OpenVPN
init.c
Go to the documentation of this file.
1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single TCP/UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
9  *
10  * This program is free software; you can redistribute it and/or modify
11  * it under the terms of the GNU General Public License version 2
12  * as published by the Free Software Foundation.
13  *
14  * This program is distributed in the hope that it will be useful,
15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17  * GNU General Public License for more details.
18  *
19  * You should have received a copy of the GNU General Public License along
20  * with this program; if not, write to the Free Software Foundation, Inc.,
21  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22  */
23 
24 #ifdef HAVE_CONFIG_H
25 #include "config.h"
26 #elif defined(_MSC_VER)
27 #include "config-msvc.h"
28 #endif
29 
30 #include "syshead.h"
31 
32 #ifdef ENABLE_SYSTEMD
33 #include <systemd/sd-daemon.h>
34 #endif
35 
36 #include "win32.h"
37 #include "init.h"
38 #include "run_command.h"
39 #include "sig.h"
40 #include "occ.h"
41 #include "list.h"
42 #include "otime.h"
43 #include "pool.h"
44 #include "gremlin.h"
45 #include "occ.h"
46 #include "pkcs11.h"
47 #include "ps.h"
48 #include "lladdr.h"
49 #include "ping.h"
50 #include "mstats.h"
51 #include "ssl_verify.h"
52 #include "ssl_ncp.h"
53 #include "tls_crypt.h"
54 #include "forward.h"
55 #include "auth_token.h"
56 
57 #include "memdbg.h"
58 
59 
60 static struct context *static_context; /* GLOBAL */
61 static const char *saved_pid_file_name; /* GLOBAL */
62 
63 /*
64  * Crypto initialization flags
65  */
66 #define CF_LOAD_PERSISTED_PACKET_ID (1<<0)
67 #define CF_INIT_TLS_MULTI (1<<1)
68 #define CF_INIT_TLS_AUTH_STANDALONE (1<<2)
69 
70 static void do_init_first_time(struct context *c);
71 
72 void
74 {
75  CLEAR(*c);
76 }
77 
78 void
80 {
81  CLEAR(c->c1);
82 }
83 
84 void
86 {
87  CLEAR(c->c2);
88 }
89 
90 void
92 {
93  const bool first_time_save = c->first_time;
94  const struct context_persist cpsave = c->persist;
95  context_clear(c);
96  c->first_time = first_time_save;
97  c->persist = cpsave;
98 }
99 
100 /*
101  * Pass tunnel endpoint and MTU parms to a user-supplied script.
102  * Used to execute the up/down script/plugins.
103  */
104 static void
105 run_up_down(const char *command,
106  const struct plugin_list *plugins,
107  int plugin_type,
108  const char *arg,
109 #ifdef _WIN32
110  DWORD adapter_index,
111 #endif
112  const char *dev_type,
113  int tun_mtu,
114  int link_mtu,
115  const char *ifconfig_local,
116  const char *ifconfig_remote,
117  const char *context,
118  const char *signal_text,
119  const char *script_type,
120  struct env_set *es)
121 {
122  struct gc_arena gc = gc_new();
123 
124  if (signal_text)
125  {
126  setenv_str(es, "signal", signal_text);
127  }
128  setenv_str(es, "script_context", context);
129  setenv_int(es, "tun_mtu", tun_mtu);
130  setenv_int(es, "link_mtu", link_mtu);
131  setenv_str(es, "dev", arg);
132  if (dev_type)
133  {
134  setenv_str(es, "dev_type", dev_type);
135  }
136 #ifdef _WIN32
137  setenv_int(es, "dev_idx", adapter_index);
138 #endif
139 
140  if (!ifconfig_local)
141  {
142  ifconfig_local = "";
143  }
144  if (!ifconfig_remote)
145  {
146  ifconfig_remote = "";
147  }
148  if (!context)
149  {
150  context = "";
151  }
152 
153  if (plugin_defined(plugins, plugin_type))
154  {
155  struct argv argv = argv_new();
156  ASSERT(arg);
157  argv_printf(&argv,
158  "%s %d %d %s %s %s",
159  arg,
160  tun_mtu, link_mtu,
161  ifconfig_local, ifconfig_remote,
162  context);
163 
164  if (plugin_call(plugins, plugin_type, &argv, NULL, es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
165  {
166  msg(M_FATAL, "ERROR: up/down plugin call failed");
167  }
168 
169  argv_free(&argv);
170  }
171 
172  if (command)
173  {
174  struct argv argv = argv_new();
175  ASSERT(arg);
176  setenv_str(es, "script_type", script_type);
177  argv_parse_cmd(&argv, command);
178  argv_printf_cat(&argv, "%s %d %d %s %s %s", arg, tun_mtu, link_mtu,
179  ifconfig_local, ifconfig_remote, context);
180  argv_msg(M_INFO, &argv);
181  openvpn_run_script(&argv, es, S_FATAL, "--up/--down");
182  argv_free(&argv);
183  }
184 
185  gc_free(&gc);
186 }
187 
188 /*
189  * Should be called after options->ce is modified at the top
190  * of a SIGUSR1 restart.
191  */
192 static void
194 {
195 #if P2MP
196  /*
197  * In pull mode, we usually import --ping/--ping-restart parameters from
198  * the server. However we should also set an initial default --ping-restart
199  * for the period of time before we pull the --ping-restart parameter
200  * from the server.
201  */
202  if (options->pull
203  && options->ping_rec_timeout_action == PING_UNDEF
204  && proto_is_dgram(options->ce.proto))
205  {
208  }
209 #endif
210 }
211 
212 #ifdef ENABLE_MANAGEMENT
213 static bool
214 management_callback_proxy_cmd(void *arg, const char **p)
215 {
216  struct context *c = arg;
217  struct connection_entry *ce = &c->options.ce;
218  struct gc_arena *gc = &c->c2.gc;
219  bool ret = false;
220 
221  update_time();
222  if (streq(p[1], "NONE"))
223  {
224  ret = true;
225  }
226  else if (p[2] && p[3])
227  {
228  if (streq(p[1], "HTTP"))
229  {
230  struct http_proxy_options *ho;
231  if (ce->proto != PROTO_TCP && ce->proto != PROTO_TCP_CLIENT)
232  {
233  msg(M_WARN, "HTTP proxy support only works for TCP based connections");
234  return false;
235  }
237  ho->server = string_alloc(p[2], gc);
238  ho->port = string_alloc(p[3], gc);
239  ho->auth_retry = (p[4] && streq(p[4], "nct") ? PAR_NCT : PAR_ALL);
240  ret = true;
241  }
242  else if (streq(p[1], "SOCKS"))
243  {
244  ce->socks_proxy_server = string_alloc(p[2], gc);
245  ce->socks_proxy_port = string_alloc(p[3], gc);
246  ret = true;
247  }
248  }
249  else
250  {
251  msg(M_WARN, "Bad proxy command");
252  }
253 
254  ce->flags &= ~CE_MAN_QUERY_PROXY;
255 
256  return ret;
257 }
258 
259 static bool
261 {
262  const struct connection_list *l = c->options.connection_list;
263  struct connection_entry *ce = &c->options.ce;
264  struct gc_arena gc;
265  bool ret = true;
266 
267  update_time();
268  if (management)
269  {
270  gc = gc_new();
271  {
272  struct buffer out = alloc_buf_gc(256, &gc);
273  buf_printf(&out, ">PROXY:%u,%s,%s", (l ? l->current : 0) + 1,
274  (proto_is_udp(ce->proto) ? "UDP" : "TCP"), np(ce->remote));
277  }
278  ce->flags |= CE_MAN_QUERY_PROXY;
279  while (ce->flags & CE_MAN_QUERY_PROXY)
280  {
282  if (IS_SIG(c))
283  {
284  ret = false;
285  break;
286  }
287  }
289  gc_free(&gc);
290  }
291 
292  return ret;
293 }
294 
309 static bool
311  const char *command,
312  const char *parameters)
313 {
314  struct context *c = (struct context *) arg;
315  size_t len = strlen(command) + 1 + strlen(parameters) + 1;
316  if (len > PUSH_BUNDLE_SIZE)
317  {
318  return false;
319  }
320 
321  struct gc_arena gc = gc_new();
322  struct buffer buf = alloc_buf_gc(len, &gc);
323  ASSERT(buf_printf(&buf, "%s", command));
324  if (parameters)
325  {
326  ASSERT(buf_printf(&buf, ",%s", parameters));
327  }
328  bool status = send_control_channel_string(c, BSTR(&buf), D_PUSH);
329 
330  gc_free(&gc);
331  return status;
332 }
333 
334 static bool
335 management_callback_remote_cmd(void *arg, const char **p)
336 {
337  struct context *c = (struct context *) arg;
338  struct connection_entry *ce = &c->options.ce;
339  int ret = false;
341  {
342  int flags = 0;
343  if (!strcmp(p[1], "ACCEPT"))
344  {
346  ret = true;
347  }
348  else if (!strcmp(p[1], "SKIP"))
349  {
350  flags = CE_MAN_QUERY_REMOTE_SKIP;
351  ret = true;
352  }
353  else if (!strcmp(p[1], "MOD") && p[2] && p[3])
354  {
355  if (strlen(p[2]) < RH_HOST_LEN && strlen(p[3]) < RH_PORT_LEN)
356  {
357  struct remote_host_store *rhs = c->options.rh_store;
358  if (!rhs)
359  {
361  c->options.rh_store = rhs;
362  }
363  strncpynt(rhs->host, p[2], RH_HOST_LEN);
364  strncpynt(rhs->port, p[3], RH_PORT_LEN);
365 
366  ce->remote = rhs->host;
367  ce->remote_port = rhs->port;
368  flags = CE_MAN_QUERY_REMOTE_MOD;
369  ret = true;
370  }
371  }
372  if (ret)
373  {
374  ce->flags &= ~(CE_MAN_QUERY_REMOTE_MASK<<CE_MAN_QUERY_REMOTE_SHIFT);
376  }
377  }
378  return ret;
379 }
380 
381 static bool
383 {
384  struct gc_arena gc = gc_new();
385  volatile struct connection_entry *ce = &c->options.ce;
386  int ce_changed = true; /* presume the connection entry will be changed */
387 
388  update_time();
389  if (management)
390  {
391  struct buffer out = alloc_buf_gc(256, &gc);
392 
393  buf_printf(&out, ">REMOTE:%s,%s,%s", np(ce->remote), ce->remote_port,
394  proto2ascii(ce->proto, ce->af, false));
397 
400  while (((ce->flags >> CE_MAN_QUERY_REMOTE_SHIFT)
402  {
404  if (IS_SIG(c))
405  {
406  ce_changed = false; /* connection entry have not been set */
407  break;
408  }
409  }
411  }
412  gc_free(&gc);
413 
414  if (ce_changed)
415  {
416  /* If it is likely a connection entry was modified,
417  * check what changed in the flags and that it was not skipped
418  */
419  const int flags = ((ce->flags >> CE_MAN_QUERY_REMOTE_SHIFT)
421  ce_changed = (flags != CE_MAN_QUERY_REMOTE_SKIP);
422  }
423  return ce_changed;
424 }
425 #endif /* ENABLE_MANAGEMENT */
426 
427 /*
428  * Initialize and possibly randomize connection list.
429  */
430 static void
432 {
433  struct connection_list *l = c->options.connection_list;
434 
435  l->current = -1;
436  if (c->options.remote_random)
437  {
438  int i;
439  for (i = 0; i < l->len; ++i)
440  {
441  const int j = get_random() % l->len;
442  if (i != j)
443  {
444  struct connection_entry *tmp;
445  tmp = l->array[i];
446  l->array[i] = l->array[j];
447  l->array[j] = tmp;
448  }
449  }
450  }
451 }
452 
453 /*
454  * Clear the remote address list
455  */
456 static void
458 {
459  if (lsa->remote_list && free)
460  {
461  freeaddrinfo(lsa->remote_list);
462  }
463  lsa->remote_list = NULL;
464  lsa->current_remote = NULL;
465 }
466 
467 /*
468  * Increment to next connection entry
469  */
470 static void
472 {
473  struct connection_list *l = c->options.connection_list;
474  bool ce_defined;
475  struct connection_entry *ce;
476  int n_cycles = 0;
477 
478  do
479  {
480  ce_defined = true;
481  if (c->options.no_advance && l->current >= 0)
482  {
483  c->options.no_advance = false;
484  }
485  else
486  {
487  /* Check if there is another resolved address to try for
488  * the current connection */
490  && c->c1.link_socket_addr.current_remote->ai_next)
491  {
493  c->c1.link_socket_addr.current_remote->ai_next;
494  }
495  else
496  {
497  /* FIXME (schwabe) fix the persist-remote-ip option for real,
498  * this is broken probably ever since connection lists and multiple
499  * remote existed
500  */
501  if (!c->options.persist_remote_ip)
502  {
503  /* Connection entry addrinfo objects might have been
504  * resolved earlier but the entry itself might have been
505  * skipped by management on the previous loop.
506  * If so, clear the addrinfo objects as close_instance does
507  */
509  {
512  }
513 
514  /* close_instance should have cleared the addrinfo objects */
517  }
518  else
519  {
522  }
523 
524  /*
525  * Increase the number of connection attempts
526  * If this is connect-retry-max * size(l)
527  * OpenVPN will quit
528  */
529 
531 
532  if (++l->current >= l->len)
533  {
534 
535  l->current = 0;
536  if (++n_cycles >= 2)
537  {
538  msg(M_FATAL, "No usable connection profiles are present");
539  }
540  }
541  }
542  }
543 
544  ce = l->array[l->current];
545 
546  if (ce->flags & CE_DISABLED)
547  {
548  ce_defined = false;
549  }
550 
551  c->options.ce = *ce;
552 #ifdef ENABLE_MANAGEMENT
554  {
555  /* allow management interface to override connection entry details */
556  ce_defined = ce_management_query_remote(c);
557  if (IS_SIG(c))
558  {
559  break;
560  }
561  }
562  else if (ce_defined && management && management_query_proxy_enabled(management))
563  {
564  ce_defined = ce_management_query_proxy(c);
565  if (IS_SIG(c))
566  {
567  break;
568  }
569  }
570 #endif
571  } while (!ce_defined);
572 
573  /* Check if this connection attempt would bring us over the limit */
574  if (c->options.connect_retry_max > 0
576  {
577  msg(M_FATAL, "All connections have been connect-retry-max (%d) times unsuccessful, exiting",
579  }
581 }
582 
583 /*
584  * Query for private key and auth-user-pass username/passwords
585  */
586 void
588 {
589  /* Certificate password input */
590  if (c->options.key_pass_file)
591  {
593  }
594 
595 #if P2MP
596  /* Auth user/pass input */
598  {
599 #ifdef ENABLE_MANAGEMENT
601 #else
603 #endif
604  }
605 #endif
606 }
607 
608 /*
609  * Initialize/Uninitialize HTTP or SOCKS proxy
610  */
611 
612 static void
614 {
615  if (c->c1.http_proxy_owned && c->c1.http_proxy)
616  {
618  c->c1.http_proxy = NULL;
619  c->c1.http_proxy_owned = false;
620  }
621  if (c->c1.socks_proxy_owned && c->c1.socks_proxy)
622  {
624  c->c1.socks_proxy = NULL;
625  c->c1.socks_proxy_owned = false;
626  }
627 }
628 
629 static void
631 {
632  bool did_http = false;
633 
635 
637  {
638  /* Possible HTTP proxy user/pass input */
640  if (c->c1.http_proxy)
641  {
642  did_http = true;
643  c->c1.http_proxy_owned = true;
644  }
645  }
646 
647  if (!did_http && c->options.ce.socks_proxy_server)
648  {
652  if (c->c1.socks_proxy)
653  {
654  c->c1.socks_proxy_owned = true;
655  }
656  }
657 }
658 
659 static void
660 init_proxy(struct context *c)
661 {
663 }
664 
665 static void
667 {
669 }
670 
671 /*
672  * Saves the initial state of NCP-regotiable
673  * options into a storage which persists over SIGUSR1.
674  */
675 static void
677 {
679  c->c1.authname = c->options.authname;
680  c->c1.keysize = c->options.keysize;
681 }
682 
683 /* Restores NCP-negotiable options to original values */
684 static void
686 {
688  c->options.authname = c->c1.authname;
689  c->options.keysize = c->c1.keysize;
690  c->options.data_channel_use_ekm = false;
691 }
692 
693 void
695 {
696  context_clear_1(c);
697 
699 
701 
702  save_ncp_options(c);
703 
704 #if defined(ENABLE_PKCS11)
705  if (c->first_time)
706  {
707  int i;
708  pkcs11_initialize(true, c->options.pkcs11_pin_cache_period);
709  for (i = 0; i<MAX_PARMS && c->options.pkcs11_providers[i] != NULL; i++)
710  {
711  pkcs11_addProvider(c->options.pkcs11_providers[i], c->options.pkcs11_protected_authentication[i],
712  c->options.pkcs11_private_mode[i], c->options.pkcs11_cert_private[i]);
713  }
714  }
715 #endif
716 
717 #if 0 /* test get_user_pass with GET_USER_PASS_NEED_OK flag */
718  {
719  /*
720  * In the management interface, you can okay the request by entering "needok token-insertion-request ok"
721  */
722  struct user_pass up;
723  CLEAR(up);
724  strcpy(up.username, "Please insert your cryptographic token"); /* put the high-level message in up.username */
725  get_user_pass(&up, NULL, "token-insertion-request", GET_USER_PASS_MANAGEMENT|GET_USER_PASS_NEED_OK);
726  msg(M_INFO, "RET:%s", up.password); /* will return the third argument to management interface
727  * 'needok' command, usually 'ok' or 'cancel'. */
728  }
729 #endif
730 
731 #ifdef ENABLE_SYSTEMD
732  /* We can report the PID via getpid() to systemd here as OpenVPN will not
733  * do any fork due to daemon() a future call.
734  * See possibly_become_daemon() [init.c] for more details.
735  */
736  sd_notifyf(0, "READY=1\nSTATUS=Pre-connection initialization successful\nMAINPID=%lu",
737  (unsigned long) getpid());
738 #endif
739 
740 }
741 
742 void
744 {
745  gc_free(&c->c2.gc);
746  gc_free(&c->options.gc);
747  gc_free(&c->gc);
748 }
749 
750 #if PORT_SHARE
751 
752 static void
753 close_port_share(void)
754 {
755  if (port_share)
756  {
757  port_share_close(port_share);
758  port_share = NULL;
759  }
760 }
761 
762 static void
763 init_port_share(struct context *c)
764 {
765  if (!port_share && (c->options.port_share_host && c->options.port_share_port))
766  {
767  port_share = port_share_open(c->options.port_share_host,
768  c->options.port_share_port,
770  c->options.port_share_journal_dir);
771  if (port_share == NULL)
772  {
773  msg(M_FATAL, "Fatal error: Port sharing failed");
774  }
775  }
776 }
777 
778 #endif /* if PORT_SHARE */
779 
780 
781 bool
783 {
784  /* configure_path (); */
785 
786 #if defined(DMALLOC)
787  crypto_init_dmalloc();
788 #endif
789 
790 
791  /*
792  * Initialize random number seed. random() is only used
793  * when "weak" random numbers are acceptable.
