OpenVPN
init.c
Go to the documentation of this file.
1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single TCP/UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
9  *
10  * This program is free software; you can redistribute it and/or modify
11  * it under the terms of the GNU General Public License version 2
12  * as published by the Free Software Foundation.
13  *
14  * This program is distributed in the hope that it will be useful,
15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17  * GNU General Public License for more details.
18  *
19  * You should have received a copy of the GNU General Public License along
20  * with this program; if not, write to the Free Software Foundation, Inc.,
21  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22  */
23 
24 #ifdef HAVE_CONFIG_H
25 #include "config.h"
26 #elif defined(_MSC_VER)
27 #include "config-msvc.h"
28 #endif
29 
30 #include "syshead.h"
31 
32 #ifdef ENABLE_SYSTEMD
33 #include <systemd/sd-daemon.h>
34 #endif
35 
36 #include "win32.h"
37 #include "init.h"
38 #include "run_command.h"
39 #include "sig.h"
40 #include "occ.h"
41 #include "list.h"
42 #include "otime.h"
43 #include "pool.h"
44 #include "gremlin.h"
45 #include "occ.h"
46 #include "pkcs11.h"
47 #include "ps.h"
48 #include "lladdr.h"
49 #include "ping.h"
50 #include "mstats.h"
51 #include "ssl_verify.h"
52 #include "tls_crypt.h"
53 #include "forward.h"
54 
55 #include "memdbg.h"
56 
57 
58 static struct context *static_context; /* GLOBAL */
59 
60 /*
61  * Crypto initialization flags
62  */
63 #define CF_LOAD_PERSISTED_PACKET_ID (1<<0)
64 #define CF_INIT_TLS_MULTI (1<<1)
65 #define CF_INIT_TLS_AUTH_STANDALONE (1<<2)
66 
67 static void do_init_first_time(struct context *c);
68 
69 void
70 context_clear(struct context *c)
71 {
72  CLEAR(*c);
73 }
74 
75 void
76 context_clear_1(struct context *c)
77 {
78  CLEAR(c->c1);
79 }
80 
81 void
82 context_clear_2(struct context *c)
83 {
84  CLEAR(c->c2);
85 }
86 
87 void
88 context_clear_all_except_first_time(struct context *c)
89 {
90  const bool first_time_save = c->first_time;
91  const struct context_persist cpsave = c->persist;
92  context_clear(c);
93  c->first_time = first_time_save;
94  c->persist = cpsave;
95 }
96 
97 /*
98  * Pass tunnel endpoint and MTU parms to a user-supplied script.
99  * Used to execute the up/down script/plugins.
100  */
101 static void
102 run_up_down(const char *command,
103  const struct plugin_list *plugins,
104  int plugin_type,
105  const char *arg,
106 #ifdef _WIN32
107  DWORD adapter_index,
108 #endif
109  const char *dev_type,
110  int tun_mtu,
111  int link_mtu,
112  const char *ifconfig_local,
113  const char *ifconfig_remote,
114  const char *context,
115  const char *signal_text,
116  const char *script_type,
117  struct env_set *es)
118 {
119  struct gc_arena gc = gc_new();
120 
121  if (signal_text)
122  {
123  setenv_str(es, "signal", signal_text);
124  }
125  setenv_str(es, "script_context", context);
126  setenv_int(es, "tun_mtu", tun_mtu);
127  setenv_int(es, "link_mtu", link_mtu);
128  setenv_str(es, "dev", arg);
129  if (dev_type)
130  {
131  setenv_str(es, "dev_type", dev_type);
132  }
133 #ifdef _WIN32
134  setenv_int(es, "dev_idx", adapter_index);
135 #endif
136 
137  if (!ifconfig_local)
138  {
139  ifconfig_local = "";
140  }
141  if (!ifconfig_remote)
142  {
143  ifconfig_remote = "";
144  }
145  if (!context)
146  {
147  context = "";
148  }
149 
150  if (plugin_defined(plugins, plugin_type))
151  {
152  struct argv argv = argv_new();
153  ASSERT(arg);
154  argv_printf(&argv,
155  "%s %d %d %s %s %s",
156  arg,
157  tun_mtu, link_mtu,
158  ifconfig_local, ifconfig_remote,
159  context);
160 
161  if (plugin_call(plugins, plugin_type, &argv, NULL, es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
162  {
163  msg(M_FATAL, "ERROR: up/down plugin call failed");
164  }
165 
166  argv_reset(&argv);
167  }
168 
169  if (command)
170  {
171  struct argv argv = argv_new();
172  ASSERT(arg);
173  setenv_str(es, "script_type", script_type);
174  argv_parse_cmd(&argv, command);
175  argv_printf_cat(&argv, "%s %d %d %s %s %s", arg, tun_mtu, link_mtu,
176  ifconfig_local, ifconfig_remote, context);
177  argv_msg(M_INFO, &argv);
178  openvpn_run_script(&argv, es, S_FATAL, "--up/--down");
179  argv_reset(&argv);
180  }
181 
182  gc_free(&gc);
183 }
184 
185 /*
186  * Should be called after options->ce is modified at the top
187  * of a SIGUSR1 restart.
188  */
189 static void
190 update_options_ce_post(struct options *options)
191 {
192 #if P2MP
193  /*
194  * In pull mode, we usually import --ping/--ping-restart parameters from
195  * the server. However we should also set an initial default --ping-restart
196  * for the period of time before we pull the --ping-restart parameter
197  * from the server.
198  */
199  if (options->pull
200  && options->ping_rec_timeout_action == PING_UNDEF
201  && proto_is_dgram(options->ce.proto))
202  {
203  options->ping_rec_timeout = PRE_PULL_INITIAL_PING_RESTART;
204  options->ping_rec_timeout_action = PING_RESTART;
205  }
206 #endif
207 }
208 
209 #ifdef ENABLE_MANAGEMENT
210 static bool
211 management_callback_proxy_cmd(void *arg, const char **p)
212 {
213  struct context *c = arg;
214  struct connection_entry *ce = &c->options.ce;
215  struct gc_arena *gc = &c->c2.gc;
216  bool ret = false;
217 
218  update_time();
219  if (streq(p[1], "NONE"))
220  {
221  ret = true;
222  }
223  else if (p[2] && p[3])
224  {
225  if (streq(p[1], "HTTP"))
226  {
227  struct http_proxy_options *ho;
228  if (ce->proto != PROTO_TCP && ce->proto != PROTO_TCP_CLIENT)
229  {
230  msg(M_WARN, "HTTP proxy support only works for TCP based connections");
231  return false;
232  }
233  ho = init_http_proxy_options_once(&ce->http_proxy_options, gc);
234  ho->server = string_alloc(p[2], gc);
235  ho->port = string_alloc(p[3], gc);
236  ho->auth_retry = (p[4] && streq(p[4], "nct") ? PAR_NCT : PAR_ALL);
237  ret = true;
238  }
239  else if (streq(p[1], "SOCKS"))
240  {
241  ce->socks_proxy_server = string_alloc(p[2], gc);
242  ce->socks_proxy_port = string_alloc(p[3], gc);
243  ret = true;
244  }
245  }
246  else
247  {
248  msg(M_WARN, "Bad proxy command");
249  }
250 
251  ce->flags &= ~CE_MAN_QUERY_PROXY;
252 
253  return ret;
254 }
255 
256 static bool
257 ce_management_query_proxy(struct context *c)
258 {
259  const struct connection_list *l = c->options.connection_list;
260  struct connection_entry *ce = &c->options.ce;
261  struct gc_arena gc;
262  bool ret = true;
263 
264  update_time();
265  if (management)
266  {
267  gc = gc_new();
268  {
269  struct buffer out = alloc_buf_gc(256, &gc);
270  buf_printf(&out, ">PROXY:%u,%s,%s", (l ? l->current : 0) + 1,
271  (proto_is_udp(ce->proto) ? "UDP" : "TCP"), np(ce->remote));
272  management_notify_generic(management, BSTR(&out));
273  }
274  ce->flags |= CE_MAN_QUERY_PROXY;
275  while (ce->flags & CE_MAN_QUERY_PROXY)
276  {
277  management_event_loop_n_seconds(management, 1);
278  if (IS_SIG(c))
279  {
280  ret = false;
281  break;
282  }
283  }
284  gc_free(&gc);
285  }
286 
287  return ret;
288 }
289 
290 
291 static bool
292 management_callback_remote_cmd(void *arg, const char **p)
293 {
294  struct context *c = (struct context *) arg;
295  struct connection_entry *ce = &c->options.ce;
296  int ret = false;
297  if (p[1] && ((ce->flags>>CE_MAN_QUERY_REMOTE_SHIFT)&CE_MAN_QUERY_REMOTE_MASK) == CE_MAN_QUERY_REMOTE_QUERY)
298  {
299  int flags = 0;
300  if (!strcmp(p[1], "ACCEPT"))
301  {
302  flags = CE_MAN_QUERY_REMOTE_ACCEPT;
303  ret = true;
304  }
305  else if (!strcmp(p[1], "SKIP"))
306  {
307  flags = CE_MAN_QUERY_REMOTE_SKIP;
308  ret = true;
309  }
310  else if (!strcmp(p[1], "MOD") && p[2] && p[3])
311  {
312  if (strlen(p[2]) < RH_HOST_LEN && strlen(p[3]) < RH_PORT_LEN)
313  {
314  struct remote_host_store *rhs = c->options.rh_store;
315  if (!rhs)
316  {
317  ALLOC_OBJ_CLEAR_GC(rhs, struct remote_host_store, &c->options.gc);
318  c->options.rh_store = rhs;
319  }
320  strncpynt(rhs->host, p[2], RH_HOST_LEN);
321  strncpynt(rhs->port, p[3], RH_PORT_LEN);
322 
323  ce->remote = rhs->host;
324  ce->remote_port = rhs->port;
325  flags = CE_MAN_QUERY_REMOTE_MOD;
326  ret = true;
327  }
328  }
329  if (ret)
330  {
331  ce->flags &= ~(CE_MAN_QUERY_REMOTE_MASK<<CE_MAN_QUERY_REMOTE_SHIFT);
332  ce->flags |= ((flags&CE_MAN_QUERY_REMOTE_MASK)<<CE_MAN_QUERY_REMOTE_SHIFT);
333  }
334  }
335  return ret;
336 }
337 
338 static bool
339 ce_management_query_remote(struct context *c)
340 {
341  struct gc_arena gc = gc_new();
342  volatile struct connection_entry *ce = &c->options.ce;
343  int ce_changed = true; /* presume the connection entry will be changed */
344 
345  update_time();
346  if (management)
347  {
348  struct buffer out = alloc_buf_gc(256, &gc);
349 
350  buf_printf(&out, ">REMOTE:%s,%s,%s", np(ce->remote), ce->remote_port,
351  proto2ascii(ce->proto, ce->af, false));
352  management_notify_generic(management, BSTR(&out));
353 
354  ce->flags &= ~(CE_MAN_QUERY_REMOTE_MASK << CE_MAN_QUERY_REMOTE_SHIFT);
355  ce->flags |= (CE_MAN_QUERY_REMOTE_QUERY << CE_MAN_QUERY_REMOTE_SHIFT);
356  while (((ce->flags >> CE_MAN_QUERY_REMOTE_SHIFT)
357  & CE_MAN_QUERY_REMOTE_MASK) == CE_MAN_QUERY_REMOTE_QUERY)
358  {
359  management_event_loop_n_seconds(management, 1);
360  if (IS_SIG(c))
361  {
362  ce_changed = false; /* connection entry have not been set */
363  break;
364  }
365  }
366  }
367  gc_free(&gc);
368 
369  if (ce_changed)
370  {
371  /* If it is likely a connection entry was modified,
372  * check what changed in the flags and that it was not skipped
373  */
374  const int flags = ((ce->flags >> CE_MAN_QUERY_REMOTE_SHIFT)
375  & CE_MAN_QUERY_REMOTE_MASK);
376  ce_changed = (flags != CE_MAN_QUERY_REMOTE_SKIP);
377  }
378  return ce_changed;
379 }
380 #endif /* ENABLE_MANAGEMENT */
381 
382 /*
383  * Initialize and possibly randomize connection list.
384  */
385 static void
386 init_connection_list(struct context *c)
387 {
388  struct connection_list *l = c->options.connection_list;
389 
390  l->current = -1;
391  if (c->options.remote_random)
392  {
393  int i;
394  for (i = 0; i < l->len; ++i)
395  {
396  const int j = get_random() % l->len;
397  if (i != j)
398  {
399  struct connection_entry *tmp;
400  tmp = l->array[i];
401  l->array[i] = l->array[j];
402  l->array[j] = tmp;
403  }
404  }
405  }
406 }
407 
408 /*
409  * Clear the remote address list
410  */
411 static void
412 clear_remote_addrlist(struct link_socket_addr *lsa, bool free)
413 {
414  if (lsa->remote_list && free)
415  {
416  freeaddrinfo(lsa->remote_list);
417  }
418  lsa->remote_list = NULL;
419  lsa->current_remote = NULL;
420 }
421 
422 /*
423  * Increment to next connection entry
424  */
425 static void
426 next_connection_entry(struct context *c)
427 {
428  struct connection_list *l = c->options.connection_list;
429  bool ce_defined;
430  struct connection_entry *ce;
431  int n_cycles = 0;
432 
433  do
434  {
435  ce_defined = true;
436  if (c->options.no_advance && l->current >= 0)
437  {
438  c->options.no_advance = false;
439  }
440  else
441  {
442  /* Check if there is another resolved address to try for
443  * the current connection */
444  if (c->c1.link_socket_addr.current_remote
445  && c->c1.link_socket_addr.current_remote->ai_next)
446  {
447  c->c1.link_socket_addr.current_remote =
448  c->c1.link_socket_addr.current_remote->ai_next;
449  }
450  else
451  {
452  /* FIXME (schwabe) fix the persist-remote-ip option for real,
453  * this is broken probably ever since connection lists and multiple
454  * remote existed
455  */
456  if (!c->options.persist_remote_ip)
457  {
458  /* close_instance should have cleared the addrinfo objects */
459  ASSERT(c->c1.link_socket_addr.current_remote == NULL);
460  ASSERT(c->c1.link_socket_addr.remote_list == NULL);
461  }
462  else
463  {
464  c->c1.link_socket_addr.current_remote =
465  c->c1.link_socket_addr.remote_list;
466  }
467 
468  /*
469  * Increase the number of connection attempts
470  * If this is connect-retry-max * size(l)
471  * OpenVPN will quit
472  */
473 
474  c->options.unsuccessful_attempts++;
475 
476  if (++l->current >= l->len)
477  {
478 
479  l->current = 0;
480  if (++n_cycles >= 2)
481  {
482  msg(M_FATAL, "No usable connection profiles are present");
483  }
484  }
485  }
486  }
487 
488  ce = l->array[l->current];
489 
490  if (ce->flags & CE_DISABLED)
491  {
492  ce_defined = false;
493  }
494 
495  c->options.ce = *ce;
496 #ifdef ENABLE_MANAGEMENT
497  if (ce_defined && management && management_query_remote_enabled(management))
498  {
499  /* allow management interface to override connection entry details */
500  ce_defined = ce_management_query_remote(c);
501  if (IS_SIG(c))
502  {
503  break;
504  }
505  }
506  else if (ce_defined && management && management_query_proxy_enabled(management))
507  {
508  ce_defined = ce_management_query_proxy(c);
509  if (IS_SIG(c))
510  {
511  break;
512  }
513  }
514 #endif
515  } while (!ce_defined);
516 
517  /* Check if this connection attempt would bring us over the limit */
518  if (c->options.connect_retry_max > 0
519  && c->options.unsuccessful_attempts > (l->len * c->options.connect_retry_max))
520  {
521  msg(M_FATAL, "All connections have been connect-retry-max (%d) times unsuccessful, exiting",
522  c->options.connect_retry_max);
523  }
524  update_options_ce_post(&c->options);
525 }
526 
527 /*
528  * Query for private key and auth-user-pass username/passwords
529  */
530 void
531 init_query_passwords(const struct context *c)
532 {
533  /* Certificate password input */
534  if (c->options.key_pass_file)
535  {
536  pem_password_setup(c->options.key_pass_file);
537  }
538 
539 #if P2MP
540  /* Auth user/pass input */
541  if (c->options.auth_user_pass_file)
542  {
543 #ifdef ENABLE_MANAGEMENT
544  auth_user_pass_setup(c->options.auth_user_pass_file, &c->options.sc_info);
545 #else
546  auth_user_pass_setup(c->options.auth_user_pass_file, NULL);
547 #endif
548  }
549 #endif
550 }
551 
552 /*
553  * Initialize/Uninitialize HTTP or SOCKS proxy
554  */
555 
556 static void
557 uninit_proxy_dowork(struct context *c)
558 {
559  if (c->c1.http_proxy_owned && c->c1.http_proxy)
560  {
561  http_proxy_close(c->c1.http_proxy);
562  c->c1.http_proxy = NULL;
563  c->c1.http_proxy_owned = false;
564  }
565  if (c->c1.socks_proxy_owned && c->c1.socks_proxy)
566  {
567  socks_proxy_close(c->c1.socks_proxy);
568  c->c1.socks_proxy = NULL;
569  c->c1.socks_proxy_owned = false;
570  }
571 }
572 
573 static void
574 init_proxy_dowork(struct context *c)
575 {
576  bool did_http = false;
577 
578  uninit_proxy_dowork(c);
579 
580  if (c->options.ce.http_proxy_options)
581  {
582  /* Possible HTTP proxy user/pass input */
583  c->c1.http_proxy = http_proxy_new(c->options.ce.http_proxy_options);
584  if (c->c1.http_proxy)
585  {
586  did_http = true;
587  c->c1.http_proxy_owned = true;
588  }
589  }
590 
591  if (!did_http && c->options.ce.socks_proxy_server)
592  {
593  c->c1.socks_proxy = socks_proxy_new(c->options.ce.socks_proxy_server,
594  c->options.ce.socks_proxy_port,
595  c->options.ce.socks_proxy_authfile);
596  if (c->c1.socks_proxy)
597  {
598  c->c1.socks_proxy_owned = true;
599  }
600  }
601 }
602 
603 static void
604 init_proxy(struct context *c)
605 {
606  init_proxy_dowork(c);
607 }
608 
609 static void
610 uninit_proxy(struct context *c)
611 {
612  uninit_proxy_dowork(c);
613 }
614 
615 /*
616  * Saves the initial state of NCP-regotiable
617  * options into a storage which persists over SIGUSR1.
618  */
619 static void
620 save_ncp_options(struct context *c)
621 {
622  c->c1.ciphername = c->options.ciphername;
623  c->c1.authname = c->options.authname;
624  c->c1.keysize = c->options.keysize;
625 }
626 
627 /* Restores NCP-negotiable options to original values */
628 static void
629 restore_ncp_options(struct context *c)
630 {
631  c->options.ciphername = c->c1.ciphername;
632  c->options.authname = c->c1.authname;
633  c->options.keysize = c->c1.keysize;
634 }
635 
636 void
637 context_init_1(struct context *c)
638 {
639  context_clear_1(c);
640 
641  packet_id_persist_init(&c->c1.pid_persist);
642 
643  init_connection_list(c);
644 
645  save_ncp_options(c);
646 
647 #if defined(ENABLE_PKCS11)
648  if (c->first_time)
649  {
650  int i;
651  pkcs11_initialize(true, c->options.pkcs11_pin_cache_period);
652  for (i = 0; i<MAX_PARMS && c->options.pkcs11_providers[i] != NULL; i++)
653  {
654  pkcs11_addProvider(c->options.pkcs11_providers[i], c->options.pkcs11_protected_authentication[i],
655  c->options.pkcs11_private_mode[i], c->options.pkcs11_cert_private[i]);
656  }
657  }
658 #endif
659 
660 #if 0 /* test get_user_pass with GET_USER_PASS_NEED_OK flag */
661  {
662  /*
663  * In the management interface, you can okay the request by entering "needok token-insertion-request ok"
664  */
665  struct user_pass up;
666  CLEAR(up);
667  strcpy(up.username, "Please insert your cryptographic token"); /* put the high-level message in up.username */
668  get_user_pass(&up, NULL, "token-insertion-request", GET_USER_PASS_MANAGEMENT|GET_USER_PASS_NEED_OK);
669  msg(M_INFO, "RET:%s", up.password); /* will return the third argument to management interface
670  * 'needok' command, usually 'ok' or 'cancel'. */
671  }
672 #endif
673 
674 #ifdef ENABLE_SYSTEMD
675  /* We can report the PID via getpid() to systemd here as OpenVPN will not
676  * do any fork due to daemon() a future call.
677  * See possibly_become_daemon() [init.c] for more details.
678  */
679  sd_notifyf(0, "READY=1\nSTATUS=Pre-connection initialization successful\nMAINPID=%lu",
680  (unsigned long) getpid());
681 #endif
682 
683 }
684 
685 void
686 context_gc_free(struct context *c)
687 {
688  gc_free(&c->c2.gc);
689  gc_free(&c->options.gc);
690  gc_free(&c->gc);
691 }
692 
693 #if PORT_SHARE
694 
695 static void
696 close_port_share(void)
697 {
698  if (port_share)
699  {
700  port_share_close(port_share);
701  port_share = NULL;
702  }
703 }
704 
705 static void
706 init_port_share(struct context *c)
707 {
708  if (!port_share && (c->options.port_share_host && c->options.port_share_port))
709  {
710  port_share = port_share_open(c->options.port_share_host,
711  c->options.port_share_port,
712  MAX_RW_SIZE_LINK(&c->c2.frame),
713  c->options.port_share_journal_dir);
714  if (port_share == NULL)
715  {
716  msg(M_FATAL, "Fatal error: Port sharing failed");
717  }
718  }
719 }
720 
721 #endif /* if PORT_SHARE */
722 
723 
724 bool
725 init_static(void)
726 {
727  /* configure_path (); */
728 
729 #if defined(DMALLOC)
730  crypto_init_dmalloc();
731 #endif
732 
733 
734  /*
735  * Initialize random number seed. random() is only used
736  * when "weak" random numbers are acceptable.
737  * SSL library routines are always used when cryptographically
738  * strong random numbers are required.
