OpenVPN
init.c
Go to the documentation of this file.
1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single TCP/UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
9  *
10  * This program is free software; you can redistribute it and/or modify
11  * it under the terms of the GNU General Public License version 2
12  * as published by the Free Software Foundation.
13  *
14  * This program is distributed in the hope that it will be useful,
15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17  * GNU General Public License for more details.
18  *
19  * You should have received a copy of the GNU General Public License along
20  * with this program; if not, write to the Free Software Foundation, Inc.,
21  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22  */
23 
24 #ifdef HAVE_CONFIG_H
25 #include "config.h"
26 #elif defined(_MSC_VER)
27 #include "config-msvc.h"
28 #endif
29 
30 #include "syshead.h"
31 
32 #ifdef ENABLE_SYSTEMD
33 #include <systemd/sd-daemon.h>
34 #endif
35 
36 #include "win32.h"
37 #include "init.h"
38 #include "run_command.h"
39 #include "sig.h"
40 #include "occ.h"
41 #include "list.h"
42 #include "otime.h"
43 #include "pool.h"
44 #include "gremlin.h"
45 #include "occ.h"
46 #include "pkcs11.h"
47 #include "ps.h"
48 #include "lladdr.h"
49 #include "ping.h"
50 #include "mstats.h"
51 #include "ssl_verify.h"
52 #include "tls_crypt.h"
53 #include "forward.h"
54 
55 #include "memdbg.h"
56 
57 
58 static struct context *static_context; /* GLOBAL */
59 
60 /*
61  * Crypto initialization flags
62  */
63 #define CF_LOAD_PERSISTED_PACKET_ID (1<<0)
64 #define CF_INIT_TLS_MULTI (1<<1)
65 #define CF_INIT_TLS_AUTH_STANDALONE (1<<2)
66 
67 static void do_init_first_time(struct context *c);
68 
69 void
70 context_clear(struct context *c)
71 {
72  CLEAR(*c);
73 }
74 
75 void
76 context_clear_1(struct context *c)
77 {
78  CLEAR(c->c1);
79 }
80 
81 void
82 context_clear_2(struct context *c)
83 {
84  CLEAR(c->c2);
85 }
86 
87 void
88 context_clear_all_except_first_time(struct context *c)
89 {
90  const bool first_time_save = c->first_time;
91  const struct context_persist cpsave = c->persist;
92  context_clear(c);
93  c->first_time = first_time_save;
94  c->persist = cpsave;
95 }
96 
97 /*
98  * Pass tunnel endpoint and MTU parms to a user-supplied script.
99  * Used to execute the up/down script/plugins.
100  */
101 static void
102 run_up_down(const char *command,
103  const struct plugin_list *plugins,
104  int plugin_type,
105  const char *arg,
106 #ifdef _WIN32
107  DWORD adapter_index,
108 #endif
109  const char *dev_type,
110  int tun_mtu,
111  int link_mtu,
112  const char *ifconfig_local,
113  const char *ifconfig_remote,
114  const char *context,
115  const char *signal_text,
116  const char *script_type,
117  struct env_set *es)
118 {
119  struct gc_arena gc = gc_new();
120 
121  if (signal_text)
122  {
123  setenv_str(es, "signal", signal_text);
124  }
125  setenv_str(es, "script_context", context);
126  setenv_int(es, "tun_mtu", tun_mtu);
127  setenv_int(es, "link_mtu", link_mtu);
128  setenv_str(es, "dev", arg);
129  if (dev_type)
130  {
131  setenv_str(es, "dev_type", dev_type);
132  }
133 #ifdef _WIN32
134  setenv_int(es, "dev_idx", adapter_index);
135 #endif
136 
137  if (!ifconfig_local)
138  {
139  ifconfig_local = "";
140  }
141  if (!ifconfig_remote)
142  {
143  ifconfig_remote = "";
144  }
145  if (!context)
146  {
147  context = "";
148  }
149 
150  if (plugin_defined(plugins, plugin_type))
151  {
152  struct argv argv = argv_new();
153  ASSERT(arg);
154  argv_printf(&argv,
155  "%s %d %d %s %s %s",
156  arg,
157  tun_mtu, link_mtu,
158  ifconfig_local, ifconfig_remote,
159  context);
160 
161  if (plugin_call(plugins, plugin_type, &argv, NULL, es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
162  {
163  msg(M_FATAL, "ERROR: up/down plugin call failed");
164  }
165 
166  argv_reset(&argv);
167  }
168 
169  if (command)
170  {
171  struct argv argv = argv_new();
172  ASSERT(arg);
173  setenv_str(es, "script_type", script_type);
174  argv_parse_cmd(&argv, command);
175  argv_printf_cat(&argv, "%s %d %d %s %s %s", arg, tun_mtu, link_mtu,
176  ifconfig_local, ifconfig_remote, context);
177  argv_msg(M_INFO, &argv);
178  openvpn_run_script(&argv, es, S_FATAL, "--up/--down");
179  argv_reset(&argv);
180  }
181 
182  gc_free(&gc);
183 }
184 
185 /*
186  * Should be called after options->ce is modified at the top
187  * of a SIGUSR1 restart.
188  */
189 static void
190 update_options_ce_post(struct options *options)
191 {
192 #if P2MP
193  /*
194  * In pull mode, we usually import --ping/--ping-restart parameters from
195  * the server. However we should also set an initial default --ping-restart
196  * for the period of time before we pull the --ping-restart parameter
197  * from the server.
198  */
199  if (options->pull
200  && options->ping_rec_timeout_action == PING_UNDEF
201  && proto_is_dgram(options->ce.proto))
202  {
203  options->ping_rec_timeout = PRE_PULL_INITIAL_PING_RESTART;
204  options->ping_rec_timeout_action = PING_RESTART;
205  }
206 #endif
207 }
208 
209 #ifdef ENABLE_MANAGEMENT
210 static bool
211 management_callback_proxy_cmd(void *arg, const char **p)
212 {
213  struct context *c = arg;
214  struct connection_entry *ce = &c->options.ce;
215  struct gc_arena *gc = &c->c2.gc;
216  bool ret = false;
217 
218  update_time();
219  if (streq(p[1], "NONE"))
220  {
221  ret = true;
222  }
223  else if (p[2] && p[3])
224  {
225  if (streq(p[1], "HTTP"))
226  {
227  struct http_proxy_options *ho;
228  if (ce->proto != PROTO_TCP && ce->proto != PROTO_TCP_CLIENT)
229  {
230  msg(M_WARN, "HTTP proxy support only works for TCP based connections");
231  return false;
232  }
233  ho = init_http_proxy_options_once(&ce->http_proxy_options, gc);
234  ho->server = string_alloc(p[2], gc);
235  ho->port = string_alloc(p[3], gc);
236  ho->auth_retry = (p[4] && streq(p[4], "nct") ? PAR_NCT : PAR_ALL);
237  ret = true;
238  }
239  else if (streq(p[1], "SOCKS"))
240  {
241  ce->socks_proxy_server = string_alloc(p[2], gc);
242  ce->socks_proxy_port = string_alloc(p[3], gc);
243  ret = true;
244  }
245  }
246  else
247  {
248  msg(M_WARN, "Bad proxy command");
249  }
250 
251  ce->flags &= ~CE_MAN_QUERY_PROXY;
252 
253  return ret;
254 }
255 
256 static bool
257 ce_management_query_proxy(struct context *c)
258 {
259  const struct connection_list *l = c->options.connection_list;
260  struct connection_entry *ce = &c->options.ce;
261  struct gc_arena gc;
262  bool ret = true;
263 
264  update_time();
265  if (management)
266  {
267  gc = gc_new();
268  {
269  struct buffer out = alloc_buf_gc(256, &gc);
270  buf_printf(&out, ">PROXY:%u,%s,%s", (l ? l->current : 0) + 1,
271  (proto_is_udp(ce->proto) ? "UDP" : "TCP"), np(ce->remote));
272  management_notify_generic(management, BSTR(&out));
273  }
274  ce->flags |= CE_MAN_QUERY_PROXY;
275  while (ce->flags & CE_MAN_QUERY_PROXY)
276  {
277  management_event_loop_n_seconds(management, 1);
278  if (IS_SIG(c))
279  {
280  ret = false;
281  break;
282  }
283  }
284  gc_free(&gc);
285  }
286 
287  return ret;
288 }
289 
290 
291 static bool
292 management_callback_remote_cmd(void *arg, const char **p)
293 {
294  struct context *c = (struct context *) arg;
295  struct connection_entry *ce = &c->options.ce;
296  int ret = false;
297  if (p[1] && ((ce->flags>>CE_MAN_QUERY_REMOTE_SHIFT)&CE_MAN_QUERY_REMOTE_MASK) == CE_MAN_QUERY_REMOTE_QUERY)
298  {
299  int flags = 0;
300  if (!strcmp(p[1], "ACCEPT"))
301  {
302  flags = CE_MAN_QUERY_REMOTE_ACCEPT;
303  ret = true;
304  }
305  else if (!strcmp(p[1], "SKIP"))
306  {
307  flags = CE_MAN_QUERY_REMOTE_SKIP;
308  ret = true;
309  }
310  else if (!strcmp(p[1], "MOD") && p[2] && p[3])
311  {
312  if (strlen(p[2]) < RH_HOST_LEN && strlen(p[3]) < RH_PORT_LEN)
313  {
314  struct remote_host_store *rhs = c->options.rh_store;
315  if (!rhs)
316  {
317  ALLOC_OBJ_CLEAR_GC(rhs, struct remote_host_store, &c->options.gc);
318  c->options.rh_store = rhs;
319  }
320  strncpynt(rhs->host, p[2], RH_HOST_LEN);
321  strncpynt(rhs->port, p[3], RH_PORT_LEN);
322 
323  ce->remote = rhs->host;
324  ce->remote_port = rhs->port;
325  flags = CE_MAN_QUERY_REMOTE_MOD;
326  ret = true;
327  }
328  }
329  if (ret)
330  {
331  ce->flags &= ~(CE_MAN_QUERY_REMOTE_MASK<<CE_MAN_QUERY_REMOTE_SHIFT);
332  ce->flags |= ((flags&CE_MAN_QUERY_REMOTE_MASK)<<CE_MAN_QUERY_REMOTE_SHIFT);
333  }
334  }
335  return ret;
336 }
337 
338 static bool
339 ce_management_query_remote(struct context *c)
340 {
341  struct gc_arena gc = gc_new();
342  volatile struct connection_entry *ce = &c->options.ce;
343  int ce_changed = true; /* presume the connection entry will be changed */
344 
345  update_time();
346  if (management)
347  {
348  struct buffer out = alloc_buf_gc(256, &gc);
349 
350  buf_printf(&out, ">REMOTE:%s,%s,%s", np(ce->remote), ce->remote_port,
351  proto2ascii(ce->proto, ce->af, false));
352  management_notify_generic(management, BSTR(&out));
353 
354  ce->flags &= ~(CE_MAN_QUERY_REMOTE_MASK << CE_MAN_QUERY_REMOTE_SHIFT);
355  ce->flags |= (CE_MAN_QUERY_REMOTE_QUERY << CE_MAN_QUERY_REMOTE_SHIFT);
356  while (((ce->flags >> CE_MAN_QUERY_REMOTE_SHIFT)
357  & CE_MAN_QUERY_REMOTE_MASK) == CE_MAN_QUERY_REMOTE_QUERY)
358  {
359  management_event_loop_n_seconds(management, 1);
360  if (IS_SIG(c))
361  {
362  ce_changed = false; /* connection entry have not been set */
363  break;
364  }
365  }
366  }
367  gc_free(&gc);
368 
369  if (ce_changed)
370  {
371  /* If it is likely a connection entry was modified,
372  * check what changed in the flags and that it was not skipped
373  */
374  const int flags = ((ce->flags >> CE_MAN_QUERY_REMOTE_SHIFT)
375  & CE_MAN_QUERY_REMOTE_MASK);
376  ce_changed = (flags != CE_MAN_QUERY_REMOTE_SKIP);
377  }
378  return ce_changed;
379 }
380 #endif /* ENABLE_MANAGEMENT */
381 
382 /*
383  * Initialize and possibly randomize connection list.
384  */
385 static void
386 init_connection_list(struct context *c)
387 {
388  struct connection_list *l = c->options.connection_list;
389 
390  l->current = -1;
391  if (c->options.remote_random)
392  {
393  int i;
394  for (i = 0; i < l->len; ++i)
395  {
396  const int j = get_random() % l->len;
397  if (i != j)
398  {
399  struct connection_entry *tmp;
400  tmp = l->array[i];
401  l->array[i] = l->array[j];
402  l->array[j] = tmp;
403  }
404  }
405  }
406 }
407 
408 /*
409  * Clear the remote address list
410  */
411 static void
412 clear_remote_addrlist(struct link_socket_addr *lsa, bool free)
413 {
414  if (lsa->remote_list && free)
415  {
416  freeaddrinfo(lsa->remote_list);
417  }
418  lsa->remote_list = NULL;
419  lsa->current_remote = NULL;
420 }
421 
422 /*
423  * Increment to next connection entry
424  */
425 static void
426 next_connection_entry(struct context *c)
427 {
428  struct connection_list *l = c->options.connection_list;
429  bool ce_defined;
430  struct connection_entry *ce;
431  int n_cycles = 0;
432 
433  do
434  {
435  ce_defined = true;
436  if (c->options.no_advance && l->current >= 0)
437  {
438  c->options.no_advance = false;
439  }
440  else
441  {
442  /* Check if there is another resolved address to try for
443  * the current connection */
444  if (c->c1.link_socket_addr.current_remote
445  && c->c1.link_socket_addr.current_remote->ai_next)
446  {
447  c->c1.link_socket_addr.current_remote =
448  c->c1.link_socket_addr.current_remote->ai_next;
449  }
450  else
451  {
452  /* FIXME (schwabe) fix the persist-remote-ip option for real,
453  * this is broken probably ever since connection lists and multiple
454  * remote existed
455  */
456  if (!c->options.persist_remote_ip)
457  {
458  /* close_instance should have cleared the addrinfo objects */
459  ASSERT(c->c1.link_socket_addr.current_remote == NULL);
460  ASSERT(c->c1.link_socket_addr.remote_list == NULL);
461  }
462  else
463  {
464  c->c1.link_socket_addr.current_remote =
465  c->c1.link_socket_addr.remote_list;
466  }
467 
468  /*
469  * Increase the number of connection attempts
470  * If this is connect-retry-max * size(l)
471  * OpenVPN will quit
472  */
473 
474  c->options.unsuccessful_attempts++;
475 
476  if (++l->current >= l->len)
477  {
478 
479  l->current = 0;
480  if (++n_cycles >= 2)
481  {
482  msg(M_FATAL, "No usable connection profiles are present");
483  }
484  }
485  }
486  }
487 
488  ce = l->array[l->current];
489 
490  if (ce->flags & CE_DISABLED)
491  {
492  ce_defined = false;
493  }
494 
495  c->options.ce = *ce;
496 #ifdef ENABLE_MANAGEMENT
497  if (ce_defined && management && management_query_remote_enabled(management))
498  {
499  /* allow management interface to override connection entry details */
500  ce_defined = ce_management_query_remote(c);
501  if (IS_SIG(c))
502  {
503  break;
504  }
505  }
506  else if (ce_defined && management && management_query_proxy_enabled(management))
507  {
508  ce_defined = ce_management_query_proxy(c);
509  if (IS_SIG(c))
510  {
511  break;
512  }
513  }
514 #endif
515  } while (!ce_defined);
516 
517  /* Check if this connection attempt would bring us over the limit */
518  if (c->options.connect_retry_max > 0
519  && c->options.unsuccessful_attempts > (l->len * c->options.connect_retry_max))
520  {
521  msg(M_FATAL, "All connections have been connect-retry-max (%d) times unsuccessful, exiting",
522  c->options.connect_retry_max);
523  }
524  update_options_ce_post(&c->options);
525 }
526 
527 /*
528  * Query for private key and auth-user-pass username/passwords
529  */
530 void
531 init_query_passwords(const struct context *c)
532 {
533  /* Certificate password input */
534  if (c->options.key_pass_file)
535  {
536  pem_password_setup(c->options.key_pass_file);
537  }
538 
539 #if P2MP
540  /* Auth user/pass input */
541  if (c->options.auth_user_pass_file)
542  {
543 #ifdef ENABLE_MANAGEMENT
544  auth_user_pass_setup(c->options.auth_user_pass_file, &c->options.sc_info);
545 #else
546  auth_user_pass_setup(c->options.auth_user_pass_file, NULL);
547 #endif
548  }
549 #endif
550 }
551 
552 /*
553  * Initialize/Uninitialize HTTP or SOCKS proxy
554  */
555 
556 static void
557 uninit_proxy_dowork(struct context *c)
558 {
559  if (c->c1.http_proxy_owned && c->c1.http_proxy)
560  {
561  http_proxy_close(c->c1.http_proxy);
562  c->c1.http_proxy = NULL;
563  c->c1.http_proxy_owned = false;
564  }
565  if (c->c1.socks_proxy_owned && c->c1.socks_proxy)
566  {
567  socks_proxy_close(c->c1.socks_proxy);
568  c->c1.socks_proxy = NULL;
569  c->c1.socks_proxy_owned = false;
570  }
571 }
572 
573 static void
574 init_proxy_dowork(struct context *c)
575 {
576  bool did_http = false;
577 
578  uninit_proxy_dowork(c);
579 
580  if (c->options.ce.http_proxy_options)
581  {
582  /* Possible HTTP proxy user/pass input */
583  c->c1.http_proxy = http_proxy_new(c->options.ce.http_proxy_options);
584  if (c->c1.http_proxy)
585  {
586  did_http = true;
587  c->c1.http_proxy_owned = true;
588  }
589  }
590 
591  if (!did_http && c->options.ce.socks_proxy_server)
592  {
593  c->c1.socks_proxy = socks_proxy_new(c->options.ce.socks_proxy_server,
594  c->options.ce.socks_proxy_port,
595  c->options.ce.socks_proxy_authfile);
596  if (c->c1.socks_proxy)
597  {
598  c->c1.socks_proxy_owned = true;
599  }
600  }
601 }
602 
603 static void
604 init_proxy(struct context *c)
605 {
606  init_proxy_dowork(c);
607 }
608 
609 static void
610 uninit_proxy(struct context *c)
611 {
612  uninit_proxy_dowork(c);
613 }
614 
615 /*
616  * Saves the initial state of NCP-regotiable
617  * options into a storage which persists over SIGUSR1.
618  */
619 static void
620 save_ncp_options(struct context *c)
621 {
622  c->c1.ciphername = c->options.ciphername;
623  c->c1.authname = c->options.authname;
624  c->c1.keysize = c->options.keysize;
625 }
626 
627 /* Restores NCP-negotiable options to original values */
628 static void
629 restore_ncp_options(struct context *c)
630 {
631  c->options.ciphername = c->c1.ciphername;
632  c->options.authname = c->c1.authname;
633  c->options.keysize = c->c1.keysize;
634 }
635 
636 void
637 context_init_1(struct context *c)
638 {
639  context_clear_1(c);
640 
641  packet_id_persist_init(&c->c1.pid_persist);
642 
643  init_connection_list(c);
644 
645  save_ncp_options(c);
646 
647 #if defined(ENABLE_PKCS11)
648  if (c->first_time)
649  {
650  int i;
651  pkcs11_initialize(true, c->options.pkcs11_pin_cache_period);
652  for (i = 0; i<MAX_PARMS && c->options.pkcs11_providers[i] != NULL; i++)
653  {
654  pkcs11_addProvider(c->options.pkcs11_providers[i], c->options.pkcs11_protected_authentication[i],
655  c->options.pkcs11_private_mode[i], c->options.pkcs11_cert_private[i]);
656  }
657  }
658 #endif
659 
660 #if 0 /* test get_user_pass with GET_USER_PASS_NEED_OK flag */
661  {
662  /*
663  * In the management interface, you can okay the request by entering "needok token-insertion-request ok"
664  */
665  struct user_pass up;
666  CLEAR(up);
667  strcpy(up.username, "Please insert your cryptographic token"); /* put the high-level message in up.username */
668  get_user_pass(&up, NULL, "token-insertion-request", GET_USER_PASS_MANAGEMENT|GET_USER_PASS_NEED_OK);
669  msg(M_INFO, "RET:%s", up.password); /* will return the third argument to management interface
670  * 'needok' command, usually 'ok' or 'cancel'. */
671  }
672 #endif
673 
674 #ifdef ENABLE_SYSTEMD
675  /* We can report the PID via getpid() to systemd here as OpenVPN will not
676  * do any fork due to daemon() a future call.
677  * See possibly_become_daemon() [init.c] for more details.
678  */
679  sd_notifyf(0, "READY=1\nSTATUS=Pre-connection initialization successful\nMAINPID=%lu",
680  (unsigned long) getpid());
681 #endif
682 
683 }
684 
685 void
686 context_gc_free(struct context *c)
687 {
688  gc_free(&c->c2.gc);
689  gc_free(&c->options.gc);
690  gc_free(&c->gc);
691 }
692 
693 #if PORT_SHARE
694 
695 static void
696 close_port_share(void)
697 {
698  if (port_share)
699  {
700  port_share_close(port_share);
701  port_share = NULL;
702  }
703 }
704 
705 static void
706 init_port_share(struct context *c)
707 {
708  if (!port_share && (c->options.port_share_host && c->options.port_share_port))
709  {
710  port_share = port_share_open(c->options.port_share_host,
711  c->options.port_share_port,
712  MAX_RW_SIZE_LINK(&c->c2.frame),
713  c->options.port_share_journal_dir);
714  if (port_share == NULL)
715  {
716  msg(M_FATAL, "Fatal error: Port sharing failed");
717  }
718  }
719 }
720 
721 #endif /* if PORT_SHARE */
722 
723 
724 bool
725 init_static(void)
726 {
727  /* configure_path (); */
728 
729 #if defined(DMALLOC)
730  crypto_init_dmalloc();
731 #endif
732 
733 
734  /*
735  * Initialize random number seed. random() is only used
736  * when "weak" random numbers are acceptable.
737  * SSL library routines are always used when cryptographically
738  * strong random numbers are required.