794  * SSL library routines are always used when cryptographically
795  * strong random numbers are required.
796  */
797  struct timeval tv;
798  if (!gettimeofday(&tv, NULL))
799  {
800  const unsigned int seed = (unsigned int) tv.tv_sec ^ tv.tv_usec;
801  srandom(seed);
802  }
803 
804  error_reset(); /* initialize error.c */
805  reset_check_status(); /* initialize status check code in socket.c */
806 
807 #ifdef _WIN32
808  init_win32();
809 #endif
810 
811 #ifdef OPENVPN_DEBUG_COMMAND_LINE
812  {
813  int i;
814  for (i = 0; i < argc; ++i)
815  {
816  msg(M_INFO, "argv[%d] = '%s'", i, argv[i]);
817  }
818  }
819 #endif
820 
821  update_time();
822 
823  init_ssl_lib();
824 
825  /* init PRNG used for IV generation */
826  /* When forking, copy this to more places in the code to avoid fork
827  * random-state predictability */
828  prng_init(NULL, 0);
829 
830 #ifdef PID_TEST
831  packet_id_interactive_test(); /* test the sequence number code */
832  return false;
833 #endif
834 
835 #ifdef SCHEDULE_TEST
836  schedule_test();
837  return false;
838 #endif
839 
840 #ifdef LIST_TEST
841  list_test();
842  return false;
843 #endif
844 
845 #ifdef IFCONFIG_POOL_TEST
846  ifconfig_pool_test(0x0A010004, 0x0A0100FF);
847  return false;
848 #endif
849 
850 #ifdef CHARACTER_CLASS_DEBUG
851  character_class_debug();
852  return false;
853 #endif
854 
855 #ifdef EXTRACT_X509_FIELD_TEST
857  return false;
858 #endif
859 
860 #ifdef TIME_TEST
861  time_test();
862  return false;
863 #endif
864 
865 #ifdef TEST_GET_DEFAULT_GATEWAY
866  {
867  struct route_gateway_info rgi;
868  struct route_ipv6_gateway_info rgi6;
869  get_default_gateway(&rgi);
870  get_default_gateway_ipv6(&rgi6, NULL);
871  print_default_gateway(M_INFO, &rgi, &rgi6);
872  return false;
873  }
874 #endif
875 
876 #ifdef GEN_PATH_TEST
877  {
878  struct gc_arena gc = gc_new();
879  const char *fn = gen_path("foo",
880  "bar",
881  &gc);
882  printf("%s\n", fn);
883  gc_free(&gc);
884  }
885  return false;
886 #endif
887 
888 #ifdef STATUS_PRINTF_TEST
889  {
890  struct gc_arena gc = gc_new();
891  const char *tmp_file = platform_create_temp_file("/tmp", "foo", &gc);
892  struct status_output *so = status_open(tmp_file, 0, -1, NULL, STATUS_OUTPUT_WRITE);
893  status_printf(so, "%s", "foo");
894  status_printf(so, "%s", "bar");
895  if (!status_close(so))
896  {
897  msg(M_WARN, "STATUS_PRINTF_TEST: %s: write error", tmp_file);
898  }
899  gc_free(&gc);
900  }
901  return false;
902 #endif
903 
904 #ifdef PRNG_TEST
905  {
906  struct gc_arena gc = gc_new();
907  uint8_t rndbuf[8];
908  int i;
909  prng_init("sha1", 16);
910  /*prng_init (NULL, 0);*/
911  const int factor = 1;
912  for (i = 0; i < factor * 8; ++i)
913  {
914 #if 1
915  prng_bytes(rndbuf, sizeof(rndbuf));
916 #else
917  ASSERT(rand_bytes(rndbuf, sizeof(rndbuf)));
918 #endif
919  printf("[%d] %s\n", i, format_hex(rndbuf, sizeof(rndbuf), 0, &gc));
920  }
921  gc_free(&gc);
922  prng_uninit();
923  return false;
924  }
925 #endif /* ifdef PRNG_TEST */
926 
927 #ifdef BUFFER_LIST_AGGREGATE_TEST
928  /* test buffer_list_aggregate function */
929  {
930  static const char *text[] = {
931  "It was a bright cold day in April, ",
932  "and the clocks were striking ",
933  "thirteen. ",
934  "Winston Smith, ",
935  "his chin nuzzled into his breast in an ",
936  "effort to escape the vile wind, ",
937  "slipped quickly through the glass doors ",
938  "of Victory Mansions, though not quickly ",
939  "enough to prevent a swirl of gritty dust from ",
940  "entering along with him."
941  };
942 
943  int iter, listcap;
944  for (listcap = 0; listcap < 12; ++listcap)
945  {
946  for (iter = 0; iter < 512; ++iter)
947  {
948  struct buffer_list *bl = buffer_list_new(listcap);
949  {
950  int i;
951  for (i = 0; i < SIZE(text); ++i)
952  {
953  buffer_list_push(bl, (unsigned char *)text[i]);
954  }
955  }
956  printf("[cap=%d i=%d] *************************\n", listcap, iter);
957  if (!(iter & 8))
958  {
959  buffer_list_aggregate(bl, iter/2);
960  }
961  if (!(iter & 16))
962  {
963  buffer_list_push(bl, (unsigned char *)"Even more text...");
964  }
965  buffer_list_aggregate(bl, iter);
966  if (!(iter & 1))
967  {
968  buffer_list_push(bl, (unsigned char *)"More text...");
969  }
970  {
971  struct buffer *buf;
972  while ((buf = buffer_list_peek(bl)))
973  {
974  int c;
975  printf("'");
976  while ((c = buf_read_u8(buf)) >= 0)
977  {
978  putchar(c);
979  }
980  printf("'\n");
981  buffer_list_advance(bl, 0);
982  }
983  }
984  buffer_list_free(bl);
985  }
986  }
987  return false;
988  }
989 #endif /* ifdef BUFFER_LIST_AGGREGATE_TEST */
990 
991 #ifdef MSTATS_TEST
992  {
993  int i;
994  mstats_open("/dev/shm/mstats.dat");
995  for (i = 0; i < 30; ++i)
996  {
997  mmap_stats->n_clients += 1;
998  mmap_stats->link_write_bytes += 8;
999  mmap_stats->link_read_bytes += 16;
1000  sleep(1);
1001  }
1002  mstats_close();
1003  return false;
1004  }
1005 #endif
1006 
1007  return true;
1008 }
1009 
1010 void
1012 {
1013  free_ssl_lib();
1014 
1015 #ifdef ENABLE_PKCS11
1016  pkcs11_terminate();
1017 #endif
1018 
1019 #if PORT_SHARE
1020  close_port_share();
1021 #endif
1022 
1023 #if defined(MEASURE_TLS_HANDSHAKE_STATS)
1024  show_tls_performance_stats();
1025 #endif
1026 }
1027 
1028 void
1029 init_verb_mute(struct context *c, unsigned int flags)
1030 {
1031  if (flags & IVM_LEVEL_1)
1032  {
1033  /* set verbosity and mute levels */
1037  }
1038 
1039  /* special D_LOG_RW mode */
1040  if (flags & IVM_LEVEL_2)
1041  {
1043  }
1044 }
1045 
1046 /*
1047  * Possibly set --dev based on --dev-node.
1048  * For example, if --dev-node /tmp/foo/tun, and --dev undefined,
1049  * set --dev to tun.
1050  */
1051 void
1053 {
1054  if (!options->dev && options->dev_node)
1055  {
1056  char *dev_node = string_alloc(options->dev_node, NULL); /* POSIX basename() implementations may modify its arguments */
1057  options->dev = basename(dev_node);
1058  }
1059 }
1060 
1061 bool
1063 {
1064  /*
1065  * OpenSSL info print mode?
1066  */
1067  if (options->show_ciphers || options->show_digests || options->show_engines
1068  || options->show_tls_ciphers || options->show_curves)
1069  {
1070  if (options->show_ciphers)
1071  {
1073  }
1074  if (options->show_digests)
1075  {
1077  }
1078  if (options->show_engines)
1079  {
1081  }
1082  if (options->show_tls_ciphers)
1083  {
1085  options->cipher_list_tls13,
1086  options->tls_cert_profile);
1087  }
1088  if (options->show_curves)
1089  {
1091  }
1092  return true;
1093  }
1094  return false;
1095 }
1096 
1097 /*
1098  * Static pre-shared key generation mode?
1099  */
1100 bool
1101 do_genkey(const struct options *options)
1102 {
1103  /* should we disable paging? */
1104  if (options->mlock && (options->genkey))
1105  {
1106  platform_mlockall(true);
1107  }
1108 
1109  /*
1110  * We do not want user to use --genkey with --secret. In the transistion
1111  * phase we for secret.
1112  */
1113  if (options->genkey && options->genkey_type != GENKEY_SECRET
1114  && options->shared_secret_file)
1115  {
1116  msg(M_USAGE, "Using --genkey type with --secret filename is "
1117  "not supported. Use --genkey type filename instead.");
1118  }
1119  if (options->genkey && options->genkey_type == GENKEY_SECRET)
1120  {
1121  int nbits_written;
1122  const char *genkey_filename = options->genkey_filename;
1123  if (options->shared_secret_file && options->genkey_filename)
1124  {
1125  msg(M_USAGE, "You must provide a filename to either --genkey "
1126  "or --secret, not both");
1127  }
1128 
1129  /*
1130  * Copy filename from shared_secret_file to genkey_filename to support
1131  * the old --genkey --secret foo.file syntax.
1132  */
1133  if (options->shared_secret_file)
1134  {
1135  msg(M_WARN, "WARNING: Using --genkey --secret filename is "
1136  "DEPRECATED. Use --genkey secret filename instead.");
1137  genkey_filename = options->shared_secret_file;
1138  }
1139 
1140  nbits_written = write_key_file(2, genkey_filename);
1141  if (nbits_written < 0)
1142  {
1143  msg(M_FATAL, "Failed to write key file");
1144  }
1145 
1147  "Randomly generated %d bit key written to %s", nbits_written,
1148  options->shared_secret_file);
1149  return true;
1150  }
1151  else if (options->genkey && options->genkey_type == GENKEY_TLS_CRYPTV2_SERVER)
1152  {
1154  return true;
1155  }
1156  else if (options->genkey && options->genkey_type == GENKEY_TLS_CRYPTV2_CLIENT)
1157  {
1158  if (!options->tls_crypt_v2_file)
1159  {
1160  msg(M_USAGE,
1161  "--genkey tls-crypt-v2-client requires a server key to be set via --tls-crypt-v2 to create a client key");
1162  }
1163 
1165  options->genkey_extra_data, options->tls_crypt_v2_file,
1166  options->tls_crypt_v2_file_inline);
1167  return true;
1168  }
1169  else if (options->genkey && options->genkey_type == GENKEY_AUTH_TOKEN)
1170  {
1172  return true;
1173  }
1174  else
1175  {
1176  return false;
1177  }
1178 }
1179 
1180 /*
1181  * Persistent TUN/TAP device management mode?
1182  */
1183 bool
1185 {
1186  if (options->persist_config)
1187  {
1188  /* sanity check on options for --mktun or --rmtun */
1189  notnull(options->dev, "TUN/TAP device (--dev)");
1190  if (options->ce.remote || options->ifconfig_local
1191  || options->ifconfig_remote_netmask
1192  || options->shared_secret_file
1193  || options->tls_server || options->tls_client
1194  )
1195  {
1197  "options --mktun or --rmtun should only be used together with --dev");
1198  }
1199 #ifdef ENABLE_FEATURE_TUN_PERSIST
1200  tuncfg(options->dev, options->dev_type, options->dev_node,
1201  options->persist_mode,
1202  options->username, options->groupname, &options->tuntap_options,
1203  ctx);
1204  if (options->persist_mode && options->lladdr)
1205  {
1206  set_lladdr(options->dev, options->lladdr, NULL);
1207  }
1208  return true;
1209 #else /* ifdef ENABLE_FEATURE_TUN_PERSIST */
1210  msg( M_FATAL|M_OPTERR,
1211  "options --mktun and --rmtun are not available on your operating "
1212  "system. Please check 'man tun' (or 'tap'), whether your system "
1213  "supports using 'ifconfig %s create' / 'destroy' to create/remove "
1214  "persistent tunnel interfaces.", options->dev );
1215 #endif
1216  }
1217  return false;
1218 }
1219 
1220 /*
1221  * Should we become a daemon?
1222  * Return true if we did it.
1223  */
1224 bool
1226 {
1227  bool ret = false;
1228 
1229 #ifdef ENABLE_SYSTEMD
1230  /* return without forking if we are running from systemd */
1231  if (sd_notify(0, "READY=0") > 0)
1232  {
1233  return ret;
1234  }
1235 #endif
1236 
1237  if (options->daemon)
1238  {
1239  ASSERT(!options->inetd);
1240  /* Don't chdir immediately, but the end of the init sequence, if needed */
1241 
1242 #if defined(__APPLE__) && defined(__clang__)
1243 #pragma clang diagnostic push
1244 #pragma clang diagnostic ignored "-Wdeprecated-declarations"
1245 #endif
1246  if (daemon(1, options->log) < 0)
1247  {
1248  msg(M_ERR, "daemon() failed or unsupported");
1249  }
1250 #if defined(__APPLE__) && defined(__clang__)
1251 #pragma clang diagnostic pop
1252 #endif
1254  if (options->log)
1255  {
1256  set_std_files_to_null(true);
1257  }
1258 
1259  ret = true;
1260  }
1261  return ret;
1262 }
1263 
1264 /*
1265  * Actually do UID/GID downgrade, chroot and SELinux context switching, if requested.
1266  */
1267 static void
1268 do_uid_gid_chroot(struct context *c, bool no_delay)
1269 {
1270  static const char why_not[] = "will be delayed because of --client, --pull, or --up-delay";
1271  struct context_0 *c0 = c->c0;
1272 
1273  if (c0 && !c0->uid_gid_chroot_set)
1274  {
1275  /* chroot if requested */
1276  if (c->options.chroot_dir)
1277  {
1278  if (no_delay)
1279  {
1281  }
1282  else if (c->first_time)
1283  {
1284  msg(M_INFO, "NOTE: chroot %s", why_not);
1285  }
1286  }
1287 
1288  /* set user and/or group if we want to setuid/setgid */
1289  if (c0->uid_gid_specified)
1290  {
1291  if (no_delay)
1292  {
1295  }
1296  else if (c->first_time)
1297  {
1298  msg(M_INFO, "NOTE: UID/GID downgrade %s", why_not);
1299  }
1300  }
1301 
1302 #ifdef ENABLE_MEMSTATS
1303  if (c->first_time && c->options.memstats_fn)
1304  {
1305  mstats_open(c->options.memstats_fn);
1306  }
1307 #endif
1308 
1309 #ifdef ENABLE_SELINUX
1310  /* Apply a SELinux context in order to restrict what OpenVPN can do
1311  * to _only_ what it is supposed to do after initialization is complete
1312  * (basically just network I/O operations). Doing it after chroot
1313  * requires /proc to be mounted in the chroot (which is annoying indeed
1314  * but doing it before requires more complex SELinux policies.
1315  */
1316  if (c->options.selinux_context)
1317  {
1318  if (no_delay)
1319  {
1320  if (-1 == setcon(c->options.selinux_context))
1321  {
1322  msg(M_ERR, "setcon to '%s' failed; is /proc accessible?", c->options.selinux_context);
1323  }
1324  else
1325  {
1326  msg(M_INFO, "setcon to '%s' succeeded", c->options.selinux_context);
1327  }
1328  }
1329  else if (c->first_time)
1330  {
1331  msg(M_INFO, "NOTE: setcon %s", why_not);
1332  }
1333  }
1334 #endif
1335 
1336  /* Privileges are going to be dropped by now (if requested), be sure
1337  * to prevent any future privilege dropping attempts from now on.
1338  */
1339  if (no_delay)
1340  {
1341  c0->uid_gid_chroot_set = true;
1342  }
1343  }
1344 }
1345 
1346 /*
1347  * Return common name in a way that is formatted for
1348  * prepending to msg() output.
1349  */
1350 const char *
1351 format_common_name(struct context *c, struct gc_arena *gc)
1352 {
1353  struct buffer out = alloc_buf_gc(256, gc);
1354  if (c->c2.tls_multi)
1355  {
1356  buf_printf(&out, "[%s] ", tls_common_name(c->c2.tls_multi, false));
1357  }
1358  return BSTR(&out);
1359 }
1360 
1361 void
1362 pre_setup(const struct options *options)
1363 {
1364 #ifdef _WIN32
1365  if (options->exit_event_name)
1366  {
1369  options->exit_event_name,
1370  options->exit_event_initial_state);
1371  }
1372  else
1373  {
1376  NULL,
1377  false);
1378 
1379  /* put a title on the top window bar */
1381  {
1383  window_title_generate(options->config);
1384  }
1385  }
1386 #endif /* ifdef _WIN32 */
1387 }
1388 
1389 void
1391 {
1392  c->c2.coarse_timer_wakeup = 0;
1393 }
1394 
1395 /*
1396  * Initialise the server poll timeout timer
1397  * This timer is used in the http/socks proxy setup so it needs to be setup
1398  * before
1399  */
1400 static void
1402 {
1403  update_time();
1404  if (c->options.ce.connect_timeout)
1405  {
1407  }
1408 }
1409 
1410 /*
1411  * Initialize timers
1412  */
1413 static void
1414 do_init_timers(struct context *c, bool deferred)
1415 {
1416  update_time();
1418 
1419  /* initialize inactivity timeout */
1420  if (c->options.inactivity_timeout)
1421  {
1423  }
1424 
1425  /* initialize pings */
1426 
1427  if (c->options.ping_send_timeout)
1428  {
1430  }
1431 
1432  if (c->options.ping_rec_timeout)
1433  {
1435  }
1436 
1437  if (!deferred)
1438  {
1439  /* initialize connection establishment timer */
1441 
1442  /* initialize occ timers */
1443 
1444  if (c->options.occ
1445  && !TLS_MODE(c)
1447  {
1449  }
1450 
1451  if (c->options.mtu_test)
1452  {
1454  }
1455 
1456  /* initialize packet_id persistence timer */
1457  if (c->options.packet_id_file)
1458  {
1460  }
1461 
1462  /* initialize tmp_int optimization that limits the number of times we call
1463  * tls_multi_process in the main event loop */
1465  }
1466 }
1467 
1468 /*
1469  * Initialize traffic shaper.