739  */
740  struct timeval tv;
741  if (!gettimeofday(&tv, NULL))
742  {
743  const unsigned int seed = (unsigned int) tv.tv_sec ^ tv.tv_usec;
744  srandom(seed);
745  }
746 
747  error_reset(); /* initialize error.c */
748  reset_check_status(); /* initialize status check code in socket.c */
749 
750 #ifdef _WIN32
751  init_win32();
752 #endif
753 
754 #ifdef OPENVPN_DEBUG_COMMAND_LINE
755  {
756  int i;
757  for (i = 0; i < argc; ++i)
758  {
759  msg(M_INFO, "argv[%d] = '%s'", i, argv[i]);
760  }
761  }
762 #endif
763 
764  update_time();
765 
766  init_ssl_lib();
767 
768  /* init PRNG used for IV generation */
769  /* When forking, copy this to more places in the code to avoid fork
770  * random-state predictability */
771  prng_init(NULL, 0);
772 
773 #ifdef PID_TEST
774  packet_id_interactive_test(); /* test the sequence number code */
775  return false;
776 #endif
777 
778 #ifdef SCHEDULE_TEST
779  schedule_test();
780  return false;
781 #endif
782 
783 #ifdef LIST_TEST
784  list_test();
785  return false;
786 #endif
787 
788 #ifdef IFCONFIG_POOL_TEST
789  ifconfig_pool_test(0x0A010004, 0x0A0100FF);
790  return false;
791 #endif
792 
793 #ifdef CHARACTER_CLASS_DEBUG
794  character_class_debug();
795  return false;
796 #endif
797 
798 #ifdef EXTRACT_X509_FIELD_TEST
799  extract_x509_field_test();
800  return false;
801 #endif
802 
803 #ifdef TIME_TEST
804  time_test();
805  return false;
806 #endif
807 
808 #ifdef TEST_GET_DEFAULT_GATEWAY
809  {
810  struct route_gateway_info rgi;
811  struct route_ipv6_gateway_info rgi6;
812  get_default_gateway(&rgi);
813  get_default_gateway_ipv6(&rgi6, NULL);
814  print_default_gateway(M_INFO, &rgi, &rgi6);
815  return false;
816  }
817 #endif
818 
819 #ifdef GEN_PATH_TEST
820  {
821  struct gc_arena gc = gc_new();
822  const char *fn = gen_path("foo",
823  "bar",
824  &gc);
825  printf("%s\n", fn);
826  gc_free(&gc);
827  }
828  return false;
829 #endif
830 
831 #ifdef STATUS_PRINTF_TEST
832  {
833  struct gc_arena gc = gc_new();
834  const char *tmp_file = platform_create_temp_file("/tmp", "foo", &gc);
835  struct status_output *so = status_open(tmp_file, 0, -1, NULL, STATUS_OUTPUT_WRITE);
836  status_printf(so, "%s", "foo");
837  status_printf(so, "%s", "bar");
838  if (!status_close(so))
839  {
840  msg(M_WARN, "STATUS_PRINTF_TEST: %s: write error", tmp_file);
841  }
842  gc_free(&gc);
843  }
844  return false;
845 #endif
846 
847 #ifdef ARGV_TEST
848  {
849  void argv_test(void);
850 
851  argv_test();
852  return false;
853  }
854 #endif
855 
856 #ifdef PRNG_TEST
857  {
858  struct gc_arena gc = gc_new();
859  uint8_t rndbuf[8];
860  int i;
861  prng_init("sha1", 16);
862  /*prng_init (NULL, 0);*/
863  const int factor = 1;
864  for (i = 0; i < factor * 8; ++i)
865  {
866 #if 1
867  prng_bytes(rndbuf, sizeof(rndbuf));
868 #else
869  ASSERT(rand_bytes(rndbuf, sizeof(rndbuf)));
870 #endif
871  printf("[%d] %s\n", i, format_hex(rndbuf, sizeof(rndbuf), 0, &gc));
872  }
873  gc_free(&gc);
874  prng_uninit();
875  return false;
876  }
877 #endif /* ifdef PRNG_TEST */
878 
879 #ifdef BUFFER_LIST_AGGREGATE_TEST
880  /* test buffer_list_aggregate function */
881  {
882  static const char *text[] = {
883  "It was a bright cold day in April, ",
884  "and the clocks were striking ",
885  "thirteen. ",
886  "Winston Smith, ",
887  "his chin nuzzled into his breast in an ",
888  "effort to escape the vile wind, ",
889  "slipped quickly through the glass doors ",
890  "of Victory Mansions, though not quickly ",
891  "enough to prevent a swirl of gritty dust from ",
892  "entering along with him."
893  };
894 
895  int iter, listcap;
896  for (listcap = 0; listcap < 12; ++listcap)
897  {
898  for (iter = 0; iter < 512; ++iter)
899  {
900  struct buffer_list *bl = buffer_list_new(listcap);
901  {
902  int i;
903  for (i = 0; i < SIZE(text); ++i)
904  {
905  buffer_list_push(bl, (unsigned char *)text[i]);
906  }
907  }
908  printf("[cap=%d i=%d] *************************\n", listcap, iter);
909  if (!(iter & 8))
910  {
911  buffer_list_aggregate(bl, iter/2);
912  }
913  if (!(iter & 16))
914  {
915  buffer_list_push(bl, (unsigned char *)"Even more text...");
916  }
917  buffer_list_aggregate(bl, iter);
918  if (!(iter & 1))
919  {
920  buffer_list_push(bl, (unsigned char *)"More text...");
921  }
922  {
923  struct buffer *buf;
924  while ((buf = buffer_list_peek(bl)))
925  {
926  int c;
927  printf("'");
928  while ((c = buf_read_u8(buf)) >= 0)
929  {
930  putchar(c);
931  }
932  printf("'\n");
933  buffer_list_advance(bl, 0);
934  }
935  }
936  buffer_list_free(bl);
937  }
938  }
939  return false;
940  }
941 #endif /* ifdef BUFFER_LIST_AGGREGATE_TEST */
942 
943 #ifdef MSTATS_TEST
944  {
945  int i;
946  mstats_open("/dev/shm/mstats.dat");
947  for (i = 0; i < 30; ++i)
948  {
949  mmap_stats->n_clients += 1;
950  mmap_stats->link_write_bytes += 8;
951  mmap_stats->link_read_bytes += 16;
952  sleep(1);
953  }
954  mstats_close();
955  return false;
956  }
957 #endif
958 
959  return true;
960 }
961 
962 void
963 uninit_static(void)
964 {
965  free_ssl_lib();
966 
967 #ifdef ENABLE_PKCS11
968  pkcs11_terminate();
969 #endif
970 
971 #if PORT_SHARE
972  close_port_share();
973 #endif
974 
975 #if defined(MEASURE_TLS_HANDSHAKE_STATS)
976  show_tls_performance_stats();
977 #endif
978 }
979 
980 void
981 init_verb_mute(struct context *c, unsigned int flags)
982 {
983  if (flags & IVM_LEVEL_1)
984  {
985  /* set verbosity and mute levels */
986  set_check_status(D_LINK_ERRORS, D_READ_WRITE);
987  set_debug_level(c->options.verbosity, SDL_CONSTRAIN);
988  set_mute_cutoff(c->options.mute);
989  }
990 
991  /* special D_LOG_RW mode */
992  if (flags & IVM_LEVEL_2)
993  {
994  c->c2.log_rw = (check_debug_level(D_LOG_RW) && !check_debug_level(D_LOG_RW + 1));
995  }
996 }
997 
998 /*
999  * Possibly set --dev based on --dev-node.
1000  * For example, if --dev-node /tmp/foo/tun, and --dev undefined,
1001  * set --dev to tun.
1002  */
1003 void
1004 init_options_dev(struct options *options)
1005 {
1006  if (!options->dev && options->dev_node)
1007  {
1008  char *dev_node = string_alloc(options->dev_node, NULL); /* POSIX basename() implementaions may modify its arguments */
1009  options->dev = basename(dev_node);
1010  }
1011 }
1012 
1013 bool
1014 print_openssl_info(const struct options *options)
1015 {
1016  /*
1017  * OpenSSL info print mode?
1018  */
1019  if (options->show_ciphers || options->show_digests || options->show_engines
1020  || options->show_tls_ciphers || options->show_curves)
1021  {
1022  if (options->show_ciphers)
1023  {
1024  show_available_ciphers();
1025  }
1026  if (options->show_digests)
1027  {
1028  show_available_digests();
1029  }
1030  if (options->show_engines)
1031  {
1032  show_available_engines();
1033  }
1034  if (options->show_tls_ciphers)
1035  {
1036  show_available_tls_ciphers(options->cipher_list,
1037  options->cipher_list_tls13,
1038  options->tls_cert_profile);
1039  }
1040  if (options->show_curves)
1041  {
1042  show_available_curves();
1043  }
1044  return true;
1045  }
1046  return false;
1047 }
1048 
1049 /*
1050  * Static pre-shared key generation mode?
1051  */
1052 bool
1053 do_genkey(const struct options *options)
1054 {
1055  /* should we disable paging? */
1056  if (options->mlock && (options->genkey || options->tls_crypt_v2_genkey_file))
1057  {
1058  platform_mlockall(true);
1059  }
1060  if (options->genkey)
1061  {
1062  int nbits_written;
1063 
1064  notnull(options->shared_secret_file,
1065  "shared secret output file (--secret)");
1066 
1067  nbits_written = write_key_file(2, options->shared_secret_file);
1068  if (nbits_written < 0)
1069  {
1070  msg(M_FATAL, "Failed to write key file");
1071  }
1072 
1073  msg(D_GENKEY | M_NOPREFIX,
1074  "Randomly generated %d bit key written to %s", nbits_written,
1075  options->shared_secret_file);
1076  return true;
1077  }
1078  if (options->tls_crypt_v2_genkey_type)
1079  {
1080  if (!strcmp(options->tls_crypt_v2_genkey_type, "server"))
1081  {
1082  tls_crypt_v2_write_server_key_file(options->tls_crypt_v2_genkey_file);
1083  return true;
1084  }
1085  if (options->tls_crypt_v2_genkey_type
1086  && !strcmp(options->tls_crypt_v2_genkey_type, "client"))
1087  {
1088  if (!options->tls_crypt_v2_file)
1089  {
1090  msg(M_USAGE, "--tls-crypt-v2-genkey requires a server key to be set via --tls-crypt-v2 to create a client key");
1091  }
1092 
1093  tls_crypt_v2_write_client_key_file(options->tls_crypt_v2_genkey_file,
1094  options->tls_crypt_v2_metadata, options->tls_crypt_v2_file,
1095  options->tls_crypt_v2_inline);
1096  return true;
1097  }
1098 
1099  msg(M_USAGE, "--tls-crypt-v2-genkey type should be \"client\" or \"server\"");
1100  }
1101  return false;
1102 }
1103 
1104 /*
1105  * Persistent TUN/TAP device management mode?
1106  */
1107 bool
1108 do_persist_tuntap(const struct options *options)
1109 {
1110  if (options->persist_config)
1111  {
1112  /* sanity check on options for --mktun or --rmtun */
1113  notnull(options->dev, "TUN/TAP device (--dev)");
1114  if (options->ce.remote || options->ifconfig_local
1115  || options->ifconfig_remote_netmask
1116  || options->shared_secret_file
1117  || options->tls_server || options->tls_client
1118  )
1119  {
1120  msg(M_FATAL|M_OPTERR,
1121  "options --mktun or --rmtun should only be used together with --dev");
1122  }
1123 #ifdef ENABLE_FEATURE_TUN_PERSIST
1124  tuncfg(options->dev, options->dev_type, options->dev_node,
1125  options->persist_mode,
1126  options->username, options->groupname, &options->tuntap_options);
1127  if (options->persist_mode && options->lladdr)
1128  {
1129  set_lladdr(options->dev, options->lladdr, NULL);
1130  }
1131  return true;
1132 #else /* ifdef ENABLE_FEATURE_TUN_PERSIST */
1133  msg( M_FATAL|M_OPTERR,
1134  "options --mktun and --rmtun are not available on your operating "
1135  "system. Please check 'man tun' (or 'tap'), whether your system "
1136  "supports using 'ifconfig %s create' / 'destroy' to create/remove "
1137  "persistant tunnel interfaces.", options->dev );
1138 #endif
1139  }
1140  return false;
1141 }
1142 
1143 /*
1144  * Should we become a daemon?
1145  * Return true if we did it.
1146  */
1147 bool
1148 possibly_become_daemon(const struct options *options)
1149 {
1150  bool ret = false;
1151 
1152 #ifdef ENABLE_SYSTEMD
1153  /* return without forking if we are running from systemd */
1154  if (sd_notify(0, "READY=0") > 0)
1155  {
1156  return ret;
1157  }
1158 #endif
1159 
1160  if (options->daemon)
1161  {
1162  ASSERT(!options->inetd);
1163  /* Don't chdir immediately, but the end of the init sequence, if needed */
1164  if (daemon(1, options->log) < 0)
1165  {
1166  msg(M_ERR, "daemon() failed or unsupported");
1167  }
1168  restore_signal_state();
1169  if (options->log)
1170  {
1171  set_std_files_to_null(true);
1172  }
1173 
1174  ret = true;
1175  }
1176  return ret;
1177 }
1178 
1179 /*
1180  * Actually do UID/GID downgrade, chroot and SELinux context switching, if requested.
1181  */
1182 static void
1183 do_uid_gid_chroot(struct context *c, bool no_delay)
1184 {
1185  static const char why_not[] = "will be delayed because of --client, --pull, or --up-delay";
1186  struct context_0 *c0 = c->c0;
1187 
1188  if (c0 && !c0->uid_gid_chroot_set)
1189  {
1190  /* chroot if requested */
1191  if (c->options.chroot_dir)
1192  {
1193  if (no_delay)
1194  {
1195  platform_chroot(c->options.chroot_dir);
1196  }
1197  else if (c->first_time)
1198  {
1199  msg(M_INFO, "NOTE: chroot %s", why_not);
1200  }
1201  }
1202 
1203  /* set user and/or group if we want to setuid/setgid */
1204  if (c0->uid_gid_specified)
1205  {
1206  if (no_delay)
1207  {
1208  platform_group_set(&c0->platform_state_group);
1209  platform_user_set(&c0->platform_state_user);
1210  }
1211  else if (c->first_time)
1212  {
1213  msg(M_INFO, "NOTE: UID/GID downgrade %s", why_not);
1214  }
1215  }
1216 
1217 #ifdef ENABLE_MEMSTATS
1218  if (c->first_time && c->options.memstats_fn)
1219  {
1220  mstats_open(c->options.memstats_fn);
1221  }
1222 #endif
1223 
1224 #ifdef ENABLE_SELINUX
1225  /* Apply a SELinux context in order to restrict what OpenVPN can do
1226  * to _only_ what it is supposed to do after initialization is complete
1227  * (basically just network I/O operations). Doing it after chroot
1228  * requires /proc to be mounted in the chroot (which is annoying indeed
1229  * but doing it before requires more complex SELinux policies.
1230  */
1231  if (c->options.selinux_context)
1232  {
1233  if (no_delay)
1234  {
1235  if (-1 == setcon(c->options.selinux_context))
1236  {
1237  msg(M_ERR, "setcon to '%s' failed; is /proc accessible?", c->options.selinux_context);
1238  }
1239  else
1240  {
1241  msg(M_INFO, "setcon to '%s' succeeded", c->options.selinux_context);
1242  }
1243  }
1244  else if (c->first_time)
1245  {
1246  msg(M_INFO, "NOTE: setcon %s", why_not);
1247  }
1248  }
1249 #endif
1250 
1251  /* Privileges are going to be dropped by now (if requested), be sure
1252  * to prevent any future privilege dropping attempts from now on.
1253  */
1254  if (no_delay)
1255  {
1256  c0->uid_gid_chroot_set = true;
1257  }
1258  }
1259 }
1260 
1261 /*
1262  * Return common name in a way that is formatted for
1263  * prepending to msg() output.
1264  */
1265 const char *
1266 format_common_name(struct context *c, struct gc_arena *gc)
1267 {
1268  struct buffer out = alloc_buf_gc(256, gc);
1269  if (c->c2.tls_multi)
1270  {
1271  buf_printf(&out, "[%s] ", tls_common_name(c->c2.tls_multi, false));
1272  }
1273  return BSTR(&out);
1274 }
1275 
1276 void
1277 pre_setup(const struct options *options)
1278 {
1279 #ifdef _WIN32
1280  if (options->exit_event_name)
1281  {
1282  win32_signal_open(&win32_signal,
1283  WSO_FORCE_SERVICE,
1284  options->exit_event_name,
1285  options->exit_event_initial_state);
1286  }
1287  else
1288  {
1289  win32_signal_open(&win32_signal,
1290  WSO_FORCE_CONSOLE,
1291  NULL,
1292  false);
1293 
1294  /* put a title on the top window bar */
1295  if (win32_signal.mode == WSO_MODE_CONSOLE)
1296  {
1297  window_title_save(&window_title);
1298  window_title_generate(options->config);
1299  }
1300  }
1301 #endif /* ifdef _WIN32 */
1302 }
1303 
1304 void
1305 reset_coarse_timers(struct context *c)
1306 {
1307  c->c2.coarse_timer_wakeup = 0;
1308 }
1309 
1310 /*
1311  * Initialise the server poll timeout timer
1312  * This timer is used in the http/socks proxy setup so it needs to be setup
1313  * before
1314  */
1315 static void
1316 do_init_server_poll_timeout(struct context *c)
1317 {
1318  update_time();
1319  if (c->options.ce.connect_timeout)
1320  {
1321  event_timeout_init(&c->c2.server_poll_interval, c->options.ce.connect_timeout, now);
1322  }
1323 }
1324 
1325 /*
1326  * Initialize timers
1327  */
1328 static void
1329 do_init_timers(struct context *c, bool deferred)
1330 {
1331  update_time();
1332  reset_coarse_timers(c);
1333 
1334  /* initialize inactivity timeout */
1335  if (c->options.inactivity_timeout)
1336  {
1337  event_timeout_init(&c->c2.inactivity_interval, c->options.inactivity_timeout, now);
1338  }
1339 
1340  /* initialize pings */
1341 
1342  if (c->options.ping_send_timeout)
1343  {
1344  event_timeout_init(&c->c2.ping_send_interval, c->options.ping_send_timeout, 0);
1345  }
1346 
1347  if (c->options.ping_rec_timeout)
1348  {
1349  event_timeout_init(&c->c2.ping_rec_interval, c->options.ping_rec_timeout, now);
1350  }
1351 
1352  if (!deferred)
1353  {
1354  /* initialize connection establishment timer */
1355  event_timeout_init(&c->c2.wait_for_connect, 1, now);
1356 
1357 #ifdef ENABLE_OCC
1358  /* initialize occ timers */
1359 
1360  if (c->options.occ
1361  && !TLS_MODE(c)
1362  && c->c2.options_string_local && c->c2.options_string_remote)
1363  {
1364  event_timeout_init(&c->c2.occ_interval, OCC_INTERVAL_SECONDS, now);
1365  }
1366 
1367  if (c->options.mtu_test)
1368  {
1369  event_timeout_init(&c->c2.occ_mtu_load_test_interval, OCC_MTU_LOAD_INTERVAL_SECONDS, now);
1370  }
1371 #endif
1372 
1373  /* initialize packet_id persistence timer */
1374  if (c->options.packet_id_file)
1375  {
1376  event_timeout_init(&c->c2.packet_id_persist_interval, 60, now);
1377  }
1378 
1379  /* initialize tmp_int optimization that limits the number of times we call
1380  * tls_multi_process in the main event loop */
1381  interval_init(&c->c2.tmp_int, TLS_MULTI_HORIZON, TLS_MULTI_REFRESH);
1382  }
1383 }
1384 
1385 /*
1386  * Initialize traffic shaper.
1387  */
1388 static void
1389 do_init_traffic_shaper(struct context *c)
1390 {
1391 #ifdef ENABLE_FEATURE_SHAPER
1392  /* initialize traffic shaper (i.e. transmit bandwidth limiter) */
1393  if (c->options.shaper)
1394  {
1395  shaper_init(&c->c2.shaper, c->options.shaper);
1396  shaper_msg(&c->c2.shaper);
1397  }
1398 #endif
1399 }
1400 
1401 /*
1402  * Allocate route list structures for IPv4 and IPv6
1403  * (we do this for IPv4 even if no --route option has been seen, as other
1404  * parts of OpenVPN might want to fill the route-list with info, e.g. DHCP)
1405  */
1406 static void
1407 do_alloc_route_list(struct context *c)
1408 {
1409  if (!c->c1.route_list)
1410  {
1411  ALLOC_OBJ_CLEAR_GC(c->c1.route_list, struct route_list, &c->gc);
1412  }
1413  if (c->options.routes_ipv6 && !c->c1.route_ipv6_list)
1414  {
1415  ALLOC_OBJ_CLEAR_GC(c->c1.route_ipv6_list, struct route_ipv6_list, &c->gc);
1416  }
1417 }
1418 
1419 
1420 /*
1421  * Initialize the route list, resolving any DNS names in route
1422  * options and saving routes in the environment.
1423  */
1424 static void
1425 do_init_route_list(const struct options *options,
1426  struct route_list *route_list,
1427  const struct link_socket_info *link_socket_info,
1428  struct env_set *es)
1429 {
1430  const char *gw = NULL;
1431  int dev = dev_type_enum(options->dev, options->dev_type);
1432  int metric = 0;
1433 
1434  if (dev == DEV_TYPE_TUN && (options->topology == TOP_NET30 || options->topology == TOP_P2P))
1435  {
1436  gw = options->ifconfig_remote_netmask;
1437  }
1438  if (options->route_default_gateway)
1439  {
1440  gw = options->route_default_gateway;
1441  }
1442  if (options->route_default_metric)
1443  {
1444  metric = options->route_default_metric;
1445  }
1446 
1447  if (init_route_list(route_list,
1448  options->routes,
1449  gw,
1450  metric,
1451  link_socket_current_remote(link_socket_info),
1452  es))
1453  {
1454  /* copy routes to environment */
1455  setenv_routes(es, route_list);
1456  }
1457 }
1458 
1459 static void
1460 do_init_route_ipv6_list(const struct options *options,
1461  struct route_ipv6_list *route_ipv6_list,
1462  const struct link_socket_info *link_socket_info,
1463  struct env_set *es)
1464 {
1465  const char *gw = NULL;
1466  int metric = -1; /* no metric set */
1467 
1468  gw = options->ifconfig_ipv6_remote; /* default GW = remote end */
1469  if (options->route_ipv6_default_gateway)
1470  {
1471  gw = options->route_ipv6_default_gateway;
1472  }
1473 
1474  if (options->route_default_metric)
1475  {
1476  metric = options->route_default_metric;
1477  }
1478 
1479  /* redirect (IPv6) gateway to VPN? if yes, add a few more specifics
1480  */
1481  if (options->routes_ipv6->flags & RG_REROUTE_GW)
1482  {
1483  char *opt_list[] = { "::/3", "2000::/4", "3000::/4", "fc00::/7", NULL };
1484  int i;
1485 
1486  for (i = 0; opt_list[i]; i++)
1487  {
1488  add_route_ipv6_to_option_list( options->routes_ipv6,
1489  string_alloc(opt_list[i], options->routes_ipv6->gc),
1490  NULL, NULL );
1491  }
1492  }
1493 
1494  if (init_route_ipv6_list(route_ipv6_list,
1495  options->routes_ipv6,
1496  gw,
1497  metric,
1498  link_socket_current_remote_ipv6(link_socket_info),
1499  es))
1500  {
1501  /* copy routes to environment */
1502  setenv_routes_ipv6(es, route_ipv6_list);
1503  }
1504 }
1505 
1506 
1507 /*
1508  * Called after all initialization has been completed.
1509  */
1510 void
1511 initialization_sequence_completed(struct context *c, const unsigned int flags)
1512 {
1513  static const char message[] = "Initialization Sequence Completed";
1514 
1515  /* Reset the unsuccessful connection counter on complete initialisation */
1516  c->options.unsuccessful_attempts = 0;
1517 
1518  /* If we delayed UID/GID downgrade or chroot, do it now */
1519  do_uid_gid_chroot(c, true);
1520 
1521 
1522  /*
1523  * In some cases (i.e. when receiving auth-token via
1524  * push-reply) the auth-nocache option configured on the
1525  * client is overridden; for this reason we have to wait
1526  * for the push-reply message before attempting to wipe
1527  * the user/pass entered by the user
1528  */
1529  if (c->options.mode == MODE_POINT_TO_POINT)
1530  {
1531  delayed_auth_pass_purge();
1532  }
1533 
1534  /* Test if errors */
1535  if (flags & ISC_ERRORS)
1536  {
1537 #ifdef _WIN32
1538  show_routes(M_INFO|M_NOPREFIX);
1539  show_adapters(M_INFO|M_NOPREFIX);
1540  msg(M_INFO, "%s With Errors ( see http://openvpn.net/faq.html#dhcpclientserv )", message);
1541 #else
1542 #ifdef ENABLE_SYSTEMD
1543  sd_notifyf(0, "STATUS=Failed to start up: %s With Errors\nERRNO=1", message);
1544 #endif /* HAVE_SYSTEMD_SD_DAEMON_H */
1545  msg(M_INFO, "%s With Errors", message);
1546 #endif
1547  }
1548  else
1549  {
1550 #ifdef ENABLE_SYSTEMD
1551  sd_notifyf(0, "STATUS=%s", message);
1552 #endif
1553  msg(M_INFO, "%s", message);
1554  }
1555 
1556  /* Flag that we initialized */
1557  if ((flags & (ISC_ERRORS|ISC_SERVER)) == 0)
1558  {
1559  c->options.no_advance = true;
1560  }
1561 
1562 #ifdef _WIN32
1563  fork_register_dns_action(c->c1.tuntap);
1564 #endif
1565 
1566 #ifdef ENABLE_MANAGEMENT
1567  /* Tell management interface that we initialized */
1568  if (management)
1569  {
1570  in_addr_t *tun_local = NULL;
1571  struct in6_addr *tun_local6 = NULL;
1572  struct openvpn_sockaddr local, remote;
1573  struct link_socket_actual *actual;
1574  socklen_t sa_len = sizeof(local);
1575  const char *detail = "SUCCESS";
1576  if (flags & ISC_ERRORS)
1577  {
1578  detail = "ERROR";
1579  }
1580 
1581  CLEAR(local);
1582  actual = &get_link_socket_info(c)->lsa->actual;
1583  remote = actual->dest;
1584  getsockname(c->c2.link_socket->sd, &local.addr.sa, &sa_len);
1585 #if ENABLE_IP_PKTINFO
1586  if (!addr_defined(&local))
1587  {
1588  switch (local.addr.sa.sa_family)
1589  {
1590  case AF_INET:
1591 #if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST)
1592  local.addr.in4.sin_addr = actual->pi.in4.ipi_spec_dst;
1593 #else
1594  local.addr.in4.sin_addr = actual->pi.in4;
1595 #endif
1596  break;
1597 
1598  case AF_INET6:
1599  local.addr.in6.sin6_addr = actual->pi.in6.ipi6_addr;
1600  break;
1601  }
1602  }
1603 #endif
1604 
1605  if (c->c1.tuntap)
1606  {
1607  tun_local = &c->c1.tuntap->local;
1608  tun_local6 = &c->c1.tuntap->local_ipv6;
1609  }
1610  management_set_state(management,
1611  OPENVPN_STATE_CONNECTED,
1612  detail,
1613  tun_local,
1614  tun_local6,
1615  &local,
1616  &remote);
1617  if (tun_local)
1618  {
1619  management_post_tunnel_open(management, *tun_local);
1620  }
1621  }
1622 #endif /* ifdef ENABLE_MANAGEMENT */
1623 }
1624 
1625 /*
1626  * Possibly add routes and/or call route-up script
1627  * based on options.
