OpenVPN
init.c
Go to the documentation of this file.
1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single TCP/UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
9  *
10  * This program is free software; you can redistribute it and/or modify
11  * it under the terms of the GNU General Public License version 2
12  * as published by the Free Software Foundation.
13  *
14  * This program is distributed in the hope that it will be useful,
15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17  * GNU General Public License for more details.
18  *
19  * You should have received a copy of the GNU General Public License along
20  * with this program; if not, write to the Free Software Foundation, Inc.,
21  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22  */
23 
24 #ifdef HAVE_CONFIG_H
25 #include "config.h"
26 #elif defined(_MSC_VER)
27 #include "config-msvc.h"
28 #endif
29 
30 #include "syshead.h"
31 
32 #ifdef ENABLE_SYSTEMD
33 #include <systemd/sd-daemon.h>
34 #endif
35 
36 #include "win32.h"
37 #include "init.h"
38 #include "run_command.h"
39 #include "sig.h"
40 #include "occ.h"
41 #include "list.h"
42 #include "otime.h"
43 #include "pool.h"
44 #include "gremlin.h"
45 #include "occ.h"
46 #include "pkcs11.h"
47 #include "ps.h"
48 #include "lladdr.h"
49 #include "ping.h"
50 #include "mstats.h"
51 #include "ssl_verify.h"
52 #include "tls_crypt.h"
53 #include "forward.h"
54 
55 #include "memdbg.h"
56 
57 
58 static struct context *static_context; /* GLOBAL */
59 
60 /*
61  * Crypto initialization flags
62  */
63 #define CF_LOAD_PERSISTED_PACKET_ID (1<<0)
64 #define CF_INIT_TLS_MULTI (1<<1)
65 #define CF_INIT_TLS_AUTH_STANDALONE (1<<2)
66 
67 static void do_init_first_time(struct context *c);
68 
69 void
70 context_clear(struct context *c)
71 {
72  CLEAR(*c);
73 }
74 
75 void
76 context_clear_1(struct context *c)
77 {
78  CLEAR(c->c1);
79 }
80 
81 void
82 context_clear_2(struct context *c)
83 {
84  CLEAR(c->c2);
85 }
86 
87 void
88 context_clear_all_except_first_time(struct context *c)
89 {
90  const bool first_time_save = c->first_time;
91  const struct context_persist cpsave = c->persist;
92  context_clear(c);
93  c->first_time = first_time_save;
94  c->persist = cpsave;
95 }
96 
97 /*
98  * Pass tunnel endpoint and MTU parms to a user-supplied script.
99  * Used to execute the up/down script/plugins.
100  */
101 static void
102 run_up_down(const char *command,
103  const struct plugin_list *plugins,
104  int plugin_type,
105  const char *arg,
106 #ifdef _WIN32
107  DWORD adapter_index,
108 #endif
109  const char *dev_type,
110  int tun_mtu,
111  int link_mtu,
112  const char *ifconfig_local,
113  const char *ifconfig_remote,
114  const char *context,
115  const char *signal_text,
116  const char *script_type,
117  struct env_set *es)
118 {
119  struct gc_arena gc = gc_new();
120 
121  if (signal_text)
122  {
123  setenv_str(es, "signal", signal_text);
124  }
125  setenv_str(es, "script_context", context);
126  setenv_int(es, "tun_mtu", tun_mtu);
127  setenv_int(es, "link_mtu", link_mtu);
128  setenv_str(es, "dev", arg);
129  if (dev_type)
130  {
131  setenv_str(es, "dev_type", dev_type);
132  }
133 #ifdef _WIN32
134  setenv_int(es, "dev_idx", adapter_index);
135 #endif
136 
137  if (!ifconfig_local)
138  {
139  ifconfig_local = "";
140  }
141  if (!ifconfig_remote)
142  {
143  ifconfig_remote = "";
144  }
145  if (!context)
146  {
147  context = "";
148  }
149 
150  if (plugin_defined(plugins, plugin_type))
151  {
152  struct argv argv = argv_new();
153  ASSERT(arg);
154  argv_printf(&argv,
155  "%s %d %d %s %s %s",
156  arg,
157  tun_mtu, link_mtu,
158  ifconfig_local, ifconfig_remote,
159  context);
160 
161  if (plugin_call(plugins, plugin_type, &argv, NULL, es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
162  {
163  msg(M_FATAL, "ERROR: up/down plugin call failed");
164  }
165 
166  argv_reset(&argv);
167  }
168 
169  if (command)
170  {
171  struct argv argv = argv_new();
172  ASSERT(arg);
173  setenv_str(es, "script_type", script_type);
174  argv_parse_cmd(&argv, command);
175  argv_printf_cat(&argv, "%s %d %d %s %s %s", arg, tun_mtu, link_mtu,
176  ifconfig_local, ifconfig_remote, context);
177  argv_msg(M_INFO, &argv);
178  openvpn_run_script(&argv, es, S_FATAL, "--up/--down");
179  argv_reset(&argv);
180  }
181 
182  gc_free(&gc);
183 }
184 
185 /*
186  * Should be called after options->ce is modified at the top
187  * of a SIGUSR1 restart.
188  */
189 static void
190 update_options_ce_post(struct options *options)
191 {
192 #if P2MP
193  /*
194  * In pull mode, we usually import --ping/--ping-restart parameters from
195  * the server. However we should also set an initial default --ping-restart
196  * for the period of time before we pull the --ping-restart parameter
197  * from the server.
198  */
199  if (options->pull
200  && options->ping_rec_timeout_action == PING_UNDEF
201  && proto_is_dgram(options->ce.proto))
202  {
203  options->ping_rec_timeout = PRE_PULL_INITIAL_PING_RESTART;
204  options->ping_rec_timeout_action = PING_RESTART;
205  }
206 #endif
207 }
208 
209 #ifdef ENABLE_MANAGEMENT
210 static bool
211 management_callback_proxy_cmd(void *arg, const char **p)
212 {
213  struct context *c = arg;
214  struct connection_entry *ce = &c->options.ce;
215  struct gc_arena *gc = &c->c2.gc;
216  bool ret = false;
217 
218  update_time();
219  if (streq(p[1], "NONE"))
220  {
221  ret = true;
222  }
223  else if (p[2] && p[3])
224  {
225  if (streq(p[1], "HTTP"))
226  {
227  struct http_proxy_options *ho;
228  if (ce->proto != PROTO_TCP && ce->proto != PROTO_TCP_CLIENT)
229  {
230  msg(M_WARN, "HTTP proxy support only works for TCP based connections");
231  return false;
232  }
233  ho = init_http_proxy_options_once(&ce->http_proxy_options, gc);
234  ho->server = string_alloc(p[2], gc);
235  ho->port = string_alloc(p[3], gc);
236  ho->auth_retry = (p[4] && streq(p[4], "nct") ? PAR_NCT : PAR_ALL);
237  ret = true;
238  }
239  else if (streq(p[1], "SOCKS"))
240  {
241  ce->socks_proxy_server = string_alloc(p[2], gc);
242  ce->socks_proxy_port = string_alloc(p[3], gc);
243  ret = true;
244  }
245  }
246  else
247  {
248  msg(M_WARN, "Bad proxy command");
249  }
250 
251  ce->flags &= ~CE_MAN_QUERY_PROXY;
252 
253  return ret;
254 }
255 
256 static bool
257 ce_management_query_proxy(struct context *c)
258 {
259  const struct connection_list *l = c->options.connection_list;
260  struct connection_entry *ce = &c->options.ce;
261  struct gc_arena gc;
262  bool ret = true;
263 
264  update_time();
265  if (management)
266  {
267  gc = gc_new();
268  {
269  struct buffer out = alloc_buf_gc(256, &gc);
270  buf_printf(&out, ">PROXY:%u,%s,%s", (l ? l->current : 0) + 1,
271  (proto_is_udp(ce->proto) ? "UDP" : "TCP"), np(ce->remote));
272  management_notify_generic(management, BSTR(&out));
273  }
274  ce->flags |= CE_MAN_QUERY_PROXY;
275  while (ce->flags & CE_MAN_QUERY_PROXY)
276  {
277  management_event_loop_n_seconds(management, 1);
278  if (IS_SIG(c))
279  {
280  ret = false;
281  break;
282  }
283  }
284  gc_free(&gc);
285  }
286 
287  return ret;
288 }
289 
290 
291 static bool
292 management_callback_remote_cmd(void *arg, const char **p)
293 {
294  struct context *c = (struct context *) arg;
295  struct connection_entry *ce = &c->options.ce;
296  int ret = false;
297  if (p[1] && ((ce->flags>>CE_MAN_QUERY_REMOTE_SHIFT)&CE_MAN_QUERY_REMOTE_MASK) == CE_MAN_QUERY_REMOTE_QUERY)
298  {
299  int flags = 0;
300  if (!strcmp(p[1], "ACCEPT"))
301  {
302  flags = CE_MAN_QUERY_REMOTE_ACCEPT;
303  ret = true;
304  }
305  else if (!strcmp(p[1], "SKIP"))
306  {
307  flags = CE_MAN_QUERY_REMOTE_SKIP;
308  ret = true;
309  }
310  else if (!strcmp(p[1], "MOD") && p[2] && p[3])
311  {
312  if (strlen(p[2]) < RH_HOST_LEN && strlen(p[3]) < RH_PORT_LEN)
313  {
314  struct remote_host_store *rhs = c->options.rh_store;
315  if (!rhs)
316  {
317  ALLOC_OBJ_CLEAR_GC(rhs, struct remote_host_store, &c->options.gc);
318  c->options.rh_store = rhs;
319  }
320  strncpynt(rhs->host, p[2], RH_HOST_LEN);
321  strncpynt(rhs->port, p[3], RH_PORT_LEN);
322 
323  ce->remote = rhs->host;
324  ce->remote_port = rhs->port;
325  flags = CE_MAN_QUERY_REMOTE_MOD;
326  ret = true;
327  }
328  }
329  if (ret)
330  {
331  ce->flags &= ~(CE_MAN_QUERY_REMOTE_MASK<<CE_MAN_QUERY_REMOTE_SHIFT);
332  ce->flags |= ((flags&CE_MAN_QUERY_REMOTE_MASK)<<CE_MAN_QUERY_REMOTE_SHIFT);
333  }
334  }
335  return ret;
336 }
337 
338 static bool
339 ce_management_query_remote(struct context *c)
340 {
341  struct gc_arena gc = gc_new();
342  volatile struct connection_entry *ce = &c->options.ce;
343  int ce_changed = true; /* presume the connection entry will be changed */
344 
345  update_time();
346  if (management)
347  {
348  struct buffer out = alloc_buf_gc(256, &gc);
349 
350  buf_printf(&out, ">REMOTE:%s,%s,%s", np(ce->remote), ce->remote_port,
351  proto2ascii(ce->proto, ce->af, false));
352  management_notify_generic(management, BSTR(&out));
353 
354  ce->flags &= ~(CE_MAN_QUERY_REMOTE_MASK << CE_MAN_QUERY_REMOTE_SHIFT);
355  ce->flags |= (CE_MAN_QUERY_REMOTE_QUERY << CE_MAN_QUERY_REMOTE_SHIFT);
356  while (((ce->flags >> CE_MAN_QUERY_REMOTE_SHIFT)
357  & CE_MAN_QUERY_REMOTE_MASK) == CE_MAN_QUERY_REMOTE_QUERY)
358  {
359  management_event_loop_n_seconds(management, 1);
360  if (IS_SIG(c))
361  {
362  ce_changed = false; /* connection entry have not been set */
363  break;
364  }
365  }
366  }
367  gc_free(&gc);
368 
369  if (ce_changed)
370  {
371  /* If it is likely a connection entry was modified,
372  * check what changed in the flags and that it was not skipped
373  */
374  const int flags = ((ce->flags >> CE_MAN_QUERY_REMOTE_SHIFT)
375  & CE_MAN_QUERY_REMOTE_MASK);
376  ce_changed = (flags != CE_MAN_QUERY_REMOTE_SKIP);
377  }
378  return ce_changed;
379 }
380 #endif /* ENABLE_MANAGEMENT */
381 
382 /*
383  * Initialize and possibly randomize connection list.
384  */
385 static void
386 init_connection_list(struct context *c)
387 {
388  struct connection_list *l = c->options.connection_list;
389 
390  l->current = -1;
391  if (c->options.remote_random)
392  {
393  int i;
394  for (i = 0; i < l->len; ++i)
395  {
396  const int j = get_random() % l->len;
397  if (i != j)
398  {
399  struct connection_entry *tmp;
400  tmp = l->array[i];
401  l->array[i] = l->array[j];
402  l->array[j] = tmp;
403  }
404  }
405  }
406 }
407 
408 /*
409  * Clear the remote address list
410  */
411 static void
412 clear_remote_addrlist(struct link_socket_addr *lsa, bool free)
413 {
414  if (lsa->remote_list && free)
415  {
416  freeaddrinfo(lsa->remote_list);
417  }
418  lsa->remote_list = NULL;
419  lsa->current_remote = NULL;
420 }
421 
422 /*
423  * Increment to next connection entry
424  */
425 static void
426 next_connection_entry(struct context *c)
427 {
428  struct connection_list *l = c->options.connection_list;
429  bool ce_defined;
430  struct connection_entry *ce;
431  int n_cycles = 0;
432 
433  do
434  {
435  ce_defined = true;
436  if (c->options.no_advance && l->current >= 0)
437  {
438  c->options.no_advance = false;
439  }
440  else
441  {
442  /* Check if there is another resolved address to try for
443  * the current connection */
444  if (c->c1.link_socket_addr.current_remote
445  && c->c1.link_socket_addr.current_remote->ai_next)
446  {
447  c->c1.link_socket_addr.current_remote =
448  c->c1.link_socket_addr.current_remote->ai_next;
449  }
450  else
451  {
452  /* FIXME (schwabe) fix the persist-remote-ip option for real,
453  * this is broken probably ever since connection lists and multiple
454  * remote existed
455  */
456  if (!c->options.persist_remote_ip)
457  {
458  /* close_instance should have cleared the addrinfo objects */
459  ASSERT(c->c1.link_socket_addr.current_remote == NULL);
460  ASSERT(c->c1.link_socket_addr.remote_list == NULL);
461  }
462  else
463  {
464  c->c1.link_socket_addr.current_remote =
465  c->c1.link_socket_addr.remote_list;
466  }
467 
468  /*
469  * Increase the number of connection attempts
470  * If this is connect-retry-max * size(l)
471  * OpenVPN will quit
472  */
473 
474  c->options.unsuccessful_attempts++;
475 
476  if (++l->current >= l->len)
477  {
478 
479  l->current = 0;
480  if (++n_cycles >= 2)
481  {
482  msg(M_FATAL, "No usable connection profiles are present");
483  }
484  }
485  }
486  }
487 
488  ce = l->array[l->current];
489 
490  if (ce->flags & CE_DISABLED)
491  {
492  ce_defined = false;
493  }
494 
495  c->options.ce = *ce;
496 #ifdef ENABLE_MANAGEMENT
497  if (ce_defined && management && management_query_remote_enabled(management))
498  {
499  /* allow management interface to override connection entry details */
500  ce_defined = ce_management_query_remote(c);
501  if (IS_SIG(c))
502  {
503  break;
504  }
505  }
506  else if (ce_defined && management && management_query_proxy_enabled(management))
507  {
508  ce_defined = ce_management_query_proxy(c);
509  if (IS_SIG(c))
510  {
511  break;
512  }
513  }
514 #endif
515  } while (!ce_defined);
516 
517  /* Check if this connection attempt would bring us over the limit */
518  if (c->options.connect_retry_max > 0
519  && c->options.unsuccessful_attempts > (l->len * c->options.connect_retry_max))
520  {
521  msg(M_FATAL, "All connections have been connect-retry-max (%d) times unsuccessful, exiting",
522  c->options.connect_retry_max);
523  }
524  update_options_ce_post(&c->options);
525 }
526 
527 /*
528  * Query for private key and auth-user-pass username/passwords
529  */
530 void
531 init_query_passwords(const struct context *c)
532 {
533  /* Certificate password input */
534  if (c->options.key_pass_file)
535  {
536  pem_password_setup(c->options.key_pass_file);
537  }
538 
539 #if P2MP
540  /* Auth user/pass input */
541  if (c->options.auth_user_pass_file)
542  {
543 #ifdef ENABLE_MANAGEMENT
544  auth_user_pass_setup(c->options.auth_user_pass_file, &c->options.sc_info);
545 #else
546  auth_user_pass_setup(c->options.auth_user_pass_file, NULL);
547 #endif
548  }
549 #endif
550 }
551 
552 /*
553  * Initialize/Uninitialize HTTP or SOCKS proxy
554  */
555 
556 static void
557 uninit_proxy_dowork(struct context *c)
558 {
559  if (c->c1.http_proxy_owned && c->c1.http_proxy)
560  {
561  http_proxy_close(c->c1.http_proxy);
562  c->c1.http_proxy = NULL;
563  c->c1.http_proxy_owned = false;
564  }
565  if (c->c1.socks_proxy_owned && c->c1.socks_proxy)
566  {
567  socks_proxy_close(c->c1.socks_proxy);
568  c->c1.socks_proxy = NULL;
569  c->c1.socks_proxy_owned = false;
570  }
571 }
572 
573 static void
574 init_proxy_dowork(struct context *c)
575 {
576  bool did_http = false;
577 
578  uninit_proxy_dowork(c);
579 
580  if (c->options.ce.http_proxy_options)
581  {
582  /* Possible HTTP proxy user/pass input */
583  c->c1.http_proxy = http_proxy_new(c->options.ce.http_proxy_options);
584  if (c->c1.http_proxy)
585  {
586  did_http = true;
587  c->c1.http_proxy_owned = true;
588  }
589  }
590 
591  if (!did_http && c->options.ce.socks_proxy_server)
592  {
593  c->c1.socks_proxy = socks_proxy_new(c->options.ce.socks_proxy_server,
594  c->options.ce.socks_proxy_port,
595  c->options.ce.socks_proxy_authfile);
596  if (c->c1.socks_proxy)
597  {
598  c->c1.socks_proxy_owned = true;
599  }
600  }
601 }
602 
603 static void
604 init_proxy(struct context *c)
605 {
606  init_proxy_dowork(c);
607 }
608 
609 static void
610 uninit_proxy(struct context *c)
611 {
612  uninit_proxy_dowork(c);
613 }
614 
615 /*
616  * Saves the initial state of NCP-regotiable
617  * options into a storage which persists over SIGUSR1.
618  */
619 static void
620 save_ncp_options(struct context *c)
621 {
622  c->c1.ciphername = c->options.ciphername;
623  c->c1.authname = c->options.authname;
624  c->c1.keysize = c->options.keysize;
625 }
626 
627 /* Restores NCP-negotiable options to original values */
628 static void
629 restore_ncp_options(struct context *c)
630 {
631  c->options.ciphername = c->c1.ciphername;
632  c->options.authname = c->c1.authname;
633  c->options.keysize = c->c1.keysize;
634 }
635 
636 void
637 context_init_1(struct context *c)
638 {
639  context_clear_1(c);
640 
641  packet_id_persist_init(&c->c1.pid_persist);
642 
643  init_connection_list(c);
644 
645  save_ncp_options(c);
646 
647 #if defined(ENABLE_PKCS11)
648  if (c->first_time)
649  {
650  int i;
651  pkcs11_initialize(true, c->options.pkcs11_pin_cache_period);
652  for (i = 0; i<MAX_PARMS && c->options.pkcs11_providers[i] != NULL; i++)
653  {
654  pkcs11_addProvider(c->options.pkcs11_providers[i], c->options.pkcs11_protected_authentication[i],
655  c->options.pkcs11_private_mode[i], c->options.pkcs11_cert_private[i]);
656  }
657  }
658 #endif
659 
660 #if 0 /* test get_user_pass with GET_USER_PASS_NEED_OK flag */
661  {
662  /*
663  * In the management interface, you can okay the request by entering "needok token-insertion-request ok"
664  */
665  struct user_pass up;
666  CLEAR(up);
667  strcpy(up.username, "Please insert your cryptographic token"); /* put the high-level message in up.username */
668  get_user_pass(&up, NULL, "token-insertion-request", GET_USER_PASS_MANAGEMENT|GET_USER_PASS_NEED_OK);
669  msg(M_INFO, "RET:%s", up.password); /* will return the third argument to management interface
670  * 'needok' command, usually 'ok' or 'cancel'. */
671  }
672 #endif
673 
674 #ifdef ENABLE_SYSTEMD
675  /* We can report the PID via getpid() to systemd here as OpenVPN will not
676  * do any fork due to daemon() a future call.
677  * See possibly_become_daemon() [init.c] for more details.
678  */
679  sd_notifyf(0, "READY=1\nSTATUS=Pre-connection initialization successful\nMAINPID=%lu",
680  (unsigned long) getpid());
681 #endif
682 
683 }
684 
685 void
686 context_gc_free(struct context *c)
687 {
688  gc_free(&c->c2.gc);
689  gc_free(&c->options.gc);
690  gc_free(&c->gc);
691 }
692 
693 #if PORT_SHARE
694 
695 static void
696 close_port_share(void)
697 {
698  if (port_share)
699  {
700  port_share_close(port_share);
701  port_share = NULL;
702  }
703 }
704 
705 static void
706 init_port_share(struct context *c)
707 {
708  if (!port_share && (c->options.port_share_host && c->options.port_share_port))
709  {
710  port_share = port_share_open(c->options.port_share_host,
711  c->options.port_share_port,
712  MAX_RW_SIZE_LINK(&c->c2.frame),
713  c->options.port_share_journal_dir);
714  if (port_share == NULL)
715  {
716  msg(M_FATAL, "Fatal error: Port sharing failed");
717  }
718  }
719 }
720 
721 #endif /* if PORT_SHARE */
722 
723 
724 bool
725 init_static(void)
726 {
727  /* configure_path (); */
728 
729 #if defined(DMALLOC)
730  crypto_init_dmalloc();
731 #endif
732 
733 
734  /*
735  * Initialize random number seed. random() is only used
736  * when "weak" random numbers are acceptable.
737  * SSL library routines are always used when cryptographically
738  * strong random numbers are required.