1470  */
1471 static void
1473 {
1474 #ifdef ENABLE_FEATURE_SHAPER
1475  /* initialize traffic shaper (i.e. transmit bandwidth limiter) */
1476  if (c->options.shaper)
1477  {
1478  shaper_init(&c->c2.shaper, c->options.shaper);
1479  shaper_msg(&c->c2.shaper);
1480  }
1481 #endif
1482 }
1483 
1484 /*
1485  * Allocate route list structures for IPv4 and IPv6
1486  * (we do this for IPv4 even if no --route option has been seen, as other
1487  * parts of OpenVPN might want to fill the route-list with info, e.g. DHCP)
1488  */
1489 static void
1491 {
1492  if (!c->c1.route_list)
1493  {
1494  ALLOC_OBJ_CLEAR_GC(c->c1.route_list, struct route_list, &c->gc);
1495  }
1496  if (c->options.routes_ipv6 && !c->c1.route_ipv6_list)
1497  {
1499  }
1500 }
1501 
1502 
1503 /*
1504  * Initialize the route list, resolving any DNS names in route
1505  * options and saving routes in the environment.
1506  */
1507 static void
1509  struct route_list *route_list,
1510  const struct link_socket_info *link_socket_info,
1511  struct env_set *es,
1512  openvpn_net_ctx_t *ctx)
1513 {
1514  const char *gw = NULL;
1515  int dev = dev_type_enum(options->dev, options->dev_type);
1516  int metric = 0;
1517 
1518  if (dev == DEV_TYPE_TUN && (options->topology == TOP_NET30 || options->topology == TOP_P2P))
1519  {
1520  gw = options->ifconfig_remote_netmask;
1521  }
1522  if (options->route_default_gateway)
1523  {
1524  gw = options->route_default_gateway;
1525  }
1526  if (options->route_default_metric)
1527  {
1528  metric = options->route_default_metric;
1529  }
1530 
1531  if (init_route_list(route_list,
1532  options->routes,
1533  gw,
1534  metric,
1535  link_socket_current_remote(link_socket_info),
1536  es,
1537  ctx))
1538  {
1539  /* copy routes to environment */
1540  setenv_routes(es, route_list);
1541  }
1542 }
1543 
1544 static void
1547  const struct link_socket_info *link_socket_info,
1548  struct env_set *es,
1549  openvpn_net_ctx_t *ctx)
1550 {
1551  const char *gw = NULL;
1552  int metric = -1; /* no metric set */
1553 
1554  gw = options->ifconfig_ipv6_remote; /* default GW = remote end */
1555  if (options->route_ipv6_default_gateway)
1556  {
1557  gw = options->route_ipv6_default_gateway;
1558  }
1559 
1560  if (options->route_default_metric)
1561  {
1562  metric = options->route_default_metric;
1563  }
1564 
1565  /* redirect (IPv6) gateway to VPN? if yes, add a few more specifics
1566  */
1567  if (options->routes_ipv6->flags & RG_REROUTE_GW)
1568  {
1569  char *opt_list[] = { "::/3", "2000::/4", "3000::/4", "fc00::/7", NULL };
1570  int i;
1571 
1572  for (i = 0; opt_list[i]; i++)
1573  {
1575  string_alloc(opt_list[i], options->routes_ipv6->gc),
1576  NULL, NULL );
1577  }
1578  }
1579 
1580  if (init_route_ipv6_list(route_ipv6_list,
1581  options->routes_ipv6,
1582  gw,
1583  metric,
1584  link_socket_current_remote_ipv6(link_socket_info),
1585  es,
1586  ctx))
1587  {
1588  /* copy routes to environment */
1589  setenv_routes_ipv6(es, route_ipv6_list);
1590  }
1591 }
1592 
1593 
1594 /*
1595  * Called after all initialization has been completed.
1596  */
1597 void
1598 initialization_sequence_completed(struct context *c, const unsigned int flags)
1599 {
1600  static const char message[] = "Initialization Sequence Completed";
1601 
1602  /* Reset the unsuccessful connection counter on complete initialisation */
1604 
1605  /* If we delayed UID/GID downgrade or chroot, do it now */
1606  do_uid_gid_chroot(c, true);
1607 
1608 
1609  /*
1610  * In some cases (i.e. when receiving auth-token via
1611  * push-reply) the auth-nocache option configured on the
1612  * client is overridden; for this reason we have to wait
1613  * for the push-reply message before attempting to wipe
1614  * the user/pass entered by the user
1615  */
1616  if (c->options.mode == MODE_POINT_TO_POINT)
1617  {
1619  }
1620 
1621  /* Test if errors */
1622  if (flags & ISC_ERRORS)
1623  {
1624 #ifdef _WIN32
1627  msg(M_INFO, "%s With Errors ( see http://openvpn.net/faq.html#dhcpclientserv )", message);
1628 #else
1629 #ifdef ENABLE_SYSTEMD
1630  sd_notifyf(0, "STATUS=Failed to start up: %s With Errors\nERRNO=1", message);
1631 #endif /* HAVE_SYSTEMD_SD_DAEMON_H */
1632  msg(M_INFO, "%s With Errors", message);
1633 #endif
1634  }
1635  else
1636  {
1637 #ifdef ENABLE_SYSTEMD
1638  sd_notifyf(0, "STATUS=%s", message);
1639 #endif
1640  msg(M_INFO, "%s", message);
1641  }
1642 
1643  /* Flag that we initialized */
1644  if ((flags & (ISC_ERRORS|ISC_SERVER)) == 0)
1645  {
1646  c->options.no_advance = true;
1647  }
1648 
1649 #ifdef _WIN32
1651 #endif
1652 
1653 #ifdef ENABLE_MANAGEMENT
1654  /* Tell management interface that we initialized */
1655  if (management)
1656  {
1657  in_addr_t *tun_local = NULL;
1658  struct in6_addr *tun_local6 = NULL;
1659  struct openvpn_sockaddr local, remote;
1660  struct link_socket_actual *actual;
1661  socklen_t sa_len = sizeof(local);
1662  const char *detail = "SUCCESS";
1663  if (flags & ISC_ERRORS)
1664  {
1665  detail = "ERROR";
1666  }
1667 
1668  CLEAR(local);
1669  actual = &get_link_socket_info(c)->lsa->actual;
1670  remote = actual->dest;
1671  getsockname(c->c2.link_socket->sd, &local.addr.sa, &sa_len);
1672 #if ENABLE_IP_PKTINFO
1673  if (!addr_defined(&local))
1674  {
1675  switch (local.addr.sa.sa_family)
1676  {
1677  case AF_INET:
1678 #if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST)
1679  local.addr.in4.sin_addr = actual->pi.in4.ipi_spec_dst;
1680 #else
1681  local.addr.in4.sin_addr = actual->pi.in4;
1682 #endif
1683  break;
1684 
1685  case AF_INET6:
1686  local.addr.in6.sin6_addr = actual->pi.in6.ipi6_addr;
1687  break;
1688  }
1689  }
1690 #endif
1691 
1692  if (c->c1.tuntap)
1693  {
1694  tun_local = &c->c1.tuntap->local;
1695  tun_local6 = &c->c1.tuntap->local_ipv6;
1696  }
1699  detail,
1700  tun_local,
1701  tun_local6,
1702  &local,
1703  &remote);
1704  if (tun_local)
1705  {
1707  }
1708  }
1709 #endif /* ifdef ENABLE_MANAGEMENT */
1710 }
1711 
1712 /*
1713  * Possibly add routes and/or call route-up script
1714  * based on options.
1715  */
1716 void
1717 do_route(const struct options *options,
1718  struct route_list *route_list,
1720  const struct tuntap *tt,
1721  const struct plugin_list *plugins,
1722  struct env_set *es,
1723  openvpn_net_ctx_t *ctx)
1724 {
1725  if (!options->route_noexec && ( route_list || route_ipv6_list ) )
1726  {
1727  add_routes(route_list, route_ipv6_list, tt, ROUTE_OPTION_FLAGS(options),
1728  es, ctx);
1729  setenv_int(es, "redirect_gateway", route_did_redirect_default_gateway(route_list));
1730  }
1731 #ifdef ENABLE_MANAGEMENT
1732  if (management)
1733  {
1734  management_up_down(management, "UP", es);
1735  }
1736 #endif
1737 
1739  {
1740  if (plugin_call(plugins, OPENVPN_PLUGIN_ROUTE_UP, NULL, NULL, es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
1741  {
1742  msg(M_WARN, "WARNING: route-up plugin call failed");
1743  }
1744  }
1745 
1746  if (options->route_script)
1747  {
1748  struct argv argv = argv_new();
1749  setenv_str(es, "script_type", "route-up");
1750  argv_parse_cmd(&argv, options->route_script);
1751  openvpn_run_script(&argv, es, 0, "--route-up");
1752  argv_free(&argv);
1753  }
1754 
1755 #ifdef _WIN32
1756  if (options->show_net_up)
1757  {
1760  }
1761  else if (check_debug_level(D_SHOW_NET))
1762  {
1765  }
1766 #endif
1767 }
1768 
1769 /*
1770  * initialize tun/tap device object
1771  */
1772 static void
1774 {
1775  c->c1.tuntap = init_tun(c->options.dev,
1776  c->options.dev_type,
1777  c->options.topology,
1786  c->c2.es,
1787  &c->net_ctx);
1788 
1789 #ifdef _WIN32
1791 #endif
1792 
1793  init_tun_post(c->c1.tuntap,
1794  &c->c2.frame,
1795  &c->options.tuntap_options);
1796 
1797  c->c1.tuntap_owned = true;
1798 }
1799 
1800 /*
1801  * Open tun/tap device, ifconfig, call up script, etc.
1802  */
1803 
1804 static bool
1806 {
1807  struct gc_arena gc = gc_new();
1808  bool ret = false;
1809 
1810 #ifndef TARGET_ANDROID
1811  if (!c->c1.tuntap)
1812  {
1813 #endif
1814 
1815 #ifdef TARGET_ANDROID
1816  /* If we emulate persist-tun on android we still have to open a new tun and
1817  * then close the old */
1818  int oldtunfd = -1;
1819  if (c->c1.tuntap)
1820  {
1821  oldtunfd = c->c1.tuntap->fd;
1822  free(c->c1.tuntap);
1823  c->c1.tuntap = NULL;
1824  c->c1.tuntap_owned = false;
1825  }
1826 #endif
1827 
1828  /* initialize (but do not open) tun/tap object */
1829  do_init_tun(c);
1830 
1831 #ifdef _WIN32
1832  /* store (hide) interactive service handle in tuntap_options */
1834  msg(D_ROUTE, "interactive service msg_channel=%" PRIu64, (unsigned long long) c->options.msg_channel);
1835 #endif
1836 
1837  /* allocate route list structure */
1839 
1840  /* parse and resolve the route option list */
1841  ASSERT(c->c2.link_socket);
1842  if (c->options.routes && c->c1.route_list)
1843  {
1845  &c->c2.link_socket->info, c->c2.es, &c->net_ctx);
1846  }
1847  if (c->options.routes_ipv6 && c->c1.route_ipv6_list)
1848  {
1850  &c->c2.link_socket->info, c->c2.es,
1851  &c->net_ctx);
1852  }
1853 
1854  /* do ifconfig */
1855  if (!c->options.ifconfig_noexec
1857  {
1858  /* guess actual tun/tap unit number that will be returned
1859  * by open_tun */
1860  const char *guess = guess_tuntap_dev(c->options.dev,
1861  c->options.dev_type,
1862  c->options.dev_node,
1863  &gc);
1864  do_ifconfig(c->c1.tuntap, guess, TUN_MTU_SIZE(&c->c2.frame), c->c2.es,
1865  &c->net_ctx);
1866  }
1867 
1868  /* possibly add routes */
1869  if (route_order() == ROUTE_BEFORE_TUN)
1870  {
1871  /* Ignore route_delay, would cause ROUTE_BEFORE_TUN to be ignored */
1873  c->c1.tuntap, c->plugins, c->c2.es, &c->net_ctx);
1874  }
1875 #ifdef TARGET_ANDROID
1876  /* Store the old fd inside the fd so open_tun can use it */
1877  c->c1.tuntap->fd = oldtunfd;
1878 #endif
1879  /* open the tun device */
1881  c->c1.tuntap);
1882 
1883  /* set the hardware address */
1884  if (c->options.lladdr)
1885  {
1887  }
1888 
1889  /* do ifconfig */
1890  if (!c->options.ifconfig_noexec
1892  {
1894  TUN_MTU_SIZE(&c->c2.frame), c->c2.es, &c->net_ctx);
1895  }
1896 
1897  /* run the up script */
1899  c->plugins,
1901  c->c1.tuntap->actual_name,
1902 #ifdef _WIN32
1903  c->c1.tuntap->adapter_index,
1904 #endif
1906  TUN_MTU_SIZE(&c->c2.frame),
1907  EXPANDED_SIZE(&c->c2.frame),
1910  "init",
1911  NULL,
1912  "up",
1913  c->c2.es);
1914 
1915 #if defined(_WIN32)
1916  if (c->options.block_outside_dns)
1917  {
1918  dmsg(D_LOW, "Blocking outside DNS");
1920  {
1921  msg(M_FATAL, "Blocking DNS failed!");
1922  }
1923  }
1924 #endif
1925 
1926  /* possibly add routes */
1928  {
1930  c->c1.tuntap, c->plugins, c->c2.es, &c->net_ctx);
1931  }
1932 
1933  /*
1934  * Did tun/tap driver give us an MTU?
1935  */
1936  if (c->c1.tuntap->post_open_mtu)
1937  {
1939  c->c1.tuntap->post_open_mtu,
1941  }
1942 
1943  ret = true;
1944  static_context = c;
1945 #ifndef TARGET_ANDROID
1946 }
1947 else
1948 {
1949  msg(M_INFO, "Preserving previous TUN/TAP instance: %s",
1950  c->c1.tuntap->actual_name);
1951 
1952  /* explicitly set the ifconfig_* env vars */
1953  do_ifconfig_setenv(c->c1.tuntap, c->c2.es);
1954 
1955  /* run the up script if user specified --up-restart */
1956  if (c->options.up_restart)
1957  {
1959  c->plugins,
1961  c->c1.tuntap->actual_name,
1962 #ifdef _WIN32
1963  c->c1.tuntap->adapter_index,
1964 #endif
1966  TUN_MTU_SIZE(&c->c2.frame),
1967  EXPANDED_SIZE(&c->c2.frame),
1970  "restart",
1971  NULL,
1972  "up",
1973  c->c2.es);
1974  }
1975 #if defined(_WIN32)
1976  if (c->options.block_outside_dns)
1977  {
1978  dmsg(D_LOW, "Blocking outside DNS");
1980  {
1981  msg(M_FATAL, "Blocking DNS failed!");
1982  }
1983  }
1984 #endif
1985 
1986 }
1987 #endif /* ifndef TARGET_ANDROID */
1988  gc_free(&gc);
1989  return ret;
1990 }
1991 
1992 /*
1993  * Close TUN/TAP device
1994  */
1995 
1996 static void
1998 {
1999  msg(D_CLOSE, "Closing TUN/TAP interface");
2000  if (c->c1.tuntap)
2001  {
2002  close_tun(c->c1.tuntap, &c->net_ctx);
2003  c->c1.tuntap = NULL;
2004  }
2005  c->c1.tuntap_owned = false;
2006 #if P2MP
2008 #endif
2009 }
2010 
2011 static void
2012 do_close_tun(struct context *c, bool force)
2013 {
2014  struct gc_arena gc = gc_new();
2015  if (c->c1.tuntap && c->c1.tuntap_owned)
2016  {
2017  const char *tuntap_actual = string_alloc(c->c1.tuntap->actual_name, &gc);
2018 #ifdef _WIN32
2019  DWORD adapter_index = c->c1.tuntap->adapter_index;
2020 #endif
2021  const in_addr_t local = c->c1.tuntap->local;
2022  const in_addr_t remote_netmask = c->c1.tuntap->remote_netmask;
2023 
2024  if (force || !(c->sig->signal_received == SIGUSR1 && c->options.persist_tun))
2025  {
2026  static_context = NULL;
2027 
2028 #ifdef ENABLE_MANAGEMENT
2029  /* tell management layer we are about to close the TUN/TAP device */
2030  if (management)
2031  {
2033  management_up_down(management, "DOWN", c->c2.es);
2034  }
2035 #endif
2036 
2037  /* delete any routes we added */
2038  if (c->c1.route_list || c->c1.route_ipv6_list)
2039  {
2041  c->plugins,
2043  tuntap_actual,
2044 #ifdef _WIN32
2045  adapter_index,
2046 #endif
2047  NULL,
2048  TUN_MTU_SIZE(&c->c2.frame),
2049  EXPANDED_SIZE(&c->c2.frame),
2050  print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc),
2051  print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
2052  "init",
2054  c->sig->signal_text),
2055  "route-pre-down",
2056  c->c2.es);
2057 
2060  c->c2.es, &c->net_ctx);
2061  }
2062 
2063  /* actually close tun/tap device based on --down-pre flag */
2064  if (!c->options.down_pre)
2065  {
2067  }
2068 
2069  /* Run the down script -- note that it will run at reduced
2070  * privilege if, for example, "--user nobody" was used. */
2072  c->plugins,
2074  tuntap_actual,
2075 #ifdef _WIN32
2076  adapter_index,
2077 #endif
2078  NULL,
2079  TUN_MTU_SIZE(&c->c2.frame),
2080  EXPANDED_SIZE(&c->c2.frame),
2081  print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc),
2082  print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
2083  "init",
2085  c->sig->signal_text),
2086  "down",
2087  c->c2.es);
2088 
2089 #if defined(_WIN32)
2090  if (c->options.block_outside_dns)
2091  {
2092  if (!win_wfp_uninit(adapter_index, c->options.msg_channel))
2093  {
2094  msg(M_FATAL, "Uninitialising WFP failed!");
2095  }
2096  }
2097 #endif
2098 
2099  /* actually close tun/tap device based on --down-pre flag */
2100  if (c->options.down_pre)
2101  {
2103  }
2104  }
2105  else
2106  {
2107  /* run the down script on this restart if --up-restart was specified */
2108  if (c->options.up_restart)
2109  {
2111  c->plugins,
2113  tuntap_actual,
2114 #ifdef _WIN32
2115  adapter_index,
2116 #endif
2117  NULL,
2118  TUN_MTU_SIZE(&c->c2.frame),
2119  EXPANDED_SIZE(&c->c2.frame),
2120  print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc),
2121  print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
2122  "restart",
2124  c->sig->signal_text),
2125  "down",
2126  c->c2.es);
2127  }
2128 
2129 #if defined(_WIN32)
2130  if (c->options.block_outside_dns)
2131  {
2132  if (!win_wfp_uninit(adapter_index, c->options.msg_channel))
2133  {
2134  msg(M_FATAL, "Uninitialising WFP failed!");
2135  }
2136  }
2137 #endif
2138 
2139  }
2140  }
2141  gc_free(&gc);
2142 }
2143 
2144 void
2146 {
2147  struct context *c = static_context;
2148  if (c)
2149  {
2150  static_context = NULL;
2151  do_close_tun(c, true);
2152  }
2153 }
2154 
2155 /*
2156  * Handle delayed tun/tap interface bringup due to --up-delay or --pull
2157  */
2158 
2159 #if P2MP
2160 
2164 static bool
2166  const struct sha256_digest *b)
2167 {
2168  const struct sha256_digest zero = {{0}};
2169  return memcmp(a, b, sizeof(struct sha256_digest))
2170  || !memcmp(a, &zero, sizeof(struct sha256_digest));
2171 }
2172 #endif /* P2MP */
2173 
2174 bool
2175 do_up(struct context *c, bool pulled_options, unsigned int option_types_found)
2176 {
2177  if (!c->c2.do_up_ran)
2178  {
2180 
2181  if (pulled_options)
2182  {
2183  if (!do_deferred_options(c, option_types_found))
2184  {
2185  msg(D_PUSH_ERRORS, "ERROR: Failed to apply push options");
2186  return false;
2187  }
2188  }
2189 
2190  /* if --up-delay specified, open tun, do ifconfig, and run up script now */
2191  if (c->options.up_delay || PULL_DEFINED(&c->options))
2192  {
2193  c->c2.did_open_tun = do_open_tun(c);
2194  update_time();
2195 
2196 #if P2MP
2197  /*
2198  * Was tun interface object persisted from previous restart iteration,
2199  * and if so did pulled options string change from previous iteration?