1628  */
1629 void
1630 do_route(const struct options *options,
1631  struct route_list *route_list,
1632  struct route_ipv6_list *route_ipv6_list,
1633  const struct tuntap *tt,
1634  const struct plugin_list *plugins,
1635  struct env_set *es)
1636 {
1637  if (!options->route_noexec && ( route_list || route_ipv6_list ) )
1638  {
1639  add_routes(route_list, route_ipv6_list, tt, ROUTE_OPTION_FLAGS(options), es);
1640  setenv_int(es, "redirect_gateway", route_did_redirect_default_gateway(route_list));
1641  }
1642 #ifdef ENABLE_MANAGEMENT
1643  if (management)
1644  {
1645  management_up_down(management, "UP", es);
1646  }
1647 #endif
1648 
1649  if (plugin_defined(plugins, OPENVPN_PLUGIN_ROUTE_UP))
1650  {
1651  if (plugin_call(plugins, OPENVPN_PLUGIN_ROUTE_UP, NULL, NULL, es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
1652  {
1653  msg(M_WARN, "WARNING: route-up plugin call failed");
1654  }
1655  }
1656 
1657  if (options->route_script)
1658  {
1659  struct argv argv = argv_new();
1660  setenv_str(es, "script_type", "route-up");
1661  argv_parse_cmd(&argv, options->route_script);
1662  openvpn_run_script(&argv, es, 0, "--route-up");
1663  argv_reset(&argv);
1664  }
1665 
1666 #ifdef _WIN32
1667  if (options->show_net_up)
1668  {
1669  show_routes(M_INFO|M_NOPREFIX);
1670  show_adapters(M_INFO|M_NOPREFIX);
1671  }
1672  else if (check_debug_level(D_SHOW_NET))
1673  {
1674  show_routes(D_SHOW_NET|M_NOPREFIX);
1675  show_adapters(D_SHOW_NET|M_NOPREFIX);
1676  }
1677 #endif
1678 }
1679 
1680 /*
1681  * initialize tun/tap device object
1682  */
1683 static void
1684 do_init_tun(struct context *c)
1685 {
1686  c->c1.tuntap = init_tun(c->options.dev,
1687  c->options.dev_type,
1688  c->options.topology,
1689  c->options.ifconfig_local,
1690  c->options.ifconfig_remote_netmask,
1691  c->options.ifconfig_ipv6_local,
1692  c->options.ifconfig_ipv6_netbits,
1693  c->options.ifconfig_ipv6_remote,
1694  c->c1.link_socket_addr.bind_local,
1695  c->c1.link_socket_addr.remote_list,
1696  !c->options.ifconfig_nowarn,
1697  c->c2.es);
1698 
1699  init_tun_post(c->c1.tuntap,
1700  &c->c2.frame,
1701  &c->options.tuntap_options);
1702 
1703  c->c1.tuntap_owned = true;
1704 }
1705 
1706 /*
1707  * Open tun/tap device, ifconfig, call up script, etc.
1708  */
1709 
1710 static bool
1711 do_open_tun(struct context *c)
1712 {
1713  struct gc_arena gc = gc_new();
1714  bool ret = false;
1715 
1716 #ifndef TARGET_ANDROID
1717  if (!c->c1.tuntap)
1718  {
1719 #endif
1720 
1721 #ifdef TARGET_ANDROID
1722  /* If we emulate persist-tun on android we still have to open a new tun and
1723  * then close the old */
1724  int oldtunfd = -1;
1725  if (c->c1.tuntap)
1726  {
1727  oldtunfd = c->c1.tuntap->fd;
1728  free(c->c1.tuntap);
1729  c->c1.tuntap = NULL;
1730  c->c1.tuntap_owned = false;
1731  }
1732 #endif
1733 
1734  /* initialize (but do not open) tun/tap object */
1735  do_init_tun(c);
1736 
1737 #ifdef _WIN32
1738  /* store (hide) interactive service handle in tuntap_options */
1739  c->c1.tuntap->options.msg_channel = c->options.msg_channel;
1740  msg(D_ROUTE, "interactive service msg_channel=%u", (unsigned int) c->options.msg_channel);
1741 #endif
1742 
1743  /* allocate route list structure */
1744  do_alloc_route_list(c);
1745 
1746  /* parse and resolve the route option list */
1747  ASSERT(c->c2.link_socket);
1748  if (c->options.routes && c->c1.route_list)
1749  {
1750  do_init_route_list(&c->options, c->c1.route_list,
1751  &c->c2.link_socket->info, c->c2.es);
1752  }
1753  if (c->options.routes_ipv6 && c->c1.route_ipv6_list)
1754  {
1755  do_init_route_ipv6_list(&c->options, c->c1.route_ipv6_list,
1756  &c->c2.link_socket->info, c->c2.es);
1757  }
1758 
1759  /* do ifconfig */
1760  if (!c->options.ifconfig_noexec
1761  && ifconfig_order() == IFCONFIG_BEFORE_TUN_OPEN)
1762  {
1763  /* guess actual tun/tap unit number that will be returned
1764  * by open_tun */
1765  const char *guess = guess_tuntap_dev(c->options.dev,
1766  c->options.dev_type,
1767  c->options.dev_node,
1768  &gc);
1769  do_ifconfig(c->c1.tuntap, guess, TUN_MTU_SIZE(&c->c2.frame), c->c2.es);
1770  }
1771 
1772  /* possibly add routes */
1773  if (route_order() == ROUTE_BEFORE_TUN)
1774  {
1775  /* Ignore route_delay, would cause ROUTE_BEFORE_TUN to be ignored */
1776  do_route(&c->options, c->c1.route_list, c->c1.route_ipv6_list,
1777  c->c1.tuntap, c->plugins, c->c2.es);
1778  }
1779 #ifdef TARGET_ANDROID
1780  /* Store the old fd inside the fd so open_tun can use it */
1781  c->c1.tuntap->fd = oldtunfd;
1782 #endif
1783  /* open the tun device */
1784  open_tun(c->options.dev, c->options.dev_type, c->options.dev_node,
1785  c->c1.tuntap);
1786 
1787  /* set the hardware address */
1788  if (c->options.lladdr)
1789  {
1790  set_lladdr(c->c1.tuntap->actual_name, c->options.lladdr, c->c2.es);
1791  }
1792 
1793  /* do ifconfig */
1794  if (!c->options.ifconfig_noexec
1795  && ifconfig_order() == IFCONFIG_AFTER_TUN_OPEN)
1796  {
1797  do_ifconfig(c->c1.tuntap, c->c1.tuntap->actual_name, TUN_MTU_SIZE(&c->c2.frame), c->c2.es);
1798  }
1799 
1800  /* run the up script */
1801  run_up_down(c->options.up_script,
1802  c->plugins,
1803  OPENVPN_PLUGIN_UP,
1804  c->c1.tuntap->actual_name,
1805 #ifdef _WIN32
1806  c->c1.tuntap->adapter_index,
1807 #endif
1808  dev_type_string(c->options.dev, c->options.dev_type),
1809  TUN_MTU_SIZE(&c->c2.frame),
1810  EXPANDED_SIZE(&c->c2.frame),
1811  print_in_addr_t(c->c1.tuntap->local, IA_EMPTY_IF_UNDEF, &gc),
1812  print_in_addr_t(c->c1.tuntap->remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
1813  "init",
1814  NULL,
1815  "up",
1816  c->c2.es);
1817 
1818 #if defined(_WIN32)
1819  if (c->options.block_outside_dns)
1820  {
1821  dmsg(D_LOW, "Blocking outside DNS");
1822  if (!win_wfp_block_dns(c->c1.tuntap->adapter_index, c->options.msg_channel))
1823  {
1824  msg(M_FATAL, "Blocking DNS failed!");
1825  }
1826  }
1827 #endif
1828 
1829  /* possibly add routes */
1830  if ((route_order() == ROUTE_AFTER_TUN) && (!c->options.route_delay_defined))
1831  {
1832  do_route(&c->options, c->c1.route_list, c->c1.route_ipv6_list,
1833  c->c1.tuntap, c->plugins, c->c2.es);
1834  }
1835 
1836  /*
1837  * Did tun/tap driver give us an MTU?
1838  */
1839  if (c->c1.tuntap->post_open_mtu)
1840  {
1841  frame_set_mtu_dynamic(&c->c2.frame,
1842  c->c1.tuntap->post_open_mtu,
1843  SET_MTU_TUN | SET_MTU_UPPER_BOUND);
1844  }
1845 
1846  ret = true;
1847  static_context = c;
1848 #ifndef TARGET_ANDROID
1849 }
1850 else
1851 {
1852  msg(M_INFO, "Preserving previous TUN/TAP instance: %s",
1853  c->c1.tuntap->actual_name);
1854 
1855  /* explicitly set the ifconfig_* env vars */
1856  do_ifconfig_setenv(c->c1.tuntap, c->c2.es);
1857 
1858  /* run the up script if user specified --up-restart */
1859  if (c->options.up_restart)
1860  {
1861  run_up_down(c->options.up_script,
1862  c->plugins,
1863  OPENVPN_PLUGIN_UP,
1864  c->c1.tuntap->actual_name,
1865 #ifdef _WIN32
1866  c->c1.tuntap->adapter_index,
1867 #endif
1868  dev_type_string(c->options.dev, c->options.dev_type),
1869  TUN_MTU_SIZE(&c->c2.frame),
1870  EXPANDED_SIZE(&c->c2.frame),
1871  print_in_addr_t(c->c1.tuntap->local, IA_EMPTY_IF_UNDEF, &gc),
1872  print_in_addr_t(c->c1.tuntap->remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
1873  "restart",
1874  NULL,
1875  "up",
1876  c->c2.es);
1877  }
1878 #if defined(_WIN32)
1879  if (c->options.block_outside_dns)
1880  {
1881  dmsg(D_LOW, "Blocking outside DNS");
1882  if (!win_wfp_block_dns(c->c1.tuntap->adapter_index, c->options.msg_channel))
1883  {
1884  msg(M_FATAL, "Blocking DNS failed!");
1885  }
1886  }
1887 #endif
1888 
1889 }
1890 #endif /* ifndef TARGET_ANDROID */
1891  gc_free(&gc);
1892  return ret;
1893 }
1894 
1895 /*
1896  * Close TUN/TAP device
1897  */
1898 
1899 static void
1900 do_close_tun_simple(struct context *c)
1901 {
1902  msg(D_CLOSE, "Closing TUN/TAP interface");
1903  if (c->c1.tuntap)
1904  {
1905  close_tun(c->c1.tuntap);
1906  c->c1.tuntap = NULL;
1907  }
1908  c->c1.tuntap_owned = false;
1909 #if P2MP
1910  CLEAR(c->c1.pulled_options_digest_save);
1911 #endif
1912 }
1913 
1914 static void
1915 do_close_tun(struct context *c, bool force)
1916 {
1917  struct gc_arena gc = gc_new();
1918  if (c->c1.tuntap && c->c1.tuntap_owned)
1919  {
1920  const char *tuntap_actual = string_alloc(c->c1.tuntap->actual_name, &gc);
1921 #ifdef _WIN32
1922  DWORD adapter_index = c->c1.tuntap->adapter_index;
1923 #endif
1924  const in_addr_t local = c->c1.tuntap->local;
1925  const in_addr_t remote_netmask = c->c1.tuntap->remote_netmask;
1926 
1927  if (force || !(c->sig->signal_received == SIGUSR1 && c->options.persist_tun))
1928  {
1929  static_context = NULL;
1930 
1931 #ifdef ENABLE_MANAGEMENT
1932  /* tell management layer we are about to close the TUN/TAP device */
1933  if (management)
1934  {
1935  management_pre_tunnel_close(management);
1936  management_up_down(management, "DOWN", c->c2.es);
1937  }
1938 #endif
1939 
1940  /* delete any routes we added */
1941  if (c->c1.route_list || c->c1.route_ipv6_list)
1942  {
1943  run_up_down(c->options.route_predown_script,
1944  c->plugins,
1945  OPENVPN_PLUGIN_ROUTE_PREDOWN,
1946  tuntap_actual,
1947 #ifdef _WIN32
1948  adapter_index,
1949 #endif
1950  NULL,
1951  TUN_MTU_SIZE(&c->c2.frame),
1952  EXPANDED_SIZE(&c->c2.frame),
1953  print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc),
1954  print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
1955  "init",
1956  signal_description(c->sig->signal_received,
1957  c->sig->signal_text),
1958  "route-pre-down",
1959  c->c2.es);
1960 
1961  delete_routes(c->c1.route_list, c->c1.route_ipv6_list,
1962  c->c1.tuntap, ROUTE_OPTION_FLAGS(&c->options), c->c2.es);
1963  }
1964 
1965  /* actually close tun/tap device based on --down-pre flag */
1966  if (!c->options.down_pre)
1967  {
1968  do_close_tun_simple(c);
1969  }
1970 
1971  /* Run the down script -- note that it will run at reduced
1972  * privilege if, for example, "--user nobody" was used. */
1973  run_up_down(c->options.down_script,
1974  c->plugins,
1975  OPENVPN_PLUGIN_DOWN,
1976  tuntap_actual,
1977 #ifdef _WIN32
1978  adapter_index,
1979 #endif
1980  NULL,
1981  TUN_MTU_SIZE(&c->c2.frame),
1982  EXPANDED_SIZE(&c->c2.frame),
1983  print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc),
1984  print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
1985  "init",
1986  signal_description(c->sig->signal_received,
1987  c->sig->signal_text),
1988  "down",
1989  c->c2.es);
1990 
1991 #if defined(_WIN32)
1992  if (c->options.block_outside_dns)
1993  {
1994  if (!win_wfp_uninit(adapter_index, c->options.msg_channel))
1995  {
1996  msg(M_FATAL, "Uninitialising WFP failed!");
1997  }
1998  }
1999 #endif
2000 
2001  /* actually close tun/tap device based on --down-pre flag */
2002  if (c->options.down_pre)
2003  {
2004  do_close_tun_simple(c);
2005  }
2006  }
2007  else
2008  {
2009  /* run the down script on this restart if --up-restart was specified */
2010  if (c->options.up_restart)
2011  {
2012  run_up_down(c->options.down_script,
2013  c->plugins,
2014  OPENVPN_PLUGIN_DOWN,
2015  tuntap_actual,
2016 #ifdef _WIN32
2017  adapter_index,
2018 #endif
2019  NULL,
2020  TUN_MTU_SIZE(&c->c2.frame),
2021  EXPANDED_SIZE(&c->c2.frame),
2022  print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc),
2023  print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
2024  "restart",
2025  signal_description(c->sig->signal_received,
2026  c->sig->signal_text),
2027  "down",
2028  c->c2.es);
2029  }
2030 
2031 #if defined(_WIN32)
2032  if (c->options.block_outside_dns)
2033  {
2034  if (!win_wfp_uninit(adapter_index, c->options.msg_channel))
2035  {
2036  msg(M_FATAL, "Uninitialising WFP failed!");
2037  }
2038  }
2039 #endif
2040 
2041  }
2042  }
2043  gc_free(&gc);
2044 }
2045 
2046 void
2047 tun_abort(void)
2048 {
2049  struct context *c = static_context;
2050  if (c)
2051  {
2052  static_context = NULL;
2053  do_close_tun(c, true);
2054  }
2055 }
2056 
2057 /*
2058  * Handle delayed tun/tap interface bringup due to --up-delay or --pull
2059  */
2060 
2061 #if P2MP
2062 
2066 static bool
2067 options_hash_changed_or_zero(const struct sha256_digest *a,
2068  const struct sha256_digest *b)
2069 {
2070  const struct sha256_digest zero = {{0}};
2071  return memcmp(a, b, sizeof(struct sha256_digest))
2072  || !memcmp(a, &zero, sizeof(struct sha256_digest));
2073 }
2074 #endif /* P2MP */
2075 
2076 bool
2077 do_up(struct context *c, bool pulled_options, unsigned int option_types_found)
2078 {
2079  if (!c->c2.do_up_ran)
2080  {
2081  reset_coarse_timers(c);
2082 
2083  if (pulled_options)
2084  {
2085  if (!do_deferred_options(c, option_types_found))
2086  {
2087  msg(D_PUSH_ERRORS, "ERROR: Failed to apply push options");
2088  return false;
2089  }
2090  }
2091 
2092  /* if --up-delay specified, open tun, do ifconfig, and run up script now */
2093  if (c->options.up_delay || PULL_DEFINED(&c->options))
2094  {
2095  c->c2.did_open_tun = do_open_tun(c);
2096  update_time();
2097 
2098 #if P2MP
2099  /*
2100  * Was tun interface object persisted from previous restart iteration,
2101  * and if so did pulled options string change from previous iteration?
2102  */
2103  if (!c->c2.did_open_tun
2104  && PULL_DEFINED(&c->options)
2105  && c->c1.tuntap
2106  && options_hash_changed_or_zero(&c->c1.pulled_options_digest_save,
2107  &c->c2.pulled_options_digest))
2108  {
2109  /* if so, close tun, delete routes, then reinitialize tun and add routes */
2110  msg(M_INFO, "NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.");
2111  do_close_tun(c, true);
2112  management_sleep(1);
2113  c->c2.did_open_tun = do_open_tun(c);
2114  update_time();
2115  }
2116 #endif
2117  }
2118 
2119  if (c->c2.did_open_tun)
2120  {
2121 #if P2MP
2122  c->c1.pulled_options_digest_save = c->c2.pulled_options_digest;
2123 #endif
2124 
2125  /* if --route-delay was specified, start timer */
2126  if ((route_order() == ROUTE_AFTER_TUN) && c->options.route_delay_defined)
2127  {
2128  event_timeout_init(&c->c2.route_wakeup, c->options.route_delay, now);
2129  event_timeout_init(&c->c2.route_wakeup_expire, c->options.route_delay + c->options.route_delay_window, now);
2130  if (c->c1.tuntap)
2131  {
2132  tun_standby_init(c->c1.tuntap);
2133  }
2134  }
2135  else
2136  {
2137  initialization_sequence_completed(c, 0); /* client/p2p --route-delay undefined */
2138  }
2139  }
2140  else if (c->options.mode == MODE_POINT_TO_POINT)
2141  {
2142  initialization_sequence_completed(c, 0); /* client/p2p restart with --persist-tun */
2143  }
2144 
2145  c->c2.do_up_ran = true;
2146  }
2147  return true;
2148 }
2149 
2150 /*
2151  * These are the option categories which will be accepted by pull.
2152  */
2153 unsigned int
2154 pull_permission_mask(const struct context *c)
2155 {
2156  unsigned int flags =
2157  OPT_P_UP
2158  | OPT_P_ROUTE_EXTRAS
2159  | OPT_P_SOCKBUF
2160  | OPT_P_SOCKFLAGS
2161  | OPT_P_SETENV
2162  | OPT_P_SHAPER
2163  | OPT_P_TIMER
2164  | OPT_P_COMP
2165  | OPT_P_PERSIST
2166  | OPT_P_MESSAGES
2167  | OPT_P_EXPLICIT_NOTIFY
2168  | OPT_P_ECHO
2169  | OPT_P_PULL_MODE
2170  | OPT_P_PEER_ID;
2171 
2172  if (!c->options.route_nopull)
2173  {
2174  flags |= (OPT_P_ROUTE | OPT_P_IPWIN32);
2175  }
2176 
2177  if (c->options.ncp_enabled)
2178  {
2179  flags |= OPT_P_NCP;
2180  }
2181 
2182  return flags;
2183 }
2184 
2185 /*
2186  * Handle non-tun-related pulled options.
2187  */
2188 bool
2189 do_deferred_options(struct context *c, const unsigned int found)
2190 {
2191  if (found & OPT_P_MESSAGES)
2192  {
2193  init_verb_mute(c, IVM_LEVEL_1|IVM_LEVEL_2);
2194  msg(D_PUSH, "OPTIONS IMPORT: --verb and/or --mute level changed");
2195  }
2196  if (found & OPT_P_TIMER)
2197  {
2198  do_init_timers(c, true);
2199  msg(D_PUSH, "OPTIONS IMPORT: timers and/or timeouts modified");
2200  }
2201 
2202 #ifdef ENABLE_OCC
2203  if (found & OPT_P_EXPLICIT_NOTIFY)
2204  {
2205  if (!proto_is_udp(c->options.ce.proto) && c->options.ce.explicit_exit_notification)
2206  {
2207  msg(D_PUSH, "OPTIONS IMPORT: --explicit-exit-notify can only be used with --proto udp");
2208  c->options.ce.explicit_exit_notification = 0;
2209  }
2210  else
2211  {
2212  msg(D_PUSH, "OPTIONS IMPORT: explicit notify parm(s) modified");
2213  }
2214  }
2215 #endif
2216 
2217 #ifdef USE_COMP
2218  if (found & OPT_P_COMP)
2219  {
2220  msg(D_PUSH, "OPTIONS IMPORT: compression parms modified");
2221  comp_uninit(c->c2.comp_context);
2222  c->c2.comp_context = comp_init(&c->options.comp);
2223  }
2224 #endif
2225 
2226  if (found & OPT_P_SHAPER)
2227  {
2228  msg(D_PUSH, "OPTIONS IMPORT: traffic shaper enabled");
2229  do_init_traffic_shaper(c);
2230  }
2231 
2232  if (found & OPT_P_SOCKBUF)
2233  {
2234  msg(D_PUSH, "OPTIONS IMPORT: --sndbuf/--rcvbuf options modified");
2235  link_socket_update_buffer_sizes(c->c2.link_socket, c->options.rcvbuf, c->options.sndbuf);
2236  }
2237 
2238  if (found & OPT_P_SOCKFLAGS)
2239  {
2240  msg(D_PUSH, "OPTIONS IMPORT: --socket-flags option modified");
2241  link_socket_update_flags(c->c2.link_socket, c->options.sockflags);
2242  }
2243 
2244  if (found & OPT_P_PERSIST)
2245  {
2246  msg(D_PUSH, "OPTIONS IMPORT: --persist options modified");
2247  }
2248  if (found & OPT_P_UP)
2249  {
2250  msg(D_PUSH, "OPTIONS IMPORT: --ifconfig/up options modified");
2251  }
2252  if (found & OPT_P_ROUTE)
2253  {
2254  msg(D_PUSH, "OPTIONS IMPORT: route options modified");
2255  }
2256  if (found & OPT_P_ROUTE_EXTRAS)
2257  {
2258  msg(D_PUSH, "OPTIONS IMPORT: route-related options modified");
2259  }
2260  if (found & OPT_P_IPWIN32)
2261  {
2262  msg(D_PUSH, "OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified");
2263  }
2264  if (found & OPT_P_SETENV)
2265  {
2266  msg(D_PUSH, "OPTIONS IMPORT: environment modified");
2267  }
2268 
2269  if (found & OPT_P_PEER_ID)
2270  {
2271  msg(D_PUSH, "OPTIONS IMPORT: peer-id set");
2272  c->c2.tls_multi->use_peer_id = true;
2273  c->c2.tls_multi->peer_id = c->options.peer_id;
2274  frame_add_to_extra_frame(&c->c2.frame, +3); /* peer-id overhead */
2275  if (!c->options.ce.link_mtu_defined)
2276  {
2277  frame_add_to_link_mtu(&c->c2.frame, +3);
2278  msg(D_PUSH, "OPTIONS IMPORT: adjusting link_mtu to %d",
2279  EXPANDED_SIZE(&c->c2.frame));
2280  }
2281  else
2282  {
2283  msg(M_WARN, "OPTIONS IMPORT: WARNING: peer-id set, but link-mtu"
2284  " fixed by config - reducing tun-mtu to %d, expect"
2285  " MTU problems", TUN_MTU_SIZE(&c->c2.frame) );
2286  }
2287  }
2288 
2289  /* process (potentially pushed) crypto options */
2290  if (c->options.pull)
2291  {
2292  struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE];
2293  if (found & OPT_P_NCP)
2294  {
2295  msg(D_PUSH, "OPTIONS IMPORT: data channel crypto options modified");
2296  }
2297  else if (c->options.ncp_enabled)
2298  {
2299  tls_poor_mans_ncp(&c->options, c->c2.tls_multi->remote_ciphername);
2300  }
2301  /* Do not regenerate keys if server sends an extra push reply */
2302  if (!session->key[KS_PRIMARY].crypto_options.key_ctx_bi.initialized
2303  && !tls_session_update_crypto_params(session, &c->options, &c->c2.frame))
2304  {
2305  msg(D_TLS_ERRORS, "OPTIONS ERROR: failed to import crypto options");
2306  return false;
2307  }
2308  }
2309 
2310  return true;
2311 }
2312 
2313 /*
2314  * Possible hold on initialization, holdtime is the
2315  * time OpenVPN would wait without management
2316  */
2317 static bool
2318 do_hold(int holdtime)
2319 {
2320 #ifdef ENABLE_MANAGEMENT
2321  if (management)
2322  {
2323  /* block until management hold is released */
2324  if (management_hold(management, holdtime))
2325  {
2326  return true;
2327  }
2328  }
2329 #endif
2330  return false;
2331 }
2332 
2333 /*
2334  * Sleep before restart.