739  */
740  struct timeval tv;
741  if (!gettimeofday(&tv, NULL))
742  {
743  const unsigned int seed = (unsigned int) tv.tv_sec ^ tv.tv_usec;
744  srandom(seed);
745  }
746 
747  error_reset(); /* initialize error.c */
748  reset_check_status(); /* initialize status check code in socket.c */
749 
750 #ifdef _WIN32
751  init_win32();
752 #endif
753 
754 #ifdef OPENVPN_DEBUG_COMMAND_LINE
755  {
756  int i;
757  for (i = 0; i < argc; ++i)
758  {
759  msg(M_INFO, "argv[%d] = '%s'", i, argv[i]);
760  }
761  }
762 #endif
763 
764  update_time();
765 
766  init_ssl_lib();
767 
768  /* init PRNG used for IV generation */
769  /* When forking, copy this to more places in the code to avoid fork
770  * random-state predictability */
771  prng_init(NULL, 0);
772 
773 #ifdef PID_TEST
774  packet_id_interactive_test(); /* test the sequence number code */
775  return false;
776 #endif
777 
778 #ifdef SCHEDULE_TEST
779  schedule_test();
780  return false;
781 #endif
782 
783 #ifdef LIST_TEST
784  list_test();
785  return false;
786 #endif
787 
788 #ifdef IFCONFIG_POOL_TEST
789  ifconfig_pool_test(0x0A010004, 0x0A0100FF);
790  return false;
791 #endif
792 
793 #ifdef CHARACTER_CLASS_DEBUG
794  character_class_debug();
795  return false;
796 #endif
797 
798 #ifdef EXTRACT_X509_FIELD_TEST
799  extract_x509_field_test();
800  return false;
801 #endif
802 
803 #ifdef TIME_TEST
804  time_test();
805  return false;
806 #endif
807 
808 #ifdef TEST_GET_DEFAULT_GATEWAY
809  {
810  struct route_gateway_info rgi;
811  struct route_ipv6_gateway_info rgi6;
812  get_default_gateway(&rgi);
813  get_default_gateway_ipv6(&rgi6, NULL);
814  print_default_gateway(M_INFO, &rgi, &rgi6);
815  return false;
816  }
817 #endif
818 
819 #ifdef GEN_PATH_TEST
820  {
821  struct gc_arena gc = gc_new();
822  const char *fn = gen_path("foo",
823  "bar",
824  &gc);
825  printf("%s\n", fn);
826  gc_free(&gc);
827  }
828  return false;
829 #endif
830 
831 #ifdef STATUS_PRINTF_TEST
832  {
833  struct gc_arena gc = gc_new();
834  const char *tmp_file = platform_create_temp_file("/tmp", "foo", &gc);
835  struct status_output *so = status_open(tmp_file, 0, -1, NULL, STATUS_OUTPUT_WRITE);
836  status_printf(so, "%s", "foo");
837  status_printf(so, "%s", "bar");
838  if (!status_close(so))
839  {
840  msg(M_WARN, "STATUS_PRINTF_TEST: %s: write error", tmp_file);
841  }
842  gc_free(&gc);
843  }
844  return false;
845 #endif
846 
847 #ifdef ARGV_TEST
848  {
849  void argv_test(void);
850 
851  argv_test();
852  return false;
853  }
854 #endif
855 
856 #ifdef PRNG_TEST
857  {
858  struct gc_arena gc = gc_new();
859  uint8_t rndbuf[8];
860  int i;
861  prng_init("sha1", 16);
862  /*prng_init (NULL, 0);*/
863  const int factor = 1;
864  for (i = 0; i < factor * 8; ++i)
865  {
866 #if 1
867  prng_bytes(rndbuf, sizeof(rndbuf));
868 #else
869  ASSERT(rand_bytes(rndbuf, sizeof(rndbuf)));
870 #endif
871  printf("[%d] %s\n", i, format_hex(rndbuf, sizeof(rndbuf), 0, &gc));
872  }
873  gc_free(&gc);
874  prng_uninit();
875  return false;
876  }
877 #endif /* ifdef PRNG_TEST */
878 
879 #ifdef BUFFER_LIST_AGGREGATE_TEST
880  /* test buffer_list_aggregate function */
881  {
882  static const char *text[] = {
883  "It was a bright cold day in April, ",
884  "and the clocks were striking ",
885  "thirteen. ",
886  "Winston Smith, ",
887  "his chin nuzzled into his breast in an ",
888  "effort to escape the vile wind, ",
889  "slipped quickly through the glass doors ",
890  "of Victory Mansions, though not quickly ",
891  "enough to prevent a swirl of gritty dust from ",
892  "entering along with him."
893  };
894 
895  int iter, listcap;
896  for (listcap = 0; listcap < 12; ++listcap)
897  {
898  for (iter = 0; iter < 512; ++iter)
899  {
900  struct buffer_list *bl = buffer_list_new(listcap);
901  {
902  int i;
903  for (i = 0; i < SIZE(text); ++i)
904  {
905  buffer_list_push(bl, (unsigned char *)text[i]);
906  }
907  }
908  printf("[cap=%d i=%d] *************************\n", listcap, iter);
909  if (!(iter & 8))
910  {
911  buffer_list_aggregate(bl, iter/2);
912  }
913  if (!(iter & 16))
914  {
915  buffer_list_push(bl, (unsigned char *)"Even more text...");
916  }
917  buffer_list_aggregate(bl, iter);
918  if (!(iter & 1))
919  {
920  buffer_list_push(bl, (unsigned char *)"More text...");
921  }
922  {
923  struct buffer *buf;
924  while ((buf = buffer_list_peek(bl)))
925  {
926  int c;
927  printf("'");
928  while ((c = buf_read_u8(buf)) >= 0)
929  {
930  putchar(c);
931  }
932  printf("'\n");
933  buffer_list_advance(bl, 0);
934  }
935  }
936  buffer_list_free(bl);
937  }
938  }
939  return false;
940  }
941 #endif /* ifdef BUFFER_LIST_AGGREGATE_TEST */
942 
943 #ifdef MSTATS_TEST
944  {
945  int i;
946  mstats_open("/dev/shm/mstats.dat");
947  for (i = 0; i < 30; ++i)
948  {
949  mmap_stats->n_clients += 1;
950  mmap_stats->link_write_bytes += 8;
951  mmap_stats->link_read_bytes += 16;
952  sleep(1);
953  }
954  mstats_close();
955  return false;
956  }
957 #endif
958 
959  return true;
960 }
961 
962 void
963 uninit_static(void)
964 {
965  free_ssl_lib();
966 
967 #ifdef ENABLE_PKCS11
968  pkcs11_terminate();
969 #endif
970 
971 #if PORT_SHARE
972  close_port_share();
973 #endif
974 
975 #if defined(MEASURE_TLS_HANDSHAKE_STATS)
976  show_tls_performance_stats();
977 #endif
978 }
979 
980 void
981 init_verb_mute(struct context *c, unsigned int flags)
982 {
983  if (flags & IVM_LEVEL_1)
984  {
985  /* set verbosity and mute levels */
986  set_check_status(D_LINK_ERRORS, D_READ_WRITE);
987  set_debug_level(c->options.verbosity, SDL_CONSTRAIN);
988  set_mute_cutoff(c->options.mute);
989  }
990 
991  /* special D_LOG_RW mode */
992  if (flags & IVM_LEVEL_2)
993  {
994  c->c2.log_rw = (check_debug_level(D_LOG_RW) && !check_debug_level(D_LOG_RW + 1));
995  }
996 }
997 
998 /*
999  * Possibly set --dev based on --dev-node.
1000  * For example, if --dev-node /tmp/foo/tun, and --dev undefined,
1001  * set --dev to tun.
1002  */
1003 void
1004 init_options_dev(struct options *options)
1005 {
1006  if (!options->dev && options->dev_node)
1007  {
1008  char *dev_node = string_alloc(options->dev_node, NULL); /* POSIX basename() implementations may modify its arguments */
1009  options->dev = basename(dev_node);
1010  }
1011 }
1012 
1013 bool
1014 print_openssl_info(const struct options *options)
1015 {
1016  /*
1017  * OpenSSL info print mode?
1018  */
1019  if (options->show_ciphers || options->show_digests || options->show_engines
1020  || options->show_tls_ciphers || options->show_curves)
1021  {
1022  if (options->show_ciphers)
1023  {
1024  show_available_ciphers();
1025  }
1026  if (options->show_digests)
1027  {
1028  show_available_digests();
1029  }
1030  if (options->show_engines)
1031  {
1032  show_available_engines();
1033  }
1034  if (options->show_tls_ciphers)
1035  {
1036  show_available_tls_ciphers(options->cipher_list,
1037  options->cipher_list_tls13,
1038  options->tls_cert_profile);
1039  }
1040  if (options->show_curves)
1041  {
1042  show_available_curves();
1043  }
1044  return true;
1045  }
1046  return false;
1047 }
1048 
1049 /*
1050  * Static pre-shared key generation mode?
1051  */
1052 bool
1053 do_genkey(const struct options *options)
1054 {
1055  /* should we disable paging? */
1056  if (options->mlock && (options->genkey))
1057  {
1058  platform_mlockall(true);
1059  }
1060 
1061  /*
1062  * We do not want user to use --genkey with --secret. In the transistion
1063  * phase we for secret.
1064  */
1065  if (options->genkey && options->genkey_type != GENKEY_SECRET
1066  && options->shared_secret_file)
1067  {
1068  msg(M_USAGE, "Using --genkey type with --secret filename is "
1069  "not supported. Use --genkey type filename instead.");
1070  }
1071  if (options->genkey && options->genkey_type == GENKEY_SECRET)
1072  {
1073  int nbits_written;
1074  const char *genkey_filename = options->genkey_filename;
1075  if (options->shared_secret_file && options->genkey_filename)
1076  {
1077  msg(M_USAGE, "You must provide a filename to either --genkey "
1078  "or --secret, not both");
1079  }
1080 
1081  /*
1082  * Copy filename from shared_secret_file to genkey_filename to support
1083  * the old --genkey --secret foo.file syntax.
1084  */
1085  if (options->shared_secret_file)
1086  {
1087  msg(M_WARN, "WARNING: Using --genkey --secret filename is "
1088  "DEPRECATED. Use --genkey secret filename instead.");
1089  genkey_filename = options->shared_secret_file;
1090  }
1091 
1092  nbits_written = write_key_file(2, genkey_filename);
1093  if (nbits_written < 0)
1094  {
1095  msg(M_FATAL, "Failed to write key file");
1096  }
1097 
1098  msg(D_GENKEY | M_NOPREFIX,
1099  "Randomly generated %d bit key written to %s", nbits_written,
1100  options->shared_secret_file);
1101  return true;
1102  }
1103  else if (options->genkey && options->genkey_type == GENKEY_TLS_CRYPTV2_SERVER)
1104  {
1105  tls_crypt_v2_write_server_key_file(options->genkey_filename);
1106  return true;
1107  }
1108  else if (options->genkey && options->genkey_type == GENKEY_TLS_CRYPTV2_CLIENT)
1109  {
1110  if (!options->tls_crypt_v2_file)
1111  {
1112  msg(M_USAGE,
1113  "--genkey tls-crypt-v2-client requires a server key to be set via --tls-crypt-v2 to create a client key");
1114  }
1115 
1116  tls_crypt_v2_write_client_key_file(options->genkey_filename,
1117  options->genkey_extra_data, options->tls_crypt_v2_file,
1118  options->tls_crypt_v2_inline);
1119  return true;
1120  }
1121  else
1122  {
1123  return false;
1124  }
1125 }
1126 
1127 /*
1128  * Persistent TUN/TAP device management mode?
1129  */
1130 bool
1131 do_persist_tuntap(const struct options *options, openvpn_net_ctx_t *ctx)
1132 {
1133  if (options->persist_config)
1134  {
1135  /* sanity check on options for --mktun or --rmtun */
1136  notnull(options->dev, "TUN/TAP device (--dev)");
1137  if (options->ce.remote || options->ifconfig_local
1138  || options->ifconfig_remote_netmask
1139  || options->shared_secret_file
1140  || options->tls_server || options->tls_client
1141  )
1142  {
1143  msg(M_FATAL|M_OPTERR,
1144  "options --mktun or --rmtun should only be used together with --dev");
1145  }
1146 #ifdef ENABLE_FEATURE_TUN_PERSIST
1147  tuncfg(options->dev, options->dev_type, options->dev_node,
1148  options->persist_mode,
1149  options->username, options->groupname, &options->tuntap_options,
1150  ctx);
1151  if (options->persist_mode && options->lladdr)
1152  {
1153  set_lladdr(options->dev, options->lladdr, NULL);
1154  }
1155  return true;
1156 #else /* ifdef ENABLE_FEATURE_TUN_PERSIST */
1157  msg( M_FATAL|M_OPTERR,
1158  "options --mktun and --rmtun are not available on your operating "
1159  "system. Please check 'man tun' (or 'tap'), whether your system "
1160  "supports using 'ifconfig %s create' / 'destroy' to create/remove "
1161  "persistent tunnel interfaces.", options->dev );
1162 #endif
1163  }
1164  return false;
1165 }
1166 
1167 /*
1168  * Should we become a daemon?
1169  * Return true if we did it.
1170  */
1171 bool
1172 possibly_become_daemon(const struct options *options)
1173 {
1174  bool ret = false;
1175 
1176 #ifdef ENABLE_SYSTEMD
1177  /* return without forking if we are running from systemd */
1178  if (sd_notify(0, "READY=0") > 0)
1179  {
1180  return ret;
1181  }
1182 #endif
1183 
1184  if (options->daemon)
1185  {
1186  ASSERT(!options->inetd);
1187  /* Don't chdir immediately, but the end of the init sequence, if needed */
1188  if (daemon(1, options->log) < 0)
1189  {
1190  msg(M_ERR, "daemon() failed or unsupported");
1191  }
1192  restore_signal_state();
1193  if (options->log)
1194  {
1195  set_std_files_to_null(true);
1196  }
1197 
1198  ret = true;
1199  }
1200  return ret;
1201 }
1202 
1203 /*
1204  * Actually do UID/GID downgrade, chroot and SELinux context switching, if requested.
1205  */
1206 static void
1207 do_uid_gid_chroot(struct context *c, bool no_delay)
1208 {
1209  static const char why_not[] = "will be delayed because of --client, --pull, or --up-delay";
1210  struct context_0 *c0 = c->c0;
1211 
1212  if (c0 && !c0->uid_gid_chroot_set)
1213  {
1214  /* chroot if requested */
1215  if (c->options.chroot_dir)
1216  {
1217  if (no_delay)
1218  {
1219  platform_chroot(c->options.chroot_dir);
1220  }
1221  else if (c->first_time)
1222  {
1223  msg(M_INFO, "NOTE: chroot %s", why_not);
1224  }
1225  }
1226 
1227  /* set user and/or group if we want to setuid/setgid */
1228  if (c0->uid_gid_specified)
1229  {
1230  if (no_delay)
1231  {
1232  platform_group_set(&c0->platform_state_group);
1233  platform_user_set(&c0->platform_state_user);
1234  }
1235  else if (c->first_time)
1236  {
1237  msg(M_INFO, "NOTE: UID/GID downgrade %s", why_not);
1238  }
1239  }
1240 
1241 #ifdef ENABLE_MEMSTATS
1242  if (c->first_time && c->options.memstats_fn)
1243  {
1244  mstats_open(c->options.memstats_fn);
1245  }
1246 #endif
1247 
1248 #ifdef ENABLE_SELINUX
1249  /* Apply a SELinux context in order to restrict what OpenVPN can do
1250  * to _only_ what it is supposed to do after initialization is complete
1251  * (basically just network I/O operations). Doing it after chroot
1252  * requires /proc to be mounted in the chroot (which is annoying indeed
1253  * but doing it before requires more complex SELinux policies.
1254  */
1255  if (c->options.selinux_context)
1256  {
1257  if (no_delay)
1258  {
1259  if (-1 == setcon(c->options.selinux_context))
1260  {
1261  msg(M_ERR, "setcon to '%s' failed; is /proc accessible?", c->options.selinux_context);
1262  }
1263  else
1264  {
1265  msg(M_INFO, "setcon to '%s' succeeded", c->options.selinux_context);
1266  }
1267  }
1268  else if (c->first_time)
1269  {
1270  msg(M_INFO, "NOTE: setcon %s", why_not);
1271  }
1272  }
1273 #endif
1274 
1275  /* Privileges are going to be dropped by now (if requested), be sure
1276  * to prevent any future privilege dropping attempts from now on.
1277  */
1278  if (no_delay)
1279  {
1280  c0->uid_gid_chroot_set = true;
1281  }
1282  }
1283 }
1284 
1285 /*
1286  * Return common name in a way that is formatted for
1287  * prepending to msg() output.
1288  */
1289 const char *
1290 format_common_name(struct context *c, struct gc_arena *gc)
1291 {
1292  struct buffer out = alloc_buf_gc(256, gc);
1293  if (c->c2.tls_multi)
1294  {
1295  buf_printf(&out, "[%s] ", tls_common_name(c->c2.tls_multi, false));
1296  }
1297  return BSTR(&out);
1298 }
1299 
1300 void
1301 pre_setup(const struct options *options)
1302 {
1303 #ifdef _WIN32
1304  if (options->exit_event_name)
1305  {
1306  win32_signal_open(&win32_signal,
1307  WSO_FORCE_SERVICE,
1308  options->exit_event_name,
1309  options->exit_event_initial_state);
1310  }
1311  else
1312  {
1313  win32_signal_open(&win32_signal,
1314  WSO_FORCE_CONSOLE,
1315  NULL,
1316  false);
1317 
1318  /* put a title on the top window bar */
1319  if (win32_signal.mode == WSO_MODE_CONSOLE)
1320  {
1321  window_title_save(&window_title);
1322  window_title_generate(options->config);
1323  }
1324  }
1325 #endif /* ifdef _WIN32 */
1326 }
1327 
1328 void
1329 reset_coarse_timers(struct context *c)
1330 {
1331  c->c2.coarse_timer_wakeup = 0;
1332 }
1333 
1334 /*
1335  * Initialise the server poll timeout timer
1336  * This timer is used in the http/socks proxy setup so it needs to be setup
1337  * before
1338  */
1339 static void
1340 do_init_server_poll_timeout(struct context *c)
1341 {
1342  update_time();
1343  if (c->options.ce.connect_timeout)
1344  {
1345  event_timeout_init(&c->c2.server_poll_interval, c->options.ce.connect_timeout, now);
1346  }
1347 }
1348 
1349 /*
1350  * Initialize timers
1351  */
1352 static void
1353 do_init_timers(struct context *c, bool deferred)
1354 {
1355  update_time();
1356  reset_coarse_timers(c);
1357 
1358  /* initialize inactivity timeout */
1359  if (c->options.inactivity_timeout)
1360  {
1361  event_timeout_init(&c->c2.inactivity_interval, c->options.inactivity_timeout, now);
1362  }
1363 
1364  /* initialize pings */
1365 
1366  if (c->options.ping_send_timeout)
1367  {
1368  event_timeout_init(&c->c2.ping_send_interval, c->options.ping_send_timeout, 0);
1369  }
1370 
1371  if (c->options.ping_rec_timeout)
1372  {
1373  event_timeout_init(&c->c2.ping_rec_interval, c->options.ping_rec_timeout, now);
1374  }
1375 
1376  if (!deferred)
1377  {
1378  /* initialize connection establishment timer */
1379  event_timeout_init(&c->c2.wait_for_connect, 1, now);
1380 
1381 #ifdef ENABLE_OCC
1382  /* initialize occ timers */
1383 
1384  if (c->options.occ
1385  && !TLS_MODE(c)
1386  && c->c2.options_string_local && c->c2.options_string_remote)
1387  {
1388  event_timeout_init(&c->c2.occ_interval, OCC_INTERVAL_SECONDS, now);
1389  }
1390 
1391  if (c->options.mtu_test)
1392  {
1393  event_timeout_init(&c->c2.occ_mtu_load_test_interval, OCC_MTU_LOAD_INTERVAL_SECONDS, now);
1394  }
1395 #endif
1396 
1397  /* initialize packet_id persistence timer */
1398  if (c->options.packet_id_file)
1399  {
1400  event_timeout_init(&c->c2.packet_id_persist_interval, 60, now);
1401  }
1402 
1403  /* initialize tmp_int optimization that limits the number of times we call
1404  * tls_multi_process in the main event loop */
1405  interval_init(&c->c2.tmp_int, TLS_MULTI_HORIZON, TLS_MULTI_REFRESH);
1406  }
1407 }
1408 
1409 /*
1410  * Initialize traffic shaper.
1411  */
1412 static void
1413 do_init_traffic_shaper(struct context *c)
1414 {
1415 #ifdef ENABLE_FEATURE_SHAPER
1416  /* initialize traffic shaper (i.e. transmit bandwidth limiter) */
1417  if (c->options.shaper)
1418  {
1419  shaper_init(&c->c2.shaper, c->options.shaper);
1420  shaper_msg(&c->c2.shaper);
1421  }
1422 #endif
1423 }
1424 
1425 /*
1426  * Allocate route list structures for IPv4 and IPv6
1427  * (we do this for IPv4 even if no --route option has been seen, as other
1428  * parts of OpenVPN might want to fill the route-list with info, e.g. DHCP)
1429  */
1430 static void
1431 do_alloc_route_list(struct context *c)
1432 {
1433  if (!c->c1.route_list)
1434  {
1435  ALLOC_OBJ_CLEAR_GC(c->c1.route_list, struct route_list, &c->gc);
1436  }
1437  if (c->options.routes_ipv6 && !c->c1.route_ipv6_list)
1438  {
1439  ALLOC_OBJ_CLEAR_GC(c->c1.route_ipv6_list, struct route_ipv6_list, &c->gc);
1440  }
1441 }
1442 
1443 
1444 /*
1445  * Initialize the route list, resolving any DNS names in route
1446  * options and saving routes in the environment.
1447  */
1448 static void
1449 do_init_route_list(const struct options *options,
1450  struct route_list *route_list,
1451  const struct link_socket_info *link_socket_info,
1452  struct env_set *es,
1453  openvpn_net_ctx_t *ctx)
1454 {
1455  const char *gw = NULL;
1456  int dev = dev_type_enum(options->dev, options->dev_type);
1457  int metric = 0;
1458 
1459  if (dev == DEV_TYPE_TUN && (options->topology == TOP_NET30 || options->topology == TOP_P2P))
1460  {
1461  gw = options->ifconfig_remote_netmask;
1462  }
1463  if (options->route_default_gateway)
1464  {
1465  gw = options->route_default_gateway;
1466  }
1467  if (options->route_default_metric)
1468  {
1469  metric = options->route_default_metric;
1470  }
1471 
1472  if (init_route_list(route_list,
1473  options->routes,
1474  gw,
1475  metric,
1476  link_socket_current_remote(link_socket_info),
1477  es,
1478  ctx))
1479  {
1480  /* copy routes to environment */
1481  setenv_routes(es, route_list);
1482  }
1483 }
1484 
1485 static void
1486 do_init_route_ipv6_list(const struct options *options,
1487  struct route_ipv6_list *route_ipv6_list,
1488  const struct link_socket_info *link_socket_info,
1489  struct env_set *es,
1490  openvpn_net_ctx_t *ctx)
1491 {
1492  const char *gw = NULL;
1493  int metric = -1; /* no metric set */
1494 
1495  gw = options->ifconfig_ipv6_remote; /* default GW = remote end */
1496  if (options->route_ipv6_default_gateway)
1497  {
1498  gw = options->route_ipv6_default_gateway;
1499  }
1500 
1501  if (options->route_default_metric)
1502  {
1503  metric = options->route_default_metric;
1504  }
1505 
1506  /* redirect (IPv6) gateway to VPN? if yes, add a few more specifics
1507  */
1508  if (options->routes_ipv6->flags & RG_REROUTE_GW)
1509  {
1510  char *opt_list[] = { "::/3", "2000::/4", "3000::/4", "fc00::/7", NULL };
1511  int i;
1512 
1513  for (i = 0; opt_list[i]; i++)
1514  {
1515  add_route_ipv6_to_option_list( options->routes_ipv6,
1516  string_alloc(opt_list[i], options->routes_ipv6->gc),
1517  NULL, NULL );
1518  }
1519  }
1520 
1521  if (init_route_ipv6_list(route_ipv6_list,
1522  options->routes_ipv6,
1523  gw,
1524  metric,
1525  link_socket_current_remote_ipv6(link_socket_info),
1526  es,
1527  ctx))
1528  {
1529  /* copy routes to environment */
1530  setenv_routes_ipv6(es, route_ipv6_list);
1531  }
1532 }
1533 
1534 
1535 /*
1536  * Called after all initialization has been completed.