739  */
740  struct timeval tv;
741  if (!gettimeofday(&tv, NULL))
742  {
743  const unsigned int seed = (unsigned int) tv.tv_sec ^ tv.tv_usec;
744  srandom(seed);
745  }
746 
747  error_reset(); /* initialize error.c */
748  reset_check_status(); /* initialize status check code in socket.c */
749 
750 #ifdef _WIN32
751  init_win32();
752 #endif
753 
754 #ifdef OPENVPN_DEBUG_COMMAND_LINE
755  {
756  int i;
757  for (i = 0; i < argc; ++i)
758  {
759  msg(M_INFO, "argv[%d] = '%s'", i, argv[i]);
760  }
761  }
762 #endif
763 
764  update_time();
765 
766  init_ssl_lib();
767 
768  /* init PRNG used for IV generation */
769  /* When forking, copy this to more places in the code to avoid fork
770  * random-state predictability */
771  prng_init(NULL, 0);
772 
773 #ifdef PID_TEST
774  packet_id_interactive_test(); /* test the sequence number code */
775  return false;
776 #endif
777 
778 #ifdef SCHEDULE_TEST
779  schedule_test();
780  return false;
781 #endif
782 
783 #ifdef LIST_TEST
784  list_test();
785  return false;
786 #endif
787 
788 #ifdef IFCONFIG_POOL_TEST
789  ifconfig_pool_test(0x0A010004, 0x0A0100FF);
790  return false;
791 #endif
792 
793 #ifdef CHARACTER_CLASS_DEBUG
794  character_class_debug();
795  return false;
796 #endif
797 
798 #ifdef EXTRACT_X509_FIELD_TEST
799  extract_x509_field_test();
800  return false;
801 #endif
802 
803 #ifdef TIME_TEST
804  time_test();
805  return false;
806 #endif
807 
808 #ifdef TEST_GET_DEFAULT_GATEWAY
809  {
810  struct route_gateway_info rgi;
811  struct route_ipv6_gateway_info rgi6;
812  get_default_gateway(&rgi);
813  get_default_gateway_ipv6(&rgi6, NULL);
814  print_default_gateway(M_INFO, &rgi, &rgi6);
815  return false;
816  }
817 #endif
818 
819 #ifdef GEN_PATH_TEST
820  {
821  struct gc_arena gc = gc_new();
822  const char *fn = gen_path("foo",
823  "bar",
824  &gc);
825  printf("%s\n", fn);
826  gc_free(&gc);
827  }
828  return false;
829 #endif
830 
831 #ifdef STATUS_PRINTF_TEST
832  {
833  struct gc_arena gc = gc_new();
834  const char *tmp_file = platform_create_temp_file("/tmp", "foo", &gc);
835  struct status_output *so = status_open(tmp_file, 0, -1, NULL, STATUS_OUTPUT_WRITE);
836  status_printf(so, "%s", "foo");
837  status_printf(so, "%s", "bar");
838  if (!status_close(so))
839  {
840  msg(M_WARN, "STATUS_PRINTF_TEST: %s: write error", tmp_file);
841  }
842  gc_free(&gc);
843  }
844  return false;
845 #endif
846 
847 #ifdef ARGV_TEST
848  {
849  void argv_test(void);
850 
851  argv_test();
852  return false;
853  }
854 #endif
855 
856 #ifdef PRNG_TEST
857  {
858  struct gc_arena gc = gc_new();
859  uint8_t rndbuf[8];
860  int i;
861  prng_init("sha1", 16);
862  /*prng_init (NULL, 0);*/
863  const int factor = 1;
864  for (i = 0; i < factor * 8; ++i)
865  {
866 #if 1
867  prng_bytes(rndbuf, sizeof(rndbuf));
868 #else
869  ASSERT(rand_bytes(rndbuf, sizeof(rndbuf)));
870 #endif
871  printf("[%d] %s\n", i, format_hex(rndbuf, sizeof(rndbuf), 0, &gc));
872  }
873  gc_free(&gc);
874  prng_uninit();
875  return false;
876  }
877 #endif /* ifdef PRNG_TEST */
878 
879 #ifdef BUFFER_LIST_AGGREGATE_TEST
880  /* test buffer_list_aggregate function */
881  {
882  static const char *text[] = {
883  "It was a bright cold day in April, ",
884  "and the clocks were striking ",
885  "thirteen. ",
886  "Winston Smith, ",
887  "his chin nuzzled into his breast in an ",
888  "effort to escape the vile wind, ",
889  "slipped quickly through the glass doors ",
890  "of Victory Mansions, though not quickly ",
891  "enough to prevent a swirl of gritty dust from ",
892  "entering along with him."
893  };
894 
895  int iter, listcap;
896  for (listcap = 0; listcap < 12; ++listcap)
897  {
898  for (iter = 0; iter < 512; ++iter)
899  {
900  struct buffer_list *bl = buffer_list_new(listcap);
901  {
902  int i;
903  for (i = 0; i < SIZE(text); ++i)
904  {
905  buffer_list_push(bl, (unsigned char *)text[i]);
906  }
907  }
908  printf("[cap=%d i=%d] *************************\n", listcap, iter);
909  if (!(iter & 8))
910  {
911  buffer_list_aggregate(bl, iter/2);
912  }
913  if (!(iter & 16))
914  {
915  buffer_list_push(bl, (unsigned char *)"Even more text...");
916  }
917  buffer_list_aggregate(bl, iter);
918  if (!(iter & 1))
919  {
920  buffer_list_push(bl, (unsigned char *)"More text...");
921  }
922  {
923  struct buffer *buf;
924  while ((buf = buffer_list_peek(bl)))
925  {
926  int c;
927  printf("'");
928  while ((c = buf_read_u8(buf)) >= 0)
929  {
930  putchar(c);
931  }
932  printf("'\n");
933  buffer_list_advance(bl, 0);
934  }
935  }
936  buffer_list_free(bl);
937  }
938  }
939  return false;
940  }
941 #endif /* ifdef BUFFER_LIST_AGGREGATE_TEST */
942 
943 #ifdef MSTATS_TEST
944  {
945  int i;
946  mstats_open("/dev/shm/mstats.dat");
947  for (i = 0; i < 30; ++i)
948  {
949  mmap_stats->n_clients += 1;
950  mmap_stats->link_write_bytes += 8;
951  mmap_stats->link_read_bytes += 16;
952  sleep(1);
953  }
954  mstats_close();
955  return false;
956  }
957 #endif
958 
959  return true;
960 }
961 
962 void
963 uninit_static(void)
964 {
965  free_ssl_lib();
966 
967 #ifdef ENABLE_PKCS11
968  pkcs11_terminate();
969 #endif
970 
971 #if PORT_SHARE
972  close_port_share();
973 #endif
974 
975 #if defined(MEASURE_TLS_HANDSHAKE_STATS)
976  show_tls_performance_stats();
977 #endif
978 }
979 
980 void
981 init_verb_mute(struct context *c, unsigned int flags)
982 {
983  if (flags & IVM_LEVEL_1)
984  {
985  /* set verbosity and mute levels */
986  set_check_status(D_LINK_ERRORS, D_READ_WRITE);
987  set_debug_level(c->options.verbosity, SDL_CONSTRAIN);
988  set_mute_cutoff(c->options.mute);
989  }
990 
991  /* special D_LOG_RW mode */
992  if (flags & IVM_LEVEL_2)
993  {
994  c->c2.log_rw = (check_debug_level(D_LOG_RW) && !check_debug_level(D_LOG_RW + 1));
995  }
996 }
997 
998 /*
999  * Possibly set --dev based on --dev-node.
1000  * For example, if --dev-node /tmp/foo/tun, and --dev undefined,
1001  * set --dev to tun.
1002  */
1003 void
1004 init_options_dev(struct options *options)
1005 {
1006  if (!options->dev && options->dev_node)
1007  {
1008  char *dev_node = string_alloc(options->dev_node, NULL); /* POSIX basename() implementations may modify its arguments */
1009  options->dev = basename(dev_node);
1010  }
1011 }
1012 
1013 bool
1014 print_openssl_info(const struct options *options)
1015 {
1016  /*
1017  * OpenSSL info print mode?
1018  */
1019  if (options->show_ciphers || options->show_digests || options->show_engines
1020  || options->show_tls_ciphers || options->show_curves)
1021  {
1022  if (options->show_ciphers)
1023  {
1024  show_available_ciphers();
1025  }
1026  if (options->show_digests)
1027  {
1028  show_available_digests();
1029  }
1030  if (options->show_engines)
1031  {
1032  show_available_engines();
1033  }
1034  if (options->show_tls_ciphers)
1035  {
1036  show_available_tls_ciphers(options->cipher_list,
1037  options->cipher_list_tls13,
1038  options->tls_cert_profile);
1039  }
1040  if (options->show_curves)
1041  {
1042  show_available_curves();
1043  }
1044  return true;
1045  }
1046  return false;
1047 }
1048 
1049 /*
1050  * Static pre-shared key generation mode?
1051  */
1052 bool
1053 do_genkey(const struct options *options)
1054 {
1055  /* should we disable paging? */
1056  if (options->mlock && (options->genkey || options->tls_crypt_v2_genkey_file))
1057  {
1058  platform_mlockall(true);
1059  }
1060  if (options->genkey)
1061  {
1062  int nbits_written;
1063 
1064  notnull(options->shared_secret_file,
1065  "shared secret output file (--secret)");
1066 
1067  nbits_written = write_key_file(2, options->shared_secret_file);
1068  if (nbits_written < 0)
1069  {
1070  msg(M_FATAL, "Failed to write key file");
1071  }
1072 
1073  msg(D_GENKEY | M_NOPREFIX,
1074  "Randomly generated %d bit key written to %s", nbits_written,
1075  options->shared_secret_file);
1076  return true;
1077  }
1078  if (options->tls_crypt_v2_genkey_type)
1079  {
1080  if (!strcmp(options->tls_crypt_v2_genkey_type, "server"))
1081  {
1082  tls_crypt_v2_write_server_key_file(options->tls_crypt_v2_genkey_file);
1083  return true;
1084  }
1085  if (options->tls_crypt_v2_genkey_type
1086  && !strcmp(options->tls_crypt_v2_genkey_type, "client"))
1087  {
1088  if (!options->tls_crypt_v2_file)
1089  {
1090  msg(M_USAGE, "--tls-crypt-v2-genkey requires a server key to be set via --tls-crypt-v2 to create a client key");
1091  }
1092 
1093  tls_crypt_v2_write_client_key_file(options->tls_crypt_v2_genkey_file,
1094  options->tls_crypt_v2_metadata, options->tls_crypt_v2_file,
1095  options->tls_crypt_v2_inline);
1096  return true;
1097  }
1098 
1099  msg(M_USAGE, "--tls-crypt-v2-genkey type should be \"client\" or \"server\"");
1100  }
1101  return false;
1102 }
1103 
1104 /*
1105  * Persistent TUN/TAP device management mode?
1106  */
1107 bool
1108 do_persist_tuntap(const struct options *options, openvpn_net_ctx_t *ctx)
1109 {
1110  if (options->persist_config)
1111  {
1112  /* sanity check on options for --mktun or --rmtun */
1113  notnull(options->dev, "TUN/TAP device (--dev)");
1114  if (options->ce.remote || options->ifconfig_local
1115  || options->ifconfig_remote_netmask
1116  || options->shared_secret_file
1117  || options->tls_server || options->tls_client
1118  )
1119  {
1120  msg(M_FATAL|M_OPTERR,
1121  "options --mktun or --rmtun should only be used together with --dev");
1122  }
1123 #ifdef ENABLE_FEATURE_TUN_PERSIST
1124  tuncfg(options->dev, options->dev_type, options->dev_node,
1125  options->persist_mode,
1126  options->username, options->groupname, &options->tuntap_options,
1127  ctx);
1128  if (options->persist_mode && options->lladdr)
1129  {
1130  set_lladdr(options->dev, options->lladdr, NULL);
1131  }
1132  return true;
1133 #else /* ifdef ENABLE_FEATURE_TUN_PERSIST */
1134  msg( M_FATAL|M_OPTERR,
1135  "options --mktun and --rmtun are not available on your operating "
1136  "system. Please check 'man tun' (or 'tap'), whether your system "
1137  "supports using 'ifconfig %s create' / 'destroy' to create/remove "
1138  "persistent tunnel interfaces.", options->dev );
1139 #endif
1140  }
1141  return false;
1142 }
1143 
1144 /*
1145  * Should we become a daemon?
1146  * Return true if we did it.
1147  */
1148 bool
1149 possibly_become_daemon(const struct options *options)
1150 {
1151  bool ret = false;
1152 
1153 #ifdef ENABLE_SYSTEMD
1154  /* return without forking if we are running from systemd */
1155  if (sd_notify(0, "READY=0") > 0)
1156  {
1157  return ret;
1158  }
1159 #endif
1160 
1161  if (options->daemon)
1162  {
1163  ASSERT(!options->inetd);
1164  /* Don't chdir immediately, but the end of the init sequence, if needed */
1165  if (daemon(1, options->log) < 0)
1166  {
1167  msg(M_ERR, "daemon() failed or unsupported");
1168  }
1169  restore_signal_state();
1170  if (options->log)
1171  {
1172  set_std_files_to_null(true);
1173  }
1174 
1175  ret = true;
1176  }
1177  return ret;
1178 }
1179 
1180 /*
1181  * Actually do UID/GID downgrade, chroot and SELinux context switching, if requested.
1182  */
1183 static void
1184 do_uid_gid_chroot(struct context *c, bool no_delay)
1185 {
1186  static const char why_not[] = "will be delayed because of --client, --pull, or --up-delay";
1187  struct context_0 *c0 = c->c0;
1188 
1189  if (c0 && !c0->uid_gid_chroot_set)
1190  {
1191  /* chroot if requested */
1192  if (c->options.chroot_dir)
1193  {
1194  if (no_delay)
1195  {
1196  platform_chroot(c->options.chroot_dir);
1197  }
1198  else if (c->first_time)
1199  {
1200  msg(M_INFO, "NOTE: chroot %s", why_not);
1201  }
1202  }
1203 
1204  /* set user and/or group if we want to setuid/setgid */
1205  if (c0->uid_gid_specified)
1206  {
1207  if (no_delay)
1208  {
1209  platform_group_set(&c0->platform_state_group);
1210  platform_user_set(&c0->platform_state_user);
1211  }
1212  else if (c->first_time)
1213  {
1214  msg(M_INFO, "NOTE: UID/GID downgrade %s", why_not);
1215  }
1216  }
1217 
1218 #ifdef ENABLE_MEMSTATS
1219  if (c->first_time && c->options.memstats_fn)
1220  {
1221  mstats_open(c->options.memstats_fn);
1222  }
1223 #endif
1224 
1225 #ifdef ENABLE_SELINUX
1226  /* Apply a SELinux context in order to restrict what OpenVPN can do
1227  * to _only_ what it is supposed to do after initialization is complete
1228  * (basically just network I/O operations). Doing it after chroot
1229  * requires /proc to be mounted in the chroot (which is annoying indeed
1230  * but doing it before requires more complex SELinux policies.
1231  */
1232  if (c->options.selinux_context)
1233  {
1234  if (no_delay)
1235  {
1236  if (-1 == setcon(c->options.selinux_context))
1237  {
1238  msg(M_ERR, "setcon to '%s' failed; is /proc accessible?", c->options.selinux_context);
1239  }
1240  else
1241  {
1242  msg(M_INFO, "setcon to '%s' succeeded", c->options.selinux_context);
1243  }
1244  }
1245  else if (c->first_time)
1246  {
1247  msg(M_INFO, "NOTE: setcon %s", why_not);
1248  }
1249  }
1250 #endif
1251 
1252  /* Privileges are going to be dropped by now (if requested), be sure
1253  * to prevent any future privilege dropping attempts from now on.
1254  */
1255  if (no_delay)
1256  {
1257  c0->uid_gid_chroot_set = true;
1258  }
1259  }
1260 }
1261 
1262 /*
1263  * Return common name in a way that is formatted for
1264  * prepending to msg() output.
1265  */
1266 const char *
1267 format_common_name(struct context *c, struct gc_arena *gc)
1268 {
1269  struct buffer out = alloc_buf_gc(256, gc);
1270  if (c->c2.tls_multi)
1271  {
1272  buf_printf(&out, "[%s] ", tls_common_name(c->c2.tls_multi, false));
1273  }
1274  return BSTR(&out);
1275 }
1276 
1277 void
1278 pre_setup(const struct options *options)
1279 {
1280 #ifdef _WIN32
1281  if (options->exit_event_name)
1282  {
1283  win32_signal_open(&win32_signal,
1284  WSO_FORCE_SERVICE,
1285  options->exit_event_name,
1286  options->exit_event_initial_state);
1287  }
1288  else
1289  {
1290  win32_signal_open(&win32_signal,
1291  WSO_FORCE_CONSOLE,
1292  NULL,
1293  false);
1294 
1295  /* put a title on the top window bar */
1296  if (win32_signal.mode == WSO_MODE_CONSOLE)
1297  {
1298  window_title_save(&window_title);
1299  window_title_generate(options->config);
1300  }
1301  }
1302 #endif /* ifdef _WIN32 */
1303 }
1304 
1305 void
1306 reset_coarse_timers(struct context *c)
1307 {
1308  c->c2.coarse_timer_wakeup = 0;
1309 }
1310 
1311 /*
1312  * Initialise the server poll timeout timer
1313  * This timer is used in the http/socks proxy setup so it needs to be setup
1314  * before
1315  */
1316 static void
1317 do_init_server_poll_timeout(struct context *c)
1318 {
1319  update_time();
1320  if (c->options.ce.connect_timeout)
1321  {
1322  event_timeout_init(&c->c2.server_poll_interval, c->options.ce.connect_timeout, now);
1323  }
1324 }
1325 
1326 /*
1327  * Initialize timers
1328  */
1329 static void
1330 do_init_timers(struct context *c, bool deferred)
1331 {
1332  update_time();
1333  reset_coarse_timers(c);
1334 
1335  /* initialize inactivity timeout */
1336  if (c->options.inactivity_timeout)
1337  {
1338  event_timeout_init(&c->c2.inactivity_interval, c->options.inactivity_timeout, now);
1339  }
1340 
1341  /* initialize pings */
1342 
1343  if (c->options.ping_send_timeout)
1344  {
1345  event_timeout_init(&c->c2.ping_send_interval, c->options.ping_send_timeout, 0);
1346  }
1347 
1348  if (c->options.ping_rec_timeout)
1349  {
1350  event_timeout_init(&c->c2.ping_rec_interval, c->options.ping_rec_timeout, now);
1351  }
1352 
1353  if (!deferred)
1354  {
1355  /* initialize connection establishment timer */
1356  event_timeout_init(&c->c2.wait_for_connect, 1, now);
1357 
1358 #ifdef ENABLE_OCC
1359  /* initialize occ timers */
1360 
1361  if (c->options.occ
1362  && !TLS_MODE(c)
1363  && c->c2.options_string_local && c->c2.options_string_remote)
1364  {
1365  event_timeout_init(&c->c2.occ_interval, OCC_INTERVAL_SECONDS, now);
1366  }
1367 
1368  if (c->options.mtu_test)
1369  {
1370  event_timeout_init(&c->c2.occ_mtu_load_test_interval, OCC_MTU_LOAD_INTERVAL_SECONDS, now);
1371  }
1372 #endif
1373 
1374  /* initialize packet_id persistence timer */
1375  if (c->options.packet_id_file)
1376  {
1377  event_timeout_init(&c->c2.packet_id_persist_interval, 60, now);
1378  }
1379 
1380  /* initialize tmp_int optimization that limits the number of times we call
1381  * tls_multi_process in the main event loop */
1382  interval_init(&c->c2.tmp_int, TLS_MULTI_HORIZON, TLS_MULTI_REFRESH);
1383  }
1384 }
1385 
1386 /*
1387  * Initialize traffic shaper.
1388  */
1389 static void
1390 do_init_traffic_shaper(struct context *c)
1391 {
1392 #ifdef ENABLE_FEATURE_SHAPER
1393  /* initialize traffic shaper (i.e. transmit bandwidth limiter) */
1394  if (c->options.shaper)
1395  {
1396  shaper_init(&c->c2.shaper, c->options.shaper);
1397  shaper_msg(&c->c2.shaper);
1398  }
1399 #endif
1400 }
1401 
1402 /*
1403  * Allocate route list structures for IPv4 and IPv6
1404  * (we do this for IPv4 even if no --route option has been seen, as other
1405  * parts of OpenVPN might want to fill the route-list with info, e.g. DHCP)
1406  */
1407 static void
1408 do_alloc_route_list(struct context *c)
1409 {
1410  if (!c->c1.route_list)
1411  {
1412  ALLOC_OBJ_CLEAR_GC(c->c1.route_list, struct route_list, &c->gc);
1413  }
1414  if (c->options.routes_ipv6 && !c->c1.route_ipv6_list)
1415  {
1416  ALLOC_OBJ_CLEAR_GC(c->c1.route_ipv6_list, struct route_ipv6_list, &c->gc);
1417  }
1418 }
1419 
1420 
1421 /*
1422  * Initialize the route list, resolving any DNS names in route
1423  * options and saving routes in the environment.
1424  */
1425 static void
1426 do_init_route_list(const struct options *options,
1427  struct route_list *route_list,
1428  const struct link_socket_info *link_socket_info,
1429  struct env_set *es,
1430  openvpn_net_ctx_t *ctx)
1431 {
1432  const char *gw = NULL;
1433  int dev = dev_type_enum(options->dev, options->dev_type);
1434  int metric = 0;
1435 
1436  if (dev == DEV_TYPE_TUN && (options->topology == TOP_NET30 || options->topology == TOP_P2P))
1437  {
1438  gw = options->ifconfig_remote_netmask;
1439  }
1440  if (options->route_default_gateway)
1441  {
1442  gw = options->route_default_gateway;
1443  }
1444  if (options->route_default_metric)
1445  {
1446  metric = options->route_default_metric;
1447  }
1448 
1449  if (init_route_list(route_list,
1450  options->routes,
1451  gw,
1452  metric,
1453  link_socket_current_remote(link_socket_info),
1454  es,
1455  ctx))
1456  {
1457  /* copy routes to environment */
1458  setenv_routes(es, route_list);
1459  }
1460 }
1461 
1462 static void
1463 do_init_route_ipv6_list(const struct options *options,
1464  struct route_ipv6_list *route_ipv6_list,
1465  const struct link_socket_info *link_socket_info,
1466  struct env_set *es)
1467 {
1468  const char *gw = NULL;
1469  int metric = -1; /* no metric set */
1470 
1471  gw = options->ifconfig_ipv6_remote; /* default GW = remote end */
1472  if (options->route_ipv6_default_gateway)
1473  {
1474  gw = options->route_ipv6_default_gateway;
1475  }
1476 
1477  if (options->route_default_metric)
1478  {
1479  metric = options->route_default_metric;
1480  }
1481 
1482  /* redirect (IPv6) gateway to VPN? if yes, add a few more specifics
1483  */
1484  if (options->routes_ipv6->flags & RG_REROUTE_GW)
1485  {
1486  char *opt_list[] = { "::/3", "2000::/4", "3000::/4", "fc00::/7", NULL };
1487  int i;
1488 
1489  for (i = 0; opt_list[i]; i++)
1490  {
1491  add_route_ipv6_to_option_list( options->routes_ipv6,
1492  string_alloc(opt_list[i], options->routes_ipv6->gc),
1493  NULL, NULL );
1494  }
1495  }
1496 
1497  if (init_route_ipv6_list(route_ipv6_list,
1498  options->routes_ipv6,
1499  gw,
1500  metric,
1501  link_socket_current_remote_ipv6(link_socket_info),
1502  es))
1503  {
1504  /* copy routes to environment */
1505  setenv_routes_ipv6(es, route_ipv6_list);
1506  }
1507 }
1508 
1509 
1510 /*
1511  * Called after all initialization has been completed.
1512  */
1513 void
1514 initialization_sequence_completed(struct context *c, const unsigned int flags)
1515 {
1516  static const char message[] = "Initialization Sequence Completed";
1517 
1518  /* Reset the unsuccessful connection counter on complete initialisation */
1519  c->options.unsuccessful_attempts = 0;
1520 
1521  /* If we delayed UID/GID downgrade or chroot, do it now */
1522  do_uid_gid_chroot(c, true);
1523 
1524 
1525  /*
1526  * In some cases (i.e. when receiving auth-token via
1527  * push-reply) the auth-nocache option configured on the
1528  * client is overridden; for this reason we have to wait
1529  * for the push-reply message before attempting to wipe
1530  * the user/pass entered by the user
1531  */
1532  if (c->options.mode == MODE_POINT_TO_POINT)
1533  {
1534  delayed_auth_pass_purge();
1535  }
1536 
1537  /* Test if errors */
1538  if (flags & ISC_ERRORS)
1539  {
1540 #ifdef _WIN32
1541  show_routes(M_INFO|M_NOPREFIX);
1542  show_adapters(M_INFO|M_NOPREFIX);
1543  msg(M_INFO, "%s With Errors ( see http://openvpn.net/faq.html#dhcpclientserv )", message);
1544 #else
1545 #ifdef ENABLE_SYSTEMD
1546  sd_notifyf(0, "STATUS=Failed to start up: %s With Errors\nERRNO=1", message);
1547 #endif /* HAVE_SYSTEMD_SD_DAEMON_H */
1548  msg(M_INFO, "%s With Errors", message);
1549 #endif
1550  }
1551  else
1552  {
1553 #ifdef ENABLE_SYSTEMD
1554  sd_notifyf(0, "STATUS=%s", message);
1555 #endif
1556  msg(M_INFO, "%s", message);
1557  }
1558 
1559  /* Flag that we initialized */
1560  if ((flags & (ISC_ERRORS|ISC_SERVER)) == 0)
1561  {
1562  c->options.no_advance = true;
1563  }
1564 
1565 #ifdef _WIN32
1566  fork_register_dns_action(c->c1.tuntap);
1567 #endif
1568 
1569 #ifdef ENABLE_MANAGEMENT
1570  /* Tell management interface that we initialized */
1571  if (management)
1572  {
1573  in_addr_t *tun_local = NULL;
1574  struct in6_addr *tun_local6 = NULL;
1575  struct openvpn_sockaddr local, remote;
1576  struct link_socket_actual *actual;
1577  socklen_t sa_len = sizeof(local);
1578  const char *detail = "SUCCESS";
1579  if (flags & ISC_ERRORS)
1580  {
1581  detail = "ERROR";
1582  }
1583 
1584  CLEAR(local);
1585  actual = &get_link_socket_info(c)->lsa->actual;
1586  remote = actual->dest;
1587  getsockname(c->c2.link_socket->sd, &local.addr.sa, &sa_len);
1588 #if ENABLE_IP_PKTINFO
1589  if (!addr_defined(&local))
1590  {
1591  switch (local.addr.sa.sa_family)
1592  {
1593  case AF_INET:
1594 #if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST)
1595  local.addr.in4.sin_addr = actual->pi.in4.ipi_spec_dst;
1596 #else
1597  local.addr.in4.sin_addr = actual->pi.in4;
1598 #endif
1599  break;
1600 
1601  case AF_INET6:
1602  local.addr.in6.sin6_addr = actual->pi.in6.ipi6_addr;
1603  break;
1604  }
1605  }
1606 #endif
1607 
1608  if (c->c1.tuntap)
1609  {
1610  tun_local = &c->c1.tuntap->local;
1611  tun_local6 = &c->c1.tuntap->local_ipv6;
1612  }
1613  management_set_state(management,
1614  OPENVPN_STATE_CONNECTED,
1615  detail,
1616  tun_local,
1617  tun_local6,
1618  &local,
1619  &remote);
1620  if (tun_local)
1621  {
1622  management_post_tunnel_open(management, *tun_local);
1623  }
1624  }
1625 #endif /* ifdef ENABLE_MANAGEMENT */
1626 }
1627 
1628 /*
1629  * Possibly add routes and/or call route-up script
1630  * based on options.