2200  */
2201  if (!c->c2.did_open_tun
2202  && PULL_DEFINED(&c->options)
2203  && c->c1.tuntap
2206  {
2207  /* if so, close tun, delete routes, then reinitialize tun and add routes */
2208  msg(M_INFO, "NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.");
2209  do_close_tun(c, true);
2210  management_sleep(1);
2211  c->c2.did_open_tun = do_open_tun(c);
2212  update_time();
2213  }
2214 #endif
2215  }
2216 
2217  if (c->c2.did_open_tun)
2218  {
2219 #if P2MP
2221 #endif
2222 
2223  /* if --route-delay was specified, start timer */
2225  {
2228  if (c->c1.tuntap)
2229  {
2231  }
2232  }
2233  else
2234  {
2235  initialization_sequence_completed(c, 0); /* client/p2p --route-delay undefined */
2236  }
2237  }
2238  else if (c->options.mode == MODE_POINT_TO_POINT)
2239  {
2240  initialization_sequence_completed(c, 0); /* client/p2p restart with --persist-tun */
2241  }
2242 
2243  c->c2.do_up_ran = true;
2244  }
2245  return true;
2246 }
2247 
2248 /*
2249  * These are the option categories which will be accepted by pull.
2250  */
2251 unsigned int
2253 {
2254  unsigned int flags =
2255  OPT_P_UP
2257  | OPT_P_SOCKBUF
2258  | OPT_P_SOCKFLAGS
2259  | OPT_P_SETENV
2260  | OPT_P_SHAPER
2261  | OPT_P_TIMER
2262  | OPT_P_COMP
2263  | OPT_P_PERSIST
2264  | OPT_P_MESSAGES
2266  | OPT_P_ECHO
2267  | OPT_P_PULL_MODE
2268  | OPT_P_PEER_ID;
2269 
2270  if (!c->options.route_nopull)
2271  {
2272  flags |= (OPT_P_ROUTE | OPT_P_IPWIN32);
2273  }
2274 
2275  if (c->options.ncp_enabled)
2276  {
2277  flags |= OPT_P_NCP;
2278  }
2279 
2280  return flags;
2281 }
2282 
2283 /*
2284  * Handle non-tun-related pulled options.
2285  */
2286 bool
2287 do_deferred_options(struct context *c, const unsigned int found)
2288 {
2289  if (found & OPT_P_MESSAGES)
2290  {
2292  msg(D_PUSH, "OPTIONS IMPORT: --verb and/or --mute level changed");
2293  }
2294  if (found & OPT_P_TIMER)
2295  {
2296  do_init_timers(c, true);
2297  msg(D_PUSH, "OPTIONS IMPORT: timers and/or timeouts modified");
2298  }
2299 
2300  if (found & OPT_P_EXPLICIT_NOTIFY)
2301  {
2303  {
2304  msg(D_PUSH, "OPTIONS IMPORT: --explicit-exit-notify can only be used with --proto udp");
2306  }
2307  else
2308  {
2309  msg(D_PUSH, "OPTIONS IMPORT: explicit notify parm(s) modified");
2310  }
2311  }
2312 
2313 #ifdef USE_COMP
2314  if (found & OPT_P_COMP)
2315  {
2316  msg(D_PUSH, "OPTIONS IMPORT: compression parms modified");
2317  comp_uninit(c->c2.comp_context);
2318  c->c2.comp_context = comp_init(&c->options.comp);
2319  }
2320 #endif
2321 
2322  if (found & OPT_P_SHAPER)
2323  {
2324  msg(D_PUSH, "OPTIONS IMPORT: traffic shaper enabled");
2326  }
2327 
2328  if (found & OPT_P_SOCKBUF)
2329  {
2330  msg(D_PUSH, "OPTIONS IMPORT: --sndbuf/--rcvbuf options modified");
2332  }
2333 
2334  if (found & OPT_P_SOCKFLAGS)
2335  {
2336  msg(D_PUSH, "OPTIONS IMPORT: --socket-flags option modified");
2338  }
2339 
2340  if (found & OPT_P_PERSIST)
2341  {
2342  msg(D_PUSH, "OPTIONS IMPORT: --persist options modified");
2343  }
2344  if (found & OPT_P_UP)
2345  {
2346  msg(D_PUSH, "OPTIONS IMPORT: --ifconfig/up options modified");
2347  }
2348  if (found & OPT_P_ROUTE)
2349  {
2350  msg(D_PUSH, "OPTIONS IMPORT: route options modified");
2351  }
2352  if (found & OPT_P_ROUTE_EXTRAS)
2353  {
2354  msg(D_PUSH, "OPTIONS IMPORT: route-related options modified");
2355  }
2356  if (found & OPT_P_IPWIN32)
2357  {
2358  msg(D_PUSH, "OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified");
2359  }
2360  if (found & OPT_P_SETENV)
2361  {
2362  msg(D_PUSH, "OPTIONS IMPORT: environment modified");
2363  }
2364 
2365  if (found & OPT_P_PEER_ID)
2366  {
2367  msg(D_PUSH, "OPTIONS IMPORT: peer-id set");
2368  c->c2.tls_multi->use_peer_id = true;
2369  c->c2.tls_multi->peer_id = c->options.peer_id;
2370  frame_add_to_extra_frame(&c->c2.frame, +3); /* peer-id overhead */
2371  if (!c->options.ce.link_mtu_defined)
2372  {
2373  frame_add_to_link_mtu(&c->c2.frame, +3);
2374  msg(D_PUSH, "OPTIONS IMPORT: adjusting link_mtu to %d",
2375  EXPANDED_SIZE(&c->c2.frame));
2376  }
2377  else
2378  {
2379  msg(M_WARN, "OPTIONS IMPORT: WARNING: peer-id set, but link-mtu"
2380  " fixed by config - reducing tun-mtu to %d, expect"
2381  " MTU problems", TUN_MTU_SIZE(&c->c2.frame) );
2382  }
2383  }
2384 
2385  /* process (potentially pushed) crypto options */
2386  if (c->options.pull)
2387  {
2388  if (!check_pull_client_ncp(c, found))
2389  {
2390  return false;
2391  }
2392  struct frame *frame_fragment = NULL;
2393 #ifdef ENABLE_FRAGMENT
2394  if (c->options.ce.fragment)
2395  {
2396  frame_fragment = &c->c2.frame_fragment;
2397  }
2398 #endif
2399 
2400  struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE];
2401  if (!tls_session_update_crypto_params(session, &c->options, &c->c2.frame,
2402  frame_fragment))
2403  {
2404  msg(D_TLS_ERRORS, "OPTIONS ERROR: failed to import crypto options");
2405  return false;
2406  }
2407  }
2408 
2409  return true;
2410 }
2411 
2412 /*
2413  * Possible hold on initialization, holdtime is the
2414  * time OpenVPN would wait without management
2415  */
2416 static bool
2417 do_hold(int holdtime)
2418 {
2419 #ifdef ENABLE_MANAGEMENT
2420  if (management)
2421  {
2422  /* block until management hold is released */
2423  if (management_hold(management, holdtime))
2424  {
2425  return true;
2426  }
2427  }
2428 #endif
2429  return false;
2430 }
2431 
2432 /*
2433  * Sleep before restart.
2434  */
2435 static void
2437 {
2438  int sec = 2;
2439  int backoff = 0;
2440 
2441  switch (c->options.ce.proto)
2442  {
2443  case PROTO_TCP_SERVER:
2444  sec = 1;
2445  break;
2446 
2447  case PROTO_UDP:
2448  case PROTO_TCP_CLIENT:
2449  sec = c->options.ce.connect_retry_seconds;
2450  break;
2451  }
2452 
2453 #ifdef ENABLE_DEBUG
2454  if (GREMLIN_CONNECTION_FLOOD_LEVEL(c->options.gremlin))
2455  {
2456  sec = 0;
2457  }
2458 #endif
2459 
2460 #if P2MP
2461  if (auth_retry_get() == AR_NOINTERACT)
2462  {
2463  sec = 10;
2464  }
2465 #endif
2466 
2467  /* Slow down reconnection after 5 retries per remote -- for tcp only in client mode */
2468  if (c->options.ce.proto != PROTO_TCP_SERVER)
2469  {
2470  backoff = (c->options.unsuccessful_attempts / c->options.connection_list->len) - 4;
2471  if (backoff > 0)
2472  {
2473  /* sec is less than 2^16; we can left shift it by up to 15 bits without overflow */
2474  sec = max_int(sec, 1) << min_int(backoff, 15);
2475  }
2476 
2477  if (sec > c->options.ce.connect_retry_seconds_max)
2478  {
2480  }
2481  }
2482 
2484  {
2485  sec = c->persist.restart_sleep_seconds;
2486  }
2487  else if (c->persist.restart_sleep_seconds == -1)
2488  {
2489  sec = 0;
2490  }
2492 
2493  /* do management hold on context restart, i.e. second, third, fourth, etc. initialization */
2494  if (do_hold(sec))
2495  {
2496  sec = 0;
2497  }
2498 
2499  if (sec)
2500  {
2501  msg(D_RESTART, "Restart pause, %d second(s)", sec);
2502  management_sleep(sec);
2503  }
2504 }
2505 
2506 /*
2507  * Do a possible pause on context_2 initialization.
2508  */
2509 static void
2511 {
2512  if (!c->first_time)
2513  {
2515  }
2516  else
2517  {
2518  do_hold(0); /* do management hold on first context initialization */
2519  }
2520 }
2521 
2522 /*
2523  * Finalize MTU parameters based on command line or config file options.
2524  */
2525 static void
2526 frame_finalize_options(struct context *c, const struct options *o)
2527 {
2528  if (!o)
2529  {
2530  o = &c->options;
2531  }
2532 
2533  /*
2534  * Set adjustment factor for buffer alignment when no
2535  * cipher is used.
2536  */
2537  if (!CIPHER_ENABLED(c))
2538  {
2544  }
2545 
2547  frame_finalize(&c->c2.frame,
2548  o->ce.link_mtu_defined,
2549  o->ce.link_mtu,
2550  o->ce.tun_mtu_defined,
2551  o->ce.tun_mtu);
2552 }
2553 
2554 /*
2555  * Free a key schedule, including OpenSSL components.
2556  */
2557 static void
2558 key_schedule_free(struct key_schedule *ks, bool free_ssl_ctx)
2559 {
2561  if (tls_ctx_initialised(&ks->ssl_ctx) && free_ssl_ctx)
2562  {
2563  tls_ctx_free(&ks->ssl_ctx);
2565  }
2566  CLEAR(*ks);
2567 }
2568 
2569 static void
2570 init_crypto_pre(struct context *c, const unsigned int flags)
2571 {
2572  if (c->options.engine)
2573  {
2575  }
2576 
2577  if (flags & CF_LOAD_PERSISTED_PACKET_ID)
2578  {
2579  /* load a persisted packet-id for cross-session replay-protection */
2580  if (c->options.packet_id_file)
2581  {
2583  }
2584  }
2585 
2586 #ifdef ENABLE_PREDICTION_RESISTANCE
2587  if (c->options.use_prediction_resistance)
2588  {
2589  rand_ctx_enable_prediction_resistance();
2590  }
2591 #endif
2592 }
2593 
2594 /*
2595  * Static Key Mode (using a pre-shared key)
2596  */
2597 static void
2598 do_init_crypto_static(struct context *c, const unsigned int flags)
2599 {
2600  const struct options *options = &c->options;
2601  ASSERT(options->shared_secret_file);
2602 
2603  init_crypto_pre(c, flags);
2604 
2605  /* Initialize flags */
2607  {
2609  }
2610 
2611  /* Initialize packet ID tracking */
2612  if (options->replay)
2613  {
2615  options->replay_window,
2616  options->replay_time,
2617  "STATIC", 0);
2622  }
2623 
2624  if (!key_ctx_bi_defined(&c->c1.ks.static_key))
2625  {
2626  /* Get cipher & hash algorithms */
2627  init_key_type(&c->c1.ks.key_type, options->ciphername, options->authname,
2628  options->keysize, options->test_crypto, true);
2629 
2630  /* Read cipher and hmac keys from shared secret file */
2632  options->shared_secret_file,
2633  options->shared_secret_file_inline,
2634  options->key_direction, "Static Key Encryption",
2635  "secret");
2636  }
2637  else
2638  {
2639  msg(M_INFO, "Re-using pre-shared static key");
2640  }
2641 
2642  /* Get key schedule */
2644 
2645  /* Compute MTU parameters */
2647  options->replay, true);
2648 
2649  /* Sanity check on sequence number, and cipher mode options */
2650  check_replay_consistency(&c->c1.ks.key_type, options->replay);
2651 }
2652 
2653 /*
2654  * Initialize the tls-auth/crypt key context
2655  */
2656 static void
2658 {
2659  const struct options *options = &c->options;
2660 
2661  /* TLS handshake authentication (--tls-auth) */
2662  if (options->ce.tls_auth_file)
2663  {
2664  /* Initialize key_type for tls-auth with auth only */
2666  if (!streq(options->authname, "none"))
2667  {
2671  }
2672  else
2673  {
2674  msg(M_FATAL, "ERROR: tls-auth enabled, but no valid --auth "
2675  "algorithm specified ('%s')", options->authname);
2676  }
2677 
2679  &c->c1.ks.tls_wrap_key,
2680  options->ce.tls_auth_file,
2681  options->ce.tls_auth_file_inline,
2682  options->ce.key_direction,
2683  "Control Channel Authentication", "tls-auth");
2684  }
2685 
2686  /* TLS handshake encryption+authentication (--tls-crypt) */
2687  if (options->ce.tls_crypt_file)
2688  {
2690  options->ce.tls_crypt_file,
2691  options->ce.tls_crypt_file_inline,
2692  options->tls_server);
2693  }
2694 
2695  /* tls-crypt with client-specific keys (--tls-crypt-v2) */
2696  if (options->ce.tls_crypt_v2_file)
2697  {
2698  if (options->tls_server)
2699  {
2701  true, options->ce.tls_crypt_v2_file,
2702  options->ce.tls_crypt_v2_file_inline);
2703  }
2704  else
2705  {
2707  &c->c1.ks.tls_crypt_v2_wkc,
2708  options->ce.tls_crypt_v2_file,
2709  options->ce.tls_crypt_v2_file_inline);
2710  }
2711  }
2712 
2713 
2714 }
2715 
2716 /*
2717  * Initialise the auth-token key context
2718  */
2719 static void
2721 {
2722  if (!c->options.auth_token_generate)
2723  {
2724  return;
2725  }
2726 
2730 }
2731 
2732 /*
2733  * Initialize the persistent component of OpenVPN's TLS mode,
2734  * which is preserved across SIGUSR1 resets.
2735  */
2736 static void
2738 {
2739  const struct options *options = &c->options;
2740 
2741  if (!tls_ctx_initialised(&c->c1.ks.ssl_ctx))
2742  {
2743  /*
2744  * Initialize the OpenSSL library's global
2745  * SSL context.