1537  */
1538 void
1539 initialization_sequence_completed(struct context *c, const unsigned int flags)
1540 {
1541  static const char message[] = "Initialization Sequence Completed";
1542 
1543  /* Reset the unsuccessful connection counter on complete initialisation */
1544  c->options.unsuccessful_attempts = 0;
1545 
1546  /* If we delayed UID/GID downgrade or chroot, do it now */
1547  do_uid_gid_chroot(c, true);
1548 
1549 
1550  /*
1551  * In some cases (i.e. when receiving auth-token via
1552  * push-reply) the auth-nocache option configured on the
1553  * client is overridden; for this reason we have to wait
1554  * for the push-reply message before attempting to wipe
1555  * the user/pass entered by the user
1556  */
1557  if (c->options.mode == MODE_POINT_TO_POINT)
1558  {
1559  delayed_auth_pass_purge();
1560  }
1561 
1562  /* Test if errors */
1563  if (flags & ISC_ERRORS)
1564  {
1565 #ifdef _WIN32
1566  show_routes(M_INFO|M_NOPREFIX);
1567  show_adapters(M_INFO|M_NOPREFIX);
1568  msg(M_INFO, "%s With Errors ( see http://openvpn.net/faq.html#dhcpclientserv )", message);
1569 #else
1570 #ifdef ENABLE_SYSTEMD
1571  sd_notifyf(0, "STATUS=Failed to start up: %s With Errors\nERRNO=1", message);
1572 #endif /* HAVE_SYSTEMD_SD_DAEMON_H */
1573  msg(M_INFO, "%s With Errors", message);
1574 #endif
1575  }
1576  else
1577  {
1578 #ifdef ENABLE_SYSTEMD
1579  sd_notifyf(0, "STATUS=%s", message);
1580 #endif
1581  msg(M_INFO, "%s", message);
1582  }
1583 
1584  /* Flag that we initialized */
1585  if ((flags & (ISC_ERRORS|ISC_SERVER)) == 0)
1586  {
1587  c->options.no_advance = true;
1588  }
1589 
1590 #ifdef _WIN32
1591  fork_register_dns_action(c->c1.tuntap);
1592 #endif
1593 
1594 #ifdef ENABLE_MANAGEMENT
1595  /* Tell management interface that we initialized */
1596  if (management)
1597  {
1598  in_addr_t *tun_local = NULL;
1599  struct in6_addr *tun_local6 = NULL;
1600  struct openvpn_sockaddr local, remote;
1601  struct link_socket_actual *actual;
1602  socklen_t sa_len = sizeof(local);
1603  const char *detail = "SUCCESS";
1604  if (flags & ISC_ERRORS)
1605  {
1606  detail = "ERROR";
1607  }
1608 
1609  CLEAR(local);
1610  actual = &get_link_socket_info(c)->lsa->actual;
1611  remote = actual->dest;
1612  getsockname(c->c2.link_socket->sd, &local.addr.sa, &sa_len);
1613 #if ENABLE_IP_PKTINFO
1614  if (!addr_defined(&local))
1615  {
1616  switch (local.addr.sa.sa_family)
1617  {
1618  case AF_INET:
1619 #if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST)
1620  local.addr.in4.sin_addr = actual->pi.in4.ipi_spec_dst;
1621 #else
1622  local.addr.in4.sin_addr = actual->pi.in4;
1623 #endif
1624  break;
1625 
1626  case AF_INET6:
1627  local.addr.in6.sin6_addr = actual->pi.in6.ipi6_addr;
1628  break;
1629  }
1630  }
1631 #endif
1632 
1633  if (c->c1.tuntap)
1634  {
1635  tun_local = &c->c1.tuntap->local;
1636  tun_local6 = &c->c1.tuntap->local_ipv6;
1637  }
1638  management_set_state(management,
1639  OPENVPN_STATE_CONNECTED,
1640  detail,
1641  tun_local,
1642  tun_local6,
1643  &local,
1644  &remote);
1645  if (tun_local)
1646  {
1647  management_post_tunnel_open(management, *tun_local);
1648  }
1649  }
1650 #endif /* ifdef ENABLE_MANAGEMENT */
1651 }
1652 
1653 /*
1654  * Possibly add routes and/or call route-up script
1655  * based on options.
1656  */
1657 void
1658 do_route(const struct options *options,
1659  struct route_list *route_list,
1660  struct route_ipv6_list *route_ipv6_list,
1661  const struct tuntap *tt,
1662  const struct plugin_list *plugins,
1663  struct env_set *es,
1664  openvpn_net_ctx_t *ctx)
1665 {
1666  if (!options->route_noexec && ( route_list || route_ipv6_list ) )
1667  {
1668  add_routes(route_list, route_ipv6_list, tt, ROUTE_OPTION_FLAGS(options),
1669  es, ctx);
1670  setenv_int(es, "redirect_gateway", route_did_redirect_default_gateway(route_list));
1671  }
1672 #ifdef ENABLE_MANAGEMENT
1673  if (management)
1674  {
1675  management_up_down(management, "UP", es);
1676  }
1677 #endif
1678 
1679  if (plugin_defined(plugins, OPENVPN_PLUGIN_ROUTE_UP))
1680  {
1681  if (plugin_call(plugins, OPENVPN_PLUGIN_ROUTE_UP, NULL, NULL, es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
1682  {
1683  msg(M_WARN, "WARNING: route-up plugin call failed");
1684  }
1685  }
1686 
1687  if (options->route_script)
1688  {
1689  struct argv argv = argv_new();
1690  setenv_str(es, "script_type", "route-up");
1691  argv_parse_cmd(&argv, options->route_script);
1692  openvpn_run_script(&argv, es, 0, "--route-up");
1693  argv_reset(&argv);
1694  }
1695 
1696 #ifdef _WIN32
1697  if (options->show_net_up)
1698  {
1699  show_routes(M_INFO|M_NOPREFIX);
1700  show_adapters(M_INFO|M_NOPREFIX);
1701  }
1702  else if (check_debug_level(D_SHOW_NET))
1703  {
1704  show_routes(D_SHOW_NET|M_NOPREFIX);
1705  show_adapters(D_SHOW_NET|M_NOPREFIX);
1706  }
1707 #endif
1708 }
1709 
1710 /*
1711  * initialize tun/tap device object
1712  */
1713 static void
1714 do_init_tun(struct context *c)
1715 {
1716  c->c1.tuntap = init_tun(c->options.dev,
1717  c->options.dev_type,
1718  c->options.topology,
1719  c->options.ifconfig_local,
1720  c->options.ifconfig_remote_netmask,
1721  c->options.ifconfig_ipv6_local,
1722  c->options.ifconfig_ipv6_netbits,
1723  c->options.ifconfig_ipv6_remote,
1724  c->c1.link_socket_addr.bind_local,
1725  c->c1.link_socket_addr.remote_list,
1726  !c->options.ifconfig_nowarn,
1727  c->c2.es,
1728  &c->net_ctx);
1729 
1730  init_tun_post(c->c1.tuntap,
1731  &c->c2.frame,
1732  &c->options.tuntap_options);
1733 
1734  c->c1.tuntap_owned = true;
1735 }
1736 
1737 /*
1738  * Open tun/tap device, ifconfig, call up script, etc.
1739  */
1740 
1741 static bool
1742 do_open_tun(struct context *c)
1743 {
1744  struct gc_arena gc = gc_new();
1745  bool ret = false;
1746 
1747 #ifndef TARGET_ANDROID
1748  if (!c->c1.tuntap)
1749  {
1750 #endif
1751 
1752 #ifdef TARGET_ANDROID
1753  /* If we emulate persist-tun on android we still have to open a new tun and
1754  * then close the old */
1755  int oldtunfd = -1;
1756  if (c->c1.tuntap)
1757  {
1758  oldtunfd = c->c1.tuntap->fd;
1759  free(c->c1.tuntap);
1760  c->c1.tuntap = NULL;
1761  c->c1.tuntap_owned = false;
1762  }
1763 #endif
1764 
1765  /* initialize (but do not open) tun/tap object */
1766  do_init_tun(c);
1767 
1768 #ifdef _WIN32
1769  /* store (hide) interactive service handle in tuntap_options */
1770  c->c1.tuntap->options.msg_channel = c->options.msg_channel;
1771  msg(D_ROUTE, "interactive service msg_channel=%u", (unsigned int) c->options.msg_channel);
1772 #endif
1773 
1774  /* allocate route list structure */
1775  do_alloc_route_list(c);
1776 
1777  /* parse and resolve the route option list */
1778  ASSERT(c->c2.link_socket);
1779  if (c->options.routes && c->c1.route_list)
1780  {
1781  do_init_route_list(&c->options, c->c1.route_list,
1782  &c->c2.link_socket->info, c->c2.es, &c->net_ctx);
1783  }
1784  if (c->options.routes_ipv6 && c->c1.route_ipv6_list)
1785  {
1786  do_init_route_ipv6_list(&c->options, c->c1.route_ipv6_list,
1787  &c->c2.link_socket->info, c->c2.es,
1788  &c->net_ctx);
1789  }
1790 
1791  /* do ifconfig */
1792  if (!c->options.ifconfig_noexec
1793  && ifconfig_order() == IFCONFIG_BEFORE_TUN_OPEN)
1794  {
1795  /* guess actual tun/tap unit number that will be returned
1796  * by open_tun */
1797  const char *guess = guess_tuntap_dev(c->options.dev,
1798  c->options.dev_type,
1799  c->options.dev_node,
1800  &gc);
1801  do_ifconfig(c->c1.tuntap, guess, TUN_MTU_SIZE(&c->c2.frame), c->c2.es,
1802  &c->net_ctx);
1803  }
1804 
1805  /* possibly add routes */
1806  if (route_order() == ROUTE_BEFORE_TUN)
1807  {
1808  /* Ignore route_delay, would cause ROUTE_BEFORE_TUN to be ignored */
1809  do_route(&c->options, c->c1.route_list, c->c1.route_ipv6_list,
1810  c->c1.tuntap, c->plugins, c->c2.es, &c->net_ctx);
1811  }
1812 #ifdef TARGET_ANDROID
1813  /* Store the old fd inside the fd so open_tun can use it */
1814  c->c1.tuntap->fd = oldtunfd;
1815 #endif
1816  /* open the tun device */
1817  open_tun(c->options.dev, c->options.dev_type, c->options.dev_node,
1818  c->c1.tuntap);
1819 
1820  /* set the hardware address */
1821  if (c->options.lladdr)
1822  {
1823  set_lladdr(c->c1.tuntap->actual_name, c->options.lladdr, c->c2.es);
1824  }
1825 
1826  /* do ifconfig */
1827  if (!c->options.ifconfig_noexec
1828  && ifconfig_order() == IFCONFIG_AFTER_TUN_OPEN)
1829  {
1830  do_ifconfig(c->c1.tuntap, c->c1.tuntap->actual_name,
1831  TUN_MTU_SIZE(&c->c2.frame), c->c2.es, &c->net_ctx);
1832  }
1833 
1834  /* run the up script */
1835  run_up_down(c->options.up_script,
1836  c->plugins,
1837  OPENVPN_PLUGIN_UP,
1838  c->c1.tuntap->actual_name,
1839 #ifdef _WIN32
1840  c->c1.tuntap->adapter_index,
1841 #endif
1842  dev_type_string(c->options.dev, c->options.dev_type),
1843  TUN_MTU_SIZE(&c->c2.frame),
1844  EXPANDED_SIZE(&c->c2.frame),
1845  print_in_addr_t(c->c1.tuntap->local, IA_EMPTY_IF_UNDEF, &gc),
1846  print_in_addr_t(c->c1.tuntap->remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
1847  "init",
1848  NULL,
1849  "up",
1850  c->c2.es);
1851 
1852 #if defined(_WIN32)
1853  if (c->options.block_outside_dns)
1854  {
1855  dmsg(D_LOW, "Blocking outside DNS");
1856  if (!win_wfp_block_dns(c->c1.tuntap->adapter_index, c->options.msg_channel))
1857  {
1858  msg(M_FATAL, "Blocking DNS failed!");
1859  }
1860  }
1861 #endif
1862 
1863  /* possibly add routes */
1864  if ((route_order() == ROUTE_AFTER_TUN) && (!c->options.route_delay_defined))
1865  {
1866  do_route(&c->options, c->c1.route_list, c->c1.route_ipv6_list,
1867  c->c1.tuntap, c->plugins, c->c2.es, &c->net_ctx);
1868  }
1869 
1870  /*
1871  * Did tun/tap driver give us an MTU?
1872  */
1873  if (c->c1.tuntap->post_open_mtu)
1874  {
1875  frame_set_mtu_dynamic(&c->c2.frame,
1876  c->c1.tuntap->post_open_mtu,
1877  SET_MTU_TUN | SET_MTU_UPPER_BOUND);
1878  }
1879 
1880  ret = true;
1881  static_context = c;
1882 #ifndef TARGET_ANDROID
1883 }
1884 else
1885 {
1886  msg(M_INFO, "Preserving previous TUN/TAP instance: %s",
1887  c->c1.tuntap->actual_name);
1888 
1889  /* explicitly set the ifconfig_* env vars */
1890  do_ifconfig_setenv(c->c1.tuntap, c->c2.es);
1891 
1892  /* run the up script if user specified --up-restart */
1893  if (c->options.up_restart)
1894  {
1895  run_up_down(c->options.up_script,
1896  c->plugins,
1897  OPENVPN_PLUGIN_UP,
1898  c->c1.tuntap->actual_name,
1899 #ifdef _WIN32
1900  c->c1.tuntap->adapter_index,
1901 #endif
1902  dev_type_string(c->options.dev, c->options.dev_type),
1903  TUN_MTU_SIZE(&c->c2.frame),
1904  EXPANDED_SIZE(&c->c2.frame),
1905  print_in_addr_t(c->c1.tuntap->local, IA_EMPTY_IF_UNDEF, &gc),
1906  print_in_addr_t(c->c1.tuntap->remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
1907  "restart",
1908  NULL,
1909  "up",
1910  c->c2.es);
1911  }
1912 #if defined(_WIN32)
1913  if (c->options.block_outside_dns)
1914  {
1915  dmsg(D_LOW, "Blocking outside DNS");
1916  if (!win_wfp_block_dns(c->c1.tuntap->adapter_index, c->options.msg_channel))
1917  {
1918  msg(M_FATAL, "Blocking DNS failed!");
1919  }
1920  }
1921 #endif
1922 
1923 }
1924 #endif /* ifndef TARGET_ANDROID */
1925  gc_free(&gc);
1926  return ret;
1927 }
1928 
1929 /*
1930  * Close TUN/TAP device
1931  */
1932 
1933 static void
1934 do_close_tun_simple(struct context *c)
1935 {
1936  msg(D_CLOSE, "Closing TUN/TAP interface");
1937  if (c->c1.tuntap)
1938  {
1939  close_tun(c->c1.tuntap, &c->net_ctx);
1940  c->c1.tuntap = NULL;
1941  }
1942  c->c1.tuntap_owned = false;
1943 #if P2MP
1944  CLEAR(c->c1.pulled_options_digest_save);
1945 #endif
1946 }
1947 
1948 static void
1949 do_close_tun(struct context *c, bool force)
1950 {
1951  struct gc_arena gc = gc_new();
1952  if (c->c1.tuntap && c->c1.tuntap_owned)
1953  {
1954  const char *tuntap_actual = string_alloc(c->c1.tuntap->actual_name, &gc);
1955 #ifdef _WIN32
1956  DWORD adapter_index = c->c1.tuntap->adapter_index;
1957 #endif
1958  const in_addr_t local = c->c1.tuntap->local;
1959  const in_addr_t remote_netmask = c->c1.tuntap->remote_netmask;
1960 
1961  if (force || !(c->sig->signal_received == SIGUSR1 && c->options.persist_tun))
1962  {
1963  static_context = NULL;
1964 
1965 #ifdef ENABLE_MANAGEMENT
1966  /* tell management layer we are about to close the TUN/TAP device */
1967  if (management)
1968  {
1969  management_pre_tunnel_close(management);
1970  management_up_down(management, "DOWN", c->c2.es);
1971  }
1972 #endif
1973 
1974  /* delete any routes we added */
1975  if (c->c1.route_list || c->c1.route_ipv6_list)
1976  {
1977  run_up_down(c->options.route_predown_script,
1978  c->plugins,
1979  OPENVPN_PLUGIN_ROUTE_PREDOWN,
1980  tuntap_actual,
1981 #ifdef _WIN32
1982  adapter_index,
1983 #endif
1984  NULL,
1985  TUN_MTU_SIZE(&c->c2.frame),
1986  EXPANDED_SIZE(&c->c2.frame),
1987  print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc),
1988  print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
1989  "init",
1990  signal_description(c->sig->signal_received,
1991  c->sig->signal_text),
1992  "route-pre-down",
1993  c->c2.es);
1994 
1995  delete_routes(c->c1.route_list, c->c1.route_ipv6_list,
1996  c->c1.tuntap, ROUTE_OPTION_FLAGS(&c->options),
1997  c->c2.es, &c->net_ctx);
1998  }
1999 
2000  /* actually close tun/tap device based on --down-pre flag */
2001  if (!c->options.down_pre)
2002  {
2003  do_close_tun_simple(c);
2004  }
2005 
2006  /* Run the down script -- note that it will run at reduced
2007  * privilege if, for example, "--user nobody" was used. */
2008  run_up_down(c->options.down_script,
2009  c->plugins,
2010  OPENVPN_PLUGIN_DOWN,
2011  tuntap_actual,
2012 #ifdef _WIN32
2013  adapter_index,
2014 #endif
2015  NULL,
2016  TUN_MTU_SIZE(&c->c2.frame),
2017  EXPANDED_SIZE(&c->c2.frame),
2018  print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc),
2019  print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
2020  "init",
2021  signal_description(c->sig->signal_received,
2022  c->sig->signal_text),
2023  "down",
2024  c->c2.es);
2025 
2026 #if defined(_WIN32)
2027  if (c->options.block_outside_dns)
2028  {
2029  if (!win_wfp_uninit(adapter_index, c->options.msg_channel))
2030  {
2031  msg(M_FATAL, "Uninitialising WFP failed!");
2032  }
2033  }
2034 #endif
2035 
2036  /* actually close tun/tap device based on --down-pre flag */
2037  if (c->options.down_pre)
2038  {
2039  do_close_tun_simple(c);
2040  }
2041  }
2042  else
2043  {
2044  /* run the down script on this restart if --up-restart was specified */
2045  if (c->options.up_restart)
2046  {
2047  run_up_down(c->options.down_script,
2048  c->plugins,
2049  OPENVPN_PLUGIN_DOWN,
2050  tuntap_actual,
2051 #ifdef _WIN32
2052  adapter_index,
2053 #endif
2054  NULL,
2055  TUN_MTU_SIZE(&c->c2.frame),
2056  EXPANDED_SIZE(&c->c2.frame),
2057  print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc),
2058  print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
2059  "restart",
2060  signal_description(c->sig->signal_received,
2061  c->sig->signal_text),
2062  "down",
2063  c->c2.es);
2064  }
2065 
2066 #if defined(_WIN32)
2067  if (c->options.block_outside_dns)
2068  {
2069  if (!win_wfp_uninit(adapter_index, c->options.msg_channel))
2070  {
2071  msg(M_FATAL, "Uninitialising WFP failed!");
2072  }
2073  }
2074 #endif
2075 
2076  }
2077  }
2078  gc_free(&gc);
2079 }
2080 
2081 void
2082 tun_abort(void)
2083 {
2084  struct context *c = static_context;
2085  if (c)
2086  {
2087  static_context = NULL;
2088  do_close_tun(c, true);
2089  }
2090 }
2091 
2092 /*
2093  * Handle delayed tun/tap interface bringup due to --up-delay or --pull
2094  */
2095 
2096 #if P2MP
2097 
2101 static bool
2102 options_hash_changed_or_zero(const struct sha256_digest *a,
2103  const struct sha256_digest *b)
2104 {
2105  const struct sha256_digest zero = {{0}};
2106  return memcmp(a, b, sizeof(struct sha256_digest))
2107  || !memcmp(a, &zero, sizeof(struct sha256_digest));
2108 }
2109 #endif /* P2MP */
2110 
2111 bool
2112 do_up(struct context *c, bool pulled_options, unsigned int option_types_found)
2113 {
2114  if (!c->c2.do_up_ran)
2115  {
2116  reset_coarse_timers(c);
2117 
2118  if (pulled_options)
2119  {
2120  if (!do_deferred_options(c, option_types_found))
2121  {
2122  msg(D_PUSH_ERRORS, "ERROR: Failed to apply push options");
2123  return false;
2124  }
2125  }
2126 
2127  /* if --up-delay specified, open tun, do ifconfig, and run up script now */
2128  if (c->options.up_delay || PULL_DEFINED(&c->options))
2129  {
2130  c->c2.did_open_tun = do_open_tun(c);
2131  update_time();
2132 
2133 #if P2MP
2134  /*
2135  * Was tun interface object persisted from previous restart iteration,
2136  * and if so did pulled options string change from previous iteration?
2137  */
2138  if (!c->c2.did_open_tun
2139  && PULL_DEFINED(&c->options)
2140  && c->c1.tuntap
2141  && options_hash_changed_or_zero(&c->c1.pulled_options_digest_save,
2142  &c->c2.pulled_options_digest))
2143  {
2144  /* if so, close tun, delete routes, then reinitialize tun and add routes */
2145  msg(M_INFO, "NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.");
2146  do_close_tun(c, true);
2147  management_sleep(1);
2148  c->c2.did_open_tun = do_open_tun(c);
2149  update_time();
2150  }
2151 #endif
2152  }
2153 
2154  if (c->c2.did_open_tun)
2155  {
2156 #if P2MP
2157  c->c1.pulled_options_digest_save = c->c2.pulled_options_digest;
2158 #endif
2159 
2160  /* if --route-delay was specified, start timer */
2161  if ((route_order() == ROUTE_AFTER_TUN) && c->options.route_delay_defined)
2162  {
2163  event_timeout_init(&c->c2.route_wakeup, c->options.route_delay, now);
2164  event_timeout_init(&c->c2.route_wakeup_expire, c->options.route_delay + c->options.route_delay_window, now);
2165  if (c->c1.tuntap)
2166  {
2167  tun_standby_init(c->c1.tuntap);
2168  }
2169  }
2170  else
2171  {
2172  initialization_sequence_completed(c, 0); /* client/p2p --route-delay undefined */
2173  }
2174  }
2175  else if (c->options.mode == MODE_POINT_TO_POINT)
2176  {
2177  initialization_sequence_completed(c, 0); /* client/p2p restart with --persist-tun */
2178  }
2179 
2180  c->c2.do_up_ran = true;
2181  }
2182  return true;
2183 }
2184 
2185 /*
2186  * These are the option categories which will be accepted by pull.
2187  */
2188 unsigned int
2189 pull_permission_mask(const struct context *c)
2190 {
2191  unsigned int flags =
2192  OPT_P_UP
2193  | OPT_P_ROUTE_EXTRAS
2194  | OPT_P_SOCKBUF
2195  | OPT_P_SOCKFLAGS
2196  | OPT_P_SETENV
2197  | OPT_P_SHAPER
2198  | OPT_P_TIMER
2199  | OPT_P_COMP
2200  | OPT_P_PERSIST
2201  | OPT_P_MESSAGES
2202  | OPT_P_EXPLICIT_NOTIFY
2203  | OPT_P_ECHO
2204  | OPT_P_PULL_MODE
2205  | OPT_P_PEER_ID;
2206 
2207  if (!c->options.route_nopull)
2208  {
2209  flags |= (OPT_P_ROUTE | OPT_P_IPWIN32);
2210  }
2211 
2212  if (c->options.ncp_enabled)
2213  {
2214  flags |= OPT_P_NCP;
2215  }
2216 
2217  return flags;
2218 }
2219 
2220 /*
2221  * Handle non-tun-related pulled options.