2335  */
2336 static void
2337 socket_restart_pause(struct context *c)
2338 {
2339  int sec = 2;
2340  int backoff = 0;
2341 
2342  switch (c->options.ce.proto)
2343  {
2344  case PROTO_TCP_SERVER:
2345  sec = 1;
2346  break;
2347 
2348  case PROTO_UDP:
2349  case PROTO_TCP_CLIENT:
2350  sec = c->options.ce.connect_retry_seconds;
2351  break;
2352  }
2353 
2354 #ifdef ENABLE_DEBUG
2355  if (GREMLIN_CONNECTION_FLOOD_LEVEL(c->options.gremlin))
2356  {
2357  sec = 0;
2358  }
2359 #endif
2360 
2361 #if P2MP
2362  if (auth_retry_get() == AR_NOINTERACT)
2363  {
2364  sec = 10;
2365  }
2366 #endif
2367 
2368  /* Slow down reconnection after 5 retries per remote -- for tcp only in client mode */
2369  if (c->options.ce.proto != PROTO_TCP_SERVER)
2370  {
2371  backoff = (c->options.unsuccessful_attempts / c->options.connection_list->len) - 4;
2372  if (backoff > 0)
2373  {
2374  /* sec is less than 2^16; we can left shift it by up to 15 bits without overflow */
2375  sec = max_int(sec, 1) << min_int(backoff, 15);
2376  }
2377 
2378  if (sec > c->options.ce.connect_retry_seconds_max)
2379  {
2380  sec = c->options.ce.connect_retry_seconds_max;
2381  }
2382  }
2383 
2384  if (c->persist.restart_sleep_seconds > 0 && c->persist.restart_sleep_seconds > sec)
2385  {
2386  sec = c->persist.restart_sleep_seconds;
2387  }
2388  else if (c->persist.restart_sleep_seconds == -1)
2389  {
2390  sec = 0;
2391  }
2392  c->persist.restart_sleep_seconds = 0;
2393 
2394  /* do managment hold on context restart, i.e. second, third, fourth, etc. initialization */
2395  if (do_hold(sec))
2396  {
2397  sec = 0;
2398  }
2399 
2400  if (sec)
2401  {
2402  msg(D_RESTART, "Restart pause, %d second(s)", sec);
2403  management_sleep(sec);
2404  }
2405 }
2406 
2407 /*
2408  * Do a possible pause on context_2 initialization.
2409  */
2410 static void
2411 do_startup_pause(struct context *c)
2412 {
2413  if (!c->first_time)
2414  {
2415  socket_restart_pause(c);
2416  }
2417  else
2418  {
2419  do_hold(0); /* do management hold on first context initialization */
2420  }
2421 }
2422 
2423 /*
2424  * Finalize MTU parameters based on command line or config file options.
2425  */
2426 static void
2427 frame_finalize_options(struct context *c, const struct options *o)
2428 {
2429  if (!o)
2430  {
2431  o = &c->options;
2432  }
2433 
2434  /*
2435  * Set adjustment factor for buffer alignment when no
2436  * cipher is used.
2437  */
2438  if (!CIPHER_ENABLED(c))
2439  {
2440  frame_align_to_extra_frame(&c->c2.frame);
2441  frame_or_align_flags(&c->c2.frame,
2442  FRAME_HEADROOM_MARKER_FRAGMENT
2443  |FRAME_HEADROOM_MARKER_READ_LINK
2444  |FRAME_HEADROOM_MARKER_READ_STREAM);
2445  }
2446 
2447  frame_add_to_extra_buffer(&c->c2.frame, PAYLOAD_ALIGN);
2448  frame_finalize(&c->c2.frame,
2449  o->ce.link_mtu_defined,
2450  o->ce.link_mtu,
2451  o->ce.tun_mtu_defined,
2452  o->ce.tun_mtu);
2453 }
2454 
2455 /*
2456  * Free a key schedule, including OpenSSL components.
2457  */
2458 static void
2459 key_schedule_free(struct key_schedule *ks, bool free_ssl_ctx)
2460 {
2461  free_key_ctx_bi(&ks->static_key);
2462  if (tls_ctx_initialised(&ks->ssl_ctx) && free_ssl_ctx)
2463  {
2464  tls_ctx_free(&ks->ssl_ctx);
2465  free_key_ctx(&ks->tls_crypt_v2_server_key);
2466  }
2467  CLEAR(*ks);
2468 }
2469 
2470 static void
2471 init_crypto_pre(struct context *c, const unsigned int flags)
2472 {
2473  if (c->options.engine)
2474  {
2475  crypto_init_lib_engine(c->options.engine);
2476  }
2477 
2478  if (flags & CF_LOAD_PERSISTED_PACKET_ID)
2479  {
2480  /* load a persisted packet-id for cross-session replay-protection */
2481  if (c->options.packet_id_file)
2482  {
2483  packet_id_persist_load(&c->c1.pid_persist, c->options.packet_id_file);
2484  }
2485  }
2486 
2487 #ifdef ENABLE_PREDICTION_RESISTANCE
2488  if (c->options.use_prediction_resistance)
2489  {
2490  rand_ctx_enable_prediction_resistance();
2491  }
2492 #endif
2493 
2494 }
2495 
2496 /*
2497  * Static Key Mode (using a pre-shared key)
2498  */
2499 static void
2500 do_init_crypto_static(struct context *c, const unsigned int flags)
2501 {
2502  const struct options *options = &c->options;
2503  ASSERT(options->shared_secret_file);
2504 
2505  init_crypto_pre(c, flags);
2506 
2507  /* Initialize flags */
2508  if (c->options.mute_replay_warnings)
2509  {
2510  c->c2.crypto_options.flags |= CO_MUTE_REPLAY_WARNINGS;
2511  }
2512 
2513  /* Initialize packet ID tracking */
2514  if (options->replay)
2515  {
2516  packet_id_init(&c->c2.crypto_options.packet_id,
2517  options->replay_window,
2518  options->replay_time,
2519  "STATIC", 0);
2520  c->c2.crypto_options.pid_persist = &c->c1.pid_persist;
2521  c->c2.crypto_options.flags |= CO_PACKET_ID_LONG_FORM;
2522  packet_id_persist_load_obj(&c->c1.pid_persist,
2523  &c->c2.crypto_options.packet_id);
2524  }
2525 
2526  if (!key_ctx_bi_defined(&c->c1.ks.static_key))
2527  {
2528  /* Get cipher & hash algorithms */
2529  init_key_type(&c->c1.ks.key_type, options->ciphername, options->authname,
2530  options->keysize, options->test_crypto, true);
2531 
2532  /* Read cipher and hmac keys from shared secret file */
2533  crypto_read_openvpn_key(&c->c1.ks.key_type, &c->c1.ks.static_key,
2534  options->shared_secret_file,
2535  options->shared_secret_file_inline,
2536  options->key_direction, "Static Key Encryption",
2537  "secret");
2538  }
2539  else
2540  {
2541  msg(M_INFO, "Re-using pre-shared static key");
2542  }
2543 
2544  /* Get key schedule */
2545  c->c2.crypto_options.key_ctx_bi = c->c1.ks.static_key;
2546 
2547  /* Compute MTU parameters */
2548  crypto_adjust_frame_parameters(&c->c2.frame, &c->c1.ks.key_type,
2549  options->replay, true);
2550 
2551  /* Sanity check on sequence number, and cipher mode options */
2552  check_replay_consistency(&c->c1.ks.key_type, options->replay);
2553 }
2554 
2555 /*
2556  * Initialize the tls-auth/crypt key context
2557  */
2558 static void
2559 do_init_tls_wrap_key(struct context *c)
2560 {
2561  const struct options *options = &c->options;
2562 
2563  /* TLS handshake authentication (--tls-auth) */
2564  if (options->ce.tls_auth_file)
2565  {
2566  /* Initialize key_type for tls-auth with auth only */
2567  CLEAR(c->c1.ks.tls_auth_key_type);
2568  if (!streq(options->authname, "none"))
2569  {
2570  c->c1.ks.tls_auth_key_type.digest = md_kt_get(options->authname);
2571  c->c1.ks.tls_auth_key_type.hmac_length =
2572  md_kt_size(c->c1.ks.tls_auth_key_type.digest);
2573  }
2574  else
2575  {
2576  msg(M_FATAL, "ERROR: tls-auth enabled, but no valid --auth "
2577  "algorithm specified ('%s')", options->authname);
2578  }
2579 
2580  crypto_read_openvpn_key(&c->c1.ks.tls_auth_key_type,
2581  &c->c1.ks.tls_wrap_key,
2582  options->ce.tls_auth_file,
2583  options->ce.tls_auth_file_inline,
2584  options->ce.key_direction,
2585  "Control Channel Authentication", "tls-auth");
2586  }
2587 
2588  /* TLS handshake encryption+authentication (--tls-crypt) */
2589  if (options->ce.tls_crypt_file)
2590  {
2591  tls_crypt_init_key(&c->c1.ks.tls_wrap_key,
2592  options->ce.tls_crypt_file,
2593  options->ce.tls_crypt_inline, options->tls_server);
2594  }
2595 
2596  /* tls-crypt with client-specific keys (--tls-crypt-v2) */
2597  if (options->ce.tls_crypt_v2_file)
2598  {
2599  if (options->tls_server)
2600  {
2601  tls_crypt_v2_init_server_key(&c->c1.ks.tls_crypt_v2_server_key,
2602  true, options->ce.tls_crypt_v2_file,
2603  options->ce.tls_crypt_v2_inline);
2604  }
2605  else
2606  {
2607  tls_crypt_v2_init_client_key(&c->c1.ks.tls_wrap_key,
2608  &c->c1.ks.tls_crypt_v2_wkc,
2609  options->ce.tls_crypt_v2_file,
2610  options->ce.tls_crypt_v2_inline);
2611  }
2612  }
2613 
2614 
2615 }
2616 
2617 /*
2618  * Initialize the persistent component of OpenVPN's TLS mode,
2619  * which is preserved across SIGUSR1 resets.
2620  */
2621 static void
2622 do_init_crypto_tls_c1(struct context *c)
2623 {
2624  const struct options *options = &c->options;
2625 
2626  if (!tls_ctx_initialised(&c->c1.ks.ssl_ctx))
2627  {
2628  /*
2629  * Initialize the OpenSSL library's global
2630  * SSL context.
2631  */
2632  init_ssl(options, &(c->c1.ks.ssl_ctx));
2633  if (!tls_ctx_initialised(&c->c1.ks.ssl_ctx))
2634  {
2635 #if P2MP
2636  switch (auth_retry_get())
2637  {
2638  case AR_NONE:
2639  msg(M_FATAL, "Error: private key password verification failed");
2640  break;
2641 
2642  case AR_INTERACT:
2643  ssl_purge_auth(false);
2644 
2645  case AR_NOINTERACT:
2646  c->sig->signal_received = SIGUSR1; /* SOFT-SIGUSR1 -- Password failure error */
2647  break;
2648 
2649  default:
2650  ASSERT(0);
2651  }
2652  c->sig->signal_text = "private-key-password-failure";
2653  return;
2654 #else /* if P2MP */
2655  msg(M_FATAL, "Error: private key password verification failed");
2656 #endif /* if P2MP */
2657  }
2658 
2659  /* Get cipher & hash algorithms */
2660  init_key_type(&c->c1.ks.key_type, options->ciphername, options->authname,
2661  options->keysize, true, true);
2662 
2663  /* Initialize PRNG with config-specified digest */
2664  prng_init(options->prng_hash, options->prng_nonce_secret_len);
2665 
2666  /* initialize tls-auth/crypt/crypt-v2 key */
2667  do_init_tls_wrap_key(c);
2668 
2669 #if 0 /* was: #if ENABLE_INLINE_FILES -- Note that enabling this code will break restarts */
2670  if (options->priv_key_file_inline)
2671  {
2672  string_clear(c->options.priv_key_file_inline);
2673  c->options.priv_key_file_inline = NULL;
2674  }
2675 #endif
2676  }
2677  else
2678  {
2679  msg(D_INIT_MEDIUM, "Re-using SSL/TLS context");
2680 
2681  /*
2682  * tls-auth/crypt key can be configured per connection block, therefore
2683  * we must reload it as it may have changed
2684  */
2685  do_init_tls_wrap_key(c);
2686  }
2687 }
2688 
2689 static void
2690 do_init_crypto_tls(struct context *c, const unsigned int flags)
2691 {
2692  const struct options *options = &c->options;
2693  struct tls_options to;
2694  bool packet_id_long_form;
2695 
2696  ASSERT(options->tls_server || options->tls_client);
2697  ASSERT(!options->test_crypto);
2698 
2699  init_crypto_pre(c, flags);
2700 
2701  /* Make sure we are either a TLS client or server but not both */
2702  ASSERT(options->tls_server == !options->tls_client);
2703 
2704  /* initialize persistent component */
2705  do_init_crypto_tls_c1(c);
2706  if (IS_SIG(c))
2707  {
2708  return;
2709  }
2710 
2711  /* Sanity check on sequence number, and cipher mode options */
2712  check_replay_consistency(&c->c1.ks.key_type, options->replay);
2713 
2714  /* In short form, unique datagram identifier is 32 bits, in long form 64 bits */
2715  packet_id_long_form = cipher_kt_mode_ofb_cfb(c->c1.ks.key_type.cipher);
2716 
2717  /* Compute MTU parameters (postpone if we push/pull options) */
2718  if (c->options.pull || c->options.mode == MODE_SERVER)
2719  {
2720  /* Account for worst-case crypto overhead before allocating buffers */
2721  frame_add_to_extra_frame(&c->c2.frame, crypto_max_overhead());
2722  }
2723  else
2724  {
2725  crypto_adjust_frame_parameters(&c->c2.frame, &c->c1.ks.key_type,
2726  options->replay, packet_id_long_form);
2727  }
2728  tls_adjust_frame_parameters(&c->c2.frame);
2729 
2730  /* Set all command-line TLS-related options */
2731  CLEAR(to);
2732 
2733  if (options->mute_replay_warnings)
2734  {
2735  to.crypto_flags |= CO_MUTE_REPLAY_WARNINGS;
2736  }
2737 
2738  to.crypto_flags &= ~(CO_PACKET_ID_LONG_FORM);
2739  if (packet_id_long_form)
2740  {
2741  to.crypto_flags |= CO_PACKET_ID_LONG_FORM;
2742  }
2743 
2744  to.ssl_ctx = c->c1.ks.ssl_ctx;
2745  to.key_type = c->c1.ks.key_type;
2746  to.server = options->tls_server;
2747  to.key_method = options->key_method;
2748  to.replay = options->replay;
2749  to.replay_window = options->replay_window;
2750  to.replay_time = options->replay_time;
2751  to.tcp_mode = link_socket_proto_connection_oriented(options->ce.proto);
2752  to.config_ciphername = c->c1.ciphername;
2753  to.config_authname = c->c1.authname;
2754  to.ncp_enabled = options->ncp_enabled;
2755  to.transition_window = options->transition_window;
2756  to.handshake_window = options->handshake_window;
2757  to.packet_timeout = options->tls_timeout;
2758  to.renegotiate_bytes = options->renegotiate_bytes;
2759  to.renegotiate_packets = options->renegotiate_packets;
2760  if (options->renegotiate_seconds_min < 0)
2761  {
2762  /* Add 10% jitter to reneg-sec by default (server side only) */
2763  int auto_jitter = options->mode != MODE_SERVER ? 0 :
2764  get_random() % max_int(options->renegotiate_seconds / 10, 1);
2765  to.renegotiate_seconds = options->renegotiate_seconds - auto_jitter;
2766  }
2767  else
2768  {
2769  /* Add user-specified jitter to reneg-sec */
2770  to.renegotiate_seconds = options->renegotiate_seconds
2771  -(get_random() % max_int(options->renegotiate_seconds
2772  - options->renegotiate_seconds_min, 1));
2773  }
2774  to.single_session = options->single_session;
2775  to.mode = options->mode;
2776  to.pull = options->pull;
2777  if (options->push_peer_info) /* all there is */
2778  {
2779  to.push_peer_info_detail = 2;
2780  }
2781  else if (options->pull) /* pull clients send some details */
2782  {
2783  to.push_peer_info_detail = 1;
2784  }
2785  else /* default: no peer-info at all */
2786  {
2787  to.push_peer_info_detail = 0;
2788  }
2789 
2790  /* should we not xmit any packets until we get an initial
2791  * response from client? */
2792  if (to.server && options->ce.proto == PROTO_TCP_SERVER)
2793  {
2794  to.xmit_hold = true;
2795  }
2796 
2797 #ifdef ENABLE_OCC
2798  to.disable_occ = !options->occ;
2799 #endif
2800 
2801  to.verify_command = options->tls_verify;
2802  to.verify_export_cert = options->tls_export_cert;
2803  to.verify_x509_type = (options->verify_x509_type & 0xff);
2804  to.verify_x509_name = options->verify_x509_name;
2805  to.crl_file = options->crl_file;
2806  to.crl_file_inline = options->crl_file_inline;
2807  to.ssl_flags = options->ssl_flags;
2808  to.ns_cert_type = options->ns_cert_type;
2809  memmove(to.remote_cert_ku, options->remote_cert_ku, sizeof(to.remote_cert_ku));
2810  to.remote_cert_eku = options->remote_cert_eku;
2811  to.verify_hash = options->verify_hash;
2812  to.verify_hash_algo = options->verify_hash_algo;
2813 #ifdef ENABLE_X509ALTUSERNAME
2814  to.x509_username_field = (char *) options->x509_username_field;
2815 #else
2816  to.x509_username_field = X509_USERNAME_FIELD_DEFAULT;
2817 #endif
2818  to.es = c->c2.es;
2819 
2820 #ifdef ENABLE_DEBUG
2821  to.gremlin = c->options.gremlin;
2822 #endif
2823 
2824  to.plugins = c->plugins;
2825 
2826 #ifdef MANAGEMENT_DEF_AUTH
2827  to.mda_context = &c->c2.mda_context;
2828 #endif
2829 
2830 #if P2MP_SERVER
2831  to.auth_user_pass_verify_script = options->auth_user_pass_verify_script;
2832  to.auth_user_pass_verify_script_via_file = options->auth_user_pass_verify_script_via_file;
2833  to.tmp_dir = options->tmp_dir;
2834  if (options->ccd_exclusive)
2835  {
2836  to.client_config_dir_exclusive = options->client_config_dir;
2837  }
2838  to.auth_user_pass_file = options->auth_user_pass_file;
2839  to.auth_token_generate = options->auth_token_generate;
2840  to.auth_token_lifetime = options->auth_token_lifetime;
2841 #endif
2842 
2843  to.x509_track = options->x509_track;
2844 
2845 #if P2MP
2846 #ifdef ENABLE_MANAGEMENT
2847  to.sci = &options->sc_info;
2848 #endif
2849 #endif
2850 
2851 #ifdef USE_COMP
2852  to.comp_options = options->comp;
2853 #endif
2854 
2855 #if defined(ENABLE_CRYPTO_OPENSSL) && OPENSSL_VERSION_NUMBER >= 0x10001000
2856  if (options->keying_material_exporter_label)
2857  {
2858  to.ekm_size = options->keying_material_exporter_length;
2859  if (to.ekm_size < 16 || to.ekm_size > 4095)
2860  {
2861  to.ekm_size = 0;
2862  }
2863 
2864  to.ekm_label = options->keying_material_exporter_label;
2865  to.ekm_label_size = strlen(to.ekm_label);
2866  }
2867  else
2868  {
2869  to.ekm_size = 0;
2870  }
2871 #endif
2872 
2873  /* TLS handshake authentication (--tls-auth) */
2874  if (options->ce.tls_auth_file)
2875  {
2876  to.tls_wrap.mode = TLS_WRAP_AUTH;
2877  to.tls_wrap.opt.key_ctx_bi = c->c1.ks.tls_wrap_key;
2878  to.tls_wrap.opt.pid_persist = &c->c1.pid_persist;
2879  to.tls_wrap.opt.flags |= CO_PACKET_ID_LONG_FORM;
2880  crypto_adjust_frame_parameters(&to.frame, &c->c1.ks.tls_auth_key_type,
2881  true, true);
2882  }
2883 
2884  /* TLS handshake encryption (--tls-crypt) */
2885  if (options->ce.tls_crypt_file
2886  || (options->ce.tls_crypt_v2_file && options->tls_client))
2887  {
2888  to.tls_wrap.mode = TLS_WRAP_CRYPT;
2889  to.tls_wrap.opt.key_ctx_bi = c->c1.ks.tls_wrap_key;
2890  to.tls_wrap.opt.pid_persist = &c->c1.pid_persist;
2891  to.tls_wrap.opt.flags |= CO_PACKET_ID_LONG_FORM;
2892  tls_crypt_adjust_frame_parameters(&to.frame);
2893 
2894  if (options->ce.tls_crypt_v2_file)
2895  {
2896  to.tls_wrap.tls_crypt_v2_wkc = &c->c1.ks.tls_crypt_v2_wkc;
2897  }
2898  }
2899 
2900  if (options->ce.tls_crypt_v2_file)
2901  {
2902  to.tls_crypt_v2 = true;
2903  if (options->tls_server)
2904  {
2905  to.tls_wrap.tls_crypt_v2_server_key = c->c1.ks.tls_crypt_v2_server_key;
2906  to.tls_crypt_v2_verify_script = c->options.tls_crypt_v2_verify_script;
2907  }
2908  }
2909 
2910  /* If we are running over TCP, allow for
2911  * length prefix */
2912  socket_adjust_frame_parameters(&to.frame, options->ce.proto);
2913 
2914  /*
2915  * Initialize OpenVPN's master TLS-mode object.