1631  */
1632 void
1633 do_route(const struct options *options,
1634  struct route_list *route_list,
1635  struct route_ipv6_list *route_ipv6_list,
1636  const struct tuntap *tt,
1637  const struct plugin_list *plugins,
1638  struct env_set *es,
1639  openvpn_net_ctx_t *ctx)
1640 {
1641  if (!options->route_noexec && ( route_list || route_ipv6_list ) )
1642  {
1643  add_routes(route_list, route_ipv6_list, tt, ROUTE_OPTION_FLAGS(options),
1644  es, ctx);
1645  setenv_int(es, "redirect_gateway", route_did_redirect_default_gateway(route_list));
1646  }
1647 #ifdef ENABLE_MANAGEMENT
1648  if (management)
1649  {
1650  management_up_down(management, "UP", es);
1651  }
1652 #endif
1653 
1654  if (plugin_defined(plugins, OPENVPN_PLUGIN_ROUTE_UP))
1655  {
1656  if (plugin_call(plugins, OPENVPN_PLUGIN_ROUTE_UP, NULL, NULL, es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
1657  {
1658  msg(M_WARN, "WARNING: route-up plugin call failed");
1659  }
1660  }
1661 
1662  if (options->route_script)
1663  {
1664  struct argv argv = argv_new();
1665  setenv_str(es, "script_type", "route-up");
1666  argv_parse_cmd(&argv, options->route_script);
1667  openvpn_run_script(&argv, es, 0, "--route-up");
1668  argv_reset(&argv);
1669  }
1670 
1671 #ifdef _WIN32
1672  if (options->show_net_up)
1673  {
1674  show_routes(M_INFO|M_NOPREFIX);
1675  show_adapters(M_INFO|M_NOPREFIX);
1676  }
1677  else if (check_debug_level(D_SHOW_NET))
1678  {
1679  show_routes(D_SHOW_NET|M_NOPREFIX);
1680  show_adapters(D_SHOW_NET|M_NOPREFIX);
1681  }
1682 #endif
1683 }
1684 
1685 /*
1686  * initialize tun/tap device object
1687  */
1688 static void
1689 do_init_tun(struct context *c)
1690 {
1691  c->c1.tuntap = init_tun(c->options.dev,
1692  c->options.dev_type,
1693  c->options.topology,
1694  c->options.ifconfig_local,
1695  c->options.ifconfig_remote_netmask,
1696  c->options.ifconfig_ipv6_local,
1697  c->options.ifconfig_ipv6_netbits,
1698  c->options.ifconfig_ipv6_remote,
1699  c->c1.link_socket_addr.bind_local,
1700  c->c1.link_socket_addr.remote_list,
1701  !c->options.ifconfig_nowarn,
1702  c->c2.es,
1703  &c->net_ctx);
1704 
1705  init_tun_post(c->c1.tuntap,
1706  &c->c2.frame,
1707  &c->options.tuntap_options);
1708 
1709  c->c1.tuntap_owned = true;
1710 }
1711 
1712 /*
1713  * Open tun/tap device, ifconfig, call up script, etc.
1714  */
1715 
1716 static bool
1717 do_open_tun(struct context *c)
1718 {
1719  struct gc_arena gc = gc_new();
1720  bool ret = false;
1721 
1722 #ifndef TARGET_ANDROID
1723  if (!c->c1.tuntap)
1724  {
1725 #endif
1726 
1727 #ifdef TARGET_ANDROID
1728  /* If we emulate persist-tun on android we still have to open a new tun and
1729  * then close the old */
1730  int oldtunfd = -1;
1731  if (c->c1.tuntap)
1732  {
1733  oldtunfd = c->c1.tuntap->fd;
1734  free(c->c1.tuntap);
1735  c->c1.tuntap = NULL;
1736  c->c1.tuntap_owned = false;
1737  }
1738 #endif
1739 
1740  /* initialize (but do not open) tun/tap object */
1741  do_init_tun(c);
1742 
1743 #ifdef _WIN32
1744  /* store (hide) interactive service handle in tuntap_options */
1745  c->c1.tuntap->options.msg_channel = c->options.msg_channel;
1746  msg(D_ROUTE, "interactive service msg_channel=%u", (unsigned int) c->options.msg_channel);
1747 #endif
1748 
1749  /* allocate route list structure */
1750  do_alloc_route_list(c);
1751 
1752  /* parse and resolve the route option list */
1753  ASSERT(c->c2.link_socket);
1754  if (c->options.routes && c->c1.route_list)
1755  {
1756  do_init_route_list(&c->options, c->c1.route_list,
1757  &c->c2.link_socket->info, c->c2.es, &c->net_ctx);
1758  }
1759  if (c->options.routes_ipv6 && c->c1.route_ipv6_list)
1760  {
1761  do_init_route_ipv6_list(&c->options, c->c1.route_ipv6_list,
1762  &c->c2.link_socket->info, c->c2.es);
1763  }
1764 
1765  /* do ifconfig */
1766  if (!c->options.ifconfig_noexec
1767  && ifconfig_order() == IFCONFIG_BEFORE_TUN_OPEN)
1768  {
1769  /* guess actual tun/tap unit number that will be returned
1770  * by open_tun */
1771  const char *guess = guess_tuntap_dev(c->options.dev,
1772  c->options.dev_type,
1773  c->options.dev_node,
1774  &gc);
1775  do_ifconfig(c->c1.tuntap, guess, TUN_MTU_SIZE(&c->c2.frame), c->c2.es,
1776  &c->net_ctx);
1777  }
1778 
1779  /* possibly add routes */
1780  if (route_order() == ROUTE_BEFORE_TUN)
1781  {
1782  /* Ignore route_delay, would cause ROUTE_BEFORE_TUN to be ignored */
1783  do_route(&c->options, c->c1.route_list, c->c1.route_ipv6_list,
1784  c->c1.tuntap, c->plugins, c->c2.es, &c->net_ctx);
1785  }
1786 #ifdef TARGET_ANDROID
1787  /* Store the old fd inside the fd so open_tun can use it */
1788  c->c1.tuntap->fd = oldtunfd;
1789 #endif
1790  /* open the tun device */
1791  open_tun(c->options.dev, c->options.dev_type, c->options.dev_node,
1792  c->c1.tuntap);
1793 
1794  /* set the hardware address */
1795  if (c->options.lladdr)
1796  {
1797  set_lladdr(c->c1.tuntap->actual_name, c->options.lladdr, c->c2.es);
1798  }
1799 
1800  /* do ifconfig */
1801  if (!c->options.ifconfig_noexec
1802  && ifconfig_order() == IFCONFIG_AFTER_TUN_OPEN)
1803  {
1804  do_ifconfig(c->c1.tuntap, c->c1.tuntap->actual_name,
1805  TUN_MTU_SIZE(&c->c2.frame), c->c2.es, &c->net_ctx);
1806  }
1807 
1808  /* run the up script */
1809  run_up_down(c->options.up_script,
1810  c->plugins,
1811  OPENVPN_PLUGIN_UP,
1812  c->c1.tuntap->actual_name,
1813 #ifdef _WIN32
1814  c->c1.tuntap->adapter_index,
1815 #endif
1816  dev_type_string(c->options.dev, c->options.dev_type),
1817  TUN_MTU_SIZE(&c->c2.frame),
1818  EXPANDED_SIZE(&c->c2.frame),
1819  print_in_addr_t(c->c1.tuntap->local, IA_EMPTY_IF_UNDEF, &gc),
1820  print_in_addr_t(c->c1.tuntap->remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
1821  "init",
1822  NULL,
1823  "up",
1824  c->c2.es);
1825 
1826 #if defined(_WIN32)
1827  if (c->options.block_outside_dns)
1828  {
1829  dmsg(D_LOW, "Blocking outside DNS");
1830  if (!win_wfp_block_dns(c->c1.tuntap->adapter_index, c->options.msg_channel))
1831  {
1832  msg(M_FATAL, "Blocking DNS failed!");
1833  }
1834  }
1835 #endif
1836 
1837  /* possibly add routes */
1838  if ((route_order() == ROUTE_AFTER_TUN) && (!c->options.route_delay_defined))
1839  {
1840  do_route(&c->options, c->c1.route_list, c->c1.route_ipv6_list,
1841  c->c1.tuntap, c->plugins, c->c2.es, &c->net_ctx);
1842  }
1843 
1844  /*
1845  * Did tun/tap driver give us an MTU?
1846  */
1847  if (c->c1.tuntap->post_open_mtu)
1848  {
1849  frame_set_mtu_dynamic(&c->c2.frame,
1850  c->c1.tuntap->post_open_mtu,
1851  SET_MTU_TUN | SET_MTU_UPPER_BOUND);
1852  }
1853 
1854  ret = true;
1855  static_context = c;
1856 #ifndef TARGET_ANDROID
1857 }
1858 else
1859 {
1860  msg(M_INFO, "Preserving previous TUN/TAP instance: %s",
1861  c->c1.tuntap->actual_name);
1862 
1863  /* explicitly set the ifconfig_* env vars */
1864  do_ifconfig_setenv(c->c1.tuntap, c->c2.es);
1865 
1866  /* run the up script if user specified --up-restart */
1867  if (c->options.up_restart)
1868  {
1869  run_up_down(c->options.up_script,
1870  c->plugins,
1871  OPENVPN_PLUGIN_UP,
1872  c->c1.tuntap->actual_name,
1873 #ifdef _WIN32
1874  c->c1.tuntap->adapter_index,
1875 #endif
1876  dev_type_string(c->options.dev, c->options.dev_type),
1877  TUN_MTU_SIZE(&c->c2.frame),
1878  EXPANDED_SIZE(&c->c2.frame),
1879  print_in_addr_t(c->c1.tuntap->local, IA_EMPTY_IF_UNDEF, &gc),
1880  print_in_addr_t(c->c1.tuntap->remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
1881  "restart",
1882  NULL,
1883  "up",
1884  c->c2.es);
1885  }
1886 #if defined(_WIN32)
1887  if (c->options.block_outside_dns)
1888  {
1889  dmsg(D_LOW, "Blocking outside DNS");
1890  if (!win_wfp_block_dns(c->c1.tuntap->adapter_index, c->options.msg_channel))
1891  {
1892  msg(M_FATAL, "Blocking DNS failed!");
1893  }
1894  }
1895 #endif
1896 
1897 }
1898 #endif /* ifndef TARGET_ANDROID */
1899  gc_free(&gc);
1900  return ret;
1901 }
1902 
1903 /*
1904  * Close TUN/TAP device
1905  */
1906 
1907 static void
1908 do_close_tun_simple(struct context *c)
1909 {
1910  msg(D_CLOSE, "Closing TUN/TAP interface");
1911  if (c->c1.tuntap)
1912  {
1913  close_tun(c->c1.tuntap, &c->net_ctx);
1914  c->c1.tuntap = NULL;
1915  }
1916  c->c1.tuntap_owned = false;
1917 #if P2MP
1918  CLEAR(c->c1.pulled_options_digest_save);
1919 #endif
1920 }
1921 
1922 static void
1923 do_close_tun(struct context *c, bool force)
1924 {
1925  struct gc_arena gc = gc_new();
1926  if (c->c1.tuntap && c->c1.tuntap_owned)
1927  {
1928  const char *tuntap_actual = string_alloc(c->c1.tuntap->actual_name, &gc);
1929 #ifdef _WIN32
1930  DWORD adapter_index = c->c1.tuntap->adapter_index;
1931 #endif
1932  const in_addr_t local = c->c1.tuntap->local;
1933  const in_addr_t remote_netmask = c->c1.tuntap->remote_netmask;
1934 
1935  if (force || !(c->sig->signal_received == SIGUSR1 && c->options.persist_tun))
1936  {
1937  static_context = NULL;
1938 
1939 #ifdef ENABLE_MANAGEMENT
1940  /* tell management layer we are about to close the TUN/TAP device */
1941  if (management)
1942  {
1943  management_pre_tunnel_close(management);
1944  management_up_down(management, "DOWN", c->c2.es);
1945  }
1946 #endif
1947 
1948  /* delete any routes we added */
1949  if (c->c1.route_list || c->c1.route_ipv6_list)
1950  {
1951  run_up_down(c->options.route_predown_script,
1952  c->plugins,
1953  OPENVPN_PLUGIN_ROUTE_PREDOWN,
1954  tuntap_actual,
1955 #ifdef _WIN32
1956  adapter_index,
1957 #endif
1958  NULL,
1959  TUN_MTU_SIZE(&c->c2.frame),
1960  EXPANDED_SIZE(&c->c2.frame),
1961  print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc),
1962  print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
1963  "init",
1964  signal_description(c->sig->signal_received,
1965  c->sig->signal_text),
1966  "route-pre-down",
1967  c->c2.es);
1968 
1969  delete_routes(c->c1.route_list, c->c1.route_ipv6_list,
1970  c->c1.tuntap, ROUTE_OPTION_FLAGS(&c->options),
1971  c->c2.es, &c->net_ctx);
1972  }
1973 
1974  /* actually close tun/tap device based on --down-pre flag */
1975  if (!c->options.down_pre)
1976  {
1977  do_close_tun_simple(c);
1978  }
1979 
1980  /* Run the down script -- note that it will run at reduced
1981  * privilege if, for example, "--user nobody" was used. */
1982  run_up_down(c->options.down_script,
1983  c->plugins,
1984  OPENVPN_PLUGIN_DOWN,
1985  tuntap_actual,
1986 #ifdef _WIN32
1987  adapter_index,
1988 #endif
1989  NULL,
1990  TUN_MTU_SIZE(&c->c2.frame),
1991  EXPANDED_SIZE(&c->c2.frame),
1992  print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc),
1993  print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
1994  "init",
1995  signal_description(c->sig->signal_received,
1996  c->sig->signal_text),
1997  "down",
1998  c->c2.es);
1999 
2000 #if defined(_WIN32)
2001  if (c->options.block_outside_dns)
2002  {
2003  if (!win_wfp_uninit(adapter_index, c->options.msg_channel))
2004  {
2005  msg(M_FATAL, "Uninitialising WFP failed!");
2006  }
2007  }
2008 #endif
2009 
2010  /* actually close tun/tap device based on --down-pre flag */
2011  if (c->options.down_pre)
2012  {
2013  do_close_tun_simple(c);
2014  }
2015  }
2016  else
2017  {
2018  /* run the down script on this restart if --up-restart was specified */
2019  if (c->options.up_restart)
2020  {
2021  run_up_down(c->options.down_script,
2022  c->plugins,
2023  OPENVPN_PLUGIN_DOWN,
2024  tuntap_actual,
2025 #ifdef _WIN32
2026  adapter_index,
2027 #endif
2028  NULL,
2029  TUN_MTU_SIZE(&c->c2.frame),
2030  EXPANDED_SIZE(&c->c2.frame),
2031  print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc),
2032  print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
2033  "restart",
2034  signal_description(c->sig->signal_received,
2035  c->sig->signal_text),
2036  "down",
2037  c->c2.es);
2038  }
2039 
2040 #if defined(_WIN32)
2041  if (c->options.block_outside_dns)
2042  {
2043  if (!win_wfp_uninit(adapter_index, c->options.msg_channel))
2044  {
2045  msg(M_FATAL, "Uninitialising WFP failed!");
2046  }
2047  }
2048 #endif
2049 
2050  }
2051  }
2052  gc_free(&gc);
2053 }
2054 
2055 void
2056 tun_abort(void)
2057 {
2058  struct context *c = static_context;
2059  if (c)
2060  {
2061  static_context = NULL;
2062  do_close_tun(c, true);
2063  }
2064 }
2065 
2066 /*
2067  * Handle delayed tun/tap interface bringup due to --up-delay or --pull
2068  */
2069 
2070 #if P2MP
2071 
2075 static bool
2076 options_hash_changed_or_zero(const struct sha256_digest *a,
2077  const struct sha256_digest *b)
2078 {
2079  const struct sha256_digest zero = {{0}};
2080  return memcmp(a, b, sizeof(struct sha256_digest))
2081  || !memcmp(a, &zero, sizeof(struct sha256_digest));
2082 }
2083 #endif /* P2MP */
2084 
2085 bool
2086 do_up(struct context *c, bool pulled_options, unsigned int option_types_found)
2087 {
2088  if (!c->c2.do_up_ran)
2089  {
2090  reset_coarse_timers(c);
2091 
2092  if (pulled_options)
2093  {
2094  if (!do_deferred_options(c, option_types_found))
2095  {
2096  msg(D_PUSH_ERRORS, "ERROR: Failed to apply push options");
2097  return false;
2098  }
2099  }
2100 
2101  /* if --up-delay specified, open tun, do ifconfig, and run up script now */
2102  if (c->options.up_delay || PULL_DEFINED(&c->options))
2103  {
2104  c->c2.did_open_tun = do_open_tun(c);
2105  update_time();
2106 
2107 #if P2MP
2108  /*
2109  * Was tun interface object persisted from previous restart iteration,
2110  * and if so did pulled options string change from previous iteration?
2111  */
2112  if (!c->c2.did_open_tun
2113  && PULL_DEFINED(&c->options)
2114  && c->c1.tuntap
2115  && options_hash_changed_or_zero(&c->c1.pulled_options_digest_save,
2116  &c->c2.pulled_options_digest))
2117  {
2118  /* if so, close tun, delete routes, then reinitialize tun and add routes */
2119  msg(M_INFO, "NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.");
2120  do_close_tun(c, true);
2121  management_sleep(1);
2122  c->c2.did_open_tun = do_open_tun(c);
2123  update_time();
2124  }
2125 #endif
2126  }
2127 
2128  if (c->c2.did_open_tun)
2129  {
2130 #if P2MP
2131  c->c1.pulled_options_digest_save = c->c2.pulled_options_digest;
2132 #endif
2133 
2134  /* if --route-delay was specified, start timer */
2135  if ((route_order() == ROUTE_AFTER_TUN) && c->options.route_delay_defined)
2136  {
2137  event_timeout_init(&c->c2.route_wakeup, c->options.route_delay, now);
2138  event_timeout_init(&c->c2.route_wakeup_expire, c->options.route_delay + c->options.route_delay_window, now);
2139  if (c->c1.tuntap)
2140  {
2141  tun_standby_init(c->c1.tuntap);
2142  }
2143  }
2144  else
2145  {
2146  initialization_sequence_completed(c, 0); /* client/p2p --route-delay undefined */
2147  }
2148  }
2149  else if (c->options.mode == MODE_POINT_TO_POINT)
2150  {
2151  initialization_sequence_completed(c, 0); /* client/p2p restart with --persist-tun */
2152  }
2153 
2154  c->c2.do_up_ran = true;
2155  }
2156  return true;
2157 }
2158 
2159 /*
2160  * These are the option categories which will be accepted by pull.
2161  */
2162 unsigned int
2163 pull_permission_mask(const struct context *c)
2164 {
2165  unsigned int flags =
2166  OPT_P_UP
2167  | OPT_P_ROUTE_EXTRAS
2168  | OPT_P_SOCKBUF
2169  | OPT_P_SOCKFLAGS
2170  | OPT_P_SETENV
2171  | OPT_P_SHAPER
2172  | OPT_P_TIMER
2173  | OPT_P_COMP
2174  | OPT_P_PERSIST
2175  | OPT_P_MESSAGES
2176  | OPT_P_EXPLICIT_NOTIFY
2177  | OPT_P_ECHO
2178  | OPT_P_PULL_MODE
2179  | OPT_P_PEER_ID;
2180 
2181  if (!c->options.route_nopull)
2182  {
2183  flags |= (OPT_P_ROUTE | OPT_P_IPWIN32);
2184  }
2185 
2186  if (c->options.ncp_enabled)
2187  {
2188  flags |= OPT_P_NCP;
2189  }
2190 
2191  return flags;
2192 }
2193 
2194 /*
2195  * Handle non-tun-related pulled options.