2222  */
2223 bool
2224 do_deferred_options(struct context *c, const unsigned int found)
2225 {
2226  if (found & OPT_P_MESSAGES)
2227  {
2228  init_verb_mute(c, IVM_LEVEL_1|IVM_LEVEL_2);
2229  msg(D_PUSH, "OPTIONS IMPORT: --verb and/or --mute level changed");
2230  }
2231  if (found & OPT_P_TIMER)
2232  {
2233  do_init_timers(c, true);
2234  msg(D_PUSH, "OPTIONS IMPORT: timers and/or timeouts modified");
2235  }
2236 
2237 #ifdef ENABLE_OCC
2238  if (found & OPT_P_EXPLICIT_NOTIFY)
2239  {
2240  if (!proto_is_udp(c->options.ce.proto) && c->options.ce.explicit_exit_notification)
2241  {
2242  msg(D_PUSH, "OPTIONS IMPORT: --explicit-exit-notify can only be used with --proto udp");
2243  c->options.ce.explicit_exit_notification = 0;
2244  }
2245  else
2246  {
2247  msg(D_PUSH, "OPTIONS IMPORT: explicit notify parm(s) modified");
2248  }
2249  }
2250 #endif
2251 
2252 #ifdef USE_COMP
2253  if (found & OPT_P_COMP)
2254  {
2255  msg(D_PUSH, "OPTIONS IMPORT: compression parms modified");
2256  comp_uninit(c->c2.comp_context);
2257  c->c2.comp_context = comp_init(&c->options.comp);
2258  }
2259 #endif
2260 
2261  if (found & OPT_P_SHAPER)
2262  {
2263  msg(D_PUSH, "OPTIONS IMPORT: traffic shaper enabled");
2264  do_init_traffic_shaper(c);
2265  }
2266 
2267  if (found & OPT_P_SOCKBUF)
2268  {
2269  msg(D_PUSH, "OPTIONS IMPORT: --sndbuf/--rcvbuf options modified");
2270  link_socket_update_buffer_sizes(c->c2.link_socket, c->options.rcvbuf, c->options.sndbuf);
2271  }
2272 
2273  if (found & OPT_P_SOCKFLAGS)
2274  {
2275  msg(D_PUSH, "OPTIONS IMPORT: --socket-flags option modified");
2276  link_socket_update_flags(c->c2.link_socket, c->options.sockflags);
2277  }
2278 
2279  if (found & OPT_P_PERSIST)
2280  {
2281  msg(D_PUSH, "OPTIONS IMPORT: --persist options modified");
2282  }
2283  if (found & OPT_P_UP)
2284  {
2285  msg(D_PUSH, "OPTIONS IMPORT: --ifconfig/up options modified");
2286  }
2287  if (found & OPT_P_ROUTE)
2288  {
2289  msg(D_PUSH, "OPTIONS IMPORT: route options modified");
2290  }
2291  if (found & OPT_P_ROUTE_EXTRAS)
2292  {
2293  msg(D_PUSH, "OPTIONS IMPORT: route-related options modified");
2294  }
2295  if (found & OPT_P_IPWIN32)
2296  {
2297  msg(D_PUSH, "OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified");
2298  }
2299  if (found & OPT_P_SETENV)
2300  {
2301  msg(D_PUSH, "OPTIONS IMPORT: environment modified");
2302  }
2303 
2304  if (found & OPT_P_PEER_ID)
2305  {
2306  msg(D_PUSH, "OPTIONS IMPORT: peer-id set");
2307  c->c2.tls_multi->use_peer_id = true;
2308  c->c2.tls_multi->peer_id = c->options.peer_id;
2309  frame_add_to_extra_frame(&c->c2.frame, +3); /* peer-id overhead */
2310  if (!c->options.ce.link_mtu_defined)
2311  {
2312  frame_add_to_link_mtu(&c->c2.frame, +3);
2313  msg(D_PUSH, "OPTIONS IMPORT: adjusting link_mtu to %d",
2314  EXPANDED_SIZE(&c->c2.frame));
2315  }
2316  else
2317  {
2318  msg(M_WARN, "OPTIONS IMPORT: WARNING: peer-id set, but link-mtu"
2319  " fixed by config - reducing tun-mtu to %d, expect"
2320  " MTU problems", TUN_MTU_SIZE(&c->c2.frame) );
2321  }
2322  }
2323 
2324  /* process (potentially pushed) crypto options */
2325  if (c->options.pull)
2326  {
2327  struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE];
2328  if (found & OPT_P_NCP)
2329  {
2330  msg(D_PUSH, "OPTIONS IMPORT: data channel crypto options modified");
2331  }
2332  else if (c->options.ncp_enabled)
2333  {
2334  tls_poor_mans_ncp(&c->options, c->c2.tls_multi->remote_ciphername);
2335  }
2336  struct frame *frame_fragment = NULL;
2337 #ifdef ENABLE_FRAGMENT
2338  if (c->options.ce.fragment)
2339  {
2340  frame_fragment = &c->c2.frame_fragment;
2341  }
2342 #endif
2343 
2344  /* Do not regenerate keys if server sends an extra push reply */
2345  if (!session->key[KS_PRIMARY].crypto_options.key_ctx_bi.initialized
2346  && !tls_session_update_crypto_params(session, &c->options, &c->c2.frame,
2347  frame_fragment))
2348  {
2349  msg(D_TLS_ERRORS, "OPTIONS ERROR: failed to import crypto options");
2350  return false;
2351  }
2352  }
2353 
2354  return true;
2355 }
2356 
2357 /*
2358  * Possible hold on initialization, holdtime is the
2359  * time OpenVPN would wait without management
2360  */
2361 static bool
2362 do_hold(int holdtime)
2363 {
2364 #ifdef ENABLE_MANAGEMENT
2365  if (management)
2366  {
2367  /* block until management hold is released */
2368  if (management_hold(management, holdtime))
2369  {
2370  return true;
2371  }
2372  }
2373 #endif
2374  return false;
2375 }
2376 
2377 /*
2378  * Sleep before restart.
2379  */
2380 static void
2381 socket_restart_pause(struct context *c)
2382 {
2383  int sec = 2;
2384  int backoff = 0;
2385 
2386  switch (c->options.ce.proto)
2387  {
2388  case PROTO_TCP_SERVER:
2389  sec = 1;
2390  break;
2391 
2392  case PROTO_UDP:
2393  case PROTO_TCP_CLIENT:
2394  sec = c->options.ce.connect_retry_seconds;
2395  break;
2396  }
2397 
2398 #ifdef ENABLE_DEBUG
2399  if (GREMLIN_CONNECTION_FLOOD_LEVEL(c->options.gremlin))
2400  {
2401  sec = 0;
2402  }
2403 #endif
2404 
2405 #if P2MP
2406  if (auth_retry_get() == AR_NOINTERACT)
2407  {
2408  sec = 10;
2409  }
2410 #endif
2411 
2412  /* Slow down reconnection after 5 retries per remote -- for tcp only in client mode */
2413  if (c->options.ce.proto != PROTO_TCP_SERVER)
2414  {
2415  backoff = (c->options.unsuccessful_attempts / c->options.connection_list->len) - 4;
2416  if (backoff > 0)
2417  {
2418  /* sec is less than 2^16; we can left shift it by up to 15 bits without overflow */
2419  sec = max_int(sec, 1) << min_int(backoff, 15);
2420  }
2421 
2422  if (sec > c->options.ce.connect_retry_seconds_max)
2423  {
2424  sec = c->options.ce.connect_retry_seconds_max;
2425  }
2426  }
2427 
2428  if (c->persist.restart_sleep_seconds > 0 && c->persist.restart_sleep_seconds > sec)
2429  {
2430  sec = c->persist.restart_sleep_seconds;
2431  }
2432  else if (c->persist.restart_sleep_seconds == -1)
2433  {
2434  sec = 0;
2435  }
2436  c->persist.restart_sleep_seconds = 0;
2437 
2438  /* do management hold on context restart, i.e. second, third, fourth, etc. initialization */
2439  if (do_hold(sec))
2440  {
2441  sec = 0;
2442  }
2443 
2444  if (sec)
2445  {
2446  msg(D_RESTART, "Restart pause, %d second(s)", sec);
2447  management_sleep(sec);
2448  }
2449 }
2450 
2451 /*
2452  * Do a possible pause on context_2 initialization.
2453  */
2454 static void
2455 do_startup_pause(struct context *c)
2456 {
2457  if (!c->first_time)
2458  {
2459  socket_restart_pause(c);
2460  }
2461  else
2462  {
2463  do_hold(0); /* do management hold on first context initialization */
2464  }
2465 }
2466 
2467 /*
2468  * Finalize MTU parameters based on command line or config file options.
2469  */
2470 static void
2471 frame_finalize_options(struct context *c, const struct options *o)
2472 {
2473  if (!o)
2474  {
2475  o = &c->options;
2476  }
2477 
2478  /*
2479  * Set adjustment factor for buffer alignment when no
2480  * cipher is used.
2481  */
2482  if (!CIPHER_ENABLED(c))
2483  {
2484  frame_align_to_extra_frame(&c->c2.frame);
2485  frame_or_align_flags(&c->c2.frame,
2486  FRAME_HEADROOM_MARKER_FRAGMENT
2487  |FRAME_HEADROOM_MARKER_READ_LINK
2488  |FRAME_HEADROOM_MARKER_READ_STREAM);
2489  }
2490 
2491  frame_add_to_extra_buffer(&c->c2.frame, PAYLOAD_ALIGN);
2492  frame_finalize(&c->c2.frame,
2493  o->ce.link_mtu_defined,
2494  o->ce.link_mtu,
2495  o->ce.tun_mtu_defined,
2496  o->ce.tun_mtu);
2497 }
2498 
2499 /*
2500  * Free a key schedule, including OpenSSL components.
2501  */
2502 static void
2503 key_schedule_free(struct key_schedule *ks, bool free_ssl_ctx)
2504 {
2505  free_key_ctx_bi(&ks->static_key);
2506  if (tls_ctx_initialised(&ks->ssl_ctx) && free_ssl_ctx)
2507  {
2508  tls_ctx_free(&ks->ssl_ctx);
2509  free_key_ctx(&ks->tls_crypt_v2_server_key);
2510  }
2511  CLEAR(*ks);
2512 }
2513 
2514 static void
2515 init_crypto_pre(struct context *c, const unsigned int flags)
2516 {
2517  if (c->options.engine)
2518  {
2519  crypto_init_lib_engine(c->options.engine);
2520  }
2521 
2522  if (flags & CF_LOAD_PERSISTED_PACKET_ID)
2523  {
2524  /* load a persisted packet-id for cross-session replay-protection */
2525  if (c->options.packet_id_file)
2526  {
2527  packet_id_persist_load(&c->c1.pid_persist, c->options.packet_id_file);
2528  }
2529  }
2530 
2531 #ifdef ENABLE_PREDICTION_RESISTANCE
2532  if (c->options.use_prediction_resistance)
2533  {
2534  rand_ctx_enable_prediction_resistance();
2535  }
2536 #endif
2537 
2538 }
2539 
2540 /*
2541  * Static Key Mode (using a pre-shared key)
2542  */
2543 static void
2544 do_init_crypto_static(struct context *c, const unsigned int flags)
2545 {
2546  const struct options *options = &c->options;
2547  ASSERT(options->shared_secret_file);
2548 
2549  init_crypto_pre(c, flags);
2550 
2551  /* Initialize flags */
2552  if (c->options.mute_replay_warnings)
2553  {
2554  c->c2.crypto_options.flags |= CO_MUTE_REPLAY_WARNINGS;
2555  }
2556 
2557  /* Initialize packet ID tracking */
2558  if (options->replay)
2559  {
2560  packet_id_init(&c->c2.crypto_options.packet_id,
2561  options->replay_window,
2562  options->replay_time,
2563  "STATIC", 0);
2564  c->c2.crypto_options.pid_persist = &c->c1.pid_persist;
2565  c->c2.crypto_options.flags |= CO_PACKET_ID_LONG_FORM;
2566  packet_id_persist_load_obj(&c->c1.pid_persist,
2567  &c->c2.crypto_options.packet_id);
2568  }
2569 
2570  if (!key_ctx_bi_defined(&c->c1.ks.static_key))
2571  {
2572  /* Get cipher & hash algorithms */
2573  init_key_type(&c->c1.ks.key_type, options->ciphername, options->authname,
2574  options->keysize, options->test_crypto, true);
2575 
2576  /* Read cipher and hmac keys from shared secret file */
2577  crypto_read_openvpn_key(&c->c1.ks.key_type, &c->c1.ks.static_key,
2578  options->shared_secret_file,
2579  options->shared_secret_file_inline,
2580  options->key_direction, "Static Key Encryption",
2581  "secret");
2582  }
2583  else
2584  {
2585  msg(M_INFO, "Re-using pre-shared static key");
2586  }
2587 
2588  /* Get key schedule */
2589  c->c2.crypto_options.key_ctx_bi = c->c1.ks.static_key;
2590 
2591  /* Compute MTU parameters */
2592  crypto_adjust_frame_parameters(&c->c2.frame, &c->c1.ks.key_type,
2593  options->replay, true);
2594 
2595  /* Sanity check on sequence number, and cipher mode options */
2596  check_replay_consistency(&c->c1.ks.key_type, options->replay);
2597 }
2598 
2599 /*
2600  * Initialize the tls-auth/crypt key context
2601  */
2602 static void
2603 do_init_tls_wrap_key(struct context *c)
2604 {
2605  const struct options *options = &c->options;
2606 
2607  /* TLS handshake authentication (--tls-auth) */
2608  if (options->ce.tls_auth_file)
2609  {
2610  /* Initialize key_type for tls-auth with auth only */
2611  CLEAR(c->c1.ks.tls_auth_key_type);
2612  if (!streq(options->authname, "none"))
2613  {
2614  c->c1.ks.tls_auth_key_type.digest = md_kt_get(options->authname);
2615  c->c1.ks.tls_auth_key_type.hmac_length =
2616  md_kt_size(c->c1.ks.tls_auth_key_type.digest);
2617  }
2618  else
2619  {
2620  msg(M_FATAL, "ERROR: tls-auth enabled, but no valid --auth "
2621  "algorithm specified ('%s')", options->authname);
2622  }
2623 
2624  crypto_read_openvpn_key(&c->c1.ks.tls_auth_key_type,
2625  &c->c1.ks.tls_wrap_key,
2626  options->ce.tls_auth_file,
2627  options->ce.tls_auth_file_inline,
2628  options->ce.key_direction,
2629  "Control Channel Authentication", "tls-auth");
2630  }
2631 
2632  /* TLS handshake encryption+authentication (--tls-crypt) */
2633  if (options->ce.tls_crypt_file)
2634  {
2635  tls_crypt_init_key(&c->c1.ks.tls_wrap_key,
2636  options->ce.tls_crypt_file,
2637  options->ce.tls_crypt_inline, options->tls_server);
2638  }
2639 
2640  /* tls-crypt with client-specific keys (--tls-crypt-v2) */
2641  if (options->ce.tls_crypt_v2_file)
2642  {
2643  if (options->tls_server)
2644  {
2645  tls_crypt_v2_init_server_key(&c->c1.ks.tls_crypt_v2_server_key,
2646  true, options->ce.tls_crypt_v2_file,
2647  options->ce.tls_crypt_v2_inline);
2648  }
2649  else
2650  {
2651  tls_crypt_v2_init_client_key(&c->c1.ks.tls_wrap_key,
2652  &c->c1.ks.tls_crypt_v2_wkc,
2653  options->ce.tls_crypt_v2_file,
2654  options->ce.tls_crypt_v2_inline);
2655  }
2656  }
2657 
2658 
2659 }
2660 
2661 /*
2662  * Initialize the persistent component of OpenVPN's TLS mode,
2663  * which is preserved across SIGUSR1 resets.
2664  */
2665 static void
2666 do_init_crypto_tls_c1(struct context *c)
2667 {
2668  const struct options *options = &c->options;
2669 
2670  if (!tls_ctx_initialised(&c->c1.ks.ssl_ctx))
2671  {
2672  /*
2673  * Initialize the OpenSSL library's global
2674  * SSL context.
2675  */
2676  init_ssl(options, &(c->c1.ks.ssl_ctx));
2677  if (!tls_ctx_initialised(&c->c1.ks.ssl_ctx))
2678  {
2679 #if P2MP
2680  switch (auth_retry_get())
2681  {
2682  case AR_NONE:
2683  msg(M_FATAL, "Error: private key password verification failed");
2684  break;
2685 
2686  case AR_INTERACT:
2687  ssl_purge_auth(false);
2688 
2689  case AR_NOINTERACT:
2690  c->sig->signal_received = SIGUSR1; /* SOFT-SIGUSR1 -- Password failure error */
2691  break;
2692 
2693  default:
2694  ASSERT(0);
2695  }
2696  c->sig->signal_text = "private-key-password-failure";
2697  return;
2698 #else /* if P2MP */
2699  msg(M_FATAL, "Error: private key password verification failed");
2700 #endif /* if P2MP */
2701  }
2702 
2703  /* Get cipher & hash algorithms */
2704  init_key_type(&c->c1.ks.key_type, options->ciphername, options->authname,
2705  options->keysize, true, true);
2706 
2707  /* Initialize PRNG with config-specified digest */
2708  prng_init(options->prng_hash, options->prng_nonce_secret_len);
2709 
2710  /* initialize tls-auth/crypt/crypt-v2 key */
2711  do_init_tls_wrap_key(c);
2712 
2713 #if 0 /* was: #if ENABLE_INLINE_FILES -- Note that enabling this code will break restarts */
2714  if (options->priv_key_file_inline)
2715  {
2716  string_clear(c->options.priv_key_file_inline);
2717  c->options.priv_key_file_inline = NULL;
2718  }
2719 #endif
2720  }
2721  else
2722  {
2723  msg(D_INIT_MEDIUM, "Re-using SSL/TLS context");
2724 
2725  /*
2726  * tls-auth/crypt key can be configured per connection block, therefore
2727  * we must reload it as it may have changed
2728  */
2729  do_init_tls_wrap_key(c);
2730  }
2731 }
2732 
2733 static void
2734 do_init_crypto_tls(struct context *c, const unsigned int flags)
2735 {
2736  const struct options *options = &c->options;
2737  struct tls_options to;
2738  bool packet_id_long_form;
2739 
2740  ASSERT(options->tls_server || options->tls_client);
2741  ASSERT(!options->test_crypto);
2742 
2743  init_crypto_pre(c, flags);
2744 
2745  /* Make sure we are either a TLS client or server but not both */
2746  ASSERT(options->tls_server == !options->tls_client);
2747 
2748  /* initialize persistent component */
2749  do_init_crypto_tls_c1(c);
2750  if (IS_SIG(c))
2751  {
2752  return;
2753  }
2754 
2755  /* Sanity check on sequence number, and cipher mode options */
2756  check_replay_consistency(&c->c1.ks.key_type, options->replay);
2757 
2758  /* In short form, unique datagram identifier is 32 bits, in long form 64 bits */
2759  packet_id_long_form = cipher_kt_mode_ofb_cfb(c->c1.ks.key_type.cipher);
2760 
2761  /* Compute MTU parameters (postpone if we push/pull options) */
2762  if (c->options.pull || c->options.mode == MODE_SERVER)
2763  {
2764  /* Account for worst-case crypto overhead before allocating buffers */
2765  frame_add_to_extra_frame(&c->c2.frame, crypto_max_overhead());
2766  }
2767  else
2768  {
2769  crypto_adjust_frame_parameters(&c->c2.frame, &c->c1.ks.key_type,
2770  options->replay, packet_id_long_form);
2771  }
2772  tls_adjust_frame_parameters(&c->c2.frame);
2773 
2774  /* Set all command-line TLS-related options */
2775  CLEAR(to);
2776 
2777  if (options->mute_replay_warnings)
2778  {
2779  to.crypto_flags |= CO_MUTE_REPLAY_WARNINGS;
2780  }
2781 
2782  to.crypto_flags &= ~(CO_PACKET_ID_LONG_FORM);
2783  if (packet_id_long_form)
2784  {
2785  to.crypto_flags |= CO_PACKET_ID_LONG_FORM;
2786  }
2787 
2788  to.ssl_ctx = c->c1.ks.ssl_ctx;
2789  to.key_type = c->c1.ks.key_type;
2790  to.server = options->tls_server;
2791  to.key_method = options->key_method;
2792  to.replay = options->replay;
2793  to.replay_window = options->replay_window;
2794  to.replay_time = options->replay_time;
2795  to.tcp_mode = link_socket_proto_connection_oriented(options->ce.proto);
2796  to.config_ciphername = c->c1.ciphername;
2797  to.config_authname = c->c1.authname;
2798  to.ncp_enabled = options->ncp_enabled;
2799  to.transition_window = options->transition_window;
2800  to.handshake_window = options->handshake_window;
2801  to.packet_timeout = options->tls_timeout;
2802  to.renegotiate_bytes = options->renegotiate_bytes;
2803  to.renegotiate_packets = options->renegotiate_packets;
2804  if (options->renegotiate_seconds_min < 0)
2805  {
2806  /* Add 10% jitter to reneg-sec by default (server side only) */
2807  int auto_jitter = options->mode != MODE_SERVER ? 0 :
2808  get_random() % max_int(options->renegotiate_seconds / 10, 1);
2809  to.renegotiate_seconds = options->renegotiate_seconds - auto_jitter;
2810  }
2811  else
2812  {
2813  /* Add user-specified jitter to reneg-sec */
2814  to.renegotiate_seconds = options->renegotiate_seconds
2815  -(get_random() % max_int(options->renegotiate_seconds
2816  - options->renegotiate_seconds_min, 1));
2817  }
2818  to.single_session = options->single_session;
2819  to.mode = options->mode;
2820  to.pull = options->pull;
2821  if (options->push_peer_info) /* all there is */
2822  {
2823  to.push_peer_info_detail = 2;
2824  }
2825  else if (options->pull) /* pull clients send some details */
2826  {
2827  to.push_peer_info_detail = 1;
2828  }
2829  else /* default: no peer-info at all */
2830  {
2831  to.push_peer_info_detail = 0;
2832  }
2833 
2834  /* should we not xmit any packets until we get an initial
2835  * response from client? */
2836  if (to.server && options->ce.proto == PROTO_TCP_SERVER)
2837  {
2838  to.xmit_hold = true;
2839  }
2840 
2841 #ifdef ENABLE_OCC
2842  to.disable_occ = !options->occ;
2843 #endif
2844 
2845  to.verify_command = options->tls_verify;
2846  to.verify_export_cert = options->tls_export_cert;
2847  to.verify_x509_type = (options->verify_x509_type & 0xff);
2848  to.verify_x509_name = options->verify_x509_name;
2849  to.crl_file = options->crl_file;
2850  to.crl_file_inline = options->crl_file_inline;
2851  to.ssl_flags = options->ssl_flags;
2852  to.ns_cert_type = options->ns_cert_type;
2853  memmove(to.remote_cert_ku, options->remote_cert_ku, sizeof(to.remote_cert_ku));
2854  to.remote_cert_eku = options->remote_cert_eku;
2855  to.verify_hash = options->verify_hash;
2856  to.verify_hash_algo = options->verify_hash_algo;
2857 #ifdef ENABLE_X509ALTUSERNAME
2858  to.x509_username_field = (char *) options->x509_username_field;
2859 #else
2860  to.x509_username_field = X509_USERNAME_FIELD_DEFAULT;
2861 #endif
2862  to.es = c->c2.es;
2863  to.net_ctx = &c->net_ctx;
2864 
2865 #ifdef ENABLE_DEBUG
2866  to.gremlin = c->options.gremlin;
2867 #endif
2868 
2869  to.plugins = c->plugins;
2870 
2871 #ifdef MANAGEMENT_DEF_AUTH
2872  to.mda_context = &c->c2.mda_context;
2873 #endif
2874 
2875 #if P2MP_SERVER
2876  to.auth_user_pass_verify_script = options->auth_user_pass_verify_script;
2877  to.auth_user_pass_verify_script_via_file = options->auth_user_pass_verify_script_via_file;
2878  to.tmp_dir = options->tmp_dir;
2879  if (options->ccd_exclusive)
2880  {
2881  to.client_config_dir_exclusive = options->client_config_dir;
2882  }
2883  to.auth_user_pass_file = options->auth_user_pass_file;
2884  to.auth_token_generate = options->auth_token_generate;
2885  to.auth_token_lifetime = options->auth_token_lifetime;
2886 #endif
2887 
2888  to.x509_track = options->x509_track;
2889 
2890 #if P2MP
2891 #ifdef ENABLE_MANAGEMENT
2892  to.sci = &options->sc_info;
2893 #endif
2894 #endif
2895 
2896 #ifdef USE_COMP
2897  to.comp_options = options->comp;
2898 #endif
2899 
2900 #if defined(ENABLE_CRYPTO_OPENSSL) && OPENSSL_VERSION_NUMBER >= 0x10001000
2901  if (options->keying_material_exporter_label)
2902  {
2903  to.ekm_size = options->keying_material_exporter_length;
2904  if (to.ekm_size < 16 || to.ekm_size > 4095)
2905  {
2906  to.ekm_size = 0;
2907  }
2908 
2909  to.ekm_label = options->keying_material_exporter_label;
2910  to.ekm_label_size = strlen(to.ekm_label);
2911  }
2912  else
2913  {
2914  to.ekm_size = 0;
2915  }
2916 #endif
2917 
2918  /* TLS handshake authentication (--tls-auth) */
2919  if (options->ce.tls_auth_file)
2920  {
2921  to.tls_wrap.mode = TLS_WRAP_AUTH;
2922  to.tls_wrap.opt.key_ctx_bi = c->c1.ks.tls_wrap_key;
2923  to.tls_wrap.opt.pid_persist = &c->c1.pid_persist;
2924  to.tls_wrap.opt.flags |= CO_PACKET_ID_LONG_FORM;
2925  crypto_adjust_frame_parameters(&to.frame, &c->c1.ks.tls_auth_key_type,
2926  true, true);
2927  }
2928 
2929  /* TLS handshake encryption (--tls-crypt) */
2930  if (options->ce.tls_crypt_file
2931  || (options->ce.tls_crypt_v2_file && options->tls_client))
2932  {
2933  to.tls_wrap.mode = TLS_WRAP_CRYPT;
2934  to.tls_wrap.opt.key_ctx_bi = c->c1.ks.tls_wrap_key;
2935  to.tls_wrap.opt.pid_persist = &c->c1.pid_persist;
2936  to.tls_wrap.opt.flags |= CO_PACKET_ID_LONG_FORM;
2937  tls_crypt_adjust_frame_parameters(&to.frame);
2938 
2939  if (options->ce.tls_crypt_v2_file)
2940  {
2941  to.tls_wrap.tls_crypt_v2_wkc = &c->c1.ks.tls_crypt_v2_wkc;
2942  }
2943  }
2944 
2945  if (options->ce.tls_crypt_v2_file)
2946  {
2947  to.tls_crypt_v2 = true;
2948  if (options->tls_server)
2949  {
2950  to.tls_wrap.tls_crypt_v2_server_key = c->c1.ks.tls_crypt_v2_server_key;
2951  to.tls_crypt_v2_verify_script = c->options.tls_crypt_v2_verify_script;
2952  }
2953  }
2954 
2955  /* If we are running over TCP, allow for
2956  * length prefix */
2957  socket_adjust_frame_parameters(&to.frame, options->ce.proto);
2958 
2959  /*
2960  * Initialize OpenVPN's master TLS-mode object.