2916  */
2917  if (flags & CF_INIT_TLS_MULTI)
2918  {
2919  c->c2.tls_multi = tls_multi_init(&to);
2920  }
2921 
2922  if (flags & CF_INIT_TLS_AUTH_STANDALONE)
2923  {
2924  c->c2.tls_auth_standalone = tls_auth_standalone_init(&to, &c->c2.gc);
2925  }
2926 }
2927 
2928 static void
2929 do_init_finalize_tls_frame(struct context *c)
2930 {
2931  if (c->c2.tls_multi)
2932  {
2933  tls_multi_init_finalize(c->c2.tls_multi, &c->c2.frame);
2934  ASSERT(EXPANDED_SIZE(&c->c2.tls_multi->opt.frame) <=
2935  EXPANDED_SIZE(&c->c2.frame));
2936  frame_print(&c->c2.tls_multi->opt.frame, D_MTU_INFO,
2937  "Control Channel MTU parms");
2938  }
2939  if (c->c2.tls_auth_standalone)
2940  {
2941  tls_auth_standalone_finalize(c->c2.tls_auth_standalone, &c->c2.frame);
2942  frame_print(&c->c2.tls_auth_standalone->frame, D_MTU_INFO,
2943  "TLS-Auth MTU parms");
2944  }
2945 }
2946 
2947 /*
2948  * No encryption or authentication.
2949  */
2950 static void
2951 do_init_crypto_none(const struct context *c)
2952 {
2953  ASSERT(!c->options.test_crypto);
2954  msg(M_WARN,
2955  "******* WARNING *******: All encryption and authentication features "
2956  "disabled -- All data will be tunnelled as clear text and will not be "
2957  "protected against man-in-the-middle changes. "
2958  "PLEASE DO RECONSIDER THIS CONFIGURATION!");
2959 }
2960 
2961 static void
2962 do_init_crypto(struct context *c, const unsigned int flags)
2963 {
2964  if (c->options.shared_secret_file)
2965  {
2966  do_init_crypto_static(c, flags);
2967  }
2968  else if (c->options.tls_server || c->options.tls_client)
2969  {
2970  do_init_crypto_tls(c, flags);
2971  }
2972  else /* no encryption or authentication. */
2973  {
2974  do_init_crypto_none(c);
2975  }
2976 }
2977 
2978 static void
2979 do_init_frame(struct context *c)
2980 {
2981 #ifdef USE_COMP
2982  /*
2983  * modify frame parameters if compression is enabled
2984  */
2985  if (comp_enabled(&c->options.comp))
2986  {
2987  comp_add_to_extra_frame(&c->c2.frame);
2988 
2989 #if !defined(ENABLE_LZ4)
2990  /*
2991  * Compression usage affects buffer alignment when non-swapped algs
2992  * such as LZO is used.
2993  * Newer algs like LZ4 and comp-stub with COMP_F_SWAP don't need
2994  * any special alignment because of the control-byte swap approach.
2995  * LZO alignment (on the other hand) is problematic because
2996  * the presence of the control byte means that either the output of
2997  * decryption must be written to an unaligned buffer, or the input
2998  * to compression (or packet dispatch if packet is uncompressed)
2999  * must be read from an unaligned buffer.
3000  * This code tries to align the input to compression (or packet
3001  * dispatch if packet is uncompressed) at the cost of requiring
3002  * decryption output to be written to an unaligned buffer, so
3003  * it's more of a tradeoff than an optimal solution and we don't
3004  * include it when we are doing a modern build with LZ4.
3005  * Strictly speaking, on the server it would be better to execute
3006  * this code for every connection after we decide the compression
3007  * method, but currently the frame code doesn't appear to be
3008  * flexible enough for this, since the frame is already established
3009  * before it is known which compression options will be pushed.
3010  */
3011  if (comp_unswapped_prefix(&c->options.comp) && CIPHER_ENABLED(c))
3012  {
3013  frame_add_to_align_adjust(&c->c2.frame, COMP_PREFIX_LEN);
3014  frame_or_align_flags(&c->c2.frame,
3015  FRAME_HEADROOM_MARKER_FRAGMENT
3016  |FRAME_HEADROOM_MARKER_DECRYPT);
3017  }
3018 #endif
3019 
3020 #ifdef ENABLE_FRAGMENT
3021  comp_add_to_extra_frame(&c->c2.frame_fragment_omit); /* omit compression frame delta from final frame_fragment */
3022 #endif
3023  }
3024 #endif /* USE_COMP */
3025 
3026  /*
3027  * Adjust frame size for UDP Socks support.
3028  */
3029  if (c->options.ce.socks_proxy_server)
3030  {
3031  socks_adjust_frame_parameters(&c->c2.frame, c->options.ce.proto);
3032  }
3033 
3034  /*
3035  * Adjust frame size based on the --tun-mtu-extra parameter.
3036  */
3037  if (c->options.ce.tun_mtu_extra_defined)
3038  {
3039  tun_adjust_frame_parameters(&c->c2.frame, c->options.ce.tun_mtu_extra);
3040  }
3041 
3042  /*
3043  * Adjust frame size based on link socket parameters.
3044  * (Since TCP is a stream protocol, we need to insert
3045  * a packet length uint16_t in the buffer.)
3046  */
3047  socket_adjust_frame_parameters(&c->c2.frame, c->options.ce.proto);
3048 
3049  /*
3050  * Fill in the blanks in the frame parameters structure,
3051  * make sure values are rational, etc.
3052  */
3053  frame_finalize_options(c, NULL);
3054 
3055 #ifdef USE_COMP
3056  /*
3057  * Modify frame parameters if compression is compiled in.
3058  * Should be called after frame_finalize_options.
3059  */
3060  comp_add_to_extra_buffer(&c->c2.frame);
3061 #ifdef ENABLE_FRAGMENT
3062  comp_add_to_extra_buffer(&c->c2.frame_fragment_omit); /* omit compression frame delta from final frame_fragment */
3063 #endif
3064 #endif /* USE_COMP */
3065 
3066  /* packets with peer-id (P_DATA_V2) need 3 extra bytes in frame (on client)
3067  * and need link_mtu+3 bytes on socket reception (on server).
3068  *
3069  * accomodate receive path in f->extra_link, which has the side effect of
3070  * also increasing send buffers (BUF_SIZE() macro), which need to be
3071  * allocated big enough before receiving peer-id option from server.
3072  *
3073  * f->extra_frame is adjusted when peer-id option is push-received
3074  */
3075  frame_add_to_extra_link(&c->c2.frame, 3);
3076 
3077 #ifdef ENABLE_FRAGMENT
3078  /*
3079  * Set frame parameter for fragment code. This is necessary because
3080  * the fragmentation code deals with payloads which have already been
3081  * passed through the compression code.
3082  */
3083  c->c2.frame_fragment = c->c2.frame;
3084  frame_subtract_extra(&c->c2.frame_fragment, &c->c2.frame_fragment_omit);
3085 #endif
3086 
3087 #if defined(ENABLE_FRAGMENT) && defined(ENABLE_OCC)
3088  /*
3089  * MTU advisories
3090  */
3091  if (c->options.ce.fragment && c->options.mtu_test)
3092  {
3093  msg(M_WARN,
3094  "WARNING: using --fragment and --mtu-test together may produce an inaccurate MTU test result");
3095  }
3096 #endif
3097 
3098 #ifdef ENABLE_FRAGMENT
3099  if ((c->options.ce.mssfix || c->options.ce.fragment)
3100  && TUN_MTU_SIZE(&c->c2.frame_fragment) != ETHERNET_MTU)
3101  {
3102  msg(M_WARN,
3103  "WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu %d (currently it is %d)",
3104  ETHERNET_MTU, TUN_MTU_SIZE(&c->c2.frame_fragment));
3105  }
3106 #endif
3107 }
3108 
3109 static void
3110 do_option_warnings(struct context *c)
3111 {
3112  const struct options *o = &c->options;
3113 
3114  if (o->ping_send_timeout && !o->ping_rec_timeout)
3115  {
3116  msg(M_WARN, "WARNING: --ping should normally be used with --ping-restart or --ping-exit");
3117  }
3118 
3119  if (o->username || o->groupname || o->chroot_dir
3120 #ifdef ENABLE_SELINUX
3121  || o->selinux_context
3122 #endif
3123  )
3124  {
3125  if (!o->persist_tun)
3126  {
3127  msg(M_WARN, "WARNING: you are using user/group/chroot/setcon without persist-tun -- this may cause restarts to fail");
3128  }
3129  if (!o->persist_key
3130 #ifdef ENABLE_PKCS11
3131  && !o->pkcs11_id
3132 #endif
3133  )
3134  {
3135  msg(M_WARN, "WARNING: you are using user/group/chroot/setcon without persist-key -- this may cause restarts to fail");
3136  }
3137  }
3138 
3139  if (o->chroot_dir && !(o->username && o->groupname))
3140  {
3141  msg(M_WARN, "WARNING: you are using chroot without specifying user and group -- this may cause the chroot jail to be insecure");
3142  }
3143 
3144 #if P2MP
3145  if (o->pull && o->ifconfig_local && c->first_time)
3146  {
3147  msg(M_WARN, "WARNING: using --pull/--client and --ifconfig together is probably not what you want");
3148  }
3149 
3150 #if P2MP_SERVER
3151  if (o->server_bridge_defined | o->server_bridge_proxy_dhcp)
3152  {
3153  msg(M_WARN, "NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to");
3154  }
3155 
3156  if (o->mode == MODE_SERVER)
3157  {
3158  if (o->duplicate_cn && o->client_config_dir)
3159  {
3160  msg(M_WARN, "WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want");
3161  }
3162  if (o->duplicate_cn && o->ifconfig_pool_persist_filename)
3163  {
3164  msg(M_WARN, "WARNING: --ifconfig-pool-persist will not work with --duplicate-cn");
3165  }
3166  if (!o->keepalive_ping || !o->keepalive_timeout)
3167  {
3168  msg(M_WARN, "WARNING: --keepalive option is missing from server config");
3169  }
3170  }
3171 #endif /* if P2MP_SERVER */
3172 #endif /* if P2MP */
3173 
3174  if (!o->replay)
3175  {
3176  msg(M_WARN, "WARNING: You have disabled Replay Protection (--no-replay) which may make " PACKAGE_NAME " less secure");
3177  }
3178 
3179  if (o->tls_server)
3180  {
3181  warn_on_use_of_common_subnets();
3182  }
3183  if (o->tls_client
3184  && !o->tls_verify
3185  && o->verify_x509_type == VERIFY_X509_NONE
3186  && !(o->ns_cert_type & NS_CERT_CHECK_SERVER)
3187  && !o->remote_cert_eku)
3188  {
3189  msg(M_WARN, "WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.");
3190  }
3191  if (o->ns_cert_type)
3192  {
3193  msg(M_WARN, "WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.");
3194  }
3195 
3196  /* If a script is used, print appropiate warnings */
3197  if (o->user_script_used)
3198  {
3199  if (script_security() >= SSEC_SCRIPTS)
3200  {
3201  msg(M_WARN, "NOTE: the current --script-security setting may allow this configuration to call user-defined scripts");
3202  }
3203  else if (script_security() >= SSEC_PW_ENV)
3204  {
3205  msg(M_WARN, "WARNING: the current --script-security setting may allow passwords to be passed to scripts via environmental variables");
3206  }
3207  else
3208  {
3209  msg(M_WARN, "NOTE: starting with " PACKAGE_NAME " 2.1, '--script-security 2' or higher is required to call user-defined scripts or executables");
3210  }
3211  }
3212 }
3213 
3214 static void
3215 do_init_frame_tls(struct context *c)
3216 {
3217  do_init_finalize_tls_frame(c);
3218 }
3219 
3220 struct context_buffers *
3221 init_context_buffers(const struct frame *frame)
3222 {
3223  struct context_buffers *b;
3224 
3225  ALLOC_OBJ_CLEAR(b, struct context_buffers);
3226 
3227  b->read_link_buf = alloc_buf(BUF_SIZE(frame));
3228  b->read_tun_buf = alloc_buf(BUF_SIZE(frame));
3229 
3230  b->aux_buf = alloc_buf(BUF_SIZE(frame));
3231 
3232  b->encrypt_buf = alloc_buf(BUF_SIZE(frame));
3233  b->decrypt_buf = alloc_buf(BUF_SIZE(frame));
3234 
3235 #ifdef USE_COMP
3236  b->compress_buf = alloc_buf(BUF_SIZE(frame));
3237  b->decompress_buf = alloc_buf(BUF_SIZE(frame));
3238 #endif
3239 
3240  return b;
3241 }
3242 
3243 void
3244 free_context_buffers(struct context_buffers *b)
3245 {
3246  if (b)
3247  {
3248  free_buf(&b->read_link_buf);
3249  free_buf(&b->read_tun_buf);
3250  free_buf(&b->aux_buf);
3251 
3252 #ifdef USE_COMP
3253  free_buf(&b->compress_buf);
3254  free_buf(&b->decompress_buf);
3255 #endif
3256 
3257  free_buf(&b->encrypt_buf);
3258  free_buf(&b->decrypt_buf);
3259 
3260  free(b);
3261  }
3262 }
3263 
3264 /*
3265  * Now that we know all frame parameters, initialize
3266  * our buffers.
3267  */
3268 static void
3269 do_init_buffers(struct context *c)
3270 {
3271  c->c2.buffers = init_context_buffers(&c->c2.frame);
3272  c->c2.buffers_owned = true;
3273 }
3274 
3275 #ifdef ENABLE_FRAGMENT
3276 /*
3277  * Fragmenting code has buffers to initialize
3278  * once frame parameters are known.
3279  */
3280 static void
3281 do_init_fragment(struct context *c)
3282 {
3283  ASSERT(c->options.ce.fragment);
3284  frame_set_mtu_dynamic(&c->c2.frame_fragment,
3285  c->options.ce.fragment, SET_MTU_UPPER_BOUND);
3286  fragment_frame_init(c->c2.fragment, &c->c2.frame_fragment);
3287 }
3288 #endif
3289 
3290 /*
3291  * Allocate our socket object.
3292  */
3293 static void
3294 do_link_socket_new(struct context *c)
3295 {
3296  ASSERT(!c->c2.link_socket);
3297  c->c2.link_socket = link_socket_new();
3298  c->c2.link_socket_owned = true;
3299 }
3300 
3301 /*
3302  * bind the TCP/UDP socket
3303  */
3304 static void
3305 do_init_socket_1(struct context *c, const int mode)
3306 {
3307  unsigned int sockflags = c->options.sockflags;
3308 
3309 #if PORT_SHARE
3310  if (c->options.port_share_host && c->options.port_share_port)
3311  {
3312  sockflags |= SF_PORT_SHARE;
3313  }
3314 #endif
3315 
3316  link_socket_init_phase1(c->c2.link_socket,
3317  c->options.ce.local,
3318  c->options.ce.local_port,
3319  c->options.ce.remote,
3320  c->options.ce.remote_port,
3321  c->c1.dns_cache,
3322  c->options.ce.proto,
3323  c->options.ce.af,
3324  c->options.ce.bind_ipv6_only,
3325  mode,
3326  c->c2.accept_from,
3327  c->c1.http_proxy,
3328  c->c1.socks_proxy,
3329 #ifdef ENABLE_DEBUG
3330  c->options.gremlin,
3331 #endif
3332  c->options.ce.bind_local,
3333  c->options.ce.remote_float,
3334  c->options.inetd,
3335  &c->c1.link_socket_addr,
3336  c->options.ipchange,
3337  c->plugins,
3338  c->options.resolve_retry_seconds,
3339  c->options.ce.mtu_discover_type,
3340  c->options.rcvbuf,
3341  c->options.sndbuf,
3342  c->options.mark,
3343  &c->c2.server_poll_interval,
3344  sockflags);
3345 }
3346 
3347 /*
3348  * finalize the TCP/UDP socket
3349  */
3350 static void
3351 do_init_socket_2(struct context *c)
3352 {
3353  link_socket_init_phase2(c->c2.link_socket, &c->c2.frame,
3354  c->sig);
3355 }
3356 
3357 /*
3358  * Print MTU INFO
3359  */
3360 static void
3361 do_print_data_channel_mtu_parms(struct context *c)
3362 {
3363  frame_print(&c->c2.frame, D_MTU_INFO, "Data Channel MTU parms");
3364 #ifdef ENABLE_FRAGMENT
3365  if (c->c2.fragment)
3366  {
3367  frame_print(&c->c2.frame_fragment, D_MTU_INFO,
3368  "Fragmentation MTU parms");
3369  }
3370 #endif
3371 }
3372 
3373 #ifdef ENABLE_OCC
3374 /*
3375  * Get local and remote options compatibility strings.
3376  */
3377 static void
3378 do_compute_occ_strings(struct context *c)
3379 {
3380  struct gc_arena gc = gc_new();
3381 
3382  c->c2.options_string_local =
3383  options_string(&c->options, &c->c2.frame, c->c1.tuntap, false, &gc);
3384  c->c2.options_string_remote =
3385  options_string(&c->options, &c->c2.frame, c->c1.tuntap, true, &gc);
3386 
3387  msg(D_SHOW_OCC, "Local Options String (VER=%s): '%s'",
3388  options_string_version(c->c2.options_string_local, &gc),
3389  c->c2.options_string_local);
3390  msg(D_SHOW_OCC, "Expected Remote Options String (VER=%s): '%s'",
3391  options_string_version(c->c2.options_string_remote, &gc),
3392  c->c2.options_string_remote);
3393 
3394  if (c->c2.tls_multi)
3395  {
3396  tls_multi_init_set_options(c->c2.tls_multi,
3397  c->c2.options_string_local,
3398  c->c2.options_string_remote);
3399  }
3400 
3401  gc_free(&gc);
3402 }
3403 #endif /* ifdef ENABLE_OCC */
3404 
3405 /*
3406  * These things can only be executed once per program instantiation.
3407  * Set up for possible UID/GID downgrade, but don't do it yet.
3408  * Daemonize if requested.
3409  */
3410 static void
3411 do_init_first_time(struct context *c)
3412 {
3413  if (c->first_time && !c->c0)
3414  {
3415  struct context_0 *c0;
3416 
3417  ALLOC_OBJ_CLEAR_GC(c->c0, struct context_0, &c->gc);
3418  c0 = c->c0;
3419 
3420  /* get user and/or group that we want to setuid/setgid to */
3421  c0->uid_gid_specified =
3422  platform_group_get(c->options.groupname, &c0->platform_state_group)
3423  |platform_user_get(c->options.username, &c0->platform_state_user);
3424 
3425  /* perform postponed chdir if --daemon */
3426  if (c->did_we_daemonize && c->options.cd_dir == NULL)
3427  {
3428  platform_chdir("/");
3429  }
3430 
3431  /* should we change scheduling priority? */
3432  platform_nice(c->options.nice);
3433  }
3434 }
3435 
3436 /*
3437  * If xinetd/inetd mode, don't allow restart.
3438  */
3439 static void
3440 do_close_check_if_restart_permitted(struct context *c)
3441 {
3442  if (c->options.inetd
3443  && (c->sig->signal_received == SIGHUP
3444  || c->sig->signal_received == SIGUSR1))
3445  {
3446  c->sig->signal_received = SIGTERM;
3447  msg(M_INFO,
3448  PACKAGE_NAME
3449  " started by inetd/xinetd cannot restart... Exiting.");
3450  }
3451 }
3452 
3453 /*
3454  * free buffers
3455  */
3456 static void
3457 do_close_free_buf(struct context *c)
3458 {
3459  if (c->c2.buffers_owned)
3460  {
3461  free_context_buffers(c->c2.buffers);
3462  c->c2.buffers = NULL;
3463  c->c2.buffers_owned = false;
3464  }
3465 }
3466 
3467 /*
3468  * close TLS
3469  */
3470 static void
3471 do_close_tls(struct context *c)
3472 {
3473  if (c->c2.tls_multi)
3474  {
3475  tls_multi_free(c->c2.tls_multi, true);
3476  c->c2.tls_multi = NULL;
3477  }
3478 
3479 #ifdef ENABLE_OCC
3480  /* free options compatibility strings */
3481  if (c->c2.options_string_local)
3482  {
3483  free(c->c2.options_string_local);
3484  }
3485  if (c->c2.options_string_remote)
3486  {
3487  free(c->c2.options_string_remote);
3488  }
3489  c->c2.options_string_local = c->c2.options_string_remote = NULL;
3490 #endif
3491 
3492  if (c->c2.pulled_options_state)
3493  {
3494  md_ctx_cleanup(c->c2.pulled_options_state);
3495  md_ctx_free(c->c2.pulled_options_state);
3496  }
3497 }
3498 
3499 /*
3500  * Free key schedules
3501  */
3502 static void
3503 do_close_free_key_schedule(struct context *c, bool free_ssl_ctx)
3504 {
3505  /*
3506  * always free the tls_auth/crypt key. If persist_key is true, the key will
3507  * be reloaded from memory (pre-cached)
3508  */
3509  free_key_ctx_bi(&c->c1.ks.tls_wrap_key);
3510  CLEAR(c->c1.ks.tls_wrap_key);
3511  buf_clear(&c->c1.ks.tls_crypt_v2_wkc);
3512  free_buf(&c->c1.ks.tls_crypt_v2_wkc);
3513 
3514  if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_key))
3515  {
3516  key_schedule_free(&c->c1.ks, free_ssl_ctx);
3517  }
3518 }
3519 
3520 /*
3521  * Close TCP/UDP connection
3522  */
3523 static void
3524 do_close_link_socket(struct context *c)
3525 {
3526  if (c->c2.link_socket && c->c2.link_socket_owned)
3527  {
3528  link_socket_close(c->c2.link_socket);
3529  c->c2.link_socket = NULL;
3530  }
3531 
3532 
3533  /* Preserve the resolved list of remote if the user request to or if we want
3534  * reconnect to the same host again or there are still addresses that need
3535  * to be tried */
3536  if (!(c->sig->signal_received == SIGUSR1
3537  && ( (c->options.persist_remote_ip)
3538  ||
3539  ( c->sig->source != SIG_SOURCE_HARD
3540  && ((c->c1.link_socket_addr.current_remote && c->c1.link_socket_addr.current_remote->ai_next)
3541  || c->options.no_advance))
3542  )))
3543  {
3544  clear_remote_addrlist(&c->c1.link_socket_addr, !c->options.resolve_in_advance);
3545  }
3546 
3547  /* Clear the remote actual address when persist_remote_ip is not in use */
3548  if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_remote_ip))
3549  {
3550  CLEAR(c->c1.link_socket_addr.actual);
3551  }
3552 
3553  if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_local_ip))
3554  {
3555  if (c->c1.link_socket_addr.bind_local && !c->options.resolve_in_advance)
3556  {
3557  freeaddrinfo(c->c1.link_socket_addr.bind_local);
3558  }
3559 
3560  c->c1.link_socket_addr.bind_local = NULL;
3561  }
3562 }
3563 
3564 /*
3565  * Close packet-id persistance file
3566  */
3567 static void
3568 do_close_packet_id(struct context *c)
3569 {
3570  packet_id_free(&c->c2.crypto_options.packet_id);
3571  packet_id_persist_save(&c->c1.pid_persist);
3572  if (!(c->sig->signal_received == SIGUSR1))
3573  {
3574  packet_id_persist_close(&c->c1.pid_persist);
3575  }
3576 }
3577 
3578 #ifdef ENABLE_FRAGMENT
3579 /*
3580  * Close fragmentation handler.
3581  */
3582 static void
3583 do_close_fragment(struct context *c)
3584 {
3585  if (c->c2.fragment)
3586  {
3587  fragment_free(c->c2.fragment);
3588  c->c2.fragment = NULL;
3589  }
3590 }
3591 #endif
3592 
3593 /*
3594  * Open and close our event objects.
3595  */
3596 
3597 static void
3598 do_event_set_init(struct context *c,
3599  bool need_us_timeout)
3600 {
3601  unsigned int flags = 0;
3602 
3603  c->c2.event_set_max = BASE_N_EVENTS;
3604 
3605  flags |= EVENT_METHOD_FAST;
3606 
3607  if (need_us_timeout)
3608  {
3609  flags |= EVENT_METHOD_US_TIMEOUT;
3610  }
3611 
3612  c->c2.event_set = event_set_init(&c->c2.event_set_max, flags);
3613  c->c2.event_set_owned = true;
3614 }
3615 
3616 static void
3617 do_close_event_set(struct context *c)
3618 {
3619  if (c->c2.event_set && c->c2.event_set_owned)
3620  {
3621  event_free(c->c2.event_set);
3622  c->c2.event_set = NULL;
3623  c->c2.event_set_owned = false;
3624  }
3625 }
3626 
3627 /*
3628  * Open and close --status file
3629  */
3630 
3631 static void
3632 do_open_status_output(struct context *c)
3633 {
3634  if (!c->c1.status_output)
3635  {
3636  c->c1.status_output = status_open(c->options.status_file,
3637  c->options.status_file_update_freq,
3638  -1,
3639  NULL,
3640  STATUS_OUTPUT_WRITE);
3641  c->c1.status_output_owned = true;
3642  }
3643 }
3644 
3645 static void
3646 do_close_status_output(struct context *c)
3647 {
3648  if (!(c->sig->signal_received == SIGUSR1))
3649  {
3650  if (c->c1.status_output_owned && c->c1.status_output)
3651  {
3652  status_close(c->c1.status_output);
3653  c->c1.status_output = NULL;
3654  c->c1.status_output_owned = false;
3655  }
3656  }
3657 }
3658 
3659 /*
3660  * Handle ifconfig-pool persistance object.