2196  */
2197 bool
2198 do_deferred_options(struct context *c, const unsigned int found)
2199 {
2200  if (found & OPT_P_MESSAGES)
2201  {
2202  init_verb_mute(c, IVM_LEVEL_1|IVM_LEVEL_2);
2203  msg(D_PUSH, "OPTIONS IMPORT: --verb and/or --mute level changed");
2204  }
2205  if (found & OPT_P_TIMER)
2206  {
2207  do_init_timers(c, true);
2208  msg(D_PUSH, "OPTIONS IMPORT: timers and/or timeouts modified");
2209  }
2210 
2211 #ifdef ENABLE_OCC
2212  if (found & OPT_P_EXPLICIT_NOTIFY)
2213  {
2214  if (!proto_is_udp(c->options.ce.proto) && c->options.ce.explicit_exit_notification)
2215  {
2216  msg(D_PUSH, "OPTIONS IMPORT: --explicit-exit-notify can only be used with --proto udp");
2217  c->options.ce.explicit_exit_notification = 0;
2218  }
2219  else
2220  {
2221  msg(D_PUSH, "OPTIONS IMPORT: explicit notify parm(s) modified");
2222  }
2223  }
2224 #endif
2225 
2226 #ifdef USE_COMP
2227  if (found & OPT_P_COMP)
2228  {
2229  msg(D_PUSH, "OPTIONS IMPORT: compression parms modified");
2230  comp_uninit(c->c2.comp_context);
2231  c->c2.comp_context = comp_init(&c->options.comp);
2232  }
2233 #endif
2234 
2235  if (found & OPT_P_SHAPER)
2236  {
2237  msg(D_PUSH, "OPTIONS IMPORT: traffic shaper enabled");
2238  do_init_traffic_shaper(c);
2239  }
2240 
2241  if (found & OPT_P_SOCKBUF)
2242  {
2243  msg(D_PUSH, "OPTIONS IMPORT: --sndbuf/--rcvbuf options modified");
2244  link_socket_update_buffer_sizes(c->c2.link_socket, c->options.rcvbuf, c->options.sndbuf);
2245  }
2246 
2247  if (found & OPT_P_SOCKFLAGS)
2248  {
2249  msg(D_PUSH, "OPTIONS IMPORT: --socket-flags option modified");
2250  link_socket_update_flags(c->c2.link_socket, c->options.sockflags);
2251  }
2252 
2253  if (found & OPT_P_PERSIST)
2254  {
2255  msg(D_PUSH, "OPTIONS IMPORT: --persist options modified");
2256  }
2257  if (found & OPT_P_UP)
2258  {
2259  msg(D_PUSH, "OPTIONS IMPORT: --ifconfig/up options modified");
2260  }
2261  if (found & OPT_P_ROUTE)
2262  {
2263  msg(D_PUSH, "OPTIONS IMPORT: route options modified");
2264  }
2265  if (found & OPT_P_ROUTE_EXTRAS)
2266  {
2267  msg(D_PUSH, "OPTIONS IMPORT: route-related options modified");
2268  }
2269  if (found & OPT_P_IPWIN32)
2270  {
2271  msg(D_PUSH, "OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified");
2272  }
2273  if (found & OPT_P_SETENV)
2274  {
2275  msg(D_PUSH, "OPTIONS IMPORT: environment modified");
2276  }
2277 
2278  if (found & OPT_P_PEER_ID)
2279  {
2280  msg(D_PUSH, "OPTIONS IMPORT: peer-id set");
2281  c->c2.tls_multi->use_peer_id = true;
2282  c->c2.tls_multi->peer_id = c->options.peer_id;
2283  frame_add_to_extra_frame(&c->c2.frame, +3); /* peer-id overhead */
2284  if (!c->options.ce.link_mtu_defined)
2285  {
2286  frame_add_to_link_mtu(&c->c2.frame, +3);
2287  msg(D_PUSH, "OPTIONS IMPORT: adjusting link_mtu to %d",
2288  EXPANDED_SIZE(&c->c2.frame));
2289  }
2290  else
2291  {
2292  msg(M_WARN, "OPTIONS IMPORT: WARNING: peer-id set, but link-mtu"
2293  " fixed by config - reducing tun-mtu to %d, expect"
2294  " MTU problems", TUN_MTU_SIZE(&c->c2.frame) );
2295  }
2296  }
2297 
2298  /* process (potentially pushed) crypto options */
2299  if (c->options.pull)
2300  {
2301  struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE];
2302  if (found & OPT_P_NCP)
2303  {
2304  msg(D_PUSH, "OPTIONS IMPORT: data channel crypto options modified");
2305  }
2306  else if (c->options.ncp_enabled)
2307  {
2308  tls_poor_mans_ncp(&c->options, c->c2.tls_multi->remote_ciphername);
2309  }
2310  /* Do not regenerate keys if server sends an extra push reply */
2311  if (!session->key[KS_PRIMARY].crypto_options.key_ctx_bi.initialized
2312  && !tls_session_update_crypto_params(session, &c->options, &c->c2.frame))
2313  {
2314  msg(D_TLS_ERRORS, "OPTIONS ERROR: failed to import crypto options");
2315  return false;
2316  }
2317  }
2318 
2319  return true;
2320 }
2321 
2322 /*
2323  * Possible hold on initialization, holdtime is the
2324  * time OpenVPN would wait without management
2325  */
2326 static bool
2327 do_hold(int holdtime)
2328 {
2329 #ifdef ENABLE_MANAGEMENT
2330  if (management)
2331  {
2332  /* block until management hold is released */
2333  if (management_hold(management, holdtime))
2334  {
2335  return true;
2336  }
2337  }
2338 #endif
2339  return false;
2340 }
2341 
2342 /*
2343  * Sleep before restart.
2344  */
2345 static void
2346 socket_restart_pause(struct context *c)
2347 {
2348  int sec = 2;
2349  int backoff = 0;
2350 
2351  switch (c->options.ce.proto)
2352  {
2353  case PROTO_TCP_SERVER:
2354  sec = 1;
2355  break;
2356 
2357  case PROTO_UDP:
2358  case PROTO_TCP_CLIENT:
2359  sec = c->options.ce.connect_retry_seconds;
2360  break;
2361  }
2362 
2363 #ifdef ENABLE_DEBUG
2364  if (GREMLIN_CONNECTION_FLOOD_LEVEL(c->options.gremlin))
2365  {
2366  sec = 0;
2367  }
2368 #endif
2369 
2370 #if P2MP
2371  if (auth_retry_get() == AR_NOINTERACT)
2372  {
2373  sec = 10;
2374  }
2375 #endif
2376 
2377  /* Slow down reconnection after 5 retries per remote -- for tcp only in client mode */
2378  if (c->options.ce.proto != PROTO_TCP_SERVER)
2379  {
2380  backoff = (c->options.unsuccessful_attempts / c->options.connection_list->len) - 4;
2381  if (backoff > 0)
2382  {
2383  /* sec is less than 2^16; we can left shift it by up to 15 bits without overflow */
2384  sec = max_int(sec, 1) << min_int(backoff, 15);
2385  }
2386 
2387  if (sec > c->options.ce.connect_retry_seconds_max)
2388  {
2389  sec = c->options.ce.connect_retry_seconds_max;
2390  }
2391  }
2392 
2393  if (c->persist.restart_sleep_seconds > 0 && c->persist.restart_sleep_seconds > sec)
2394  {
2395  sec = c->persist.restart_sleep_seconds;
2396  }
2397  else if (c->persist.restart_sleep_seconds == -1)
2398  {
2399  sec = 0;
2400  }
2401  c->persist.restart_sleep_seconds = 0;
2402 
2403  /* do management hold on context restart, i.e. second, third, fourth, etc. initialization */
2404  if (do_hold(sec))
2405  {
2406  sec = 0;
2407  }
2408 
2409  if (sec)
2410  {
2411  msg(D_RESTART, "Restart pause, %d second(s)", sec);
2412  management_sleep(sec);
2413  }
2414 }
2415 
2416 /*
2417  * Do a possible pause on context_2 initialization.
2418  */
2419 static void
2420 do_startup_pause(struct context *c)
2421 {
2422  if (!c->first_time)
2423  {
2424  socket_restart_pause(c);
2425  }
2426  else
2427  {
2428  do_hold(0); /* do management hold on first context initialization */
2429  }
2430 }
2431 
2432 /*
2433  * Finalize MTU parameters based on command line or config file options.
2434  */
2435 static void
2436 frame_finalize_options(struct context *c, const struct options *o)
2437 {
2438  if (!o)
2439  {
2440  o = &c->options;
2441  }
2442 
2443  /*
2444  * Set adjustment factor for buffer alignment when no
2445  * cipher is used.
2446  */
2447  if (!CIPHER_ENABLED(c))
2448  {
2449  frame_align_to_extra_frame(&c->c2.frame);
2450  frame_or_align_flags(&c->c2.frame,
2451  FRAME_HEADROOM_MARKER_FRAGMENT
2452  |FRAME_HEADROOM_MARKER_READ_LINK
2453  |FRAME_HEADROOM_MARKER_READ_STREAM);
2454  }
2455 
2456  frame_add_to_extra_buffer(&c->c2.frame, PAYLOAD_ALIGN);
2457  frame_finalize(&c->c2.frame,
2458  o->ce.link_mtu_defined,
2459  o->ce.link_mtu,
2460  o->ce.tun_mtu_defined,
2461  o->ce.tun_mtu);
2462 }
2463 
2464 /*
2465  * Free a key schedule, including OpenSSL components.
2466  */
2467 static void
2468 key_schedule_free(struct key_schedule *ks, bool free_ssl_ctx)
2469 {
2470  free_key_ctx_bi(&ks->static_key);
2471  if (tls_ctx_initialised(&ks->ssl_ctx) && free_ssl_ctx)
2472  {
2473  tls_ctx_free(&ks->ssl_ctx);
2474  free_key_ctx(&ks->tls_crypt_v2_server_key);
2475  }
2476  CLEAR(*ks);
2477 }
2478 
2479 static void
2480 init_crypto_pre(struct context *c, const unsigned int flags)
2481 {
2482  if (c->options.engine)
2483  {
2484  crypto_init_lib_engine(c->options.engine);
2485  }
2486 
2487  if (flags & CF_LOAD_PERSISTED_PACKET_ID)
2488  {
2489  /* load a persisted packet-id for cross-session replay-protection */
2490  if (c->options.packet_id_file)
2491  {
2492  packet_id_persist_load(&c->c1.pid_persist, c->options.packet_id_file);
2493  }
2494  }
2495 
2496 #ifdef ENABLE_PREDICTION_RESISTANCE
2497  if (c->options.use_prediction_resistance)
2498  {
2499  rand_ctx_enable_prediction_resistance();
2500  }
2501 #endif
2502 
2503 }
2504 
2505 /*
2506  * Static Key Mode (using a pre-shared key)
2507  */
2508 static void
2509 do_init_crypto_static(struct context *c, const unsigned int flags)
2510 {
2511  const struct options *options = &c->options;
2512  ASSERT(options->shared_secret_file);
2513 
2514  init_crypto_pre(c, flags);
2515 
2516  /* Initialize flags */
2517  if (c->options.mute_replay_warnings)
2518  {
2519  c->c2.crypto_options.flags |= CO_MUTE_REPLAY_WARNINGS;
2520  }
2521 
2522  /* Initialize packet ID tracking */
2523  if (options->replay)
2524  {
2525  packet_id_init(&c->c2.crypto_options.packet_id,
2526  options->replay_window,
2527  options->replay_time,
2528  "STATIC", 0);
2529  c->c2.crypto_options.pid_persist = &c->c1.pid_persist;
2530  c->c2.crypto_options.flags |= CO_PACKET_ID_LONG_FORM;
2531  packet_id_persist_load_obj(&c->c1.pid_persist,
2532  &c->c2.crypto_options.packet_id);
2533  }
2534 
2535  if (!key_ctx_bi_defined(&c->c1.ks.static_key))
2536  {
2537  /* Get cipher & hash algorithms */
2538  init_key_type(&c->c1.ks.key_type, options->ciphername, options->authname,
2539  options->keysize, options->test_crypto, true);
2540 
2541  /* Read cipher and hmac keys from shared secret file */
2542  crypto_read_openvpn_key(&c->c1.ks.key_type, &c->c1.ks.static_key,
2543  options->shared_secret_file,
2544  options->shared_secret_file_inline,
2545  options->key_direction, "Static Key Encryption",
2546  "secret");
2547  }
2548  else
2549  {
2550  msg(M_INFO, "Re-using pre-shared static key");
2551  }
2552 
2553  /* Get key schedule */
2554  c->c2.crypto_options.key_ctx_bi = c->c1.ks.static_key;
2555 
2556  /* Compute MTU parameters */
2557  crypto_adjust_frame_parameters(&c->c2.frame, &c->c1.ks.key_type,
2558  options->replay, true);
2559 
2560  /* Sanity check on sequence number, and cipher mode options */
2561  check_replay_consistency(&c->c1.ks.key_type, options->replay);
2562 }
2563 
2564 /*
2565  * Initialize the tls-auth/crypt key context
2566  */
2567 static void
2568 do_init_tls_wrap_key(struct context *c)
2569 {
2570  const struct options *options = &c->options;
2571 
2572  /* TLS handshake authentication (--tls-auth) */
2573  if (options->ce.tls_auth_file)
2574  {
2575  /* Initialize key_type for tls-auth with auth only */
2576  CLEAR(c->c1.ks.tls_auth_key_type);
2577  if (!streq(options->authname, "none"))
2578  {
2579  c->c1.ks.tls_auth_key_type.digest = md_kt_get(options->authname);
2580  c->c1.ks.tls_auth_key_type.hmac_length =
2581  md_kt_size(c->c1.ks.tls_auth_key_type.digest);
2582  }
2583  else
2584  {
2585  msg(M_FATAL, "ERROR: tls-auth enabled, but no valid --auth "
2586  "algorithm specified ('%s')", options->authname);
2587  }
2588 
2589  crypto_read_openvpn_key(&c->c1.ks.tls_auth_key_type,
2590  &c->c1.ks.tls_wrap_key,
2591  options->ce.tls_auth_file,
2592  options->ce.tls_auth_file_inline,
2593  options->ce.key_direction,
2594  "Control Channel Authentication", "tls-auth");
2595  }
2596 
2597  /* TLS handshake encryption+authentication (--tls-crypt) */
2598  if (options->ce.tls_crypt_file)
2599  {
2600  tls_crypt_init_key(&c->c1.ks.tls_wrap_key,
2601  options->ce.tls_crypt_file,
2602  options->ce.tls_crypt_inline, options->tls_server);
2603  }
2604 
2605  /* tls-crypt with client-specific keys (--tls-crypt-v2) */
2606  if (options->ce.tls_crypt_v2_file)
2607  {
2608  if (options->tls_server)
2609  {
2610  tls_crypt_v2_init_server_key(&c->c1.ks.tls_crypt_v2_server_key,
2611  true, options->ce.tls_crypt_v2_file,
2612  options->ce.tls_crypt_v2_inline);
2613  }
2614  else
2615  {
2616  tls_crypt_v2_init_client_key(&c->c1.ks.tls_wrap_key,
2617  &c->c1.ks.tls_crypt_v2_wkc,
2618  options->ce.tls_crypt_v2_file,
2619  options->ce.tls_crypt_v2_inline);
2620  }
2621  }
2622 
2623 
2624 }
2625 
2626 /*
2627  * Initialize the persistent component of OpenVPN's TLS mode,
2628  * which is preserved across SIGUSR1 resets.
2629  */
2630 static void
2631 do_init_crypto_tls_c1(struct context *c)
2632 {
2633  const struct options *options = &c->options;
2634 
2635  if (!tls_ctx_initialised(&c->c1.ks.ssl_ctx))
2636  {
2637  /*
2638  * Initialize the OpenSSL library's global
2639  * SSL context.
2640  */
2641  init_ssl(options, &(c->c1.ks.ssl_ctx));
2642  if (!tls_ctx_initialised(&c->c1.ks.ssl_ctx))
2643  {
2644 #if P2MP
2645  switch (auth_retry_get())
2646  {
2647  case AR_NONE:
2648  msg(M_FATAL, "Error: private key password verification failed");
2649  break;
2650 
2651  case AR_INTERACT:
2652  ssl_purge_auth(false);
2653 
2654  case AR_NOINTERACT:
2655  c->sig->signal_received = SIGUSR1; /* SOFT-SIGUSR1 -- Password failure error */
2656  break;
2657 
2658  default:
2659  ASSERT(0);
2660  }
2661  c->sig->signal_text = "private-key-password-failure";
2662  return;
2663 #else /* if P2MP */
2664  msg(M_FATAL, "Error: private key password verification failed");
2665 #endif /* if P2MP */
2666  }
2667 
2668  /* Get cipher & hash algorithms */
2669  init_key_type(&c->c1.ks.key_type, options->ciphername, options->authname,
2670  options->keysize, true, true);
2671 
2672  /* Initialize PRNG with config-specified digest */
2673  prng_init(options->prng_hash, options->prng_nonce_secret_len);
2674 
2675  /* initialize tls-auth/crypt/crypt-v2 key */
2676  do_init_tls_wrap_key(c);
2677 
2678 #if 0 /* was: #if ENABLE_INLINE_FILES -- Note that enabling this code will break restarts */
2679  if (options->priv_key_file_inline)
2680  {
2681  string_clear(c->options.priv_key_file_inline);
2682  c->options.priv_key_file_inline = NULL;
2683  }
2684 #endif
2685  }
2686  else
2687  {
2688  msg(D_INIT_MEDIUM, "Re-using SSL/TLS context");
2689 
2690  /*
2691  * tls-auth/crypt key can be configured per connection block, therefore
2692  * we must reload it as it may have changed
2693  */
2694  do_init_tls_wrap_key(c);
2695  }
2696 }
2697 
2698 static void
2699 do_init_crypto_tls(struct context *c, const unsigned int flags)
2700 {
2701  const struct options *options = &c->options;
2702  struct tls_options to;
2703  bool packet_id_long_form;
2704 
2705  ASSERT(options->tls_server || options->tls_client);
2706  ASSERT(!options->test_crypto);
2707 
2708  init_crypto_pre(c, flags);
2709 
2710  /* Make sure we are either a TLS client or server but not both */
2711  ASSERT(options->tls_server == !options->tls_client);
2712 
2713  /* initialize persistent component */
2714  do_init_crypto_tls_c1(c);
2715  if (IS_SIG(c))
2716  {
2717  return;
2718  }
2719 
2720  /* Sanity check on sequence number, and cipher mode options */
2721  check_replay_consistency(&c->c1.ks.key_type, options->replay);
2722 
2723  /* In short form, unique datagram identifier is 32 bits, in long form 64 bits */
2724  packet_id_long_form = cipher_kt_mode_ofb_cfb(c->c1.ks.key_type.cipher);
2725 
2726  /* Compute MTU parameters (postpone if we push/pull options) */
2727  if (c->options.pull || c->options.mode == MODE_SERVER)
2728  {
2729  /* Account for worst-case crypto overhead before allocating buffers */
2730  frame_add_to_extra_frame(&c->c2.frame, crypto_max_overhead());
2731  }
2732  else
2733  {
2734  crypto_adjust_frame_parameters(&c->c2.frame, &c->c1.ks.key_type,
2735  options->replay, packet_id_long_form);
2736  }
2737  tls_adjust_frame_parameters(&c->c2.frame);
2738 
2739  /* Set all command-line TLS-related options */
2740  CLEAR(to);
2741 
2742  if (options->mute_replay_warnings)
2743  {
2744  to.crypto_flags |= CO_MUTE_REPLAY_WARNINGS;
2745  }
2746 
2747  to.crypto_flags &= ~(CO_PACKET_ID_LONG_FORM);
2748  if (packet_id_long_form)
2749  {
2750  to.crypto_flags |= CO_PACKET_ID_LONG_FORM;
2751  }
2752 
2753  to.ssl_ctx = c->c1.ks.ssl_ctx;
2754  to.key_type = c->c1.ks.key_type;
2755  to.server = options->tls_server;
2756  to.key_method = options->key_method;
2757  to.replay = options->replay;
2758  to.replay_window = options->replay_window;
2759  to.replay_time = options->replay_time;
2760  to.tcp_mode = link_socket_proto_connection_oriented(options->ce.proto);
2761  to.config_ciphername = c->c1.ciphername;
2762  to.config_authname = c->c1.authname;
2763  to.ncp_enabled = options->ncp_enabled;
2764  to.transition_window = options->transition_window;
2765  to.handshake_window = options->handshake_window;
2766  to.packet_timeout = options->tls_timeout;
2767  to.renegotiate_bytes = options->renegotiate_bytes;
2768  to.renegotiate_packets = options->renegotiate_packets;
2769  if (options->renegotiate_seconds_min < 0)
2770  {
2771  /* Add 10% jitter to reneg-sec by default (server side only) */
2772  int auto_jitter = options->mode != MODE_SERVER ? 0 :
2773  get_random() % max_int(options->renegotiate_seconds / 10, 1);
2774  to.renegotiate_seconds = options->renegotiate_seconds - auto_jitter;
2775  }
2776  else
2777  {
2778  /* Add user-specified jitter to reneg-sec */
2779  to.renegotiate_seconds = options->renegotiate_seconds
2780  -(get_random() % max_int(options->renegotiate_seconds
2781  - options->renegotiate_seconds_min, 1));
2782  }
2783  to.single_session = options->single_session;
2784  to.mode = options->mode;
2785  to.pull = options->pull;
2786  if (options->push_peer_info) /* all there is */
2787  {
2788  to.push_peer_info_detail = 2;
2789  }
2790  else if (options->pull) /* pull clients send some details */
2791  {
2792  to.push_peer_info_detail = 1;
2793  }
2794  else /* default: no peer-info at all */
2795  {
2796  to.push_peer_info_detail = 0;
2797  }
2798 
2799  /* should we not xmit any packets until we get an initial
2800  * response from client? */
2801  if (to.server && options->ce.proto == PROTO_TCP_SERVER)
2802  {
2803  to.xmit_hold = true;
2804  }
2805 
2806 #ifdef ENABLE_OCC
2807  to.disable_occ = !options->occ;
2808 #endif
2809 
2810  to.verify_command = options->tls_verify;
2811  to.verify_export_cert = options->tls_export_cert;
2812  to.verify_x509_type = (options->verify_x509_type & 0xff);
2813  to.verify_x509_name = options->verify_x509_name;
2814  to.crl_file = options->crl_file;
2815  to.crl_file_inline = options->crl_file_inline;
2816  to.ssl_flags = options->ssl_flags;
2817  to.ns_cert_type = options->ns_cert_type;
2818  memmove(to.remote_cert_ku, options->remote_cert_ku, sizeof(to.remote_cert_ku));
2819  to.remote_cert_eku = options->remote_cert_eku;
2820  to.verify_hash = options->verify_hash;
2821  to.verify_hash_algo = options->verify_hash_algo;
2822 #ifdef ENABLE_X509ALTUSERNAME
2823  to.x509_username_field = (char *) options->x509_username_field;
2824 #else
2825  to.x509_username_field = X509_USERNAME_FIELD_DEFAULT;
2826 #endif
2827  to.es = c->c2.es;
2828  to.net_ctx = &c->net_ctx;
2829 
2830 #ifdef ENABLE_DEBUG
2831  to.gremlin = c->options.gremlin;
2832 #endif
2833 
2834  to.plugins = c->plugins;
2835 
2836 #ifdef MANAGEMENT_DEF_AUTH
2837  to.mda_context = &c->c2.mda_context;
2838 #endif
2839 
2840 #if P2MP_SERVER
2841  to.auth_user_pass_verify_script = options->auth_user_pass_verify_script;
2842  to.auth_user_pass_verify_script_via_file = options->auth_user_pass_verify_script_via_file;
2843  to.tmp_dir = options->tmp_dir;
2844  if (options->ccd_exclusive)
2845  {
2846  to.client_config_dir_exclusive = options->client_config_dir;
2847  }
2848  to.auth_user_pass_file = options->auth_user_pass_file;
2849  to.auth_token_generate = options->auth_token_generate;
2850  to.auth_token_lifetime = options->auth_token_lifetime;
2851 #endif
2852 
2853  to.x509_track = options->x509_track;
2854 
2855 #if P2MP
2856 #ifdef ENABLE_MANAGEMENT
2857  to.sci = &options->sc_info;
2858 #endif
2859 #endif
2860 
2861 #ifdef USE_COMP
2862  to.comp_options = options->comp;
2863 #endif
2864 
2865 #if defined(ENABLE_CRYPTO_OPENSSL) && OPENSSL_VERSION_NUMBER >= 0x10001000
2866  if (options->keying_material_exporter_label)
2867  {
2868  to.ekm_size = options->keying_material_exporter_length;
2869  if (to.ekm_size < 16 || to.ekm_size > 4095)
2870  {
2871  to.ekm_size = 0;
2872  }
2873 
2874  to.ekm_label = options->keying_material_exporter_label;
2875  to.ekm_label_size = strlen(to.ekm_label);
2876  }
2877  else
2878  {
2879  to.ekm_size = 0;
2880  }
2881 #endif
2882 
2883  /* TLS handshake authentication (--tls-auth) */
2884  if (options->ce.tls_auth_file)
2885  {
2886  to.tls_wrap.mode = TLS_WRAP_AUTH;
2887  to.tls_wrap.opt.key_ctx_bi = c->c1.ks.tls_wrap_key;
2888  to.tls_wrap.opt.pid_persist = &c->c1.pid_persist;
2889  to.tls_wrap.opt.flags |= CO_PACKET_ID_LONG_FORM;
2890  crypto_adjust_frame_parameters(&to.frame, &c->c1.ks.tls_auth_key_type,
2891  true, true);
2892  }
2893 
2894  /* TLS handshake encryption (--tls-crypt) */
2895  if (options->ce.tls_crypt_file
2896  || (options->ce.tls_crypt_v2_file && options->tls_client))
2897  {
2898  to.tls_wrap.mode = TLS_WRAP_CRYPT;
2899  to.tls_wrap.opt.key_ctx_bi = c->c1.ks.tls_wrap_key;
2900  to.tls_wrap.opt.pid_persist = &c->c1.pid_persist;
2901  to.tls_wrap.opt.flags |= CO_PACKET_ID_LONG_FORM;
2902  tls_crypt_adjust_frame_parameters(&to.frame);
2903 
2904  if (options->ce.tls_crypt_v2_file)
2905  {
2906  to.tls_wrap.tls_crypt_v2_wkc = &c->c1.ks.tls_crypt_v2_wkc;
2907  }
2908  }
2909 
2910  if (options->ce.tls_crypt_v2_file)
2911  {
2912  to.tls_crypt_v2 = true;
2913  if (options->tls_server)
2914  {
2915  to.tls_wrap.tls_crypt_v2_server_key = c->c1.ks.tls_crypt_v2_server_key;
2916  to.tls_crypt_v2_verify_script = c->options.tls_crypt_v2_verify_script;
2917  }
2918  }
2919 
2920  /* If we are running over TCP, allow for
2921  * length prefix */
2922  socket_adjust_frame_parameters(&to.frame, options->ce.proto);
2923 
2924  /*
2925  * Initialize OpenVPN's master TLS-mode object.