2746  */
2747  init_ssl(options, &(c->c1.ks.ssl_ctx));
2748  if (!tls_ctx_initialised(&c->c1.ks.ssl_ctx))
2749  {
2750 #if P2MP
2751  switch (auth_retry_get())
2752  {
2753  case AR_NONE:
2754  msg(M_FATAL, "Error: private key password verification failed");
2755  break;
2756 
2757  case AR_INTERACT:
2758  ssl_purge_auth(false);
2759 
2760  case AR_NOINTERACT:
2761  c->sig->signal_received = SIGUSR1; /* SOFT-SIGUSR1 -- Password failure error */
2762  break;
2763 
2764  default:
2765  ASSERT(0);
2766  }
2767  c->sig->signal_text = "private-key-password-failure";
2768  return;
2769 #else /* if P2MP */
2770  msg(M_FATAL, "Error: private key password verification failed");
2771 #endif /* if P2MP */
2772  }
2773 
2774  /* Do not warn if we only have BF-CBC in options->ciphername
2775  * because it is still the default cipher */
2776  bool warn = !streq(options->ciphername, "BF-CBC")
2777  || options->enable_ncp_fallback;
2778  /* Get cipher & hash algorithms */
2779  init_key_type(&c->c1.ks.key_type, options->ciphername, options->authname,
2780  options->keysize, true, warn);
2781 
2782  /* Initialize PRNG with config-specified digest */
2783  prng_init(options->prng_hash, options->prng_nonce_secret_len);
2784 
2785  /* initialize tls-auth/crypt/crypt-v2 key */
2787 
2788  /* initialise auth-token crypto support */
2790 
2791 #if 0 /* was: #if ENABLE_INLINE_FILES -- Note that enabling this code will break restarts */
2792  if (options->priv_key_file_inline)
2793  {
2795  c->options.priv_key_file_inline = NULL;
2796  }
2797 #endif
2798  }
2799  else
2800  {
2801  msg(D_INIT_MEDIUM, "Re-using SSL/TLS context");
2802 
2803  /*
2804  * tls-auth/crypt key can be configured per connection block, therefore
2805  * we must reload it as it may have changed
2806  */
2808  }
2809 }
2810 
2811 static void
2812 do_init_crypto_tls(struct context *c, const unsigned int flags)
2813 {
2814  const struct options *options = &c->options;
2815  struct tls_options to;
2816  bool packet_id_long_form;
2817 
2818  ASSERT(options->tls_server || options->tls_client);
2819  ASSERT(!options->test_crypto);
2820 
2821  init_crypto_pre(c, flags);
2822 
2823  /* Make sure we are either a TLS client or server but not both */
2824  ASSERT(options->tls_server == !options->tls_client);
2825 
2826  /* initialize persistent component */
2828  if (IS_SIG(c))
2829  {
2830  return;
2831  }
2832 
2833  /* Sanity check on sequence number, and cipher mode options */
2834  check_replay_consistency(&c->c1.ks.key_type, options->replay);
2835 
2836  /* In short form, unique datagram identifier is 32 bits, in long form 64 bits */
2837  packet_id_long_form = cipher_kt_mode_ofb_cfb(c->c1.ks.key_type.cipher);
2838 
2839  /* Compute MTU parameters (postpone if we push/pull options) */
2840  if (c->options.pull || c->options.mode == MODE_SERVER)
2841  {
2842  /* Account for worst-case crypto overhead before allocating buffers */
2844  }
2845  else
2846  {
2848  options->replay, packet_id_long_form);
2849  }
2851 
2852  /* Set all command-line TLS-related options */
2853  CLEAR(to);
2854 
2855  if (options->mute_replay_warnings)
2856  {
2858  }
2859 
2861  if (packet_id_long_form)
2862  {
2864  }
2865 
2866  to.ssl_ctx = c->c1.ks.ssl_ctx;
2867  to.key_type = c->c1.ks.key_type;
2868  to.server = options->tls_server;
2869  to.replay = options->replay;
2870  to.replay_window = options->replay_window;
2871  to.replay_time = options->replay_time;
2874  to.config_ncp_ciphers = options->ncp_ciphers;
2875  to.ncp_enabled = options->ncp_enabled;
2876  to.transition_window = options->transition_window;
2877  to.handshake_window = options->handshake_window;
2878  to.packet_timeout = options->tls_timeout;
2879  to.renegotiate_bytes = options->renegotiate_bytes;
2881  if (options->renegotiate_seconds_min < 0)
2882  {
2883  /* Add 10% jitter to reneg-sec by default (server side only) */
2884  int auto_jitter = options->mode != MODE_SERVER ? 0 :
2885  get_random() % max_int(options->renegotiate_seconds / 10, 1);
2886  to.renegotiate_seconds = options->renegotiate_seconds - auto_jitter;
2887  }
2888  else
2889  {
2890  /* Add user-specified jitter to reneg-sec */
2892  -(get_random() % max_int(options->renegotiate_seconds
2893  - options->renegotiate_seconds_min, 1));
2894  }
2895  to.single_session = options->single_session;
2896  to.mode = options->mode;
2897  to.pull = options->pull;
2898  if (options->push_peer_info) /* all there is */
2899  {
2900  to.push_peer_info_detail = 2;
2901  }
2902  else if (options->pull) /* pull clients send some details */
2903  {
2904  to.push_peer_info_detail = 1;
2905  }
2906  else /* default: no peer-info at all */
2907  {
2908  to.push_peer_info_detail = 0;
2909  }
2910 
2911  /* should we not xmit any packets until we get an initial
2912  * response from client? */
2913  if (to.server && options->ce.proto == PROTO_TCP_SERVER)
2914  {
2915  to.xmit_hold = true;
2916  }
2917 
2918  to.disable_occ = !options->occ;
2919 
2920  to.verify_command = options->tls_verify;
2921  to.verify_export_cert = options->tls_export_cert;
2922  to.verify_x509_type = (options->verify_x509_type & 0xff);
2923  to.verify_x509_name = options->verify_x509_name;
2924  to.crl_file = options->crl_file;
2925  to.crl_file_inline = options->crl_file_inline;
2926  to.ssl_flags = options->ssl_flags;
2927  to.ns_cert_type = options->ns_cert_type;
2928  memcpy(to.remote_cert_ku, options->remote_cert_ku, sizeof(to.remote_cert_ku));
2929  to.remote_cert_eku = options->remote_cert_eku;
2930  to.verify_hash = options->verify_hash;
2931  to.verify_hash_algo = options->verify_hash_algo;
2932 #ifdef ENABLE_X509ALTUSERNAME
2933  memcpy(to.x509_username_field, options->x509_username_field, sizeof(to.x509_username_field));
2934 #else
2936 #endif
2937  to.es = c->c2.es;
2938  to.net_ctx = &c->net_ctx;
2939 
2940 #ifdef ENABLE_DEBUG
2941  to.gremlin = c->options.gremlin;
2942 #endif
2943 
2944  to.plugins = c->plugins;
2945 
2946 #ifdef ENABLE_MANAGEMENT
2947  to.mda_context = &c->c2.mda_context;
2948 #endif
2949 
2952  to.tmp_dir = options->tmp_dir;
2953  if (options->ccd_exclusive)
2954  {
2956  }
2962 
2963  to.x509_track = options->x509_track;
2964 
2965 #if P2MP
2966 #ifdef ENABLE_MANAGEMENT
2967  to.sci = &options->sc_info;
2968 #endif
2969 #endif
2970 
2971 #ifdef USE_COMP
2972  to.comp_options = options->comp;
2973 #endif
2974 
2975 #ifdef HAVE_EXPORT_KEYING_MATERIAL
2976  if (options->keying_material_exporter_label)
2977  {
2978  to.ekm_size = options->keying_material_exporter_length;
2979  if (to.ekm_size < 16 || to.ekm_size > 4095)
2980  {
2981  to.ekm_size = 0;
2982  }
2983 
2984  to.ekm_label = options->keying_material_exporter_label;
2985  to.ekm_label_size = strlen(to.ekm_label);
2986  }
2987  else
2988  {
2989  to.ekm_size = 0;
2990  }
2991 #endif /* HAVE_EXPORT_KEYING_MATERIAL */
2992 
2993  /* TLS handshake authentication (--tls-auth) */
2994  if (options->ce.tls_auth_file)
2995  {
2996  to.tls_wrap.mode = TLS_WRAP_AUTH;
3001  true, true);
3002  }
3003 
3004  /* TLS handshake encryption (--tls-crypt) */
3005  if (options->ce.tls_crypt_file
3006  || (options->ce.tls_crypt_v2_file && options->tls_client))
3007  {
3008  to.tls_wrap.mode = TLS_WRAP_CRYPT;
3013 
3014  if (options->ce.tls_crypt_v2_file)
3015  {
3017  }
3018  }
3019 
3020  if (options->ce.tls_crypt_v2_file)
3021  {
3022  to.tls_crypt_v2 = true;
3023  if (options->tls_server)
3024  {
3027  }
3028  }
3029 
3030  /* If we are running over TCP, allow for
3031  * length prefix */
3033 
3034  /*
3035  * Initialize OpenVPN's master TLS-mode object.
3036  */
3037  if (flags & CF_INIT_TLS_MULTI)
3038  {
3039  c->c2.tls_multi = tls_multi_init(&to);
3040  }
3041 
3042  if (flags & CF_INIT_TLS_AUTH_STANDALONE)
3043  {
3045  }
3046 }
3047 
3048 static void
3050 {
3051  if (c->c2.tls_multi)
3052  {
3055  EXPANDED_SIZE(&c->c2.frame));
3057  "Control Channel MTU parms");
3058  }
3059  if (c->c2.tls_auth_standalone)
3060  {
3063  "TLS-Auth MTU parms");
3064  }
3065 }
3066 
3067 /*
3068  * No encryption or authentication.
3069  */
3070 static void
3072 {
3073  ASSERT(!c->options.test_crypto);
3074  msg(M_WARN,
3075  "******* WARNING *******: All encryption and authentication features "
3076  "disabled -- All data will be tunnelled as clear text and will not be "
3077  "protected against man-in-the-middle changes. "
3078  "PLEASE DO RECONSIDER THIS CONFIGURATION!");
3079 }
3080 
3081 static void
3082 do_init_crypto(struct context *c, const unsigned int flags)
3083 {
3084  if (c->options.shared_secret_file)
3085  {
3086  do_init_crypto_static(c, flags);
3087  }
3088  else if (c->options.tls_server || c->options.tls_client)
3089  {
3090  do_init_crypto_tls(c, flags);
3091  }
3092  else /* no encryption or authentication. */
3093  {
3095  }
3096 }
3097 
3098 static void
3100 {
3101 #ifdef USE_COMP
3102  /*
3103  * modify frame parameters if compression is enabled
3104  */
3105  if (comp_enabled(&c->options.comp))
3106  {
3107  comp_add_to_extra_frame(&c->c2.frame);
3108 
3109 #if !defined(ENABLE_LZ4)
3110  /*
3111  * Compression usage affects buffer alignment when non-swapped algs
3112  * such as LZO is used.
3113  * Newer algs like LZ4 and comp-stub with COMP_F_SWAP don't need
3114  * any special alignment because of the control-byte swap approach.
3115  * LZO alignment (on the other hand) is problematic because
3116  * the presence of the control byte means that either the output of
3117  * decryption must be written to an unaligned buffer, or the input
3118  * to compression (or packet dispatch if packet is uncompressed)
3119  * must be read from an unaligned buffer.
3120  * This code tries to align the input to compression (or packet
3121  * dispatch if packet is uncompressed) at the cost of requiring
3122  * decryption output to be written to an unaligned buffer, so
3123  * it's more of a tradeoff than an optimal solution and we don't
3124  * include it when we are doing a modern build with LZ4.
3125  * Strictly speaking, on the server it would be better to execute
3126  * this code for every connection after we decide the compression
3127  * method, but currently the frame code doesn't appear to be
3128  * flexible enough for this, since the frame is already established
3129  * before it is known which compression options will be pushed.
3130  */
3131  if (comp_unswapped_prefix(&c->options.comp) && CIPHER_ENABLED(c))
3132  {
3133  frame_add_to_align_adjust(&c->c2.frame, COMP_PREFIX_LEN);
3137  }
3138 #endif
3139 
3140 #ifdef ENABLE_FRAGMENT
3141  comp_add_to_extra_frame(&c->c2.frame_fragment_omit); /* omit compression frame delta from final frame_fragment */
3142 #endif
3143  }
3144 #endif /* USE_COMP */
3145 
3146  /*
3147  * Adjust frame size for UDP Socks support.
3148  */
3149  if (c->options.ce.socks_proxy_server)
3150  {
3152  }
3153 
3154  /*
3155  * Adjust frame size based on the --tun-mtu-extra parameter.
3156  */
3158  {
3160  }
3161 
3162  /*
3163  * Adjust frame size based on link socket parameters.
3164  * (Since TCP is a stream protocol, we need to insert
3165  * a packet length uint16_t in the buffer.)
3166  */
3168 
3169  /*
3170  * Fill in the blanks in the frame parameters structure,
3171  * make sure values are rational, etc.
3172  */
3173  frame_finalize_options(c, NULL);
3174 
3175 #ifdef USE_COMP
3176  /*
3177  * Modify frame parameters if compression is compiled in.
3178  * Should be called after frame_finalize_options.
3179  */
3180  comp_add_to_extra_buffer(&c->c2.frame);
3181 #ifdef ENABLE_FRAGMENT
3182  comp_add_to_extra_buffer(&c->c2.frame_fragment_omit); /* omit compression frame delta from final frame_fragment */
3183 #endif
3184 #endif /* USE_COMP */
3185 
3186  /* packets with peer-id (P_DATA_V2) need 3 extra bytes in frame (on client)
3187  * and need link_mtu+3 bytes on socket reception (on server).
3188  *
3189  * accommodate receive path in f->extra_link, which has the side effect of
3190  * also increasing send buffers (BUF_SIZE() macro), which need to be
3191  * allocated big enough before receiving peer-id option from server.
3192  *
3193  * f->extra_frame is adjusted when peer-id option is push-received
3194  */
3196 
3197 #ifdef ENABLE_FRAGMENT
3198  /*
3199  * Set frame parameter for fragment code. This is necessary because
3200  * the fragmentation code deals with payloads which have already been
3201  * passed through the compression code.
3202  */
3203  c->c2.frame_fragment = c->c2.frame;
3206 #endif
3207 
3208 #if defined(ENABLE_FRAGMENT)
3209  /*
3210  * MTU advisories
3211  */
3212  if (c->options.ce.fragment && c->options.mtu_test)
3213  {
3214  msg(M_WARN,
3215  "WARNING: using --fragment and --mtu-test together may produce an inaccurate MTU test result");
3216  }
3217 #endif
3218 
3219 #ifdef ENABLE_FRAGMENT
3220  if ((c->options.ce.mssfix || c->options.ce.fragment)
3222  {
3223  msg(M_WARN,
3224  "WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu %d (currently it is %d)",
3226  }
3227 #endif
3228 }
3229 
3230 static void
3232 {
3233  const struct options *o = &c->options;
3234 
3235  if (o->ping_send_timeout && !o->ping_rec_timeout)
3236  {
3237  msg(M_WARN, "WARNING: --ping should normally be used with --ping-restart or --ping-exit");
3238  }
3239 
3240  if (o->username || o->groupname || o->chroot_dir
3241 #ifdef ENABLE_SELINUX
3242  || o->selinux_context
3243 #endif
3244  )
3245  {
3246  if (!o->persist_tun)
3247  {
3248  msg(M_WARN, "WARNING: you are using user/group/chroot/setcon without persist-tun -- this may cause restarts to fail");
3249  }
3250  if (!o->persist_key
3251 #ifdef ENABLE_PKCS11
3252  && !o->pkcs11_id
3253 #endif
3254  )
3255  {
3256  msg(M_WARN, "WARNING: you are using user/group/chroot/setcon without persist-key -- this may cause restarts to fail");
3257  }
3258  }
3259 
3260  if (o->chroot_dir && !(o->username && o->groupname))
3261  {
3262  msg(M_WARN, "WARNING: you are using chroot without specifying user and group -- this may cause the chroot jail to be insecure");
3263  }
3264 
3265 #if P2MP
3266  if (o->pull && o->ifconfig_local && c->first_time)
3267  {
3268  msg(M_WARN, "WARNING: using --pull/--client and --ifconfig together is probably not what you want");
3269  }
3270 
3272  {
3273  msg(M_WARN, "NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to");
3274  }
3275 
3276  if (o->mode == MODE_SERVER)
3277  {
3278  if (o->duplicate_cn && o->client_config_dir)
3279  {
3280  msg(M_WARN, "WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want");
3281  }
3283  {
3284  msg(M_WARN, "WARNING: --ifconfig-pool-persist will not work with --duplicate-cn");
3285  }
3286  if (!o->keepalive_ping || !o->keepalive_timeout)
3287  {
3288  msg(M_WARN, "WARNING: --keepalive option is missing from server config");
3289  }
3290  }
3291 #endif /* if P2MP */
3292 
3293  if (!o->replay)
3294  {
3295  msg(M_WARN, "WARNING: You have disabled Replay Protection (--no-replay) which may make " PACKAGE_NAME " less secure");
3296  }
3297 
3298  if (o->tls_server)
3299  {
3301  }
3302  if (o->tls_client
3303  && !o->tls_verify
3306  && !o->remote_cert_eku)
3307  {
3308  msg(M_WARN, "WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.");
3309  }
3310  if (o->ns_cert_type)
3311  {
3312  msg(M_WARN, "WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.");
3313  }
3314 
3315  /* If a script is used, print appropriate warnings */
3316  if (o->user_script_used)
3317  {
3318  if (script_security() >= SSEC_SCRIPTS)
3319  {
3320  msg(M_WARN, "NOTE: the current --script-security setting may allow this configuration to call user-defined scripts");
3321  }
3322  else if (script_security() >= SSEC_PW_ENV)
3323  {
3324  msg(M_WARN, "WARNING: the current --script-security setting may allow passwords to be passed to scripts via environmental variables");
3325  }
3326  else
3327  {
3328  msg(M_WARN, "NOTE: starting with " PACKAGE_NAME " 2.1, '--script-security 2' or higher is required to call user-defined scripts or executables");
3329  }
3330  }
3331 }
3332 
3333 static void
3335 {
3337 }
3338 
3339 struct context_buffers *
3341 {
3342  struct context_buffers *b;
3343 
3344  ALLOC_OBJ_CLEAR(b, struct context_buffers);
3345 
3346  b->read_link_buf = alloc_buf(BUF_SIZE(frame));
3347  b->read_tun_buf = alloc_buf(BUF_SIZE(frame));
3348 
3349  b->aux_buf = alloc_buf(BUF_SIZE(frame));
3350 
3351  b->encrypt_buf = alloc_buf(BUF_SIZE(frame));
3352  b->decrypt_buf = alloc_buf(BUF_SIZE(frame));
3353 
3354 #ifdef USE_COMP
3355  b->compress_buf = alloc_buf(BUF_SIZE(frame));
3356  b->decompress_buf = alloc_buf(BUF_SIZE(frame));
3357 #endif
3358 
3359  return b;
3360 }
3361 
3362 void
3364 {
3365  if (b)
3366  {
3367  free_buf(&b->read_link_buf);
3368  free_buf(&b->read_tun_buf);
3369  free_buf(&b->aux_buf);
3370 
3371 #ifdef USE_COMP
3372  free_buf(&b->compress_buf);
3373  free_buf(&b->decompress_buf);
3374 #endif
3375 
3376  free_buf(&b->encrypt_buf);
3377  free_buf(&b->decrypt_buf);
3378 
3379  free(b);
3380  }
3381 }
3382 
3383 /*
3384  * Now that we know all frame parameters, initialize
3385  * our buffers.
3386  */
3387 static void
3389 {
3391  c->c2.buffers_owned = true;
3392 }
3393 
3394 #ifdef ENABLE_FRAGMENT
3395 /*
3396  * Fragmenting code has buffers to initialize
3397  * once frame parameters are known.
3398  */
3399 static void
3401 {
3402  ASSERT(c->options.ce.fragment);
3406 }
3407 #endif
3408 
3409 /*
3410  * Allocate our socket object.
3411  */
3412 static void
3414 {
3415  ASSERT(!c->c2.link_socket);
3417  c->c2.link_socket_owned = true;
3418 }
3419 
3420 /*
3421  * bind the TCP/UDP socket
3422  */
3423 static void
3424 do_init_socket_1(struct context *c, const int mode)
3425 {
3426  unsigned int sockflags = c->options.sockflags;
3427 
3428 #if PORT_SHARE
3429  if (c->options.port_share_host && c->options.port_share_port)
3430  {
3431  sockflags |= SF_PORT_SHARE;
3432  }
3433 #endif
3434 
3436  c->options.ce.local,
3437  c->options.ce.local_port,
3438  c->options.ce.remote,
3439  c->options.ce.remote_port,
3440  c->c1.dns_cache,
3441  c->options.ce.proto,
3442  c->options.ce.af,
3444  mode,
3445  c->c2.accept_from,
3446  c->c1.http_proxy,
3447  c->c1.socks_proxy,
3448 #ifdef ENABLE_DEBUG
3449  c->options.gremlin,
3450 #endif
3451  c->options.ce.bind_local,
3452  c->options.ce.remote_float,
3453  c->options.inetd,
3454  &c->c1.link_socket_addr,
3455  c->options.ipchange,
3456  c->plugins,
3459  c->options.rcvbuf,
3460  c->options.sndbuf,
3461  c->options.mark,
3462  c->options.bind_dev,
3464  sockflags);
3465 }
3466 
3467 /*
3468  * finalize the TCP/UDP socket
3469  */
3470 static void
3472 {
3474  c->sig);
3475 }
3476 
3477 /*
3478  * Print MTU INFO
3479  */
3480 static void
3482 {
3483  frame_print(&c->c2.frame, D_MTU_INFO, "Data Channel MTU parms");
3484 #ifdef ENABLE_FRAGMENT
3485  if (c->c2.fragment)
3486  {
3488  "Fragmentation MTU parms");
3489  }
3490 #endif
3491 }
3492 
3493 /*
3494  * Get local and remote options compatibility strings.