2961  */
2962  if (flags & CF_INIT_TLS_MULTI)
2963  {
2964  c->c2.tls_multi = tls_multi_init(&to);
2965  }
2966 
2967  if (flags & CF_INIT_TLS_AUTH_STANDALONE)
2968  {
2969  c->c2.tls_auth_standalone = tls_auth_standalone_init(&to, &c->c2.gc);
2970  }
2971 }
2972 
2973 static void
2974 do_init_finalize_tls_frame(struct context *c)
2975 {
2976  if (c->c2.tls_multi)
2977  {
2978  tls_multi_init_finalize(c->c2.tls_multi, &c->c2.frame);
2979  ASSERT(EXPANDED_SIZE(&c->c2.tls_multi->opt.frame) <=
2980  EXPANDED_SIZE(&c->c2.frame));
2981  frame_print(&c->c2.tls_multi->opt.frame, D_MTU_INFO,
2982  "Control Channel MTU parms");
2983  }
2984  if (c->c2.tls_auth_standalone)
2985  {
2986  tls_auth_standalone_finalize(c->c2.tls_auth_standalone, &c->c2.frame);
2987  frame_print(&c->c2.tls_auth_standalone->frame, D_MTU_INFO,
2988  "TLS-Auth MTU parms");
2989  }
2990 }
2991 
2992 /*
2993  * No encryption or authentication.
2994  */
2995 static void
2996 do_init_crypto_none(const struct context *c)
2997 {
2998  ASSERT(!c->options.test_crypto);
2999  msg(M_WARN,
3000  "******* WARNING *******: All encryption and authentication features "
3001  "disabled -- All data will be tunnelled as clear text and will not be "
3002  "protected against man-in-the-middle changes. "
3003  "PLEASE DO RECONSIDER THIS CONFIGURATION!");
3004 }
3005 
3006 static void
3007 do_init_crypto(struct context *c, const unsigned int flags)
3008 {
3009  if (c->options.shared_secret_file)
3010  {
3011  do_init_crypto_static(c, flags);
3012  }
3013  else if (c->options.tls_server || c->options.tls_client)
3014  {
3015  do_init_crypto_tls(c, flags);
3016  }
3017  else /* no encryption or authentication. */
3018  {
3019  do_init_crypto_none(c);
3020  }
3021 }
3022 
3023 static void
3024 do_init_frame(struct context *c)
3025 {
3026 #ifdef USE_COMP
3027  /*
3028  * modify frame parameters if compression is enabled
3029  */
3030  if (comp_enabled(&c->options.comp))
3031  {
3032  comp_add_to_extra_frame(&c->c2.frame);
3033 
3034 #if !defined(ENABLE_LZ4)
3035  /*
3036  * Compression usage affects buffer alignment when non-swapped algs
3037  * such as LZO is used.
3038  * Newer algs like LZ4 and comp-stub with COMP_F_SWAP don't need
3039  * any special alignment because of the control-byte swap approach.
3040  * LZO alignment (on the other hand) is problematic because
3041  * the presence of the control byte means that either the output of
3042  * decryption must be written to an unaligned buffer, or the input
3043  * to compression (or packet dispatch if packet is uncompressed)
3044  * must be read from an unaligned buffer.
3045  * This code tries to align the input to compression (or packet
3046  * dispatch if packet is uncompressed) at the cost of requiring
3047  * decryption output to be written to an unaligned buffer, so
3048  * it's more of a tradeoff than an optimal solution and we don't
3049  * include it when we are doing a modern build with LZ4.
3050  * Strictly speaking, on the server it would be better to execute
3051  * this code for every connection after we decide the compression
3052  * method, but currently the frame code doesn't appear to be
3053  * flexible enough for this, since the frame is already established
3054  * before it is known which compression options will be pushed.
3055  */
3056  if (comp_unswapped_prefix(&c->options.comp) && CIPHER_ENABLED(c))
3057  {
3058  frame_add_to_align_adjust(&c->c2.frame, COMP_PREFIX_LEN);
3059  frame_or_align_flags(&c->c2.frame,
3060  FRAME_HEADROOM_MARKER_FRAGMENT
3061  |FRAME_HEADROOM_MARKER_DECRYPT);
3062  }
3063 #endif
3064 
3065 #ifdef ENABLE_FRAGMENT
3066  comp_add_to_extra_frame(&c->c2.frame_fragment_omit); /* omit compression frame delta from final frame_fragment */
3067 #endif
3068  }
3069 #endif /* USE_COMP */
3070 
3071  /*
3072  * Adjust frame size for UDP Socks support.
3073  */
3074  if (c->options.ce.socks_proxy_server)
3075  {
3076  socks_adjust_frame_parameters(&c->c2.frame, c->options.ce.proto);
3077  }
3078 
3079  /*
3080  * Adjust frame size based on the --tun-mtu-extra parameter.
3081  */
3082  if (c->options.ce.tun_mtu_extra_defined)
3083  {
3084  tun_adjust_frame_parameters(&c->c2.frame, c->options.ce.tun_mtu_extra);
3085  }
3086 
3087  /*
3088  * Adjust frame size based on link socket parameters.
3089  * (Since TCP is a stream protocol, we need to insert
3090  * a packet length uint16_t in the buffer.)
3091  */
3092  socket_adjust_frame_parameters(&c->c2.frame, c->options.ce.proto);
3093 
3094  /*
3095  * Fill in the blanks in the frame parameters structure,
3096  * make sure values are rational, etc.
3097  */
3098  frame_finalize_options(c, NULL);
3099 
3100 #ifdef USE_COMP
3101  /*
3102  * Modify frame parameters if compression is compiled in.
3103  * Should be called after frame_finalize_options.
3104  */
3105  comp_add_to_extra_buffer(&c->c2.frame);
3106 #ifdef ENABLE_FRAGMENT
3107  comp_add_to_extra_buffer(&c->c2.frame_fragment_omit); /* omit compression frame delta from final frame_fragment */
3108 #endif
3109 #endif /* USE_COMP */
3110 
3111  /* packets with peer-id (P_DATA_V2) need 3 extra bytes in frame (on client)
3112  * and need link_mtu+3 bytes on socket reception (on server).
3113  *
3114  * accommodate receive path in f->extra_link, which has the side effect of
3115  * also increasing send buffers (BUF_SIZE() macro), which need to be
3116  * allocated big enough before receiving peer-id option from server.
3117  *
3118  * f->extra_frame is adjusted when peer-id option is push-received
3119  */
3120  frame_add_to_extra_link(&c->c2.frame, 3);
3121 
3122 #ifdef ENABLE_FRAGMENT
3123  /*
3124  * Set frame parameter for fragment code. This is necessary because
3125  * the fragmentation code deals with payloads which have already been
3126  * passed through the compression code.
3127  */
3128  c->c2.frame_fragment = c->c2.frame;
3129  frame_subtract_extra(&c->c2.frame_fragment, &c->c2.frame_fragment_omit);
3130  c->c2.frame_fragment_initial = c->c2.frame_fragment;
3131 #endif
3132 
3133 #if defined(ENABLE_FRAGMENT) && defined(ENABLE_OCC)
3134  /*
3135  * MTU advisories
3136  */
3137  if (c->options.ce.fragment && c->options.mtu_test)
3138  {
3139  msg(M_WARN,
3140  "WARNING: using --fragment and --mtu-test together may produce an inaccurate MTU test result");
3141  }
3142 #endif
3143 
3144 #ifdef ENABLE_FRAGMENT
3145  if ((c->options.ce.mssfix || c->options.ce.fragment)
3146  && TUN_MTU_SIZE(&c->c2.frame_fragment) != ETHERNET_MTU)
3147  {
3148  msg(M_WARN,
3149  "WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu %d (currently it is %d)",
3150  ETHERNET_MTU, TUN_MTU_SIZE(&c->c2.frame_fragment));
3151  }
3152 #endif
3153 }
3154 
3155 static void
3156 do_option_warnings(struct context *c)
3157 {
3158  const struct options *o = &c->options;
3159 
3160  if (o->ping_send_timeout && !o->ping_rec_timeout)
3161  {
3162  msg(M_WARN, "WARNING: --ping should normally be used with --ping-restart or --ping-exit");
3163  }
3164 
3165  if (o->username || o->groupname || o->chroot_dir
3166 #ifdef ENABLE_SELINUX
3167  || o->selinux_context
3168 #endif
3169  )
3170  {
3171  if (!o->persist_tun)
3172  {
3173  msg(M_WARN, "WARNING: you are using user/group/chroot/setcon without persist-tun -- this may cause restarts to fail");
3174  }
3175  if (!o->persist_key
3176 #ifdef ENABLE_PKCS11
3177  && !o->pkcs11_id
3178 #endif
3179  )
3180  {
3181  msg(M_WARN, "WARNING: you are using user/group/chroot/setcon without persist-key -- this may cause restarts to fail");
3182  }
3183  }
3184 
3185  if (o->chroot_dir && !(o->username && o->groupname))
3186  {
3187  msg(M_WARN, "WARNING: you are using chroot without specifying user and group -- this may cause the chroot jail to be insecure");
3188  }
3189 
3190 #if P2MP
3191  if (o->pull && o->ifconfig_local && c->first_time)
3192  {
3193  msg(M_WARN, "WARNING: using --pull/--client and --ifconfig together is probably not what you want");
3194  }
3195 
3196 #if P2MP_SERVER
3197  if (o->server_bridge_defined | o->server_bridge_proxy_dhcp)
3198  {
3199  msg(M_WARN, "NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to");
3200  }
3201 
3202  if (o->mode == MODE_SERVER)
3203  {
3204  if (o->duplicate_cn && o->client_config_dir)
3205  {
3206  msg(M_WARN, "WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want");
3207  }
3208  if (o->duplicate_cn && o->ifconfig_pool_persist_filename)
3209  {
3210  msg(M_WARN, "WARNING: --ifconfig-pool-persist will not work with --duplicate-cn");
3211  }
3212  if (!o->keepalive_ping || !o->keepalive_timeout)
3213  {
3214  msg(M_WARN, "WARNING: --keepalive option is missing from server config");
3215  }
3216  }
3217 #endif /* if P2MP_SERVER */
3218 #endif /* if P2MP */
3219 
3220  if (!o->replay)
3221  {
3222  msg(M_WARN, "WARNING: You have disabled Replay Protection (--no-replay) which may make " PACKAGE_NAME " less secure");
3223  }
3224 
3225  if (o->tls_server)
3226  {
3227  warn_on_use_of_common_subnets(&c->net_ctx);
3228  }
3229  if (o->tls_client
3230  && !o->tls_verify
3231  && o->verify_x509_type == VERIFY_X509_NONE
3232  && !(o->ns_cert_type & NS_CERT_CHECK_SERVER)
3233  && !o->remote_cert_eku)
3234  {
3235  msg(M_WARN, "WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.");
3236  }
3237  if (o->ns_cert_type)
3238  {
3239  msg(M_WARN, "WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.");
3240  }
3241 
3242  /* If a script is used, print appropriate warnings */
3243  if (o->user_script_used)
3244  {
3245  if (script_security() >= SSEC_SCRIPTS)
3246  {
3247  msg(M_WARN, "NOTE: the current --script-security setting may allow this configuration to call user-defined scripts");
3248  }
3249  else if (script_security() >= SSEC_PW_ENV)
3250  {
3251  msg(M_WARN, "WARNING: the current --script-security setting may allow passwords to be passed to scripts via environmental variables");
3252  }
3253  else
3254  {
3255  msg(M_WARN, "NOTE: starting with " PACKAGE_NAME " 2.1, '--script-security 2' or higher is required to call user-defined scripts or executables");
3256  }
3257  }
3258 }
3259 
3260 static void
3261 do_init_frame_tls(struct context *c)
3262 {
3263  do_init_finalize_tls_frame(c);
3264 }
3265 
3266 struct context_buffers *
3267 init_context_buffers(const struct frame *frame)
3268 {
3269  struct context_buffers *b;
3270 
3271  ALLOC_OBJ_CLEAR(b, struct context_buffers);
3272 
3273  b->read_link_buf = alloc_buf(BUF_SIZE(frame));
3274  b->read_tun_buf = alloc_buf(BUF_SIZE(frame));
3275 
3276  b->aux_buf = alloc_buf(BUF_SIZE(frame));
3277 
3278  b->encrypt_buf = alloc_buf(BUF_SIZE(frame));
3279  b->decrypt_buf = alloc_buf(BUF_SIZE(frame));
3280 
3281 #ifdef USE_COMP
3282  b->compress_buf = alloc_buf(BUF_SIZE(frame));
3283  b->decompress_buf = alloc_buf(BUF_SIZE(frame));
3284 #endif
3285 
3286  return b;
3287 }
3288 
3289 void
3290 free_context_buffers(struct context_buffers *b)
3291 {
3292  if (b)
3293  {
3294  free_buf(&b->read_link_buf);
3295  free_buf(&b->read_tun_buf);
3296  free_buf(&b->aux_buf);
3297 
3298 #ifdef USE_COMP
3299  free_buf(&b->compress_buf);
3300  free_buf(&b->decompress_buf);
3301 #endif
3302 
3303  free_buf(&b->encrypt_buf);
3304  free_buf(&b->decrypt_buf);
3305 
3306  free(b);
3307  }
3308 }
3309 
3310 /*
3311  * Now that we know all frame parameters, initialize
3312  * our buffers.
3313  */
3314 static void
3315 do_init_buffers(struct context *c)
3316 {
3317  c->c2.buffers = init_context_buffers(&c->c2.frame);
3318  c->c2.buffers_owned = true;
3319 }
3320 
3321 #ifdef ENABLE_FRAGMENT
3322 /*
3323  * Fragmenting code has buffers to initialize
3324  * once frame parameters are known.
3325  */
3326 static void
3327 do_init_fragment(struct context *c)
3328 {
3329  ASSERT(c->options.ce.fragment);
3330  frame_set_mtu_dynamic(&c->c2.frame_fragment,
3331  c->options.ce.fragment, SET_MTU_UPPER_BOUND);
3332  fragment_frame_init(c->c2.fragment, &c->c2.frame_fragment);
3333 }
3334 #endif
3335 
3336 /*
3337  * Allocate our socket object.
3338  */
3339 static void
3340 do_link_socket_new(struct context *c)
3341 {
3342  ASSERT(!c->c2.link_socket);
3343  c->c2.link_socket = link_socket_new();
3344  c->c2.link_socket_owned = true;
3345 }
3346 
3347 /*
3348  * bind the TCP/UDP socket
3349  */
3350 static void
3351 do_init_socket_1(struct context *c, const int mode)
3352 {
3353  unsigned int sockflags = c->options.sockflags;
3354 
3355 #if PORT_SHARE
3356  if (c->options.port_share_host && c->options.port_share_port)
3357  {
3358  sockflags |= SF_PORT_SHARE;
3359  }
3360 #endif
3361 
3362  link_socket_init_phase1(c->c2.link_socket,
3363  c->options.ce.local,
3364  c->options.ce.local_port,
3365  c->options.ce.remote,
3366  c->options.ce.remote_port,
3367  c->c1.dns_cache,
3368  c->options.ce.proto,
3369  c->options.ce.af,
3370  c->options.ce.bind_ipv6_only,
3371  mode,
3372  c->c2.accept_from,
3373  c->c1.http_proxy,
3374  c->c1.socks_proxy,
3375 #ifdef ENABLE_DEBUG
3376  c->options.gremlin,
3377 #endif
3378  c->options.ce.bind_local,
3379  c->options.ce.remote_float,
3380  c->options.inetd,
3381  &c->c1.link_socket_addr,
3382  c->options.ipchange,
3383  c->plugins,
3384  c->options.resolve_retry_seconds,
3385  c->options.ce.mtu_discover_type,
3386  c->options.rcvbuf,
3387  c->options.sndbuf,
3388  c->options.mark,
3389  &c->c2.server_poll_interval,
3390  sockflags);
3391 }
3392 
3393 /*
3394  * finalize the TCP/UDP socket
3395  */
3396 static void
3397 do_init_socket_2(struct context *c)
3398 {
3399  link_socket_init_phase2(c->c2.link_socket, &c->c2.frame,
3400  c->sig);
3401 }
3402 
3403 /*
3404  * Print MTU INFO
3405  */
3406 static void
3407 do_print_data_channel_mtu_parms(struct context *c)
3408 {
3409  frame_print(&c->c2.frame, D_MTU_INFO, "Data Channel MTU parms");
3410 #ifdef ENABLE_FRAGMENT
3411  if (c->c2.fragment)
3412  {
3413  frame_print(&c->c2.frame_fragment, D_MTU_INFO,
3414  "Fragmentation MTU parms");
3415  }
3416 #endif
3417 }
3418 
3419 #ifdef ENABLE_OCC
3420 /*
3421  * Get local and remote options compatibility strings.
3422  */
3423 static void
3424 do_compute_occ_strings(struct context *c)
3425 {
3426  struct gc_arena gc = gc_new();
3427 
3428  c->c2.options_string_local =
3429  options_string(&c->options, &c->c2.frame, c->c1.tuntap, &c->net_ctx,
3430  false, &gc);
3431  c->c2.options_string_remote =
3432  options_string(&c->options, &c->c2.frame, c->c1.tuntap, &c->net_ctx,
3433  true, &gc);
3434 
3435  msg(D_SHOW_OCC, "Local Options String (VER=%s): '%s'",
3436  options_string_version(c->c2.options_string_local, &gc),
3437  c->c2.options_string_local);
3438  msg(D_SHOW_OCC, "Expected Remote Options String (VER=%s): '%s'",
3439  options_string_version(c->c2.options_string_remote, &gc),
3440  c->c2.options_string_remote);
3441 
3442  if (c->c2.tls_multi)
3443  {
3444  tls_multi_init_set_options(c->c2.tls_multi,
3445  c->c2.options_string_local,
3446  c->c2.options_string_remote);
3447  }
3448 
3449  gc_free(&gc);
3450 }
3451 #endif /* ifdef ENABLE_OCC */
3452 
3453 /*
3454  * These things can only be executed once per program instantiation.
3455  * Set up for possible UID/GID downgrade, but don't do it yet.
3456  * Daemonize if requested.
3457  */
3458 static void
3459 do_init_first_time(struct context *c)
3460 {
3461  if (c->first_time && !c->c0)
3462  {
3463  struct context_0 *c0;
3464 
3465  ALLOC_OBJ_CLEAR_GC(c->c0, struct context_0, &c->gc);
3466  c0 = c->c0;
3467 
3468  /* get user and/or group that we want to setuid/setgid to */
3469  c0->uid_gid_specified =
3470  platform_group_get(c->options.groupname, &c0->platform_state_group)
3471  |platform_user_get(c->options.username, &c0->platform_state_user);
3472 
3473  /* perform postponed chdir if --daemon */
3474  if (c->did_we_daemonize && c->options.cd_dir == NULL)
3475  {
3476  platform_chdir("/");
3477  }
3478 
3479  /* should we change scheduling priority? */
3480  platform_nice(c->options.nice);
3481  }
3482 }
3483 
3484 /*
3485  * If xinetd/inetd mode, don't allow restart.
3486  */
3487 static void
3488 do_close_check_if_restart_permitted(struct context *c)
3489 {
3490  if (c->options.inetd
3491  && (c->sig->signal_received == SIGHUP
3492  || c->sig->signal_received == SIGUSR1))
3493  {
3494  c->sig->signal_received = SIGTERM;
3495  msg(M_INFO,
3496  PACKAGE_NAME
3497  " started by inetd/xinetd cannot restart... Exiting.");
3498  }
3499 }
3500 
3501 /*
3502  * free buffers
3503  */
3504 static void
3505 do_close_free_buf(struct context *c)
3506 {
3507  if (c->c2.buffers_owned)
3508  {
3509  free_context_buffers(c->c2.buffers);
3510  c->c2.buffers = NULL;
3511  c->c2.buffers_owned = false;
3512  }
3513 }
3514 
3515 /*
3516  * close TLS
3517  */
3518 static void
3519 do_close_tls(struct context *c)
3520 {
3521  if (c->c2.tls_multi)
3522  {
3523  tls_multi_free(c->c2.tls_multi, true);
3524  c->c2.tls_multi = NULL;
3525  }
3526 
3527 #ifdef ENABLE_OCC
3528  /* free options compatibility strings */
3529  if (c->c2.options_string_local)
3530  {
3531  free(c->c2.options_string_local);
3532  }
3533  if (c->c2.options_string_remote)
3534  {
3535  free(c->c2.options_string_remote);
3536  }
3537  c->c2.options_string_local = c->c2.options_string_remote = NULL;
3538 #endif
3539 
3540  if (c->c2.pulled_options_state)
3541  {
3542  md_ctx_cleanup(c->c2.pulled_options_state);
3543  md_ctx_free(c->c2.pulled_options_state);
3544  }
3545 }
3546 
3547 /*
3548  * Free key schedules
3549  */
3550 static void
3551 do_close_free_key_schedule(struct context *c, bool free_ssl_ctx)
3552 {
3553  /*
3554  * always free the tls_auth/crypt key. If persist_key is true, the key will
3555  * be reloaded from memory (pre-cached)
3556  */
3557  free_key_ctx_bi(&c->c1.ks.tls_wrap_key);
3558  CLEAR(c->c1.ks.tls_wrap_key);
3559  buf_clear(&c->c1.ks.tls_crypt_v2_wkc);
3560  free_buf(&c->c1.ks.tls_crypt_v2_wkc);
3561 
3562  if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_key))
3563  {
3564  key_schedule_free(&c->c1.ks, free_ssl_ctx);
3565  }
3566 }
3567 
3568 /*
3569  * Close TCP/UDP connection
3570  */
3571 static void
3572 do_close_link_socket(struct context *c)
3573 {
3574  if (c->c2.link_socket && c->c2.link_socket_owned)
3575  {
3576  link_socket_close(c->c2.link_socket);
3577  c->c2.link_socket = NULL;
3578  }
3579 
3580 
3581  /* Preserve the resolved list of remote if the user request to or if we want
3582  * reconnect to the same host again or there are still addresses that need
3583  * to be tried */
3584  if (!(c->sig->signal_received == SIGUSR1
3585  && ( (c->options.persist_remote_ip)
3586  ||
3587  ( c->sig->source != SIG_SOURCE_HARD
3588  && ((c->c1.link_socket_addr.current_remote && c->c1.link_socket_addr.current_remote->ai_next)
3589  || c->options.no_advance))
3590  )))
3591  {
3592  clear_remote_addrlist(&c->c1.link_socket_addr, !c->options.resolve_in_advance);
3593  }
3594 
3595  /* Clear the remote actual address when persist_remote_ip is not in use */
3596  if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_remote_ip))
3597  {
3598  CLEAR(c->c1.link_socket_addr.actual);
3599  }
3600 
3601  if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_local_ip))
3602  {
3603  if (c->c1.link_socket_addr.bind_local && !c->options.resolve_in_advance)
3604  {
3605  freeaddrinfo(c->c1.link_socket_addr.bind_local);
3606  }
3607 
3608  c->c1.link_socket_addr.bind_local = NULL;
3609  }
3610 }
3611 
3612 /*
3613  * Close packet-id persistence file
3614  */
3615 static void
3616 do_close_packet_id(struct context *c)
3617 {
3618  packet_id_free(&c->c2.crypto_options.packet_id);
3619  packet_id_persist_save(&c->c1.pid_persist);
3620  if (!(c->sig->signal_received == SIGUSR1))
3621  {
3622  packet_id_persist_close(&c->c1.pid_persist);
3623  }
3624 }
3625 
3626 #ifdef ENABLE_FRAGMENT
3627 /*
3628  * Close fragmentation handler.
3629  */
3630 static void
3631 do_close_fragment(struct context *c)
3632 {
3633  if (c->c2.fragment)
3634  {
3635  fragment_free(c->c2.fragment);
3636  c->c2.fragment = NULL;
3637  }
3638 }
3639 #endif
3640 
3641 /*
3642  * Open and close our event objects.
3643  */
3644 
3645 static void
3646 do_event_set_init(struct context *c,
3647  bool need_us_timeout)
3648 {
3649  unsigned int flags = 0;
3650 
3651  c->c2.event_set_max = BASE_N_EVENTS;
3652 
3653  flags |= EVENT_METHOD_FAST;
3654 
3655  if (need_us_timeout)
3656  {
3657  flags |= EVENT_METHOD_US_TIMEOUT;
3658  }
3659 
3660  c->c2.event_set = event_set_init(&c->c2.event_set_max, flags);
3661  c->c2.event_set_owned = true;
3662 }
3663 
3664 static void
3665 do_close_event_set(struct context *c)
3666 {
3667  if (c->c2.event_set && c->c2.event_set_owned)
3668  {
3669  event_free(c->c2.event_set);
3670  c->c2.event_set = NULL;
3671  c->c2.event_set_owned = false;
3672  }
3673 }
3674 
3675 /*
3676  * Open and close --status file
3677  */
3678 
3679 static void
3680 do_open_status_output(struct context *c)
3681 {
3682  if (!c->c1.status_output)
3683  {
3684  c->c1.status_output = status_open(c->options.status_file,
3685  c->options.status_file_update_freq,
3686  -1,
3687  NULL,
3688  STATUS_OUTPUT_WRITE);
3689  c->c1.status_output_owned = true;
3690  }
3691 }
3692 
3693 static void
3694 do_close_status_output(struct context *c)
3695 {
3696  if (!(c->sig->signal_received == SIGUSR1))
3697  {
3698  if (c->c1.status_output_owned && c->c1.status_output)
3699  {
3700  status_close(c->c1.status_output);
3701  c->c1.status_output = NULL;
3702  c->c1.status_output_owned = false;
3703  }
3704  }
3705 }
3706 
3707 /*
3708  * Handle ifconfig-pool persistence object.
3709  */
3710 static void
3711 do_open_ifconfig_pool_persist(struct context *c)
3712 {
3713 #if P2MP_SERVER
3714  if (!c->c1.ifconfig_pool_persist && c->options.ifconfig_pool_persist_filename)
3715  {
3716  c->c1.ifconfig_pool_persist = ifconfig_pool_persist_init(c->options.ifconfig_pool_persist_filename,
3717  c->options.ifconfig_pool_persist_refresh_freq);
3718  c->c1.ifconfig_pool_persist_owned = true;
3719  }
3720 #endif
3721 }
3722 
3723 static void
3724 do_close_ifconfig_pool_persist(struct context *c)
3725 {
3726 #if P2MP_SERVER
3727  if (!(c->sig->signal_received == SIGUSR1))
3728  {
3729  if (c->c1.ifconfig_pool_persist && c->c1.ifconfig_pool_persist_owned)
3730  {
3731  ifconfig_pool_persist_close(c->c1.ifconfig_pool_persist);
3732  c->c1.ifconfig_pool_persist = NULL;
3733  c->c1.ifconfig_pool_persist_owned = false;
3734  }
3735  }
3736 #endif
3737 }
3738 
3739 /*
3740  * Inherit environmental variables
3741  */
3742 
3743 static void
3744 do_inherit_env(struct context *c, const struct env_set *src)
3745 {
3746  c->c2.es = env_set_create(NULL);
3747  c->c2.es_owned = true;
3748  env_set_inherit(c->c2.es, src);
3749 }
3750 
3751 static void
3752 do_env_set_destroy(struct context *c)
3753 {
3754  if (c->c2.es && c->c2.es_owned)
3755  {
3756  env_set_destroy(c->c2.es);
3757  c->c2.es = NULL;
3758  c->c2.es_owned = false;
3759  }
3760 }
3761 
3762 /*
3763  * Fast I/O setup. Fast I/O is an optimization which only works
3764  * if all of the following are true:
3765  *
3766  * (1) The platform is not Windows
3767  * (2) --proto udp is enabled
3768  * (3) --shaper is disabled
3769  */
3770 static void
3771 do_setup_fast_io(struct context *c)
3772 {
3773  if (c->options.fast_io)
3774  {
3775 #ifdef _WIN32
3776  msg(M_INFO, "NOTE: --fast-io is disabled since we are running on Windows");
3777 #else
3778  if (!proto_is_udp(c->options.ce.proto))
3779  {
3780  msg(M_INFO, "NOTE: --fast-io is disabled since we are not using UDP");
3781  }
3782  else
3783  {
3784 #ifdef ENABLE_FEATURE_SHAPER
3785  if (c->options.shaper)
3786  {
3787  msg(M_INFO, "NOTE: --fast-io is disabled since we are using --shaper");
3788  }
3789  else
3790 #endif
3791  {
3792  c->c2.fast_io = true;
3793  }
3794  }
3795 #endif
3796  }
3797 }
3798 
3799 static void
3800 do_signal_on_tls_errors(struct context *c)
3801 {
3802  if (c->options.tls_exit)
3803  {
3804  c->c2.tls_exit_signal = SIGTERM;
3805  }
3806  else
3807  {
3808  c->c2.tls_exit_signal = SIGUSR1;
3809  }
3810 }
3811 
3812 #ifdef ENABLE_PLUGIN
3813 
3814 void
3815 init_plugins(struct context *c)
3816 {
3817  if (c->options.plugin_list && !c->plugins)
3818  {
3819  c->plugins = plugin_list_init(c->options.plugin_list);
3820  c->plugins_owned = true;
3821  }
3822 }
3823 
3824 void
3825 open_plugins(struct context *c, const bool import_options, int init_point)
3826 {
3827  if (c->plugins && c->plugins_owned)
3828  {
3829  if (import_options)
3830  {
3831  struct plugin_return pr, config;
3832  plugin_return_init(&pr);
3833  plugin_list_open(c->plugins, c->options.plugin_list, &pr, c->c2.es, init_point);
3834  plugin_return_get_column(&pr, &config, "config");
3835  if (plugin_return_defined(&config))
3836  {
3837  int i;
3838  for (i = 0; i < config.n; ++i)
3839  {
3840  unsigned int option_types_found = 0;
3841  if (config.list[i] && config.list[i]->value)
3842  {
3843  options_string_import(&c->options,
3844  config.list[i]->value,
3845  D_IMPORT_ERRORS|M_OPTERR,
3846  OPT_P_DEFAULT & ~OPT_P_PLUGIN,
3847  &option_types_found,
3848  c->es);
3849  }
3850  }
3851  }
3852  plugin_return_free(&pr);
3853  }
3854  else
3855  {
3856  plugin_list_open(c->plugins, c->options.plugin_list, NULL, c->c2.es, init_point);
3857  }
3858  }
3859 }
3860 
3861 static void
3862 do_close_plugins(struct context *c)
3863 {
3864  if (c->plugins && c->plugins_owned && !(c->sig->signal_received == SIGUSR1))
3865  {
3866  plugin_list_close(c->plugins);
3867  c->plugins = NULL;
3868  c->plugins_owned = false;
3869  }
3870 }
3871 
3872 static void
3873 do_inherit_plugins(struct context *c, const struct context *src)
3874 {
3875  if (!c->plugins && src->plugins)
3876  {
3877  c->plugins = plugin_list_inherit(src->plugins);
3878  c->plugins_owned = true;
3879  }
3880 }
3881 
3882 #endif /* ifdef ENABLE_PLUGIN */
3883 
3884 #ifdef ENABLE_MANAGEMENT
3885 
3886 static void
3887 management_callback_status_p2p(void *arg, const int version, struct status_output *so)
3888 {
3889  struct context *c = (struct context *) arg;
3890  print_status(c, so);
3891 }
3892 
3893 void
3894 management_show_net_callback(void *arg, const int msglevel)
3895 {
3896 #ifdef _WIN32
3897  show_routes(msglevel);
3898  show_adapters(msglevel);
3899  msg(msglevel, "END");
3900 #else
3901  msg(msglevel, "ERROR: Sorry, this command is currently only implemented on Windows");
3902 #endif
3903 }
3904 
3905 #ifdef TARGET_ANDROID
3906 int
3907 management_callback_network_change(void *arg, bool samenetwork)
3908 {
3909  /* Check if the client should translate the network change to a SIGUSR1 to
3910  * reestablish the connection or just reprotect the socket
3911  *
3912  * At the moment just assume that, for all settings that use pull (not
3913  * --static) and are not using peer-id reestablishing the connection is
3914  * required (unless the network is the same)
3915  *
3916  * The function returns -1 on invalid fd and -2 if the socket cannot be
3917  * reused. On the -2 return value the man_network_change function triggers
3918  * a SIGUSR1 to force a reconnect.
3919  */
3920 
3921  int socketfd = -1;
3922  struct context *c = (struct context *) arg;
3923  if (!c->c2.link_socket)
3924  {
3925  return -1;
3926  }
3927  if (c->c2.link_socket->sd == SOCKET_UNDEFINED)
3928  {
3929  return -1;
3930  }
3931 
3932  socketfd = c->c2.link_socket->sd;
3933  if (!c->options.pull || c->c2.tls_multi->use_peer_id || samenetwork)
3934  {
3935  return socketfd;
3936  }
3937  else
3938  {
3939  return -2;
3940  }
3941 }
3942 #endif /* ifdef TARGET_ANDROID */
3943 
3944 #endif /* ifdef ENABLE_MANAGEMENT */
3945 
3946 void
3947 init_management_callback_p2p(struct context *c)
3948 {
3949 #ifdef ENABLE_MANAGEMENT
3950  if (management)
3951  {
3952  struct management_callback cb;
3953  CLEAR(cb);
3954  cb.arg = c;
3955  cb.status = management_callback_status_p2p;
3956  cb.show_net = management_show_net_callback;
3957  cb.proxy_cmd = management_callback_proxy_cmd;
3958  cb.remote_cmd = management_callback_remote_cmd;
3959 #ifdef TARGET_ANDROID
3960  cb.network_change = management_callback_network_change;
3961 #endif
3962  management_set_callback(management, &cb);
3963  }
3964 #endif
3965 }
3966 
3967 #ifdef ENABLE_MANAGEMENT
3968 
3969 void
3970 init_management(void)
3971 {
3972  if (!management)
3973  {
3974  management = management_init();
3975  }
3976 }
3977 
3978 bool
3979 open_management(struct context *c)
3980 {
3981  /* initialize management layer */
3982  if (management)
3983  {
3984  if (c->options.management_addr)
3985  {
3986  unsigned int flags = c->options.management_flags;
3987  if (c->options.mode == MODE_SERVER)
3988  {
3989  flags |= MF_SERVER;
3990  }
3991  if (management_open(management,
3992  c->options.management_addr,
3993  c->options.management_port,
3994  c->options.management_user_pass,
3995  c->options.management_client_user,
3996  c->options.management_client_group,
3997  c->options.management_log_history_cache,
3998  c->options.management_echo_buffer_size,
3999  c->options.management_state_buffer_size,
4000  c->options.management_write_peer_info_file,
4001  c->options.remap_sigusr1,
4002  flags))
4003  {
4004  management_set_state(management,
4005  OPENVPN_STATE_CONNECTING,
4006  NULL,
4007  NULL,
4008  NULL,
4009  NULL,
4010  NULL);
4011  }
4012 
4013  /* initial management hold, called early, before first context initialization */
4014  do_hold(0);
4015  if (IS_SIG(c))
4016  {
4017  msg(M_WARN, "Signal received from management interface, exiting");
4018  return false;
4019  }
4020  }
4021  else
4022  {
4023  close_management();
4024  }
4025  }
4026  return true;
4027 }
4028 
4029 void
4030 close_management(void)
4031 {
4032  if (management)
4033  {
4034  management_close(management);
4035  management = NULL;
4036  }
4037 }
4038 
4039 #endif /* ifdef ENABLE_MANAGEMENT */
4040 
4041 
4042 void
4043 uninit_management_callback(void)
4044 {
4045 #ifdef ENABLE_MANAGEMENT
4046  if (management)
4047  {
4048  management_clear_callback(management);
4049  }
4050 #endif
4051 }
4052 
4053 /*
4054  * Initialize a tunnel instance, handle pre and post-init
4055  * signal settings.
4056  */
4057 void
4058 init_instance_handle_signals(struct context *c, const struct env_set *env, const unsigned int flags)
4059 {
4060  pre_init_signal_catch();
4061  init_instance(c, env, flags);
4062  post_init_signal_catch();
4063 
4064  /*
4065  * This is done so that signals thrown during
4066  * initialization can bring us back to
4067  * a management hold.
4068  */
4069  if (IS_SIG(c))
4070  {
4071  remap_signal(c);
4072  uninit_management_callback();
4073  }
4074 }
4075 
4076 /*
4077  * Initialize a tunnel instance.
4078  */
4079 void
4080 init_instance(struct context *c, const struct env_set *env, const unsigned int flags)
4081 {
4082  const struct options *options = &c->options;
4083  const bool child = (c->mode == CM_CHILD_TCP || c->mode == CM_CHILD_UDP);
4084  int link_socket_mode = LS_MODE_DEFAULT;
4085 
4086  /* init garbage collection level */
4087  gc_init(&c->c2.gc);
4088 
4089  /* inherit environmental variables */
4090  if (env)
4091  {
4092  do_inherit_env(c, env);
4093  }
4094 
4095  /* signals caught here will abort */
4096  c->sig->signal_received = 0;
4097  c->sig->signal_text = NULL;
4098  c->sig->source = SIG_SOURCE_SOFT;
4099 
4100  if (c->mode == CM_P2P)
4101  {
4102  init_management_callback_p2p(c);
4103  }
4104 
4105  /* possible sleep or management hold if restart */
4106  if (c->mode == CM_P2P || c->mode == CM_TOP)
4107  {
4108  do_startup_pause(c);
4109  if (IS_SIG(c))
4110  {
4111  goto sig;
4112  }
4113  }
4114 
4115  if (c->options.resolve_in_advance)
4116  {
4117  do_preresolve(c);
4118  if (IS_SIG(c))
4119  {
4120  goto sig;
4121  }
4122  }
4123 
4124  /* map in current connection entry */
4125  next_connection_entry(c);
4126 
4127  /* link_socket_mode allows CM_CHILD_TCP
4128  * instances to inherit acceptable fds
4129  * from a top-level parent */
4130  if (c->options.ce.proto == PROTO_TCP_SERVER)
4131  {
4132  if (c->mode == CM_TOP)
4133  {
4134  link_socket_mode = LS_MODE_TCP_LISTEN;
4135  }
4136  else if (c->mode == CM_CHILD_TCP)
4137  {
4138  link_socket_mode = LS_MODE_TCP_ACCEPT_FROM;
4139  }
4140  }
4141 
4142  /* should we disable paging? */
4143  if (c->first_time && options->mlock)
4144  {
4145  platform_mlockall(true);
4146  }
4147 
4148 #if P2MP
4149  /* get passwords if undefined */
4150  if (auth_retry_get() == AR_INTERACT)
4151  {
4152  init_query_passwords(c);
4153  }
4154 #endif
4155 
4156  /* initialize context level 2 --verb/--mute parms */
4157  init_verb_mute(c, IVM_LEVEL_2);
4158 
4159  /* set error message delay for non-server modes */
4160  if (c->mode == CM_P2P)
4161  {
4162  set_check_status_error_delay(P2P_ERROR_DELAY_MS);
4163  }
4164 
4165  /* warn about inconsistent options */
4166  if (c->mode == CM_P2P || c->mode == CM_TOP)
4167  {
4168  do_option_warnings(c);
4169  }
4170 
4171 #ifdef ENABLE_PLUGIN
4172  /* initialize plugins */
4173  if (c->mode == CM_P2P || c->mode == CM_TOP)
4174  {
4175  open_plugins(c, false, OPENVPN_PLUGIN_INIT_PRE_DAEMON);
4176  }
4177 #endif
4178 
4179  /* should we enable fast I/O? */
4180  if (c->mode == CM_P2P || c->mode == CM_TOP)
4181  {
4182  do_setup_fast_io(c);
4183  }
4184 
4185  /* should we throw a signal on TLS errors? */
4186  do_signal_on_tls_errors(c);
4187 
4188  /* open --status file */
4189  if (c->mode == CM_P2P || c->mode == CM_TOP)
4190  {
4191  do_open_status_output(c);
4192  }
4193 
4194  /* open --ifconfig-pool-persist file */
4195  if (c->mode == CM_TOP)
4196  {
4197  do_open_ifconfig_pool_persist(c);
4198  }
4199 
4200 #ifdef ENABLE_OCC
4201  /* reset OCC state */
4202  if (c->mode == CM_P2P || child)
4203  {
4204  c->c2.occ_op = occ_reset_op();
4205  }
4206 #endif
4207 
4208  /* our wait-for-i/o objects, different for posix vs. win32 */
4209  if (c->mode == CM_P2P)
4210  {
4211  do_event_set_init(c, SHAPER_DEFINED(&c->options));
4212  }
4213  else if (c->mode == CM_CHILD_TCP)
4214  {
4215  do_event_set_init(c, false);
4216  }
4217 
4218  /* initialize HTTP or SOCKS proxy object at scope level 2 */
4219  init_proxy(c);
4220 
4221  /* allocate our socket object */
4222  if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
4223  {
4224  do_link_socket_new(c);
4225  }
4226 
4227 #ifdef ENABLE_FRAGMENT
4228  /* initialize internal fragmentation object */
4229  if (options->ce.fragment && (c->mode == CM_P2P || child))
4230  {
4231  c->c2.fragment = fragment_init(&c->c2.frame);
4232  }
4233 #endif
4234 
4235  /* init crypto layer */
4236  {
4237  unsigned int crypto_flags = 0;
4238  if (c->mode == CM_TOP)
4239  {
4240  crypto_flags = CF_INIT_TLS_AUTH_STANDALONE;
4241  }
4242  else if (c->mode == CM_P2P)
4243  {
4244  crypto_flags = CF_LOAD_PERSISTED_PACKET_ID | CF_INIT_TLS_MULTI;
4245  }
4246  else if (child)
4247  {
4248  crypto_flags = CF_INIT_TLS_MULTI;
4249  }
4250  do_init_crypto(c, crypto_flags);
4251  if (IS_SIG(c) && !child)
4252  {
4253  goto sig;
4254  }
4255  }
4256 
4257 #ifdef USE_COMP
4258  /* initialize compression library. */
4259  if (comp_enabled(&options->comp) && (c->mode == CM_P2P || child))
4260  {
4261  c->c2.comp_context = comp_init(&options->comp);
4262  }
4263 #endif
4264 
4265  /* initialize MTU variables */
4266  do_init_frame(c);
4267 
4268  /* initialize TLS MTU variables */
4269  do_init_frame_tls(c);
4270 
4271  /* init workspace buffers whose size is derived from frame size */
4272  if (c->mode == CM_P2P || c->mode == CM_CHILD_TCP)
4273  {
4274  do_init_buffers(c);
4275  }
4276 
4277 #ifdef ENABLE_FRAGMENT
4278  /* initialize internal fragmentation capability with known frame size */
4279  if (options->ce.fragment && (c->mode == CM_P2P || child))
4280  {
4281  do_init_fragment(c);
4282  }
4283 #endif
4284 
4285  /* initialize dynamic MTU variable */
4286  frame_init_mssfix(&c->c2.frame, &c->options);
4287 
4288  /* bind the TCP/UDP socket */
4289  if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
4290  {
4291  do_init_socket_1(c, link_socket_mode);
4292  }
4293 
4294  /* initialize tun/tap device object,
4295  * open tun/tap device, ifconfig, run up script, etc. */
4296  if (!(options->up_delay || PULL_DEFINED(options)) && (c->mode == CM_P2P || c->mode == CM_TOP))
4297  {
4298  c->c2.did_open_tun = do_open_tun(c);
4299  }
4300 
4301  c->c2.frame_initial = c->c2.frame;
4302 
4303  /* print MTU info */
4304  do_print_data_channel_mtu_parms(c);
4305 
4306 #ifdef ENABLE_OCC
4307  /* get local and remote options compatibility strings */
4308  if (c->mode == CM_P2P || child)
4309  {
4310  do_compute_occ_strings(c);
4311  }
4312 #endif
4313 
4314  /* initialize output speed limiter */
4315  if (c->mode == CM_P2P)
4316  {
4317  do_init_traffic_shaper(c);
4318  }
4319 
4320  /* do one-time inits, and possibly become a daemon here */
4321  do_init_first_time(c);
4322 
4323 #ifdef ENABLE_PLUGIN
4324  /* initialize plugins */
4325  if (c->mode == CM_P2P || c->mode == CM_TOP)
4326  {
4327  open_plugins(c, false, OPENVPN_PLUGIN_INIT_POST_DAEMON);
4328  }
4329 #endif
4330 
4331  /* initialise connect timeout timer */
4332  do_init_server_poll_timeout(c);
4333 
4334  /* finalize the TCP/UDP socket */
4335  if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
4336  {
4337  do_init_socket_2(c);
4338  }
4339 
4340  /*
4341  * Actually do UID/GID downgrade, and chroot, if requested.
4342  * May be delayed by --client, --pull, or --up-delay.
4343  */
4344  do_uid_gid_chroot(c, c->c2.did_open_tun);
4345 
4346  /* initialize timers */
4347  if (c->mode == CM_P2P || child)
4348  {
4349  do_init_timers(c, false);
4350  }
4351 
4352 #ifdef ENABLE_PLUGIN
4353  /* initialize plugins */
4354  if (c->mode == CM_P2P || c->mode == CM_TOP)
4355  {
4356  open_plugins(c, false, OPENVPN_PLUGIN_INIT_POST_UID_CHANGE);
4357  }
4358 #endif
4359 
4360 #if PORT_SHARE
4361  /* share OpenVPN port with foreign (such as HTTPS) server */
4362  if (c->first_time && (c->mode == CM_P2P || c->mode == CM_TOP))
4363  {
4364  init_port_share(c);
4365  }
4366 #endif
4367 
4368 #ifdef ENABLE_PF
4369  if (child)
4370  {
4371  pf_init_context(c);
4372  }
4373 #endif
4374 
4375  /* Check for signals */
4376  if (IS_SIG(c))
4377  {
4378  goto sig;
4379  }
4380 
4381  return;
4382 
4383 sig:
4384  if (!c->sig->signal_text)
4385  {
4386  c->sig->signal_text = "init_instance";
4387  }
4388  close_context(c, -1, flags);
4389  return;
4390 }
4391 
4392 /*
4393  * Close a tunnel instance.