2926  */
2927  if (flags & CF_INIT_TLS_MULTI)
2928  {
2929  c->c2.tls_multi = tls_multi_init(&to);
2930  }
2931 
2932  if (flags & CF_INIT_TLS_AUTH_STANDALONE)
2933  {
2934  c->c2.tls_auth_standalone = tls_auth_standalone_init(&to, &c->c2.gc);
2935  }
2936 }
2937 
2938 static void
2939 do_init_finalize_tls_frame(struct context *c)
2940 {
2941  if (c->c2.tls_multi)
2942  {
2943  tls_multi_init_finalize(c->c2.tls_multi, &c->c2.frame);
2944  ASSERT(EXPANDED_SIZE(&c->c2.tls_multi->opt.frame) <=
2945  EXPANDED_SIZE(&c->c2.frame));
2946  frame_print(&c->c2.tls_multi->opt.frame, D_MTU_INFO,
2947  "Control Channel MTU parms");
2948  }
2949  if (c->c2.tls_auth_standalone)
2950  {
2951  tls_auth_standalone_finalize(c->c2.tls_auth_standalone, &c->c2.frame);
2952  frame_print(&c->c2.tls_auth_standalone->frame, D_MTU_INFO,
2953  "TLS-Auth MTU parms");
2954  }
2955 }
2956 
2957 /*
2958  * No encryption or authentication.
2959  */
2960 static void
2961 do_init_crypto_none(const struct context *c)
2962 {
2963  ASSERT(!c->options.test_crypto);
2964  msg(M_WARN,
2965  "******* WARNING *******: All encryption and authentication features "
2966  "disabled -- All data will be tunnelled as clear text and will not be "
2967  "protected against man-in-the-middle changes. "
2968  "PLEASE DO RECONSIDER THIS CONFIGURATION!");
2969 }
2970 
2971 static void
2972 do_init_crypto(struct context *c, const unsigned int flags)
2973 {
2974  if (c->options.shared_secret_file)
2975  {
2976  do_init_crypto_static(c, flags);
2977  }
2978  else if (c->options.tls_server || c->options.tls_client)
2979  {
2980  do_init_crypto_tls(c, flags);
2981  }
2982  else /* no encryption or authentication. */
2983  {
2984  do_init_crypto_none(c);
2985  }
2986 }
2987 
2988 static void
2989 do_init_frame(struct context *c)
2990 {
2991 #ifdef USE_COMP
2992  /*
2993  * modify frame parameters if compression is enabled
2994  */
2995  if (comp_enabled(&c->options.comp))
2996  {
2997  comp_add_to_extra_frame(&c->c2.frame);
2998 
2999 #if !defined(ENABLE_LZ4)
3000  /*
3001  * Compression usage affects buffer alignment when non-swapped algs
3002  * such as LZO is used.
3003  * Newer algs like LZ4 and comp-stub with COMP_F_SWAP don't need
3004  * any special alignment because of the control-byte swap approach.
3005  * LZO alignment (on the other hand) is problematic because
3006  * the presence of the control byte means that either the output of
3007  * decryption must be written to an unaligned buffer, or the input
3008  * to compression (or packet dispatch if packet is uncompressed)
3009  * must be read from an unaligned buffer.
3010  * This code tries to align the input to compression (or packet
3011  * dispatch if packet is uncompressed) at the cost of requiring
3012  * decryption output to be written to an unaligned buffer, so
3013  * it's more of a tradeoff than an optimal solution and we don't
3014  * include it when we are doing a modern build with LZ4.
3015  * Strictly speaking, on the server it would be better to execute
3016  * this code for every connection after we decide the compression
3017  * method, but currently the frame code doesn't appear to be
3018  * flexible enough for this, since the frame is already established
3019  * before it is known which compression options will be pushed.
3020  */
3021  if (comp_unswapped_prefix(&c->options.comp) && CIPHER_ENABLED(c))
3022  {
3023  frame_add_to_align_adjust(&c->c2.frame, COMP_PREFIX_LEN);
3024  frame_or_align_flags(&c->c2.frame,
3025  FRAME_HEADROOM_MARKER_FRAGMENT
3026  |FRAME_HEADROOM_MARKER_DECRYPT);
3027  }
3028 #endif
3029 
3030 #ifdef ENABLE_FRAGMENT
3031  comp_add_to_extra_frame(&c->c2.frame_fragment_omit); /* omit compression frame delta from final frame_fragment */
3032 #endif
3033  }
3034 #endif /* USE_COMP */
3035 
3036  /*
3037  * Adjust frame size for UDP Socks support.
3038  */
3039  if (c->options.ce.socks_proxy_server)
3040  {
3041  socks_adjust_frame_parameters(&c->c2.frame, c->options.ce.proto);
3042  }
3043 
3044  /*
3045  * Adjust frame size based on the --tun-mtu-extra parameter.
3046  */
3047  if (c->options.ce.tun_mtu_extra_defined)
3048  {
3049  tun_adjust_frame_parameters(&c->c2.frame, c->options.ce.tun_mtu_extra);
3050  }
3051 
3052  /*
3053  * Adjust frame size based on link socket parameters.
3054  * (Since TCP is a stream protocol, we need to insert
3055  * a packet length uint16_t in the buffer.)
3056  */
3057  socket_adjust_frame_parameters(&c->c2.frame, c->options.ce.proto);
3058 
3059  /*
3060  * Fill in the blanks in the frame parameters structure,
3061  * make sure values are rational, etc.
3062  */
3063  frame_finalize_options(c, NULL);
3064 
3065 #ifdef USE_COMP
3066  /*
3067  * Modify frame parameters if compression is compiled in.
3068  * Should be called after frame_finalize_options.
3069  */
3070  comp_add_to_extra_buffer(&c->c2.frame);
3071 #ifdef ENABLE_FRAGMENT
3072  comp_add_to_extra_buffer(&c->c2.frame_fragment_omit); /* omit compression frame delta from final frame_fragment */
3073 #endif
3074 #endif /* USE_COMP */
3075 
3076  /* packets with peer-id (P_DATA_V2) need 3 extra bytes in frame (on client)
3077  * and need link_mtu+3 bytes on socket reception (on server).
3078  *
3079  * accommodate receive path in f->extra_link, which has the side effect of
3080  * also increasing send buffers (BUF_SIZE() macro), which need to be
3081  * allocated big enough before receiving peer-id option from server.
3082  *
3083  * f->extra_frame is adjusted when peer-id option is push-received
3084  */
3085  frame_add_to_extra_link(&c->c2.frame, 3);
3086 
3087 #ifdef ENABLE_FRAGMENT
3088  /*
3089  * Set frame parameter for fragment code. This is necessary because
3090  * the fragmentation code deals with payloads which have already been
3091  * passed through the compression code.
3092  */
3093  c->c2.frame_fragment = c->c2.frame;
3094  frame_subtract_extra(&c->c2.frame_fragment, &c->c2.frame_fragment_omit);
3095 #endif
3096 
3097 #if defined(ENABLE_FRAGMENT) && defined(ENABLE_OCC)
3098  /*
3099  * MTU advisories
3100  */
3101  if (c->options.ce.fragment && c->options.mtu_test)
3102  {
3103  msg(M_WARN,
3104  "WARNING: using --fragment and --mtu-test together may produce an inaccurate MTU test result");
3105  }
3106 #endif
3107 
3108 #ifdef ENABLE_FRAGMENT
3109  if ((c->options.ce.mssfix || c->options.ce.fragment)
3110  && TUN_MTU_SIZE(&c->c2.frame_fragment) != ETHERNET_MTU)
3111  {
3112  msg(M_WARN,
3113  "WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu %d (currently it is %d)",
3114  ETHERNET_MTU, TUN_MTU_SIZE(&c->c2.frame_fragment));
3115  }
3116 #endif
3117 }
3118 
3119 static void
3120 do_option_warnings(struct context *c)
3121 {
3122  const struct options *o = &c->options;
3123 
3124  if (o->ping_send_timeout && !o->ping_rec_timeout)
3125  {
3126  msg(M_WARN, "WARNING: --ping should normally be used with --ping-restart or --ping-exit");
3127  }
3128 
3129  if (o->username || o->groupname || o->chroot_dir
3130 #ifdef ENABLE_SELINUX
3131  || o->selinux_context
3132 #endif
3133  )
3134  {
3135  if (!o->persist_tun)
3136  {
3137  msg(M_WARN, "WARNING: you are using user/group/chroot/setcon without persist-tun -- this may cause restarts to fail");
3138  }
3139  if (!o->persist_key
3140 #ifdef ENABLE_PKCS11
3141  && !o->pkcs11_id
3142 #endif
3143  )
3144  {
3145  msg(M_WARN, "WARNING: you are using user/group/chroot/setcon without persist-key -- this may cause restarts to fail");
3146  }
3147  }
3148 
3149  if (o->chroot_dir && !(o->username && o->groupname))
3150  {
3151  msg(M_WARN, "WARNING: you are using chroot without specifying user and group -- this may cause the chroot jail to be insecure");
3152  }
3153 
3154 #if P2MP
3155  if (o->pull && o->ifconfig_local && c->first_time)
3156  {
3157  msg(M_WARN, "WARNING: using --pull/--client and --ifconfig together is probably not what you want");
3158  }
3159 
3160 #if P2MP_SERVER
3161  if (o->server_bridge_defined | o->server_bridge_proxy_dhcp)
3162  {
3163  msg(M_WARN, "NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to");
3164  }
3165 
3166  if (o->mode == MODE_SERVER)
3167  {
3168  if (o->duplicate_cn && o->client_config_dir)
3169  {
3170  msg(M_WARN, "WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want");
3171  }
3172  if (o->duplicate_cn && o->ifconfig_pool_persist_filename)
3173  {
3174  msg(M_WARN, "WARNING: --ifconfig-pool-persist will not work with --duplicate-cn");
3175  }
3176  if (!o->keepalive_ping || !o->keepalive_timeout)
3177  {
3178  msg(M_WARN, "WARNING: --keepalive option is missing from server config");
3179  }
3180  }
3181 #endif /* if P2MP_SERVER */
3182 #endif /* if P2MP */
3183 
3184  if (!o->replay)
3185  {
3186  msg(M_WARN, "WARNING: You have disabled Replay Protection (--no-replay) which may make " PACKAGE_NAME " less secure");
3187  }
3188 
3189  if (o->tls_server)
3190  {
3191  warn_on_use_of_common_subnets(&c->net_ctx);
3192  }
3193  if (o->tls_client
3194  && !o->tls_verify
3195  && o->verify_x509_type == VERIFY_X509_NONE
3196  && !(o->ns_cert_type & NS_CERT_CHECK_SERVER)
3197  && !o->remote_cert_eku)
3198  {
3199  msg(M_WARN, "WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.");
3200  }
3201  if (o->ns_cert_type)
3202  {
3203  msg(M_WARN, "WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.");
3204  }
3205 
3206  /* If a script is used, print appropriate warnings */
3207  if (o->user_script_used)
3208  {
3209  if (script_security() >= SSEC_SCRIPTS)
3210  {
3211  msg(M_WARN, "NOTE: the current --script-security setting may allow this configuration to call user-defined scripts");
3212  }
3213  else if (script_security() >= SSEC_PW_ENV)
3214  {
3215  msg(M_WARN, "WARNING: the current --script-security setting may allow passwords to be passed to scripts via environmental variables");
3216  }
3217  else
3218  {
3219  msg(M_WARN, "NOTE: starting with " PACKAGE_NAME " 2.1, '--script-security 2' or higher is required to call user-defined scripts or executables");
3220  }
3221  }
3222 }
3223 
3224 static void
3225 do_init_frame_tls(struct context *c)
3226 {
3227  do_init_finalize_tls_frame(c);
3228 }
3229 
3230 struct context_buffers *
3231 init_context_buffers(const struct frame *frame)
3232 {
3233  struct context_buffers *b;
3234 
3235  ALLOC_OBJ_CLEAR(b, struct context_buffers);
3236 
3237  b->read_link_buf = alloc_buf(BUF_SIZE(frame));
3238  b->read_tun_buf = alloc_buf(BUF_SIZE(frame));
3239 
3240  b->aux_buf = alloc_buf(BUF_SIZE(frame));
3241 
3242  b->encrypt_buf = alloc_buf(BUF_SIZE(frame));
3243  b->decrypt_buf = alloc_buf(BUF_SIZE(frame));
3244 
3245 #ifdef USE_COMP
3246  b->compress_buf = alloc_buf(BUF_SIZE(frame));
3247  b->decompress_buf = alloc_buf(BUF_SIZE(frame));
3248 #endif
3249 
3250  return b;
3251 }
3252 
3253 void
3254 free_context_buffers(struct context_buffers *b)
3255 {
3256  if (b)
3257  {
3258  free_buf(&b->read_link_buf);
3259  free_buf(&b->read_tun_buf);
3260  free_buf(&b->aux_buf);
3261 
3262 #ifdef USE_COMP
3263  free_buf(&b->compress_buf);
3264  free_buf(&b->decompress_buf);
3265 #endif
3266 
3267  free_buf(&b->encrypt_buf);
3268  free_buf(&b->decrypt_buf);
3269 
3270  free(b);
3271  }
3272 }
3273 
3274 /*
3275  * Now that we know all frame parameters, initialize
3276  * our buffers.
3277  */
3278 static void
3279 do_init_buffers(struct context *c)
3280 {
3281  c->c2.buffers = init_context_buffers(&c->c2.frame);
3282  c->c2.buffers_owned = true;
3283 }
3284 
3285 #ifdef ENABLE_FRAGMENT
3286 /*
3287  * Fragmenting code has buffers to initialize
3288  * once frame parameters are known.
3289  */
3290 static void
3291 do_init_fragment(struct context *c)
3292 {
3293  ASSERT(c->options.ce.fragment);
3294  frame_set_mtu_dynamic(&c->c2.frame_fragment,
3295  c->options.ce.fragment, SET_MTU_UPPER_BOUND);
3296  fragment_frame_init(c->c2.fragment, &c->c2.frame_fragment);
3297 }
3298 #endif
3299 
3300 /*
3301  * Allocate our socket object.
3302  */
3303 static void
3304 do_link_socket_new(struct context *c)
3305 {
3306  ASSERT(!c->c2.link_socket);
3307  c->c2.link_socket = link_socket_new();
3308  c->c2.link_socket_owned = true;
3309 }
3310 
3311 /*
3312  * bind the TCP/UDP socket
3313  */
3314 static void
3315 do_init_socket_1(struct context *c, const int mode)
3316 {
3317  unsigned int sockflags = c->options.sockflags;
3318 
3319 #if PORT_SHARE
3320  if (c->options.port_share_host && c->options.port_share_port)
3321  {
3322  sockflags |= SF_PORT_SHARE;
3323  }
3324 #endif
3325 
3326  link_socket_init_phase1(c->c2.link_socket,
3327  c->options.ce.local,
3328  c->options.ce.local_port,
3329  c->options.ce.remote,
3330  c->options.ce.remote_port,
3331  c->c1.dns_cache,
3332  c->options.ce.proto,
3333  c->options.ce.af,
3334  c->options.ce.bind_ipv6_only,
3335  mode,
3336  c->c2.accept_from,
3337  c->c1.http_proxy,
3338  c->c1.socks_proxy,
3339 #ifdef ENABLE_DEBUG
3340  c->options.gremlin,
3341 #endif
3342  c->options.ce.bind_local,
3343  c->options.ce.remote_float,
3344  c->options.inetd,
3345  &c->c1.link_socket_addr,
3346  c->options.ipchange,
3347  c->plugins,
3348  c->options.resolve_retry_seconds,
3349  c->options.ce.mtu_discover_type,
3350  c->options.rcvbuf,
3351  c->options.sndbuf,
3352  c->options.mark,
3353  &c->c2.server_poll_interval,
3354  sockflags);
3355 }
3356 
3357 /*
3358  * finalize the TCP/UDP socket
3359  */
3360 static void
3361 do_init_socket_2(struct context *c)
3362 {
3363  link_socket_init_phase2(c->c2.link_socket, &c->c2.frame,
3364  c->sig);
3365 }
3366 
3367 /*
3368  * Print MTU INFO
3369  */
3370 static void
3371 do_print_data_channel_mtu_parms(struct context *c)
3372 {
3373  frame_print(&c->c2.frame, D_MTU_INFO, "Data Channel MTU parms");
3374 #ifdef ENABLE_FRAGMENT
3375  if (c->c2.fragment)
3376  {
3377  frame_print(&c->c2.frame_fragment, D_MTU_INFO,
3378  "Fragmentation MTU parms");
3379  }
3380 #endif
3381 }
3382 
3383 #ifdef ENABLE_OCC
3384 /*
3385  * Get local and remote options compatibility strings.
3386  */
3387 static void
3388 do_compute_occ_strings(struct context *c)
3389 {
3390  struct gc_arena gc = gc_new();
3391 
3392  c->c2.options_string_local =
3393  options_string(&c->options, &c->c2.frame, c->c1.tuntap, &c->net_ctx,
3394  false, &gc);
3395  c->c2.options_string_remote =
3396  options_string(&c->options, &c->c2.frame, c->c1.tuntap, &c->net_ctx,
3397  true, &gc);
3398 
3399  msg(D_SHOW_OCC, "Local Options String (VER=%s): '%s'",
3400  options_string_version(c->c2.options_string_local, &gc),
3401  c->c2.options_string_local);
3402  msg(D_SHOW_OCC, "Expected Remote Options String (VER=%s): '%s'",
3403  options_string_version(c->c2.options_string_remote, &gc),
3404  c->c2.options_string_remote);
3405 
3406  if (c->c2.tls_multi)
3407  {
3408  tls_multi_init_set_options(c->c2.tls_multi,
3409  c->c2.options_string_local,
3410  c->c2.options_string_remote);
3411  }
3412 
3413  gc_free(&gc);
3414 }
3415 #endif /* ifdef ENABLE_OCC */
3416 
3417 /*
3418  * These things can only be executed once per program instantiation.
3419  * Set up for possible UID/GID downgrade, but don't do it yet.
3420  * Daemonize if requested.
3421  */
3422 static void
3423 do_init_first_time(struct context *c)
3424 {
3425  if (c->first_time && !c->c0)
3426  {
3427  struct context_0 *c0;
3428 
3429  ALLOC_OBJ_CLEAR_GC(c->c0, struct context_0, &c->gc);
3430  c0 = c->c0;
3431 
3432  /* get user and/or group that we want to setuid/setgid to */
3433  c0->uid_gid_specified =
3434  platform_group_get(c->options.groupname, &c0->platform_state_group)
3435  |platform_user_get(c->options.username, &c0->platform_state_user);
3436 
3437  /* perform postponed chdir if --daemon */
3438  if (c->did_we_daemonize && c->options.cd_dir == NULL)
3439  {
3440  platform_chdir("/");
3441  }
3442 
3443  /* should we change scheduling priority? */
3444  platform_nice(c->options.nice);
3445  }
3446 }
3447 
3448 /*
3449  * If xinetd/inetd mode, don't allow restart.
3450  */
3451 static void
3452 do_close_check_if_restart_permitted(struct context *c)
3453 {
3454  if (c->options.inetd
3455  && (c->sig->signal_received == SIGHUP
3456  || c->sig->signal_received == SIGUSR1))
3457  {
3458  c->sig->signal_received = SIGTERM;
3459  msg(M_INFO,
3460  PACKAGE_NAME
3461  " started by inetd/xinetd cannot restart... Exiting.");
3462  }
3463 }
3464 
3465 /*
3466  * free buffers
3467  */
3468 static void
3469 do_close_free_buf(struct context *c)
3470 {
3471  if (c->c2.buffers_owned)
3472  {
3473  free_context_buffers(c->c2.buffers);
3474  c->c2.buffers = NULL;
3475  c->c2.buffers_owned = false;
3476  }
3477 }
3478 
3479 /*
3480  * close TLS
3481  */
3482 static void
3483 do_close_tls(struct context *c)
3484 {
3485  if (c->c2.tls_multi)
3486  {
3487  tls_multi_free(c->c2.tls_multi, true);
3488  c->c2.tls_multi = NULL;
3489  }
3490 
3491 #ifdef ENABLE_OCC
3492  /* free options compatibility strings */
3493  if (c->c2.options_string_local)
3494  {
3495  free(c->c2.options_string_local);
3496  }
3497  if (c->c2.options_string_remote)
3498  {
3499  free(c->c2.options_string_remote);
3500  }
3501  c->c2.options_string_local = c->c2.options_string_remote = NULL;
3502 #endif
3503 
3504  if (c->c2.pulled_options_state)
3505  {
3506  md_ctx_cleanup(c->c2.pulled_options_state);
3507  md_ctx_free(c->c2.pulled_options_state);
3508  }
3509 }
3510 
3511 /*
3512  * Free key schedules
3513  */
3514 static void
3515 do_close_free_key_schedule(struct context *c, bool free_ssl_ctx)
3516 {
3517  /*
3518  * always free the tls_auth/crypt key. If persist_key is true, the key will
3519  * be reloaded from memory (pre-cached)
3520  */
3521  free_key_ctx_bi(&c->c1.ks.tls_wrap_key);
3522  CLEAR(c->c1.ks.tls_wrap_key);
3523  buf_clear(&c->c1.ks.tls_crypt_v2_wkc);
3524  free_buf(&c->c1.ks.tls_crypt_v2_wkc);
3525 
3526  if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_key))
3527  {
3528  key_schedule_free(&c->c1.ks, free_ssl_ctx);
3529  }
3530 }
3531 
3532 /*
3533  * Close TCP/UDP connection
3534  */
3535 static void
3536 do_close_link_socket(struct context *c)
3537 {
3538  if (c->c2.link_socket && c->c2.link_socket_owned)
3539  {
3540  link_socket_close(c->c2.link_socket);
3541  c->c2.link_socket = NULL;
3542  }
3543 
3544 
3545  /* Preserve the resolved list of remote if the user request to or if we want
3546  * reconnect to the same host again or there are still addresses that need
3547  * to be tried */
3548  if (!(c->sig->signal_received == SIGUSR1
3549  && ( (c->options.persist_remote_ip)
3550  ||
3551  ( c->sig->source != SIG_SOURCE_HARD
3552  && ((c->c1.link_socket_addr.current_remote && c->c1.link_socket_addr.current_remote->ai_next)
3553  || c->options.no_advance))
3554  )))
3555  {
3556  clear_remote_addrlist(&c->c1.link_socket_addr, !c->options.resolve_in_advance);
3557  }
3558 
3559  /* Clear the remote actual address when persist_remote_ip is not in use */
3560  if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_remote_ip))
3561  {
3562  CLEAR(c->c1.link_socket_addr.actual);
3563  }
3564 
3565  if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_local_ip))
3566  {
3567  if (c->c1.link_socket_addr.bind_local && !c->options.resolve_in_advance)
3568  {
3569  freeaddrinfo(c->c1.link_socket_addr.bind_local);
3570  }
3571 
3572  c->c1.link_socket_addr.bind_local = NULL;
3573  }
3574 }
3575 
3576 /*
3577  * Close packet-id persistence file
3578  */
3579 static void
3580 do_close_packet_id(struct context *c)
3581 {
3582  packet_id_free(&c->c2.crypto_options.packet_id);
3583  packet_id_persist_save(&c->c1.pid_persist);
3584  if (!(c->sig->signal_received == SIGUSR1))
3585  {
3586  packet_id_persist_close(&c->c1.pid_persist);
3587  }
3588 }
3589 
3590 #ifdef ENABLE_FRAGMENT
3591 /*
3592  * Close fragmentation handler.
3593  */
3594 static void
3595 do_close_fragment(struct context *c)
3596 {
3597  if (c->c2.fragment)
3598  {
3599  fragment_free(c->c2.fragment);
3600  c->c2.fragment = NULL;
3601  }
3602 }
3603 #endif
3604 
3605 /*
3606  * Open and close our event objects.