3495  */
3496 static void
3498 {
3499  struct gc_arena gc = gc_new();
3500 
3502  options_string(&c->options, &c->c2.frame, c->c1.tuntap, &c->net_ctx,
3503  false, &gc);
3505  options_string(&c->options, &c->c2.frame, c->c1.tuntap, &c->net_ctx,
3506  true, &gc);
3507 
3508  msg(D_SHOW_OCC, "Local Options String (VER=%s): '%s'",
3511  msg(D_SHOW_OCC, "Expected Remote Options String (VER=%s): '%s'",
3514 
3515  if (c->c2.tls_multi)
3516  {
3520  }
3521 
3522  gc_free(&gc);
3523 }
3524 
3525 /*
3526  * These things can only be executed once per program instantiation.
3527  * Set up for possible UID/GID downgrade, but don't do it yet.
3528  * Daemonize if requested.
3529  */
3530 static void
3532 {
3533  if (c->first_time && !c->c0)
3534  {
3535  struct context_0 *c0;
3536 
3537  ALLOC_OBJ_CLEAR_GC(c->c0, struct context_0, &c->gc);
3538  c0 = c->c0;
3539 
3540  /* get user and/or group that we want to setuid/setgid to */
3541  c0->uid_gid_specified =
3544 
3545  /* perform postponed chdir if --daemon */
3546  if (c->did_we_daemonize && c->options.cd_dir == NULL)
3547  {
3548  platform_chdir("/");
3549  }
3550 
3551  /* should we change scheduling priority? */
3553  }
3554 }
3555 
3556 /*
3557  * If xinetd/inetd mode, don't allow restart.
3558  */
3559 static void
3561 {
3562  if (c->options.inetd
3563  && (c->sig->signal_received == SIGHUP
3564  || c->sig->signal_received == SIGUSR1))
3565  {
3566  c->sig->signal_received = SIGTERM;
3567  msg(M_INFO,
3568  PACKAGE_NAME
3569  " started by inetd/xinetd cannot restart... Exiting.");
3570  }
3571 }
3572 
3573 /*
3574  * free buffers
3575  */
3576 static void
3578 {
3579  if (c->c2.buffers_owned)
3580  {
3582  c->c2.buffers = NULL;
3583  c->c2.buffers_owned = false;
3584  }
3585 }
3586 
3587 /*
3588  * close TLS
3589  */
3590 static void
3592 {
3593  if (c->c2.tls_multi)
3594  {
3595  tls_multi_free(c->c2.tls_multi, true);
3596  c->c2.tls_multi = NULL;
3597  }
3598 
3599  /* free options compatibility strings */
3602 
3604 
3605  if (c->c2.pulled_options_state)
3606  {
3609  }
3610 }
3611 
3612 /*
3613  * Free key schedules
3614  */
3615 static void
3616 do_close_free_key_schedule(struct context *c, bool free_ssl_ctx)
3617 {
3618  /*
3619  * always free the tls_auth/crypt key. If persist_key is true, the key will
3620  * be reloaded from memory (pre-cached)
3621  */
3623  CLEAR(c->c1.ks.tls_wrap_key);
3626 
3627  if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_key))
3628  {
3629  key_schedule_free(&c->c1.ks, free_ssl_ctx);
3630  }
3631 }
3632 
3633 /*
3634  * Close TCP/UDP connection
3635  */
3636 static void
3638 {
3639  if (c->c2.link_socket && c->c2.link_socket_owned)
3640  {
3642  c->c2.link_socket = NULL;
3643  }
3644 
3645 
3646  /* Preserve the resolved list of remote if the user request to or if we want
3647  * reconnect to the same host again or there are still addresses that need
3648  * to be tried */
3649  if (!(c->sig->signal_received == SIGUSR1
3650  && ( (c->options.persist_remote_ip)
3651  ||
3652  ( c->sig->source != SIG_SOURCE_HARD
3654  && c->c1.link_socket_addr.current_remote->ai_next)
3655  || c->options.no_advance))
3656  )))
3657  {
3659  }
3660 
3661  /* Clear the remote actual address when persist_remote_ip is not in use */
3662  if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_remote_ip))
3663  {
3665  }
3666 
3667  if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_local_ip))
3668  {
3670  {
3671  freeaddrinfo(c->c1.link_socket_addr.bind_local);
3672  }
3673 
3674  c->c1.link_socket_addr.bind_local = NULL;
3675  }
3676 }
3677 
3678 /*
3679  * Close packet-id persistence file
3680  */
3681 static void
3683 {
3686  if (!(c->sig->signal_received == SIGUSR1))
3687  {
3689  }
3690 }
3691 
3692 #ifdef ENABLE_FRAGMENT
3693 /*
3694  * Close fragmentation handler.
3695  */
3696 static void
3698 {
3699  if (c->c2.fragment)
3700  {
3702  c->c2.fragment = NULL;
3703  }
3704 }
3705 #endif
3706 
3707 /*
3708  * Open and close our event objects.
3709  */
3710 
3711 static void
3713  bool need_us_timeout)
3714 {
3715  unsigned int flags = 0;
3716 
3718 
3719  flags |= EVENT_METHOD_FAST;
3720 
3721  if (need_us_timeout)
3722  {
3723  flags |= EVENT_METHOD_US_TIMEOUT;
3724  }
3725 
3726  c->c2.event_set = event_set_init(&c->c2.event_set_max, flags);
3727  c->c2.event_set_owned = true;
3728 }
3729 
3730 static void
3732 {
3733  if (c->c2.event_set && c->c2.event_set_owned)
3734  {
3735  event_free(c->c2.event_set);
3736  c->c2.event_set = NULL;
3737  c->c2.event_set_owned = false;
3738  }
3739 }
3740 
3741 /*
3742  * Open and close --status file
3743  */
3744 
3745 static void
3747 {
3748  if (!c->c1.status_output)
3749  {
3752  -1,
3753  NULL,
3755  c->c1.status_output_owned = true;
3756  }
3757 }
3758 
3759 static void
3761 {
3762  if (!(c->sig->signal_received == SIGUSR1))
3763  {
3764  if (c->c1.status_output_owned && c->c1.status_output)
3765  {
3767  c->c1.status_output = NULL;
3768  c->c1.status_output_owned = false;
3769  }
3770  }
3771 }
3772 
3773 /*
3774  * Handle ifconfig-pool persistence object.
3775  */
3776 static void
3778 {
3780  {
3783  c->c1.ifconfig_pool_persist_owned = true;
3784  }
3785 }
3786 
3787 static void
3789 {
3790  if (!(c->sig->signal_received == SIGUSR1))
3791  {
3793  {
3795  c->c1.ifconfig_pool_persist = NULL;
3796  c->c1.ifconfig_pool_persist_owned = false;
3797  }
3798  }
3799 }
3800 
3801 /*
3802  * Inherit environmental variables
3803  */
3804 
3805 static void
3806 do_inherit_env(struct context *c, const struct env_set *src)
3807 {
3808  c->c2.es = env_set_create(NULL);
3809  c->c2.es_owned = true;
3810  env_set_inherit(c->c2.es, src);
3811 }
3812 
3813 static void
3815 {
3816  if (c->c2.es && c->c2.es_owned)
3817  {
3818  env_set_destroy(c->c2.es);
3819  c->c2.es = NULL;
3820  c->c2.es_owned = false;
3821  }
3822 }
3823 
3824 /*
3825  * Fast I/O setup. Fast I/O is an optimization which only works
3826  * if all of the following are true:
3827  *
3828  * (1) The platform is not Windows
3829  * (2) --proto udp is enabled
3830  * (3) --shaper is disabled
3831  */
3832 static void
3834 {
3835  if (c->options.fast_io)
3836  {
3837 #ifdef _WIN32
3838  msg(M_INFO, "NOTE: --fast-io is disabled since we are running on Windows");
3839 #else
3840  if (!proto_is_udp(c->options.ce.proto))
3841  {
3842  msg(M_INFO, "NOTE: --fast-io is disabled since we are not using UDP");
3843  }
3844  else
3845  {
3846 #ifdef ENABLE_FEATURE_SHAPER
3847  if (c->options.shaper)
3848  {
3849  msg(M_INFO, "NOTE: --fast-io is disabled since we are using --shaper");
3850  }
3851  else
3852 #endif
3853  {
3854  c->c2.fast_io = true;
3855  }
3856  }
3857 #endif
3858  }
3859 }
3860 
3861 static void
3863 {
3864  if (c->options.tls_exit)
3865  {
3866  c->c2.tls_exit_signal = SIGTERM;
3867  }
3868  else
3869  {
3870  c->c2.tls_exit_signal = SIGUSR1;
3871  }
3872 }
3873 
3874 #ifdef ENABLE_PLUGIN
3875 
3876 void
3878 {
3879  if (c->options.plugin_list && !c->plugins)
3880  {
3882  c->plugins_owned = true;
3883  }
3884 }
3885 
3886 void
3887 open_plugins(struct context *c, const bool import_options, int init_point)
3888 {
3889  if (c->plugins && c->plugins_owned)
3890  {
3891  if (import_options)
3892  {
3893  struct plugin_return pr, config;
3894  plugin_return_init(&pr);
3895  plugin_list_open(c->plugins, c->options.plugin_list, &pr, c->c2.es, init_point);
3896  plugin_return_get_column(&pr, &config, "config");
3897  if (plugin_return_defined(&config))
3898  {
3899  int i;
3900  for (i = 0; i < config.n; ++i)
3901  {
3902  unsigned int option_types_found = 0;
3903  if (config.list[i] && config.list[i]->value)
3904  {
3906  config.list[i]->value,
3909  &option_types_found,
3910  c->es);
3911  }
3912  }
3913  }
3914  plugin_return_free(&pr);
3915  }
3916  else
3917  {
3918  plugin_list_open(c->plugins, c->options.plugin_list, NULL, c->c2.es, init_point);
3919  }
3920  }
3921 }
3922 
3923 static void
3925 {
3926  if (c->plugins && c->plugins_owned && !(c->sig->signal_received == SIGUSR1))
3927  {
3929  c->plugins = NULL;
3930  c->plugins_owned = false;
3931  }
3932 }
3933 
3934 static void
3935 do_inherit_plugins(struct context *c, const struct context *src)
3936 {
3937  if (!c->plugins && src->plugins)
3938  {
3939  c->plugins = plugin_list_inherit(src->plugins);
3940  c->plugins_owned = true;
3941  }
3942 }
3943 
3944 #endif /* ifdef ENABLE_PLUGIN */
3945 
3946 #ifdef ENABLE_MANAGEMENT
3947 
3948 static void
3949 management_callback_status_p2p(void *arg, const int version, struct status_output *so)
3950 {
3951  struct context *c = (struct context *) arg;
3952  print_status(c, so);
3953 }
3954 
3955 void
3956 management_show_net_callback(void *arg, const int msglevel)
3957 {
3958 #ifdef _WIN32
3959  show_routes(msglevel);
3960  show_adapters(msglevel);
3961  msg(msglevel, "END");
3962 #else
3963  msg(msglevel, "ERROR: Sorry, this command is currently only implemented on Windows");
3964 #endif
3965 }
3966 
3967 #ifdef TARGET_ANDROID
3968 int
3969 management_callback_network_change(void *arg, bool samenetwork)
3970 {
3971  /* Check if the client should translate the network change to a SIGUSR1 to
3972  * reestablish the connection or just reprotect the socket
3973  *
3974  * At the moment just assume that, for all settings that use pull (not
3975  * --static) and are not using peer-id reestablishing the connection is
3976  * required (unless the network is the same)
3977  *
3978  * The function returns -1 on invalid fd and -2 if the socket cannot be
3979  * reused. On the -2 return value the man_network_change function triggers
3980  * a SIGUSR1 to force a reconnect.
3981  */
3982 
3983  int socketfd = -1;
3984  struct context *c = (struct context *) arg;
3985  if (!c->c2.link_socket)
3986  {
3987  return -1;
3988  }
3989  if (c->c2.link_socket->sd == SOCKET_UNDEFINED)
3990  {
3991  return -1;
3992  }
3993 
3994  socketfd = c->c2.link_socket->sd;
3995  if (!c->options.pull || c->c2.tls_multi->use_peer_id || samenetwork)
3996  {
3997  return socketfd;
3998  }
3999  else
4000  {
4001  return -2;
4002  }
4003 }
4004 #endif /* ifdef TARGET_ANDROID */
4005 
4006 #endif /* ifdef ENABLE_MANAGEMENT */
4007 
4008 void
4010 {
4011 #ifdef ENABLE_MANAGEMENT
4012  if (management)
4013  {
4014  struct management_callback cb;
4015  CLEAR(cb);
4016  cb.arg = c;
4022 #ifdef TARGET_ANDROID
4023  cb.network_change = management_callback_network_change;
4024 #endif
4026  }
4027 #endif
4028 }
4029 
4030 #ifdef ENABLE_MANAGEMENT
4031 
4032 void
4034 {
4035  if (!management)
4036  {
4038  }
4039 }
4040 
4041 bool
4043 {
4044  /* initialize management layer */
4045  if (management)
4046  {
4047  if (c->options.management_addr)
4048  {
4049  unsigned int flags = c->options.management_flags;
4050  if (c->options.mode == MODE_SERVER)
4051  {
4052  flags |= MF_SERVER;
4053  }
4065  flags))
4066  {
4069  NULL,
4070  NULL,
4071  NULL,
4072  NULL,
4073  NULL);
4074  }
4075 
4076  /* initial management hold, called early, before first context initialization */
4077  do_hold(0);
4078  if (IS_SIG(c))
4079  {
4080  msg(M_WARN, "Signal received from management interface, exiting");
4081  return false;
4082  }
4083  }
4084  else
4085  {
4086  close_management();
4087  }
4088  }
4089  return true;
4090 }
4091 
4092 void
4094 {
4095  if (management)
4096  {
4098  management = NULL;
4099  }
4100 }
4101 
4102 #endif /* ifdef ENABLE_MANAGEMENT */
4103 
4104 
4105 void
4107 {
4108 #ifdef ENABLE_MANAGEMENT
4109  if (management)
4110  {
4112  }
4113 #endif
4114 }
4115 
4116 /*
4117  * Initialize a tunnel instance, handle pre and post-init
4118  * signal settings.
4119  */
4120 void
4121 init_instance_handle_signals(struct context *c, const struct env_set *env, const unsigned int flags)
4122 {
4124  init_instance(c, env, flags);
4126 
4127  /*
4128  * This is done so that signals thrown during
4129  * initialization can bring us back to
4130  * a management hold.
4131  */
4132  if (IS_SIG(c))
4133  {
4134  remap_signal(c);
4136  }
4137 }
4138 
4139 /*
4140  * Initialize a tunnel instance.
4141  */
4142 void
4143 init_instance(struct context *c, const struct env_set *env, const unsigned int flags)
4144 {
4145  const struct options *options = &c->options;
4146  const bool child = (c->mode == CM_CHILD_TCP || c->mode == CM_CHILD_UDP);
4147  int link_socket_mode = LS_MODE_DEFAULT;
4148 
4149  /* init garbage collection level */
4150  gc_init(&c->c2.gc);
4151 
4152  /* inherit environmental variables */
4153  if (env)
4154  {
4155  do_inherit_env(c, env);
4156  }
4157 
4158  /* signals caught here will abort */
4159  c->sig->signal_received = 0;
4160  c->sig->signal_text = NULL;
4161  c->sig->source = SIG_SOURCE_SOFT;
4162 
4163  if (c->mode == CM_P2P)
4164  {
4166  }
4167 
4168  /* possible sleep or management hold if restart */
4169  if (c->mode == CM_P2P || c->mode == CM_TOP)
4170  {
4171  do_startup_pause(c);
4172  if (IS_SIG(c))
4173  {
4174  goto sig;
4175  }
4176  }
4177 
4178  if (c->options.resolve_in_advance)
4179  {
4180  do_preresolve(c);
4181  if (IS_SIG(c))
4182  {
4183  goto sig;
4184  }
4185  }
4186 
4187  /* map in current connection entry */
4189 
4190  /* link_socket_mode allows CM_CHILD_TCP
4191  * instances to inherit acceptable fds
4192  * from a top-level parent */
4193  if (c->options.ce.proto == PROTO_TCP_SERVER)
4194  {
4195  if (c->mode == CM_TOP)
4196  {
4197  link_socket_mode = LS_MODE_TCP_LISTEN;
4198  }
4199  else if (c->mode == CM_CHILD_TCP)
4200  {
4201  link_socket_mode = LS_MODE_TCP_ACCEPT_FROM;
4202  }
4203  }
4204 
4205  /* should we disable paging? */
4206  if (c->first_time && options->mlock)
4207  {
4208  platform_mlockall(true);
4209  }
4210 
4211 #if P2MP
4212  /* get passwords if undefined */
4213  if (auth_retry_get() == AR_INTERACT)
4214  {
4216  }
4217 #endif
4218 
4219  /* initialize context level 2 --verb/--mute parms */
4221 
4222  /* set error message delay for non-server modes */
4223  if (c->mode == CM_P2P)
4224  {
4226  }
4227 
4228  /* warn about inconsistent options */
4229  if (c->mode == CM_P2P || c->mode == CM_TOP)
4230  {
4231  do_option_warnings(c);
4232  }
4233 
4234 #ifdef ENABLE_PLUGIN
4235  /* initialize plugins */
4236  if (c->mode == CM_P2P || c->mode == CM_TOP)
4237  {
4239  }
4240 #endif
4241 
4242  /* should we enable fast I/O? */
4243  if (c->mode == CM_P2P || c->mode == CM_TOP)
4244  {
4245  do_setup_fast_io(c);
4246  }
4247 
4248  /* should we throw a signal on TLS errors? */
4250 
4251  /* open --status file */
4252  if (c->mode == CM_P2P || c->mode == CM_TOP)
4253  {
4255  }
4256 
4257  /* open --ifconfig-pool-persist file */
4258  if (c->mode == CM_TOP)
4259  {
4261  }
4262 
4263  /* reset OCC state */
4264  if (c->mode == CM_P2P || child)
4265  {
4266  c->c2.occ_op = occ_reset_op();
4267  }
4268 
4269  /* our wait-for-i/o objects, different for posix vs. win32 */
4270  if (c->mode == CM_P2P)
4271  {
4273  }
4274  else if (c->mode == CM_CHILD_TCP)
4275  {
4276  do_event_set_init(c, false);
4277  }
4278 
4279  /* initialize HTTP or SOCKS proxy object at scope level 2 */
4280  init_proxy(c);
4281 
4282  /* allocate our socket object */
4283  if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
4284  {
4285  do_link_socket_new(c);
4286  }
4287 
4288 #ifdef ENABLE_FRAGMENT
4289  /* initialize internal fragmentation object */
4290  if (options->ce.fragment && (c->mode == CM_P2P || child))
4291  {
4292  c->c2.fragment = fragment_init(&c->c2.frame);
4293  }
4294 #endif
4295 
4296  /* init crypto layer */
4297  {
4298  unsigned int crypto_flags = 0;
4299  if (c->mode == CM_TOP)
4300  {
4301  crypto_flags = CF_INIT_TLS_AUTH_STANDALONE;
4302  }
4303  else if (c->mode == CM_P2P)
4304  {
4306  }
4307  else if (child)
4308  {
4309  crypto_flags = CF_INIT_TLS_MULTI;
4310  }
4311  do_init_crypto(c, crypto_flags);
4312  if (IS_SIG(c) && !child)
4313  {
4314  goto sig;
4315  }
4316  }
4317 
4318 #ifdef USE_COMP
4319  /* initialize compression library. */
4320  if (comp_enabled(&options->comp) && (c->mode == CM_P2P || child))
4321  {
4322  c->c2.comp_context = comp_init(&options->comp);
4323  }
4324 #endif
4325 
4326  /* initialize MTU variables */
4327  do_init_frame(c);
4328 
4329  /* initialize TLS MTU variables */
4330  do_init_frame_tls(c);
4331 
4332  /* init workspace buffers whose size is derived from frame size */
4333  if (c->mode == CM_P2P || c->mode == CM_CHILD_TCP)
4334  {
4335  do_init_buffers(c);
4336  }
4337 
4338 #ifdef ENABLE_FRAGMENT
4339  /* initialize internal fragmentation capability with known frame size */
4340  if (options->ce.fragment && (c->mode == CM_P2P || child))
4341  {
4342  do_init_fragment(c);
4343  }
4344 #endif
4345 
4346  /* initialize dynamic MTU variable */
4347  frame_init_mssfix(&c->c2.frame, &c->options);
4348 
4349  /* bind the TCP/UDP socket */
4350  if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
4351  {
4352  do_init_socket_1(c, link_socket_mode);
4353  }
4354 
4355  /* initialize tun/tap device object,
4356  * open tun/tap device, ifconfig, run up script, etc. */
4357  if (!(options->up_delay || PULL_DEFINED(options)) && (c->mode == CM_P2P || c->mode == CM_TOP))
4358  {
4359  c->c2.did_open_tun = do_open_tun(c);
4360  }
4361 
4362  c->c2.frame_initial = c->c2.frame;
4363 
4364  /* print MTU info */
4366 
4367  /* get local and remote options compatibility strings */
4368  if (c->mode == CM_P2P || child)
4369  {
4371  }
4372 
4373  /* initialize output speed limiter */
4374  if (c->mode == CM_P2P)
4375  {
4377  }
4378 
4379  /* do one-time inits, and possibly become a daemon here */
4380  do_init_first_time(c);
4381 
4382 #ifdef ENABLE_PLUGIN
4383  /* initialize plugins */
4384  if (c->mode == CM_P2P || c->mode == CM_TOP)
4385  {
4387  }
4388 #endif
4389 
4390  /* initialise connect timeout timer */
4392 
4393  /* finalize the TCP/UDP socket */
4394  if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
4395  {
4396  do_init_socket_2(c);
4397  }
4398 
4399  /*
4400  * Actually do UID/GID downgrade, and chroot, if requested.
