h:270
static void do_init_finalize_tls_frame(struct context *c)
Definition: init.c:2929
int handshake_window
Definition: options.h:569
void init_management(struct context *c)
Definition: init.c:3922
static void do_close_plugins(struct context *c)
Definition: init.c:3814
#define D_SHOW_NET
Definition: errlevel.h:128
static int ifconfig_order(void)
Definition: tun.h:297
struct gc_arena gc
Garbage collection arena for allocations done in the level 2 scope of this context_2 structure...
Definition: openvpn.h:226
char * basename(char *filename)
unsigned int crypto_flags
Definition: ssl_common.h:298
const char * tls_auth_file_inline
Definition: options.h:136
struct key_ctx_bi tls_wrap_key
Definition: openvpn.h:68
#define OPENVPN_PLUGIN_FUNC_SUCCESS
struct remote_host_store * rh_store
Definition: options.h:226
struct tls_session session[TM_SIZE]
Array of tls_session objects representing control channel sessions with the remote peer...
Definition: ssl_common.h:578
int explicit_exit_notification
Definition: options.h:121
void platform_user_set(const struct platform_state_user *state)
Definition: platform.c:91
int status_file_update_freq
Definition: options.h:323
int verify_x509_type
Definition: options.h:521
unsigned int unsuccessful_attempts
Definition: options.h:220
void close_management(void)
Definition: init.c:3982
bool tuntap_owned
Whether the tun/tap interface should be cleaned up when this context is cleaned up.
Definition: openvpn.h:168
const char * config_ciphername
Definition: ssl_common.h:304
const char * prng_hash
Definition: options.h:493
int ping_rec_timeout
Definition: options.h:265
void(* status)(void *arg, const int version, struct status_output *so)
Definition: manage.h:161
#define D_LOW
Definition: errlevel.h:97
bool ifconfig_noexec
Definition: options.h:240
bool fast_io
Definition: options.h:326
int key_direction
Definition: options.h:487
int renegotiate_bytes
Definition: ssl_common.h:275
void status_printf(struct status_output *so, const char *format,...)
Definition: status.c:239
static void update_options_ce_post(struct options *options)
Definition: init.c:190
struct tuntap_options options
Definition: tun.h:144
bool link_mtu_defined
Definition: options.h:112
static struct context * static_context
Definition: init.c:58
char username[USER_PASS_LEN]
Definition: misc.h:74
const char * tls_crypt_v2_inline
Definition: options.h:146
bool init_static(void)
Definition: init.c:725
void platform_mlockall(bool print_msg)
Definition: platform.c:193
#define OCC_MTU_LOAD_INTERVAL_SECONDS
Definition: occ.h:64
void packet_id_free(struct packet_id *p)
Definition: packet_id.c:101
#define CE_MAN_QUERY_REMOTE_SKIP
Definition: options.h:129
struct socks_proxy_info * socks_proxy_new(const char *server, const char *port, const char *authfile)
Definition: socks.c:62
#define MODE_SERVER
Definition: options.h:191
bool use_peer_id
Definition: ssl_common.h:564
struct event_timeout ping_send_interval
Definition: openvpn.h:298
bool route_delay_defined
Definition: options.h:351
void argv_msg(const int msglev, const struct argv *a)
Definition: argv.c:206
#define CM_CHILD_UDP
Definition: openvpn.h:512
bool initialized
Definition: crypto.h:225
bool tls_exit
Definition: options.h:603
#define MF_SERVER
Definition: manage.h:332
bool print_openssl_info(const struct options *options)
Definition: init.c:1014
void restore_signal_state(void)
Definition: sig.c:272
void check_replay_consistency(const struct key_type *kt, bool packet_id)
Definition: crypto.c:1007
#define ALLOC_OBJ_GC(dptr, type, gc)
Definition: buffer.h:1082
void init_tun_post(struct tuntap *tt, const struct frame *frame, const struct tuntap_options *options)
Definition: tun.c:785
int key_direction
Definition: options.h:137
#define PULL_DEFINED(opt)
Definition: options.h:673
char * x509_username_field
Definition: ssl_common.h:291
bool route_nopull
Definition: options.h:355
struct http_proxy_options * init_http_proxy_options_once(struct http_proxy_options **hpo, struct gc_arena *gc)
Definition: proxy.c:48
struct sockaddr_in6 in6
Definition: socket.h:70
list flags
#define TOP_P2P
Definition: proto.h:44
static void do_close_fragment(struct context *c)
Definition: init.c:3583
static void do_uid_gid_chroot(struct context *c, bool no_delay)
Definition: init.c:1183
#define CF_INIT_TLS_AUTH_STANDALONE
Definition: init.c:65
struct event_set * event_set_init(int *maxevents, unsigned int flags)
Definition: event.c:1180
const char * tls_export_cert
Definition: options.h:523
const char * route_default_gateway
Definition: options.h:345
void ifconfig_pool_persist_close(struct ifconfig_pool_persist *persist)
Definition: pool.c:447
struct status_output * status_open(const char *filename, const int refresh_freq, const int msglevel, const struct virtual_output *vout, const unsigned int flags)
Definition: status.c:63
void init_instance_handle_signals(struct context *c, const struct env_set *env, const unsigned int flags)
Definition: init.c:4010
int remap_sigusr1
Definition: options.h:305
#define VERIFY_X509_NONE
Definition: ssl_verify.h:63
void extract_x509_field_test(void)
bool uid_gid_chroot_set
Definition: openvpn.h:137
static bool key_ctx_bi_defined(const struct key_ctx_bi *key)
Definition: crypto.h:516
bool remote_random
Definition: options.h:228
static void frame_add_to_link_mtu(struct frame *frame, const int increment)
Definition: mtu.h:268
bool status_close(struct status_output *so)
Definition: status.c:203
#define LS_MODE_TCP_ACCEPT_FROM
Definition: socket.h:198
struct context_1 c1
Level 1 context.
Definition: openvpn.h:538
void pre_init_signal_catch(void)
Definition: sig.c:239
#define WSO_FORCE_CONSOLE
Definition: win32.h:165
void init_options_dev(struct options *options)
Definition: init.c:1004
struct context_persist persist
Persistent context.
Definition: openvpn.h:535
void prng_uninit(void)
Definition: crypto.c:1726
struct tls_auth_standalone * tls_auth_standalone_init(struct tls_options *tls_options, struct gc_arena *gc)
Definition: ssl.c:1295
bool auth_user_pass_verify_script_via_file
Definition: options.h:460
#define WSO_MODE_CONSOLE
Definition: win32.h:150
const char * tls_verify
Definition: options.h:520
void setenv_routes(struct env_set *es, const struct route_list *rl)
Definition: route.c:1412
struct buffer decrypt_buf
Definition: openvpn.h:98
struct event_timeout inactivity_interval
Definition: openvpn.h:302
size_t ekm_size
Definition: ssl_common.h:367
bool open_management(struct context *c)
Definition: init.c:3931
void packet_id_init(struct packet_id *p, int seq_backtrack, int time_backtrack, const char *name, int unit)
Definition: packet_id.c:78
#define BUF_SIZE(f)
Definition: mtu.h:194
#define X509_USERNAME_FIELD_DEFAULT
Definition: ssl.h:110
void init_ssl(const struct options *options, struct tls_root_ctx *new_ctx)
Build master SSL context object that serves for the whole of OpenVPN instantiation.
Definition: ssl.c:600
void inherit_context_child(struct context *dest, const struct context *src)
Definition: init.c:4428
#define OPT_P_PULL_MODE
Definition: options.h:663
void tls_crypt_v2_init_client_key(struct key_ctx_bi *key, struct buffer *wkc_buf, const char *key_file, const char *key_inline)
Initialize a tls-crypt-v2 client key.
Definition: tls_crypt.c:336
static void save_ncp_options(struct context *c)
Definition: init.c:620
struct frame frame_fragment
Definition: openvpn.h:267
static void management_callback_status_p2p(void *arg, const int version, struct status_output *so)
Definition: init.c:3839
void context_gc_free(struct context *c)
Definition: init.c:686
static void do_open_status_output(struct context *c)
Definition: init.c:3632
void get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6, const struct in6_addr *dest)
Definition: route.c:2810
bool management_open(struct management *man, const char *addr, const char *port, const char *pass_file, const char *client_user, const char *client_group, const int log_history_cache, const int echo_buffer_size, const int state_buffer_size, const char *write_peer_info_file, const int remap_sigusr1, const unsigned int flags)
Definition: manage.c:2579
#define FRAME_HEADROOM_MARKER_FRAGMENT
Definition: mtu.h:130
#define CE_MAN_QUERY_REMOTE_MASK
Definition: options.h:130
static bool addr_defined(const struct openvpn_sockaddr *addr)
Definition: socket.h:631
static struct link_socket_info * get_link_socket_info(struct context *c)
Definition: forward.h:307
interval_t packet_timeout
Definition: ssl_common.h:274
static void do_close_ifconfig_pool_persist(struct context *c)
Definition: init.c:3676
static void do_close_check_if_restart_permitted(struct context *c)
Definition: init.c:3440
const char * config_authname
Definition: ssl_common.h:305
int tun_mtu
Definition: options.h:107
const char * verify_x509_name
Definition: options.h:522
md_ctx_t * pulled_options_state
Definition: openvpn.h:467
void free_context_buffers(struct context_buffers *b)
Definition: init.c:3244
#define SSEC_SCRIPTS
Definition: run_command.h:33
bool do_genkey(const struct options *options)
Definition: init.c:1053
in_addr_t local
Definition: tun.h:152
interval_t renegotiate_seconds
Definition: ssl_common.h:277
const char * socks_proxy_server
Definition: options.h:103
int ns_cert_type
Definition: options.h:534
const char * management_write_peer_info_file
Definition: options.h:372
#define IA_EMPTY_IF_UNDEF
Definition: socket.h:393
#define LS_MODE_TCP_LISTEN
Definition: socket.h:197
int md_kt_size(const md_kt_t *kt)
Returns the size of the message digest, in bytes.
struct plugin_option_list * plugin_list
Definition: options.h:383
void tls_crypt_v2_init_server_key(struct key_ctx *key_ctx, bool encrypt, const char *key_file, const char *key_inline)
Initialize a tls-crypt-v2 server key (used to encrypt/decrypt client keys).
Definition: tls_crypt.c:361
void tls_ctx_free(struct tls_root_ctx *ctx)
Frees the library-specific TLSv1 context.
Definition: ssl_openssl.c:131
int proto
Definition: options.h:88