3607  */
3608 
3609 static void
3610 do_event_set_init(struct context *c,
3611  bool need_us_timeout)
3612 {
3613  unsigned int flags = 0;
3614 
3615  c->c2.event_set_max = BASE_N_EVENTS;
3616 
3617  flags |= EVENT_METHOD_FAST;
3618 
3619  if (need_us_timeout)
3620  {
3621  flags |= EVENT_METHOD_US_TIMEOUT;
3622  }
3623 
3624  c->c2.event_set = event_set_init(&c->c2.event_set_max, flags);
3625  c->c2.event_set_owned = true;
3626 }
3627 
3628 static void
3629 do_close_event_set(struct context *c)
3630 {
3631  if (c->c2.event_set && c->c2.event_set_owned)
3632  {
3633  event_free(c->c2.event_set);
3634  c->c2.event_set = NULL;
3635  c->c2.event_set_owned = false;
3636  }
3637 }
3638 
3639 /*
3640  * Open and close --status file
3641  */
3642 
3643 static void
3644 do_open_status_output(struct context *c)
3645 {
3646  if (!c->c1.status_output)
3647  {
3648  c->c1.status_output = status_open(c->options.status_file,
3649  c->options.status_file_update_freq,
3650  -1,
3651  NULL,
3652  STATUS_OUTPUT_WRITE);
3653  c->c1.status_output_owned = true;
3654  }
3655 }
3656 
3657 static void
3658 do_close_status_output(struct context *c)
3659 {
3660  if (!(c->sig->signal_received == SIGUSR1))
3661  {
3662  if (c->c1.status_output_owned && c->c1.status_output)
3663  {
3664  status_close(c->c1.status_output);
3665  c->c1.status_output = NULL;
3666  c->c1.status_output_owned = false;
3667  }
3668  }
3669 }
3670 
3671 /*
3672  * Handle ifconfig-pool persistence object.
3673  */
3674 static void
3675 do_open_ifconfig_pool_persist(struct context *c)
3676 {
3677 #if P2MP_SERVER
3678  if (!c->c1.ifconfig_pool_persist && c->options.ifconfig_pool_persist_filename)
3679  {
3680  c->c1.ifconfig_pool_persist = ifconfig_pool_persist_init(c->options.ifconfig_pool_persist_filename,
3681  c->options.ifconfig_pool_persist_refresh_freq);
3682  c->c1.ifconfig_pool_persist_owned = true;
3683  }
3684 #endif
3685 }
3686 
3687 static void
3688 do_close_ifconfig_pool_persist(struct context *c)
3689 {
3690 #if P2MP_SERVER
3691  if (!(c->sig->signal_received == SIGUSR1))
3692  {
3693  if (c->c1.ifconfig_pool_persist && c->c1.ifconfig_pool_persist_owned)
3694  {
3695  ifconfig_pool_persist_close(c->c1.ifconfig_pool_persist);
3696  c->c1.ifconfig_pool_persist = NULL;
3697  c->c1.ifconfig_pool_persist_owned = false;
3698  }
3699  }
3700 #endif
3701 }
3702 
3703 /*
3704  * Inherit environmental variables
3705  */
3706 
3707 static void
3708 do_inherit_env(struct context *c, const struct env_set *src)
3709 {
3710  c->c2.es = env_set_create(NULL);
3711  c->c2.es_owned = true;
3712  env_set_inherit(c->c2.es, src);
3713 }
3714 
3715 static void
3716 do_env_set_destroy(struct context *c)
3717 {
3718  if (c->c2.es && c->c2.es_owned)
3719  {
3720  env_set_destroy(c->c2.es);
3721  c->c2.es = NULL;
3722  c->c2.es_owned = false;
3723  }
3724 }
3725 
3726 /*
3727  * Fast I/O setup. Fast I/O is an optimization which only works
3728  * if all of the following are true:
3729  *
3730  * (1) The platform is not Windows
3731  * (2) --proto udp is enabled
3732  * (3) --shaper is disabled
3733  */
3734 static void
3735 do_setup_fast_io(struct context *c)
3736 {
3737  if (c->options.fast_io)
3738  {
3739 #ifdef _WIN32
3740  msg(M_INFO, "NOTE: --fast-io is disabled since we are running on Windows");
3741 #else
3742  if (!proto_is_udp(c->options.ce.proto))
3743  {
3744  msg(M_INFO, "NOTE: --fast-io is disabled since we are not using UDP");
3745  }
3746  else
3747  {
3748 #ifdef ENABLE_FEATURE_SHAPER
3749  if (c->options.shaper)
3750  {
3751  msg(M_INFO, "NOTE: --fast-io is disabled since we are using --shaper");
3752  }
3753  else
3754 #endif
3755  {
3756  c->c2.fast_io = true;
3757  }
3758  }
3759 #endif
3760  }
3761 }
3762 
3763 static void
3764 do_signal_on_tls_errors(struct context *c)
3765 {
3766  if (c->options.tls_exit)
3767  {
3768  c->c2.tls_exit_signal = SIGTERM;
3769  }
3770  else
3771  {
3772  c->c2.tls_exit_signal = SIGUSR1;
3773  }
3774 }
3775 
3776 #ifdef ENABLE_PLUGIN
3777 
3778 void
3779 init_plugins(struct context *c)
3780 {
3781  if (c->options.plugin_list && !c->plugins)
3782  {
3783  c->plugins = plugin_list_init(c->options.plugin_list);
3784  c->plugins_owned = true;
3785  }
3786 }
3787 
3788 void
3789 open_plugins(struct context *c, const bool import_options, int init_point)
3790 {
3791  if (c->plugins && c->plugins_owned)
3792  {
3793  if (import_options)
3794  {
3795  struct plugin_return pr, config;
3796  plugin_return_init(&pr);
3797  plugin_list_open(c->plugins, c->options.plugin_list, &pr, c->c2.es, init_point);
3798  plugin_return_get_column(&pr, &config, "config");
3799  if (plugin_return_defined(&config))
3800  {
3801  int i;
3802  for (i = 0; i < config.n; ++i)
3803  {
3804  unsigned int option_types_found = 0;
3805  if (config.list[i] && config.list[i]->value)
3806  {
3807  options_string_import(&c->options,
3808  config.list[i]->value,
3809  D_IMPORT_ERRORS|M_OPTERR,
3810  OPT_P_DEFAULT & ~OPT_P_PLUGIN,
3811  &option_types_found,
3812  c->es);
3813  }
3814  }
3815  }
3816  plugin_return_free(&pr);
3817  }
3818  else
3819  {
3820  plugin_list_open(c->plugins, c->options.plugin_list, NULL, c->c2.es, init_point);
3821  }
3822  }
3823 }
3824 
3825 static void
3826 do_close_plugins(struct context *c)
3827 {
3828  if (c->plugins && c->plugins_owned && !(c->sig->signal_received == SIGUSR1))
3829  {
3830  plugin_list_close(c->plugins);
3831  c->plugins = NULL;
3832  c->plugins_owned = false;
3833  }
3834 }
3835 
3836 static void
3837 do_inherit_plugins(struct context *c, const struct context *src)
3838 {
3839  if (!c->plugins && src->plugins)
3840  {
3841  c->plugins = plugin_list_inherit(src->plugins);
3842  c->plugins_owned = true;
3843  }
3844 }
3845 
3846 #endif /* ifdef ENABLE_PLUGIN */
3847 
3848 #ifdef ENABLE_MANAGEMENT
3849 
3850 static void
3851 management_callback_status_p2p(void *arg, const int version, struct status_output *so)
3852 {
3853  struct context *c = (struct context *) arg;
3854  print_status(c, so);
3855 }
3856 
3857 void
3858 management_show_net_callback(void *arg, const int msglevel)
3859 {
3860 #ifdef _WIN32
3861  show_routes(msglevel);
3862  show_adapters(msglevel);
3863  msg(msglevel, "END");
3864 #else
3865  msg(msglevel, "ERROR: Sorry, this command is currently only implemented on Windows");
3866 #endif
3867 }
3868 
3869 #ifdef TARGET_ANDROID
3870 int
3871 management_callback_network_change(void *arg, bool samenetwork)
3872 {
3873  /* Check if the client should translate the network change to a SIGUSR1 to
3874  * reestablish the connection or just reprotect the socket
3875  *
3876  * At the moment just assume that, for all settings that use pull (not
3877  * --static) and are not using peer-id reestablishing the connection is
3878  * required (unless the network is the same)
3879  *
3880  * The function returns -1 on invalid fd and -2 if the socket cannot be
3881  * reused. On the -2 return value the man_network_change function triggers
3882  * a SIGUSR1 to force a reconnect.
3883  */
3884 
3885  int socketfd = -1;
3886  struct context *c = (struct context *) arg;
3887  if (!c->c2.link_socket)
3888  {
3889  return -1;
3890  }
3891  if (c->c2.link_socket->sd == SOCKET_UNDEFINED)
3892  {
3893  return -1;
3894  }
3895 
3896  socketfd = c->c2.link_socket->sd;
3897  if (!c->options.pull || c->c2.tls_multi->use_peer_id || samenetwork)
3898  {
3899  return socketfd;
3900  }
3901  else
3902  {
3903  return -2;
3904  }
3905 }
3906 #endif /* ifdef TARGET_ANDROID */
3907 
3908 #endif /* ifdef ENABLE_MANAGEMENT */
3909 
3910 void
3911 init_management_callback_p2p(struct context *c)
3912 {
3913 #ifdef ENABLE_MANAGEMENT
3914  if (management)
3915  {
3916  struct management_callback cb;
3917  CLEAR(cb);
3918  cb.arg = c;
3919  cb.status = management_callback_status_p2p;
3920  cb.show_net = management_show_net_callback;
3921  cb.proxy_cmd = management_callback_proxy_cmd;
3922  cb.remote_cmd = management_callback_remote_cmd;
3923 #ifdef TARGET_ANDROID
3924  cb.network_change = management_callback_network_change;
3925 #endif
3926  management_set_callback(management, &cb);
3927  }
3928 #endif
3929 }
3930 
3931 #ifdef ENABLE_MANAGEMENT
3932 
3933 void
3934 init_management(void)
3935 {
3936  if (!management)
3937  {
3938  management = management_init();
3939  }
3940 }
3941 
3942 bool
3943 open_management(struct context *c)
3944 {
3945  /* initialize management layer */
3946  if (management)
3947  {
3948  if (c->options.management_addr)
3949  {
3950  unsigned int flags = c->options.management_flags;
3951  if (c->options.mode == MODE_SERVER)
3952  {
3953  flags |= MF_SERVER;
3954  }
3955  if (management_open(management,
3956  c->options.management_addr,
3957  c->options.management_port,
3958  c->options.management_user_pass,
3959  c->options.management_client_user,
3960  c->options.management_client_group,
3961  c->options.management_log_history_cache,
3962  c->options.management_echo_buffer_size,
3963  c->options.management_state_buffer_size,
3964  c->options.management_write_peer_info_file,
3965  c->options.remap_sigusr1,
3966  flags))
3967  {
3968  management_set_state(management,
3969  OPENVPN_STATE_CONNECTING,
3970  NULL,
3971  NULL,
3972  NULL,
3973  NULL,
3974  NULL);
3975  }
3976 
3977  /* initial management hold, called early, before first context initialization */
3978  do_hold(0);
3979  if (IS_SIG(c))
3980  {
3981  msg(M_WARN, "Signal received from management interface, exiting");
3982  return false;
3983  }
3984  }
3985  else
3986  {
3987  close_management();
3988  }
3989  }
3990  return true;
3991 }
3992 
3993 void
3994 close_management(void)
3995 {
3996  if (management)
3997  {
3998  management_close(management);
3999  management = NULL;
4000  }
4001 }
4002 
4003 #endif /* ifdef ENABLE_MANAGEMENT */
4004 
4005 
4006 void
4007 uninit_management_callback(void)
4008 {
4009 #ifdef ENABLE_MANAGEMENT
4010  if (management)
4011  {
4012  management_clear_callback(management);
4013  }
4014 #endif
4015 }
4016 
4017 /*
4018  * Initialize a tunnel instance, handle pre and post-init
4019  * signal settings.
4020  */
4021 void
4022 init_instance_handle_signals(struct context *c, const struct env_set *env, const unsigned int flags)
4023 {
4024  pre_init_signal_catch();
4025  init_instance(c, env, flags);
4026  post_init_signal_catch();
4027 
4028  /*
4029  * This is done so that signals thrown during
4030  * initialization can bring us back to
4031  * a management hold.
4032  */
4033  if (IS_SIG(c))
4034  {
4035  remap_signal(c);
4036  uninit_management_callback();
4037  }
4038 }
4039 
4040 /*
4041  * Initialize a tunnel instance.
4042  */
4043 void
4044 init_instance(struct context *c, const struct env_set *env, const unsigned int flags)
4045 {
4046  const struct options *options = &c->options;
4047  const bool child = (c->mode == CM_CHILD_TCP || c->mode == CM_CHILD_UDP);
4048  int link_socket_mode = LS_MODE_DEFAULT;
4049 
4050  /* init garbage collection level */
4051  gc_init(&c->c2.gc);
4052 
4053  /* inherit environmental variables */
4054  if (env)
4055  {
4056  do_inherit_env(c, env);
4057  }
4058 
4059  /* signals caught here will abort */
4060  c->sig->signal_received = 0;
4061  c->sig->signal_text = NULL;
4062  c->sig->source = SIG_SOURCE_SOFT;
4063 
4064  if (c->mode == CM_P2P)
4065  {
4066  init_management_callback_p2p(c);
4067  }
4068 
4069  /* possible sleep or management hold if restart */
4070  if (c->mode == CM_P2P || c->mode == CM_TOP)
4071  {
4072  do_startup_pause(c);
4073  if (IS_SIG(c))
4074  {
4075  goto sig;
4076  }
4077  }
4078 
4079  if (c->options.resolve_in_advance)
4080  {
4081  do_preresolve(c);
4082  if (IS_SIG(c))
4083  {
4084  goto sig;
4085  }
4086  }
4087 
4088  /* map in current connection entry */
4089  next_connection_entry(c);
4090 
4091  /* link_socket_mode allows CM_CHILD_TCP
4092  * instances to inherit acceptable fds
4093  * from a top-level parent */
4094  if (c->options.ce.proto == PROTO_TCP_SERVER)
4095  {
4096  if (c->mode == CM_TOP)
4097  {
4098  link_socket_mode = LS_MODE_TCP_LISTEN;
4099  }
4100  else if (c->mode == CM_CHILD_TCP)
4101  {
4102  link_socket_mode = LS_MODE_TCP_ACCEPT_FROM;
4103  }
4104  }
4105 
4106  /* should we disable paging? */
4107  if (c->first_time && options->mlock)
4108  {
4109  platform_mlockall(true);
4110  }
4111 
4112 #if P2MP
4113  /* get passwords if undefined */
4114  if (auth_retry_get() == AR_INTERACT)
4115  {
4116  init_query_passwords(c);
4117  }
4118 #endif
4119 
4120  /* initialize context level 2 --verb/--mute parms */
4121  init_verb_mute(c, IVM_LEVEL_2);
4122 
4123  /* set error message delay for non-server modes */
4124  if (c->mode == CM_P2P)
4125  {
4126  set_check_status_error_delay(P2P_ERROR_DELAY_MS);
4127  }
4128 
4129  /* warn about inconsistent options */
4130  if (c->mode == CM_P2P || c->mode == CM_TOP)
4131  {
4132  do_option_warnings(c);
4133  }
4134 
4135 #ifdef ENABLE_PLUGIN
4136  /* initialize plugins */
4137  if (c->mode == CM_P2P || c->mode == CM_TOP)
4138  {
4139  open_plugins(c, false, OPENVPN_PLUGIN_INIT_PRE_DAEMON);
4140  }
4141 #endif
4142 
4143  /* should we enable fast I/O? */
4144  if (c->mode == CM_P2P || c->mode == CM_TOP)
4145  {
4146  do_setup_fast_io(c);
4147  }
4148 
4149  /* should we throw a signal on TLS errors? */
4150  do_signal_on_tls_errors(c);
4151 
4152  /* open --status file */
4153  if (c->mode == CM_P2P || c->mode == CM_TOP)
4154  {
4155  do_open_status_output(c);
4156  }
4157 
4158  /* open --ifconfig-pool-persist file */
4159  if (c->mode == CM_TOP)
4160  {
4161  do_open_ifconfig_pool_persist(c);
4162  }
4163 
4164 #ifdef ENABLE_OCC
4165  /* reset OCC state */
4166  if (c->mode == CM_P2P || child)
4167  {
4168  c->c2.occ_op = occ_reset_op();
4169  }
4170 #endif
4171 
4172  /* our wait-for-i/o objects, different for posix vs. win32 */
4173  if (c->mode == CM_P2P)
4174  {
4175  do_event_set_init(c, SHAPER_DEFINED(&c->options));
4176  }
4177  else if (c->mode == CM_CHILD_TCP)
4178  {
4179  do_event_set_init(c, false);
4180  }
4181 
4182  /* initialize HTTP or SOCKS proxy object at scope level 2 */
4183  init_proxy(c);
4184 
4185  /* allocate our socket object */
4186  if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
4187  {
4188  do_link_socket_new(c);
4189  }
4190 
4191 #ifdef ENABLE_FRAGMENT
4192  /* initialize internal fragmentation object */
4193  if (options->ce.fragment && (c->mode == CM_P2P || child))
4194  {
4195  c->c2.fragment = fragment_init(&c->c2.frame);
4196  }
4197 #endif
4198 
4199  /* init crypto layer */
4200  {
4201  unsigned int crypto_flags = 0;
4202  if (c->mode == CM_TOP)
4203  {
4204  crypto_flags = CF_INIT_TLS_AUTH_STANDALONE;
4205  }
4206  else if (c->mode == CM_P2P)
4207  {
4208  crypto_flags = CF_LOAD_PERSISTED_PACKET_ID | CF_INIT_TLS_MULTI;
4209  }
4210  else if (child)
4211  {
4212  crypto_flags = CF_INIT_TLS_MULTI;
4213  }
4214  do_init_crypto(c, crypto_flags);
4215  if (IS_SIG(c) && !child)
4216  {
4217  goto sig;
4218  }
4219  }
4220 
4221 #ifdef USE_COMP
4222  /* initialize compression library. */
4223  if (comp_enabled(&options->comp) && (c->mode == CM_P2P || child))
4224  {
4225  c->c2.comp_context = comp_init(&options->comp);
4226  }
4227 #endif
4228 
4229  /* initialize MTU variables */
4230  do_init_frame(c);
4231 
4232  /* initialize TLS MTU variables */
4233  do_init_frame_tls(c);
4234 
4235  /* init workspace buffers whose size is derived from frame size */
4236  if (c->mode == CM_P2P || c->mode == CM_CHILD_TCP)
4237  {
4238  do_init_buffers(c);
4239  }
4240 
4241 #ifdef ENABLE_FRAGMENT
4242  /* initialize internal fragmentation capability with known frame size */
4243  if (options->ce.fragment && (c->mode == CM_P2P || child))
4244  {
4245  do_init_fragment(c);
4246  }
4247 #endif
4248 
4249  /* initialize dynamic MTU variable */
4250  frame_init_mssfix(&c->c2.frame, &c->options);
4251 
4252  /* bind the TCP/UDP socket */
4253  if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
4254  {
4255  do_init_socket_1(c, link_socket_mode);
4256  }
4257 
4258  /* initialize tun/tap device object,
4259  * open tun/tap device, ifconfig, run up script, etc. */
4260  if (!(options->up_delay || PULL_DEFINED(options)) && (c->mode == CM_P2P || c->mode == CM_TOP))
4261  {
4262  c->c2.did_open_tun = do_open_tun(c);
4263  }
4264 
4265  c->c2.frame_initial = c->c2.frame;
4266 
4267  /* print MTU info */
4268  do_print_data_channel_mtu_parms(c);
4269 
4270 #ifdef ENABLE_OCC
4271  /* get local and remote options compatibility strings */
4272  if (c->mode == CM_P2P || child)
4273  {
4274  do_compute_occ_strings(c);
4275  }
4276 #endif
4277 
4278  /* initialize output speed limiter */
4279  if (c->mode == CM_P2P)
4280  {
4281  do_init_traffic_shaper(c);
4282  }
4283 
4284  /* do one-time inits, and possibly become a daemon here */
4285  do_init_first_time(c);
4286 
4287 #ifdef ENABLE_PLUGIN
4288  /* initialize plugins */
4289  if (c->mode == CM_P2P || c->mode == CM_TOP)
4290  {
4291  open_plugins(c, false, OPENVPN_PLUGIN_INIT_POST_DAEMON);
4292  }
4293 #endif
4294 
4295  /* initialise connect timeout timer */
4296  do_init_server_poll_timeout(c);
4297 
4298  /* finalize the TCP/UDP socket */
4299  if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
4300  {
4301  do_init_socket_2(c);
4302  }
4303 
4304  /*
4305  * Actually do UID/GID downgrade, and chroot, if requested.
4306  * May be delayed by --client, --pull, or --up-delay.
4307  */
4308  do_uid_gid_chroot(c, c->c2.did_open_tun);
4309 
4310  /* initialize timers */
4311  if (c->mode == CM_P2P || child)
4312  {
4313  do_init_timers(c, false);
4314  }
4315 
4316 #ifdef ENABLE_PLUGIN
4317  /* initialize plugins */
4318  if (c->mode == CM_P2P || c->mode == CM_TOP)
4319  {
4320  open_plugins(c, false, OPENVPN_PLUGIN_INIT_POST_UID_CHANGE);
4321  }
4322 #endif
4323 
4324 #if PORT_SHARE
4325  /* share OpenVPN port with foreign (such as HTTPS) server */
4326  if (c->first_time && (c->mode == CM_P2P || c->mode == CM_TOP))
4327  {
4328  init_port_share(c);
4329  }
4330 #endif
4331 
4332 #ifdef ENABLE_PF
4333  if (child)
4334  {
4335  pf_init_context(c);
4336  }
4337 #endif
4338 
4339  /* Check for signals */
4340  if (IS_SIG(c))
4341  {
4342  goto sig;
4343  }
4344 
4345  return;
4346 
4347 sig:
4348  if (!c->sig->signal_text)
4349  {
4350  c->sig->signal_text = "init_instance";
4351  }
4352  close_context(c, -1, flags);
4353  return;
4354 }
4355 
4356 /*
4357  * Close a tunnel instance.
4358  */
4359 void
4360 close_instance(struct context *c)
4361 {
4362  /* close event objects */
4363  do_close_event_set(c);
4364 
4365  if (c->mode == CM_P2P
4366  || c->mode == CM_CHILD_TCP
4367  || c->mode == CM_CHILD_UDP
4368  || c->mode == CM_TOP)
4369  {
4370  /* if xinetd/inetd mode, don't allow restart */
4371  do_close_check_if_restart_permitted(c);
4372 
4373 #ifdef USE_COMP
4374  if (c->c2.comp_context)
4375  {
4376  comp_uninit(c->c2.comp_context);
4377  c->c2.comp_context = NULL;
4378  }
4379 #endif
4380 
4381  /* free buffers */
4382  do_close_free_buf(c);
4383 
4384  /* close TLS */
4385  do_close_tls(c);
4386 
4387  /* free key schedules */
4388  do_close_free_key_schedule(c, (c->mode == CM_P2P || c->mode == CM_TOP));
4389 
4390  restore_ncp_options(c);
4391 
4392  /* close TCP/UDP connection */
4393  do_close_link_socket(c);
4394 
4395  /* close TUN/TAP device */
4396  do_close_tun(c, false);
4397 
4398 #ifdef MANAGEMENT_DEF_AUTH
4399  if (management)
4400  {
4401  management_notify_client_close(management, &c->c2.mda_context, NULL);
4402  }
4403 #endif
4404 
4405 #ifdef ENABLE_PF
4406  pf_destroy_context(&c->c2.pf);
4407 #endif
4408 
4409 #ifdef ENABLE_PLUGIN
4410  /* call plugin close functions and unload */
4411  do_close_plugins(c);
4412 #endif
4413 
4414  /* close packet-id persistence file */
4415  do_close_packet_id(c);
4416 
4417  /* close --status file */
4418  do_close_status_output(c);
4419 
4420 #ifdef ENABLE_FRAGMENT
4421  /* close fragmentation handler */
4422  do_close_fragment(c);
4423 #endif
4424 
4425  /* close --ifconfig-pool-persist obj */
4426  do_close_ifconfig_pool_persist(c);
4427 
4428  /* free up environmental variable store */
4429  do_env_set_destroy(c);
4430 
4431  /* close HTTP or SOCKS proxy */
4432  uninit_proxy(c);
4433 
4434  /* garbage collect */
4435  gc_free(&c->c2.gc);
4436  }
4437 }
4438 
4439 void
4440 inherit_context_child(struct context *dest,
4441  const struct context *src)
4442 {
4443  CLEAR(*dest);
4444 
4445  /* proto_is_dgram will ASSERT(0) if proto is invalid */
4446  dest->mode = proto_is_dgram(src->options.ce.proto) ? CM_CHILD_UDP : CM_CHILD_TCP;
4447 
4448  dest->gc = gc_new();
4449 
4450  ALLOC_OBJ_CLEAR_GC(dest->sig, struct signal_info, &dest->gc);
4451 
4452  /* c1 init */
4453  packet_id_persist_init(&dest->c1.pid_persist);
4454 
4455  dest->c1.ks.key_type = src->c1.ks.key_type;
4456  /* inherit SSL context */
4457  dest->c1.ks.ssl_ctx = src->c1.ks.ssl_ctx;
4458  dest->c1.ks.tls_wrap_key = src->c1.ks.tls_wrap_key;
4459  dest->c1.ks.tls_auth_key_type = src->c1.ks.tls_auth_key_type;
4460  dest->c1.ks.tls_crypt_v2_server_key = src->c1.ks.tls_crypt_v2_server_key;
4461  /* inherit pre-NCP ciphers */
4462  dest->c1.ciphername = src->c1.ciphername;
4463  dest->c1.authname = src->c1.authname;
4464  dest->c1.keysize = src->c1.keysize;
4465 
4466  /* options */
4467  dest->options = src->options;
4468  options_detach(&dest->options);
4469 
4470  if (dest->mode == CM_CHILD_TCP)
4471  {
4472  /*
4473  * The CM_TOP context does the socket listen(),
4474  * and the CM_CHILD_TCP context does the accept().
4475  */
4476  dest->c2.accept_from = src->c2.link_socket;
4477  }
4478 
4479 #ifdef ENABLE_PLUGIN
4480  /* inherit plugins */
4481  do_inherit_plugins(dest, src);
4482 #endif
4483 
4484  /* context init */
4485  init_instance(dest, src->c2.es, CC_NO_CLOSE | CC_USR1_TO_HUP);
4486  if (IS_SIG(dest))
4487  {
4488  return;
4489  }
4490 
4491  /* inherit tun/tap interface object */
4492  dest->c1.tuntap = src->c1.tuntap;
4493 
4494  /* UDP inherits some extra things which TCP does not */
4495  if (dest->mode == CM_CHILD_UDP)
4496  {
4497  /* inherit buffers */
4498  dest->c2.buffers = src->c2.buffers;
4499 
4500  /* inherit parent link_socket and tuntap */
4501  dest->c2.link_socket = src->c2.link_socket;
4502 
4503  ALLOC_OBJ_GC(dest->c2.link_socket_info, struct link_socket_info, &dest->gc);
4504  *dest->c2.link_socket_info = src->c2.link_socket->info;
4505 
4506  /* locally override some link_socket_info fields */
4507  dest->c2.link_socket_info->lsa = &dest->c1.link_socket_addr;
4508  dest->c2.link_socket_info->connection_established = false;
4509  }
4510 }
4511 
4512 void
4513 inherit_context_top(struct context *dest,
4514  const struct context *src)
4515 {
4516  /* copy parent */
4517  *dest = *src;
4518 
4519  /*
4520  * CM_TOP_CLONE will prevent close_instance from freeing or closing
4521  * resources owned by the parent.
4522  *
4523  * Also note that CM_TOP_CLONE context objects are
4524  * closed by multi_top_free in multi.c.
4525  */
4526  dest->mode = CM_TOP_CLONE;
4527 
4528  dest->first_time = false;
4529  dest->c0 = NULL;
4530 
4531  options_detach(&dest->options);
4532  gc_detach(&dest->gc);
4533  gc_detach(&dest->c2.gc);
4534 
4535  /* detach plugins */
4536  dest->plugins_owned = false;
4537 
4538  dest->c2.tls_multi = NULL;
4539 
4540  /* detach c1 ownership */
4541  dest->c1.tuntap_owned = false;
4542  dest->c1.status_output_owned = false;
4543 #if P2MP_SERVER
4544  dest->c1.ifconfig_pool_persist_owned = false;
4545 #endif
4546 
4547  /* detach c2 ownership */
4548  dest->c2.event_set_owned = false;
4549  dest->c2.link_socket_owned = false;
4550  dest->c2.buffers_owned = false;
4551  dest->c2.es_owned = false;
4552 
4553  dest->c2.event_set = NULL;
4554  if (proto_is_dgram(src->options.ce.proto))
4555  {
4556  do_event_set_init(dest, false);
4557  }
4558 
4559 #ifdef USE_COMP
4560  dest->c2.comp_context = NULL;
4561 #endif
4562 }
4563 
4564 void
4565 close_context(struct context *c, int sig, unsigned int flags)
4566 {
4567  ASSERT(c);
4568  ASSERT(c->sig);
4569 
4570  if (sig >= 0)
4571  {
4572  c->sig->signal_received = sig;
4573  }
4574 
4575  if (c->sig->signal_received == SIGUSR1)
4576  {
4577  if ((flags & CC_USR1_TO_HUP)
4578  || (c->sig->source == SIG_SOURCE_HARD && (flags & CC_HARD_USR1_TO_HUP)))
4579  {
4580  c->sig->signal_received = SIGHUP;
4581  c->sig->signal_text = "close_context usr1 to hup";
4582  }
4583  }
4584 
4585  if (!(flags & CC_NO_CLOSE))
4586  {
4587  close_instance(c);
4588  }
4589 
4590  if (flags & CC_GC_FREE)
4591  {
4592  context_gc_free(c);
4593  }
4594 }
4595 
4596 /*
4597  * Do a loopback test
4598  * on the crypto subsystem.
4599  */
4600 static void *
4601 test_crypto_thread(void *arg)
4602 {
4603  struct context *c = (struct context *) arg;
4604  const struct options *options = &c->options;
4605 
4606  ASSERT(options->test_crypto);
4607  init_verb_mute(c, IVM_LEVEL_1);
4608  context_init_1(c);
4609  next_connection_entry(c);
4610  do_init_crypto_static(c, 0);
4611 
4612  frame_finalize_options(c, options);
4613 
4614  test_crypto(&c->c2.crypto_options, &c->c2.frame);
4615 
4616  key_schedule_free(&c->c1.ks, true);
4617  packet_id_free(&c->c2.crypto_options.packet_id);
4618 
4619  context_gc_free(c);
4620  return NULL;
4621 }
4622 
4623 bool
4624 do_test_crypto(const struct options *o)
4625 {
4626  if (o->test_crypto)
4627  {
4628  struct context c;
4629 
4630  /* print version number */
4631  msg(M_INFO, "%s", title_string);
4632 
4633  context_clear(&c);
4634  c.options = *o;
4635  options_detach(&c.options);
4636  c.first_time = true;
4637  test_crypto_thread((void *) &c);
4638  return true;
4639  }
4640  return false;
4641 }
options::tuntap_options
struct tuntap_options tuntap_options
Definition: options.h:286
tls_options::tcp_mode
bool tcp_mode
Definition: ssl_common.h:302
context_2::es
struct env_set * es
Definition: openvpn.h:427
remote_host_store::port
char port[RH_PORT_LEN]
Definition: options.h:177
context_1::ciphername
const char * ciphername
Data channel cipher from config file.
Definition: openvpn.h:209
connection_entry::remote_float
bool remote_float
Definition: options.h:95
context_1::socks_proxy_owned
bool socks_proxy_owned
Definition: openvpn.h:189
warn_on_use_of_common_subnets
void warn_on_use_of_common_subnets(openvpn_net_ctx_t *ctx)
Definition: tun.c:456
init_crypto_pre
static void init_crypto_pre(struct context *c, const unsigned int flags)
Definition: init.c:2480
interval_init
void interval_init(struct interval *top, int horizon, int refresh)
Definition: interval.c:37
options::status_file
const char * status_file
Definition: options.h:321
management_close
void management_close(struct management *man)
Definition: manage.c:2636
options::ifconfig_pool_persist_refresh_freq
int ifconfig_pool_persist_refresh_freq
Definition: options.h:419
tls_options::key_type
struct key_type key_type
Definition: ssl_common.h:247
ifconfig_pool_persist_init
struct ifconfig_pool_persist * ifconfig_pool_persist_init(const char *filename, int refresh_freq)
Definition: pool.c:426
options::persist_remote_ip
bool persist_remote_ip
Definition: options.h:275
options::sndbuf
int sndbuf
Definition: options.h:334
frame_add_to_extra_buffer
static void frame_add_to_extra_buffer(struct frame *frame, const int increment)
Definition: mtu.h:298
platform_group_set
void platform_group_set(const struct platform_state_group *state)
Definition: platform.c:130
options::routes_ipv6
struct route_ipv6_option_list * routes_ipv6
Definition: options.h:353
context_2::log_rw
bool log_rw
Definition: openvpn.h:387
frame_subtract_extra
void frame_subtract_extra(struct frame *frame, const struct frame *src)
Definition: mtu.c:123
route_did_redirect_default_gateway
static int route_did_redirect_default_gateway(const struct route_list *rl)
Definition: route.h:399
set_std_files_to_null
void set_std_files_to_null(bool stdin_only)
Definition: misc.c:58
CO_PACKET_ID_LONG_FORM
#define CO_PACKET_ID_LONG_FORM
Bit-flag indicating whether to use OpenVPN&#39;s long packet ID format.
Definition: crypto.h:245
http_proxy_new
struct http_proxy_info * http_proxy_new(const struct http_proxy_options *o)
Definition: proxy.c:496
strncpynt
static void strncpynt(char *dest, const char *src, size_t maxlen)
Definition: buffer.h:348
connection_entry::socks_proxy_port
const char * socks_proxy_port
Definition: options.h:104
TM_ACTIVE
#define TM_ACTIVE
Active tls_session.
Definition: ssl_common.h:466
context_2::frame_fragment_omit
struct frame frame_fragment_omit
Definition: openvpn.h:268
tls_options::tmp_dir
const char * tmp_dir
Definition: ssl_common.h:320
env_set_create
struct env_set * env_set_create(struct gc_arena *gc)
Definition: env_set.c:158
context_2::route_wakeup
struct event_timeout route_wakeup
Definition: openvpn.h:390
connection_entry::tun_mtu_defined
bool tun_mtu_defined
Definition: options.h:108
uninit_proxy_dowork
static void uninit_proxy_dowork(struct context *c)
Definition: init.c:557
OPT_P_DEFAULT
#define OPT_P_DEFAULT
Definition: options.h:670
platform_group_get
bool platform_group_get(const char *groupname, struct platform_state_group *state)
Definition: platform.c:108
dev_type_enum
int dev_type_enum(const char *dev, const char *dev_type)
Definition: tun.c:240
tuntap
Definition: tun.h:132
options::ncp_enabled
bool ncp_enabled
Definition: options.h:489
options::management_flags
unsigned int management_flags
Definition: options.h:378
do_close_tun
static void do_close_tun(struct context *c, bool force)
Definition: init.c:1923
crypto_options::packet_id
struct packet_id packet_id
Current packet ID state for both sending and receiving directions.
Definition: crypto.h:238
free_key_ctx
void free_key_ctx(struct key_ctx *ctx)
Definition: crypto.c:894
do_init_crypto_static
static void do_init_crypto_static(struct context *c, const unsigned int flags)
Definition: init.c:2509
signal_description
const char * signal_description(const int signum, const char *sigtext)
Definition: sig.c:91
tls_session::key
struct key_state key[KS_SIZE]
Definition: ssl_common.h:446
context_buffers::read_tun_buf
struct buffer read_tun_buf
Definition: openvpn.h:111
tls_options::crl_file
const char * crl_file
Definition: ssl_common.h:284
P2MP_SERVER
#define P2MP_SERVER
Definition: syshead.h:524
M_NOPREFIX
#define M_NOPREFIX
Definition: error.h:102
options::block_outside_dns
bool block_outside_dns
Definition: options.h:616
key_type::hmac_length
uint8_t hmac_length
HMAC length, in bytes.
Definition: crypto.h:142
D_INIT_MEDIUM
#define D_INIT_MEDIUM
Definition: errlevel.h:105
context_2::ping_rec_interval
struct event_timeout ping_rec_interval
Definition: openvpn.h:299
crypto_max_overhead
unsigned int crypto_max_overhead(void)
Return the worst-case OpenVPN crypto overhead (in bytes)
Definition: crypto.c:732
tls_auth_standalone_finalize
void tls_auth_standalone_finalize(struct tls_auth_standalone *tas, const struct frame *frame)
Definition: ssl.c:1318
tls_options::tls_crypt_v2
bool tls_crypt_v2
Definition: ssl_common.h:308
context::options
struct options options
Options loaded from command line or configuration file.
Definition: openvpn.h:502
platform_nice
void platform_nice(int niceval)
Definition: platform.c:156
plugin_return_get_column
void plugin_return_get_column(const struct plugin_return *src, struct plugin_return *dest, const char *colname)
Definition: plugin.c:962
context_2::route_wakeup_expire
struct event_timeout route_wakeup_expire
Definition: openvpn.h:391
PAR_NCT
#define PAR_NCT
Definition: proxy.h:50
options::mute_replay_warnings
bool mute_replay_warnings
Definition: options.h:497
test_crypto
void test_crypto(struct crypto_options *co, struct frame *frame)
Definition: crypto.c:1090
BASE_N_EVENTS
#define BASE_N_EVENTS
Definition: init.h:33
tun_standby_init
void tun_standby_init(struct tuntap *tt)
Definition: tun.c:5296
options::show_curves
bool show_curves
Definition: options.h:208
free_buf
void free_buf(struct buffer *buf)
Definition: buffer.c:185
D_ROUTE
#define D_ROUTE
Definition: errlevel.h:80
options::exit_event_initial_state
bool exit_event_initial_state
Definition: options.h:613
options::cipher_list
const char * cipher_list
Definition: options.h:516
crypto_options::flags
unsigned int flags
Bit-flags determining behavior of security operation functions.
Definition: crypto.h:257
options::tls_server
bool tls_server
Definition: options.h:507
link_socket_new
struct link_socket * link_socket_new(void)
Definition: socket.c:1845
do_alloc_route_list
static void do_alloc_route_list(struct context *c)
Definition: init.c:1408
management_callback_remote_cmd
static bool management_callback_remote_cmd(void *arg, const char **p)
Definition: init.c:292
socks_proxy_close
void socks_proxy_close(struct socks_proxy_info *sp)
Definition: socks.c:91
string_alloc
char * string_alloc(const char *str, struct gc_arena *gc)
Definition: buffer.c:688
CE_MAN_QUERY_REMOTE_MOD
#define CE_MAN_QUERY_REMOTE_MOD
Definition: options.h:128
init_verb_mute
void init_verb_mute(struct context *c, unsigned int flags)
Definition: init.c:981
options_string
char * options_string(const struct options *o, const struct frame *frame, struct tuntap *tt, openvpn_net_ctx_t *ctx, bool remote, struct gc_arena *gc)
Definition: options.c:3548
link_socket_info::lsa
struct link_socket_addr * lsa
Definition: socket.h:114
argv_new
struct argv argv_new(void)
Definition: argv.c:52
options_hash_changed_or_zero
static bool options_hash_changed_or_zero(const struct sha256_digest *a, const struct sha256_digest *b)
Helper for do_up().
Definition: init.c:2076
init_proxy_dowork
static void init_proxy_dowork(struct context *c)
Definition: init.c:574
frame_or_align_flags
static void frame_or_align_flags(struct frame *frame, const unsigned int flag_mask)
Definition: mtu.h:316
prng_init
void prng_init(const char *md_name, const int nonce_secret_len_parm)
Pseudo-random number generator initialisation.
Definition: crypto.c:1712
crypto_options::pid_persist
struct packet_id_persist * pid_persist
Persistent packet ID state for keeping state between successive OpenVPN process startups.
Definition: crypto.h:240
SET_MTU_TUN
#define SET_MTU_TUN
Definition: mtu.h:220
context_1::dns_cache
struct cached_dns_entry * dns_cache
Definition: openvpn.h:162
context_2::did_open_tun
bool did_open_tun
Definition: openvpn.h:394
add_routes
void add_routes(struct route_list *rl, struct route_ipv6_list *rl6, const struct tuntap *tt, unsigned int flags, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition: route.c:1185
tls_options::auth_token_lifetime
unsigned int auth_token_lifetime
Definition: ssl_common.h:324
options::tls_cert_profile
const char * tls_cert_profile
Definition: options.h:518
options::management_log_history_cache
int management_log_history_cache
Definition: options.h:369
M_OPTERR
#define M_OPTERR
Definition: error.h:105
STATUS_OUTPUT_WRITE
#define STATUS_OUTPUT_WRITE
Definition: status.h:51
tls_options::tls_crypt_v2_verify_script
const char * tls_crypt_v2_verify_script
Definition: ssl_common.h:309
context_2::tmp_int
struct interval tmp_int
Definition: openvpn.h:351
streq
#define streq(x, y)
Definition: options.h:635
options::ifconfig_pool_persist_filename
const char * ifconfig_pool_persist_filename
Definition: options.h:418
options::chroot_dir
const char * chroot_dir
Definition: options.h:291
P2P_ERROR_DELAY_MS
#define P2P_ERROR_DELAY_MS
Definition: errlevel.h:41
string_clear
void string_clear(char *str)
Definition: buffer.c:731
do_inherit_plugins
static void do_inherit_plugins(struct context *c, const struct context *src)
Definition: init.c:3837
do_close_event_set
static void do_close_event_set(struct context *c)
Definition: init.c:3629
do_init_crypto_tls_c1
static void do_init_crypto_tls_c1(struct context *c)
Definition: init.c:2631
plugin_return_init
static void plugin_return_init(struct plugin_return *pr)
Definition: plugin.h:170
options::server_bridge_proxy_dhcp
bool server_bridge_proxy_dhcp
Definition: options.h:405
S_FATAL
#define S_FATAL
Definition: run_command.h:46
options::dev
const char * dev
Definition: options.h:230
WSO_FORCE_SERVICE
#define WSO_FORCE_SERVICE
Definition: win32.h:164
options::ping_rec_timeout_action
int ping_rec_timeout_action
Definition: options.h:271
tls_options::mode
int mode
Definition: ssl_common.h:269
do_up
bool do_up(struct context *c, bool pulled_options, unsigned int option_types_found)
Definition: init.c:2086
options::auth_token_generate
bool auth_token_generate
Definition: options.h:461
packet_id_persist_load_obj
void packet_id_persist_load_obj(const struct packet_id_persist *p, struct packet_id *pid)
Definition: packet_id.c:524
options::inetd
int inetd
Definition: options.h:308
D_IMPORT_ERRORS
#define D_IMPORT_ERRORS
Definition: errlevel.h:64
print_default_gateway
void print_default_gateway(const int msglevel, const struct route_gateway_info *rgi, const struct route_ipv6_gateway_info *rgi6)
Definition: route.c:1322
M_INFO
#define M_INFO
Definition: errlevel.h:55
notnull
void notnull(const char *arg, const char *description)
Definition: options.c:4180
tun_abort
void tun_abort(void)
Definition: init.c:2056
plugin_return
Definition: plugin.h:101
context
Contains all state information for one tunnel.
Definition: openvpn.h:500
CIPHER_ENABLED
#define CIPHER_ENABLED(c)
Definition: openvpn.h:571
frame
Packet geometry parameters.
Definition: mtu.h:93
do_env_set_destroy
static void do_env_set_destroy(struct context *c)
Definition: init.c:3716
do_init_tls_wrap_key
static void do_init_tls_wrap_key(struct context *c)
Definition: init.c:2568
PAR_ALL
#define PAR_ALL
Definition: proxy.h:49
cipher_kt_mode_ofb_cfb
bool cipher_kt_mode_ofb_cfb(const cipher_kt_t *cipher)
Check if the supplied cipher is a supported OFB or CFB mode cipher.
Definition: crypto_openssl.c:716
ROUTE_AFTER_TUN
#define ROUTE_AFTER_TUN
Definition: tun.h:323
context::es
struct env_set * es
Set of environment variables.
Definition: openvpn.h:523
D_PUSH
#define D_PUSH
Definition: errlevel.h:83
route_ipv6_gateway_info
Definition: route.h:178
M_USAGE
#define M_USAGE
Definition: error.h:111
crypto_read_openvpn_key
void crypto_read_openvpn_key(const struct key_type *key_type, struct key_ctx_bi *ctx, const char *key_file, const char *key_inline, const int key_direction, const char *key_name, const char *opt_name)
Definition: crypto.c:1178
srandom
#define srandom
Definition: syshead.h:44
proto_is_udp
bool proto_is_udp(int proto)
Definition: socket.c:3174
plugin_return::list
struct openvpn_plugin_string_list * list[MAX_PLUGINS]
Definition: plugin.h:104
remap_signal
void remap_signal(struct context *c)
Definition: sig.c:374
tls_crypt_init_key
void tls_crypt_init_key(struct key_ctx_bi *key, const char *key_file, const char *key_inline, bool tls_server)
Initialize a key_ctx_bi structure for use with –tls-crypt.
Definition: tls_crypt.c:81
gc_free
static void gc_free(struct gc_arena *a)
Definition: buffer.h:1023
link_socket_init_phase1
void link_socket_init_phase1(struct link_socket *sock, const char *local_host, const char *local_port, const char *remote_host, const char *remote_port, struct cached_dns_entry *dns_cache, int proto, sa_family_t af, bool bind_ipv6_only, int mode, const struct link_socket *accept_from, struct http_proxy_info *http_proxy, struct socks_proxy_info *socks_proxy, bool bind_local, bool remote_float, int inetd, struct link_socket_addr *lsa, const char *ipchange_command, const struct plugin_list *plugins, int resolve_retry_seconds, int mtu_discover_type, int rcvbuf, int sndbuf, int mark, struct event_timeout *server_poll_timeout, unsigned int sockflags)
Definition: socket.c:1856
tls_options::ssl_ctx
struct tls_root_ctx ssl_ctx
Definition: ssl_common.h:244
error_reset
void error_reset(void)
Definition: error.c:163
PAYLOAD_ALIGN
#define PAYLOAD_ALIGN
Definition: mtu.h:86
management_callback_proxy_cmd
static bool management_callback_proxy_cmd(void *arg, const char **p)
Definition: init.c:211
OPT_P_PLUGIN
#define OPT_P_PLUGIN
Definition: options.h:664
frame_add_to_extra_frame
static void frame_add_to_extra_frame(struct frame *frame, const unsigned int increment)
Definition: mtu.h:274
plugin_call
static int plugin_call(const struct plugin_list *pl, const int type, const struct argv *av, struct plugin_return *pr, struct env_set *es)
Definition: plugin.h:201
dmsg
#define dmsg
Definition: error.h:174
close_context
void close_context(struct context *c, int sig, unsigned int flags)
Definition: init.c:4565
script_security
int script_security(void)
Definition: run_command.c:45
do_init_socket_2
static void do_init_socket_2(struct context *c)
Definition: init.c:3361
platform_user_get
bool platform_user_get(const char *username, struct platform_state_user *state)
Definition: platform.c:69
SDL_CONSTRAIN
#define SDL_CONSTRAIN
Definition: error.h:203
tls_options::auth_user_pass_verify_script
const char * auth_user_pass_verify_script
Definition: ssl_common.h:318
options::shared_secret_file
const char * shared_secret_file
Definition: options.h:485
packet_id_persist_init
static void packet_id_persist_init(struct packet_id_persist *p)
Definition: openvpn.h:83
openvpn_sockaddr::addr
union openvpn_sockaddr::@8 addr
open_tun
void open_tun(const char *dev, const char *dev_type, const char *dev_node, struct tuntap *tt)
Definition: tun.c:5541
RH_PORT_LEN
#define RH_PORT_LEN
Definition: options.h:176
EVENT_METHOD_FAST
#define EVENT_METHOD_FAST
Definition: event.h:42
options::peer_id
uint32_t peer_id
Definition: options.h:620
D_TLS_ERRORS
#define D_TLS_ERRORS
Definition: errlevel.h:59
OPENVPN_PLUGIN_DOWN
#define OPENVPN_PLUGIN_DOWN
Definition: openvpn-plugin.h:121
init_management_callback_p2p
void init_management_callback_p2p(struct context *c)
Definition: init.c:3911
context_2::tls_auth_standalone
struct tls_auth_standalone * tls_auth_standalone
TLS state structure required for the initial authentication of a client&#39;s connection attempt...