4401  * May be delayed by --client, --pull, or --up-delay.
4402  */
4404 
4405  /* initialize timers */
4406  if (c->mode == CM_P2P || child)
4407  {
4408  do_init_timers(c, false);
4409  }
4410 
4411 #ifdef ENABLE_PLUGIN
4412  /* initialize plugins */
4413  if (c->mode == CM_P2P || c->mode == CM_TOP)
4414  {
4416  }
4417 #endif
4418 
4419 #if PORT_SHARE
4420  /* share OpenVPN port with foreign (such as HTTPS) server */
4421  if (c->first_time && (c->mode == CM_P2P || c->mode == CM_TOP))
4422  {
4423  init_port_share(c);
4424  }
4425 #endif
4426 
4427 #ifdef ENABLE_PF
4428  if (child)
4429  {
4430  pf_init_context(c);
4431  }
4432 #endif
4433 
4434  /* Check for signals */
4435  if (IS_SIG(c))
4436  {
4437  goto sig;
4438  }
4439 
4440  return;
4441 
4442 sig:
4443  if (!c->sig->signal_text)
4444  {
4445  c->sig->signal_text = "init_instance";
4446  }
4447  close_context(c, -1, flags);
4448  return;
4449 }
4450 
4451 /*
4452  * Close a tunnel instance.
4453  */
4454 void
4456 {
4457  /* close event objects */
4458  do_close_event_set(c);
4459 
4460  if (c->mode == CM_P2P
4461  || c->mode == CM_CHILD_TCP
4462  || c->mode == CM_CHILD_UDP
4463  || c->mode == CM_TOP)
4464  {
4465  /* if xinetd/inetd mode, don't allow restart */
4467 
4468 #ifdef USE_COMP
4469  if (c->c2.comp_context)
4470  {
4471  comp_uninit(c->c2.comp_context);
4472  c->c2.comp_context = NULL;
4473  }
4474 #endif
4475 
4476  /* free buffers */
4477  do_close_free_buf(c);
4478 
4479  /* close TLS */
4480  do_close_tls(c);
4481 
4482  /* free key schedules */
4483  do_close_free_key_schedule(c, (c->mode == CM_P2P || c->mode == CM_TOP));
4484 
4486 
4487  /* close TCP/UDP connection */
4489 
4490  /* close TUN/TAP device */
4491  do_close_tun(c, false);
4492 
4493 #ifdef ENABLE_MANAGEMENT
4494  if (management)
4495  {
4497  }
4498 #endif
4499 
4500 #ifdef ENABLE_PF
4501  pf_destroy_context(&c->c2.pf);
4502 #endif
4503 
4504 #ifdef ENABLE_PLUGIN
4505  /* call plugin close functions and unload */
4506  do_close_plugins(c);
4507 #endif
4508 
4509  /* close packet-id persistence file */
4510  do_close_packet_id(c);
4511 
4512  /* close --status file */
4514 
4515 #ifdef ENABLE_FRAGMENT
4516  /* close fragmentation handler */
4517  do_close_fragment(c);
4518 #endif
4519 
4520  /* close --ifconfig-pool-persist obj */
4522 
4523  /* free up environmental variable store */
4524  do_env_set_destroy(c);
4525 
4526  /* close HTTP or SOCKS proxy */
4527  uninit_proxy(c);
4528 
4529  /* garbage collect */
4530  gc_free(&c->c2.gc);
4531  }
4532 }
4533 
4534 void
4536  const struct context *src)
4537 {
4538  CLEAR(*dest);
4539 
4540  /* proto_is_dgram will ASSERT(0) if proto is invalid */
4542 
4543  dest->gc = gc_new();
4544 
4545  ALLOC_OBJ_CLEAR_GC(dest->sig, struct signal_info, &dest->gc);
4546 
4547  /* c1 init */
4549 
4550  dest->c1.ks.key_type = src->c1.ks.key_type;
4551  /* inherit SSL context */
4552  dest->c1.ks.ssl_ctx = src->c1.ks.ssl_ctx;
4553  dest->c1.ks.tls_wrap_key = src->c1.ks.tls_wrap_key;
4556  /* inherit pre-NCP ciphers */
4557  dest->c1.ciphername = src->c1.ciphername;
4558  dest->c1.authname = src->c1.authname;
4559  dest->c1.keysize = src->c1.keysize;
4560 
4561  /* inherit auth-token */
4562  dest->c1.ks.auth_token_key = src->c1.ks.auth_token_key;
4563 
4564  /* options */
4565  dest->options = src->options;
4566  options_detach(&dest->options);
4567 
4568  if (dest->mode == CM_CHILD_TCP)
4569  {
4570  /*
4571  * The CM_TOP context does the socket listen(),
4572  * and the CM_CHILD_TCP context does the accept().
4573  */
4574  dest->c2.accept_from = src->c2.link_socket;
4575  }
4576 
4577 #ifdef ENABLE_PLUGIN
4578  /* inherit plugins */
4579  do_inherit_plugins(dest, src);
4580 #endif
4581 
4582  /* context init */
4583  init_instance(dest, src->c2.es, CC_NO_CLOSE | CC_USR1_TO_HUP);
4584  if (IS_SIG(dest))
4585  {
4586  return;
4587  }
4588 
4589  /* inherit tun/tap interface object */
4590  dest->c1.tuntap = src->c1.tuntap;
4591 
4592  /* UDP inherits some extra things which TCP does not */
4593  if (dest->mode == CM_CHILD_UDP)
4594  {
4595  /* inherit buffers */
4596  dest->c2.buffers = src->c2.buffers;
4597 
4598  /* inherit parent link_socket and tuntap */
4599  dest->c2.link_socket = src->c2.link_socket;
4600 
4601  ALLOC_OBJ_GC(dest->c2.link_socket_info, struct link_socket_info, &dest->gc);
4602  *dest->c2.link_socket_info = src->c2.link_socket->info;
4603 
4604  /* locally override some link_socket_info fields */
4605  dest->c2.link_socket_info->lsa = &dest->c1.link_socket_addr;
4607  }
4608 }
4609 
4610 void
4612  const struct context *src)
4613 {
4614  /* copy parent */
4615  *dest = *src;
4616 
4617  /*
4618  * CM_TOP_CLONE will prevent close_instance from freeing or closing
4619  * resources owned by the parent.
4620  *
4621  * Also note that CM_TOP_CLONE context objects are
4622  * closed by multi_top_free in multi.c.
4623  */
4624  dest->mode = CM_TOP_CLONE;
4625 
4626  dest->first_time = false;
4627  dest->c0 = NULL;
4628 
4629  options_detach(&dest->options);
4630  gc_detach(&dest->gc);
4631  gc_detach(&dest->c2.gc);
4632 
4633  /* detach plugins */
4634  dest->plugins_owned = false;
4635 
4636  dest->c2.tls_multi = NULL;
4637 
4638  /* detach c1 ownership */
4639  dest->c1.tuntap_owned = false;
4640  dest->c1.status_output_owned = false;
4641  dest->c1.ifconfig_pool_persist_owned = false;
4642 
4643  /* detach c2 ownership */
4644  dest->c2.event_set_owned = false;
4645  dest->c2.link_socket_owned = false;
4646  dest->c2.buffers_owned = false;
4647  dest->c2.es_owned = false;
4648 
4649  dest->c2.event_set = NULL;
4650  if (proto_is_dgram(src->options.ce.proto))
4651  {
4652  do_event_set_init(dest, false);
4653  }
4654 
4655 #ifdef USE_COMP
4656  dest->c2.comp_context = NULL;
4657 #endif
4658 }
4659 
4660 void
4661 close_context(struct context *c, int sig, unsigned int flags)
4662 {
4663  ASSERT(c);
4664  ASSERT(c->sig);
4665 
4666  if (sig >= 0)
4667  {
4668  c->sig->signal_received = sig;
4669  }
4670 
4671  if (c->sig->signal_received == SIGUSR1)
4672  {
4673  if ((flags & CC_USR1_TO_HUP)
4674  || (c->sig->source == SIG_SOURCE_HARD && (flags & CC_HARD_USR1_TO_HUP)))
4675  {
4676  c->sig->signal_received = SIGHUP;
4677  c->sig->signal_text = "close_context usr1 to hup";
4678  }
4679  }
4680 
4681  if (!(flags & CC_NO_CLOSE))
4682  {
4683  close_instance(c);
4684  }
4685 
4686  if (flags & CC_GC_FREE)
4687  {
4688  context_gc_free(c);
4689  }
4690 }
4691 
4692 /* Write our PID to a file */
4693 void
4694 write_pid_file(const char *filename, const char *chroot_dir)
4695 {
4696  if (filename)
4697  {
4698  unsigned int pid = 0;
4699  FILE *fp = platform_fopen(filename, "w");
4700  if (!fp)
4701  {
4702  msg(M_ERR, "Open error on pid file %s", filename);
4703  return;
4704  }
4705 
4706  pid = platform_getpid();
4707  fprintf(fp, "%u\n", pid);
4708  if (fclose(fp))
4709  {
4710  msg(M_ERR, "Close error on pid file %s", filename);
4711  }
4712 
4713  /* remember file name so it can be deleted "out of context" later */
4714  /* (the chroot case is more complex and not handled today) */
4715  if (!chroot_dir)
4716  {
4717  saved_pid_file_name = strdup(filename);
4718  }
4719  }
4720 }
4721 
4722 /* remove PID file on exit, called from openvpn_exit() */
4723 void
4725 {
4726  if (saved_pid_file_name)
4727  {
4729  }
4730 }
4731 
4732 
4733 /*
4734  * Do a loopback test
4735  * on the crypto subsystem.
4736  */
4737 static void *
4739 {
4740  struct context *c = (struct context *) arg;
4741  const struct options *options = &c->options;
4742 
4743  ASSERT(options->test_crypto);
4745  context_init_1(c);
4747  do_init_crypto_static(c, 0);
4748 
4749  frame_finalize_options(c, options);
4750 
4751  test_crypto(&c->c2.crypto_options, &c->c2.frame);
4752 
4753  key_schedule_free(&c->c1.ks, true);
4755 
4756  context_gc_free(c);
4757  return NULL;
4758 }
4759 
4760 bool
4761 do_test_crypto(const struct options *o)
4762 {
4763  if (o->test_crypto)
4764  {
4765  struct context c;
4766 
4767  /* print version number */
4768  msg(M_INFO, "%s", title_string);
4769 
4770  context_clear(&c);
4771  c.options = *o;
4772  options_detach(&c.options);
4773  c.first_time = true;
4774  test_crypto_thread((void *) &c);
4775  return true;
4776  }
4777  return false;
4778 }
struct tuntap_options tuntap_options
Definition: options.h:301
bool tcp_mode
Definition: ssl_common.h:312
struct env_set * es
Definition: openvpn.h:440
char port[RH_PORT_LEN]
Definition: options.h:184
unsigned int platform_getpid(void)
Definition: platform.c:178
const char * ciphername
Data channel cipher from config file.
Definition: openvpn.h:207
bool remote_float
Definition: options.h:95
bool socks_proxy_owned
Definition: openvpn.h:190
void warn_on_use_of_common_subnets(openvpn_net_ctx_t *ctx)
Definition: tun.c:570
static void init_crypto_pre(struct context *c, const unsigned int flags)
Definition: init.c:2570
bool argv_printf_cat(struct argv *argres, const char *format,...)
printf() inspired argv concatenation.
Definition: argv.c:466
void interval_init(struct interval *top, int horizon, int refresh)
Definition: interval.c:37
const char * status_file
Definition: options.h:336
void management_close(struct management *man)
Definition: manage.c:2689
int ifconfig_pool_persist_refresh_freq
Definition: options.h:432
struct key_type key_type
Definition: ssl_common.h:258
struct ifconfig_pool_persist * ifconfig_pool_persist_init(const char *filename, int refresh_freq)
Definition: pool.c:555
bool persist_remote_ip
Definition: options.h:290
int sndbuf
Definition: options.h:349
static void frame_add_to_extra_buffer(struct frame *frame, const int increment)
Definition: mtu.h:298
void platform_group_set(const struct platform_state_group *state)
Definition: platform.c:130
struct route_ipv6_option_list * routes_ipv6
Definition: options.h:369
bool log_rw
Definition: openvpn.h:402
void frame_subtract_extra(struct frame *frame, const struct frame *src)
Definition: mtu.c:123
static int route_did_redirect_default_gateway(const struct route_list *rl)
Definition: route.h:404
void set_std_files_to_null(bool stdin_only)
Definition: misc.c:58
#define CO_PACKET_ID_LONG_FORM
Bit-flag indicating whether to use OpenVPN&#39;s long packet ID format.
Definition: crypto.h:245
struct http_proxy_info * http_proxy_new(const struct http_proxy_options *o)
Definition: proxy.c:493
static void strncpynt(char *dest, const char *src, size_t maxlen)
Definition: buffer.h:348
const char * socks_proxy_port
Definition: options.h:104
#define TM_ACTIVE
Active tls_session.
Definition: ssl_common.h:474
struct frame frame_fragment_omit
Definition: openvpn.h:286
const char * tmp_dir
Definition: ssl_common.h:329
struct env_set * env_set_create(struct gc_arena *gc)
Definition: env_set.c:158
struct event_timeout route_wakeup
Definition: openvpn.h:405
bool tun_mtu_defined
Definition: options.h:108
static void uninit_proxy_dowork(struct context *c)
Definition: init.c:613
#define OPT_P_DEFAULT
Definition: options.h:692
static void do_init_route_ipv6_list(const struct options *options, struct route_ipv6_list *route_ipv6_list, const struct link_socket_info *link_socket_info, struct env_set *es, openvpn_net_ctx_t *ctx)
Definition: init.c:1545
bool platform_group_get(const char *groupname, struct platform_state_group *state)
Definition: platform.c:108
int dev_type_enum(const char *dev, const char *dev_type)
Definition: tun.c:364
Definition: tun.h:151
bool ncp_enabled
Definition: options.h:508
unsigned int management_flags
Definition: options.h:392
static void do_close_tun(struct context *c, bool force)
Definition: init.c:2012
struct packet_id packet_id
Current packet ID state for both sending and receiving directions.
Definition: crypto.h:238
void free_key_ctx(struct key_ctx *ctx)
Definition: crypto.c:891
static void do_init_crypto_static(struct context *c, const unsigned int flags)
Definition: init.c:2598
const char * signal_description(const int signum, const char *sigtext)
Definition: sig.c:91
struct buffer read_tun_buf
Definition: openvpn.h:112
const char * crl_file
Definition: ssl_common.h:290
#define M_NOPREFIX
Definition: error.h:102
bool block_outside_dns
Definition: options.h:629
uint8_t hmac_length
HMAC length, in bytes.
Definition: crypto.h:142
#define D_INIT_MEDIUM
Definition: errlevel.h:106
struct event_timeout ping_rec_interval
Definition: openvpn.h:317
unsigned int crypto_max_overhead(void)
Return the worst-case OpenVPN crypto overhead (in bytes)
Definition: crypto.c:716
void tls_auth_standalone_finalize(struct tls_auth_standalone *tas, const struct frame *frame)
Definition: ssl.c:1265
bool tls_crypt_v2
Definition: ssl_common.h:318
struct options options
Options loaded from command line or configuration file.
Definition: openvpn.h:505
void platform_nice(int niceval)
Definition: platform.c:156
void plugin_return_get_column(const struct plugin_return *src, struct plugin_return *dest, const char *colname)
Definition: plugin.c:969
struct event_timeout route_wakeup_expire
Definition: openvpn.h:406
#define PAR_NCT
Definition: proxy.h:50
bool mute_replay_warnings
Definition: options.h:516
void test_crypto(struct crypto_options *co, struct frame *frame)
Definition: crypto.c:1086
#define BASE_N_EVENTS
Definition: init.h:33
void tun_standby_init(struct tuntap *tt)
Definition: tun.c:5691
bool show_curves
Definition: options.h:222
void free_buf(struct buffer *buf)
Definition: buffer.c:185
#define D_ROUTE
Definition: errlevel.h:80
bool exit_event_initial_state
Definition: options.h:626
const char * cipher_list
Definition: options.h:541
unsigned int flags
Bit-flags determining behavior of security operation functions.