3661  */
3662 static void
3663 do_open_ifconfig_pool_persist(struct context *c)
3664 {
3665 #if P2MP_SERVER
3666  if (!c->c1.ifconfig_pool_persist && c->options.ifconfig_pool_persist_filename)
3667  {
3668  c->c1.ifconfig_pool_persist = ifconfig_pool_persist_init(c->options.ifconfig_pool_persist_filename,
3669  c->options.ifconfig_pool_persist_refresh_freq);
3670  c->c1.ifconfig_pool_persist_owned = true;
3671  }
3672 #endif
3673 }
3674 
3675 static void
3676 do_close_ifconfig_pool_persist(struct context *c)
3677 {
3678 #if P2MP_SERVER
3679  if (!(c->sig->signal_received == SIGUSR1))
3680  {
3681  if (c->c1.ifconfig_pool_persist && c->c1.ifconfig_pool_persist_owned)
3682  {
3683  ifconfig_pool_persist_close(c->c1.ifconfig_pool_persist);
3684  c->c1.ifconfig_pool_persist = NULL;
3685  c->c1.ifconfig_pool_persist_owned = false;
3686  }
3687  }
3688 #endif
3689 }
3690 
3691 /*
3692  * Inherit environmental variables
3693  */
3694 
3695 static void
3696 do_inherit_env(struct context *c, const struct env_set *src)
3697 {
3698  c->c2.es = env_set_create(NULL);
3699  c->c2.es_owned = true;
3700  env_set_inherit(c->c2.es, src);
3701 }
3702 
3703 static void
3704 do_env_set_destroy(struct context *c)
3705 {
3706  if (c->c2.es && c->c2.es_owned)
3707  {
3708  env_set_destroy(c->c2.es);
3709  c->c2.es = NULL;
3710  c->c2.es_owned = false;
3711  }
3712 }
3713 
3714 /*
3715  * Fast I/O setup. Fast I/O is an optimization which only works
3716  * if all of the following are true:
3717  *
3718  * (1) The platform is not Windows
3719  * (2) --proto udp is enabled
3720  * (3) --shaper is disabled
3721  */
3722 static void
3723 do_setup_fast_io(struct context *c)
3724 {
3725  if (c->options.fast_io)
3726  {
3727 #ifdef _WIN32
3728  msg(M_INFO, "NOTE: --fast-io is disabled since we are running on Windows");
3729 #else
3730  if (!proto_is_udp(c->options.ce.proto))
3731  {
3732  msg(M_INFO, "NOTE: --fast-io is disabled since we are not using UDP");
3733  }
3734  else
3735  {
3736 #ifdef ENABLE_FEATURE_SHAPER
3737  if (c->options.shaper)
3738  {
3739  msg(M_INFO, "NOTE: --fast-io is disabled since we are using --shaper");
3740  }
3741  else
3742 #endif
3743  {
3744  c->c2.fast_io = true;
3745  }
3746  }
3747 #endif
3748  }
3749 }
3750 
3751 static void
3752 do_signal_on_tls_errors(struct context *c)
3753 {
3754  if (c->options.tls_exit)
3755  {
3756  c->c2.tls_exit_signal = SIGTERM;
3757  }
3758  else
3759  {
3760  c->c2.tls_exit_signal = SIGUSR1;
3761  }
3762 }
3763 
3764 #ifdef ENABLE_PLUGIN
3765 
3766 void
3767 init_plugins(struct context *c)
3768 {
3769  if (c->options.plugin_list && !c->plugins)
3770  {
3771  c->plugins = plugin_list_init(c->options.plugin_list);
3772  c->plugins_owned = true;
3773  }
3774 }
3775 
3776 void
3777 open_plugins(struct context *c, const bool import_options, int init_point)
3778 {
3779  if (c->plugins && c->plugins_owned)
3780  {
3781  if (import_options)
3782  {
3783  struct plugin_return pr, config;
3784  plugin_return_init(&pr);
3785  plugin_list_open(c->plugins, c->options.plugin_list, &pr, c->c2.es, init_point);
3786  plugin_return_get_column(&pr, &config, "config");
3787  if (plugin_return_defined(&config))
3788  {
3789  int i;
3790  for (i = 0; i < config.n; ++i)
3791  {
3792  unsigned int option_types_found = 0;
3793  if (config.list[i] && config.list[i]->value)
3794  {
3795  options_string_import(&c->options,
3796  config.list[i]->value,
3797  D_IMPORT_ERRORS|M_OPTERR,
3798  OPT_P_DEFAULT & ~OPT_P_PLUGIN,
3799  &option_types_found,
3800  c->es);
3801  }
3802  }
3803  }
3804  plugin_return_free(&pr);
3805  }
3806  else
3807  {
3808  plugin_list_open(c->plugins, c->options.plugin_list, NULL, c->c2.es, init_point);
3809  }
3810  }
3811 }
3812 
3813 static void
3814 do_close_plugins(struct context *c)
3815 {
3816  if (c->plugins && c->plugins_owned && !(c->sig->signal_received == SIGUSR1))
3817  {
3818  plugin_list_close(c->plugins);
3819  c->plugins = NULL;
3820  c->plugins_owned = false;
3821  }
3822 }
3823 
3824 static void
3825 do_inherit_plugins(struct context *c, const struct context *src)
3826 {
3827  if (!c->plugins && src->plugins)
3828  {
3829  c->plugins = plugin_list_inherit(src->plugins);
3830  c->plugins_owned = true;
3831  }
3832 }
3833 
3834 #endif /* ifdef ENABLE_PLUGIN */
3835 
3836 #ifdef ENABLE_MANAGEMENT
3837 
3838 static void
3839 management_callback_status_p2p(void *arg, const int version, struct status_output *so)
3840 {
3841  struct context *c = (struct context *) arg;
3842  print_status(c, so);
3843 }
3844 
3845 void
3846 management_show_net_callback(void *arg, const int msglevel)
3847 {
3848 #ifdef _WIN32
3849  show_routes(msglevel);
3850  show_adapters(msglevel);
3851  msg(msglevel, "END");
3852 #else
3853  msg(msglevel, "ERROR: Sorry, this command is currently only implemented on Windows");
3854 #endif
3855 }
3856 
3857 #ifdef TARGET_ANDROID
3858 int
3859 management_callback_network_change(void *arg, bool samenetwork)
3860 {
3861  /* Check if the client should translate the network change to a SIGUSR1 to
3862  * reestablish the connection or just reprotect the socket
3863  *
3864  * At the moment just assume that, for all settings that use pull (not
3865  * --static) and are not using peer-id reestablishing the connection is
3866  * required (unless the network is the same)
3867  *
3868  * The function returns -1 on invalid fd and -2 if the socket cannot be
3869  * reused. On the -2 return value the man_network_change function triggers
3870  * a SIGUSR1 to force a reconnect.
3871  */
3872 
3873  int socketfd = -1;
3874  struct context *c = (struct context *) arg;
3875  if (!c->c2.link_socket)
3876  {
3877  return -1;
3878  }
3879  if (c->c2.link_socket->sd == SOCKET_UNDEFINED)
3880  {
3881  return -1;
3882  }
3883 
3884  socketfd = c->c2.link_socket->sd;
3885  if (!c->options.pull || c->c2.tls_multi->use_peer_id || samenetwork)
3886  {
3887  return socketfd;
3888  }
3889  else
3890  {
3891  return -2;
3892  }
3893 }
3894 #endif /* ifdef TARGET_ANDROID */
3895 
3896 #endif /* ifdef ENABLE_MANAGEMENT */
3897 
3898 void
3899 init_management_callback_p2p(struct context *c)
3900 {
3901 #ifdef ENABLE_MANAGEMENT
3902  if (management)
3903  {
3904  struct management_callback cb;
3905  CLEAR(cb);
3906  cb.arg = c;
3907  cb.status = management_callback_status_p2p;
3908  cb.show_net = management_show_net_callback;
3909  cb.proxy_cmd = management_callback_proxy_cmd;
3910  cb.remote_cmd = management_callback_remote_cmd;
3911 #ifdef TARGET_ANDROID
3912  cb.network_change = management_callback_network_change;
3913 #endif
3914  management_set_callback(management, &cb);
3915  }
3916 #endif
3917 }
3918 
3919 #ifdef ENABLE_MANAGEMENT
3920 
3921 void
3922 init_management(struct context *c)
3923 {
3924  if (!management)
3925  {
3926  management = management_init();
3927  }
3928 }
3929 
3930 bool
3931 open_management(struct context *c)
3932 {
3933  /* initialize management layer */
3934  if (management)
3935  {
3936  if (c->options.management_addr)
3937  {
3938  unsigned int flags = c->options.management_flags;
3939  if (c->options.mode == MODE_SERVER)
3940  {
3941  flags |= MF_SERVER;
3942  }
3943  if (management_open(management,
3944  c->options.management_addr,
3945  c->options.management_port,
3946  c->options.management_user_pass,
3947  c->options.management_client_user,
3948  c->options.management_client_group,
3949  c->options.management_log_history_cache,
3950  c->options.management_echo_buffer_size,
3951  c->options.management_state_buffer_size,
3952  c->options.management_write_peer_info_file,
3953  c->options.remap_sigusr1,
3954  flags))
3955  {
3956  management_set_state(management,
3957  OPENVPN_STATE_CONNECTING,
3958  NULL,
3959  NULL,
3960  NULL,
3961  NULL,
3962  NULL);
3963  }
3964 
3965  /* initial management hold, called early, before first context initialization */
3966  do_hold(0);
3967  if (IS_SIG(c))
3968  {
3969  msg(M_WARN, "Signal received from management interface, exiting");
3970  return false;
3971  }
3972  }
3973  else
3974  {
3975  close_management();
3976  }
3977  }
3978  return true;
3979 }
3980 
3981 void
3982 close_management(void)
3983 {
3984  if (management)
3985  {
3986  management_close(management);
3987  management = NULL;
3988  }
3989 }
3990 
3991 #endif /* ifdef ENABLE_MANAGEMENT */
3992 
3993 
3994 void
3995 uninit_management_callback(void)
3996 {
3997 #ifdef ENABLE_MANAGEMENT
3998  if (management)
3999  {
4000  management_clear_callback(management);
4001  }
4002 #endif
4003 }
4004 
4005 /*
4006  * Initialize a tunnel instance, handle pre and post-init
4007  * signal settings.
4008  */
4009 void
4010 init_instance_handle_signals(struct context *c, const struct env_set *env, const unsigned int flags)
4011 {
4012  pre_init_signal_catch();
4013  init_instance(c, env, flags);
4014  post_init_signal_catch();
4015 
4016  /*
4017  * This is done so that signals thrown during
4018  * initialization can bring us back to
4019  * a management hold.
4020  */
4021  if (IS_SIG(c))
4022  {
4023  remap_signal(c);
4024  uninit_management_callback();
4025  }
4026 }
4027 
4028 /*
4029  * Initialize a tunnel instance.
4030  */
4031 void
4032 init_instance(struct context *c, const struct env_set *env, const unsigned int flags)
4033 {
4034  const struct options *options = &c->options;
4035  const bool child = (c->mode == CM_CHILD_TCP || c->mode == CM_CHILD_UDP);
4036  int link_socket_mode = LS_MODE_DEFAULT;
4037 
4038  /* init garbage collection level */
4039  gc_init(&c->c2.gc);
4040 
4041  /* inherit environmental variables */
4042  if (env)
4043  {
4044  do_inherit_env(c, env);
4045  }
4046 
4047  /* signals caught here will abort */
4048  c->sig->signal_received = 0;
4049  c->sig->signal_text = NULL;
4050  c->sig->source = SIG_SOURCE_SOFT;
4051 
4052  if (c->mode == CM_P2P)
4053  {
4054  init_management_callback_p2p(c);
4055  }
4056 
4057  /* possible sleep or management hold if restart */
4058  if (c->mode == CM_P2P || c->mode == CM_TOP)
4059  {
4060  do_startup_pause(c);
4061  if (IS_SIG(c))
4062  {
4063  goto sig;
4064  }
4065  }
4066 
4067  if (c->options.resolve_in_advance)
4068  {
4069  do_preresolve(c);
4070  if (IS_SIG(c))
4071  {
4072  goto sig;
4073  }
4074  }
4075 
4076  /* map in current connection entry */
4077  next_connection_entry(c);
4078 
4079  /* link_socket_mode allows CM_CHILD_TCP
4080  * instances to inherit acceptable fds
4081  * from a top-level parent */
4082  if (c->options.ce.proto == PROTO_TCP_SERVER)
4083  {
4084  if (c->mode == CM_TOP)
4085  {
4086  link_socket_mode = LS_MODE_TCP_LISTEN;
4087  }
4088  else if (c->mode == CM_CHILD_TCP)
4089  {
4090  link_socket_mode = LS_MODE_TCP_ACCEPT_FROM;
4091  }
4092  }
4093 
4094  /* should we disable paging? */
4095  if (c->first_time && options->mlock)
4096  {
4097  platform_mlockall(true);
4098  }
4099 
4100 #if P2MP
4101  /* get passwords if undefined */
4102  if (auth_retry_get() == AR_INTERACT)
4103  {
4104  init_query_passwords(c);
4105  }
4106 #endif
4107 
4108  /* initialize context level 2 --verb/--mute parms */
4109  init_verb_mute(c, IVM_LEVEL_2);
4110 
4111  /* set error message delay for non-server modes */
4112  if (c->mode == CM_P2P)
4113  {
4114  set_check_status_error_delay(P2P_ERROR_DELAY_MS);
4115  }
4116 
4117  /* warn about inconsistent options */
4118  if (c->mode == CM_P2P || c->mode == CM_TOP)
4119  {
4120  do_option_warnings(c);
4121  }
4122 
4123 #ifdef ENABLE_PLUGIN
4124  /* initialize plugins */
4125  if (c->mode == CM_P2P || c->mode == CM_TOP)
4126  {
4127  open_plugins(c, false, OPENVPN_PLUGIN_INIT_PRE_DAEMON);
4128  }
4129 #endif
4130 
4131  /* should we enable fast I/O? */
4132  if (c->mode == CM_P2P || c->mode == CM_TOP)
4133  {
4134  do_setup_fast_io(c);
4135  }
4136 
4137  /* should we throw a signal on TLS errors? */
4138  do_signal_on_tls_errors(c);
4139 
4140  /* open --status file */
4141  if (c->mode == CM_P2P || c->mode == CM_TOP)
4142  {
4143  do_open_status_output(c);
4144  }
4145 
4146  /* open --ifconfig-pool-persist file */
4147  if (c->mode == CM_TOP)
4148  {
4149  do_open_ifconfig_pool_persist(c);
4150  }
4151 
4152 #ifdef ENABLE_OCC
4153  /* reset OCC state */
4154  if (c->mode == CM_P2P || child)
4155  {
4156  c->c2.occ_op = occ_reset_op();
4157  }
4158 #endif
4159 
4160  /* our wait-for-i/o objects, different for posix vs. win32 */
4161  if (c->mode == CM_P2P)
4162  {
4163  do_event_set_init(c, SHAPER_DEFINED(&c->options));
4164  }
4165  else if (c->mode == CM_CHILD_TCP)
4166  {
4167  do_event_set_init(c, false);
4168  }
4169 
4170  /* initialize HTTP or SOCKS proxy object at scope level 2 */
4171  init_proxy(c);
4172 
4173  /* allocate our socket object */
4174  if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
4175  {
4176  do_link_socket_new(c);
4177  }
4178 
4179 #ifdef ENABLE_FRAGMENT
4180  /* initialize internal fragmentation object */
4181  if (options->ce.fragment && (c->mode == CM_P2P || child))
4182  {
4183  c->c2.fragment = fragment_init(&c->c2.frame);
4184  }
4185 #endif
4186 
4187  /* init crypto layer */
4188  {
4189  unsigned int crypto_flags = 0;
4190  if (c->mode == CM_TOP)
4191  {
4192  crypto_flags = CF_INIT_TLS_AUTH_STANDALONE;
4193  }
4194  else if (c->mode == CM_P2P)
4195  {
4196  crypto_flags = CF_LOAD_PERSISTED_PACKET_ID | CF_INIT_TLS_MULTI;
4197  }
4198  else if (child)
4199  {
4200  crypto_flags = CF_INIT_TLS_MULTI;
4201  }
4202  do_init_crypto(c, crypto_flags);
4203  if (IS_SIG(c) && !child)
4204  {
4205  goto sig;
4206  }
4207  }
4208 
4209 #ifdef USE_COMP
4210  /* initialize compression library. */
4211  if (comp_enabled(&options->comp) && (c->mode == CM_P2P || child))
4212  {
4213  c->c2.comp_context = comp_init(&options->comp);
4214  }
4215 #endif
4216 
4217  /* initialize MTU variables */
4218  do_init_frame(c);
4219 
4220  /* initialize TLS MTU variables */
4221  do_init_frame_tls(c);
4222 
4223  /* init workspace buffers whose size is derived from frame size */
4224  if (c->mode == CM_P2P || c->mode == CM_CHILD_TCP)
4225  {
4226  do_init_buffers(c);
4227  }
4228 
4229 #ifdef ENABLE_FRAGMENT
4230  /* initialize internal fragmentation capability with known frame size */
4231  if (options->ce.fragment && (c->mode == CM_P2P || child))
4232  {
4233  do_init_fragment(c);
4234  }
4235 #endif
4236 
4237  /* initialize dynamic MTU variable */
4238  frame_init_mssfix(&c->c2.frame, &c->options);
4239 
4240  /* bind the TCP/UDP socket */
4241  if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
4242  {
4243  do_init_socket_1(c, link_socket_mode);
4244  }
4245 
4246  /* initialize tun/tap device object,
4247  * open tun/tap device, ifconfig, run up script, etc. */
4248  if (!(options->up_delay || PULL_DEFINED(options)) && (c->mode == CM_P2P || c->mode == CM_TOP))
4249  {
4250  c->c2.did_open_tun = do_open_tun(c);
4251  }
4252 
4253  c->c2.frame_initial = c->c2.frame;
4254 
4255  /* print MTU info */
4256  do_print_data_channel_mtu_parms(c);
4257 
4258 #ifdef ENABLE_OCC
4259  /* get local and remote options compatibility strings */
4260  if (c->mode == CM_P2P || child)
4261  {
4262  do_compute_occ_strings(c);
4263  }
4264 #endif
4265 
4266  /* initialize output speed limiter */
4267  if (c->mode == CM_P2P)
4268  {
4269  do_init_traffic_shaper(c);
4270  }
4271 
4272  /* do one-time inits, and possibily become a daemon here */
4273  do_init_first_time(c);
4274 
4275 #ifdef ENABLE_PLUGIN
4276  /* initialize plugins */
4277  if (c->mode == CM_P2P || c->mode == CM_TOP)
4278  {
4279  open_plugins(c, false, OPENVPN_PLUGIN_INIT_POST_DAEMON);
4280  }
4281 #endif
4282 
4283  /* initialise connect timeout timer */
4284  do_init_server_poll_timeout(c);
4285 
4286  /* finalize the TCP/UDP socket */
4287  if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
4288  {
4289  do_init_socket_2(c);
4290  }
4291 
4292  /*
4293  * Actually do UID/GID downgrade, and chroot, if requested.
4294  * May be delayed by --client, --pull, or --up-delay.
4295  */
4296  do_uid_gid_chroot(c, c->c2.did_open_tun);
4297 
4298  /* initialize timers */
4299  if (c->mode == CM_P2P || child)
4300  {
4301  do_init_timers(c, false);
4302  }
4303 
4304 #ifdef ENABLE_PLUGIN
4305  /* initialize plugins */
4306  if (c->mode == CM_P2P || c->mode == CM_TOP)
4307  {
4308  open_plugins(c, false, OPENVPN_PLUGIN_INIT_POST_UID_CHANGE);
4309  }
4310 #endif
4311 
4312 #if PORT_SHARE
4313  /* share OpenVPN port with foreign (such as HTTPS) server */
4314  if (c->first_time && (c->mode == CM_P2P || c->mode == CM_TOP))
4315  {
4316  init_port_share(c);
4317  }
4318 #endif
4319 
4320 #ifdef ENABLE_PF
4321  if (child)
4322  {
4323  pf_init_context(c);
4324  }
4325 #endif
4326 
4327  /* Check for signals */
4328  if (IS_SIG(c))
4329  {
4330  goto sig;
4331  }
4332 
4333  return;
4334 
4335 sig:
4336  if (!c->sig->signal_text)
4337  {
4338  c->sig->signal_text = "init_instance";
4339  }
4340  close_context(c, -1, flags);
4341  return;
4342 }
4343 
4344 /*
4345  * Close a tunnel instance.
4346  */
4347 void
4348 close_instance(struct context *c)
4349 {
4350  /* close event objects */
4351  do_close_event_set(c);
4352 
4353  if (c->mode == CM_P2P
4354  || c->mode == CM_CHILD_TCP
4355  || c->mode == CM_CHILD_UDP
4356  || c->mode == CM_TOP)
4357  {
4358  /* if xinetd/inetd mode, don't allow restart */
4359  do_close_check_if_restart_permitted(c);
4360 
4361 #ifdef USE_COMP
4362  if (c->c2.comp_context)
4363  {
4364  comp_uninit(c->c2.comp_context);
4365  c->c2.comp_context = NULL;
4366  }
4367 #endif
4368 
4369  /* free buffers */
4370  do_close_free_buf(c);
4371 
4372  /* close TLS */
4373  do_close_tls(c);
4374 
4375  /* free key schedules */
4376  do_close_free_key_schedule(c, (c->mode == CM_P2P || c->mode == CM_TOP));
4377 
4378  restore_ncp_options(c);
4379 
4380  /* close TCP/UDP connection */
4381  do_close_link_socket(c);
4382 
4383  /* close TUN/TAP device */
4384  do_close_tun(c, false);
4385 
4386 #ifdef MANAGEMENT_DEF_AUTH
4387  if (management)
4388  {
4389  management_notify_client_close(management, &c->c2.mda_context, NULL);
4390  }
4391 #endif
4392 
4393 #ifdef ENABLE_PF
4394  pf_destroy_context(&c->c2.pf);
4395 #endif
4396 
4397 #ifdef ENABLE_PLUGIN
4398  /* call plugin close functions and unload */
4399  do_close_plugins(c);
4400 #endif
4401 
4402  /* close packet-id persistance file */
4403  do_close_packet_id(c);
4404 
4405  /* close --status file */
4406  do_close_status_output(c);
4407 
4408 #ifdef ENABLE_FRAGMENT
4409  /* close fragmentation handler */
4410  do_close_fragment(c);
4411 #endif
4412 
4413  /* close --ifconfig-pool-persist obj */
4414  do_close_ifconfig_pool_persist(c);
4415 
4416  /* free up environmental variable store */
4417  do_env_set_destroy(c);
4418 
4419  /* close HTTP or SOCKS proxy */
4420  uninit_proxy(c);
4421 
4422  /* garbage collect */
4423  gc_free(&c->c2.gc);
4424  }
4425 }
4426 
4427 void
4428 inherit_context_child(struct context *dest,
4429  const struct context *src)
4430 {
4431  CLEAR(*dest);
4432 
4433  /* proto_is_dgram will ASSERT(0) if proto is invalid */
4434  dest->mode = proto_is_dgram(src->options.ce.proto) ? CM_CHILD_UDP : CM_CHILD_TCP;
4435 
4436  dest->gc = gc_new();
4437 
4438  ALLOC_OBJ_CLEAR_GC(dest->sig, struct signal_info, &dest->gc);
4439 
4440  /* c1 init */
4441  packet_id_persist_init(&dest->c1.pid_persist);
4442 
4443  dest->c1.ks.key_type = src->c1.ks.key_type;
4444  /* inherit SSL context */
4445  dest->c1.ks.ssl_ctx = src->c1.ks.ssl_ctx;
4446  dest->c1.ks.tls_wrap_key = src->c1.ks.tls_wrap_key;
4447  dest->c1.ks.tls_auth_key_type = src->c1.ks.tls_auth_key_type;
4448  dest->c1.ks.tls_crypt_v2_server_key = src->c1.ks.tls_crypt_v2_server_key;
4449  /* inherit pre-NCP ciphers */
4450  dest->c1.ciphername = src->c1.ciphername;
4451  dest->c1.authname = src->c1.authname;
4452  dest->c1.keysize = src->c1.keysize;
4453 
4454  /* options */
4455  dest->options = src->options;
4456  options_detach(&dest->options);
4457 
4458  if (dest->mode == CM_CHILD_TCP)
4459  {
4460  /*
4461  * The CM_TOP context does the socket listen(),
4462  * and the CM_CHILD_TCP context does the accept().
4463  */
4464  dest->c2.accept_from = src->c2.link_socket;
4465  }
4466 
4467 #ifdef ENABLE_PLUGIN
4468  /* inherit plugins */
4469  do_inherit_plugins(dest, src);
4470 #endif
4471 
4472  /* context init */
4473  init_instance(dest, src->c2.es, CC_NO_CLOSE | CC_USR1_TO_HUP);
4474  if (IS_SIG(dest))
4475  {
4476  return;
4477  }
4478 
4479  /* inherit tun/tap interface object */
4480  dest->c1.tuntap = src->c1.tuntap;
4481 
4482  /* UDP inherits some extra things which TCP does not */
4483  if (dest->mode == CM_CHILD_UDP)
4484  {
4485  /* inherit buffers */
4486  dest->c2.buffers = src->c2.buffers;
4487 
4488  /* inherit parent link_socket and tuntap */
4489  dest->c2.link_socket = src->c2.link_socket;
4490 
4491  ALLOC_OBJ_GC(dest->c2.link_socket_info, struct link_socket_info, &dest->gc);
4492  *dest->c2.link_socket_info = src->c2.link_socket->info;
4493 
4494  /* locally override some link_socket_info fields */
4495  dest->c2.link_socket_info->lsa = &dest->c1.link_socket_addr;
4496  dest->c2.link_socket_info->connection_established = false;
4497  }
4498 }
4499 
4500 void
4501 inherit_context_top(struct context *dest,
4502  const struct context *src)
4503 {
4504  /* copy parent */
4505  *dest = *src;
4506 
4507  /*
4508  * CM_TOP_CLONE will prevent close_instance from freeing or closing
4509  * resources owned by the parent.
4510  *
4511  * Also note that CM_TOP_CLONE context objects are
4512  * closed by multi_top_free in multi.c.
4513  */
4514  dest->mode = CM_TOP_CLONE;
4515 
4516  dest->first_time = false;
4517  dest->c0 = NULL;
4518 
4519  options_detach(&dest->options);
4520  gc_detach(&dest->gc);
4521  gc_detach(&dest->c2.gc);
4522 
4523  /* detach plugins */
4524  dest->plugins_owned = false;
4525 
4526  dest->c2.tls_multi = NULL;
4527 
4528  /* detach c1 ownership */
4529  dest->c1.tuntap_owned = false;
4530  dest->c1.status_output_owned = false;
4531 #if P2MP_SERVER
4532  dest->c1.ifconfig_pool_persist_owned = false;
4533 #endif
4534 
4535  /* detach c2 ownership */
4536  dest->c2.event_set_owned = false;
4537  dest->c2.link_socket_owned = false;
4538  dest->c2.buffers_owned = false;
4539  dest->c2.es_owned = false;
4540 
4541  dest->c2.event_set = NULL;
4542  if (proto_is_dgram(src->options.ce.proto))
4543  {
4544  do_event_set_init(dest, false);
4545  }
4546 
4547 #ifdef USE_COMP
4548  dest->c2.comp_context = NULL;
4549 #endif
4550 }
4551 
4552 void
4553 close_context(struct context *c, int sig, unsigned int flags)
4554 {
4555  ASSERT(c);
4556  ASSERT(c->sig);
4557 
4558  if (sig >= 0)
4559  {
4560  c->sig->signal_received = sig;
4561  }
4562 
4563  if (c->sig->signal_received == SIGUSR1)
4564  {
4565  if ((flags & CC_USR1_TO_HUP)
4566  || (c->sig->source == SIG_SOURCE_HARD && (flags & CC_HARD_USR1_TO_HUP)))
4567  {
4568  c->sig->signal_received = SIGHUP;
4569  c->sig->signal_text = "close_context usr1 to hup";
4570  }
4571  }
4572 
4573  if (!(flags & CC_NO_CLOSE))
4574  {
4575  close_instance(c);
4576  }
4577 
4578  if (flags & CC_GC_FREE)
4579  {
4580  context_gc_free(c);
4581  }
4582 }
4583 
4584 /*
4585  * Do a loopback test
4586  * on the crypto subsystem.
4587  */
4588 static void *
4589 test_crypto_thread(void *arg)
4590 {
4591  struct context *c = (struct context *) arg;
4592  const struct options *options = &c->options;
4593 
4594  ASSERT(options->test_crypto);
4595  init_verb_mute(c, IVM_LEVEL_1);
4596  context_init_1(c);
4597  next_connection_entry(c);
4598  do_init_crypto_static(c, 0);
4599 
4600  frame_finalize_options(c, options);
4601 
4602  test_crypto(&c->c2.crypto_options, &c->c2.frame);
4603 
4604  key_schedule_free(&c->c1.ks, true);
4605  packet_id_free(&c->c2.crypto_options.packet_id);
4606 
4607  context_gc_free(c);
4608  return NULL;
4609 }
4610 
4611 bool
4612 do_test_crypto(const struct options *o)
4613 {
4614  if (o->test_crypto)
4615  {
4616  struct context c;
4617 
4618  /* print version number */
4619  msg(M_INFO, "%s", title_string);
4620 
4621  context_clear(&c);
4622  c.options = *o;
4623  options_detach(&c.options);
4624  c.first_time = true;
4625  test_crypto_thread((void *) &c);
4626  return true;
4627  }
4628  return false;
4629 }
options::tuntap_options
struct tuntap_options tuntap_options
Definition: options.h:286
tls_options::tcp_mode
bool tcp_mode
Definition: ssl_common.h:302
context_2::es
struct env_set * es
Definition: openvpn.h:427
remote_host_store::port
char port[RH_PORT_LEN]
Definition: options.h:177
context_1::ciphername
const char * ciphername
Data channel cipher from config file.
Definition: openvpn.h:209
connection_entry::remote_float
bool remote_float
Definition: options.h:95
context_1::socks_proxy_owned
bool socks_proxy_owned
Definition: openvpn.h:189
init_crypto_pre
static void init_crypto_pre(struct context *c, const unsigned int flags)
Definition: init.c:2471
interval_init
void interval_init(struct interval *top, int horizon, int refresh)
Definition: interval.c:37
options::status_file
const char * status_file
Definition: options.h:321
management_close
void management_close(struct management *man)
Definition: manage.c:2636
options::ifconfig_pool_persist_refresh_freq
int ifconfig_pool_persist_refresh_freq
Definition: options.h:419
tls_options::key_type
struct key_type key_type
Definition: ssl_common.h:247
ifconfig_pool_persist_init
struct ifconfig_pool_persist * ifconfig_pool_persist_init(const char *filename, int refresh_freq)
Definition: pool.c:426
options::persist_remote_ip
bool persist_remote_ip
Definition: options.h:275
options::sndbuf
int sndbuf
Definition: options.h:334
frame_add_to_extra_buffer
static void frame_add_to_extra_buffer(struct frame *frame, const int increment)
Definition: mtu.h:298
platform_group_set
void platform_group_set(const struct platform_state_group *state)
Definition: platform.c:130
options::routes_ipv6
struct route_ipv6_option_list * routes_ipv6
Definition: options.h:353
context_2::log_rw
bool log_rw
Definition: openvpn.h:387
frame_subtract_extra
void frame_subtract_extra(struct frame *frame, const struct frame *src)
Definition: mtu.c:123
route_did_redirect_default_gateway
static int route_did_redirect_default_gateway(const struct route_list *rl)
Definition: route.h:394
set_std_files_to_null
void set_std_files_to_null(bool stdin_only)
Definition: misc.c:58
CO_PACKET_ID_LONG_FORM
#define CO_PACKET_ID_LONG_FORM
Bit-flag indicating whether to use OpenVPN&#39;s long packet ID format.
Definition: crypto.h:245
http_proxy_new
struct http_proxy_info * http_proxy_new(const struct http_proxy_options *o)
Definition: proxy.c:496
strncpynt
static void strncpynt(char *dest, const char *src, size_t maxlen)
Definition: buffer.h:348
connection_entry::socks_proxy_port
const char * socks_proxy_port
Definition: options.h:104
TM_ACTIVE
#define TM_ACTIVE
Active tls_session.
Definition: ssl_common.h:465
context_2::frame_fragment_omit
struct frame frame_fragment_omit
Definition: openvpn.h:268
tls_options::tmp_dir
const char * tmp_dir
Definition: ssl_common.h:320
env_set_create
struct env_set * env_set_create(struct gc_arena *gc)
Definition: env_set.c:158
context_2::route_wakeup
struct event_timeout route_wakeup
Definition: openvpn.h:390
connection_entry::tun_mtu_defined
bool tun_mtu_defined
Definition: options.h:108
uninit_proxy_dowork
static void uninit_proxy_dowork(struct context *c)
Definition: init.c:557
OPT_P_DEFAULT
#define OPT_P_DEFAULT
Definition: options.h:670
platform_group_get
bool platform_group_get(const char *groupname, struct platform_state_group *state)
Definition: platform.c:108
dev_type_enum
int dev_type_enum(const char *dev, const char *dev_type)
Definition: tun.c:239
tuntap
Definition: tun.h:131
options::ncp_enabled
bool ncp_enabled
Definition: options.h:489
options::management_flags
unsigned int management_flags
Definition: options.h:378
do_close_tun
static void do_close_tun(struct context *c, bool force)
Definition: init.c:1915
crypto_options::packet_id
struct packet_id packet_id
Current packet ID state for both sending and receiving directions.
Definition: crypto.h:238
free_key_ctx
void free_key_ctx(struct key_ctx *ctx)
Definition: crypto.c:894
do_init_crypto_static
static void do_init_crypto_static(struct context *c, const unsigned int flags)
Definition: init.c:2500
signal_description
const char * signal_description(const int signum, const char *sigtext)
Definition: sig.c:91
tls_session::key
struct key_state key[KS_SIZE]
Definition: ssl_common.h:445
context_buffers::read_tun_buf
struct buffer read_tun_buf
Definition: openvpn.h:111
tls_options::crl_file
const char * crl_file
Definition: ssl_common.h:284
P2MP_SERVER
#define P2MP_SERVER
Definition: syshead.h:524
do_ifconfig
void do_ifconfig(struct tuntap *tt, const char *ifname, int tun_mtu, const struct env_set *es)
do_ifconfig - configure the tunnel interface
Definition: tun.c:1409
options::block_outside_dns
bool block_outside_dns
Definition: options.h:616
key_type::hmac_length
uint8_t hmac_length
HMAC length, in bytes.
Definition: crypto.h:142
D_INIT_MEDIUM
#define D_INIT_MEDIUM
Definition: errlevel.h:105
context_2::ping_rec_interval
struct event_timeout ping_rec_interval
Definition: openvpn.h:299
crypto_max_overhead
unsigned int crypto_max_overhead(void)
Return the worst-case OpenVPN crypto overhead (in bytes)
Definition: crypto.c:732
tls_auth_standalone_finalize
void tls_auth_standalone_finalize(struct tls_auth_standalone *tas, const struct frame *frame)
Definition: ssl.c:1318
tls_options::tls_crypt_v2
bool tls_crypt_v2
Definition: ssl_common.h:308
context::options
struct options options
Options loaded from command line or configuration file.
Definition: openvpn.h:502
platform_nice
void platform_nice(int niceval)
Definition: platform.c:156
plugin_return_get_column
void plugin_return_get_column(const struct plugin_return *src, struct plugin_return *dest, const char *colname)
Definition: plugin.c:962
context_2::route_wakeup_expire
struct event_timeout route_wakeup_expire
Definition: openvpn.h:391
PAR_NCT
#define PAR_NCT
Definition: proxy.h:50
options::mute_replay_warnings
bool mute_replay_warnings
Definition: options.h:497
test_crypto
void test_crypto(struct crypto_options *co, struct frame *frame)
Definition: crypto.c:1090
BASE_N_EVENTS
#define BASE_N_EVENTS
Definition: init.h:33
tun_standby_init
void tun_standby_init(struct tuntap *tt)
Definition: tun.c:5283
options::show_curves
bool show_curves
Definition: options.h:208
free_buf
void free_buf(struct buffer *buf)
Definition: buffer.c:185
D_ROUTE
#define D_ROUTE
Definition: errlevel.h:80
options::exit_event_initial_state
bool exit_event_initial_state
Definition: options.h:613
options::cipher_list
const char * cipher_list
Definition: options.h:516
crypto_options::flags
unsigned int flags
Bit-flags determining behavior of security operation functions.
Definition: crypto.h:257
options::tls_server
bool tls_server
Definition: options.h:507
link_socket_new
struct link_socket * link_socket_new(void)
Definition: socket.c:1845
do_alloc_route_list
static void do_alloc_route_list(struct context *c)
Definition: init.c:1407
management_callback_remote_cmd
static bool management_callback_remote_cmd(void *arg, const char **p)
Definition: init.c:292
socks_proxy_close
void socks_proxy_close(struct socks_proxy_info *sp)
Definition: socks.c:91
string_alloc
char * string_alloc(const char *str, struct gc_arena *gc)
Definition: buffer.c:688
CE_MAN_QUERY_REMOTE_MOD
#define CE_MAN_QUERY_REMOTE_MOD
Definition: options.h:128
init_verb_mute
void init_verb_mute(struct context *c, unsigned int flags)
Definition: init.c:981
link_socket_info::lsa
struct link_socket_addr * lsa
Definition: socket.h:114
argv_new
struct argv argv_new(void)
Definition: argv.c:52
options_hash_changed_or_zero
static bool options_hash_changed_or_zero(const struct sha256_digest *a, const struct sha256_digest *b)
Helper for do_up().
Definition: init.c:2067
init_proxy_dowork
static void init_proxy_dowork(struct context *c)
Definition: init.c:574
frame_or_align_flags
static void frame_or_align_flags(struct frame *frame, const unsigned int flag_mask)
Definition: mtu.h:316
prng_init
void prng_init(const char *md_name, const int nonce_secret_len_parm)
Pseudo-random number generator initialisation.
Definition: crypto.c:1707
crypto_options::pid_persist
struct packet_id_persist * pid_persist
Persistent packet ID state for keeping state between successive OpenVPN process startups.
Definition: crypto.h:240
SET_MTU_TUN
#define SET_MTU_TUN
Definition: mtu.h:220
context_1::dns_cache
struct cached_dns_entry * dns_cache
Definition: openvpn.h:162
context_2::did_open_tun
bool did_open_tun
Definition: openvpn.h:394
tls_options::auth_token_lifetime
unsigned int auth_token_lifetime
Definition: ssl_common.h:324
options::tls_cert_profile
const char * tls_cert_profile
Definition: options.h:518
options::management_log_history_cache
int management_log_history_cache
Definition: options.h:369
STATUS_OUTPUT_WRITE
#define STATUS_OUTPUT_WRITE
Definition: status.h:51
tls_options::tls_crypt_v2_verify_script
const char * tls_crypt_v2_verify_script
Definition: ssl_common.h:309
context_2::tmp_int
struct interval tmp_int
Definition: openvpn.h:351
streq
#define streq(x, y)
Definition: options.h:635
options::ifconfig_pool_persist_filename
const char * ifconfig_pool_persist_filename
Definition: options.h:418
options::chroot_dir
const char * chroot_dir
Definition: options.h:291
P2P_ERROR_DELAY_MS
#define P2P_ERROR_DELAY_MS
Definition: errlevel.h:41
string_clear
void string_clear(char *str)
Definition: buffer.c:731
do_inherit_plugins
static void do_inherit_plugins(struct context *c, const struct context *src)
Definition: init.c:3825
do_close_event_set
static void do_close_event_set(struct context *c)
Definition: init.c:3617
do_init_crypto_tls_c1
static void do_init_crypto_tls_c1(struct context *c)
Definition: init.c:2622
plugin_return_init
static void plugin_return_init(struct plugin_return *pr)
Definition: plugin.h:170
options::server_bridge_proxy_dhcp
bool server_bridge_proxy_dhcp
Definition: options.h:405
S_FATAL
#define S_FATAL
Definition: run_command.h:42
options::dev
const char * dev
Definition: options.h:230
WSO_FORCE_SERVICE
#define WSO_FORCE_SERVICE
Definition: win32.h:164
options::ping_rec_timeout_action
int ping_rec_timeout_action
Definition: options.h:271
tls_options::mode
int mode
Definition: ssl_common.h:269
do_up
bool do_up(struct context *c, bool pulled_options, unsigned int option_types_found)
Definition: init.c:2077
options::auth_token_generate
bool auth_token_generate
Definition: options.h:461
packet_id_persist_load_obj
void packet_id_persist_load_obj(const struct packet_id_persist *p, struct packet_id *pid)
Definition: packet_id.c:524
options::inetd
int inetd
Definition: options.h:308
D_IMPORT_ERRORS
#define D_IMPORT_ERRORS
Definition: errlevel.h:64
print_default_gateway
void print_default_gateway(const int msglevel, const struct route_gateway_info *rgi, const struct route_ipv6_gateway_info *rgi6)
Definition: route.c:1296
M_INFO
#define M_INFO
Definition: errlevel.h:55
notnull
void notnull(const char *arg, const char *description)
Definition: options.c:4178
tun_abort
void tun_abort(void)
Definition: init.c:2047
plugin_return
Definition: plugin.h:101
context
Contains all state information for one tunnel.
Definition: openvpn.h:500
CIPHER_ENABLED
#define CIPHER_ENABLED(c)
Definition: openvpn.h:569
frame
Packet geometry parameters.
Definition: mtu.h:93
SIZE
#define SIZE(x)
Definition: basic.h:30
do_env_set_destroy
static void do_env_set_destroy(struct context *c)
Definition: init.c:3704
do_init_tls_wrap_key
static void do_init_tls_wrap_key(struct context *c)
Definition: init.c:2559
PAR_ALL
#define PAR_ALL
Definition: proxy.h:49
cipher_kt_mode_ofb_cfb
bool cipher_kt_mode_ofb_cfb(const cipher_kt_t *cipher)
Check if the supplied cipher is a supported OFB or CFB mode cipher.
Definition: crypto_openssl.c:715
ROUTE_AFTER_TUN
#define ROUTE_AFTER_TUN
Definition: tun.h:319
context::es
struct env_set * es
Set of environment variables.
Definition: openvpn.h:523
D_PUSH
#define D_PUSH
Definition: errlevel.h:83
route_ipv6_gateway_info
Definition: route.h:178
crypto_read_openvpn_key
void crypto_read_openvpn_key(const struct key_type *key_type, struct key_ctx_bi *ctx, const char *key_file, const char *key_inline, const int key_direction, const char *key_name, const char *opt_name)
Definition: crypto.c:1178
srandom
#define srandom
Definition: syshead.h:44
proto_is_udp
bool proto_is_udp(int proto)
Definition: socket.c:3174
plugin_return::list
struct openvpn_plugin_string_list * list[MAX_PLUGINS]
Definition: plugin.h:104
remap_signal
void remap_signal(struct context *c)
Definition: sig.c:374
tls_crypt_init_key
void tls_crypt_init_key(struct key_ctx_bi *key, const char *key_file, const char *key_inline, bool tls_server)
Initialize a key_ctx_bi structure for use with –tls-crypt.
Definition: tls_crypt.c:81
gc_free
static void gc_free(struct gc_arena *a)
Definition: buffer.h:1023
link_socket_init_phase1
void link_socket_init_phase1(struct link_socket *sock, const char *local_host, const char *local_port, const char *remote_host, const char *remote_port, struct cached_dns_entry *dns_cache, int proto, sa_family_t af, bool bind_ipv6_only, int mode, const struct link_socket *accept_from, struct http_proxy_info *http_proxy, struct socks_proxy_info *socks_proxy, bool bind_local, bool remote_float, int inetd, struct link_socket_addr *lsa, const char *ipchange_command, const struct plugin_list *plugins, int resolve_retry_seconds, int mtu_discover_type, int rcvbuf, int sndbuf, int mark, struct event_timeout *server_poll_timeout, unsigned int sockflags)
Definition: socket.c:1856
tls_options::ssl_ctx
struct tls_root_ctx ssl_ctx
Definition: ssl_common.h:244
check_debug_level
static bool check_debug_level(unsigned int level)
Definition: error.h:245
PAYLOAD_ALIGN
#define PAYLOAD_ALIGN
Definition: mtu.h:86
management_callback_proxy_cmd
static bool management_callback_proxy_cmd(void *arg, const char **p)
Definition: init.c:211
OPT_P_PLUGIN
#define OPT_P_PLUGIN
Definition: options.h:664
frame_add_to_extra_frame
static void frame_add_to_extra_frame(struct frame *frame, const unsigned int increment)
Definition: mtu.h:274
plugin_call
static int plugin_call(const struct plugin_list *pl, const int type, const struct argv *av, struct plugin_return *pr, struct env_set *es)
Definition: plugin.h:201
close_context
void close_context(struct context *c, int sig, unsigned int flags)
Definition: init.c:4553
script_security
int script_security(void)
Definition: run_command.c:45
do_init_socket_2
static void do_init_socket_2(struct context *c)
Definition: init.c:3351
platform_user_get
bool platform_user_get(const char *username, struct platform_state_user *state)
Definition: platform.c:69
tls_options::auth_user_pass_verify_script
const char * auth_user_pass_verify_script
Definition: ssl_common.h:318
options::shared_secret_file
const char * shared_secret_file
Definition: options.h:485
packet_id_persist_init
static void packet_id_persist_init(struct packet_id_persist *p)
Definition: openvpn.h:83
openvpn_sockaddr::addr
union openvpn_sockaddr::@8 addr
open_tun
void open_tun(const char *dev, const char *dev_type, const char *dev_node, struct tuntap *tt)
Definition: tun.c:5528
RH_PORT_LEN
#define RH_PORT_LEN
Definition: options.h:176
EVENT_METHOD_FAST
#define EVENT_METHOD_FAST
Definition: event.h:42
options::peer_id
uint32_t peer_id
Definition: options.h:620
D_TLS_ERRORS
#define D_TLS_ERRORS
Definition: errlevel.h:59
OPENVPN_PLUGIN_DOWN
#define OPENVPN_PLUGIN_DOWN
Definition: openvpn-plugin.h:121
init_management_callback_p2p
void init_management_callback_p2p(struct context *c)
Definition: init.c:3899
context_2::tls_auth_standalone
struct tls_auth_standalone * tls_auth_standalone
TLS state structure required for the initial authentication of a client&#39;s connection attempt...
Definition: openvpn.h:339
OPENVPN_PLUGIN_ROUTE_UP
#define OPENVPN_PLUGIN_ROUTE_UP
Definition: openvpn-plugin.h:122
buffer_list_new
struct buffer_list * buffer_list_new(const int max_size)
Allocate an empty buffer list of capacity max_size.
Definition: buffer.c:1201
IFCONFIG_BEFORE_TUN_OPEN
#define IFCONFIG_BEFORE_TUN_OPEN
Definition: tun.h:291
close_instance
void close_instance(struct context *c)
Definition: init.c:4348
ASSERT
#define ASSERT(x)
Definition: error.h:221
connection_entry
Definition: options.h:86
options::renegotiate_seconds
int renegotiate_seconds
Definition: options.h:564
tls_options::client_config_dir_exclusive
const char * client_config_dir_exclusive
Definition: ssl_common.h:327
http_proxy_close
void http_proxy_close(struct http_proxy_info *hp)
Definition: proxy.c:557
frame_add_to_extra_link
static void frame_add_to_extra_link(struct frame *frame, const int increment)
Definition: mtu.h:292
tls_multi_free
void tls_multi_free(struct tls_multi *multi, bool clear)
Cleanup a tls_multi structure and free associated memory allocations.