Definition: openvpn.h:339
OPENVPN_PLUGIN_ROUTE_UP
#define OPENVPN_PLUGIN_ROUTE_UP
Definition: openvpn-plugin.h:122
buffer_list_new
struct buffer_list * buffer_list_new(const int max_size)
Allocate an empty buffer list of capacity max_size.
Definition: buffer.c:1201
IFCONFIG_BEFORE_TUN_OPEN
#define IFCONFIG_BEFORE_TUN_OPEN
Definition: tun.h:295
close_instance
void close_instance(struct context *c)
Definition: init.c:4360
connection_entry
Definition: options.h:86
options::renegotiate_seconds
int renegotiate_seconds
Definition: options.h:564
tls_options::client_config_dir_exclusive
const char * client_config_dir_exclusive
Definition: ssl_common.h:327
http_proxy_close
void http_proxy_close(struct http_proxy_info *hp)
Definition: proxy.c:557
frame_add_to_extra_link
static void frame_add_to_extra_link(struct frame *frame, const int increment)
Definition: mtu.h:292
tls_multi_free
void tls_multi_free(struct tls_multi *multi, bool clear)
Cleanup a tls_multi structure and free associated memory allocations.
Definition: ssl.c:1345
OPT_P_IPWIN32
#define OPT_P_IPWIN32
Definition: options.h:643
options::persist_key
bool persist_key
Definition: options.h:276
SIGUSR1
#define SIGUSR1
Definition: config-msvc.h:116
options::replay_window
int replay_window
Definition: options.h:498
options::persist_mode
int persist_mode
Definition: options.h:201
context_1::keysize
int keysize
Data channel keysize from config file.
Definition: openvpn.h:211
SET_MTU_UPPER_BOUND
#define SET_MTU_UPPER_BOUND
Definition: mtu.h:221
clear_remote_addrlist
static void clear_remote_addrlist(struct link_socket_addr *lsa, bool free)
Definition: init.c:412
tls_options::auth_user_pass_file
const char * auth_user_pass_file
Definition: ssl_common.h:321
do_signal_on_tls_errors
static void do_signal_on_tls_errors(struct context *c)
Definition: init.c:3764
context_2::buffers
struct context_buffers * buffers
Definition: openvpn.h:374
tls_options::verify_x509_type
int verify_x509_type
Definition: ssl_common.h:282
alloc_buf
struct buffer alloc_buf(size_t size)
Definition: buffer.c:64
connection_entry::connect_retry_seconds
int connect_retry_seconds
Definition: options.h:99
setenv_routes_ipv6
void setenv_routes_ipv6(struct env_set *es, const struct route_ipv6_list *rl6)
Definition: route.c:1469
buffer_list_free
void buffer_list_free(struct buffer_list *ol)
Frees a buffer list and all the buffers in it.
Definition: buffer.c:1211
context_2::wait_for_connect
struct event_timeout wait_for_connect
Definition: openvpn.h:297
options::rcvbuf
int rcvbuf
Definition: options.h:333
options::crl_file_inline
const char * crl_file_inline
Definition: options.h:529
D_LOG_RW
#define D_LOG_RW
Definition: errlevel.h:110
context_2::link_socket_info
struct link_socket_info * link_socket_info
Definition: openvpn.h:254
next_connection_entry
static void next_connection_entry(struct context *c)
Definition: init.c:426
tls_options::handshake_window
int handshake_window
Definition: ssl_common.h:273
options::connection_list
struct connection_list * connection_list
Definition: options.h:214
guess_tuntap_dev
const char * guess_tuntap_dev(const char *dev, const char *dev_type, const char *dev_node, struct gc_arena *gc)
Definition: tun.c:284
buffer_list_aggregate
void buffer_list_aggregate(struct buffer_list *bl, const size_t max)
Aggregates as many buffers as possible from bl in a new buffer of maximum length max_len ...
Definition: buffer.c:1342
link_socket_addr::actual
struct link_socket_actual actual
Definition: socket.h:109
LS_MODE_DEFAULT
#define LS_MODE_DEFAULT
Definition: socket.h:196
tls_wrap_ctx::opt
struct crypto_options opt
Crypto state.
Definition: ssl_common.h:227
RH_HOST_LEN
#define RH_HOST_LEN
Definition: options.h:174
options::exit_event_name
const char * exit_event_name
Definition: options.h:612
AR_NONE
#define AR_NONE
Definition: options.h:822
md_ctx_free
void md_ctx_free(md_ctx_t *ctx)
context_2::accept_from
const struct link_socket * accept_from
Definition: openvpn.h:255
options::route_noexec
bool route_noexec
Definition: options.h:348
options::sockflags
unsigned int sockflags
Definition: options.h:340
frame_finalize_options
static void frame_finalize_options(struct context *c, const struct options *o)
Definition: init.c:2436
tuntap::remote_netmask
in_addr_t remote_netmask
Definition: tun.h:154
connection_entry::tls_crypt_file
const char * tls_crypt_file
Definition: options.h:140
signal_info
Definition: sig.h:43
packet_id_persist_close
void packet_id_persist_close(struct packet_id_persist *p)
Definition: packet_id.c:419
do_close_tls
static void do_close_tls(struct context *c)
Definition: init.c:3483
ce_management_query_remote
static bool ce_management_query_remote(struct context *c)
Definition: init.c:339
add_route_ipv6_to_option_list
void add_route_ipv6_to_option_list(struct route_ipv6_option_list *l, const char *prefix, const char *gateway, const char *metric)
Definition: route.c:503
buf_printf
bool buf_printf(struct buffer *buf, const char *format,...)
Definition: buffer.c:245
ENABLE_PKCS11
#define ENABLE_PKCS11
Definition: config-msvc.h:18
options::route_script
const char * route_script
Definition: options.h:343
options::tls_crypt_v2_genkey_file
const char * tls_crypt_v2_genkey_file
Definition: options.h:593
options::management_state_buffer_size
int management_state_buffer_size
Definition: options.h:371
format_hex
static char * format_hex(const uint8_t *data, int size, int maxoutput, struct gc_arena *gc)
Definition: buffer.h:526
options::resolve_retry_seconds
int resolve_retry_seconds
Definition: options.h:282
D_GENKEY
#define D_GENKEY
Definition: errlevel.h:79
setenv_str
void setenv_str(struct env_set *es, const char *name, const char *value)
Definition: env_set.c:285
context_1::link_socket_addr
struct link_socket_addr link_socket_addr
Local and remote addresses on the external network.
Definition: openvpn.h:154
SIZE
#define SIZE(x)
Definition: basic.h:30
D_MTU_INFO
#define D_MTU_INFO
Definition: errlevel.h:106
D_READ_WRITE
#define D_READ_WRITE
Definition: errlevel.h:162
context_1::socks_proxy
struct socks_proxy_info * socks_proxy
Definition: openvpn.h:188
in_addr_t
#define in_addr_t
Definition: config-msvc.h:104
buf_read_u8
static int buf_read_u8(struct buffer *buf)
Definition: buffer.h:812
do_init_frame
static void do_init_frame(struct context *c)
Definition: init.c:2989
options::config
const char * config
Definition: options.h:187
options::route_delay
int route_delay
Definition: options.h:349
D_RESTART
#define D_RESTART
Definition: errlevel.h:82
context::sig
struct signal_info * sig
Internal error signaling object.
Definition: openvpn.h:527
MAX_PARMS
#define MAX_PARMS
Definition: options.h:51
http_proxy_options::port
const char * port
Definition: proxy.h:46
options::down_script
const char * down_script
Definition: options.h:298
connection_entry::local_port
const char * local_port
Definition: options.h:90
socks_adjust_frame_parameters
void socks_adjust_frame_parameters(struct frame *frame, int proto)
Definition: socks.c:53
options::route_predown_script
const char * route_predown_script
Definition: options.h:344
tls_options::gremlin
int gremlin
Definition: ssl_common.h:363
open_plugins
void open_plugins(struct context *c, const bool import_options, int init_point)
Definition: init.c:3789
tls_options::ekm_label
const char * ekm_label
Definition: ssl_common.h:366
post_init_signal_catch
void post_init_signal_catch(void)
Definition: sig.c:255
link_socket_update_flags
bool link_socket_update_flags(struct link_socket *ls, unsigned int sockflags)
Definition: socket.c:971
context_2::frame_initial
struct frame frame_initial
Definition: openvpn.h:262
options::down_pre
bool down_pre
Definition: options.h:300
options::keepalive_timeout
int keepalive_timeout
Definition: options.h:259
OPT_P_SOCKBUF
#define OPT_P_SOCKBUF
Definition: options.h:665
OPENVPN_PLUGIN_INIT_POST_DAEMON
#define OPENVPN_PLUGIN_INIT_POST_DAEMON
Definition: openvpn-plugin.h:802
openvpn_net_ctx_t
void * openvpn_net_ctx_t
Definition: networking.h:26
SIGTERM
#define SIGTERM
Definition: config-msvc.h:118
tls_options::auth_token_generate
bool auth_token_generate
Generate auth-tokens on successful user/pass auth, set via options->auth_token_generate.
Definition: ssl_common.h:322
do_init_traffic_shaper
static void do_init_traffic_shaper(struct context *c)
Definition: init.c:1390
TLS_MODE
#define TLS_MODE(c)
Definition: openvpn.h:563
init_query_passwords
void init_query_passwords(const struct context *c)
Query for private key and auth-user-pass username/passwords.
Definition: init.c:531
options::push_peer_info
bool push_peer_info
Definition: options.h:601
OPT_P_SETENV
#define OPT_P_SETENV
Definition: options.h:645
link_socket::info
struct link_socket_info info
Definition: socket.h:166
CE_MAN_QUERY_PROXY
#define CE_MAN_QUERY_PROXY
Definition: options.h:124
SIGHUP
#define SIGHUP
Definition: config-msvc.h:114
context_1::tuntap
struct tuntap * tuntap
Tun/tap virtual network interface.
Definition: openvpn.h:167
options::renegotiate_seconds_min
int renegotiate_seconds_min
Definition: options.h:565
management_hold
bool management_hold(struct management *man, int holdtime)
Definition: manage.c:3696
PING_RESTART
#define PING_RESTART
Definition: options.h:270
do_init_finalize_tls_frame
static void do_init_finalize_tls_frame(struct context *c)
Definition: init.c:2939
options::handshake_window
int handshake_window
Definition: options.h:569
ASSERT
#define ASSERT(x)
Definition: error.h:221
route_ipv6_list
Definition: route.h:214
do_close_plugins
static void do_close_plugins(struct context *c)
Definition: init.c:3826
D_SHOW_NET
#define D_SHOW_NET
Definition: errlevel.h:129
tls_options
Definition: ssl_common.h:241
ifconfig_order
static int ifconfig_order(void)
Definition: tun.h:301
context_2::gc
struct gc_arena gc
Garbage collection arena for allocations done in the level 2 scope of this context_2 structure...
Definition: openvpn.h:226
basename
char * basename(char *filename)
Definition: compat-basename.c:39
check_debug_level
static bool check_debug_level(unsigned int level)
Definition: error.h:245
tls_options::crypto_flags
unsigned int crypto_flags
Definition: ssl_common.h:298
connection_entry::tls_auth_file_inline
const char * tls_auth_file_inline
Definition: options.h:136
key_schedule::tls_wrap_key
struct key_ctx_bi tls_wrap_key
Definition: openvpn.h:68
connection_list::current
int current
Definition: options.h:162
OPENVPN_PLUGIN_FUNC_SUCCESS
#define OPENVPN_PLUGIN_FUNC_SUCCESS
Definition: openvpn-plugin.h:149
options::rh_store
struct remote_host_store * rh_store
Definition: options.h:226
tls_multi::session
struct tls_session session[TM_SIZE]
Array of tls_session objects representing control channel sessions with the remote peer...
Definition: ssl_common.h:579
connection_entry::explicit_exit_notification
int explicit_exit_notification
Definition: options.h:121
platform_user_set
void platform_user_set(const struct platform_state_user *state)
Definition: platform.c:91
options::status_file_update_freq
int status_file_update_freq
Definition: options.h:323
options::verify_x509_type
int verify_x509_type
Definition: options.h:521
options::unsuccessful_attempts
unsigned int unsuccessful_attempts
Definition: options.h:220
close_management
void close_management(void)
Definition: init.c:3994
context_1::tuntap_owned
bool tuntap_owned
Whether the tun/tap interface should be cleaned up when this context is cleaned up.
Definition: openvpn.h:168
tls_options::config_ciphername
const char * config_ciphername
Definition: ssl_common.h:304
options::prng_hash
const char * prng_hash
Definition: options.h:493
options::ping_rec_timeout
int ping_rec_timeout
Definition: options.h:265
management_callback::status
void(* status)(void *arg, const int version, struct status_output *so)
Definition: manage.h:161
D_LOW
#define D_LOW
Definition: errlevel.h:97
options::ifconfig_noexec
bool ifconfig_noexec
Definition: options.h:240
options::fast_io
bool fast_io
Definition: options.h:326
options::key_direction
int key_direction
Definition: options.h:487
tls_options::renegotiate_bytes
int renegotiate_bytes
Definition: ssl_common.h:275
status_printf
void status_printf(struct status_output *so, const char *format,...)
Definition: status.c:239
update_options_ce_post
static void update_options_ce_post(struct options *options)
Definition: init.c:190
do_ifconfig
void do_ifconfig(struct tuntap *tt, const char *ifname, int tun_mtu, const struct env_set *es, openvpn_net_ctx_t *ctx)
do_ifconfig - configure the tunnel interface
Definition: tun.c:1410
ssl_verify.h
tuntap::options
struct tuntap_options options
Definition: tun.h:145
connection_entry::link_mtu_defined
bool link_mtu_defined
Definition: options.h:112
static_context
static struct context * static_context
Definition: init.c:58
user_pass::username
char username[USER_PASS_LEN]
Definition: misc.h:74
connection_entry::tls_crypt_v2_inline
const char * tls_crypt_v2_inline
Definition: options.h:146
init_static
bool init_static(void)
Definition: init.c:725
platform_mlockall
void platform_mlockall(bool print_msg)
Definition: platform.c:193
OCC_MTU_LOAD_INTERVAL_SECONDS
#define OCC_MTU_LOAD_INTERVAL_SECONDS
Definition: occ.h:64
packet_id_free
void packet_id_free(struct packet_id *p)
Definition: packet_id.c:101
CE_MAN_QUERY_REMOTE_SKIP
#define CE_MAN_QUERY_REMOTE_SKIP
Definition: options.h:129
socks_proxy_new
struct socks_proxy_info * socks_proxy_new(const char *server, const char *port, const char *authfile)
Definition: socks.c:62
MODE_SERVER
#define MODE_SERVER
Definition: options.h:191
tls_multi::use_peer_id
bool use_peer_id
Definition: ssl_common.h:565
context_2::ping_send_interval
struct event_timeout ping_send_interval
Definition: openvpn.h:298
options::route_delay_defined
bool route_delay_defined
Definition: options.h:351
argv_msg
void argv_msg(const int msglev, const struct argv *a)
Definition: argv.c:206
tls_crypt.h
CM_CHILD_UDP
#define CM_CHILD_UDP
Definition: openvpn.h:512
key_ctx_bi::initialized
bool initialized
Definition: crypto.h:225
options::tls_exit
bool tls_exit
Definition: options.h:603
MF_SERVER
#define MF_SERVER
Definition: manage.h:332
link_socket_actual
Definition: socket.h:85
print_openssl_info
bool print_openssl_info(const struct options *options)
Definition: init.c:1014
restore_signal_state
void restore_signal_state(void)
Definition: sig.c:272
check_replay_consistency
void check_replay_consistency(const struct key_type *kt, bool packet_id)
Definition: crypto.c:1007
ALLOC_OBJ_GC
#define ALLOC_OBJ_GC(dptr, type, gc)
Definition: buffer.h:1082
init_tun_post
void init_tun_post(struct tuntap *tt, const struct frame *frame, const struct tuntap_options *options)
Definition: tun.c:787
connection_entry::key_direction
int key_direction
Definition: options.h:137
PULL_DEFINED
#define PULL_DEFINED(opt)
Definition: options.h:673
tls_options::x509_username_field
char * x509_username_field
Definition: ssl_common.h:291
options::route_nopull
bool route_nopull
Definition: options.h:355
init_http_proxy_options_once
struct http_proxy_options * init_http_proxy_options_once(struct http_proxy_options **hpo, struct gc_arena *gc)
Definition: proxy.c:48
openvpn_sockaddr::in6
struct sockaddr_in6 in6
Definition: socket.h:70
flags
list flags
Definition: .ycm_extra_conf.py:4
TOP_P2P
#define TOP_P2P
Definition: proto.h:44
do_close_fragment
static void do_close_fragment(struct context *c)
Definition: init.c:3595
http_proxy_options::auth_retry
int auth_retry
Definition: proxy.h:51
do_uid_gid_chroot
static void do_uid_gid_chroot(struct context *c, bool no_delay)
Definition: init.c:1184
close_tun
void close_tun(struct tuntap *tt, openvpn_net_ctx_t *ctx)
Definition: tun.c:6085
CF_INIT_TLS_AUTH_STANDALONE
#define CF_INIT_TLS_AUTH_STANDALONE
Definition: init.c:65
event_set_init
struct event_set * event_set_init(int *maxevents, unsigned int flags)
Definition: event.c:1180
options::tls_export_cert
const char * tls_export_cert
Definition: options.h:523
options::route_default_gateway
const char * route_default_gateway
Definition: options.h:345
ifconfig_pool_persist_close
void ifconfig_pool_persist_close(struct ifconfig_pool_persist *persist)
Definition: pool.c:447
status_open
struct status_output * status_open(const char *filename, const int refresh_freq, const int msglevel, const struct virtual_output *vout, const unsigned int flags)
Definition: status.c:63
init_instance_handle_signals
void init_instance_handle_signals(struct context *c, const struct env_set *env, const unsigned int flags)
Definition: init.c:4022
options::remap_sigusr1
int remap_sigusr1
Definition: options.h:305
VERIFY_X509_NONE
#define VERIFY_X509_NONE
Definition: ssl_verify.h:63
extract_x509_field_test
void extract_x509_field_test(void)
context_0::uid_gid_chroot_set
bool uid_gid_chroot_set
Definition: openvpn.h:137
key_ctx_bi_defined
static bool key_ctx_bi_defined(const struct key_ctx_bi *key)
Definition: crypto.h:538
options::remote_random
bool remote_random
Definition: options.h:228
frame_add_to_link_mtu
static void frame_add_to_link_mtu(struct frame *frame, const int increment)
Definition: mtu.h:268
status_close
bool status_close(struct status_output *so)
Definition: status.c:203
LS_MODE_TCP_ACCEPT_FROM
#define LS_MODE_TCP_ACCEPT_FROM
Definition: socket.h:198
context::c1
struct context_1 c1
Level 1 context.
Definition: openvpn.h:540
pre_init_signal_catch
void pre_init_signal_catch(void)
Definition: sig.c:239
WSO_FORCE_CONSOLE
#define WSO_FORCE_CONSOLE
Definition: win32.h:165
init_options_dev
void init_options_dev(struct options *options)
Definition: init.c:1004
context::persist
struct context_persist persist
Persistent context.
Definition: openvpn.h:537
prng_uninit
void prng_uninit(void)
Definition: crypto.c:1731
tls_auth_standalone_init
struct tls_auth_standalone * tls_auth_standalone_init(struct tls_options *tls_options, struct gc_arena *gc)
Definition: ssl.c:1295
options::auth_user_pass_verify_script_via_file
bool auth_user_pass_verify_script_via_file
Definition: options.h:460
WSO_MODE_CONSOLE
#define WSO_MODE_CONSOLE
Definition: win32.h:150
options::tls_verify
const char * tls_verify
Definition: options.h:520
setenv_routes
void setenv_routes(struct env_set *es, const struct route_list *rl)
Definition: route.c:1438
context_buffers::decrypt_buf
struct buffer decrypt_buf
Definition: openvpn.h:98
context_2::inactivity_interval
struct event_timeout inactivity_interval
Definition: openvpn.h:302
context::net_ctx
openvpn_net_ctx_t net_ctx
Networking API opaque context.
Definition: openvpn.h:525
tls_options::ekm_size
size_t ekm_size
Definition: ssl_common.h:368
open_management
bool open_management(struct context *c)
Definition: init.c:3943
CLEAR
#define CLEAR(x)
Definition: basic.h:33
packet_id_init
void packet_id_init(struct packet_id *p, int seq_backtrack, int time_backtrack, const char *name, int unit)
Definition: packet_id.c:78
BUF_SIZE
#define BUF_SIZE(f)
Definition: mtu.h:194
X509_USERNAME_FIELD_DEFAULT
#define X509_USERNAME_FIELD_DEFAULT
Definition: ssl.h:110
init_ssl
void init_ssl(const struct options *options, struct tls_root_ctx *new_ctx)
Build master SSL context object that serves for the whole of OpenVPN instantiation.
Definition: ssl.c:600
inherit_context_child
void inherit_context_child(struct context *dest, const struct context *src)
Definition: init.c:4440
OPT_P_PULL_MODE
#define OPT_P_PULL_MODE
Definition: options.h:663
tls_crypt_v2_init_client_key
void tls_crypt_v2_init_client_key(struct key_ctx_bi *key, struct buffer *wkc_buf, const char *key_file, const char *key_inline)
Initialize a tls-crypt-v2 client key.
Definition: tls_crypt.c:297
save_ncp_options
static void save_ncp_options(struct context *c)
Definition: init.c:620
context_2::frame_fragment
struct frame frame_fragment
Definition: openvpn.h:267
management_callback_status_p2p
static void management_callback_status_p2p(void *arg, const int version, struct status_output *so)
Definition: init.c:3851
context_gc_free
void context_gc_free(struct context *c)
Definition: init.c:686
do_open_status_output
static void do_open_status_output(struct context *c)
Definition: init.c:3644
get_default_gateway_ipv6
void get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6, const struct in6_addr *dest)
Definition: route.c:2801
management_open
bool management_open(struct management *man, const char *addr, const char *port, const char *pass_file, const char *client_user, const char *client_group, const int log_history_cache, const int echo_buffer_size, const int state_buffer_size, const char *write_peer_info_file, const int remap_sigusr1, const unsigned int flags)
Definition: manage.c:2579
get_default_gateway
void get_default_gateway(struct route_gateway_info *rgi, openvpn_net_ctx_t *ctx)
Definition: route.c:2715
FRAME_HEADROOM_MARKER_FRAGMENT
#define FRAME_HEADROOM_MARKER_FRAGMENT
Definition: mtu.h:130
CE_MAN_QUERY_REMOTE_MASK
#define CE_MAN_QUERY_REMOTE_MASK
Definition: options.h:130
addr_defined
static bool addr_defined(const struct openvpn_sockaddr *addr)
Definition: socket.h:631
get_link_socket_info
static struct link_socket_info * get_link_socket_info(struct context *c)
Definition: forward.h:336
tls_options::packet_timeout
interval_t packet_timeout
Definition: ssl_common.h:274
do_close_ifconfig_pool_persist
static void do_close_ifconfig_pool_persist(struct context *c)
Definition: init.c:3688
do_close_check_if_restart_permitted
static void do_close_check_if_restart_permitted(struct context *c)
Definition: init.c:3452
tls_options::config_authname
const char * config_authname
Definition: ssl_common.h:305