4394  */
4395 void
4396 close_instance(struct context *c)
4397 {
4398  /* close event objects */
4399  do_close_event_set(c);
4400 
4401  if (c->mode == CM_P2P
4402  || c->mode == CM_CHILD_TCP
4403  || c->mode == CM_CHILD_UDP
4404  || c->mode == CM_TOP)
4405  {
4406  /* if xinetd/inetd mode, don't allow restart */
4407  do_close_check_if_restart_permitted(c);
4408 
4409 #ifdef USE_COMP
4410  if (c->c2.comp_context)
4411  {
4412  comp_uninit(c->c2.comp_context);
4413  c->c2.comp_context = NULL;
4414  }
4415 #endif
4416 
4417  /* free buffers */
4418  do_close_free_buf(c);
4419 
4420  /* close TLS */
4421  do_close_tls(c);
4422 
4423  /* free key schedules */
4424  do_close_free_key_schedule(c, (c->mode == CM_P2P || c->mode == CM_TOP));
4425 
4426  restore_ncp_options(c);
4427 
4428  /* close TCP/UDP connection */
4429  do_close_link_socket(c);
4430 
4431  /* close TUN/TAP device */
4432  do_close_tun(c, false);
4433 
4434 #ifdef MANAGEMENT_DEF_AUTH
4435  if (management)
4436  {
4437  management_notify_client_close(management, &c->c2.mda_context, NULL);
4438  }
4439 #endif
4440 
4441 #ifdef ENABLE_PF
4442  pf_destroy_context(&c->c2.pf);
4443 #endif
4444 
4445 #ifdef ENABLE_PLUGIN
4446  /* call plugin close functions and unload */
4447  do_close_plugins(c);
4448 #endif
4449 
4450  /* close packet-id persistence file */
4451  do_close_packet_id(c);
4452 
4453  /* close --status file */
4454  do_close_status_output(c);
4455 
4456 #ifdef ENABLE_FRAGMENT
4457  /* close fragmentation handler */
4458  do_close_fragment(c);
4459 #endif
4460 
4461  /* close --ifconfig-pool-persist obj */
4462  do_close_ifconfig_pool_persist(c);
4463 
4464  /* free up environmental variable store */
4465  do_env_set_destroy(c);
4466 
4467  /* close HTTP or SOCKS proxy */
4468  uninit_proxy(c);
4469 
4470  /* garbage collect */
4471  gc_free(&c->c2.gc);
4472  }
4473 }
4474 
4475 void
4476 inherit_context_child(struct context *dest,
4477  const struct context *src)
4478 {
4479  CLEAR(*dest);
4480 
4481  /* proto_is_dgram will ASSERT(0) if proto is invalid */
4482  dest->mode = proto_is_dgram(src->options.ce.proto) ? CM_CHILD_UDP : CM_CHILD_TCP;
4483 
4484  dest->gc = gc_new();
4485 
4486  ALLOC_OBJ_CLEAR_GC(dest->sig, struct signal_info, &dest->gc);
4487 
4488  /* c1 init */
4489  packet_id_persist_init(&dest->c1.pid_persist);
4490 
4491  dest->c1.ks.key_type = src->c1.ks.key_type;
4492  /* inherit SSL context */
4493  dest->c1.ks.ssl_ctx = src->c1.ks.ssl_ctx;
4494  dest->c1.ks.tls_wrap_key = src->c1.ks.tls_wrap_key;
4495  dest->c1.ks.tls_auth_key_type = src->c1.ks.tls_auth_key_type;
4496  dest->c1.ks.tls_crypt_v2_server_key = src->c1.ks.tls_crypt_v2_server_key;
4497  /* inherit pre-NCP ciphers */
4498  dest->c1.ciphername = src->c1.ciphername;
4499  dest->c1.authname = src->c1.authname;
4500  dest->c1.keysize = src->c1.keysize;
4501 
4502  /* options */
4503  dest->options = src->options;
4504  options_detach(&dest->options);
4505 
4506  if (dest->mode == CM_CHILD_TCP)
4507  {
4508  /*
4509  * The CM_TOP context does the socket listen(),
4510  * and the CM_CHILD_TCP context does the accept().
4511  */
4512  dest->c2.accept_from = src->c2.link_socket;
4513  }
4514 
4515 #ifdef ENABLE_PLUGIN
4516  /* inherit plugins */
4517  do_inherit_plugins(dest, src);
4518 #endif
4519 
4520  /* context init */
4521  init_instance(dest, src->c2.es, CC_NO_CLOSE | CC_USR1_TO_HUP);
4522  if (IS_SIG(dest))
4523  {
4524  return;
4525  }
4526 
4527  /* inherit tun/tap interface object */
4528  dest->c1.tuntap = src->c1.tuntap;
4529 
4530  /* UDP inherits some extra things which TCP does not */
4531  if (dest->mode == CM_CHILD_UDP)
4532  {
4533  /* inherit buffers */
4534  dest->c2.buffers = src->c2.buffers;
4535 
4536  /* inherit parent link_socket and tuntap */
4537  dest->c2.link_socket = src->c2.link_socket;
4538 
4539  ALLOC_OBJ_GC(dest->c2.link_socket_info, struct link_socket_info, &dest->gc);
4540  *dest->c2.link_socket_info = src->c2.link_socket->info;
4541 
4542  /* locally override some link_socket_info fields */
4543  dest->c2.link_socket_info->lsa = &dest->c1.link_socket_addr;
4544  dest->c2.link_socket_info->connection_established = false;
4545  }
4546 }
4547 
4548 void
4549 inherit_context_top(struct context *dest,
4550  const struct context *src)
4551 {
4552  /* copy parent */
4553  *dest = *src;
4554 
4555  /*
4556  * CM_TOP_CLONE will prevent close_instance from freeing or closing
4557  * resources owned by the parent.
4558  *
4559  * Also note that CM_TOP_CLONE context objects are
4560  * closed by multi_top_free in multi.c.
4561  */
4562  dest->mode = CM_TOP_CLONE;
4563 
4564  dest->first_time = false;
4565  dest->c0 = NULL;
4566 
4567  options_detach(&dest->options);
4568  gc_detach(&dest->gc);
4569  gc_detach(&dest->c2.gc);
4570 
4571  /* detach plugins */
4572  dest->plugins_owned = false;
4573 
4574  dest->c2.tls_multi = NULL;
4575 
4576  /* detach c1 ownership */
4577  dest->c1.tuntap_owned = false;
4578  dest->c1.status_output_owned = false;
4579 #if P2MP_SERVER
4580  dest->c1.ifconfig_pool_persist_owned = false;
4581 #endif
4582 
4583  /* detach c2 ownership */
4584  dest->c2.event_set_owned = false;
4585  dest->c2.link_socket_owned = false;
4586  dest->c2.buffers_owned = false;
4587  dest->c2.es_owned = false;
4588 
4589  dest->c2.event_set = NULL;
4590  if (proto_is_dgram(src->options.ce.proto))
4591  {
4592  do_event_set_init(dest, false);
4593  }
4594 
4595 #ifdef USE_COMP
4596  dest->c2.comp_context = NULL;
4597 #endif
4598 }
4599 
4600 void
4601 close_context(struct context *c, int sig, unsigned int flags)
4602 {
4603  ASSERT(c);
4604  ASSERT(c->sig);
4605 
4606  if (sig >= 0)
4607  {
4608  c->sig->signal_received = sig;
4609  }
4610 
4611  if (c->sig->signal_received == SIGUSR1)
4612  {
4613  if ((flags & CC_USR1_TO_HUP)
4614  || (c->sig->source == SIG_SOURCE_HARD && (flags & CC_HARD_USR1_TO_HUP)))
4615  {
4616  c->sig->signal_received = SIGHUP;
4617  c->sig->signal_text = "close_context usr1 to hup";
4618  }
4619  }
4620 
4621  if (!(flags & CC_NO_CLOSE))
4622  {
4623  close_instance(c);
4624  }
4625 
4626  if (flags & CC_GC_FREE)
4627  {
4628  context_gc_free(c);
4629  }
4630 }
4631 
4632 /*
4633  * Do a loopback test
4634  * on the crypto subsystem.
4635  */
4636 static void *
4637 test_crypto_thread(void *arg)
4638 {
4639  struct context *c = (struct context *) arg;
4640  const struct options *options = &c->options;
4641 
4642  ASSERT(options->test_crypto);
4643  init_verb_mute(c, IVM_LEVEL_1);
4644  context_init_1(c);
4645  next_connection_entry(c);
4646  do_init_crypto_static(c, 0);
4647 
4648  frame_finalize_options(c, options);
4649 
4650  test_crypto(&c->c2.crypto_options, &c->c2.frame);
4651 
4652  key_schedule_free(&c->c1.ks, true);
4653  packet_id_free(&c->c2.crypto_options.packet_id);
4654 
4655  context_gc_free(c);
4656  return NULL;
4657 }
4658 
4659 bool
4660 do_test_crypto(const struct options *o)
4661 {
4662  if (o->test_crypto)
4663  {
4664  struct context c;
4665 
4666  /* print version number */
4667  msg(M_INFO, "%s", title_string);
4668 
4669  context_clear(&c);
4670  c.options = *o;
4671  options_detach(&c.options);
4672  c.first_time = true;
4673  test_crypto_thread((void *) &c);
4674  return true;
4675  }
4676  return false;
4677 }
options::tuntap_options
struct tuntap_options tuntap_options
Definition: options.h:295
tls_options::tcp_mode
bool tcp_mode
Definition: ssl_common.h:302
context_2::es
struct env_set * es
Definition: openvpn.h:428
remote_host_store::port
char port[RH_PORT_LEN]
Definition: options.h:177
context_1::ciphername
const char * ciphername
Data channel cipher from config file.
Definition: openvpn.h:209
connection_entry::remote_float
bool remote_float
Definition: options.h:95
context_1::socks_proxy_owned
bool socks_proxy_owned
Definition: openvpn.h:189
warn_on_use_of_common_subnets
void warn_on_use_of_common_subnets(openvpn_net_ctx_t *ctx)
Definition: tun.c:456
init_crypto_pre
static void init_crypto_pre(struct context *c, const unsigned int flags)
Definition: init.c:2515
interval_init
void interval_init(struct interval *top, int horizon, int refresh)
Definition: interval.c:37
options::status_file
const char * status_file
Definition: options.h:330
management_close
void management_close(struct management *man)
Definition: manage.c:2636
options::ifconfig_pool_persist_refresh_freq
int ifconfig_pool_persist_refresh_freq
Definition: options.h:428
tls_options::key_type
struct key_type key_type
Definition: ssl_common.h:247
ifconfig_pool_persist_init
struct ifconfig_pool_persist * ifconfig_pool_persist_init(const char *filename, int refresh_freq)
Definition: pool.c:426
options::persist_remote_ip
bool persist_remote_ip
Definition: options.h:284
options::sndbuf
int sndbuf
Definition: options.h:343
frame_add_to_extra_buffer
static void frame_add_to_extra_buffer(struct frame *frame, const int increment)
Definition: mtu.h:298
platform_group_set
void platform_group_set(const struct platform_state_group *state)
Definition: platform.c:130
options::routes_ipv6
struct route_ipv6_option_list * routes_ipv6
Definition: options.h:362
context_2::log_rw
bool log_rw
Definition: openvpn.h:388
frame_subtract_extra
void frame_subtract_extra(struct frame *frame, const struct frame *src)
Definition: mtu.c:123
route_did_redirect_default_gateway
static int route_did_redirect_default_gateway(const struct route_list *rl)
Definition: route.h:406
set_std_files_to_null
void set_std_files_to_null(bool stdin_only)
Definition: misc.c:58
CO_PACKET_ID_LONG_FORM
#define CO_PACKET_ID_LONG_FORM
Bit-flag indicating whether to use OpenVPN&#39;s long packet ID format.
Definition: crypto.h:245
http_proxy_new
struct http_proxy_info * http_proxy_new(const struct http_proxy_options *o)
Definition: proxy.c:496
strncpynt
static void strncpynt(char *dest, const char *src, size_t maxlen)
Definition: buffer.h:348
connection_entry::socks_proxy_port
const char * socks_proxy_port
Definition: options.h:104
TM_ACTIVE
#define TM_ACTIVE
Active tls_session.
Definition: ssl_common.h:466
context_2::frame_fragment_omit
struct frame frame_fragment_omit
Definition: openvpn.h:269
tls_options::tmp_dir
const char * tmp_dir
Definition: ssl_common.h:320
env_set_create
struct env_set * env_set_create(struct gc_arena *gc)
Definition: env_set.c:158
context_2::route_wakeup
struct event_timeout route_wakeup
Definition: openvpn.h:391
connection_entry::tun_mtu_defined
bool tun_mtu_defined
Definition: options.h:108
uninit_proxy_dowork
static void uninit_proxy_dowork(struct context *c)
Definition: init.c:557
OPT_P_DEFAULT
#define OPT_P_DEFAULT
Definition: options.h:677
do_init_route_ipv6_list
static void do_init_route_ipv6_list(const struct options *options, struct route_ipv6_list *route_ipv6_list, const struct link_socket_info *link_socket_info, struct env_set *es, openvpn_net_ctx_t *ctx)
Definition: init.c:1486
platform_group_get
bool platform_group_get(const char *groupname, struct platform_state_group *state)
Definition: platform.c:108
dev_type_enum
int dev_type_enum(const char *dev, const char *dev_type)
Definition: tun.c:240
tuntap
Definition: tun.h:132
options::ncp_enabled
bool ncp_enabled
Definition: options.h:498
options::management_flags
unsigned int management_flags
Definition: options.h:387
do_close_tun
static void do_close_tun(struct context *c, bool force)
Definition: init.c:1949
crypto_options::packet_id
struct packet_id packet_id
Current packet ID state for both sending and receiving directions.
Definition: crypto.h:238
free_key_ctx
void free_key_ctx(struct key_ctx *ctx)
Definition: crypto.c:894
do_init_crypto_static
static void do_init_crypto_static(struct context *c, const unsigned int flags)
Definition: init.c:2544
signal_description
const char * signal_description(const int signum, const char *sigtext)
Definition: sig.c:91
tls_session::key
struct key_state key[KS_SIZE]
Definition: ssl_common.h:446
context_buffers::read_tun_buf
struct buffer read_tun_buf
Definition: openvpn.h:111
tls_options::crl_file
const char * crl_file
Definition: ssl_common.h:284
P2MP_SERVER
#define P2MP_SERVER
Definition: syshead.h:524
M_NOPREFIX
#define M_NOPREFIX
Definition: error.h:102
options::block_outside_dns
bool block_outside_dns
Definition: options.h:623
key_type::hmac_length
uint8_t hmac_length
HMAC length, in bytes.
Definition: crypto.h:142
D_INIT_MEDIUM
#define D_INIT_MEDIUM
Definition: errlevel.h:105
context_2::ping_rec_interval
struct event_timeout ping_rec_interval
Definition: openvpn.h:300
crypto_max_overhead
unsigned int crypto_max_overhead(void)
Return the worst-case OpenVPN crypto overhead (in bytes)
Definition: crypto.c:732
tls_auth_standalone_finalize
void tls_auth_standalone_finalize(struct tls_auth_standalone *tas, const struct frame *frame)
Definition: ssl.c:1318
tls_options::tls_crypt_v2
bool tls_crypt_v2
Definition: ssl_common.h:308
context::options
struct options options
Options loaded from command line or configuration file.
Definition: openvpn.h:503
platform_nice
void platform_nice(int niceval)
Definition: platform.c:156
plugin_return_get_column
void plugin_return_get_column(const struct plugin_return *src, struct plugin_return *dest, const char *colname)
Definition: plugin.c:962
context_2::route_wakeup_expire
struct event_timeout route_wakeup_expire
Definition: openvpn.h:392
PAR_NCT
#define PAR_NCT
Definition: proxy.h:50
options::mute_replay_warnings
bool mute_replay_warnings
Definition: options.h:506
test_crypto
void test_crypto(struct crypto_options *co, struct frame *frame)
Definition: crypto.c:1089
BASE_N_EVENTS
#define BASE_N_EVENTS
Definition: init.h:33
tun_standby_init
void tun_standby_init(struct tuntap *tt)
Definition: tun.c:5286
options::show_curves
bool show_curves
Definition: options.h:214
free_buf
void free_buf(struct buffer *buf)
Definition: buffer.c:185
D_ROUTE
#define D_ROUTE
Definition: errlevel.h:80
options::exit_event_initial_state
bool exit_event_initial_state
Definition: options.h:620
options::cipher_list
const char * cipher_list
Definition: options.h:525
crypto_options::flags
unsigned int flags
Bit-flags determining behavior of security operation functions.
Definition: crypto.h:257
options::tls_server
bool tls_server
Definition: options.h:516
link_socket_new
struct link_socket * link_socket_new(void)
Definition: socket.c:1845
do_alloc_route_list
static void do_alloc_route_list(struct context *c)
Definition: init.c:1431
management_callback_remote_cmd
static bool management_callback_remote_cmd(void *arg, const char **p)
Definition: init.c:292
socks_proxy_close
void socks_proxy_close(struct socks_proxy_info *sp)
Definition: socks.c:91
string_alloc
char * string_alloc(const char *str, struct gc_arena *gc)
Definition: buffer.c:688
CE_MAN_QUERY_REMOTE_MOD
#define CE_MAN_QUERY_REMOTE_MOD
Definition: options.h:128
init_verb_mute
void init_verb_mute(struct context *c, unsigned int flags)
Definition: init.c:981
options_string
char * options_string(const struct options *o, const struct frame *frame, struct tuntap *tt, openvpn_net_ctx_t *ctx, bool remote, struct gc_arena *gc)
Definition: options.c:3546
link_socket_info::lsa
struct link_socket_addr * lsa
Definition: socket.h:114
argv_new
struct argv argv_new(void)
Definition: argv.c:52
options_hash_changed_or_zero
static bool options_hash_changed_or_zero(const struct sha256_digest *a, const struct sha256_digest *b)
Helper for do_up().
Definition: init.c:2102
init_proxy_dowork
static void init_proxy_dowork(struct context *c)
Definition: init.c:574
frame_or_align_flags
static void frame_or_align_flags(struct frame *frame, const unsigned int flag_mask)
Definition: mtu.h:316
prng_init
void prng_init(const char *md_name, const int nonce_secret_len_parm)
Pseudo-random number generator initialisation.
Definition: crypto.c:1711
crypto_options::pid_persist
struct packet_id_persist * pid_persist
Persistent packet ID state for keeping state between successive OpenVPN process startups.
Definition: crypto.h:240
SET_MTU_TUN
#define SET_MTU_TUN
Definition: mtu.h:220
context_1::dns_cache
struct cached_dns_entry * dns_cache
Definition: openvpn.h:162
context_2::did_open_tun
bool did_open_tun
Definition: openvpn.h:395
add_routes
void add_routes(struct route_list *rl, struct route_ipv6_list *rl6, const struct tuntap *tt, unsigned int flags, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition: route.c:1186
tls_options::auth_token_lifetime
unsigned int auth_token_lifetime
Definition: ssl_common.h:324
options::tls_cert_profile
const char * tls_cert_profile
Definition: options.h:527
options::management_log_history_cache
int management_log_history_cache
Definition: options.h:378
M_OPTERR
#define M_OPTERR
Definition: error.h:105
STATUS_OUTPUT_WRITE
#define STATUS_OUTPUT_WRITE
Definition: status.h:51
tls_options::tls_crypt_v2_verify_script
const char * tls_crypt_v2_verify_script
Definition: ssl_common.h:309
context_2::tmp_int
struct interval tmp_int
Definition: openvpn.h:352
streq
#define streq(x, y)
Definition: options.h:642
options::ifconfig_pool_persist_filename
const char * ifconfig_pool_persist_filename
Definition: options.h:427
options::chroot_dir
const char * chroot_dir
Definition: options.h:300
P2P_ERROR_DELAY_MS
#define P2P_ERROR_DELAY_MS
Definition: errlevel.h:41
string_clear
void string_clear(char *str)
Definition: buffer.c:731
do_inherit_plugins
static void do_inherit_plugins(struct context *c, const struct context *src)
Definition: init.c:3873
do_close_event_set
static void do_close_event_set(struct context *c)
Definition: init.c:3665
do_init_crypto_tls_c1
static void do_init_crypto_tls_c1(struct context *c)
Definition: init.c:2666
plugin_return_init
static void plugin_return_init(struct plugin_return *pr)
Definition: plugin.h:170
options::server_bridge_proxy_dhcp
bool server_bridge_proxy_dhcp
Definition: options.h:414
S_FATAL
#define S_FATAL
Definition: run_command.h:46
options::dev
const char * dev
Definition: options.h:239
WSO_FORCE_SERVICE
#define WSO_FORCE_SERVICE
Definition: win32.h:164
options::ping_rec_timeout_action
int ping_rec_timeout_action
Definition: options.h:280
tls_options::mode
int mode
Definition: ssl_common.h:269
do_up
bool do_up(struct context *c, bool pulled_options, unsigned int option_types_found)
Definition: init.c:2112
options::auth_token_generate
bool auth_token_generate
Definition: options.h:470
packet_id_persist_load_obj
void packet_id_persist_load_obj(const struct packet_id_persist *p, struct packet_id *pid)
Definition: packet_id.c:524
options::inetd
int inetd
Definition: options.h:317
D_IMPORT_ERRORS
#define D_IMPORT_ERRORS
Definition: errlevel.h:64
print_default_gateway
void print_default_gateway(const int msglevel, const struct route_gateway_info *rgi, const struct route_ipv6_gateway_info *rgi6)
Definition: route.c:1323
M_INFO
#define M_INFO
Definition: errlevel.h:55
notnull
void notnull(const char *arg, const char *description)
Definition: options.c:4178
tun_abort
void tun_abort(void)
Definition: init.c:2082
plugin_return
Definition: plugin.h:101
context
Contains all state information for one tunnel.
Definition: openvpn.h:501
CIPHER_ENABLED
#define CIPHER_ENABLED(c)
Definition: openvpn.h:572
frame
Packet geometry parameters.
Definition: mtu.h:93
do_env_set_destroy
static void do_env_set_destroy(struct context *c)
Definition: init.c:3752
do_init_tls_wrap_key
static void do_init_tls_wrap_key(struct context *c)
Definition: init.c:2603
PAR_ALL
#define PAR_ALL
Definition: proxy.h:49
cipher_kt_mode_ofb_cfb
bool cipher_kt_mode_ofb_cfb(const cipher_kt_t *cipher)
Check if the supplied cipher is a supported OFB or CFB mode cipher.
Definition: crypto_openssl.c:716
ROUTE_AFTER_TUN
#define ROUTE_AFTER_TUN
Definition: tun.h:323
context::es
struct env_set * es
Set of environment variables.
Definition: openvpn.h:524
D_PUSH
#define D_PUSH
Definition: errlevel.h:83
route_ipv6_gateway_info
Definition: route.h:179
M_USAGE
#define M_USAGE
Definition: error.h:111
crypto_read_openvpn_key
void crypto_read_openvpn_key(const struct key_type *key_type, struct key_ctx_bi *ctx, const char *key_file, const char *key_inline, const int key_direction, const char *key_name, const char *opt_name)
Definition: crypto.c:1177
srandom
#define srandom
Definition: syshead.h:44
proto_is_udp
bool proto_is_udp(int proto)
Definition: socket.c:3174
plugin_return::list
struct openvpn_plugin_string_list * list[MAX_PLUGINS]
Definition: plugin.h:104
remap_signal
void remap_signal(struct context *c)
Definition: sig.c:374
tls_crypt_init_key
void tls_crypt_init_key(struct key_ctx_bi *key, const char *key_file, const char *key_inline, bool tls_server)
Initialize a key_ctx_bi structure for use with –tls-crypt.
Definition: tls_crypt.c:81
gc_free
static void gc_free(struct gc_arena *a)
Definition: buffer.h:1023
link_socket_init_phase1
void link_socket_init_phase1(struct link_socket *sock, const char *local_host, const char *local_port, const char *remote_host, const char *remote_port, struct cached_dns_entry *dns_cache, int proto, sa_family_t af, bool bind_ipv6_only, int mode, const struct link_socket *accept_from, struct http_proxy_info *http_proxy, struct socks_proxy_info *socks_proxy, bool bind_local, bool remote_float, int inetd, struct link_socket_addr *lsa, const char *ipchange_command, const struct plugin_list *plugins, int resolve_retry_seconds, int mtu_discover_type, int rcvbuf, int sndbuf, int mark, struct event_timeout *server_poll_timeout, unsigned int sockflags)
Definition: socket.c:1856
tls_options::ssl_ctx
struct tls_root_ctx ssl_ctx
Definition: ssl_common.h:244
error_reset
void error_reset(void)
Definition: error.c:163
PAYLOAD_ALIGN
#define PAYLOAD_ALIGN
Definition: mtu.h:86
management_callback_proxy_cmd
static bool management_callback_proxy_cmd(void *arg, const char **p)
Definition: init.c:211
OPT_P_PLUGIN
#define OPT_P_PLUGIN
Definition: options.h:671
frame_add_to_extra_frame
static void frame_add_to_extra_frame(struct frame *frame, const unsigned int increment)
Definition: mtu.h:274
plugin_call
static int plugin_call(const struct plugin_list *pl, const int type, const struct argv *av, struct plugin_return *pr, struct env_set *es)
Definition: plugin.h:201
dmsg
#define dmsg
Definition: error.h:174
close_context
void close_context(struct context *c, int sig, unsigned int flags)
Definition: init.c:4601
script_security
int script_security(void)
Definition: run_command.c:45
do_init_socket_2
static void do_init_socket_2(struct context *c)
Definition: init.c:3397
platform_user_get
bool platform_user_get(const char *username, struct platform_state_user *state)
Definition: platform.c:69
SDL_CONSTRAIN
#define SDL_CONSTRAIN
Definition: error.h:203
tls_options::auth_user_pass_verify_script
const char * auth_user_pass_verify_script
Definition: ssl_common.h:318
options::shared_secret_file
const char * shared_secret_file
Definition: options.h:494
packet_id_persist_init
static void packet_id_persist_init(struct packet_id_persist *p)
Definition: openvpn.h:83
openvpn_sockaddr::addr
union openvpn_sockaddr::@8 addr
open_tun
void open_tun(const char *dev, const char *dev_type, const char *dev_node, struct tuntap *tt)
Definition: tun.c:5531
RH_PORT_LEN
#define RH_PORT_LEN
Definition: options.h:176
EVENT_METHOD_FAST
#define EVENT_METHOD_FAST
Definition: event.h:42
options::peer_id
uint32_t peer_id
Definition: options.h:627
D_TLS_ERRORS
#define D_TLS_ERRORS
Definition: errlevel.h:59
OPENVPN_PLUGIN_DOWN
#define OPENVPN_PLUGIN_DOWN
Definition: openvpn-plugin.h:121
init_management_callback_p2p
void init_management_callback_p2p(struct context *c)
Definition: init.c:3947
context_2::tls_auth_standalone
struct tls_auth_standalone * tls_auth_standalone
TLS state structure required for the initial authentication of a client&#39;s connection attempt...
Definition: openvpn.h:340
OPENVPN_PLUGIN_ROUTE_UP
#define OPENVPN_PLUGIN_ROUTE_UP
Definition: openvpn-plugin.h:122
buffer_list_new
struct buffer_list * buffer_list_new(const int max_size)
Allocate an empty buffer list of capacity max_size.
Definition: buffer.c:1201
IFCONFIG_BEFORE_TUN_OPEN
#define IFCONFIG_BEFORE_TUN_OPEN
Definition: tun.h:295
close_instance
void close_instance(struct context *c)
Definition: init.c:4396
get_default_gateway_ipv6
void get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6, const struct in6_addr *dest, openvpn_net_ctx_t *ctx)
Definition: route.c:2808
connection_entry
Definition: options.h:86
options::renegotiate_seconds
int renegotiate_seconds
Definition: options.h:573
tls_options::client_config_dir_exclusive
const char * client_config_dir_exclusive
Definition: ssl_common.h:327
http_proxy_close
void http_proxy_close(struct http_proxy_info *hp)
Definition: proxy.c:557
frame_add_to_extra_link
static void frame_add_to_extra_link(struct frame *frame, const int increment)
Definition: mtu.h:292
tls_multi_free
void tls_multi_free(struct tls_multi *multi, bool clear)
Cleanup a tls_multi structure and free associated memory allocations.
Definition: ssl.c:1345
OPT_P_IPWIN32
#define OPT_P_IPWIN32
Definition: options.h:650
options::persist_key
bool persist_key
Definition: options.h:285
SIGUSR1
#define SIGUSR1
Definition: config-msvc.h:116
options::replay_window
int replay_window
Definition: options.h:507
options::persist_mode
int persist_mode
Definition: options.h:207
context_1::keysize
int keysize
Data channel keysize from config file.
Definition: openvpn.h:211
SET_MTU_UPPER_BOUND
#define SET_MTU_UPPER_BOUND
Definition: mtu.h:221
clear_remote_addrlist
static void clear_remote_addrlist(struct link_socket_addr *lsa, bool free)
Definition: init.c:412
tls_options::auth_user_pass_file
const char * auth_user_pass_file
Definition: ssl_common.h:321
do_signal_on_tls_errors
static void do_signal_on_tls_errors(struct context *c)
Definition: init.c:3800
context_2::buffers
struct context_buffers * buffers
Definition: openvpn.h:375
tls_options::verify_x509_type
int verify_x509_type
Definition: ssl_common.h:282
alloc_buf
struct buffer alloc_buf(size_t size)
Definition: buffer.c:64
connection_entry::connect_retry_seconds
int connect_retry_seconds
Definition: options.h:99
setenv_routes_ipv6
void setenv_routes_ipv6(struct env_set *es, const struct route_ipv6_list *rl6)
Definition: route.c:1470
buffer_list_free
void buffer_list_free(struct buffer_list *ol)
Frees a buffer list and all the buffers in it.
Definition: buffer.c:1211
context_2::wait_for_connect
struct event_timeout wait_for_connect
Definition: openvpn.h:298
options::rcvbuf
int rcvbuf
Definition: options.h:342
options::crl_file_inline
const char * crl_file_inline
Definition: options.h:538
D_LOG_RW
#define D_LOG_RW
Definition: errlevel.h:110
context_2::link_socket_info
struct link_socket_info * link_socket_info
Definition: openvpn.h:254
next_connection_entry
static void next_connection_entry(struct context *c)
Definition: init.c:426
tls_options::handshake_window
int handshake_window
Definition: ssl_common.h:273
options::connection_list
struct connection_list * connection_list
Definition: options.h:223
guess_tuntap_dev
const char * guess_tuntap_dev(const char *dev, const char *dev_type, const char *dev_node, struct gc_arena *gc)
Definition: tun.c:284
buffer_list_aggregate
void buffer_list_aggregate(struct buffer_list *bl, const size_t max)
Aggregates as many buffers as possible from bl in a new buffer of maximum length max_len ...
Definition: buffer.c:1342
link_socket_addr::actual
struct link_socket_actual actual
Definition: socket.h:109
LS_MODE_DEFAULT
#define LS_MODE_DEFAULT
Definition: socket.h:196
tls_wrap_ctx::opt
struct crypto_options opt
Crypto state.
Definition: ssl_common.h:227
RH_HOST_LEN
#define RH_HOST_LEN
Definition: options.h:174
options::exit_event_name
const char * exit_event_name
Definition: options.h:619
AR_NONE
#define AR_NONE
Definition: options.h:829
md_ctx_free
void md_ctx_free(md_ctx_t *ctx)
context_2::accept_from
const struct link_socket * accept_from
Definition: openvpn.h:255
options::route_noexec
bool route_noexec
Definition: options.h:357
options::sockflags
unsigned int sockflags
Definition: options.h:349
frame_finalize_options
static void frame_finalize_options(struct context *c, const struct options *o)
Definition: init.c:2471
tuntap::remote_netmask
in_addr_t remote_netmask
Definition: tun.h:154
connection_entry::tls_crypt_file
const char * tls_crypt_file
Definition: options.h:140
signal_info
Definition: sig.h:43
packet_id_persist_close
void packet_id_persist_close(struct packet_id_persist *p)
Definition: packet_id.c:419
do_close_tls
static void do_close_tls(struct context *c)
Definition: init.c:3519
options::genkey_extra_data
const char * genkey_extra_data
Definition: options.h:218
ce_management_query_remote
static bool ce_management_query_remote(struct context *c)
Definition: init.c:339
add_route_ipv6_to_option_list
void add_route_ipv6_to_option_list(struct route_ipv6_option_list *l, const char *prefix, const char *gateway, const char *metric)
Definition: route.c:503
buf_printf
bool buf_printf(struct buffer *buf, const char *format,...)
Definition: buffer.c:245
ENABLE_PKCS11
#define ENABLE_PKCS11
Definition: config-msvc.h:18
options::route_script
const char * route_script
Definition: options.h:352
options::management_state_buffer_size
int management_state_buffer_size
Definition: options.h:380
format_hex
static char * format_hex(const uint8_t *data, int size, int maxoutput, struct gc_arena *gc)
Definition: buffer.h:526
options::resolve_retry_seconds
int resolve_retry_seconds
Definition: options.h:291
D_GENKEY
#define D_GENKEY
Definition: errlevel.h:79
setenv_str
void setenv_str(struct env_set *es, const char *name, const char *value)
Definition: env_set.c:285
context_1::link_socket_addr
struct link_socket_addr link_socket_addr
Local and remote addresses on the external network.
Definition: openvpn.h:154
SIZE
#define SIZE(x)
Definition: basic.h:30
D_MTU_INFO
#define D_MTU_INFO
Definition: errlevel.h:106
D_READ_WRITE
#define D_READ_WRITE
Definition: errlevel.h:162
context_1::socks_proxy
struct socks_proxy_info * socks_proxy
Definition: openvpn.h:188
in_addr_t
#define in_addr_t
Definition: config-msvc.h:104
buf_read_u8
static int buf_read_u8(struct buffer *buf)
Definition: buffer.h:812
do_init_frame
static void do_init_frame(struct context *c)
Definition: init.c:3024
options::config
const char * config
Definition: options.h:193
options::route_delay
int route_delay
Definition: options.h:358
D_RESTART
#define D_RESTART
Definition: errlevel.h:82
context::sig
struct signal_info * sig
Internal error signaling object.
Definition: openvpn.h:528
MAX_PARMS
#define MAX_PARMS
Definition: options.h:51
http_proxy_options::port
const char * port
Definition: proxy.h:46
options::down_script
const char * down_script
Definition: options.h:307
connection_entry::local_port
const char * local_port
Definition: options.h:90
socks_adjust_frame_parameters
void socks_adjust_frame_parameters(struct frame *frame, int proto)
Definition: socks.c:53
options::route_predown_script
const char * route_predown_script
Definition: options.h:353
tls_options::gremlin
int gremlin
Definition: ssl_common.h:363
open_plugins
void open_plugins(struct context *c, const bool import_options, int init_point)
Definition: init.c:3825
tls_options::ekm_label
const char * ekm_label
Definition: ssl_common.h:366
post_init_signal_catch
void post_init_signal_catch(void)
Definition: sig.c:255
link_socket_update_flags
bool link_socket_update_flags(struct link_socket *ls, unsigned int sockflags)
Definition: socket.c:971
context_2::frame_initial
struct frame frame_initial
Definition: openvpn.h:262
options::down_pre
bool down_pre
Definition: options.h:309
options::keepalive_timeout
int keepalive_timeout
Definition: options.h:268
OPT_P_SOCKBUF
#define OPT_P_SOCKBUF
Definition: options.h:672
OPENVPN_PLUGIN_INIT_POST_DAEMON
#define OPENVPN_PLUGIN_INIT_POST_DAEMON
Definition: openvpn-plugin.h:802
openvpn_net_ctx_t
void * openvpn_net_ctx_t
Definition: networking.h:26
SIGTERM
#define SIGTERM
Definition: config-msvc.h:118
tls_options::auth_token_generate
bool auth_token_generate
Generate auth-tokens on successful user/pass auth, set via options->auth_token_generate.
Definition: ssl_common.h:322
do_init_traffic_shaper
static void do_init_traffic_shaper(struct context *c)
Definition: init.c:1413
TLS_MODE
#define TLS_MODE(c)
Definition: openvpn.h:564
init_query_passwords
void init_query_passwords(const struct context *c)
Query for private key and auth-user-pass username/passwords.
Definition: init.c:531
options::push_peer_info
bool push_peer_info
Definition: options.h:608
OPT_P_SETENV
#define OPT_P_SETENV
Definition: options.h:652
link_socket::info
struct link_socket_info info
Definition: socket.h:166
CE_MAN_QUERY_PROXY
#define CE_MAN_QUERY_PROXY
Definition: options.h:124
SIGHUP
#define SIGHUP
Definition: config-msvc.h:114
context_1::tuntap
struct tuntap * tuntap
Tun/tap virtual network interface.
Definition: openvpn.h:167
options::renegotiate_seconds_min
int renegotiate_seconds_min
Definition: options.h:574
management_hold
bool management_hold(struct management *man, int holdtime)
Definition: manage.c:3696
PING_RESTART
#define PING_RESTART
Definition: options.h:279
do_init_finalize_tls_frame
static void do_init_finalize_tls_frame(struct context *c)
Definition: init.c:2974
options::handshake_window
int handshake_window
Definition: options.h:578
ASSERT
#define ASSERT(x)
Definition: error.h:221
route_ipv6_list
Definition: route.h:219
do_close_plugins
static void do_close_plugins(struct context *c)
Definition: init.c:3862
D_SHOW_NET
#define D_SHOW_NET
Definition: errlevel.h:129
tls_options
Definition: ssl_common.h:241
ifconfig_order
static int ifconfig_order(void)
Definition: tun.h:301
context_2::gc
struct gc_arena gc
Garbage collection arena for allocations done in the level 2 scope of this context_2 structure...
Definition: openvpn.h:226
basename
char * basename(char *filename)
Definition: compat-basename.c:39
check_debug_level
static bool check_debug_level(unsigned int level)
Definition: error.h:245
tls_options::crypto_flags
unsigned int crypto_flags
Definition: ssl_common.h:298
connection_entry::tls_auth_file_inline
const char * tls_auth_file_inline
Definition: options.h:136
key_schedule::tls_wrap_key
struct key_ctx_bi tls_wrap_key
Definition: openvpn.h:68
connection_list::current
int current
Definition: options.h:162
OPENVPN_PLUGIN_FUNC_SUCCESS
#define OPENVPN_PLUGIN_FUNC_SUCCESS
Definition: openvpn-plugin.h:149
options::rh_store
struct remote_host_store * rh_store
Definition: options.h:235
tls_multi::session
struct tls_session session[TM_SIZE]
Array of tls_session objects representing control channel sessions with the remote peer...
Definition: ssl_common.h:579
connection_entry::explicit_exit_notification
int explicit_exit_notification
Definition: options.h:121
platform_user_set
void platform_user_set(const struct platform_state_user *state)
Definition: platform.c:91
options::status_file_update_freq
int status_file_update_freq
Definition: options.h:332
options::verify_x509_type
int verify_x509_type
Definition: options.h:530
options::unsuccessful_attempts
unsigned int unsuccessful_attempts
Definition: options.h:229
close_management
void close_management(void)
Definition: init.c:4030
context_1::tuntap_owned
bool tuntap_owned
Whether the tun/tap interface should be cleaned up when this context is cleaned up.
Definition: openvpn.h:168
tls_options::config_ciphername
const char * config_ciphername
Definition: ssl_common.h:304
options::prng_hash
const char * prng_hash
Definition: options.h:502
tls_session_update_crypto_params
bool tls_session_update_crypto_params(struct tls_session *session, struct options *options, struct frame *frame, struct frame *frame_fragment)
Update TLS session crypto parameters (cipher and auth) and derive data channel keys based on the supp...
Definition: ssl.c:1992
options::ping_rec_timeout
int ping_rec_timeout
Definition: options.h:274
management_callback::status
void(* status)(void *arg, const int version, struct status_output *so)
Definition: manage.h:161
D_LOW
#define D_LOW
Definition: errlevel.h:97
options::ifconfig_noexec
bool ifconfig_noexec
Definition: options.h:249
options::fast_io
bool fast_io
Definition: options.h:335
options::key_direction
int key_direction
Definition: options.h:496
tls_options::renegotiate_bytes
int renegotiate_bytes
Definition: ssl_common.h:275
status_printf
void status_printf(struct status_output *so, const char *format,...)
Definition: status.c:239
update_options_ce_post
static void update_options_ce_post(struct options *options)
Definition: init.c:190
do_ifconfig
void do_ifconfig(struct tuntap *tt, const char *ifname, int tun_mtu, const struct env_set *es, openvpn_net_ctx_t *ctx)
do_ifconfig - configure the tunnel interface
Definition: tun.c:1398
ssl_verify.h
tuntap::options
struct tuntap_options options
Definition: tun.h:145
connection_entry::link_mtu_defined
bool link_mtu_defined
Definition: options.h:112
static_context
static struct context * static_context
Definition: init.c:58
user_pass::username
char username[USER_PASS_LEN]
Definition: misc.h:74
connection_entry::tls_crypt_v2_inline
const char * tls_crypt_v2_inline
Definition: options.h:146
init_static
bool init_static(void)
Definition: init.c:725
platform_mlockall
void platform_mlockall(bool print_msg)
Definition: platform.c:193
OCC_MTU_LOAD_INTERVAL_SECONDS
#define OCC_MTU_LOAD_INTERVAL_SECONDS
Definition: occ.h:64
context_2::frame_fragment_initial
struct frame frame_fragment_initial
Definition: openvpn.h:268
packet_id_free
void packet_id_free(struct packet_id *p)
Definition: packet_id.c:101
CE_MAN_QUERY_REMOTE_SKIP
#define CE_MAN_QUERY_REMOTE_SKIP
Definition: options.h:129
socks_proxy_new
struct socks_proxy_info * socks_proxy_new(const char *server, const char *port, const char *authfile)
Definition: socks.c:62
MODE_SERVER
#define MODE_SERVER
Definition: options.h:197
tls_multi::use_peer_id
bool use_peer_id
Definition: ssl_common.h:565
context_2::ping_send_interval
struct event_timeout ping_send_interval
Definition: openvpn.h:299
options::route_delay_defined
bool route_delay_defined
Definition: options.h:360
argv_msg
void argv_msg(const int msglev, const struct argv *a)
Definition: argv.c:206
tls_crypt.h
CM_CHILD_UDP
#define CM_CHILD_UDP
Definition: openvpn.h:513
key_ctx_bi::initialized
bool initialized
Definition: crypto.h:225
options::tls_exit
bool tls_exit
Definition: options.h:610
MF_SERVER
#define MF_SERVER
Definition: manage.h:332
link_socket_actual
Definition: socket.h:85
print_openssl_info
bool print_openssl_info(const struct options *options)
Definition: init.c:1014
restore_signal_state
void restore_signal_state(void)
Definition: sig.c:272
check_replay_consistency
void check_replay_consistency(const struct key_type *kt, bool packet_id)
Definition: crypto.c:1006
ALLOC_OBJ_GC
#define ALLOC_OBJ_GC(dptr, type, gc)
Definition: buffer.h:1082
init_tun_post
void init_tun_post(struct tuntap *tt, const struct frame *frame, const struct tuntap_options *options)
Definition: tun.c:787
connection_entry::key_direction
int key_direction
Definition: options.h:137
PULL_DEFINED
#define PULL_DEFINED(opt)
Definition: options.h:680
tls_options::x509_username_field
char * x509_username_field
Definition: ssl_common.h:291
options::route_nopull
bool route_nopull
Definition: options.h:364
init_http_proxy_options_once
struct http_proxy_options * init_http_proxy_options_once(struct http_proxy_options **hpo, struct gc_arena *gc)
Definition: proxy.c:48
openvpn_sockaddr::in6
struct sockaddr_in6 in6
Definition: socket.h:70
flags
list flags
Definition: .ycm_extra_conf.py:4
TOP_P2P
#define TOP_P2P
Definition: proto.h:44
do_close_fragment
static void do_close_fragment(struct context *c)
Definition: init.c:3631
http_proxy_options::auth_retry
int auth_retry
Definition: proxy.h:51
do_uid_gid_chroot
static void do_uid_gid_chroot(struct context *c, bool no_delay)
Definition: init.c:1207
close_tun
void close_tun(struct tuntap *tt, openvpn_net_ctx_t *ctx)
Definition: tun.c:6075
CF_INIT_TLS_AUTH_STANDALONE
#define CF_INIT_TLS_AUTH_STANDALONE
Definition: init.c:65
event_set_init
struct event_set * event_set_init(int *maxevents, unsigned int flags)
Definition: event.c:1180
options::tls_export_cert
const char * tls_export_cert
Definition: options.h:532
options::route_default_gateway
const char * route_default_gateway
Definition: options.h:354
ifconfig_pool_persist_close
void ifconfig_pool_persist_close(struct ifconfig_pool_persist *persist)
Definition: pool.c:447
status_open
struct status_output * status_open(const char *filename, const int refresh_freq, const int msglevel, const struct virtual_output *vout, const unsigned int flags)
Definition: status.c:63
init_instance_handle_signals
void init_instance_handle_signals(struct context *c, const struct env_set *env, const unsigned int flags)
Definition: init.c:4058
options::remap_sigusr1
int remap_sigusr1
Definition: options.h:314
VERIFY_X509_NONE
#define VERIFY_X509_NONE
Definition: ssl_verify.h:63
extract_x509_field_test
void extract_x509_field_test(void)
context_0::uid_gid_chroot_set
bool uid_gid_chroot_set
Definition: openvpn.h:137
key_ctx_bi_defined
static bool key_ctx_bi_defined(const struct key_ctx_bi *key)
Definition: crypto.h:548
options::remote_random
bool remote_random
Definition: options.h:237
frame_add_to_link_mtu
static void frame_add_to_link_mtu(struct frame *frame, const int increment)
Definition: mtu.h:268
status_close
bool status_close(struct status_output *so)
Definition: status.c:203
LS_MODE_TCP_ACCEPT_FROM
#define LS_MODE_TCP_ACCEPT_FROM
Definition: socket.h:198
context::c1
struct context_1 c1
Level 1 context.
Definition: openvpn.h:541
pre_init_signal_catch
void pre_init_signal_catch(void)
Definition: sig.c:239
WSO_FORCE_CONSOLE
#define WSO_FORCE_CONSOLE
Definition: win32.h:165
init_options_dev
void init_options_dev(struct options *options)
Definition: init.c:1004
context::persist
struct context_persist persist
Persistent context.
Definition: openvpn.h:538
prng_uninit
void prng_uninit(void)
Definition: crypto.c:1730
tls_auth_standalone_init
struct tls_auth_standalone * tls_auth_standalone_init(struct tls_options *tls_options, struct gc_arena *gc)
Definition: ssl.c:1295
options::auth_user_pass_verify_script_via_file
bool auth_user_pass_verify_script_via_file
Definition: options.h:469
WSO_MODE_CONSOLE
#define WSO_MODE_CONSOLE
Definition: win32.h:150
options::tls_verify
const char * tls_verify
Definition: options.h:529
setenv_routes
void setenv_routes(struct env_set *es, const struct route_list *rl)
Definition: route.c:1439
context_buffers::decrypt_buf
struct buffer decrypt_buf
Definition: openvpn.h:98
context_2::inactivity_interval
struct event_timeout inactivity_interval
Definition: openvpn.h:303
context::net_ctx
openvpn_net_ctx_t net_ctx
Networking API opaque context.
Definition: openvpn.h:526
tls_options::ekm_size
size_t ekm_size
Definition: ssl_common.h:368
open_management
bool open_management(struct context *c)
Definition: init.c:3979
CLEAR
#define CLEAR(x)
Definition: basic.h:33
packet_id_init
void