Definition: ssl.c:1345
OPT_P_IPWIN32
#define OPT_P_IPWIN32
Definition: options.h:643
options::persist_key
bool persist_key
Definition: options.h:276
SIGUSR1
#define SIGUSR1
Definition: config-msvc.h:116
options::replay_window
int replay_window
Definition: options.h:498
options::persist_mode
int persist_mode
Definition: options.h:201
context_1::keysize
int keysize
Data channel keysize from config file.
Definition: openvpn.h:211
SET_MTU_UPPER_BOUND
#define SET_MTU_UPPER_BOUND
Definition: mtu.h:221
clear_remote_addrlist
static void clear_remote_addrlist(struct link_socket_addr *lsa, bool free)
Definition: init.c:412
tls_options::auth_user_pass_file
const char * auth_user_pass_file
Definition: ssl_common.h:321
do_signal_on_tls_errors
static void do_signal_on_tls_errors(struct context *c)
Definition: init.c:3752
context_2::buffers
struct context_buffers * buffers
Definition: openvpn.h:374
tls_options::verify_x509_type
int verify_x509_type
Definition: ssl_common.h:282
alloc_buf
struct buffer alloc_buf(size_t size)
Definition: buffer.c:64
connection_entry::connect_retry_seconds
int connect_retry_seconds
Definition: options.h:99
setenv_routes_ipv6
void setenv_routes_ipv6(struct env_set *es, const struct route_ipv6_list *rl6)
Definition: route.c:1443
buffer_list_free
void buffer_list_free(struct buffer_list *ol)
Frees a buffer list and all the buffers in it.
Definition: buffer.c:1211
context_2::wait_for_connect
struct event_timeout wait_for_connect
Definition: openvpn.h:297
add_routes
void add_routes(struct route_list *rl, struct route_ipv6_list *rl6, const struct tuntap *tt, unsigned int flags, const struct env_set *es)
Definition: route.c:1162
options::rcvbuf
int rcvbuf
Definition: options.h:333
options::crl_file_inline
const char * crl_file_inline
Definition: options.h:529
D_LOG_RW
#define D_LOG_RW
Definition: errlevel.h:110
context_2::link_socket_info
struct link_socket_info * link_socket_info
Definition: openvpn.h:254
next_connection_entry
static void next_connection_entry(struct context *c)
Definition: init.c:426
tls_options::handshake_window
int handshake_window
Definition: ssl_common.h:273
options::connection_list
struct connection_list * connection_list
Definition: options.h:214
guess_tuntap_dev
const char * guess_tuntap_dev(const char *dev, const char *dev_type, const char *dev_node, struct gc_arena *gc)
Definition: tun.c:283
buffer_list_aggregate
void buffer_list_aggregate(struct buffer_list *bl, const size_t max)
Aggregates as many buffers as possible from bl in a new buffer of maximum length max_len ...
Definition: buffer.c:1342
link_socket_addr::actual
struct link_socket_actual actual
Definition: socket.h:109
LS_MODE_DEFAULT
#define LS_MODE_DEFAULT
Definition: socket.h:196
tls_wrap_ctx::opt
struct crypto_options opt
Crypto state.
Definition: ssl_common.h:227
RH_HOST_LEN
#define RH_HOST_LEN
Definition: options.h:174
options::exit_event_name
const char * exit_event_name
Definition: options.h:612
AR_NONE
#define AR_NONE
Definition: options.h:821
md_ctx_free
void md_ctx_free(md_ctx_t *ctx)
context_2::accept_from
const struct link_socket * accept_from
Definition: openvpn.h:255
options::route_noexec
bool route_noexec
Definition: options.h:348
options::sockflags
unsigned int sockflags
Definition: options.h:340
frame_finalize_options
static void frame_finalize_options(struct context *c, const struct options *o)
Definition: init.c:2427
tuntap::remote_netmask
in_addr_t remote_netmask
Definition: tun.h:153
connection_entry::tls_crypt_file
const char * tls_crypt_file
Definition: options.h:140
signal_info
Definition: sig.h:43
packet_id_persist_close
void packet_id_persist_close(struct packet_id_persist *p)
Definition: packet_id.c:419
do_close_tls
static void do_close_tls(struct context *c)
Definition: init.c:3471
ce_management_query_remote
static bool ce_management_query_remote(struct context *c)
Definition: init.c:339
M_FATAL
#define M_FATAL
Definition: error.h:94
add_route_ipv6_to_option_list
void add_route_ipv6_to_option_list(struct route_ipv6_option_list *l, const char *prefix, const char *gateway, const char *metric)
Definition: route.c:502
buf_printf
bool buf_printf(struct buffer *buf, const char *format,...)
Definition: buffer.c:245
ENABLE_PKCS11
#define ENABLE_PKCS11
Definition: config-msvc.h:18
options::route_script
const char * route_script
Definition: options.h:343
SDL_CONSTRAIN
#define SDL_CONSTRAIN
Definition: error.h:203
options::tls_crypt_v2_genkey_file
const char * tls_crypt_v2_genkey_file
Definition: options.h:593
options::management_state_buffer_size
int management_state_buffer_size
Definition: options.h:371
do_route
void do_route(const struct options *options, struct route_list *route_list, struct route_ipv6_list *route_ipv6_list, const struct tuntap *tt, const struct plugin_list *plugins, struct env_set *es)
Definition: init.c:1630
format_hex
static char * format_hex(const uint8_t *data, int size, int maxoutput, struct gc_arena *gc)
Definition: buffer.h:526
options::resolve_retry_seconds
int resolve_retry_seconds
Definition: options.h:282
CLEAR
#define CLEAR(x)
Definition: basic.h:33
D_GENKEY
#define D_GENKEY
Definition: errlevel.h:79
setenv_str
void setenv_str(struct env_set *es, const char *name, const char *value)
Definition: env_set.c:285
context_1::link_socket_addr
struct link_socket_addr link_socket_addr
Local and remote addresses on the external network.
Definition: openvpn.h:154
D_MTU_INFO
#define D_MTU_INFO
Definition: errlevel.h:106
D_READ_WRITE
#define D_READ_WRITE
Definition: errlevel.h:161
context_1::socks_proxy
struct socks_proxy_info * socks_proxy
Definition: openvpn.h:188
in_addr_t
#define in_addr_t
Definition: config-msvc.h:104
buf_read_u8
static int buf_read_u8(struct buffer *buf)
Definition: buffer.h:812
do_init_frame
static void do_init_frame(struct context *c)
Definition: init.c:2979
options::config
const char * config
Definition: options.h:187
options::route_delay
int route_delay
Definition: options.h:349
options_string
char * options_string(const struct options *o, const struct frame *frame, struct tuntap *tt, bool remote, struct gc_arena *gc)
Definition: options.c:3548
D_RESTART
#define D_RESTART
Definition: errlevel.h:82
context::sig
struct signal_info * sig
Internal error signaling object.
Definition: openvpn.h:525
MAX_PARMS
#define MAX_PARMS
Definition: options.h:51
http_proxy_options::port
const char * port
Definition: proxy.h:46
options::down_script
const char * down_script
Definition: options.h:298
connection_entry::local_port
const char * local_port
Definition: options.h:90
socks_adjust_frame_parameters
void socks_adjust_frame_parameters(struct frame *frame, int proto)
Definition: socks.c:53
options::route_predown_script
const char * route_predown_script
Definition: options.h:344
tls_options::gremlin
int gremlin
Definition: ssl_common.h:362
open_plugins
void open_plugins(struct context *c, const bool import_options, int init_point)
Definition: init.c:3777
tls_options::ekm_label
const char * ekm_label
Definition: ssl_common.h:365
post_init_signal_catch
void post_init_signal_catch(void)
Definition: sig.c:255
link_socket_update_flags
bool link_socket_update_flags(struct link_socket *ls, unsigned int sockflags)
Definition: socket.c:971
context_2::frame_initial
struct frame frame_initial
Definition: openvpn.h:262
options::down_pre
bool down_pre
Definition: options.h:300
options::keepalive_timeout
int keepalive_timeout
Definition: options.h:259
OPT_P_SOCKBUF
#define OPT_P_SOCKBUF
Definition: options.h:665
OPENVPN_PLUGIN_INIT_POST_DAEMON
#define OPENVPN_PLUGIN_INIT_POST_DAEMON
Definition: openvpn-plugin.h:802
SIGTERM
#define SIGTERM
Definition: config-msvc.h:118
tls_options::auth_token_generate
bool auth_token_generate
Generate auth-tokens on successful user/pass auth, set via options->auth_token_generate.
Definition: ssl_common.h:322
do_init_traffic_shaper
static void do_init_traffic_shaper(struct context *c)
Definition: init.c:1389
TLS_MODE
#define TLS_MODE(c)
Definition: openvpn.h:561
init_query_passwords
void init_query_passwords(const struct context *c)
Query for private key and auth-user-pass username/passwords.
Definition: init.c:531
options::push_peer_info
bool push_peer_info
Definition: options.h:601
OPT_P_SETENV
#define OPT_P_SETENV
Definition: options.h:645
link_socket::info
struct link_socket_info info
Definition: socket.h:166
CE_MAN_QUERY_PROXY
#define CE_MAN_QUERY_PROXY
Definition: options.h:124
SIGHUP
#define SIGHUP
Definition: config-msvc.h:114
context_1::tuntap
struct tuntap * tuntap
Tun/tap virtual network interface.
Definition: openvpn.h:167
options::renegotiate_seconds_min
int renegotiate_seconds_min
Definition: options.h:565
management_hold
bool management_hold(struct management *man, int holdtime)
Definition: manage.c:3696
PING_RESTART
#define PING_RESTART
Definition: options.h:270
do_init_finalize_tls_frame
static void do_init_finalize_tls_frame(struct context *c)
Definition: init.c:2929
options::handshake_window
int handshake_window
Definition: options.h:569
init_management
void init_management(struct context *c)
Definition: init.c:3922
route_ipv6_list
Definition: route.h:214
do_close_plugins
static void do_close_plugins(struct context *c)
Definition: init.c:3814
D_SHOW_NET
#define D_SHOW_NET
Definition: errlevel.h:128
tls_options
Definition: ssl_common.h:241
ifconfig_order
static int ifconfig_order(void)
Definition: tun.h:297
context_2::gc
struct gc_arena gc
Garbage collection arena for allocations done in the level 2 scope of this context_2 structure...
Definition: openvpn.h:226
basename
char * basename(char *filename)
Definition: compat-basename.c:39
tls_options::crypto_flags
unsigned int crypto_flags
Definition: ssl_common.h:298
connection_entry::tls_auth_file_inline
const char * tls_auth_file_inline
Definition: options.h:136
key_schedule::tls_wrap_key
struct key_ctx_bi tls_wrap_key
Definition: openvpn.h:68
connection_list::current
int current
Definition: options.h:162
OPENVPN_PLUGIN_FUNC_SUCCESS
#define OPENVPN_PLUGIN_FUNC_SUCCESS
Definition: openvpn-plugin.h:149
options::rh_store
struct remote_host_store * rh_store
Definition: options.h:226
tls_multi::session
struct tls_session session[TM_SIZE]
Array of tls_session objects representing control channel sessions with the remote peer...
Definition: ssl_common.h:578
connection_entry::explicit_exit_notification
int explicit_exit_notification
Definition: options.h:121
platform_user_set
void platform_user_set(const struct platform_state_user *state)
Definition: platform.c:91
options::status_file_update_freq
int status_file_update_freq
Definition: options.h:323
options::verify_x509_type
int verify_x509_type
Definition: options.h:521
options::unsuccessful_attempts
unsigned int unsuccessful_attempts
Definition: options.h:220
close_management
void close_management(void)
Definition: init.c:3982
context_1::tuntap_owned
bool tuntap_owned
Whether the tun/tap interface should be cleaned up when this context is cleaned up.
Definition: openvpn.h:168
tls_options::config_ciphername
const char * config_ciphername
Definition: ssl_common.h:304
options::prng_hash
const char * prng_hash
Definition: options.h:493
options::ping_rec_timeout
int ping_rec_timeout
Definition: options.h:265
management_callback::status
void(* status)(void *arg, const int version, struct status_output *so)
Definition: manage.h:161
D_LOW
#define D_LOW
Definition: errlevel.h:97
options::ifconfig_noexec
bool ifconfig_noexec
Definition: options.h:240
options::fast_io
bool fast_io
Definition: options.h:326
options::key_direction
int key_direction
Definition: options.h:487
tls_options::renegotiate_bytes
int renegotiate_bytes
Definition: ssl_common.h:275
status_printf
void status_printf(struct status_output *so, const char *format,...)
Definition: status.c:239
update_options_ce_post
static void update_options_ce_post(struct options *options)
Definition: init.c:190
ssl_verify.h
tuntap::options
struct tuntap_options options
Definition: tun.h:144
connection_entry::link_mtu_defined
bool link_mtu_defined
Definition: options.h:112
static_context
static struct context * static_context
Definition: init.c:58
user_pass::username
char username[USER_PASS_LEN]
Definition: misc.h:74
connection_entry::tls_crypt_v2_inline
const char * tls_crypt_v2_inline
Definition: options.h:146
init_static
bool init_static(void)
Definition: init.c:725
platform_mlockall
void platform_mlockall(bool print_msg)
Definition: platform.c:193
OCC_MTU_LOAD_INTERVAL_SECONDS
#define OCC_MTU_LOAD_INTERVAL_SECONDS
Definition: occ.h:64
packet_id_free
void packet_id_free(struct packet_id *p)
Definition: packet_id.c:101
CE_MAN_QUERY_REMOTE_SKIP
#define CE_MAN_QUERY_REMOTE_SKIP
Definition: options.h:129
socks_proxy_new
struct socks_proxy_info * socks_proxy_new(const char *server, const char *port, const char *authfile)
Definition: socks.c:62
MODE_SERVER
#define MODE_SERVER
Definition: options.h:191
tls_multi::use_peer_id
bool use_peer_id
Definition: ssl_common.h:564
context_2::ping_send_interval
struct event_timeout ping_send_interval
Definition: openvpn.h:298
options::route_delay_defined
bool route_delay_defined
Definition: options.h:351
argv_msg
void argv_msg(const int msglev, const struct argv *a)
Definition: argv.c:206
tls_crypt.h
CM_CHILD_UDP
#define CM_CHILD_UDP
Definition: openvpn.h:512
key_ctx_bi::initialized
bool initialized
Definition: crypto.h:225
options::tls_exit
bool tls_exit
Definition: options.h:603
MF_SERVER
#define MF_SERVER
Definition: manage.h:332
link_socket_actual
Definition: socket.h:85
print_openssl_info
bool print_openssl_info(const struct options *options)
Definition: init.c:1014
restore_signal_state
void restore_signal_state(void)
Definition: sig.c:272
check_replay_consistency
void check_replay_consistency(const struct key_type *kt, bool packet_id)
Definition: crypto.c:1007
ALLOC_OBJ_GC
#define ALLOC_OBJ_GC(dptr, type, gc)
Definition: buffer.h:1082
init_tun_post
void init_tun_post(struct tuntap *tt, const struct frame *frame, const struct tuntap_options *options)
Definition: tun.c:785
connection_entry::key_direction
int key_direction
Definition: options.h:137
PULL_DEFINED
#define PULL_DEFINED(opt)
Definition: options.h:673
tls_options::x509_username_field
char * x509_username_field
Definition: ssl_common.h:291
options::route_nopull
bool route_nopull
Definition: options.h:355
init_http_proxy_options_once
struct http_proxy_options * init_http_proxy_options_once(struct http_proxy_options **hpo, struct gc_arena *gc)
Definition: proxy.c:48
openvpn_sockaddr::in6
struct sockaddr_in6 in6
Definition: socket.h:70
flags
list flags
Definition: .ycm_extra_conf.py:4
TOP_P2P
#define TOP_P2P
Definition: proto.h:44
do_close_fragment
static void do_close_fragment(struct context *c)
Definition: init.c:3583
http_proxy_options::auth_retry
int auth_retry
Definition: proxy.h:51
do_uid_gid_chroot
static void do_uid_gid_chroot(struct context *c, bool no_delay)
Definition: init.c:1183
CF_INIT_TLS_AUTH_STANDALONE
#define CF_INIT_TLS_AUTH_STANDALONE
Definition: init.c:65
event_set_init
struct event_set * event_set_init(int *maxevents, unsigned int flags)
Definition: event.c:1180
options::tls_export_cert
const char * tls_export_cert
Definition: options.h:523
options::route_default_gateway
const char * route_default_gateway
Definition: options.h:345
ifconfig_pool_persist_close
void ifconfig_pool_persist_close(struct ifconfig_pool_persist *persist)
Definition: pool.c:447
status_open
struct status_output * status_open(const char *filename, const int refresh_freq, const int msglevel, const struct virtual_output *vout, const unsigned int flags)
Definition: status.c:63
init_instance_handle_signals
void init_instance_handle_signals(struct context *c, const struct env_set *env, const unsigned int flags)
Definition: init.c:4010
options::remap_sigusr1
int remap_sigusr1
Definition: options.h:305
VERIFY_X509_NONE
#define VERIFY_X509_NONE
Definition: ssl_verify.h:63
extract_x509_field_test
void extract_x509_field_test(void)
context_0::uid_gid_chroot_set
bool uid_gid_chroot_set
Definition: openvpn.h:137
key_ctx_bi_defined
static bool key_ctx_bi_defined(const struct key_ctx_bi *key)
Definition: crypto.h:516
options::remote_random
bool remote_random
Definition: options.h:228
frame_add_to_link_mtu
static void frame_add_to_link_mtu(struct frame *frame, const int increment)
Definition: mtu.h:268
status_close
bool status_close(struct status_output *so)
Definition: status.c:203
LS_MODE_TCP_ACCEPT_FROM
#define LS_MODE_TCP_ACCEPT_FROM
Definition: socket.h:198
context::c1
struct context_1 c1
Level 1 context.
Definition: openvpn.h:538
pre_init_signal_catch
void pre_init_signal_catch(void)
Definition: sig.c:239
WSO_FORCE_CONSOLE
#define WSO_FORCE_CONSOLE
Definition: win32.h:165
init_options_dev
void init_options_dev(struct options *options)
Definition: init.c:1004
context::persist
struct context_persist persist
Persistent context.
Definition: openvpn.h:535
prng_uninit
void prng_uninit(void)
Definition: crypto.c:1726
tls_auth_standalone_init
struct tls_auth_standalone * tls_auth_standalone_init(struct tls_options *tls_options, struct gc_arena *gc)
Definition: ssl.c:1295
options::auth_user_pass_verify_script_via_file
bool auth_user_pass_verify_script_via_file
Definition: options.h:460
WSO_MODE_CONSOLE
#define WSO_MODE_CONSOLE
Definition: win32.h:150
options::tls_verify
const char * tls_verify
Definition: options.h:520
setenv_routes
void setenv_routes(struct env_set *es, const struct route_list *rl)
Definition: route.c:1412
context_buffers::decrypt_buf
struct buffer decrypt_buf
Definition: openvpn.h:98
context_2::inactivity_interval
struct event_timeout inactivity_interval
Definition: openvpn.h:302
tls_options::ekm_size
size_t ekm_size
Definition: ssl_common.h:367
open_management
bool open_management(struct context *c)
Definition: init.c:3931
packet_id_init
void packet_id_init(struct packet_id *p, int seq_backtrack, int time_backtrack, const char *name, int unit)
Definition: packet_id.c:78
BUF_SIZE
#define BUF_SIZE(f)
Definition: mtu.h:194
X509_USERNAME_FIELD_DEFAULT
#define X509_USERNAME_FIELD_DEFAULT
Definition: ssl.h:110
init_ssl
void init_ssl(const struct options *options, struct tls_root_ctx *new_ctx)
Build master SSL context object that serves for the whole of OpenVPN instantiation.
Definition: ssl.c:600
inherit_context_child
void inherit_context_child(struct context *dest, const struct context *src)
Definition: init.c:4428
OPT_P_PULL_MODE
#define OPT_P_PULL_MODE
Definition: options.h:663
tls_crypt_v2_init_client_key
void tls_crypt_v2_init_client_key(struct key_ctx_bi *key, struct buffer *wkc_buf, const char *key_file, const char *key_inline)
Initialize a tls-crypt-v2 client key.
Definition: tls_crypt.c:336
save_ncp_options
static void save_ncp_options(struct context *c)
Definition: init.c:620
context_2::frame_fragment
struct frame frame_fragment
Definition: openvpn.h:267
management_callback_status_p2p
static void management_callback_status_p2p(void *arg, const int version, struct status_output *so)
Definition: init.c:3839
context_gc_free
void context_gc_free(struct context *c)
Definition: init.c:686
do_open_status_output
static void do_open_status_output(struct context *c)
Definition: init.c:3632
get_default_gateway_ipv6
void get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6, const struct in6_addr *dest)
Definition: route.c:2810
management_open
bool management_open(struct management *man, const char *addr, const char *port, const char *pass_file, const char *client_user, const char *client_group, const int log_history_cache, const int echo_buffer_size, const int state_buffer_size, const char *write_peer_info_file, const int remap_sigusr1, const unsigned int flags)
Definition: manage.c:2579
FRAME_HEADROOM_MARKER_FRAGMENT
#define FRAME_HEADROOM_MARKER_FRAGMENT
Definition: mtu.h:130
CE_MAN_QUERY_REMOTE_MASK
#define CE_MAN_QUERY_REMOTE_MASK
Definition: options.h:130
addr_defined
static bool addr_defined(const struct openvpn_sockaddr *addr)
Definition: socket.h:631
get_link_socket_info
static struct link_socket_info * get_link_socket_info(struct context *c)
Definition: forward.h:307
tls_options::packet_timeout
interval_t packet_timeout
Definition: ssl_common.h:274
do_close_ifconfig_pool_persist
static void do_close_ifconfig_pool_persist(struct context *c)
Definition: init.c:3676
do_close_check_if_restart_permitted
static void do_close_check_if_restart_permitted(struct context *c)
Definition: init.c:3440
tls_options::config_authname
const char * config_authname
Definition: ssl_common.h:305
connection_list::len
int len
Definition: options.h:161
connection_entry::tun_mtu
int tun_mtu
Definition: options.h:107
options::verify_x509_name
const char * verify_x509_name
Definition: options.h:522
context_2::pulled_options_state
md_ctx_t * pulled_options_state
Definition: openvpn.h:467
free_context_buffers
void free_context_buffers(struct context_buffers *b)
Definition: init.c:3244
SSEC_SCRIPTS
#define SSEC_SCRIPTS
Definition: run_command.h:33
do_genkey
bool do_genkey(const struct options *options)
Definition: init.c:1053
tuntap::local
in_addr_t local
Definition: tun.h:152
management_callback::arg
void * arg
Definition: manage.h:156
tls_options::renegotiate_seconds
interval_t renegotiate_seconds
Definition: ssl_common.h:277
connection_entry::socks_proxy_server
const char * socks_proxy_server
Definition: options.h:103
options::ns_cert_type
int ns_cert_type
Definition: options.h:534
options::management_write_peer_info_file
const char * management_write_peer_info_file
Definition: options.h:372
IA_EMPTY_IF_UNDEF
#define IA_EMPTY_IF_UNDEF
Definition: socket.h:393
LS_MODE_TCP_LISTEN
#define LS_MODE_TCP_LISTEN
Definition: socket.h:197
md_kt_size
int md_kt_size(const md_kt_t *kt)
Returns the size of the message digest, in bytes.
options::plugin_list
struct plugin_option_list * plugin_list
Definition: options.h:383
tls_crypt_v2_init_server_key
void tls_crypt_v2_init_server_key(struct key_ctx *key_ctx, bool encrypt, const char *key_file, const char *key_inline)
Initialize a tls-crypt-v2 server key (used to encrypt/decrypt client keys).
Definition: tls_crypt.c:361
tls_ctx_free
void tls_ctx_free(struct tls_root_ctx *ctx)
Frees the library-specific TLSv1 context.
Definition: ssl_openssl.c:131
connection_entry::proto
int proto
Definition: options.h:88