Definition: crypto.h:261
bool tls_server
Definition: options.h:526
struct link_socket * link_socket_new(void)
Definition: socket.c:1868
static void do_alloc_route_list(struct context *c)
Definition: init.c:1490
static bool management_callback_remote_cmd(void *arg, const char **p)
Definition: init.c:335
void socks_proxy_close(struct socks_proxy_info *sp)
Definition: socks.c:91
char * string_alloc(const char *str, struct gc_arena *gc)
Definition: buffer.c:685
#define CE_MAN_QUERY_REMOTE_MOD
Definition: options.h:128
void init_verb_mute(struct context *c, unsigned int flags)
Definition: init.c:1029
char * options_string(const struct options *o, const struct frame *frame, struct tuntap *tt, openvpn_net_ctx_t *ctx, bool remote, struct gc_arena *gc)
Definition: options.c:3726
bool enable_ncp_fallback
If defined fall back to ciphername if NCP fails.
Definition: options.h:506
bool tls_crypt_v2_file_inline
Definition: options.h:605
struct argv argv_new(void)
Allocates a new struct argv and ensures it is initialised.
Definition: argv.c:90
static bool options_hash_changed_or_zero(const struct sha256_digest *a, const struct sha256_digest *b)
Helper for do_up().
Definition: init.c:2165
static void init_proxy_dowork(struct context *c)
Definition: init.c:630
static void frame_or_align_flags(struct frame *frame, const unsigned int flag_mask)
Definition: mtu.h:316
void prng_init(const char *md_name, const int nonce_secret_len_parm)
Pseudo-random number generator initialisation.
Definition: crypto.c:1719
struct packet_id_persist * pid_persist
Persistent packet ID state for keeping state between successive OpenVPN process startups.
Definition: crypto.h:240
#define SET_MTU_TUN
Definition: mtu.h:220
struct cached_dns_entry * dns_cache
Definition: openvpn.h:163
bool did_open_tun
Definition: openvpn.h:409
void add_routes(struct route_list *rl, struct route_ipv6_list *rl6, const struct tuntap *tt, unsigned int flags, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition: route.c:1191
unsigned int auth_token_lifetime
Definition: ssl_common.h:336
const char * tls_cert_profile
Definition: options.h:544
int management_log_history_cache
Definition: options.h:383
#define M_OPTERR
Definition: error.h:105
#define STATUS_OUTPUT_WRITE
Definition: status.h:51
const char * tls_crypt_v2_verify_script
Definition: ssl_common.h:319
struct interval tmp_int
Definition: openvpn.h:366
#define streq(x, y)
Definition: options.h:656
const char * ifconfig_pool_persist_filename
Definition: options.h:431
const char * chroot_dir
Definition: options.h:306
#define P2P_ERROR_DELAY_MS
Definition: errlevel.h:41
void string_clear(char *str)
Definition: buffer.c:728
static void do_inherit_plugins(struct context *c, const struct context *src)
Definition: init.c:3935
static void do_close_event_set(struct context *c)
Definition: init.c:3731
static void do_init_crypto_tls_c1(struct context *c)
Definition: init.c:2737
static void plugin_return_init(struct plugin_return *pr)
Definition: plugin.h:171
bool server_bridge_proxy_dhcp
Definition: options.h:418
#define S_FATAL
Definition: run_command.h:46
const char * dev
Definition: options.h:247
#define WSO_FORCE_SERVICE
Definition: win32.h:166
int ping_rec_timeout_action
Definition: options.h:286
bool do_up(struct context *c, bool pulled_options, unsigned int option_types_found)
Definition: init.c:2175
bool auth_token_generate
Definition: options.h:474
void packet_id_persist_load_obj(const struct packet_id_persist *p, struct packet_id *pid)
Definition: packet_id.c:521
int inetd
Definition: options.h:323
#define D_IMPORT_ERRORS
Definition: errlevel.h:64
void print_default_gateway(const int msglevel, const struct route_gateway_info *rgi, const struct route_ipv6_gateway_info *rgi6)
Definition: route.c:1336
#define M_INFO
Definition: errlevel.h:55
void notnull(const char *arg, const char *description)
Definition: options.c:4393
void tun_abort(void)
Definition: init.c:2145
Contains all state information for one tunnel.
Definition: openvpn.h:503
#define CIPHER_ENABLED(c)
Definition: openvpn.h:574
Packet geometry parameters.
Definition: mtu.h:93
static void do_env_set_destroy(struct context *c)
Definition: init.c:3814
static void do_init_tls_wrap_key(struct context *c)
Definition: init.c:2657
#define PAR_ALL
Definition: proxy.h:49
bool cipher_kt_mode_ofb_cfb(const cipher_kt_t *cipher)
Check if the supplied cipher is a supported OFB or CFB mode cipher.
#define ROUTE_AFTER_TUN
Definition: tun.h:361
#define PUSH_BUNDLE_SIZE
Definition: common.h:84
struct env_set * es
Set of environment variables.
Definition: openvpn.h:526
#define D_PUSH
Definition: errlevel.h:83
void tls_crypt_v2_write_client_key_file(const char *filename, const char *b64_metadata, const char *server_key_file, bool server_key_inline)
Generate a tls-crypt-v2 client key, and write to file.
Definition: tls_crypt.c:638
#define M_USAGE
Definition: error.h:111
struct man_persist persist
Definition: manage.h:318
#define srandom
Definition: syshead.h:45
bool proto_is_udp(int proto)
Definition: socket.c:3204
struct openvpn_plugin_string_list * list[MAX_PLUGINS]
Definition: plugin.h:104
void remap_signal(struct context *c)
Definition: sig.c:375
static void gc_free(struct gc_arena *a)
Definition: buffer.h:1023
struct tls_root_ctx ssl_ctx
Definition: ssl_common.h:255
void error_reset(void)
Definition: error.c:163
#define PAYLOAD_ALIGN
Definition: mtu.h:86
static bool management_callback_proxy_cmd(void *arg, const char **p)
Definition: init.c:214
#define OPT_P_PLUGIN
Definition: options.h:685
static void frame_add_to_extra_frame(struct frame *frame, const unsigned int increment)
Definition: mtu.h:274
static int plugin_call(const struct plugin_list *pl, const int type, const struct argv *av, struct plugin_return *pr, struct env_set *es)
Definition: plugin.h:202
#define dmsg
Definition: error.h:174
void close_context(struct context *c, int sig, unsigned int flags)
Definition: init.c:4661
int script_security(void)
Definition: run_command.c:45
static void do_init_socket_2(struct context *c)
Definition: init.c:3471
bool platform_user_get(const char *username, struct platform_state_user *state)
Definition: platform.c:69
#define SDL_CONSTRAIN
Definition: error.h:203
const char * auth_user_pass_verify_script
Definition: ssl_common.h:327
const char * shared_secret_file
Definition: options.h:502
bool send_control_channel_string(struct context *c, const char *str, int msglevel)
Definition: forward.c:329
static void packet_id_persist_init(struct packet_id_persist *p)
Definition: openvpn.h:84
void open_tun(const char *dev, const char *dev_type, const char *dev_node, struct tuntap *tt)
Definition: tun.c:6683
#define RH_PORT_LEN
Definition: options.h:183
#define EVENT_METHOD_FAST
Definition: event.h:42
uint32_t peer_id
Definition: options.h:634
#define D_TLS_ERRORS
Definition: errlevel.h:59
#define OPENVPN_PLUGIN_DOWN
void init_management_callback_p2p(struct context *c)
Definition: init.c:4009
struct tls_auth_standalone * tls_auth_standalone
TLS state structure required for the initial authentication of a client&#39;s connection attempt...
Definition: openvpn.h:354
#define OPENVPN_PLUGIN_ROUTE_UP
struct buffer_list * buffer_list_new(const int max_size)
Allocate an empty buffer list of capacity max_size.
Definition: buffer.c:1198
#define IFCONFIG_BEFORE_TUN_OPEN
Definition: tun.h:333
bool tls_crypt_v2_file_inline
Definition: options.h:146
void close_instance(struct context *c)
Definition: init.c:4455
void get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6, const struct in6_addr *dest, openvpn_net_ctx_t *ctx)
Definition: route.c:2826
void tls_crypt_v2_init_server_key(struct key_ctx *key_ctx, bool encrypt, const char *key_file, bool key_inline)
Initialize a tls-crypt-v2 server key (used to encrypt/decrypt client keys).
Definition: tls_crypt.c:322
Definition: options.h:86
int renegotiate_seconds
Definition: options.h:579
const char * client_config_dir_exclusive
Definition: ssl_common.h:341
void http_proxy_close(struct http_proxy_info *hp)
Definition: proxy.c:554
static void frame_add_to_extra_link(struct frame *frame, const int increment)
Definition: mtu.h:292
void tls_multi_free(struct tls_multi *multi, bool clear)
Cleanup a tls_multi structure and free associated memory allocations.
Definition: ssl.c:1290
#define OPT_P_IPWIN32
Definition: options.h:664
bool persist_key
Definition: options.h:291
#define SIGUSR1
Definition: config-msvc.h:152
int replay_window
Definition: options.h:517
int persist_mode
Definition: options.h:215
int keysize
Data channel keysize from config file.
Definition: openvpn.h:209
#define SET_MTU_UPPER_BOUND
Definition: mtu.h:221
static void clear_remote_addrlist(struct link_socket_addr *lsa, bool free)
Definition: init.c:457
const char * auth_user_pass_file
Definition: ssl_common.h:330
static void do_signal_on_tls_errors(struct context *c)
Definition: init.c:3862
struct context_buffers * buffers
Definition: openvpn.h:389
int verify_x509_type
Definition: ssl_common.h:288
struct buffer alloc_buf(size_t size)
Definition: buffer.c:64
int connect_retry_seconds
Definition: options.h:99
void setenv_routes_ipv6(struct env_set *es, const struct route_ipv6_list *rl6)
Definition: route.c:1490
void buffer_list_free(struct buffer_list *ol)
Frees a buffer list and all the buffers in it.
Definition: buffer.c:1208
struct event_timeout wait_for_connect
Definition: openvpn.h:315
int rcvbuf
Definition: options.h:348
const char * config_ncp_ciphers
Definition: ssl_common.h:315
#define D_LOG_RW
Definition: errlevel.h:111
struct link_socket_info * link_socket_info
Definition: openvpn.h:271
static void next_connection_entry(struct context *c)
Definition: init.c:471
int handshake_window
Definition: ssl_common.h:279
struct connection_list * connection_list
Definition: options.h:231
const char * guess_tuntap_dev(const char *dev, const char *dev_type, const char *dev_node, struct gc_arena *gc)
Definition: tun.c:408
void buffer_list_aggregate(struct buffer_list *bl, const size_t max)
Aggregates as many buffers as possible from bl in a new buffer of maximum length max_len ...
Definition: buffer.c:1339
#define LS_MODE_DEFAULT
Definition: socket.h:196
struct crypto_options opt
Crypto state.
Definition: ssl_common.h:238
#define RH_HOST_LEN
Definition: options.h:181
const char * exit_event_name
Definition: options.h:625
#define AR_NONE
Definition: options.h:838
void md_ctx_free(md_ctx_t *ctx)
const struct link_socket * accept_from
Definition: openvpn.h:272
bool route_noexec
Definition: options.h:364
unsigned int sockflags
Definition: options.h:356
static void frame_finalize_options(struct context *c, const struct options *o)
Definition: init.c:2526
in_addr_t remote_netmask
Definition: tun.h:173
const char * tls_crypt_file
Definition: options.h:140
void packet_id_persist_close(struct packet_id_persist *p)
Definition: packet_id.c:416
static void do_close_tls(struct context *c)
Definition: init.c:3591
const char * genkey_extra_data
Definition: options.h:226
static bool ce_management_query_remote(struct context *c)
Definition: init.c:382
void add_route_ipv6_to_option_list(struct route_ipv6_option_list *l, const char *prefix, const char *gateway, const char *metric)
Definition: route.c:511
char * x509_username_field[2]
Definition: ssl_common.h:300
bool buf_printf(struct buffer *buf, const char *format,...)
Definition: buffer.c:242
#define ENABLE_PKCS11
Definition: config-msvc.h:16
const char * route_script
Definition: options.h:359
int management_state_buffer_size
Definition: options.h:385
struct man_def_auth_context * mda_context
Definition: ssl_common.h:367
static char * format_hex(const uint8_t *data, int size, int maxoutput, struct gc_arena *gc)
Definition: buffer.h:526
int resolve_retry_seconds
Definition: options.h:297
#define D_GENKEY
Definition: errlevel.h:79
void setenv_str(struct env_set *es, const char *name, const char *value)
Definition: env_set.c:285
const char * auth_token_secret_file
Definition: options.h:478
struct link_socket_addr link_socket_addr
Local and remote addresses on the external network.
Definition: openvpn.h:155
#define SIZE(x)
Definition: basic.h:30
#define D_MTU_INFO
Definition: errlevel.h:107
#define D_READ_WRITE
Definition: errlevel.h:165
struct socks_proxy_info * socks_proxy
Definition: openvpn.h:189
#define in_addr_t
Definition: config-msvc.h:140
static int buf_read_u8(struct buffer *buf)
Definition: buffer.h:812
static void do_init_frame(struct context *c)
Definition: init.c:3099
const char * config
Definition: options.h:201
int route_delay
Definition: options.h:365
void remove_pid_file(void)
Definition: init.c:4724
#define D_RESTART
Definition: errlevel.h:82
struct signal_info * sig
Internal error signaling object.
Definition: openvpn.h:530
#define MAX_PARMS
Definition: options.h:51
const char * port
Definition: proxy.h:46
const char * down_script
Definition: options.h:313
const char * local_port
Definition: options.h:90
void socks_adjust_frame_parameters(struct frame *frame, int proto)
Definition: socks.c:53
const char * route_predown_script
Definition: options.h:360
void open_plugins(struct context *c, const bool import_options, int init_point)
Definition: init.c:3887
const char * ekm_label
Definition: ssl_common.h:380
void post_init_signal_catch(void)
Definition: sig.c:255
bool link_socket_update_flags(struct link_socket *ls, unsigned int sockflags)
Definition: socket.c:981
struct frame frame_initial
Definition: openvpn.h:279
bool down_pre
Definition: options.h:315
int keepalive_timeout
Definition: options.h:274
#define OPT_P_SOCKBUF
Definition: options.h:686
#define OPENVPN_PLUGIN_INIT_POST_DAEMON
void * openvpn_net_ctx_t
Definition: networking.h:26
#define SIGTERM
Definition: config-msvc.h:154
bool auth_token_generate
Generate auth-tokens on successful user/pass auth,seet via options->auth_token_generate.
Definition: ssl_common.h:332
static void do_init_traffic_shaper(struct context *c)
Definition: init.c:1472
#define TLS_MODE(c)
Definition: openvpn.h:566
void init_query_passwords(const struct context *c)
Query for private key and auth-user-pass username/passwords.
Definition: init.c:587
bool push_peer_info
Definition: options.h:614
#define OPT_P_SETENV
Definition: options.h:666
#define CE_MAN_QUERY_PROXY
Definition: options.h:124
#define SIGHUP
Definition: config-msvc.h:150
struct tuntap * tuntap
Tun/tap virtual network interface.
Definition: openvpn.h:168
int renegotiate_seconds_min
Definition: options.h:580
bool management_hold(struct management *man, int holdtime)
Definition: manage.c:3794
bool tls_crypt_file_inline
Definition: options.h:141
#define PING_RESTART
Definition: options.h:285
static void do_init_finalize_tls_frame(struct context *c)
Definition: init.c:3049
int handshake_window
Definition: options.h:584
#define ASSERT(x)
Definition: error.h:221
static void do_close_plugins(struct context *c)
Definition: init.c:3924
#define D_SHOW_NET
Definition: errlevel.h:130
static int ifconfig_order(void)
Definition: tun.h:339
struct gc_arena gc
Garbage collection arena for allocations done in the level 2 scope of this context_2 structure...
Definition: openvpn.h:243
char * basename(char *filename)
static bool check_debug_level(unsigned int level)
Definition: error.h:245
unsigned int crypto_flags
Definition: ssl_common.h:308
struct key_ctx_bi tls_wrap_key
Definition: openvpn.h:68
#define OPENVPN_PLUGIN_FUNC_SUCCESS
struct remote_host_store * rh_store
Definition: options.h:243
struct tls_session session[TM_SIZE]
Array of tls_session objects representing control channel sessions with the remote peer...
Definition: ssl_common.h:597
int explicit_exit_notification
Definition: options.h:121
void platform_user_set(const struct platform_state_user *state)
Definition: platform.c:91
int status_file_update_freq
Definition: options.h:338
int verify_x509_type
Definition: options.h:547
unsigned int unsuccessful_attempts
Definition: options.h:237
void close_management(void)
Definition: init.c:4093
bool platform_unlink(const char *filename)
Definition: platform.c:287
bool tuntap_owned
Whether the tun/tap interface should be cleaned up when this context is cleaned up.
Definition: openvpn.h:169
bool auth_token_call_auth
Definition: options.h:476
const char * config_ciphername
Definition: ssl_common.h:314
const char * prng_hash
Definition: options.h:512
bool tls_session_update_crypto_params(struct tls_session *session, struct options *options, struct frame *frame, struct frame *frame_fragment)
Update TLS session crypto parameters (cipher and auth) and derive data channel keys based on the supp...
Definition: ssl.c:1941
int ping_rec_timeout
Definition: options.h:280
void(* status)(void *arg, const int version, struct status_output *so)
Definition: manage.h:159
#define D_LOW
Definition: errlevel.h:98
bool ifconfig_noexec
Definition: options.h:257
bool fast_io
Definition: options.h:341
int key_direction
Definition: options.h:504
int renegotiate_bytes
Definition: ssl_common.h:281
void status_printf(struct status_output *so, const char *format,...)
Definition: status.c:224
static void update_options_ce_post(struct options *options)
Definition: init.c:193
void do_ifconfig(struct tuntap *tt, const char *ifname, int tun_mtu, const struct env_set *es, openvpn_net_ctx_t *ctx)
do_ifconfig - configure the tunnel interface
Definition: tun.c:1576
struct tuntap_options options
Definition: tun.h:164
bool link_mtu_defined
Definition: options.h:112
static struct context * static_context
Definition: init.c:60
char username[USER_PASS_LEN]
Definition: misc.h:75
bool init_static(void)
Definition: init.c:782
void platform_mlockall(bool print_msg)
Definition: platform.c:193
#define OCC_MTU_LOAD_INTERVAL_SECONDS
Definition: occ.h:62
struct frame frame_fragment_initial
Definition: openvpn.h:285
void packet_id_free(struct packet_id *p)
Definition: packet_id.c:101
#define CE_MAN_QUERY_REMOTE_SKIP
Definition: options.h:129
struct socks_proxy_info * socks_proxy_new(const char *server, const char *port, const char *authfile)
Definition: